Model checking

This article is about checking of models in computer science. For the checking of models in statistics, see statistical model validation.

In computer science, model checking or property checking is a method for checking whether a finite-state model of a system meets a given specification (also known as correctness). This is typically associated with hardware or software systems, where the specification contains liveness requirements (such as avoidance of livelock) as well as safety requirements (such as avoidance of states representing a system crash).

Elevator control software can be model-checked to verify both safety properties, like "The cabin never moves with its door open",^[1] and liveness properties, like "Whenever the n^th floor's call button is pressed, the cabin will eventually stop at the n^th floor and open the door".

In order to solve such a problem algorithmically, both the model of the system and its specification are formulated in some precise mathematical language. To this end, the problem is formulated as a task in logic, namely to check whether a structure satisfies a given logical formula. This general concept applies to many kinds of logic and many kinds of structures. A simple model-checking problem consists of verifying whether a formula in the propositional logic is satisfied by a given structure.

Overview

Property checking is used for verification when two descriptions are not equivalent. During refinement, the specification is complemented with details that are unnecessary in the higher-level specification. There is no need to verify the newly introduced properties against the original specification since this is not possible. Therefore, the strict bi-directional equivalence check is relaxed to a one-way property check. The implementation or design is regarded as a model of the system, whereas the specifications are properties that the model must satisfy.^[2]

An important class of model-checking methods has been developed for checking models of hardware and software designs where the specification is given by a temporal logic formula. Pioneering work in temporal logic specification was done by Amir Pnueli, who received the 1996 Turing award for "seminal work introducing temporal logic into computing science".^[3] Model checking began with the pioneering work of E. M. Clarke, E. A. Emerson,^[4][5][6] by J. P. Queille, and J. Sifakis.^[7] Clarke, Emerson, and Sifakis shared the 2007 Turing Award for their seminal work founding and developing the field of model checking.^[8][9]

Model checking is most often applied to hardware designs. For software, because of undecidability (see computability theory) the approach cannot be fully algorithmic, apply to all systems, and always give an answer; in the general case, it may fail to prove or disprove a given property. In embedded-systems hardware, it is possible to validate a specification delivered, e.g., by means of UML activity diagrams^[10] or control-interpreted Petri nets.^[11]

The structure is usually given as a source code description in an industrial hardware description language or a special-purpose language. Such a program corresponds to a finite state machine (FSM), i.e., a directed graph consisting of nodes (or vertices) and edges. A set of atomic propositions is associated with each node, typically stating which memory elements are one. The nodes represent states of a system, the edges represent possible transitions that may alter the state, while the atomic propositions represent the basic properties that hold at a point of execution.^[12]

Formally, the problem can be stated as follows: given a desired property, expressed as a temporal logic formula ${\displaystyle p}$, and a structure ${\displaystyle M}$ with initial state ${\displaystyle s}$, decide if ${\displaystyle M,s\models p}$. If ${\displaystyle M}$ is finite, as it is in hardware, model checking reduces to a graph search.

Symbolic model checking

Instead of enumerating reachable states one at a time, the state space can sometimes be traversed more efficiently by considering large numbers of states at a single step. When such state-space traversal is based on representations of a set of states and transition relations as logical formulas, binary decision diagrams (BDD) or other related data structures, the model-checking method is symbolic.

Historically, the first symbolic methods used BDDs. After the success of propositional satisfiability in solving the planning problem in artificial intelligence (see satplan) in 1996, the same approach was generalized to model checking for linear temporal logic (LTL): the planning problem corresponds to model checking for safety properties. This method is known as bounded model checking.^[13] The success of Boolean satisfiability solvers in bounded model checking led to the widespread use of satisfiability solvers in symbolic model checking.^[14]

Example

One example of such a system requirement: Between the time an elevator is called at a floor and the time it opens its doors at that floor, the elevator can arrive at that floor at most twice. The authors of "Patterns in Property Specification for Finite-State Verification" translate this requirement into the following LTL formula:^[15]

${\displaystyle {\begin{aligned}\Box {\Big (}({\texttt {call}}\land \Diamond {\texttt {open}})\to &{\big (}(\lnot {\texttt {atfloor}}\land \lnot {\texttt {open}})~{\mathcal {U}}\\&({\texttt {open}}\lor (({\texttt {atfloor}}\land \lnot {\texttt {open}})~{\mathcal {U}}\\&({\texttt {open}}\lor ((\lnot {\texttt {atfloor}}\land \lnot {\texttt {open}})~{\mathcal {U}}\\&({\texttt {open}}\lor (({\texttt {atfloor}}\land \lnot {\texttt {open}})~{\mathcal {U}}\\&({\texttt {open}}\lor (\lnot {\texttt {atfloor}}~{\mathcal {U}}~{\texttt {open}})))))))){\big )}{\Big )}\end{aligned}}}$

