Model Checking
basic concepts and techniques
Sriram K. Rajamani
Sources:
My MSR Model checking crash course
from Fall 99
Tom Henzinger’s slides from his OSQ
course
Model checking, narrowly interpreted:
Decision procedures for checking if
a given Kripke structure is a model
for a given formula of a temporal
logic.
Why is this of interest to us?
Because the dynamics of a discrete system can
be captured by a Kripke structure.
Because some dynamic properties of a discrete
system can be stated in temporal logics.

Model checking = System verification
Model checking, generously interpreted:
Algorithms for system verification
which operate on a system model (semantics)
rather than a system description (syntax).
Agenda
Part I: Models and Specifications
Part II: State explosion
Kripke Structure
States: valuations to a finite set of
variables
S0
Initial states : subset of states
Arcs: transitions between states
Atomic Propositions:
finite set of predicates over
variables
S1
S2
Observation (color):
Valuation to all atomic propositions at
a state
S3
Kripke Structure
M =  W, I, R, L,  
W
I
R
L

: set of states (possibly infinite)
 W : set of initial states
 W X W : set of arcs
: set of atomic propositions
L
W2 :
mapping from states to
subset of atomic propostions (colors)
Specification
Three important decisions:
1 may vs. must:
branching vs. linear time
2 prohibiting bad vs. desiring good behavior:
safety vs. liveness
3 operational vs. declarative:
automata vs. logic
S0
S0
Run
S1
S2
S1
S3
Trace
S2
S0
Run-tree
S1
S0
S2
S3
S1
S2
S3
Trace-tree
Branching Vs Linear
Linear temporal logics (eg LTL) view a model
as a set of traces
Branching temporal logics (eg CTL) view a
model as a set of trace-trees
S0
t0
S1
S2
S3
S4
t1
t2
Same traces, different trace trees
t3
Linear time is conceptually simpler than
branching time (words vs. trees).
Branching time is often computationally
more efficient.
Branching “refinement” implies linear
“refinement”
Expressive powers are incomparable
Specification
Three important decisions:
1 may vs. must:
branching vs. linear time
2 prohibiting bad vs. desiring good behavior:
safety vs. liveness
3 operational vs. declarative:
automata vs. logic
Safety vs. liveness
Safety:
something “bad” will never happen
Liveness: something “good” will happen
(but we don’t know when)
Example: Mutual exclusion
It cannot happen that both processes are in
their critical sections simultaneously.
Example: Mutual exclusion
It cannot happen that both processes are in
their critical sections simultaneously.
Safety
Example: Bounded overtaking
Whenever process P1 wants to enter the critical
section, then process P2 gets to enter at most
once before process P1 gets to enter.
Example: Bounded overtaking
Whenever process P1 wants to enter the critical
section, then process P2 gets to enter at most
once before process P1 gets to enter.
Safety
Whenever process P1 wants to enter the critical
section, it enters it within 51 cycles
Whenever process P1 wants to enter the critical
section, it enters it within 51 cycles
Whenever process P1 wants to enter the critical
section, it is not the case that 51 cycles pass
without P1 entering the critical section
Safety
Whenever process P1 wants to enter the critical
section, it eventually enters it
Liveness
Sequential programs
Safety corresponds to partial correctness
Liveness corresponds to termination
Safety Vs Liveness
The vast majority of properties to be
verified are safety.
Why liveness?
“Eventually, we are all dead!”
The answer is:
abstraction and fairness
While nobody will ever observe the violation
of a true liveness property, fairness is a
useful abstraction that turns complicated
safety into simple liveness.
Why liveness?
r1
r2
r1
~r1
F1 ~r2 F2
G1
g1
r2
G2
g2
If P1 requests and keeps
requesting, it will be granted
within 2 cycles
Abstract view
r1
r2
r1
~r1
F1 ~r2 F2
r2
G1
r1
r2
g1
r1
G1
G2
g2
g1
F
r2
G2
g2
Safety: If P1 requests and
keeps requesting, it will be
granted within 2 cycles
Liveness: If P1 requests and
keeps requesting it will be
eventually granted (Does this
hold?)
q1
q2
q3
Fairness constraint:
the green transition cannot be ignored forever
q1
q2
q3
Without fairness: infRuns = q1 (q3 q1)* (q2)  (q1 q3)
With fairness:
infRuns = q1 (q3 q1)* (q2)
Two important types of fairness
1 Weak (Buchi) fairness:
a specified set of transitions cannot be
enabled forever without being taken
2 Strong (Streett) fairness:
a specified set of transitions cannot be
enabled infinitely often without being taken
Fair Kripke Structure
M =  W, I, R, L, , SF, WF 
W : set of states (possibly infinite)
