Predicate Abstraction for Software and Hardware VerificationPredicate Abstraction for Software and Hardware Verification

Himanshu JainHimanshu Jain

Model checking seminarModel checking seminarApril 22, 2005April 22, 2005

Introduction

Scalable software verification

Properties Array bounds check, division by zero Pointer safety Assertion checking Lock and unlocking

Focus on partial specifications

Predicate Abstraction

Extract a finite state model from an infinite state system

Used to prove assertions or safety properties

Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft

Example for Predicate Abstraction

int main() { int i;

i=0;

while(even(i)) i++;}

int main() { int i;

i=0;

while(even(i)) i++;}

+ p1 i=0p2 even(i)

p1 i=0p2 even(i) =

void main() { bool p1, p2;

p1=TRUE; p2=TRUE;

while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }}

void main() { bool p1, p2;

p1=TRUE; p2=TRUE;

while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }}

PredicatesC program Boolean program

[Ball, Rajamani ’01]

[Graf, Saidi ’97]

Computing Predicate Abstraction

How to get predicates for checking a given property?

How do we compute the abstraction?

Predicate Abstraction is an over-approximation

How to refine coarse abstractions

Counterexample Guided Abstraction Refinement loop

CProgram

CProgram

Abstract model

Abstract model

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Spurious counterexample

Abstraction

1: x = ctr;

2: y = ctr + 1;

3: if (x = i-1){

4: if (y != i){

ERROR: }

}

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Abstract

C program No predicates available currently

Checking the abstract model

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Abstract model has a path leading to error state

Is ERROR reachable?

yes

Simulation

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Does this correspond to a

real bug?

Not possible

Concrete traceCheck using a SAT solver

Refinement

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: skip;

2: skip;

3: if (*){

4: if (*){

ERROR: }

}

Spurious Counterexample Initial abstraction

Refinement

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: skip;

2: skip;

3: if (*){

4: if (b0){

ERROR: }

}

boolean b0 : y != i

Refinement

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: skip;

2: skip;

3: if (b1){

4: if (b0){

ERROR: }

}

boolean b0 : y != i

boolean b1 : x== i-1

Refinement

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: skip;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

boolean b0 : y != i

boolean b1 : x== i-1

boolean b2 : ctr + 1 ! = iWeakest precondition of y != i

Refinement

1: x = ctr;

2: y = ctr + 1;

3: assume(x == i-1)

4: assume (y != i)

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

boolean b0 : y != i

boolean b1 : x== i-1

boolean b2 : ctr + 1 ! = i

boolean b3: ctr == i -1

Refinement

1: b1 = b3;

2: b0 = b2;

3: if (b1){

4: if (b0){

ERROR: }

}

boolean b0 : y != i

boolean b1 : x== i-1

boolean b2 : ctr + 1 ! = i

boolean b3: ctr == i -1

b2 and b3 are mutually

exclusive.

b2 =1, b3 = 0

b2 =0 , b3 = 1

What about initial values of b2 and b3?

So system is safe!

Tools for Predicate Abstraction of C

SLAM at Microsoft Used for verifying correct sequencing of function calls in windows

device drivers

MAGIC at CMU Allows verification of concurrent C programs Found bugs in MicroC OS

BLAST at Berkeley Lazy abstraction, interpolation

SATABS at CMU Computes predicate abstraction using SAT Can handle pointer arithmetic, bit-vectors

F-Soft at NEC Labs Localization, register sharing

Applications of Predicate Abstraction inHardware Verification

System on chip design

Increase in complexity

Gate level (netlists)

Structural

Behavioral/RTL

…………

Level Number of components

10E7

10E5

10E3

10E0

Ab

stra

ctio

n

System Level

Introduction

Emergence of system design languages

HardwareC, SpecC, Handel-C, and SystemC

Based on C / C++

Allows joint modeling of both hardware and software components of a system

Support for bit vectors, concurrency, synchronization, exception handling, timing

Verification support

Most model-checkers used in hardware industry work at netlist level

Higher abstraction levels offered by languages like SpecC or RTL Verilog are not yet supported

Languages like SpecC are more closer to concurrent software

Verification tools must reason about: Programming languages constructs Concurrency Pointers, Objects Bit vector operations like concatenation, extraction

Why predicate abstraction

Many properties depend on relationship between registers, and not the values stored in them

Predicate Abstraction Keeps tracks of certain predicates on data Successfully used in software verification

Can handle larger designs

Abstraction-Refinement loopAbstraction-Refinement loop

VerilogProgramVerilog

ProgramAbstract model

Abstract model

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Spurious counterexample

An exampleAn example

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Property:

AG (x = 100 or x = 200)

Verilog program

Abstraction-Refinement loopAbstraction-Refinement loop

VerilogProgramVerilog

ProgramAbstract model

Abstract model

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Spurious counterexample

Predicate AbstractionPredicate Abstraction

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Property:

AG (x = 100 or x = 200)

Initial set of predicates:

