| |
Relative Timing Based Verification of
Concurrent Systems
This work presents a new
theory and methodology for the formal verification of safety properties
in timed systems. The correct operation of such systems not only depends
on a set of functional properties but also on certain assumptions about
the delays of the components of the system and the response times of the
environment in which the system operates. The verification of this type
of systems tipically involves several
computationally hard problems. In particular, the combinatorial state
explosion problem becomes exacerbated by the time dimension.
The theory that supports the proposed verification approach extends the
conventional BDD-based symbolic model checking methods to the
verification of timed systems, modeled by means of timed transition
systems.
The theory is based on the relative timing paradigm, which instead of
considering exact time differences in the occurrence of events,
considers the effect of delays in terms of relative orderings between
events. For example, in order to guarantee that a race is not propagated
in a circuit, it is often sufficient to check that certain signal
switches before another, instead of identifying the exact instants of
time in which both signals switch. Moreover, the timing information is
not computed for the overall system, but only locally for the part of
the system involved in the proof or disproof of a given property. This
is possible thanks to a crucial observation, that the set of executions
of a transition system can be covered by a set of partial orders. As a
consecuence, only a subset of the events of the system is involved in
the proof of a property and the timing analysis can be carried out very
efficiently.
Conventional methods for the verification of timed systems rely on the
computation of the exact timed state space of the system as the first
step of the analysis. Although efficient techniques have been devised to
overcome the complexity issue (e.g. difference bound matrices), symbolic
methods cannot be easily applied.
Thus, the combinatorial time-state explosion problem often limits the
applicability of such methods to moderate-size systems.
Instead, the approach proposed in the thesis relies on an incremental
refinement of the untimed state space of the system, so that timing
information is incorporated as soon as it is needed. The timing
information is derived by an efficient off-line timing analysis over
small sets of events. The refined state space is captured under the
model of lazy transition system, which allows an efficient
representation of the timed domain using conventional symbolic methods.
As a consequence, the approach can be potentially applied to bigger
systems or to systems with more level of detail, than those that can be
handled by similar methods for the verification of timed systems.
A key feature of the proposed verification approach is that not only
proves or disproves the correctness of a timed system. If the system is
correct the set of relative timing relations used for the proof are
provided. Such relations constitute a set of sufficient timing
constraints that guarantee the correctness of the system. On the other
hand, if the system is incorrect, a counterexample failure trace is
provided. The most important aspect of all this feedback is that it can
be used as valuable back-annotation information along the design process.
This feature constitutes another differential aspect of our verification
approach when compared to other equivalent verification methods.
The verification approach has been fully implemented in a experimental
CAV tool called transyt.
The tool can handle hierarchical and distributed modular systems which
can inter-operate by a variety of communication mechanisms.
transyt
has successfully proved its functionality as well as the validity of the
overall verification approach, by verifying a number of timed
asynchronous circuits with up to more than 106 untimed states.
The experiments cover, for example, the verification of: complex-gate
decompositions in quasi-speed-independent circuits, delay-reset domino
circuits, pulse-based systems, circuits optimized for speed using timing
assumptions, etc. Additionally, compositional verification methods have
been combined with the basic verification approach in order to tackle
the size/complexity issues involved in the verification of complex timed
systems. Thus, abstractions, assume-guarantee reasoning and mathematical
induction have been used to prove the correctness the IPCMOS
architecture. It is a scalable pipelined architecture which is aimed to
the interconnection of different clock zones in a system.
Thanks to the rather theoretical nature of the proposed verification
approach, we plan to use it for a wider range of systems, such as:
custom transistor-level circuits that exploit the technology limits for
performance,
complex digital structures where synchronization is a crucial issue (e.g.
dynamic MOS), asynchronous and GALS-type systems, real-time systems, etc.
|
|
