Verification tools for finite-state concurrent systems

  • E. Clarke
  • O. Grumberg
  • D. Long
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 803)

Abstract

Temporal logic model checking is an automatic technique for verifying finite-state concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a state-transition graph. An efficient search procedure is used to determine whether or not the state-transition graph satisfies the specification. When the technique was first developed ten years ago, it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By representing transition relations and sets of states implicitly using binary decision diagrams, it is now possible to check concurrent systems with more than 10120 states. In this paper we describe in detail how the new implementation works and give realistic examples to illustrate its power. We also discuss a number of directions for future research. The necessary background information on binary decision diagrams, temporal logic, and model checking has been included in order to make the exposition as self-contained as possible.

Keywords

automatic verification temporal logic model checking binary decision diagrams 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    A. V. Aho, J. E. Hopcroft, and J. D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.Google Scholar
  2. 2.
    R. Alur, C. Courcourbetis, and D. Dill. Model-checking for real-time systems. In Proceedings of the 5th Symp. on Logic in Computer Science, pages 414–425, 1990.Google Scholar
  3. 3.
    R. Alur and T. A. Henzinger. Logics and models of real-time: A survey. In Lecture Notes in Computer Science, Real-Time: Theory in Practice. Springer-Verlag, 1992.Google Scholar
  4. 4.
    D. L. Beatty, R. E. Bryant, and C.-J. Seger. Formal hardware verification by symbolic ternary trajectory evaluation. In Proceedings of the 28th ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1991.Google Scholar
  5. 5.
    M. Ben-Ari, Z. Manna, and A. Pnueli. The temporal logic of branching time. Acta Informatica, 20:207–226, 1983.Google Scholar
  6. 6.
    C. Berthet, O. Coudert, and J. C. Madre. New ideas on symbolic manipulations of finite state machines. In IEEE International Conference on Computer Design, 1990.Google Scholar
  7. 7.
    G. V. Bochmann. Hardware specification with temporal logic: An example. IEEE Transactions on Computers, C-31(3), March 1982.Google Scholar
  8. 8.
    S. Bose and A. L. Fisher. Automatic verification of synchronous circuits using symbolic logic simulation and temporal logic. In L. Claesen, editor, Proceedings of the IMEC-IFIP International Workshop on Applied Formal Methods for Correct VLSI Design, November 1989.Google Scholar
  9. 9.
    K. S. Brace, R. L. Rudell, and R. E. Bryant. Efficient implementation of a BDD package. In DAC90 [36].Google Scholar
  10. 10.
    M. C. Browne and E. M. Clarke. Sml: A high level language for the design and verification of finite state machines. In IFIP WG 10.2 International Working Conference from HDL Descriptions to Guaranteed Correct Circuit Designs, Grenoble, France. IFIP, September 1986.Google Scholar
  11. 11.
    M. C. Browne, E. M. Clarke, and D. Dill. Checking the correctness of sequential circuits. In Proceedings of the 1985 International Conference on Computer Design, Port Chester, New York, October 1985. IEEE.Google Scholar
  12. 12.
    M. C. Browne, E. M. Clarke, and D. Dill. Automatic circuit verification using temporal logic: Two new examples. In Formal Aspects of VLSI Design. Elsevier Science Publishers (North Holland), 1986.Google Scholar
  13. 13.
    M. C. Browne, E. M. Clarke, D. L. Dill, and B. Mishra. Automatic verification of sequential circuits using temporal logic. IEEE Transactions on Computers, C-35(12):1035–1044, 1986.Google Scholar
  14. 14.
    R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.Google Scholar
  15. 15.
    R. E. Bryant. On the complexity of vlsi implementations and graph representations of boolean functions with application to integer multiplication. IEEE Transactions on Computers, 40(2):205–213, 1991.Google Scholar
  16. 16.
    R. E. Bryant. Symbolic boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys, 24(3):293–318, September 1992.Google Scholar
  17. 17.
    R. E. Bryant and C.-J. Seger. Formal verification of digital circuits using symbolic ternary system models. In Kurshan and Clarke [53].Google Scholar
  18. 18.
    J. R. Burch. Trace Algebra for Automatic Verification of Real-Time Concurrent Systems. PhD thesis, Carnegie Mellon University, 1992.Google Scholar
  19. 19.
    J. R. Burch, E. M. Clarke, and D. E. Long. Symbolic model checking with partitioned transition relations. In A. Halaas and P. B. Denyer, editors, Proceedings of the 1991 International Conference on Very Large Scale Integration, August 1991. Winner of the Sidney Michaelson Best Paper Award.Google Scholar
  20. 20.
    J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill. Symbolic model checking for sequential circuit verification. To appear in IEEE Transactions on Computer-Aided Design of Integrated Circuits.Google Scholar
  21. 21.
    J. R. Burch, E. M. Clarke, K. L. McMillan, and D. L. Dill. Sequential circuit verification using symbolic model checking. In DAC90 [36].Google Scholar
  22. 22.
    J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 1020 states and beyond. Information and Computation, 98(2):142–170, June 1992.Google Scholar
  23. 23.
    S. Campos. The priority inversion problem and real-time symbolic model checking. to appear, April 1993.Google Scholar
  24. 24.
    E. M. Clarke and I. A. Draghicescu. Expressibility results for linear time and branching time logics. In Linear Time, Branching Time, and Partial Order in Logics and Models for Concurrency, volume 354, pages 428–437. Springer-Verlag: Lecture Notes in Computer Science, 1988.Google Scholar
  25. 25.
    E. M. Clarke, I. A. Draghicescu, and R. P. Kurshan. A unified approach for showing language containment and equivalence between various types of ω-automata. In A. Arnold and N. D. Jones, editors, Proceedings of the 15th Colloquium on Trees in Algebra and Programming, volume 407 of Lecture Notes in Computer Science. Springer-Verlag, May 1990.Google Scholar
  26. 26.
    E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs: Workshop, Yorktown Heights, NY, May 1981, volume 131 of Lecture Notes in Computer Science. Springer-Verlag, 1981.Google Scholar
  27. 27.
    E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.Google Scholar
  28. 28.
    E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite-state processes. In Proceedings of the Fifth Annual ACM Symposium on Principles of Distributed Computing., pages 240–248. ACM, August 1986.Google Scholar
  29. 29.
    E. M. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D. E. Long, K. L. McMillan, and L. A. Ness. Verification of the Futurebus+ cache coherence protocol. In L. Claesen, editor, Proceedings of the Eleventh International Symposium on Computer Hardware Description Languages and their Applications. North-Holland, April 1993.Google Scholar
  30. 30.
    E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. In Proceedings of the Nineteenth Annual ACM Symposium on Principles of Programming Languages, January 1992.Google Scholar
  31. 31.
    E. M. Clarke, S. Kimura, D. E. Long, S. Michaylov, S. A. Schwab, and J. P. Vidal. Symbolic computation algorithms on shared memory multiprocessors. In Suzuki [75].Google Scholar
  32. 32.
    E.M. Clarke, T. Filkorn, and S. Jha. Exploiting symmetry in temporal logic model checking. In Courcoubetis [35].Google Scholar
  33. 33.
    O. Coudert, C. Berthet, and J. C. Madre. Verification of synchronous sequential machines based on symbolic execution. In Sifakis [73].Google Scholar
  34. 34.
    O. Coudert, J. C. Madre, and C. Berthet. Verifying temporal properties of sequential machines without building their state diagrams. In Kurshan and Clarke [53].Google Scholar
  35. 35.
