Model Checking
Cheng/Dillon-Software Engineering: Formal Methods

Model Checking
 Used in studying the behavior of reactive systems (systems that interact continually with their environment, such as controllers and communication protocols)
 Typically involves three steps:
  1. Create a finite state model (FSM) of the system design
  2. Specify the critical correctness properties
  3. Validate the model with respect to the specification
Cheng/Dillon-Software Engineering: Model Checking
Create a FSM

 FSM languages
  - focus on expressing concurrency, synchronization, and communication
  - abstract away the details of internal computations
  - must be precise and unambiguous (formally defined syntax and semantics)
 We will use Promela for giving system descriptions
Specify correctness properties

 Safety properties:
  - Nothing "bad" ever happens
  - Formalized using state invariants: execution never reaches a "bad" state
  - A violation is a finite execution that ends in a bad state
 Liveness properties:
  - Something "good" eventually happens
  - Formalized using temporal logic, a special logic for describing sequences of states
  - A violation is an infinite execution (a cycle) on which the good thing never happens
Validate the model

 "Execute" the model to test it
  - simulate executions of the system
  - check satisfaction of safety properties along the simulated executions (simulation only covers the executions actually explored, so it can find violations but cannot show that a property holds)
 Exhaustive analysis
  - generate the reachability graph to verify safety and liveness properties over all executions
  - generate counterexamples to illustrate failures
Home Heating System

Example properties

 Pump is never on unless Burner is also on (a safety property)
 Whenever Sensor calls resp-temp(LOW), eventually Controller becomes all-on (a liveness property)
Reachability Graph

 Graph of global states that can be "reached" during execution
  - a global state contains a state for each concurrent "process", together with the values of the global variables and the contents of the channels
  - transitions show how an event or action transforms the global state
 Analyze the global state space to verify safety properties (is any "bad" state reachable?)
 Analyze paths through the RG to verify liveness properties (is there a cycle on which the "good" thing never happens?)
Promela

 The system description language of SPIN
 Designed for modeling data communication protocols
 System described as a collection of concurrent processes
 Processes communicate and synchronize via message channels and global variables
Promela

 Specify macro definitions (expanded by the C preprocessor before SPIN sees the model)
  #define signal 0
 Declare symbolic constants
  mtype = { ON, OFF, LOW, OK };
 Declare a synchronous (rendezvous) message channel: buffer size 0, so a send blocks until a matching receive is ready and both happen in one step
  chan pump_in = [0] of { mtype };
 Create a process instance (active starts one instance at initialization)
  active proctype pump ( ) { statements }
 Send a message
  pump_in!ON
 Receive a message (blocks until a message is available; with a constant argument, only a message equal to that constant matches)
  pump_in?ON
Promela version of HHS
SPIN simulation of HHS

 SPIN automatically generates sequence diagrams to represent executions
  - random (the scheduler picks among enabled transitions)
  - guided (replay of a stored trail, e.g. a counterexample from verification)
  - interactive (the user picks among enabled transitions)
 Automates tracing between system views
  - sequence diagram
  - Promela description
  - state diagram
  - textual execution traces
Verification of a safety property

 Pump is never on unless Burner is also on

Verification of a liveness property

 Whenever Sensor calls resp-temp(LOW), eventually Controller becomes all-on
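As an added example (this is not the slides' own Promela model and not code from Cheng/Dillon), the following is a complete Promela model of the Home Heating System that ties together the Promela syntax slides, the "Promela version of HHS" slide whose code is not reproduced here, and the two verification slides. It encodes the safety property as a state invariant (an assert plus an LTL claim) and the liveness property as an LTL claim, and the comment block at the top lists the SPIN commands for simulation and exhaustive verification. The process structure, the channel names burner_in and temp, the low_pending flag and the all_on macro are my assumptions; the slides only show mtype, pump_in and the ON/OFF/LOW/OK vocabulary.

```promela
/* Added example, not the original HHS model. Assumed: process structure,
 * channels burner_in/temp, flag low_pending, macro all_on.
 *
 * Verify with SPIN 6.x (inline 'ltl' blocks need SPIN 6 or later):
 *   spin -a hhs.pml          # generate pan.c; never claims are built from the ltl blocks
 *   gcc -O2 -o pan pan.c
 *   ./pan -a -N safety       # exhaustive search against claim 'safety'
 *   ./pan -a -N live         # acceptance-cycle search against claim 'live'
 * Simulate:
 *   spin -p -g hhs.pml       # random: print every statement and each global-variable change
 *   spin -i hhs.pml          # interactive: choose among enabled transitions
 *   spin -t -p hhs.pml       # guided: replay hhs.pml.trail written by a failed pan run
 */

mtype = { ON, OFF, LOW, OK };

/* Rendezvous channels: buffer size 0, sender and receiver synchronize. */
chan pump_in   = [0] of { mtype };   /* Controller -> Pump   */
chan burner_in = [0] of { mtype };   /* Controller -> Burner */
chan temp      = [0] of { mtype };   /* Sensor -> Controller: resp_temp(LOW|OK) */

/* Global state that the properties refer to. */
bool pump_on     = false;
bool burner_on   = false;
bool low_pending = false;   /* LOW received, Controller has not yet reached all-on */

/* "Controller becomes all-on" is read as: both units are on (macro, like #define signal 0). */
#define all_on (burner_on && pump_on)

active proctype pump() {
  mtype m;
end:
  do
  /* atomic: the flag changes in the same step as the handshake, so no other
   * process can observe a half-updated state in between */
  :: atomic { pump_in ? m ->
       pump_on = (m == ON);
       assert(!pump_on || burner_on)   /* safety checked as a state invariant */
     }
  od
}

active proctype burner() {
  mtype m;
end:
  do
  :: atomic { burner_in ? m -> burner_on = (m == ON) }
  od
}

/* Sensor: nondeterministically reports LOW or OK, forever. */
active proctype sensor() {
end:
  do
  :: temp ! LOW
  :: temp ! OK
  od
}

active proctype controller() {
  mtype t;
end:
  do
  :: temp ? t ->
       if
       :: t == LOW ->
            low_pending = true;
            burner_in ! ON;    /* burner first, so the pump is never on alone */
            pump_in   ! ON;
            low_pending = false
       :: t == OK ->
            pump_in   ! OFF;   /* pump first, so burner_on still holds while pump_on does */
            burner_in ! OFF
       fi
  od
}

/* Safety: Pump is never on unless Burner is also on. */
ltl safety { [] (pump_on -> burner_on) }

/* Liveness: whenever Sensor reports LOW, eventually Controller is all-on. */
ltl live { [] (low_pending -> <> all_on) }
```

Two edits show what the exhaustive search catches that a few random simulations usually miss: swap the two sends in the LOW branch (pump before burner) and `./pan -a -N safety` reports the assert and claim violation, with `spin -t -p hhs.pml` replaying the trail as the counterexample; or keep the send order but drop `atomic` from the burner, and pan finds the interleaving in which the controller sends ON to the pump after the burner has completed its handshake but before it has executed `burner_on = (m == ON)`, which is exactly the kind of scheduling the reachability graph enumerates and a programmer's reading of the code does not.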