Model Checking

ion. Although symbolic model checking and partial-order reduction techniques attempt to battle the so-called state explosion problem, the size of systems that can be analysed using model checking remains relatively limited: even astronomical numbers such as 10100 reachable states are generated by systems with a few hundred bits, which is a far cry from real hardware or software systems. Model checking must therefore be performed on rather abstract models. Ideally, model checking is applied concurrently with system design, and particularly in its early stages when systems are modelled at a high level of abstraction, because the payoff of finding bugs at that stage is highest whereas the costs are low. For example, Lilius and Porres [83] describe a tool for model checking UML state machine diagrams [13], and model checking for similar high-level system descriptions is described in [5, 49]. When the model is too big to be analysed or even infinite, a smaller, more abstract model has to be found such that the validity of the property over the abstract model implies its validity over the concrete model. The relationship between the abstract and the concrete models can be formalised by an abstraction function or relation, and either needs to be verified using interactive theorem proving or ensured by construction of the abstract model using techniques of abstract interpretation [32]. Relevant papers on this subject include [25, 85, 34, 84, 93]. A particular convenient way of presenting abstraction functions is in the form of predicate abstractions that introduce boolean variables for atomic propositions. In conjunction with the presentation of abstract systems as verification diagrams, this form of abstraction can be presented in a form that is directly understood by the system designer and can be used to (interactively) analyze systems of arbitrary complexity [36, 86, 104, 70].model using techniques of abstract interpretation [32]. Relevant papers on this subject include [25, 85, 34, 84, 93]. A particular convenient way of presenting abstraction functions is in the form of predicate abstractions that introduce boolean variables for atomic propositions. In conjunction with the presentation of abstract systems as verification diagrams, this form of abstraction can be presented in a form that is directly understood by the system designer and can be used to (interactively) analyze systems of arbitrary complexity [36, 86, 104, 70]. Symmetry reductions. Replication of identical components induces symmetry in the models of reactive systems, and it is clearly wasteful to search all permutations of symmetric transitions. More formally, a boolean function f (b1; : : : ; bn ) is said to be invariant under a permutation of its arguments if f (b1; : : : ; bn) = f ( (b1); : : : ; (bn )), and invariant under a group G of permutations if it is invariant under all permutations in the group. If the transition relation of a system is invariant under a permutation group one can check the quotient of the transition system modulo the associated equivalence relation and obtain a system that can be much smaller [107, 22, 66, 67]. Parameterized systems where, for example, the number of processes is a parameter of the system description, can be regarded as a special instance of symmetry. It may be possible to perform standard model checking in order to analyse models for fixed parameter values and then establish correctness for arbitrary parameter values by induction. For example, Browne et al. [14] suggested to model check a two-process system, and to establish a bisimulation relation between two-process and n-process systems, ensuring that formulas expressed in a suitable logic cannot distinguish between these systems. This approach has been extended in [78, 116] to use a finite-state process I that acts as an invariant, requiring to show that the composition of I with another process of the parameterized system does not add any new computations. Because I is finitestate, this can be accomplished using (a variation of) standard model checking. Related techniques are described in [43, 52]. Infinite-state systems. The extension of model checking techniques to infinite-state systems has been a particularly hot research topic during recent years [20, 46, 47, 94]. See Esparza’s contribution to this volume for more details. Compositional verification. Instead of verifying a system composed from several processes as a whole, it may be preferable to establish properties of its subcomponents and combine these in order to derive properties of the entire system [37]. One problem that arises with this approach is that subcomponents are designed to make assumptions about the behavior of their environment, and that every subcomponent is part of every other’s environment. One should therefore expect cyclic assumptions between different processes. Pnueli et al. [100, 8] require a well-founded dependency between assumptions, avoiding the problem of circular reasoning. However, depending on the computational model and the type of the property to be checked, cyclic assumptions can be tolerated because it is possible to perform induction on the number of computation steps [1, 21, 90]. Model checking algorithms for modular verification include [68, 56]. Real-time systems. Whereas temporal logics such as PTL and CTL only formalize the relative ordering of states and events, some systems require assertions about quantitative aspects of time, and adequate formal models such as timed automata [2] or timed transition systems [59] and logics [4] have been proposed. Algorithms for the reachability and model checking problems include [3, 61, 60]. In general, the complexity for the verification of real-time and hybrid systems is much higher than for untimed systems, and tools such as KRONOS [118], UPPAAL [80] or HYTECH [58] are restricted to relatively small systems.

[1]  David E. Muller,et al.  Infinite sequences and finite machines , 1963, SWCT.

[2]  Johan Anthory Willem Kamp,et al.  Tense logic and the theory of linear order , 1968 .

[3]  M. Rabin Decidability of second-order theories and automata on infinite trees , 1968 .

[4]  R. McNaughton,et al.  Counter-Free Automata , 1971 .

[5]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms , 1972, SIAM J. Comput..

[6]  David Michael Ritchie Park Finiteness is Mu-Ineffable , 1976, Theor. Comput. Sci..

[7]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[8]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[9]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic , 1981, Logic of Programs.

[10]  Pierre Wolper,et al.  Temporal logic can be more expressive , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[11]  A. Prasad Sistla,et al.  The complexity of propositional linear temporal logics , 1982, STOC '82.

[12]  Dexter Kozen,et al.  RESULTS ON THE PROPOSITIONAL’p-CALCULUS , 2001 .

[13]  Leslie Lamport,et al.  What Good is Temporal Logic? , 1983, IFIP Congress.

[14]  Amir Pnueli,et al.  Now you may compose temporal logic specifications , 1984, STOC '84.

[15]  Amir Pnueli,et al.  On the Development of Reactive Systems , 1989, Logics and Models of Concurrent Systems.

[16]  Amir Pnueli,et al.  In Transition From Global to Modular Temporal Reasoning about Programs , 1989, Logics and Models of Concurrent Systems.

[17]  Amir Pnueli,et al.  The Glory of the Past , 1985, Logic of Programs.

[18]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[19]  Chin-Laung Lei,et al.  Efficient Model Checking in Fragments of the Propositional Mu-Calculus (Extended Abstract) , 1986, LICS.

[20]  A. P. Sistla,et al.  Automatic verification of finite-state concurrent systems using temporal logic specifications , 1986, TOPL.

[21]  David E. Muller,et al.  Alternating Automata. The Weak Monadic Theory of the Tree, and its Complexity , 1986, ICALP.

[22]  Fred Kröger,et al.  Temporal Logic of Programs , 1987, EATCS Monographs on Theoretical Computer Science.

[23]  Z. Manna,et al.  A hierarchy of temporal properties , 1987, PODC '87.

[24]  David E. Muller,et al.  Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[25]  Pierre Wolper,et al.  Verifying Properties of Large Sets of Processes with Network Invariants , 1990, Automatic Verification Methods for Finite State Systems.

[26]  Robert P. Kurshan,et al.  A structural induction theorem for processes , 1989, PODC.

[27]  Edmund M. Clarke,et al.  Reasoning about Networks with Many Identical Finite State Processes , 1989, Inf. Comput..

[28]  Wolfgang Thomas,et al.  Automata on Infinite Objects , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[29]  J. R. Büchi On a Decision Method in Restricted Second Order Arithmetic , 1990 .

[30]  Wolfgang Thomas,et al.  Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics , 1990 .

[31]  Antti Valmari,et al.  A stubborn attack on state explosion , 1990, Formal Methods Syst. Des..

[32]  Thomas A. Henzinger,et al.  Logics and Models of Real Time: A Survey , 1991, REX Workshop.

[33]  Pierre Wolper,et al.  A partial approach to model checking , 1991, [1991] Proceedings Sixth Annual IEEE Symposium on Logic in Computer Science.

[34]  Randal E. Bryant,et al.  On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Application to Integer Multiplication , 1991, IEEE Trans. Computers.

[35]  P. H. Starke,et al.  Reachability analysis of Petri nets using symmetries , 1991 .

[36]  D. E. Long,et al.  Model checking and abstraction , 1992, POPL '92.

[37]  Samson Abramsky,et al.  Handbook of logic in computer science. , 1992 .

[38]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[39]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[40]  A. Prasad Sistla,et al.  Reasoning about systems with many processes , 1992, JACM.

[41]  Pierre Wolper,et al.  Memory-efficient algorithms for the verification of temporal properties , 1990, Formal Methods Syst. Des..

[42]  Somesh Jha,et al.  Verification of the Futurebus+ cache coherence protocol , 1993, Formal Methods Syst. Des..

[43]  A. Prasad Sistla,et al.  On Model-Checking for Fragments of µ-Calculus , 1993, CAV.

[44]  Kenneth L. McMillan,et al.  Symbolic model checking , 1992 .

[45]  Chikahiro Hori,et al.  Interleaving based variable ordering methods for ordered binary decision diagrams , 1993, ICCAD.

[46]  Edmund M. Clarke,et al.  Model checking, abstraction, and compositional verification , 1993 .

[47]  David L. Dill,et al.  Better verification through symmetry , 1996, Formal Methods Syst. Des..

[48]  Robert K. Brayton,et al.  Dynamic variable reordering for BDD minimization , 1993, Proceedings of EURO-DAC 93 and EURO-VHDL 93- European Design Automation Conference.

[49]  Rance Cleaveland,et al.  A linear-time model-checking algorithm for the alternation-free modal mu-calculus , 1993, Formal Methods Syst. Des..

[50]  Somesh Jha,et al.  Exploiting Symmetry In Temporal Logic Model Checking , 1993, CAV.

[51]  Orna Grumberg,et al.  Abstract Interpretation of Reactive Systems: Abstractions Preserving 'I1CTL *. 3CTL * and CTL * , 1994 .

[52]  Pierre Wolper,et al.  Reasoning About Infinite Computations , 1994, Inf. Comput..

[53]  Javier Esparza Model Checking Using Net Unfoldings , 1994, Sci. Comput. Program..

[54]  Gerard J. Holzmann,et al.  An improvement in formal verification , 1994, FORTE.

[55]  Orna Grumberg,et al.  Abstract interpretation of reactive systems : abstractions preserving .. , 1994 .

[56]  Thomas A. Henzinger,et al.  Symbolic Model Checking for Real-Time Systems , 1994, Inf. Comput..

[57]  Orna Grumberg,et al.  Model checking and modular verification , 1994, TOPL.

[58]  Thomas A. Henzinger,et al.  Temporal Proof Methodologies for Timed Transition Systems , 1994, Inf. Comput..

[59]  Edmund M. Clarke,et al.  Another Look at LTL Model Checking , 1994, CAV.

[60]  Martín Abadi,et al.  Conjoining specifications , 1995, TOPL.

[61]  K. Larsen,et al.  Model-Checking for Real-Time Systems , 1995, International Symposium on Fundamentals of Computation Theory.

[62]  Pierre Wolper,et al.  Simple on-the-fly automatic verification of linear temporal logic , 1995, PSTV.

[63]  Joseph Sifakis,et al.  Property preserving abstractions for the verification of concurrent systems , 1995, Formal Methods Syst. Des..

[64]  Gerard J. Holzmann An analysis of bitstate hashing , 1995 .

[65]  Moshe Y. Vardi Alternating Automata and Program Verification , 1995, Computer Science Today.

[66]  D. Peled,et al.  Temporal Logic: Mathematical Foundations and Computational Aspects, Volume 1 , 1995 .

[67]  Parallel composition of assumption-commitment specifications a unifying approach for shared variable and distributed message passing concurrency , 1995 .

[68]  Jochen Bern,et al.  Global rebuilding of OBDDs Avoiding Memory Requirement Maxima , 1995, CAV.

[69]  David L. Dill,et al.  Verifying Systems with Replicated Components in Murphi , 1996, CAV.

[70]  Javier Esparza,et al.  More infinite results , 2001, INFINITY.

[71]  Patrice Godefroid,et al.  Symbolic Protocol Verification with Queue BDDs , 1996, Proceedings 11th Annual IEEE Symposium on Logic in Computer Science.

[72]  Thomas A. Henzinger,et al.  A Space-Efficient On-the-fly Algorithm for Real-Time Model Checking , 1996, CONCUR.

[73]  Faron Moller,et al.  Infinite Results , 1996, CONCUR.

