Reasoning about Timed Systems Using Boolean Methods


Reasoning about Timed Systems Using Boolean Methods

Sanjit A. Seshia

EECS, UC Berkeley

Joint work with

Randal E. Bryant (CMU)

Kenneth S. Stevens (Intel, now U. Utah)

– 2 –

Timed System

A system whose correctness depends not only on its functionality (what results it generates), but also on its timeliness (the time at which results are generated).

– 3 –

Real-Time Embedded Systems

– 4 –

Self-Timed Circuits

– 5 –

Modeling & Verification

(flow figure) Timed System → Model → Verify model

– 6 –

Challenges with Timed Systems

State has 2 components:
– Boolean variables (V): model discrete state
– Real-valued variables (X): measure real time

Infinitely-many states
– Has a finite representation (regions graph)
– But its size grows much worse than |X|, the number of timers
– Verification is hard!

– 7 –

Modeling & Verification

(flow figure) Timed System → Model → Verify model

(instantiated for this talk) Self-Timed Circuit → Timed Automaton → Model Checking

– 8 –

Message of This Talk: Leverage Boolean Methods

Modeling
– Use Boolean variables to model timing, where possible

Verification
– Use symbolic Boolean representations and algorithms operating on them: Binary Decision Diagrams (BDDs), Boolean satisfiability solvers (SAT)

Why?
– Systems have complex Boolean behavior anyway
– Great progress made in finite-state model checking, SAT solving, etc. over the last 15 years

– 9 –

Talk Outline

Motivating Problem: Verifying Self-Timed Circuits

Generalized Relative Timing

Circuits → Timed Automata

Model Checking Timed Automata

Case Studies

Future Directions & Related Research

– 10 –

Self-Timed (Asynchronous) Circuits

Many design styles use timing assumptions

(spectrum figure) Delay Independent … Relative Timing … Burst Mode … Gate-level Metric Timing

Relative Timing [Stevens et al. ASYNC'99, TVLSI'03]: circuit behavior constrained by relative ordering of signal transitions, e.g. u↑ ≺ v↑

– 11 –

Relative Timing (RT) Verification Methodology: 2 Steps

1. Check circuit functionality under timing assumptions
   Search the constrained state space: model checking

2. Verify timing assumptions themselves
   Size circuit path delays appropriately: static timing analysis

– 12 –

Pros and Cons of RT

Advantages:
+ Applies to many design styles
+ Incremental addition of timing constraints
+ No conservatively set min-max delays

Disadvantages:
– Cannot express metric timing
– More work to be done on verification: scaling up; validating timing constraints themselves

– 13 –

Our Contributions

Generalized RT
– Can express some metric timing

Applied Fully Symbolic Verification Techniques
– Model circuits using timed automata: metric timing modeled using real-valued variables, non-metric timing with Booleans

Performed Case Studies
– Including Global STP circuit (published version of Pentium-4 ALU ckt.)

[Seshia, Stevens, & Bryant, ASYNC'05]


– 15 –

Generalizing Relative Timing

(spectrum figure) Delay Independent … Relative Timing … Burst Mode … Gate-level Metric Timing

– 16 –

Circuit Model

Variables (signals): v1, v2, …, vn

Events (signal transitions): ei is vi↑ or vi↓

Rules
– Ei(v1, v2, …, vn) → ei

Timing Constraints

– 17 –

Generalized Relative Timing (GRT) Constraint

Δ(ei, ej): time between ej and the previous occurrence of ei

Form of GRT constraint:

Δ(ei, ej) ≤ Δ(ei', ek) + d

(timeline figure: ei … ej measured against ei' … ek)

– 18 –

Special Case: Common Point-of-Divergence (PoD)

PoD constraint:

Δ(ei, ej) ≤ Δ(ei, ek)

Written as: ei ↦ ej ≺ ek

An RT constraint traced back to its source

(timeline figure: ei … ej, ek)

– 19 –

Example: Point-of-Divergence (PoD) Constraint

(circuit figure)

c ↦ ac ≺ b

– 20 –

Example: Metric Timing

Δ(data_in↑, data_in_aux↑) ≤ Δ(enable↑, trigger↑)

– 21 –

Do We Need Metric Timing?

Useful for modular specification of timing constraints

Also when delays are explicitly used

– 22 –

Verifying Generalized Relative Timing Constraints

Use static timing analysis to compute min-max path delays

To verify:

Δ(ei, ej) ≤ Δ(ei', ek) + d

We verify that:

max-delay(ei → ej) ≤ min-delay(ei' → ek) + d
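The check on this slide, worked through on a constructed gate-level delay model, as an added example (this is not the authors' tool, and the circuit, the transition names "ck+"/"n1-"/"out+"/"res+" and the per-edge min/max delays are all made up for illustration). Longest and shortest path delays are computed over simple paths, as static timing analysis does, and a missing path is reported as "cannot be established" rather than as a pass:

```python
"""Static timing check of a generalized relative timing (GRT) constraint.

To discharge  Delta(ei, ej) <= Delta(ei', ek) + d  we compute, over a gate-level
delay model, the longest path delay ei -> ej and the shortest path delay
ei' -> ek and compare them, as the slide describes.
"""
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]

# Constructed gate-level delay model (hypothetical, not from the slides):
# each edge (source transition, sink transition) -> (min delay, max delay).
# "ck+" is the rising transition of ck, "n1-" the falling transition of n1.
DELAYS: Dict[Edge, Tuple[float, float]] = {
    ("ck+", "n1-"): (1.0, 2.0),
    ("n1-", "out+"): (1.0, 3.0),
    ("ck+", "n2+"): (1.5, 2.0),
    ("n2+", "res+"): (2.0, 2.5),
    ("res+", "n1+"): (1.0, 1.5),
}


def simple_paths(delays: Dict[Edge, Tuple[float, float]], src: str, dst: str) -> List[List[Edge]]:
    """All cycle-free transition paths from src to dst, each as a list of edges."""
    succ: Dict[str, List[str]] = {}
    for (u, v) in delays:
        succ.setdefault(u, []).append(v)
    paths: List[List[Edge]] = []

    def dfs(node: str, visited: set, edges: List[Edge]) -> None:
        if node == dst:
            paths.append(list(edges))
            return
        for nxt in succ.get(node, []):
            if nxt in visited:
                continue  # static timing analysis considers simple paths only
            visited.add(nxt)
            edges.append((node, nxt))
            dfs(nxt, visited, edges)
            edges.pop()
            visited.discard(nxt)

    dfs(src, {src}, [])
    return paths


def min_delay(delays: Dict[Edge, Tuple[float, float]], src: str, dst: str) -> Optional[float]:
    """Shortest-path delay src -> dst using per-edge minimum delays (None if no path)."""
    paths = simple_paths(delays, src, dst)
    return min(sum(delays[e][0] for e in p) for p in paths) if paths else None


def max_delay(delays: Dict[Edge, Tuple[float, float]], src: str, dst: str) -> Optional[float]:
    """Longest-path delay src -> dst using per-edge maximum delays (None if no path)."""
    paths = simple_paths(delays, src, dst)
    return max(sum(delays[e][1] for e in p) for p in paths) if paths else None


def check_grt(delays, ei: str, ej: str, ei2: str, ek: str, d: float) -> Tuple[bool, Optional[float], Optional[float]]:
    """Check max-delay(ei -> ej) <= min-delay(ei2 -> ek) + d.

    Returns (holds, lhs, rhs). If either path does not exist, the constraint
    cannot be established by timing analysis, so holds is False.
    """
    lhs = max_delay(delays, ei, ej)
    base = min_delay(delays, ei2, ek)
    if lhs is None or base is None:
        return False, lhs, base
    rhs = base + d
    return lhs <= rhs, lhs, rhs


if __name__ == "__main__":
    # Constraint Delta(ck+, out+) <= Delta(ck+, res+) + d for two choices of d.
    # With d = 1.0 the longest path (5.0) exceeds the shortest path plus slack
    # (4.5), so the constraint is not established; with d = 2.0 it is.
    for d in (1.0, 2.0):
        holds, lhs, rhs = check_grt(DELAYS, "ck+", "out+", "ck+", "res+", d)
        print(f"d={d}: max-delay={lhs} <= min-delay+d={rhs} -> {holds}")
```

A PoD constraint ei ↦ ej ≺ ek is the special case `check_grt(delays, ei, ej, ei, ek, 0.0)`, i.e. the same source event on both sides and no slack.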


– 24 –

Modeling Timed Circuits

Need to model: Rules ("Boolean" behavior) and Timing

Our formalism: Timed Automata [Alur & Dill, '90]
– Generalization of finite automata
– State variables: Boolean (circuit signals); real-valued timers or "clocks" (impose timing constraints)
– Operations on timers: (1) compare with constant, (2) reset to zero

We model non-metric timing with Booleans

– 25 –

Enforcing Timing with Booleans

(circuit figure)

c ↦ ac ≺ b

1. c sets a bit
2. ac resets it
3. b cannot occur while the bit is set

– 26 –

Enforcing Timing with Timer Variables

Δ(data_in↑, data_in_aux↑) ≤ Δ(enable↑, trigger↑)

– 27 –

Enforcing Timing with Timer Variables

Δ(data_in↑, data_in_aux↑) ≤ Δ(enable↑, trigger↑)

• data_in↑ sets x1 to 0
• data_in_aux↑ must occur while x1 ≤ c
• enable↑ sets x2 to 0
• trigger↑ can only occur if x2 ≥ c

c determined just as in other metric timing styles
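The two enforcement mechanisms of the last two slides (a Boolean bit for the PoD constraint c ↦ ac ≺ b, two timers x1/x2 and a constant c for the metric constraint) applied to a timed event trace, as an added example that is not part of the slides or the authors' model checker. In the model checker these are state variables of the timed automaton; here the same encoding runs as a trace monitor, which is the easiest way to see the rules in action. The event names come from the slides; the traces, the `GrtMonitor` class and the bound c = 2.0 are constructed for this example:

```python
"""Trace monitor enforcing relative-timing constraints the way the slides do:
a PoD constraint with a Boolean bit, a metric constraint with timer variables."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[float, str]  # (timestamp, transition name), e.g. (0.0, "c")


@dataclass
class PodConstraint:
    """pod |-> first < second: after pod fires, first must fire before second."""
    pod: str
    first: str
    second: str
    armed: bool = False  # the Boolean bit from the slide


@dataclass
class TimerConstraint:
    """Delta(a, b) <= Delta(c, d), enforced with timers x1, x2 and a constant bound."""
    a: str
    b: str
    c: str
    d: str
    bound: float
    x1_reset: Optional[float] = None  # time at which a last set x1 to 0
    x2_reset: Optional[float] = None  # time at which c last set x2 to 0


class GrtMonitor:
    def __init__(self, pods: List[PodConstraint], timers: List[TimerConstraint]):
        self.pods = pods
        self.timers = timers

    def step(self, t: float, ev: str) -> List[str]:
        """Feed one transition at time t; return the violations it causes."""
        violations: List[str] = []
        for p in self.pods:
            if ev == p.pod:
                p.armed = True                 # 1. pod sets the bit
            if ev == p.first:
                p.armed = False                # 2. first resets it
            if ev == p.second and p.armed:     # 3. second cannot occur while set
                violations.append(f"t={t}: {p.second} before {p.first} "
                                  f"(violates {p.pod} |-> {p.first} < {p.second})")
        for tc in self.timers:
            if ev == tc.a:
                tc.x1_reset = t                # a sets x1 to 0
            if ev == tc.b and tc.x1_reset is not None and t - tc.x1_reset > tc.bound:
                violations.append(f"t={t}: {tc.b} with x1={t - tc.x1_reset} > {tc.bound}")
            if ev == tc.c:
                tc.x2_reset = t                # c sets x2 to 0
            if ev == tc.d and tc.x2_reset is not None and t - tc.x2_reset < tc.bound:
                violations.append(f"t={t}: {tc.d} with x2={t - tc.x2_reset} < {tc.bound}")
        return violations

    def run(self, trace: List[Event]) -> List[str]:
        """Feed a whole time-ordered trace; return all violations found."""
        found: List[str] = []
        for t, ev in trace:
            found.extend(self.step(t, ev))
        return found


def fresh_monitor(bound: float = 2.0) -> GrtMonitor:
    """Monitor for the two constraints on the slides (the bound c is assumed)."""
    return GrtMonitor(
        pods=[PodConstraint("c", "ac", "b")],
        timers=[TimerConstraint("data_in", "data_in_aux", "enable", "trigger", bound)],
    )


# Constructed traces (not from the slides), ordered by time.
GOOD_TRACE: List[Event] = [(0.0, "c"), (1.0, "ac"), (1.5, "b"),
                           (2.0, "data_in"), (2.5, "enable"), (3.0, "data_in_aux"),
                           (5.0, "trigger")]
BAD_TRACE: List[Event] = [(0.0, "c"), (0.5, "b"), (1.0, "ac"),          # b before ac
                          (2.0, "data_in"), (5.0, "data_in_aux"),       # x1 = 3.0 > 2.0
                          (6.0, "enable"), (6.5, "trigger")]            # x2 = 0.5 < 2.0

if __name__ == "__main__":
    print("good trace:", fresh_monitor().run(GOOD_TRACE))
    for v in fresh_monitor().run(BAD_TRACE):
        print("bad trace:", v)
```

Each `PodConstraint` costs one Boolean state bit and each `TimerConstraint` two real-valued timers, which is the resource trade-off the following "Booleans vs. Timers" slide refers to.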

– 28 –

Booleans vs. Timers

Most timing constraints tend to be PoD

So few real-valued timer variables are used in practice


– 30 –

State

Boolean part: assignment to signals

Real-valued part: relation between timers

v1 = 0, v2 = 1, v3 = 0, . . .

x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2

(figure: the timer relation as a region of the x1–x2 plane; symbolic representation)

– 31 –

Symbolic Model Checking of Timed Automata

(figure: state set kept as an explicit list of pairs, each a signal assignment with its timer relation, . . .)

Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], …

– 32 –

Fully Symbolic Model Checking

Symbolically represent sets of signal assignments with corresponding relations between timers

(v1 ∨ v2) ∧ x1 ≥ 0 ∧ x2 ≥ 0 ∧ x1 ≥ x2, . . .

– 33 –

Our Approach to Fully Symbolic Model Checking

Based on algorithm given by Henzinger et al. (1994)

Core model checking operations
– Image computation: quantifier elimination in quantified difference logic
– Termination check: satisfiability checking of difference logic

Our Approach: Use Boolean encodings
– Quantified difference logic → Quantified Boolean logic
– Difference logic → Boolean logic
– Use BDDs, SAT solvers

[Seshia & Bryant, CAV'03]

– 34 –

Example: Termination Check

Have we seen all reachable states of the system?

Satisfiability solving in Difference Logic

(figure: newly computed state set ⊆ state set seen so far?)

– 35 –

Solving Difference Logic via SAT

x ≥ y ∧ y ≥ z ∧ z ≥ x+1

Boolean encoding of the atoms: e1: x ≥ y, e2: y ≥ z, e3: z ≥ x+1

Formula: e1 ∧ e2 ∧ e3

Transitivity Constraint: e1 ∧ e2 ⇒ ¬e3

Overall Boolean Encoding: (e1 ∧ e2 ∧ e3) ∧ (e1 ∧ e2 ⇒ ¬e3)

– 36 –

A More Realistic Situation

(figure: a larger formula built with ∨, ∧, ¬ over the atoms x ≥ y, y ≥ z, z ≥ x+1, . . .)

x ≥ y ∧ y ≥ z ∧ z ≥ x+1 ∧ . . . is a term in the SOP (DNF)
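The eager encoding from these two slides carried out in code, as an added example (not the authors' CAV'03 procedure or TMV): each difference atom becomes a Boolean variable, every cycle of literal-edges whose constants sum to a positive number yields a transitivity clause (the slide's e1 ∧ e2 ⇒ ¬e3 is the cycle x → y → z → x), and the Boolean formula conjoined with those clauses is handed to a SAT procedure, here a brute-force search since there are only three atoms. Negated atoms are encoded as reversed edges over the integers, and the `realistic_dnf` formula is a constructed stand-in for the "more realistic" DNF:

```python
"""Eager Boolean encoding of difference logic, after the slides: atoms become
Boolean variables, infeasible cycles become transitivity clauses, and the
result is a pure Boolean satisfiability problem."""
from itertools import product
from typing import Callable, FrozenSet, List, Optional, Set, Tuple

Atom = Tuple[str, str, int]    # (x, y, k) stands for  x - y >= k  over the integers
Literal = Tuple[int, bool]     # (atom index, polarity)


def negate(atom: Atom) -> Atom:
    """Over the integers, not(x - y >= k) is the difference atom y - x >= 1 - k."""
    x, y, k = atom
    return (y, x, 1 - k)


def transitivity_clauses(atoms: List[Atom]) -> List[List[Literal]]:
    """Clauses forbidding every simple cycle of literal-edges with weight sum > 0.

    Adding x1-x2>=k1, x2-x3>=k2, ..., xn-x1>=kn gives 0 >= k1+...+kn, so a
    cycle with positive sum is infeasible; the clause says "not all of these".
    """
    edges = []  # (src, dst, weight, literal): the positive and negated atom
    for i, atom in enumerate(atoms):
        x, y, k = atom
        edges.append((x, y, k, (i, True)))
        nx, ny, nk = negate(atom)
        edges.append((nx, ny, nk, (i, False)))
    nodes = sorted({e[0] for e in edges} | {e[1] for e in edges})
    clauses: Set[FrozenSet[Literal]] = set()

    def dfs(start: str, node: str, visited: Set[str], lits: List[Literal], total: int) -> None:
        used = {i for i, _ in lits}
        for src, dst, w, lit in edges:
            if src != node or lit[0] in used:
                continue                  # each atom at most once per cycle
            if dst == start:
                if total + w > 0:         # infeasible cycle: block it
                    clauses.add(frozenset((i, not p) for i, p in lits + [lit]))
            elif dst not in visited and dst > start:   # canonical start node
                dfs(start, dst, visited | {dst}, lits + [lit], total + w)

    for s in nodes:
        dfs(s, s, {s}, [], 0)
    return [sorted(c) for c in clauses]


def solve(atoms: List[Atom], formula: Callable[[List[bool]], bool]) -> Optional[List[bool]]:
    """Return an assignment to the atoms satisfying formula and every
    transitivity clause, or None when the difference-logic formula is unsat."""
    clauses = transitivity_clauses(atoms)
    for bits in product([False, True], repeat=len(atoms)):
        assignment = list(bits)
        if not formula(assignment):
            continue
        if all(any(assignment[i] == p for i, p in clause) for clause in clauses):
            return assignment
    return None


# Atoms from the slide: e1: x >= y, e2: y >= z, e3: z >= x + 1.
SLIDE_ATOMS: List[Atom] = [("x", "y", 0), ("y", "z", 0), ("z", "x", 1)]


def slide_conjunction(e: List[bool]) -> bool:
    """The slide's formula e1 & e2 & e3; unsatisfiable because of the cycle."""
    return e[0] and e[1] and e[2]


def realistic_dnf(e: List[bool]) -> bool:
    """Constructed DNF with the slide's conjunction as one of its terms."""
    return (e[0] and e[1] and e[2]) or (e[0] and not e[1])


if __name__ == "__main__":
    for clause in transitivity_clauses(SLIDE_ATOMS):
        print("transitivity clause:", clause)
    print("conjunction:", solve(SLIDE_ATOMS, slide_conjunction))   # None
    print("dnf:", solve(SLIDE_ATOMS, realistic_dnf))               # a model
```

The first transitivity clause produced, ¬e1 ∨ ¬e2 ∨ ¬e3, is exactly the slide's e1 ∧ e2 ⇒ ¬e3; the second one comes from the reversed (negated) edges and rules out ¬e1 ∧ ¬e2 ∧ ¬e3 for the same reason. A real implementation replaces the brute-force loop with a SAT solver and enumerates cycles more cleverly, but the clause set it feeds to the solver is the same.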


– 38 –

Case Studies

Global STP Circuit
– Self-resetting domino ckt. in Pentium-4 ALU
– Analyzed published ckt. [Hinton et al., JSSC'01]

GasP FIFO Control [Sutherland & Fairbanks, ASYNC'01]

STAPL Left-Right Buffer [Nystrom & Martin, '02]

STARI [Greenstreet, '93]

– 39 –

Footed and Unfooted Domino Inverters

– 40 –

Global STP Circuit (simplest version at gate-level)

(circuit figure with signals ck, out, res)

– 41 –

Global STP Circuit: Sample Constraint

(circuit figure with signals ck, out, res)

ck ↦ ck ≺ res↑

– 42 –

Global STP Circuit: An Error

(circuit figure with signals ck, out, r, s; the red and blue paths are marked)

We want: red < blue (7 transitions < 5 transitions)

– 43 –

Comparison with ATACS

Model checking for absence of short-circuits

Circuit           Number of Signals   Time for our model checker, TMV (in sec.)
Global STP        28                  66.32
GasP-10 stages    60                  26.10
STAPL-3 stages    30                  278.05

ATACS did not finish within 3600 sec. on any

– 44 –

Comparison with ATACS on STARI

– 45 –

Related Work

Modeling
– Gate-level Metric Timing: Timed Petri Nets, TEL, … [Myers, Yoneda, et al.]; Timed Automata-based [Maler, Pnueli, et al.]
– Chain Constraints [Negulescu & Peeters]
– Relative Timing [Stevens et al.]; Lazy transition systems [Pena et al.]
– Symbolic Gate Delays [Clariso & Cortadella]

Verification
– For circuits, mostly restricted to just symbolic techniques [e.g., ATACS]


– 47 –

Summary

Leverage Boolean Methods for Timed Systems
– Modeling: generalized relative timing
– Verification: fully symbolic model checking using BDDs, SAT

Demonstrated Application: Modeling and Verifying Self-Timed Circuits

– 48 –

Future Directions: Model Generation

(flow figure) Timed System → Model: needs to be automated

Main Challenge: Automatic generation of timing constraints

Idea: Machine learning from simulated runs (successful and failing)

– 49 –

Future Directions: New Applications

Distributed Real-time Embedded Systems
– E.g., sensor networks
– Operate asynchronously
– Lots of concurrency
– Timeliness important

Will generalized relative timing work for this application?

– 50 –

Related Research Project

UCLID
– Modeling & Verifying Infinite-State Systems
– Focus: Integer arithmetic, Data Structures (arrays, memories, queues, etc.), Bit-vector operations, …
– Applications: Program verification, Processor verification, Analyzing security properties, e.g., detecting if a piece of code exhibits malicious behavior (worm/virus)

Also based on Boolean Methods
– Problems in first-order logic translated to SAT

Programming Systems seminar, Oct. 24 '05

– 51 –

Thank you!

More information at http://www.eecs.berkeley.edu/~sseshia/research.html
