# **Model Checking**

# My 27 year quest to overcome the state explosion problem



## **Intel Pentium FDIV Bug**



- Try 4195835 4195835 / 3145727 \* 3145727.
  In 94' Pentium, it doesn't return 0, but 256.
- Intel uses the SRT algorithm for floating point division. Five entries in the lookup table are missing.
- Cost: \$500 million
- Xudong Zhao's Thesis on Word Level Model Checking

### Recent Rumor: New AMD TLB Bug??



- AMD Family 10h revision B2 processors suffer from an issue in the processor TLB (Translation Lookaside Buffer).
- Launch date of these processors was delayed in September, 2007.
- AMD doesn't have official announcement yet, but you can google "AMD Barcelona bug" for plenty of discussion.

### Temporal Logic Model Checking

- Model checking is an **automatic verification technique** for finite state concurrent systems.
- Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980's.
- Specifications are written in propositional temporal logic.
- Verification procedure is an exhaustive search of the state space of the design.

### Advantages of Model Checking

- No proofs!!!
- Fast (compared to other rigorous methods such as theorem proving)
- Diagnostic counterexamples
- No problem with partial specifications
- Logics can easily express many concurrency properties

### **Main Disadvantage**

**State Explosion Problem:** 





## Main Disadvantage Contd.

**State Explosion Problem:** 



Unavoidable in worst case, but steady progress over the past 27 years using clever algorithms, data structures, and engineering



| a     | "a is true now"                         |
|-------|-----------------------------------------|
| Xa    | "a is true in the neXt state"           |
| Fa    | "a will be true in the Future"          |
| Ga    | "a will be Globally true in the future" |
| a U b | "a will hold true Until b becomes true" |



| a     | "a is true now"                         |
|-------|-----------------------------------------|
| Xa    | "a is true in the neXt state"           |
| Fa    | "a will be true in the Future"          |
| Ga    | "a will be Globally true in the future" |
| a U b | "a will hold true Until b becomes true" |



| a     | "a is true now"                         |
|-------|-----------------------------------------|
| Xa    | "a is true in the neXt state"           |
| Fa    | "a will be true in the Future"          |
| Ga    | "a will be Globally true in the future" |
| a U b | "a will hold true Until b becomes true" |



| a     | "a is true now"                         |
|-------|-----------------------------------------|
| Xa    | "a is true in the neXt state"           |
| Fa    | "a will be true in the Future"          |
| Ga    | "a will be Globally true in the future" |
| a U b | "a will hold true Until b becomes true" |
|       |                                         |



| a     | "a is true now"                         |
|-------|-----------------------------------------|
| Xa    | "a is true in the neXt state"           |
| Fa    | "a will be true in the Future"          |
| Ga    | "a will be Globally true in the future" |
| a U b | "a will hold true Until b becomes true" |

# **Branching Time**





EF g

"g will possibly become true"



AF g "g will necessarily become true"



### AG g "g is an invariant"



### EG g "g is a potential invariant"

CTL uses the temporal operators

AX, AG, AF, AU EX, EG, EF, EU

CTL\* allows complex nestings such as AXX, AGX, EXF, ...

CTL: linear model checking algorithm !

# **Model Checking Problem**

- Let *M* be a state-transition graph.
- Let **f** be the **specification** in temporal logic.
- Find all states s of M such that M, s = f.

- CTL Model Checking: CE 81; CES 83/86; QS 81/82.
- LTL Model Checking: LP 85.
- Automata Theoretic LTL Model Checking: VW 86.
- CTL\* Model Checking: EL 85.

### **Model of computation**



#### **Microwave Oven Example** State-transition graph describes system evolving ~ Start ~ Close over time. ~ Heat ~ Error ~ Start Start ~ Start Close ~ Close Close ~ Heat Heat ~ Heat ~ Error Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat **Error** ~ Error ~ Error

### **Temporal Logic and Model Checking**



- The oven doesn't heat up until the door is closed.
- Not heat\_up holds until door\_closed
- (~ heat\_up) U door\_closed

# **Model Checking**



### Hardware Example: IEEE Futurebus+

- In 1992 we used Model Checking to verify the IEEE Future+ cache coherence protocol.
- Found a number of previously undetected errors in the design.
- First time that formal methods were used to find errors in an IEEE standard.
- Development of the protocol began in 1988, but previous attempts to validate it were informal.

### Four Big Breakthroughs on State Space Explosion Problem!

Symbolic Model Checking

Burch, Clarke, McMillan, Dill, and Hwang 90;

Ken McMillan's thesis 92





• The Partial Order Reduction Valmari 90 Godefroid 90 Peled 94



### Four Big Breakthroughs on State Space Explosion Problem (Cont.)

- Bounded Model Checking

   Biere, Cimatti, Clarke, Zhu 99
  - Using Fast SAT solvers
  - Can handle thousands of state elements



### Can the given property fail in k-steps?



BMC in practice: Circuit with 9510 latches, 9499 inputs BMC formula has  $4 \pm 10^6$  variables,  $1.2 \pm 10^7$  clauses Shortest bug of length 37 found in 69 seconds

### Four Big Breakthroughs on State Space Explosion Problem (Cont.)

Localization Reduction
 Bob Kurshan 1994





- Counterexample Guided Abstraction Refinement (CEGAR)
  - Clarke, Grumberg, Jha, Lu, Veith 2000
  - Used in most software model checkers



### From Hardware to Software:

Natural Question: Is it possible to model check software?

According to **Wired News** on Nov 10, 2005:

"When Bill Gates announced that the technology was under development at the 2002 Windows Engineering Conference, he called it the holy grail of computer science"

### Grand Challenge: Model Check Software !

# What makes **Software Model Checking** different ?



### What Makes Software Model Checking Different ?

- Large/unbounded base types: int, float, string
- User-defined types/classes
- Pointers/aliasing + unbounded #'s of heap-allocated cells
- Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading
- Concurrency + unbounded #'s of threads

### What Makes Software Model Checking Different ?

- Templates/generics/include files
- Interrupts/exceptions/callbacks
- Use of secondary storage: files, databases
- Absent source code for: libraries, system calls, mobile code
- Esoteric features: continuations, self-modifying code
- Size (e.g., MS Word = 1.4 MLOC)

### **1. Combine static analysis and model checking** Use static analysis to extract a model K from a boolean abstraction of the program.

Then check that f is true in K (K <sup>2</sup> f), where f is the specification of the program.

- SLAM (Microsoft)
- Bandera (Kansas State)
- MAGIC, SATABS (CMU)
- BLAST (Berkeley)
- F-Soft (NEC)

- 1. Simulate program along all paths in computation tree
  - <sup>2</sup> Java PathFinder (NASA Ames)
  - <sup>2</sup> Source code + backtracking (e.g., Verisoft)
  - <sup>2</sup> Source code + symbolic execution + backtracking (e.g., MS/Intrinsa Prefix)

 Use finite-state machine to look for patterns in control-flow graph [Engler]

- **1. Design with Finite-State Software Models** Finite state software models can act as "missing link" between transition graphs and complex software.
  - <sup>2</sup> Statecharts
  - <sup>2</sup> Esterel

- Use Bounded Model Checking and SAT [Kroening]
  - <sup>2</sup> Problem: How to compute set of reachable states? Fixpoint computation is too expensive.
  - <sup>2</sup> Restrict search to states that are reachable from initial state within fixed number n of transitions
  - <sup>2</sup> Implemented by unwinding program and using SAT solver

### Key techniques for Software Model Checking

- Counterexample Guided Abstraction Refinement
  - Kurshan, Yuan Lu, Clarke et al JACM, Ball et al
  - Uses counterexamples to refine abstraction

### • Predicate Abstraction

- Graf and Saidi, Ball et al, Chaki et al, Kroening
- Keeps track of certain predicates on data
- Captures relationship between variables

# Counterexamples



# Counterexamples



# Counterexamples



# **Existential Abstraction**

Given an abstraction function  $\alpha : S \rightarrow S_{\alpha}$ , the concrete states are grouped and mapped into abstract states :



### **Preservation Theorem**

 Theorem (Clarke, Grumberg, Long) If property holds on abstract model, it holds on concrete model

- Technical conditions
  - $\succ$  Property is universal i.e., no existential quantifiers
  - $\succ$  Atomic formulas respect abstraction mapping
- Converse implication is not valid !

# **Spurious Behavior**



### AGAF red

"Every path necessarily leads back to red."

Spurious Counterexample: <go><go><go>... Artifact of the abstraction !

### How to define Abstraction Functions?

Abstraction too fine

State Explosion

Abstraction too coarse Information Loss

**Automatic Abstraction Methodology** 

### **Automatic Abstraction**



### **CEGAR** CounterExample-Guided Abstraction Refinement



Spurious counterexample

### Software Example: Device Driver Code

### Also according to Wired News:

"Microsoft has developed a tool called Static Device Verifier or SDV, that uses 'Model Checking' to analyze the source code for Windows drivers and see if the code that the programmer wrote matches a mathematical model of what a Windows device driver should do. If the driver doesn't match the model, the SDV warns that the driver might contain a bug."

