Easy Parameterized Verification of Biphase Mark and 8N1 Protocols

Similar documents
Satisfiability Modulo Theories Applications and Challenges

Introduction to SMT Solving And Infinite Bounded Model Checking

The Formal Verification of a Reintegration Protocol

SMT Solvers: A Disruptive Technology

Abstractions and Decision Procedures for Effective Software Model Checking

ERTS 06; Toulouse January

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

The TLA + proof system

A Brief Introduction to Model Checking

Vinter: A Vampire-Based Tool for Interpolation

HybridSAL Relational Abstracter

Predicate Abstraction: A Tutorial

Ranking Verification Counterexamples: An Invariant guided approach

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

Applications of Craig Interpolants in Model Checking

Bounded Model Checking and Induction: From Refutation to Verification

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Bounded Retransmission in Event-B CSP: a Case Study

Towards Lightweight Integration of SMT Solvers

Efficient Verification of Multi-Property Designs. The benefit of wrong assumptions (E. Goldberg, M. Güdemann, D. Kroening, R.

Time-Aware Abstractions in HybridSal

The algorithmic analysis of hybrid system

Modeling 8N1 Protocol with Uppaal

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Model Checking: An Introduction

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

IMITATOR: A Tool for Synthesizing Constraints on Timing Bounds of Timed Automata

Binary Decision Diagrams and Symbolic Model Checking

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Formal Verification of McMillan s Compositional Assume-Guarantee Rule

Computer Science Laboratory, SRI International. Hybrid Systems. Ashish Tiwari SRI International

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Tutorial 1: Modern SMT Solvers and Verification

CEGAR:Counterexample-Guided Abstraction Refinement

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

CS357: CTL Model Checking (two lectures worth) David Dill

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Predicate Abstraction in Protocol Verification

University of Surrey. Bounded Retransmission in Event-B CSP: A Case Study. Steve Schneider, Helen Treharne and Heike Wehrheim

A Formal Model of Clock Domain Crossing and Automated Verification of Time-Triggered Hardware

Decomposing Specifications of Concurrent Systems

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Automata-Theoretic Model Checking of Reactive Systems

Modeling & Control of Hybrid Systems. Chapter 7 Model Checking and Timed Automata

Formal Verification of Systems-on-Chip

SMT BASICS WS 2017/2018 ( ) LOGIC SATISFIABILITY MODULO THEORIES. Institute for Formal Models and Verification Johannes Kepler Universität Linz

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Appendix B. Review of Digital Logic. Baback Izadi Division of Engineering Programs

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Software Verification

Model checking the basic modalities of CTL with Description Logic

A new Abstraction-Refinement based Verifier for Modular Linear Hybrid Automata and its Implementation

Incremental Proof-Based Verification of Compiler Optimizations

Integrating Induction and Deduction for Verification and Synthesis

SAT in Formal Hardware Verification

The Eager Approach to SMT. Eager Approach to SMT

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

IC3 and Beyond: Incremental, Inductive Verification

Automatic Synthesis of Distributed Protocols

arxiv: v1 [cs.lo] 29 May 2014

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

An Interpolating Theorem Prover

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Synthesizing from Components: Building from Blocks

SAT-Based Verification with IC3: Foundations and Demands

Postprint.

Computer Science and State Machines

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Lecture Notes on Software Model Checking

Formal Verification of Systems-on-Chip Industrial Practices

Deductive Verification

Lecture 2: Symbolic Model Checking With SAT

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

Software Verification with Abstraction-Based Methods

NCS Lecture 11 Distributed Computation for Cooperative Control. Richard M. Murray (Caltech) and Erik Klavins (U. Washington) 17 March 2008

Generalized Property Directed Reachability

Symmetry Reduction and Compositional Verification of Timed Automata

EECS150 - Digital Design Lecture 23 - FSMs & Counters

1 Reed Solomon Decoder Final Project. Group 3 Abhinav Agarwal S Branavan Grant Elliott. 14 th May 2007

Timed Automata VINO 2011

An introduction to Uppaal and Timed Automata MVP5 1

Automata, Logic and Games: Theory and Application

Revising UNITY Programs: Possibilities and Limitations 1

Verifying Data Independent Programs Using Game Semantics

Monitoring Distributed Controllers

MONOTONIC ABSTRACTION (ON EFFICIENT VERIFICATION OF PARAMETERIZED SYSTEMS)

Sanjit A. Seshia EECS, UC Berkeley

Horn Clauses and Beyond for Relational and Temporal Program Verification

A Concurrency Problem with Exponential DPLL(T ) Proofs

Integrating Induction, Deduction and Structure for Synthesis

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Formal Methods and Theorem Proving Using PVS

Model Checking. Boris Feigin March 9, University College London

Topics in Model-Based Reasoning

Deciding Boolean Algebra with Presburger Arithmetic

Lecture 1: Introduction to Embedded System Verification CS/ECE584. September 4 th 2012 Sayan Mitra

Interpolant-based Transition Relation Approximation

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University

Transcription:

Easy Parameterized Verification of Biphase Mark and 8N1 Protocols Geoffrey M. Brown, Indiana University geobrown@cs.indiana.edu Lee Pike (Presenting), Galois Connections 1 leepike@galois.com March 27, 2006 1 Some of this work was performed while this author was at the NASA Langley Research Center.

Prelude This paper was published in TACAS, 2006. Extensions to this work were presented at DCC, 2006. This paper is an application of SMT possibly of interest to the PDPAR community because It is a real-world verification with an 2-3 orders-of-magnitude simpler proof than previously-published proofs. It demonstrates the power of SMT-enabled infinite-state induction. Warning: not a theory paper.

Application: Biphase Mark and 8N1 Protocols Biphase Mark Protocol (BMP) Used for data transmission in CDs and ethernet, for example. 8N1 Protocol Used in UARTs.

Biphase Mark Protocol (BMP) Data 1 1 0 1 0 0 1 1 1 0 1 1 Clock BMP

Unreliable Sampling

What Makes This Hard? We re crossing clock domains.... With different phases, frequencies, and settling times and stable periods... And error in these parameters due to jitter, signal skew, distortion, etc. And we want a parameterized verification. So we want to prove correct behavior under general constrains on the parameters.

An Informal Comparison to the Past One PVS effort required 37 invariants and 4000 individual proof directives (before optimizing the proofs). Ours required five invariants, each of which is proved automatically by SAL. In the other PVS effort, it takes 5 hours for PVS to check the manually-generated proof scripts. Ours requires just a few minutes to generate the proofs. J. Moore reports the BMP verification as one of his best ideas in his career. 2 Our initial effort in SAL took a couple days....and we found a significant bug in a UART application note. 2 http://www.cs.utexas.edu/users/moore/best-ideas/

What s Needed for Easy Parameterized Verification? Induction via infinite-state bounded model-checking Expressive modeling language (SAL) Easy generation of invariants k-induction Disjunctive invariants

Induction (over Transition Systems) Let S, S 0, be a transition system. For safety property P, show Base: If s S 0, then P(s); Induction Step: If P(s) and s s, then P(s ). Conclude that for all reachable s, P(s).

k-induction Generalization Generalize from single transitions to trajectories of fixed length. For safety property P, show Base: If s 0 S 0, then for all trajectories s 0 s 1... s k, P(s i ) for 0 i k; IS: For all trajectories s 0 s 1... s k, If P(s i ) for 0 i k 1, then P(s k ). Conclude that for all reachable s, P(s). Induction is the special case when k = 1.

Induction States P(s) Reachable states

k-induction States P(s) Reachable states

k-induction counter1: MODULE = BEGIN LOCAL cnt : INTEGER LOCAL b : BOOLEAN INITIALIZATION cnt = 0; b = TRUE TRANSITION [ b --> cnt = cnt + 2; b = NOT b [] ELSE --> cnt = cnt - 1; b = NOT b ] END; Thm1 : THEOREM counter1 - G(cnt >= 0); Circuit behavior: b = T F T F T F... cnt = 0 2 1 3 2 4... Thm1 fails for k = 1, succeeds for k = 2 (why?).

Disjunctive Invariants Disjunctive Invariants to weaken safety properties until they become invariant. General and interactive. Developed by Pneuli & Rushby, independently. A disjunctive invariant can be built iteratively to cover the reachable states from the counterexamples returned by SAL for the hypothesized invariant being verified.

Initial Attempt States I0 000000 111111 11111111 11111111 0 111111111 0 111111111 11111111 0000000 1111111 00000 11111 Reachable states I 0 Not invariant...

Generalization States I0 I1 000000 111111 11111111 11111111 0 111111111 000000 111111 11111111 11111111 0 111111111 0 111111111 11111111 0000000 1111111 00000 0 111111111 11111111 0000000 1111111 00000 11111 Reachable states I 0 I 1 Almost...

Invariant States I0 I1 000000 111111 11111111 11111111 0 111111111 000000 111111 11111111 11111111 0 111111111 000000 111111 11111111 11111111 0 111111111 0 111111111 0 1 11111111 0 1 0000000 1111111 00000 11111 0 111111111 11111111 0000000 1111111 00000 11111 0 111111111 I2 11111111 0000000 1111111 00000 11111 Reachable states I 0 I 1 I 2 There we go!

Disjunctive Invariants counter1: MODULE = BEGIN LOCAL cnt : INTEGER LOCAL b : BOOLEAN INITIALIZATION cnt = 0; b = TRUE TRANSITION [ b --> cnt = (-1 * cnt) - 1; b = NOT b [] ELSE --> cnt = (-1 * cnt) + 1; b = NOT b ] END; Thm2a : THEOREM counter2 - G(b AND cnt >= 0); Circuit behavior: b = T F T F T F... cnt = 0-1 2-3 4-5... Thm2a is our initial approximation...

Thm2b succeeds. Disjunctive Invariants... And fails Counterexample: SAL s output: Step 0: --- System Variables (assignments) --- cnt = 0 b = true ------------------------ Step 1: --- System Variables (assignments) --- cnt = -1 b = false ------------------------ Thm2b : THEOREM counter2 - G( (b AND cnt >= 0) OR (NOT b AND cnt < 0));

Paper Addendum and Challenge We were able to complete fully-parameterized proofs of both BMP and the 8N1 Protocol. We leave it as a challenge to the real-time model-checking communities, including TReX, HyTech, and Uppal, to reproduce these results for both protocols.

Current Work: Temporal Refinement in SAL Infinite-state k-induction is great, but... It s not compositional (between the real-time protocols and synchronous hardware). Idea: Start with a finite-state model of the cross-domain protocol. Prove safety properties over the finite-state model (using SMC). Prove that the real-time model is an implementation of the finite-state one. Abadi-Lamport style refinement over the guarded transitions. 3 Relatively easy for this class of protocols show refinement of the guards of the guarded transitions. 3 The Existence of Refinement Mappings, Theor. Comp. Sci., 82(2), 1991.

Final Thoughts on Real-Time Verification Using SMT We use what Leslie Lamport calls an explicit-time model 4 for real-time verification without a real-time model-checker. Some benefits: No new languages and simple semantics. SMT is extensible (the theory of arrays, lists, uninterpreted functions, etc.) Compositional with non real-time specifications. 4 CHARME, 2005

Getting our Specifications and SAL BMP and 8N1 Specs & Proofs http://www.cs.indiana.edu/ lepike/pub pages/bmp.html Google: Brown Pike BMP 8N1 SRI s SAL http://sal.csl.sri.com Google: SRI SAL...More coming (email if interested). Thanks to John Rushby, Leonardo de Moura, and our TACAS referees for their comments.

Appendix.

General System Architecture tx rx tclock rclock tenv tbit tready tenc tdata rdec rbit Just the encoder (tenc), decoder (rdec), and constraints are protocol-specific.

Timeout Automata 5 (Semantics) An explicit real-time model. Construct a transition system S, S 0, : A set of states S, mapping state variables to values. A set of initial states S 0 S. A partition on the state variables for S, and associated with each partition is a timeout t R. A set of transition relations, such that t associated with timeout t and is enabled if for all timeouts t, t t ( is the union of t for all t.) 5 B. Dutertre and M. Sorea. Timed systems in SAL. SRI TR, 2004.

Parameterized Timing Constraints SMT allows for parameterized proofs of correctness. The following are the parameters from the BMP verification: TIME : TYPE = REAL; TPERIOD : { x : REAL 0 < x }; TSETTLE : { x : REAL 0 <= x AND x < TPERIOD }; TSTABLE : TIME = TPERIOD - TSETTLE; RSCANMIN : { x: TIME 0 < x }; RSCANMAX : { x: TIME RSCANMIN <= x AND x < TPERIOD - TSETTLE}; RSAMPMIN : { x : TIME TPERIOD + TSETTLE < x }; RSAMPMAX : { x : TIME RSAMPMIN <= x AND x < 2 * TPERIOD - TSETTLE - RSCANMAX };

SAL s Language Typed with predicate subtypes. Infinite types (e.g., INTEGER and REAL). Synchronous (lock-step) and asynchronous (interleaving) composition ( and [], respectively). Quantification (over finite types). Recursion (over finite types).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback