Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Published byNichole Mull Modified over 10 years ago

Similar presentations

Presentation on theme: "Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley."— Presentation transcript:

1

2 Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley

3 Formal Verification Problem –Design or system M - mathematical model –Specification  - formal language –Does M satisfy  ? Applications –Software (safety-critical) –Hardware (microprocessors) –Protocols (shared memory multiprocessors) –Security

4 Specification Intent Implementation Product Property verification Refinement checking Equivalence checking

5 Approaches Algorithmic (model checking) –Design - typically finite state machines –Specification - first-order temporal logic – Automatic !! Deductive (interactive theorem proving) –Very expressive –User interacts with the prover Deductive + Algorithmic –Abstraction –Compositional model checking

6 Modeling designs Formal model of implementation and specification - finite state machine r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2 r 1 0 1 1 1 0 0 0 g 1 0 0 0 1 0 0 0 r 2 0 1 1 1 1 1 0 g 2 0 1 0 0 0 1 0 Semantics of model - trace language on I/O

7 Specification - Temporal logic pppppp Finally: F p Globally: G p NeXt: X p Temporal operators: Arbiter specification: G (r 1  F g 1 )

8 Specification - FSM r2r2 r1r1 g2g2 g1g1 r2r2 r1r1 F G1G1 G2G2 Nondeterministic finite state machine r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2  P  P’ iff def L(P) is contained in L(P’) iff Every linear property satisfied by P’ is satisfied by P

9 Model Checking Explore state space of I exhaustively All possible execution sequences are checked !! FSM I Does I satisfy  ? Does I refine S ? Counterexample No

10 State space explosion P || Q m  n states Designs expressed as composition P 1 || P 2 ||.... || P k - m 1  m 2 ....  m k states Model checking exponential in design description a P m states Q n states a bb FSM composition operator ||

11 Outline Symbolic model checking in VIS Overview of my contributions Forward symbolic model checking Compositional model checking in assume-guarantee paradigm Future research directions

12 VIS Symbolic model checker I 1 || I 2 || I 3 I1I1 I2I2 I3I3  Temporal logic spec Hierarchical description Flat description Compose

13 Symbolic Model Checking Manipulation of state sets (not individual states) Implicit representation with boolean expressions –state transition graph –state sets Operations on state sets performed implicitly –boolean ( , ,  ) –image computation (pre, post)

14 Pre Transition relation T S pre(S) T

15 Post Transition relation T post(S) S T

16 VIS : Limitations 1. Backward Model Checking Invariant checking : init   F bad   ? initbad Iterate pre until fixpoint Useless exploration of unreachable states

17 VIS: Limitations 2. Design structure not utilized Symbolic model checker I 1 || I 2 || I 3 I1I1 I2I2 I3I3  Temporal logic spec Compose

18 VIS: Limitations 3. Unsuitable for asynchronous protocols Naïve symbolic exploration explores all orderings of independent events - wasteful ! Independent events a, b a a b b

19 Partial-order techniques –explicit state exploration –avoids exploring all orderings of independent events VIS: Limitations 3. Unsuitable for asynchronous protocols “Partial-order reduction in symbolic state exploration,” Alur, Brayton, Henzinger, Qadeer, Rajamani 1997

20 VIS: Limitations 4. Limited to finite-state systems Parameterized systems –protocols (communication, multiprocessors) –finite-state methods verify only instantiations “Verifying sequential consistency on shared-memory multiprocessors,” Henzinger, Qadeer, Rajamani 1999

21 Outline Symbolic model checking in VIS Overview of my contributions Forward symbolic model checking Compositional model checking in assume-guarantee paradigm Future research directions

22 Invariant Verification: Pre init   F bad   ? initbad

23 Invariant Verification: Post init   F bad   ? initbad

24 Response Verification: Pre init   F (req  G  ack)    ack  G  ack

25 Response Verification: Pre init   F (req  G  ack)    G  ackreq init

26 Response Verification: Post init   F (req  G  ack)   init req R = Reach(init)  req req req R

27 Response Verification: Post req R  ack

28 Theorem All linear properties expressible by Buchi automata can be model checked by forward reasoning. “From pre-historic to post-modern symbolic model checking,” Henzinger, Kupferman, Qadeer 1998

29 Outline Symbolic model checking in VIS Overview of my contributions Forward symbolic model checking Compositional model checking in assume-guarantee paradigm Future research directions

30 Previous approaches Heuristically improve state exploration efficiency –Synchronous hardware: symbolic techniques (BDDs) - VIS –Asynchronous protocols: state reduction with explicit enumeration partial-order reduction - SPIN symmetry reduction - Murphi Algorithms work on flat description of systems State-of-the-art : 50-100 state variables

31 Our approach - M OCHA Complex designs necessarily modular and hierarchical Utilize rather than destroy design structure Partition the verification problem into smaller obligations Use existing algorithms to decide these obligations

32 Divide and Conquer P  P’ Q  Q’ P || Q  P’ || Q’ Difficulty : Not applicable in practice

33 P P’  Q Q’  PQ P’Q’  P’

34 Assume-Guarantee Rule [Stark] [Clarke-Long-McMillan] [Grumberg-Long] [Abadi-Lamport][Alur-Henzinger][McMillan] P || Q’  P’ P’ || Q  Q’ P || Q  P’ || Q’

35 Propositional Validity? p  q’  p’ p’  q  q’ p  q  p’  q’ Consider case when p = true q = true p’ = false q’ = false

36 Refinement Checking in M OCHA  Space Abstraction

37 Refinement Checking in M OCHA  Space Abstraction Time abstraction

38 Refinement Checking in M OCHA 

39 Refinement Maps Environment signals not present in specification  Manually construct abstract constraining modules Design insight is required !

40 EQEQ yx a y EPEP Px b a  b EQEQ EPEP a a P Q x y b S x y  EPEP b S xy Q EQEQ y a b x 

41 M OCHA - Refinement Examples Asynchronous applications –Sliding window protocol Synchronous applications –Pipeline –Tomasulo’s algorithm “You assume, we guarantee: methodology and case studies,” Henzinger, Qadeer, Rajamani 1998

42 VGI architecture 16 clusters with 6 processors in each - 4 compute, 1 memory, 1 I/O ~30K logic gates and ~800 latches per processor 3-stage pipelined compute processors Complex handshake between processors Interconnection between processors configured statically

43 Complex handshake FIFO buffer pipeline ISA

44 Verification of VGI Level-sensitive latches  multiple implementation steps correspond to single specification step Very large design  need compositional verification “Assume-guarantee refinement between different time scales,” Henzinger, Qadeer, Rajamani 1999 “Formal specification and verification of a dataflow processor array,” Henzinger, Liu, Qadeer, Rajamani 1999

45 MOCHA Verilog Proof Assistant e.g., assume-guarantee,.... Reactive Module Algorithm 1Algorithm 2 Temporal logic specification Abstract Module EsterelJava “Mocha: modularity in model checking,” Alur, Henzinger, Mang, Qadeer, Rajamani, Tasiran 1998

46 Formal design 3 subtle bugs in the interaction between datapath and communication control were found and fixed Design insight (through refinement maps) indispensable for model checking Model checking indispensable for producing correct design –Error traces invaluable –Iterative testing of design fixes

47 Formal design Symbiotic relationship between design and verification Refinement maps not a big burden for designers Vision –Both activities performed in parallel –Designer uses a model checker interactively during the design phase itself

48  P’Q’ PQ TPTP TQTQ PQ  TPTP TQTQ P’  P Q’  Q P’

49 Sample operator Finite state machine P Predicate  on the variables of P A run of P sampled whenever  is true is a run of Sample  (P) We compare Sample ~clk (VGI) against its specification

50 pipeline ISA  ~clk

Download ppt "Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.

Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Automated Refinement Checking of Concurrent Systems Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University.

Automated Refinement Checking of Concurrent Systems Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University.
Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)

Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)
Model Checking basic concepts and techniques Sriram K. Rajamani.

Model Checking basic concepts and techniques Sriram K. Rajamani.
ECE 667 - Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.

ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Similar presentations

Ads by Google