Formal Verification of Synchronization Issues of SpecC Description with Automatic Abstraction
Thanyapat Sakunkonchak, Masahiro Fujita
Department of Electronics Engineering, University of Tokyo
Overview: Introduction, Verification Flows, Example, Summary & Outlooks
Synchronization in SpecC

main() {
  par {
    a.main();
    b.main();
  }
}
behavior a {
  main() {
    x = 10;      /*st1*/
    y = x + 10;  /*st2*/
  }
};
behavior b {
  main() {
    x = 20;      /*st3*/
  }
};

[Timing diagram: a.main() runs st1 then st2 (Tas, T1s, T1e, T2s, T2e, Tae); b.main() runs st3 (Tbs, T3s, T3e, Tbe) in parallel, so st3 may execute before, between or after st1 and st2.]

The result for y is ambiguous: it depends on whether x = 10; /*st1*/ or x = 20; /*st3*/ was executed last before st2 (y = 20 or y = 30).

Synchronization by notify/wait

main() {
  par {
    a.main();
    b.main();
  }
}
behavior a {
  main() {
    x = 10;      /*st1*/
    y = x + 10;  /*st2*/
    notify e;    /*New*/
  }
};
behavior b {
  main() {
    wait e;      /*New*/
    x = 20;      /*st3*/
  }
};

[Timing diagram: with notify e after st2 and wait e before st3, b.main() blocks from Tbs until notify e is executed, so st3 (T3s, T3e) always follows st2 (T2e).]

y = 20 (always)
Difference Decision Diagrams (DDD)
Introduced by Møller et al.
Symbolic representation of non-Boolean constraints such as inequalities, which are inefficient to represent with BDDs
A DDD represents difference constraints (x − y ≤ c), where x and y are integers and c is a constant
[Figure: DDD graph for ¬(x − z < 1) ∧ (x − y ≤ 0) ∧ (y − z ≤ 2)]
Verification Flows

Goals:
Check whether given SpecC codes (with 'par' and 'notify/wait') are properly synchronized
If checking fails, counter-examples should be generated (traced back to the source of the error)
Based on: Boolean SpecC, DDD, SVC, program slicing, ...
Verification flow (reconstructed from the flowchart):

1. SpecC => Boolean SpecC. Every condition in the source is replaced by a Boolean variable Ci; the par/notify/wait structure is kept. For example

behavior A(out event e, inout int x, inout int y) {
  void main() {
    if (x > 1) {
      notify e;
      y = x - 1;
    }
    if (y > 3) {
      . . .

becomes

behavior A() {
  void main() {
    if (C0) {
      notify e;
      ...
    }
    if (C1) {
      . . .

with C0 => x > 1 and C1 => y > 3.

2. Verify. The synchronization (or other properties to be checked) is verified on the Boolean SpecC with the linear eq/ineq solver (DDD). Pass: the property holds. Fail: the solver gives an abstract counter-example; go to 3.

3. Program slicing + validity/satisfiability checker (e.g. SVC, CHAFF). Trace back to the SpecC source that corresponds to the variables in the Ci (C0 => x > 1, C1 => y > 3), then check the validity/satisfiability of the counter-example path over the original variables. Satisfiable: the counter-example is real, so the result is Fail with that counter-example. Unsatisfiable: the counter-example is spurious; go to 4. If neither can be concluded, abort (no conclusive result).

4. Refine the relationship among the Ci's with the additional constraints/conditions found in 3 and return to 2. Automatic refinement will be done at this step.
Example: Sleeping barber problem
[Figure: barber, customers, empty chairs, barber chair]
• barber: finished cutting -> call customer
• barber: no customer -> wait
• customer: barber waiting -> has hair cut
• customer: chairs occupied -> come again
• customer: a chair empty -> wait
Example

behavior barber (inout event call, inout bool chairOccupied,
                 inout int numCustomer) {
  void main() {
    while(1) {
      if (numCustomer == 0)
        DayDreaming();                 // no customer -> wait
      else {
        if (chairOccupied == true) {
          KeepCutting();               // finish the current haircut
          chairOccupied = false;
        }
        else {
          notify call;                 // finished cutting -> call next customer
          chairOccupied = true;
        }
      }
    }
  }
};

behavior customer (inout event call, inout bool chairOccupied,
                   inout int numCustomer) {
  void main() {
    while(1) {
      if (numCustomer == 3)
        GoBack();                      // chairs occupied -> come again
      else {
        numCustomer++;                 // take a waiting chair
        if (chairOccupied == false) {
          wait call;                   // barber chair free -> wait to be called
          numCustomer--;               // leave the waiting chair for the haircut
        }
      }
    }
  }
};
Example (verify)
1. SpecC => Boolean SpecC, and build the Control Flow Graph (CFG)
2. Verify with DDDs; if the result is satisfied, terminate, else go to the next step
3. Use the CFG to find the related path and use SVC to verify the Boolean variables and find the conditions that imply infeasibility
4. Use those conditions to modify the Boolean SpecC
5. Go to 2
Step 1: build Boolean SpecC & CFG from the barber/customer code above
Example (abstract)

behavior barber () {
  void main() {
    while(a0) {
      if (a1)
        ...
      else {
        if (a2) {
          ...
          ...
        }
        else {
          notify call;
          ...
        }
      }
    }
  }
};

behavior customer () {
  void main() {
    while(b0) {
      if (b1)
        ...
      else {
        ...
        if (b2) {
          wait call;
          ...
        }
      }
    }
  }
};
Step 2: verify with DDDs
Example (refine)

behavior barber () {
  void main() {
    while(a0) {
      if (a1)            // numCustomer == 0
        ...
      else {
        if (a2) {        // chairOccupied == true
          ...
          !a2            // chairOccupied == false
        }
        else {
          notify call;
          a2             // chairOccupied == true
        }
      }
    }
  }
};

behavior customer () {
  void main() {
    while(b0) {
      if (b1)            // numCustomer == 3
        ...
      else {
        ...              // numCustomer++
        if (b2) {        // chairOccupied == false
          wait call;
          ...            // numCustomer--
        }
      }
    }
  }
};
Step 3: check the predicates for validity (SVC), then verify with DDDs again
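The following Python is an added example, not the authors' tool or any SpecC toolchain. It implements the path-feasibility check that DDD-based verification relies on (a conjunction of difference constraints x − y ≤ c is satisfiable iff its constraint graph has no negative cycle; here that is checked with Bellman-Ford rather than with a decision diagram) and uses it for the refinement step of the flow: for the predicates a1, a2, b1, b2 above it finds which combinations of the Boolean variables can never hold together over the concrete variables. The 0/1 encoding of chairOccupied, the predicate table and all function names are assumptions of this example.

```python
"""Added example (not the authors' tool): difference-constraint feasibility
and the predicate-relationship refinement step for the barber/customer
abstraction. Predicate encodings and names are assumptions of this example."""
from itertools import product

ZERO = "0"  # distinguished variable fixed at 0, so a bound x <= c is the
            # difference constraint x - 0 <= c


def feasible(constraints):
    """constraints: list of (x, y, c) meaning x - y <= c, x and y integers.

    The conjunction is satisfiable iff the constraint graph (edge y -> x with
    weight c) has no negative cycle; Bellman-Ford from a virtual source with
    all distances 0 detects one. This is the path-feasibility test behind
    DDDs; the diagram structure itself is not modelled here.
    """
    nodes = {ZERO}
    for x, y, _ in constraints:
        nodes.update((x, y))
    dist = dict.fromkeys(nodes, 0)
    for _ in range(len(nodes) - 1):
        changed = False
        for x, y, c in constraints:
            if dist[y] + c < dist[x]:
                dist[x] = dist[y] + c
                changed = True
        if not changed:
            break
    # If any edge can still be relaxed there is a negative cycle: infeasible.
    return all(dist[y] + c >= dist[x] for x, y, c in constraints)


# Helpers that turn the slide's predicates into difference constraints.
def eq(v, k):    return [(v, ZERO, k), (ZERO, v, -k)]   # v == k
def le(v, k):    return [(v, ZERO, k)]                  # v <= k
def ge(v, k):    return [(ZERO, v, -k)]                 # v >= k
def is_true(b):  return ge(b, 1)   # bool encoded as a 0/1 integer (assumption)
def is_false(b): return le(b, 0)


# (constraints when the predicate holds, constraints when it is false).
# None: the negation (e.g. numCustomer != 0) is not a single conjunction of
# difference constraints, so that literal is not checked here.
PREDICATES = {
    "a1": (eq("numCustomer", 0), None),                           # barber:   numCustomer == 0
    "a2": (is_true("chairOccupied"), is_false("chairOccupied")),  # barber:   chairOccupied == true
    "b1": (eq("numCustomer", 3), None),                           # customer: numCustomer == 3
    "b2": (is_false("chairOccupied"), is_true("chairOccupied")),  # customer: chairOccupied == false
}


def infeasible_pairs(barber=("a1", "a2"), customer=("b1", "b2")):
    """Refinement step: for each barber/customer predicate pair and truth
    assignment, ask whether the two literals can hold together over the
    concrete variables. Infeasible combinations are the relationships among
    the Boolean variables that the abstraction must be told about."""
    found = []
    for p, q in product(barber, customer):
        for vp, vq in product((True, False), repeat=2):
            cp = PREDICATES[p][0 if vp else 1]
            cq = PREDICATES[q][0 if vq else 1]
            if cp is None or cq is None:
                continue
            if not feasible(cp + cq):
                found.append(((p, vp), (q, vq)))
    return found


def refinement_constraints():
    """Render the infeasible combinations as constraints to add to the
    Boolean SpecC, e.g. !(a2 && b2)."""
    lit = lambda name, val: name if val else "!" + name
    return ["!(%s && %s)" % (lit(*l), lit(*r)) for l, r in infeasible_pairs()]


if __name__ == "__main__":
    # The formula from the DDD slide: !(x - z < 1) is z - x <= -1.
    print(feasible([("z", "x", -1), ("x", "y", 0), ("y", "z", 2)]))  # True
    for c in refinement_constraints():
        print(c)  # !(a1 && b1), !(a2 && b2), !(!a2 && !b2)
```

The two chairOccupied constraints together say b2 is exactly !a2, which is what lets the DDD check match the barber's notify with the customer's wait; the numCustomer constraint only rules out a1 and b1 holding at once, because the negation of an equality is not a single difference constraint and is left to a later refinement.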
Example (verification)
The synchronization on event 'call' is satisfied.
User-defined assertions can be used to verify further properties, e.g. to check whether numCustomer ever exceeds 3:

numCustomer++;
if (numCustomer > 3) assert(F);
if (chairOccupied == false) {
  . . .

The refinement process is not done automatically: some effort from the user is needed to browse the CFG and find the locations where the constraints apply.
Summary & Outlook
The verification of synchronization issues in SpecC is described
The automatic abstraction is proposed
Up to the current implementation:
The refinement process is not fully automatic (the CFG cooperation needs to be done manually)
Cannot yet handle complex SpecC constructs

Summary & Outlook (2): future plans
Make the "abstraction refinement" operate automatically
Expand the capability to support more complex SpecC structures, e.g. loops, functions, recursion