formal verification marco a. peña universitat politècnica de catalunya
Post on 22-Dec-2015
215 views
TRANSCRIPT
Formal verification
Marco A. Peña
Universitat Politècnica de Catalunya
Outline Motivation
Simulation
Formal verification
– Theorem proving
– Model checking
State space exploration
Formal verification with relative timing
Conclusions
Motivation
Motivation: the problem System’s complexity: continuous growth is scale and
functionality
Probability to introduce design errors increases
System failures are unacceptable:
– Software: cost of update, credibility, etc.
– Embedded software: no update possible
– Hardware: high cost of fabrication/replacement
– Safety-critical systems: catastrophic consequences Delay in time-to-market, loss of money and human lives!!
Motivation: examples 1994: Floating point divider unit of Pentium microprocessor
– Bug in the implementation of the division algorithm
– 475 million US $
1996: Launch failure of Ariane 5 rocket
– Wrong data type conversion when computing altitude
– Explosion 36 minutes after lunch 1986: Challenger space shuttle
– … What else?
Motivation: where do bugs come from? Incorrect specifications
Misinterpretation of specifications
Misunderstandings between designers
Missed cases
Protocol non-conformance
And a long etcetera.
Motivation: what to do? Develop methods to ensure systems reliability
Detect and fix bugs at the early stages of the design flow
Verification:
– General bug-finding techniques.
– Usually simulation.
Formal verification:
– Methods for 100% bug coverage.
– Use mathematical formalisms (logics, automata, etc.) and techniques to reason about the correctness of a system.
Simulation
Simulation Predominant verification method: intuitive idea
Construction of test-cases: manually, randomly, etc.
“Heisenbug” paradigm: when trying to reproduce a bug it never shows up
Example: (x+1)2 = x2 + 2x +1 ?
Simulation Example:
– Concurrent processes A and B
– Events happen concurrently every 1010 operation cycles
Process A
.......
X := X + 1
.......
Process B
.......
X := X - 1
.......
Precondition X = 0
Postcondition X = 1 (!)
Simulation: typical experience
Time
Functional testing
Purgatory Product in the marketBugs
found
Formal verification
Formal verification Ensures consistency with specification for all possible
input patterns: exhaustive coverage
Requires:
– Formal model of the system
– Formal specification language: properties
– Reasoning method
Main strategies:
– Theorem proving
– Model checking
Formal verification Example: (x+1)2 = x2 + 2x +1 ?
Formal verification: theorem proving
Implementation and specification: formulas in some mathematical logic
Deep knowledge of the formalisms and proof techniques
The prover is often human
Useful for: arithmetic algorithms, etc.
Formal verification: theorem proving Major drawbacks: no guarantee of a proof, complexity of
the proof, no counterexample, …
Some impressive results:
– AMD K7 floating point unit
– Combined with model checking: Intel P4 instruction decoder
Few automatic tools exist
Not a general solution:
– Too expert human interaction
– Only for small problems or niche applications
Formal verification: model checking
The checker enumerates all the states of the system
Finite state space, but combinatorial explosion !
Symbolic methods, partial orders, abstractions, etc.
Several automatic tools and success stories exist
Formal verification: model checking Gaining acceptance but not yet widely used
Major drawbacks: state explosion problem and tools difficult to use for designers
Commercial tools start to appear: Abstract, Chrysalis, IBM, Lucent, Verysys, …
Companies have increasing interest: IBM, Intel, AT&T, etc. Oportunity!
Not a general solution:
– Combination with theorem proving
– Combination with semi-formal strategies
State space exploration
State space exploration Combinatorial explosion
Symbolic representations: BDDs
State space exploration
Some states do not exist, but …
State space exploration
Time incorporates a new source of exponentiality !!
Formal verification with
Relative Timing
Verification approach: main features
Model checking-like approach for timed systems
Iterative incremental refinement of the untimed state space by:
– Off-line timing analysis on small acyclic graphs, and
– Incorporation of Relative Timing constraints
Verification of temporal safety properties
BDD-based symbolic representation: large untimed state
spaces
Backannotation: sufficient relative timing constraints for
correctness are reported, or counterexample trace
Verification approach: system model
Timed Transition Systems: Transition System + delay bounds
Verification approach
Verification approach
Verification approach
Verification approach
Verification approach
Verification approach
Verification approach
Symbolic state space exploration
and failure detection
Verification approach
Failure states
• Failure trace• Event structure
x
a b
cg
d
• Timing analysis• Composition
Verification approach
[1,2] [1,2]
[1,2]
[3,4]
[1,2]
[1,2]
• Failure trace• Event structure
x
a b
cg
d
• Timing analysis• Composition
Verification approach
[1,2] [1,2]
[1,2]
[3,4]
[1,2]
[1,2]
Verification approach: flow
Conclusions
Conclusions
Size of the system (state bits)
Pro
bab
ilit
y o
f ve
rifi
cati
on
Research
Real systems
1 10 100 103 104 105 106 107
100%
Conclusions: research
Research in Spain: University
– PhD programs, FI/FPI grants
– Possible stages in foreign universities/companies
Verification teams in companies grow much faster than
design teams: oportunity!
Companies and research centers:
– USA and Europe
– PhD required
Conclusions: collaboration, projects,…
Long list of open problems:
– Real case studies: circuits, protocols, etc.
– Implementations of other techniques for comparison
– Parallel implementations: clusters, etc.
– Combination of techniques: formal and semi-formal, etc.
– …