View
224
Download
0
Category
Preview:
Citation preview
Predicate Abstraction for Software and Hardware VerificationPredicate Abstraction for Software and Hardware Verification
Himanshu JainHimanshu Jain
Model checking seminarModel checking seminarApril 22, 2005April 22, 2005
Introduction
Scalable software verification
Properties Array bounds check, division by zero Pointer safety Assertion checking Lock and unlocking
Focus on partial specifications
Predicate Abstraction
Extract a finite state model from an infinite state system
Used to prove assertions or safety properties
Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft
Example for Predicate Abstraction
int main() { int i;
i=0;
while(even(i)) i++;}
int main() { int i;
i=0;
while(even(i)) i++;}
+ p1 i=0p2 even(i)
p1 i=0p2 even(i) =
void main() { bool p1, p2;
p1=TRUE; p2=TRUE;
while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }}
void main() { bool p1, p2;
p1=TRUE; p2=TRUE;
while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }}
PredicatesC program Boolean program
[Ball, Rajamani ’01]
[Graf, Saidi ’97]
Computing Predicate Abstraction
How to get predicates for checking a given property?
How do we compute the abstraction?
Predicate Abstraction is an over-approximation
How to refine coarse abstractions
Counterexample Guided Abstraction Refinement loop
CProgram
CProgram
Abstract model
Abstract model
ModelChecker
Abstraction refinement
VerificationInitial
AbstractionNo error
or bug found
Simulator
Propertyholds
Simulationsucessful
Bug found
Refinement
Spurious counterexample
Abstraction
1: x = ctr;
2: y = ctr + 1;
3: if (x = i-1){
4: if (y != i){
ERROR: }
}
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Abstract
C program No predicates available currently
Checking the abstract model
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Abstract model has a path leading to error state
Is ERROR reachable?
yes
Simulation
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Does this correspond to a
real bug?
Not possible
Concrete traceCheck using a SAT solver
Refinement
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: skip;
2: skip;
3: if (*){
4: if (*){
ERROR: }
}
Spurious Counterexample Initial abstraction
Refinement
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: skip;
2: skip;
3: if (*){
4: if (b0){
ERROR: }
}
boolean b0 : y != i
Refinement
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: skip;
2: skip;
3: if (b1){
4: if (b0){
ERROR: }
}
boolean b0 : y != i
boolean b1 : x== i-1
Refinement
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: skip;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
boolean b0 : y != i
boolean b1 : x== i-1
boolean b2 : ctr + 1 ! = iWeakest precondition of y != i
Refinement
1: x = ctr;
2: y = ctr + 1;
3: assume(x == i-1)
4: assume (y != i)
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
boolean b0 : y != i
boolean b1 : x== i-1
boolean b2 : ctr + 1 ! = i
boolean b3: ctr == i -1
Refinement
1: b1 = b3;
2: b0 = b2;
3: if (b1){
4: if (b0){
ERROR: }
}
boolean b0 : y != i
boolean b1 : x== i-1
boolean b2 : ctr + 1 ! = i
boolean b3: ctr == i -1
b2 and b3 are mutually
exclusive.
b2 =1, b3 = 0
b2 =0 , b3 = 1
What about initial values of b2 and b3?
So system is safe!
Tools for Predicate Abstraction of C
SLAM at Microsoft Used for verifying correct sequencing of function calls in windows
device drivers
MAGIC at CMU Allows verification of concurrent C programs Found bugs in MicroC OS
BLAST at Berkeley Lazy abstraction, interpolation
SATABS at CMU Computes predicate abstraction using SAT Can handle pointer arithmetic, bit-vectors
F-Soft at NEC Labs Localization, register sharing
Applications of Predicate Abstraction inHardware Verification
System on chip design
Increase in complexity
Gate level (netlists)
Structural
Behavioral/RTL
…………
Level Number of components
10E7
10E5
10E3
10E0
Ab
stra
ctio
n
System Level
Introduction
Emergence of system design languages
HardwareC, SpecC, Handel-C, and SystemC
Based on C / C++
Allows joint modeling of both hardware and software components of a system
Support for bit vectors, concurrency, synchronization, exception handling, timing
Verification support
Most model-checkers used in hardware industry work at netlist level
Higher abstraction levels offered by languages like SpecC or RTL Verilog are not yet supported
Languages like SpecC are more closer to concurrent software
Verification tools must reason about: Programming languages constructs Concurrency Pointers, Objects Bit vector operations like concatenation, extraction
Why predicate abstraction
Many properties depend on relationship between registers, and not the values stored in them
Predicate Abstraction Keeps tracks of certain predicates on data Successfully used in software verification
Can handle larger designs
Abstraction-Refinement loopAbstraction-Refinement loop
VerilogProgramVerilog
ProgramAbstract model
Abstract model
ModelChecker
Abstraction refinement
VerificationInitial
AbstractionNo error
or bug found
Simulator
Propertyholds
Simulationsucessful
Bug found
Refinement
Spurious counterexample
An exampleAn example
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Property:
AG (x = 100 or x = 200)
Verilog program
Abstraction-Refinement loopAbstraction-Refinement loop
VerilogProgramVerilog
ProgramAbstract model
Abstract model
