Course: CS234 Computer-Aided Verification

Fall 2005

• Instructor: Rupak Majumdar (Email: rupak at cs ucla edu)

• Lectures: Monday, Wednesday 4:00-5:40 Location 5272 Boelter Hall

• Office hours:Wednesday 11:00-12:00 and by appointment

• Introduction 

How can a designer check that the system (s)he has designed works correctly? Will a cache coherence
protocol continue to work correctly when an extra processor is added? Does a device driver follow the 
protocol expected by the operating system kernel? Can an intruder ever execute a piece of code with 
superuser privileges? Today, designers attempt to answer such questions using simulation over selected 
sample cases. As reactive systems become more complex and pervasive, simulation-based techniques are 
not sufficient to assure desired reliability. Model checking and related computer-aided verification techniques
are emerging as practical alternatives to simulation for debugging complex software and hardware systems.
These methods allow the designer to verify that a mathematical model of a system satisfies its abstract logical
specification. This approach has been most effective in the analysis of control-intensive hardware components,
and is rapidly becoming an integral part of the design cycle in companies like Intel and Motorola. Much recent
work has focused on applying similar techniques to improve the reliability of systems software.

• Objectives 

The participants will become familiar with both the theory and practice of software and hardware model checking. 
Some of the homework problems will involve formal proofs, and other homework problems will involve experimentation
with verification tools. Students will also read some research papers in the field.

• Prerequisites 

The course requires basic knowledge of algorithms, data structures, automata theory, computational complexity, and propositional
logic. For example, you should know what it means for a formula to be satisfiable, how to determinize a finite automaton, what is
depth first search, and what P and NP means. If you are not familiar with these concepts, or need more information to decide,
contact the instructor. I shall assume you have taken CS180 and CS181 or equivalents.

• Textbook: Class notes will be handed out. You can also look at Clarke, Grumberg, and Peled, Model Checking, MIT Press.

• Grading: Grades will be awarded on the basis of a few homework assignments and a project paper. Instead of a final exam, there will be presentations of the project papers.

• Projects: 

Potential project topics, both theoretical and experimental, will be announced during the first weeks of the course. Any suggestions for designing your own project according to your interests are very welcome. Every project will require a mentor. Projects will involve either surveying a field in depth, or using state of the art model checkers to verify large systems of interest, or to extend the capabilities of existing model checkers by implementing new algorithms or proving new theorems. See the project page for more details.

• Teamwork: 

Students may collaborate on homeworks, but each student needs to individually write up a solution set and be
prepared to present it in class on the due date. Projects must be done individually, or as clearly identifiable parts of a larger effort.

• Lecture Notes

Lecture 1 Monday October 3
Introduction to formal verification, modeling, reactive modules.
Lecture Notes
Some notation Reactive Modules

Homework 1 (due Wednesday October 12): Problems 1.7 (except part d), any one of 1.9-1.11, and any one of 1.13-1.14. These numbers refer to the exercises in the Reactive modules handout above.

Lecture 2 Wednesday October 5
Reactive modules, examples, composition operators.

Lecture 3 Monday October 10 Reactive modules to state transition graphs. Invariant verification. Enumerative algorithms.
Invariant verification (You may omit Section 2.5).

• Homework 2 (due Wednesday October 19). You do not have to turn in the practice part.
• Theory: Problems 2.3, any one of 2.4 and 2.6, and Problem 2.12 (use only the state enumerative data structures).
  
• Practice: Look at the SPIN model checker web page. Look at the leader election protocol in Promela (the input language for Spin) in the paper The Model Checker SPIN. Use Spin to check for the invariant nr_leaders <=1. What happens to the model checking time if you increase the number of processes?

Lecture 4 Wednesday 12 Enumerative model checking. Optimizations. Introduction to symbolic methods. Equivalence checking.

Lecture 5 Monday October 17 Symbolic model checking. Bounded model checking. BDGs.
Symbolic representations

Lecture 6 Wednesday October 19 BDDs.
Read the classic paper on BDDs.
Homework 3 (due Wednesday October 26).
(a) Exercises 3.3 (assume a further operation toSymreg : state -> symreg), 3.20, 3.21.
(b) How should you order the primed and the unprimed variables in order to get a linear time implementation of Rename(X, X', bdd)?

Lecture 7 Monday October 23 End BDDs. Graph minimization and partition refinement.
Graph minimization

Lecture 8 Wednesday October 25 No class. Think about projects.

Lecture 9 Monday October 31 Partitition refinement algorithms.

Lecture 10 Wednesday November 2 Safe temporal logic. Model Checking STL.
Temporal safety requirements

• Homework 4 (due Wednesday Nov 9) Exercise 4.6, 6.2, 6.4.

Lecture 11 Monday November 7 Distinguishing power and expressive power of STL.

Lecture 12 Wednesday November 9 Automata theoretic model checking. Hierarchical verification.

• Automata and model checking
• Hierarchical verification
• Homework (due Wednesday November 16) 6.25, 7.5, 7.9.

Lecture 13 Monday November 14 Simulation checking. CTL. Fairness. Fair modules. Note that we did not cover most of this in class.

Lecture 14 Wednesday November 16 Fairness. Fair cycle detection. Response verification Liveness verification
No homework this week. Work on your projects.

Lecture 15 Monday November 21 Fair CTL model checking.

Lecture 16 Wednesday November 23 Mu-calculus and symbolic CTL model checking.
(Last) Homework: 9.10, 10.7, 10.8, 10.11.

Lecture 17 Monday November 28 LTL. Automata on infinite words. Automata and the mu calculus.

Lecture 18 Wednesday November 30 Tableau construction. LTL model checking.

Lecture 19 Monday December 5 Introduction to infinite state model checking. Well quasi orderings and reachability.

Lecture 20 Wednesday December 7 Project presentations.