    C. Courcoubetis, editor. Proceedings of the Fifth Workshop on Computer-Aided Verification, June/July 1993.Google Scholar
  36. 36.
    Proceedings of the 27th ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1990.Google Scholar
  37. 37.
    J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors. Proceedings of the REX Workshop on Stepwise Refinement of Distributed Systems, Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science. Springer-Verlag, May 1989.Google Scholar
  38. 38.
    D. L. Dill and E. M. Clarke. Automatic verification of asynchronous circuits using temporal logic. IEE Proceedings, Part E 133(5), 1986.Google Scholar
  39. 39.
    P. Dixon. Multilevel cache architectures. Minutes of the Futurebus+ Working Group meeting, December 1988.Google Scholar
  40. 40.
    E. Emerson and A. P. Sistla. Symmetry and model checking. In Courcoubetis [35].Google Scholar
  41. 41.
    E. A. Emerson and J. Y. Halpern. “Sometimes” and “Not Never” revisited: On branching time versus linear time. Journal of the ACM, 33:151–178, 1986.Google Scholar
  42. 42.
    E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasen. Quantitative temporal reason. In Kurshan and Clarke [53].Google Scholar
  43. 43.
    E.A. Emerson and Chin Laung Lei. Modalities for model checking: Branching time strikes back. Twelfth Symposium on Principles of Programming Languages, New Orleans, La., January 1985.Google Scholar
  44. 44.
    M. Fujita, H. Fujisawa, and N. Kawato. Evaluation and improvements of boolean comparison method based on binary decision diagrams. In Proceedings of the 1988 Proceedings of the IEEE International Conference on Computer Aided Design. IEEE Computer Society Press, November 1988.Google Scholar
  45. 45.
    M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.Google Scholar
  46. 46.
    P. Godefroid. Using partial orders to improve automatic verification methods. In Kurshan and Clarke [53].Google Scholar
  47. 47.
    O. Grumberg and D. E. Long. Model checking and modular verification. In J. C. M. Baeten and J. F. Groote, editors, Proceedings of CONCUR '91: 2nd International Conference on Concurrency Theory, volume 527 of Lecture Notes in Computer Science. Springer-Verlag, August 1991.Google Scholar
  48. 48.
    Z. Har'El and R. P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45–59, Jan.–Feb. 1990.Google Scholar
  49. 49.
    G. E. Hughes and M. J. Creswell. Introduction to Modal Logic. Methuen, London, 1977.Google Scholar
  50. 50.
    IEEE Computer Society. IEEE Standard for Futurebus+-Logical Protocol Specification, March 1992. IEEE Standard 896.1-1991.Google Scholar
  51. 51.
    B. Josko. Verifying the correctness of AADL-modules using model checking. In de Bakker et al. [37].Google Scholar
  52. 52.
    R. P. Kurshan. Analysis of discrete event coordination. In de Bakker et al. [37].Google Scholar
  53. 53.
    R. P. Kurshan and E. M. Clarke, editors. Proceedings of the 1990 Workshop on Computer-Aided Verification, June 1990.Google Scholar
  54. 54.
    R. P. Kurshan and K. L. McMillan. A structural induction theorem for processes. In Proceedings of the Eighth Annual ACM Symposium on Principles of Distributed Computing. ACM Press, August 1989.Google Scholar
  55. 55.
    L. Lamport. “Sometimes” is sometimes “Not Never”. In Annual ACM Symposium on Principles of Programming Languages, pages 174–185, 1980.Google Scholar
  56. 56.
    O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In Proceedings of the Twelfth Annual ACM Symposium on Principles of Programming Languages, January 1985.Google Scholar
  57. 57.
    D. L. Long. Model Checking, Abstraction, and Compositional Reasoning. PhD thesis, Carnegie Mellon University, 1993.Google Scholar
  58. 58.
    Y. Malachi and S. S. Owicki. Temporal specifications of self-timed systems. In H. T. Kung, B. Sproull, and G. Steele, editors, VLSI Systems and Computations. Computer Science Press, 1981.Google Scholar
  59. 59.
    S. Malik, A. Wang, R. Brayton, and A Sangiovanni-Vincenteli. Logic verification using binary decision diagrams in a logic synthesis environment. In International Conference on Computer-Aided Design, pages 6–9, 1988.Google Scholar
  60. 60.
    R. Marelly and O. Grumberg. GORMEL—Grammar ORiented ModEL checker. Technical Report 697, The Technion, October 1991.Google Scholar
  61. 61.
    K. L. McMillan. Symbolic Model Checking: An Approach to the State Explosion Problem. PhD thesis, Carnegie Mellon University, 1992.Google Scholar
  62. 62.
    K. L. McMillan and J. Schwalbe. Formal verification of the Gigamax cache consistency protocol. In Suzuki [75].Google Scholar
  63. 63.
    B. Mishra and E.M. Clarke. Hierarchical verification of asynchronous circuits using temporal logic. Theoretical Computer Science, 38:269–291, 1985.Google Scholar
  64. 64.
    P.Huber, A. Jensen, L. Jepsen, and K. Jensen. Towards reachability trees for high-level petri nets. In G. Rozenberg, editor, Advances on Petri Nets, 1984.Google Scholar
  65. 65.
    C. Pixley. A computational theory and implementation of sequential hardware equivalence. In R. Kurshan and E. Clarke, editors, Proc. CAV Workshop (also DIMACS Tech. Report 90-31), Rutgers University, NJ, June 1990.Google Scholar
  66. 66.
    C. Pixley, G. Beihl, and E. Pacas-Skewes. Automatic derivation of FSM specification to implementation encoding. In Proceedings of the International Conference on Computer Desgin, pages 245–249, Cambridge, MA, October 1991.Google Scholar
  67. 67.
    C. Pixley, S.-W. Jeong, and G. D. Hachtel. Exact calculation of synchronization sequences based on binary decision diagrams. In Proceedings of the 29th Design Automation Conference, pages 620–623, June 1992.Google Scholar
  68. 68.
    A. Pnueli. A temporal logic of concurrent programs. Theoretical Computer Science, 13:45–60, 1981.Google Scholar
  69. 69.
    D. K. Probst and H. F. Li. Using partial order semantics to avoid the state explosion problem in asynchronous systems. In Kurshan and Clarke [53].Google Scholar
  70. 70.
    J.P. Quielle and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proceedings of the Fifth International Symposium in Programming, 1981.Google Scholar
  71. 71.
    R. Rudell. Dynamic variable ordering for ordered binary decision diagrams. In Intl. Conf. on Computer Aided Design, Santa Clara, Ca., November 1993.Google Scholar
  72. 72.
    R. Schlor and W. Damm. Specification and verification of system-level hardware designs using timing diagrams. In EDAC 93, 1993.Google Scholar
  73. 73.
    J. Sifakis, editor. Proceedings of the 1989 International Workshop on Automatic Verification Methods for Finite State Systems, Grenoble, France, volume 407 of Lecture Notes in Computer Science. Springer-Verlag, June 1989.Google Scholar
  74. 74.
    A. P. Sistla and E.M. Clarke. Complexity of propositional temporal logics. Journal of the ACM, 32(3):733–749, July 1986.Google Scholar
  75. 75.
    N. Suzuki, editor. Shared Memory Multiprocessing. MIT Press, 1992.Google Scholar
  76. 76.
    A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math, 5:285–309, 1955.Google Scholar
  77. 77.
    H. J. Touati, R. K. Brayton, and R. P. Kurshan. Testing language containment for ω-automata using BDD's. In Proceedings of the 1991 International Workshop on Formal Methods in VLSI Design, January 1991.Google Scholar
  78. 78.
    A. Valmari. A stubborn attack on the state explosion problem. In Kurshan and Clarke [53].Google Scholar
  79. 79.
    M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of the First Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, June 1986.Google Scholar
  80. 80.
    P. Wolper and V. Lovinfosse. Verifying properties of large sets of processes with network invariants. In Sifakis [73].Google Scholar

Copyright information

© Springer-Verlag 1994

Authors and Affiliations

  • E. Clarke
    • 1
  • O. Grumberg
    • 2
  • D. Long
    • 3
  1. 1.Carnegie MellonPittsburgh
  2. 2.The TechnionHaifa
  3. 3.AT&T Bell LabsMurray Hill

Personalised recommendations