I  W : set of initial states
R  W X W : set of arcs
L : set of atomic propositions
L
  W  2 : labeling function
SF: set of strongly fair arcs
WF: set of weakly fair arcs
Model-Checking Algorithms for finite state
Kripke structures = Graph Algorithms
Automata theoretic approach to model checking
Does M satisfy property ?
Step 1: Build automaton A for negation of 
Step 2: Construct product P = MxA
Step 3: Check if L(P) is empty
1
Safety:
-algorithm: reachability (linear)
2 Response under weak fairness:
-algorithm: strongly connected components (linear)
3 Liveness:
-algorithm: recursively nested SCCs (quadratic)
Logic
Model checking complexity
Invariant
|M|
CTL
|M| * ||
LTL
|M| * 2||
Modal -calculus
Refinement
?
|M| * 2
|S|
Example: State Machine
For Locking
U
Unlocked
L
Locked
U
L
Error
Product Construction
…
Lock(&x);
If (x->foo) {
if (bar(x)) {
Unlock(&x);
return OK;
}
}
Unlock(&x)
…
Product Construction
…
Lock(&x);
If (x->foo) {
if (bar(x)) {
Unlock(&x);
// return OK;
}
}
Unlock(&x)
…
Agenda
Part I: Models and Specifications
Part II: State explosion
Problem
State explosion :
|M| is exponential in the syntactic
description of M
Fighting state explosion
– Symbolic techniques (BDDs) - [SMV, VIS]
– Symmetry reduction - [Murphi]
– Partial-order reduction - [SPIN]
– Divide and Conquer - [MOCHA, new SMV]
– Abstraction - [STeP, InVeSt,SLAM]
Binary Decision Diagrams
[Bryant]
Ordered decision tree for f = a  b  c  d
a
0
0
0
d
c
b
1
1
1
0
d
d
0
c
1
0
d
d
c
b
1
1
0
d
d
c
1
d
0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0
OBDD reduction
f=abcd
a
0
1
b
0
b
1
1
c
0
c
1
1
d
0
0
0
0
d
1
1
0
1
OBDD properties
Variable order strongly affects
size
Canonical representation for a
given order
Efficient apply algorithm
– boolean operations on BDD’s is
easy
– Can build BDD’s for large circuits
f
fg
g
O(|f| |g|)
Boolean quantification
• If v is a boolean variable, then
$v.f = f |v =0 + f |v =1
Example: $(b,c). (ab + ce + b´d)
=
a+e+d
• Complexity on BDD representation
– worst case exponential
– heuristically efficient
Characterizing sets
• Let M be a model with boolean variables
(v1,v2,…,vn)
• Represent any P  {0,1}n by its characteristic
function cP
P = {(v1,v2,…,vn) : cP}
Example:
Variables = (x,y,z)
P = { (0,0,1) , (0,1,0), (1,0,0), (1,1,1) }
cP = x + y + z
Characterizing sets
• Represent characteristic function as BDD
• Set operations can be now done as BDD
operations
 c = false
 cP  Q = P + Q
 cS \ P =  P
cS = true
cP  Q = P . Q
Transition Relations
• Transition relation R is a set of state pairs
for all the arcs in the state machine
– R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) :  cR}
v0
v1
cR =
(v’0 =
 v0)  (v’1
= v0  v1)
Forward Image
Image(P,R)
P
R
Image (P, R)  {v' : for some v, v  P and ( v, v' )  R}
c Image (P, R ) ( v' )  $v. ( c P ( v)  c R ( v, v' ))
Reverse Image
Image-1(P,R)
R
P
Image -1 (P, R)  {v : for some v ', v ' P and ( v, v' )  R}
c Image (P, R ) ( v)  $v'. ( c P ( v' )  c R ( v, v' ))
Symbolic invariant checking
S := BDD for initial states
V := BDD for negation of invariant
R := BDD for transition relation
Loop
If ( S  V) then print “failed” and exit
I := Image( S, R)
S’ := S  I
If ( S = S’) then print “passed” and exit
End
BDDs
Big breakthrough in hardware
• McMillan’s thesis won the ACM thesis award
• Intel, IBM, Motorola all have BDD based model
checkers, and large “formal verification” teams based
on them.
BDDs compactly represent transition relations
• Can prove that if the circuit has “bounded”
communication,then transition relation is small
• Images and Reachable sets tend to blowup
BDDs
Images and reachable sets blow up often
Subject of intense investigation
(PhD theses on how to compute images without BDDs
blowing up)
Alphabetical soup of variations: ADDs to ZDDs
Work upto ~100 variables , don’t really scale to thousands
of variables
Provide good “bootstrap” for compositional methods
Infinite state model checking
S := constraint for initial states
V := constraint for negation of invariant
R := constraint for transition relation
Loop
If ( S  V) then print “failed” and exit
I := Image( S, R)
S’ := S  I
If ( S = S’) then print “passed” and exit
End
Fighting state explosion
– Symbolic techniques (BDDs) - [SMV, VIS]
– Symmetry reduction - [Murphi]
– Partial-order reduction - [SPIN]
– Divide and Conquer - [MOCHA, new SMV]
– Abstraction - [STeP, InVeSt,SLAM]
Symmetry Reductions
Idea: If state space is symmetric, explore only
a symmetric “quotient” of the state space
Let us define “quotient” first…
(also useful in abstractions)
Recall our model
M =  W, I, R, L,  
W
I
R
L

