Reasoning about Timed Systems Using Boolean Methods

Transcription

1 Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work with Randal E. Bryant (CMU) Kenneth S. Stevens (Intel, now U. Utah)

2 Timed System A system whose correctness depends not only on its functionality (what results it generates), but also on its timeliness (the time at which results are generated). 2

3 Real-Time Embedded Systems 3

4 Self-Timed Circuits 4

5 Modeling & Verification Verify model Model Timed System 5

6 Challenges with Timed Systems State has 2 components: Boolean variables (V):( model discrete state Real-valued variables (X):( measure real time Infinitely-many states Has a finite representation (regions graph) But grows worse than X X Verification is hard! 6

7 Modeling & Verification Verify model Model Checking Model Timed Automaton Timed System Self-Timed Circuit 7

8 Message of This Talk: Leverage Boolean Methods Modeling Use Boolean variables to model timing, where possible Verification Use symbolic Boolean representations and algorithms operating on them Binary Decision Diagrams (BDDs( BDDs), Boolean satisfiability solvers (SAT) Why? Systems have complex Boolean behavior anyway Great progress made in finite-state model checking, SAT solving, etc. over last 15 years 8

9 Talk Outline Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Circuits Timed Automata Model Checking Timed Automata Case Studies Future Directions & Related Research 9

10 Self-Timed (Asynchronous) Circuits Many design styles use timing assumptions Relative Timing Delay Independent Burst Mode Gate-level Metric Timing Relative Timing: [Stevens et al. ASYNC 99, TVLSI 03] Circuit behavior constrained by relative ordering of signal transitions u v 10

11 Relative Timing (RT) Verification Methodology: 2 Steps 1. Check circuit functionality under timing assumptions Search the constrained state space Model checking 2. Verify timing assumptions themselves Size circuit path delays appropriately Static timing analysis 11

12 Pros and Cons of RT Advantages: + Applies to many design styles + Incremental addition of timing constraints + No conservatively set min-max max delays Disadvantages: Cannot express metric timing More work to be done on verification Scaling up Validating timing constraints themselves 12

13 Our Contributions Generalized RT Can express some metric timing [Seshia, Stevens, & Bryant, ASYNC 05] Applied Fully Symbolic Verification Techniques Model circuits using timed automata Metric timing modeled using real-valued variables Non-metric with Booleans Performed Case Sudies Including Global STP circuit (published version of Pentium-4 4 ALU ckt.) 13

14 Talk Outline Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Circuits Timed Automata Model Checking Timed Automata Case Studies Future Directions & Related Research 14

15 Generalizing Relative Timing Relative Timing Delay Independent Burst Mode Gate-level Metric Timing 15

16 Circuit Model Variables (signals): v 1, v 2,, v n Events (signal transitions): e i Rules E i (v 1, v 2,, v n ) e i is v i or v i Timing Constraints 16

17 Generalized Relative Timing (GRT) Constraint : Time between e j and previous occurrence of e i Δ(e i, e j ) : Time between e i e j Form of GRT constraint: Δ(e i, e j ) Δ(e i, e k ) + d e i e i e j e k 17

18 Special Case: Common Point-of- Divergence (PoD) PoD constraint: Δ(e i, e j ) Δ(e i, e k ) Written as: e i e j e k e i e j e k An RT constraint traced back to its source 18

19 Example: Point-of-Divergence (PoD) Constraint c ac b 19

20 Example: Metric Timing Δ(data_in, data_in_aux) Δ(enable, trigger) 20

21 Do We Need Metric Timing? Useful for modular specification of timing constraints Also when delays are explicitly used 21

22 Verifying Generalized Relative Timing Constraints Use static timing analysis to compute min-max max path delays To verify: Δ(e i, e j ) Δ(e i, e k ) + d We verify that: max-delay( e i à e j ) min-delay( e i à e k ) + ) + d 22

23 Talk Outline Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Circuits Timed Automata Model Checking Timed Automata Case Studies Future Directions & Related Research 23

24 Modeling Timed Circuits Need to model: Rules ( Boolean behavior) and Timing Our formalism: Timed Automata [Alur Generalization of finite automata State variables: Alur & Dill, 90] Boolean (circuit signals) Real-valued timers or clocks (impose timing constraints) Operations: (1) compare with constant, (2) reset to zero We model non-metric timing with Booleans 24

25 Enforcing Timing with Booleans c ac b 1.c sets a bit ac resets it 3.b cannot occur while the bit is set 3. 25

26 Enforcing Timing with Timer Variables Δ(data_in, data_in_aux) Δ(enable, trigger) 26

27 Enforcing Timing with Timer Variables Δ(data_in, data_in_aux) Δ(enable, trigger) data_in sets x 1 to 0 data_in_aux must occur while x 1 c enable sets x 2 to 0 trigger can only occur if x 2 c c determined just as in other metric timing styles 27

