Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Posted 22-Dec-2015 (slide transcript)

Page 1: Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification

Marco A. Peña

Universitat Politècnica de Catalunya

Page 2:

Outline

  • Motivation

  • Simulation

  • Formal verification

    – Theorem proving

    – Model checking

  • State space exploration

  • Formal verification with relative timing

  • Conclusions

Page 3:

Motivation

Page 4:

Motivation: the problem

System complexity: continuous growth in scale and functionality

Probability of introducing design errors increases

System failures are unacceptable:

– Software: cost of updates, loss of credibility, etc.

– Embedded software: often no update possible

– Hardware: high cost of fabrication/replacement

– Safety-critical systems: catastrophic consequences

Delays in time-to-market, loss of money and of human lives!

Page 5:

Motivation: examples

1994: Floating-point divide unit of the Intel Pentium microprocessor

– Bug in the implementation of the division algorithm (missing entries in the lookup table of the SRT divider)

– About 475 million US $ (Intel's write-off for the replacement programme)

1996: Launch failure of the Ariane 5 rocket

– Unchecked conversion of a 64-bit floating-point value (horizontal velocity) to a 16-bit signed integer in the inertial reference software

– Self-destruction about 40 seconds after launch (the conversion overflowed about 37 seconds into the flight)

1986: Challenger space shuttle

– … What else?

Page 6:

Motivation: where do bugs come from?

Incorrect specifications

Misinterpretation of specifications

Misunderstandings between designers

Missed cases

Protocol non-conformance

And a long etcetera.

Page 7:

Motivation: what to do?

Develop methods to ensure system reliability

Detect and fix bugs at the early stages of the design flow

Verification:

– General bug-finding techniques

– Usually simulation

Formal verification:

– Methods for exhaustive coverage: every behaviour of the model is checked against the specified properties (so the result is only as good as the model and the properties)

– Use mathematical formalisms (logics, automata, etc.) and techniques to reason about the correctness of a system

Page 8:

Simulation

Page 9:

Simulation

Predominant verification method: intuitive idea

Construction of test cases: manually, randomly, etc.

"Heisenbug" paradigm: when you try to reproduce a bug, it never shows up

Example: (x+1)^2 = x^2 + 2x + 1 ? Checking a handful of values of x says nothing about the others

Page 10:

Simulation

Example:

– Concurrent processes A and B

– The two updates coincide only once every 10^10 operation cycles

Process A

.......

X := X + 1

.......

Process B

.......

X := X - 1

.......

Precondition: X = 0

Postcondition: X = 1 (!) when the two non-atomic updates interleave: both processes read X = 0 before either writes, A's write lands last and B's decrement is lost. A random simulation is very unlikely to hit this interleaving.

Page 11:

Simulation: typical experience

(Figure: bugs found versus time; the curve runs through the functional-testing phase, a "purgatory" phase and the product already in the market.)

Page 12:

Formal verification

Page 13:

Formal verification

Ensures consistency with the specification for all possible input patterns: exhaustive coverage

Requires:

– Formal model of the system

– Formal specification language: properties

– Reasoning method

Main strategies:

– Theorem proving

– Model checking

Page 14:

Formal verification

Example: (x+1)^2 = x^2 + 2x + 1 ? Proved once, symbolically, for every x rather than checked on sample values

Page 15:

Formal verification: theorem proving

Implementation and specification: formulas in some mathematical logic

Requires deep knowledge of the formalisms and proof techniques

The prover is often human (the tool checks the proof steps)

Useful for: arithmetic algorithms, etc.
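As an added illustration (not part of the slides), the identity from page 14 stated and proved in a proof assistant, assuming Lean 4 with Mathlib. The first proof is fully automatic; the second is the human-guided form, where the prover writes the intermediate statements and the lemma applied at each step, which is what "the prover is often human" means in practice:

```lean
import Mathlib.Tactic

-- The identity from the slides, stated once for every integer x instead of
-- being checked on sample values.  Assumes Lean 4 with Mathlib.

-- Fully automatic: `ring` is a decision procedure for commutative-ring identities.
theorem sq_succ (x : ℤ) : (x + 1) ^ 2 = x ^ 2 + 2 * x + 1 := by
  ring

-- The same fact as a human-guided proof: each step names the lemma applied,
-- and the tool only checks that the rewriting is valid.
theorem sq_succ' (x : ℤ) : (x + 1) ^ 2 = x ^ 2 + 2 * x + 1 := by
  calc (x + 1) ^ 2 = (x + 1) * (x + 1) := by rw [pow_two]
    _ = x * x + 1 * x + (x * 1 + 1 * 1) := by rw [mul_add, add_mul, add_mul]
    _ = x ^ 2 + 2 * x + 1 := by ring
```

Either proof covers all integers at once; no test-case construction is involved, which is the contrast with page 9.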

Page 16:

Formal verification: theorem proving

Major drawbacks: no guarantee that a proof will be found, complexity of the proof, no counterexample when the proof fails, …

Some impressive results:

– AMD K7 floating-point unit

– Combined with model checking: Intel P4 (Pentium 4) instruction decoder

Few automatic tools exist

Not a general solution:

– Too much expert human interaction

– Only for small problems or niche applications

Page 17:

Formal verification: model checking

The checker enumerates all the reachable states of the system and checks the property in each of them

Finite state space, but combinatorial explosion!

Symbolic methods, partial orders, abstractions, etc.

Several automatic tools and success stories exist
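An added example (not code from the slides) that puts the race of page 10 and the state enumeration of this page side by side. It models the two processes as non-atomic LOAD/STORE steps on a shared X, runs a random simulation in which the two updates land on a random cycle within a window of 10^10 (the slide's figure), and then does what a model checker does: a breadth-first enumeration of every interleaving, returning the counterexample trace. The step encoding and the cycle-based scheduling are this example's own assumptions:

```python
"""Lost-update race on a shared variable X: random simulation versus exhaustive
state enumeration (explicit-state model checking).  Added example; the
LOAD/STORE encoding and the cycle-based scheduler are assumptions."""
import random
from collections import deque

# Process 0 is A (X := X + 1), process 1 is B (X := X - 1).  Each update is a
# non-atomic LOAD (reg := X) followed by a STORE (X := reg + delta), as on a
# real machine.  Precondition X = 0; the property checked is "X = 0 at the end".
PROCS = (0, 1)
DELTA = (+1, -1)
NAMES = ("A", "B")
STEP_NAME = ("LOAD", "STORE")

# A state is (pc, reg, x): pc[p] in {0: before LOAD, 1: before STORE, 2: done}.
INITIAL = ((0, 0), (0, 0), 0)


def step(state, p):
    """Execute the next atomic step of process p; None if p has finished."""
    pc, reg, x = state
    if pc[p] == 0:                                   # LOAD: reg_p := X
        reg = tuple(x if i == p else reg[i] for i in PROCS)
        pc = tuple(1 if i == p else pc[i] for i in PROCS)
        return (pc, reg, x)
    if pc[p] == 1:                                   # STORE: X := reg_p + delta_p
        pc = tuple(2 if i == p else pc[i] for i in PROCS)
        return (pc, reg, reg[p] + DELTA[p])
    return None


def violates(state):
    """Safety property: once both processes are done, X must be 0 again."""
    pc, _, x = state
    return pc == (2, 2) and x != 0


def model_check():
    """Breadth-first exploration of every interleaving of atomic steps.

    Returns (number_of_reachable_states, counterexample), where counterexample
    is the list of (process, step) labels leading to a violating state, or None.
    """
    parent = {INITIAL: None}                         # state -> (predecessor, label)
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for p in PROCS:
            t = step(s, p)
            if t is not None and t not in parent:
                parent[t] = (s, (NAMES[p], STEP_NAME[s[0][p]]))
                queue.append(t)
    bad = [s for s in parent if violates(s)]
    if not bad:
        return len(parent), None
    trace, s = [], bad[0]
    while parent[s] is not None:                     # walk back to INITIAL
        s, label = parent[s]
        trace.append(label)
    return len(parent), trace[::-1]


def simulate(runs, window, seed=0):
    """Random simulation: each process issues its LOAD at a random cycle in
    [0, window) and its STORE one cycle later; same-cycle events are ordered by
    process index.  The lost update shows up only when the two windows touch,
    so with window = 10**10 (the slide's figure) it is practically never seen.
    Returns the number of runs that ended in a violating state.
    """
    rng = random.Random(seed)
    failures = 0
    for _ in range(runs):
        t_a, t_b = rng.randrange(window), rng.randrange(window)
        schedule = sorted([(t_a, 0, 0), (t_a + 1, 0, 1), (t_b, 1, 0), (t_b + 1, 1, 1)])
        state = INITIAL
        for _cycle, p, _kind in schedule:
            state = step(state, p)
        failures += violates(state)
    return failures


if __name__ == "__main__":
    print("simulation failures in 10,000 runs:", simulate(10_000, 10**10))
    n, cex = model_check()
    print(f"reachable states: {n}; counterexample: {cex}")
```

The whole system has 14 reachable states, and the checker finds the lost update after exploring them all; the simulation of ten thousand runs normally reports zero failures, which is the Heisenbug of page 9. The explosion of page 17 is already visible in the encoding: each extra process or extra step multiplies the state count, which is why the symbolic techniques that follow matter.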

Page 18:

Formal verification: model checking

Gaining acceptance but not yet widely used

Major drawbacks: state explosion problem and tools difficult to use for designers

Commercial tools start to appear: Abstract, Chrysalis, IBM, Lucent, Verysys, …

Companies have increasing interest: IBM, Intel, AT&T, etc. Opportunity!

Not a general solution on its own:

– Combination with theorem proving

– Combination with semi-formal strategies

Page 19:

State space exploration

Page 20:

State space exploration

Combinatorial explosion: the number of states grows exponentially with the number of state bits

Symbolic representations: BDDs (sets of states encoded as Boolean functions)

Page 21:

State space exploration

Some states do not exist (they are unreachable), but …

Page 22:

State space exploration

Time incorporates a new source of exponentiality!

Page 23:

Formal verification with Relative Timing

Page 24:

Verification approach: main features

Model checking-like approach for timed systems

Iterative, incremental refinement of the untimed state space by:

– Off-line timing analysis on small acyclic graphs, and

– Incorporation of Relative Timing constraints

Verification of temporal safety properties

BDD-based symbolic representation: large untimed state spaces

Backannotation: sufficient relative timing constraints for correctness are reported, or a counterexample trace

Page 25:

Verification approach: system model

Timed Transition Systems: Transition System + delay bounds ([min, max] intervals on the transitions)

Page 26:

Verification approach (diagram; no text extracted)

Page 27:

Verification approach (diagram; no text extracted)

Page 28:

Verification approach (diagram; no text extracted)

Page 29:

Verification approach (diagram; no text extracted)

Page 30:

Verification approach (diagram; no text extracted)

Page 31:

Verification approach (diagram; no text extracted)

Page 32:

Verification approach (diagram; no text extracted)

Page 33:

Verification approach: symbolic state space exploration and failure detection (diagram)

Page 34:

Verification approach

(Figure: failure states and a failure trace in the untimed state space; the event structure of that trace, with events x, a, b, c, g, d and delay bounds [1,2] and [3,4] on its arcs; timing analysis on the event structure; composition of the result back into the state space.)

Page 35:

Verification approach (figure from page 34 repeated)

Page 36:

Verification approach: flow
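An added example (not the author's tool or algorithm) of the off-line timing analysis that pages 24, 25 and 34 describe: an acyclic event structure with [min, max] delay bounds on its arcs, an earliest/latest firing-time analysis over it, and a check of whether an untimed failure trace is timing-feasible. When it is not, the orderings the trace violates are exactly the relative timing constraints to back-annotate. The event structure and the trace are constructed for the example (they are not the figure on page 34), and the interval propagation is a simplified version of such an analysis:

```python
"""Off-line timing analysis on a small acyclic event structure with delay
bounds, used to decide whether an untimed failure trace is timing-feasible and,
if not, which relative-timing constraint rules it out.  Added example; the
graph, the trace and the interval analysis are this example's assumptions."""
from collections import defaultdict

# Constructed example (not the slide's figure): each arc (pred -> event) carries
# a delay interval [lo, hi]; an event fires once all its predecessors have
# fired, plus its delay.  x is the root and fires at time 0.
EVENT_STRUCTURE = {
    "x": [],
    "a": [("x", 1, 2)],
    "b": [("x", 3, 4)],
    "c": [("a", 1, 2)],
    "d": [("b", 3, 4)],
}


def topological_order(graph):
    """Kahn's algorithm; raises ValueError on a cycle.  The analysis is only
    defined for acyclic graphs, which is why it runs on small unfoldings."""
    indeg = {e: len(preds) for e, preds in graph.items()}
    succ = defaultdict(list)
    for e, preds in graph.items():
        for p, _, _ in preds:
            succ[p].append(e)
    ready = sorted(e for e, d in indeg.items() if d == 0)
    order = []
    while ready:
        e = ready.pop(0)
        order.append(e)
        for s in succ[e]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    if len(order) != len(graph):
        raise ValueError("event structure is not acyclic")
    return order


def timing_bounds(graph):
    """Earliest and latest firing time of every event.  With AND-causality
    (wait for all predecessors) the earliest time is reached when every delay
    takes its minimum and the latest when every delay takes its maximum, so
    both bounds are exact."""
    bounds = {}
    for e in topological_order(graph):
        preds = graph[e]
        if not preds:
            bounds[e] = (0, 0)
            continue
        earliest = max(bounds[p][0] + lo for p, lo, _ in preds)
        latest = max(bounds[p][1] + hi for p, _, hi in preds)
        bounds[e] = (earliest, latest)
    return bounds


def must_precede(bounds, e1, e2):
    """True if e1 always fires strictly before e2.  Sufficient, not necessary:
    overlapping intervals do not prove that the other order is reachable
    (the two events may share a path, so their times are correlated)."""
    return bounds[e1][1] < bounds[e2][0]


def check_trace(graph, trace):
    """Relative timing check of an untimed (failure) trace.

    Returns the list of (earlier, later) orderings that the trace violates; an
    empty list means timing analysis cannot rule the trace out.  A non-empty
    list is the set of relative-timing constraints to back-annotate: assuming
    "earlier before later" removes this trace from the state space.
    """
    bounds = timing_bounds(graph)
    violated = []
    for i, later_in_trace in enumerate(trace):
        for earlier_in_trace in trace[:i]:
            # The trace claims earlier_in_trace fires before later_in_trace;
            # the delay bounds force the opposite order.
            if must_precede(bounds, later_in_trace, earlier_in_trace):
                violated.append((later_in_trace, earlier_in_trace))
    return violated


if __name__ == "__main__":
    print(timing_bounds(EVENT_STRUCTURE))
    # A failure trace in which d fires before c: infeasible under the bounds.
    print(check_trace(EVENT_STRUCTURE, ["x", "a", "b", "d", "c"]))
    # The same events with c before d: timing cannot exclude it.
    print(check_trace(EVENT_STRUCTURE, ["x", "a", "b", "c", "d"]))
```

For the constructed structure c fires in [2,4] and d in [6,8], so a failure trace that orders d before c is reported as infeasible together with the constraint "c before d"; a trace that orders c before d is not excluded and would remain a genuine counterexample. Because `must_precede` is only a sufficient test, the constraints it reports are always sound, but a trace it fails to exclude is not necessarily reachable.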

Page 37:

Conclusions

Page 38:

Conclusions

(Figure: probability of successful verification versus size of the system in state bits, on a log scale from 1 to 10^7 with 100% as the top of the vertical axis; the ranges marked "Research" and "Real systems" are shown along the size axis.)

Page 39:

Conclusions: research

Research in Spain: University

– PhD programs, FI/FPI grants

– Possible research stays at foreign universities/companies

Verification teams in companies grow much faster than design teams: opportunity!

Companies and research centers:

– USA and Europe

– PhD required

Page 40:

Conclusions: collaboration, projects, …

Long list of open problems:

– Real case studies: circuits, protocols, etc.

– Implementations of other techniques for comparison

– Parallel implementations: clusters, etc.

– Combination of techniques: formal and semi-formal, etc.

– …