reasoning about timed systems using boolean methods · –50– related research projectrelated...
TRANSCRIPT
Reasoning about Timed Systems Using Boolean Methods
Reasoning about Timed Systems Using Boolean Methods
Sanjit A. SeshiaSanjit A. SeshiaEECS, UC BerkeleyEECS, UC Berkeley
Joint work withJoint work withRandal E. Bryant (CMU)Randal E. Bryant (CMU)
Kenneth S. Stevens (Intel, now U. Utah)Kenneth S. Stevens (Intel, now U. Utah)
– 2 –
Timed SystemTimed System
A system whose correctness depends A system whose correctness depends not only on its not only on its functionalityfunctionality (what results (what results it generates), but also on its it generates), but also on its timelinesstimeliness(the time at which results are generated).(the time at which results are generated).
– 3 –
Real-Time Embedded SystemsReal-Time Embedded Systems
– 4 –
Self-Timed CircuitsSelf-Timed Circuits
– 5 –
Modeling & VerificationModeling & Verification
Timed System
Verify model
Model
– 6 –
Challenges with Timed SystemsChallenges with Timed Systems
State has 2 components:State has 2 components:–– Boolean variables (Boolean variables (VV): model discrete state): model discrete state–– RealReal--valued variables (valued variables (XX): measure real time): measure real time
InfinitelyInfinitely--many statesmany states–– Has a finite representation (regions graph)Has a finite representation (regions graph)–– But grows worse than |But grows worse than |XX| | ||XX||
–– Verification is hard!Verification is hard!
– 7 –
Modeling & VerificationModeling & Verification
Timed System
Verify model
Model
Self-TimedCircuit
Timed Automaton
Model Checking
– 8 –
Message of This Talk: Leverage Boolean Methods
Message of This Talk: Leverage Boolean Methods
ModelingModeling–– Use Boolean variables to model timing, where Use Boolean variables to model timing, where
possiblepossible
VerificationVerification–– Use symbolic Boolean representations and Use symbolic Boolean representations and
algorithms operating on themalgorithms operating on themBinary Decision Diagrams (Binary Decision Diagrams (BDDsBDDs), Boolean ), Boolean satisfiabilitysatisfiability solvers (SAT)solvers (SAT)
Why?Why?–– Systems have complex Boolean behavior anywaySystems have complex Boolean behavior anyway–– Great progress made in finiteGreat progress made in finite--state model state model
checking, SAT solving, etc. over last 15 yearschecking, SAT solving, etc. over last 15 years
– 9 –
Talk OutlineTalk Outline
Motivating Problem: Verifying SelfMotivating Problem: Verifying Self--Timed Timed CircuitsCircuits
Generalized Relative TimingGeneralized Relative Timing
Circuits Circuits Timed AutomataTimed Automata
Model Checking Timed AutomataModel Checking Timed Automata
Case StudiesCase Studies
Future Directions & Related ResearchFuture Directions & Related Research
– 10 –
Self-Timed (Asynchronous) CircuitsSelf-Timed (Asynchronous) Circuits
Many design styles useMany design styles use timing assumptionstiming assumptions
Delay Independent
Gate-levelMetric Timing
Relative Timing: Relative Timing: [Stevens et al. ASYNC[Stevens et al. ASYNC’’99, TVLSI99, TVLSI’’03]03]Circuit behavior constrained by relative orderingCircuit behavior constrained by relative orderingof signal transitionsof signal transitions
uu ↑ ≺ v ↑↑
Relative Timing
Burst Mode
– 11 –
Relative Timing (RT) Verification Methodology: 2 StepsRelative Timing (RT) Verification Methodology: 2 Steps
