
2.3 Formal specification

2.4.1 Model checking labelled state transition systems

If the system is represented as an LSTS M, the model checking problem is to determine whether the formal specification φ evaluates to true for all computation paths starting from the initial states s0 ∈ I ⊆ S, where S is the set of states of M and I is its set of initial states (Clarke et al., 1999, Chapter 4).

In order to ensure that the provided answer is correct, algorithms solving the model checking problem for an LSTS M explore the entire state space of M in a brute-force manner. Since the size of the state space can become very large (e.g. 10^120 states (Miller et al., 2010)), efficient data structures and algorithms for state space exploration were developed; they differ depending on the temporal logic used to encode the formal specification φ.

2.4.1.1 LTL model checking

In case the specification is written in LTL (see Subsubsection 2.3.1.1), a structure is usually constructed which records how atomic propositions and logic subformulae of φ evaluate for each state of the model M. Typical examples of such structures are tableaus (Lichtenstein and Pnueli, 1985) (i.e. graphs encoding which logic formulae hold in each state and how the system can transition between states) or Büchi automata (Vardi and Wolper, 1986) (i.e. automata which encode how the system transitions between states when one or multiple logic subformulae hold). These structures are searched for counterexample computation paths; if one is found, the model is declared invalid, otherwise it is declared valid. The computational complexity of these LTL model checking algorithms (O(|M| · 2^|φ|)) is linear in the size of the model M and exponential in the size of the specification φ.

One of the most prominent LTL model checkers based on modelling the LTL formula as a Büchi automaton (Vardi and Wolper, 1986) was developed by Holzmann and is called SPIN (Holzmann, 1997). The model of the system is described using the language PROMELA and LTL formulae are verified using “on-the-fly” verification techniques (Gerth et al., 1996). Conversely, one of the most well-known tableau-based (Clarke et al., 1997) model checkers is NuSMV (Cimatti et al., 1999, 2002).

2.4.1.2 CTL model checking

Conversely, in case of CTL specifications (see Subsubsection 2.3.2.1) labelling functions are usually employed which evaluate atomic propositions and logic subformulae of φ for each state of the model M (Clarke et al., 1986). The corresponding model checking algorithms work in iterations by first labelling states with logic formulae of length one, then of length two, and so on until the length of the specification φ is reached. Based on the results of the labelling functions the model is declared valid if and only if all initial states of M are labelled with the specification φ (i.e. φ holds in these states). The computational complexity of these CTL model checking algorithms (O(|M| · |φ|)) is linear in the size of both the model M and the specification φ.

The significant complexity difference between LTL (O(|M| · 2^|φ|)) and CTL (O(|M| · |φ|)) model checking algorithms is due to the type of properties which can be expressed in each logic.

The first CTL model checker was developed and described by Clarke and Emerson and was called EMC (Clarke and Emerson, 1982). Approximately at the same time Queille and Sifakis presented the model checker CESAR (Queille and Sifakis, 1982) which was taking as input properties formalised in a temporal branching logic very similar to CTL. EMC was later optimised and extended to support fairness constraints (Clarke et al., 1986).

2.4.1.3 CTL* model checking

Finally, in case of CTL* specifications (see Subsubsection 2.3.2.2) the model checking algorithms usually employ the labelling function based approach for CTL state and path logic subformulae, and the structure based approach for LTL path subformulae (Emerson and Lei, 1987). Similarly to LTL, the computational complexity of CTL* model checking algorithms (O(|M| · 2^|φ|)) is linear in the size of the model M and exponential in the size of the specification φ.

One of the first CTL* model checkers was described by Visser et al. (Visser et al., 1997) and is called AltMC. The SPIN model checker could be also extended to support CTL* specifications as suggested by Visser and Barringer (Visser and Barringer, 2000).

2.4.1.4 State space explosion problem

In spite of the efficient data structures, and independently of the temporal logic employed to encode the formal specification, the complexity of the model checking algorithms depends on the size of the state space (see the complexity of the LTL, CTL and CTL* algorithms above). For complex systems the number of states usually increases exponentially with the number of concurrent processes considered and with the domains of possible state variable values. This is known as the state space explosion problem and is the cause of the main limitation of model checking approaches, i.e. poor scalability.

In an attempt to address this limitation multiple approaches for reducing the size of the state space have been developed; several of the most employed approaches are depicted in Figure 2.6.

[Figure 2.6: tree diagram. Root: "Methods for coping with the state space explosion problem". Branches: "State space reduction" (On-the-fly model checking, Symbolic model checking, Partial order reduction, Symmetry reduction, Abstraction, Induction), "Heuristics", "Design guidelines".]

Figure 2.6: Well-known approaches for tackling the state space explosion problem. State space reduction methods are traditional while heuristics and design guidelines are more recent.

State space reduction

Most approaches attempt to combat the state space explosion problem by reducing the size of the state space and/or the memory footprint. The most well-known methods of this type are:

• On-the-fly model checking: Compared to explicit state static (Rafe et al., 2013) model checking, on-the-fly model checking dynamically constructs only the required part of the state space (Gerth et al., 1996).

• Symbolic model checking: The state space is represented in a compact form (symbolically) using binary decision diagrams (BDD) (Bryant, 1986). Each symbolic state in the BDD represents a subset of states in the original state space. Therefore a BDD representation of the state space can be exponentially more compact than the original representation (Clarke et al., 2001). Advances in BDD-based data structures enabled representing state spaces of sizes up to 10^120 states.

• Partial order reduction: When modelling concurrent systems there usually are sequences of events which occur in parallel. For completeness purposes all possible permutations of the order in which the events occur need to be considered. This leads to an exponential increase in the size of the state space. However, if the events are independent from each other (with respect to the property to be checked) the order in which they are executed does not influence the final outcome. Thus only one of the sequences needs to be considered. Partial order methods reduce the size of the state space by applying this principle and thus eliminating all redundant states (Godefroid, 1991; Peled, 1994; Valmari, 1991).

• Symmetry reduction: Systems usually comprise multiple subcomponents, some of which might be identical. Symmetry reduction takes advantage of this fact and simplifies the model by removing subcomponents from the system which are identical with respect to an equivalence relation (Clarke et al., 1996; Emerson and Sistla, 1996; Ip and Dill, 1996).

• Abstraction: From the point of view of the specification the model should contain enough details to enable checking all the properties of the system but not more. Abstraction is a state space reduction method which abstracts away all unnecessary details of the model with respect to a formal specification. Some of the most well-known methods involve eliminating variables which do not have an effect on the variables described in the specification, and mapping the set of data values to a smaller set of abstract data values (Baier and Katoen, 2008, Chapter 7), (Clarke et al., 1999, Chapter 13).

• Induction: Some systems can be described as the composition of multiple copies of a single subsystem. If it is possible to show that one subsystem is always valid (or invariant) with respect to the given formal specification, and that the composition of this subsystem with the (i + 1)-th copy is also always valid, then by induction the composition of multiple copies of the subsystem will be always valid (Clarke et al., 1986; Clarke, 2008; Kurshan and McMillan, 1989).

Heuristics

An alternative category of methods for tackling the state space explosion problem is based on heuristics. They are mainly used to explore the state space in a directed manner to find states which violate the formal specification. An example of a model checking approach using random-walks guided by heuristics is given by Bui and Nymeyer (Bui and Nymeyer, 2009), and an example employing genetic algorithms to explore large state spaces is given by Godefroid and Khurshid (Godefroid and Khurshid, 2002).

Design guidelines

Finally, the third distinct strand (in some respects) is to construct verifiable models by following a set of five guidelines starting from the model design stage (Groote et al., 2012). Some of the given rules (e.g. using data categories instead of explicit data values) are similar to the more traditional methods (e.g. abstraction), while others (e.g. information polling) challenge the usual practice (e.g. information pushing).

Although multiple specific approaches for combating the state space explosion problem were developed over the years a unified solution is yet to emerge.