Formal Verification of Safety Properties in Timed Circuits. Marco A. Peña (Univ. Politècnica de Catalunya), Jordi Cortadella (Univ. Politècnica de Catalunya), Alex Kondratyev (Theseus Logic Inc.), Enric Pastor (Univ. Politècnica de Catalunya). Slide transcript, posted 19-Dec-2015.

Formal Verification of Safety Properties in Timed Circuits

Marco A. Peña (Univ. Politècnica de Catalunya)

Jordi Cortadella (Univ. Politècnica de Catalunya)

Alex Kondratyev (Theseus Logic Inc.)

Enric Pastor (Univ. Politècnica de Catalunya)

[Figure: example circuit with signals a, b, x, y, c and its signal transition graph (a+ b+, x+ y+, c+, c-, a- b-, x-, x+ y-, y+ x-)]

Are there any hazards or glitches?

Outline

• Preliminaries
• Transition systems and timing constraints
• From absolute to relative timing
• State space refinement by timing constraints
• Verification algorithm
• Results and conclusions

Gate Delay Model

[Figure: two gates with delay intervals d ∈ [3,5] and d ∈ [2,4], and the waveforms of signals X, Y, Z annotated with the bounds 3, 5 and 2, 4]

A circuit is a concurrent system

• Gates: processes
• Delays: computation times
• Signal transitions: events

Previous work

Time separation of events
– McMillan & Dill (1992): min/max constraints in acyclic graphs
– Hulgaard & Burns (1994): max constraints for cyclic graphs with choice

Zone automata
– Dill (1989): clock zones represented as conjunctions of timing constraints (difference-bound matrices)
– Rokicki, Myers, Belluomini (1994, 1998): partial orders to reduce the number of geometric regions (ATACS)
– Maler (1995): timed polyhedra (Open KRONOS)

Incremental refinement
– Alur et al. (1995): timing constraints added as needed (COSPAN, timed automata)
– Balarin & Sangiovanni-Vincentelli (1995): trace-based refinement
– Negulescu (1997): process spaces (FIREMAPS)

Our approach

• Time separation of events (McMillan & Dill, 1992: min/max constraints in acyclic graphs) for absolute timing analysis
• Incremental refinement by acyclic graphs with relative timing

Our approach: features

• Applicable to timed transition systems, with any type of causality relations
• Verification of temporal safety properties
• BDD-based symbolic representation (large untimed state spaces can be handled)
• Backannotation: sufficient (relative) timing constraints for correctness are reported

Transition systems and timing constraints

Transition System

• States
• Transitions
• Events

[Figure: transition system of the running example; arcs are labelled with the events x, a, b, c, d, g, y]

Firing Region (a)

[Figure: the transition system with the firing region of event a highlighted]

Firing Region (b)

[Figure: the transition system with the firing region of event b highlighted]

Concurrency

a || b

[Figure: the transition system with the firing regions of the concurrent events a and b highlighted]

AND causality

[Figure: firing region FR(d) of event d, which has AND causality with respect to its triggers]

OR causality

[Figure: firing region FR(c) of event c, which has OR causality with respect to its triggers]

Property

• g must fire before d after having fired x

[Figure: the property on the transition system]

Timed Transition System (Manna, Pnueli)

• Transition system
• Min/max delays: (a) [1,2], (b) [1,2], (c) [2.5,3], (g) [0.5,0.5]; d, x, y: no bounds ([0, ∞))

[Figure: the transition system annotated with these delays]

From absolute to relative timing

{x} →x→ {a,b} →a→ {b,c,g} →b→ {c,g} →c→ {d,g} →d→ {g} →g→ Ø

[Figure: the transition system with this trace highlighted; each state is labelled with its set of enabled events]

• An event e can only become enabled at the time another event e' fires (e' triggers e): {e', ...} →e'→ {e, ...}

Timing-consistent trace

{x} →x→ {a,b} →a→ {b,c,g} →b→ {c,g} →c→ {d,g} →d→ {g} →g→ Ø

• Time assignment t1 ≤ t2 ≤ ... ≤ t6 to the event firings x, a, b, c, d, g such that every firing lies within the delay window opened by its trigger, e.g. min(g) ≤ t6 − t2 ≤ max(g) for g, which is triggered by a

[Figure: the trace on a time axis, each event with its firing time t1 ... t6 and the window opened by its trigger]

Event structure from a trace

{x} →x→ {a,b} →a→ {b,c,g} →b→ {c,g} →c→ {d,g} →d→ {g} →g→ Ø

[Figure: the event structure is built one event at a time from the trace x a b c d g, with an arc from each event to the events it triggers: x → a, x → b, a → c, a → g, b → d, c → d]

Trace and event structure are enabling compatible

Further traces of the transition system that are enabling compatible with the same event structure:

• {x} →x→ {a,b} →b→ {a} →a→ {c,g} →c→ {d,g} →d→ {g} →g→ Ø (x b a c d g)
• {x} →x→ {a,b} →a→ {b,c,g} →c→ {b,g} →g→ {b} →b→ {d} →d→ Ø (x a c g b d)
• {x} →x→ {a,b} →a→ {b,c,g} →g→ {b,c} →b→ {c} →c→ {d} →d→ Ø (x a g b c d)

Timed event structure: x → a [1,2], x → b [1,2], a → c [2.5,3], a → g [0.5,0.5], b → d [0,∞), c → d [0,∞)

Maximum Time Separation (McMillan & Dill, 1992)

max τ(g) − τ(d) = −2

g therefore always fires at least 2 time units before d, so any trace in which d fires before g is not timing consistent.

From absolute to relative timing

[Figure: the traces above compared against the timed event structure; orderings that contradict the absolute delays are discarded]

• Timed event structure: min and max delay for each event

Theorem: The trace is timing consistent iff it is an enabling-compatible trace of the timed event structure

State space refinement by timing constraints

[Figure: the transition system alongside the event structure x → a, x → b, a → c, a → g, b → d, c → d; each trace of the transition system is followed on the event structure one event at a time]

Enabling compatible

[Figure: a trace of the transition system that is enabling compatible with the event structure]

Not enabling compatible

[Figure: traces of the transition system that are not enabling compatible with the event structure]

Timing analysis

[Figure: the transition system is pruned step by step: states and transitions that are not enabling compatible with the timed event structure are removed, leaving the refined state space]

Verification algorithm

Symbolic state space exploration and failure detection

• Border of failure states
• Failure trace
• Event structure
• Timing analysis
• Composition

[Figure: the event structure x → a, x → b, a → c, a → g, b → d, c → d extracted from the failure trace]

[Figure: composition of the transition system (states r, s, t, u, w) with the event structure (states i, j, k)]

Backannotation (sufficient timing constraints)

Convergence of the algorithm

• Nodal points
• All cycles cut by nodal points
• Finite number of traces between nodal points
• Convergence and exact results guaranteed

Implementation issues

• Event structure: calculated from the shortest suffix that invalidates the failure trace
• Composition: slight modification of the transition relation (one extra boolean variable to indicate enabling compatibility)
• State encoding: n bits for untimed states, n+k bits for timed states (k event structures used for timing analysis)
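The refinement loop above, run on the slides' running example, as an added example in Python (not the authors' code, which is BDD-based). Assumptions made here: the event structure and delays are the ones the slides build from the trace x a b c d g, read from the enabled-set sequence as x triggering a and b, a triggering c and g, and d needing both b and c; the untimed state space is that single acyclic run, explored explicitly by breadth-first search rather than symbolically; the maximum time separation is computed by exhaustive enumeration of the delay-interval endpoints (exact on max-causality DAGs, argued in the docstring) rather than by the McMillan & Dill algorithm; an infinite delay bound is replaced by a large constant; and the failure states of the property "g must fire before d" are those in which d has fired while g has not. `ARCS`, `verify`, `max_separation` and `contradicted_orderings` are names introduced here.

```python
"""Refinement by relative timing on the slides' running example (added example,
not the authors' code): absolute delays are analysed on the acyclic event
structure of a failure trace and fed back as relative ordering constraints."""
import math
from collections import deque
from itertools import product

INF = math.inf
# Constructed from the slides: (trigger e', event e) -> [min, max] delay, AND
# causality, so t(e) = max over triggers of t(e') + delay.  d is unconstrained.
ARCS = {("x", "a"): (1.0, 2.0), ("x", "b"): (1.0, 2.0),
        ("a", "c"): (2.5, 3.0), ("a", "g"): (0.5, 0.5),
        ("b", "d"): (0.0, INF), ("c", "d"): (0.0, INF)}


def firing_times(arcs, delay):
    """Firing time of every event for one concrete delay assignment (DAG only)."""
    t, pending = {}, {e for arc in arcs for e in arc}
    while pending:
        e = next(e for e in sorted(pending)
                 if all(p in t for (p, q) in arcs if q == e))
        t[e] = max((t[p] + delay[(p, q)] for (p, q) in arcs if q == e), default=0.0)
        pending.remove(e)
    return t


def max_separation(arcs, u, v, big=1e6):
    """max over all timings of t(u) - t(v), enumerating interval endpoints.
    Exact for max-causality DAGs: with the other delays fixed, t(u) - t(v) is
    monotone in any single delay (each t is a max of path sums, slope 0 or 1
    in that delay), so an extremum lies at an endpoint.  `big` stands in for INF."""
    keys, best = list(arcs), -INF
    for corner in product((0, 1), repeat=len(keys)):
        delay = {k: min(arcs[k][bit], big) for k, bit in zip(keys, corner)}
        t = firing_times(arcs, delay)
        best = max(best, t[u] - t[v])
    return best


def contradicted_orderings(arcs, trace):
    """(later, earlier, sep) for orderings in `trace` that the delays forbid:
    earlier-before-later needs max(t(later) - t(earlier)) >= 0, so a negative
    value means `later` always fires first: a relative constraint to report."""
    hits = []
    for i, earlier in enumerate(trace):
        for later in trace[i + 1:]:
            sep = max_separation(arcs, later, earlier)
            if sep < 0:
                hits.append((later, earlier, sep))
    return hits


def enabled(arcs, fired, constraints=frozenset()):
    """Events enabled in untimed state `fired` (set of fired events), keeping only
    transitions enabling compatible with the relative constraints (p before q)."""
    return [e for e in sorted({e for arc in arcs for e in arc}) if e not in fired
            and all(p in fired for (p, q) in arcs if q == e)
            and all(p in fired for (p, q) in constraints if q == e)]


def find_failure_trace(arcs, constraints, bad):
    """BFS over the pruned state space; first trace reaching a state where bad holds."""
    start = frozenset()
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, trace = queue.popleft()
        if bad(state):
            return trace
        for e in enabled(arcs, state, constraints):
            nxt = state | {e}
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [e]))
    return None


def verify(arcs, bad=lambda s: "d" in s and "g" not in s, max_iters=10):
    """Refinement loop; `bad` marks failure states (default: the slides' property
    'g must fire before d').  Returns (verdict, relative constraints, trace)."""
    constraints = set()
    for _ in range(max_iters):
        trace = find_failure_trace(arcs, constraints, bad)
        if trace is None:
            return "correct", constraints, None       # constraints are sufficient
        # Event structure of the failure: fired events plus those still enabled
        # in the failure state, which the trace assumes fire only afterwards.
        extended = trace + sorted(enabled(arcs, frozenset(trace)))
        es = {a: d for a, d in arcs.items() if set(a) <= set(extended)}
        new = {(p, q) for (p, q, _) in contradicted_orderings(es, extended)}
        if new <= constraints:
            return "failure", constraints, trace      # timing consistent: real bug
        constraints |= new
    return "undecided", constraints, None


if __name__ == "__main__":
    print(max_separation(ARCS, "g", "d"))   # -2.0, as on the slide
    print(verify(ARCS))
```

`max_separation(ARCS, "g", "d")` reproduces the slide's max τ(g) − τ(d) = −2, and `verify(ARCS)` returns the verdict "correct" together with the backannotated relative constraints g before c and g before d, which are exactly the orderings the first failure trace x a b c d (with g still enabled) violated. With a slower g, for instance delay [3,3], no ordering is contradicted and that trace is reported as a real failure. One caveat on the verdict: `contradicted_orderings` checks pairs, and pairwise feasibility does not guarantee a joint time assignment, so "failure" here is a conservative report of a trace the pairwise test could not rule out, whereas "correct" is sound because every pruned transition really is contradicted by the delays.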

Experimental results

name             gates   untimed states   failure states   iters.   correct?   CPU (s)
sbuf-read-ctl       10               74               16        3   Y                1
rcv-setup            6               78               34        2   N                1
alloc-outbound      11               82               20        3   Y                2
ebergen              9               83               22        1   N                1
mp-forward-pkt       8              186               70        3   Y                2
dff                  6              255              164        6   N                2
half                 7              227              133        1   N                1
chu133               9              288              204        4   N                2
converta            12              408              244        6   N                6
nowick              10              510              292        2   Y                2
chu150               8              520              339        7   N                5
sbuf-send-ctl       13             1592             1081        3   N                5
rpdtf                8             2612             1841        2   N                2
sbuf-send-pkt2      13             4544             4044       11   N               30
vme                 15            10568             8655       13   N              137
sbuf-ram-write      15            14016            12362        4   N               37
ram-read-sbuf       16            19328            17488        5   Y               36
mr1                 16            21076            11574        7   Y               31
mr0                 20           727304           642291       12   Y              225
tsend-bm            12           763608           717561        3   N              185
trimos-send         24            2.1E6            1.8E6        1   N              200
mmu                 22            5.6E6            5.2E6        3   N              470

Conclusions

• Timing analysis with absolute delays typically produces unmanageable state spaces
• Temporal properties (no glitches, mutual exclusion, no conflicts) can be posed as relative timing constraints
• Strategy: combine absolute timing (for analysis) with relative timing (for state space calculation)
• Backannotation: important in the design flow and for sensitivity analysis