Download presentation
Presentation is loading. Please wait.
1
Model Checking Basics Dr. Eng. Amr T. Abdel-Hamid Netw 703 Winter 2012 Slides based on slides of: K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU. E. Clarke, Formal Methods, to be updated by course name S. Tahar, E. Cerny and X. Song, “ Formal Verification of Systems”. Network Protocols
2
Dr. Amr Talaat Netw 703 Network Protocols Branching Time Temporal Logic (BTTL) Structure of time: an infinite tree, each instant may have many successor insta nts Along each path in the tree, the corresponding timeline is isomorphic to N State quantifiers: Xp, Fp, Gp, pUq (like in linear temporal logic) Path quantifiers: for All paths (A) and there Exists a path (E) from a given state A = ∀ E = ∃ In linear time logic, temporal operators are provided for describing events alon g a single future, however, when a linear formula is used for specification, ther e is usually an implicit universal quantification over all possible futures (linear tr aces) In contrast, in branching time logic the operators usually reflect the branching n ature of time by allowing explicit quantification over possible futures in any stat e
3
Dr. Amr Talaat Netw 703 Network Protocols CTL Formulas are constructed from path quantifiers and temp oral operators: Path quantifier: A: for every path E: there exists a path Temporal Operator: F: holds sometime in the future X: holds next time G: holds globally in the future p U q: p holds until q hold i.e. AF, AG, AX, A( U ), EF, EG, EX, E( U )
4
Dr. Amr Talaat Netw 703 Network Protocols CTL
5
Dr. Amr Talaat Netw 703 Network Protocols CTL: Computation Tree Logic
6
Dr. Amr Talaat Netw 703 Network Protocols CTL Example Structure M : A Kripke structure: triple M = S: set of states R ⊆ S × S: transition relation L: S → 2 AP : (Truth valuation) set of atomic propositions true in ea ch state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c} 6/80
7
Dr. Amr Talaat Netw 703 Network Protocols Example: Two input Muller C-element (assuming finite discrete delays): Specification in CTL: Liveness: If inputs remain equal, then eventually the output will c hange to this value. AG( A( ( a=0 ∧ b=0 ) U ( out=0 ∨ a=1 ∨ b=1 ) ) ) AG( A( ( a=1 ∧ b=1 ) U ( out=1 ∨ a=0 ∨ b=0 ) ) ) Safety: If all inputs and the output have the same value then the output should not change until all inputs change their values. AG( ( a=0 ∧ b=0 ∧ out=0 ) ⇒ A( out=0 U (a=1 ∧ b=1 ) ) ) AG( ( a=1 ∧ b=1 ∧ out=1 ) ⇒ A( out=1 U (a=0 ∧ b=0 ) ) ) 7/80
8
Dr. Amr Talaat Netw 703 Network Protocols Model Checking Problem Given an FSM M (equivalent Kripke structure) and a tem poral logic formula p, does M define a model of p? Determine the truth of a formula with respect to a give n (initial) state in M Find all states s of M such that (M, s) p For any propositional temporal logic, the model chec king problem is decidable: exhaustive search of all pat hs through the finite input structure 8/80
9
Dr. Amr Talaat Netw 703 Network Protocols Model Checking Problem 9/80
10
Dr. Amr Talaat Netw 703 Network Protocols Theoretical Background Theorem [Wolper, 1986]: The model checking for CTL is in deterministic polynomial time Theorem [Sistla & Clark, 1985]: The model checking pr oblem for PLTL is PSPACE complete Theorem [Emerson & Lei, 1987]: Given any model-chec king algorithm for a linear logic LTL, there is a model che cking algorithm for the corresponding branching logic BT L, whose basic modalities are defined by the LTL, of the s ame order of complexity Theorem [Clark, Emerson & Sistla, 1986]: The model checking problem for CTL* is PSPACE-complete 10/80
11
Dr. Amr Talaat Netw 703 Network Protocols PSPACE-complete 11/80
12
Dr. Amr Talaat Netw 703 Network Protocols Fixpoints Algorithm Model Checking Algorithms Original algorithm described in terms of labeling the CTL structur e (Clark83) Required explicit representation of the whole state space Better algorithm based on fixed point calculations Algorithm amenable to symbolic formulation Symbolic evaluation allows implicit enumeration of states Significant improvement in maximum size of systems that can be verified
13
Dr. Amr Talaat Netw 703 Network Protocols 13 Symbolic model checking Symbolic model checking approach Boolean formulas represent sets and relations Use fixed point characterizations of CTL operators Model checking without building complete state graph CTL model checking problem can be solved in O(|f| (|S|+|R|)) Note that the complexity is linear in the size of the formula and the transition system Recall that the size of the transition system is exponential in the num ber of variables (this is called the state space explosion problem)
14
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm Translate the formula to a formula which uses the basis EX p, EG p, E(p U q) Start from the innermost subformulas Label the states in the transition system with the subformulas that hold in that state Initially states are labeled with atomic properties Each (temporal or boolean) operator has to be processed once Processing of each operator takes O(|S|+|R|)
15
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm Boolean operators are easy p : Each state which is not labeled with p should be labeled with p p q : Each state which is labeled with both p and q should be la beled with p q p q : Each state which is labeled with p or q should be labeled with p q
