Formal Verification of SpecC Programs using Predicate Abstraction

1
Formal Verification ofSpecC Programs
usingPredicate Abstraction

• Himanshu Jain
• Daniel Kroening
• Edmund Clarke
• Carnegie Mellon University

2
Introduction

• System on chip design
• Increase in complexity

Number of components
Level
100
103
Abstraction
105
Gate level (netlists)
107
3
Introduction

• Emergence of system design languages
• HardwareC, SpecC, Handel-C, and SystemC
• Based on C / C
• Allows joint modeling of both hardware and
  software components of a system
• Support for bit vectors, concurrency,
  synchronization, exception handling

4
Verification support

• Current model-checkers used in hardware industry
  work at netlist or RTL level
• Languages like SpecC are more closer to
  concurrent software
• Verification tools must reason about
• Programming languages constructs
• Concurrency
• Pointers, Objects
• Bit vector operations like concatenation,
  extraction

5
Talk outline

• Introduction and motivation
• SpecC
• Our approach
• Abstraction
• Handling of concurrency constructs
• Model checking and refinement
• Experimental results
• Conclusion

6
SpecC Behaviors
Event Declaration
event e int x behavior A () void main()
x 42 notify e behavior B () void
main() wait e printf("Got d\n", x)
behavior Main A a1() B b1() int
main () par a1.main() b1.main()
Generate Event
Wait for Event
Object Instances
parallel execution
7
SpecC

• Asynchronous interleaving semantics
• No atomicity is guaranteed
• SpecC provides multiple synchronization
  constructs

8
More SpecC operators
Bit vectors
bit70 a unsigned bit16 b bit310
SpecExample (bit32 y) bit 310 r
a 11001110b b70 a b
a _at_ y70 r b_at_b return r

Extraction
Concatenation
9
Talk outline

• Introduction and motivation
• SpecC
• Our approach
• Abstraction
• Handling of concurrency constructs
• Model checking and refinement
• Experimental results
• Conclusion

10
Abstraction Refinement Loop
Initial Abstraction
Verification
No erroror bug found
SpecCProgram
ModelChecker
Concurrent BooleanProgram
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Kurshan et al. 93
Clarke et al. 00
Spurious counterexample
Ball, Rajamani 00
11
Example for Predicate Abstraction
void main() bool p1, p2 p1TRUE
p2TRUE while(p2) p1p1?FALSEnondet()
p2!p2
behavior main() int i i0
while(even(i)) i


p1 ? i0 p2 ? even(i)
Predicates
SpecC program
Boolean program
Graf, Saidi 97
Ball, Rajamani 00
12
Predicate Abstraction for SpecC

• Use predicate abstraction to prove assertions or
  safety properties
• Successfully applied for verification of C
  programs (SLAM, MAGIC, BLAST)
• Predicate abstraction produces an
  over-approximation

13
Our approach

• Abstract each thread seperately (we assume no
  recursion)
• Let the modelchecker handle the interleavings
  between various abstract threads

Tn



T1
T2



B1
B2
Bn
14
Abstracting a single thread

• Identify basic blocks and abstract each block
  separately

a a b20 i 0 while (i lt 10)
wait e1 x20 y i notify
e2
a a b20 i 0
x20 y i
15
Abstracting a single thread

• Wait and notify translated to the abstract model
  directly

a a b20 i 0 while (i lt 10)
wait e1 x20 y i notify
e2
wait
notify
16
Using theorem prover for abstraction
Predicates
Basic Block
Formula
i
Query
p1 p2 p3
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
p1 p2 p3
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
?
?

Current Abstract State
Next Abstract State
17
Using theorem prover for abstraction
Predicates
Basic Block
Formula
i
Query
p1 p2 p3
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
p1 p2 p3
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
?

?
and so on
Current Abstract State
Next Abstract State
18
Problems with existing tools

• Large number of expensive theorem prover calls
  slow (2n 2n )
• Over-approximation yields additional,unnecessary
  spurious counterexamples
• Theorem prover works on natural numbers, but
  SpecC uses bit-vectors ? false positives
• Most theorem provers support only few
  operators(, -, lt, , ), no bitwise operator

19
Abstraction of a basic block

• Use a SAT solver for computing abstraction of a
  basic block
• Successfully used for abstraction of C programs
  (Clarke et al, 2003)
• Create a SAT instance which relates initial value
  of predicates, basic block, and the values of
  predicates after the execution of basic block

20
Abstraction of a basic block


21
Abstract transitions
Equation passed to the SAT solver
(!p1 !p1 !p1 !p1 !p2 p3) 000 )
001
(!p1 !p2 p3 p1 !p2 !p3) 001 ) 100
.
22
Abstraction of a basic block

• Use SAT solver!
• Generate query equation withpredicates as free
  variables
• Transform equation into CNF usingBit Vector
  LogicOne satisfying assignment matchesone
  abstract transition
• Obtain all satisfying assignments most precise
  abstract transition relation

23
Abstraction of a basic block

• Use SAT solver!
• Generate query equation withpredicates as free
  variables
• Transform equation into CNF usingBit Vector
  LogicOne satisfying assignment matchesone
  abstract transition
• Obtain all satisfying assignments most precise
  abstract transition relation

24
Advantages of using SAT

• Use SAT solver!
• Generate query equation withpredicates as free
  variables
• Transform equation into CNF usingBit Vector
  LogicOne satisfying assignment matchesone
  abstract transition
• Obtain all satisfying assignments most precise
  abstract transition relation

• This solves two problems
• Now can do all SpecC operators, including , /,
  , ltlt, _at_, xy etc.
• Sound with respect to overflow

No moreunnecessary spurious counterexamples!
25
Talk outline

• Introduction and motivation
• SpecC
• Our approach
• Abstraction
• Handling of concurrency constructs
• Model checking and refinement
• Experimental results
• Conclusion

26
Handling concurrency constructs
t1 1 wait start1 .. notify done1
goto 1

• Replace the par statements using wait and notify.

t1 ..
t2 .
main() notify start1, start2 wait done1
done2
main() par t1 t2
27
Wait and Notify

• Introduce a boolean variable for each thread and
  event pair

t1 1 wait e t2 1 notify e
28
Wait and Notify
boolean e1, e2
t1 (e1 1) ) e1 0
t1 1 wait e t2 1 notify e
t2 e1 ,e2 (1,1)
29
Abstraction Refinement Loop
Initial Abstraction
Verification
No erroror bug found
SpecCProgram
ModelChecker
Concurrent BooleanProgram
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
30
Abstraction Refinement Loop
Initial Abstraction
Verification
No erroror bug found
SpecCProgram
ModelChecker
Concurrent BooleanProgram
Property holds
Counterexample
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
31
Simulating the Counterexample

• Check if the abstract counterexample exists in
  the concrete model
• Thread interleavings
• T11 T21 T12 T13
• Simulation corresponds to a series of Bounded
  Model Checking instances

32
Abstraction Refinement Loop
Initial Abstraction
Verification
No erroror bug found
ActualProgram
ModelChecker
Concurrent BooleanProgram
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
33
Talk outline

• Introduction and motivation
• SpecC
• Our approach
• Abstraction
• Handling of concurrency constructs
• Model checking and refinement
• Experimental results
• Conclusion

34
Experimental Results

• Property Relation between data put in pipeline
  and data coming out of pipeline
• Each stage is a thread
• Runtime dominated by NuSMV

35
Experimental Results

• PRED artificial benchmark that requires a known
  number of predicates
• ALUPIPE Arithmetic properties of pipelined ALU

36
Summary of Results

• Concurrent system-level models can be abstracted
  in a thread-modular way
• In contrast to sequential models,the
  verification of the abstract model is the
  bottleneck

37
Future Work

• Use partial order reduction
• Object oriented languages System-C based on C
• Better decision procedures for large programs
• Translation to arithmetic circuits can sometimes
  be expensive

38
Questions?
39
References

• SpecC Language tutorial. Available at
  http//www.ics.uci.edu/specc/
• Predicate Abstraction of ANSI-C Programs using
  SAT. Formal Methods in System Design. Edmund
  Clarke, Daniel Kroening, Natasha Sharygina, Karen
  Yorav.