 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University.

Slides:



Advertisements
Similar presentations
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Advertisements

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Chapter 2 Logic Circuits.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Class Presentation on Binary Moment Diagrams by Krishna Chillara Base Paper: “Verification of Arithmetic Circuits using Binary Moment Diagrams” by.
ECE 667 Synthesis & Verification - Boolean Functions 1 ECE 667 Spring 2013 ECE 667 Spring 2013 Synthesis and Verification of Digital Circuits Boolean Functions.
DATE-2002TED1 Taylor Expansion Diagrams: A Compact Canonical Representation for Symbolic Verification M. Ciesielski, P. Kalla, Z. Zeng B. Rouzeyre Electrical.
Equivalence Checking Using Cuts and Heaps Andreas Kuehlmann Florian Krohm IBM Thomas J. Watson Research Center Presented by: Zhenghua Qi.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
ECE Synthesis & Verification - Lecture 18 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Word-level.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Boolean Functions and their Representations
A New Approach to Structural Analysis and Transformation of Networks Alan Mishchenko November 29, 1999.
Witness and Counterexample Li Tan Oct. 15, 2002.
ECE Synthesis & Verification - L211 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Verification Equivalence checking.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems FSM Traversal.
Taylor Expansion Diagrams (TED): Verification EC667: Synthesis and Verification of Digital Systems Spring 2011 Presented by: Sudhan.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Sequential Equivalence Checking.
Witness and Counterexample Li Tan Oct. 15, 2002.
ECE Synthesis & Verification - Lecture 10 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Binary.
 2001 CiesielskiBDD Tutorial1 Decision Diagrams Maciej Ciesielski Electrical & Computer Engineering University of Massachusetts, Amherst, USA
ECE 667 Synthesis & Verification - BDD 1 ECE 667 ECE 667 Synthesis and Verification of Digital Systems Binary Decision Diagrams (BDD)
 2000 M. CiesielskiPTL Synthesis1 Synthesis for Pass Transistor Logic Maciej Ciesielski Dept. of Electrical & Computer Engineering University of Massachusetts,
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
By Tariq Bashir Ahmad Taylor Expansion Diagrams (TED) Adapted from the paper M. Ciesielski, P. Kalla, Z. Zeng, B. Rouzeyre,”Taylor Expansion Diagrams:
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
Propositional Calculus Math Foundations of Computer Science.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: BDD BDDs applied in equivalence checking.
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
Binary Decision Diagrams (BDDs)
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Verification & Validation By: Amir Masoud Gharehbaghi
1 Class Presentation on Binary Moment Diagrams by Krishna Chillara Base Paper: “Verification of Arithmetic Circuits with Binary Moment Diagrams” by Randal.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Boolean Functions 1 ECE 667 ECE 667 Synthesis and Verification of Digital Circuits Boolean Functions Basics Maciej Ciesielski Univ.
Binary Decision Diagrams Prof. Shobha Vasudevan ECE, UIUC ECE 462.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Basic concepts of Model Checking
CTL model checking algorithms
ECE 667 Synthesis and Verification of Digital Systems
LPSAT: A Unified Approach to RTL Satisfiability
Binary Decision Diagrams
Automatic Verification of Industrial Designs
Formal Methods in software development
CSCI1600: Embedded and Real Time Software
Introduction to BDDs.
Formal Methods in software development
ECE 667 Synthesis and Verification of Digital Systems
10 Design Verification and Test
Presentation transcript:

 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University of Massachusetts, Amherst, USA

 2001 CiesielskiFormal Verification2 Overview Introduction –What is verification (validation) –Why do we need it –Formal verification vs. simulation-based methods Math background –Decision diagrams (BDD’s, BMD’s, etc.) –Symbolic FSM traversal Formal methods –model checking –equivalence checking Semi-formal methods –symbolic simulation –functional validation

 2001 CiesielskiFormal Verification3 Formal Methods Equivalence checking –Combinational circuits –Sequential circuits Model checking –Problem statement –Explicit algorithms (on graphs) –Symbolic algorithms (using BDDs) Theorem proving –Deductive reasoning

 2001 CiesielskiFormal Verification4 Functional Testing Simulation-based methods –Symbolic simulation –Functional test generation SAT-based methods, Boolean SAT RTL verification: Arithmetic/Boolean SAT ATPG-based methods Emulation-based methods –Hardware-assisted simulation –System prototyping

 2001 CiesielskiFormal Verification5 Part I INTRODUCTION

 2001 CiesielskiFormal Verification6 Verification Design verification = ensuring correctness of the design –against its implementation (at different levels) behavior structure function layout HDL / RTL Gate level Logic level Mask level Design 1  ? model  ? RTL Gate level Mask level Design 2 Logic level  ? – against alternative design (at the same level)

