CS 294-1: Model Checking
EE 219C: Computer-Aided Verification

Spring 2003

• Instructor: Tom Henzinger, Cory 517, email: tah@eecs.berkeley.edu, phone: 643-2430.

• Lectures: TuTh 2:00-3:30, Cory 521.

• Office hours: Mo 3:00-4:00, Th 3:30-4:30, and by appointment.

• Motivation: Model checking concerns the use of algorithmic methods in the temporal safety and performance assurance for software and hardware systems. As our daily lives depend increasingly on digital systems, the reliability of these systems becomes a concern of overwhelming importance, and as the complexity of the systems grows, their reliability can no longer be sufficiently controlled by the traditional approaches of testing and simulation.

• Objectives: The participants will become familiar with both the theory and practice of software and hardware model checking. Some of the homework problems will involve formal proofs, and other homework problems will involve experimentation with verification tools.

• Syllabus:
  • Reactive modules: a formal model for concurrent reactive systems with software and hardware components.

  • Verification algorithms: linear and branching temporal logics, omega automata, equivalences and refinement, games.

  • State explosion: symbolic data structures, automatic abstraction, compositional reasoning.

  • Advanced topics: safety-liveness hierarchy, real-time and hybrid systems, probabilistic systems.

• Prerequisites: Familiarity with propositional logic, finite automata, basic computational complexity classes, and basic graph algorithms is assumed. For example, you should know what a tautology is, how to determinize a finite automaton, what PSPACE stands for, and how to find the strongly connected components of a graph. If you are not familiar with these concepts, please see the instructor. EE 219A and/or 219B are NOT required.

• Textbook: Class notes will be handed out.

• Software: Some of the homework problems will involve experimentation with the verification tools Mocha and Blast.

• Grading: Grades will be awarded on the basis of weekly homework assignments and a project paper. Every student may drop four problem sets and needs to sign up for grading one of the dropped problem sets. In other words, out of a total of 13 problem sets, the 9 highest scores will count. Instead of a final exam, there will be presentations of the project papers.

• Projects: Potential project topics, both theoretical and experimental, will be announced during the first weeks of the course. Any suggestions for designing your own project according to your interests are very welcome. Every project will require a mentor.

  The project papers are due on Friday, May 16, at 1 p.m. The project presentations will be on May 16 from 1 to 5 p.m. in 540 Cory. Every presenter has 10 minutes.

• Teamwork: Students may collaborate on homeworks, but each student needs to individually write up a solution set and be prepared to present it in class on the due date. Projects must be done individually, or as clearly identifiable parts of a larger effort with individual write-ups and presentations.

• This course is offered approximately every other year.

• What is model checking?
• Recent successes in hardware and software verification
  "This has been the Holy Grail of computer science for many decades, but now in some very key areas, for example, driver verification, we're building tools that can do actual proof about the software and how it works in order to guarantee the reliability." Bill Gates, April 18, 2002, Keynote address at WinHEC 2002.

• State space models: The modeling language Reactive Modules

• Dependency relations between atoms
• Trajectories and traces
• Synchronous vs. asynchronous modules
• Operations on reactive modules

• Problems 1.7, 1.11, and 1.13.
• Start up jMocha (Version 2.0) and have it parse some of the reactive modules you give as answers to the previous question.

• Synchronous circuits
• Control flow graphs of multi-threaded programs
• Synchronous message passing
• Real time

• State transition graphs
• From reactive modules to transition graphs
• Invariant verification as graph reachability
• Monitors

• Problems 1.16(a)-(b), 2.3, 2.5, and 2.7.
• Use jMocha to solve an invariant verification problem of your choice (e.g., a mutex protocol).

• Depth-first search
• Enumerative verification
• Optimizations

• State explosion
• Compositional verification
• Assume-guarantee reasoning

• Problems 2.19, 2.23, and 2.25 (assume-guarantee part only).

• Region algebra
• Symbolic search
• Binary decision diagrams

• Operations on BDDs
• Abstraction
• Stable partitions

• Problems 3.1, 3.3, 3.13, and 3.16.

Notes: Graph Minimization

• Variable abstractions
• Graph symmetries
• Partition refinement

• Paige-Tarjan algorithm
• Real-time modules
• Clock regions

• Problems 4.3, 4.12, 4.14, and 5.6.

Notes: Real-Time Modules

• Predicate abstraction
• Counterexample-guided abstraction refinement
• BLAST

• Safe temporal logic
• STL model checking

• Problems 5.9, 6.4, and 6.9.

Notes: Temporal Safety Requirements

• State equivalences
• Bisimilarity
• Distinguishing power of STL

• Expressive power of STL
• Safe automaton logic
• Expressive power of SAL

• Problems 6.17, 6.23, 7.2, and 7.10.

Notes: Automata-theoretic Safety Verification

• Operations on automata
• Determinization of automata
• SAL model checking

• Refinement checking
• Compositional and assume-guarantee reasoning
• Language equivalence, similarity, and bisimilarity

• Problems 8.2, 8.6, 8.11, and 8.15.

• Enumerative simulation checking
• Symbolic simulation checking
• Stuttering and weak equivalences

• Safety vs. liveness
• Safety vs. guarantee
• The progress hierarchy

• Problems 9.1, 9.6, and 9.7.

• Recurrence, persistence, and reactivity
• Weak and strong fairness
• Locality, machine closure, and receptiveness

• Recurrence verification and response monitors
• Strongly connected components
• The weakly-fair and strongly-fair emptiness problems

• Problems 9.16, 10.3, and 10.14.

• CTL
• Enumerative model checking for CTL
• The mu-calculus
• Symbolic model checking for the mu-calculus

• Alternation-free mu-calculus
• Fairness in the mu-calculus
• Expressive power of the mu-calculus

• Problems 11.3, 11.6, 11.14, and 11.16.

Notes: Automata-theoretic Liveness Requirements

• Omega-automata
• Operations on omega-automata
• Hierarchy of deterministic omega-automata

• Linear temporal logic
• Expressiveness of LTL
• Tableau construction for LTL

• Problems 12.3, 13.7, and 13.10.

• Alternating automata
• Complementation of omega-automata

• LTL satisfiability and model checking
• Quantified LTL and omega-automata
• CTL*

• Problems 13.11 and 13.12.
• Prove or give a counterexample: nondeterministic co-Buchi word automata are as expresive as deterministic co-Buchi word automata. (Hint: consider the Miyano-Hayashi translation from alternating to nondeterministic Buchi word automata.)

• S1S
• Safety and reachability games
• Concurrent games

• Parity games

• Hybrid systems
• Polyhedral analysis
• Verification vs. control