A Computational Model For SAT-based Verification of Hardware-Dependent Low-Level Embedded System Software

Download as pdf or txt
Download as pdf or txt
You are on page 1of 25

A Computational Model for

SAT-based Verification
of
Hardware-Dependent Low-Level
Embedded System Software
Bernard Schmidt, Carlos Villarraga, Jrg Bormann,

Dominik Stoffel, Markus Wedler, Wolfgang Kunz

Yokohama, 1/25/2013

Content

Motivation
Related Works
Model Generation
Basis: Abstract HW/SW Model
Flow
Advantages of Model
Experiment
Conclusion / Future Work

Motivation

Embedded System

Goal

Close interaction
between HW and SW
Examples: drivers,
communication
structures

Formal verification (FV) of combined HW/SW behavior

Objective of this work

Computational model and algorithms for


FV of hardware-dependent, low-level software

Related Works

[2] R. Jhala and R. Majumdar, Software model checking, ACM Comput. Surv., vol. 41, pp. 21:121:54, October 2009.
[3] T. Ball, A. Podelski, and S. K. Rajamani, Boolean and Cartesian Abstraction for Model Checking C Programs, in Proceedings of the
7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, ser. TACAS 2001. London, UK:
Springer-Verlag, 2001, pp. 268283.
[4] D. Beyer, T. A. Henzinger, R. Jhala, and R. Majumdar, The software model checker Blast: Applications to Software Engineering, Int.
J. Softw. Tools Technol. Transf., vol. 9, pp. 505525, October 2007.
[5] P. Godefroid, Model
Checking for Programming Languages using VeriSoft, in Proceedings of the 24th ACM SIGPLAN-SIGACT
Sympo-sium on Principles of Programming Languages, ser. POPL 97. New York, NY, USA: ACM, 1997, pp. 174186.
[6] K. Havelund and Thomas Pressburger, Model Checking Java Programs Using Java PathFinder, International Journal on Software
Tools for Technology Transfer STTT, vol. 2, no. 4, pp. 366381, 2000.
[7] G. J. Holzmann, The model checker spin, IEEE Transactions On Software Engineering, 1997.
[8] D. Babic and A. J. Hu, Calysto: scalable and precise extended static checking, in Proceedings of the 30th International Conference on
Software Engineering,
ser. ICSE 08. New York, NY, USA: ACM, 2008, pp. 211220.
[9] F.Ivancic, Z. Yang, M. Ganai, A. Gupta, and P. Ashar, Efficient SATbased bounded model checking for software verification, in Proc.
In- ternational Symposium on Leveraging Applications of Formal Methods, 2004.
[10] E. Clarke, D. Kroening, and K. Yorav, Behavioral consistency of C and Verilog programs using Bounded Model Checking, in
Proceedings of the 40th annual Design Automation Conference, ser. DAC 03. New York, NY, USA: ACM, 2003, pp. 368371.
[11] D. W. Currie, A. J. Hu, and S. Rajan, Automatic formal verification of DSP software, in Proceedings of the 37th Annual Design
Automation Conference, ser. DAC 00. New York, NY, USA: ACM, 2000, pp. 130135.
[12] B. Schlich, Model checking of software for microcontrollers, ACM Trans. Embed. Comput. Syst., vol. 9, no. 4, pp. 36:136:27, Apr.
2010.
[13] C. S. Psreanu and W. Visser, A survey of new trends in symbolic execution for software testing and analysis, Int. J. Softw. Tools
Technol. Transf., vol. 11, no. 4, pp. 339353, Oct. 2009.
[14] T. Arons, E. Elster, S. Ozer, J. Shalev, and E. Singerman, Efficient symbolic simulation of low level software, in Design, Automation
and Test in Europe, 2008. DATE 08, march 2008, pp. 825 830.
[15] M. D. Nguyen, M. Wedler, D. Stoffel, and W. Kunz, Formal Hardware/Software Co-Verification by Interval Property Checking with
Abstraction, in Proceedings of the 48th Design Automation Conference, ser. DAC 11. New York, NY, USA: ACM, 2011, pp. 510515.
[16] D. Groe, U. Khne, and R. Drechsler, HW/SW co-verification of embedded systems using bounded model checking, in GLSVLSI
06: Proceedings of the 16th ACM Great Lakes symposium on VLSI, 2006, pp. 4348.
[17] A. Biere, A. Cimatti, E. M. Clarke, M. Fujita, and Y. Zhu, Symbolic model checking using SAT procedures instead of BDDs, in Proc.
International Design Automation Conference (DAC), June 1999, pp. 317320

Large research body


on SW verification

Our focus:
New computational model for
hardware-dependent SW

State of the Art: Bounded Model Checking (BMC)


E.g.,
M. D. Nguyen, M. Wedler, D. Stoffel, and W. Kunz, Formal Hardware/Software CoVerification by Interval Property Checking with Abstraction DAC 2011.
D. Groe, U. Khne, and R. Drechsler, HW/SW co-verification of embedded systems
using bounded model checking in GLSVLSI 2006.

Basic approach:
Unroll CPU + software in memory

program flow (instruction sequencing) as given by the


program is represented only implicitly (by PC + memory)

program computation also is represented only implicitly


(by hardware implementation of CPU)

High computational complexity for realistic designs


5

State of the Art: Symbolic Execution


E.g.,
C. S. Psreanu and W. Visser, A survey of new trends in symbolic execution for
software testing and analysis Int. J. Softw. Tools Technol. Transf., 2009.
T. Arons, E. Elster, S. Ozer, J. Shalev, and E. Singerman, Efficient symbolic simulation
of low level software DATE 2008

Basic approach

Enumerate program execution paths and check conditions for


verification along these paths by specialized verification algorithms

Symbolic formulas explicitly represent all possible input scenarios


(along path)

program flow is enumerated explicitly (by path enumeration)

program computation is represented explicitly (through symbolic


formulas)

high complexity of symbolic formulas


6

State of the Art: CBMC and related work


E.g.,
E. Clarke, D. Kroening, and K. Yorav, Behavioral consistency of C and Verilog programs
using Bounded Model Checking DAC 2003

Basic approach

Build a SAT formula for the program computation based on


CFG unrolling

SAT formula contains information about control flow only


implicitly in terms of functional dependencies between
variables of the formula

HW-independent paradigm (high-level programming language)

State of the Art: CBMC and related work


E.g.,
E. Clarke, D. Kroening, and K. Yorav, Behavioral consistency of C and Verilog programs
using Bounded Model Checking DAC 2003

Extension of CBMC for HW-dependent software is difficult!


The computational model (SAT formula):

lacks information about temporal relationships between


statements/instructions as is needed when relating program
behavior to HW periphery

cannot be integrated with environment hardware model

is not compositional
8

Our Approach
New hardware-dependent computational model

Program computation should be represented implicitly


compact model

Program flow should be represented explicitly


facilitates SAT reasoning (since global information about
global execution paths is explicitly available)

Representation of the temporal dependencies between


instructions and I/O
enables HW-dependent verification
enables compositionality of model
9

Basis: Abstract HW/SW Model

Input Ports
Program

Instruction
Logic

State
(AS, memory
variables)

w
Program Control

Program
Counter

jump

Data Path

destination

Output Ports

Program

10

Basis: Abstract HW/SW Model


Instruction Logic:
Input Ports

ADD
Program

PS

Output
Ports
Output
Ports

MUL

PS

MOV

...

(PC) a

ROT

Data Path

w
LOAD
Program Control

(icode) w

jump

Input Ports

State
(AS, memory
variables)

Instruction
Logic

destination

BEQ
Program
Counter

w
Program

J
11

Instruction Cell
program state

Abstract model for a CPU


instruction

Hardware-dependent

Describes the modification of the


program state

Can be formally verified against


RTL implementation of CPU

new
program state

12

Program State
program state

Registers

Control signals in the CPU

Program data in RAM

Active signal (program flow


variable)

new
program state

13

Active Signal

Additional 1-bit signal in program state

Signal is asserted if corresponding program state


belongs to active execution path

Additional logic in instruction cells to handle active


signal:

Datapath and load/store instructions:


propagate active flag from input state to output state
(no extra logic required)
Branch instructions: propagate active flag depending on
branch condition from input state to branch target output
state. All other output states are set inactive.
14

Transform CFG to Execution Graph (EXG)


CFG

1st step

2nd step

Final EXG

always
inactive?

Execution graph:

Models all possible execution paths


Optimized by pruning and merging
Not unique

always
inactive?

always
inactive!
15

Verifying if a branch is active

Branch instruction

Propagates active signal to exactly


one of the branches

program state

Generated property:

Claim: active signal is never


asserted
Property holds: branch never taken
Property does not hold: branch is
taken in some executions

taken

not
taken

16

Program Netlist (PN)

PN generation

Replace every EXG node by an


instruction cell
HW-dependent description of
program computation
Insert merge cells

Merge cell

Merges two paths into one


Path is selected by incoming
active signal
17

Advantages of PN Model
Replacing EXG nodes by instruction cells

PN is a combinational circuit

CFG-based unrolling

Supports SAT-based FV

Explicitly represented program flow

Concatenation of instruction cells

Implicitly represented program computation


18

Advantages of PN Model (2)


Explicit program flow:
program paths are considered separately

Simplification of program computation

CPU logic is simplified to single instruction cell


Machine instruction parameters are constant:
individual instruction cell is further simplified by
Boolean constraint propagation
Simplification takes place during PN generation
(not during property verification)
19

Advantages of PN Model (3)

Active flags:

Small set of signals captures global reachability


information of entire program
Valuation on active signals selects possible execution
paths or sets of execution paths
Helps SAT solver to take into account reachability without
detailed reasoning on all intermediate instructions

Example:
a

Property:
A: = true
C: if b.active
then b=a

20

Experiment Software LIN Master (1)

Industrial automotive design

1309 lines of C code

Send/receive message frames via UART

Interrupt-driven

Compiled for SuperH2 based 32-bit CPU, RISC


architecture, 5-stage pipeline

21

Experiment Software LIN Master (2)

Model generation:

Interrupt Service Routine (ISR), main program


(scheduler) and initialization generated automatically
Composed model: assembled manually

Program
component
LIN-Init
LIN-Scheduler
LIN-ISR

#instructions
CFG
PN
225
385
85
790

84
1138

CPU mem.
(s) (MB)
1.32
36
0.13
11.00

27
102

22

Experiment Software LIN Master (3)


Property verification:

Composed model: 24001 instructions, 62592 primary inputs


Verify correct generation of LIN frame
(header, data, checksum and control signal for UART)
Commercial HW property checker (OneSpin 360MV)
Property
RX frame 4or8 data bytes incl. checksum
RX frame 4or8 data bytes wrong checksum
TX frame 4or8 data bytes incl. Checksum
Wrong PID or not matching ID (8bytes)

CPU(s)

MEM(MB)

17
28
15
14

1641
1545
1584
1566

Conclusion

Program netlist (PN)

New hardware-dependent model for low-level software


verification combining the advantages of HW-style
bounded model checking and SW-style symbolic
execution
Automatic PN generation successful for industrial
automotive software

Future Work

Equivalence checking
Integrate PN with hardware for FV of firmware

24

Thank you!

Questions?

[email protected]

You might also like