- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -

Slides:



Advertisements
Similar presentations
Evaluation and Validation
Advertisements

1 Verification by Model Checking. 2 Part 1 : Motivation.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
© Betty HC Cheng. This presentation is available free for non-commercial use with attribution under a creative commons license. Acknowledge: S.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Witness and Counterexample Li Tan Oct. 15, 2002.
Review of the automata-theoretic approach to model-checking.
Evaluation and Validation Peter Marwedel TU Dortmund, Informatik 12 Germany Graphics: © Alexandra Nolte, Gesine Marwedel, 2003 These slides use Microsoft.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
University of Toronto Department of Computer Science © Steve Easterbrook. This presentation is available free for non-commercial use with attribution.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Witness and Counterexample Li Tan Oct. 15, 2002.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
Evaluation and Validation Peter Marwedel TU Dortmund, Informatik 12 Germany 2012 年 12 月 11 日 These slides use Microsoft clip arts. Microsoft copyright.
Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
10/19/2015COSC , Lecture 171 Real-Time Systems, COSC , Lecture 17 Stefan Andrei.
CS6133 Software Specification and Verification
Verification & Validation By: Amir Masoud Gharehbaghi
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.
From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
Speaker: Nansen Huang VLSI Design and Test Seminar (ELEC ) March 9, 2016 Simulation-Based Equivalence Checking.
29/06/2016Verification Synchronous Languages Verification.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
CENG 424-Logic for CS Introduction Based on the Lecture Notes of Konstantin Korovin, Valentin Goranko, Russel and Norvig, and Michael Genesereth.
Basic concepts of Model Checking
CIS 842: Specification and Verification of Reactive Systems
CSCI1600: Embedded and Real Time Software
Automatic Verification of Industrial Designs
CSCI1600: Embedded and Real Time Software
Computer Security: Art and Science, 2nd Edition
CSCI1600: Embedded and Real Time Software
Lecture 10, Computer Networks (198:552)
Translating Linear Temporal Logic into Büchi Automata
Introduction to verification
Formal Methods in software development
Program correctness Model-checking CTL
Presentation transcript:

- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -

- 2 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation

- 3 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Formal verification  Formal verification = formally proving a system correct, using the language of mathematics.  Formal model required. Obtaining this cannot be automated.  If the model is available, we can try to prove properties.  Even a formally verified system can fail (e.g. if assumptions are not met).  Classification by the type of logics.  Formal verification = formally proving a system correct, using the language of mathematics.  Formal model required. Obtaining this cannot be automated.  If the model is available, we can try to prove properties.  Even a formally verified system can fail (e.g. if assumptions are not met).  Classification by the type of logics.

- 4 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Propositional logic (1)  Consisting of Boolean formulas comprising Boolean variables and connectives such as  and .  Gate-level logic networks can be described.  Typical aim: checking if two models are equivalent (called tautology checkers or equivalence checkers).  Since propositional logic is decidable, it is also decidable whether or not the two representations are equivalent.  Tautology checkers can frequently cope with designs which are too large to allow simulation-based exhaustive validation.  Consisting of Boolean formulas comprising Boolean variables and connectives such as  and .  Gate-level logic networks can be described.  Typical aim: checking if two models are equivalent (called tautology checkers or equivalence checkers).  Since propositional logic is decidable, it is also decidable whether or not the two representations are equivalent.  Tautology checkers can frequently cope with designs which are too large to allow simulation-based exhaustive validation.

- 5 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Propositional logic (2)  Reason for power of tautology checkers: Binary Decision Diagrams (BDDs)  Complexity of equivalence checks of Boolean functions represented with BDDs: O(number of BDD-nodes) (equivalence check for sums of products is NP-hard). #(BDD-nodes) not to be ignored!  Many functions can be efficiently represented with BDDs. In general, however, the #(nodes) of BDDs grows exponentially with the number of variables.  Simulators frequently replaced by equivalence checkers if functions can be efficiently represented with BDDs.  Very much limited ability to verify FSMs.  Reason for power of tautology checkers: Binary Decision Diagrams (BDDs)  Complexity of equivalence checks of Boolean functions represented with BDDs: O(number of BDD-nodes) (equivalence check for sums of products is NP-hard). #(BDD-nodes) not to be ignored!  Many functions can be efficiently represented with BDDs. In general, however, the #(nodes) of BDDs grows exponentially with the number of variables.  Simulators frequently replaced by equivalence checkers if functions can be efficiently represented with BDDs.  Very much limited ability to verify FSMs.

- 6 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund First order logic (FOL) FOL includes quantification, using  and . Some automation for verifying FOL models is feasible. However, since FOL is undecidable in general, there may be cases of doubt. FOL includes quantification, using  and . Some automation for verifying FOL models is feasible. However, since FOL is undecidable in general, there may be cases of doubt.

- 7 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Higher order logic (HOL) Higher order allows functions to be manipulated like other objects. For higher order logic, proofs can hardly ever be automated and typically must be done manually with some proof- support. Higher order allows functions to be manipulated like other objects. For higher order logic, proofs can hardly ever be automated and typically must be done manually with some proof- support.

