Download - Model Checking Basics
Model Checking Basics
Dr. Eng. Amr T. Abdel-Hamid
Netw 703
Winter 2012
Slides based on slides of:• K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU. • E. Clarke, Formal Methods, to be updated by course name•S. Tahar, E. Cerny and X. Song, “ Formal Verification of Systems”.
Netw
ork P
roto
cols
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Branching Time Temporal Logic (BTTL)
Structure of time: an infinite tree, each instant may have many successor instants
Along each path in the tree, the corresponding timeline is isomorphic to N State quantifiers: Xp, Fp, Gp, pUq (like in linear temporal logic) Path quantifiers: for All paths (A) and there Exists a path (E) from a given state
A = E = ∀ ∃ In linear time logic, temporal operators are provided for describing events
along a single future, however, when a linear formula is used for specification, there is usually an implicit universal quantification over all possible futures (linear traces)
In contrast, in branching time logic the operators usually reflect the branching nature of time by allowing explicit quantification over possible futures in any state
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL
Formulas are constructed from path quantifiers and temporal operators:Path quantifier:
A: for every pathE: there exists a path
Temporal Operator:F: holds sometime in the futureX: holds next timeG: holds globally in the futurep U q: p holds until q hold
i.e. AF, AG, AX, A( U ), EF, EG, EX, E( U )
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL: Computation Tree Logic
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Example
Structure M <S,R,L>: A Kripke structure: triple M = <S, R, L> S: set of states R S × S: transition relation⊆ L: S → 2AP : (Truth valuation) set of atomic propositions true in
each state
S = {1,2,3,4,5}, AP = {a,b,c},
R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)}
L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}
6/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example: Two input Muller C-element (assuming finite discrete delays):
Specification in CTL: Liveness: If inputs remain equal, then eventually the output will
change to this value.AG( A( ( a=0 b=0 ) U ( out=0 a=1 b=1 ) ) )∧ ∨ ∨AG( A( ( a=1 b=1 ) U ( out=1 a=0 b=0 ) ) )∧ ∨ ∨
Safety: If all inputs and the output have the same value then the output should not change until all inputs change their values.AG( ( a=0 b=0 out=0 ) A( out=0 U (a=1 b=1 ) ) )∧ ∧ ⇒ ∧AG( ( a=1 b=1 out=1 ) A( out=1 U (a=0 b=0 ) ) )∧ ∧ ⇒ ∧
7/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Model Checking Problem Given an FSM M (equivalent Kripke structure) and a
temporal logic formula p, does M define a model of p?Determine the truth of a formula with respect to a
given (initial) state in MFind all states s of M such that (M, s) p
For any propositional temporal logic, the model checking problem is decidable: exhaustive search of all paths through the finite input structure
8/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Model Checking Problem
9/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Theoretical Background
Theorem [Wolper, 1986]: The model checking for CTL is in deterministic polynomial time
Theorem [Sistla & Clark, 1985]: The model checking problem for PLTL is PSPACE complete
Theorem [Emerson & Lei, 1987]: Given any model-checking algorithm for a linear logic LTL, there is a model checking algorithm for the corresponding branching logic BTL, whose basic modalities are defined by the LTL, of the same order of complexity
• Theorem [Clark, Emerson & Sistla, 1986]: The model checking problem for CTL* is PSPACE-complete
10/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
PSPACE-complete
11/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Fixpoints Algorithm
Model Checking Algorithms Original algorithm described in terms of labeling the CTL
structure (Clark83)Required explicit representation of the whole state space
Better algorithm based on fixed point calculations Algorithm amenable to symbolic formulation Symbolic evaluation allows implicit enumeration of states Significant improvement in maximum size of systems that can
be verified
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
13
Symbolic model checking
Symbolic model checking approach Boolean formulas represent sets and relations Use fixed point characterizations of CTL operators Model checking without building complete state graph
CTL model checking problem can be solved in O(|f| (|S|+|R|))
Note that the complexity is linear in the size of the formula and the transition system Recall that the size of the transition system is exponential in the
number of variables (this is called the state space explosion problem)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm
Translate the formula to a formula which uses the basis EX p, EG p, E(p U q)
Start from the innermost subformulas Label the states in the transition system with the subformulas
that hold in that state
Initially states are labeled with atomic properties
Each (temporal or boolean) operator has to be processed once
