
Published by Nichole Mull. Modified about 1 year ago.

2
Model Checking: Making Automatic Formal Verification Scale
Shaz Qadeer, EECS Department, University of California at Berkeley

3
Formal Verification Problem
- Design or system M: a mathematical model
- Specification: given in a formal language
- Does M satisfy the specification?
Applications
- Software (safety-critical)
- Hardware (microprocessors)
- Protocols (shared-memory multiprocessors)
- Security

4
Specification and Implementation
(diagram) Intent is captured by a Specification; the Product is the Implementation. Relations checked between them: property verification, refinement checking, equivalence checking.

5
Approaches
- Algorithmic (model checking)
  - Design: typically finite state machines
  - Specification: first-order temporal logic
  - Automatic!!
- Deductive (interactive theorem proving)
  - Very expressive
  - User interacts with the prover
- Deductive + Algorithmic
  - Abstraction
  - Compositional model checking

6
Modeling designs
Formal model of implementation and specification: finite state machine (diagram: an arbiter with request inputs r1, r2 and grant outputs g1, g2).
Sample trace:
  r1: 0 1 1 1 0 0 0
  g1: 0 0 0 1 0 0 0
  r2: 0 1 1 1 1 1 0
  g2: 0 1 0 0 0 1 0
Semantics of model: trace language on I/O

7
Specification: temporal logic
Temporal operators:
- Finally: F p
- Globally: G p
- NeXt: X p
Arbiter specification: G (r1 F g1)

8
Specification: FSM
Nondeterministic finite state machine (diagram: the specification FSM over r1, r2, g1, g2 beside the implementation FSM)
P refines P' iff (by definition) L(P) is contained in L(P'), iff every linear property satisfied by P' is satisfied by P

9
Model Checking
Explore the state space of FSM I exhaustively: all possible execution sequences are checked!!
Does I satisfy the specification? Does I refine S? If the answer is no, the model checker returns a counterexample.

10
State space explosion
FSM composition operator ||: if P has m states and Q has n states, P || Q has m·n states.
Designs expressed as a composition P1 || P2 || ... || Pk have m1·m2·...·mk states.
Model checking is exponential in the size of the design description.

11
Outline
- Symbolic model checking in VIS
- Overview of my contributions
- Forward symbolic model checking
- Compositional model checking in the assume-guarantee paradigm
- Future research directions

12
VIS
Symbolic model checker. (diagram) The hierarchical description I1 || I2 || I3 is composed into a flat description, which is checked against a temporal logic specification.

13
Symbolic Model Checking
Manipulation of state sets (not individual states)
Implicit representation with boolean expressions
- state transition graph
- state sets
Operations on state sets performed implicitly
- boolean operations
- image computation (pre, post)

14
Pre
(diagram) Transition relation T, state set S, and its pre-image pre(S)

15
Post
(diagram) Transition relation T, state set S, and its image post(S)

16
VIS: Limitations
1. Backward model checking
Invariant checking: does init satisfy F bad? (diagram: init and bad state sets)
Iterate pre until fixpoint
Useless exploration of unreachable states
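The pre/post image computation of slides 13-15 and the backward (pre) versus forward (post) invariant check of slides 16, 22 and 23, as an added example that is not code from the original slides. It builds the product state space with the composition operator || of slide 10 and checks a mutual-exclusion invariant on a small request/grant arbiter. The environment module, the arbiter, the buggy variant, and the invariant "g1 and g2 are never asserted together" are constructed for this illustration; Python frozensets stand in for the BDDs that VIS uses.

```python
"""Set-based pre/post image computation on a composed design (added example).

Frozensets stand in for the BDDs of a symbolic model checker such as VIS:
every operation works on whole state sets, never on one state at a time.
The environment, arbiter and invariant below are constructed, not from VIS.
"""
from itertools import product

# Environment module: state is the request pair (r1, r2). Requests change
# arbitrarily, so every environment state is initial and every state is a successor.
ENV_STATES = frozenset(product((0, 1), repeat=2))


def env_step(_state, _inputs):
    """Nondeterministic next state: any request pattern may follow any other."""
    return ENV_STATES


def make_arbiter(buggy=False):
    """Arbiter module with registered grants (g1, g2) and a turn bit for contention.

    The correct arbiter grants at most one requester per cycle. The buggy variant
    (constructed to show how a violation surfaces) grants both on contention.
    """
    states = frozenset(product((0, 1), repeat=3))  # (g1, g2, turn)
    init = frozenset({(0, 0, 0)})

    def step(state, inputs):
        _g1, _g2, turn = state
        r1, r2 = inputs
        if r1 and r2:
            if buggy:
                return {(1, 1, 1 - turn)}
            return {(1, 0, 1) if turn == 0 else (0, 1, 0)}  # grant by turn, then flip
        if r1:
            return {(1, 0, turn)}
        if r2:
            return {(0, 1, turn)}
        return {(0, 0, turn)}

    return states, init, step


def compose(env, arb):
    """Synchronous composition E || A over the product state space (m*n states).

    Returns (states, init, T); T is the transition relation as a set of
    (current, next) pairs, and the arbiter reads the environment's current requests.
    """
    e_states, e_init, e_step = env
    a_states, a_init, a_step = arb
    states = frozenset(product(e_states, a_states))
    init = frozenset(product(e_init, a_init))
    T = frozenset(
        ((r, a), (r_next, a_next))
        for r, a in states
        for r_next in e_step(r, None)
        for a_next in a_step(a, r)
    )
    return states, init, T


def post(S, T):
    """Image: every state reachable from some state of S in one T-step."""
    return frozenset(t for s, t in T if s in S)


def pre(S, T):
    """Pre-image: every state with some T-successor inside S."""
    return frozenset(s for s, t in T if t in S)


def fixpoint(start, image, T):
    """Iterate current := current | image(current) until it stops growing.

    Returns the fixpoint and the number of image computations performed.
    """
    current, rounds = start, 0
    while True:
        rounds += 1
        grown = current | image(current, T)
        if grown == current:
            return current, rounds
        current = grown


def analyse(buggy=False):
    """Check 'never g1 and g2 together' forward (post) and backward (pre)."""
    env = (ENV_STATES, ENV_STATES, env_step)
    states, init, T = compose(env, make_arbiter(buggy))
    bad = frozenset((r, a) for r, a in states if a[0] == 1 and a[1] == 1)
    reach, f_rounds = fixpoint(init, post, T)   # forward:  Reach(init)
    coreach, b_rounds = fixpoint(bad, pre, T)   # backward: states that can reach bad
    return {
        "states": len(states),
        "forward_holds": reach.isdisjoint(bad),
        "forward_explored": len(reach),
        "forward_rounds": f_rounds,
        "backward_holds": coreach.isdisjoint(init),
        "backward_explored": len(coreach),
        "backward_rounds": b_rounds,
        # states the backward search examined that no execution can ever reach
        "backward_wasted": len(coreach - reach),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("buggy" if flag else "correct", analyse(buggy=flag))
```

On the correct arbiter the forward search visits exactly the 24 reachable states of the 32-state product, while all 8 states the backward search examines are unreachable, which is the wasted work the slide refers to; on the buggy variant both directions report the violation, and the forward reachable set is the raw material for the counterexample trace.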

17
VIS: Limitations
2. Design structure not utilized
(diagram) The hierarchical description I1 || I2 || I3 is composed into a flat model before the symbolic model checker checks it against the temporal logic specification.

18
VIS: Limitations
3. Unsuitable for asynchronous protocols
Naïve symbolic exploration explores all orderings of independent events a, b: wasteful!

19
VIS: Limitations
3. Unsuitable for asynchronous protocols
Partial-order techniques
- explicit state exploration
- avoid exploring all orderings of independent events
"Partial-order reduction in symbolic state exploration," Alur, Brayton, Henzinger, Qadeer, Rajamani 1997

20
VIS: Limitations
4. Limited to finite-state systems
Parameterized systems
- protocols (communication, multiprocessors)
- finite-state methods verify only instantiations
"Verifying sequential consistency on shared-memory multiprocessors," Henzinger, Qadeer, Rajamani 1999

21
Outline
- Symbolic model checking in VIS
- Overview of my contributions
- Forward symbolic model checking
- Compositional model checking in the assume-guarantee paradigm
- Future research directions

22
Invariant Verification: Pre
Does init satisfy F bad? (diagram: pre-images iterated backward from bad toward init)

23
Invariant Verification: Post
Does init satisfy F bad? (diagram: post-images iterated forward from init toward bad)

24
Response Verification: Pre
Does init satisfy F (req G ack)? (diagram: backward iteration from the ack and G ack regions)

25
Response Verification: Pre
Does init satisfy F (req G ack)? (diagram: backward iteration from G ack through req toward init)

26
Response Verification: Post
Does init satisfy F (req G ack)? R = Reach(init) (diagram: forward iteration from init; the req states inside R)

27
Response Verification: Post
(diagram: the req states inside R and the ack region)

28
Theorem
All linear properties expressible by Büchi automata can be model checked by forward reasoning.
"From pre-historic to post-modern symbolic model checking," Henzinger, Kupferman, Qadeer 1998

29
Outline
- Symbolic model checking in VIS
- Overview of my contributions
- Forward symbolic model checking
- Compositional model checking in the assume-guarantee paradigm
- Future research directions

30
Previous approaches
Heuristically improve state exploration efficiency
- Synchronous hardware: symbolic techniques (BDDs): VIS
- Asynchronous protocols: state reduction with explicit enumeration
  - partial-order reduction: SPIN
  - symmetry reduction: Murphi
Algorithms work on a flat description of systems
State of the art: 50-100 state variables

31
Our approach: MOCHA
- Complex designs are necessarily modular and hierarchical
- Utilize rather than destroy design structure
- Partition the verification problem into smaller obligations
- Use existing algorithms to decide these obligations

32
Divide and Conquer
If P refines P' and Q refines Q', then P || Q refines P' || Q'.
Difficulty: not applicable in practice


34
Assume-Guarantee Rule [Stark] [Clarke-Long-McMillan] [Grumberg-Long] [Abadi-Lamport] [Alur-Henzinger] [McMillan]
If P || Q' refines P' and P' || Q refines Q', then P || Q refines P' || Q'.

35
Propositional Validity?
Read propositionally: from "p and q' implies p'" and "p' and q implies q'", conclude "p and q implies p' and q'".
Consider the case p = true, q = true, p' = false, q' = false.

36
Refinement Checking in MOCHA
Space abstraction (diagram)

37
Refinement Checking in MOCHA
Space abstraction, time abstraction (diagram)

38
Refinement Checking in MOCHA (diagram)

39
Refinement Maps
- Environment signals not present in the specification
- Manually construct abstract constraining modules
- Design insight is required!


41
MOCHA: Refinement Examples
Asynchronous applications
- Sliding window protocol
Synchronous applications
- Pipeline
- Tomasulo's algorithm
"You assume, we guarantee: methodology and case studies," Henzinger, Qadeer, Rajamani 1998

42
VGI architecture
- 16 clusters with 6 processors each: 4 compute, 1 memory, 1 I/O
- ~30K logic gates and ~800 latches per processor
- 3-stage pipelined compute processors
- Complex handshake between processors
- Interconnection between processors configured statically

43
(diagram: complex handshake; FIFO buffer; pipeline; ISA)

44
Verification of VGI
- Level-sensitive latches: multiple implementation steps correspond to a single specification step
- Very large design: needs compositional verification
"Assume-guarantee refinement between different time scales," Henzinger, Qadeer, Rajamani 1999
"Formal specification and verification of a dataflow processor array," Henzinger, Liu, Qadeer, Rajamani 1999

45
MOCHA
(diagram) Verilog, Esterel, Java front ends produce a Reactive Module; Proof Assistant (e.g., assume-guarantee, ...); Algorithm 1, Algorithm 2; Temporal logic specification; Abstract Module
"Mocha: modularity in model checking," Alur, Henzinger, Mang, Qadeer, Rajamani, Tasiran 1998

46
Formal design
- 3 subtle bugs in the interaction between datapath and communication control were found and fixed
- Design insight (through refinement maps) indispensable for model checking
- Model checking indispensable for producing a correct design
  - Error traces invaluable
  - Iterative testing of design fixes

47
Formal design
- Symbiotic relationship between design and verification
- Refinement maps not a big burden for designers
- Vision
  - Both activities performed in parallel
  - Designer uses a model checker interactively during the design phase itself


49
Sample operator
Given a finite state machine P and a predicate on the variables of P: a run of P sampled whenever the predicate is true is a run of Sample(P).
We compare Sample_~clk(VGI) against its specification.

50
(diagram: pipeline against ISA, sampled on ~clk)

© 2017 SlidePlayer.com Inc.