Here, ${\displaystyle \Box }$ should be read as "always", ${\displaystyle \Diamond }$ as "eventually", ${\displaystyle {\mathcal {U}}}$ as "until" and the other symbols are standard logical symbols, ${\displaystyle \lor }$ for "or", ${\displaystyle \land }$ for "and" and ${\displaystyle \lnot }$ for "not".

Techniques

Model-checking tools face a combinatorial blow up of the state-space, commonly known as the state explosion problem, that must be addressed to solve most real-world problems. There are several approaches to combat this problem.

1. Symbolic algorithms avoid ever explicitly constructing the graph for the finite state machines (FSM); instead, they represent the graph implicitly using a formula in quantified propositional logic. The use of binary decision diagrams (BDDs) was made popular by the work of Ken McMillan,^[16] as well as of Olivier Coudert and Jean-Christophe Madre,^[17] and the development of open-source BDD manipulation libraries such as CUDD^[18] and BuDDy.^[19]
2. Bounded model-checking algorithms unroll the FSM for a fixed number of steps, ${\displaystyle k}$, and check whether a property violation can occur in ${\displaystyle k}$ or fewer steps. This typically involves encoding the restricted model as an instance of SAT. The process can be repeated with larger and larger values of ${\displaystyle k}$ until all possible violations have been ruled out (cf. Iterative deepening depth-first search).
3. Abstraction attempts to prove properties of a system by first simplifying it. The simplified system usually does not satisfy exactly the same properties as the original one so that a process of refinement may be necessary. Generally, one requires the abstraction to be sound (the properties proved on the abstraction are true of the original system); however, sometimes the abstraction is not complete (not all true properties of the original system are true of the abstraction). An example of abstraction is to ignore the values of non-Boolean variables and to only consider Boolean variables and the control flow of the program; such an abstraction, though it may appear coarse, may, in fact, be sufficient to prove e.g. properties of mutual exclusion.
4. Counterexample-guided abstraction refinement (CEGAR) begins checking with a coarse (i.e. imprecise) abstraction and iteratively refines it. When a violation (i.e. counterexample) is found, the tool analyzes it for feasibility (i.e., is the violation genuine or the result of an incomplete abstraction?). If the violation is feasible, it is reported to the user. If it is not, the proof of infeasibility is used to refine the abstraction and checking begins again.^[20]

Model-checking tools were initially developed to reason about the logical correctness of discrete state systems, but have since been extended to deal with real-time and limited forms of hybrid systems.

First-order logic

Model checking is also studied in the field of computational complexity theory. Specifically, a first-order logical formula is fixed without free variables and the following decision problem is considered:

Given a finite interpretation, for instance, one described as a relational database, decide whether the interpretation is a model of the formula.

This problem is in the circuit class AC⁰. It is tractable when imposing some restrictions on the input structure: for instance, requiring that it has treewidth bounded by a constant (which more generally implies the tractability of model checking for monadic second-order logic), bounding the degree of every domain element, and more general conditions such as bounded expansion, locally bounded expansion, and nowhere-dense structures.^[21] These results have been extended to the task of enumerating all solutions to a first-order formula with free variables.^{[citation needed]}

Tools

Main article: List of model checking tools

Here is a list of significant model-checking tools:

• Afra: a model checker for Rebeca which is an actor-based language for modeling concurrent and reactive systems
• Alloy (Alloy Analyzer)
• BLAST (Berkeley Lazy Abstraction Software Verification Tool)
• CADP (Construction and Analysis of Distributed Processes) a toolbox for the design of communication protocols and distributed systems
• CPAchecker: an open-source software model checker for C programs, based on the CPA framework
• ECLAIR: a platform for the automatic analysis, verification, testing, and transformation of C and C++ programs
• FDR2: a model checker for verifying real-time systems modelled and specified as CSP Processes
• ISP code level verifier for MPI programs
• Java Pathfinder: an open-source model checker for Java programs
• Libdmc: a framework for distributed model checking
• mCRL2 Toolset, Boost Software License, Based on ACP
• NuSMV: a new symbolic model checker
• PAT: an enhanced simulator, model checker and refinement checker for concurrent and real-time systems
• Prism: a probabilistic symbolic model checker
• Roméo: an integrated tool environment for modelling, simulation, and verification of real-time systems modelled as parametric, time, and stopwatch Petri nets
• SPIN: a general tool for verifying the correctness of distributed software models in a rigorous and mostly automated fashion
• Storm:^[22] A model checker for probabilistic systems.
• TAPAs: a tool for the analysis of process algebra
• TAPAAL: an integrated tool environment for modelling, validation, and verification of Timed-Arc Petri Nets
• TLA+ model checker by Leslie Lamport
• UPPAAL: an integrated tool environment for modelling, validation, and verification of real-time systems modelled as networks of timed automata
• Zing^[23] – experimental tool from Microsoft to validate state models of software at various levels: high-level protocol descriptions, work-flow specifications, web services, device drivers, and protocols in the core of the operating system. Zing is currently being used for developing drivers for Windows.

See also

• Abstract interpretation
• Automated theorem proving
• Binary decision diagram
• Büchi automaton
• Computation tree logic
• Counterexample-guided abstraction refinement
• Formal verification
• Linear temporal logic
• List of model checking tools
• Partial order reduction
• Program analysis (computer science)
• Static code analysis

References

1. For convenience, the example properties are paraphrased in natural language here. Model-checkers require them to be expressed in some formal logic, like LTL.
2. Lam K., William (2005). "Chapter 1.1: What Is Design Verification?". Hardware Design Verification: Simulation and Formal Method-Based Approaches. Retrieved December 12, 2012.
3. "Amir Pnueli - A.M. Turing Award Laureate".
4. Allen Emerson, E.; Clarke, Edmund M. (1980), "Characterizing correctness properties of parallel programs using fixpoints", Automata, Languages and Programming, Lecture Notes in Computer Science, vol. 85, pp. 169–181, doi:10.1007/3-540-10003-2_69, ISBN 978-3-540-10003-4
5. Edmund M. Clarke, E. Allen Emerson: "Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic". Logic of Programs 1981: 52-71.
6. Clarke, E. M.; Emerson, E. A.; Sistla, A. P. (1986), "Automatic verification of finite-state concurrent systems using temporal logic specifications", ACM Transactions on Programming Languages and Systems, 8 (2): 244, doi:10.1145/5397.5399, S2CID 52853200
7. Queille, J. P.; Sifakis, J. (1982), "Specification and verification of concurrent systems in CESAR", International Symposium on Programming, Lecture Notes in Computer Science, vol. 137, pp. 337–351, doi:10.1007/3-540-11494-7_22, ISBN 978-3-540-11494-9
8. "Press Release: ACM Turing Award Honors Founders of Automatic Verification Technology". Archived from the original on 2008-12-28. Retrieved 2009-01-06.
9. USACM: 2007 Turing Award Winners Announced
10. Grobelna, Iwona; Grobelny, Michał; Adamski, Marian (2014). "Model Checking of UML Activity Diagrams in Logic Controllers Design". Proceedings of the Ninth International Conference on Dependability and Complex Systems DepCoS-RELCOMEX. June 30 – July 4, 2014, Brunów, Poland. Advances in Intelligent Systems and Computing. Vol. 286. pp. 233–242. doi:10.1007/978-3-319-07013-1_22. ISBN 978-3-319-07012-4.
11. I. Grobelna, "Formal verification of embedded logic controller specification with computer deduction in temporal logic", Przeglad Elektrotechniczny, Vol.87, Issue 12a, pp.47–50, 2011
12. This article is based on material taken from Model+checking at the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.
13. Clarke, E.; Biere, A.; Raimi, R.; Zhu, Y. (2001). "Bounded Model Checking Using Satisfiability Solving". Formal Methods in System Design. 19: 7–34. doi:10.1023/A:1011276507260. S2CID 2484208.
14. Vizel, Y.; Weissenbacher, G.; Malik, S. (2015). "Boolean Satisfiability Solvers and Their Applications in Model Checking". Proceedings of the IEEE. 103 (11): 2021–2035. doi:10.1109/JPROC.2015.2455034. S2CID 10190144.
15. Dwyer, M.; Avrunin, G.; Corbett, J. (May 1999). "Patterns in property specifications for finite-state verification". Patterns in Property Specification for Finite-State Verification. Proceedings of the 21st international conference on Software engineering. pp. 411–420. doi:10.1145/302405.302672. ISBN 1581130740.
16. • Symbolic Model Checking, Kenneth L. McMillan, Kluwer, ISBN 0-7923-9380-5, also online Archived 2007-06-02 at the Wayback Machine.
17. Coudert, O.; Madre, J.C. (1990). "A unified framework for the formal verification of sequential circuits" (PDF). 1990 IEEE International Conference on Computer-Aided Design. Digest of Technical Papers. IEEE Comput. Soc. Press. pp. 126–129. doi:10.1109/ICCAD.1990.129859. ISBN 978-0-8186-2055-3.
18. "CUDD: CU Decision Diagram Package".
19. "BuDDy – A Binary Decision Diagram Package".
20. Clarke, Edmund; Grumberg, Orna; Jha, Somesh; Lu, Yuan; Veith, Helmut (2000), "Counterexample-Guided Abstraction Refinement", Computer Aided Verification (PDF), Lecture Notes in Computer Science, vol. 1855, pp. 154–169, doi:10.1007/10722167_15, ISBN 978-3-540-67770-3
21. Dawar, A; Kreutzer, S (2009). "Parameterized complexity of first-order logic" (PDF). ECCC. S2CID 5856640. Archived from the original (PDF) on 2019-03-03.
22. Storm model checker
23. Zing

