Table Of ContentB. Bérard • M. Bidoit • A. Finkel • F. Laroussinie
A. Petit • L. Petrucci • Ph. Schnoebelen
with P. McKenzie
Systems
and Software
Verification
Model-Checking Techniques and Tools
Springer
Systems and Software Verification
B. Bérard • M. Bidoit • A. Finkel • F. Laroussinie
A. Petit • L. Petrucci • Ph. Schnoebelen
with P. McKenzie
Systems and
Software Verification
Model-Checking Techniques
and Tools
With 67 Figures
Springer
Berlin
Heidelberg
New York
Barcelona
Hong Kong
London
Milan
Paris
Singapore
Tokyo Springer
Béatrice Berard Pierre McKenzie
Michel Bidoit Foreword
Department d'lnformatique
Alain Finkel
cl Recherche Opérutionnellc
François Laroussinie
Université de Montréal
Antoine Petit
CP 6u8 succ Centre-Ville
Laure Petrucci
Montréal QC H3C 3J7, Canada
Philippe Schnoebelen
http://www.iro.umontreal.ca/ .mckenzie/
Laboratoire Spécification et Vérification
CNRS, UMR 8643
Ecole Normale Supérieure de Cachan
61, avenue du Président Wilson
94235 Cachan Cedex, France
http://www.lsv.ens-cachan.fr/ One testament to the maturing of a researcli fiehl is the adoptl at of Its
techniques in industrial practice; another is the emergence (I' text)ooks, Ac-
Translated with the help of Pierre McKenzie, Université de Montréal cording to Itotlt signs, research in model decking is now entering Its nuance
phase, some twenty years after almost entirely the )ret,i(al beginnings. It has
Updated version of the French language edition:
been an exciting twenty years, which have seen the research f ocus evolve,
"Vérification de logiciels. Techniques et outils du model-checking",
coordonné par Philippe Schnoebelen like the business plan of a successful enterprise, front a drea,nn of altoii l ie
Copyright © Vuibert, Paris, 1999 program verification to a reality of computer-aided design debugging.
Tous droits réservés
Those who have participated in significant hardware designs or embed -
(led software projects have experienced that the system complexity, and howl -)
the likely number of design errors, grows exponentially with the number of
Library of Congress Cataloging-in-Publication Data applied for
Interacting system components. Furthermore, traditional debugging and val-
Die Deutsche Bibliothek - CIP-Einheitsaufnahme
idation techniques, based on simulation and testing, are woefully Innalegua-to
Systems and software verification: model-checking techniques and tools / Bérard ... -
for detecting errors in highly concurrent designs. It is therefore in such ap-
Iierlin; Heidelberg; New York; Barcelona; Hong Kong; London; Milan; Paris; Singapore; Tokyo:
Springer, 2001 plications that model-checking-based techniques, despite their limitations In
ISBN 3-540-41523-8 the face of the exponential complexity growth, are staking inroads Into the
design flow and the supporting software tools.
ACM Computing Classification (1998): D.2.4, D.2, D.4.5, F.3.1-2, F.4.1, G.4, I,2.2
This monograph, with its emphasis on skills, craft, and tools, will be of
particular value, first, to the practitioner of formal verification, and second,
ISBN 3 -540-41523-8 Springer-Verlag Berlin Heidelberg New York
as a textbook for courses on formal verification that ---as, I believe, all courses
of formal verification should-- contain a significant experimental cottp oment,
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broad- The selected model-checking tools are available to the public, free of clntrge,
casting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of and are suitable for use in the classroom. The reader is exposed to a broad
this publication or parts thereof is permitted only under the provisions of the German Copyright
mix of different tools, from widely used, mature software to experimental
Law of September 9, 1965, in its current version, and permission for use must always be obtained
from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. tools at the research frontier, including programs for model checking roar
Springer-Verlag Berlin Heidelberg New York time and hybrid systems. In this way, the book succeeds in providing butli,
a member of Springer Science+Business Media a survey of established techniques in model checking, as well as a glimpse nt
http://www.springer.de
state-of-the-art research.
