Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work with Randal E. Bryant (CMU) Kenneth S. Stevens (Intel,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work with Randal E. Bryant (CMU) Kenneth S. Stevens (Intel,"— Presentation transcript:

1 Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work with Randal E. Bryant (CMU) Kenneth S. Stevens (Intel, now U. Utah)

2 – 2 – Timed System A system whose correctness depends not only on its functionality (what results it generates), but also on its timeliness (the time at which results are generated).

3 – 3 – Real-Time Embedded Systems

4 – 4 – Self-Timed Circuits

5 – 5 – Modeling & Verification Timed System Verify model Model

6 – 6 – Challenges with Timed Systems State has 2 components: State has 2 components: –Boolean variables ( V ): model discrete state –Real-valued variables ( X ): measure real time Infinitely-many states Infinitely-many states –Has a finite representation (regions graph) –But grows worse than | X | | X | –Verification is hard!

7 – 7 – Modeling & Verification Timed System Verify model Model Self-Timed Circuit Timed Automaton Model Checking

8 – 8 – Message of This Talk: Leverage Boolean Methods Modeling Modeling –Use Boolean variables to model timing, where possible Verification Verification –Use symbolic Boolean representations and algorithms operating on them Binary Decision Diagrams (BDDs), Boolean satisfiability solvers (SAT) Binary Decision Diagrams (BDDs), Boolean satisfiability solvers (SAT) Why? Why? –Systems have complex Boolean behavior anyway –Great progress made in finite-state model checking, SAT solving, etc. over last 15 years

9 – 9 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

10 – 10 – Self-Timed (Asynchronous) Circuits Many design styles use timing assumptions Many design styles use timing assumptions Delay Independent Gate-level Metric Timing  Relative Timing: [Stevens et al. ASYNC’99, TVLSI’03]  Circuit behavior constrained by relative ordering of signal transitions of signal transitions  u "  u " Á v " Relative Timing Burst Mode

11 – 11 – Relative Timing (RT) Verification Methodology: 2 Steps 1. Check circuit functionality under timing assumptions  Search the constrained state space  Model checking 2. Verify timing assumptions themselves  Size circuit path delays appropriately  Static timing analysis

12 – 12 – Pros and Cons of RT Advantages: Advantages: +Applies to many design styles +Incremental addition of timing constraints +No conservatively set min-max delays Disadvantages: Disadvantages: –Cannot express metric timing –More work to be done on verification Scaling up Scaling up Validating timing constraints themselves Validating timing constraints themselves

13 – 13 – Our Contributions Generalized RT Generalized RT –Can express some metric timing Applied Fully Symbolic Verification Techniques Applied Fully Symbolic Verification Techniques –Model circuits using timed automata Metric timing modeled using real-valued variables Metric timing modeled using real-valued variables Non-metric with Booleans Non-metric with Booleans Performed Case Sudies Performed Case Sudies –Including Global STP circuit (published version of Pentium-4 ALU ckt.) [Seshia, Stevens, & Bryant, ASYNC’05]

14 – 14 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits  Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

15 – 15 – Generalizing Relative Timing Delay Independent Gate-level Metric Timing Relative Timing Burst Mode

16 – 16 – Circuit Model Variables (signals): Variables (signals): v 1, v 2, …, v n Events (signal transitions): is or Events (signal transitions): e i is v i " or v i Rules Rules – E i () e i – E i ( v 1, v 2, …, v n ) e i Timing Constraints Timing Constraints "

17 – 17 – Generalized Relative Timing (GRT) Constraint  (e i, e j ) : Time between e j and previous occurrence of e i  (e i, e j ) : Time between e j and previous occurrence of e i Form of GRT constraint: Form of GRT constraint:  (e i, e j ) ·  (e i ’, e k ) + d  (e i, e j ) ·  (e i ’, e k ) + d ejejejej eieieiei ekekekek eieieiei ei’ei’ei’ei’ ejejejej

18 – 18 – Special Case: Common Point-of- Divergence (PoD) PoD constraint: PoD constraint:  (e i, e j ) ·  (e i, e k )  (e i, e j ) ·  (e i, e k ) Written as: Written as: e i ! e j Á e k e i ! e j Á e k An RT constraint traced back to its source An RT constraint traced back to its source ekekekek eieieiei ejejejej

19 – 19 – Example: Point-of-Divergence (PoD) Constraint " " " c ! ac Á b " " "

20 – 20 – Example: Metric Timing  ( data_in, data_in_aux ) ·  ( enable, trigger )  ( data_in ", data_in_aux " ) ·  ( enable ", trigger " )

21 – 21 – Do We Need Metric Timing? Useful for modular specification of timing constraints Useful for modular specification of timing constraints Also when delays are explicitly used Also when delays are explicitly used

22 – 22 – Verifying Generalized Relative Timing Constraints Use static timing analysis to compute min-max path delays Use static timing analysis to compute min-max path delays To verify: To verify:  (e i, e j ) ·  (e i ’, e k ) + d  (e i, e j ) ·  (e i ’, e k ) + d We verify that: We verify that: max-delay( e i à e j ) · min-delay( e i ’ à e k ) + d max-delay( e i à e j ) · min-delay( e i ’ à e k ) + d

23 – 23 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing  Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

24 – 24 – Modeling Timed Circuits Need to model: Need to model: Rules (“Boolean” behavior) and Timing Rules (“Boolean” behavior) and Timing Our formalism: Timed Automata [Alur & Dill, ’90] Our formalism: Timed Automata [Alur & Dill, ’90] –Generalization of finite automata –State variables: Boolean (circuit signals) Boolean (circuit signals) Real-valued timers or “clocks” (impose timing constraints) Real-valued timers or “clocks” (impose timing constraints) –Operations: (1) compare with constant, (2) reset to zero  We model non-metric timing with Booleans

25 – 25 – Enforcing Timing with Booleans " " " c ! ac Á b " " " 1.c 1.c sets a bit 2.ac 2.ac resets it 3.b 3.b cannot occur while the bit is set " " "

26 – 26 – Enforcing Timing with Timer Variables  ( data_in, data_in_aux ) ·  ( enable, trigger )  ( data_in ", data_in_aux " ) ·  ( enable ", trigger " )

27 – 27 – data_indata_in sets x 1 to 0 data_in_auxdata_in_aux must occur while x 1 · c enableenable sets x 2 to 0 triggertrigger can only occur if x 2 ¸ c  c determined just as in other metric timing styles " " " " Enforcing Timing with Timer Variables  ( data_in, data_in_aux ) ·  ( enable, trigger )  ( data_in ", data_in_aux " ) ·  ( enable ", trigger " )

28 – 28 – Booleans vs. Timers Most timing constraints tend to be PoD Most timing constraints tend to be PoD So few real-valued timer variables used in practice So few real-valued timer variables used in practice

29 – 29 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata  Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

30 – 30 – State Boolean part: assignment to signals Boolean part: assignment to signals Real-valued part: relation between timers Real-valued part: relation between timers v 1 = 0, v 2 = 1, v 3 = 0,... x 1 ¸ 0 Æ x 2 ¸ 0 Æ x 1 ¸ x 2 x1x1 x2x2 symbolic representation

31 – 31 – Symbolic Model Checking of Timed Automata,,,,,,... Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], …

32 – 32 – Fully Symbolic Model Checking Symbolically represent sets of signal assignments with corresponding relations between timers v 1 Ç v 2 Æ x 1 ¸ 0 Æ x 2 ¸ 0 Æ x 1 ¸ x 2......,

33 – 33 – Our Approach to Fully Symbolic Model Checking Based on algorithm given by Henzinger et al. (1994) Based on algorithm given by Henzinger et al. (1994) Core model checking operations Core model checking operations –Image computation  Quantifier elimination in quantified difference logic Quantifier elimination in quantified difference logic –Termination check  Satisfiability checking of difference logic Satisfiability checking of difference logic  Our Approach: Use Boolean encodings –Quantified difference logic  Quantified Boolean logic –Difference logic  Boolean logic –Use BDDs, SAT solvers [Seshia & Bryant, CAV’03]

34 – 34 – Example: Termination Check Have we seen all reachable states of the systems? Have we seen all reachable states of the systems? Satisfiability solving in Difference Logic Satisfiability solving in Difference Logic µ ?

