<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Formal verification stalling, take two</title>
	<atom:link href="http://www.ocoudert.com/blog/2010/02/21/formal-verification-stalling-take-two/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ocoudert.com/blog/2010/02/21/formal-verification-stalling-take-two/</link>
	<description>My take on tech --and other topics</description>
	<lastBuildDate>Mon, 16 Aug 2010 22:30:37 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
	<item>
		<title>By: Chris Wilson</title>
		<link>http://www.ocoudert.com/blog/2010/02/21/formal-verification-stalling-take-two/comment-page-1/#comment-1218</link>
		<dc:creator>Chris Wilson</dc:creator>
		<pubDate>Wed, 14 Apr 2010 18:54:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.ocoudert.com/blog/?p=724#comment-1218</guid>
		<description>Hi Olivier,

I posted some more comments on this in my blog.
http://bugsareeasy.wordpress.com/2010/04/13/is-formal-verification-a-mature-technology/

--chris</description>
		<content:encoded><![CDATA[<p>Hi Olivier,</p>
<p>I posted some more comments on this in my blog.<br />
<a href="http://bugsareeasy.wordpress.com/2010/04/13/is-formal-verification-a-mature-technology/" rel="nofollow">http://bugsareeasy.wordpress.com/2010/04/13/is-formal-verification-a-mature-technology/</a></p>
<p>&#8211;chris</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Olivier Coudert</title>
		<link>http://www.ocoudert.com/blog/2010/02/21/formal-verification-stalling-take-two/comment-page-1/#comment-649</link>
		<dc:creator>Olivier Coudert</dc:creator>
		<pubDate>Tue, 23 Feb 2010 17:12:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.ocoudert.com/blog/?p=724#comment-649</guid>
		<description>Hi Armin,

If your state space is finite, the sequences will be periodic, and therefore your statement is correct. As long as we have an upper bound on the period, or on the longest sequence required for an induction proof, we can cast the liveness property into a safety property. 

There is a large body of work that has been done in reachability analysis, from &quot;multiple stepping&quot; (using an augmented next-state function to explore the reachable states in fewer iterations) to abstraction techniques. It works to some extent, even though the main problem is again debugging. Usually the period is extremely large, which makes these methods not very practical. This is why people rely more on (incomplete) hybrid methods to explore the state space and look for &quot;exception&quot; states where the FSM can be trapped in a loop that would invalidate the liveness property. Regardless of the method though, debugging still remains a problem --long input sequences are extremely difficult to use to figure out the flaw in a control system.</description>
		<content:encoded><![CDATA[<p>Hi Armin,</p>
<p>If your state space is finite, the sequences will be periodic, and therefore your statement is correct. As long as we have an upper bound on the period, or on the longest sequence required for an induction proof, we can cast the liveness property into a safety property. </p>
<p>There is a large body of work that has been done in reachability analysis, from &#8220;multiple stepping&#8221; (using an augmented next-state function to explore the reachable states in fewer iterations) to abstraction techniques. It works to some extent, even though the main problem is again debugging. Usually the period is extremely large, which makes these methods not very practical. This is why people rely more on (incomplete) hybrid methods to explore the state space and look for &#8220;exception&#8221; states where the FSM can be trapped in a loop that would invalidate the liveness property. Regardless of the method though, debugging still remains a problem &#8211;long input sequences are extremely difficult to use to figure out the flaw in a control system.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Armin</title>
		<link>http://www.ocoudert.com/blog/2010/02/21/formal-verification-stalling-take-two/comment-page-1/#comment-646</link>
		<dc:creator>Armin</dc:creator>
		<pubDate>Tue, 23 Feb 2010 03:13:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.ocoudert.com/blog/?p=724#comment-646</guid>
		<description>Olivier, 
Thanks for your articles. I&#039;m trying to make sense of point and counter point. I agree formal verification can coexist with dynamic simulation at this point to speed up simulation, to increase coverage and to help debugging as you have in the article. Definitely they have their own share of verification and progress from many sources. Here is the state problem and solution, please add to develop the discussion.

Problem: To address a liveness assertion, which is of infinite duration, all periodic cycles from starting states (all initialization phases) need to be analyzed. To analyze periodic cycles, the formal engine must analyze the length of the longest cycle plus an initialization phase. And the longest path can be infinite.

Solution: One can bound the problem based on knowledge of the design, but sometimes it’s not possible to convert a liveness to a safety assertion. To address this issue, bounding engines build the state space incrementally and verify assertions so as to avoid state space explosion. Unfortunately bounded engines cannot solve liveness assertions because they also blow up. Dynamic Hybrid Engines use simulation to get to an interesting state (a control transition, or when an exception occurs, or where a corner case is based on design knowledge) and then a bounded model checker can find bugs, which is not a proof but a bug hunting technique. To reduce the state space again, one needs to have knowledge of the design and the tool needs to support engine optimization, nondeterminism (freeing and abstraction), pruning and partitioning.

-- Armin</description>
		<content:encoded><![CDATA[<p>Olivier,<br />
Thanks for your articles. I&#8217;m trying to make sense of point and counter point. I agree formal verification can coexist with dynamic simulation at this point to speed up simulation, to increase coverage and to help debugging as you have in the article. Definitely they have their own share of verification and progress from many sources. Here is the state problem and solution, please add to develop the discussion. </p>
<p>Problem: To address a liveness assertion, which is of infinite duration, all periodic cycles from starting states (all initialization phases) need to be analyzed. To analyze periodic cycles, the formal engine must analyze the length of the longest cycle plus an initialization phase. And the longest path can be infinite. </p>
<p>Solution: One can bound the problem based on knowledge of the design, but sometimes it’s not possible to convert a liveness to a safety assertion. To address this issue, bounding engines build the state space incrementally and verify assertions so as to avoid state space explosion. Unfortunately bounded engines cannot solve liveness assertions because they also blow up. Dynamic Hybrid Engines use simulation to get to an interesting state (a control transition, or when an exception occurs, or where a corner case is based on design knowledge) and then a bounded model checker can find bugs, which is not a proof but a bug hunting technique. To reduce the state space again, one needs to have knowledge of the design and the tool needs to support engine optimization, nondeterminism (freeing and abstraction), pruning and partitioning. </p>
<p>&#8211; Armin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Has formal verification technology stalled?</title>
		<link>http://www.ocoudert.com/blog/2010/02/21/formal-verification-stalling-take-two/comment-page-1/#comment-642</link>
		<dc:creator>Has formal verification technology stalled?</dc:creator>
		<pubDate>Mon, 22 Feb 2010 20:04:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.ocoudert.com/blog/?p=724#comment-642</guid>
		<description>[...] Formal verification stalling, take two [...]</description>
		<content:encoded><![CDATA[<p>[...] Formal verification stalling, take two [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>