© Springer-Verlag Berlin Heidelberg 2001
Printed in Germany
I3erkeley, February 2001 � Thomas A. Holzinger
The use of general descriptive names, registered names, trademarks, etc. in this publication does not
imply, even in the absence of a specific statement, that such names are exempt from the relevant pro-
tective laws and regulations and therefore free for general use.
Cover design: KünkelLopka, Heidelberg
Typesetting: Camera-ready by authors using a Springer TEX macro package
Printed on acid-free paper �SPIN 11395898 �41/3111/xo - 5 4 3
21
rl
Preface
This book is an introduction to model e/ueAvi'nq, a. tec'Jntique fte' antonnttic
verification of software and reactive systems. Model clew king wits hnveutt'd
more than twenty years ago. .It was first developed by ttcadentic niseertls
teams and has more recently been introduced in specialized industrial milts.
It has now proven to be a successful method, frequently used to nncovor
well-hidden bugs in sizeable industrial cases. Numerous studies are HI.III hi
progress, both to extend the area covered by this technique and to incrt'uMt'
its efficiency. This leads us to believe that its industrial applicallons will N,row
significantly in the next few years.
The book contains the basic elements required l'or melerstandluk tuodel
checking and is intended both as a textbook for un lorgrtulaato conrsea lu
computer science and as a reference f or professional eukileers. II. limy elm,
be of interest to researchers, lecturers or Phi) students wishing to prepttre
a talk or an overview on the subject. To increase his theoretical knowledge
on model checking, the reader is invited to consult the excellent monograph
Model Checking (MIT Press), by Clarke, Gruntberg and Poled, which hell
not yet been published when the French edition of this book appeemd,
The first part of the book presents the fundamental principles nderlyhlg
model checking. The second part considers the probl etu of siec.11lc.atlon in
more detail. It provides some help for the design of temporal logic fornetlaa'
to express classes of properties, which are widely used in practice. The third
part describes, from a user's point of view, some significant, model checkerM
freely available in the academic world. All of them have been used by the
authors in the course of their industrial collaborations.
This book was written by French researchers from Luboroloire S1)&0c11,6o11
Vó7ificat'ion (LSV), a joint laboratory of Ecole Nornntle Supterieure de cl
Cachan and Centre National de la Recherche Scientifique. It is a revised
translation of Vr'r°iJi,calion do logiciels : Techniques el o ulils du model.
checking, (Vufl)ert, 1999), a former French undergraduate/graduate text] H1111(
CO-ordinatlel by Philippe Schnoebelen and written I,y I36ittrke, R'i'led, hllcht ^ l
131dolt, FretNois Laroussinie, Antoine Petit and Philippe Schnoebelc v t, with
this help of (! 'ie.t'd (.'(+(e , Catherine I)ul'otu'd, Aluiu h'lttkel, h asn't , 1'ot i iecel
and 0r6goire Buh'c.'I'ha I'rnntli book wits 1t'Noll'derived from n collaboratlntt
Hloótsriczty Company (I.;I)I) and the LSV, between tltt' z'z'eimh
alb •
VIII �I'ref+cce
Acknowledgements. Gérard Cécé, Roopa Chauhan, Sandrine Couffin, Cather-
Contents
ine Dufourd, Paul Gastin, Jean Goubault-Larrecq, Jean-Michel Hufflen,
Amélie Josselin, Pierre McKenzie, Christine Pellen, Sophie Pinchinat, Marie-
Pierre Ponpon, Jérôme Ryckbosch and Grégoire Sutre read the first versions
of the book. Their numerous remarks and suggestions were invaluable to the
production of the final version.
