1 Lecture 1: Model Checking Edmund Clarke School of Computer Science Carnegie Mellon University2 Cost of Software Errors June 2002 “Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually, or about 0.6 percent of the gross domestic product … At the national level, over half of the costs are borne by software users and the remainder by software developers/vendors.” NIST Planning Report 02-3 The Economic Impacts of Inadequate Infrastructure for Software Testing3 Cost of Software Errors “The study also found that, although all errors cannot be removed, more than a third of these costs, or an estimated $22.2 billion, could be eliminated by an improved testing infrastructure that enables earlier and more effective identification and removal of software defects.”4 Model Checking • Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980’s. • Properties are written in propositional temporal logic. • Systems are modeled by finite state machines. • Verification procedure is an exhaustive search of the state space of the design. • Model checking complements testing/simulation.5 Advantages of Model Checking • No proofs!!! • Fast (compared to other rigorous methods) • Diagnostic counterexamples • No problem with partial specifications / properties • Logics can easily express many concurrency properties6 State-transition graph describes system evolving over time. Model of computation st ~ Start ~ Close ~ Heat ~ Error Start ~ Close ~ Heat Error ~ Start Close ~ Heat ~ Error ~ Start Close Heat ~ Error Start Close Heat ~ Error Start Close ~ Heat ~ Error Start Close ~ Heat Error Microwave Oven Example7 Temporal Logic l The oven doesn’t heat up until the door is closed. l Not heat_up holds until door_closed l (~ heat_up) U door_closed8 Basic Temporal Operators • Fp - p holds sometime in the future. • Gp - p holds globally in the future. • Xp - p holds next time. • pUq - p holds until q holds. The symbol “p” is an atomic proposition, e.g. “heat_up” or “door_closed”.9 Model Checking Problem Let M be a model, i.e., a state-transition graph. Let ƒ be the property in temporal logic. Find all states s such that M has property ƒ at state s. Efficient Algorithms: CE81, CES8310 The EMC System 1982/83 Preprocessor Model Checker (EMC) State Transition Graph 104 to 105 states Properties True or Counterexamples11 Model Checker Architecture System Description Formal Specification Validation or Counterexample Model Checker State Explosion Problem!!12 The State Explosion Problem System Description State Transition Graph Combinatorial explosion of system states renders explicit model construction infeasible. Exponential Growth of … … global state space in number of concurrent components. … memory states in memory size. Feasibility of model checking inherently tied to handling state explosion.13 Combating State Explosion • Binary Decision Diagrams can be used to represent state transition systems more efficiently. à Symbolic Model Checking 1992 • Semantic techniques for alleviating state explosion: – Partial Order Reduction. – Abstraction. – Compositional reasoning. – Symmetry. – Cone of influence reduction. – Semantic minimization.14 Model Checking since 1981 1981 Clarke / Emerson: CTL Model Checking Sifakis / Quielle 1982 EMC: Explicit Model Checker Clarke, Emerson, Sistla 1990 Symbolic Model Checking Burch, Clarke, Dill, McMillan 1992 SMV: Symbolic Model Verifier McMillan 1998 Bounded Model Checking using SAT Biere, Clarke, Zhu 2000 Counterexample-guided Abstraction Refinement Clarke, Grumberg, Jha, Lu, Veith 105 10100 101000 1990s: Formal Hardware Verification in Industry: Intel, IBM, Motorola, etc.15 Model Checking since 1981 1981 Clarke / Emerson: CTL Model Checking Sifakis / Quielle 1982 EMC: Explicit Model Checker Clarke, Emerson, Sistla 1990 Symbolic Model Checking Burch, Clarke, Dill, McMillan 1992 SMV: Symbolic Model Verifier McMillan 1998 Bounded Model Checking using SAT Biere, Clarke, Zhu 2000 Counterexample-guided Abstraction Refinement Clarke, Grumberg, Jha, Lu, Veith CBMC MAGIC16 Grand Challenge: Model Check Software ! What makes Software Model Checking different ?17 What Makes Software Model Checking Different ? • Large/unbounded base types: int, float, string • User-defined types/classes • Pointers/aliasing + unbounded #’s of heap-allocated cells • Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading • Concurrency + unbounded #’s of threads18 What Makes Software Model Checking Different ? • Templates/generics/include files • Interrupts/exceptions/callbacks • Use of secondary storage: files, databases • Absent source code for: libraries, system calls, mobile code • Esoteric features: continuations, self-modifying code • Size (e.g., MS Word = 1.4 MLOC)19 Grand Challenge: Model Check Software ! Early attempts in the 1980s failed to scale. 2000s: renewed interest / demand: Java Pathfinder: NASA Ames SLAM: Microsoft Bandera: Kansas State BLAST: Berkeley … SLAM to be shipped to Windows device driver developers. In general, these tools are unable to handle complex data structures and concurrency.20 The MAGIC Tool: Counterexample-Guided Abstraction Refinement Abstract Memory State Memory State Memory State Memory State Memory State Memory State Memory State Memory State Memory State Abstraction Abstraction maps classes of similar memory states to single abstract memory states. + Model size drastically reduced. - Invalid counterexamples possible. Abstract Memory State21 The MAGIC Tool: Counterexample-Guided Abstraction Refinement Abstraction Verification Yes System OK Counterexample Valid? C Program Abstract Model Yes Abstraction Refinement Abstraction Guidance Improved Abstraction Guidance No No22 CBMC: Embedded Systems Verification • Method: Bounded Model Checking • Implemented GUI to facilitate tech transfer • Applications: – Part of train controller from GE – Cryptographic algorithms (DES, AES, SHS) – C Models of ASICs