### **Back to Hardware!**



#### **Register Level Verilog:**

```
always @(posedge clk) begin
// value = (value + carry_in) % 2;
    case(value)
        0: value = carry_in;
        1: if (carry_in ==0)
            value = 1;
        else value = 0;
    endcase
end
endmodule
```

#### Gate Level (netlist):

.model counter\_cell .inputs carry\_in .outputs carry\_out

```
.names value carry in n2
.def 0
111
.names n2 carry out$raw n1
- = n2
.names value$raw n3
0
.names n6
\mathbf{0}
.names value n6 n7
.def 0
011
101
.r value$raw n3 value
00
1 1
     (120 lines)
```

## Lack of verification support



### Model Checking at the Register Level



# **Abstraction-Refinement loop** (CEGAR)



Spurious counterexample

# Benchmarks

- Ethernet MAC from opencores.org
- 5000 lines of RTL Verilog



Transmit Module In Ethernet MAC (self-loop on each state not shown)

Checked three properties:

- 3. Transmit module simulates state machine on left. (ETH0)
- 4. Checks transitions out of state BackOff (ETH1)
  - Checks transitions out of state Jam (ETH2)

# **Experimental Results**

| Benchmark | Latches | Time<br>(sec) | #Preds | #Iters |
|-----------|---------|---------------|--------|--------|
| ETH0      | 359     | 44            | 21     | 55     |
| ETH1      | 359     | 127           | 93     | 51     |
| ETH2      | 359     | 161           | 94     | 111    |

### **Challenges for the Future**

- Exploiting the Power of SAT, Satisfiability Modulo Theories (SMT)
- **Compositional Model Checking** of both Hardware and Software
- Software Model Checking, Model Checking and Static Analysis
- Verification of Embedded Systems (Timed and Hybrid Automata)
- Model Checking and Theorem Proving (PVS, STEP, SyMP, Maude)
- Probabilistic and Statistical Model Checking
- Interpreting Counterexamples
- Scaling up even more!!

### My goal: Verification of Safety-Critical Embedded



### Do you trust your car?

Embedded Systems are as important in Europe as Computer Security is in the U.S.!

### Students, Post-docs, and **isutors**

- **Sergey Berezin**
- **Michael Browne** •
- Jerry Burch ٠
- ٠ Sergio Campos
- ٠ Sagar Chaki
- Pankaj Chauhan ٠
- **David Dill** ٠
- Allen Emerson •
- ٠ **Alex Groce**
- **Anubhav Gupta** •
- Vicki Hartonas-Garmhausen ٠
- Himanshu Jain ٠
- ٠ Sumit Jha
- William Klieber ٠
- **David Long** •
- Yuan Lu •
- ٠ Dong Wang
- Will Marrero •
- Ken McMillan ٠
- Marius Minea ٠
- **Bud Mishra** ٠
- ٠ Christos Nikolaou
- Nishant Sinha ٠
- **Prasad Sistla** •
- **Muralidhar Talupur** ٠
- **Xudong Zhao** •

**Post-docs:** 

- **Constantinos Bartzis**
- **Armin Biere**
- Lei Bu
- **David Deharbe**
- **Alexandre Donze**
- Azadeh Farzan
- **Ansgar Fehnker**
- **Wolfgang Heinle**
- **Tamir Heyman**
- James Kapinski
- Daniel Kroening
- **Axel Legay**
- **Daniel Milam**
- Alaexandar Nanevski
- Joel Ouaknine
- **Karsten Schmidt**
- Subash Shankar
- **Ofer Strichman**
- Prasanna Thati
- **Micheal Theobald**
- **Tayssir Touili**
- **Helmut Veith**
- Silke Wagner
- **Karen Yorav**
- Haifeng Zhu
- Yunshan Zhu

Visitors:

- Y. Chen
- Y. Feng
- T. Filkorn
- M. Fujita
- P. Granger
- O. Grumberg •
- H. Hamaguchi
- H. Hiraishi
- S. Kimura
- S. Krischner
- G.H. Kwon
- X. Li
- A. Platzer
- R. Raimi
- H. Schlingloff
- S. Shanker
- Y.Q. Sun
- T. Tang
- F. Tiplea
- Y. Tsay
- J.P. Vidal
- **B. Wang**
- F. Wang
- P. Williams
- W. Windsteiger
- Kwang Yi
- T. Yoneda