16
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm: EX p EX p is easy to do in O(|S|+|R|) All the nodes which have a next state labeled with p should be label ed with EX p s2s1s4s3 pp p, EX p EX p s2s1s4s3
17
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm: E(pUq) E(pUq): Find the states which are the source of a path where p U q holds Find the nodes that reach a node that is labeled with q by a path where each node is labeled with p Label such nodes with E(pUq) It is a reachability problem which can be solved in O(|S|+|R|) First label the nodes which satisfy q with E(pUq) For each node labeled with E(pUq), label all its pre vious states that are labeled with p with E(p U q)
18
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm: E(pUq) s2s1s4s3 pp p, E(pUq) s2s1s4s3 q q, E(pUq)
19
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm: EG p EG p: Find infinite paths where each node on the path is label ed with p, and label nodes in such paths with EG p First remove all the states which do not satisfy p from the transitio n graph Compute the strongly connected components of the remaining gr aph, and then find the nodes which can reach the strongly conne cted components (both of which can be done in O(|S|+|R|) Label the nodes in the strongly connected components and the n odes that can reach the strongly connected components with EG p
20
Dr. Amr Talaat Netw 703 Network Protocols CTL Model Checking Algorithm: EG p s2s1s4s3 pp p, EG p s2s1s4s3 p p, EG p s2s4s3 pp p A strongly connected component
21
Dr. Amr Talaat Netw 703 Network Protocols Verification vs. Falsification Verification: Show: initial states truth set of p Falsification: Find: a state initial states truth set of p Generate a counter-example starting from that state CTL model checking algorithm can also generate a counter-ex ample path if the property is not satisfied without increasing the complexity The ability to find counter-examples is one of the biggest stren gths of the model checkers
22
Dr. Amr Talaat Netw 703 Network Protocols Temporal Properties Fixpoints [Emerson and Clarke 80] Here are some interesting CTL equivalences: AG p = p AX AG p EG p = p EX EG p AF p = p AX AF p EF p = p EX EF p A(p U q) = q (p AX A(p U q)) p EU q = q (p EX E(p U q)) Note that we wrote the CTL temporal operators in terms of thems elves and EX and AX operators
23
Dr. Amr Talaat Netw 703 Network Protocols Functionals Given a transition system M=(S, L, R), we will define functions (Properties) from sets of states to sets of states F : 2 S 2 S For example, one such function is the EX operator (which com putes the precondition of a set of states) EX : 2 S 2 S which can be defined as: EX(p) = { s | (s,s’) R and s’ p } Image calculation
24
Dr. Amr Talaat Netw 703 Network Protocols CTL Example Structure M : A Kripke structure: triple M = S: set of states R ⊆ S × S: transition relation L: S → 2 AP : (Truth valuation) set of atomic propositions true in ea ch state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c} 24/80
25
Dr. Amr Talaat Netw 703 Network Protocols Fixpoint Characterizations Fixpoint CharacterizationEquivalences AG p = y. p AX y AG p = p AX AG p EG p = y. p EX y EG p = p EX EG p AF p = y. p AX y AF p = p AX AF p EF p = y. p EX y EF p = p EX EF p A(p U q) = y. q (p AX (y)) p AU q=q (p AX (p AU q)) E(pUq) = y. q (p EX (y)) p EU q = q (p EX (p EU q))
26
Dr. Amr Talaat Netw 703 Network Protocols Functionals Now, we can think of all temporal operators also as functions fr om sets of states to sets of states For example: AX p = EX( p) or if we use the set notation AX p = (S - EX(S - p)) LogicSet p q p q p q p q p S – p False TrueS
27
Dr. Amr Talaat Netw 703 Network Protocols Lattice The set of states of the transition system forms a lattice: lattice2 S partial order bottom element top elementS Least upper bound (lub) Greatest lower bound (glb)
28
Dr. Amr Talaat Netw 703 Network Protocols Lattice (lub): y ∈ P is a least upper bound of S in P means y is an upper bound of S and ∀ z ∈ P which is an upper bound of S, y ≤ z (glb) y ∈ P is a greatest lower bound of S in P means y is a lower bound of S and ∀ z ∈ P which is a lower bound of S, z ≤ y 28/80
29
Dr. Amr Talaat Netw 703 Network Protocols Temporal Properties Fixpoints Based on the equivalence EF p = p EX EF p EF p is a fixpoint of function (F): where F =>F y = p EX y F (EF p) = EF p In fact, EF p is the least fixpoint of F, which is written as: EF p = y. p EX y ( means least fixpoint)
30
Dr. Amr Talaat Netw 703 Network Protocols EF Fixpoint Computation p EF(p)states that can reach p p EX(p) EX(EX(p))... EF(p) states that can reach p p EX(p) EX(EX(p)) ... EF(p)
31
Dr. Amr Talaat Netw 703 Network Protocols Temporal Properties Fixpoints Based on the equivalence EG p = p AX EG p EG p is a fixpoint of function (F): where F => F y = p EX y F (EG p) = EG p In fact, EG p is the greatest fixpoint of F, which is written as: EG p = y. p EX y ( means greatest fixpoint)
32
Dr. Amr Talaat Netw 703 Network Protocols EG Fixpoint Computation EG(p) EG(p) states that can avoid reaching pp EX(p) EX(EX(p))... EG(p) states that can avoid reaching p p EX(p) EX(EX(p)) ...
33
Dr. Amr Talaat Netw 703 Network Protocols Least Fixpoint Given a monotonic function F, its least fixpoint is the greatest low er bound (glb) of all the reductive elements : y. F y = { y | F y y } The least fixpoint y. F y is the limit of the following sequence (a ssuming F is -continuous): , F , F 2 , F 3 ,... If S is finite, then we can compute the least fixpoint using the abo ve sequence
34
Dr. Amr Talaat Netw 703 Network Protocols EF Fixpoint Computation EF p = y. p EX y is the limit of the sequence: , p EX , p EX(p EX ), p EX(p EX(p EX )),... which is equivalent to , p, p EX p, p EX (p EX (p) ),...
35
Dr. Amr Talaat Netw 703 Network Protocols EF Fixpoint Computation s2s1s4s3 p p Start 1 st iteration p EX = {s1,s4} EX( )= {s1,s4} ={s1,s4} 2 nd iteration p EX(p EX ) = {s1,s4} EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4} 3 rd iteration p EX(p EX(p EX )) = {s1,s4} EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4} 4 th iteration p EX(p EX(p EX(p EX ))) = {s1,s4} EX({s1,s2,s3,s4})= {s1,s4} {s1,s2,s3,s4} = {s1,s2,s3,s4}
36
Dr. Amr Talaat Netw 703 Network Protocols EF Fixpoint Computation p EF(p)states that can reach p p EX(p) EX(EX(p))... EF(p) states that can reach p p EX(p) EX(EX(p)) ... EF(p)
37
Dr. Amr Talaat Netw 703 Network Protocols Greatest Fixpoint Given a monotonic function F, its greatest fixpoint is the least upp er bound (lub) of all the extensive elements: y. F y = { y | F y y } The greatest fixpoint y. F y is the limit of the following sequenc e (assuming F is -continuous): S, F S, F 2 S, F 3 S,... If S is finite, then we can compute the greatest fixpoint using the above sequence
38
Dr. Amr Talaat Netw 703 Network Protocols EG Fixpoint Computation Similarly, EG p = y. p EX y is the limit of the sequence: S, p EX S, p EX(p EX S), p EX(p EX (p EX S)),... which is equivalent to S, p, p EX p, p EX (p EX (p) ),...
39
Dr. Amr Talaat Netw 703 Network Protocols EG Fixpoint Computation s2s1s4s3 pp p Start S = {s1,s2,s3,s4} 1 st iteration p EX S = {s1,s3,s4} EX({s1,s2,s3,s4})= {s1,s3,s4} {s1,s2,s3,s4}={s1,s3,s4} 2 nd iteration p EX(p EX S) = {s1,s3,s4} EX({s1,s3,s4})= {s1,s3,s4} {s2,s3,s4}={s3,s4} 3 rd iteration p EX(p EX(p EX S)) = {s1,s3,s4} EX({s3,s4})= {s1,s3,s4} {s2,s3,s4}={s3,s4}
40
Dr. Amr Talaat Netw 703 Network Protocols EG Fixpoint Computation EG(p) EG(p) states that can avoid reaching pp EX(p) EX(EX(p))... EG(p) states that can avoid reaching p p EX(p) EX(EX(p)) ...
