
Reasoning about Timed Systems Using Boolean Methods

Sanjit A. Seshia, EECS, UC Berkeley

Joint work with Randal E. Bryant (CMU) and Kenneth S. Stevens (Intel, now U. Utah)

– 2 –

Timed System

A system whose correctness depends not only on its functionality (what results it generates), but also on its timeliness (the time at which results are generated).

– 3 –

Real-Time Embedded Systems

– 4 –

Self-Timed Circuits

– 5 –

Modeling & Verification

Timed System

Verify model

Model

– 6 –

Challenges with Timed Systems

State has 2 components:
– Boolean variables (V): model discrete state
– Real-valued variables (X): measure real time

Infinitely-many states
– Has a finite representation (regions graph)
– But grows worse than |X| |X|

– Verification is hard!

– 7 –

Modeling & Verification

Timed System

Verify model

Model

Self-Timed Circuit

Timed Automaton

Model Checking

– 8 –

Message of This Talk: Leverage Boolean Methods

Modeling
– Use Boolean variables to model timing, where possible

Verification
– Use symbolic Boolean representations and algorithms operating on them: Binary Decision Diagrams (BDDs), Boolean satisfiability solvers (SAT)

Why?
– Systems have complex Boolean behavior anyway
– Great progress made in finite-state model checking, SAT solving, etc. over last 15 years

– 9 –

Talk Outline

Motivating Problem: Verifying Self-Timed Circuits

Generalized Relative Timing

Circuits → Timed Automata

Model Checking Timed Automata

Case Studies

Future Directions & Related Research

– 10 –

Self-Timed (Asynchronous) Circuits

Many design styles use timing assumptions

[figure: spectrum of timing assumptions: Delay Independent, Relative Timing, Burst Mode, Gate-level Metric Timing]

Relative Timing [Stevens et al. ASYNC'99, TVLSI'03]: circuit behavior constrained by relative ordering of signal transitions, e.g.

u↑ ≺ v↑

– 11 –

Relative Timing (RT) Verification Methodology: 2 Steps

1. Check circuit functionality under timing assumptions
   Search the constrained state space: model checking

2. Verify timing assumptions themselves
   Size circuit path delays appropriately: static timing analysis

– 12 –

Pros and Cons of RT

Advantages:
+ Applies to many design styles
+ Incremental addition of timing constraints
+ No conservatively set min-max delays

Disadvantages:
– Cannot express metric timing
– More work to be done on verification
  Scaling up
  Validating timing constraints themselves

– 13 –

Our Contributions

Generalized RT
– Can express some metric timing

Applied Fully Symbolic Verification Techniques
– Model circuits using timed automata
  Metric timing modeled using real-valued variables
  Non-metric with Booleans

Performed Case Studies
– Including Global STP circuit (published version of Pentium-4 ALU ckt.)

[Seshia, Stevens, & Bryant, ASYNC'05]


– 15 –

Generalizing Relative Timing

[figure: the same spectrum of timing assumptions: Delay Independent, Relative Timing, Burst Mode, Gate-level Metric Timing]

– 16 –

Circuit Model

Variables (signals): v1, v2, …, vn

Events (signal transitions): ei is vi↑ or vi↓

Rules: Ei(v1, v2, …, vn) → ei (a Boolean guard over the signals that enables event ei)

Timing Constraints

– 17 –

Generalized Relative Timing (GRT) Constraint

Δ(ei, ej): time between ej and the previous occurrence of ei

Form of GRT constraint: Δ(ei, ej) ≤ Δ(ei', ek) + d

[timeline figure: ei … ej and ei' … ek, with the intervals Δ(ei, ej) and Δ(ei', ek) marked]

– 18 –

Special Case: Common Point-of-Divergence (PoD)

PoD constraint: Δ(ei, ej) ≤ Δ(ei, ek)

Written as: ei → ej ≺ ek

An RT constraint traced back to its source

[timeline figure: ei followed by ej and ek]

– 19 –

Example: Point-of-Divergence (PoD) Constraint

[circuit figure; the constraint is on the signal transitions marked in it]

c → ac ≺ b

– 20 –

Example: Metric Timing

Δ(data_in↑, data_in_aux↑) ≤ Δ(enable↑, trigger↑)

– 21 –

Do We Need Metric Timing?

Useful for modular specification of timing constraints

Also when delays are explicitly used

– 22 –

Verifying Generalized Relative Timing Constraints

Use static timing analysis to compute min-max path delays

To verify: Δ(ei, ej) ≤ Δ(ei', ek) + d

We verify that: max-delay(ei ⇝ ej) ≤ min-delay(ei' ⇝ ek) + d

(max-delay and min-delay are the longest and shortest path delays from the first event to the second; the check is sufficient, not necessary)
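The check on this slide carried out on a constructed gate-level delay graph, as an added example that is not from the talk: each edge carries a (min, max) delay, shortest and longest path delays between two events are computed over the DAG, and the sufficient condition max-delay(ei ⇝ ej) ≤ min-delay(ei' ⇝ ek) + d is evaluated. Node names, delays and helper names are assumptions.

```python
# Added example, not from the talk: the static-timing check of slide 22
# on a constructed gate-level delay graph. Every edge carries a
# (min, max) delay; shortest and longest path delays between two events
# are computed over the DAG and compared as
# max-delay(ei ~> ej) <= min-delay(ei' ~> ek) + d.
# Node names and delays are assumptions.
from functools import lru_cache

# Constructed network: node -> list of (successor, min_delay, max_delay).
# Events are identified with the nodes (signal transitions) they occur at;
# ei reaches ej over two paths and ek over one.
GRAPH = {
    "ei": [("g1", 1, 1), ("g2", 2, 3), ("g3", 4, 6)],
    "g1": [("g2", 1, 1)],
    "g2": [("ej", 1, 2)],
    "g3": [("ek", 1, 1)],
    "ej": [],
    "ek": [],
}


def path_delays(graph, src, dst):
    """(min_delay, max_delay) over all paths src -> dst, or None if dst is
    unreachable. Memoised recursion is enough because the graph is a DAG."""
    @lru_cache(maxsize=None)
    def rec(node):
        if node == dst:
            return (0, 0)
        best = None
        for nxt, lo, hi in graph.get(node, []):
            sub = rec(nxt)
            if sub is None:
                continue
            cand = (lo + sub[0], hi + sub[1])
            best = cand if best is None else (min(best[0], cand[0]),
                                              max(best[1], cand[1]))
        return best

    return rec(src)


def grt_holds(graph, ei, ej, ei2, ek, d=0):
    """Sufficient condition for Delta(ei, ej) <= Delta(ei2, ek) + d:
    max-delay(ei ~> ej) <= min-delay(ei2 ~> ek) + d.
    Returns (holds, slack) with slack = min-delay + d - max-delay."""
    a = path_delays(graph, ei, ej)
    b = path_delays(graph, ei2, ek)
    if a is None or b is None:
        raise ValueError("constraint names an event with no path from its source")
    slack = b[0] + d - a[1]
    return slack >= 0, slack
```

A negative slack is the margin by which the constrained path must be sped up (or the other slowed down) before the constraint can be admitted.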


– 24 –

Modeling Timed Circuits

Need to model: Rules ("Boolean" behavior) and Timing

Our formalism: Timed Automata [Alur & Dill, '90]
– Generalization of finite automata
– State variables:
  Boolean (circuit signals)
  Real-valued timers or "clocks" (impose timing constraints)
– Operations on timers: (1) compare with constant, (2) reset to zero

We model non-metric timing with Booleans

– 25 –

Enforcing Timing with Booleans

[circuit figure]

c → ac ≺ b

1. c sets a bit
2. ac resets it
3. b cannot occur while the bit is set

– 26 –

Enforcing Timing with Timer Variables

Δ(data_in↑, data_in_aux↑) ≤ Δ(enable↑, trigger↑)

• data_in↑ sets x1 to 0
• data_in_aux↑ must occur while x1 ≤ c
• enable↑ sets x2 to 0
• trigger↑ can only occur if x2 ≥ c

c determined just as in other metric timing styles
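Both enforcement mechanisms, the Boolean bit of slide 25 and the timers x1, x2 of slide 27, written as runtime monitors over a timestamped event trace; this is an added example, not code from the talk. Signal names, the bound c and the trace are constructed.

```python
# Added example, not from the talk: the enforcement mechanisms of slides
# 25-27 as runtime monitors over a timestamped trace. A PoD constraint
# ei -> ej < ek uses one Boolean bit; a metric constraint uses timers
# x1, x2 with bound c. Signal names and the trace are constructed.

class PoDMonitor:
    """ei sets the bit, ej resets it, ek must not occur while it is set."""
    def __init__(self, ei, ej, ek):
        self.ei, self.ej, self.ek, self.bit = ei, ej, ek, False

    def step(self, event, t):
        if event == self.ek and self.bit:
            return f"t={t}: {self.ek} before {self.ej} (PoD {self.ei} -> {self.ej} < {self.ek})"
        if event == self.ei:
            self.bit = True
        elif event == self.ej:
            self.bit = False
        return None


class TimerMonitor:
    """a resets x1, b must occur while x1 <= c; a2 resets x2, b2 needs x2 >= c."""
    def __init__(self, a, b, a2, b2, c):
        self.a, self.b, self.a2, self.b2, self.c = a, b, a2, b2, c
        self.x1_reset = None  # time of last a; timer x1 = t - x1_reset
        self.x2_reset = None  # time of last a2; timer x2 = t - x2_reset

    def step(self, event, t):
        if event == self.a:
            self.x1_reset = t
        elif event == self.b and self.x1_reset is not None:
            if t - self.x1_reset > self.c:  # x1 > c: b came too late
                return f"t={t}: {self.b} violates x1 <= {self.c}"
        elif event == self.a2:
            self.x2_reset = t
        elif event == self.b2 and self.x2_reset is not None:
            if t - self.x2_reset < self.c:  # x2 < c: b2 came too early
                return f"t={t}: {self.b2} violates x2 >= {self.c}"
        return None


def check_trace(trace, monitors):
    """Feed (time, event) pairs to every monitor; collect violations."""
    return [msg for t, ev in trace for m in monitors
            if (msg := m.step(ev, t)) is not None]


# Constructed trace: b+ precedes ac+ (PoD violation); trigger+ fires
# 3 time units after enable+ although c = 5 (timer violation).
TRACE = [(0, "c+"), (2, "b+"), (3, "ac+"), (10, "data_in+"),
         (12, "data_in_aux+"), (20, "enable+"), (23, "trigger+")]


def violations_on_trace():
    return check_trace(TRACE, [PoDMonitor("c+", "ac+", "b+"),
                               TimerMonitor("data_in+", "data_in_aux+",
                                            "enable+", "trigger+", c=5)])
```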

– 28 –

Booleans vs. Timers

Most timing constraints tend to be PoD

So few real-valued timer variables used in practice


– 30 –

State

Boolean part: assignment to signals

Real-valued part: relation between timers

v1 = 0, v2 = 1, v3 = 0, . . .

x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2

[figure: the region x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2 drawn in the (x1, x2) plane beside its symbolic representation]

– 31 –

Symbolic Model Checking of Timed Automata

[figure: an explicit list of (signal assignment, timer relation) pairs, one per Boolean state]

Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], …

– 32 –

Fully Symbolic Model Checking

Symbolically represent sets of signal assignments with corresponding relations between timers

(v1 ∨ v2) ∧ x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2, . . .

– 33 –

Our Approach to Fully Symbolic Model Checking [Seshia & Bryant, CAV'03]

Based on algorithm given by Henzinger et al. (1994)

Core model checking operations
– Image computation: quantifier elimination in quantified difference logic
– Termination check: satisfiability checking of difference logic

Our Approach: Use Boolean encodings
– Quantified difference logic → Quantified Boolean logic
– Difference logic → Boolean logic
– Use BDDs, SAT solvers

– 34 –

Example: Termination Check

Have we seen all reachable states of the system?

Satisfiability solving in Difference Logic

[figure: the fixpoint check, posed as a difference-logic satisfiability query]

– 35 –

Solving Difference Logic via SAT

x ≥ y ∧ y ≥ z ∧ z ≥ x+1

Encode each atom with a Boolean variable: e1 ≡ x ≥ y, e2 ≡ y ≥ z, e3 ≡ z ≥ x+1

Boolean abstraction of the formula: e1 ∧ e2 ∧ e3

Transitivity constraint: e1 ∧ e2 ⇒ ¬e3

Overall Boolean encoding: (e1 ∧ e2 ∧ e3) ∧ (e1 ∧ e2 ⇒ ¬e3)

– 36 –

A More Realistic Situation

[figure: a large Boolean combination of difference atoms, with x ≥ y, y ≥ z and z ≥ x+1 among them]

x ≥ y ∧ y ≥ z ∧ z ≥ x+1 ∧ . . . is a term in the SOP (DNF)
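The consistency check behind this encoding, as an added example that is not from the talk: a conjunction of difference atoms (one DNF term) is read as a constraint graph, Bellman-Ford finds a negative cycle exactly when the term is unsatisfiable, and the atoms on that cycle give the transitivity clause (e1 ∧ e2 ⇒ ¬e3 for the slide's term). The atom representation and function names are assumptions.

```python
# Added example, not from the talk: a conjunction of difference atoms
# (one term of the DNF) is unsatisfiable exactly when its constraint
# graph has a negative cycle; the atoms on that cycle give the
# transitivity clause the Boolean encoding needs. An atom is a triple
# (u, v, c) meaning u - v <= c; the helper names are assumptions.


def ge(x, y, k=0):
    """Atom x >= y + k, normalised to the difference bound y - x <= -k."""
    return (y, x, -k)


def negative_cycle(atoms):
    """Bellman-Ford over the constraint graph: atom (u, v, c) is the edge
    v -> u with weight c. Returns the indices of the atoms on a negative
    cycle, or None when the conjunction is satisfiable."""
    nodes = {n for u, v, _ in atoms for n in (u, v)}
    dist = {n: 0 for n in nodes}     # virtual source at distance 0 from all
    pred = {n: None for n in nodes}  # (predecessor node, index of atom used)
    last = None
    for _ in range(len(nodes)):
        last = None
        for i, (u, v, c) in enumerate(atoms):
            if dist[v] + c < dist[u]:
                dist[u], pred[u], last = dist[v] + c, (v, i), u
        if last is None:
            return None              # no relaxation: shortest paths settled
    node = last                      # still relaxing after |V| rounds
    for _ in range(len(nodes)):      # walk back far enough to sit on the cycle
        node = pred[node][0]
    cycle, cur = [], node
    while True:
        prev, i = pred[cur]
        cycle.append(i)
        cur = prev
        if cur == node:
            return cycle[::-1]


def transitivity_clause(atoms):
    """Clause over the Boolean encodings e1, e2, ... of the atoms that
    blocks the inconsistent term; None if the term is consistent."""
    cyc = negative_cycle(atoms)
    if cyc is None:
        return None
    return " ∨ ".join(f"¬e{i + 1}" for i in sorted(cyc))


# The slide's term: x >= y, y >= z, z >= x + 1.
SLIDE_TERM = [ge("x", "y"), ge("y", "z"), ge("z", "x", 1)]
```

The clause ¬e1 ∨ ¬e2 ∨ ¬e3 is the same constraint as e1 ∧ e2 ⇒ ¬e3 on the slide; in the DNF setting each inconsistent term found this way contributes one such clause.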


– 38 –

Case Studies

Global STP Circuit
– Self-resetting domino ckt. in Pentium-4 ALU
– Analyzed published ckt. [Hinton et al., JSSC'01]

GasP FIFO Control [Sutherland & Fairbanks, ASYNC'01]

STAPL Left-Right Buffer [Nystrom & Martin, '02]

STARI [Greenstreet, '93]

– 39 –

Footed and Unfooted Domino Inverters

– 40 –

Global STP Circuit (simplest version at gate-level)

[gate-level circuit figure with signals ck, out and res]

– 41 –

Global STP Circuit: Sample Constraint

[gate-level circuit figure with signals ck, out and res; the ck transitions named in the constraint are marked in it]

ck → ck ≺ res↑

– 42 –

Global STP Circuit: An Error

[waveform figure with signals ck, out and rs; the two competing paths are drawn in red and blue]

We want: red < blue (7 transitions < 5 transitions)

– 43 –

Comparison with ATACS

Model checking for absence of short-circuits

Circuit              Number of Signals   Time for our model checker, TMV (in sec.)
Global STP           28                  66.32
GasP (10 stages)     60                  26.10
STAPL (3 stages)     30                  278.05

ATACS did not finish within 3600 sec. on any

– 44 –

Comparison with ATACS on STARI

– 45 –

Related Work

Modeling
– Gate-level Metric Timing
  Timed Petri Nets, TEL, … [Myers, Yoneda, et al.]
  Timed Automata-based [Maler, Pnueli, et al.]
– Chain Constraints [Negulescu & Peeters]
– Relative Timing [Stevens et al.]
  Lazy transition systems [Pena et al.]
– Symbolic Gate Delays [Clariso & Cortadella]

Verification
– For circuits, mostly restricted to just symbolic techniques [e.g., ATACS]


– 47 –

Summary

Leverage Boolean Methods for Timed Systems
– Modeling: generalized relative timing
– Verification: fully symbolic model checking using BDDs, SAT

Demonstrated Application: Modeling and Verifying Self-Timed Circuits

– 48 –

Future Directions: Model Generation

Timed System

Model

Needs to be automated

Main Challenge: Automatic generation of timing constraints

Idea: Machine learning from simulated runs (successful and failing)

– 49 –

Future Directions: New Applications

Distributed Real-time Embedded Systems
– E.g., sensor networks
– Operate asynchronously
– Lots of concurrency
– Timeliness important

Will generalized relative timing work for this application?

– 50 –

Related Research Project

UCLID
– Modeling & Verifying Infinite-State Systems
– Focus: Integer arithmetic, Data Structures (arrays, memories, queues, etc.), Bit-vector operations, …
– Applications: Program verification, Processor verification, Analyzing security properties
  E.g., detecting if a piece of code exhibits malicious behavior (worm/virus)

Also based on Boolean Methods
– Problems in first-order logic translated to SAT

Programming Systems seminar, Oct. 24 '05

– 51 –

Thank you !

More information at http://www.eecs.berkeley.edu/~sseshia/research.html