28 Booleans vs. Timers Most timing constraints tend to be PoD So few real-valued timer variables used in practice 28

29 Talk Outline Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Circuits Timed Automata Model Checking Timed Automata Case Studies Future Directions & Related Research 29

30 State Boolean part: assignment to signals v 1 = 0, v 2 = 1, v 3 = 0,... Real-valued part: relation between timers x 2 x 1 0 x 2 0 x 1 x 2 x 1 symbolic representation 30

31 Symbolic Model Checking of Timed Automata,,,,,, Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], 31

32 Fully Symbolic Model Checking Symbolically represent sets of signal assignments with corresponding relations between timers v 1 v 2 x 1 0 x 2 0 x 1 x 2,... 32

33 Our Approach to Fully Symbolic Model Checking [Seshia & Bryant, CAV 03] Based on algorithm given by Henzinger et al. Core model checking operations Image computation Quantifier elimination in quantified difference logic Termination check Satisfiability checking of difference logic et al.(1994) Our Approach: Use Boolean encodings Quantified difference logic Quantified Boolean logic Difference logic Boolean logic Use BDDs,, SAT solvers 33

34 Example: Termination Check Have we seen all reachable states of the systems?? Satisfiability solving in Difference Logic 34

35 Solving Difference Logic via SAT x y y z z x+1 e 1 x y e 1 e 2 e 3 e 2 y z Overall Boolean Encoding e 3 z x+1 e 1 e 2 e 3 Transitivity Constraint 35

36 A More Realistic Situation x y... y z z x+1 x y y z z x+1... is a term in the SOP (DNF) 36

37 Talk Outline Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Circuits Timed Automata Model Checking Timed Automata Case Studies Future Directions & Related Research 37

38 Case Studies Global STP Circuit Self-resetting domino ckt.. in Pentium-4 4 ALU Analyzed published ckt. [Hinton et al., JSSC [Hinton et al., JSSC 01] GasP FIFO Control [Sutherland & Fairbanks, ASYNC 01] STAPL Left-Right Buffer [Nystrom & Martin, 02] STARI [Greenstreet, 93] 38

39 Footed and Unfooted Domino Inverters 39

40 Global STP Circuit (simplest version at gate-level) ck res out 40

41 Global STP Circuit: Sample Constraint res ck ck res ck ck res out 41

42 Global STP Circuit: An Error We want: red < blue 7 transitions < 5 transitions ck r s out 42

43 Comparison with ATACS Model checking for absence of short-circuits Circuit Global STP GasP-10 stages STAPL-3 stages Number of Signals Time for our model checker, TMV (in sec.) ATACS did not finish within 3600 sec. on any 43

44 Comparison with ATACS on STARI 44

45 Related Work Modeling Gate-level Metric Timing Timed Petri Nets, TEL, [Myers, Timed Automata-based [Maler Chain Constraints [Negulescu Relative Timing [Stevens et al.] Lazy transition systems [Pena et al.] Symbolic Gate Delays [Clariso [Myers, Yoneda,, et al.] Maler, Pnueli,, et al.] Negulescu & Peeters] Clariso & Cortadella] Verification For circuits, mostly restricted to just symbolic techniques [e.g., ATACS] 45

46 Talk Outline Motivating Problem: Verifying Self-Timed Circuits Generalized Relative Timing Circuits Timed Automata Model Checking Timed Automata Case Studies Future Directions & Related Research 46

47 Summary Leverage Boolean Methods for Timed Systems Modeling: generalized relative timing Verification: fully symbolic model checking Using BDDs,, SAT Demonstrated Application: Modeling and Verifying Self-Timed Circuits 47

48 Future Directions: Model Generation Model Timed System Needs to be automated Main Challenge: Automatic generation of timing constraints Idea: Machine learning from simulated runs (successful and failing) 48

49 Future Directions: New Applications Distributed Real-time Embedded Systems E.g., sensor networks Operate asynchronously Lots of concurrency Timeliness important Will generalized relative timing work for this application? 49

50 Related Research Project UCLID Modeling & Verifying Infinite-State Systems Focus: Integer arithmetic, Data Structures (arrays, memories, queues, etc.), Bit-vector operations, Applications: Program verification, Processor verification, Analyzing security properties E.g., detecting if a piece of code exhibits malicious behavior (worm/virus) Also based on Boolean Methods Problems in first-order logic translated to SAT Programming Systems seminar, Oct

51 More information at Thank you! 51