{x = 100, x = 200}

Verilog program Word level predicates

Computing Most Precise AbstractionComputing Most Precise Abstraction

<x = 100, x = 200> + x’ = yy’ = x

+ <x’ = 100, x’ = 200>

Current state Next state

Equation passed to the SAT solver

Transition Relation

Computing abstract transitions

Obtain transitionsObtain transitions

Computing abstract transitions

10 00

01 11 … … and so on …and so on …

Abstract ModelAbstract Model

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Property: AG (x = 100 or x = 200)

Initial set of predicates:{x = 100, x = 200}

Verilog program

Initial state

Failure state10 00

01 11

Abstraction-Refinement loopAbstraction-Refinement loop

VerilogProgramVerilog

ProgramAbstract model

Abstract model

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Spurious counterexample

Model checking Model checking

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Verilog program

Failure state

10 00

01 11

Initial state

Abstract Model

Model checking Model checking

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Verilog program

Failure state

10 00

01 11

Initial state

Abstract Model

Counterexample

Abstraction-Refinement loopAbstraction-Refinement loop

VerilogProgramVerilog

ProgramAbstract model

Abstract model

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Spurious counterexample

Counterexample in the abstract model Counterexample in the abstract model <1 , 0> <1 , 0> <0 , 0> (length = 1)<0 , 0> (length = 1)

Each state is a valuation of Each state is a valuation of hh x = 100, x=200 x = 100, x=200 ii

Simulation equation

Simulation of the counterexampleSimulation of the counterexample

Initial values of the registerspredicate values

in the first state of the counterexample

Transition relation

predicate valuesin the second state of the counterexample

equation is unsatisfiable So counterexample is spurious

Abstraction-Refinement loopAbstraction-Refinement loop

VerilogProgramVerilog

ProgramAbstract model

Abstract model

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Spurious counterexample

RefinementRefinement

Let length of spurious counterexample be Let length of spurious counterexample be kk

Take Take weakest pre-condition of propertyweakest pre-condition of property for k steps with respect for k steps with respect

to transition functionsto transition functions

Pick atomic predicates from weakest preconditionPick atomic predicates from weakest precondition

RefinementRefinement

(x’ = 100 Ç x’ = 200)Holds after one step

x’ = yy’ = x

(y = 100 Ç y = 200)weakest precondition

x’ = yy’ = x

AG (x = 100 Ç x = 200)+

Transition functions

Property

length =1+

spurious counterexampleNew predicates

y = 100, y = 200

Abstract againAbstract again

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Property: AG (x = 100 or x = 200)

Updated set of predicates:{x = 100, x = 200, y=100, y=200}

Verilog program

1001 0110Initialstate

Model check

New abstraction

Model checkingModel checking

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Property: AG (x = 100 or x = 200)

Updated set of predicates:{x = 100, x = 200, y=100, y=200}

Verilog program

1001 0110Initialstate

Property holds!

New abstraction

Result Result

module main (clk)input clk;reg [10:0] x, y;

initial x= 100, y= 200;

always @ (posedge clk)begin x <= y; y <= x;endendmodule

Property: AG (x = 100 or x = 200)

Verilog program

Property holds!

Experimental results (VIS benchmarks)Experimental results (VIS benchmarks)

BenchmarkBenchmark Lines of Lines of

codecode

#Latches#Latches #Variables#Variables Veracity Veracity

Time Time

#Predicates#Predicates #Iteration#Iteration

cachecache

coherencecoherence

549549 4343 170170 49s49s 2525 99

mpegmpeg

decoder 1decoder 1

12151215 567567 800800 29s29s 99 33

mpegmpeg

decoder 2decoder 2

12151215 567567 800800 47s47s 99 44

SDLXSDLX 898898 4141 8181 139s139s 4343 3030

MiimMiim 841841 8383 237237 0.57s0.57s** 44 22

PI-BusPI-Bus 10201020 312312 863863 2.42s2.42s** 1010 11

* Using lazy abstraction All use predicate partitioning

Bigger benchmarksBigger benchmarks

BenchmarkBenchmark #Latches#Latches Veracity timeVeracity time Cadence SMV timeCadence SMV time

ICUICU 2828 1.3s1.3s 0.1s0.1s

ICRAM2KBICRAM2KB 1642716427 450.7s450.7s 25s25s

ICRAM4KBICRAM4KB 3279632796 843.3s843.3s terminatesterminates

ARITH100ARITH100 202202 3.5s3.5s 182.4s182.4s

ARITH200ARITH200 402402 9.6s9.6s 2147s2147s

ARITH500ARITH500 10021002 32.2s32.2s timeouttimeout

ARITH1000ARITH1000 20022002 122.6s122.6s timeouttimeout

ToolsTools

VCEGARVCEGAR (Verilog Counterexample Guided Abstraction (Verilog Counterexample Guided Abstraction

Refinement) at CMURefinement) at CMUwww.cs.cmu.edu/~modelcheck/vcegarwww.cs.cmu.edu/~modelcheck/vcegar

QuestionsQuestions