1 / 43

Predicate Abstraction for Software and Hardware Verification

Predicate Abstraction for Software and Hardware Verification. Himanshu Jain Model checking seminar April 22, 2005. Introduction. Scalable software verification Properties Array bounds check, division by zero Pointer safety Assertion checking Lock and unlocking

flo
Download Presentation

Predicate Abstraction for Software and Hardware Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005

  2. Introduction • Scalable software verification • Properties • Array bounds check, division by zero • Pointer safety • Assertion checking • Lock and unlocking • Focus on partial specifications

  3. Predicate Abstraction • Extract a finite state model from an infinite state system • Used to prove assertions or safety properties • Successfully applied for verification of C programs • SLAM (used in windows device driver verification) • MAGIC, BLAST, F-Soft

  4. Example for Predicate Abstraction void main(){ bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } } intmain() { int i; i=0; while(even(i)) i++; } + = p1 i=0 p2 even(i) C program Predicates Boolean program [Graf, Saidi ’97] [Ball, Rajamani ’01]

  5. Computing Predicate Abstraction • How to get predicates for checking a given property? • How do we compute the abstraction? • Predicate Abstraction is an over-approximation • How to refine coarse abstractions

  6. Initial Abstraction Verification No erroror bug found CProgram ModelChecker Abstract model Property holds Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample Counterexample Guided Abstraction Refinement loop

  7. Abstraction 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y != i){ ERROR: } } 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } } Abstract C program No predicates available currently

  8. Checking the abstract model Is ERROR reachable? 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } } yes Abstract model has a path leading to error state

  9. Simulation Does this correspond to a real bug? 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } } Check using a SAT solver Concrete trace Not possible

  10. Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: } } Initial abstraction Spurious Counterexample

  11. Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (*){ 4: if (b0){ ERROR: } } boolean b0 : y != i

  12. Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: skip; 3: if (b1){ 4: if (b0){ ERROR: } } boolean b0 : y != i boolean b1 : x== i-1

  13. Refinement Weakest precondition of y != i boolean b2 : ctr + 1 ! = i 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: skip; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } } boolean b0 : y != i boolean b1 : x== i-1

  14. Refinement boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y != i) 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } } boolean b0 : y != i boolean b1 : x== i-1

  15. Refinement boolean b2 : ctr + 1 ! = i boolean b3: ctr == i -1 What about initial values of b2 and b3? 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: } } b2 and b3 are mutually exclusive. b2 =1, b3 = 0 b2 =0 , b3 = 1 So system is safe! boolean b0 : y != i boolean b1 : x== i-1

  16. Tools for Predicate Abstraction of C • SLAM at Microsoft • Used for verifying correct sequencing of function calls in windows device drivers • MAGIC at CMU • Allows verification of concurrent C programs • Found bugs in MicroC OS • BLAST at Berkeley • Lazy abstraction, interpolation • SATABS at CMU • Computes predicate abstraction using SAT • Can handle pointer arithmetic, bit-vectors • F-Soft at NEC Labs • Localization, register sharing

  17. Applications of Predicate Abstraction in Hardware Verification

  18. System on chip design • Increase in complexity Number of components Level System Level 10E0 Behavioral/RTL Structural 10E3 Abstraction 10E5 Gate level (netlists) 10E7 …………

  19. Introduction • Emergence of system design languages • HardwareC, SpecC, Handel-C, and SystemC • Based on C / C++ • Allows joint modeling of both hardware and software components of a system • Support for bit vectors, concurrency, synchronization, exception handling, timing

  20. Verification support • Most model-checkers used in hardware industry work at netlist level • Higher abstraction levels offered by languages like SpecC or RTL Verilog are not yet supported • Languages like SpecC are more closer to concurrent software • Verification tools must reason about: • Programming languages constructs • Concurrency • Pointers, Objects • Bit vector operations like concatenation, extraction

  21. Why predicate abstraction • Many properties depend on relationship between registers, and not the values stored in them • Predicate Abstraction • Keeps tracks of certain predicates on data • Successfully used in software verification • Can handle larger designs

  22. Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample Abstraction-Refinement loop

  23. An example module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Verilog program

  24. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  25. Predicate Abstraction module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Word level predicates Verilog program

  26. Computing abstract transitions Computing Most Precise Abstraction Next state Current state Transition Relation + + <x = 100, x = 200> <x’ = 100, x’ = 200> x’ = y y’ = x Equation passed to the SAT solver

  27. Obtain transitions Computing abstract transitions 10 00 01 … and so on … 11

  28. 10 00 01 11 Abstract Model module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Failure state Initial state Verilog program

  29. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  30. Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Abstract Model Initial state Failure state 10 00 01 11 Verilog program

  31. Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Abstract Model Counterexample Initial state Failure state 10 00 01 11 Verilog program

  32. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  33. Simulation equation Simulation of the counterexample • Counterexample in the abstract model • <1 , 0> <0 , 0> (length = 1) • Each state is a valuation of h x = 100, x=200 i Initial values of the registers predicate values in the first state of the counterexample Transition relation predicate values in the second state of the counterexample equation is unsatisfiable So counterexample is spurious

  34. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  35. Refinement • Let length of spurious counterexample be k • Take weakest pre-condition of propertyfor k steps with respect to transition functions • Pick atomic predicates from weakest precondition

  36. spurious counterexample Transition functions Property length =1 x’ = y y’ = x + AG (x = 100 Ç x = 200) + (y = 100 Ç y = 200) weakest precondition x’ = y y’ = x Holds after one step (x’ = 100 Ç x’ = 200) Refinement New predicates y = 100, y = 200

  37. New abstraction Initial state 1001 0110 Abstract again module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Model check Verilog program

  38. New abstraction Initial state 1001 0110 Property holds! Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program

  39. Result module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Property holds! Verilog program

  40. Experimental results (VIS benchmarks) * Using lazy abstraction All use predicate partitioning

  41. Bigger benchmarks

  42. Tools • VCEGAR (Verilog Counterexample Guided Abstraction Refinement) at CMU • www.cs.cmu.edu/~modelcheck/vcegar

  43. Questions

More Related