41
Dr. Amr Talaat Netw 703 Network Protocols Example Structure M : S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c} Check if AG(a ∨ c) holds 41/80
42
Dr. Amr Talaat Netw 703 Network Protocols Example (cont.) Remember that: AG p = y. p AX y AX p = EX( p) H(a ∨ c) = H(a) ∪ H(c) ={2,3} ∪ {3,4,5} = {2,3,4,5} I0 S = {1,2,3,4,5} I1 {2,3,4,5} ∩ S = {2,3,4,5} ∩ {1,2,3,4,5} = {2,3,4,5} I2 {2,3,4,5} ∩ AX(2,3,4,5) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} I3 {2,3,4,5} ∩ AX(2,3,4) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} I3 = I2 H(AG(a ∨ c)) = {2,3,4} To verify that f holds in state s, check if s ∈ H(f) 42/80
43
Dr. Amr Talaat Netw 703 Network Protocols Example 43/80 1 2 3 4 5 6 a,b c b,c a dc For the FSM below, formally check the following properties, using Fixpoint Theorm: AG(a ∨c ∨b) AF(a b) If failed show the subset of the design the property holds for as well as the counter example S = {1,2,3,4,5,6}, AP = {a,b,c,d}, R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)} L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d}
44
Dr. Amr Talaat Netw 703 Network Protocols Example (cont.) Remember that: H(a ∪ b) = H(a) ∪ H(b) ∪ H(c) ={1,4} ∪ {2,3,5} ∪ {1,3} = {1,2,3,4,5} AG(a ∨ c ∨ b) = AG p = y. p AX y = y. p AX y AX p = EX( p) I0 S = {1,2,3,4,5,6} I1 {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} I2 {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5} This is because that : AX(1,2,3,4,5) = EX( (1,2,3,4,5)) = EX(6) = (2) = S- {2 } = {1,3,4,5,6} I3 {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} This is because that : AX(1,3,4,5) = EX( (1,3,4,5)) = EX(2,6) = (2,6) = S- {2,6} = {1,3,4,5} I3 = I2 H(AG(a ∨ b ∨ c)) = {1,3,4,5} The property does not hold, except for the above states, and it is clear that s tates {2,6} can be considered as counter examples. state 6 does not contain neither a,c,b and state 2 does not have a proceedin g one on one of its pathes path (2,6) 44/80
45
Dr. Amr Talaat Netw 703 Network Protocols Example (AF(ab)) Remember that: H(a b) = H(a) H(b) ={1,4} {1,3}= {1} AF(a b) = AG p = y. p AX y = y. p AX y AX p = EX( p) I0 I1 {1} ∩ AX( ) = {1} ∩ = This is because that : AX( ) = EX( ( )) = EX(1,2,3,4,5,6) = The property does not hold for any state. 45/80
46
Dr. Amr Talaat Netw 703 Network Protocols Model Checking Tools (non-commercial) SMV (Symbolic Model Verifier) A tool for checking finite state systems against specifications in the temporal logic CTL. Developed at Carnegie Mellon University by E. Clarke, K. McMillan et. al. Supports a simple input language: SMV For more information: http://www.cs.cmu.edu/~modelcheck/smv.htmlhttp://www.cs.cmu.edu/~modelcheck/smv.html Cadence SMV Updated version of SMV by K. McMillan at Berkeley Cadence Labs Input languages: extended SMV and synchronous Verilog Supports temporal logics CTL and LTL, finite automata, embedded assertions, an d refinement specifications. Features compositional reasoning, link with a simple theorem prover, an easy-to-u se graphical user interface and source level debugging capabilities For more information: http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/ 46/80
47
Dr. Amr Talaat Netw 703 Network Protocols Model Checking Tools (commercial) FormalCheck Supports the synthesizable subsets of Verilog and VHDL hardware d esign languages. User supplies FormalCheck with a set of queries (properties and con straints) Each property is defined using semantics of the class of omega auto mata. Tool provides powerful model reduction options. For more information: http://www.cadence.com/datasheets/formalche ck.html 47/80
48
Dr. Amr Talaat Netw 703 Network Protocols 48 Model Checking Automatic verification (or falsification) of finite state systems Explicit State Representation ⇒ State Explosion Pr oblem (about 10 8 states maximum) Breakthrough: Implicit State Representation using ROBDD (about 10 20 states). Use Boolean characteristic functions represented by RO BDDs to encode sets of states and transition relations.
49
Dr. Amr Talaat Netw 703 Network Protocols Binary Decision Diagrams Ordered binary decision diagrams (OBDDs) are a canonical fo rm for Boolean formulas. OBDDs are often substantially more compact than traditional n ormal forms. Moreover, they can be manipulated very efficiently. Introduced at: R. E. Bryant. Graph-based algorithms for boolean function manip ulation. IEEE Transactions on Computers, C-35(8), 1986.