Processing of each operator takes O(|S|+|R|)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm
Boolean operators are easy
p : Each state which is not labeled with p should be labeled with p
p q : Each state which is labeled with both p and q should be labeled with p q
p q : Each state which is labeled with p or q should be labeled with p q
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm: EX p
EX p is easy to do in O(|S|+|R|) All the nodes which have a next state labeled with p should be
labeled with EX p
s2s1 s4s3
p p
p, EX pp, EX p
EX p
s2s1 s4s3
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm: E(pUq)
E(pUq): Find the states which are the source of a path where p U q holds Find the nodes that reach a node that is labeled with q by a path
where each node is labeled with p
Label such nodes with E(pUq) It is a reachability problem which can be solved in O(|S|+|R|)
First label the nodes which satisfy q with E(pUq)For each node labeled with E(pUq), label all its
previous states that are labeled with p with E(p U q)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm: E(pUq)
s2s1 s4s3
p p
p, E(pUq)p, E(pUq)
s2s1 s4s3
q
q, E(pUq)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm: EG p
EG p: Find infinite paths where each node on the path is labeled with p, and label nodes in such paths with EG p First remove all the states which do not satisfy p from the
transition graph Compute the strongly connected components of the remaining
graph, and then find the nodes which can reach the strongly connected components (both of which can be done in O(|S|+|R|)
Label the nodes in the strongly connected components and the nodes that can reach the strongly connected components with EG p
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Model Checking Algorithm: EG p
s2s1 s4s3
p p
p, EG pp, EG p
s2s1 s4s3
p
p, EG p
s2 s4s3
p p
p
A strongly connectedcomponent
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Verification vs. Falsification
Verification: Show: initial states truth set of p
Falsification: Find: a state initial states truth set of p Generate a counter-example starting from that state
CTL model checking algorithm can also generate a counter-example path if the property is not satisfied without increasing the complexity
The ability to find counter-examples is one of the biggest strengths of the model checkers
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Temporal Properties Fixpoints [Emerson and Clarke 80]
Here are some interesting CTL equivalences:
AG p = p AX AG pEG p = p EX EG p
AF p = p AX AF pEF p = p EX EF p
A(p U q) = q (p AX A(p U q))p EU q = q (p EX E(p U q))
Note that we wrote the CTL temporal operators in terms of themselves and EX and AX operators
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Functionals
Given a transition system M=(S, L, R), we will define functions (Properties) from sets of states to sets of states F : 2S 2S
For example, one such function is the EX operator (which computes the precondition of a set of states) EX : 2S 2S
which can be defined as:
EX(p) = { s | (s,s’) R and s’ p } Image calculation
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
CTL Example
Structure M <S,R,L>: A Kripke structure: triple M = <S, R, L> S: set of states R S × S: transition relation⊆ L: S → 2AP : (Truth valuation) set of atomic propositions true in
each state
S = {1,2,3,4,5}, AP = {a,b,c},
R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)}
L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}
24/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Fixpoint Characterizations
Fixpoint Characterization Equivalences
AG p = y . p AX y AG p = p AX AG p
EG p = y . p EX y EG p = p EX EG p
AF p = y . p AX y AF p = p AX AF p
EF p = y . p EX y EF p = p EX EF p
A(p U q) = y . q (p AX (y)) p AU q=q (p AX (p AU q))
E(pUq) = y . q (p EX (y)) p EU q = q (p EX (p EU q))
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Functionals
Now, we can think of all temporal operators also as functions from sets of states to sets of states
For example:AX p = EX(p)
or if we use the set notationAX p = (S - EX(S - p))
Logic Setp q p qp q p q p S – pFalse True S
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Lattice
The set of states of the transition system forms a lattice:
lattice 2S
partial order bottom element top element S Least upper bound (lub) Greatest lower bound (glb)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Lattice
(lub): y P is a ∈ least upper bound of S in P means y is an upper bound of S and z P which is an upper bound of ∀ ∈S, y ≤ z
(glb) y P is a ∈ greatest lower bound of S in P means y is a lower bound of S and z P which is a lower bound of ∀ ∈S, z ≤ y
28/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Temporal Properties Fixpoints
Based on the equivalence
EF p = p EX EF p
EF p is a fixpoint of function (F):
where F => F y = p EX y
F (EF p) = EF p
In fact, EF p is the least fixpoint of F, which is written as:
EF p = y . p EX y( means least fixpoint)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EF Fixpoint Computation
• • •• • •pp
EF(p)EF(p) states that can reach p states that can reach p p p EX(p) EX(p) EX(EX(p)) EX(EX(p)) ... ...
