Tobias Schuele

A Verified Compiler for Synchronous Programs with Local Declarations

We describe the translation of Esterel-like programs with delayed actions to equivalent equation systems. Potential schizophrenia problems arising from local declarations are solved by (1) generating copies of the surface of the statement and (2) renaming the local variables in one of the copied surfaces generated a loop. The translation runs in quadratic time and has been formally verified with the HOL theorem prover.

From model-based design to formal verification of adaptive embedded systems

Adaptation is important in dependable embedded systems to cope with changing environmental conditions. However, adaptation significantly complicates system design and poses new challenges to system correctness. We propose an integrated model-based development approach facilitating intuitive modelling as well as formal verification of dynamic adaptation behaviour. Our modelling concepts ease the specification of adaptation behaviour and improve the design of adaptive embedded systems by hiding the increased complexity from the developer. Based on a formal framework for representing adaptation behaviour, our approach allows to employ theorem proving, model checking as well as specialised verification techniques to prove properties characteristic for adaptive systems such as stability.

Maximal causality analysis

Perfectly synchronous systems immediately react to the inputs of their environment, which may lead to so-called causality cycles between actions and their trigger conditions. Algorithms to analyze the consistency of such cycles usually extend data types by an additional value to explicitly indicate unknown values. In particular, Boolean functions are thereby extended to ternary functions. However, a Boolean function usually has several ternary extensions, and the result of the causality analysis depends on the chosen ternary extension. In this paper, we show that there always is a maximal ternary extension that allows one to solve as many causality problems as possible. Moreover, we elaborate the relationship to hazard elimination in hardware circuits, and finally show how the maximal ternary extension of a Boolean function can be efficiently computed by means of binary decision diagrams.

Test scheduling for minimal energy consumption under power constraints

Power consumption has become a crucial concern in built-in self-test (BIST) due to the increased switching activity in the circuit under test. In this paper we present a method for scheduling tests which aims at minimizing total energy consumption and test application time under peak power constraints. In contrast to previous approaches, our method takes into account switching activity which occurs in overlapping regions of the subcircuits under test. The key part is a hierarchical approach to power estimation which makes it possible to quickly evaluate the power consumption of partial schedules. Experimental results show that the energy savings range between 54% and 97% in comparison with conventional methods. Test application time can be reduced to the same extent.

Abstraction of assembler programs for symbolic worst case execution time analysis

Various techniques have been proposed to determine the worst case execution time of real-time systems. For most of these approaches, it is not necessary to capture the complete semantics of the system. Instead, it suffices to analyze an abstract model provided that it reflects the systems execution time correctly. To this end, we present an absuaction technique based on program slicing that can be used to simplify software systems at the level of assembler programs. The kiy idea is to determine a minimal set of instructions such that the control flow of the program is maintained. This abstraction is essential for reducing the runtime of the analysis algorithms, in particdar, when symbolic methods are used to perform a complete state space exploration

Global vs. local model checking: a comparison of verification techniques for infinite state systems

Global and local model checking procedures follow radically different paradigms: while global approaches are based on fixpoint computation, local approaches are related to deduction and induction. For the verification finite state systems, this may result in different runtimes. For the verification of infinite state systems, however the differences are far more important. Since most problems are undecidable for such systems, it may be the case that one of the procedures does not terminate. In this paper we compare global and local procedures for model checking p-calculus properties of infinite state systems. In particular we show how they can benefit from each other and present appropriate extensions.

Bounded model checking of infinite state systems: exploiting the automata hierarchy

We present a new approach to bounded model checking that extends current methods in two ways: firstly, instead of a reduction to propositional logic, we choose a more powerful, yet decidable target logic, namely Presburger arithmetic. Secondly, instead of unwinding temporal logic formulas, we unwind corresponding /spl omega/-automata. To this end, we employ a special technique for translating safety and liveness properties to /spl omega/-automata with corresponding acceptance conditions. This combination allows us to utilize bounded model checking techniques for the efficient verification of infinite state systems.

Bounded model checking of infinite state systems

Bounded model checking (BMC) is an attractive alternative to symbolic model checking, since it often allows a more efficient verification. The idea of BMC is to reduce the model checking problem to a satisfiability problem of the underlying base logic, so that sophisticated decision procedures can be utilized to check the resulting formula. We present a new approach to BMC that extends current methods in three ways: First, instead of a reduction to propositional logic which restricts BMC to finite state systems, we focus on infinite state systems and therefore consider more powerful, yet decidable base logics. Second, instead of directly unwinding temporal logic formulas, we use special translations to ω-automata that take into account the temporal logic hierarchy and maintain safety and liveness properties. Third, we employ both global and local model checking procedures to take advantage of the different types of specifications that can be handled by these techniques. Based on three-valued logic, our bounded model checking procedures may either prove or disprove a specification, or they may explicitly state that no information has been obtained due to insufficient bounds.

Three-valued logic in bounded model checking

In principle, bounded model checking (BMC) leads to semi-decision procedures that can be used to verify liveness properties and to falsify safety properties. If the procedures fail, there is usually no information about the validity of the considered specification. In this paper, we present a new approach to BMC based on three-valued logic that allows us in many cases to falsify liveness properties and to verify safety properties. Moreover, we employ both global and local model checking to take advantage of the different types of specifications that can be handled by these techniques.

Verification of data paths using unbounded integers: automata strike back

We present a decision procedure for quantifier-free Presburger arithmetic that is based on a polynomial time translation of Presburger formulas to alternating finite automata (AFAs).Moreover, our approach leverages the advances in SAT solving by reducing the emptiness problem of AFAs to satisfiability problems of propositional logic. In order to obtain a complete decision procedure, we use an inductive style of reasoning as originally proposed for proving safety properties in bounded model checking. Besides linear arithmetic constraints, our decision procedure can deal with bitvector operations that frequently occur in hardware design. Thus, it is well-suited for the verification of data paths at a high level of abstraction.