Ranking Verification Counterexamples: An Invariant guided approach

Transcription

1 Ranking Verification Counterexamples: An Invariant guided approach Ansuman Banerjee Indian Statistical Institute Joint work with Pallab Dasgupta, Srobona Mitra and Harish Kumar

2 Complex Systems Everywhere Hall of Shame Polar Lander logic-error Rover (2004) file-system error Therac-25 Radiation error Entertainment Alice Airbus Control systems, hardware and software, with many sensors, signal & data processing algorithms, communications over networks Rigorous Verification and Validation indispensable

3 Verification dominates Design

4 Dimensions of the verification challenge Discrete Continuous Hybrid Non-Linear Satisfiability Synthesizability Coverage System Type Core Problems Formal specs Boolean Logic Temporal Logic FSM Equations Hybrid Automata Timing validation Reliability validation Protocol validation Architecture validation Unit Cluster Power validation Microcode validation System Formal Verification Task: Verify if a system design meet its specification Standard Testing methods losing steam (system dynamics, stochastic, non-linear, mixed, thousands of states.)

5 Verification using simulation Huge number of possible scenarios Infeasible to simulate or test all scenarios What to do with those scenarios that could not be tested?

6 And then came Formal.. n And then came formal Symbolic SAT-based Exhaustive verification There is a mathematical way of checking everything

7 Formal Verification Formal properties P Specification M Implementation Formal Verifier True False Counterexample To prove mathematically that the machine M satisfies its specification P M is typically a finite state machine P is typically a set of formal properties capturing the design intent State of technology Significant body of literature Widely used in hardware-software industry Language standards + wide arsenal of tools Becoming mandatory in railway and automotive safety standards

8 The promise of Formal Verification An algorithm which takes as input (a) a model of a system A and (b) a property P and terminates with output (c) a proof that all the behaviors of A satisfy P OR (d) a particular behavior of A that violates P Recognitions: 2 Turing Awards 1996: Amir Pnueli) 2008: Clarke & Emerson Examples: 1. A: model of autonomous vehicle P: always stays on the road 2. A: model of a traffic control system P: vehicles do not collide Is completely automatic A P Verification Algorithm A satisfies P Trace of A violating P

9 Formal Verification of Reactive Systems Formal properties P Specification Reactive systems interact with the outside world True World M Model Checker False Implementation Counterexample Stringent requirement (useful only is specific cases) M must satisfy its specification P under all worlds More practical requirement M must satisfy its specification P under all valid worlds What is a valid world?

10 An Example: Railway Signaling Specification: P Signal S1 should not be green when there is a train on the route between S2 and S3. (International Railway Signaling Principles) The world consists of assumptions on the arrival / movement patterns of trains Signals Signaling System: M Track circuits S1 S2 S3 route overlap

11 An example: Automotive Control Requirement: All doors must remain locked when the speed is above 200 kmph Control action: Lock all doors when speed crosses 150 kmph Environment actions: Start ignition, Increase speed, Decrease speed, etc 11

12 Formal Verification with assumptions Capturing the world is one of the hardest challenges in this subject, because We have only informal knowledge about the world The world is too big and hence we are forced to work with an informal summary of the environment Verification with an universal world assumption is computationally infeasible, for any realistic system

13 Assumptions about the world Assert properties: P Specification True Implementation M Model Checker False Counterexample Assume properties: A Assumptions about the world Does M satisfy P under all worlds that satisfy A?

14 On weak and strong assumptions World M Assumptions = Constraints on the world What happens if the assumptions over-constrain the world? Real world may admit behaviors that are prevented by the assumptions We cannot determine whether M fails in one of those scenarios What happens if the assumptions are weak? Assumptions allow scenarios which do not happen in the real world If M fails in one of these scenarios, then we get a fictitious counterexample

15 Assumption Refinement Implementation + Properties + Assumptions Formal verifier Strengthen assumptions PASS? no yes counterexample analysis no Real Cex? yes

16 A Real problem [courtesy Intel] Difficult to verify the entire logic using model checking / testing Enormous state space / too many scenarios FUs Modular Verification / Unit testing Validate the units in isolation OpenSPARC T1 SPARC core

17 The Problem Problem: To verify the implementation of FU 1 FU 2 FU k... a unit functionality is bug-free Given: The implementation of the module B The requirement P on B To determine: Whether B satisfies P D I B B P O B under all valid scenarios admitted by the encompassing logic D

18 The counterexample ranking problem FU 1 FU 2 FU k... Assertion P Unit D I B B O B Logic B embedded inside a large glue logic D Formally verifying P on D typically does not scale Formally verifying P on B in isolation throws up hundreds of counter-examples Many are fictitious Main problem: Determining whether a counter-example is real is not easy because we need to find how to drive it through D

19 An intuitive example from the software world

20 The Counterexample Ranking Problem

21 Counterexample Ranking Objective: Rank the counterexamples produced by the verifier such that Counterexamples are grouped into families having similar rankings Counterexamples belonging to higher ranked families are more likely to be real than the lower ranked ones Present counterexamples to the designer in decreasing order of ranks

22 Counterexample ranking flow World (D) Implementation (B) + assert property (P) assumption miner model checker assume properties assume properties with belief PASS? no yes rank counterexample based on conflict with assume properties block the cex family

23 Counterexample Ranking FU 1 FU 2 FU k... D I B B P O B Bug Fix A 3-Step Strategy 1. Assumption Mining: Mine assume properties s over the interface of B from simulation traces on D Assumptions capture the effect of D on B 2. Assumption Weighting: Assign belief values to assume properties based on evidence received in support 3. Counterexample Ranking: Counterexamples which contradict assume properties of high belief are given lower ranks