Further reading

• Peled, Doron A.; Pelliccione, Patrizio; Spoletini, Paola (2009). "Model Checking". Wiley Encyclopedia of Computer Science and Engineering. pp. 1904–1920. doi:10.1002/9780470050118.ecse247. ISBN 978-0-470-05011-8. S2CID 5371327.
• Clarke, Edmund M.; Grumberg, Orna; Peled, Doron A. (1999). Model Checking. MIT Press. ISBN 0-262-03270-8.
• Berard, B.; Bidoit, M.; Finkel, A.; Laroussinie, F.; Petit, A.; Petrucci, L.; Schnoebelen, P. (20 June 2001). Systems and Software Verification: Model-Checking Techniques and Tools. Springer. ISBN 3-540-41523-8.
• Huth, Michael; Ryan, Mark (2004). Logic in Computer Science: Modelling and Reasoning About Systems. Cambridge University Press.
• Holzmann, Gerard J. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley. ISBN 0-321-22862-6.
• Bradfield, Julian; Stirling, Colin (2001). "Modal Logics and mu-Calculi: An Introduction". Handbook of Process Algebra. Elsevier. pp. 293–330. doi:10.1016/B978-044482830-9/50022-9. ISBN 978-0-444-82830-9.. JA Bergstra, A. Ponse and SA Smolka, editors." ().
• "Specification Patterns". SAnToS Laboratory, Kansas State University. Archived from the original on 2011-07-19.
• "Property Pattern Mappings for RAFMC". CADP:Construction and Analysis of Distributed Processes. 2019.
• Mateescu, Radu; Sighireanu, Mihaela (2003). "Efficient On-the-Fly Model-Checking for Regular Alternation-Free Mu-Calculus" (PDF). Science of Computer Programming. 46 (3): 255–281. doi:10.1016/S0167-6423(02)00094-1. S2CID 10942856.
• Müller-Olm, M.; Schmidt, D.A.; Steffen, B. (1999). "Model checking: a tutorial introduction". Static Analysis: 6th International Symposium, SAS'99, Venice, Italy, September 22-24, 1999, Proceedings. Vol. 1694. LNCS: Springer. pp. 330–354. CiteSeerX 10.1.1.96.3011. doi:10.1007/3-540-48294-6_22. ISBN 978-3-540-48294-9.
• Baier, C.; Katoen, J. (2008). Principles of Model Checking. MIT Press. ISBN 978-0-262-30403-0.
• Clarke, E.M. (2008). "The Birth of Model Checking". 25 Years of Model Checking. Lecture Notes in Computer Science. Vol. 5000. pp. 1–26. doi:10.1007/978-3-540-69850-0_1. ISBN 978-3-540-69849-4.
• Emerson, E. Allen (2008). "The Beginning of Model Checking: A Personal Perspective". In Grumberg, Orna; Veith, Helmut (eds.). 25 Years of Model Checking — History, Achievements, Perspectives. LNCS. Vol. 5000. Springer. pp. 27–45. doi:10.1007/978-3-540-69850-0_2. ISBN 978-3-540-69849-4. (this is also a very good introduction and overview of model checking)