Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work with Randal E. Bryant (CMU) Kenneth S. Stevens (Intel, now U. Utah)

– 2 – Timed System A system whose correctness depends not only on its functionality (what results it generates), but also on its timeliness (the time at which results are generated).

– 3 – Real-Time Embedded Systems

– 4 – Self-Timed Circuits

– 5 – Modeling & Verification Timed System Verify model Model

– 6 – Challenges with Timed Systems State has 2 components: State has 2 components: –Boolean variables ( V ): model discrete state –Real-valued variables ( X ): measure real time Infinitely-many states Infinitely-many states –Has a finite representation (regions graph) –But grows worse than | X | | X | –Verification is hard!

– 7 – Modeling & Verification Timed System Verify model Model Self-Timed Circuit Timed Automaton Model Checking

– 8 – Message of This Talk: Leverage Boolean Methods Modeling Modeling –Use Boolean variables to model timing, where possible Verification Verification –Use symbolic Boolean representations and algorithms operating on them Binary Decision Diagrams (BDDs), Boolean satisfiability solvers (SAT) Binary Decision Diagrams (BDDs), Boolean satisfiability solvers (SAT) Why? Why? –Systems have complex Boolean behavior anyway –Great progress made in finite-state model checking, SAT solving, etc. over last 15 years

– 9 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

– 10 – Self-Timed (Asynchronous) Circuits Many design styles use timing assumptions Many design styles use timing assumptions Delay Independent Gate-level Metric Timing  Relative Timing: [Stevens et al. ASYNC’99, TVLSI’03]  Circuit behavior constrained by relative ordering of signal transitions of signal transitions  u "  u " Á v " Relative Timing Burst Mode

– 11 – Relative Timing (RT) Verification Methodology: 2 Steps 1. Check circuit functionality under timing assumptions  Search the constrained state space  Model checking 2. Verify timing assumptions themselves  Size circuit path delays appropriately  Static timing analysis

– 12 – Pros and Cons of RT Advantages: Advantages: +Applies to many design styles +Incremental addition of timing constraints +No conservatively set min-max delays Disadvantages: Disadvantages: –Cannot express metric timing –More work to be done on verification Scaling up Scaling up Validating timing constraints themselves Validating timing constraints themselves

– 13 – Our Contributions Generalized RT Generalized RT –Can express some metric timing Applied Fully Symbolic Verification Techniques Applied Fully Symbolic Verification Techniques –Model circuits using timed automata Metric timing modeled using real-valued variables Metric timing modeled using real-valued variables Non-metric with Booleans Non-metric with Booleans Performed Case Sudies Performed Case Sudies –Including Global STP circuit (published version of Pentium-4 ALU ckt.) [Seshia, Stevens, & Bryant, ASYNC’05]

– 14 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits  Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

– 15 – Generalizing Relative Timing Delay Independent Gate-level Metric Timing Relative Timing Burst Mode

– 16 – Circuit Model Variables (signals): Variables (signals): v 1, v 2, …, v n Events (signal transitions): is or Events (signal transitions): e i is v i " or v i Rules Rules – E i () e i – E i ( v 1, v 2, …, v n ) e i Timing Constraints Timing Constraints "

– 17 – Generalized Relative Timing (GRT) Constraint  (e i, e j ) : Time between e j and previous occurrence of e i  (e i, e j ) : Time between e j and previous occurrence of e i Form of GRT constraint: Form of GRT constraint:  (e i, e j ) ·  (e i ’, e k ) + d  (e i, e j ) ·  (e i ’, e k ) + d ejejejej eieieiei ekekekek eieieiei ei’ei’ei’ei’ ejejejej

– 18 – Special Case: Common Point-of- Divergence (PoD) PoD constraint: PoD constraint:  (e i, e j ) ·  (e i, e k )  (e i, e j ) ·  (e i, e k ) Written as: Written as: e i ! e j Á e k e i ! e j Á e k An RT constraint traced back to its source An RT constraint traced back to its source ekekekek eieieiei ejejejej

– 19 – Example: Point-of-Divergence (PoD) Constraint " " " c ! ac Á b " " "

– 20 – Example: Metric Timing  ( data_in, data_in_aux ) ·  ( enable, trigger )  ( data_in ", data_in_aux " ) ·  ( enable ", trigger " )

– 21 – Do We Need Metric Timing? Useful for modular specification of timing constraints Useful for modular specification of timing constraints Also when delays are explicitly used Also when delays are explicitly used

– 22 – Verifying Generalized Relative Timing Constraints Use static timing analysis to compute min-max path delays Use static timing analysis to compute min-max path delays To verify: To verify:  (e i, e j ) ·  (e i ’, e k ) + d  (e i, e j ) ·  (e i ’, e k ) + d We verify that: We verify that: max-delay( e i à e j ) · min-delay( e i ’ à e k ) + d max-delay( e i à e j ) · min-delay( e i ’ à e k ) + d

– 23 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing  Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

– 24 – Modeling Timed Circuits Need to model: Need to model: Rules (“Boolean” behavior) and Timing Rules (“Boolean” behavior) and Timing Our formalism: Timed Automata [Alur & Dill, ’90] Our formalism: Timed Automata [Alur & Dill, ’90] –Generalization of finite automata –State variables: Boolean (circuit signals) Boolean (circuit signals) Real-valued timers or “clocks” (impose timing constraints) Real-valued timers or “clocks” (impose timing constraints) –Operations: (1) compare with constant, (2) reset to zero  We model non-metric timing with Booleans

– 25 – Enforcing Timing with Booleans " " " c ! ac Á b " " " 1.c 1.c sets a bit 2.ac 2.ac resets it 3.b 3.b cannot occur while the bit is set " " "

– 26 – Enforcing Timing with Timer Variables  ( data_in, data_in_aux ) ·  ( enable, trigger )  ( data_in ", data_in_aux " ) ·  ( enable ", trigger " )

– 27 – data_indata_in sets x 1 to 0 data_in_auxdata_in_aux must occur while x 1 · c enableenable sets x 2 to 0 triggertrigger can only occur if x 2 ¸ c  c determined just as in other metric timing styles " " " " Enforcing Timing with Timer Variables  ( data_in, data_in_aux ) ·  ( enable, trigger )  ( data_in ", data_in_aux " ) ·  ( enable ", trigger " )

– 28 – Booleans vs. Timers Most timing constraints tend to be PoD Most timing constraints tend to be PoD So few real-valued timer variables used in practice So few real-valued timer variables used in practice

– 29 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata  Model Checking Timed Automata Case Studies Case Studies Future Directions & Related Research Future Directions & Related Research

– 30 – State Boolean part: assignment to signals Boolean part: assignment to signals Real-valued part: relation between timers Real-valued part: relation between timers v 1 = 0, v 2 = 1, v 3 = 0,... x 1 ¸ 0 Æ x 2 ¸ 0 Æ x 1 ¸ x 2 x1x1 x2x2 symbolic representation

– 31 – Symbolic Model Checking of Timed Automata,,,,,,... Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], …

– 32 – Fully Symbolic Model Checking Symbolically represent sets of signal assignments with corresponding relations between timers v 1 Ç v 2 Æ x 1 ¸ 0 Æ x 2 ¸ 0 Æ x 1 ¸ x ,

– 33 – Our Approach to Fully Symbolic Model Checking Based on algorithm given by Henzinger et al. (1994) Based on algorithm given by Henzinger et al. (1994) Core model checking operations Core model checking operations –Image computation  Quantifier elimination in quantified difference logic Quantifier elimination in quantified difference logic –Termination check  Satisfiability checking of difference logic Satisfiability checking of difference logic  Our Approach: Use Boolean encodings –Quantified difference logic  Quantified Boolean logic –Difference logic  Boolean logic –Use BDDs, SAT solvers [Seshia & Bryant, CAV’03]

– 34 – Example: Termination Check Have we seen all reachable states of the systems? Have we seen all reachable states of the systems? Satisfiability solving in Difference Logic Satisfiability solving in Difference Logic µ ?

– 35 – Solving Difference Logic via SAT x ¸ y Æ y ¸ z Æ z ¸ x+1 e 1 Æ e 2 ) : e 3 Æ Overall Boolean Encoding Transitivity Constraint e1e1 y ¸ z z ¸ x+1 x ¸ y e2e2 e3e3 e 1 Æ e 2 Æ e 3

– 36 – A More Realistic Situation Ç Æ : Ç Æ Ç x ¸ y y ¸ z z ¸ x+1 x ¸ y Æ y ¸ z Æ z ¸ x+1 Æ... is a term in the SOP (DNF)

– 37 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata  Case Studies Future Directions & Related Research Future Directions & Related Research

– 38 – Case Studies Global STP Circuit Global STP Circuit –Self-resetting domino ckt. in Pentium-4 ALU –Analyzed published ckt. [Hinton et al., JSSC’01] GasP FIFO Control [Sutherland & Fairbanks, ASYNC’01] GasP FIFO Control [Sutherland & Fairbanks, ASYNC’01] STAPL Left-Right Buffer [Nystrom & Martin, ’02] STAPL Left-Right Buffer [Nystrom & Martin, ’02] STARI [Greenstreet, ’93] STARI [Greenstreet, ’93]

– 39 – Footed and Unfooted Domino Inverters

– 40 – Global STP Circuit (simplest version at gate-level) ck out " " " " " " " res

– 41 – Global STP Circuit: Sample Constraint ck out " " " " " " " res ck res " ck ! ck Á res " "

– 42 – Global STP Circuit: An Error ck out " " r s " We want: red < blue 7 transitions < 5 transitions

– 43 – Comparison with ATACS Model checking for absence of short-circuits Model checking for absence of short-circuits Circuit Number of Signals Time for our model checker, TMV (in sec.) Global STP GasP-10 stages STAPL-3 stages ATACS did not finish within 3600 sec. on any

– 44 – Comparison with ATACS on STARI

– 45 – Related Work Modeling Modeling –Gate-level Metric Timing Timed Petri Nets, TEL, … [Myers, Yoneda, et al.] Timed Petri Nets, TEL, … [Myers, Yoneda, et al.] Timed Automata-based [Maler, Pnueli, et al.] Timed Automata-based [Maler, Pnueli, et al.] –Chain Constraints [Negulescu & Peeters] –Relative Timing [Stevens et al.] Lazy transition systems [Pena et al.] Lazy transition systems [Pena et al.] –Symbolic Gate Delays [Clariso & Cortadella] Verification Verification –For circuits, mostly restricted to just symbolic techniques [e.g., ATACS]

– 46 – Talk Outline Motivating Problem: Verifying Self-Timed Circuits Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Generalized Relative Timing Circuits  Timed Automata Circuits  Timed Automata Model Checking Timed Automata Model Checking Timed Automata Case Studies Case Studies  Future Directions & Related Research

– 47 – Summary Leverage Boolean Methods for Timed Systems Leverage Boolean Methods for Timed Systems –Modeling: generalized relative timing –Verification: fully symbolic model checking Using BDDs, SAT Using BDDs, SAT Demonstrated Application: Modeling and Verifying Self-Timed Circuits Demonstrated Application: Modeling and Verifying Self-Timed Circuits

– 48 – Future Directions: Model Generation Timed System Model Needs to be automated Main Challenge: Automatic generation of timing constraints Idea: Machine learning from simulated runs (successful and failing)

– 49 – Future Directions: New Applications Distributed Real-time Embedded Systems Distributed Real-time Embedded Systems –E.g., sensor networks –Operate asynchronously –Lots of concurrency –Timeliness important Will generalized relative timing work for this application? Will generalized relative timing work for this application?

– 50 – Related Research Project UCLID UCLID –Modeling & Verifying Infinite-State Systems –Focus: Integer arithmetic, Data Structures (arrays, memories, queues, etc.), Bit-vector operations,… –Applications: Program verification, Processor verification, Analyzing security properties E.g., detecting if a piece of code exhibits malicious behavior (worm/virus) E.g., detecting if a piece of code exhibits malicious behavior (worm/virus) Also based on Boolean Methods Also based on Boolean Methods –Problems in first-order logic translated to SAT Programming Systems seminar, Oct. 24 ’05 Programming Systems seminar, Oct. 24 ’05

– 51 – Thank you ! More information at