1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.

Slides:



Advertisements
Similar presentations
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Advertisements

Demand-driven inference of loop invariants in a theorem prover
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Catching Bugs in Software Rajeev Alur Systems Design Research Lab University of Pennsylvania
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Table 7.1 Verilog Operators.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Give qualifications of instructors: DAP
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Leveraging Assertion Based Verification by using Magellan Michal Cayzer.
Demonstration Of SPIN By Mitra Purandare
CS 151 Digital Systems Design Lecture 37 Register Transfer Level
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Software Engineering: Where are we? And where do we go from here? V Software Engineering Lecture 23 Clark Barrett New York University 4/17/2006.
Interpolants [Craig 1957] G(y,z) F(x,y)
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Equivalence Checking Sean Weaver.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
University of Jordan Computer Engineering Department CPE 439: Computer Design Lab.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.
By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.
MCAI 2.0 Model Checking in Ten Minutes Edmund Clarke School of Computer Science Carnegie Mellon University.
CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.
Grand Challenge Problem: Model Check Concurrent Software Edmund M. Clarke Department of Computer Science Carnegie Mellon University.
Using Formal Verification to Exhaustively Verify SoC Assemblies by Mark Handover Kenny Ranerup Applications Engineer ASIC Consultant Mentor Graphics Corp.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
1 Abstractions and Decision Procedures for Effective Software Model Checking Microsoft Summer School, Moscow, July 2011 Lecture 1 Prof. Natasha Sharygina.
Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University
Verification & Validation By: Amir Masoud Gharehbaghi
ELEE 4303 Digital II Introduction to Verilog. ELEE 4303 Digital II Learning Objectives Get familiar with background of HDLs Basic concepts of Verilog.
Properties Incompleteness Evaluation by Functional Verification IEEE TRANSACTIONS ON COMPUTERS, VOL. 56, NO. 4, APRIL
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.
Compositional Verification for System-on-Chip Designs SRC Student Symposium Paper 16.5 Nishant Sinha Edmund Clarke Carnegie Mellon University.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
Combinational Design, Part 2: Procedure. 2 Topics Positive vs. negative logic Design procedure.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Property Directed Reachability with Word-Level Abstraction
Over-Approximating Boolean Programs with Unbounded Thread Creation
Synchronization Verification in System-Level Design with ILP Solvers
Predicate Abstraction
SAT Based Abstraction/Refinement in Model-Checking
Presentation transcript:

1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke Appeared at Design Automation Conference (DAC) 2005

2 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

3 Introduction Computer system design –Hardware: Verilog, VHDL, … Specification –circuit computes floating point divison –program sorts an input array

4 Does my program work correctly Testing Bugs in design –Ariane 5 Explosion, cost $500M –Pentium floating point division bug, cost $400M

5 Formal Verification Act of proving or disproving the correctness of a system with respect to a specification Techniques –Theorem proving –Model Checking

6 An example Circuit for multiplication of two 32 bit numbers State = (A, B, O) State space = {(A,B,O)} Size of state space = (2 32 £ 2 32 ) £ 2 64 = MULTIPLIER 32 A B 64 O

7 Model Checking Performing exhaustive search of the state space of the design MULTIPLIER 32 A B 64 O For all A, B: (O == A £ B)

8 Model checker Model checker Specification: (O == A £ B) B MULTIPLIER A O Model: Property holds Bug found

9 Features of Model Checking No manual proofs Fast (compared to other rigorous methods such as theorem proving) Diagnostic counterexamples –Multiplier example: [A= 101, B = 2, O = 200]

10 Main Challenge State Space Explosion Problem: Large state space Much progress has been made on this problem! Abstraction – only focus on details needed to prove or disprove a given property

11 This talk is about model checking of hardware designs with help of automated abstraction

12 Hardware design Ease of design increases Gate level (netlists) Register Level ………… System Behavioral Formal verification support Gate Level (netlist):.model counter_cell.inputs carry_in.outputs carry_out.names value carry_in _n2.def names _n2 carry_out$raw_n1 - =_n2.names value$raw_n3 0.names _n6 0.names value _n6 _n7.def r value$raw_n3 value 0 1 ….. (120 lines) Register Level Verilog: module counter_cell(clk, carry_in, carry_out); input clk; input carry_in; output carry_out; reg value; assign carry_out = value & carry_in; initial value = 0; clk) begin // value = (value + carry_in) % 2; case(value) 0: value = carry_in; 1: if (carry_in ==0) value = 1; else value = 0; endcase end endmodule

13 Lack of verification support Gate level (netlists) Register Level ………… System Behavioral Need techniques from software verification Need automatic and scalable techniques

14 Software verification Predicate Abstraction –Developed by Graf and Saidi, 1997 Verification of C programs (2000 onwards) –SLAM, Microsoft research –MAGIC, CMU –BLAST, UC Berkeley –F-Soft, NEC Labs

15 Our contribution Gate level (netlists) Register Level ………… System Behavioral Predicate abstraction 

16 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

17 Abstraction void main() { int i; i = 0; while(even(i)){ i++; } if (i == 0) ERROR:; } assert ( odd(i)); void main() { int i; i = *; while(even(i)){ i = *; } if (i == 0) ERROR:; } assert ( odd(i)); Throw away irrelevant details P’ is a safe abstraction of P PP’

18 Safe Abstraction Let P’ be a safe abstraction of P If P’ satisfies a property , then P satisfies  P’ can be much easier to verify than P

19 An example module main (clk) input clk; reg [2:0] x, y; initial x= 1, y= 2; (posedge clk) begin x <= y; y <= x; end endmodule Verilog program registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design

20 An example registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Property: assert (x == 1 Ç x == 2) 1, 22, 1 0,00,17,67,7 State: (x, y)

21 Predicate Abstraction Given a program and a set of predicates Abstracts data by keeping track of certain predicates Predicate abstraction is a safe abstraction

22 Predicate Abstraction Property: assert (x == 1 Ç x == 2) Initial set of predicates: {x == 1, x == 2} registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design

23 ?? Computing Predicate Abstraction {x == 1, x == 2} + x’ := y y’ := x Predicates Transition Relation 1,0 0,0 0,1 1,1 SATISFIABLE Plug in x=1,y=3, x’=3, y’=1

24 ?? Computing Predicate Abstraction {x == 1, x == 2} + x’ := y y’ := x Predicates Transition Relation 1,0 0,0 0,1 1,1 SATISFIABLE Plug in x=1,y=2, x’=2, y’=1

25 Computing Predicate Abstraction {x == 1, x == 2} + x’ := y y’ := x Predicates Transition Relation 1,0 0,0 0,1 1,1 

26 Abstract Model registers x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Property: assert (x == 1 or x == 2) Initial set of predicates: {x == 1, x == 2} Hardware design Initialstate Failure Failurestate 1,0 0,0 0,1 1,1

27 Model checking Failure Failurestate 1,0 0,0 0,1 1,1 Initialstate Abstract Model

28 Model checking 1,0 0,0 0,1 1,1 Initialstate Abstract Model Counterexample Failure Failurestate We need to check if this is a real bug in our hardware design

29 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

30 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Verification Predicateabstraction Simulator Bug found Spurious counterexample Counterexample

31 Simulation Failure Failurestate 1,0 0,0Initialstate Predicates:= {x == 1, x== 2} Counterexample is spurious Counterexample in abstract model registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design (x==1) Æ : (x == 2) : (x’ ==1) Æ : (x’ == 2) ?? 

32 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Bug found Refinement Spurious counterexample Counterexample

33 Recall Failure Failurestate 1,0 0,0 Initialstate Abstract counterexample registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Predicates:= {x == 1, x== 2} (x==1) Æ : (x == 2) : (x’ ==1) Æ : (x’ == 2)  Value of x’==2 not being tracked precisely

34 Refinement Find out predicates whose values are not tracked precisely in the abstract model –Example: x’==2 Track values of these predicates precisely

35 Weakest pre-condition { ? } x := y + 1 { x == 9} { (y + 1) == 9} x := y + 1 { x == 9} {  [ x à e]} x := e {  }

36 Refinement (x’ == 2) x’ := y (y == 2) weakestprecondition New predicate y == 2 registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Need to track value precisely

37 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Bug found Refinement Spurious counterexample Counterexample {x == 1, x == 2, y==2}

38 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Bug found Refinement Spurious counterexample Counterexample {x == 1, x == 2, y ==2, y ==1}

39 Abstract again 1,0,0,1 0,1,1,0 Initialstate Next step: model check! New abstraction {x == 1, x == 2, y ==1, y== 2} Predicates registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design 0,0,0,00,0,0,1 1,1,1,1 16 states Property: assert (x == 1 Ç x == 2)

40 Abstract again 1,0,0,1 0,1,1,0Initialstate New abstraction {x == 1, x == 2, y ==1, y== 2} Predicates registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Property: assert (x == 1 Ç x == 2) Property holds in abstract model! Property holds!

41 Overall verification flow Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Property holds Bug found Refinement Spurious counterexample Counterexample

42 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

43 Implementation These techniques have been implemented in the VCEGAR tool Inputs to the tool –Register Level Verilog description –Safety property (like an assert statement) Output –Property holds –Counterexample (real bug in design)

44 Experimental results Benchmark#StatesVCEGAR#Preds/ #Iter Cadence SMV (Previous work) ICRAM2KB s3/825s ICRAM4KB s3/8too many state elements ARITH s3/32147s ARITH s3/3timeout ARITH s3/3timeout

45 Experimental results (VIS benchmarks) Benchmark#StatesVCEGAR Time #Predicates#Iteration cache coherence s259 mpeg decoder s93 usb_phy s4722 ethernet s3015 SDLX s4330 ITC99_b s3223

46 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

47 Conclusion Abstraction is key to make verification scale –Throw away irrelevant details Predicate abstraction –Eliminates data –Keeps track of certain predicates Abstraction and refinement loop –Automatically refine the abstraction when necessary

48 Conclusion: our contribution Gate level (netlists) Register Level ………… System Behavioral Predicate abstraction and refinement  Hardware Design

49 Future work Finding right predicates Efficient predicate abstraction computation Asynchronous hardware designs

50 Questions?

51 Example for Predicate Abstraction void main() { int i; i=0; while(even(i)){ i++; } if (i == 0) ERROR:; } + p1  i=0 p2  even(i) = void main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p2=!p2; if (p1){p1=false;} else {p1 = *;} } } Predicates C programAbstract model assert ( i != 0); assert ( !p1);

52 Challenges How to get the right set of predicates automatically How to compute the predicate abstraction

53 Making it work in practice Computation of predicate abstraction –Handling of large no. of predicates With 50 predicates there can be predicate relationships!!

54 Predicate Partitioning Current state predicates p 1 := x = 100 p 2 := x = 200 p 3 := y = 100 p 4 := y = x’ := y y’ := x + p’ 1 := x’ = 100 p’ 2 := x’ = 200 p’ 3 := y’ = 100 p’ 4 := y’ = 200 Next state predicates Transition relationPartition+ + p 1 := x = 100 p 2 := x = 200 y’ := x p’ 3 := y’ = 100 p’ 4 := y’ = 200 p 3 := y = 100 p 4 := y = 200 x’ := y p’ 1 := x’ = 100 p’ 2 := x’ = Æ

55 Counterexample in the abstract model –  (length = 1) –Each state is a valuation of h x = 100, x=200 i Simulation equation Simulation of the counterexample Initial values of the registers predicate values in the first state of the counterexample Transition relation predicate values in the second state of the counterexample equation is unsatisfiable So counterexample is spurious

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.