-
CDA 5416: Computer System Verification
Introduction
Hao Zheng
Department of Computer Science and Engineering
University of South Florida
Tampa, FL 33620
Email: [email protected]
Phone: (813)974-4757
Fax: (813)974-5456
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 1 / 49
-
Contents
1 Course Logistics
2 Verification − Why
3 Verification − Overview
4 Formal Verification and Model Checking
5 Course Topics
-
About This Course
Definition of Verification (Google): the process of establishing the truth or validity of something.
Objective: learn model checking, an automated technique for verifying computing systems.
• Learn to model the computation and communication of concurrent systems
• Learn formal correctness specification using temporal logics
• Understand the basic model checking algorithms
• Gain hands-on experience with widely-used model checkers
-
Contact Information
Office Location: ENB 312
Office Hours: 1 − 2:30pm, Mon & Wed, or by appointment
Course webpage: Canvas
http://www.cse.usf.edu/~haozheng/teach/cda5416/
Email: [email protected]
Phone: (813) 974-4757
-
Background Requirements
• Topics covered are for HW/SW verification.
• Basic knowledge of how HW/SW works (logic design, computer architecture, OS, etc).
• Knowledge of automata/first-order logic (discrete math) is desirable, but we will review the basics as needed.
• Programming skills might be needed for the final project.
-
Textbook
• Principles of Model Checking by Christel Baier and Joost-Pieter Katoen, MIT Press 2008.
• Lectures borrow much material from the textbook.
• Free on-line access via USF Library
-
Books for References
-
Another Reference Book
A systematic introduction to the SPIN model checker
-
Evaluation
• Grading policy:
  • Homeworks: 40%
  • Quizzes: 5%
  • Midterm: 25%
  • Final Project: 30%
• Final Grade: suppose your grade is x%.
  90% ≤ x : A
  80% ≤ x < 90% : B
  70% ≤ x < 80% : C
  x < 70% : D.
-
Course Communications
• Communications: Canvas at my.usf.edu.
  • Check grades, announcements, handouts, etc.
  • All submissions must be done via Canvas. Submissions using other means will be ignored!
  • HW solutions and other related information.
• Additional information can be found on http://www.cse.usf.edu/~haozheng/teach/cda5416/
• Clear your email inbox! You are responsible for emails you miss because of a full inbox.
• Requests for late submissions and makeup exams:
  • Granted only when proof of an emergency is provided.
  • Exceptions to homework or exam schedules for religious observance will be granted if you let me know at least one week ahead!
-
Academic Integrity
• Students are expected to be honest and not to cheat.
  • More importantly, be honest with yourselves.
• Collaboration and discussions are highly encouraged.
  • Copying each other's work is forbidden.
• Read the university policy at http://www.ugs.usf.edu/catalogs/0809/adadap.htm
• The reward for cheating is FF.
-
A Flight Autopilot
• Requirement: The autopilot should avoid collision with other planes.
• A solution: When the distance is 1km, give a warning to the other plane and notify the pilot. When the distance is 300m and no change in the course of the other plane has been noticed, go up to avoid collision.
• Is this correct?
  • The same SW is installed on both planes, and both may be directed to change to the same course again!
• Deadlock is a state where all parties are stuck and cannot make further progress.
  • Deadly consequences may occur if the control system deadlocks.
-
A SW example
process Inc:   while true do if x < 200 then x := x + 1 od
process Dec:   while true do if x > 0 then x := x − 1 od
process Reset: while true do if x = 200 then x := 0 od
Property: is x always between 0 and 200 (inclusive)?
Answer: When x = 200, both Dec and Reset are active, ...
-
A SW example: SPIN Model (1)
int x = 0;
proctype Inc() {
do :: true -> if :: (x < 200) -> x = x+1 fi od
}
proctype Dec() {
do :: true -> if :: (x > 0) -> x = x-1 fi od
}
proctype Reset() {
do :: true -> if :: (x == 200) -> x = 0 fi od
}
-
A SW example: SPIN Model (2)
proctype Check() {
  assert (x >= 0 && x <= 200);   /* the property from slide 14 */
}
init { run Inc(); run Dec(); run Reset(); run Check() }   /* start all processes */
-
A SW example: SPIN Output
pan:1: assertion violated ((x>=0)&&(x
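The interleaving behind the assertion violation above, reproduced as an added example (not the slides' SPIN model): a small explicit-state reachability check in Python over the Inc/Dec/Reset processes. It assumes each process takes two separate steps (test the guard, then assign), which is exactly what lets Dec's guard x > 0 go stale before it writes; with atomic=True the guard and the assignment become one step and the invariant holds.

```python
"""Explicit-state invariant check of the Inc/Dec/Reset example.

Added example, not the slides' SPIN model.  A process is modelled as a program
counter with two locations: 0 = about to test its guard, 1 = guard passed,
assignment pending.  Splitting guard and assignment into two steps is the
assumption that reproduces the run SPIN reports: Dec tests x > 0 at x = 200,
Reset sets x = 0, then Dec writes x = -1."""
from collections import deque


def make_procs(max_x):
    """The three processes of the SW example as (name, guard, update)."""
    return (
        ("Inc",   lambda x: x < max_x,  lambda x: x + 1),
        ("Dec",   lambda x: x > 0,      lambda x: x - 1),
        ("Reset", lambda x: x == max_x, lambda x: 0),
    )


def successors(state, procs, atomic):
    """Yield (label, next_state) for every step enabled in `state`.

    state = (x, pcs) where pcs[i] is the program counter of procs[i].
    A process whose guard is false has no enabled step: it blocks, as a
    Promela `if` with a single false guard does."""
    x, pcs = state
    for i, (name, guard, update) in enumerate(procs):
        if pcs[i] == 0:
            if guard(x):
                if atomic:
                    # guard test and assignment as one indivisible step
                    yield f"{name}: x := {update(x)}", (update(x), pcs)
                else:
                    # guard passed; others may change x before we write it
                    yield f"{name}: guard holds at x={x}", (x, pcs[:i] + (1,) + pcs[i + 1:])
        else:
            # the assignment reads the *current* x, not the one the guard saw
            yield f"{name}: x := {update(x)}", (update(x), pcs[:i] + (0,) + pcs[i + 1:])


def check_invariant(inv, max_x=200, atomic=False):
    """Breadth-first search of every state reachable from x = 0.

    Returns the number of states explored, the violating value of x (None if
    `inv` holds in every reachable state) and the shortest counterexample
    trace as a list of step labels (BFS order guarantees it is shortest)."""
    procs = make_procs(max_x)
    init = (0, (0,) * len(procs))
    parent = {init: None}          # state -> (predecessor, label), None for init
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not inv(s[0]):
            trace, cur = [], s
            while parent[cur] is not None:
                prev, label = parent[cur]
                trace.append(label)
                cur = prev
            return {"states": len(parent), "violation": s[0], "trace": trace[::-1]}
        for label, t in successors(s, procs, atomic):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return {"states": len(parent), "violation": None, "trace": None}


if __name__ == "__main__":
    def in_range(x):
        return 0 <= x <= 200

    bad = check_invariant(in_range)
    print("non-atomic: violation at x =", bad["violation"])
    print("  last 4 steps of the counterexample:", bad["trace"][-4:])
    good = check_invariant(in_range, atomic=True)
    print("atomic: violation =", good["violation"], "reachable states =", good["states"])
```

The shortest counterexample has 404 steps (200 guard/assign pairs of Inc, then Dec's guard, Reset's guard and assignment, and Dec's write), which is the kind of trace a model checker hands back and a test suite would rarely stumble on.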
-
Some High-Profile Bugs
-
Pentium FDIV Bug (1994)
• The Intel Pentium chip, released in 1994, produced errors in floating point division.
• Try 4195835 − (4195835 / 3145727) ∗ 3145727.
  • You would expect 0.
  • On the '94 Pentium, it returns 256!
• Cause: Five entries in the lookup table used for the division algorithm were missing in the implementation.
• Bugs only occur after the 10th bit to the right of the floating point.
• Cost: $475 million (part replacements + reputation damage)
-
Ariane 5 Explosion (1996)
• In December 1996, the Ariane 5 rocket exploded 40 seconds after take-off.
• Cause: A software component threw an exception caused by a data conversion from a 64-bit floating point number to a 16-bit signed integer.
• The exception handler was not used.
• Cost: $400 million payload.
-
Therac-25 Radiation Overdose (1985-87)
• Therac-25: a radiation machine for the treatment of cancer patients.
• Cause: A failure in the control SW delivered wrong dosages of x-rays to patients.
• Cost: Three patients died as a direct result of these accidents.
-
AT&T Telephone Network Outage (1990)
• January 1990: a problem in New York City led to a 9-hour outage of large parts of the U.S. telephone network.
• Cause: a flaw (wrong interpretation of a break statement in C) in the SW embedded in the switches.
• Cost: hundreds of millions of US$.
-
Lessons from Previous Bugs
• Accidents are often not simple.
  • They usually involve complex sequences of interactions among different components in the system and the operating environment, including the human beings using the system.
  • Verifying a component is far from enough.
  • The whole system must be thoroughly verified.
• Verification challenges
  • Huge space of behavior − impossible to verify it completely
  • External events − non-determinism
-
Importance of System Correctness
• Computing is integrated in various applications
  • Embedded systems
  • Communication protocols
  • Transportation systems
  • Manufacturing/process control
• System reliability depends on the correctness of HW/SW.
• Defects can be
  • Very expensive for mass-produced products − repair & replacements
  • Fatal for safety-critical systems − loss of human lives
• NIST (National Institute of Standards and Technology) reports that software bugs cost $60 billion annually
-
Cost of Bugs
[Figure: the number of design bugs and the cost of fixing them over the course of a design project.]
-
Verification in Reality
• Some numbers:
  • Verification engineers : design engineers = 3:1.
  • Verification takes 50% − 70% of design resources.
• The reasons:
  • The longer bugs stay undetected, the costlier they are to fix.
  • A bug found early incurs little fixing cost.
  • A bug found after manufacturing may require repeating the whole design process.
  • A bug that slips into customers' hands can cost hundreds of millions in hardware and brand image.
-
Types of Verification
• A process that establishes or confirms that a system fulfills its requirements.
• Verification can be classified depending on the attributes:
  • Functional
  • Performance
  • Power
  • Reliability
Verification ≠ Validation
1 Verification = check that we are building the thing right
2 Validation = check that we are building the right thing
-
What is Functional Verification?
• Verification to ensure that the logic behavior of a system meets requirements.
  • Also called logic verification.
• Target applications:
  • HW & SW & communication protocols
  • Sequential or concurrent systems
  • Can be found in many important applications such as
    • Digital logic designs
    • Communication protocols
    • Embedded control systems
• Can be applied to finite or infinite systems
  • Abstraction can reduce infinite state systems to finite ones.
-
The Role of Functional Verification
• A system is designed through a sequence of refinement steps.
• Different requirements at different levels.
• A system at a lower level must conform to the one at a higher level.
-
Functional Verification Techniques
• Simulation
• Testing: work on real stuff!
• Logic Emulation: a design is prototyped with FPGAs
  • Faster, more realistic testing, and easier system integration.
  • Less flexible, hard to debug, etc.
• Formal verification/model checking
  • Based on mathematical logic foundations.
-
Challenges to Verification
• System complexity grows exponentially over time
  • Moore's law says that the number of transistors doubles every 24 months.
  • More functions are integrated on a single chip.
• The effectiveness of simulation/testing degrades exponentially.
  • The performance of simulation degrades linearly in system size and number of simulation vectors − too slow for large complex systems.
  • The state space to check grows exponentially at the same time.
  • Not enough input vectors can be simulated in a reasonable amount of time.
⇒ Low confidence in system correctness.
-
Formal Verification
• Applied mathematical logic for modeling and analyzing computing systems.
  • Improves system quality and reduces verification time.
• Highly recommended by FAA and NASA.
• Formal Specification: describes behavior accurately at a higher abstraction level.
• Models: mathematical objects independent of implementations.
• Approaches
  • Theorem Proving: highly expressive
  • Logic equivalence checking: highly automated
  • Model Checking: automated
-
Model Checking: Overview
[Figure: overview of model checking, slide image from Prof. Dr. Ir. Joost-Pieter Katoen, Introduction to Model Checking]
-
Model Checking: Definition
Model checking (MC) is an automatic verification technique that answers yes or no to the following question:
M |= f
where
• M is a finite state model of the system under verification,
• f is the set of formal properties specifying the correctness requirements.
-
What are Models?
[Figure: slide image from Prof. Dr. Ir. Joost-Pieter Katoen, Introduction to Model Checking]
-
What are Models?
State transition systems
• States labeled with basic propositions.
• Transition relation between states.
Generality
• Sequential programs
• Multi-threaded programs
• Communicating processes and protocols
• Hardware circuits
• Biological systems
• . . .
-
What are Properties?
• Examples:
  • Can the system reach a deadlock state?
  • Can two processes access a shared resource at the same time?
  • Is the program in the correct state upon termination?
Classification
• Safety properties: nothing bad ever happens.
• Liveness properties: good things eventually happen.
• Fairness: something happens infinitely often or repeatedly.
• Specification formalisms
  • Temporal logic
  • Automata
-
Advantages of Model Checking
• Exhaustiveness (vs simulation)
  • All system states are checked, at least in theory.
  • Not biased toward the most likely scenarios (as in testing).
• Automated and fast (vs theorem proving)
  • Allows easy integration into the existing design flow.
• Diagnostic counter-examples speed up debugging
  • Help to pinpoint the source of the bug
• Specification logics easily express many concurrency properties.
  • Concise and rigorous.
• The process of modeling and specification itself can reveal a lot of
  • incompleteness, ambiguities, and inconsistencies.
• No proofs: why a system is correct is not important, and does not reveal much useful information.
  • Often used as an enhanced debugger.
-
State Explosion
• State space grows exponentially with the size of the system description.
  • System state space = product of component state spaces
  • Available memory cannot keep up with demand.
[Figure: state graph of a design with outputs li, lo, ri, ro and internal signals nor_fifo1, ce_fifo1]
-
State Explosion (1)
|S| = 116, |R| = 240
[Figure: state graph with outputs li, lo, ri, ro and internal signals nor_fifo1, nor_fifo2, ce_fifo1, ce_fifo2, r21, l12]
-
State Explosion (2)
|S| = 644, |R| = 1724
[Figure: state graph with internal signals nor_fifo1, nor_fifo2, nor_fifo3, ce_fifo1, ce_fifo2, ce_fifo3, t1, t2, li, lo, ri, ro, b1, b2]
s332
nor_fifo2+
ri+
ce_fifo2-
ce_fifo1+
s83
li-
s638
nor_fifo2+
t1+ ce_fifo3-
nor_fifo2+ro-
t1+li+
nor_fifo1- ce_fifo3+t2-
s599
li-
s4
nor_fifo3+
s250
li+
s139
li-
s121
ce_fifo3+
s483
t2-
s69
nor_fifo1-
s377
li- ce_fifo2-
s451
ce_fifo3+
s13
lo- ce_fifo2- nor_fifo3-li- ce_fifo2-
ce_fifo3+
s146
ce_fifo1+
s164
nor_fifo2+
ri+li+
ce_fifo1+ ce_fifo2-
li-
nor_fifo3-t2-nor_fifo1-ce_fifo3+nor_fifo1-
li-
nor_fifo2+
t1+li+ ce_fifo3-
s641
nor_fifo2+
t1+ ri+
s342
b2+
s169
li+
s548
li-
s218
ce_fifo2-
s472
lo- nor_fifo3-ce_fifo2-ce_fifo3+
s176
li+
s152
ce_fifo2-t1+ lo-
s326
t2- ce_fifo3+ nor_fifo1- ce_fifo2-
t2-
nor_fifo1- li-
nor_fifo3- li-
s305
nor_fifo1-nor_fifo3-t2-li-li- ce_fifo3+
s482
nor_fifo2+
t1+ ri+li+
ce_fifo1+ t2-
s563
nor_fifo3-
s613
ce_fifo2-
s157
t1+
s635
li+ lo-
s56
ce_fifo2-
s501
t1+ ce_fifo3+
s315
ce_fifo2- ce_fifo3+
s473
t1+li+
s348
t2- t2-li-lo- ce_fifo3+
ce_fifo2-
nor_fifo1- nor_fifo3-
ri+ nor_fifo2+
lo-
li- nor_fifo3-ce_fifo2- ce_fifo3+li+ nor_fifo1- t2-lo- t2- nor_fifo3-
b2-
ce_fifo1+
s66
ce_fifo2-
s241
t1+
s82
li+ nor_fifo3-
s162
t2-
s140
li+
s299
t1+
s632
li+
s22
t2- ce_fifo3+ nor_fifo3-
s323
li+ ce_fifo2-ce_fifo2- ce_fifo3+ t1+ ce_fifo2- nor_fifo3-t1+ ce_fifo3+
s506
t2- ce_fifo3+li+ t1+ lo-
s232
nor_fifo3- li- b2-lo- t2- nor_fifo1- b2-
ce_fifo3+
nor_fifo1-
ce_fifo2-
nor_fifo3-
ce_fifo1+
s388
t1+
s229
li+
s244
t2-
s404
li+ ce_fifo2-
s327
li+
s484
t1+ nor_fifo3-
s453
ce_fifo3+
s185
t2- nor_fifo3-ce_fifo2- t1+ t2- nor_fifo3-ce_fifo3+t1+
b2+
li+ ce_fifo3+ lo-
s545
b2-
ro+
nor_fifo1- nor_fifo2+
ro+
nor_fifo2+li-li+ nor_fifo3-t2- t1+ ce_fifo2-
ce_fifo3+
nor_fifo1-
t2-
s550
ce_fifo2-nor_fifo3-
s643
t2-
s406
nor_fifo3-t1+ce_fifo3+ li+
s568
t2-t1+ t2-li+ nor_fifo3-
s355
t2+
ce_fifo3+
t2-
ce_fifo1+
s560
b2-li+ t1+
ro+
s200
li-
ro+
lo- nor_fifo2+
nor_fifo1-
ce_fifo3+
ce_fifo2-nor_fifo3+
ro+
nor_fifo1-
s490
b2+
t1+
s246
ri-
s192
t2+
li+
ro+
s210
nor_fifo2+
s79
li+
s237
t1+
s88
t2-
s429
nor_fifo3+t2+
t1+ b2-nor_fifo3-
ce_fifo3+
ce_fifo2-ce_fifo1+t1+ nor_fifo3+
t1+ b2+
li+
ro+
lo-li+ b2-
s31
t1+t2+
s173
ro-
s399
b2-
ro+
s532
t1+
s372
li+
ro+
t1+ nor_fifo2+
s87
ri-
li+
s424
t2+ ri-
ro+
li+ nor_fifo2+
ce_fifo1+
b2+
s271
t2+
nor_fifo3+li+
s569
t1+ ri- t1+ t2+li+
s114
t1+t2+ nor_fifo3+
ro+
s52
nor_fifo2+
s629
ce_fifo3-
ro+
s525
b1+li+
s361
t2+ ro-
ro+
t1+
s405
ri-
t1+li+
s492
t1+ ro-
s266
t2+li+ ri-
t2+
t1+ nor_fifo3+li+
ce_fifo1+
nor_fifo3+
s112
t1+t2+ ri-
s9
li+ ro-
s636
ri+
s335
ro-li+ t1+
s378
ce_fifo2+
s231
ce_fifo1- ro+
s45
li+
s35
t1+t2+ ro-
ro+
b1+
s469
li+ ce_fifo3-
ri-
lo-
s183
t2+ ce_fifo3-
s590
t2+t1+ ri-li+
ce_fifo1+
ri-
s313
t1+ ce_fifo3-
s199
li+ ro-t2+
s518
t2+li+ ro-t1+
s503
ce_fifo3-t1+t2+
s477
li+ ri+
s312
lo- ro-
s538
li+
s289
ro+
s84
ce_fifo1-
s89
nor_fifo2-
s390
li+ ce_fifo2+
s549
t1-
s149
ro+
s19
t2+li+ ce_fifo3-
s150
ce_fifo3-t1+li+
ri-
t2+lo-
s188
t2+ ri+
s75
ro+
ri+
ce_fifo2+ce_fifo1- li+
s318
t1+ ri+
ce_fifo2+ce_fifo1-ro+
s394
t1+ ro+
s243
ce_fifo1-
s444
ro+
s247
nor_fifo2-
ri+
li+
s3
ce_fifo1-
s10
nor_fifo2-
s467
ro-
li-
ce_fifo2+
s311
ro+
s70
t1-
s153
t1+ ri+li+
li+ro+
s403
t1-
s434
nor_fifo2-
s502
lo- t2+ ro-
s463
ro+ ce_fifo2+li+ ro+ li+ ce_fifo1-
ri+
ce_fifo2+t1- li+
s136
ro-
nor_fifo1-
s344
ce_fifo3-li+ t1+ t2+
ri+
ce_fifo2+ce_fifo1-
s26
t2+ ri+li+
s556
ro+li+
s256
ro+ t2+
s135
ce_fifo3-lo-
s509
ri+t1+ t2+
s141
lo- ri+
s580
t2+t1+ ro+
s566
t1-
s601
nor_fifo2-
s168
ro+
ri+
s174
nor_fifo2-ce_fifo1-
ri+
s367
nor_fifo2-
s334
t1- li+
s296
ro-
nor_fifo1- li-
s595
ce_fifo3-nor_fifo1-
ri+
ce_fifo2+
s624
li+
ri+
ce_fifo1- li+
s324
ro-
nor_fifo1- t2+
s294
ce_fifo3-li-
s17
ro-
t2+li-
s349
t2+ ri+t1+li+
ri+
t1- ce_fifo2+
s322
ce_fifo3-lo- t2+
ce_fifo1-ro+
s122
nor_fifo2-ro+ li+ ro+ t1-li+
s493
ro-
ce_fifo1+
s101
ro+ t2+li+
ce_fifo2+ro+
s233
li+ ro+t1+
s600
nor_fifo1- ri+
ri+
s46
t1-
s527
li+
s481
ro-
t2+li-nor_fifo1-
s131
b1-
s278
li+ro+
s144
t2+ce_fifo3-nor_fifo1-
ri+
s489
li+ nor_fifo2-
s480
t2+ ce_fifo3-li-
s330
t2+lo- ri+
nor_fifo2-ro+ t1-ro+
ri+
ce_fifo2+
s11
ro-
ce_fifo1+ li-
s300
li- ri+
s412
li+ ro+t1+ t2+
s118
ce_fifo3-li-nor_fifo1-
s225
ro+lo-
ri+
ce_fifo1-
ri+
t1- nor_fifo2-
s314
ce_fifo1+ ce_fifo3-
s36
ro-
ce_fifo1+ t2+
s487
ri+li- t2+
s303
ce_fifo3-li-nor_fifo1- t2+
s53
ro+
s287
li+
s588
t2+
s593
nor_fifo1+
s51
ro+nor_fifo1-
s148
t2+ri+nor_fifo1-
s470
ce_fifo3-ce_fifo1+ li-
s207
ro+ b1-
s201
ro-
ce_fifo1+ t2+li-
li+
ce_fifo3- t1-
ri+
nor_fifo2-
s384
ro+li-
ro-
lo+
b1-ri+ li+
s125
li-nor_fifo1- ri+
ri+
t1-
s320
ce_fifo1+ ri+
s505
ce_fifo1+ t2+ce_fifo3-
s398
ro+lo- t2+
s48
ri+
s517
t2+
s215
li+
s522
nor_fifo1+
s562
ro+ t2+li-
s20
ce_fifo1+ t2+ce_fifo3-li-
s228
t2+ro+nor_fifo1-
s395
ce_fifo1+ ro+
s494
lo+ce_fifo3-
s514
ro-
li+
s478
ri+ce_fifo1+ li-
li+
ro-
t1-
li+
b1-ce_fifo3-
ri+
b1-
ro-
lo+t2+
s308
nor_fifo1- ri+li- t2+
s213
li-nor_fifo1- ro+
s116
nor_fifo1+ro+
s110
t2+ro+
s409
nor_fifo1+ li+li+ro+ t2+
s511
ce_fifo1+ t2+ri+
s223
ce_fifo3-
s513
t2+
s519
nor_fifo1+ li+
s27
ri+ t2+ce_fifo1+ li-
s44
li+ro-
nor_fifo1+
s37
lo+ t2+ce_fifo3-
s387
nor_fifo1- li- ro+ t2+
ri+
s34
li+
s341
nor_fifo1+
s558
li- ro+ce_fifo1+
s29
ce_fifo3-
nor_fifo1+
s582
ce_fifo1+ t2+ro+
s40
ro+
s575
t2+
s102
lo+ nor_fifo1+ t2+ri+
li+ ro-
b1-
s500
ri+lo+
s336
li+ce_fifo3-
s49
ro-
t2+ li+
li+ t2+ri+ li+ro+ ro+ nor_fifo1+
ro- li+
t2+nor_fifo1+ lo+ ri+ t2+ce_fifo3- li+nor_fifo1+ ri+ nor_fifo1+lo+ ro+ro+ce_fifo1+ t2+li- li+ri+li+t2+ce_fifo3-
ce_fifo3-
nor_fifo1+ t2+
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 43 / 49
-
Big Breakthroughs on State Explosion
• Symbolic model checking: Burch, Clarke, McMillan, Dill, and Hwang 90; Ken McMillan's thesis 92.
  • Encode the state space and the MC algorithms using Boolean formulas and operations.
• Partial order reduction: Valmari 90, Godefroid 90, Peled 94.
  • Mainly used to reduce redundant states in asynchronous design verification.
• Bounded model checking: Biere, Cimatti, Clarke, Zhu 99.
  • Targeted at finding bugs of fixed length.
  • Uses fast SAT solvers as the Boolean reasoning engine.
  • Can handle designs with thousands of state variables.
  • There are now many SAT-based unbounded methods.
• Counter-example guided abstraction refinement (CEGAR): Bob Kurshan 1994; Clarke, Grumberg, Jha, Lu, Veith 2000.
  • Used in most software model checkers.
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 44 / 49
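To make the bounded model checking bullet concrete, here is a small worked example written for these notes (it is not code from the slides, from SPIN/NuSMV, or from the cited papers). It unrolls a toy two-process mutual exclusion protocol for k steps, conjoins the negated property at step k, and hands the resulting CNF to a tiny DPLL solver; a real BMC tool builds the same kind of formula and calls an industrial SAT solver, which is exactly the leverage the slide points to. The protocol, its Boolean encoding (variables T_i, C_i, M per step) and the solver are all constructed assumptions for this example.

```python
"""Bounded model checking (BMC) of a toy two-process mutual exclusion protocol.

Constructed example: protocol, encoding and solver are written for illustration.
Each process is idle, trying or crit.  The (buggy) protocol lets a process move
to 'trying' only if the other one is not in 'crit', but then enters 'crit'
without re-checking, so both can end up in the critical section.  Exactly one
process moves per step; the other keeps its state.
"""

# Variables per unrolling step t: T_i (process i trying), C_i (process i in
# crit) for i in {0, 1}, and M (True = process 0 moves, False = process 1).
NAMES = ["T0", "C0", "T1", "C1", "M"]


def var(name, t):
    """DIMACS-style variable number for state variable `name` at step t."""
    return t * len(NAMES) + NAMES.index(name) + 1


def move_clauses(i, t, m):
    """Clauses for 'process i takes the step t -> t+1', guarded by literal m.
    Every clause starts with (not m), so it only bites when m holds."""
    j, g = 1 - i, -m
    T, C = var(f"T{i}", t), var(f"C{i}", t)
    Tn, Cn = var(f"T{i}", t + 1), var(f"C{i}", t + 1)
    Cj = var(f"C{j}", t)
    cls = [
        [g, T, C, Cj, Tn], [g, T, C, Cj, -Cn],  # idle, other not in crit -> trying
        [g, T, C, -Cj],                         # idle, other in crit -> cannot move
        [g, -T, -Tn], [g, -T, Cn],              # trying -> crit (no re-check: the bug)
        [g, -C, -Tn], [g, -C, -Cn],             # crit -> idle
    ]
    for n in (f"T{j}", f"C{j}"):                # the other process keeps its state
        cls += [[g, -var(n, t), var(n, t + 1)], [g, var(n, t), -var(n, t + 1)]]
    return cls


def dpll(clauses, assignment=None):
    """Minimal DPLL: unit propagation plus chronological backtracking.
    Returns a (partial) satisfying assignment {var: bool}, or None if UNSAT."""
    assignment = dict(assignment or {})
    while True:
        unit, pending = None, []
        for c in clauses:
            if any((l > 0) == assignment[abs(l)] for l in c if abs(l) in assignment):
                continue                        # clause already satisfied
            rest = [l for l in c if abs(l) not in assignment]
            if not rest:
                return None                     # all literals false: conflict
            if len(rest) == 1:
                unit = rest[0]
            pending.append(rest)
        clauses = pending
        if not clauses:
            return assignment
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0        # propagate the unit literal
    v = abs(clauses[0][0])                      # branch on the first open variable
    for val in (True, False):
        model = dpll(clauses, {**assignment, v: val})
        if model is not None:
            return model
    return None


def state_name(model, i, t):
    """Decode process i's state at step t from a satisfying assignment."""
    if model.get(var(f"C{i}", t)):
        return "crit"
    if model.get(var(f"T{i}", t)):
        return "trying"
    return "idle"


def bmc(max_k):
    """Unroll up to max_k steps; at each bound k ask the SAT solver whether both
    processes can be in crit.  Returns (k, trace) for the shortest
    counterexample, or None if the property holds within the bound."""
    clauses = [[-var(n, 0)] for n in NAMES[:4]]          # initial state: both idle
    for k in range(max_k + 1):
        for i in (0, 1):                                  # never trying and crit at once
            clauses.append([-var(f"T{i}", k), -var(f"C{i}", k)])
        violation = [[var("C0", k)], [var("C1", k)]]      # negated property at step k
        model = dpll(clauses + violation)
        if model is not None:
            return k, [(state_name(model, 0, t), state_name(model, 1, t)) for t in range(k + 1)]
        m = var("M", k)                                   # extend the unrolling by one step
        clauses += move_clauses(0, k, m) + move_clauses(1, k, -m)
    return None


if __name__ == "__main__":
    result = bmc(8)
    if result is None:
        print("no violation within the bound")
    else:
        print(f"mutual exclusion violated after {result[0]} steps:")
        for t, (p0, p1) in enumerate(result[1]):
            print(f"  step {t}: P0={p0:7} P1={p1}")
```

Running it reports a violation after 4 steps (both processes pass the check while the other is merely trying, then both enter). Note what BMC does and does not give you: bounds 0 to 3 come back UNSAT, which proves the bug needs at least 4 steps, but a None result from bmc(k) only says there is no counterexample of length at most k; the unbounded methods mentioned on the slide are what turn such a result into a proof.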
-
Success Stories of Model Checking
• Security: Needham-Schroeder encryption protocol
  • Error that remained undiscovered for 17 years
• Transportation systems
  • Train model containing 10^476 states
• Model checkers for C, Java and C++
  • Used (and developed) by Microsoft, Digital, NASA
  • Successful application area: device drivers
• Dutch storm surge barrier in Nieuwe Waterweg
• Software in the current/next generation of space missiles
• NASA's Mars Pathfinder, Deep Space-1, JPL LARS group
• An entire execution cluster in Intel Core i7 (CAV 2009).
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 45 / 49
-
Model Checking Tools
• Industry (Intel, IBM, Motorola) has been using MC more widely for obvious reasons.
• SMV: first symbolic model checker, many variants.
• VIS: logic synthesis and verification for synchronous circuits.
• SPIN/LTSA: an explicit model checker for SW verification.
• Uppaal/Kronos/ATACS: real-time system verification.
• HyTech: hybrid system verification.
• Cospan/FormalCheck: ω-automata/language inclusion.
• SteP/PVS: combination of model checking and theorem proving.
• SLAM: a project done at Microsoft for device driver verification.
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 46 / 49
-
Contents
1 Course Logistics
2 Verification − Why
3 Verification − Overview
4 Formal Verification and Model Checking
5 Course Topics
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 47 / 49
-
Topics to be Covered (Tentative)
• Introduction to the model checker SPIN
• Modeling concurrent software and hardware systems
• Basics of Linear Time Logic and model checking algorithms
• Introduction to the model checker NuSMV
• Basics of computational-tree logic and symbolic model checking algorithms
• If there is time, introduce Boolean SAT solving and bounded model checking
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 48 / 49
-
My Research
Building Secure, Trustworthy, Autonomous and Reliable Embedded (STAR) Systems

My Current Focus: Verifying Safety-Critical Embedded Systems

• Embedded systems are pervasive: cars, aircraft, medical devices, etc.
• Can we trust cars and aircraft?
Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 49 / 49