 2001 CiesielskiFormal Verification7 Why Verification Verification crisis –System complexity, difficult to manage –More time, effort devoted to verification than to actual design –Need automated verification methods, integration Consequences –Disasters, life threatening situations –Inconvenience (Pentium bug … ?) –Many more …

 2001 CiesielskiFormal Verification8 Verification Methods Deductive verification Model checking Equivalence checking Simulation - performed on the model Emulation, prototyping – product + environment Testing - performed on the actual product (manufacturing test) Formal Verification

 2001 CiesielskiFormal Verification9 Deductive reasoning (theorem proving) –uses axioms, rules to prove system correctness –no guarantee that it will terminate –difficult, time consuming: for critical applications only Model checking –automatic technique to prove correctness of concurrent systems: digital circuits, communication protocols, etc. Equivalence checking –check if two circuits are equivalent –OK for combinational circuits, unsolved for sequential

 2001 CiesielskiFormal Verification10 Why Formal Verification Need for reliable hardware validation Simulation, test cannot handle all possible cases Formal verification conducts exhaustive exploration of all possible behaviors –compare to simulation, which explores some of possible behaviors –if correct, all behaviors are verified –if incorrect, a counter-example (proof) is presented Examples of successful use of formal verification –SMV system [McMillan 1993] –verification of cache coherence protocol in IEEE Futurebus+ standard

 2001 CiesielskiFormal Verification11 Model Checking Algorithmic method of verifying correctness of (finite state) concurrent systems against temporal logic specifications –A practical approach to formal verification Basic idea –System is described in a formal model derived from high level design (HDL, C), circuit structure, etc. –The desired behavior is expressed as a set of properties expressed as temporal logic specification –The specification is checked against the model

 2001 CiesielskiFormal Verification12 Functional Validation Verify the design in the full operational context RTL functional verification –Validate HDL specification of RTL model Functional test generation –SAT-based methods (Boolean, arithmetic) –ATPG-based methods Symbolic simulation (semi-formal methods)Symbolic simulation (semi-formal methods) –Combine simulation with symbolic methods

 2001 CiesielskiFormal Verification13 Canonical representations: BDD, BMD Boolean satisfiability problem (SAT) Finite State Machine (FSM) traversal Part II BACKGROUND

 2001 CiesielskiFormal Verification14 Binary Decision Diagrams (BDD) Based on recursive Shannon expansion F = x F x + x’ F x’ Compact data structure for Boolean logic –can represents sets of objects (states) encoded as Boolean functions Canonical representation –reduced ordered BDDs (ROBDD) are canonical –essential for verification

 2001 CiesielskiFormal Verification15 BDD Construction Typically done using APPLY operator Reduction rules –remove duplicate terminals –merge duplicate nodes (isomorphic subgraphs) –remove redundant nodes Redundant nodes: –nodes with identical children 10 b 10 b c ab f f f ab

 2001 CiesielskiFormal Verification16 BDD Construction – your first BDD Construction of a Reduced Ordered BDD 1 edge 0 edge a b c f Truth table f = ac + bc Decision tree a b c b ccc f

 2001 CiesielskiFormal Verification17 BDD Construction – cont’d 10 a b c b ccc ff 10 a b c b c 10 a b c f = (a+b)c 2. Merge duplicate nodes 1. Remove duplicate terminals 3. Remove redundant nodes

 2001 CiesielskiFormal Verification18 Application to Verification Equivalence of combinational circuits Canonicity property of BDDs: –if F and G are equivalent, their BDDs are identical (for the same ordering of variables ) 10 a b c F = a’bc + abc +ab’c G = ac +bc 10 a b c 

 2001 CiesielskiFormal Verification19 Application to Verification, cont’d Functional test generation –SAT, Boolean satisfiability analysis –to test for H = 1 (0), find a path in the BDD to terminal 1 (0) –the path, expressed in function variables, gives a satisfying solution (test vector) ab ab’c H 0 1 a b c

 2001 CiesielskiFormal Verification20 Logic Manipulation using BDDs Useful operators ¬ FF’ 0 1 F(x,y) x=b 0 1 F(y) Restrict – Restrict: F| x=b = F(x=b) where b = const – Complement ¬ F = F’ (switch the terminal nodes)

 2001 CiesielskiFormal Verification21 Useful BDD Operators - cont’d Apply: F G where stands for any Boolean operator (AND, OR, XOR,  ) =  F G F G    Any logic operation can be expressed using only Restrict and Apply Efficient algorithms, work directly on BDDs

 2001 CiesielskiFormal Verification22 Apply Operation Basic operator for efficient BDD manipulation (structural) Based on recursive Shannon expansion F OP G = x (F x OP G x ) + x’(F x’ OP G x’ ) where OP = OR, AND, XOR, etc

 2001 CiesielskiFormal Verification23 Apply Operation - AND 10 a c ac a AND c 10 a 2 c a c AND = =

 2001 CiesielskiFormal Verification24 Apply Operation - OR OR ac 10 a c 4 5 bc 10 b c 6 7 = = 10 a b c f = ac+bc c a b

 2001 CiesielskiFormal Verification25 Binary Moment Diagrams (*BMD) Devised for word-level operations, arithmetic Based on Shannon expansion, manipulated f = x f x + x’ f x’ = x f x + (1-x) f x’ = f x’ + x (f x - f x’ ) = f x’ + x f x. f x’ = f (x=0), is constant (zero moment) f x. = (f x - f x’ ) is called first moment, similar to first derivative Additive and multiplicative weights on edges (*BMD)

 2001 CiesielskiFormal Verification26 *BMD for arithmetic circuits Efficiently models word-level operators Bit level x0 x1 x y0 y1 y2 2 1 X + Y X Y 1 0 X Y word level 1 0 X Y 1 0 x0 x1 x2 y0 y1 y Bit level

 2001 CiesielskiFormal Verification27 *BMD for Boolean logic AND 1 0 x y x  y = x y 10 x 1 x’ = (1-x) NOT OR x  y = (x + y – x y) 1 0 x yy 1 XOR x 1 0 yy -2 1 x  y = (x + y – 2 x y) Needed to model complex arithmetic circuits

 2001 CiesielskiFormal Verification28 Decison Diagrams - summary BDDs and BMDs are canonical for fixed variable order BDDs –Good for equivalence checking and SAT –Inefficient for large arithmetic circuits (multipliers) BMDs –Efficient for word-level operators –Less compact for Boolean logic than BDDs –Good for equivalence checking, but not for SAT New type of compact, canonical diagram available, better suited for arithmetic designs –TED, based on Taylor series Expansion

 2001 CiesielskiFormal Verification29 Boolean Satisfiability (SAT) Given a representation for a Boolean function f (X): –Find an assignment X* such that f (X*) = 1, or –Prove that such an assignment does not exist A classical way to solve SAT: –Represent function f (X) in conjunctive normal form (CNF) –Solve SAT by finding satisfying assignment to binary variables for each clause (GRASP, SATO)

 2001 CiesielskiFormal Verification30 CNF for Boolean Network a b d  d  = [d = ¬(a b )][¬d = a b] = [d =  ¬a + ¬b][¬d = a b] = (¬a  d)(¬b  d)(a b  ¬d) = (a +  d)(b +  d)(¬a +  ¬b + ¬d) Represent Boolean function as a connection of gates Represent each gate as a CNF clause Solve = find satisfying assignment for all CNF clauses

 2001 CiesielskiFormal Verification31 Finite State Machines (FSM) FSM M(X,S, ,,O) –Inputs:X –Outputs:O –States:S –Next state function,  (s,x) : S  X  S –Output function, (s,x) : S  X  OOX R  (s,x) (s,x) ss’

 2001 CiesielskiFormal Verification32 FSM Traversal State Transition Graphs –directed graphs with labeled nodes and arcs (transitions) –symbolic state traversal methods important for symbolic verification, state reachability analysis, FSM traversal, etc. 0/0 0/1 1/0 s0 s1 0/1 s2 1/0

 2001 CiesielskiFormal Verification33 Existential Quantification Existential quantification (abstraction)  x f = f | x=0 + f | x=1 Example:  x (x y + z) = y + z Note:  x f does not depend on x (smoothing) Useful in symbolic image computation (sets of states)

 2001 CiesielskiFormal Verification34 Existential Quantification - cont’d Function can be existentially quantified w.r.to a vector: X = x 1 x 2 …  X f =  x1x2... f =  x1  x2 ... f Can be done efficiently directly on a BDD Very useful in computing sets of states –Image computation: next states –Pre-Image computation: previous states from a given set of initial states

 2001 CiesielskiFormal Verification35 Image Computation Computing set of next states from a given initial state (or set of states) Img( S,R ) =  u S(u) R(u,v) Img(v) R(u,v) S(u) FSM: when transitions are labeled with input predicates x, quantify w.r.to all inputs (primary inputs and state var) Img( S,R ) =  x  u S(u) R(x,u,v)

 2001 CiesielskiFormal Verification36 Image Computation - example Encode the states: s1=00, s2=01, s3=10, s4=11 Write transition relations for the encoded states: R = (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) a xy XY ………. s1 s2 s3 s4 a a’ Compute a set of next states from state s1

 2001 CiesielskiFormal Verification37 Example - cont’d Compute Image from s1 under R Img( s1,R ) =  a  xy s1(x,y) R(a,x,y,X,Y) Result: a set of next states for all inputs s1  {s2, s3} s1 s2 s3 s4 a a’ =  a  xy (x’y’) (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) =  axy (ax’y’X’Y + a’x’y’XY’ ) = (X’Y + XY’ ) = {01, 10} = {s2,s3}

 2001 CiesielskiFormal Verification38 Pre-Image Computation Computing a set of present states from a given next state (or set of states) Pre-Img( S’,R) =  v R(u,v) ) S’(v) S’(v) R(u,v) Pre-Img(u) Similar to Image computation, except that quantification is done w.r.to next state variables The result: a set of states backward reachable from state set S’, expressed in present state variables u Useful in computing CTL formulas: AF, EF

 2001 CiesielskiFormal Verification39 Part III EQUIVALENCE CHECKING

 2001 CiesielskiFormal Verification40 Equivalence Checking Two circuits are functionally equivalent if they exhibit the same behavior Combinational circuits –for all possible input values In Out CL PoPI PsNs R Sequential circuits – for all possible input sequences

 2001 CiesielskiFormal Verification41 Combinational Equivalence Checking Functional Approach –transform output functions of combinational circuits into a unique (canonical) representation –two circuits are equivalent if their representations are identical –efficient canonical representation: BDD Structural –identify structurally similar internal points –prove internal points (cut-points) equivalent –find implications

 2001 CiesielskiFormal Verification42 Functional Equivalence If BDD can be constructed for each circuit –represent each circuit as shared (multi-output) BDD use the same variable ordering ! –BDDs of both circuits must be identical If BDDs are too large –cannot construct BDD, memory problem –use partitioned BDD method decompose circuit into smaller pieces, each as BDD check equivalence of internal points

 2001 CiesielskiFormal Verification43 Functional Decomposition Decompose each function into functional blocks –represent each block as a BDD (partitioned BDD method) –define cut-points (z) –verify equivalence of blocks at cut-points starting at primary inputs F f2f2 f1f1 z x y G g2g2 g1g1 z x y

 2001 CiesielskiFormal Verification44 Cut-Points Resolution Problem F f2f2 f1f1 z1z1 x y G g2g2 g1g1 z2z2 x y If all pairs of cut-points (z 1,z 2 ) are equivalent –so are the two functions, F,G If intermediate functions (f 2,g 2 ) are not equivalent –the functions (F,G) may still be equivalent –this is called false negative Why do we have false negative ? –functions are represented in terms of intermediate variables –to prove/disprove equivalence must represent the functions in terms of primary inputs (BDD composition)

 2001 CiesielskiFormal Verification45 Cut-Point Resolution – Theory Let f 1 (x)=g 1 (x)  x –if f 2 (z,y)  g 2 (z,y),  z,y then f 2 (f 1 (x),y)  g 2 (f 1 (x),y)  F  G –if f 2 (z,y)  g 2 (z,y),  z,y  f 2 (f 1 (x),y)  g 2 (f 1 (x),y)  F  G False negative –two functions are equivalent, but the verification algorithm declares them as different. F f2f2 f1f1 z x y G g2g2 g1g1 z x y We cannot say if F  G or not

 2001 CiesielskiFormal Verification46 Cut-Point Resolution – cont’d Procedure 1: create a miter (XOR) between two potentially equivalent nodes/functions –perform ATPG test for stuck-at 0 –find test pattern to prove F  G –efiicient for true negative (gives test vector, a proof) –inefficient when there is no test 0, F  G (false negative) 1, F  G (true negative) FG How to verify if negative is false or true ?

 2001 CiesielskiFormal Verification47 Cut-Point Resolution – cont’d Procedure 2: create a BDD for F  G –perform satisfiability analysis (SAT) of the BDD if BDD for F  G = , problem is not satisfiable, false negative BDD for F  G  , problem is satisfiable, true negative Non-empty, F  G , F  G (false negative) F  G = =  F G Note: must compose BDDs until they are equivalent, or expressed in terms of primary inputs – the SAT solution, if exists, provides a test vector (proof of non-equivalence) – as in ATPG – unlike the ATPG technique, it is effective for false negative (the BDD is empty!)

 2001 CiesielskiFormal Verification48 Structural Equivalence Check Given two circuits, each with its own structure –identify “similar” internal points, cut sets –exploit internal equivalences False negative problem may arise –F  G, but differ structurally (different local support) –verification algorithm declares F,G as different Solution: use BDD-based or ATPG-based methods to resolve the problem. Also: implication, learning techniques. b d1d1 a F a c d2d2 b G

 2001 CiesielskiFormal Verification49 Implication Techniques Techniques that extract and exploit internal correspondences to speed up verification Implications – direct and indirect a=1 c=x b=x f=0 d=0 e=0 a=0 c=x b=x f=1 d=x e=x Direct: a=1  f=0Indirect (learning): f=1  a=0

 2001 CiesielskiFormal Verification50 Learning Techniques Learning –process of deriving indirect implications –Recursive learning recursively analyzes effects of each justification –Functional learning uses BDDs to learn indirect implications 01 a b G 10 a b H G=1  H=0 a c b H=? G=1

 2001 CiesielskiFormal Verification51 Learning Techniques – cont’d Other methods to check implications G=1  H=0 –Build a BDD for G H’ If this function is satisfiable (G·H’=1), the implication holds and gives a test vector Otherwise it does not hold –Since G=1  H=0  (G’+H’)=1, build a BDD for (G’+H’) The implication holds if (G’+H’)  1 (tautology, trivial BDD) a c b H G=1

 2001 CiesielskiFormal Verification52 Sequential Equivalence Checking Represent each sequential circuit as an FSM –verify if two FSMs are equivalent Approach 1: reduction to combinational circuit –unroll FSM over n time frames (flatten the design) M(t 1 ) x(1) s(1) M(t 2 ) x(2) s(2) … … M(t n ) x(n) s(n) Combinational logic: F(x(1,2, …n), s(1,2, … n)) – check equivalence of the resulting combinational circuits – problem: the resulting circuit can be too large too handle

 2001 CiesielskiFormal Verification53 Sequential Verification Approach 2: based on isomorphism of state transition graphs –two machines M1, M2 are equivalent if their state transition graphs (STGs) are isomorphic –perform state minimization of each machine –check if STG(M1) and STG(M2) are isomorphic  State min. 1/ /0 1/1 0/1 M1 min 1/ /0 1/1 0/1 M2 0/0 0/1 1/ /1 2 1/0 M1 1/1

 2001 CiesielskiFormal Verification54 Sequential Verification Approach 3: symbolic FSM traversal of the product machine M1M2 S1 S2 O2O1 X O(M) Given two FSMs: M 1 (X,S 1,  1, 1,O 1 ), M 2 (X,S 2,  2, 2,O 2 ) Create a product FSM: M = M 1  M 2 –traverse the states of M and check its output for each transition –the output O(M) =1, if outputs O 1 = O 2 –if all outputs of M are 1, M 1 and M 2 are equivalent –otherwise, an error state is reached –error trace is produced to show: M 1  M 2

 2001 CiesielskiFormal Verification55 Product Machine - Construction Define the product machine M(X,S, ,,O) –states, S = S 1  S 2 –next state function,  (s,x) : (S 1  S 2 )  X  (S 1  S 2 ) –output function, (s,x) : (S 1  S 2 )  X  {0,1} M1M2 11 22 2 1 X Error trace (distinguishing sequence) that leads to an error state -sequence of inputs which produces 1 at the output of M -produces a state in M for which M1 and M2 give different outputs (s,x) = 1 (s 1,x) 2 (s 2,x)  O =  1 if O 1 =O 2 0 otherwise

 2001 CiesielskiFormal Verification56 FSM Traversal - Algorithm Traverse the product machine M(X,S, ,,O) –start at an initial state S 0 –iteratively compute symbolic image Img(S 0,R) (set of next states): Img( S 0,R ) =  x  s S 0 (s) R(x,s,t) R =  i R i =  i (t i   i (s,x)) until an error state is reached –transition relation R i for each next state variable t i can be computed as t i = (t   (s,x)) (this is an alternative way to compute transition relation, when design is specified at gate level)

 2001 CiesielskiFormal Verification57 Construction of the Product FSM For each pair of states, s 1  M 1, s 2  M 2 –create a combined state s = (s 1. s 2 ) of M –create transitions out of this state to other states of M –label the transitions (input/output) accordingly 1/ /0 1/1 0/1 M1M1 M2M2 1/ /0 0/1 1/1 1/0 M1M1 0 0/1 1 M2M2 2 1/ /1 1111 1/ 000 Output = { 1 OK 0 error

 2001 CiesielskiFormal Verification58 FSM Traversal in Action STOP - backtrack to initial state to get error trace: x={1,1,1,0} 1/ /0 1/1 0/1 M1 M /0 0/1 1/1 1/ /1 1/1 0/ / /0 1/0 0/ / /0 0/0 Out(M) State reached x=0 x=1 Error state 0.0 0/1 1/1 M Initiall states: s 1 =0, s 2 =0, s=(0.0) New 0 = (0.0) 1 1 New 1 = (1.1) 1 1 New 2 = (0.2) 1 1 New 3 = (1.0) 0 0

 2001 CiesielskiFormal Verification59 Part IV MODEL CHECKING

 2001 CiesielskiFormal Verification60 Model Checking Algorithmic method of verifying correctness of (finite state) concurrent systems against temporal logic specifications –A practical approach to formal verification Basic idea –System is described in a formal model derived from high level design (HDL, C), circuit structure, etc. –The desired behavior is expressed as a set of properties expressed as temporal logic specification –The specification is checked agains the model

 2001 CiesielskiFormal Verification61 Model Checking How does it work –System is modeled as a state transition structure (Kripke structure) –Specification is expressed in propositional temporal logic (CTL formula) asserts how system behavior evolves over time –Efficient search procedure checks the transition system to see if it satisifes the specification

 2001 CiesielskiFormal Verification62 Model Checking Characteristics –searches the entire solution space –always terminates with YES or NO –relatively easy, can be done by experienced designers –widely used in industry –can be automated Challenges –state space explosion – use symbolic methods, BDDs History –Clark, Emerson [1981] USA –Quielle, Sifakis [1980’s] France

 2001 CiesielskiFormal Verification63 Model Checking - Tasks Modeling –converts a design into a formalism: state transition system Specification –state the properties that the design must satisfy –use logical formalism: temporal logic asserts how system behavior evolves over time Verification –automated procedure (algorithm)

 2001 CiesielskiFormal Verification64 Model Checking - Issues Completeness –model checking is effective for a given property –impossible to guarantee that the specification covers all properties the system should satisfy –writing the specification - responsibility of the user Negative results –incorrect model –incorrect specification (false negative) –failure to complete the check (too large)

 2001 CiesielskiFormal Verification65 Model Checking - Basics State transition structure M(S,R,L) (Kripke structure) S = finite set of states {s 1, s 2, … s n } R = transition relation L = set of labels assigned to states, so that L(s) = f if state s has property f All properties are composed of atomic propositions (basic properties), e.g. the light is green, the door is open, etc. –L(s) is a subset of all atomic propositions true in state s Label (property ) s3s3 s1s1 s2s2 a b ac

 2001 CiesielskiFormal Verification66 Specification using Temporal Logic Formalism describing sequences of transitions Time is not mentioned explicitly The temporal operators used to express temporal properties –eventually –never –always Temporal logic formulas are evaluated w.r.to a state in the model Temporal operators can be combined with Boolean expressions

 2001 CiesielskiFormal Verification67 Temporal Logics Temporal logics add temporal operators and path quantifiers to standard (e.g. propositional) logics Temporal operators allow one to conveniently describe the order of occurrence of events –Involve time, without explicitly mentioning it Exmples: CTL*, CTL, LTL, etc –Branching time logic –Linear time logic

 2001 CiesielskiFormal Verification68 Computation Trees State transition structure (Kripke Model) Infinite computation tree for initial state s 1 a b a ac s1s1 s3s3 s1s1 s2s2 a b

 2001 CiesielskiFormal Verification69 CTL – Computation Tree Logic Path quantifiers - describe branching structure of the tree –A (for all computation paths) –E (for some computation path = there exists a path) Temporal operators - describe properties of a path through the tree –X (next time, next state) –F (eventually, finally) –G (always, globally) –U (until) –R (release, dual of U)

 2001 CiesielskiFormal Verification70 Operators and Quantifiers State operators –G a :a holds globally –F a :a holds eventually –X a :a holds at the next state –a U b:a holds until b holds –a R b:a releases b Path quantifiers –E: along at least one path (there exists …) –A:along all paths (for all …)

 2001 CiesielskiFormal Verification71 CTL – Computational Tree Logic CTL* - a powerul branching-time temporal logic CTL – a branching-time fragment of CTL* In CTL every temporal operator (G,F,X,U,R) must be immediately preceded by a path quantifier (A,E) We need both state formulae and path formulae to recursively define the logic

 2001 CiesielskiFormal Verification72 CTL Formulas Temporal logic formulas are evaluated w.r.to a state in the model State formulas –apply to a specific state Path formulas –apply to all states along a specific path

 2001 CiesielskiFormal Verification73 Basic CTL Formulas E X (f) –true in state s if f is true in some successor of s (there exists a next state of s for which f holds) A X (f) –true in state s if f is true for all successors of s (for all next states of s f is true) E G (f) – true in s if f holds in every state along some path emanating from s (there exists a path ….) A G (f) –true in s if f holds in every state along all paths emanating from s (for all paths ….globally )

 2001 CiesielskiFormal Verification74 Basic CTL Formulas - cont ’d E F (g) –there exists a path which eventually contains a state in which g is true A F (g) –for all paths, eventually there is state in which g holds E F, A F are special case of E [f U g], A [f U g] –E F (g) = E [ true U g ], A F (g) = A [ true U g ] f U g (f until g) –true if there is a state in the path where g holds, and at every previous state f holds

 2001 CiesielskiFormal Verification75 CTL Operators - examples s o |= E F g g soso soso g g g s o |= A F g s o |= E G g gsoso g g s o |= A G g soso g g g g gg

 2001 CiesielskiFormal Verification76 CTL* Syntax An atomic proposition is a state formula A state formula is also a path formula If a, b are state formulae, so are ¬a, a  b, a  b, If p is a path formula, E p is a state formula If p, q are path formulae, so are ¬p, p  q, p  q If p, q are path formulae, so are X p, pUq, pRq,

 2001 CiesielskiFormal Verification77 Minimal set of CTL Formulas Full set of operators –Boolean: ¬, , , ,  –temporal:E, A, X, F, G, U, R Minimal set sufficient to express any CTL formula –Boolean:¬,  –temporal:E, X, U Examples: f  g = ¬(¬f  ¬g), F f = true U f, A (f ) = ¬E(¬f )

 2001 CiesielskiFormal Verification78 CTL* Semantics If formula q holds at state s (path  ), we write: s |= q (  |= q) s |= p, p  A iff p  L(s) [label of s] s |= ¬ a, iff s |# a s |= a  b, iff s |= a and s |= b s |= E p, iff   from state s, s.t.  |= p  |= ¬ p, iff  |# p  |= p  q, iff  |= p and  |= q  |= X p, iff  1 |= p (p reachable in next state)

 2001 CiesielskiFormal Verification79 Semantics of X and U Semantics of X:  |= X p Semantics of U:  |= p U q   1 |= p  j |= p  i |= q 

 2001 CiesielskiFormal Verification80 Typical CTL Formulas E F ( start  ¬ ready ) –eventually a state is reached where start holds and ready does not hold A G ( req  A F ack ) –any time request occurs, it will be eventually acknowledged A G ( E F restart ) –from any state it is possible to get to the restart state

 2001 CiesielskiFormal Verification81 Model Checking – Explicit Algorithm Problem: given a structure M(S,R,L) and a temporal logic formula f, find a set of states that satisfy f {s  S: M,s |= f } Explicit algorithm: label each state s with the set label(s) of sub-formulas of f which are true in s. 1.i = 0; label(s) = L(s) 2.i = i + 1; Process formulas with (i -1) nested CTL operators. Add the processed formulas to the labeling of each state in which it is true. 3.Continue until closure. Result: M,s |= f iff f  label (s)

 2001 CiesielskiFormal Verification82 Explicit Algorithm - cont’d To check for arbitrary CTL formula f –successively apply the state labeling algorithm to the sub-formulas –start with the shortest, most deeply nested –work outwards Example: E F ¬ (g  h ) T1 = states in which g and h are true T2 = complement of T1 T3 = predecessor states to T2

 2001 CiesielskiFormal Verification83 Actions for Each Label Atomic proposition p: return set of states with p in their labels ¬a: return the complement of sat(M,a) a  b: return sat(M,a)  sat(M,b) a  b: return sat(M,a)  sat(M,b) EX a: return the set of predecessors in M of the states in sat(M,a) EG a: return the set of states entirely contained in sat(M,a)

 2001 CiesielskiFormal Verification84 Model Checking Example Traffic light controller (simplified) R1 G2 Y1 R2 G1 R2 R1 Y2 C ’+ T ’ C T C T ’ C ’+ T C = car sensor T = timer G1 R2 Y1 R2 R1 G2 G1 R2 Y1 R2 R1 G2 R1 Y2 R1 G2 G1 R2R1 Y2R1 G2 R1 Y2 G2 Y2 R2 G1 Y1 R1 C C Timer T sensor Road 2 Road 1

 2001 CiesielskiFormal Verification85 Traffic light controller - Model Checking Model Checking task: check – safety condition – fairness conditions Safety condition: no green lights on both roads at the same time A G ¬ (G1  G2 ) Fairness condition: eventually one road has green light E F (G1  G2) R1 G2 Y1 R2 G1 R2 R1 Y2 C ’+T ’ C T C T ’ C ’+T

 2001 CiesielskiFormal Verification86 Checking the Safety Condition A G ¬ (G1  G2) = ¬ E F (G1  G2) S(G1  G2 ) = S(G1)  S(G2) = {1}  {3} =  S(EF (G1  G2 )) =  S(¬ EF (G1  G2 )) = ¬  = {1, 2, 3, 4} Each state is included in {1,2,3,4}  the safety condition is true (for each state) 2 R1 G2 Y1 R2 G1 R2 R1 Y

 2001 CiesielskiFormal Verification87 Checking the Fairness Condition E F (G1  G2 ) = E(true U (G1  G2 ) ) S(G1  G2 ) = S(G1)  S(G2) = {1}  {3} = {1,3} S(EF (G1  G2 )) = {1,2,3,4} (going backward from {1,3}, find predecessors) Since {1,2,3,4} contains all states, the condition is true for all the states

 2001 CiesielskiFormal Verification88 Another Check E X 2 (Y1) = E X (E X (Y1)) (starting at S 1 =G1R2, isthere a path s.t. Y1 is true in 2 steps ?) S (Y1) = {2} S (EX (Y1)) = {1} (predecessor of 2) S (EX (EX(Y1)) = {1,4} (predecessors of 1) R1 G2 Y1 R2 G1 R2 R1 Y Property E X 2 (Y1) is true for states {1,4}, hence true

 2001 CiesielskiFormal Verification89 Explicit Model Checking - complexity CTL model checking is linear in the size of the formula and the size of the structure M Not a good news: –what if you have states? –Number of states grows exponentially with number of variables –Explicit model checking limited to … 10 9 states Symbolic model checking can do much better

 2001 CiesielskiFormal Verification90 Symbolic Model Checking Symbolic –operates on entire sets rather than individual states Uses BDD for efficient representation –represent Kripke structure –manipulate Boolean formulas RESTRICT and APPLY logic operators Quantification operators –Existential:  x f = f | x=0 + f | x=1 (smoothing) –Universal:  x f = f | x=0 f | x=1 (consensus)

 2001 CiesielskiFormal Verification91 Symbolic Model Checking - example Traffic Light Controller Encode the atomic propositions (G1,R1,Y1, G2,Y2,R2): use [a b c d] for present state, [v x y z] for next state a b c d G Y R G Y R R1 G2 Y1 R2 G1 R2 R1 Y2 s1 s3 s4 s

 2001 CiesielskiFormal Verification92 Example - cont’d Represent the set of states as Boolean formula Q: Q = abcd’ + a’bcd’ + ab’cd + ab’c’d R1 G2 Y1 R2 G1 R2 R1 Y2 s1 s3 s4 s Store Q in a BDD (It will be used to perform logic operations, such as S(G1)  S(G2)

 2001 CiesielskiFormal Verification93 Example - cont’d Write a characteristic function R for the transition relation R =abcd’vxyz’ + abcd’v’xyz’ + … + ab’c’dvxyz’ (6 terms) R1 G2 Y1 R2 G1 R2 R1 Y2 s1 s3 s4 s abcd vxyz R Store R in a BDD. It will be used for Pre-Image computation for EF.

 2001 CiesielskiFormal Verification94 Example - Fairness Condition Check fairness condition: E F (G1  G2 ) Step 1: compute S(G1), S(G2) using RESTRICT operator –S(G1): ab·Restrict Q(G1) = ab Q| ab = abcd’ = {s1} –S(G2): cd·Restrict Q(G2) = cd Q| cd = ab’cd = {s3} Step 2: compute S(G1)  S(G2 ) using APPLY operator –Construct BDD for (abcd’ + ab’cd) = {s1, s3}, set of states labeled with G1 or G2

 2001 CiesielskiFormal Verification95 Example – cont’d  s’ {s1’,s3’} R(s,s’) ) = =  vxyz (vxyz’ + vx’yz) R(a,b,c,d;v,x,y,z) =  vxyz (abcd’vxyz’ + a’bcd’vx’yz + ab’cdvx’yz + ab’c’dvxyz’) = (abcd’ + a’bcd’ + ab’cd + ab’c’d) = {s1, s2, s3, s4} Compare to the result of explicit algoritm  Step 3: compute S(EF (G1  G2 )) using Pre-Image computation (quanitfy w.r.to next state variables) Recall: R = abcd’vxyz’ + abcd’v’xyz’+ … + ab’c’dvxyz’

 2001 CiesielskiFormal Verification96 Example – Interpretation Pre-Img(s1’,s3’,R) eliminates those transitions which do not reach {s1,s3} R1 G2 Y1 R2 G1 R2 R1 Y2 s1 s3 s4 s abcd vxyz R X X Quantification w.r.to next state variables (v,x,y,z) gives the encoded present states {s1,s2,s3,s4}