Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work...

Reasoning about Timed Systems Using Boolean Methods

Reasoning about Timed Systems Using Boolean Methods

Sanjit A. SeshiaSanjit A. Seshia

EECS, UC BerkeleyEECS, UC Berkeley

Joint work withJoint work with

Randal E. Bryant (CMU)Randal E. Bryant (CMU)

Kenneth S. Stevens (Intel, now U. Utah)Kenneth S. Stevens (Intel, now U. Utah)

– 2 –

Timed SystemTimed System

A system whose correctness depends A system whose correctness depends not only on its not only on its functionalityfunctionality (what results (what results it generates), but also on its it generates), but also on its timelinesstimeliness (the time at which results are generated).(the time at which results are generated).

– 3 –

Real-Time Embedded SystemsReal-Time Embedded Systems

– 4 –

Self-Timed CircuitsSelf-Timed Circuits

– 5 –

Modeling & VerificationModeling & Verification

Timed System

Verify model

Model

– 6 –

Challenges with Timed SystemsChallenges with Timed Systems

State has 2 components:State has 2 components:– Boolean variables (Boolean variables (VV): model discrete state): model discrete state– Real-valued variables (Real-valued variables (XX): measure real time): measure real time

Infinitely-many statesInfinitely-many states– Has a finite representation (regions graph)Has a finite representation (regions graph)– But grows worse than |But grows worse than |XX| | ||XX||

– Verification is hard!Verification is hard!

– 7 –

Modeling & VerificationModeling & Verification

Timed System

Verify model

Model

Self-TimedCircuit

Timed Automaton

Model Checking

– 8 –

Message of This Talk: Leverage Boolean Methods

Message of This Talk: Leverage Boolean Methods

ModelingModeling– Use Boolean variables to model timing, where Use Boolean variables to model timing, where

possiblepossible

VerificationVerification– Use symbolic Boolean representations and Use symbolic Boolean representations and

algorithms operating on themalgorithms operating on them Binary Decision Diagrams (BDDs), Boolean Binary Decision Diagrams (BDDs), Boolean

satisfiability solvers (SAT)satisfiability solvers (SAT)

Why?Why?– Systems have complex Boolean behavior anywaySystems have complex Boolean behavior anyway– Great progress made in finite-state model Great progress made in finite-state model

checking, SAT solving, etc. over last 15 yearschecking, SAT solving, etc. over last 15 years

– 9 –

Talk OutlineTalk Outline

Motivating Problem: Verifying Self-Timed Motivating Problem: Verifying Self-Timed CircuitsCircuits

Generalized Relative TimingGeneralized Relative Timing

Circuits Circuits Timed Automata Timed Automata

Model Checking Timed AutomataModel Checking Timed Automata

Case StudiesCase Studies

Future Directions & Related ResearchFuture Directions & Related Research

– 10 –

Self-Timed (Asynchronous) CircuitsSelf-Timed (Asynchronous) Circuits

Many design styles useMany design styles use timing assumptions timing assumptions

Delay Independent

Gate-levelMetric Timing

Relative Timing: Relative Timing: [Stevens et al. ASYNC’99, TVLSI’03][Stevens et al. ASYNC’99, TVLSI’03] Circuit behavior constrained by relative orderingCircuit behavior constrained by relative ordering of signal transitionsof signal transitions

uu " Á v ""

Relative Timing

Burst Mode

– 11 –

Relative Timing (RT) Verification Methodology: 2 StepsRelative Timing (RT) Verification Methodology: 2 Steps

1.1. Check circuit functionality Check circuit functionality under timing under timing assumptionsassumptions Search the constrained state spaceSearch the constrained state space Model checkingModel checking

2.2. Verify timing assumptions themselvesVerify timing assumptions themselves Size circuit path delays appropriatelySize circuit path delays appropriately Static timing analysisStatic timing analysis

– 12 –

Pros and Cons of RTPros and Cons of RT

Advantages:Advantages:+ Applies to many design stylesApplies to many design styles+ Incremental addition of timing constraintsIncremental addition of timing constraints+ No conservatively set min-max delaysNo conservatively set min-max delays

Disadvantages:Disadvantages:– Cannot express metric timingCannot express metric timing– More work to be done on verification More work to be done on verification

Scaling upScaling up Validating timing constraints themselvesValidating timing constraints themselves

– 13 –

Our ContributionsOur Contributions

Generalized RTGeneralized RT– Can express some metric timingCan express some metric timing

Applied Fully Symbolic Verification TechniquesApplied Fully Symbolic Verification Techniques– Model circuits using timed automataModel circuits using timed automata

Metric timing modeled using real-valued variablesMetric timing modeled using real-valued variables Non-metric with BooleansNon-metric with Booleans

Performed Case SudiesPerformed Case Sudies– Including Global STP circuit Including Global STP circuit (published version of (published version of

Pentium-4 ALU ckt.)Pentium-4 ALU ckt.)

[Seshia, Stevens, & Bryant, ASYNC’05][Seshia, Stevens, & Bryant, ASYNC’05]

– 14 –








– 15 –

Generalizing Relative TimingGeneralizing Relative Timing

Delay Independent

Gate-levelMetric Timing

Relative Timing

Burst Mode

– 16 –

Circuit ModelCircuit Model

Variables (signals): Variables (signals): v1, v2, …, vn

Events (signal transitions): Events (signal transitions): ei is is vi " or or vi

Rules Rules – EEii ( (v1, v2, …, vn ) ) eeii

Timing ConstraintsTiming Constraints

"

– 17 –

Generalized Relative Timing (GRT) ConstraintGeneralized Relative Timing (GRT) Constraint ((eeii, , eejj)) : Time between : Time between eejj and previous and previous

occurrence of occurrence of eeii

Form of GRT constraint:Form of GRT constraint:

((eeii, , eejj) ) ·· ((eeii’’, , eekk) + ) + dd

eejjeeii

eekkeeii eeii’’ eejj

– 18 –

Special Case: Common Point-of-Divergence (PoD)Special Case: Common Point-of-Divergence (PoD) PoD constraint:PoD constraint:

((eei i , , eejj) ) ·· ((eei i , , eekk) ) Written as:Written as:

eei i !! eej j ÁÁ e ek k

An RT constraint traced back to its sourceAn RT constraint traced back to its source

eekkeeii eejj

– 19 –

Example: Point-of-Divergence (PoD) ConstraintExample: Point-of-Divergence (PoD) Constraint

""

"

cc !! acac ÁÁ bb

"

""

– 20 –

Example: Metric Timing Example: Metric Timing

((data_indata_in", , data_in_auxdata_in_aux")) ·· ((enableenable", , triggertrigger"))

– 21 –

Do We Need Metric Timing?Do We Need Metric Timing?

Useful for Useful for modular specificationmodular specification of timing constraints of timing constraints Also when delays are explicitly usedAlso when delays are explicitly used

– 22 –

Verifying Generalized Relative Timing ConstraintsVerifying Generalized Relative Timing Constraints Use static timing analysis to compute min-max Use static timing analysis to compute min-max

path delayspath delays

To verify:To verify:

((eeii, , eejj) ) ·· ((eeii’’, , eekk) + ) + dd

We verify that:We verify that:

max-delay( max-delay( eeii ÃÃ eejj ) ) ·· min-delay( min-delay( eeii’’ ÃÃ eek k ) + ) + dd

– 23 –








– 24 –

Modeling Timed CircuitsModeling Timed Circuits

Need to model:Need to model:

RulesRules (“Boolean” behavior) and (“Boolean” behavior) and TimingTiming

Our formalism:Our formalism: Timed Automata Timed Automata [Alur & Dill, ’90] [Alur & Dill, ’90]

– Generalization of finite automataGeneralization of finite automata– State variables:State variables:

Boolean (circuit signals) Boolean (circuit signals) Real-valued timers or “clocks” (impose timing Real-valued timers or “clocks” (impose timing

constraints) constraints) – Operations: (1) compare with constant, (2) reset to zeroOperations: (1) compare with constant, (2) reset to zero

We model non-metric timing with BooleansWe model non-metric timing with Booleans

– 25 –

Enforcing Timing with BooleansEnforcing Timing with Booleans

""

"

cc !! acac ÁÁ bb

"

""

1.1.cc sets a bit

2.2.acac resets it

3.3.b b cannot occur while the bit is set

"

"

"

– 26 –

Enforcing Timing with Timer VariablesEnforcing Timing with Timer Variables


– 27 –

• data_indata_in sets x1 to 0

• data_in_aux data_in_aux must occur while x1 · c

• enable enable sets x2 to 0

• trigger trigger can only occur if x2 ¸ c

c determined just as in other metric timing styles

"

"

"

"

Enforcing Timing with Timer VariablesEnforcing Timing with Timer Variables


– 28 –

Booleans vs. TimersBooleans vs. Timers

Most timing constraints tend to be PoDMost timing constraints tend to be PoD

So few real-valued timer variables used in So few real-valued timer variables used in practicepractice

– 29 –








– 30 –

StateState

Boolean part: assignment to signalsBoolean part: assignment to signals

Real-valued part: relation between timersReal-valued part: relation between timers

v1 = 0, v2 = 1, v3 = 0, . . .

x1 ¸ 0 Æ x2 ¸ 0 Æ x1 ¸ x2

x1

x2

symbolic representation

– 31 –

Symbolic Model Checking of Timed AutomataSymbolic Model Checking of Timed Automata

,

,

,

, ,

,

. . . . . .

Examples: ATACS [Myers et al.], Kronos [Yovine, Maler, et al.], Uppaal [Larsen, Yi, et al.], …

– 32 –

Fully Symbolic Model CheckingFully Symbolic Model Checking

Symbolically represent sets of signal assignments with corresponding relations between timers

v1 Ç v2

Æ x1 ¸ 0 Æ x2 ¸ 0 Æ x1 ¸ x2

.

.

.

,

– 33 –

Our Approach to Fully Symbolic Model CheckingOur Approach to Fully Symbolic Model Checking

Based on algorithm given by Henzinger et al.Based on algorithm given by Henzinger et al.(1994)(1994)

Core model checking operationsCore model checking operations– Image computation Image computation Quantifier elimination in quantified difference logicQuantifier elimination in quantified difference logic – Termination check Termination check Satisfiability checking of difference logicSatisfiability checking of difference logic

Our Approach: Use Boolean encodingsOur Approach: Use Boolean encodings– Quantified difference logic Quantified difference logic

Quantified Boolean logic Quantified Boolean logic– Difference logic Difference logic Boolean logic Boolean logic– Use BDDs, SAT solversUse BDDs, SAT solvers

[Seshia & Bryant, CAV’03][Seshia & Bryant, CAV’03]

– 34 –

Example: Termination CheckExample: Termination Check

Have we seen all reachable states of the Have we seen all reachable states of the systems?systems?

Satisfiability solving in Difference LogicSatisfiability solving in Difference Logic

µ

?

– 35 –

Solving Difference Logic via SATSolving Difference Logic via SAT

x ¸ y Æ y ¸ z Æ z ¸ x+1

e1 Æ e2 ) :e3

ÆOverall Boolean Encoding

Transitivity Constraint

e1

y ¸ z

z ¸ x+1

x ¸ y

e2

e3

e1 Æ e2 Æ e3

– 36 –

A More Realistic SituationA More Realistic Situation

Ç

Æ:

Ç

Æ

Ç

.

.

.

x ¸ y

y ¸ z

z ¸ x+1

x ¸ y Æ y ¸ z Æ z ¸ x+1 Æ . . . is a term in the SOP (DNF)

– 37 –








– 38 –


Global STP CircuitGlobal STP Circuit– Self-resetting domino ckt. in Pentium-4 ALUSelf-resetting domino ckt. in Pentium-4 ALU– Analyzed published ckt. Analyzed published ckt. [Hinton et al., JSSC’01][Hinton et al., JSSC’01]

GasP FIFO Control GasP FIFO Control [Sutherland & Fairbanks, ASYNC’01][Sutherland & Fairbanks, ASYNC’01]

STAPL Left-Right Buffer STAPL Left-Right Buffer [Nystrom & Martin, ’02][Nystrom & Martin, ’02]

STARI STARI [Greenstreet, ’93][Greenstreet, ’93]

– 39 –

Footed and Unfooted Domino InvertersFooted and Unfooted Domino Inverters

– 40 –

Global STP Circuit (simplest version at gate-level)Global STP Circuit (simplest version at gate-level)

ck

out

""

" ""

" "res

– 41 –

Global STP Circuit: Sample ConstraintGlobal STP Circuit: Sample Constraint

ck

out

""

" ""

" "res

ck

res

"

ckck !! ckck ÁÁ resres "

"

– 42 –

Global STP Circuit: An ErrorGlobal STP Circuit: An Error

ck

out

""

r

s

"

We want: red < blue7 transitions < 5 transitions

– 43 –

Comparison with ATACSComparison with ATACS

Model checking for absence of short-circuitsModel checking for absence of short-circuits

CircuitCircuit Number Number of Signalsof Signals

Time for our model checker, Time for our model checker,

TMV (in sec.)TMV (in sec.)

Global Global STPSTP 2828 66.3266.32

GasP-10 GasP-10 stagesstages 6060 26.1026.10

STAPL-3 STAPL-3 stagesstages 3030 278.05 278.05

ATACS did not finish within 3600 sec. on any

– 44 –

Comparison with ATACS on STARIComparison with ATACS on STARI

– 45 –

Related WorkRelated Work

ModelingModeling– Gate-level Metric TimingGate-level Metric Timing

Timed Petri Nets, TEL, … Timed Petri Nets, TEL, … [Myers, Yoneda, et al.][Myers, Yoneda, et al.] Timed Automata-based Timed Automata-based [Maler, Pnueli, et al.][Maler, Pnueli, et al.]

– Chain Constraints Chain Constraints [Negulescu & Peeters][Negulescu & Peeters]

– Relative Timing Relative Timing [Stevens et al.][Stevens et al.] Lazy transition systemsLazy transition systems [Pena et al.] [Pena et al.]

– Symbolic Gate Delays Symbolic Gate Delays [Clariso & Cortadella][Clariso & Cortadella]

VerificationVerification– For circuits, mostly restricted to just symbolic For circuits, mostly restricted to just symbolic

techniques techniques [e.g., ATACS][e.g., ATACS]

– 46 –








– 47 –

SummarySummary

Leverage Boolean Methods for Timed SystemsLeverage Boolean Methods for Timed Systems– Modeling: Modeling: generalized relative timinggeneralized relative timing– Verification: Verification: fully symbolic model checkingfully symbolic model checking

Using BDDs, SATUsing BDDs, SAT

Demonstrated Application: Modeling and Demonstrated Application: Modeling and Verifying Self-Timed Circuits Verifying Self-Timed Circuits

– 48 –

Future Directions: Model GenerationFuture Directions: Model Generation

Timed System

Model

Needs to be automated

Main Challenge: Automatic generation of timing constraints

Idea: Machine learning from simulated runs (successful and failing)

– 49 –

Future Directions: New ApplicationsFuture Directions: New Applications

Distributed Real-time Embedded SystemsDistributed Real-time Embedded Systems– E.g., sensor networksE.g., sensor networks– Operate asynchronouslyOperate asynchronously– Lots of concurrencyLots of concurrency– Timeliness importantTimeliness important

Will generalized relative timing work for this Will generalized relative timing work for this application?application?

– 50 –

Related Research ProjectRelated Research Project

UCLIDUCLID– Modeling & Verifying Infinite-State SystemsModeling & Verifying Infinite-State Systems– Focus: Integer arithmetic, Data Structures (arrays, Focus: Integer arithmetic, Data Structures (arrays,

memories, queues, etc.), Bit-vector operations,…memories, queues, etc.), Bit-vector operations,…– Applications: Program verification, Processor Applications: Program verification, Processor

verification, Analyzing security propertiesverification, Analyzing security properties E.g., detecting if a piece of code exhibits malicious E.g., detecting if a piece of code exhibits malicious

behavior (worm/virus)behavior (worm/virus)

Also based on Boolean MethodsAlso based on Boolean Methods– Problems in first-order logic translated to SATProblems in first-order logic translated to SAT

Programming Systems seminar, Oct. 24 ’05Programming Systems seminar, Oct. 24 ’05

– 51 –

Thank you !

More information atMore information athttp://www.eecs.berkeley.edu/~sseshia/research.htmlhttp://www.eecs.berkeley.edu/~sseshia/research.html

Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work...

Documents

Transcript of Reasoning about Timed Systems Using Boolean Methods Sanjit A. Seshia EECS, UC Berkeley Joint work...