Hybrid RELTL for Analog-Mixed Signals
Stefano Tonetta, joint work with
Alessandro Cimatti and Marco Roveri
FBK-irst, Trento, Italy
{cimatti,roveri,tonettas}@fbk.eu
FAC Workshop, Snowbird, 14 July 2011
S. Tonetta (FBK-irst) Hybrid RELTL for Analog-Mixed Signals FAC, 14 July 2011 1 / 21
Assertion-based design for AMS
Design of ICs is more and more complex.
Integration of digital and analog blocks is a main issue.
Verification techniques for digital systems do not work for system-level logic verification.
Most bugs lie in misunderstood/incomplete/inconsistent properties on the interfaces between digital and analog blocks.
In Software Engineering jargon, these are requirements faults/errors.
A precise specification of assertions and assumptions is necessary.
Standard languages exist for assertions on discrete circuits, such as PSL (Sugar, ForSpec, ...).
RELTL as core temporal logic. It combines Linear-time Temporal Logic (LTL) and Regular Expressions.
HDLs extended with continuous variables and differential equations.
Required features
IC      | HDL          | formal model       | traces   | properties
digital | Verilog/VHDL | transition systems | discrete | RELTL
AMS     | V...-AMS     | hybrid systems     | hybrid   | HRELTL
We need a logic that:
  represents temporal constraints;
  includes predicates over derivatives;
  includes predicates over discrete changes;
  can be analyzed symbolically and automatically.
Our solution:
1 HRELTL logic:
  extends RELTL (Linear-time Temporal Logic with Regular Expressions) with hybrid aspects;
  interpreted over hybrid traces;
  predicates over derivatives in continuous evolutions;
  predicates over discrete steps.
2 reduction of the satisfiability problem for a linear fragment to an equi-satisfiable problem for RELTL:
  allows the re-use of validation techniques for RELTL.
Outline
1 From discrete to hybrid RELTL
2 HRELTL for AMS
3 SMT-based analysis
4 Conclusions
1 From discrete to hybrid RELTL
LTL
Propositions: p1, p2, ... bits or Boolean predicates.
Boolean combinations: and, or, not, implies.
Temporal operators: next, eventually, always, until.
Examples:
safety: always (not (p1 and p2))
response to an impulse: always (p1 implies eventually p2)
response to permanent holding: always (always p1 implies eventually p2)
response to persistence: (always eventually p1) implies eventually p2
fairness: always eventually p1
RELTL
Regular expressions:
  Repetition: r1[∗n] (n = 0 means the empty sequence).
  Concatenation: r1; r2.
  Fusion: r1 : r2.
  Or: r1|r2.
  And: r1&&r2.
  Non-matching and: r1&r2.
Suffix operators:
  Suffix implication: r |→ φ.
  Suffix conjunction: r ♦→ φ.
Allows responses to sequences: always ({p1; p2[∗]; p3} |→ eventually p4)
Reaches ω-regular expressiveness: {true; p}[∗] ♦→ true.
From discrete to hybrid traces
[Figure: three DATA-against-TIME plots: a discrete trace, a continuous signal and a hybrid trace]
HRELTL = RELTL interpreted over hybrid traces with:
  continuous variables;
  arithmetic predicates with next and derivatives.
Interpretation of continuous predicates
Required features to guarantee a well-defined interpretation of the continuous predicates:
interval-based logic:
  in a semantics based on time points, x ≤ 0 until x > 0 would be unsatisfiable (if x is continuous), because there is no first instant at which x > 0 holds;
both open intervals and time points:
  x < 0 requires right-open intervals;
  x > 0 requires left-open intervals;
  x = 0 requires time points.
finite variability:
  we must guarantee that the continuous behaviors can be sampled finely enough to have a uniform interpretation of the predicates on every element of the trace;
sampling invariance:
  the interpretation of formulas does not depend on the sampling.
arbitrary interpretation of next terms over continuous evolutions.
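The interval-based sampling described above, as an added example that is not part of the slides or of the authors' tool: it turns a piecewise-linear signal (two constructed test signals) into a hybrid trace of alternating time points and open intervals, cut at every zero crossing so that each of v<0, v=0, v>0 has one truth value per element (finite variability); it shows that x ≤ 0 until x > 0 is satisfied once the open interval after the crossing is an element of the trace; and it checks sampling invariance by adding extra sample instants and collapsing them. The helper names, the midpoint evaluation and the restriction to sign predicates of a piecewise-linear signal (no derivatives, no next terms) are this example's own assumptions.

```python
from fractions import Fraction

# Constructed test signals (not from the slides): a ramp crossing zero once,
# and an oscillation that passes through zero twice.
RAMP_POINTS = [(0, -1), (2, 1)]
OSC_POINTS = [(0, 1), (1, 0), (2, -1), (3, 0), (4, 1)]


def piecewise_linear(points):
    """Exact v(t) for the polyline through `points`, plus its breakpoints."""
    pts = [(Fraction(t), Fraction(x)) for t, x in points]

    def v(t):
        t = Fraction(t)
        for (t0, v0), (t1, v1) in zip(pts, pts[1:]):
            if t0 <= t <= t1:
                return v0 + (v1 - v0) * (t - t0) / (t1 - t0)
        raise ValueError("t outside the signal's domain")

    return v, pts


def zero_crossings(pts):
    """Instants where the polyline is 0: the only instants at which the truth
    values of v<0, v=0 and v>0 can change (finite variability)."""
    zs = set()
    for (t0, v0), (t1, v1) in zip(pts, pts[1:]):
        if v0 == 0:
            zs.add(t0)
        if v1 == 0:
            zs.add(t1)
        if (v0 < 0 < v1) or (v1 < 0 < v0):
            zs.add(t0 + (t1 - t0) * (-v0) / (v1 - v0))
    return zs


def sign_label(x):
    return "v<0" if x < 0 else ("v=0" if x == 0 else "v>0")


def hybrid_trace(points, extra_samples=()):
    """Sample the signal into alternating time points and open intervals.
    Elements are (kind, start, end, label). Every zero crossing is a cut, so
    the sign is constant on each open interval and can be read at its
    midpoint; extra cuts may be added anywhere without changing that."""
    v, pts = piecewise_linear(points)
    cuts = sorted(zero_crossings(pts) | {pts[0][0], pts[-1][0]}
                  | {Fraction(t) for t in extra_samples})
    trace = []
    for i, t in enumerate(cuts):
        trace.append(("point", t, t, sign_label(v(t))))
        if i + 1 < len(cuts):
            t_next = cuts[i + 1]
            trace.append(("open", t, t_next, sign_label(v((t + t_next) / 2))))
    return trace


def canonical(trace):
    """Drop time points that merely split an interval into two pieces with
    the same valuation: what a formula sees must not depend on where the
    signal was sampled (sampling invariance). A point with v=0 between two
    intervals with v<0 or v>0 has a different valuation and is kept."""
    out = list(trace)
    i = 1
    while i + 1 < len(out):
        a, p, b = out[i - 1], out[i], out[i + 1]
        if (a[0] == "open" and p[0] == "point" and b[0] == "open"
                and a[3] == p[3] == b[3]):
            out[i - 1:i + 2] = [("open", a[1], b[2], a[3])]
        else:
            i += 1
    return out


def until_from_start(trace, lhs, rhs):
    """lhs U rhs at the first element: some element satisfies rhs and every
    earlier element satisfies lhs."""
    for elem in trace:
        if rhs(elem[3]):
            return True
        if not lhs(elem[3]):
            return False
    return False


def ramp_until_holds():
    """x <= 0 until x > 0 on the ramp: the witness for x > 0 is the open
    interval after the zero crossing, which has no first instant but is a
    single element of the hybrid trace."""
    return until_from_start(hybrid_trace(RAMP_POINTS),
                            lhs=lambda l: l in ("v<0", "v=0"),
                            rhs=lambda l: l == "v>0")


def sampling_invariant(points, extra_samples):
    """Two samplings of the same signal agree once sampling artefacts go."""
    return canonical(hybrid_trace(points)) == canonical(
        hybrid_trace(points, extra_samples))


if __name__ == "__main__":
    for elem in hybrid_trace(OSC_POINTS):
        print(elem)
    print("x<=0 U x>0 on the ramp:", ramp_until_holds())
    print("sampling invariant:", sampling_invariant(OSC_POINTS, [0.5, 2.5]))
```

The oscillation sampled without extra instants already has seven elements (point, interval, zero point, interval, zero point, interval, point); adding samples at 0.5 and 2.5 gives eleven, and `canonical` brings it back to the same seven, which is what the slide's sampling-invariance requirement asks for predicates.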
2 HRELTL for AMS
AMS assertions in HRELTL
Examples taken from the web:
1 always((a < 10 and b) implies c)
2 always((0 ≤ a ≤ 5) implies (−275 ≤ der(a) ≤ 275))
3 always(a > 5 implies ((a ≥ 4.5 and b ≥ 4.5) until (b < 4.5)))
4 always(a > 4.5 implies −0.1 ≤ b − c ≤ 0.1)
Oscillator
-- v is a continuous variable
VAR v: continuous;
-- v does not jump
-- during discrete changes
CONSTRAINT
G ( STEP -> next(v)=v)
-- oscillating behavior
CONSTRAINT
G F ( v>0 ) & G F (v<0)
-- inconsistent scenario
CONSTRAINT
G (v!=0)
[Figure: voltage v against time (0 to 4), oscillating between -1.0 and 1.0]
Switched capacitor I
VAR v: continuous; t: continuous;
-- initial condition
CONSTRAINT
t=0 & v=-1000 & der(v)>0
-- switching behavior
CONSTRAINT
G (der(v)>0 -> ( (der(v)>=18 & der(v)<=22 & t<100)
U (t=100 & X (t=0 & der(v) <0)))) &
G (der(v)<0 -> ( (der(v)>=-22 & der(v)<=-18 & t <100)
U (t=100 & X (t=0 & der(v) >0))))
-- the property
CONSTRAINT
! G (v>= -2000 & v <=2000)
-- Assumptions:
-- v does not jump during discrete changes
CONSTRAINT
G ( STEP -> next(v)=v)
-- t can be reset only after 100
CONSTRAINT
G (t<100 -> ( STEP -> next(t)=t))
-- t is a timer
CONSTRAINT
G (der(t)=1)
Switched capacitor II
[Figure: voltage v against time (0 to 700); v ramps up and down and reaches 2000]
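The switched-capacitor specification read as a schedule of phases, as an added example that is not part of the slides or of the tool: t is a timer (der(t) = 1) reset when it reaches 100, der(v) may be anything in [18, 22] while charging and anything in [-22, -18] while discharging, and the specification leaves the slope within those ranges free. A run violating G(-2000 ≤ v ≤ 2000), the negated property on the slide, is therefore obtained by choosing the extreme slopes in every phase; that choice of slopes, the `run` helper and exact arithmetic with `Fraction` are this example's assumptions, not the solver's search.

```python
from fractions import Fraction

# Constants taken from the spec on the slide: 100-unit phases, der(v) ranges
# for charging and discharging, and the bound the property asks for.
PHASE_LEN = Fraction(100)
BOUND = Fraction(2000)
UP = (Fraction(18), Fraction(22))
DOWN = (Fraction(-22), Fraction(-18))


def run(v0, n_phases, choose_slope):
    """Simulate n_phases alternating charge/discharge phases from v = v0 at
    t = 0 (the spec's initial condition is v = -1000 with der(v) > 0).
    choose_slope(lo, hi) picks der(v) for a phase from its allowed range.
    Returns (v at the end, first instant at which |v| > BOUND, or None)."""
    v, t, first_violation = Fraction(v0), Fraction(0), None
    charging = True
    for _ in range(n_phases):
        lo, hi = UP if charging else DOWN
        slope = choose_slope(lo, hi)
        assert lo <= slope <= hi, "slope outside the range the spec allows"
        v_end = v + slope * PHASE_LEN
        if first_violation is None:
            # v is linear within a phase, so the bound is crossed at a unique
            # instant; |v| > BOUND holds on the open interval after it.
            exceeded = v_end > BOUND if slope > 0 else v_end < -BOUND
            if exceeded:
                limit = BOUND if slope > 0 else -BOUND
                first_violation = t + max(Fraction(0), (limit - v) / slope)
        v, t, charging = v_end, t + PHASE_LEN, not charging
    return v, first_violation


def worst_case(n_phases=7):
    """Fastest charge (22) and slowest discharge (-18): v drifts upward by
    400 per full cycle and crosses 2000 during the seventh phase."""
    return run(-1000, n_phases, lambda lo, hi: hi)


def nominal(n_phases=7):
    """Symmetric slopes (20 / -20): v swings between -1000 and 1000."""
    return run(-1000, n_phases, lambda lo, hi: (lo + hi) / 2)


if __name__ == "__main__":
    v, t_viol = worst_case()
    print(f"worst case: v = {v} after 7 phases, "
          f"bound first exceeded at t = {float(t_viol):.1f}")
    print("nominal:", nominal())
```

With the extreme slopes the sequence of phase-end values is 1200, -600, 1600, -200, 2000, 200, 2400: the bound is first exceeded at t = 600 + 1800/22 ≈ 681.8, inside the 700-unit window of the plot above, while symmetric slopes never leave the bound. This is the kind of drift the solver has to discover on its own from the constraints; the example only makes the witness explicit.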
3 SMT-based analysis
Equi-satisfiable discretization
Satisfiability is undecidable.
Discretize and apply infinite-state model checking.
HRELTL → RELTL (with SMT constraints)
The translation τ of a generic HRELTL formula is defined as:
$\tau(\varphi) := \psi_{\iota} \wedge \psi_{\mathit{der}} \wedge \psi_{\mathit{PRED}_{\varphi}} \wedge \psi_{\mathit{VD}} \wedge \tau'(\varphi)$.
Theorem
φ and τ(φ) are equi-satisfiable.
SMT-based analysis
1 convert the hybrid formula into a discrete formula φ;
2 build a fair transition system S_φ;
3 check whether the language accepted by S_φ is non-empty.
Example:
VAR v: continuous;
CONSTRAINT
G ( STEP -> next(v)=v)
CONSTRAINT
G F ( v>0 ) & G F (v<0)
-- consistent scenario
CONSTRAINT
! G (v!=0)
⇒
11 boolean variables, 2 real variables, 4 fairness conditions
-- Flattened FSM model generated from stdin
-- Dumped layers are: model ___HE_RELTL_LAYER_PROBLEM__
MODULE main
-- Input variables from layer 'model'
-- Input variables from layer '___HE_RELTL_LAYER_PROBLEM__'
IVAR
  delta_time : real;
-- State variables from layer 'model'
-- State variables from layer '___HE_RELTL_LAYER_PROBLEM__'
VAR
  "next(v) = v" : boolean;
  time_point : boolean;
  v : real;
  LTL_INPUT_0 : boolean;
  LTL_INPUT_1 : boolean;
  LTL_0_SPECF_12 : boolean;
  LTL_0_SPECF_11 : boolean;
  LTL_0_SPECF_9 : boolean;
  LTL_0_SPECF_7 : boolean;
  LTL_0_SPECF_5 : boolean;
  LTL_0_SPECF_3 : boolean;
  LTL_0_SPECF_1 : boolean;
-- Frozen variables from layer 'model'
-- Frozen variables from layer '___HE_RELTL_LAYER_PROBLEM__'
-- Defines from layer 'model'
-- Defines from layer '___HE_RELTL_LAYER_PROBLEM__'
DEFINE
  "delta_time>0" := delta_time > 0;
  "delta_time=0" := delta_time = 0;
  "v > 0" := !"v <= 0";
  "v <= 0" := ("v < 0" | "v = 0");
  "v >= 0" := !"v < 0";
  "v != 0" := !"v = 0";
  "v < 0" := v < 0;
  "v = 0" := v = 0;
  LTL_0_SPECF_10 := (!((!LTL_INPUT_0 | !LTL_0_SPECF_12) | LTL_INPUT_1) | LTL_0_SPECF_11);
  LTL_0_SPECF_6 := (!LTL_0_SPECF_8 | LTL_0_SPECF_7);
  LTL_0_SPECF_8 := (v < 0 | LTL_0_SPECF_9);
  LTL_0_SPECF_2 := (!LTL_0_SPECF_4 | LTL_0_SPECF_3);
  LTL_0_SPECF_4 := (!(v < 0 | v = 0) | LTL_0_SPECF_5);
  LTL_0_SPECF_0 := (v = 0 | LTL_0_SPECF_1);
-- Assignments from layer 'model'
-- Assignments from layer '___HE_RELTL_LAYER_PROBLEM__'
INIT time_point
INIT !(!(v = 0 | LTL_0_SPECF_1) | (((!LTL_0_SPECF_4 | LTL_0_SPECF_3) | (!LTL_0_SPECF_8 | LTL_0_SPECF_7)) | (!((!LTL_INPUT_0 | !LTL_0_SPECF_12) | LTL_INPUT_1) | LTL_0_SPECF_11)))
TRANS ((time_point & (delta_time = 0 & next(time_point))) | ((time_point & (delta_time > 0 & next(!time_point))) | (!time_point & (delta_time > 0 & next(time_point)))))
TRANS (delta_time > 0 -> ((v < 0 -> next(("v < 0" | "v = 0"))) & (!"v <= 0" -> next(!"v < 0"))))
TRANS ((time_point & delta_time > 0) -> (next(v = 0) -> v = 0))
TRANS ("next(v) = v" <-> next(v) = v)
TRANS (LTL_INPUT_1 <-> (delta_time = 0 & "next(v) = v"))
TRANS next((!((!LTL_INPUT_0 | !LTL_0_SPECF_12) | LTL_INPUT_1) | LTL_0_SPECF_11)) = LTL_0_SPECF_11
TRANS (LTL_INPUT_0 <-> delta_time = 0)
TRANS TRUE = LTL_0_SPECF_12
TRANS next((v < 0 | LTL_0_SPECF_9)) = LTL_0_SPECF_9
TRANS next((!LTL_0_SPECF_8 | LTL_0_SPECF_7)) = LTL_0_SPECF_7
TRANS next((!(v < 0 | v = 0) | LTL_0_SPECF_5)) = LTL_0_SPECF_5
TRANS next((!LTL_0_SPECF_4 | LTL_0_SPECF_3)) = LTL_0_SPECF_3
TRANS next((v = 0 | LTL_0_SPECF_1)) = LTL_0_SPECF_1
FAIRNESS delta_time > 0
FAIRNESS (!(v = 0 | LTL_0_SPECF_1) | v = 0)
FAIRNESS (!(!(v < 0 | v = 0) | LTL_0_SPECF_5) | !(v < 0 | v = 0))
FAIRNESS (!(v < 0 | LTL_0_SPECF_9) | v < 0)
BMC (with fairness), k = 4, < 1 second
⇒ SAT
[Figure: the witness trace, voltage v against time (0 to 4), oscillating between -1.0 and 1.0]
VAR v: continuous;
CONSTRAINT
G ( STEP -> next(v)=v)
CONSTRAINT
G F ( v>0 ) & G F (v<0)
-- inconsistent scenario
CONSTRAINT
G (v!=0)
⇒
11 boolean variables, 2 real variables, 3 fairness conditions
-- Flattened FSM model generated from stdin
-- Dumped layers are: model ___HE_RELTL_LAYER_PROBLEM__
MODULE main
-- Input variables from layer 'model'
-- Input variables from layer '___HE_RELTL_LAYER_PROBLEM__'
IVAR
  delta_time : real;
-- State variables from layer 'model'
-- State variables from layer '___HE_RELTL_LAYER_PROBLEM__'
VAR
  "next(v) = v" : boolean;
  time_point : boolean;
  v : real;
  LTL_INPUT_0 : boolean;
  LTL_INPUT_1 : boolean;
  LTL_0_SPECF_12 : boolean;
  LTL_0_SPECF_11 : boolean;
  LTL_0_SPECF_9 : boolean;
  LTL_0_SPECF_7 : boolean;
  LTL_0_SPECF_5 : boolean;
  LTL_0_SPECF_3 : boolean;
  LTL_0_SPECF_1 : boolean;
-- Frozen variables from layer 'model'
-- Frozen variables from layer '___HE_RELTL_LAYER_PROBLEM__'
-- Defines from layer 'model'
-- Defines from layer '___HE_RELTL_LAYER_PROBLEM__'
DEFINE
  "delta_time>0" := delta_time > 0;
  "delta_time=0" := delta_time = 0;
  "v > 0" := !"v <= 0";
  "v <= 0" := ("v < 0" | "v = 0");
  "v >= 0" := !"v < 0";
  "v != 0" := !"v = 0";
  "v < 0" := v < 0;
  "v = 0" := v = 0;
  LTL_0_SPECF_10 := (!((!LTL_INPUT_0 | !LTL_0_SPECF_12) | LTL_INPUT_1) | LTL_0_SPECF_11);
  LTL_0_SPECF_6 := (!LTL_0_SPECF_8 | LTL_0_SPECF_7);
  LTL_0_SPECF_8 := (v < 0 | LTL_0_SPECF_9);
  LTL_0_SPECF_2 := (!LTL_0_SPECF_4 | LTL_0_SPECF_3);
  LTL_0_SPECF_4 := (!(v < 0 | v = 0) | LTL_0_SPECF_5);
  LTL_0_SPECF_0 := (v = 0 | LTL_0_SPECF_1);
-- Assignments from layer 'model'
-- Assignments from layer '___HE_RELTL_LAYER_PROBLEM__'
INIT time_point
INIT !((v = 0 | LTL_0_SPECF_1) | (((!LTL_0_SPECF_4 | LTL_0_SPECF_3) | (!LTL_0_SPECF_8 | LTL_0_SPECF_7)) | (!((!LTL_INPUT_0 | !LTL_0_SPECF_12) | LTL_INPUT_1) | LTL_0_SPECF_11)))
TRANS ((time_point & (delta_time = 0 & next(time_point))) | ((time_point & (delta_time > 0 & next(!time_point))) | (!time_point & (delta_time > 0 & next(time_point)))))
TRANS (delta_time > 0 -> ((v < 0 -> next(("v < 0" | "v = 0"))) & (!"v <= 0" -> next(!"v < 0"))))
TRANS ((time_point & delta_time > 0) -> (next(v = 0) -> v = 0))
TRANS ("next(v) = v" <-> next(v) = v)
TRANS (LTL_INPUT_1 <-> (delta_time = 0 & "next(v) = v"))
TRANS next((!((!LTL_INPUT_0 | !LTL_0_SPECF_12) | LTL_INPUT_1) | LTL_0_SPECF_11)) = LTL_0_SPECF_11
TRANS (LTL_INPUT_0 <-> delta_time = 0)
TRANS TRUE = LTL_0_SPECF_12
TRANS next((v < 0 | LTL_0_SPECF_9)) = LTL_0_SPECF_9
TRANS next((!LTL_0_SPECF_8 | LTL_0_SPECF_7)) = LTL_0_SPECF_7
TRANS next((!(v < 0 | v = 0) | LTL_0_SPECF_5)) = LTL_0_SPECF_5
TRANS next((!LTL_0_SPECF_4 | LTL_0_SPECF_3)) = LTL_0_SPECF_3
TRANS next((v = 0 | LTL_0_SPECF_1)) = LTL_0_SPECF_1
FAIRNESS delta_time > 0
FAIRNESS (!(!(v < 0 | v = 0) | LTL_0_SPECF_5) | !(v < 0 | v = 0))
FAIRNESS (!(v < 0 | LTL_0_SPECF_9) | v < 0)
INVARSPEC FALSE
PRED v<0
PRED v>0
PRED v=0
PRED LTL_0_SPECF_1
PRED LTL_0_SPECF_3
PRED LTL_0_SPECF_5
PRED LTL_0_SPECF_7
PRED LTL_0_SPECF_9
PRED LTL_0_SPECF_11
PRED LTL_0_SPECF_12
PRED "next(v) = v"
PRED time_point
PRED LTL_INPUT_1
K-induction + predicate abstraction, k = 6, 14 predicates, < 1 second
⇒ UNSAT
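An LTL checker over lasso-shaped traces (a finite prefix plus a loop, which is the shape of witness that bounded model checking with fairness returns), added here as an example that is neither the NuSMV model above nor the authors' code. It serves both the LTL operators of the first section and the SMT-based analysis of this one: the oscillator's two scenarios are evaluated on a hand-built lasso that mirrors the discretised model (`tp` is time_point, `v` the value of the continuous variable, a representative value on an open interval, and `dt` the delta_time input consumed when leaving the state, with dt = 0 being a discrete STEP), and `well_formed` re-implements the alternation and sign-continuity constraints that the TRANS lines of the model add to every trace. The formula encoding, the state layout and the two constructed traces are this example's assumptions.

```python
# Added example: LTL over lasso traces plus the discretisation constraints of
# the oscillator model. A lasso is a list of states whose last state's
# successor is the state at index `loop`.


class Lasso:
    def __init__(self, states, loop):
        self.states, self.loop, self.n = states, loop, len(states)

    def succ(self, i):
        return i + 1 if i + 1 < self.n else self.loop


# Formulas are nested tuples. Atomic predicates see a state and its
# successor, so "next(v) = v" is expressible directly.
def ap(pred):      return ("ap", pred)
def Not(p):        return ("not", p)
def And(p, q):     return ("and", p, q)
def Or(p, q):      return ("or", p, q)
def X(p):          return ("X", p)
def U(p, q):       return ("U", p, q)
def F(p):          return U(ap(lambda s, t: True), p)
def G(p):          return Not(F(Not(p)))
def Implies(p, q): return Or(Not(p), q)


def sat(lasso, phi):
    """Positions of the lasso where phi holds. Every position has exactly one
    successor, so the least fixpoint for U over this finite graph agrees
    with the meaning of U on the infinite unrolling of the lasso."""
    kind, n = phi[0], lasso.n
    if kind == "ap":
        return {i for i in range(n)
                if phi[1](lasso.states[i], lasso.states[lasso.succ(i)])}
    if kind == "not":
        return set(range(n)) - sat(lasso, phi[1])
    if kind == "and":
        return sat(lasso, phi[1]) & sat(lasso, phi[2])
    if kind == "or":
        return sat(lasso, phi[1]) | sat(lasso, phi[2])
    if kind == "X":
        s = sat(lasso, phi[1])
        return {i for i in range(n) if lasso.succ(i) in s}
    if kind == "U":
        p, result = sat(lasso, phi[1]), set(sat(lasso, phi[2]))
        while True:
            new = {i for i in p if lasso.succ(i) in result} - result
            if not new:
                return result
            result |= new
    raise ValueError(kind)


def holds(lasso, phi):
    return 0 in sat(lasso, phi)


def well_formed(lasso):
    """The constraints the discretisation adds to every trace (the TRANS
    lines of the model): time points and open intervals alternate, a
    discrete step joins two time points, v cannot change sign across an
    element boundary, and v = 0 on an interval needs v = 0 at its left
    time point."""
    for i, s in enumerate(lasso.states):
        t = lasso.states[lasso.succ(i)]
        shape_ok = ((s["tp"] and s["dt"] == 0 and t["tp"])
                    or (s["tp"] and s["dt"] > 0 and not t["tp"])
                    or (not s["tp"] and s["dt"] > 0 and t["tp"]))
        if not shape_ok:
            return False
        if s["dt"] > 0:
            if (s["v"] < 0 and t["v"] > 0) or (s["v"] > 0 and t["v"] < 0):
                return False
            if s["tp"] and t["v"] == 0 and s["v"] != 0:
                return False
    return True


def state(tp, v, dt=1):
    return {"tp": tp, "v": v, "dt": dt}


STEP = ap(lambda s, t: s["dt"] == 0)
NEXT_V_EQ_V = ap(lambda s, t: t["v"] == s["v"])
V_POS = ap(lambda s, t: s["v"] > 0)
V_NEG = ap(lambda s, t: s["v"] < 0)
V_NZ = ap(lambda s, t: s["v"] != 0)

OSCILLATES = And(G(Implies(STEP, NEXT_V_EQ_V)), And(G(F(V_POS)), G(F(V_NEG))))
CONSISTENT = And(OSCILLATES, Not(G(V_NZ)))    # the SAT scenario above
INCONSISTENT = And(OSCILLATES, G(V_NZ))       # the UNSAT scenario above

# Constructed witness: a discrete step that leaves v unchanged, then v
# passes through 0 to -1 and back, looping to position 0.
WITNESS = Lasso([
    state(True, 1.0, dt=0), state(True, 1.0), state(False, 0.5),
    state(True, 0.0), state(False, -0.5), state(True, -1.0),
    state(False, -0.5), state(True, 0.0), state(False, 0.5)], loop=0)

# Constructed counter-case: v jumps from positive to negative with no time
# point where v = 0. Plain LTL accepts it for G(v != 0); the discretisation
# constraints reject it, which is why the second scenario is UNSAT.
JUMP = Lasso([state(True, 1.0), state(False, -1.0)], loop=0)

if __name__ == "__main__":
    print("witness well-formed:", well_formed(WITNESS),
          "satisfies consistent scenario:", holds(WITNESS, CONSISTENT))
    print("jump well-formed:", well_formed(JUMP),
          "satisfies inconsistent scenario:", holds(JUMP, INCONSISTENT))
```

The point of `JUMP` is the one the UNSAT result rests on: G F (v>0) & G F (v<0) & G (v!=0) is satisfiable as a discrete LTL formula, and it is only the sign-continuity constraints of the translation (the `delta_time > 0 -> ...` TRANS lines) that make it unsatisfiable for a continuous v.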
4 Conclusions
Final remarks
Techniques integrated on top of NuSMV.
GUI with timed-trace viewer.
OTHELLO = Object Temporal Hybrid expressions Linear-time temporal Logic
Example:
"The train trip shall issue an emergency brake command, which shall not be revoked until the train has reached standstill and the driver has acknowledged the trip" (ETCS SRS Sec. 3.13.8.2)
for all t of type Train (t.trip implies (t.emergency_brake until (t.speed = 0 and t.driver.ack)))
Result of the industrial project EuRailCheck (European Railway Agency) and of the project OthelloPlay (winner of the SEIF 2010 MSR award).
Validated by railway experts to formalize the requirements of the European Train Control System.
Future directions
Integration with SMT techniques for hybrid system verification (see the talk of Sergio Mover at CAV).
Integration with testing and ATPG.
Validation of hybrid regular expressions.
Non-linear continuous signals.
SMT-based representation of digital encoding of real data.