Model checking

Beginning

  • Automatic formal verification of finite state transition systems, developed in the 1990s.
  • Major chip design companies added these techniques to their normal quality assurance process.
  • Most widely used method: model checking.
  • Design to be verified: modeled as a finite state machine.
  • Specification: formalized by writing temporal logic properties.

Beginning

  • The reachable states of the design are then traversed.
  • If a property fails, a counterexample is generated in the form of a sequence of states.
  • Two kinds of property: safety property; liveness property.
  • Properties must hold for every possible execution.
  • Safety: nothing bad happens. Counterexample: a trace of states where the last state contradicts the property.
  • Liveness: something good eventually happens. Counterexample: a path to a loop that does not contain the desired state. Such a loop represents an infinite path that never reaches the specified state.

Model checkers

  • State space explosion.
  • Used mostly for finding logical errors (‘falsification’) rather than for proving that they do not exist (‘verification’).
  • These tools are capable of finding errors that are not likely to be found by simulation.
  • Unlike simulators, which examine a relatively small set of test cases, model checkers consider all possible behaviors or executions of the system.
  • The process of writing the temporal properties in a formal language can be very beneficial by itself, as it clarifies potential ambiguities in the specification and helps refine it.

Model checkers

  • The term Model Checking was coined by Clarke and Emerson [11] in the early eighties.
  • The first model checking algorithms explicitly enumerated the reachable states of the system in order to check the correctness of a given specification.
  • Problem: the number of states can grow exponentially in the number of variables.

Symbolic model checking

  • Sets of states are represented implicitly using Boolean functions.
  • Assume that the behavior of some system is determined by the two variables v1 and v2, and that (11, 01, 10) are the three combinations of values that can be assigned to these variables in any execution of this system. Rather than keeping and manipulating this explicit list of states, it is more efficient to handle a Boolean function that represents this set: v1 ∨ v2.

Bounded model checking

Bounded Model Checking (BMC) was first proposed by Biere et al. in 1999 [4].

It does not solve the complexity problem of model checking, since it still relies on an exponential procedure and hence is limited in its capacity.

Unlike BDD-based methods, BMC has the disadvantage of not being able to prove the absence of errors.

Bounded model checking

The basic idea in BMC is to search for a counterexample in executions whose length is bounded by some integer k.

If no bug is found, then one increases k until either a bug is found, the problem becomes intractable, or some pre-known upper bound is reached (the Completeness Threshold of the design).

The BMC problem can be efficiently reduced to a propositional satisfiability problem, and can therefore be solved by SAT methods rather than BDDs.

SAT procedures do not suffer from the space explosion problem of BDD-based methods.

Additional characteristics

1. User has to provide a bound on the number of cycles that should be explored, which implies that the method is incomplete if the bound is not high enough.

2. It uses SAT techniques rather than BDDs.

3. If the SAT checkers are tuned to take advantage of the unique structure of the formulas resulting from BMC, this method improves even further.
By ashleel baba