35 – 35 – Solving Difference Logic via SAT x ¸ y Æ y ¸ z Æ z ¸ x+1 e 1 Æ e 2 ) : e 3 Æ Overall Boolean Encoding Transitivity Constraint e1e1 y ¸ z z ¸ x+1 x ¸ y e2e2 e3e3 e 1 Æ e 2 Æ e 3

36 – 36 – A More Realistic Situation Ç Æ : Ç Æ Ç...... x ¸ y y ¸ z z ¸ x+1 x ¸ y Æ y ¸ z Æ z ¸ x+1 Æ... is a term in the SOP (DNF)

37 – 37 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata  Case Studies Future Directions & Related Research Future Directions & Related Research

38 – 38 – Case Studies Global STP Circuit Global STP Circuit –Self-resetting domino ckt. in Pentium-4 ALU –Analyzed published ckt. [Hinton et al., JSSC’01] GasP FIFO Control [Sutherland & Fairbanks, ASYNC’01] GasP FIFO Control [Sutherland & Fairbanks, ASYNC’01] STAPL Left-Right Buffer [Nystrom & Martin, ’02] STAPL Left-Right Buffer [Nystrom & Martin, ’02] STARI [Greenstreet, ’93] STARI [Greenstreet, ’93]

39 – 39 – Footed and Unfooted Domino Inverters

40 – 40 – Global STP Circuit (simplest version at gate-level) ck out " " " " " " " res

41 – 41 – Global STP Circuit: Sample Constraint ck out " " " " " " " res ck res " ck ! ck Á res " "

42 – 42 – Global STP Circuit: An Error ck out " " r s " We want: red < blue 7 transitions < 5 transitions

43 – 43 – Comparison with ATACS Model checking for absence of short-circuits Model checking for absence of short-circuits Circuit Number of Signals Time for our model checker, TMV (in sec.) Global STP 28 66.32 66.32 GasP-10 stages 60 26.10 26.10 STAPL-3 stages 30278.05 ATACS did not finish within 3600 sec. on any

44 – 44 – Comparison with ATACS on STARI

45 – 45 – Related Work Modeling Modeling –Gate-level Metric Timing Timed Petri Nets, TEL, … [Myers, Yoneda, et al.] Timed Petri Nets, TEL, … [Myers, Yoneda, et al.] Timed Automata-based [Maler, Pnueli, et al.] Timed Automata-based [Maler, Pnueli, et al.] –Chain Constraints [Negulescu & Peeters] –Relative Timing [Stevens et al.] Lazy transition systems [Pena et al.] Lazy transition systems [Pena et al.] –Symbolic Gate Delays [Clariso & Cortadella] Verification Verification –For circuits, mostly restricted to just symbolic techniques [e.g., ATACS]

46 – 46 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies  Future Directions & Related Research

47 – 47 – Summary Leverage Boolean Methods for Timed Systems Leverage Boolean Methods for Timed Systems –Modeling: generalized relative timing –Verification: fully symbolic model checking Using BDDs, SAT Using BDDs, SAT Demonstrated Application: Modeling and Verifying Self-Timed Circuits Demonstrated Application: Modeling and Verifying Self-Timed Circuits

48 – 48 – Future Directions: Model Generation Timed System Model Needs to be automated Main Challenge: Automatic generation of timing constraints Idea: Machine learning from simulated runs (successful and failing)

49 – 49 – Future Directions: New Applications Distributed Real-time Embedded Systems Distributed Real-time Embedded Systems –E.g., sensor networks –Operate asynchronously –Lots of concurrency –Timeliness important Will generalized relative timing work for this application? Will generalized relative timing work for this application?

50 – 50 – Related Research Project UCLID UCLID –Modeling & Verifying Infinite-State Systems –Focus: Integer arithmetic, Data Structures (arrays, memories, queues, etc.), Bit-vector operations,… –Applications: Program verification, Processor verification, Analyzing security properties E.g., detecting if a piece of code exhibits malicious behavior (worm/virus) E.g., detecting if a piece of code exhibits malicious behavior (worm/virus) Also based on Boolean Methods Also based on Boolean Methods –Problems in first-order logic translated to SAT Programming Systems seminar, Oct. 24 ’05 Programming Systems seminar, Oct. 24 ’05

51 – 51 – Thank you ! More information at http://www.eecs.berkeley.edu/~sseshia/research.html

Download ppt "Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work with Randal E. Bryant (CMU) Kenneth S. Stevens (Intel,"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.

Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Timed Automata.

Timed Automata.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs Mohamed Zaki, Ghiath Al Sammane, Sofiene Tahar, Guy Bois FMCAD'07.

Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs Mohamed Zaki, Ghiath Al Sammane, Sofiene Tahar, Guy Bois FMCAD'07.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Model Checking for Probabilistic Timed Systems Jeremy Sproston Università di Torino VOSS Dagstuhl seminar 9th December 2002.

Model Checking for Probabilistic Timed Systems Jeremy Sproston Università di Torino VOSS Dagstuhl seminar 9th December 2002.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Similar presentations

Ads by Google