Part I. Principles and Techniques
Introduction � :1
1. Automata � Pc
1.1 Introductory Examples �fl
1.2 A Few Definitions �11
1.3 A Printer Manager � I I
1.4 A Few More Variable � I
1.5 Synchronized Product � I 1
1.(i Synchronization by Message Passing � 21
1.7 Synchronization Iw Shared Variables � 24
2. Temporal Logic � 27
2.1 The Language of Temporal Logic� 2M
2.2 The Formal Syntax of Temporal Logic � '12
2.3 The Semantics of Temporal Logic � :1:1
2.4 PLTL and CTL: Two Temporal Logics � 3fi
2.5 The Expressivity of CTL* � 37
S. Model Checking � '111
3.1 Model Checking CTL � 311
:3.2 Model Checking PLTL � 42
3.3 The State Explosion Problem � 4R
4. Symbolic Model Checking � 47
4.1 Symbolic Computation of State Sets � 47
4.2 Binary Decision Diagrams (BDD) � fi I
4.3 Representing Automata I>y BDDs � 54
4.4 BDD-based Model Checking � 5(1
5. Tlmecl Automata � 511
Fi.l� l)cNerllll, luu of It'I'luu'd Autuuuttcnl � (H)
5.2 Networks of'V1111141 Autuuulta
and Synchronization � (12
X �Conl ee akk ('ontt 41 1M �XI
5.3 Variants and Extensions of the I3nsic. Model � 64 11.5 Abstraction by llestrietlon � it M
5.4 Timed Temporal Logic � 67 11,6 O bserver Automata � 121)
5.5 Timed Model Checking � 68
conclusion � 12 r1
Conclusion � 73
I'nrt III. Some Tools
Part II. Specifying with Temporal Logic
Introduction � 121)
Introduction � 77
12. :HMV Symbolic Model Chocking � 131
6. Reachability Properties � 79 12.1 Wi nil Can We Do with ST\4V'? � I'll
6.1 Reachability in Temporal Logic � 79 12.2 SM V's Essentials � 1:3 I
6.2 Model Checkers and Reachability � 80 12.3 Describing Automata � 1:12
6.3 Computation of the Reachability Graph � 80 12.4 Verification � I :is
12.5 Synchronizing Auuto mata � 13(1
7. Safety Properties � 83 12.6 Documentation and Case Studies � 1:37
7.1 Safety Properties in Temporal Logic � 83 SMV Bibliography � 13H
7.2 A Formal Definition � 84
7.3 Safety Properties in Practice � 86 13. SPIN Communicating Automata � I:10
7.4 The History Variables Method � 87 13.1 What Can We Do with SKIN'? � I:11)
1:1.2 SPIN's Essentials � 1:31)
H. Liveness Properties � 91 13.:1 Describing Processes � I41)
8.1 Simple Liveness in Temporal Logic � 92 1:1.4 Simulating the System � I ,II
8.2 Are Liveness Properties Useful? � 92 1:3.5 Verification � 142
8,:3 Liveness in the Model, Liveness in the Properties � 94 13.6 Documentation and Case Studies � 144
8.4 Verification under Liveness Hypotheses � 96 SPIN Bibliography � If14
8.5 Bounded Liveness � 97
14. DESIGN/CPN - Coloured Petri Nets � 145
9. Deadlock-freeness � 99 14.1 What Can We Do with D ^ '.si(,N/CPN? � I4!'n
9.1 Safety'? Liveness? � 99 14.2 D1,51c:N/CPN's Essentials � 14ín
9.2 Deadlock-freeness for a Given Automaton � 99 14.:3 Editing with DI?,siaN/CPN � 146
9.3 Beware of Abstractions! � 101 14.4 Simulating the Net � 147
14.5 Analyzing the Net � 141)
10. Fairness Properties � 103
1.4.6 Documentation and Case Studies � III)
10.1 Fairness in Temporal Logic � 103
i)i:su:N/CPN Bibliography � IP>(1
10.2 Fairness and Nondeterminism � 104
10.3 Fairness Properties and Fairness Hypotheses � 104 15. UPPAAL -- Timed Systems � 15:1
10.4 Strong Fairness and Weak Fairness � 106 15.1 What Can We Do with UPPAAL? � 153
10.5 Fairness in the Model or in the Property? � 107 15.2 f i'IAAl,'s Essentials � 153
15.3 Modeling Tinted Systems with 11i 'AA!, � 151
11. Abstraction Methods � 109
15.4 Simulating a System � 157
11.1 When Is Model Abstraction Required? � 110
15.5 Verification � 157
11.2 Abstraction by State Merging � 110
15,6 Documentation and Case Studies � IPis
11.3 What Can Be Proved in the Abstract Automaton'? � 110 tIPPnnt, 1311)1ioµrapiny � II'>s
11.4 AI>strac.tiou on the Variables � I 14
•
XII �: 1116tiit(p
16. KRONOS - Model Checking of Real-time Systems � 161
16.1 What Can We Do with KRONOS? � 161
16.2 KRONOS' Essentials � 161
16.3 Describing Automata � 162
