Automatic Verification of Industrial Designs

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
BDDs & Theorem Proving Binary Decision Diagrams Dr. Eng. Amr T. Abdel-Hamid NETW 703 Winter 2012 Network Protocols Lectures are based on slides by: K.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
Spring 07, Feb 13 ELEC 7770: Advanced VLSI Design (Agrawal) 1 ELEC 7770 Advanced VLSI Design Spring 2007 Binary Decision Diagrams Vishwani D. Agrawal James.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Witness and Counterexample Li Tan Oct. 15, 2002.
Review of the automata-theoretic approach to model-checking.
Taylor Expansion Diagrams (TED): Verification EC667: Synthesis and Verification of Digital Systems Spring 2011 Presented by: Sudhan.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
Witness and Counterexample Li Tan Oct. 15, 2002.
ECE Synthesis & Verification - Lecture 10 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Binary.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: BDD BDDs applied in equivalence checking.
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
Binary Decision Diagrams (BDDs)
10/19/2015COSC , Lecture 171 Real-Time Systems, COSC , Lecture 17 Stefan Andrei.
CS6133 Software Specification and Verification
Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.
Algorithmic Software Verification V &VI. Binary decision diagrams.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
Introduction to Model Checking
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Verification & Validation By: Amir Masoud Gharehbaghi
Verifying Programs with BDDs Topics Representing Boolean functions with Binary Decision Diagrams Application to program verification class-bdd.ppt
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Lecture 7 Discuss midterm Scheduling. Alternative Directory Structure See hw 1 and hw 2. This one more aligned with UNIX directory structure. Idea for.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Basic concepts of Model Checking
CIS 842: Specification and Verification of Reactive Systems
Propositional Calculus: Boolean Algebra and Simplification
CSCI1600: Embedded and Real Time Software
Software Testing COM /28/2018 Testing/Spring 98.
Automatic Verification of Industrial Designs
Binary Decision Diagrams
Formal Methods in software development
CSCI1600: Embedded and Real Time Software
Computer Security: Art and Science, 2nd Edition
CSCI1600: Embedded and Real Time Software
Introduction to verification
Formal Methods in software development
Verifying Programs with BDDs Sept. 22, 2006
10 Design Verification and Test
Presentation transcript:

Automatic Verification of Industrial Designs Based on two papers in: Workshop on Industrial-Strength Formal Specification Techniques, 1995, Boca Raton, Florida, IEEE Computer Society Automatic Verification of Industrial Designs, pages 88-96 Timing Analysis of Industrial Real-Time Systems, pages 97-107 12/4/2018 Testing/Spring 98

Successful formal methods in industry Formal methods are mathematical techniques that have been used in the specification and verification of computer systems. Want to know: Are we building the product correctly? (Different from: are we building the right product). 12/4/2018 Testing/Spring 98

Formal methods Many different specification languages and proof techniques. Some are difficult to apply since computers are not good at proving theorems (they need a lot of human help) Exception: Symbolic Model Checking: Fast, based on OBDD techniques (Ordered Binary Decision Diagrams). 12/4/2018 Testing/Spring 98

Symbolic Model Checking Determine correctness of finite state systems. Developed at CMU by Clarke/Emerson Specifications are written as formulas in a propositional temporal logic. Temporal logic: expressing ordering of events without introducing time explicitly 12/4/2018 Testing/Spring 98

Temporal Logic A kind of modal logic. Origins in Aristotle and medieval logicians. Studied many modes of truth. Modal logic includes propositional logic. Embellished with operators to achieve greater expressiveness. A particular temporal logic: CTL (Computation Tree Logic) 12/4/2018 Testing/Spring 98

Computation Tree Logic Used to express properties that will be verified Computation trees are derived from the state transition graphs State transition graphs unwound into an infinite tree rooted at initial state Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

S0 S0 S1 S2 S2 S0 S1 S1 structure S1 S2 S0 computation tree for S0 a b 12/4/2018 Testing/Spring 98

Computation Tree Logic CTL formulas built from atomic propositions, where each proposition corresponds to a variable in the model Boolean connectives Operators. Two parts path quantifier (A, E) temporal operator (F,G,X,U) Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Computation Tree Logic Paths in tree represent all possible computations in model. CTL formulas refer to the computation tree Campos/Clarke/Marrero/Minea page 97 If the signal req is high then eventually ack will also be high 12/4/2018 Testing/Spring 98

Computation Tree Logic path quantifier (A, E) A: true for all paths from a given state E: true for some paths from a given state temporal operator (F,G,X,U) F ( holds sometime in the future) is true of a path if there exists a state in the path that satisfies . Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Computation Tree Logic temporal operator (F,G,X,U) F ( holds sometime in the future) is true of a path if there exists a state in the path that satisfies . Example: EF(started and not ready): It is possible to get to a state where started holds but ready does not hold. Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Computation Tree Logic temporal operator (F,G,X,U) G ( holds globally) is true of a path if  holds for all states in the path. Example: AG(req implies AF ack). It is always the case that if the signal req is high then eventually ack will also be high. Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Computation Tree Logic temporal operator (F,G,X,U) X ( holds in the next state) means that  is true in the next state.  U ( holds until  holds) is satisfied by a path if  is true in some state in the path, and in all preceding states,  holds. Example: AG(send implies AF[send U recv]). It is always the case that if send occurs, then eventually recv is true, and until that time, send must remain true. Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Computation Tree Logic Example: AG EF restart: From any state it is possible to get to the restart state. Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Computation Tree Logic Examples: Dark circle indicates that a specification  is true in corresponding state. Light means false. inevitable invarian Campos/Clarke/Marrero/Minea page 97 AF AG EG 12/4/2018 Testing/Spring 98

Computation Tree Logic Model to be verified: Finite state machine (S,R,P), where S is the finite set of all possible states, R a binary relation on S which defines the possible transitions and P assigns to each state the set of atomic propositions true in that state. Can verify systems with more than 10120 states (1995). Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Example: two-process mutual exclusion N: noncritical region T: trying region C: critical region N1 N2 T1 N2 1 N1 T2 N1 C2 C1 N2 T1 T2 T1 T2 C1 T2 T1 C2 12/4/2018 Testing/Spring 98

Example: two-process mutual exclusion N: noncritical region T: trying region C: critical region N1 N2 T1 N2 1 N1 T2 N1 C2 C1 N2 T1 T2 T1 T2 C1 T2 T1 C2 AF(C1) true in 1 EF(C1 and C2) false in 0 12/4/2018 Testing/Spring 98

Model checking algorithm There is an algorithm for determining whether a CTL formula f is true in state s of a structure M = (S,R,P) which runs in time O(length(f))*(card(S) + card(R))) 12/4/2018 Testing/Spring 98

Computation Tree Logic: Railway Interlocking Control Simple Interlocking Model C 4 Avoid derailments and train crashes B Campos/Clarke/Marrero/Minea page 97 2 5 3 A Track sections: 2,3,4,5 Control Signals: A,B,C 12/4/2018 Testing/Spring 98

Computation Tree Logic: Railway Interlocking Control Simple Interlocking Model Inputs 2T 0 no train in 2 1 2 occupied by train or broken C 4 B Campos/Clarke/Marrero/Minea page 97 Finite State Machine not shown 2 A 5 3 Track sections: 2,3,4,5 Control Signals: A,B,C 12/4/2018 Testing/Spring 98

Computation Tree Logic: Railway Interlocking Control Simple Interlocking Model SPEC AG!(SignalA=1 and SignalB=1) SignalC=1) AG(2T=0 implies AX SignalA=0) C 4 B Campos/Clarke/Marrero/Minea page 97 2 A 5 3 Track sections: 2,3,4,5 (0: unoccupied) Control Signals: A,B,C(0:red, 1:green) 12/4/2018 Testing/Spring 98

Output from checker Specification AG(SignalA=1 and …) is false as demonstrated by the following execution sequence state 1.1 state 1.2 … Gives counterexample if there is one. 12/4/2018 Testing/Spring 98

Computation Tree Logic: Implementation: BDDs Binary Decision Diagrams A canonical representation for Boolean formulas (canonical = in simplest or standard form). Invented by Randal Bryant, now at CMU. Similar to a binary decision tree, but structure is a dag rather than a tree. Allows nodes and substructures to be shared. Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Applications VLSI design Verification of sequential machines Finding a satisfying assignment for a Boolean formula Checking whether two Boolean functions are identical 12/4/2018 Testing/Spring 98

BDD Definition A BDD is a directed acyclic graph with two terminal nodes (0-terminal, 1-terminal). Each non-terminal node has an index to identify an input variable of the Boolean function and has two outgoing edges, called the 0-edge and the 1-edge. 12/4/2018 Testing/Spring 98

OBDD Definition A OBDD is a BDD where input variables appear in a fixed order in all paths of the graph and no variable appears more than once on a path. 12/4/2018 Testing/Spring 98

Computation Tree Logic: Implementation: BDDs (x3 and x2) or not x1 Binary decision tree OBDD x3 1 1 x2 x1 Campos/Clarke/Marrero/Minea page 97 1 1 1 1 1 1 1 1 12/4/2018 Testing/Spring 98

Reduced ordered BDD: ROBBD Two reduction rules eliminate all the redundant nodes whose two edges point to the same node share all the equivalent subgraphs ROBDD: canonical form for fixed ordering of variables. Important for equivalence checking BDD now means ROBDD 12/4/2018 Testing/Spring 98