: set of states
 W : set of initial states
 W X W : set of arcs
: set of atomic propositions
L
 W  2 : mapping from states to colors
Usually we fix the colors and say:
M =  W, I, R,  
Quotient
M =  W, I, R,  
Let  be an equivalence relation on W.
Assume:
s  t  (s) = (t)
s  I iff t I
Quotient: M’ =  W’, I’, R’, ’ 
– W’ = W / 
I’ = I / 
– R’ ([s] ,[t]) whenever R(s,t)
– ’([s]) =  (s)
Abstract search
Suppose we want to check an invariant:
Does M satisfy  ?
Instead check:
Does M’ satisfy  ?
This is sound but not complete. (Why?)
Stable equivalences
Equivalence  is called stable if:
R ( x, y) 
for every s in [x]
there exists some t in [y]
such that R (s,t)
Claim: Suppose  is called stable, then:
M satisifies  iff M’ satisfy 
Sound and complete! (Why?)
Automorphisms
A permutation function
f : W  W is an
automorphism if:
1. x  f(x) for all x
2. R( x, z)  R( f(x), f(z))
0,0
0,1
1,0
1,1
Automorphisms
f: f(0,0) = 1,1 f(1,1) = 0,0
f(0,1) = 0,1 f(1,0) = 1,0
g: g(0,0) = 0,0 g(1,1) = 1,1
g(0,1) = 1,0 g(1,0) = 0,1
0,0
0,1
1,0
1,1
A = { f, g, f  g, I}
The set of all automorphisms forms a group!
Automorphisms
Let x  y
if there is some
automorphism f such that f(x) = y
The equivalence classes of  are called orbits
Claim 1:  is an equivalence
Claim 2:  is stable
Orbits
0,0
[ (0,0), (1,1) ]
[ (0,1), (1,0) ]
0,1
1,0
1,1
Symmetry reduction
[ (0,0),(1,1) ]
[ (0,1), (1,0) ]
Map each state to its representative in the
orbit
Symmetry reduction
Step 1: Analyze the system statically and come
up with a function that maps each state to its
representative
Step 2: When exploring the states, store and
explore the representatives!
Symmetry reduction
Difficulty:
Computing the function (which maps states to
representatives) is hard!
Solutions:
• Be satisfied with multiple representatives for
each orbit
• Ask user to tell you where the symmetries are
Symmetry reduction
• Implemented in Mur
• Similar ideas have also impacted Nitpick
Fighting state explosion
– Symbolic techniques (BDDs) - [SMV, VIS]
– Symmetry reduction - [Murphi]
– Partial-order reduction - [SPIN]
– Divide and Conquer - [MOCHA, new SMV]
– Abstraction - [STeP, InVeSt,SLAM]
Partial Order Methods
Protocols are usually modeled as an
asynchronous composition of processes
(interleaving model)
Partial order reduction explores only a portion
of the state space
You can still prove properties about the entire
state space
Actions
• An action is a guarded
command
• Nondeterminism arises
because any of the enabled

actions could be scheduled
next!

• Can label state machine
S2
transitions with action
names
S0


S1

S3
Independent Actions
Actions  and  are
independent if:
S0

1. Neither action enables
or disables the other

S2
S3


S1
2. If both  and  are
enabled, then they
commute
Partial Order Methods
Key idea:
If actions {,,c} are independent
then:
c  c  c  c  c  c
Need to explore only one!
But there are some caveats..
Parital Order Equivalence
Two action sequences A and B are partialorder-equivalent if:
A can be transformed to B by swapping
adjacent independent actions
Need to explore only one representative in
each equivalence class!
Partial Order Methods
Offer good reductions in asynchronous
protocols:
• Exponential reductions in “artificial”
examples
• 5-10 times faster in “real” examples
Implemented in SPIN
Also implemented in Verisoft (we will revisit
this later!)
Example
integer x, y;
boolean bomb;
Init
 true  x := 0; y := 0; bomb := false
Update
  : ( x < 10) & ! bomb  x := x+1
  : ( y < 10) & ! bomb  y := y+1
  : ( x = 3) & ( y = 3) & ! bomb
 bomb := true
0,0


0,1



0,2
1,1

1,2

1,3
2,1

2,2

2,3
3,0


3,1
4,1

3,2
4,2



3,3




4,3






4,0









2,0




0,3
1,0