50
Dr. Amr Talaat Netw 703 Network Protocols Binary Decision Trees A Binary decision tree is a rooted, directed tree with two types of vertices, terminal vertices and nonterminal vertices. Each nonterminal vertex v is labeled by a variable var(v) and h as two successors: low (v) corresponding to the case where the variable is assign ed 0, and high (v) corresponding to the case where the variabl e is assigned 1. Each terminal vertex v is labeled by value(v) which is either 0 or 1
51
Dr. Amr Talaat Netw 703 Network Protocols Example BDT for a two-bit comparator, f(a1,a2,b1,b2) = (a1 b1) (a 2 b2)
52
Dr. Amr Talaat Netw 703 Network Protocols Binary Decision Diagram i.e. exactly like decision TREE
53
Dr. Amr Talaat Netw 703 Network Protocols Reduced Ordered BDDs In practical applications, it is desirable to have a canonical repr esentation for Boolean functions. This simplifies tasks like checking equivalence of two formulas and deciding if a given formula is satisfiable or not. Such a representation must guarantee that two Boolean functi ons are logically equivalent if and only if they have isomorphic representations.
54
Dr. Amr Talaat Netw 703 Network Protocols Reduced Ordered BDD Canonical Form property A canonical representation for Boolean functions is desirable: two Boolean functions are logically equivalent iff they have isomo rphic representations This simplifies checking equivalence of two formulas and deciding if a formula is satisfiable Two BDDs are isomorphic if there exists a bijection h between the g raphs such that Terminals are mapped to terminals and nonterminals are mapped to nonterminals For every terminal vertex v, value(v) = value(h(v)), and For every nonterminal vertex v: var(v) = var(h(v)), h(low(v)) = low( h(v)), and h(high(v)) = high(h(v))
55
Dr. Amr Talaat Netw 703 Network Protocols Canonical Form property Bryant (1986) showed that BDDs are a canonical repr esentation for Boolean functions under two restrictions: the variables appear in the same order along each path from th e root to a terminal there are no isomorphic subtrees or redundant vertices
56
Dr. Amr Talaat Netw 703 Network Protocols Reduced Ordered Binary Decision Diagr ams (ROBDDs): CREATION Canonical Form Property Requirement (1): Impose total order “<” on the variables in the for mula: if vertex u has a nonterminal successor v, then var(u) < var( v) Requirement (2): repeatedly apply three transformation rules (or i mplicitly in operations such as disjunction or conjunction)
57
Dr. Amr Talaat Netw 703 Network Protocols RoBDD Creation 1) Remove duplicate terminals: eliminate all but one terminal v ertex with a given label and redirect all arcs to the eliminated v ertices to the remaining one
58
Dr. Amr Talaat Netw 703 Network Protocols Comparator Example
59
Dr. Amr Talaat Netw 703 Network Protocols ROBDD Creation 2. Remove duplicate nonterminals: if nonterminals u and v hav e var(u) = var(v), low(u) = low(v) and high(u) = high(v), eliminat e one of the two vertices and redirect all incoming arcs to the o ther vertex
60
Dr. Amr Talaat Netw 703 Network Protocols 3. Remove redundant tests: if nonterminal vertex v has low(v) = high(v), eliminate v and redirect all incoming arcs to low(v)
61
Dr. Amr Talaat Netw 703 Network Protocols ROBDD Example Creating the ROBDD for (x ⊕ y ⊕ z)
62
Dr. Amr Talaat Netw 703 Network Protocols Canonical Form Property (cont’d) A canonical form is obtained by applying the transformation rul es until no further application is possible Bryant showed how this can be done by a procedure called Re duce in linear time Applications: checking equivalence: verify isomorphism between ROBDDs non-satisfiability: verify if ROBDD has only one terminal node, lab eled by 0 tautology: verify if ROBDD has only one terminal node, labeled by 1
63
Dr. Amr Talaat Netw 703 Network Protocols Variable Ordering Problem
64
Dr. Amr Talaat Netw 703 Network Protocols Variable Ordering Problem The problem of finding the optimal variable order is NP-complete Some Boolean functions have exponential size ROBDDs for any order (e.g., multiplier) Heuristics for Variable Ordering Heuristics developed for finding a good variable order (if it exists) Intuition for these heuristics comes from the observation that ROBDDs tend to be smaller when related variables are close together in the order Variables appearing in a subcircuit are related: they determine the subcircuit’s out put should usually be close together in the order Dynamic Variable Ordering Useful if no obvious static ordering heuristic applies During verification operations (e.g., reachability analysis) functions change, hence initial order is not good later on Good ROBDD packages periodically internally reorder variables to reduce ROBD D size Basic approach based on neighboring variable exchange Among a number of trials the best is taken, and the exchange is repeated
65
Dr. Amr Talaat Netw 703 Network Protocols BDDs operations Symbolic Model Checking Problem: How to represent state-transition graphs with Ordered Binary Decision Diagrams? Assume that system behavior is determined by N boolean stat e variables (v 1, v 2, v 3, … v n ) The system R can be represented by R(v 1, v 2, v 3, … v n, v’ 1, v’ 2, v’ 3, … v’ n ) Where v’ i is the next state variable
66
Dr. Amr Talaat Netw 703 Network Protocols Example 66/80 Convert function to BDD
67
Dr. Amr Talaat Netw 703 Network Protocols Model Checking The Good: If it works, model checking (unlike theorem proving) is a pus h-button tool. The Bad: If the system is too large, model checking cannot be applied because of state explosion. & The Ugly The system (and/or property) then needs to be suitably “abst racted” in order to use model checking.
