700 likes | 913 Views
Model Checking: From Hardware to Software and Back Again. Edmund Clarke Computer Science Department Carnegie Mellon University (Joint work with H. Jain, D. Kroening, and N. Sharygina). Motivation. Hardware design is typically done at a higher level than in the past.
E N D
Model Checking:From Hardware to Softwareand Back Again Edmund Clarke Computer Science Department Carnegie Mellon University (Joint work with H. Jain, D. Kroening, and N. Sharygina)
Motivation • Hardware design is typically done at a higher level than in the past. • Need to reason about hardware languages like Verilog, VHDL, SystemVerilog, SpecC, SystemC, which are close to software. • Verification tools must reason about: • Programming languages constructs • Bit-vector semantics (concatenation, extraction) • Concurrency, Objects, Templates • Fortunately, norecursion, nopointers,and no heap !!
Model checking is an automatic verification techniquefor finite state concurrent systems. Developed independently by Clarke and Emerson and by Queille and Sifakisin early 1980’s. Specifications are written in propositional temporal logic. Verification procedure is an exhaustive search of the state space of the design. Temporal Logic Model Checking
Advantages of Model Checking • No proofs!!! • Fast (compared to other rigorous methods such as theorem proving) • Diagnostic counterexamples • No problem with partial specifications • Logics can easily express many concurrency properties
Main Disadvantage State Explosion Problem: • Too many processes • Complex data structures
LTL - Linear Time Logic Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a“a is true now”X a “a is true in the neXt state”Fa “a will be true in the Future”Ga “a will be Globally true in the future”a U b “a will hold true Until b becomes true” a
LTL - Linear Time Logic Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now”X a“a is true in the neXt state”Fa “a will be true in the Future”Ga “a will be Globally true in the future”a U b “a will hold true Until b becomes true” a
LTL - Linear Time Logic Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now”X a “a is true in the neXt state”Fa“a will be true in the Future”Ga “a will be Globally true in the future”a U b “a will hold true Until b becomes true” a
LTL - Linear Time Logic Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now”X a “a is true in the neXt state”Fa “a will be true in the Future”Ga“a will be Globally true in the future”a U b “a will hold true Until b becomes true” a a a a a
LTL - Linear Time Logic Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now”X a “a is true in the neXt state”Fa “a will be true in the Future”Ga “a will be Globally true in the future”a U b“a will hold true Until b becomes true” a a a a b
CTL: Computation Tree Logic EFg “g will possibly become true”
CTL: Computation Tree Logic AFg “g will necessarily become true”
CTL: Computation Tree Logic AGg “g is an invariant”
CTL: Computation Tree Logic EGg “g is a potential invariant”
CTL: Computation Tree Logic CTL uses the temporal operators AX, AG, AF, AU EX, EG, EF, EU CTL* allows complex nestings such as AXX, AGX, EXF, ... CTL: linear model checking algorithm !
Let M be a state-transition graph. Let ƒ be the specification in temporal logic. Find all states s ofM such that M, sƒ. Model Checking Problem
Model of computation Microwave Oven Example State-transition graph describes system evolving over time. ~ Start ~ Close ~ Heat ~ Error ~ Start Close Heat ~ Error Start ~ Close ~ Heat Error ~ Start Close ~ Heat ~ Error Start Close ~ Heat Error Start Close ~ Heat ~ Error Start Close Heat ~ Error
The oven doesn’t heat up until the door is closed. Notheat_up holds untildoor_closed (~heat_up)Udoor_closed Temporal Logic and Model Checking
manual compilation algorithmic verification Model Checking Hardware Description (VERILOG, VHDL, SMV) Informal Specification Transition System (Automaton, Kripke structure) Temporal Logic Formula (CTL, LTL, etc.)
Hardware Example: IEEE Futurebus+ • In 1992 Clarke and his students at CMU used SMV to verify the IEEE Future+ cache coherence protocol. • They found a number of previously undetected errors in the design of the protocol. • This was the first time that formal methods have been used to find errors in an IEEE standard. • Although the development of the protocol began in 1988, all previous attempts to validate it were based entirely on informal techniques.
From Hardware to Software: Natural Question: Is it possible to model check software? According to Wired News on Nov 10, 2005: “When Bill Gates announced that the technology was under development at the 2002 Windows Engineering Conference, he called it the holy grail of computer science”
Grand Challenge:Model Check Software ! • What makesSoftware Model Checkingdifferent ?
Large/unbounded base types: int, float, string User-defined types/classes Pointers/aliasing + unbounded #’s of heap-allocated cells Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading Concurrency + unbounded #’s of threads What Makes Software Model Checking Different ?
Templates/generics/include files Interrupts/exceptions/callbacks Use of secondary storage: files, databases Absent source code for: libraries, system calls, mobile code Esoteric features: continuations, self-modifying code Size (e.g., MS Word = 1.4 MLOC) What Makes Software Model Checking Different ?
What Does It Mean to Model Check Software? • Combine static analysis and model checking • Usestatic analysisto extract amodel Kfrom a boolean abstraction of the program. • Then check that f is true in K (K ² f), where f is the specification of the program. • ² SLAM (Microsoft) • ² Bandera (Kansas State) • ² MAGIC (CMU)
What Does It Mean to Model Check Software? • Simulate program along all paths in computation tree • ² Java PathFinder (NASA Ames) • ²Source code + backtracking (e.g., Verisoft) • ²Source code + symbolic execution + backtracking • (e.g., MS/Intrinsa Prefix) • Use finite-state machine to look for patterns in control-flow graph [Engler]
What Does It Mean to Model Check Software? • Design with Finite-State Software Models • Finite state software models can act as “missing link” • between transition graphs and complex software. • ²Statecharts • ²Esterel
What Does It Mean to Model Check Software? • Use Bounded Model Checking and SAT [Kroening] • ² Problem: How to compute set of reachable states? • Fixpoint computation is too expensive. • ² Restrict search to states that are reachable from initial • state within fixed number n of transitions • ² Implemented by unwinding program and using • SAT solver
Key techniques for Software Model Checking • Counterexample Guided Abstraction Refinement (Kurshan, Yuan Lu, Clarke et al JACM, Ball et al.) - Uses counterexamples to refine abstraction • Predicate Abstraction (Graf and Saidi, Ball et al, Chaki et al, Kroening) - Keeps track ofcertain predicates on data -Captures relationship between variables
Safety Property: bad state unreachable: satisfied Initial State Counterexamples Informal Specification Program Transition System Temporal Logic Formula (CTL, LTL, etc.)
Initial State Counterexamples Informal Specification Program Transition System Temporal Logic Formula (CTL, LTL, etc.) Safety Property: bad state unreachable Counterexample
Initial State Counterexamples Informal Specification Program Transition System Temporal Logic Formula (CTL, LTL, etc.) Safety Property: bad state unreachable Counterexample
Existential Abstraction Given an abstraction function : S S, the concrete states are grouped and mapped into abstract states : M Preservation Theorem ? M
M |= f Simulation Relation Assume N simulates M (M N) Let f be a universal CTL* formula (ACTL*) M N a a b b b c d c d N |= f
Preservation Theorem Atomic formula f respects if f does not distinguish concrete states within abstract state. Theorem (Clarke, Grumberg, Long)If is an ACTL* specification where the atomic formulas respect , then M M. Corollary Preservation Theorem applicable: M|= implies M |= . Converse implication is not valid !
“red” “go” Spurious Behavior AGAF red “Every path necessarily leads back to red.” Spurious Counterexample: <go><go><go><go> ... Artifact of the abstraction !
How to define Abstraction Functions? Abstraction too fineState Explosion Abstraction too coarseInformation Loss AutomaticAbstraction Methodology
M Initial Abstraction Refinement Refinement Automatic Abstraction Spurious Spurious counterexample Validation or Counterexample Correct ! M Original Model
Initial Abstraction Verification No erroror bug found ModelChecker Property holds Counterexample Refinement Simulation sucessful Abstraction refinement Bug found Spurious counterexample CEGAR CounterExample-Guided Abstraction Refinement CProgram Abstract model Simulator
Software Example: Device Driver Code Also according to Wired News: “Microsoft has developed a tool called Static Device Verifier or SDV, that uses ‘Model Checking’ to analyze the source code for Windows drivers and see if the code that the programmer wrote matches a mathematical model of what a Windows device driver should do. If the driver doesn’t match the model, the SDV warns that the driver might contain a bug.”
System Behavioral Register Level Gate level (netlists) ………… Back to Hardware! Formal verification support Ease of design increases
Register Level Verilog: module counter_cell(clk, carry_in, carry_out); input clk; input carry_in; output carry_out; reg value; assign carry_out = value & carry_in; initial value = 0; always @(posedge clk) begin // value =(value + carry_in) % 2; case(value) 0: value = carry_in; 1: if (carry_in ==0) value = 1; else value = 0; endcase end endmodule Gate Level (netlist): .model counter_cell .inputs carry_in .outputs carry_out .names value carry_in _n2 .def 0 1 1 1 .names _n2 carry_out$raw_n1 - =_n2 .names value$raw_n3 0 .names _n6 0 .names value _n6 _n7 .def 0 0 1 1 1 0 1 .r value$raw_n3 value 0 0 1 1 ….. (120 lines)
System Behavioral Register Level Gate level (netlists) ………… Lack of verification support use techniques fromsoftware verification Must be automatic and scalable!!
System Behavioral Register Level Gatelevel(netlists) ………… This work Model check
Abstraction-Refinement loop (CEGAR) Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample
Our approach • Apply predicate abstraction at RTL Level • Allows abstraction using word-levelpredicates • Example: x < y – z, x = {z,z} • Use a SAT solver for computing abstraction • Semantics of bit-wise operators taken into account • Obtaining suitable word level predicates • Syntactic weakest pre-conditions of Verilog statements (Kurshan and Namjoshi)
Related work • SAT-Based Predicate Abstraction [Wang et al.] • Works at netlist level • Refinement introduces bit-level predicates • Vapor tool [Andraus et al.] • Works on RTL level designs • Abstraction to CLU models (equality of terms, uninterpreted functions, predicates) • Lots of other related work
An example module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 Ç x = 200) Verilog program
CEGAR loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample