So far, we have seen that Kripke structures can be used as state space representations of software systems. Moreover, correctness requirements of a system can be formalised as temporal logic formulae. A model checker is a tool that takes a Kripke structure and a temporal logic formula as input, and then automatically verifies whether the formula holds for the structure or not.
In this section, we want to take a closer look at the algorithmic aspects of model checking.
The basic algorithm for two-valued CTL model checking was originally introduced by Clarke and Emerson [36]. In the first step, this procedure constructs a parse tree representation of the input formula ψ where each node of the tree represents a subformula of ψ. Then, starting at the level of atomic formulae (i.e. leaf nodes), for each subformula ψ' the set of states of the Kripke structure where ψ' holds is computed. The algorithm proceeds in a bottom-up manner until the root node, which represents the overall input formula ψ, is reached. CTL model checking under fairness additionally requires computing the set of states where fair paths start. The algorithm has a time complexity of O(|ψ| × (|S| + |R|) × |F|). A detailed description of CTL model checking can e.g. be found in [41] and [8].
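As an added illustration (not code from the thesis or from any of the cited tools), the bottom-up labelling algorithm in Python over a small constructed Kripke structure: EX, EU and EG are computed as fixpoints over the state set, the remaining CTL operators are derived from them, and fairness constraints are not handled.

```python
# Added example (not from the thesis): explicit-state CTL model checking in the
# bottom-up fixpoint style of Clarke and Emerson. Formulas are nested tuples:
# ('true',), ('ap', p), ('not', f), ('and', f, g), ('EX', f), ('EU', f, g), ('EG', f).

def preimage(R, target):
    """States with at least one successor in `target` (one EX step backwards)."""
    return {s for s, succ in R.items() if succ & target}

def sat(K, phi):
    """Set of states of the Kripke structure K = (S, R, L) where phi holds.
    Subformulas are evaluated first, so the recursion walks the parse tree bottom-up."""
    S, R, L = K
    op = phi[0]
    if op == 'true':
        return set(S)
    if op == 'ap':
        return {s for s in S if phi[1] in L[s]}
    if op == 'not':
        return S - sat(K, phi[1])
    if op == 'and':
        return sat(K, phi[1]) & sat(K, phi[2])
    if op == 'EX':
        return preimage(R, sat(K, phi[1]))
    if op == 'EU':   # least fixpoint of Y = g | (f & EX Y), starting from the empty set
        f, g = sat(K, phi[1]), sat(K, phi[2])
        y = set()
        while (new := g | (f & preimage(R, y))) != y:
            y = new
        return y
    if op == 'EG':   # greatest fixpoint of Y = f & EX Y, starting from sat(f)
        f = sat(K, phi[1])
        y = set(f)
        while (new := f & preimage(R, y)) != y:
            y = new
        return y
    raise ValueError(f"unknown operator {op}")

# Remaining CTL operators, derived from the adequate set {EX, EU, EG}.
def EF(f): return ('EU', ('true',), f)
def AG(f): return ('not', EF(('not', f)))
def AF(f): return ('not', ('EG', ('not', f)))
def implies(f, g): return ('not', ('and', f, ('not', g)))

# Constructed 4-state Kripke structure: 0 idle, 1 and 2 pending requests,
# 3 the critical section; the request in state 2 loops forever and is never granted.
S = {0, 1, 2, 3}
R = {0: {1, 2}, 1: {3}, 2: {2}, 3: {0}}
L = {0: {'init'}, 1: {'req'}, 2: {'req'}, 3: {'crit'}}
K = (S, R, L)
REQ, CRIT = ('ap', 'req'), ('ap', 'crit')
```

Calling `sat(K, AF(CRIT))` returns {1, 3}, while `sat(K, AG(implies(REQ, EF(CRIT))))` is empty because the ungranted request in state 2 is reachable from every state.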
The previously outlined model checking algorithm relies on an explicit representation of the state space. Every single state of the underlying Kripke structure is explicitly enumerated during a model checking run. However, for larger state spaces such an explicit approach is hardly practicable. A usual way to overcome this issue is to work with a symbolic representation of the Kripke structure. Symbolic CTL model checking techniques are based on state space encodings that are substantially more compact than explicit Kripke structures.
The most common approach to symbolic model checking relies on binary decision diagrams (BDDs) [25]. Binary decision diagrams are a data structure used to represent boolean functions. Since classical Kripke structures are based on a two-valued domain, they can be straightforwardly encoded as boolean functions. BDD representations of state spaces can be built directly from a system description. Thus, the expensive construction of an explicit Kripke structure is not required for applying symbolic model checking. The basic algorithm for BDD-based model checking was established by Burch et al. [26]. This algorithm proceeds in a similar manner as the explicit variant.
However, the necessary computations can be performed much more efficiently based on binary decision diagrams than on explicit Kripke structures. Hence, BDD-based model checking allows for the verification of systems with far more than 10^20 states. A prominent BDD-based model checker is part of the NuSMV framework for software verification, developed by Cimatti et al. [32].
More details on symbolic model checking with BDDs can be found in [41] and [8].
The two outlined algorithms for explicit and symbolic CTL model checking are tailored to a boolean setting. Nevertheless, model checking based on decision diagrams has also been applied in a multi-valued context. Multi-valued symbolic model checking, introduced by Chechik et al. [28], is a generalisation of the classical two-valued approach. It allows for the verification of models that are based on arbitrary multi-valued logics whose values form a finite quasi-boolean lattice. The algorithm for multi-valued model checking employs multi-valued decision diagrams (MDDs) [116] for state space encodings.
These generalised decision diagrams also allow for compact representations of state spaces, and furthermore, for efficient model checking runs based on fast MDD operations. The time complexity of multi-valued model checking is O(|L| × |ψ| × (|S| + |R|) × |F|) where |L| is the size of the underlying lattice. An existing symbolic model checker for multi-valued reasoning is χChek developed by Chechik et al. [30, 54]. The fundamentals of multi-valued symbolic model checking are extensively described in [28].
In this thesis, we pursue an approach to verification that is based on three-valued model checking, which is evidently a special case of multi-valued model checking. As we have already discussed in Section 2.2, three-valued model checking is based on the Kleene logic K3 which forms the following quasi-boolean lattice:
[Fig. 2.8: Graphical representation of the finite quasi-boolean lattice L_K3 corresponding to the Kleene logic K3, with the three elements true, unknown and false shown in that order from top to bottom.]
This lattice has a size of 3 and thus in our approach model checking has a time complexity of O(3 × |ψ| × (|S| + |R|) × |F|). The verification tool that we have implemented within this work is in fact built on top of the aforementioned multi-valued model checker χChek.
This nearly completes our background discussion. We have considered the logical and algorithmic aspects of model checking that are essential for our approach to verification. Finally, we want to provide a brief overview of alternative concepts from the field of model checking.

CTL is not the only temporal logic that is employed for formalising correctness requirements in model checking. Another logic of relevance in verification is the linear-time temporal logic (LTL) [108]. LTL and CTL are incomparable with regard to their expressiveness. However, a large number of properties can be expressed in both logics. LTL model checking is based on different algorithms than CTL model checking. Explicit-state model checkers for LTL properties typically rely on automata-based computations [44]. A prominent example of such a model checker is SPIN [82]. Symbolic LTL model checking is commonly not based on BDD computations, but on boolean satisfiability solving: Bounded model checking (BMC) [21] is a variant of classical model checking that explores finite path prefixes rather than infinite paths. BMC can be reduced to boolean satisfiability (SAT) [49], and thus, verification can be efficiently performed by SAT-solvers. SAT-based bounded model checking for LTL properties is also supported by the NuSMV framework [33]. Model checking via satisfiability solving has also been considered in a three-valued context: In [126] the three-valued bounded model checking problem is reduced to two boolean satisfiability problems. The reduction of a multi-valued model checking problem to a number of classical two-valued model checking problems, e.g. [71, 24], is a common alternative to direct approaches to multi-valued model checking like χChek [30, 54].
Chapter 3
Concurrent Systems
The verification framework that we have developed within this thesis focuses on concurrent systems, which are composed of many software processes running concurrently and communicating with each other. Such systems are in widespread practical use. A variety of examples can be found in the fields of network protocols and distributed computing. Due to the versatile concepts of concurrency and communication, concurrent systems are an appropriate and efficient choice for many complex computational tasks. However, it is exactly these concepts that make verification, i.e. proving the correctness of such systems, particularly challenging.
In this chapter, we give an introduction to the broad field of concurrent systems, which includes a definition of the syntax and semantics of such systems as well as a detailed description of the different concepts of communication.
Moreover, we show how concurrent systems can be formally represented as control flow graphs and finally be transferred into a state space model for verification. We conclude this chapter with an overview of typical correctness requirements for concurrent systems, and we show how these requirements can be formalised in temporal logic.