Introduction to Model Checking Cyrille Artho and Elena Troubitsyna KTH Royal Institute of Technology, Stockholm, Sweden School of Electrical Engineering and Computer Science Theoretical Computer Science [email protected] Cyrille Artho, KTH/EECS, 2019-03-26 Goal: Compute all possible system behaviors • Question: All possible outcomes of a program execution. No matter what the inputs/parameters are. • Answer: Enumerate all possibilities! → Model Checking. • Alternative: Reason about all outcomes (theorem proving). Cyrille Artho, KTH/EECS, 2019-03-26 1 Model Checking = state space search Trajectory P ? Counter−example S 0 Initial states • Traditionally applied to specifications, protocols, algorithms. • Certain types of software (embedded) can be mapped to such model checkers. Cyrille Artho, KTH/EECS, 2019-03-26 2 State space search P S U S 0 1 S 0 Cyrille Artho, KTH/EECS, 2019-03-26 3 State space search — 2 P S U S 0 1 ... U S 2 S 0 Cyrille Artho, KTH/EECS, 2019-03-26 4 State space search — 3 P S U S 0 1 ... U S ... U S 2 3 S 0 Cyrille Artho, KTH/EECS, 2019-03-26 5 Problem: State space explosion! A B • Process state space exponential in the size of the state. • Cross-product of processes. Cyrille Artho, KTH/EECS, 2019-03-26 6 Remedies Partial-order reduction System abstraction A B A B Cyrille Artho, KTH/EECS, 2019-03-26 7 Outline 1. The structure of common models: Kripke structures. 2. How to write (temporal) properties: (a) Linear Temporal Logic (LTL). (b) Computation Tree Logic (CTL). 3. How to use the NuSMV model checker, part 1. Cyrille Artho, KTH/EECS, 2019-03-26 8 How to define models: Kripke structures Trajectory P ? label ... Counter−example S 0 Initial states State transition system M = (S,S0,R,L). Each transition affects AP : atomic properties. S: set of states R : S × S: transition relation AP S0: set of initial states L: set of (action) labels: S → 2 2AP: power set: each atomic property is true or false at given state. Cyrille Artho, KTH/EECS, 2019-03-26 9 Example (by Ashutosh Gupta) S = {s1,s2,s3} s1 s2 S0 ={ } {p,q} {q} R = {(s1,s2),(s2,s1), } L = {(s1,{p,q}), s 3 } {p} Fill in the gaps Give some example paths that this system can generate! Cyrille Artho, KTH/EECS, 2019-03-26 10 Example (by Ashutosh Gupta) S = {s1,s2,s3} S0 ={s1} R = {(s1,s2),(s2,s1), s1 s2 (s2,s3),(s3,s3)} {p,q} {q} L = {(s1,{p,q}), (s2,{q}),(s3,{p})} s 3 Example paths: {p} hs1,s2,s3,s3i hs1,s2,s1,s2,s3i hs1,s2i (overline = inf. path) Cyrille Artho, KTH/EECS, 2019-03-26 11 Words generated by transition systems • Example: {p,q},{q},{p,q},{q},{p},... • Words can be infinitely long. • We need to reason about words (sequence of atomic properties). Cyrille Artho, KTH/EECS, 2019-03-26 12 How model is designed • We typically think of a „state” as certain (state) variables having certain values. • State transitions have preconditions and actions (more in next lecture). • Model checker translates this into (simpler but larger) Kripke structure. • Efficient algorithms to check reachability (more on that soon). • We could just label „bad” states but that’s not convenient. How to describe properties? Cyrille Artho, KTH/EECS, 2019-03-26 13 How to describe events and properties Cyrille Artho, KTH/EECS, 2019-03-26 14 Linear Temporal Logic (LTL) 1. Propositions: p, ¬p, p ∧ q, p ∨ q (also for subformulas) 2. Temporal operators X next U until F finally ♦ G globally Other operators exists but they are not used quite as frequently, and can be derived from the ones above. Cyrille Artho, KTH/EECS, 2019-03-26 15 Semantics: defined on paths 1. Propositions: p, ¬p, p ∧ q, p ∨ q (also for subformulas) Formula p is true if p holds in first state: w |= p if p ∈ w(0) Negation: w |= ¬p if w 6|= p; conjunct: w |= p ∧ q if w |= p and w |= q 2. Temporal operators X p next p w |= Xp if w1 |= p p U q until ∃ j ≥ 0,w j |= q ∧∀i,0 ≤ i < j,wi |= p F p finally ♦p true U p, equivalent to ∃ j ≥ 0,w j |= p G p globally p ¬F¬p, equivalent to ∀ j ≥ 0,w j |= p 3. Temporal operators can be nested. Furthermore, instead of just atomic propositions for p and q, we can also use other temporal formulas as subexpressions. Cyrille Artho, KTH/EECS, 2019-03-26 16 Examples finally globally F p G p next until X p p U q Cyrille Artho, KTH/EECS, 2019-03-26 17 Until true? true? !p, q !p, !q !p, q p U q p U q true? true? p, !q p, !q p, !q p, q p, q p U q p U q Cyrille Artho, KTH/EECS, 2019-03-26 18 Nesting true? FG p true? FG p How about infinite traces? Cyrille Artho, KTH/EECS, 2019-03-26 19 Computation Tree Logic 1. Propositions 2. Path quantifiers + temporal operators F AF p: For all paths, p is eventually true. A G AG p: For all paths, p is always true. AX p: For all paths, p is true in the next state. E X A[p U q]: For all paths, p holds until q holds. E: There exists a path. U 3. Temporal operators always follow path quantifier Cyrille Artho, KTH/EECS, 2019-03-26 20 Semantics: Defined on transition systems 1. Propositions: same as above 2. Temporal operators for model M(S,→,L) AX p ((M,s) |= AXp) ⇔ (∀hs → s1i((M,s1) |= p)) AG p ((M,s) |= AGp) ⇔ (∀hs1 → s2 → ...i(s = s1)∀i((M,si) |= p)) AF p ((M,s) |= AFp) ⇔ (∀hs1 → s2 → ...i(s = s1)∃i((M,si) |= p)) A [p U q] ((M,s) |= A[p U q]) ⇔∀(hs1 → s2 → ...i(s = s1)∃ j (((M,s j) |= q) ∧ (∀(i < j)(M,si) |= p))) E... defined analogously with existential path quantifier. 3. Temporal operators canNOT be directly nested. However, instead of just atomic propositions for p and q, we can also use other temporal formulas as subexpressions. Cyrille Artho, KTH/EECS, 2019-03-26 21 Computation Tree Logic (CTL): finally, globally finally globally for all paths AF p AG p there exists a path EF p EG p Cyrille Artho, KTH/EECS, 2019-03-26 22 Computation Tree Logic (CTL): next, until next until for all paths AX p A[ p U q ] there exists a path EX p E[ p U q ] Cyrille Artho, KTH/EECS, 2019-03-26 23 LTL 6= CTL 1. FG(p) 2. EX(p) • Which logic can express the formulas above? • What is the semantics of each formula? • Where does the counterpart fail to express it? CTL*: Combines LTL and CTL. Cyrille Artho, KTH/EECS, 2019-03-26 24 Safety vs. Liveness Safety: Something bad will never happen. Ensures absence of defects and hazards. Liveness: Something good eventually happens. Ensures progress. Which temporal logic operators are suitable for which type of property? Cyrille Artho, KTH/EECS, 2019-03-26 25 Summary Temporal logics Linear temporal logic (LTL): Computational tree logic (CTL): • No branching. • Branching. • Defined on paths. • Defined on transition systems. Model checking Enumerate all reachable states. • Check if „bad” state reachable. • Active research, many optimizations (such as BDDs). Cyrille Artho, KTH/EECS, 2019-03-26 26 SMV and NuSMV • Symbolic Model Verifier (SMV): First practical symbolic model checker by Ken McMillan/CMU. • Re-implementation NuSMV (open source) at IRST Trento, Italy. • NuSMV is still being maintained and developed. • Current version is 2.6.0 (used in this course). Cyrille Artho, KTH/EECS, 2019-03-26 27 NuSMV • Re-implementation NuSMV (open source) at IRST Trento, Italy. • NuSMV is still being maintained and developed. • Current version is 2.6.0 (used in this course). Cyrille Artho, KTH/EECS, 2019-03-26 28 Example: Vending machine ready choice made choice canceled expect item dispensed payment payment made dispense item Cyrille Artho, KTH/EECS, 2019-03-26 29 Details not modeled • How choice is made (how many choices) and canceled. → Button, timeout, both? • How payment is handled/accepted; price of goods. • Item dispenser mechanism, time taken to dispense item. Cyrille Artho, KTH/EECS, 2019-03-26 30 Example: Vending machine—2 ready choice made choice canceled expect item dispensed payment payment made dispense item • Three states: ready, expect payment, dispense item. • Two user inputs (non-deterministic): 1. Choice (of item); can be cancelled. 2. Payment (requires choice to be made first). Cyrille Artho, KTH/EECS, 2019-03-26 31 Vending machine in NuSMV MODULE main VAR choice, payment: boolean; state: { ready, expect payment, dispense item }; ASSIGN init (state) := ready; next (state) := case state = ready & choice: expect payment; state = expect payment & payment: dispense item; state = expect payment & !choice: ready; state = dispense item: ready; esac; Cyrille Artho, KTH/EECS, 2019-03-26 32 NuSMV syntax • Module, variables, assignments. • case (follows order of declaration); can have multiple outcomes. Cyrille Artho, KTH/EECS, 2019-03-26 33 Error message file vending.smv: line 3: at token ",": syntax error file vending.smv: line 3: Parser error NuSMV terminated by a signal • Cannot declare more than one variable per line! • Try again... Cyrille Artho, KTH/EECS, 2019-03-26 34 Another error message file vending.smv: line 14: case conditions are not exhaustive • Recall the case block: state = ready & choice: expect payment; state = expect payment & payment: dispense item; state = expect payment & !choice: ready; state = dispense item: ready; • State should remain the same by default: specify! Cyrille Artho, KTH/EECS, 2019-03-26 35 Complete case block ASSIGN init (state) := ready; next (state) := case state = ready & choice: expect payment; state = expect payment & payment: dispense item; state = expect payment & !choice: ready; state = dispense item: ready; TRUE: state; esac; • Transitions from ready and expect payment depend on user choice.