Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Similar presentations


Presentation on theme: "Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley."— Presentation transcript:

1

2 Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley

3 Formal Verification Problem –Design or system M - mathematical model –Specification  - formal language –Does M satisfy  ? Applications –Software (safety-critical) –Hardware (microprocessors) –Protocols (shared memory multiprocessors) –Security

4 Specification Intent Implementation Product Property verification Refinement checking Equivalence checking

5 Approaches Algorithmic (model checking) –Design - typically finite state machines –Specification - first-order temporal logic – Automatic !! Deductive (interactive theorem proving) –Very expressive –User interacts with the prover Deductive + Algorithmic –Abstraction –Compositional model checking

6 Modeling designs Formal model of implementation and specification - finite state machine r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2 r g r g Semantics of model - trace language on I/O

7 Specification - Temporal logic pppppp Finally: F p Globally: G p NeXt: X p Temporal operators: Arbiter specification: G (r 1  F g 1 )

8 Specification - FSM r2r2 r1r1 g2g2 g1g1 r2r2 r1r1 F G1G1 G2G2 Nondeterministic finite state machine r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2  P  P’ iff def L(P) is contained in L(P’) iff Every linear property satisfied by P’ is satisfied by P

9 Model Checking Explore state space of I exhaustively All possible execution sequences are checked !! FSM I Does I satisfy  ? Does I refine S ? Counterexample No

10 State space explosion P || Q m  n states Designs expressed as composition P 1 || P 2 ||.... || P k - m 1  m 2 ....  m k states Model checking exponential in design description a P m states Q n states a bb FSM composition operator ||

11 Outline Symbolic model checking in VIS Overview of my contributions Forward symbolic model checking Compositional model checking in assume-guarantee paradigm Future research directions

12 VIS Symbolic model checker I 1 || I 2 || I 3 I1I1 I2I2 I3I3  Temporal logic spec Hierarchical description Flat description Compose

13 Symbolic Model Checking Manipulation of state sets (not individual states) Implicit representation with boolean expressions –state transition graph –state sets Operations on state sets performed implicitly –boolean ( , ,  ) –image computation (pre, post)

14 Pre Transition relation T S pre(S) T

15 Post Transition relation T post(S) S T

16 VIS : Limitations 1. Backward Model Checking Invariant checking : init   F bad   ? initbad Iterate pre until fixpoint Useless exploration of unreachable states

17 VIS: Limitations 2. Design structure not utilized Symbolic model checker I 1 || I 2 || I 3 I1I1 I2I2 I3I3  Temporal logic spec Compose

18 VIS: Limitations 3. Unsuitable for asynchronous protocols Naïve symbolic exploration explores all orderings of independent events - wasteful ! Independent events a, b a a b b

19 Partial-order techniques –explicit state exploration –avoids exploring all orderings of independent events VIS: Limitations 3. Unsuitable for asynchronous protocols “Partial-order reduction in symbolic state exploration,” Alur, Brayton, Henzinger, Qadeer, Rajamani 1997

20 VIS: Limitations 4. Limited to finite-state systems Parameterized systems –protocols (communication, multiprocessors) –finite-state methods verify only instantiations “Verifying sequential consistency on shared-memory multiprocessors,” Henzinger, Qadeer, Rajamani 1999

21 Outline Symbolic model checking in VIS Overview of my contributions Forward symbolic model checking Compositional model checking in assume-guarantee paradigm Future research directions

22 Invariant Verification: Pre init   F bad   ? initbad

23 Invariant Verification: Post init   F bad   ? initbad

24 Response Verification: Pre init   F (req  G  ack)    ack  G  ack

25 Response Verification: Pre init   F (req  G  ack)    G  ackreq init

26 Response Verification: Post init   F (req  G  ack)   init req R = Reach(init)  req req req R

27 Response Verification: Post req R  ack

28 Theorem All linear properties expressible by Buchi automata can be model checked by forward reasoning. “From pre-historic to post-modern symbolic model checking,” Henzinger, Kupferman, Qadeer 1998

29 Outline Symbolic model checking in VIS Overview of my contributions Forward symbolic model checking Compositional model checking in assume-guarantee paradigm Future research directions

30 Previous approaches Heuristically improve state exploration efficiency –Synchronous hardware: symbolic techniques (BDDs) - VIS –Asynchronous protocols: state reduction with explicit enumeration partial-order reduction - SPIN symmetry reduction - Murphi Algorithms work on flat description of systems State-of-the-art : state variables

31 Our approach - M OCHA Complex designs necessarily modular and hierarchical Utilize rather than destroy design structure Partition the verification problem into smaller obligations Use existing algorithms to decide these obligations

32 Divide and Conquer P  P’ Q  Q’ P || Q  P’ || Q’ Difficulty : Not applicable in practice

33 P P’  Q Q’  PQ P’Q’  P’

34 Assume-Guarantee Rule [Stark] [Clarke-Long-McMillan] [Grumberg-Long] [Abadi-Lamport][Alur-Henzinger][McMillan] P || Q’  P’ P’ || Q  Q’ P || Q  P’ || Q’

35 Propositional Validity? p  q’  p’ p’  q  q’ p  q  p’  q’ Consider case when p = true q = true p’ = false q’ = false

36 Refinement Checking in M OCHA  Space Abstraction

37 Refinement Checking in M OCHA  Space Abstraction Time abstraction

38 Refinement Checking in M OCHA 

39 Refinement Maps Environment signals not present in specification  Manually construct abstract constraining modules Design insight is required !

40 EQEQ yx a y EPEP Px b a  b EQEQ EPEP a a P Q x y b S x y  EPEP b S xy Q EQEQ y a b x 

41 M OCHA - Refinement Examples Asynchronous applications –Sliding window protocol Synchronous applications –Pipeline –Tomasulo’s algorithm “You assume, we guarantee: methodology and case studies,” Henzinger, Qadeer, Rajamani 1998

42 VGI architecture 16 clusters with 6 processors in each - 4 compute, 1 memory, 1 I/O ~30K logic gates and ~800 latches per processor 3-stage pipelined compute processors Complex handshake between processors Interconnection between processors configured statically

43 Complex handshake FIFO buffer pipeline ISA

44 Verification of VGI Level-sensitive latches  multiple implementation steps correspond to single specification step Very large design  need compositional verification “Assume-guarantee refinement between different time scales,” Henzinger, Qadeer, Rajamani 1999 “Formal specification and verification of a dataflow processor array,” Henzinger, Liu, Qadeer, Rajamani 1999

45 MOCHA Verilog Proof Assistant e.g., assume-guarantee,.... Reactive Module Algorithm 1Algorithm 2 Temporal logic specification Abstract Module EsterelJava “Mocha: modularity in model checking,” Alur, Henzinger, Mang, Qadeer, Rajamani, Tasiran 1998

46 Formal design 3 subtle bugs in the interaction between datapath and communication control were found and fixed Design insight (through refinement maps) indispensable for model checking Model checking indispensable for producing correct design –Error traces invaluable –Iterative testing of design fixes

47 Formal design Symbiotic relationship between design and verification Refinement maps not a big burden for designers Vision –Both activities performed in parallel –Designer uses a model checker interactively during the design phase itself

48  P’Q’ PQ TPTP TQTQ PQ  TPTP TQTQ P’  P Q’  Q P’

49 Sample operator Finite state machine P Predicate  on the variables of P A run of P sampled whenever  is true is a run of Sample  (P) We compare Sample ~clk (VGI) against its specification

50 pipeline ISA  ~clk


Download ppt "Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley."

Similar presentations


Ads by Google