Model Checking: Model-Based Verification Techniques Are Based On Models Describing The Possible

Model checking is a verification technique that systematically explores all possible states of a system model to determine if it satisfies given properties. It involves modeling a system, specifying properties to check, using a model checker to examine all scenarios, and analyzing any violations to refine the model. Model checking is effective at finding design errors, but the results are only as good as the system model and it can only check explicitly specified properties.

Uploaded by Ali Raza Jalwana

Model Checking

Introduction
In software and hardware design of complex systems, more time and effort are
spent on verification than on construction. Formal methods offer a large potential
to obtain an early integration of verification in the design process, to provide more
effective verification techniques, and to reduce the verification time.

During the last two decades, research in formal methods has led to the
development of some very promising verification techniques that facilitate the
early detection of defects. These techniques are accompanied by powerful software
tools that can be used to automate various verification steps.

Model-based verification techniques are based on models describing the possible
system behavior in a mathematically precise and unambiguous manner. It turns out
that – prior to any form of verification – the accurate modeling of systems often
leads to the discovery of incompleteness, ambiguities, and inconsistencies in
informal system specifications. Such problems are usually only discovered at a
much later stage of the design. The system models are accompanied by algorithms
that systematically explore all states of the system model. This provides the basis
for a whole range of verification techniques ranging from an exhaustive
exploration (model checking) to experiments with a restrictive set of scenarios in
the model (simulation), or in reality (testing).

Model checking is a verification technique that explores all possible system states
in a brute-force manner. Similar to a computer chess program that checks possible
moves, a model checker, the software tool that performs the model checking,
examines all possible system scenarios in a systematic manner. In this way, it can
be shown that a given system model truly satisfies a certain property. It is a real
challenge to examine the largest possible state spaces that can be treated with
current means, i.e., processors and memories. State-of-the-art model checkers can
handle state spaces of about 10^8 to 10^9 states with explicit state-space
enumeration. Using clever algorithms and tailored data structures, larger state
spaces (10^20 up to even 10^476 states) can be handled for specific problems.

Figure: Schematic view of the model checking approach

Characteristics of Model Checking

• Model checking is an automated technique that, given a finite-state
model of a system and a formal property, systematically checks
whether this property holds for (a given state in) that model.
• Model checking is an effective technique to expose potential design
errors.
• Any verification using model-based techniques is only as good as
the model of the system.
• Typical properties that can be checked using model checking are of
a qualitative nature.
The Model-Checking Process
In applying model checking to a design the following different
phases can be distinguished:
• Modeling phase:
– model the system under consideration using the model description language of
the model checker at hand;
– as a first sanity check and quick assessment of the model perform some
simulations;
– formalize the property to be checked using the property specification language.
• Running phase: run the model checker to check the validity of the property in the
system model.
• Analysis phase:
– property satisfied? → check next property (if any);
– property violated? →
1. analyze generated counterexample by simulation;
2. refine the model, design, or property;
3. repeat the entire procedure.
– out of memory? → try to reduce the model and try again.
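The three phases above, and the brute-force explicit-state exploration described earlier, carried through on a small constructed model. This is an added example, not code from the page or from any particular model checker. Everything in it is an assumption made for illustration: the breadth-first checker, the two-process lock model in a flawed version (its separate "test flag" and "set flag" transitions form a time-of-check/time-of-use race) and a corrected version with an atomic test-and-set, and the two properties (mutual exclusion as an invariant, and deadlock freedom). When the invariant is violated the checker returns a shortest counterexample trace, which is what the analysis phase replays.

```python
"""Minimal explicit-state model checker for safety properties (added example).

Assumptions (not from the page): a system is given as an initial state, a
successor function and an invariant; states are hashable tuples. The two-process
lock models below are constructed for illustration only.
"""
from collections import deque

IDLE, TESTED, CRIT = 0, 1, 2   # per-process program counter values


def model_check(initial, successors, invariant):
    """Breadth-first exploration of every state reachable from `initial`.

    Returns (True, n_states) when `invariant` holds in all reachable states,
    or (False, trace) where trace is a shortest path of states from `initial`
    to the first violating state found (the counterexample).
    """
    parent = {initial: None}          # visited set doubling as predecessor map
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while s is not None:      # walk predecessors back to the initial state
                trace.append(s)
                s = parent[s]
            return False, trace[::-1]
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return True, len(parent)


def _step(state, i, new_pc, new_flag):
    """Copy of `state` with process i moved to new_pc and the shared flag set."""
    pcs = list(state[:2])
    pcs[i] = new_pc
    return (pcs[0], pcs[1], new_flag)


def buggy_successors(state):
    """Flawed lock: testing the flag and setting it are separate transitions."""
    flag = state[2]
    for i in range(2):
        pc = state[i]
        if pc == IDLE and flag == 0:
            yield _step(state, i, TESTED, flag)   # saw the flag clear, not yet acquired
        elif pc == TESTED:
            yield _step(state, i, CRIT, 1)        # acquire and enter critical section
        elif pc == CRIT:
            yield _step(state, i, IDLE, 0)        # leave and release


def fixed_successors(state):
    """Corrected lock: test-and-set is a single atomic transition."""
    flag = state[2]
    for i in range(2):
        pc = state[i]
        if pc == IDLE and flag == 0:
            yield _step(state, i, CRIT, 1)
        elif pc == CRIT:
            yield _step(state, i, IDLE, 0)


def mutual_exclusion(state):
    """Safety property: the two processes are never in the critical section together."""
    return not (state[0] == CRIT and state[1] == CRIT)


def deadlock_free(successors):
    """Second property: every reachable state has at least one outgoing transition."""
    return lambda state: any(True for _ in successors(state))


INITIAL = (IDLE, IDLE, 0)


def check_buggy():
    return model_check(INITIAL, buggy_successors, mutual_exclusion)


def check_fixed():
    return model_check(INITIAL, fixed_successors, mutual_exclusion)


if __name__ == "__main__":
    ok, result = check_buggy()
    print("buggy lock, mutual exclusion:", "holds" if ok else "VIOLATED")
    if not ok:
        for s in result:               # replay the counterexample, as in the analysis phase
            print("   ", s)
    ok, result = check_fixed()
    print("fixed lock, mutual exclusion:", "holds" if ok else "VIOLATED",
          "| reachable states:", result)
    ok, _ = model_check(INITIAL, fixed_successors, deadlock_free(fixed_successors))
    print("fixed lock, deadlock freedom:", "holds" if ok else "VIOLATED")
```

The counterexample for the flawed lock is the interleaving in which both processes observe the flag clear before either sets it; refining the model to make test-and-set atomic removes that interleaving, after which the same checker is rerun for the next property (deadlock freedom) as the process description prescribes. The `parent` dictionary is the explicit state store whose size is what bounds explicit-state enumeration in practice.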

The strengths of model checking:

• It is a general verification approach that is applicable to a wide range of
applications such as embedded systems, software engineering, and hardware
design.

• It supports partial verification, i.e., properties can be checked individually, thus
allowing focus on the essential properties first. No complete requirement
specification is needed.

• Its effectiveness does not depend on how likely an error is to be exposed; this
contrasts with testing and simulation, which are aimed at tracing the most probable
defects.

• It provides diagnostic information in case a property is invalidated; this is very
useful for debugging purposes.

• It is a potential "push-button" technology; the use of model checking requires
neither a high degree of user interaction nor a high degree of expertise.

• It enjoys a rapidly increasing interest by industry; several hardware companies
have started their in-house verification labs, job offers with required skills in model
checking frequently appear, and commercial model checkers have become
available.

• It can be easily integrated in existing development cycles; its learning curve is
not very steep, and empirical studies indicate that it may lead to shorter
development times.

The weaknesses of model checking:

• It is mainly appropriate to control-intensive applications and less suited for
data-intensive applications, as data typically ranges over infinite domains.

• It verifies a system model, and not the actual system (product or prototype) itself;
any obtained result is thus only as good as the system model. Complementary
techniques, such as testing, are needed to find fabrication faults (for hardware) or
coding errors (for software).

• It checks only stated requirements, i.e., there is no guarantee of completeness.
The validity of properties that are not checked cannot be judged.
