Presentation is loading. Please wait.

Presentation is loading. Please wait.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Published byRachel Rogers Modified over 10 years ago

Similar presentations

Presentation on theme: "Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan."— Presentation transcript:

1 Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan

2 Verification approaches Informal verification (testing) –risk of escapes Partial formal verification –prove, for example, no arithmetic overflow –can use very coarse abstractions Formal functional verification –verify against functional spec

3 Outline Formal functional verification for hardware –combined theorem proving/ model checking –proof decomposition strategies that allow coarse abstractions Prospects of application to embedded systems –how are embedded systems different p.o.v. formal verification? –how might we apply formal hardware verification methods to embedded systems?

4 Mixed approach Model checking –automated verification of finite state systems –limited in scale by state explosion problem Theorem provers –in principle can scale up –in practice require substantial manual guidance Mixed approach –use theorem prover to break large problems into small, model-checkable problems

5 Proof decomposition: reduction to decidable/tractable problems do it in as few (and as simple) steps as possible Proof goal Undecidable/ intractable sub Decidable/ tractable...but how? proof assistant

6 Structural decompositions intermediate assertions must be temporal q captures everything M 2 must know about M 1 intermediate assertions can be quite complex {p} M 1 {q} {q} M 2 {r} {p} M 1 M 2 {r}

7 Functional decompositions Divide by units of work and not by syntax –instructions –packets –etc. Much simpler intermediate assertions –interaction between units of work is simpler than between system components Abstraction to finite state –if each unit of work uses finite resources –temporal assertions become model-checkable

8 Example : packet router Unit of work is a packet Packets dont interact Each packet uses finite resources –specializing the property allows a much coarser abstraction Switch fabric input buffersoutput buffers

9 Refinement framework Reference model System Refinement relations –Specify intermediate results with respect to reference model –Each intermediate result uses finite operations storage locations –Thus, can reduce local verification problems to finite state –Use circular proof! refinement relations

10 Circular proofs Reference model 1 up to t -1 implies 2 up to t 2 up to t -1 implies 1 up to t always 1 and 2 or, in temporal logic... ( 2 U 1 ) ( 1 U 2 ) G( 1 2 ) O.K., but how do we break into units of work?

11 Temporal case splitting p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... Idea: parameterize on most recent writer w at time t. : I'm O.K. at time t. Rule can be used to decompose large arrays i: p i G((w=i) ) ( i p i ) G

12 Combine with circular reasoning p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. To prove case w=i at time t, assume general case up to t-1: still have unbounded cases to prove... i: p i ((w=i) ) ( i p i ) G

13 Freeing processes p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. i: p i ((w=i) ) ( i p i ) G

14 Abstract interpretation Problem: variables range over unbounded set U Solution: reduce U to finite set Û by a parameterized abstraction, e.g., where U\i represents all the values in U except i. Need a sound abstract interpretation, s.t.: if is valid in the abstraction, then, for all parameter valuations, is valid in the original. Û = {{i}, U\i}

15 = {i} U\i {i} 1 0 U\i 0 Data type abstractions in SMV Abstract values represent sets of concrete values For sound abstraction of operator f, we need: Examples: –Equality Û = {{i}, U\i} f( x) fx)

16 –Arrays and function symbols –Other operators... boolean operators temporal operators quantifiers arithmetic/inequalities x {i} U\i f(x) f(i) Abstraction, continued... Unbounded array reduced to one fixed element!

17 Illustration: Tomasulos algorithm Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

18 EU Functional decomposition Unit of work is the instruction OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE OP,DST opraoprb

19 EU Functional decomposition Break instruction into operand fetch and op OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE OP,DST opraoprb

20 EU Intermediate assertion All previous instructions produce correct res OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE OP,DST opraoprb

21 Points about this proof Three simple intermediate assertions –operands of instruction are correct –results of instruction are correct –one non-interference property No invariants about control state No syntactic decomposition –Abstract interpretation reduces model to finite Much simpler than proof by invariant is there a useful structural decomposition?

