Model Checking: A Tutorial Overview

We survey principles of model checking techniques for the automatic analysis of reactive systems. The use of model checking is exemplified by an analysis of the Needham-Schroeder public key protocol. We then formally define transition systems, temporal logic, ω-automata, and their relationship. Basic model checking algorithms for linear- and branching-time temporal logics are defined, followed by an introduction to symbolic model checking and partial-order reduction techniques. The paper ends with a list of references to some more advanced topics.
