Research Activity

Key Words

Motivations

• Design errors increase the time needed to complete the project thus increasing its final cost;
• Design errors increase the time-to-market. Because of the short life-cycle of todays products this turns out in decreased revenues because of loss of market share.

Testing and/or simulation are classical ways to look for design errors. However these approaches have two limitations:

• They can only be used when we have a working prototype of our product (be it hardware or software). This means that we are almost at the end of the design cycle. This implies that an error found at this point is back propagated in the design cycle and may trigger (costly) revisions of previously done design steps.
• Testing or simulation can only show the presence of errors in our design. They cannot show absence of errors in our design. I.e. even if our design passes all our tests this thus not mean that there is no error. It just means that we did not find any. For simple projects this may not be such a problem. But for nontrivial projects (or safety critical ones) this is indeed a problem. The INTEL Pentium bug is just an example, although a widely advertised one.

The goal of Formal Methods is to complement testing and simulation by addressing those design areas for which testing or simulation are not suitable. Namely:

• Formal methods are designed to show correctness (i.e. absence of errors) of the design with respect to some given property. This is usually called verification and, conceptually corresponds to run all possible tests. Of course running all possible test is in general impossible, however verification achieves the same effect by using suitable algorithms.
• Formal methods can be applied very early in the design cycle. In fact we can use formal methods for requirements analysis, validation of the high level specifications, verification of the final system.

  Formal methods can be broadly classified into automatic (e.g. Model Checking) and interactive (e.g. Proof Checking).

  Automatic methods (model checking) can be easily introduced in the design cycle since they do not require a long training to be used. However, in general automatic methods can only be applied to Finite State Systems (FSSs). Fortunately many systems for which correctness is important are or can be approximated with FSSs. E.g. digital hardware, many reactive programs found in embedded control and/or telecommunication applications. Indeed automatic verification can often be done starting from the source code describing our systems (hardware or software). E.g. automatic verification can start from (possibly suitable fragments of) HDL, VHDL, SDL or Esterel code.

  Interactive methods (proof checking) can be applied to any system in principle. However they require highly trained people to be used. Thus interactive methods are used only on projects that justify such an effort (e.g. new microprocessors, some military applications, etc).

  Our research focuses on automatic methods for verification and, when possible, synthesis of finite state systems (hardware as well as software). Our main interests are in:

  • Automatic verification algorithms and tools,
  • Automatic synthesis algorithms and tools,
  • Technology transfer.

  Lambda-Calculus

  The problem of automatic verification or synthesis of reactive programs can be casted as the problem of solving a system of equations with programs as unknowns. The lambda-calculus is a convenient language to study systems of program equations in general. This is because using lambda-calculus programs as well as equations (specifications) can be defined in the same language. Of course the problem of solving a system of equations with programs (lambda-terms) as unknowns is, in general, undecidable. However for interesting classes of systems this problem is decidable. Algorithms to solve systems of equations in the lambda-calculus have been the research subject of my M.S. thesis (see [BT 87a], [BT 91]), of my Ph.D. thesis (see [Tro 91], [Tro 95], [Tro 96a], [Tro 96b]) and of [PT 90].

  Symbolic Model Checking

  From a practical point of view decidability is not enough. We need efficient algorithms. This suggests to restrict ourselves to finite state programs. Note that many reactive systems (hardware and/or software) can be represented (or approximated) using Finite State Systems (FSSs). An FSS can be represented with its transition relation which in turn can be represented with a boolean function. This leads us to study systems of equations with boolean functions as unknowns. This approach relies on the fact that efficient canonical representations for boolean functions are available, namely OBDDs ( Ordered Binary Decision Diagrams).

  Using systems of equations on boolean functions we can define a Boolean Symbolic Programming (BSP) language based on BFOL (Boolean First Order Logic). This is done in [Tro 95a].

  BSP is is a programming language designed to define explicit (i.e. using boolean operators or quantifiers) as well as implicit (i.e. using fixpoints) computations on boolean functions (boolean symbolic computations). For BSP we have implemented a BDD based interpreter as well as a BDD package tailored to it.

  BSP can be downloaded from http://www.dsi.uniroma1.it/~tronci/bsp.html.

  Automatic Verification of FSSs via Model Checking amounts to carry out computations on boolean functions [Tro 95a]. Thus BSP can be used as a Model Checker. However BSP has some advantages w.r.t. "traditional" model checkers.

  • BSP is a programming language designed to easily define boolean symbolic computations. This neatly separates the problems of defining the boolean symbolic computation needed to answer a model checking problem from that of efficiently carrying out such computation. This yields an open system architecture thus decreasing the cost of development for verification tools.
  • The all verification task (i.e. implementation and specification) can be defined in BSP. This enables rewriting based global optimization of the verification task before generating BDDs thus allowing automatic verification of systems out of reach for BDDs alone (e.g. see [Tro 95a]).
  • BSP allows us to exploit our knowledge about why a system is supposed to be correct w.r.t. given requirements. In fact for finite state systems a (formal or informal) correctness proof can often be casted as a boolean symbolic computation. Such computation can be defined with a boolean symbolic programming language but not with an implementation oriented language nor with mu-calculus.
  • Note that for large systems automatic verification is always preceded by a manual in-depth analysis phase to (craftly) model system and requirements (e.g. by using suitable abstractions, system partitioning, etc.) so that the resulting model checking problem can be ``automatically'' solved without running out of space or time. Unfortunately it is not always possible or easy to exploit our understanding of system and requirements using a two language based model checker. A boolean symbolic programming language allows us to overcome such limitation while retaining model checking computational benefits.

  Explicit Model Checking

  For protocol verification or, more in general, for software like systems, Explicit Model Checking (i.e. State Space Exploration ) often outperforms Symbolic (i.e. OBDD based) Model Checking.

  Our experimental results show ([TDIZ 01], [TDIZ 01a]) that protocols exhibit transition locality . That is, w.r.t. levels of a Breadth First (BF) visit, state transitions tend to be between states belonging to close levels of the transition graph.

  This lead us to design a verification algorithm exploiting transition locality. We implemented such an algorithm within the Murphi verifier (http://sprout.stanford.edu/dill/murphi.html). We called our tool Cached Murphi and it is available on Murphi web site as well as in http://www.dsi.uniroma1.it/~tronci/cached.murphi.html

  Our experimental results show that using our cached approach we can typically save more than 40% of RAM with an average time penalty of about 50%.

  Transition locality can also be used to improve disk based state space exploration algorithms ([DITZ 02]). For example using our disk based Murphi we were able to complete verification of a protocol with about one billion of reachable states. This would require more than 5 gigabytes of RAM using RAM based Murphi.

  The above results allowed us to automatically verify quite large systems ([DITZ 02]). Moreover our research results show that also Hybrid Systems can be effectively analyzed using cached murphi ([GHBTCM 02]).

  Automatic Synthesis of Controllers from Closed Loop Formal Specifications

  Many safety critical systems are reactive systems modeling (embedded) control systems. Because of this safety critical characteristic correctness is a crucial issue in many control systems.

  A control system can often be partitioned into two main subsystems: a controller and a plant. The controller purpose is to restrict the plant behaviour so as to meet given closed loop system (plant + controller) specifications.

  If plant and controller can be modeled as FSSs formal methods (namely: model checking) can be used to automatically check correctness of the designed controller w.r.t. given closed loop specifications. To this end we need to write formal specifications for the closed loop system, a finite state model of the plant, and a finite state model of the controller. E.g. this is possible when the plant is a finite state Discrete Event System (DES).

  An alternative approach is to automatically synthesize the controller from the plant finite state model and the closed loop formal specifications. This yields a controller which is correct by construction, saves on the controller coding effort (thus saving on design time and cost) and allows us to focus on formal specifications (thus improving design quality).

  The main obstruction to such approach is state explosion. As for automatic verification we can use symbolic (i.e. BDD based) algorithms to contrast state explosion. BSP can be used to define (and effectively run) symbolic controller synthesis algorithms. In general this cannot be done with any of the currently available BDD based tools (Model Checkers) without resorting to BDD primitives.

  Optimal supervisors [Tro 96] as well as optimal controllers [Tro 97] for nontrivial plants can be automatically synthesized using our symbolic algorithms ([Tro 98], [Tro 99a], [Tro 99b]) E.g. we can automatically synthesize optimal controllers for plants with more than 10^9 states.

  Case Study

  Many case studies have been carried out in collaboration with industry as well as research institutions. The goal of these case studies has been mainly that of testing effectiveness of our proposed approaches to automatic verification as well as to carry out technology transefer.

  Here is a selected list of case studies.

  • Automatic Verification of a Hydroelectric Power Plant ([PT 96]).
  • Automatic Synthesis of Control Software for an Industrial Automation Control System ([Tro 99a], [Tro 99b]).
  • Requirements Formalization and Validation for a Telecommunication Equipment Protection Switcher ([CT 00]).
  • Advanced Techniques for Safety Analysis Applied to the Gas Turbine Control System of ICARO C-generative Plant ([BBCIKMT 01], [GHBTCM 02]).
  • Integrating Automatic Verification of Safety Requirements in Railway Interlocking System Design ([DDST 01]).

  Current Research Themes

  The following research themes are currently being pursued.
  • Algorithms and Tools for Automatic Analysis of deterministic reactive systems.
  • Algorithms and Tools for Automatic Verification of probabilistic (Markov Chains) reactive systems.
  • Algorithms and Tools for Automatic Verification of hybrid systems and embedded systems.
  • Algorithms and Tools for Automatic Synthesis of Controllers from Closed Loop Formal Specifications.
  • Case Studies.

  References

  See http://www.dsi.uniroma1.it/~tronci/papers.html

  See Model Checking Links and Tools