Formal Methods Group ETH Zürich
June 2003. Armin Biere, Cyrille Artho, Malek Haroud, Viktor Schuppan. Computer Systems Institute, ETH Zürich, Switzerland
FMICS’03, Røros, Norway
Vision
Formal method tools are used like compilers:
FMICS'03 – Røros – Norway – June 2003. Formal Methods Group – Computer Systems Institute – ETH Zürich
➤ BDD based mu-calculus model checker mu-cke
– Efficient implementation.
– Input language with C++ syntax for specifying model and properties.
➤ Performance study of BDD based model checking
➤ Bounded Model Checking
– Leverages the power of SAT solvers for model checking purposes.
– Wide industrial acceptance.
➤ SAT (propositional satisfiability) solvers
– Continuing increase in reasoning power.
– Instances with millions of variables can often be handled.
– Dedicated heuristics for bounded model checking are possible.
➤ Solvers for QBF (quantified Boolean formulas), e.g., ∀x ∃y [(x ∨ y) ∧ (¬x ∨ ¬y)]
– Start to become practical ...
– ... although more practical research is necessary (efficient implementations).
– Could potentially make bounded model checking complete.
➤ Applications of QBF and SAT in other domains (e.g., SW checking).
[Figure: states 1, 2, 3 with saved copies 1', 2', 3' (⊥ = no copy saved yet), illustrating the reduction of the liveness check to an equivalent safety property.]
[Figure: two example structures whose ¬p states lead to a p state, with predicated diameter d = 3 and d = 2.]
➤ The search for a counterexample traverses only paths where ¬p holds.
➤ Notion of predicated radius and diameter.
➤ Leads to a tight bound for bounded model checking of F p.
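As an added illustration (not code from the slides or from the group's tools), the following Python computes the radius and recurrence diameter of a small constructed Kripke structure restricted to the ¬p states, and runs the bounded counterexample search for F p against it. The structure, the state names and the reading of "predicated" as "restricted to the ¬p subgraph" are assumptions of this example; the bound shown (the longest loop-free ¬p path from an initial state) is a sufficient bound for the lasso search, not necessarily the exact bound of the slides.

```python
from collections import deque

# Constructed Kripke structure (an assumption of this example, not from the slides).
# States 0..6; the atomic proposition p holds only in state 6, which is a sink.
# F p fails: from 0 one can run 3 -> 4 -> 5 -> 3 forever without ever reaching 6.
INIT = {0}
TRANS = {
    0: {1, 3, 6},
    1: {2},
    2: {3},
    3: {4},
    4: {5},
    5: {3, 6},
    6: {6},
}
P = {6}


def predicated_radius(init, trans, p):
    """Largest BFS distance to any state reachable from init along paths that stay in ~p.
    A shortest counterexample to F p can use a shortest ~p path as its stem, so this
    bounds the stem length."""
    dist = {s: 0 for s in init if s not in p}
    queue = deque(dist)
    while queue:
        s = queue.popleft()
        for t in sorted(trans[s]):
            if t not in p and t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return max(dist.values(), default=-1)


def recurrence_diameter(init, trans, allowed):
    """Longest loop-free path (counted in transitions) from init visiting only `allowed`
    states. With allowed = all states this is the usual recurrence diameter; with
    allowed = ~p it is the predicated one, which is all the F p counterexample search needs:
    a minimal lasso has no repeated state before its back edge and lies entirely in ~p."""
    best = -1

    def dfs(path):
        nonlocal best
        best = max(best, len(path) - 1)
        for t in sorted(trans[path[-1]]):
            if t in allowed and t not in path:
                dfs(path + [t])

    for s in sorted(init):
        if s in allowed:
            dfs([s])
    return best


def bmc_Fp(init, trans, p, k):
    """Bounded model checking of F p with bound k: search for a lasso s0..si (i <= k),
    every state violating p, closed by an edge si -> sj with j <= i.
    Returns (path, j) for a counterexample, or None if none exists within the bound."""
    def dfs(path):
        s = path[-1]
        for j, t in enumerate(path):
            if t in trans[s]:
                return path, j              # back edge found: p is avoided forever
        if len(path) - 1 == k:
            return None                     # bound reached on this prefix
        for t in sorted(trans[s]):
            if t not in p:                  # never leave the ~p region
                found = dfs(path + [t])
                if found:
                    return found
        return None

    for s in sorted(init):
        if s not in p:
            found = dfs([s])
            if found:
                return found
    return None


if __name__ == "__main__":
    not_p = set(TRANS) - P
    print("predicated radius:", predicated_radius(INIT, TRANS, P))
    print("recurrence diameter:", recurrence_diameter(INIT, TRANS, set(TRANS)))
    bound = recurrence_diameter(INIT, TRANS, not_p)
    print("predicated recurrence diameter:", bound)
    for k in range(bound + 1):
        print(f"k={k}:", bmc_Fp(INIT, TRANS, P, k))
```

On this structure the predicated recurrence diameter is 5 against 6 for the whole structure, and the lasso 0 → 3 → 4 → 5 → 3 is already found at k = 3; any bound at or above the predicated diameter is guaranteed to find a counterexample when one exists.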
➤ Java VM written in C.
➤ API for run-time analysis.
➤ Small state representation.
➤ Rollback (undo) operations.
➤ "Exhaustive" scheduling possible (Rivet).
➤ Instrumentation: reproducing counterexamples.
[Figure: Thread 1 accesses X, Y, Z; Thread 2 accesses X, Y.]
➤ Both accesses are protected by a common lock, so a lockset-based race detector (Eraser) reports no data race.
➤ Different atomicity assumptions by the two threads.
➤ New source of potential errors, found by view consistency.
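As an added example (not JNuke's code), the Python below runs an Eraser-style lockset check and a view consistency check over the same constructed trace. The trace, the thread names and the field names are assumptions: Thread 1 reads X, Y and Z inside one synchronized block, Thread 2 updates X and Y in two separate blocks on the same lock. The lockset check finds nothing, while the views of Thread 2 restricted to Thread 1's maximal view {X, Y, Z} do not form a chain, which is the high-level race the slide refers to.

```python
from itertools import combinations

# Constructed trace (an assumption of this example, not from the slides): one entry per
# synchronized block, giving the thread, the set of locks held, and the fields accessed.
TRACE = [
    ("Thread 1", {"L"}, ["X", "Y", "Z"]),   # reads X, Y, Z together under L
    ("Thread 2", {"L"}, ["X"]),             # updates X under L ...
    ("Thread 2", {"L"}, ["Y"]),             # ... and Y in a separate block under L
]


def eraser_races(trace):
    """Eraser-style lockset check: a field races if no single lock is held at all of its
    accesses. The candidate set starts as the locks of the first access and is intersected."""
    candidate = {}
    for _, locks, fields in trace:
        for f in fields:
            candidate[f] = candidate[f] & locks if f in candidate else set(locks)
    return sorted(f for f, locks in candidate.items() if not locks)


def views_by_thread(trace):
    """A view is the set of fields a thread accesses inside one synchronized block."""
    views = {}
    for thread, _, fields in trace:
        views.setdefault(thread, []).append(frozenset(fields))
    return views


def maximal_views(views):
    """Views of a thread not strictly contained in another view of the same thread."""
    return [v for v in views if not any(v < w for w in views)]


def compatible(views, m):
    """The views of one thread are compatible with a maximal view m of another thread
    iff their restrictions to m are totally ordered by inclusion (form a chain)."""
    restricted = [v & m for v in views]
    return all(a <= b or b <= a for a, b in combinations(restricted, 2))


def view_inconsistencies(views):
    """Every (thread owning the maximal view, maximal view, other thread) triple where the
    other thread's views are not compatible with the maximal view: its atomicity assumption
    differs from the owner's, even though every access is lock-protected."""
    problems = []
    for t1, v1 in views.items():
        for m in maximal_views(v1):
            for t2, v2 in views.items():
                if t2 != t1 and not compatible(v2, m):
                    problems.append((t1, m, t2))
    return problems


if __name__ == "__main__":
    print("Eraser races:", eraser_races(TRACE))
    print("view inconsistencies:", view_inconsistencies(views_by_thread(TRACE)))
```

If Thread 2 instead updated X and Y in one block and X alone in another, its restricted views {X, Y} and {X} would form a chain and no inconsistency would be reported; the check is about which fields are assumed to be atomic together, not about locking discipline.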
[Figure: JNuke architecture. The JNuke VM hosts static and dynamic checkers; the replay engine jreplay takes a .class file and a recorded schedule and produces a modified .class, which any compliant VM or debugger executes deterministically. Example schedule for threads T0, T1, T2 over time t, with entries as extracted: "before Class 1 0 1 switch 1", "before Class 2 1 1 switch 2", "before Class 1 2 1 switch 1", "terminate in Class 2 1 10".]
➤ Enables replay of thread schedules independently of a specific VM. → Off-the-shelf debuggers can be used.
➤ Schedule format not tailored to the JNuke VM. → Usable by other tools.
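As an added example (not jreplay's code or its schedule format), the Python below shows the idea of replaying a recorded schedule from inside the program rather than inside the VM: each switch point is instrumented with a call into a replayer, and a step may only run when its thread is next in the schedule. The program under test, the thread names and the simplified schedule format (a list of thread names, one per instrumented step) are assumptions of this example.

```python
import threading
from contextlib import contextmanager


class ScheduleReplayer:
    """Replays a recorded schedule: a list of thread names, one entry per instrumented
    step. A step runs only when its thread is next in the list, so the interleaving is
    fixed by the schedule, not by the host scheduler. After the list is exhausted the
    threads run freely."""

    def __init__(self, schedule, timeout=5.0):
        self.schedule = list(schedule)
        self.pos = 0
        self.timeout = timeout          # guards against a schedule naming a thread that never arrives
        self.cv = threading.Condition()

    @contextmanager
    def step(self, name):
        with self.cv:
            while self.pos < len(self.schedule) and self.schedule[self.pos] != name:
                if not self.cv.wait(self.timeout):
                    raise RuntimeError(f"{name}: schedule expects {self.schedule[self.pos]} first")
        try:
            yield                       # the instrumented step runs with no other step active
        finally:
            with self.cv:
                if self.pos < len(self.schedule):
                    self.pos += 1
                self.cv.notify_all()


def run_with_schedule(schedule):
    """Two workers race on a counter with a read step and a write step each (a classic
    lost update); the schedule decides whether the update is lost."""
    replayer = ScheduleReplayer(schedule)
    shared = {"counter": 0}

    def worker(name):
        with replayer.step(name):                   # instrumented switch point before the read
            tmp = shared["counter"]
        with replayer.step(name):                   # instrumented switch point before the write
            shared["counter"] = tmp + 1

    workers = [threading.Thread(target=worker, args=(n,)) for n in ("T1", "T2")]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return shared["counter"]


if __name__ == "__main__":
    print("T1 T1 T2 T2 ->", run_with_schedule(["T1", "T1", "T2", "T2"]))   # 2
    print("T1 T2 T1 T2 ->", run_with_schedule(["T1", "T2", "T1", "T2"]))   # 1, update lost
```

The schedule must account for every instrumented step of every thread; a schedule that names a thread which never reaches its next switch point would block the replay, which is why the replayer times out and raises instead of hanging.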
[Figure: an SDL model is synthesized into a C program, to be compared with a manually generated, optimized C program.]
SDL as modelling language in telecommunication applications; same motivation as in HW equivalence checking (or more generally for embedded SW).