[74]  Rajeev Alur,et al.  An Analyzer for Message Sequence Charts , 1996, Softw. Concepts Tools.

[75]  Anuchit Anuchitanukul,et al.  Synthesis of reactive programs , 1996 .

[76]  Kedar S. Namjoshi,et al.  Automatic Verification of Parameterized Synchronous Systems (Extended Abstract) , 1996, CAV.

[77]  Wolfgang Thomas,et al.  Languages, Automata, and Logic , 1997, Handbook of Formal Languages.

[78]  Orna Kupferman,et al.  Weak alternating automata are not that weak , 1997, Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems.

[79]  Thomas A. Henzinger,et al.  HYTECH: a model checker for hybrid systems , 1997, International Journal on Software Tools for Technology Transfer.

[80]  Nils Klarlund,et al.  Mona & Fido: The Logic-Automaton Connection in Practice , 1997, CSL.

[81]  Hantao Zhang,et al.  SATO: An Efficient Propositional Prover , 1997, CADE.

[82]  Sergio Yovine,et al.  KRONOS: a verification tool for real-time systems , 1997, International Journal on Software Tools for Technology Transfer.

[83]  Henny B. Sipma,et al.  Visual Verification of Reactive Systems , 1997, TACAS.

[84]  Kenneth L. McMillan,et al.  A Compositional Rule for Hardware Design Refinement , 1997, CAV.

[85]  Armin Biere Effiziente Modellprüfung des µ-Kalküls mit binären Entscheidungsdiagrammen , 1997 .

[86]  Stephan Merz,et al.  Rules for Abstraction , 1997, ASIAN.

[87]  Javier Esparza,et al.  Decidability of model checking for infinite-state concurrent systems , 1997, Acta Informatica.

[88]  Wang Yi,et al.  Uppaal in a nutshell , 1997, International Journal on Software Tools for Technology Transfer.

[89]  Henny B. Sipma,et al.  Visual Abstractions for Temporal Verification , 1999, AMAST.

[90]  Orna Kupferman,et al.  Verification of Fair Transition Systems , 1998, Chic. J. Theor. Comput. Sci..

[91]  Amir Pnueli,et al.  Compositionality: The Significant Difference , 1999, Lecture Notes in Computer Science.

[92]  Rob Pooley,et al.  The unified modelling language , 1999, IEE Proc. Softw..

[93]  Wolfgang Thomas Complementation of Büchi Automata Revised , 1999, Jewels are Forever.

[94]  E. Clarke,et al.  Symbolic model checking using SAT procedures instead of BDDs , 1999, Proceedings 1999 Design Automation Conference (Cat. No. 99CH36361).

[95]  Alain Finkel,et al.  On the verification of broadcast protocols , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[96]  Fausto Giunchiglia,et al.  Improved Automata Generation for Linear Temporal Logic , 1999, CAV.

[97]  Johan Lilius,et al.  Formalising UML State Machines for Model Checking , 1999, UML.

[98]  Ursula Goltz,et al.  Timed Sequence Diagrams and Tool-Based Analysis - A Case Study , 1999, UML.

[99]  Martin Leucker,et al.  Model Checking Games for the Alternation-Free µ-Calculus and Alternating Automata , 1999, LPAR.

[100]  Patrice Godefroid,et al.  Symbolic Verification of Communication Protocols with Infinite State Spaces using QDDs , 1999, Formal Methods Syst. Des..

[101]  Thomas A. Henzinger,et al.  Alternating-time temporal logic , 1999 .

[102]  Jean-Michel Couvreur,et al.  On-the-Fly Verification of Linear Temporal Logic , 1999, World Congress on Formal Methods.

[103]  Amir Pnueli,et al.  Verifying Liveness by Augmented Abstraction , 1999, CSL.

[104]  Klaus Schneider Yet another Look at the LTL Model Checking , 1999, CHARME.

[105]  Henny B. Sipma,et al.  Deductive Model Checking , 1996, Formal Methods Syst. Des..

[106]  Rob Gerthy Partial Order Reductions Preserving Simulations , 1999 .

[107]  Pierre Wolper,et al.  An automata-theoretic approach to branching-time model checking , 2000, JACM.