EF(p)EF(p)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Temporal Properties Fixpoints
Based on the equivalence
EG p = p AX EG p
EG p is a fixpoint of function (F):
where F => F y = p EX y
F (EG p) = EG p
In fact, EG p is the greatest fixpoint of F, which is written as:
EG p = y . p EX y ( means greatest fixpoint)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EG Fixpoint Computation
• • •• • • EG(p)EG(p)
EG(p) EG(p) states that can avoid reaching states that can avoid reaching pp p p EX(p) EX(p) EX(EX(p)) EX(EX(p)) ......
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Least Fixpoint
Given a monotonic function F, its least fixpoint is the greatest lower bound (glb) of all the reductive elements :
y . F y = { y | F y y }
The least fixpoint y . F y is the limit of the following sequence (assuming F is -continuous):
, F , F2 , F3 , ...
If S is finite, then we can compute the least fixpoint using the above sequence
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EF Fixpoint Computation
EF p = y . p EX y is the limit of the sequence:
, pEX , pEX(pEX ) , pEX(pEX(p EX )) , ...
which is equivalent to
, p, p EX p , p EX (p EX (p) ) , ...
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EF Fixpoint Computation
s2s1 s4s3p
p
Start
1st iterationpEX = {s1,s4} EX()= {s1,s4} ={s1,s4}
2nd iterationpEX(pEX ) = {s1,s4} EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4}
3rd iterationpEX(pEX(p EX )) = {s1,s4} EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4}
4th iterationpEX(pEX(pEX(p EX ))) = {s1,s4} EX({s1,s2,s3,s4})= {s1,s4} {s1,s2,s3,s4} = {s1,s2,s3,s4}
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EF Fixpoint Computation
• • •• • •pp
EF(p)EF(p) states that can reach p states that can reach p p p EX(p) EX(p) EX(EX(p)) EX(EX(p)) ... ...
EF(p)EF(p)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Greatest Fixpoint
Given a monotonic function F, its greatest fixpoint is the least upper bound (lub) of all the extensive elements:
y. F y = { y | F y y }
The greatest fixpoint y . F y is the limit of the following sequence (assuming F is -continuous):
S, F S, F2 S, F3 S, ...
If S is finite, then we can compute the greatest fixpoint using the above sequence
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EG Fixpoint Computation
Similarly, EG p = y . p EX y is the limit of the sequence:
S, pEX S, pEX(p EX S) , pEX(p EX (p EX S)) , ...
which is equivalent to
S, p, p EX p , p EX (p EX (p) ) , ...
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EG Fixpoint Computation
s2s1 s4s3
p p
p
StartS = {s1,s2,s3,s4}
1st iterationpEX S = {s1,s3,s4}EX({s1,s2,s3,s4})= {s1,s3,s4}{s1,s2,s3,s4}={s1,s3,s4}
2nd iterationpEX(pEX S) = {s1,s3,s4}EX({s1,s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}
3rd iterationpEX(pEX(pEX S)) = {s1,s3,s4}EX({s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
EG Fixpoint Computation
• • •• • • EG(p)EG(p)
EG(p) EG(p) states that can avoid reaching states that can avoid reaching pp p p EX(p) EX(p) EX(EX(p)) EX(EX(p)) ......
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example
Structure M <S,R,L>:
S = {1,2,3,4,5}, AP = {a,b,c},
R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)}
L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}
Check if AG(a c) ∨ holds
41/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example (cont.) Remember that:
AG p = y . p AX y AX p = EX(p) H(a c) = H(a) H(c) ={2,3} {3,4,5} = {2,3,4,5}∨ ∪ ∪
I0 S = {1,2,3,4,5} I1 {2,3,4,5} ∩ S = {2,3,4,5} ∩ {1,2,3,4,5} = {2,3,4,5} I2 {2,3,4,5} ∩ AX(2,3,4,5) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} I3 {2,3,4,5} ∩ AX(2,3,4) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} I3 = I2 H(AG(a c)) = {2,3,4} ∨ To verify that f holds in state s, check if s H(f)∈
42/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example
43/80
1 2 3 4
56
a,b c b,c a
d c
For the FSM below, formally check the following properties, using Fixpoint Theorm:• AG(a ∨c ∨b)• AF(ab)If failed show the subset of the design the property holds for as well as the counter example
S = {1,2,3,4,5,6}, AP = {a,b,c,d},R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)}L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d}
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example (cont.) Remember that:
H(a ∪ b) = H(a) H(b) H(c) ={1,4} {2,3,5} {1,3} = {1,2,3,4,5}∪ ∪ ∪ ∪ AG(a c b) = AG p = ∨ ∨ y . p AX y = y . p AX y AX p = EX(p)
I0 S = {1,2,3,4,5,6} I1 {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} I2 {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5}
This is because that : AX(1,2,3,4,5) = EX((1,2,3,4,5)) = EX(6) = (2) = S- {2 } = {1,3,4,5,6}
I3 {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} This is because that : AX(1,3,4,5) = EX((1,3,4,5)) = EX(2,6) = (2,6) = S-
{2 ,6} = {1,3,4,5}
I3 = I2 H(AG(a b c)) = {1,3,4,5} ∨ ∨ The property does not hold, except for the above states, and it is clear that
states {2,6} can be considered as counter examples. state 6 does not contain neither a,c,b and state 2 does not have a
proceeding one on one of its pathes path (2,6)
44/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example (AF(ab)) Remember that:
H(a b) = H(a) H(b) ={1,4} {1,3}= {1} AF(a b) = AG p = y . p AX y = y . p AX y AX p = EX(p)
I0 I1 {1} ∩ AX() = {1} ∩ =
This is because that : AX() = EX(()) = EX(1,2,3,4,5,6) =
The property does not hold for any state.
45/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Model Checking Tools (non-commercial)
SMV (Symbolic Model Verifier) A tool for checking finite state systems against specifications in the temporal logic
CTL. Developed at Carnegie Mellon University by E. Clarke, K. McMillan et. al. Supports a simple input language: SMV For more information: http://www.cs.cmu.edu/~modelcheck/smv.html
Cadence SMV Updated version of SMV by K. McMillan at Berkeley Cadence Labs Input languages: extended SMV and synchronous Verilog Supports temporal logics CTL and LTL, finite automata, embedded assertions,
and refinement specifications. Features compositional reasoning, link with a simple theorem prover, an easy-to-
use graphical user interface and source level debugging capabilities For more information: http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/
46/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Model Checking Tools (commercial)
FormalCheck Supports the synthesizable subsets of Verilog and VHDL hardware
design languages. User supplies FormalCheck with a set of queries (properties and
constraints) Each property is defined using semantics of the class of omega
automata. Tool provides powerful model reduction options. For more information:
http://www.cadence.com/datasheets/formalcheck.html
47/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
48
Model Checking Automatic verification (or falsification) of finite state
systems
Explicit State Representation ⇒ State Explosion Problem (about 108 states maximum)
Breakthrough: Implicit State Representation using ROBDD (about 1020 states).
Use Boolean characteristic functions represented by ROBDDs to encode sets of states and transition relations.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Binary Decision Diagrams
Ordered binary decision diagrams (OBDDs) are a canonical form for Boolean formulas.
OBDDs are often substantially more compact than traditional normal forms.
Moreover, they can be manipulated very efficiently. Introduced at:
R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Binary Decision Trees
A Binary decision tree is a rooted, directed tree with two types of vertices, terminal vertices and nonterminal vertices.
Each nonterminal vertex v is labeled by a variable var(v) and has two successors:
low (v) corresponding to the case where the variable is assigned 0, and high (v) corresponding to the case where the variable is assigned 1.
Each terminal vertex v is labeled by value(v) which is either 0 or 1
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example
BDT for a two-bit comparator, f(a1,a2,b1,b2) = (a1 b1) (a2 b2)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Binary Decision Diagram
i.e. exactly like decision TREE
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Reduced Ordered BDDs
In practical applications, it is desirable to have a canonical representation for Boolean functions.
This simplifies tasks like checking equivalence of two formulas and deciding if a given formula is satisfiable or not.
Such a representation must guarantee that two Boolean functions are logically equivalent if and
only if they have isomorphic representations.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Reduced Ordered BDD
Canonical Form property A canonical representation for Boolean functions is desirable:
two Boolean functions are logically equivalent iff they have isomorphic representations
This simplifies checking equivalence of two formulas and deciding if a formula is satisfiable
Two BDDs are isomorphic if there exists a bijection h between the graphs such that
Terminals are mapped to terminals and nonterminals are mapped to nonterminals For every terminal vertex v, value(v) = value(h(v)), and For every nonterminal vertex v: var(v) = var(h(v)), h(low(v)) =
low(h(v)), and h(high(v)) = high(h(v))
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Canonical Form property
Bryant (1986) showed that BDDs are a canonical representation for Boolean functions under two restrictions: the variables appear in the same order along each path from
the root to a terminal there are no isomorphic subtrees or redundant vertices
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Reduced Ordered Binary Decision Diagrams (ROBDDs): CREATION Canonical Form Property
Requirement (1): Impose total order “<” on the variables in the formula: if vertex u has a nonterminal successor v, then var(u) < var(v)
Requirement (2): repeatedly apply three transformation rules (or implicitly in operations such as disjunction or conjunction)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
RoBDD Creation
1) Remove duplicate terminals: eliminate all but one terminal vertex with a given label and redirect all arcs to the eliminated vertices to the remaining one
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Comparator Example
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
ROBDD Creation
2. Remove duplicate nonterminals: if nonterminals u and v have var(u) = var(v), low(u) = low(v) and high(u) = high(v), eliminate one of the two vertices and redirect all incoming arcs to the other vertex
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
3. Remove redundant tests: if nonterminal vertex v has low(v) = high(v), eliminate v and redirect all incoming arcs to low(v)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
ROBDD Example Creating the ROBDD for (x⊕y⊕z)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Canonical Form Property (cont’d)
A canonical form is obtained by applying the transformation rules until no further application is possible
Bryant showed how this can be done by a procedure called Reduce in linear time
Applications: checking equivalence: verify isomorphism between ROBDDs non-satisfiability: verify if ROBDD has only one terminal node,
labeled by 0 tautology: verify if ROBDD has only one terminal node, labeled
by 1
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Variable Ordering Problem
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Variable Ordering Problem
The problem of finding the optimal variable order is NP-complete Some Boolean functions have exponential size ROBDDs for any order (e.g., multiplier) Heuristics for Variable Ordering
Heuristics developed for finding a good variable order (if it exists) Intuition for these heuristics comes from the observation that ROBDDs tend to be
smaller when related variables are close together in the order Variables appearing in a subcircuit are related: they determine the subcircuit’s
output should usually be close together in the order Dynamic Variable Ordering
Useful if no obvious static ordering heuristic applies During verification operations (e.g., reachability analysis) functions change, hence
initial order is not good later on Good ROBDD packages periodically internally reorder variables to reduce
ROBDD size
Basic approach based on neighboring variable exchange Among a number of trials the best is taken, and the exchange is repeated
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
BDDs operations
Symbolic Model Checking Problem: How to represent state-transition graphs with Ordered Binary
Decision Diagrams? Assume that system behavior is determined by N boolean
state variables (v1, v2, v3, … vn)
The system R can be represented by
R(v1, v2, v3, … vn, v’1, v’2, v’3, … v’n)
Where v’i is the next state variable
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example
66/80
Convert function to BDD
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Model Checking The Good:
If it works, model checking (unlike theorem proving) is a push-button tool.
The Bad: If the system is too large, model checking cannot be applied
because of state explosion. & The Ugly
The system (and/or property) then needs to be suitably “abstracted” in order to use model checking.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Approximate Model Checking Representing exact state sets may involve large BDDs
Compute approximations to reachable states Potentially smaller representation Over-approximation :
No bugs found Circuit verified correct Bugs found may be real or false
Under-approximation : Bug found Real bug No bugs found Circuit may still contain bugs
Reachable states
Buggy states
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Theorem Proving
Prove that an implementation satisfies a specification by mathematical reasoning
Implementation and specification expressed as formulas in a formal logic Required relationship (logical equivalence/logical implication) described as a
theorem to be proven within the context of a proof calculus
A proof system: A set of axioms and inference rules (simplification, rewriting, induction, etc.)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Theorem Proving Idea
Properties specified in a Logical Language (SPEC) System behavior also in the same language (DES) Establish (DES SPEC) as a theorem.
A logical System: A language defining constants, functions and predicates A no. of axioms expressing properties of the constants, function, types,
etc. Inference Rules
A Theorem `follows' from axioms by application of inference rules has a proof
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
First-Order Logic
Propositional logic: reasoning about complete sentences. First-order logic: also reasoning about individual objects and
relationships between them. Syntax Objects (in FOL) are denoted by expressions called terms:
Constants a, b, c,... ; Variables u, v, w,... ; f(t1, t2,..., tn) where t1, t2,..., tn are terms and f a function symbol
of n arguments Predicates:
true (T) and false (F) p(t1, t2,..., tn) where t1, t2,..., tn are terms and p a predicate
symbol of n arguments
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
First-Order Logic (cont.)
Formulas:Predicates:
P and Q formulas, then P, P Q, P Q, P Q, P Q are formulas
x a variable, P a formula, then x.P, x.Q are formulas (x is not free in P, Q)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
First-Order Logic (cont’d) The Validity Problem of FOL
To decide the validity for formulas of FOL, the truth table method does not work!
Reason: must deal with structures not just truth assignments. Structures need not be finite ...
Semi-decidable (partially solvable) There is an algorithm which starts with an input, and
1. if the input is valid then it terminates after a finite number of steps, and outputs the correct value (Yes or No)
2. if the input is not valid then it reaches a reject halt or loops forever
Theorem (Church-Turing, 1936)
The validity problem for formulas of FOL is undecidable, but semi-decidable.
Some subsets of FOL are decidable.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Higher-Order Logic First-order logic: only domain variables can be quantified. Second-order logic: quantification over subsets of variables (i.e.,
over predicates). Higher-order logics: quantification over arbitrary predicates and
functions. Higher-Order Logic:
Variables can be functions and predicates, Functions and predicates can take functions as arguments
and return functions as values, Quantification over functions and predicates. Since arguments and results of predicates and functions can
themselves be predicates or functions, this imparts a first-class status to functions, and allows them to be manipulated just like ordinary values
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
HOL
Example 1: (mathematical induction)P. [P(0) (n. P(n) P(n+1))] n.P(n)
(Impossible to express it in FOL)
Example 2: Function Rise defined as
Rise (c, t) = c(t) c(t+1) Rise expresses the notion that a signal c rises at time t.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Higher-Order Logic
Advantage: high expressive power!
Disadvantages: Incompleteness of a sound proof system for most higher-order
logics Theorem (Gödel, 1931)
“There is no complete deduction system for the second-order logic”
Inconsistencies can arise in higher-order systems if semantics not carefully defined
“Russell Paradox”: Let P be defined by P(Q) = ¬Q(Q). By substituting P for Q, leads to P(P) = ¬P(P),
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Theorem Proving Systems
Some theorem proving systems:Boyer-Moore (first-order logic)HOL (higher-order logic)PVS (higher-order logic) Lambda (higher-order logic)
From PVS website:
“PVS is a large and complex system and it takes a long while to learn to use it effectively. You should
be prepared to invest six months to become a moderately skilled user”
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
HOL
HOL (Higher-Order Logic) developed at University of Cambridge Interactive environment (in ML, Meta Language) for machine
assisted theorem proving in higherorder logic (a proof assistant) Steps of a proof are implemented by applying inference rules chosen
by the user; HOL checks that the steps are safe All inferences rules are built on top of eight primitive inference rules Mechanism to carry out backward proofs by applying built-in ML
functions called tactics and tacticals By building complex tactics, the user can customize proof strategies Numerous applications in software and hardware verification
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
HOL
HOL provides considerable built-in theorem-proving infrastructure: a powerful rewriting subsystems library facility containing useful theories and tools for general use Decision procedures for tautologies and semi-decision procedure for linear arithmetic provided as libraries
The approach to mechanizing formal proof used in HOL is due to Robin Milner.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Proof Styles in HOL Forward proof style:
Goal-directed (or Backward) proof style:
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Backward Proofs
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 1: Logic AND
AND Specification:
AND_SPEC (i1,i2,out) := out = i1 i2∧ NAND specification:
NAND (i1,i2,out) := out = ¬(i1 i2)∧ NOT specification:
NOT (i, out) := out = ¬ I AND Implementation:
AND_IMPL (i1,i2,out) := x. NAND (i1,i2,x) NOT ∃ ∧(x,out)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 1: Logic AND Proof Goal:
∀ i1, i2, out. AND_IMPL(i1,i2,out) ANDSPEC(i1,i2,out)⇒ Proof (forward)
AND_IMP(i1,i2,out) {from above circuit diagram}
∃ x. NAND (i1,i2,x) NOT (x,out) ∧ {by def. of AND impl}
NAND (i1,i2,x) NOT(x,out) {strip off “ x.”}∧ ∃NAND (i1,i2,x) {left conjunct of line 3}
x =¬ (i1 i2) ∧ {by def. of NAND}
NOT (x,out) {right conjunct of line 3}
out = ¬ x {by def. of NOT}
out = ¬(¬(i1 i2) ∧ {substitution, line 5 into 7}
out =(i1 i2) ∧ {simplify, ¬¬ t=t}
AND (i1,i2,out) {by def. of AND spec}
AND_IMPL (i1,i2,out) AND_SPEC (i1,i2,out)⇒Q.E.D.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Inductive Proofs
Inductive Proofs Must Have: Base Case (value):
where you prove it is true about the base case Inductive Hypothesis (value):
where you state what will be assume in this proof Inductive Step (value)
show: where you state what will be proven below
proof: where you prove what is stated in the show portion this proof must use the Inductive Hypothesis sometime during
the proof
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 2 Prove this statement:
Base Case (n=1):
Inductive Hypothesis (n=p):
Inductive Step (n=p+1):Show:
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 3 N-Bit Adder
Verification of Generic Circuits used in datapath design and verification idea: verify n-bit circuit then specialize proof for specific value of
n, (i.e., once proven for n, a simple instantiation of the theorem for any concrete value, e.g. 32, gets a proven theorem for that instance).
use of induction proof Specification N-ADDER_SPEC (n,in1,in2,cin,sum,cout):=
(in1 + in2 + cin = 2n+1 * cout + sum)
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 3 N-Bit Adder Implementation
87/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 3 N-Bit Adder Recursive Definition:
N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout):=
∃ w. N-ADDER_IMP(n-1,in1[0..n-2],in2[0..n-2],cin,sum[0..n-2],w) ∧ N-ADDER_IMP(1,in1[n-1],in2[n-1],w,sum[n-1],cout)
Notes: N-ADDER_IMP(1,in1[i],in2[i],cin,sum[i],cout) =
ADDER_IMP(in1[i],in2[i],cin,sum[i],cout)
Data abstraction function (vn: bitvec → nat) to relate bit vectors to natural numbers:
vn(x[0]):= bn(x[0])vn(x[0,n]):= 2n * bn(x[n]) + vn(x[0,n-1]
88/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 3 N-Bit Adder
Proof goal:
∀ n, in1, in2, cin, sum, cout. N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) N-ADDER_SPEC(n, ⇒ vn(in1[0..n-1]), vn(in2[0..n-1]), vn(cin), vn(sum[0..n-1]), vn(cout))
As an example can be instantiated with n = 32:
∀ in1, in2, cin, sum, cout. N-ADDER_IMP(in1[0..31],in2[0..31],cin,sum[0..31],cout) N-⇒ADDER_SPEC(vn(in1[0..31]), vn(in2[0..31]), vn(cin), vn(sum[0..31]), vn(cout))
89/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Example 3 N-Bit Adder
Proof by induction over n: basis step:
N-ADDER_IMP(1,in1[0],in2[0],cin,sum[0],cout) N-⇒ADDER_SPEC(1,vn(in1[0]),vn(in2[0]),vn(cin),vn(sum[0]),vn(cout))
Induction Step:
[N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) ⇒ N-ADDER_SPEC(n,vn(in1[0..n-1]),vn(in2[0..n-1]),vn(cin),vn(sum[0..n-1]),vn(cout)) ] ⇒ [N-ADDER_IMP(n+1,in1[0..n],in2[0..n],cin,sum[0..n],cout) ⇒ N-ADDER_SPEC(n+1,vn(in1[0..n]),vn(in2[0..n]),vn(cin),vn(sum[0..n]),vn(cout))]
90/80
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Conclusions Advantages of Theorem Proving
High abstraction and expressive notation Powerful logic and reasoning, e.g., induction Can exploit hierarchy and regularity, puts user in control Can be customized with tactics (programs that build larger proofs steps from
basic ones) Useful for specifying and verifying parameterized (generic) datapath-dominated
designs Unrestricted applications (at least theoretically)
Limitations of Theorem Proving: Interactive (under user guidance): use many lemmas, large numbers of
commands Large human investment to prove small theorems Usable only by experts: difficult to prove large / hard theorems Requires deep understanding of the both the design and HOL (while-box
verification) must develop proficiency in proving by working on simple but similar problems.
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
We are not alone
Model checking Testin
g
Theorem proving
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Hybrid Verification
Formal Verification using Theorem Proving + Model Checking
ModelChecking
Theorem Proving
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Hybrid Verification
|-Goal Imp. Spec.
|-Goal Imp.(x y ….) Spec.((y= ..) (…..))
Use model checking to verify Sub-Goals
G1’ G2’ G3’ Gn’
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Different Verification Methods Testing (Simulation/Emulation) Theorem Proving Model checking (automatic verification)
Testing
ModelChecking
Theorem Proving
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Semi-formal Verification
Simulation Driver
Simulation Engine
Simulation Monitor
SymbolicSimulation
CoverageAnalysis
Diagnosis ofUnverifiedPortions
Guided vectorgeneration
Conventional
Extension
Devadas and Keutzer’s proposal:A pragmatic suggestion for SOC verification
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Semi-formal Verification
Smart simulation:Use properties to generate directed test vectors.Maximize chances of detecting bugs at small costCoverage metrics crucial?Use metrics to determine
Unexercised parts of design: Guide vector generationAdequacy of verification: When to stop?
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Did you find the BUG yet?
Verification and testing problem is an open question with multi-Billion $ Research per year.
A great Masters Research Topic
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
A Final Proof
Software engineers want to be real engineers. Real engineers use mathematics. Formal methods are the mathematics of software engineering. Therefore, software engineers should use formal methods.
Mike Holloway,
NASA
Dr. A
mr
Tala
at
Netw 703
Netw
ork P
roto
cols
Scientists Quotes
“Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life because it is so extremely rewarding”
“A formula is worth a thousand pictures” Edsger Wybe Dijkstra
(1930–2002)
