An Automata-Theoretic Approach to Hardware/Software Co-verification

Preview:

Click to see full reader

DESCRIPTION

An Automata-Theoretic Approach to Hardware/Software Co-verification. Thomas Ball Microsoft Research Joint work with Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Vladimir Levin and Con McGarvey Microsoft Corporation. - PowerPoint PPT Presentation

Citation preview

An Automata-Theoretic Approach to Hardware/Software Co-verification

Thomas BallMicrosoft Research

Joint work withJuncao Li and Fei XieDept. of Computer Science, Portland State UniversityVladimir Levin and Con McGarveyMicrosoft Corporation

Hardware/Software (HW/SW) Interfaces are Pervasive…

Windows XP◦ Over 35,000 drivers (over

100,000 versions) for different devices (Murphy and Garzia, 2004)

Linux◦ 70% of code for drivers that

operate hardware (Chou, et al., 2001)

And Unreliable…In Windows

◦ Drivers cause 85% reported failures (Swift, 2005)

◦ At least 52.6% of Windows crashes involve HW/SW interaction (Sinha, 2005)

In Linux◦ Seven times more driver failures

(Chou, et al., 2001)

Lots of failures cannot be gathered …

ChallengesEffective formal specification

frameworkDescribe the HW/SW system Easy to understand

Unifying formal model for co-verificationHardware and software are

differentUse different formal

representations

The Plan (I)

Co-specification

Model Checking

Formal ModelBüchi Pushdown System

Specify HW/SW system

Co-specification for Driver/Device

Driver implementation• to be verified• Low-priority dispatch

routines• High-priority Interrupt

Service Routines (ISR)

A Hardware ModelSpecified using Verilog semantics

Popular to hardware engineersNon-blocking assignment

Atomicity in register state changes

A hardware model hasStates described by registers Initial states given by the initialization taskState transitions specified in Transaction

Level Modeling (TLM)

10

begin hardware model // declare registers for hardware states reg [7:0] PortA, IntConfg; ……

initial random; // a task that assigns non-deterministic values to registers

if ( rand(0,1) ) begin // model the hardware behavior // low level triggers the interrupt if( (IntConfg == 8’h04) && ((PortA & 8’h01)==0) ) begin IntStatus <= 1; // set the interrupt status register INTR <= 1; // set the interrupt pending status to notify software end …… end else begin // simulate inputs from the environment // non-deterministically input to PortA if ( rand(0,1) ) PortA <= rand(8’h0, 8’hFF); ........ end

end hardware model

HW/SW Interface

WRITE_REGISTER_UCHAR(foo, 32)

Software to Hardware Interaction

// Intermediate code that relates the read/write register function calls // to hardware state transitionsUCHAR READ_REGISTER_UCHAR ( PUCHAR register ) { switch ( register ) { case REG_PORTA: return ReadPortA(); case REG_PORTB: return ReadPortB(); case REG_PORTC: return ReadPortC();

…… case REG_STATUS: return ReadIntStatus(); return; default: RegAddressMismatch(); return; }}

Software Event Triggering Hardware State Transitions__atomic UCHAR ReadIntStatus( ) {

// clear the interrupt status when read reg [7:0] retreg; retreg <= IntStatus; IntStatus <= 0;

// return the register value to software return retreg;}

The Plan (II)

Co-specification

Model Checking

Formal ModelBüchi Pushdown System

BPDS = BA ˣ LPDS• Represent concurrent

executions • Allow both HW and

SW models to be• Asynchronous• Synchronous

Büchi Automaton (BA)A BA,

◦ , the alphabet◦ , the finite set of states◦ , the set of state transitions◦ , the initial state◦ , the set of final states

The alphabet is defined on the states of PDS◦ PDS is the generator of inputs to the BA

),,,,( 0 FqQΒ Q

0qF

WRITE_REGISTER_UCHAR(foo, 32)

Pushdown System (PDS)A PDS,

◦ , finite set of global states◦ , finite stack alphabet◦ , ◦ , initial configuration

PDS doesn’t take any inputs◦need to synchronize the PDS and BA

),,,,( 00 gGPG

*)()( GG

00 ,g

Labeled PDS (LPDS)We extend the PDS as

◦ , the input alphabet◦So the set of transition rules is

Now we can use our LPDS as a recognizer

),,,,,( 00 gGIP

*)()( GIG

Labeling Functions

The Plan (III)

Co-specification

Model Checking

Formal modelBüchi Pushdown System

Verify BPDS model using existing model checker

Yes/No

Co-verification Tool (CoVer)

Hardware Interface

ModelDriver Code

Abstraction

Tool

BPDS Model

BPDS2PDS

PDS Model

MopedModel

Checker

EvaluationApplied our approach to

◦ an OSR Windows sample driver for a PCI device, and

◦ the hardware interface model of the device

Found one previously undiscovered driver bug◦ A device driver architect has confirmed our finding

Designed a test benchmark for our model-checking algorithm

ConclusionOur approach to co-verification

◦Co-specification◦Co-verification model, BPDS

Evaluation has shown that our approach◦can detect sophisticated bugs◦is promising in improving the

reliability of HW/SW interface implementations

Recommended

Behaviour Analysis of Distributed Systems using the Tracta … · 2005. 10. 14. · Tracta Tracta is a CRA approach that follows the automata theoretic approach to program verification
Documents
Automata-Theoretic Models for Computational Complementarity
Documents
ECE/CS 584: Verification of Embedded Computing Systems Model Checking Timed Automata
Documents
An Automata-Theoretic Approach to Linear Temporal Logicwpage.unina.it/benerece/TSV/LTL-readings/Vardi_automata-theoretic … · An often advocated approach to program development
Documents
automata-theoretic model checkinghomepages.inf.ed.ac.uk/kousha/sfm02_lecs.pdf · 2003. 5. 5. · overview • The purpose of my lectures: – to cover the fundamental algorithms used
Documents
Automata-Theoretic LTL Model-Checkingemc/15414-f11/lecture/lec16_Buchi+LTL.pdf · Automata-Theoretic LTL Model-Checking Arie Gurfinkel arie@cmu.edu ... • NFA = DFA: Every non
Documents
Relational String Verification Using Multi-track Automata
Documents
Automata-Theoretic Models for Computational Complementarityecalude/elenathesis.pdf · Automata-Theoretic Models for Computational Complementarity ... an attempt to model elementary
Documents
INFINITE STATES VERIFICATION IN GAME-THEORETIC ...lesperan/papers/KmiecMSc.pdfINFINITE STATES VERIFICATION IN GAME-THEORETIC LOGICS by Slawomir Kmiec By virtue of submitting this document
Documents
Formal Verification of Multitasking Applications …hanzalek/publications/...Keywords: Formal methods, Verification, Model-checking, Timed automata, OSEK/VDX, Multitasking 1 Introduction
Documents
Verification of 800 Automata-Based Programs Built by means of Genetic Programming
Science
Verification and Power Analysis of TinyOS with Hybrid Automata
Documents
Online Hybrid Automata Verification of Dynamical …emc/2014/speakers/LeiBuEMC14.pdfOnline Hybrid Automata Verification of Dynamical ... # Communication-Based Train Control System
Documents
Topological, Automata-Theoretic and Logical Characterizations of … · 2016-01-07 · Topological, Automata-Theoretic and Logical Characterizations of Finitary Languages Presentation
Documents
re.public.polimi.it...OPERATOR PRECEDENCE LANGUAGES: THEIR AUTOMATA-THEORETIC AND LOGIC CHARACTERIZATION VIOLETTA LONATI∗, DINO MANDRIOLI †, FEDERICA PANELLA , AND MATTEO PRADELLA†
Documents
Review of the automata-theoretic approach to model-checking
Documents
-Automata - TUM - Chair VII · 2015-09-23 · ω-Automata • Automata that accept (or reject) words of infinite length. • Languages of infinite words appear: – in verification,
Documents
Verification of timed automata: reachability, liveness, and modeling
Documents
Extended Tree Automata Models for the Verification of ... · 2.5 Pushdown and Visibly Pushdown Tree Automata . . . . . . . . 42 ... 2.7 Application to the verification of communicating
Documents
5. Finite Automata and Temporal Logicjaa/verification/lectures/5... · 2020-02-06 · Finite Automata and Temporal Logic Jacob Abraham, February 6, 2020 15 / 61 Department of Electrical
Documents