ModelChecker
Abstraction refinement
VerificationInitial
AbstractionNo error
or bug found
Simulator
Propertyholds
Simulationsucessful
Bug found
Refinement
Spurious counterexample
Predicate AbstractionPredicate Abstraction
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Property:
AG (x = 100 or x = 200)
Initial set of predicates:
{x = 100, x = 200}
Verilog program Word level predicates
Computing Most Precise AbstractionComputing Most Precise Abstraction
<x = 100, x = 200> + x’ = yy’ = x
+ <x’ = 100, x’ = 200>
Current state Next state
Equation passed to the SAT solver
Transition Relation
Computing abstract transitions
Obtain transitionsObtain transitions
Computing abstract transitions
10 00
01 11 … … and so on …and so on …
Abstract ModelAbstract Model
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Property: AG (x = 100 or x = 200)
Initial set of predicates:{x = 100, x = 200}
Verilog program
Initial state
Failure state10 00
01 11
Abstraction-Refinement loopAbstraction-Refinement loop
VerilogProgramVerilog
ProgramAbstract model
Abstract model
ModelChecker
Abstraction refinement
VerificationInitial
AbstractionNo error
or bug found
Simulator
Propertyholds
Simulationsucessful
Bug found
Refinement
Spurious counterexample
Model checking Model checking
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Verilog program
Failure state
10 00
01 11
Initial state
Abstract Model
Model checking Model checking
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Verilog program
Failure state
10 00
01 11
Initial state
Abstract Model
Counterexample
Abstraction-Refinement loopAbstraction-Refinement loop
VerilogProgramVerilog
ProgramAbstract model
Abstract model
ModelChecker
Abstraction refinement
VerificationInitial
AbstractionNo error
or bug found
Simulator
Propertyholds
Simulationsucessful
Bug found
Refinement
Spurious counterexample
Counterexample in the abstract model Counterexample in the abstract model <1 , 0> <1 , 0> <0 , 0> (length = 1)<0 , 0> (length = 1)
Each state is a valuation of Each state is a valuation of hh x = 100, x=200 x = 100, x=200 ii
Simulation equation
Simulation of the counterexampleSimulation of the counterexample
Initial values of the registerspredicate values
in the first state of the counterexample
Transition relation
predicate valuesin the second state of the counterexample
equation is unsatisfiable So counterexample is spurious
Abstraction-Refinement loopAbstraction-Refinement loop
VerilogProgramVerilog
ProgramAbstract model
Abstract model
ModelChecker
Abstraction refinement
VerificationInitial
AbstractionNo error
or bug found
Simulator
Propertyholds
Simulationsucessful
Bug found
Refinement
Spurious counterexample
RefinementRefinement
Let length of spurious counterexample be Let length of spurious counterexample be kk
Take Take weakest pre-condition of propertyweakest pre-condition of property for k steps with respect for k steps with respect
to transition functionsto transition functions
Pick atomic predicates from weakest preconditionPick atomic predicates from weakest precondition
RefinementRefinement
(x’ = 100 Ç x’ = 200)Holds after one step
x’ = yy’ = x
(y = 100 Ç y = 200)weakest precondition
x’ = yy’ = x
AG (x = 100 Ç x = 200)+
Transition functions
Property
length =1+
spurious counterexampleNew predicates
y = 100, y = 200
Abstract againAbstract again
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Property: AG (x = 100 or x = 200)
Updated set of predicates:{x = 100, x = 200, y=100, y=200}
Verilog program
1001 0110Initialstate
Model check
New abstraction
Model checkingModel checking
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Property: AG (x = 100 or x = 200)
Updated set of predicates:{x = 100, x = 200, y=100, y=200}
Verilog program
1001 0110Initialstate
Property holds!
New abstraction
Result Result
module main (clk)input clk;reg [10:0] x, y;
initial x= 100, y= 200;
always @ (posedge clk)begin x <= y; y <= x;endendmodule
Property: AG (x = 100 or x = 200)
Verilog program
Property holds!
Experimental results (VIS benchmarks)Experimental results (VIS benchmarks)
BenchmarkBenchmark Lines of Lines of
codecode
#Latches#Latches #Variables#Variables Veracity Veracity
Time Time
#Predicates#Predicates #Iteration#Iteration
cachecache
coherencecoherence
549549 4343 170170 49s49s 2525 99
mpegmpeg
decoder 1decoder 1
12151215 567567 800800 29s29s 99 33
mpegmpeg
decoder 2decoder 2
12151215 567567 800800 47s47s 99 44
SDLXSDLX 898898 4141 8181 139s139s 4343 3030
MiimMiim 841841 8383 237237 0.57s0.57s** 44 22
PI-BusPI-Bus 10201020 312312 863863 2.42s2.42s** 1010 11
* Using lazy abstraction All use predicate partitioning
Bigger benchmarksBigger benchmarks
BenchmarkBenchmark #Latches#Latches Veracity timeVeracity time Cadence SMV timeCadence SMV time
ICUICU 2828 1.3s1.3s 0.1s0.1s
ICRAM2KBICRAM2KB 1642716427 450.7s450.7s 25s25s
ICRAM4KBICRAM4KB 3279632796 843.3s843.3s terminatesterminates
ARITH100ARITH100 202202 3.5s3.5s 182.4s182.4s
ARITH200ARITH200 402402 9.6s9.6s 2147s2147s
ARITH500ARITH500 10021002 32.2s32.2s timeouttimeout
ARITH1000ARITH1000 20022002 122.6s122.6s timeouttimeout
ToolsTools
VCEGARVCEGAR (Verilog Counterexample Guided Abstraction (Verilog Counterexample Guided Abstraction
Refinement) at CMURefinement) at CMUwww.cs.cmu.edu/~modelcheck/vcegarwww.cs.cmu.edu/~modelcheck/vcegar
QuestionsQuestions
Recommended