- 8 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Temporal logic (1) Logic extended with a notion of "time" Branching vs. linear time:  Linear time Models physical time At each time instant, only one of the future behaviors is considered.  Branching time (at each time instant, all possible future behaviors are considered). Models different computational sequences of a system. Nondeterministic selection of the path taken. Logic extended with a notion of "time" Branching vs. linear time:  Linear time Models physical time At each time instant, only one of the future behaviors is considered.  Branching time (at each time instant, all possible future behaviors are considered). Models different computational sequences of a system. Nondeterministic selection of the path taken. T. Kropf: Introduction to Formal Hardware Verification, Springer, 1999

- 9 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Temporal logic (2) Discrete vs. continuous time  Discrete time Used by most temporal logics, mostly using natural numbers to model time.  Continuous time Using real numbers Discrete vs. continuous time  Discrete time Used by most temporal logics, mostly using natural numbers to model time.  Continuous time Using real numbers ℕ ℝ T. Kropf: Introduction to Formal Hardware Verification, Springer, 1999

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Temporal structures Definition: A temporal structure M:= (S,R,L) consists of 1.A finite set of states S 2.A transition relation R  S  S with  s  S  s'  S:(s,s')  R 3.A labeling function L: S  (V), with being the set of propositional variables (atomic formulas) This structure is often called Kripke structure. Definition: A temporal structure M:= (S,R,L) consists of 1.A finite set of states S 2.A transition relation R  S  S with  s  S  s'  S:(s,s')  R 3.A labeling function L: S  (V), with being the set of propositional variables (atomic formulas) This structure is often called Kripke structure. T. Kropf: Introduction to Formal Hardware Verification, Springer, 1999

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Link between temporal structures and computation trees Starting state s°  S defined ab cbc s°s° s²s²s1s1 ab bc c c cab Temporal structure Computation trees T. Kropf: Introduction to Formal Hardware Verification, Springer, 1999

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Computation tree logic (CTL) Let V be a set of atomic propositions CTL formulas are defined recursively: 1.Every atomic proposition is a formula 2.If f 1 and f 2 are CTL formulas, then so are  f 1, f 1  f 2, AX f 1, EX f 1, A[f 1 U f 2 ] and E[f 1 U f 2 ] AX f 1 means: holds in state s° iff f 1 holds in all successor states of s° EX f 1 means: There exists a successor such that f 1 holds A[f 1 U f 2 ] means: always until. E[f 1 U f 2 ] means: There exists a path such that f 1 holds until is f 2 satisfied. Let V be a set of atomic propositions CTL formulas are defined recursively: 1.Every atomic proposition is a formula 2.If f 1 and f 2 are CTL formulas, then so are  f 1, f 1  f 2, AX f 1, EX f 1, A[f 1 U f 2 ] and E[f 1 U f 2 ] AX f 1 means: holds in state s° iff f 1 holds in all successor states of s° EX f 1 means: There exists a successor such that f 1 holds A[f 1 U f 2 ] means: always until. E[f 1 U f 2 ] means: There exists a path such that f 1 holds until is f 2 satisfied. Christoph Kern and Mark R. Greenstreet: Formal Verification In Hardware Design: A Survey, ACM Transactions on Design Automation of Electronic Systems, Vol. 4, No. 2, April 1999, Pages 123–193.

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Model checking Aims at the verification of finite state systems. Analyzes the state space of the system. Verification using this approach requires three stages:  generation of a model of the system to be verified,  definition of the properties expected, and  model checking (the actual verification step). Aims at the verification of finite state systems. Analyzes the state space of the system. Verification using this approach requires three stages:  generation of a model of the system to be verified,  definition of the properties expected, and  model checking (the actual verification step).

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund 2 types of input Verification tools can prove or disprove the properties. In the latter case, they can provide a counter-example. Example: Clarke’s EMC-system Verification tools can prove or disprove the properties. In the latter case, they can provide a counter-example. Example: Clarke’s EMC-system

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Computational properties  Model checking is easier to automate than FOL.  In 1987, model checking was implemented using BDDs.  It was possible to locate several errors in the specification of the future bus protocol.  Extensions are needed in order to also cover real-time behavior and numbers.  Model checking is easier to automate than FOL.  In 1987, model checking was implemented using BDDs.  It was possible to locate several errors in the specification of the future bus protocol.  Extensions are needed in order to also cover real-time behavior and numbers.

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Examples of successful verification (1) Microprocessors 1.Generic interpreter theory 2.Pipelined processors 3.FM AAMP5 5.PowerPC transistor level verification [Kühlmann, 1995] Floating point units 1.Intel extended precision FPU 2.ADK IEEE floating point multiplier Microprocessors 1.Generic interpreter theory 2.Pipelined processors 3.FM AAMP5 5.PowerPC transistor level verification [Kühlmann, 1995] Floating point units 1.Intel extended precision FPU 2.ADK IEEE floating point multiplier Christoph Kern and Mark R. Greenstreet: Formal Verification In Hardware Design: A Survey, ACM Transactions on Design Automation of Electronic Systems, Vol. 4, No. 2, April 1999, Pages 123–193.

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Examples of successful verification (2) Asynchronous and distributed systems 1.Summit bus converter 2.Cache coherence protocols Memory subsystems ATM switch fabrics Asynchronous and distributed systems 1.Summit bus converter 2.Cache coherence protocols Memory subsystems ATM switch fabrics Christoph Kern and Mark R. Greenstreet: Formal Verification In Hardware Design: A Survey, ACM Transactions on Design Automation of Electronic Systems, Vol. 4, No. 2, April 1999, Pages 123–193.

 P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund The end Lectures: Peter MarwedelSlides: Peter MarwedelLabs: Birgit Sirocic, Robert PykaTextbook: Peter MarwedelCopyright: University of Dortmund, MMV