Size of BDDs n-input Boolean functions Require 2n bits in worst-case Truth tables always require 2n bits Many practical functions require much less space 12/4/2018 Testing/Spring 98

Binary Operations Negation: A BDD for not f: exchange 0-terminal and 1-terminal. No increase in size! 12/4/2018 Testing/Spring 98

x1 x2 x1 x2 1 1 x1 and x2 (x1 and x2) or x3 x3 x2 x2 1 1 1 x1 x1 1 1 1 1 1 x1 and x2 (x1 and x2) or x3 x3 x2 x2 1 1 1 x1 x1 1 1 1 1 12/4/2018 Testing/Spring 98

Satisfiable assignment A path from root to 1-terminal. Can be found in time proportional to the number of input variables. Count number of satisfying assignments in time proportional to the number of nodes in the BDD. 12/4/2018 Testing/Spring 98

Exercise Write a BDD for the equality function for n=3 Boolean variables. 12/4/2018 Testing/Spring 98

Computation Tree Logic: Implementation: BDDs Binary Decision Diagrams a b c d result 1 1 1 1 1 1 0 1 1 1 1 0 1 1 1 a 1 What is Boolean formula? b c Campos/Clarke/Marrero/Minea page 97 1 1 d 1 All paths to 1 1 12/4/2018 Testing/Spring 98

Computation Tree Logic: Implementation: BDDs Binary Decision Diagrams a 1 Given a variable ordering, the BDD for a formula is unique. There are efficient algorithms to compute the BDD for not f and f or g given the BDD of f and g. b c Campos/Clarke/Marrero/Minea page 97 1 1 d 1 1 12/4/2018 Testing/Spring 98

Computation Tree Logic: Implementation: BDDs Binary Decision Diagrams a 1 For the purpose of model checking also need to compute BDD of restricted formulas. Bryant describes an algorithm for computing the BDD of a restricted formula such as f, where v=0. b c Campos/Clarke/Marrero/Minea page 97 1 1 d 1 1 12/4/2018 Testing/Spring 98

Computation Tree Logic: Implementation: BDDs Binary Decision Diagrams: All Boolean formulas are represented by BDDs. BDDs built in a bottom-up manner. The set of atomic formulas is precisely the set of state variables. (BDD for an atomic variable = one BDD variable) Formulas are built from atomic formulas using Boolean connectives. Allows CTL formulas. Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Symbolic Model Checking Determine correctness of finite state systems. Specifications are written as formulas in a propositional temporal logic. Models to be checked are represented by state transition graphs Verification is accomplished by an efficient breadth-first search. 12/4/2018 Testing/Spring 98

Symbolic Model Checking View transition system as model of logic. Verify whether specifications are satisfied for model. Advantages: completely automatic provides counterexamples (execution trace which shows why formula is not true) verify partially specified systems 12/4/2018 Testing/Spring 98

Symbolic Model Checking Model checkers achieve great efficiency through the use of symbolic implementation techniques represent states and transitions through Boolean formulas in BDD form 12/4/2018 Testing/Spring 98

Symbolic Model Checking Representing the Model Labeled state-transition graph M. Use BDDs to represent graph and check whether formula holds. Behavior determined by variables V 12/4/2018 Testing/Spring 98

Symbolic Model Checking Representing the Model Behavior determined by variables V current state V’ = Second copy of variables next state 12/4/2018 Testing/Spring 98

Symbolic Model Checking Representing the Model: Relationship between variables in the current state and the next states is written as a formula using V and V’. Boolean formula N representing transition relation. Convert to BDD. 12/4/2018 Testing/Spring 98

Computation Tree Logic b b s1 s2 a b b a a b b b Campos/Clarke/Marrero/Minea page 97 State transition graph and corresponding computation tree Paths in tree represent all possible computations 12/4/2018 Testing/Spring 98

Computation Tree Logic b b s1 s2 a b b a a b b b Campos/Clarke/Marrero/Minea page 97 State transition graph and corresponding computation tree Paths in tree represent all possible computations 12/4/2018 Testing/Spring 98

Computation Tree Logic Used to express properties that will be verified Computation trees are derived from the state transition graphs State transition graphs unwound into an infinite tree rooted at initial state Campos/Clarke/Marrero/Minea page 97 12/4/2018 Testing/Spring 98

Design and synthesis of synchronization skeletons Edmund Clarke and Allen Emerson, Logics of Programs 1981, LNCS 131, page 52-71. Synthesize synchronization skeleton from a temporal logic specification. Skeleton: detail irrelevant to synchronization is suppressed. 12/4/2018 Testing/Spring 98

Exercise Design a finite state machine with start state s and final state t and prove that for all transitions from s to t any encounter of state y is preceded by encountering first state x. Run your model and specification with the model checker on the CMU model checking home page. 12/4/2018 Testing/Spring 98

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.