16.4 Synchronized Product � 164
16.5 Model Checking � 165
16.6 Documentation and Case Studies � 167
KRONOS Bibliography � 167
17. HYTECH — Linear Hybrid Systems � 169
17.1 What Can We Do With HYTECH? � 169 Principles and Techtiieli1cac+
17.2 HYTECH's Essentials � 169
17.3 Describing Automata � 170
17.4 System Analysis � 172
17.5 Parametric Analysis � 174
17.6 Documentation and Case Studies � 176
HYTECH Bibliography � 176
Main Bibliography � 179
Index � 183
Introduction
This first part describes the concepts underlying the techniques of model
checking. A reader confronted with verification questions will find here Just
enough theory to be able to assess the relevance of the various tools, to un-
derstand the reasons behind their limitations and strengths, and i,o choose
the approach concretely best suited for his/her verification task.
The following are described in turn:
• automata which form the basis of the operational models used to spoelfy
the behavior of the systems to be validated;
• temporal logic and its use in specifying properties;
• model checking based on explicit enumeration;
• symbolic model checking based on binary decision trees;
• timed automata and their related methods.
Chapter 1, "Automata", is the easiest to follow. The notions discussed
there are in all likelihood already familiar and they constitute an essential
prerequisite. Chapters 2, 3 and 4 form a logical sequence. Chapter 5 is iu
large part independent.
The concepts presented in the first two chapters are fundameutal. 'Hwyy
are used throughout the book.
1. Automata
As lI)eWtioued in the foreword, model (i(chlg consists in verifying some prop
miles of the model of a system. Before any checking can begin, one Is thus
confronted with the task of modeling the system under study. To be honest,
we stress that this modeling step is difficult, and yet crucial to the relevance
of the results subsequently obtained. No universal method exists to model a
system; modeling is a challenging task best, performed by qualified engineers
enlightened with a good grasp of both the physical reality and the appll
cable mathematical or computer models. Alternatively, a, pre-modeling step
Involving mixed teams of modeling experts and "area" specialists Is advis-
able. This chapter does not claim to provide a fool-proof modeling method
(Wan otherwise over-ambitious goal to say the least). We will, rather more
humbly, describe a general model which serves as a basis, under a guise or
another, for most model checking methods. Using toy examples In this chap-
ter, we will illustrate how this general model is used to represent objec ts or
"^'c+al-life" systems.
1.1 Introductory Examples
The systems best suited for verification by model checking techniques are
those that are easily modeled by (finite) automata. Briefly put, an automa-
ton is a machine evolving from one state to another under the action ()I'
transitioni% For example, a digital watch can be represented by an automa-
ton In which each state represents the current hour and minutes (we neglect
the seconds), there are thus 24 x (10 = 1440 possible states, and one transltl o fi
links any pair of states representing times one minute apart.
An automaton (or part of an automaton) is often depicted by drawing
end) state as a circle and each transition as an arrow (s(e Figure I.1). An
humming arrow without origin i<lentifl(s the initial state.
'fie availability of such graphical i 'lrescntations is one of the benefits of
automata-based formalisms. These representations provide invaluable sup-
port for building our understandin g of a system's operation.
Another example (ti ^ Is one completely representable, sec figure 1.2) Is that
of a modulo 3 counter, whose automaton will be denoted ,A,,;, (the watch
above could be viewed Was some soil of modulo 1441) counter). The states