24 A relevant challenge Rank counterexamples without actually generating all of them Approach: Create counterexample families based on sets of assume properties they contradict Ensure that a counterexample from the same family is not generated again

25 Step 3: Counterexample ranking FU 1 FU 2 FU k... D I B B P O B Bug Fix Given: A counterexample C produced by model checking P on B A set of assume properties A = {A i } on the signals of B Belief values Bel (A i ) associated with each assume property A i A, where 0 A i 1 Objective: To compute the confidence on C Rank all counterexamples

26 Confidence on a counterexample To compute the confidence on counterexample, C 1. Identify the assumptions A C that conflict with C 2. Confidence on C: = 1.0 if A C is empty = (1 Bel (A j )) Aj A C Justification If any of the assume properties in A C is valid, then C, which contradicts it, cannot be real C can be real if each assume property in A C is not valid Bel (A j ) is the belief that A j is valid based on evidence We compute the probability assuming assumptions are independent

27 An Example Assume properties A1:if (ACVQN3 is 1, n146 should be 0 in the next cycle A4: If n184 is 1, n99 should be 0 in the next cycle A8: If n184 is 0, n99 should be 0 in the next cycle A9: if n156 is 1, n91 should be 0 in the next cycle A12: if n123 is 1 followed by n180 as 1 and n217 as 0, we have n137 as 0 in the next cycle;

28 Counterexample Confidence illustrated A4, A8 and A9 are the assumptions which fail on C A C = {A4,A8,A9} Confidence on C computed as (1 Bel(A4))*(1 Bel(A8)) *(1 Bel(A9))

29 Ranking Counterexample Families Counterexample family: Counterexamples which refute the same set of assume properties For 2 sets of assume properties A1 and A2 If A1 A2, counterexamples which refute all members of A2 also refute all members of A1 Counterexamples refuting A2 have lower confidence than those refuting A1 Once a counterexample is found around a set of assumes Can discard supersets of these assumes Strategy: After finding the first counterexample C, model check P on B in presence of the disjunction of all assumes in A C to prevent Counterexamples from same family as C Counterexamples from supersets of A C (lower confidence)

30 Step-1: Assumption Mining We use decision tree learning for mining assumptions from simulation traces of D Uses learning to analyze simulation traces Assumption mining done with an objective of maximizing information gain Mined properties are bounded sequential expressions A mined invariant is a SVA property of the form: Ψ Φ Ψ is a bounded temporal logic expression over set of signals in D Φ is a literal from the input signals of B

31 Assumption Mining: Considerations Two important considerations for the miner Assume properties needed at the interface of B, on the inputs of B Bias the miner Upper bound on assume sequential depth Assumes with smaller sequential depth are fewer in number but more reliable Spurious invariants are more likely of more depth

32 Step-2: Assumption Weighting Mined assume properties are reported as invariants No evidence of Φ on traces satisfying Ψ Belief based on the coverage of relevant scenarios Belief, Bel(P), on a mined property, P of the form: Ψ => Φ is defined as the fraction of Ψ-satisfying valuations of the signals affecting Φ that has been seen in the simulation traces Example: Set of 4 signals {y1, y2, y3, y4} y1 ##1 y2 => y4; Ψ = (y1##1y2), is satisfied in 2 3 * 2 3 = 2 6 = 64 valuations Simulation has seen 48 of these 64 (y4 true in all of them) Our belief on the invariant is 48/64 = 0.75

33 Counterexample Confidence illustrated Counterexample ranking: A4, A8 and A9 are the assumptions which fail on C A C = {A4,A8, A9} Assumption weighting: antecedents of A4, A8 and A9 can be matched in 2 11 = 2048 ways Number of distinct matches found in the traces for the antecedents of A4 and A8 were respectively 43, 187 and 1320 Bel(A4) = 43/2048, Bel(A8) = 187/2048, Bel(A9) = 1320/2048 Confidence on C computed as (1 Bel(A4))*(1 Bel(A8))*(1 Bel(A9))

34 Ranking using component level traces Available Simulation traces not global traces on the whole of D Scattered simulation traces on individual modules surrounding B Assumptions cannot be mined directly on the interface of B We need to determine the following: dependences between the signals present on the interfaces of different surrounding modules of B dependences between different mined assumptions from the different modules We assign a confidence to a given counterexample trace, using probabilistic reasoning in a Bayesian network

35 Illustration on Example M2 a d B b c M1 Cex Trace t a b c Module M1: A1: b && Xc => XXd Belief: bel1 Module M2: A2: d => Xa Belief: bel2 Query : P ( (a0 = 0) & (b0 = 1) & (c0 = 0) &. & (a3 = 1) & (b3 = 1) & (c3 = 1) =? a0 b0 c0 d0 a1 b1 c1 d1 d0 a1 = 1 a1 = 0 a2 b2 c2 d2 0 x 1 - x 1 bel2 1 bel2 a3 b3 c3 d3

36 Tool Flow

37 Experimental Setup Assumption miner: Implemented in-house in C++ Model-checker: Magellan from Synopsys Verilog Simulator: VCS from Synopsys Counterexample clustering and ranking: Implemented in-house in C++ and C- shell script Evaluation: test-cases of various representative sizes from the ISCAS-89 benchmark circuits and OpenSPARC

38 Counterexample Confidence Plotted Real: + Spurious: X

39 Verification ISI: Focus Areas Logic Assertion Mining Semi-formal flows Formal Methods Cache efficient verification Algorithms Distributed implementations CAD Tools Research High Performance Computing Constraint Solvers (AI, Learning, Architecture) Software Verification Efficient Procedures Probabilistic verification

40 Thank you very much!! Home: