Abstract Interpretation Techniques for the Verification of Timed Systems


Dissertation submitted in partial fulfillment of the requirements for the Degree of Doctor in Computer Science by Robert Clarisó Viladrosa. PhD Program in Software, Dept. de Llenguatges i Sistemes Informàtics, Universitat Politècnica de Catalunya. Barcelona, June 2005.

Contents

Acknowledgements
Abstract
1 Introduction
  1.1 Motivation
    1.1.1 Formal Verification
    1.1.2 Timed Circuits
    1.1.3 Abstract Interpretation
  1.2 Overview of the Contributions
  1.3 Organization of the Thesis
2 Abstract Interpretation
  2.1 Introduction
  2.2 Overview
    2.2.1 Notation
    2.2.2 Overall Strategy
  2.3 Formal definition
    2.3.1 General Framework
    2.3.2 Galois Connection
    2.3.3 Resolution of Fixpoints
    2.3.4 Extrapolation: Widening and Narrowing
  2.4 Numerical abstract domains
    2.4.1 Description of a Numerical Abstract Domain
    2.4.2 Classification of Numerical Abstract Domains
    2.4.3 Intervals
    2.4.4 Difference Bound Matrices (DBMs)
    2.4.5 Octagons
    2.4.6 Convex Polyhedra
    2.4.7 Two-variables per Inequality
    2.4.8 Presburger Arithmetic
  2.5 Conclusions
3 Verification of Timed Systems
  3.1 Introduction
    3.1.1 Timed and Parametric Timed Systems
    3.1.2 Asynchronous and Timed Circuits
  3.2 Timed systems
    3.2.1 Specification of Timed Systems
    3.2.2 Temporal Logics
    3.2.3 Analysis of Timed Systems
    3.2.4 Parametric Timed Systems
    3.2.5 Analysis of Parametric Timed Systems
  3.3 Timed Circuits
    3.3.1 Introduction
    3.3.2 Metric Timing
    3.3.3 Relative Timing (RT)
    3.3.4 Chain Constraints
    3.3.5 Timed Circuits with Symbolic Delays
  3.4 Conclusions
4 Verification with Symbolic Delays
  4.1 Introduction
  4.2 Formalization of the problem
    4.2.1 Basic Notation
    4.2.2 Interaction with the Environment
    4.2.3 Composing the Implementation and the Specification
    4.2.4 Correctness Criterion
    4.2.5 Delay Model
    4.2.6 Output of the Verification
  4.3 Computation of Timing Constraints
    4.3.1 Overview of the Algorithm
    4.3.2 Computation of the Untimed State Space
    4.3.3 Timing Analysis by Abstract Interpretation
    4.3.4 Propagation of Clock Values
  4.4 Choice of Timing Constraints
  4.5 Experimental Results
    4.5.1 GasP FIFO Controller
    4.5.2 Asynchronous Pipeline
    4.5.3 Other Examples
    4.5.4 Evaluation of the Results
  4.6 Related Work
  4.7 Conclusions
5 The Octahedron Abstract Domain
  5.1 Introduction
  5.2 Formal Description of Octahedra
    5.2.1 Definitions and Properties
    5.2.2 Computing the Canonical Form
    5.2.3 Approximations of the Canonical Form
  5.3 Decision-diagram Based Implementation
    5.3.1 Overview
    5.3.2 Notation
    5.3.3 Related Work
    5.3.4 Abstract Semantics of the Operations
    5.3.5 Implementation in OhDD
  5.4 Bit-vector Based Implementation
    5.4.1 Overview
    5.4.2 Notation
    5.4.3 Abstract Semantics of the Operations
  5.5 Experimental Results
    5.5.1 Asynchronous Pipeline
    5.5.2 Asynchronous Controllers
  5.6 Conclusions
6 Future Work and Applications
  6.1 Introduction
  6.2 Verification of Timed Circuits
  6.3 The Octahedron Abstract Domain
    6.3.1 Future Work
    6.3.2 Potential Areas of Application
  6.4 Case Study: Analysis of Petri Net Models
    6.4.1 Motivation
    6.4.2 Choice of an Abstract Domain
    6.4.3 Experiments
  6.5 Conclusions
7 Conclusions
A OhDD Algorithms

List of Figures

2.1 Approximating the postcondition of the assignment x := y % 7.
2.2 Galois connections.
2.3 Non-exhaustive hierarchy of numerical abstract domains.
2.4 Approximating a set of values with several abstract domains.
2.5 Example of the double description of a convex polyhedron.
2.6 Operations on convex polyhedra.
3.1 Modeling the railroad crossing problem with several temporal formalisms.
3.2 A TA with a behavior that depends on the discrete/dense semantics.
3.3 Representations of timed states.
3.4 Decision diagrams for the analysis of timed systems.
3.5 Decision diagrams for the analysis of parametric timed systems.
3.6 Overview of a synchronous circuit.
3.7 An example of a timed circuit.
3.8 Trivial timed circuit example used to illustrate timing constraints.
4.1 The D flip-flop example.
4.2 Example of a Petri Net.
4.3 Example of a STG using (a) the normal Petri Net notation or (b) the compressed notation for STG.
4.4 Inputs of the verification problem.
4.5 Some classes of errors studied in this chapter: hazards, lack of conformance and short-circuits.
4.6 Effect of delays in a PTTS.
4.7 The nowick asynchronous controller.
4.8 Back edges and reverse DFS postorder.
4.9 Pseudocode of the algorithm that computes the untimed state space.
4.10 Reduction rules for PTTS.
4.11 Abstract interpretation algorithm.
4.12 Clock transfer function.
4.13 Example of the transfer function for an event e, with the postcondition Q obtained from a precondition P.
4.14 The GasP FIFO controller.
4.15 Asynchronous pipeline example.
5.1 Examples of (a) octahedra and (b) non-octahedra over two variables.
5.2 An example where A ∩ B is not in canonical form.
5.3 Two upper approximations of the union: convex hull (C-hull) and octahedral hull (O-hull).
5.4 Unit inequalities and the system of generators.
5.5 Pseudocode to compute the canonical form of an octahedron.
5.6 (a) Empty octahedron where the saturation algorithm does not terminate and (b) Non-empty octahedron where the saturated form is different from the canonical form.
5.7 An example of OhDD.
5.8 Reduction rules for OhDD.
5.9 Comparison of reduction rules of OhDD.
5.10 Comparing DDC, HRD and OhDD.
5.11 A graphical example of the semantics of a strongest common constraint.
5.12 The desynch controller example.
5.13 Reachable state space of the GasP FIFO controller considering the timing constraints computed with (a) octahedra and (b) convex polyhedra.
6.1 Petri Net model of an automated manufacturing system.
A.1 Pseudocode for the methods that implement the reduction of zero coefficients with non-negative variables.
A.2 Pseudocode for the saturation procedure in the OhDD implementation.
A.3 Pseudocode of one iteration of the saturation procedure in the OhDD implementation.
A.4 Pseudocode of the intersection procedure in the OhDD implementation.

List of Tables

2.1 Criteria.


Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 166
