Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Similar documents
Automatic Verification of Finite State Concurrent Systems

Sérgio Campos, Edmund Clarke

Model Checking I Binary Decision Diagrams

Model Checking. Dragana Cvijanovic

Verifying IP-Core based System-On-Chip Designs

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

Model Checking VHDL with CV

Binary Decision Diagrams and Symbolic Model Checking

Behavior models and verification Lecture 6

Lecture 2: Symbolic Model Checking With SAT

Formal Verification by Model Checking

Model Checking: Back and Forth Between Hardware and Software

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Scenario Graphs Applied to Security (Summary Paper)

Illlll~~ iII! 075l

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Tutorial on Model Checking Modelling and Verification in Computer Science

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Action Language Verifier, Extended

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Combining Decision Diagrams and SAT Procedures for Efficient Symbolic Model Checking

Formal Verification Techniques for Digital Systems

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Finite State Verification. CSCE Lecture 14-02/25/2016

Finite State Verification. CSCE Lecture 21-03/28/2017

Motivation. CS389L: Automated Logical Reasoning. Lecture 5: Binary Decision Diagrams. Historical Context. Binary Decision Trees

Formal Verification of a Commercial Serial Bus Interface Bernard Plessier & Carl Pixley Motorola SSDT-Austin (51 2) , cad-pixleyq .mot.

Design Constraints in Symbolic Model Checking

Set Manipulation with Boolean Functional Vectors for Symbolic Reachability Analysis

Symbolic Model Checking

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Combining Symbolic Model Checking with Uninterpreted Functions for Out-of-Order Processor Verification?

EECS 219C: Formal Methods Binary Decision Diagrams (BDDs) Sanjit A. Seshia EECS, UC Berkeley

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

More on Verification and Model Checking

Boolean Representations and Combinatorial Equivalence

Binary Decision Diagrams (BDD)

Utilizing Static Analysis for Programmable Logic Controllers

Iterative Abstraction-based CTL Model Checking

Ashish Sabharwal Computer Science and Engineering University of Washington, Box Seattle, Washington

Model Checking Cache Coherence Protocols for Distributed File Systems

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Optimizing Symbolic Model Checking for Constraint-Rich Models

Advanced VLSI Design Prof. Virendra K. Singh Department of Electrical Engineering Indian Institute of Technology Bombay

A Case Study for CTL Model Update

Formal Verification Methods 2: Symbolic Simulation

Binary Decision Diagrams

Model checking Timber program. Paweł Pietrzak

Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Program verification. Generalities about software Verification Model Checking. September 20, 2016

A Simple Tutorial on NuSMV

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Model Checking for Autonomy Software

NuSMV Hands-on introduction

Transistors NODES. Time (sec) No. of Nodes/Transistors

Verification of Out-Of-Order Processor Designs Using Model Checking and a Light-Weight Completion Function

Lecture Notes on Binary Decision Diagrams

Optimizing Model Checking Based on BDD Characterization

Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams

CSC2108: Automated Verification Assignment 1 - Solutions

based methods generally required user interaction to guide expression simplification.

Unit 4: Formal Verification

Novel Applications of a Compact Binary Decision Diagram Library to Important Industrial Problems

Linear-Time Model Checking: Automata Theory in Practice

XEVE, an ESTEREL Verification Environment

Propositional Calculus. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Binary Decision Diagrams

Proving the Correctness of Distributed Algorithms using TLA

The Verus Language: Representing Time efficiently with BDDs 1

On the Relation between SAT and BDDs for Equivalence Checking

Symbolic Trajectory Evaluation - A Survey

NuSMV 2: An OpenSource Tool for Symbolic Model Checking

Computer Science. Using Ordered Binary-Decision Diagrams for Compressing Images and Image Sequences

Leslie Lamport: The Specification Language TLA +

Propositional Calculus. Math Foundations of Computer Science

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Binary Decision Diagrams

Symbolic and Concolic Execution of Programs

Distributed Systems Programming (F21DS1) Formal Verification

Lazy Group Sifting for Efficient Symbolic State Traversal of FSMs

BDD-Based Software Model Checking with CPAchecker

Model Checking of the Fairisle ATM Switch Fabric using FormalCheck

Biconnectivity on Symbolically Represented Graphs: A Linear Solution

Verification of Intelligent Software

A Logically Complete Reasoning Maintenance System Based on a Logical Constraint Solver

