Logic in Automatic Verification

Transcription

1 Logic in Automatic Verification Javier Esparza Sofware Reliability and Security Group Institute for Formal Methods in Computer Science University of Stuttgart Many thanks to Abdelwaheb Ayari, David Basin, Armin Biere, Paul Gastin and Denis Oddoux

2 Automatic verification The dream: feed a machine with a system and a specification push a button get yes or no, because... In this talk: three small examples of application of decision procedures for logics to this problem SAT / QBF Temporal logics Monadic second order logics 2

3 Verifying adders with boolean logic

4 Modelling circuits with QBL Gates as boolean formulas Stable states as satisfying truth assignments a not b a b and c a b or c a b xor c not(a, b) a b and(a, b, c) (a b) c or(a, b, c) (a b) c xor(a, b, c) (( a b) (a b)) c 3

5 Combine gates with, (and renaming of variables) x y a b R d c w b c a R2 d q R r s R(x, y, q, r, s) = w. R (x, y, w, q) R 2 (y, w, r, s) 4

6 A full adder cout cin a b s... a b cin w w2 w3 s cout full adder(a, b, s, cin, cout) w, w 2, w 3. xor(a, b, w ) xor(w, cin, out) and(a, b, w 2 ) and(cin, w, w 3 ) or(w 3, w 2, cout) 5

7 An n-bit ripple-carry adder c 2 c cin (= 0) a 2 a a 0 + b 2 b b 0 cout s 2 s s 0 Wire together n -bit adders where ith carry-out is i+st carry-in, first carry is the carry-in and last is the carry-out. cout b2 a2 b a b0 a0 adder adder adder c2 s2 s s0 c cin c0 6

8 We obtain the formula adder n (a 0,..., a n, b 0,..., b n, s 0,..., s n, cin, cout) Problem: too slow!! c 0,..., c n. (c 0 cin) (c n cout) n i= full adder(a i, b i, s i, c i, c i+ )) Each c i can only be computed after all of c i,..., c 0 have been computed Delay: 2n + 2 time units for n-bit numbers 7

9 A carry-look-ahead n-adder Compute all of c n,..., c 0 (and cout) concurrently First step: given a n... a 0 and b n... b 0, identify the i [0, n ] that are Generating: c i+ independently of c i. These are the positions such that = g i and(a i, b i ). Propagating: c i+ c i, i.e., c i is propagated to c i+. These are the positions such that = p i xor(a i, b i ) Observe: all g i, p i can be computed simultaneously Second step: compute the c i s by c i g i (p i g i ) (p i p i g i 2 )... (p i p i... g 0 ) Logarithmic delay in n using balanced -trees and -trees Delay depends on tree structure. For 64 bits: units (instead of 30) 8

10 Description of the circuit cin RootCell cout NodeCell NodeCell NodeCell LeafCell LeafCell LeafCell LeafCell a0 b0 s 0 a b s a2b2 s2 a3b3 s 3 9

11 Description of the circuit II f f 2 e e 2 z z2 s a b LeafCell circuit x 2 x circuit y 2 y f f e e 2 2 cin cout f f e e 0 2 NodeCell circuit 2 f f e e 2 f f 2 e e 2 RootCell circuit 0

12 Verification of the carry-look-ahead n-adder Check if adder n (a 0,..., a n, b 0,..., b n, s 0,..., s n, cin, cout) cla n (a 0,..., a n, b 0,..., b n, s 0,..., s n, cin, cout) Use SAT solvers or QBF solvers Results of the SAT 2002 competition on a variant of this problem: Task was to compare 2, 4, 8,..., 256 bits adders (8 problems) From 26 variables and 70 3CNF clauses to 4584 variables and 3226 clauses Fastest solver (Zchaff) checked all 8 problems in 4 seconds More info at Rule-of-thumb: circuits with some hundreds of gates are routinedly solved

13 Verifying mutual exclusion algorithms with propositional temporal logics

14 The mutual exclusion problem The setting: Two computers connected to a database (e.g., of plane bookings) Can communicate with each other through shared variables (i.e., variables that both can read and write) Both computers run a program having a critical section, from which the program can update the database records The problem: design the program run by the computers so that At any time, at most one computer can be in the critical section If a computer wishes to enter the critical section, it eventually will These properties still hold if any of the computers breaks down in the non-critical section Observe: not an input/output system! 2

15 A solution due to Peterson var flag[0], flag[] : {true, false} init false; var turn : {0,}; while true do s 0 non-critical section s flag[0] := true; s 2 turn := ; s 3 while (flag[] and turn=) skip ; s 4 critical section s 5 flag[0] := false; od while true do r 0 non-critical section r flag[] := true; r 2 turn := 0; r 3 while (flag[0] and turn=0) skip ; r 4 critical section r 5 flag[] := false; od 3

16 Linear-time temporal logic (LTL) Built on top of a set AP of atomic propositions World: valuation of the atomic propositions over {true, false} Formulas of LTL interpreted over runs: infinite sequences of worlds Notation: run ρ = ρ 0 ρ ρ 2... suffix ρ i = ρ i ρ i+ ρ i

17 Type Formula ρ = ϕ iff... Intuition atomic p p is true at ρ 0 p holds now boolean ϕ ρ = ϕ ϕ ψ ρ = ϕ or ρ = ψ temporal X ϕ ρ = ϕ ϕ holds next F ϕ ρ i = ϕ for some i N eventually ϕ G ϕ ρ i = ϕ for all i N always ϕ ϕ U ψ there is i N such that ρ i = ψ and ρ j = ϕ for all 0 j < i ϕ until ψ 5

18 Application to the mutex algorithm Atomic propositions: flag[0] = true, at s 4,... The program satisfies a property if all its runs (executions) satisfy it The mutual exclusion property: G( at s 4 at r 4 ) If computer 0 wants to enter the critical section, it eventually will: G(flag[0] = true F at s 4 ) But this property does not take breakdowns out of the non-critical section into account... 6

19 Dealing with breakdowns Introduce propositions last 0, last saying which computer did the last step No breakdowns for computer 0: G F last 0 No breakdowns for computer 0 but possibly in the non-critical section: G F last 0 F G at s 0 The final property to be checked: (G F last 0 F G at s 0 ) (G F last F G at r 0 ) = G(flag[0] = true F at r 4 ) G(flag[] = true F at s 4 ) 7

20 Automatic verification The model-checking problem: whether all runs of the algorithm satisfy a given LTL formula Can be algorithmically solved in three steps (Vardi, Wolper 85): Construct a Büchi automaton for the negation of the formula (decision procedure for satisfiability) Construct the product of this automaton and the state space of the system Check emptyness of the product Linear complexity in the number of states of the program, exponential complexity in the size of the formula Formula verified in less than one second with Holzmann s SPIN checker ( 8

21 Automaton for the formula LTL2BA by Gastin and Oddoux ( oddoux/ltl2ba/) Quite sophisticated: formula alternating Büchi generalized Büchi Büchi, with simplification heuristics at each step The automaton for the negation of the formula has 36 states 9

22 Verifying parameterized adders with monadic second order logics

23 WSS : weak MSO logic of one successor First order variables p, q,... interpreted over N Second-order variables X, Y,... interpreted over finite subsets of N φ ::= p = s(q) p X φ φ φ p. φ X. φ 20

24 Definitions (Sample) φ φ 2 ( φ φ 2 ) p. φ p. φ X(p) p X X(0) p. ( q. p s(q)) X(p) X(p + n) p,..., p n. p = s(p)... p n = s(p n ) X(p n ) x = y X. X(x) X(y) x y X. (X(y) z, w. (X(z) s(w) = z X(w)) X(x)) x < y x y (x = y) 2

25 WSS as a logic of binary strings Second-order variables interpreted as strings over {0, } First-order variables interpreted as positions in the string X(p) holds iff string X has a at position p Formula φ with free variables determines a language L(φ) 0 L(X() X(3)) 0 L(X() X(3)) n free variables in φ determine language over {0, } n p. p < 4 (X(p) Y (p)) X 0 0 Y 0 0 L(φ) and X 0 Y / L(φ) 22

26 Examples p, q. p q X(p) X(q) X is a string with a in at least 2 positions, e.g., 0000 p. ( q. p s(q)) X(p) X is a string whose initial letter is p. X(p) Y (s(p)) Y is X right-shifted position, e.g.,

27 Well-known results Satisfiability of WSS is decidable in non-elementary time (each quantifier alternation adds one exponential) The language L(φ) is regular A finite automaton accepting L(φ) can be computed directly from φ 24

28 Modelling the family of ALL ripple-carry adders Recall the formula for a ripple carry n-adder adder n (a 0,..., a n, b 0,..., b n, s 0,..., s n, cin, cout) c 0,..., c n. (c 0 cin) (c n cout) n i=0 We construct the WSS formula adder(n, A, B, S, cin, cout) full adder(a i, b i, s i, c i, c i+ ) C. (C(0) cin) (C(n) cout) p. p < n full adder(a(p), B(p), S(p), C(p), C(p + )) p. p n ( A(p) B(p) S(p)) 25

29 A model of adder(a, B, S, cin, cout) A B S n = 4 cin = 0 cout = 0 The set of models of adder is the union of all the sets of models of adder n 26

30 WS2S : weak MSO logic of two successors Seen as a logic over binary trees Second-order variables interpreted as trees over {0, } First-order variables interpreted as positions (nodes) in the tree Example: X(ɛ) ( p. X(s 0 (p)) X(s (p))) p. Y (s 0 (p)) Y (s (p)) X contains the root node ɛ, and a node p is in X iff its brother is also in X, and for any node p, Y contains at most one of p s successors 27

31 Models A model of a formula with n free variables is a superposition of trees over B, i.e., a tree whose nodes are labelled with elements of {0, } n The tree is a model of X(ɛ) ( p. X(s 0 (p)) X(s (p))) p. Y (s 0 (p)) Y (s (p)) 28

32 Modelling the family of ALL carry-look-ahead adders cin RootCell cout NodeCell NodeCell NodeCell LeafCell LeafCell LeafCell LeafCell a0 b0 s 0 a b s a2b2 s2 a3b3 s 3 29

33 The family can be modelled by the formula cla(a, B, S, cin, cout) T, E, E 2, F, F 2 RootCell(F, F 2, E, E 2, cin, cout) ( p.(leaf(p, T ) LeafCell(A, B, S, F, F 2, E, E 2, p)) (node(p, T ) NodeCell(F, F 2, E, E 2, p))) shape cond(a, B, S, T ) 30

34 Verification of a parameterized cla-adder Check validity of A, B, S, cin, cout. adder(a, B, S, cin, cout) cla(a, B, S, cin, cout) (Requires to embed WSS into WS2S) Checked in second by MONA (Mona at mona) Restrictions: only array or tree structures only one parameter (two parameters quantification on binary relations) 3

35 Conclusions : no conclusions, just examples! 32

36 Conclusions No conclusions, just examples! 33