Formal Verification ofSpecC Programs usingPredicate Abstraction

Himanshu Jain

Daniel Kroening

Edmund Clarke

Carnegie Mellon University

Introduction

System on chip design

Increase in complexity

Gate level (netlists)

Level Number of components

107

105

103

100

Ab

stra

ctio

n

System

Structural

Behavioral

…………

Introduction

Emergence of system design languages

HardwareC, SpecC, Handel-C, and SystemC

Based on C / C++

Allows joint modeling of both hardware and software components of a system

Support for bit vectors, concurrency, synchronization, exception handling

Verification support

Current model-checkers used in hardware industry work at netlist or RTL level

Languages like SpecC are more closer to concurrent software

Verification tools must reason about: Programming languages constructs Concurrency Pointers, Objects Bit vector operations like concatenation,

extraction

Talk outline

Introduction and motivation

SpecC

Our approach Abstraction Handling of concurrency constructs Model checking and refinement

Experimental results

Conclusion

SpecC Behaviorsevent e; int x;

behavior A () {

void main() { x = 42; notify e; }

};

behavior B () {

void main() { wait e; printf("Got %d\n", x); }

};

behavior Main {

A a1();

B b1();

int main () { par { a1.main(); b1.main(); } }

};

Object Instances

Object Instances

Event Declaration

Event Declaration

Generate Event

Generate Event

Wait for Event

Wait for Event

parallel execution

SpecC

Asynchronous interleaving semantics No atomicity is guaranteed SpecC provides multiple synchronization constructs

More SpecC operators

bit[7:0] a;

unsigned bit[16] b;

bit[31:0] SpecExample (bit[32] y)

{

bit [31:0] r;

a = 11001110b;

b[7:0] = a;

b = a @ y[7:0];

r = b@b;

return r;

}

Bit vectors

Extraction

Concatenation

Talk outline

Introduction and motivation

SpecC

Our approach Abstraction Handling of concurrency constructs Model checking and refinement

Experimental results

Conclusion

Abstraction Refinement Loop

SpecCProgramSpecC

ProgramConcurrent

BooleanProgram

ConcurrentBooleanProgram

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Spuriouscounterexample

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

[Kurshan et al. ’93]

[Clarke et al. ’00]

[Ball, Rajamani ’00]

Example for Predicate Abstraction

behavior main() { int i;

i=0;

while(even(i)) i++;}

behavior main() { int i;

i=0;

while(even(i)) i++;}

+ p1 i=0p2 even(i)

p1 i=0p2 even(i) =

void main() { bool p1, p2;

p1=TRUE; p2=TRUE;

while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }}

void main() { bool p1, p2;

p1=TRUE; p2=TRUE;

while(p2) { p1=p1?FALSE:nondet(); p2=!p2; }}

PredicatesSpecC program Boolean program

[Ball, Rajamani ’00]

[Graf, Saidi ’97]

Predicate Abstraction for SpecC

Use predicate abstraction to prove assertions or safety properties

Successfully applied for verification of C programs (SLAM, MAGIC, BLAST)

Predicate abstraction produces an over-approximation

Our approach

Abstract each thread seperately (we assume no recursion)

Let the modelchecker handle the interleavings between various abstract threads

|| || ||T1 T2 Tn

|| || ||B1 B2 Bn

Abstracting a single thread

Identify basic blocks and abstract each block separately

a = a + b[2:0];

i = 0;

while (i < 10) {

wait e1;

x[2:0] = y;

i++;

notify e2;

}

a = a + b[2:0];

i = 0;

x[2:0] = y;

i++;

Abstracting a single thread

Wait and notify translated to the abstract model directly

a = a + b[2:0];

i = 0;

while (i < 10) {

wait e1;

x[2:0] = y;

i++;

notify e2;

}

wait

notify

Problems with existing tools

Large number of expensive theorem prover calls – slow (2n £ 2n )

Over-approximation yields additional,unnecessary spurious counterexamples

Theorem prover works on natural numbers, but

SpecC uses bit-vectors false positives

Most theorem provers support only few operators(+, -, <, ≤, …), no bitwise operator

Abstraction of a basic block

Use a SAT solver for computing abstraction of a basic block

Successfully used for abstraction of C programs (Clarke et al, 2003)

Create a SAT instance which relates initial value of predicates, basic block, and the values of predicates after the execution of basic block

Abstraction of a basic block

+ +

Computing abstract transitions

Abstract transitions

(!p1 & !p1 & !p1 & !p’1 & !p’2 & p’3) 000 ) 001

(!p1 & !p2 & p3 & p’1 & !p’2 & !p’3) 001 ) 100

…………………….

Equation passed to the SAT solver

Abstraction of a basic block

Use SAT solver!

1. Generate query equation withpredicates as free variables

2. Transform equation into CNF usingBit Vector Logic

One satisfying assignment matchesone abstract transition

3. Obtain all satisfying assignments= most precise abstract transition relation

Abstraction of a basic block

Use SAT solver!

1. Generate query equation withpredicates as free variables

2. Transform equation into CNF usingBit Vector Logic

One satisfying assignment matchesone abstract transition

3. Obtain all satisfying assignments= most precise abstract transition relation

Advantages of using SAT

Use SAT solver!

1. Generate query equation withpredicates as free variables

2. Transform equation into CNF usingBit Vector Logic

One satisfying assignment matchesone abstract transition

3. Obtain all satisfying assignments= most precise abstract transition relation

This solves two problems:

1. Now can do all SpecC operators, including *, /, %, <<, @, [ x:y] etc.

2. Sound with respect to overflow

This solves two problems:

1. Now can do all SpecC operators, including *, /, %, <<, @, [ x:y] etc.

2. Sound with respect to overflow

No moreunnecessary

spurious counterexamples!

No moreunnecessary

spurious counterexamples!

Talk outline

Introduction and motivation

SpecC

Our approach Abstraction Handling of concurrency constructs Model checking and refinement

Experimental results

Conclusion

Handling concurrency constructs

Replace the par statements using wait and notify.

t1{

……..

}

t2 {

…….

}

main() {

par{ t1; t2}

}

main() {

notify start1, start2;

wait done1 & done2;

}

t1{

1: wait start1;

…………..

notify done1;

goto 1;

}

Wait and Notify

Introduce a boolean variable for each thread and event pair

t1 {

1: wait e;

}

t2 {

1: notify e;

}

Wait and Notify

t1 {

1: wait e;

}

t2 {

1: notify e;

}

t1 {

(e1 == 1) ) e1 = 0;

}

t2 {

e1 ,e2 := (1,1);

}

boolean e1, e2;

Abstraction Refinement Loop

SpecCProgramSpecC

ProgramConcurrent

BooleanProgram

ConcurrentBooleanProgram

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Spuriouscounterexample

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Abstraction Refinement Loop

SpecCProgramSpecC

ProgramConcurrent

BooleanProgram

ConcurrentBooleanProgram

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Spuriouscounterexample

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Counterexample

Simulating the Counterexample

Check if the abstract counterexample exists in the concrete model

Thread interleavings : T1[1] T2[1] T1[2] T1[3] ………

Simulation corresponds to a series of Bounded Model Checking instances

Abstraction Refinement Loop

ActualProgramActual

ProgramConcurrent

BooleanProgram

ConcurrentBooleanProgram

ModelChecker

Abstraction refinement

VerificationInitial

AbstractionNo error

or bug found

Spuriouscounterexample

Simulator

Propertyholds

Simulationsucessful

Bug found

Refinement

Talk outline

Introduction and motivation

SpecC

Our approach Abstraction Handling of concurrency constructs Model checking and refinement

Experimental results

Conclusion

Experimental Results

Property: Relation between data put in pipeline and data coming out of pipeline

Each stage is a thread

Runtime dominated by NuSMV

Experimental Results

PRED: artificial benchmark that requires a known number of predicates

ALUPIPE: Arithmetic properties of pipelined ALU

Summary of Results

Concurrent system-level models can be abstracted in a thread-modular way

In contrast to sequential models,the verification of the abstract model is the bottleneck

Future Work

Use partial order reduction

Object oriented languages: System-C based on C++

Better decision procedures for large programs Translation to arithmetic circuits can

sometimes be expensive

Questions?

References

SpecC Language tutorial. Available at http://www.ics.uci.edu/~specc/

Predicate Abstraction of ANSI-C Programs using SAT. Formal Methods in System Design. Edmund Clarke, Daniel Kroening, Natasha Sharygina, Karen Yorav.