NuSMV 2: An OpenSource Tool for Symbolic Model Checking

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

The ComFoRT Reasoning Framework

Using Integer Equations for High Level Formal Verification Property Checking

Model Checkers for Test Case Generation: An Experimental Study

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

A Theory of Consistency for Modular Synchronous Systems

Dynamic abstraction model checking

System Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine

Verification of Bakery algorithm variants for two processes

Chapter 8: Data Abstractions

Transcription:

Lecture: Symbolic Model Checking with BDDs Edmund M Clarke, Jr Computer Science Department Carnegie Mellon University Pittsburgh, PA 523

Temporal Logic Model Checking Specification Language: A propositional temporal logic Verification Procedure: Exhaustive search of the state space of the concurrent system to determine truth of specification E M Clarke and E A Emerson Synthesis of synchronization skeletons for branching time temporal logic In Logic of programs: workshop, Yorktown Heights, NY, May 98, volume 3 of Lecture Notes in Computer Science Springer-Verlag, 98 JP Quielle and J Sifakis Specification and verification of concurrent systems in CESAR In Proceedings of the Fifth International Symposium in Programming, volume 37 of Lecture Notes in Computer Science Springer-Verlag, 98

Why Model Checking? Advantages: No proofs!!! Fast Counterexamples No problem with partial specifications Logics can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too many processes In digital hardware terms: too many latches Much progress recently!!

Temporal Logic a b State Transition Graph or Kripke Model b c c a b b c c a b c c Infinite Computation Tree (Unwind State Graph to obtain Infinite Tree)

Computation Tree Logics Formulas are constructed from path quantifiers and temporal operators: Path quantifier: A for every path E there exists a path 2 Temporal Operator: X holds next time F holds sometime in the future G holds globally in the future U holds until holds

The Logic CTL In CTL each temporal operator must be immediately preceeded by a path quantifier The four most widely used CTL operators are illustrated below Each computation tree has initial state as its root g g g g g g g g g g AG AF g g g g EF EG

Typical CTL Formulas EF : it is possible to get to a state where Started holds but Ready does not hold AG AF : if a Request occurs, then it will be eventually Acknowledged AG AF : DeviceEnabled holds infinitely often on every computation path AG EF : from any state it is possible to get to the Restart state

E M Clarke, E A Emerson, and A P Sistla Automatic verification of finite-state concurrent systems using temporal logic specifications ACM Trans Programming Languages and Systems, 8(2):pages 244 263, 986 Model Checking Problem Let be the state transition graph obtained from the concurrent system Let be the specification expressed in temporal logic Find all states of such that and check if initial states are among these Efficient model checking algorithms exist for CTL

Explicit Traversal Preprocessor Model Checker (EMC) CTL formulas State Transition Graph 4 to 5 states True or Counterexample

Symbolic Model Checking Method used by most industrial strength model checkers: uses boolean encoding for state machine and sets of states can handle much larger designs hundreds of state variables BDDs traditionally used to represent boolean functions

Symbolic Model Checking with BDDs Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 987 Carl Pixley independently developed a similar algorithm, as did the French researchers, Coudert and Madre BDDs enabled handling much larger concurrent systems (usually, an order of magnitude increase in hardware latches!) J R Burch, E M Clarke, K L McMillan, D L Dill, and J Hwang Symbolic model checking: states and beyond Information and Computation, 98(2):pages 42 7, 992 K L McMillan Symbolic Model Checking Kluwer Academic Publishers, 993

Fixpoint Algorithms EF EX EF p p

Fixpoint Algorithms (cont) Key properties of EF : EF EX EF 2 EX implies EF We write EF Lfp EX How to compute EF : False EX EX EX

