Model checking

In computer science, model checking or property checking is a method for checking whether a finite-state model of a system meets a given specification (also known as correctness). This is typically associated with hardware or software systems, where the specification contains liveness requirements (such as avoidance of livelock) as well as safety requirements (such as avoidance of states representing a system crash).

This article is about checking of models in computer science. For the checking of models in statistics, see statistical model validation.

In order to solve such a problem algorithmically, both the model of the system and its specification are formulated in some precise mathematical language. To this end, the problem is formulated as a task in logic, namely to check whether a structure satisfies a given logical formula. This general concept applies to many kinds of logic and many kinds of structures. A simple model-checking problem consists of verifying whether a formula in the propositional logic is satisfied by a given structure.

Overview[edit]

Property checking is used for verification when two descriptions are not equivalent. During refinement, the specification is complemented with details that are unnecessary in the higher-level specification. There is no need to verify the newly introduced properties against the original specification since this is not possible. Therefore, the strict bi-directional equivalence check is relaxed to a one-way property check. The implementation or design is regarded as a model of the system, whereas the specifications are properties that the model must satisfy.^[2]

An important class of model-checking methods has been developed for checking models of hardware and software designs where the specification is given by a temporal logic formula. Pioneering work in temporal logic specification was done by Amir Pnueli, who received the 1996 Turing award for "seminal work introducing temporal logic into computing science".^[3] Model checking began with the pioneering work of E. M. Clarke, E. A. Emerson,^[4]^[5]^[6] by J. P. Queille, and J. Sifakis.^[7] Clarke, Emerson, and Sifakis shared the 2007 Turing Award for their seminal work founding and developing the field of model checking.^[8]^[9]

Model checking is most often applied to hardware designs. For software, because of undecidability (see computability theory) the approach cannot be fully algorithmic, apply to all systems, and always give an answer; in the general case, it may fail to prove or disprove a given property. In embedded-systems hardware, it is possible to validate a specification delivered, e.g., by means of UML activity diagrams^[10] or control-interpreted Petri nets.^[11]

The structure is usually given as a source code description in an industrial hardware description language or a special-purpose language. Such a program corresponds to a finite state machine (FSM), i.e., a directed graph consisting of nodes (or vertices) and edges. A set of atomic propositions is associated with each node, typically stating which memory elements are one. The nodes represent states of a system, the edges represent possible transitions that may alter the state, while the atomic propositions represent the basic properties that hold at a point of execution.

Formally, the problem can be stated as follows: given a desired property, expressed as a temporal logic formula $p$ , and a structure $M$ with initial state $s$ , decide if $M,s\models p$ . If $M$ is finite, as it is in hardware, model checking reduces to a graph search.

First-order logic[edit]

Model checking is also studied in the field of computational complexity theory. Specifically, a first-order logical formula is fixed without free variables and the following decision problem is considered:

Given a finite interpretation, for instance, one described as a relational database, decide whether the interpretation is a model of the formula.

This problem is in the circuit class AC⁰. It is tractable when imposing some restrictions on the input structure: for instance, requiring that it has treewidth bounded by a constant (which more generally implies the tractability of model checking for monadic second-order logic), bounding the degree of every domain element, and more general conditions such as bounded expansion, locally bounded expansion, and nowhere-dense structures.^[20] These results have been extended to the task of enumerating all solutions to a first-order formula with free variables.

Afra: a model checker for which is an actor-based language for modeling concurrent and reactive systems

Rebeca

(Alloy Analyzer)

Alloy

(Berkeley Lazy Abstraction Software Verification Tool)

BLAST

(Construction and Analysis of Distributed Processes) a toolbox for the design of communication protocols and distributed systems

CADP

: an open-source software model checker for C programs, based on the CPA framework

CPAchecker

: a platform for the automatic analysis, verification, testing, and transformation of C and C++ programs

ECLAIR

: a model checker for verifying real-time systems modelled and specified as CSP Processes

FDR2

code level verifier for MPI programs

ISP

: an open-source model checker for Java programs

Java Pathfinder

: a framework for distributed model checking

Libdmc

Toolset, Boost Software License, Based on ACP

mCRL2

: a new symbolic model checker

NuSMV

: an enhanced simulator, model checker and refinement checker for concurrent and real-time systems

PAT

: a probabilistic symbolic model checker

Prism

: an integrated tool environment for modelling, simulation, and verification of real-time systems modelled as parametric, time, and stopwatch Petri nets

Roméo

: a general tool for verifying the correctness of distributed software models in a rigorous and mostly automated fashion

SPIN

:^[21] A model checker for probabilistic systems.

Storm

: a tool for the analysis of process algebra

TAPAs

: an integrated tool environment for modelling, validation, and verification of Timed-Arc Petri Nets

TAPAAL

model checker by Leslie Lamport

TLA+

: an integrated tool environment for modelling, validation, and verification of real-time systems modelled as networks of timed automata

UPPAAL

^[22] – experimental tool from Microsoft to validate state models of software at various levels: high-level protocol descriptions, work-flow specifications, web services, device drivers, and protocols in the core of the operating system. Zing is currently being used for developing drivers for Windows.

Zing

Here is a list of significant model-checking tools: