




Computer Engineering and Networks Laboratory

### Verification of Finite State Automata

- Because of the finite number of states, verification is possible in principle by enumeration.
- Because of the finite size of memory, the correctness of processors, software, communication systems, ... could be shown.
- **But is this a feasible approach?**




#### Verification of Finite State Automata

- In recent years, there was a *breakthrough* here!
- Symbolic model checking:
  - Formulation of questions in terms of logic formulas (temporal logic). *In this lecture, we will NOT cover this because of lack of time! Only a simple question will be tackled (reachability).*
  - Efficient representation of sets and relations using OBDDs (ordered binary decision diagrams).
- The methods are *used in industry* for proving the correctness of digital circuits (control path, arithmetic units) and of safety-critical embedded systems (traffic control, airplane control, ...).

Swiss Federal Institute of Technology




# **Principles**



# **Compare Specification and Implementation**

#### Problem 1:

- Specification using a Boolean function.
- Implementation using a Boolean circuit.



Figure (circuit diagram on the slide): a Boolean circuit over the inputs $x_1$, $x_2$, $x_3$, to be compared with the specification $v = (x_1 + x_2) \cdot x_2$.

- Method: convert the circuit into a function, rewrite terms, compute normal forms, ... ???

#### Problem 2:

- Specification of a state machine using transition function.
- Implementation using a Boolean circuit.
- Method: the state encoding of the implementation is unknown, and the number of execution paths is huge ... ???






#### **Ordered Binary Decision Diagrams (OBDD)**

- OBDDs can be used to *efficiently represent* Boolean functions, sets, and (output and transition) relations.
- Because of the *unique representation* of Boolean functions, they can be used to prove equivalence.
- *Operations* on Boolean functions can be done efficiently.
- They can be used only if the sets, relations, ... are *finite*.

# **Ordered Binary Decision Diagram (OBDD)**

#### Concept:

- Data structure for the representation of **Boolean functions.** 

  Examples (drawn as OBDDs on the slide): $x_1 \lor x_2 \lor x_3$ and $(x_1 \lor x_2) \land x_3$.

- Unique (if reduced by removing redundant parts and if variable ordering is fixed).
- Based on decision tree.

#### Form:

- Decision nodes that are associated to variables
- Edges denote false (0, green) or true (1, red)
- Leaves denote function values









#### Decomposition

**BDDs** are based upon the **Boole-Shannon decomposition**

$$f = \overline{x} \cdot f|_{x=0} + x \cdot f|_{x=1}$$

- For each free variable $x$, the function has two co-factors, $f|_{x=0}$ and $f|_{x=1}$.



# **Calculations with BDDs**

- **RESTRICT:** $f|_{x=k}$
  - Operation: delete the edges corresponding to $x = \overline{k}$ and apply the simplification rules.
- **APPLY:** $f \langle op \rangle g$ with a Boolean operator $op$
  - Operation: $f$ and $g$ are given as BDDs. Apply a recursive algorithm on $f$ and $g$ based on

$$f \langle op \rangle g = \overline{x} \cdot (f|_{x=0} \langle op \rangle g|_{x=0}) + x \cdot (f|_{x=1} \langle op \rangle g|_{x=1})$$



# **Ordering of Variables**

- Reduced BDDs are *unique* for a given fixed variable ordering.
- Therefore, *ordered BDDs* are used (OBDDs).
- The size of a BDD depends on the ordering (and can be exponential).



# **Calculations with BDDs**

- *Boolean expressions* are converted to BDDs step by step:

$$y = (x_1 \to x_2) \otimes x_3 \qquad\text{is built as}\qquad y_1 = x_1 \to x_2, \quad y = y_1 \otimes x_3$$

- *Circuits* are converted to Boolean functions first (based on a topological ordering of the gates).
- *Quantifiers* are represented using APPLY and RESTRICT:

$$\exists x \colon f(x) \quad \leftrightarrow \quad f(x)|_{x=0} + f(x)|_{x=1} = f(0) + f(1)$$

$$\forall x \colon f(x) \quad \leftrightarrow \quad f(x)|_{x=0} \cdot f(x)|_{x=1} = f(0) \cdot f(1)$$

$$\exists x_1, x_2 \colon f(x_1, x_2) \quad \leftrightarrow \quad \exists x_1 \colon (\exists x_2 \colon f(x_1, x_2))$$

$$\forall x_1, x_2 \colon f(x_1, x_2) \quad \leftrightarrow \quad \forall x_1 \colon (\forall x_2 \colon f(x_1, x_2))$$



### **Sets and Relations**



### **Equivalence of Boolean Circuits**

- *Comparison* between specification and implementation or between two implementations.
- *Method*:
  - Represent the two systems as OBDDs by applying the APPLY operator repetitively.
  - Compare structure of OBDDs.
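The following is an added example (not code from the lecture): a minimal reduced ordered BDD package in Python that puts the preceding slides together, namely the Boole-Shannon decomposition, RESTRICT and APPLY, the quantifiers built from them, the dependence of the BDD size on the variable ordering, and the equivalence check of Problem 1 by comparing the canonical nodes of specification and circuit. Node names, the `mk` unique-table constructor and the size-comparison function `ordering_sizes` are assumptions of this example; the function $x_1 x_2 + x_3 x_4 + x_5 x_6$ used there is the textbook case of a good versus a bad ordering, not one taken from the slides.

```python
# Added example, not from the lecture slides: a minimal reduced ordered BDD
# (ROBDD) package. Variables are integers; a smaller index comes earlier in
# the fixed ordering. Node identity is function identity (canonicity).
from functools import lru_cache

TRUE, FALSE = "1", "0"   # terminal nodes (the function values)
_unique = {}             # (var, low, high) -> node: one node per distinct triple
_nodes = {}              # node -> (var, low, high)

def mk(var, low, high):
    """Create or reuse a decision node, applying both reduction rules:
    a node whose co-factors are equal is dropped, and an isomorphic
    subgraph is shared through the unique table."""
    if low == high:
        return low
    key = (var, low, high)
    if key not in _unique:
        _unique[key] = node = f"n{len(_nodes)}"
        _nodes[node] = key
    return _unique[key]

def var(i):
    """The projection function x_i."""
    return mk(i, FALSE, TRUE)

def top(u):
    """Variable tested at node u, or None for a terminal."""
    return None if u in (TRUE, FALSE) else _nodes[u][0]

def cofactors(u, i):
    """(f|x_i=0, f|x_i=1) for node u; if u tests a later variable or is a
    terminal, f does not depend on x_i and both co-factors are u itself."""
    if top(u) != i:
        return u, u
    _, low, high = _nodes[u]
    return low, high

def apply(op, f, g):
    """APPLY: f<op>g = x'.(f|x=0 <op> g|x=0) + x.(f|x=1 <op> g|x=1),
    recursing on the earliest variable tested by f or g."""
    @lru_cache(maxsize=None)
    def rec(u, v):
        if top(u) is None and top(v) is None:
            return TRUE if op(u == TRUE, v == TRUE) else FALSE
        i = min(t for t in (top(u), top(v)) if t is not None)
        u0, u1 = cofactors(u, i)
        v0, v1 = cofactors(v, i)
        return mk(i, rec(u0, v0), rec(u1, v1))
    return rec(f, g)

def AND(f, g): return apply(lambda a, b: a and b, f, g)
def OR(f, g):  return apply(lambda a, b: a or b, f, g)
def NOT(f):    return apply(lambda a, b: not a, f, f)

def restrict(f, i, k):
    """RESTRICT f|x_i=k: drop the edges for x_i = not k and re-reduce."""
    @lru_cache(maxsize=None)
    def rec(u):
        j = top(u)
        if j is None or j > i:          # terminal, or x_i cannot occur below
            return u
        _, low, high = _nodes[u]
        if j == i:
            return high if k else low
        return mk(j, rec(low), rec(high))
    return rec(f)

def exists(f, i):
    """Exists x_i: f  =  f|x_i=0 + f|x_i=1 (an OR of two RESTRICTs)."""
    return OR(restrict(f, i, 0), restrict(f, i, 1))

def forall(f, i):
    """Forall x_i: f  =  f|x_i=0 . f|x_i=1 (an AND of two RESTRICTs)."""
    return AND(restrict(f, i, 0), restrict(f, i, 1))

def size(f):
    """Number of decision nodes reachable from f."""
    seen = set()
    def walk(u):
        if top(u) is not None and u not in seen:
            seen.add(u)
            walk(_nodes[u][1]); walk(_nodes[u][2])
    walk(f)
    return len(seen)

def problem1_equivalent():
    """Problem 1 of the slides: the specification v = (x1 + x2).x2 against a
    circuit that is just the wire x2 (equal by absorption). Both reduce to
    the same node, so no term rewriting is needed."""
    x1, x2 = var(1), var(2)
    return AND(OR(x1, x2), x2) == x2

def ordering_sizes():
    """ROBDD sizes of x1.x2 + x3.x4 + x5.x6 with the pairs adjacent in the
    ordering (x1 x2 x3 x4 x5 x6) versus interleaved (x1 x3 x5 x2 x4 x6).
    The index of each variable is its position in the ordering."""
    def build(pairs):
        f = FALSE
        for a, b in pairs:
            f = OR(f, AND(var(a), var(b)))
        return f
    return size(build([(0, 1), (2, 3), (4, 5)])), size(build([(0, 3), (1, 4), (2, 5)]))

if __name__ == "__main__":
    print(problem1_equivalent(), ordering_sizes())   # True (6, 14)
```

Because `mk` only ever hands out one node per (variable, low, high) triple, two functions are equal exactly when their root nodes are the same Python string; that single comparison is the whole equivalence check. The size pair returned by `ordering_sizes` shows the point of the ordering slide: the same function needs 6 nodes with a good ordering and 14 with a bad one, and the gap grows exponentially with more variable pairs.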



#### **Reachable States**


- *Problem*: Is a state $x \in X$ reachable?
- *Solution*:
  - Represent state sets and transition relations as OBDDs.
  - Transform sets of states.
  - Iterative transition until a stable set of states is obtained.





# **Reachable States**

#### Core transformation:

Determine the set $\operatorname{Im}(X, f)$ of all direct successor states of a given state set $X$ using the transition relation $f$:



### **Reachable States**

- Fixed point calculation:
  - Starting from a set of initial states, determine the set of states that can be reached in one or several steps:

$$X_{0} = \{x_{0}\}$$

$$X_{i+1} = X_{i} \cup \operatorname{Im}(X_{i}, f) \quad \text{until } X_{i+1} = X_{i}$$

$$\psi_{X_{i+1}}(x') = \psi_{X_{i}}(x') + (\exists x : \psi_{X_{i}}(x) \cdot \psi_{f}(x, x'))$$

- Because of the finite set of states, a fixed point exists and is reached in finite time.
- Test whether a state is reachable using resulting BDD.




### **Equivalence of Finite State Automata**

A method *based on reachability* is described:



- Calculate the reachable states of the combined automaton.
- Compare the outputs for equality.

### **Equivalence of Finite State Automata**

**Calculate the common transition function:** 

 $\psi_f(x_1, x_2, x_1', x_2') = (\exists u : \psi_{f_1}(u, x_1, x_1') \cdot \psi_{f_2}(u, x_2, x_2'))$ 

**Determine the set of reachable states (as before):** 

 $\psi_X(x_1, x_2)$ 

**Determine the set of reachable output values:** 

 $\psi_Y(y_1, y_2) = (\exists x_1, x_2 : \psi_X(x_1, x_2) \cdot \psi_{g_1}(x_1, y_1) \cdot \psi_{g_2}(x_2, y_2))$ 

- Automata are different if the following term is true:

 $\exists y_1, y_2 \colon \psi_Y(y_1, y_2) \cdot (y_1 \neq y_2)$ 
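As an added example (not code from the lecture), the fixed-point iteration of the reachable-states slides and the product-automaton test of the two preceding slides, carried out on the 3-bit ripple counter from the SMV example at the end of the lecture and on a second implementation, an integer counter mod 8, that should produce the same `bit2.carry_out`. State sets and the transition relation are explicit Python sets here instead of OBDDs, so $\operatorname{Im}(X, f)$ is a set comprehension rather than `APPLY` and `RESTRICT`; the iteration and the product construction are the same. The second automaton, its deliberately wrong variant `int_output_wrong`, and all function names are assumptions of this example.

```python
# Added example, not from the lecture slides: reachable-state fixed point
# X_{i+1} = X_i u Im(X_i, f) and equivalence of two automata via the product
# automaton. Sets are explicit here; the slides do the same with OBDDs.
import itertools

def image(states, relation):
    """Im(X, f): all direct successor states of X under the relation f."""
    return {x2 for (x1, x2) in relation if x1 in states}

def reachable(initial, relation):
    """Iterate X_{i+1} = X_i u Im(X_i, f) until X_{i+1} = X_i.
    Returns (reachable set, number of iterations). It terminates because the
    state space is finite and the sequence of sets only grows."""
    X = set(initial)
    iterations = 0
    while True:
        X_next = X | image(X, relation)
        iterations += 1
        if X_next == X:
            return X, iterations
        X = X_next

def relation_of(states, next_fn):
    """Transition relation {(x, x')} of a deterministic machine with no input."""
    return {(x, next_fn(x)) for x in states}

# Automaton 1 (from the SMV example): three counter cells, least significant
# first; the carry_in of cell 0 is the constant 1.
RIPPLE_STATES = list(itertools.product((0, 1), repeat=3))

def ripple_next(state):
    carry, nxt = 1, []
    for b in state:                   # next(value) := (value + carry_in) mod 2
        nxt.append((b + carry) % 2)
        carry = b & carry             # carry_out := value & carry_in
    return tuple(nxt)

def ripple_output(state):
    b0, b1, b2 = state
    return b2 & b1 & b0 & 1           # bit2.carry_out

# Automaton 2 (constructed for this example): the same counter as an integer.
INT_STATES = list(range(8))
def int_next(n): return (n + 1) % 8
def int_output(n): return 1 if n == 7 else 0
def int_output_wrong(n): return 1 if n == 6 else 0   # deliberately wrong output

def equivalent(states1, next1, out1, init1, states2, next2, out2, init2):
    """Build the product automaton (both machines step in lockstep), compute
    its reachable states, collect the reachable output pairs (y1, y2), and
    report whether every reachable pair has y1 == y2."""
    product_states = [(s, t) for s in states1 for t in states2]
    relation = relation_of(product_states, lambda st: (next1(st[0]), next2(st[1])))
    X, _ = reachable({(init1, init2)}, relation)
    outputs = {(out1(s), out2(t)) for s, t in X}
    differ = any(y1 != y2 for y1, y2 in outputs)
    return not differ, X

def demo():
    """Reachable states of the ripple counter, whether (1,1,1) is reachable,
    and the equivalence verdicts for the correct and the wrong comparison."""
    X, n = reachable({(0, 0, 0)}, relation_of(RIPPLE_STATES, ripple_next))
    same, _ = equivalent(RIPPLE_STATES, ripple_next, ripple_output, (0, 0, 0),
                         INT_STATES, int_next, int_output, 0)
    wrong, _ = equivalent(RIPPLE_STATES, ripple_next, ripple_output, (0, 0, 0),
                          INT_STATES, int_next, int_output_wrong, 0)
    return len(X), n, (1, 1, 1) in X, same, wrong

if __name__ == "__main__":
    print(demo())   # (8, 8, True, True, False)
```

The counter needs seven images before all eight states are in the set, and the eighth iteration is the one that detects the stable set; only the 8 lockstep states of the 64 product states are reachable, which is why the equivalence test quantifies over the reachable set $\psi_X$ and not over all state pairs.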







#### **Verification of Finite State Automata**

- *Check temporal properties* of a finite state automaton, for example:
  1. Can a *reset* state be reached from every reachable state?
  2. Is every *request* eventually followed by an *acknowledgement*?
  3. Are the *outputs equal* for all reachable states?
- Usually, these questions are formulated as an expression in some *temporal logic*, for example CTL (computation tree logic).
- Operators and quantifiers:
  - X: in the next step; F: eventually; G: always (in every step)
  - A: for all paths; E: for at least one path

We will not explore this further ....


#### **Concluding Remarks**

- Possible extensions:
  - Proof of properties in absolute time using the concept of clocks.
  - Verification of systems with a potentially unlimited number of states.
  - Combination of discrete event systems and systems with continuous state (hybrid systems).
- Public domain software available, e.g. *SMV*:
  - General input language for system specification.
  - Accepts CTL formulas.
  - Produces counter examples.




### **Example: Counter Verification with SMV**

```
MODULE main
VAR
  bit0 : counter_cell(1);
  bit1 : counter_cell(bit0.carry_out);
  bit2 : counter_cell(bit1.carry_out);

SPEC AF bit2.carry_out
  -- "For all execution paths, the value of bit2.carry_out will eventually be true."
  -- This will be true.

SPEC AG !bit2.carry_out
  -- "For all execution paths, the value of bit2.carry_out will be false at every step."
  -- This will be false and a counterexample will be produced.

MODULE counter_cell(carry_in)
VAR
  value : boolean;
ASSIGN
  init(value) := 0;
  next(value) := (value + carry_in) mod 2;
DEFINE
  carry_out := value & carry_in;
```



