Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Similar presentations


Presentation on theme: "Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University."— Presentation transcript:

1 Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University

2 Introduction System on chip design Increase in complexity Gate level (netlists) Level Number of components 10 7 10 5 10 3 10 0 Abstraction System Structural Behavioral …………

3 Introduction Emergence of system design languages HardwareC, SpecC, Handel-C, and SystemC Based on C / C++ Allows joint modeling of both hardware and software components of a system Support for bit vectors, concurrency, synchronization, exception handling

4 Verification support Current model-checkers used in hardware industry work at netlist or RTL level Languages like SpecC are more closer to concurrent software Verification tools must reason about:  Programming languages constructs  Concurrency  Pointers, Objects  Bit vector operations like concatenation, extraction

5 Talk outline Introduction and motivation SpecC Our approach  Abstraction  Handling of concurrency constructs  Model checking and refinement Experimental results Conclusion

6 SpecC Behaviors event e; int x; behavior A () { void main() { x = 42; notify e; } }; behavior B () { void main() { wait e; printf("Got %d\n", x); } }; behavior Main { A a1(); B b1(); int main () { par { a1.main(); b1.main(); } } }; Object Instances Event Declaration Generate Event Wait for Event parallel execution

7 SpecC Asynchronous interleaving semantics  No atomicity is guaranteed  SpecC provides multiple synchronization constructs

8 More SpecC operators bit[7:0] a; unsigned bit[16] b; bit[31:0] SpecExample (bit[32] y) { bit [31:0] r; a = 11001110b; b[7:0] = a; b = a @ y[7:0]; r = b@b; return r; } Bit vectors Extraction Concatenatio n

9 Talk outline Introduction and motivation SpecC Our approach  Abstraction  Handling of concurrency constructs  Model checking and refinement Experimental results Conclusion

10 Abstraction Refinement Loop SpecC Program Concurrent Boolean Program Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Spurious counterexample Simulator Property holds Simulation sucessful Bug found Refinement [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

11 Example for Predicate Abstraction behavior main() { int i; i=0; while(even(i)) i++; } + p 1  i=0 p 2  even(i) = void main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } PredicatesSpecC programBoolean program [Ball, Rajamani ’00] [Graf, Saidi ’97]

12 Predicate Abstraction for SpecC Use predicate abstraction to prove assertions or safety properties Successfully applied for verification of C programs (SLAM, MAGIC, BLAST) Predicate abstraction produces an over-approximation

13 Our approach Abstract each thread seperately (we assume no recursion) Let the modelchecker handle the interleavings between various abstract threads || T1T2 Tn || B1B2Bn

14 Abstracting a single thread Identify basic blocks and abstract each block separately a = a + b[2:0]; i = 0; while (i < 10) { wait e1; x[2:0] = y; i++; notify e2; } a = a + b[2:0]; i = 0; x[2:0] = y; i++;

15 Abstracting a single thread Wait and notify translated to the abstract model directly a = a + b[2:0]; i = 0; while (i < 10) { wait e1; x[2:0] = y; i++; notify e2; } wait notify

16 Using theorem prover for abstraction Predicates i++; Basic BlockFormula Current Abstract State Next Abstract State p1p1 p2p2 p3p3 000 001 010 011 100 101 110 111 p’ 1 p’ 2 p’ 3 000 001 010 011 100 101 110 111 ?? Query 

17 Using theorem prover for abstraction Predicates i++; Basic BlockFormula Current Abstract State Next Abstract State p1p1 p2p2 p3p3 000 001 010 011 100 101 110 111 p’ 1 p’ 2 p’ 3 000 001 010 011 100 101 110 111 Query ?? … and so on …

18 Problems with existing tools Large number of expensive theorem prover calls – slow (2 n £ 2 n ) Over-approximation yields additional, unnecessary spurious counterexamples Theorem prover works on natural numbers, but SpecC uses bit-vectors  false positives Most theorem provers support only few operators (+, -, <, ≤, …), no bitwise operator

19 Abstraction of a basic block Use a SAT solver for computing abstraction of a basic block Successfully used for abstraction of C programs (Clarke et al, 2003) Create a SAT instance which relates initial value of predicates, basic block, and the values of predicates after the execution of basic block

20 Abstraction of a basic block ++ Computing abstract transitions

21 Abstract transitions (!p 1 & !p 1 & !p 1 & !p’ 1 & !p’ 2 & p’ 3 ) 000 ) 001 (!p 1 & !p 2 & p 3 & p’ 1 & !p’ 2 & !p’ 3 ) 001 ) 100 ……………………. Equation passed to the SAT solver

22 Abstraction of a basic block Use SAT solver! 1.Generate query equation with predicates as free variables 2.Transform equation into CNF using Bit Vector Logic One satisfying assignment matches one abstract transition 3.Obtain all satisfying assignments = most precise abstract transition relation

23 Abstraction of a basic block Use SAT solver! 1.Generate query equation with predicates as free variables 2.Transform equation into CNF using Bit Vector Logic One satisfying assignment matches one abstract transition 3.Obtain all satisfying assignments = most precise abstract transition relation

24 Advantages of using SAT Use SAT solver! 1.Generate query equation with predicates as free variables 2.Transform equation into CNF using Bit Vector Logic One satisfying assignment matches one abstract transition 3.Obtain all satisfying assignments = most precise abstract transition relation This solves two problems: 1.Now can do all SpecC operators, including *, /, %, <<, @, [ x:y] etc. 2.Sound with respect to overflow This solves two problems: 1.Now can do all SpecC operators, including *, /, %, <<, @, [ x:y] etc. 2.Sound with respect to overflow No more unnecessary spurious counterexamples!

25 Talk outline Introduction and motivation SpecC Our approach  Abstraction  Handling of concurrency constructs  Model checking and refinement Experimental results Conclusion

26 Handling concurrency constructs Replace the par statements using wait and notify. t1{ …….. } t2 { ……. } main() { par{ t1; t2} } main() { notify start1, start2; wait done1 & done2; } t1{ 1: wait start1; ………….. notify done1; goto 1; }

27 Wait and Notify Introduce a boolean variable for each thread and event pair t1 { 1: wait e; } t2 { 1: notify e; }

28 Wait and Notify t1 { 1: wait e; } t2 { 1: notify e; } t1 { (e1 == 1) ) e1 = 0; } t2 { e1,e2 := (1,1); } boolean e1, e2;

29 Abstraction Refinement Loop SpecC Program Concurrent Boolean Program Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Spurious counterexample Simulator Property holds Simulation sucessful Bug found Refinement

30 Abstraction Refinement Loop SpecC Program Concurrent Boolean Program Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Spurious counterexample Simulator Property holds Simulation sucessful Bug found Refinement Counterexample

31 Simulating the Counterexample Check if the abstract counterexample exists in the concrete model Thread interleavings :  T 1 [1] T 2 [1] T 1 [2] T 1 [3] ……… Simulation corresponds to a series of Bounded Model Checking instances

32 Abstraction Refinement Loop Actual Program Concurrent Boolean Program Model Checker Abstraction refinement Verification Initial Abstraction No error or bug found Spurious counterexample Simulator Property holds Simulation sucessful Bug found Refinement

33 Talk outline Introduction and motivation SpecC Our approach  Abstraction  Handling of concurrency constructs  Model checking and refinement Experimental results Conclusion

34 Experimental Results Property: Relation between data put in pipeline and data coming out of pipeline Each stage is a thread Runtime dominated by NuSMV

35 Experimental Results PRED: artificial benchmark that requires a known number of predicates ALUPIPE: Arithmetic properties of pipelined ALU

36 Summary of Results Concurrent system-level models can be abstracted in a thread-modular way In contrast to sequential models, the verification of the abstract model is the bottleneck

37 Future Work Use partial order reduction Object oriented languages: System-C based on C++ Better decision procedures for large programs  Translation to arithmetic circuits can sometimes be expensive

38 Questions?

39 References SpecC Language tutorial. Available at http://www.ics.uci.edu/~specc/ http://www.ics.uci.edu/~specc/ Predicate Abstraction of ANSI-C Programs using SAT. Formal Methods in System Design. Edmund Clarke, Daniel Kroening, Natasha Sharygina, Karen Yorav.


Download ppt "Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University."

Similar presentations


Ads by Google