Model Checking Basics

In software engineering several formalism are in some form or another compositions of state machines. For example, Statecharts are simply state machines. There is value in simply writing these formal specifications down because it forces the designer to think carefully. However, in highly distributed designs subtle errors (such as deadlocks or race conditions) are very hard to catch simply by inspection. The difficulty stems from the fact that the global state space of the entire system can be very large and exhibit very complex behaviors. Therefore, there is a need for automatic analysis of specifications expressed as composition of state machines. Model checking is a technique for automatically analyzing whether a model of a distributed system has a desired property, e.g., absence of deadlocks. Model checking takes as its input a formal model of the system and a property expressed in temporal logic. Temporal logics are logics that have a notion of time. Using sophisticated state space exploration techniques a model checker verifies that the model satisfies the desired property. If the property turns out to be false in the model, most model checkers output a counter-example or a trace of states in the model that shows “why” the property does not hold. Figure 1 gives a schematic description of a model-checker. Next we describe the two inputs to the model checker. The discussion is kept at an abstract level. We will discuss specific details when we describe the model checker NuSMV.