1. Classic Model Checking Algorithms in Reactive Software Systems
Donna A. Dulo
US Dept of Army
US Naval Postgraduate School
Fall 2007
SW 4920 Formal Verification & Validation of Reactive Software Systems
2. Classic Model Checking
Classic Model Checking refers to the set of non-execution-based algorithmic approaches (exhaustive exploration of the state space rather than running or testing the system) for checking a property, expressed as:
• a Linear Temporal Logic (LTL) formula
• a Computation Tree Logic (CTL) formula
• a CTL* formula
• a finite state automaton
against a model, which can be expressed as:
• a finite state machine
• a Kripke structure
3. The Algorithms of Classical Model Checking
4. Classic Model Checkers
The most popular classic model checkers, developed in academia and available in the public domain:
• SPIN (properties in LTL)
• SMV (properties in CTL)
5. CTL Model Checking
• CTL Model Checking aims to establish
M |= φ ?
Does the model M satisfy the specification φ?
• M is given as a Kripke structure
and φ is given as a formula in temporal logic CTL
6. CTL Model Checking
• Given
- a finite-state Kripke structure M = (Q, T, L)
- where Q is a finite set of states, T ⊆ Q × Q is the transition relation, AP is the set of atomic propositions, and
• L: Q → 2^AP is a labeling of each state with the propositions that hold in it
and a CTL formula φ
• Find all states in M that satisfy φ:
{q ∈ Q | M,q ╞ φ }
and check that this set includes all initial states
7. CTL Model Checking
• CTL syntax:
φ ::= p | ¬φ | φ1 ∧ φ2 | AX φ | EX φ | A(φ1 U φ2) | E(φ1 U φ2) | AF φ | EF φ | AG φ | EG φ
– Every path operator F, G, X, U is immediately preceded by a path quantifier A or E
Every formula can be translated to Existential Normal Form (ENF), which needs only the three temporal operators EX, EU and EG:
φ ::= p | ¬φ | φ1 ∧ φ2 | EX φ | E(φ1 U φ2) | EG φ
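The translation into ENF is a mechanical rewrite using the CTL dualities (AX ψ ≡ ¬EX ¬ψ, EF ψ ≡ E[true U ψ], AG ψ ≡ ¬E[true U ¬ψ], AF ψ ≡ ¬EG ¬ψ, and A[φ1 U φ2] ≡ ¬E[¬φ2 U (¬φ1 ∧ ¬φ2)] ∧ ¬EG ¬φ2). The following Python is an added example, not code from the slides: it represents formulas as nested tuples (a representation chosen here, not the course's) and applies those equivalences recursively; the `RESPONSE` formula and its labels PC1=15 / PC1=16 are hypothetical.

```python
# Added example (not from the slides): rewriting a CTL formula into Existential
# Normal Form with the standard dualities. Formulas are nested tuples:
#   ('p', name) | ('true',) | ('not', f) | ('and', f, g)            base cases
#   ('EX', f) | ('EU', f, g) | ('EG', f)                             ENF operators
#   ('AX', f) | ('AU', f, g) | ('AF', f) | ('EF', f) | ('AG', f)     eliminated here

def to_enf(f):
    """Return an ENF formula equivalent to f (the equivalence used is noted per case)."""
    op = f[0]
    if op in ('p', 'true'):
        return f
    if op in ('not', 'EX', 'EG'):
        return (op, to_enf(f[1]))
    if op in ('and', 'EU'):
        return (op, to_enf(f[1]), to_enf(f[2]))
    if op == 'EF':                                   # EF ψ ≡ E[true U ψ]
        return ('EU', ('true',), to_enf(f[1]))
    if op == 'AX':                                   # AX ψ ≡ ¬EX ¬ψ
        return ('not', ('EX', ('not', to_enf(f[1]))))
    if op == 'AG':                                   # AG ψ ≡ ¬EF ¬ψ ≡ ¬E[true U ¬ψ]
        return ('not', ('EU', ('true',), ('not', to_enf(f[1]))))
    if op == 'AF':                                   # AF ψ ≡ ¬EG ¬ψ
        return ('not', ('EG', ('not', to_enf(f[1]))))
    if op == 'AU':                                   # A[φ1 U φ2] ≡ ¬E[¬φ2 U (¬φ1 ∧ ¬φ2)] ∧ ¬EG ¬φ2
        f1, f2 = to_enf(f[1]), to_enf(f[2])
        not_f2 = ('not', f2)
        return ('and',
                ('not', ('EU', not_f2, ('and', ('not', f1), not_f2))),
                ('not', ('EG', not_f2)))
    raise ValueError(f'unknown CTL operator {op!r}')


def is_enf(f):
    """True iff f uses only the ENF grammar p | ¬φ | φ1 ∧ φ2 | EX φ | E(φ1 U φ2) | EG φ."""
    op = f[0]
    if op in ('p', 'true'):
        return True
    if op in ('not', 'EX', 'EG'):
        return is_enf(f[1])
    if op in ('and', 'EU'):
        return is_enf(f[1]) and is_enf(f[2])
    return False


def pretty(f):
    """Render a formula in the notation used on the slides."""
    op = f[0]
    if op == 'p':
        return f[1]
    if op == 'true':
        return 'true'
    if op == 'not':
        return '¬' + pretty(f[1])
    if op == 'and':
        return '(' + pretty(f[1]) + ' ∧ ' + pretty(f[2]) + ')'
    if op in ('EU', 'AU'):
        return op[0] + '[' + pretty(f[1]) + ' U ' + pretty(f[2]) + ']'
    return op + ' ' + pretty(f[1])          # EX, EG, AX, AG, AF, EF


# Hypothetical response property "whenever PC1=15, the process eventually reaches
# PC1=16", written without implication as AG ¬(PC1=15 ∧ ¬AF PC1=16).
RESPONSE = ('AG', ('not', ('and', ('p', 'PC1=15'), ('not', ('AF', ('p', 'PC1=16'))))))

if __name__ == '__main__':
    print(pretty(RESPONSE))
    print(pretty(to_enf(RESPONSE)))
```

The rewrite leaves double negations in place (¬¬ψ) rather than simplifying them; the labeling algorithm handles them correctly, and keeping the output literal makes each duality visible in the result.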
8. CTL Model Checking Algorithm
• Convert formula to ENF
• Build parse tree of the formula
• Proceed recursively, bottom-up (from leaves
upwards) labeling states for each sub-formula
– if sub-formula is true in q ∈ Q, add it to the set of
labels for q, lbl(q)
– continue processing upwards on the formula parse tree
– stop when root of the parse tree is checked
• When the algorithm terminates
– M╞ φ iff every initial state is labeled with φ
9. CTL Model Checking Algorithm
• Example formula:
¬E[ true U EG (PC1=15 ∧ PC2=23) ]
• Build parse tree (root at the top, children indented below their operator):
¬
  EU
    true
    EG
      ∧
        PC1=15
        PC2=23
10. CTL Model Checking Algorithm
• Aim to calculate lbl(q) for state q
• Initialize lbl(q) to {true}
• Must consider 6 cases:
φ ::= p | ¬φ | φ1 ^ φ2 | EX φ | E(φ1 U φ2) | EG φ
11. CTL Model Checking
φ ::= p | ¬φ | φ1 ∧ φ2 | EX φ | E(φ1 U φ2) | EG φ
• Case 1: φ is an atomic proposition p
Add φ to lbl(q) if p ∈ L(q)
• Case 2: φ is a negation ¬ψ
Add φ to lbl(q) if ψ ∉ lbl(q)
• Case 3: φ is a conjunction φ1 ∧ φ2
Add φ to lbl(q) if φ1 ∈ lbl(q) and φ2 ∈ lbl(q)
• Case 4: φ is EX ψ
Add φ to lbl(q) if some successor q' of q (i.e. (q, q') ∈ T) has ψ ∈ lbl(q')
• Case 5: φ is E(φ1 U φ2)
Start from the states labeled with φ2 and work backwards along T: add φ to lbl(q) if φ2 ∈ lbl(q), or if φ1 ∈ lbl(q) and some successor of q has already been labeled with φ; repeat until no label changes (a least fixpoint)
• Case 6: φ is EG ψ
Restrict M to the states labeled with ψ, find the nontrivial strongly connected components of that subgraph, and add φ to lbl(q) for every ψ-state that can reach such a component through ψ-states only
12. CTL Model Checking Algorithm
Case 1: φ is an atomic proposition
Add φ to lbl(q) if φ ∈ L(q)
[Figure: state space, with the states whose L(q) contains φ labeled]
13. CTL Model Checking Algorithm
• After moving through all of the cases for
¬E[ true U EG (PC1=15 ∧ PC2=23) ]
• we find that no state is labeled with the property, so in particular no initial state is
• Conclusion: the model M does not satisfy the property
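The whole procedure of slides 8 to 13, as an added example that is not code from the slides: `sat(M, f)` computes, for each sub-formula, the set {q ∈ Q | M,q ⊨ f} bottom-up over the parse tree, which is the same information as the per-state label sets lbl(q) read column-wise. The Kripke structure (two processes with program counters PC1 and PC2) is constructed for the example; the state names s0..s3 and the edge sets are mine. One deliberate simplification: case 6 (EG ψ) is computed as the greatest fixpoint of ψ ∧ EX Z instead of the SCC decomposition described on the slides; both give the same set, but only the SCC version is linear in |Q|+|T|.

```python
# Added example (not from the slides): the six ENF cases of the CTL labelling
# algorithm run over a constructed Kripke structure M = (Q, T, L). Formulas are
# nested tuples: ('p', name) | ('true',) | ('not', f) | ('and', f, g)
#                | ('EX', f) | ('EU', f, g) | ('EG', f)

class Kripke:
    def __init__(self, states, transitions, labels, initial):
        self.Q = frozenset(states)
        self.T = frozenset(transitions)                              # T ⊆ Q × Q
        self.L = {q: frozenset(labels.get(q, ())) for q in self.Q}   # L: Q → 2^AP
        self.I = frozenset(initial)
        self.succ = {q: set() for q in self.Q}
        self.pred = {q: set() for q in self.Q}
        for a, b in self.T:
            self.succ[a].add(b)
            self.pred[b].add(a)


def sat(M, f):
    """States satisfying the ENF formula f, computed bottom-up over its parse tree."""
    op = f[0]
    if op == 'true':
        return set(M.Q)
    if op == 'p':                                 # case 1: atomic proposition
        return {q for q in M.Q if f[1] in M.L[q]}
    if op == 'not':                               # case 2: negation
        return set(M.Q) - sat(M, f[1])
    if op == 'and':                               # case 3: conjunction
        return sat(M, f[1]) & sat(M, f[2])
    if op == 'EX':                                # case 4: some successor satisfies ψ
        s = sat(M, f[1])
        return {q for q in M.Q if M.succ[q] & s}
    if op == 'EU':                                # case 5: least fixpoint, backwards from φ2-states
        s1, s2 = sat(M, f[1]), sat(M, f[2])
        result, work = set(s2), list(s2)
        while work:                               # propagate along predecessors that satisfy φ1
            q = work.pop()
            for p in M.pred[q]:
                if p in s1 and p not in result:
                    result.add(p)
                    work.append(p)
        return result
    if op == 'EG':                                # case 6: greatest fixpoint of ψ ∧ EX Z
        z = sat(M, f[1])
        while True:
            keep = {q for q in z if M.succ[q] & z}   # drop ψ-states with no ψ-successor left
            if keep == z:
                return z
            z = keep
    raise ValueError(f'not an ENF operator: {op!r}')


def check(M, f):
    """M ⊨ f iff every initial state is labelled with f."""
    return M.I <= sat(M, f)


# Constructed model: two processes with program counters PC1 and PC2; state s3 is
# the configuration where both sit at the locations named in the slides' formula.
LABELS = {'s1': {'PC1=15'}, 's2': {'PC2=23'}, 's3': {'PC1=15', 'PC2=23'}}
EDGES = {('s0', 's1'), ('s0', 's2'), ('s1', 's0'), ('s2', 's0'), ('s1', 's3'), ('s2', 's3')}
M_STUCK = Kripke('s0 s1 s2 s3'.split(), EDGES | {('s3', 's3')}, LABELS, ['s0'])   # s3 loops forever
M_FIXED = Kripke('s0 s1 s2 s3'.split(), EDGES | {('s3', 's0')}, LABELS, ['s0'])   # s3 returns to s0

# The slides' property, already in ENF:  ¬E[ true U EG (PC1=15 ∧ PC2=23) ]
PHI = ('not', ('EU', ('true',), ('EG', ('and', ('p', 'PC1=15'), ('p', 'PC2=23')))))

if __name__ == '__main__':
    for name, M in (('stuck', M_STUCK), ('fixed', M_FIXED)):
        print(name, 'sat(φ) =', sorted(sat(M, PHI)), ' M ⊨ φ :', check(M, PHI))
```

On `M_STUCK` the inner EG holds exactly in s3 (it can stay there forever), s3 is reachable from every state, so E[true U EG(...)] holds everywhere and its negation nowhere: the empty set of the slide's conclusion. Redirecting s3 back to s0 (`M_FIXED`) kills the EG, and the property then holds in every state, including the initial one.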
14. LTL Model Checking
[Figure: a finite state model and a temporal logic formula Φ of the form (Φ −> ◊ Ω) are fed to the model checker; the outcome is either "System OK" or an ERROR trace, one per violated property (Error 1, Error 2, Error 3, …, Error n)]
15. LTL Model Checking
Decision Problem:
Given a finite transition system TS and an LTL formula ϕ, exhibit "yes" if TS |= ϕ, and "no" (plus a counterexample) if TS ⊭ ϕ.
[Figure: as on the previous slide; the model checker takes the finite state model and the formula Φ and returns either "System OK" or one error trace per violation]
16. LTL Model Checking Algorithm
[Figure: the automata-based LTL model-checking pipeline]
• Negate the LTL formula φ to obtain ¬φ
• Translate ¬φ into a Generalized Büchi Automaton G¬φ, then into a Büchi Automaton A¬φ
• Build the product transition system TS ⊗ A¬φ
• Check the persistence property TS ⊗ A¬φ |= P_pers(A¬φ), i.e. that no reachable cycle of the product passes through an accepting state of A¬φ
• If it holds, the model checker reports "System OK"; otherwise it reports ERROR together with a counterexample trace (a path to the accepting cycle, projected onto TS)
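The last two stages of this pipeline, the product TS ⊗ A¬φ and the search for an accepting cycle, as an added example that is not code from the slides or from any model checker. The property is the response pattern of the figure, φ = □(req → ◊ack); its negation ¬φ = ◊(req ∧ □¬ack) is accepted by a two-state Büchi automaton that is written by hand here instead of being derived through a GNBA, so the LTL-to-automaton step is assumed rather than shown. The request/acknowledge transition system, the state names and the class names (`TS`, `Buchi`) are constructed for the example; the accepting-cycle test is done with a breadth-first self-reachability check per accepting state rather than the nested depth-first search used in practice.

```python
# Added example (not from the slides): TS ⊗ A¬φ and the accepting-cycle
# (persistence) check for φ = □(req → ◊ack). The Büchi automaton for
# ¬φ = ◊(req ∧ □¬ack) is hand-written; a real checker derives it from ¬φ.
from collections import namedtuple


class TS:
    def __init__(self, labels, transitions, initial):
        self.labels = {s: frozenset(l) for s, l in labels.items()}   # L: S → 2^AP
        self.initial = set(initial)
        self.succ = {s: set() for s in labels}
        for a, b in transitions:
            self.succ[a].add(b)


# Guards are predicates over the label set of the TS state being read.
Buchi = namedtuple('Buchi', 'initial transitions accepting')

A_NOT_PHI = Buchi(
    initial='q0',
    transitions=[
        ('q0', lambda l: True, 'q0'),                           # wait for the bad request
        ('q0', lambda l: 'req' in l and 'ack' not in l, 'q1'),  # a request not acknowledged now ...
        ('q1', lambda l: 'ack' not in l, 'q1'),                 # ... and never afterwards
    ],
    accepting={'q1'},
)


def product(ts, aut):
    """Reachable part of TS ⊗ A: state (s, q) means A is in q after reading L(s)."""
    def steps(q, labels):
        return {q2 for q1, guard, q2 in aut.transitions if q1 == q and guard(labels)}
    init = {(s, q) for s in ts.initial for q in steps(aut.initial, ts.labels[s])}
    succ, work = {}, list(init)
    while work:
        s, q = work.pop()
        if (s, q) in succ:
            continue
        succ[(s, q)] = {(s2, q2) for s2 in ts.succ[s] for q2 in steps(q, ts.labels[s2])}
        work.extend(succ[(s, q)])
    return init, succ


def bfs(succ, sources):
    """Breadth-first parent map from the given sources (sources map to None)."""
    parent = {v: None for v in sources}
    queue = list(sources)
    for u in queue:                       # list grows while iterating; Python visits the new items
        for v in succ[u]:
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return parent


def path_to(parent, target):
    out = []
    while target is not None:
        out.append(target)
        target = parent[target]
    return out[::-1]


def accepting_lasso(init, succ, accepting):
    """(prefix, cycle) of product states if an accepting state is reachable and lies on a cycle."""
    reach = bfs(succ, init)
    for st in reach:
        if st[1] in accepting:
            back = bfs(succ, succ[st])    # can st get back to itself?
            if st in back:
                return path_to(reach, st), path_to(back, st)
    return None


def model_check(ts, aut):
    """(True, None) if TS ⊨ φ, else (False, counterexample) projected onto TS states."""
    init, succ = product(ts, aut)
    lasso = accepting_lasso(init, succ, aut.accepting)
    if lasso is None:
        return True, None
    prefix, cycle = lasso
    return False, ([s for s, _ in prefix], [s for s, _ in cycle])


# Constructed request/acknowledge protocol; the buggy variant can stall in 'wait'.
LABELS = {'idle': set(), 'req': {'req'}, 'wait': set(), 'ack': {'ack'}}
EDGES = {('idle', 'req'), ('req', 'wait'), ('wait', 'ack'), ('ack', 'idle')}
TS_BUGGY = TS(LABELS, EDGES | {('wait', 'wait')}, ['idle'])
TS_FIXED = TS(LABELS, EDGES, ['idle'])

if __name__ == '__main__':
    print(model_check(TS_BUGGY, A_NOT_PHI))
    print(model_check(TS_FIXED, A_NOT_PHI))
```

The counterexample comes back as a lasso: a finite prefix idle, req, wait followed by the cycle wait repeated forever, which is exactly the infinite word on which A¬φ reaches q1 and stays there. Removing the self-loop on wait leaves no accepting cycle in the product, and the checker answers "yes".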
17. Complexity
• CTL Model Checking:
– Partition the state space into strongly connected components (for the EG case), O(|Q|+|T|)
– Traverse the transition graph, O(|Q|+|T|)
– Each of the |φ| sub-formulas costs one such pass, so the overall complexity is O(|φ|·(|Q|+|T|))
• LTL Model Checking:
– is O(2^|φ|·(|Q|+|T|)): the Büchi automaton for ¬φ can be exponential in the size of the formula, and the product inherits that factor
– Linear in the size of the model, as is CTL