22 A more complex example Unit of work = instruction OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS RETIRED RESULTS INSTRUCTIONS VAL/TAG REG FILE BUF RES PM PC branch predictor decdec LSQ DM branch results pc

23 Scaling problem Must consider up to three instructions: –instruction we want to verify –up to two previous instructions Soln: break instruction up into parts –write intermediate assertions ==> too much state for model checker

24 Memory operation Abstract out unneeded components OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS RETIRED RESULTS INSTRUCTIONS VAL/TAG REG FILE BUF RES PM PC branch predictor decdec LSQ DM branch results specify LSQ data

25 Points about this proof No interface specifications –specify internal data structures of units No invariants on control state First decomposition is functional –then abstract out structural components Compared to similar proof using invariants... –invariant proof approx. 2MB (!) –this proof approx. 20 KB

26 FLASH cache protocol Distributed protocol Maintains consistency of N processor caches PCPC PCPC PCPC PCPC PCPC home dir mem Reference model is programmers model of memory Unit of work = read/write

27 Proof decomposition Unit of work = read/write Non-interference lemmas –No two exclusive copies in network –No unexpected invalidate acks PCPC PCPC PCPC home reader writer get fwd put ack Abstracted nodes interference

28 Lamport's Bakery algorithm... p 1 (t 1 )p 2 (t 2 )p 3 (t 3 )p 4 (t 4 ) non-critical section read all tickets choose one larger wait for all processes with smaller ticket critical section

29 Unit of work = ticket number –Split cases on process p j that process p i is waiting for... –Assume by induction that j terminates if t j <t i. Note, p j must get higher ticket than p i on next iteration* –By induction on j, process p i exits wait loop Liveness proof (Qadeer and Saxe)... p j (t j )p i (t i )... Note: reduction to finite number of processes model checking gets property * automatically

30 Points about this proof No invariants used Two liveness lemmas: –one for termination of each loop –these reference specific code lines, but... No syntactic decomposition used

31 Overview of approach Specify by temporal refinement relations –circular temporal argument Specialize properties by restricting to a single unit of work –temporal case splitting Abstract to finite-state –specialization allows a coarser abstract interpretation This approach is supported by a special purpose proof assistant, built on the SMV model checker

32 Application to embedded systems Generic software issues Issues specific to embedded systems

33 Why is HW easier than SW? Finite-state is not the issue –Proofs above did not depend on bounded state Bad aspects of software –global store (hardware term: bottleneck) any component can interfere with any other we can expect an explosion of non-interference lemmas pointers are a chief culprit –inductive data structures requires complex invariants for recursive functions –arithmetic? –real time?

34 Can we make SW more HW-like? More structured communication –allows coarser abstractions for verification without introducing interference –good examples: Esterel, Polis, etc. Increase grain of atomicity –analog of clock cycle Separate timing from functionality –as in synchronous hardware Trends are in these directions, although languages are problematic (esp. C++)

35 Embedded systems issues How do embedded systems differ from other systems, from an FV point of view? –hardware differences processors tend to be simpler (good) many and heterogeneous processors –hard real time (see above) –greater software/hardware interaction more precisely: interaction at less abstract level

36 Abstracting hardware arch. Use FV to construct abstract reference models of custom hardware HW reference model hardware implementation refinement relation software model

37 Abstracting HW/SW comps Next layer up is provided by driver HW reference model refinement relation software driver driver reference model software

38 Platform based design Build an abstract layer using synthesis tools Formal framework for integrating models syntax intf refinement relations constraint compilation/ synthesis

39 Conclusions Functional approach to proof decomposition –divide problem into units of work –allows coarse abstractions for model checking –proof effort appears to scale well with system size –supported by special-purpose proof assistant Issues for application to embedded systems –Needs more structured communication –Needs separation of timing and function –Can provide reference models to abstract hardware/software interface –Can support platform-based design

Download ppt "Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan."

Similar presentations

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.
1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.

1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.
Compositional Methods and Symbolic Model Checking

Compositional Methods and Symbolic Model Checking
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Lecture 12 Reduce Miss Penalty and Hit Time

Lecture 12 Reduce Miss Penalty and Hit Time
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Using Formal Specifications to Monitor and Guide Simulation: Verifying the Cache Coherence Engine of the Alpha 21364 Microprocessor Serdar Tasiran Systems.

Using Formal Specifications to Monitor and Guide Simulation: Verifying the Cache Coherence Engine of the Alpha Microprocessor Serdar Tasiran Systems.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Similar presentations

Ads by Google