68
Dr. Amr Talaat Netw 703 Network Protocols Approximate Model Checking Representing exact state sets may involve large BDDs Compute approximations to reachable states Potentially smaller representation Over-approximation : No bugs found Circuit verified correct Bugs found may be real or false Under-approximation : Bug found Real bug No bugs found Circuit may still contain bugs Reachable states Buggy states
69
Dr. Amr Talaat Netw 703 Network Protocols Theorem Proving Prove that an implementation satisfies a specification by mathematical re asoning Implementation and specification expressed as formulas in a formal logic Required relationship (logical equivalence/logical implication) described as a theorem to be proven within the context of a proof calculus A proof system: A set of axioms and inference rules (simplification, rewriting, induction, etc.)
70
Dr. Amr Talaat Netw 703 Network Protocols Theorem Proving Idea Properties specified in a Logical Language (SPEC) System behavior also in the same language (DES) Establish (DES SPEC) as a theorem. A logical System: A language defining constants, functions and predicates A no. of axioms expressing properties of the constants, function, types, e tc. Inference Rules A Theorem `follows' from axioms by application of inference rules has a proof
71
Dr. Amr Talaat Netw 703 Network Protocols First-Order Logic Propositional logic: reasoning about complete sentences. First-order logic: also reasoning about individual objects and rel ationships between them. Syntax Objects (in FOL) are denoted by expressions called terms: Constants a, b, c,... ; Variables u, v, w,... ; f(t1, t2,..., tn) where t1, t2,..., tn are terms and f a function symbol of n arguments Predicates: true (T) and false (F) p(t1, t2,..., tn) where t1, t2,..., tn are terms and p a predicate symb ol of n arguments
72
Dr. Amr Talaat Netw 703 Network Protocols First-Order Logic (cont.) Formulas: Predicates: P and Q formulas, then P, P Q, P Q, P Q, P Q are formulas x a variable, P a formula, then x.P, x.Q are formulas (x is not free in P, Q)
73
Dr. Amr Talaat Netw 703 Network Protocols First-Order Logic (cont’d) The Validity Problem of FOL To decide the validity for formulas of FOL, the truth table method does not work! Reason: must deal with structures not just truth assignments. Structures need not be finite... Semi-decidable (partially solvable) There is an algorithm which starts with an input, and 1. if the input is valid then it terminates after a finite number of steps, and outputs the correct value (Yes or No) 2.if the input is not valid then it reaches a reject halt or loops fo rever Theorem (Church-Turing, 1936) The validity problem for formulas of FOL is undecidable, but semi-de cidable. Some subsets of FOL are decidable.
74
Dr. Amr Talaat Netw 703 Network Protocols Higher-Order Logic First-order logic: only domain variables can be quantified. Second-order logic: quantification over subsets of variables (i.e., over predicates). Higher-order logics: quantification over arbitrary predicates and functi ons. Higher-Order Logic: Variables can be functions and predicates, Functions and predicates can take functions as arguments a nd return functions as values, Quantification over functions and predicates. Since arguments and results of predicates and functions can the mselves be predicates or functions, this imparts a first-class stat us to functions, and allows them to be manipulated just like or dinary values
75
Dr. Amr Talaat Netw 703 Network Protocols HOL Example 1: (mathematical induction) P. [P(0) ( n. P(n) P(n+1))] n.P(n) (Impossible to express it in FOL) Example 2: Function Rise defined as Rise (c, t) = c(t) c(t+1) Rise expresses the notion that a signal c rises at time t.
76
Dr. Amr Talaat Netw 703 Network Protocols Higher-Order Logic Advantage: high expressive power! Disadvantages: Incompleteness of a sound proof system for most higher-order log ics Theorem (Gödel, 1931) “There is no complete deduction system for the second-order logi c” Inconsistencies can arise in higher-order systems if semantics not ca refully defined “Russell Paradox”: Let P be defined by P(Q) = ¬Q(Q). By substituting P for Q, leads to P(P) = ¬P(P),
77
Dr. Amr Talaat Netw 703 Network Protocols Theorem Proving Systems Some theorem proving systems: Boyer-Moore (first-order logic) HOL (higher-order logic) PVS (higher-order logic) Lambda (higher-order logic) From PVS website: “PVS is a large and complex system and it takes a long while to learn to use it effectively. You should be prepared to invest six months to become a moderately skilled user”
78
Dr. Amr Talaat Netw 703 Network Protocols HOL HOL (Higher-Order Logic) developed at University of Cambridge Interactive environment (in ML, Meta Language) for machine assiste d theorem proving in higherorder logic (a proof assistant) Steps of a proof are implemented by applying inference rules chosen by the user; HOL checks that the steps are safe All inferences rules are built on top of eight primitive inference rules Mechanism to carry out backward proofs by applying built-in ML func tions called tactics and tacticals By building complex tactics, the user can customize proof strategies Numerous applications in software and hardware verification
79
Dr. Amr Talaat Netw 703 Network Protocols HOL HOL provides considerable built-in theorem-proving infrastructure: a powerful rewriting subsystems library facility containing useful theories and tools for general use Decision procedures for tautologies and semi-decision procedure for linear arithmetic provided as libraries The approach to mechanizing formal proof used in HOL is due to Ro bin Milner.
80
Dr. Amr Talaat Netw 703 Network Protocols Proof Styles in HOL Forward proof style: Goal-directed (or Backward) proof style:
81
Dr. Amr Talaat Netw 703 Network Protocols Backward Proofs
82
Dr. Amr Talaat Netw 703 Network Protocols Example 1: Logic AND AND Specification: AND_SPEC (i1,i2,out) := out = i1 ∧ i2 NAND specification: NAND (i1,i2,out) := out = ¬(i1 ∧ i2) NOT specification: NOT (i, out) := out = ¬ I AND Implementation: AND_IMPL (i1,i2,out) := ∃ x. NAND (i1,i2,x) ∧ NOT (x, out)
83
Dr. Amr Talaat Netw 703 Network Protocols Example 1: Logic AND Proof Goal: ∀ i1, i2, out. AND_IMPL(i1,i2,out) ⇒ ANDSPEC(i1,i2,out) Proof (forward) AND_IMP(i1,i2,out) {from above circuit diagram} ∃ x. NAND (i1,i2,x) ∧ NOT (x,out) {by def. of AND impl} NAND (i1,i2,x) ∧ NOT(x,out) {strip off “ ∃ x.”} NAND (i1,i2,x) {left conjunct of line 3} x =¬ (i1 ∧ i2) {by def. of NAND} NOT (x,out) {right conjunct of line 3} out = ¬ x {by def. of NOT} out = ¬(¬(i1 ∧ i2) {substitution, line 5 into 7} out =(i1 ∧ i2) {simplify, ¬¬ t=t} AND (i1,i2,out) {by def. of AND spec} AND_IMPL (i1,i2,out) ⇒ AND_SPEC (i1,i2,out) Q.E.D.
84
Dr. Amr Talaat Netw 703 Network Protocols Inductive Proofs Inductive Proofs Must Have: Base Case (value): where you prove it is true about the base case Inductive Hypothesis (value): where you state what will be assume in this proof Inductive Step (value) show: where you state what will be proven below proof: where you prove what is stated in the show portion this proof must use the Inductive Hypothesis sometime during th e proof
85
Dr. Amr Talaat Netw 703 Network Protocols Example 2 Prove this statement: Base Case (n=1): Inductive Hypothesis (n=p): Inductive Step (n=p+1): Show:
86
Dr. Amr Talaat Netw 703 Network Protocols Example 3 N-Bit Adder Verification of Generic Circuits used in datapath design and verification idea: verify n-bit circuit then specialize proof for specific value of n, (i.e., once proven for n, a simple instantiation of the theorem fo r any concrete value, e.g. 32, gets a proven theorem for that insta nce). use of induction proof Specification N-ADDER_SPEC (n,in1,in2,cin,sum,cout):= (in1 + in2 + cin = 2 n+1 * cout + sum)
87
Dr. Amr Talaat Netw 703 Network Protocols Example 3 N-Bit Adder Implementation 87/80
88