EF? p s

EF? p s EX

EF? p s EX

EF? p s EX

Ordered Binary Decision Trees and Diagrams Ordered Binary Decision Tree for the two-bit comparator, given by the formula is shown in the figure below: a b b aa aa aa a a 2 2 2 2 2 2 22 b b b b b b b b 2 b b b b 2 2 2 2 2 2 2

From Binary Decision Trees to Diagrams An Ordered Binary Decision Diagram (OBDD) is an ordered decision tree where All isomorphic subtrees are combined, and All nodes with isomorphic children are eliminated Given a parameter ordering, OBDD is unique up to isomorphism R E Bryant Graph-based algorithms for boolean function manipulation IEEE Transactions on Computers, C-35(8):677 69, 986

OBDD for Comparator Example If we use the ordering OBDD below: for the comparator function, we obtain the a b b a 2 b b 2 2

Variable Ordering Problem The size of an OBDD depends critically on the variable ordering If we use the ordering OBDD below: for the comparator function, we get the a a 2 a 22 b b b b b b 2 2

Variable Ordering Problem (Cont) For an -bit comparator: if we use the ordering if we use the ordering, the number of vertices will be, the number of vertices is Moreover, there are boolean functions that have exponential size OBDDs for any variable ordering An example is the middle output ( two bit integers output) of a combinational circuit to multiply

Logical operations on OBDD s Logical negation: Replace each leaf by its negation Logical conjunction: Use Shannon s expansion as follows, to break problem into two subproblems Solve subproblems recursively Always combine isomorphic subtrees and eliminate redundant nodes Hash table stores previously computed subproblems Number of subproblems bounded by

Logical operations (cont) Boolean quantification: By definition, : replace all nodes by left sub-tree : replace all nodes by right sub-tree Using the above operations, we can build up OBDD s for complex boolean functions from simpler ones

Symbolic Model Checking Algorithm How to represent state-transition graphs with Ordered Binary Decision Diagrams: Assume that system behavior is determined by boolean state variables The Transition relation variables: will be given as a boolean formula in terms of the state where represents the current state and represents the next state Now convert to a OBDD!!

Symbolic Model Checking (cont) Representing transition relations symbolically: a a, b Boolean formula for transition relation: Now, represent as an OBDD!

Symbolic Model Checking (cont) Consider EX Now, introduce state variables and transition relation: Compute OBDD for relational product on right side of formula

Symbolic Model Checking (cont) How to evaluate fixpoint formulas using OBDDs: Introduce state variables: EF Lfp EX EF Lfp Now, compute the sequence until convergence Convergence can be detected since the sets of states are represented as OBDDs

Notable Examples The following examples illustrate the power of model checking to handle industrial size problems They come from many sources, not just my research group Edmund M Clarke, Jeannette M Wing, et al Formal methods: State of the art and future directions ACM Computing Surveys, 28(4):626 643, December 996

Notable Examples IEEE Futurebus In 992 Clarke and his students at CMU used SMV to verify the cache coherence protocol in the IEEE Futurebus+ Standard They constructed a precise model of the protocol and attempted to show that it satisfied a formal specification of cache coherence They found a number of previously undetected errors in the design of the protocol This was the first time that formal methods have been used to find errors in an IEEE standard Although development started in 988, all previous attempts to validate Futurebus+ were based on informal techniques

Notable Examples HDLC A High-level Data Link Controller (HDLC) was being designed at AT&T in Madrid In 996 researchers at Bell Labs offered to check some properties of the design The design was almost finished, so no errors were expected Within five hours, six properties were specified and five were verified, using the FormalCheck verifier The sixth property failed, uncovering a bug that would have reduced throughput or caused lost transmissions The error was corrected in a few minutes and formally verified

Notable Examples PowerPC 62 Microprocessor Richard Raimi and Jim Lear at Somerset used Motorola s Verdict model checker to debug a hardware laboratory failure Initial silicon of PowerPC 62 microprocessor crashed during boot of an operating system With run time in seconds, Verdict produced example of BIU deadlock causing the failure Paper on this published at 997 IEEE International Test Conference

Future Research Directions Additional work needed on classical model checking: Abstraction, Compositional Reasoning, Symmetry, and Parameterized Designs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback