



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Theory in Practice for System Design and Verification. Rajeev Alur. Thomas A. Henzinger. Moshe Y. Vardi. Univ. of Pennsylvania. IST Austria. Rice University.
Typology: Slides
1 / 6
This page cannot be seen from the preview
Don't miss anything!




Rajeev Alur Thomas A. Henzinger Moshe Y. Vardi Univ. of Pennsylvania IST Austria Rice University
1. INTRODUCTION
Methodology and tools for assisting developers in building high-confidence hardware and software at a reasonable cost has been one of the central themes in computer sci- ence since its inception. The formal methods research on this problem has focused on two complimentary goals: to provide mathematical abstractions to manage the com- plexity of the design and to develop analysis tools to check that the implementation works correctly as intended. Achieving these goals has proved to be extremely chal- lenging for two reasons. First, the scale and complexity of systems being designed remains a moving target as computers have transformed from special-purpose and stand-alone number-crunching processors to networked devices interacting with the physical world. Second, once formalized, the computational problem of verifying that a system meets its specification is undecidable in the general case and has intractable complexity even in special cases.
Advances in theoretical foundations for system design have contributed in address- ing these challenges partially by identifying logics and automata for specification and modeling, and by developing efficient data structures and algorithms for analysis. In Section 2, we discuss real-world impact of these advances in design automation for hardware, software, and embedded control systems. Critical to each success story was an initial demonstration of a compelling match between the capability of a research prototype and an industrial need, followed by sustained research on improving the scalability of the tools. It is worth noting that research on this topic has been recog- nized by multiple notable awards in the last twenty years. These include: A.M. Tur- ing Award to Pnueli for temporal logic in 1996 and to Clarke, Emerson, and Sifakis for model checking in 2007, Paris Kanellakis Theory and Practice Award to Bryant, Clarke, Emerson, and McMillan for symbolic model checking in 1998, to Holzmannn, Kurshan, Vardi, and Wolper for automata-theoretic model checking in 2005, and to Brayton for logic synthesis in 2006, and ACM Software System Award to the model checker SPIN in 2001, to the Boyer-Moore theorem prover in 2005, and to Statemate in 2007.
2. SUCCESS STORIES
In this section, we describe a few illustrative examples of how ideas originating in academic research and rooted in theoretical foundations have matured into tools and methodologies used in industry and other communities.
2.1. Constraint Solvers
The propositional satisfiability problem (SAT) is known to be NP-complete and un- derstanding its structure has been a central theme in complexity theory for the past forty years. A parallel thread of research in the verification community has been the development of efficient solvers for SAT. Modern SAT solvers are capable of solving instances with many thousands of variables due to sustained innovations in core algo- rithms, data structures, decision heuristics, and performance tuning by exploiting the architecture of contemporary processors [12].
A more challenging form of constraint satisfaction problem is to determine the truth of a logical formula built from propositional as well as other types of variables. For exam- ple, in linear real arithmetic, the input formula consists of propositional and real vari- ables, logical connectives, and linear arithmetic operations. Theoretical understanding of general ways of combining distinct decision procedures (in case of linear real arith- metic, integrating the solver for propositional satisfiability with the solver for checking consistency of conjunctions of linear inequalities) has paved the way for the so-called SMT (Satisfiability Modulo Theories) solvers that can now solve constraint satisfaction problems over a rich set of types.
Contemporary analysis and verification tools vary widely in terms of source languages, verification methodology, and the degree of automation, but they all rely on repeatedly invoking a SAT or an SMT solver for core computational tasks such as checking valid- ity of a verification condition and automatically generating a candidate invariant (see [3] for an introduction to decision procedures and program verification). Due to their impressive scalability and maturity, SAT and SMT solvers are also used in many other contexts such as planning and optimization (see [7] and smt-lib.org).
2.2. Hardware Design Automation
The key to managing the complexity of modern VLSI circuits has been the introduction of industry-standard abstractions such as RTL (Register Transfer Level) and Hard- ware Description Languages (such as Verilog and VHDL). The challenge in electronic design automation then is to automatically map descriptions in such high-level ab- stractions to a low-level circuit for fabrication while ensuring semantic correctness and satisfying performance objectives related to area, power, and timing.
The significant advances in electronic design automation have originated in academic tools. Prominent examples include: (1) SPICE for accurate and fast simulation of large- scale circuits, (2) SIS for translating state machines to optimized netlists, and (3) Espresso for minimizing the number of gates in a circuit. These tools rely on a vari- ety of algorithmic techniques such as algebraic rewriting, heuristics for multiobjective optimization, efficient techniques for simulation of differential equations, and equiva- lence checking for finite-state machines.
The work on circuit simulation and logic synthesis in 1980s resulted in founding of Cadence and Synopsis, which are still the two leading companies in EDA (Electronic Design Automation). More significantly, EDA tools are used universally within the semiconductor industry, and the contemporary computing infrastructure would not exist without these advances in hardware design automation (see [13] for a survey of the synergy between the academic research and EDA industry).
tools [9]; and the F-SOFT model checker is used in NEC on a regular basis to find bugs in millions of lines of C/C++ code [10].
The objective of software testing is to select a representative set of inputs for executing the code, and of dynamic analysis is to infer as much information as possible about the program behavior based on observed executions. For these classical software engi- neering problems, new algorithmic techniques have been recently developed based on the use of constraint solvers and symbolic execution. Recently, the testing tool SAGE based on symbolic execution was credited to have found roughly one third of all the security vulnerabilities during the development of Microsoft’s Windows 7 software [8]. A promising new direction for software analysis combines constraint-based static ap- proach with the execution-based dynamic approach.
2.5. Formal Models for Cyber-Physical Systems
Cyber-physical systems are networked computing devices interacting with the phys- ical world. Model-based design is emerging as a promising approach for developing this new class of complex systems in a principled manner, and the foundations of this methodology lie in cross-fertilization of ideas from mathematical modeling and algo- rithmic analysis.
Examples of modeling frameworks include Statecharts for visual and structured mod- eling of reactive systems, Esterel for simplifying design abstractions based on syn- chrony hypothesis, timed automata for integrating timing constraints in state ma- chines, hybrid automata for integrating discrete behavior with continuous-time mod- els of dynamical systems, and Ptolemy for unifying heterogenous models of interaction. Examples of analysis techniques include algorithms for estimation of worst-case exe- cution time and scheduling of computational resources, synthesis of code from models subject to resource constraints, transformation and composition of models, verification algorithms based on computing finite-state abstractions of timed and hybrid systems, symbolic analysis of dynamical systems, and metric-based notions of abstraction and refinement for hybrid systems. See [11] for an introduction to model-based design and analysis of cyber-physical systems.
Model-based design and analysis is slowly being adapted by industry for design of embedded control software in domains such as avionics, automotive, and medi- cal devices. Mathworks, the leading tool vendor in this sector (see mathworks.com), now supports modeling using notations such as Statecharts and hybrid au- tomata, schedulability analysis, and test-case generation using symbolic techniques (Simulink Design Verifier). Companies such as TTTech (tttech.com), Reactive Systems (reactive-systems.com), and Uppaal (uppaal.com) originated from academic research, and market tools for formal modeling and analysis. It is also worth noting the adop- tion of concepts and tools from formal methods in disciplines such as control theory and systems engineering, both in research and undergraduate education.
3. FUTURE DIRECTIONS
Realizing the full potential of emerging computing platforms requires that advances in processing and communication technology are matched by advances in tools for design- ing complex software systems and ensuring their safe and reliable operation. Thus, the research goal of formal approaches to system design and analysis is as relevant and as challenging today as it was fifty years ago, and the success stories discussed in the previous section suggest that theory can be effective in this pursuit. Another lesson is that the path to a successful technology transfer in this domain has been typically long: small steps in advancing the scalability of tools collectively contribute towards impressive results over decades. This calls for continued research in core ar-
eas of formal methods such as identification of analyzable design abstractions, analysis algorithms, and scalability of tools. We conclude this report by listing some new avenues for research.
— Synthesis: With maturing of verification technology that can check the confor- mance of an implementation to its specification, it is natural to focus on synthesis— automatic derivation of implementation from specifications, both to improve pro- grammer productivity and to integrate verification with design so that bugs are found in early stages. There is a growing research on this topic, for instance, on synthesizing finite-state controllers from temporal logic specifications, on automatic completion of partial programs based on user-supplied assertions, and synthesis of programs from examples by exploiting the domain-specific knowledge. New theoretical approaches that combine logical deduction with machine learning can offer scalable computa- tional solutions for synthesis. — Concurrency: While the methodology for design and verification of sequential pro- grams is well understood, despite many proposals for programming languages and verification techniques for concurrent programs, developing concurrent systems re- mains a difficult and error-prone task. Emerging multiprocessor and multicore ar- chitectures offer enormous computational power, but exploiting this parallelism effi- ciently and correctly is challenging due to complex memory models for shared data. The emergence of data-centers and cloud computing again offers exciting opportuni- ties for concurrent computation, but need new programming abstractions to ensure data consistency and fault tolerance. Research in formal methods can potentially have significant impact on programming abstractions and languages for concurrent systems. — Probabilistic and Quantitative Models: Traditionally, models and techniques used for establishing correctness and for evaluating performance have been disjoint. A promising new direction in formal methods research these days is the development of probabilistic models, with associated tools for quantitative evaluation of system performance along with correctness. Concurrent software, distributed protocols, and resource allocation for cloud computing, are potential application domains for such work. — Beyond Worst-Case Complexity: Classical computation theory focuses on estab- lishing the worst-case complexity of problems. For verification problems, such es- timates always indicate intractability, and yet, some of the modern SAT and SMT solvers work well on many instances in this context. Theoretical tools for estimating complexity on real-world instances of problems thus can provide useful insights into the structure of these problems.
REFERENCES T. Ball, V. Levin, and S. K. Rajamani. A decade of software model checking with SLAM. Commun. ACM, 54(7):68–76, 2011. A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C.-H. Gros, A. Kamsky, S. McPeak, and D. R. Engler. A few billion lines of code later: using static analysis to find bugs in the real world. Commun. ACM, 53(2):66–75, 2010. A. R. Bradley and Z. Manna. The calculus of computation - decision procedures with applications to verifica- tion. Springer, 2007. E. M. Clarke, E. A. Emerson, and J. Sifakis. Model checking: algorithmic verification and debugging. Com- mun. ACM, 52(11):74–84, 2009. E. M. Clarke, O. Grumberg, and D. A. Peled. Model checking. MIT Press, 2000. P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Min´e, and X. Rival. Why does Astr´ee scale up? Formal Methods in System Design, 35(3):229–264, 2009.