Dr. Amr Talaat Netw 703 Network Protocols Example 3 N-Bit Adder Recursive Definition: N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout):= ∃ w. N-ADDER_IMP(n-1,in1[0..n-2],in2[0..n-2],cin,sum[0..n-2],w) ∧ N-AD DER_IMP(1,in1[n-1],in2[n-1],w,sum[n-1],cout) Notes: N-ADDER_IMP(1,in1[i],in2[i],cin,sum[i],cout) = ADDER_IMP(in1[i],in2 [i],cin,sum[i],cout) Data abstraction function (vn: bitvec → nat) to relate bit vectors to natural numbers: vn(x[0]):= bn(x[0]) vn(x[0,n]):= 2n * bn(x[n]) + vn(x[0,n-1] 88/80
89
Dr. Amr Talaat Netw 703 Network Protocols Example 3 N-Bit Adder Proof goal: ∀ n, in1, in2, cin, sum, cout. N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],ci n,sum[0..n-1],cout) ⇒ N-ADDER_SPEC(n, vn(in1[0..n-1]), vn(in2[ 0..n-1]), vn(cin), vn(sum[0..n-1]), vn(cout)) As an example can be instantiated with n = 32: ∀ in1, in2, cin, sum, cout. N-ADDER_IMP(in1[0..31],in2[0..31],cin,sum[0..31],cout) ⇒ N-ADDER_SPEC(vn(in1[0..31]), vn(in2[0..31]), vn(cin), vn(sum[0..31]), vn(cout)) 89/80
90
Dr. Amr Talaat Netw 703 Network Protocols Example 3 N-Bit Adder Proof by induction over n: basis step: N-ADDER_IMP(1,in1[0],in2[0],cin,sum[0],cout) ⇒ N-ADDER_SPEC( 1,vn(in1[0]),vn(in2[0]),vn(cin),vn(sum[0]),vn(cout)) Induction Step: [N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) ⇒ N-A DDER_SPEC(n,vn(in1[0..n-1]),vn(in2[0..n-1]),vn(cin),vn(sum[0..n-1]), vn(cout)) ] ⇒ [N-ADDER_IMP(n+1,in1[0..n],in2[0..n],cin,sum[0..n],co ut) ⇒ N-ADDER_SPEC(n+1,vn(in1[0..n]),vn(in2[0..n]),vn(cin),vn(sum [0..n]),vn(cout))] 90/80
91
Dr. Amr Talaat Netw 703 Network Protocols Conclusions Advantages of Theorem Proving High abstraction and expressive notation Powerful logic and reasoning, e.g., induction Can exploit hierarchy and regularity, puts user in control Can be customized with tactics (programs that build larger proofs steps from ba sic ones) Useful for specifying and verifying parameterized (generic) datapath-dominated designs Unrestricted applications (at least theoretically) Limitations of Theorem Proving: Interactive (under user guidance): use many lemmas, large numbers of comma nds Large human investment to prove small theorems Usable only by experts: difficult to prove large / hard theorems Requires deep understanding of the both the design and HOL (while-box verific ation) must develop proficiency in proving by working on simple but similar problems.
92
Dr. Amr Talaat Netw 703 Network Protocols We are not alone Model checking Testin g Theorem proving
93
Dr. Amr Talaat Netw 703 Network Protocols Hybrid Verification Formal Verification using Theorem Proving + Model Checking Model Checking Theorem Proving
94
Dr. Amr Talaat Netw 703 Network Protocols Hybrid Verification |- Goal Imp. Spec. |- Goal Imp.(x y ….) Spec.((y=..) (…..)) G1GnG3G2 ……. Use model checking to verify Sub-Goals G3’’G2’’G1’’Gn’’ G1’ G2’G3’ Gn’
95
Dr. Amr Talaat Netw 703 Network Protocols Different Verification Methods Testing (Simulation/Emulation) Theorem Proving Model checking (automatic verification) Testing Model Checking Theorem Proving
96
Dr. Amr Talaat Netw 703 Network Protocols Semi-formal Verification Simulation Driver Simulation Engine Simulation Monitor Symbolic Simulation Coverage Analysis Diagnosis of Unverified Portions Guided vector generation Conventional Extension Devadas and Keutzer’s proposal: A pragmatic suggestion for SOC verification
97
Dr. Amr Talaat Netw 703 Network Protocols Semi-formal Verification Smart simulation: Use properties to generate directed test vectors. Maximize chances of detecting bugs at small cost Coverage metrics crucial? Use metrics to determine Unexercised parts of design: Guide vector generation Adequacy of verification: When to stop?
98
Dr. Amr Talaat Netw 703 Network Protocols Did you find the BUG yet? Verification and testing problem is an open question with multi-Billion $ Research per year. A great Masters Research Topic
99
Dr. Amr Talaat Netw 703 Network Protocols A Final Proof Software engineers want to be real engineers. Real engineers use mathematics. Formal methods are the mathematics of software engineering. Therefore, software engineers should use formal methods. Mike Holloway, NASA
100
Dr. Amr Talaat Netw 703 Network Protocols Scientists Quotes “Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life be cause it is so extremely rewarding” “A formula is worth a thousand pictures” Edsger Wybe Dijkstra (1930–2002)
Similar presentations