1.1. Check circuit functionality Check circuit functionality under timing under timing assumptionsassumptions
Search the constrained state spaceSearch the constrained state spaceModel checkingModel checking
2.2. Verify timing assumptions themselvesVerify timing assumptions themselvesSize circuit path delays appropriatelySize circuit path delays appropriatelyStatic timing analysisStatic timing analysis
– 12 –
Pros and Cons of RTPros and Cons of RT
Advantages:Advantages:++ Applies to many design stylesApplies to many design styles++ Incremental addition of timing constraintsIncremental addition of timing constraints++ No conservatively set minNo conservatively set min--max delaysmax delays
Disadvantages:Disadvantages:–– Cannot express metric timingCannot express metric timing–– More work to be done on verification More work to be done on verification
Scaling upScaling upValidating timing constraints themselvesValidating timing constraints themselves
– 13 –
Our ContributionsOur Contributions
Generalized RTGeneralized RT–– Can express some metric timingCan express some metric timing
Applied Fully Symbolic Verification TechniquesApplied Fully Symbolic Verification Techniques–– Model circuits using timed automataModel circuits using timed automata
Metric timing modeled using realMetric timing modeled using real--valued variablesvalued variablesNonNon--metric with Booleansmetric with Booleans
Performed Case Performed Case SudiesSudies–– Including Global STP circuit Including Global STP circuit (published version of (published version of
PentiumPentium--4 ALU 4 ALU cktckt.).)
[Seshia, Stevens, & Bryant, ASYNC[Seshia, Stevens, & Bryant, ASYNC’’05]05]
– 14 –
Talk OutlineTalk Outline
Motivating Problem: Verifying SelfMotivating Problem: Verifying Self--Timed Timed CircuitsCircuits
Generalized Relative TimingGeneralized Relative Timing
Circuits Circuits Timed AutomataTimed Automata
Model Checking Timed AutomataModel Checking Timed Automata
Case StudiesCase Studies
Future Directions & Related ResearchFuture Directions & Related Research
– 15 –
Generalizing Relative TimingGeneralizing Relative Timing
Delay Independent
Gate-levelMetric Timing
Relative Timing
Burst Mode
– 16 –
Circuit ModelCircuit Model
Variables (signals): Variables (signals): v1, v2, …, vn
Events (signal transitions): Events (signal transitions): ei is is vi ↑ oror vi
Rules Rules –– EEii ((v1, v2, …, vn ) ) eeii
Timing ConstraintsTiming Constraints
↑
– 17 –
Generalized Relative Timing (GRT) ConstraintGeneralized Relative Timing (GRT) Constraint
ΔΔ((eeii, , eejj)) : Time between : Time between eejj and previous and previous occurrence of occurrence of eeii
Form of GRT constraint:Form of GRT constraint:ΔΔ((eeii, , eejj) ) ·· ΔΔ((eeii’’, , eekk) + ) + dd
eejjeeii
eekkeeii eeii’’ eejj
– 18 –
Special Case: Common Point-of-Divergence (PoD)Special Case: Common Point-of-Divergence (PoD)
PoDPoD constraint:constraint:ΔΔ((eeii , , eejj) ) ·· ΔΔ((eeii , , eekk) )
Written as:Written as:eeii →→ eejj ≺≺ eekk
An RT constraint traced back to its sourceAn RT constraint traced back to its source
eekkeeii eejj
– 19 –
Example: Point-of-Divergence (PoD) ConstraintExample: Point-of-Divergence (PoD) Constraint
↑↑
↑
cc →→ acac ≺≺ bb
↑
↑↑
– 20 –
Example: Metric Timing Example: Metric Timing
ΔΔ((data_indata_in↑, , data_in_auxdata_in_aux↑)) ·· ΔΔ((enableenable↑, , triggertrigger↑))
– 21 –
Do We Need Metric Timing?Do We Need Metric Timing?
Useful for Useful for modular specificationmodular specification of timing constraintsof timing constraintsAlso when delays are explicitly usedAlso when delays are explicitly used
– 22 –
Verifying Generalized Relative Timing ConstraintsVerifying Generalized Relative Timing Constraints
Use static timing analysis to compute minUse static timing analysis to compute min--max max path delayspath delays
To verify:To verify:ΔΔ((eeii, , eejj) ) ·· ΔΔ((eeii’’, , eekk) + ) + dd
We verify that:We verify that:maxmax--delay( delay( eeii ÃÃ eejj ) ) ·· minmin--delay( delay( eeii’’ ÃÃ eekk ) + ) + dd
– 23 –
Talk OutlineTalk Outline
Motivating Problem: Verifying SelfMotivating Problem: Verifying Self--Timed Timed CircuitsCircuits
Generalized Relative TimingGeneralized Relative Timing
Circuits Circuits Timed AutomataTimed Automata
Model Checking Timed AutomataModel Checking Timed Automata
Case StudiesCase Studies
Future Directions & Related ResearchFuture Directions & Related Research
– 24 –
Modeling Timed CircuitsModeling Timed Circuits
Need to model:Need to model:RulesRules ((““BooleanBoolean”” behavior) and behavior) and TimingTiming
Our formalism:Our formalism: Timed Automata Timed Automata [[AlurAlur & Dill, & Dill, ’’90] 90] –– Generalization of finite automataGeneralization of finite automata–– State variables:State variables:
Boolean (circuit signals) Boolean (circuit signals) RealReal--valued timers or valued timers or ““clocksclocks”” (impose timing (impose timing constraints) constraints)
–– Operations: (1) compare with constant, (2) reset to zeroOperations: (1) compare with constant, (2) reset to zeroWe model nonWe model non--metric timing with Booleansmetric timing with Booleans
– 25 –
Enforcing Timing with BooleansEnforcing Timing with Booleans
↑↑
↑
cc →→ acac ≺≺ bb
↑
↑↑
1.1.cc sets a bit
2.2.acac resets it
3.3.b b cannot occur while the bit is set
↑
↑
↑
– 26 –
Enforcing Timing with Timer VariablesEnforcing Timing with Timer VariablesΔΔ((data_indata_in↑, , data_in_auxdata_in_aux↑)) ·· ΔΔ((enableenable↑, , triggertrigger↑))
– 27 –
•• data_indata_in sets x1 to 0
•• data_in_aux data_in_aux must occur while x1 · c
•• enable enable sets x2 to 0
•• trigger trigger can only occur if x2 ≥ c
c determined just as in other metric timing styles
↑
↑
↑
↑
Enforcing Timing with Timer VariablesEnforcing Timing with Timer VariablesΔΔ((data_indata_in↑, , data_in_auxdata_in_aux↑)) ·· ΔΔ((enableenable↑, , triggertrigger↑))
– 28 –
Booleans vs. TimersBooleans vs. Timers
Most timing constraints tend to be Most timing constraints tend to be PoDPoD
So few realSo few real--valued timer variables used in valued timer variables used in practicepractice
– 29 –
Talk OutlineTalk Outline
Motivating Problem: Verifying SelfMotivating Problem: Verifying Self--Timed Timed CircuitsCircuits
Generalized Relative TimingGeneralized Relative Timing
Circuits Circuits Timed AutomataTimed Automata
Model Checking Timed AutomataModel Checking Timed Automata
Case StudiesCase Studies
Future Directions & Related ResearchFuture Directions & Related Research
– 30 –
StateState
Boolean part: assignment to signalsBoolean part: assignment to signals
RealReal--valued part: relation between timersvalued part: relation between timers
v1 = 0, v2 = 1, v3 = 0, . . .
x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2
x1
x2
symbolic representation
– 31 –
Symbolic Model Checking of Timed AutomataSymbolic Model Checking of Timed Automata
,
,
,
, ,
,
. . . . . .
Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], …
– 32 –
Fully Symbolic Model CheckingFully Symbolic Model Checking
Symbolically represent sets of signal assignments with corresponding relations between timers
v1 ∨ v2∧
x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2
.
.
.
,
– 33 –
Our Approach to Fully Symbolic Model CheckingOur Approach to Fully Symbolic Model Checking [Seshia & Bryant, CAV[Seshia & Bryant, CAV’’03]03]
Based on algorithm given by Based on algorithm given by HenzingerHenzinger et al.et al.(1994)(1994)
Core model checking operationsCore model checking operations–– Image computation Image computation
Quantifier elimination in quantified difference logicQuantifier elimination in quantified difference logic–– Termination check Termination check
Satisfiability checking of difference logicSatisfiability checking of difference logic
Our Approach: Use Boolean encodingsOur Approach: Use Boolean encodings–– Quantified difference logic Quantified difference logic
Quantified Boolean logicQuantified Boolean logic–– Difference logic Difference logic Boolean logicBoolean logic–– Use Use BDDsBDDs, SAT solvers, SAT solvers
– 34 –
Example: Termination CheckExample: Termination Check
Have we seen all reachable states of the Have we seen all reachable states of the systems?systems?
SatisfiabilitySatisfiability solving in Difference Logicsolving in Difference Logic
⊆
?
– 35 –
Solving Difference Logic via SATSolving Difference Logic via SAT
x ≥ y ∧ y ≥ z ∧ z ≥ x+1
e1 ∧ e2 ⇒ ¬e3
∧Overall Boolean Encoding
Transitivity Constraint
e1
y ≥ z
z ≥ x+1
x ≥ y
e2
e3
e1 ∧ e2 ∧ e3
– 36 –
A More Realistic SituationA More Realistic Situation
∨
∧¬
∨
∧
∨
.
.
.
x ≥ y
y ≥ z
z ≥ x+1
x ≥ y ∧ y ≥ z ∧ z ≥ x+1 ∧ . . . is a term in the SOP (DNF)
– 37 –
Talk OutlineTalk Outline
Motivating Problem: Verifying SelfMotivating Problem: Verifying Self--Timed Timed CircuitsCircuits
Generalized Relative TimingGeneralized Relative Timing
Circuits Circuits Timed AutomataTimed Automata
Model Checking Timed AutomataModel Checking Timed Automata
Case StudiesCase Studies
Future Directions & Related ResearchFuture Directions & Related Research
– 38 –
Case StudiesCase Studies
Global STP CircuitGlobal STP Circuit–– SelfSelf--resetting domino resetting domino cktckt. in Pentium. in Pentium--4 ALU4 ALU–– Analyzed published Analyzed published cktckt. . [Hinton et al., JSSC[Hinton et al., JSSC’’01]01]
GasPGasP FIFO Control FIFO Control [Sutherland & Fairbanks, ASYNC[Sutherland & Fairbanks, ASYNC’’01]01]
STAPL LeftSTAPL Left--Right Buffer Right Buffer [[NystromNystrom & Martin, & Martin, ’’02]02]
STARI STARI [[GreenstreetGreenstreet, , ’’93]93]
– 39 –
Footed and Unfooted Domino InvertersFooted and Unfooted Domino Inverters
– 40 –
Global STP Circuit (simplest version at gate-level)Global STP Circuit (simplest version at gate-level)
ck
out
↑↑ ↑ ↑↑
↑
↑res
– 41 –
Global STP Circuit: Sample ConstraintGlobal STP Circuit: Sample Constraint
ck
out
↑↑ ↑ ↑↑
↑
↑res
ck
res
↑
ckck →→ ckck ≺≺ resres↑ ↑
– 42 –
Global STP Circuit: An ErrorGlobal STP Circuit: An Error
ck
out
↑
↑
rs
↑
We want: red < blue7 transitions < 5 transitions
– 43 –
Comparison with ATACSComparison with ATACS
Model checking for absence of shortModel checking for absence of short--circuitscircuits
CircuitCircuit Number Number of Signalsof Signals
Time for our model checker, Time for our model checker, TMV (in sec.)TMV (in sec.)
Global Global STPSTP 2828
6060
3030
66.3266.32
GasPGasP--10 10 stagesstages 26.1026.10
STAPLSTAPL--3 3 stagesstages 278.05 278.05
ATACS did not finish within 3600 sec. on any
– 44 –
Comparison with ATACS on STARIComparison with ATACS on STARI
– 45 –
Related WorkRelated Work
ModelingModeling–– GateGate--level Metric Timinglevel Metric Timing
Timed Petri Nets, TEL, Timed Petri Nets, TEL, …… [Myers, [Myers, YonedaYoneda, et al.], et al.]Timed AutomataTimed Automata--based based [[MalerMaler, , PnueliPnueli, et al.], et al.]
–– Chain Constraints Chain Constraints [[NegulescuNegulescu & & PeetersPeeters]]–– Relative Timing Relative Timing [Stevens et al.][Stevens et al.]
Lazy transition systemsLazy transition systems [Pena et al.][Pena et al.]–– Symbolic Gate Delays Symbolic Gate Delays [[ClarisoClariso & & CortadellaCortadella]]
VerificationVerification–– For circuits, mostly restricted to just symbolic For circuits, mostly restricted to just symbolic
techniques techniques [e.g., ATACS][e.g., ATACS]
– 46 –
Talk OutlineTalk Outline
Motivating Problem: Verifying SelfMotivating Problem: Verifying Self--Timed Timed CircuitsCircuits
Generalized Relative TimingGeneralized Relative Timing
Circuits Circuits Timed AutomataTimed Automata
Model Checking Timed AutomataModel Checking Timed Automata
Case StudiesCase Studies
Future Directions & Related ResearchFuture Directions & Related Research
– 47 –
SummarySummary
Leverage Boolean Methods for Timed SystemsLeverage Boolean Methods for Timed Systems–– Modeling: Modeling: generalized relative timinggeneralized relative timing–– Verification: Verification: fully symbolic model checkingfully symbolic model checking
Using Using BDDsBDDs, SAT, SAT
Demonstrated Application: Modeling and Demonstrated Application: Modeling and Verifying SelfVerifying Self--Timed Circuits Timed Circuits
– 48 –
Future Directions: Model GenerationFuture Directions: Model Generation
Timed System
Model
Needs to be automated
Main Challenge: Automatic generation of timing constraints
Idea: Machine learning from simulated runs (successful and failing)
– 49 –
Future Directions: New ApplicationsFuture Directions: New Applications
Distributed RealDistributed Real--time Embedded Systemstime Embedded Systems–– E.g., sensor networksE.g., sensor networks–– Operate asynchronouslyOperate asynchronously–– Lots of concurrencyLots of concurrency–– Timeliness importantTimeliness important
Will generalized relative timing work for this Will generalized relative timing work for this application?application?
– 50 –
Related Research ProjectRelated Research Project
UCLIDUCLID–– Modeling & Verifying InfiniteModeling & Verifying Infinite--State SystemsState Systems–– Focus: Integer arithmetic, Data Structures (arrays, Focus: Integer arithmetic, Data Structures (arrays,
memories, queues, etc.), Bitmemories, queues, etc.), Bit--vector operations,vector operations,……–– Applications: Program verification, Processor Applications: Program verification, Processor
verification, Analyzing security propertiesverification, Analyzing security propertiesE.g., detecting if a piece of code exhibits malicious E.g., detecting if a piece of code exhibits malicious behavior (worm/virus)behavior (worm/virus)
Also based on Boolean MethodsAlso based on Boolean Methods–– Problems in firstProblems in first--order logic translated to SATorder logic translated to SAT
Programming Systems seminar, Oct. 24 Programming Systems seminar, Oct. 24 ’’0505
– 51 –
Thank you !
More information atMore information athttp://http://www.eecs.berkeley.edu/~sseshia/research.htmlwww.eecs.berkeley.edu/~sseshia/research.html