# Delayed Nondeterminism in Model Checking Embedded Systems Assembly Code

#### <u>Thomas Noll</u><sup>1</sup> Bastian Schlich<sup>2</sup>

<sup>1</sup>Software Modelling and Verification Group <sup>2</sup>Software for Embedded Systems RWTH Aachen University noll@cs.rwth-aachen.de

Haifa Verification Conference, October 25, 2007

- Most microcontroller software written in C
- Many model checkers accept (ANSI) C programs: BLAST, CBMC, MAGIC, ...
- Often restricted support of C constructs:
  - no expressions with side effects
  - no recursion
  - only integer variables
  - ...
- Many microcontroller features not considered in ANSI C:
  - direct hardware access (registers, ...)
  - embedded assembly code
  - interrupts
  - ...

Case studies from industrial applications contain errors which

- passed all tests and reviews
- are only observable on assembly level
- caused by forgotten interrupt enabling/disabling, reentrance problems, ...

Base model checking on assembly code



- Most microcontroller software written in C
- Many model checkers accept (ANSI) C programs: BLAST, CBMC, MAGIC, ...
- Often restricted support of C constructs:
  - no expressions with side effects
  - no recursion
  - only integer variables
  - ...
  - Many microcontroller features not considered in ANSI C:
    - direct hardware access (registers, ...)
    - embedded assembly code
    - interrupts
    - ....

Case studies from industrial applications contain errors which

- passed all tests and reviews
- are only observable on assembly level
- caused by forgotten interrupt enabling/disabling, reentrance problems, ...

Base model checking on assembly code



- Most microcontroller software written in C
- Many model checkers accept (ANSI) C programs: BLAST, CBMC, MAGIC, ...
- Often restricted support of C constructs:
  - no expressions with side effects
  - no recursion
  - only integer variables
  - ...
- Many microcontroller features not considered in ANSI C:
  - direct hardware access (registers, ...)
  - embedded assembly code
  - interrupts
  - ...
- Case studies from industrial applications contain errors which
  - passed all tests and reviews
  - are only observable on assembly level
  - caused by forgotten interrupt enabling/disabling, reentrance problems, ...

Base model checking on assembly code



- Most microcontroller software written in C
- Many model checkers accept (ANSI) C programs: BLAST, CBMC, MAGIC, ...
- Often restricted support of C constructs:
  - no expressions with side effects
  - no recursion
  - only integer variables
  - ...
- Many microcontroller features not considered in ANSI C:
  - direct hardware access (registers, ...)
  - embedded assembly code
  - interrupts
  - ...
- Case studies from industrial applications contain errors which
  - passed all tests and reviews
  - are only observable on assembly level
  - caused by forgotten interrupt enabling/disabling, reentrance problems, ...
- Base model checking on assembly code

```
int main (void) {
  init();// call initialization
  sei();
  while(1) {
    inputs = PINA & 0x0F;
    cli();
    if (direction < 5) {
      if (inputs & (1 << 1)) {// down
        if (direction = 2 \mid \mid direction = 3) {
           TCCR1B = 0x00;
           TIFR = 0xFF;
           TCNT1 = 0 \times 00;
           TIMSK = (1 < < OCIE1A);
           TCCR1B = 0x05;
           direction = 1;
         }
```



```
int main (void) {
  init();
 __asm___volatile__ ("sei" ::);
 while(1) {
    inputs = (*(volatile uint8_t *)((0x19) + 0x20)) \& 0x0F;
    asm volatile ("cli" ::);
    if (direction < 5) {
      if (inputs & (1 << 1)) {
        if (direction = 2 \mid \mid direction = 3) {
          (*(volatile uint8_t *)((0x2E) + 0x20)) = 0x00;
          (*(volatile uint8_t *)((0x38) + 0x20)) = 0xFF;
          (*(volatile uint16 t *)((0x2C) + 0x20)) = 0x00;
          (*(volatile uint8 t *)((0x39) + 0x20)) = (1 << 4);
          (*(volatile uint8 t *)((0x2E) + 0x20)) = 0x05;
          direction = 1;
        }
```



## **Pros and Cons of Using Assembly Code**

#### Advantages:

- Errors of all development stages detectable:
  - (C) programming errors
  - compiler errors
  - errors invisible in the C code (reentrance problems, ...)
  - errors in handling the hardware (interrupts, ...)
- Instructions (relatively) easy to handle
- Clean and well documented semantics
- Implementation close to actual execution

**Disadvantages:** 

- Hardware dependency
  - $\implies$  compiler-generating approach
- Bigger state spaces (finer granularity)
  - $\implies$  abstraction techniques



# **Pros and Cons of Using Assembly Code**

#### Advantages:

- Errors of all development stages detectable:
  - (C) programming errors
  - compiler errors
  - errors invisible in the C code (reentrance problems, ...)
  - errors in handling the hardware (interrupts, ...)
- Instructions (relatively) easy to handle
- Clean and well documented semantics
- Implementation close to actual execution

#### **Disadvantages:**

- Hardware dependency
  - $\implies$  compiler-generating approach
- Bigger state spaces (finer granularity)
  - $\implies$  abstraction techniques



## The [mc]square Model Checker





### The ATMEL ATmega16 Microcontroller



- 8-bit microcontroller
- 16 KB flash memory
- 1KByte internal SRAM
- 512 bytes EEPROM
- 3 timer/counter units
- 4 I/O Ports 8-bit
- 20 vectorized interrupts



## **Sources of Nondeterminism**



- I/O ports
- Timer
- SPI
- TWI
- USART
- ...



### **I/O Ports**



- Basic means to monitor and control external hardware
- Each 8 I/O pins (byte access)
- Bidirectional

Monitoring, access and control of I/O ports via three special registers for each port:

- Data Direction Register (DDR): specifies input (= 0) or output (= 1) property of corresponding pin
- Port Register (PORT): specifies values of output pins
- Port Input Register (PIN): contains values of input pins (read-only)



### **I/O Ports**



- Basic means to monitor and control external hardware
- Each 8 I/O pins (byte access)
- Bidirectional

Monitoring, access and control of I/O ports via three special registers for each port:

- Data Direction Register (DDR): specifies input (= 0) or output (= 1) property of corresponding pin
- Port Register (PORT): specifies values of output pins
- Port Input Register (PIN): contains values of input pins (read-only)







### **Impact on State Space II**





# **Impact on State Space III**





# **Delayed Nondeterminism**





### **The Formal Model: State Space**

- Bits:  $\mathbb{B} := \{0, 1\}$
- Bytes:  $\mathbb{C} := \mathbb{B}^8$
- Memory addresses:  $A := \mathbb{C}^m$  (here: m = 2)
- Nondeterministic bit value: \*
- $\mathbb{B}_* := \mathbb{B} \cup \{*\}, \mathbb{C}_* := \mathbb{B}^8_*$
- Deterministic addresses D ⊆ A (certain registers, variables in formula, ...)
- Memory states:  $V := \{v \mid v : A \to \mathbb{C}_*\}$  where  $v(a) \in \mathbb{C}$  for every  $a \in D$
- Control locations: Q (here: program counter)
- (System) states:  $S := Q \times V$

- run environment handler g<sub>1</sub>; ...; g<sub>k</sub>
   (introduces nondeterministic values where necessary),
- if necessary, apply interrupt dispatcher e<sub>1</sub>: q<sub>1</sub> > ... > e<sub>l</sub>: q<sub>l</sub>
   (reaction to extraordinary events such as interrupts); otherwise
- apply instruction handler q : h<sub>1</sub> : q'<sub>1</sub> > ... > h<sub>m</sub> : q'<sub>m</sub> for current location q ∈ Q (normal execution of machine instructions)

Here each  $g_i$ ,  $h_i$  is a guarded assignment of the form

$$e_0 \rightarrow x_1 := e_1, \ldots, x_n := e_n$$

 $(e_j \text{ value expressions}, x_j \text{ address expressions})$ 



- run environment handler g<sub>1</sub>; ...; g<sub>k</sub>
   (introduces nondeterministic values where necessary),
- if necessary, apply interrupt dispatcher  $e_1 : q_1 > ... > e_l : q_l$ (reaction to extraordinary events such as interrupts) otherwise

apply instruction handler q : h<sub>1</sub> : q'<sub>1</sub> > ... > h<sub>m</sub> : q'<sub>m</sub> for current location q ∈ Q

 (normal execution of machine instructions)

Here each  $g_i$ ,  $h_i$  is a guarded assignment of the form

$$e_0 \rightarrow x_1 := e_1, \ldots, x_n := e_n$$

 $(e_j \text{ value expressions}, x_j \text{ address expressions})$ 



- run environment handler g<sub>1</sub>; ...; g<sub>k</sub>
   (introduces nondeterministic values where necessary),
- if necessary, apply interrupt dispatcher  $e_1 : q_1 > ... > e_l : q_l$ (reaction to extraordinary events such as interrupts); otherwise
- apply instruction handler q : h₁ : q'₁ > ... > h<sub>m</sub> : q'<sub>m</sub> for current location q ∈ Q (normal execution of machine instructions)

Here each  $g_i$ ,  $h_i$  is a guarded assignment of the form

 $e_0 \rightarrow x_1 := e_1, \ldots, x_n := e_n$ 

 $(e_j \text{ value expressions}, x_j \text{ address expressions})$ 



- run environment handler g<sub>1</sub>; ...; g<sub>k</sub>
   (introduces nondeterministic values where necessary),
- if necessary, apply interrupt dispatcher  $e_1 : q_1 > ... > e_l : q_l$ (reaction to extraordinary events such as interrupts); otherwise
- apply instruction handler q : h₁ : q'₁ > ... > h<sub>m</sub> : q'<sub>m</sub> for current location q ∈ Q (normal execution of machine instructions)

Here each  $g_i$ ,  $h_i$  is a guarded assignment of the form

$$e_0 \rightarrow x_1 := e_1, \ldots, x_n := e_n$$

( $e_j$  value expressions,  $x_j$  address expressions)



 $\begin{aligned} & \text{TCCR0}[\text{CS02}] = 1 \lor \text{TCCR0}[\text{CS01}] = 1 \lor \text{TCCR0}[\text{CS00}] = 1 \\ & \rightarrow \text{TIFR}[\text{TOV0}] := nd(\text{TIFR}[\text{TOV0}]); \\ & \text{DDRB}[\text{DDB2}] = 0 \rightarrow \text{GIFR}[\text{INTF2}] := nd(\text{GIFR}[\text{INTF2}]); \ldots \end{aligned}$ 

- Timer overflow interrupt possible if timer activated
- External interrupt possible if input enabled
- Here: nd(\*) := \*, nd(0) := \*, and nd(1) := 1



 $TCCR0[CS02] = 1 \lor TCCR0[CS01] = 1 \lor TCCR0[CS00] = 1$   $\rightarrow TIFR[TOV0] := nd(TIFR[TOV0]);$  $DDRB[DDB2] = 0 \rightarrow GIFR[INTF2] := nd(GIFR[INTF2]); \dots$ 

- Timer overflow interrupt possible if timer activated
- External interrupt possible if input enabled
- Here: nd(\*) := \*, nd(0) := \*, and nd(1) := 1

# $\begin{array}{l} \texttt{SREG[I]} = 1 \land \texttt{TIMSK[TOIE0]} = 1 \land \texttt{TIFR[TOV0]} = 1:18 > \\ \texttt{SREG[I]} = 1 \land \texttt{GICR[INT2]} = 1 \land \texttt{GIFR[INTF2]} = 1:36 > \dots \end{array}$

#### • Timer interrupt raised if

- interrupts are globally enabled and
- timer interrupt not masked and
- timer overflow has occurred
- Effect: jump to interrupt handler at address 18



$$\begin{split} & \texttt{SREG}[\texttt{I}] = 1 \land \texttt{TIMSK}[\texttt{TOIE0}] = 1 \land \texttt{TIFR}[\texttt{TOV0}] = 1 : 18 \\ & \texttt{SREG}[\texttt{I}] = 1 \land \texttt{GICR}[\texttt{INT2}] = 1 \land \texttt{GIFR}[\texttt{INTF2}] = 1 : 36 > \dots \end{split}$$

#### • Timer interrupt raised if

- interrupts are globally enabled and
- timer interrupt not masked and
- timer overflow has occurred
- Effect: jump to interrupt handler at address 18



# $$\begin{split} &\texttt{SREG}[\texttt{I}] = 1 \land \texttt{TIMSK}[\texttt{TOIE0}] = 1 \land \texttt{TIFR}[\texttt{TOV0}] = 1 : 18 > \\ &\texttt{SREG}[\texttt{I}] = 1 \land \texttt{GICR}[\texttt{INT2}] = 1 \land \texttt{GIFR}[\texttt{INTF2}] = 1 : 36 > \dots \end{split}$$

#### • Timer interrupt raised if

- interrupts are globally enabled and
- timer interrupt not masked and
- timer overflow has occurred

• Effect: jump to interrupt handler at address 18



# $$\begin{split} & \texttt{SREG}[\texttt{I}] = 1 \land \texttt{TIMSK}[\texttt{TOIE0}] = 1 \land \texttt{TIFR}[\texttt{TOV0}] = 1: 18 \\ & \texttt{SREG}[\texttt{I}] = 1 \land \texttt{GICR}[\texttt{INT2}] = 1 \land \texttt{GIFR}[\texttt{INTF2}] = 1: 36 > \dots \end{split}$$

#### • Timer interrupt raised if

- interrupts are globally enabled and
- timer interrupt not masked and
- timer overflow has occurred
- Effect: jump to interrupt handler at address 18



### **Example: Adding Instruction**

#### ADD Ri, Rj at address q:

 $q: \mathbf{R}i := \mathbf{R}i + \mathbf{R}j, \mathbf{SREG}[\mathbf{Z}] := (\mathbf{R}i + \mathbf{R}j = 0), \mathbf{SREG}[\mathbf{C}] := \dots, \dots : q+2$ 

#### • Adds contents of registers Ri and Rj and stores result in Ri

• Sets flags in status register SREG:

• ...

#### • $.+.: \mathbb{C} \times \mathbb{C} \to \mathbb{C}$

•  $. = 0 : \mathbb{C} \to \mathbb{B}$ 



### **Example: Adding Instruction**

ADD Ri, Rj at address q:

 $q: Ri := Ri + Rj, SREG[Z] := (Ri + Rj = 0), SREG[C] := \dots, \dots : q+2$ 

- Adds contents of registers Ri and Rj and stores result in Ri
- Sets flags in status register SREG:
  - zero flag Z (= 0)
  - carry flag C (= 1)
  - ...
- $.+.: \mathbb{C} \times \mathbb{C} \to \mathbb{C}$
- $. = 0 : \mathbb{C} \to \mathbb{B}$

IN Ri, A at address q:

 $q: Ri := (DDRA \land PORTA) \lor (\neg DDRA \land PINA) : q + 2$ 

- Copies contents of registers PORTA/PINA according to mask DDRA
- $. \land . : \mathbb{C} \times \mathbb{C}_* \to \mathbb{C}_*$
- $. \lor . : \mathbb{C}_* \times \mathbb{C}_* \to \mathbb{C}_*$
- $\neg$ .:  $\mathbb{C} \to \mathbb{C}$

SBRC Ri, b at address q:

$$q: \operatorname{R} i[b] = 0 \rightarrow : q+3 >$$
  
 $\operatorname{R} i[b] = 1 \rightarrow : q+2$ 

• Branches control according to bth bit in register Ri



#### **Immediate Instantiation**

Each assignment of nondeterministic bit values is resolved by assigning all possible combinations of concrete values.

- Thus: only deterministic values are allowed to be stored
- Still v(a) ∈ C<sub>\*</sub> \ C possible for specific addresses a ∈ A \ D (e.g., a = PINA)
- Guarded assignment  $g = q : e_0 \to x_1 := e_1, \dots, x_n := e_n : q'$  enabled in state  $(q, v) \in S$  if  $\llbracket e_0 \rrbracket_v = 1$
- Gives rise to concrete transition  $(q, v) \xrightarrow{g} (q', v')$  for every  $v' \in V$  obtained by
  - evaluating every right-hand side expression  $e_i$
  - bit taking every possible instantiation of nondeterministic bit values
  - updating *v* accordingly
- Formally:
  - $v' := v[\llbracket x_i \rrbracket_v \mapsto c_i; 1 \le i \le n]$  with  $\mathbb{C} \cup \mathbb{B} \ni c_i \sqsubseteq \llbracket e_i \rrbracket_v$  for all  $1 \le i \le n$
  - $\sqsubseteq \subseteq \mathbb{B}_* \times \mathbb{B}_*$  given by  $0 \sqsubseteq *$  and  $1 \sqsubseteq *$  (pointwise lifted to  $\mathbb{C}_*$  and V)
- $\Rightarrow$  Yields concrete transition system  $T^c = (S, \bigcup_{e \in G} \xrightarrow{s}, s_0)$



#### **Immediate Instantiation**

Each assignment of nondeterministic bit values is resolved by assigning all possible combinations of concrete values.

- Thus: only deterministic values are allowed to be stored
- Still v(a) ∈ C<sub>\*</sub> \ C possible for specific addresses a ∈ A \ D (e.g., a = PINA)
- Guarded assignment  $g = q : e_0 \to x_1 := e_1, \dots, x_n := e_n : q'$  enabled in state  $(q, v) \in S$  if  $\llbracket e_0 \rrbracket_v = 1$
- Gives rise to concrete transition  $(q, v) \xrightarrow{g} (q', v')$  for every  $v' \in V$  obtained by
  - **()** evaluating every right-hand side expression  $e_i$
  - taking every possible instantiation of nondeterministic bit values
  - updating v accordingly
- Formally:
  - $v' := v[\llbracket x_i \rrbracket_v \mapsto c_i; 1 \le i \le n]$  with  $\mathbb{C} \cup \mathbb{B} \ni c_i \sqsubseteq \llbracket e_i \rrbracket_v$  for all  $1 \le i \le n$
  - $\Box \subseteq \mathbb{B}_* \times \mathbb{B}_*$  given by  $0 \sqsubseteq *$  and  $1 \sqsubseteq *$  (pointwise lifted to  $\mathbb{C}_*$  and V)
- ⇒ Yields concrete transition system  $T^c = (S, \bigcup_{e \in G} \xrightarrow{s}, s_0)$



#### **Immediate Instantiation**

Each assignment of nondeterministic bit values is resolved by assigning all possible combinations of concrete values.

- Thus: only deterministic values are allowed to be stored
- Still v(a) ∈ C<sub>\*</sub> \ C possible for specific addresses a ∈ A \ D (e.g., a = PINA)
- Guarded assignment  $g = q : e_0 \to x_1 := e_1, \dots, x_n := e_n : q'$  enabled in state  $(q, v) \in S$  if  $\llbracket e_0 \rrbracket_v = 1$
- Gives rise to concrete transition  $(q, v) \xrightarrow{g} (q', v')$  for every  $v' \in V$  obtained by

If evaluating every right-hand side expression  $e_i$ 

taking every possible instantiation of nondeterministic bit values

Updating v accordingly

• Formally:

- $v' := v[\llbracket x_i \rrbracket_v \mapsto c_i; 1 \le i \le n]$  with  $\mathbb{C} \cup \mathbb{B} \ni c_i \sqsubseteq \llbracket e_i \rrbracket_v$  for all  $1 \le i \le n$
- $\Box \subseteq \mathbb{B}_* \times \mathbb{B}_*$  given by  $0 \sqsubseteq *$  and  $1 \sqsubseteq *$  (pointwise lifted to  $\mathbb{C}_*$  and V)

⇒ Yields concrete transition system  $T^c = (S, \bigcup_{g \in G} \xrightarrow{s}, s_0)$ 



## **Immediate Instantiation**

Each assignment of nondeterministic bit values is resolved by assigning all possible combinations of concrete values.

- Thus: only deterministic values are allowed to be stored
- Still v(a) ∈ C<sub>\*</sub> \ C possible for specific addresses a ∈ A \ D (e.g., a = PINA)
- Guarded assignment  $g = q : e_0 \to x_1 := e_1, \dots, x_n := e_n : q'$  enabled in state  $(q, v) \in S$  if  $\llbracket e_0 \rrbracket_v = 1$
- Gives rise to concrete transition  $(q, v) \xrightarrow{g} (q', v')$  for every  $v' \in V$  obtained by

• evaluating every right-hand side expression  $e_i$ 

**2** taking every possible instantiation of nondeterministic bit values

updating v accordingly

Formally

•  $v' := v[\llbracket x_i \rrbracket_v \mapsto c_i; 1 \le i \le n]$  with  $\mathbb{C} \cup \mathbb{B} \ni c_i \sqsubseteq \llbracket e_i \rrbracket_v$  for all  $1 \le i \le n$ •  $\sqsubseteq \subseteq \mathbb{B}_* \times \mathbb{B}_*$  given by  $0 \sqsubseteq *$  and  $1 \sqsubseteq *$  (pointwise lifted to  $\mathbb{C}_*$  and V)

Yields concrete transition system  $T^c = (S, \bigcup_{s \in G} \xrightarrow{s})$ 



## **Immediate Instantiation**

Each assignment of nondeterministic bit values is resolved by assigning all possible combinations of concrete values.

- Thus: only deterministic values are allowed to be stored
- Still v(a) ∈ C<sub>\*</sub> \ C possible for specific addresses a ∈ A \ D (e.g., a = PINA)
- Guarded assignment g = q : e<sub>0</sub> → x<sub>1</sub> := e<sub>1</sub>,..., x<sub>n</sub> := e<sub>n</sub> : q' enabled in state (q, v) ∈ S if [[e<sub>0</sub>]]<sub>v</sub> = 1
- Gives rise to concrete transition (q, v) → (q', v') for every v' ∈ V obtained by

• evaluating every right-hand side expression  $e_i$ 

2 taking every possible instantiation of nondeterministic bit values

updating v accordingly

• Formally:

- $v' := v[\llbracket x_i \rrbracket_v \mapsto c_i; 1 \le i \le n]$  with  $\mathbb{C} \cup \mathbb{B} \ni c_i \sqsubseteq \llbracket e_i \rrbracket_v$  for all  $1 \le i \le n$
- $\sqsubseteq \subseteq \mathbb{B}_* \times \mathbb{B}_*$  given by  $0 \sqsubseteq *$  and  $1 \sqsubseteq *$  (pointwise lifted to  $\mathbb{C}_*$  and V)

• Yields concrete transition system T



## **Immediate Instantiation**

Each assignment of nondeterministic bit values is resolved by assigning all possible combinations of concrete values.

- Thus: only deterministic values are allowed to be stored
- Still v(a) ∈ C<sub>\*</sub> \ C possible for specific addresses a ∈ A \ D (e.g., a = PINA)
- Guarded assignment g = q : e<sub>0</sub> → x<sub>1</sub> := e<sub>1</sub>,..., x<sub>n</sub> := e<sub>n</sub> : q' enabled in state (q, v) ∈ S if [[e<sub>0</sub>]]<sub>v</sub> = 1
- Gives rise to concrete transition (q, v) → (q', v') for every v' ∈ V obtained by

• evaluating every right-hand side expression  $e_i$ 

2 taking every possible instantiation of nondeterministic bit values

updating v accordingly

• Formally:

RVIT

- $v' := v[\llbracket x_i \rrbracket_v \mapsto c_i; 1 \le i \le n]$  with  $\mathbb{C} \cup \mathbb{B} \ni c_i \sqsubseteq \llbracket e_i \rrbracket_v$  for all  $1 \le i \le n$
- $\sqsubseteq \subseteq \mathbb{B}_* \times \mathbb{B}_*$  given by  $0 \sqsubseteq *$  and  $1 \sqsubseteq *$  (pointwise lifted to  $\mathbb{C}_*$  and V)

 $\Rightarrow \text{ Yields concrete transition system } T^c = (S, \bigcup_{g \in G} \stackrel{g}{\longrightarrow}, s_0)$ 

- v(DDRA) = 11111100, v(PORTA) = 00000000, v(PINA) = \* \* \* \* \* \* \*
- Execution of IN R1, A at address q:

 $q: R1 := (DDRA \land PORTA) \lor (\neg DDRA \land PINA) : q + 2$ 

### • Transitions from (q, v) to

- **①**  $(q+2, v[R1 \mapsto 0000000])$ **④**  $(q+2, v[R1 \mapsto 00000001])$
- **a**  $(q+2, v[R1 \mapsto 0000010])$
- $(q+2, v[R1 \mapsto 0000011])$



- v(DDRA) = 11111100, v(PORTA) = 00000000, v(PINA) = \* \* \* \* \* \* \*
- Execution of IN R1, A at address q:

 $q: \texttt{R1} := (\texttt{DDRA} \land \texttt{PORTA}) \lor (\neg \texttt{DDRA} \land \texttt{PINA}) : q + 2$ 





- v(DDRA) = 11111100, v(PORTA) = 00000000, v(PINA) = \* \* \* \* \* \* \*
- Execution of IN R1, A at address q:

 $q: R1 := (DDRA \land PORTA) \lor (\neg DDRA \land PINA) : q + 2$ 

### • Transitions from (q, v) to

**(**
$$q + 2, v[\text{R1} \mapsto 0000000]$$
)  
**(** $q + 2, v[\text{R1} \mapsto 00000001]$ )

$$(q+2, v[R1 \mapsto 0000010])$$



Replace nondeterministic by concrete values only if and when this is required by a subsequent computation step.



**Informally:** instantiation of v(a)[b] = \* in  $(q, v) \in S$  required when ex.  $g = q : e_0 \rightarrow x_1 :=$ 

 $e_1,\ldots,x_n:=e_n:q'$  s.t.

- (a,b) referred by  $e_0$ , or
- g enabled and some  $e_i$ refers to (a, b) in a deterministic argument, or
- some *x<sub>i</sub>* dereferences *a*, or
- some  $e_i$  yields \* and  $x_i$  deterministic

## **Formally:** g induces abstract transition $(q, v) \stackrel{g}{\Longrightarrow} (q', v')$ if ex. $v_1, v_2, v_3, v_4 \in V$ s.t.

- $v_1 \sqsubseteq v$  with  $v_1(a,b) \neq *$  if (a,b) referred by  $e_0$ , and
  - $[e_0]_{v_1} = 1, and$
  - $v_2 \subseteq v_1$  with  $v_2(a, b) \neq *$  if some  $e_i = op(y_1, \dots, y_n), op : T_1 \times \dots \times T_n \to T_0,$ and (a, b) referred by some  $y_j$  where  $T_j \in \{\mathbb{C}, \mathbb{B}\},$  and
  - $v_3 \sqsubseteq v_2$  with  $v_3(a, b) \neq *$  if some  $x_i = a \downarrow + d$ , and
  - $v_4 := v_3[[[x_i]]_{v_3} \mapsto [[e_i]]_{v_3}; 1 \le i \le n]$ , and •  $v' \le v_4$  with  $v'(a, b) \ne *$  if  $[[x_i]]_{v_i} \in \{a, (a, b)\}$  for some  $i, a \in D$



**Informally:** instantiation of v(a)[b] = \* in  $(q, v) \in S$  required when ex.  $g = q : e_0 \rightarrow x_1 :=$ 

 $e_1,\ldots,x_n:=e_n:q'$  s.t.

- (a,b) referred by  $e_0$ , or
- g enabled and some  $e_i$ refers to (a, b) in a deterministic argument, or
- some *x<sub>i</sub>* dereferences *a*, or
- some  $e_i$  yields \* and  $x_i$  deterministic

- **Formally:** g induces abstract transition  $(q, v) \stackrel{g}{\Longrightarrow} (q', v')$  if ex.  $v_1, v_2, v_3, v_4 \in V$  s.t.
  - $v_1 \sqsubseteq v$  with  $v_1(a,b) \neq *$  if (a,b) referred by  $e_0$ , and
    - $[e_0]_{v_1} = 1$ , and
    - ▶  $v_2 \sqsubseteq v_1$  with  $v_2(a, b) \neq *$  if some  $e_i = op(y_1, ..., y_n), op : T_1 \times ... \times T_n \rightarrow T_0,$ and (a, b) referred by some  $y_j$  where  $T_j \in \{\mathbb{C}, \mathbb{B}\},$  and
  - $v_3 \sqsubseteq v_2$  with  $v_3(a, b) \neq *$  if some  $x_i = a \downarrow + d$ , and
  - $v_4 := v_3[[[x_i]]_{v_3} \mapsto [[e_i]]_{v_3}; 1 \le i \le n]$ , and •  $v' \le v_4$  with  $v'(a, b) \ne *$  if  $[[x_i]]_{v_4} \in \{a, (a, b)\}$  for some  $i, a \in D$



**Informally:** instantiation of v(a)[b] = \* in  $(q, v) \in S$  required when ex.

 $g = q : e_0 \to x_1 :=$  $e_1, \dots, x_n := e_n : q' \text{ s.t.}$ 

- (a, b) referred by  $e_0$ , or
- *g* enabled and some *e<sub>i</sub>* refers to (*a*, *b*) in a deterministic argument, or
- some *x<sub>i</sub>* dereferences *a*, or
- some  $e_i$  yields \* and  $x_i$  deterministic

**Formally:** *g* induces abstract transition

$$(q,v) \stackrel{g}{\Longrightarrow} (q',v')$$
 if ex.  $v_1, v_2, v_3, v_4 \in V$  s.t.

- $v_1 \sqsubseteq v$  with  $v_1(a,b) \neq *$  if (a,b) referred by  $e_0$ , and
- **2**  $\llbracket e_0 \rrbracket_{v_1} = 1$ , and
- $v_2 \sqsubseteq v_1$  with  $v_2(a, b) \neq *$  if some  $e_i = op(y_1, \dots, y_n), op : T_1 \times \dots \times T_n \to T_0,$ and (a, b) referred by some  $y_j$  where  $T_j \in \{\mathbb{C}, \mathbb{B}\},$  and
- $v_3 \sqsubseteq v_2$  with  $v_3(a,b) \neq *$  if some  $x_i = a \downarrow + d$ , and
- $v_4 := v_3[[[x_i]]_{v_3} \mapsto [[e_i]]_{v_3}; 1 \le i \le n]$ , and •  $v' \le v_4$  with  $v'(a, b) \ne *$  if
  - $[x_i]_{v_4} \in \{a, (a, b)\}$  for some  $i, a \in D$



**Informally:** instantiation of v(a)[b] = \* in  $(q, v) \in S$  required when ex.

 $g = q : e_0 \to x_1 :=$  $e_1, \dots, x_n := e_n : q' \text{ s.t.}$ 

- (a, b) referred by  $e_0$ , or
- g enabled and some  $e_i$ refers to (a, b) in a deterministic argument, or
- some *x<sub>i</sub>* dereferences *a*, or
- some e<sub>i</sub> yields \* and x<sub>i</sub> deterministic

**Formally:** *g* induces abstract transition

$$(q,v) \stackrel{g}{\Longrightarrow} (q',v')$$
 if ex.  $v_1, v_2, v_3, v_4 \in V$  s.t.

- $v_1 \sqsubseteq v$  with  $v_1(a, b) \neq *$  if (a, b) referred by  $e_0$ , and
- **2**  $\llbracket e_0 \rrbracket_{v_1} = 1$ , and
- $v_2 \sqsubseteq v_1$  with  $v_2(a, b) \neq *$  if some  $e_i = op(y_1, ..., y_n), op : T_1 \times ... \times T_n \rightarrow T_0,$ and (a, b) referred by some  $y_j$  where  $T_j \in \{\mathbb{C}, \mathbb{B}\},$  and
- $v_3 \sqsubseteq v_2$  with  $v_3(a,b) \neq *$  if some  $x_i = a \downarrow + d$ , and
- **●**  $v_4 := v_3[[[x_i]]_{v_3} \mapsto [[e_i]]_{v_3}; 1 \le i \le n]$ , and
  - $v' ≤ v_4 \text{ with } v'(a, b) ≠ * \text{ if }$  $[[x_i]]_{v_4} ∈ \{a, (a, b)\} \text{ for some } i, a ∈ D$



**Informally:** instantiation of v(a)[b] = \* in  $(q, v) \in S$  required when ex.

 $g = q : e_0 \to x_1 :=$  $e_1, \dots, x_n := e_n : q' \text{ s.t.}$ 

- (a, b) referred by  $e_0$ , or
- g enabled and some  $e_i$ refers to (a, b) in a deterministic argument, or
- some *x<sub>i</sub>* dereferences *a*, or
- some  $e_i$  yields \* and  $x_i$  deterministic

**Formally:** *g* induces abstract transition

$$(q,v) \stackrel{g}{\Longrightarrow} (q',v')$$
 if ex.  $v_1, v_2, v_3, v_4 \in V$  s.t.

- $v_1 \sqsubseteq v$  with  $v_1(a, b) \neq *$  if (a, b) referred by  $e_0$ , and
- **2**  $\llbracket e_0 \rrbracket_{v_1} = 1$ , and
- $v_2 \sqsubseteq v_1$  with  $v_2(a, b) \neq *$  if some  $e_i = op(y_1, ..., y_n), op : T_1 \times ... \times T_n \rightarrow T_0,$ and (a, b) referred by some  $y_j$  where  $T_j \in \{\mathbb{C}, \mathbb{B}\},$  and
- $v_3 \sqsubseteq v_2$  with  $v_3(a,b) \neq *$  if some  $x_i = a \downarrow + d$ , and
- **5**  $v_4 := v_3[[x_i]]_{v_3} \mapsto [[e_i]]_{v_3}; 1 \le i \le n]$ , and
- $v' \le v_4$  with  $v'(a,b) \ne *$  if  $[x_i]_{v_4} \in \{a, (a, b)\}$  for some  $i, a \in D$



**Informally:** instantiation of v(a)[b] = \* in  $(q, v) \in S$  required when ex.

 $g = q : e_0 \to x_1 :=$  $e_1, \dots, x_n := e_n : q' \text{ s.t.}$ 

- (a, b) referred by  $e_0$ , or
- g enabled and some  $e_i$ refers to (a, b) in a deterministic argument, or
- some *x<sub>i</sub>* dereferences *a*, or
- some  $e_i$  yields \* and  $x_i$  deterministic

**Formally:** *g* induces abstract transition

$$(q,v) \stackrel{g}{\Longrightarrow} (q',v')$$
 if ex.  $v_1, v_2, v_3, v_4 \in V$  s.t.

- $v_1 \sqsubseteq v$  with  $v_1(a, b) \neq *$  if (a, b) referred by  $e_0$ , and
- **2**  $\llbracket e_0 \rrbracket_{v_1} = 1$ , and
- $v_2 \sqsubseteq v_1$  with  $v_2(a, b) \neq *$  if some  $e_i = op(y_1, ..., y_n), op : T_1 \times ... \times T_n \rightarrow T_0,$ and (a, b) referred by some  $y_j$  where  $T_j \in \{\mathbb{C}, \mathbb{B}\},$  and
- $v_3 \sqsubseteq v_2$  with  $v_3(a,b) \neq *$  if some  $x_i = a \downarrow + d$ , and
- $v_4 := v_3[[[x_i]]_{v_3} \mapsto [[e_i]]_{v_3}; 1 \le i \le n]$ , and •  $v' \le v_4$  with  $v'(a, b) \ne *$  if

• v(DDRA) = 11111100, v(PORTA) = 00000000, v(PINA) = \* \* \* \* \* \* \*

• Execution of IN R1, A at address q:

•  $q: R1 := (DDRA \land PORTA) \lor (\neg DDRA \land PINA) : q + 2$ • yields transition  $(q, y) \Longrightarrow (q + 2, y[R1 \mapsto 000000 * *])$ 

• Execution of SBRC R1, 0 at address q':

• 
$$q' : \operatorname{R1}[0] = 0 \rightarrow : q' + 3$$
  
 $q' : \operatorname{R1}[0] = 1 \rightarrow : q' + 2$ 

• yields  $(q', v') \Longrightarrow (q' + 3, v[\mathbb{R}1 \mapsto 000000 * 0])$ and  $(q', v') \Longrightarrow (q' + 2, v[\mathbb{R}1 \mapsto 000000 * 1])$ 



• v(DDRA) = 11111100, v(PORTA) = 00000000, v(PINA) = \* \* \* \* \* \* \*

• Execution of IN R1, A at address q:

- $q: R1 := (DDRA \land PORTA) \lor (\neg DDRA \land PINA) : q + 2$
- yields transition  $(q, v) \Longrightarrow (q+2, v[\mathbb{R}1 \mapsto 000000 * *])$

1,1

• Execution of SBRC R1, 0 at address q':

• 
$$q': \operatorname{R1}[0] = 0 \rightarrow : q' + 3$$

$$q': \operatorname{R1}[0] = 1 \rightarrow : q' + 2$$

- yields  $(q', v') \Longrightarrow (q' + 3, v[\mathbb{R}1 \mapsto 000000 * 0])$ 
  - and  $(q', v') \Longrightarrow (q' + 2, v[\text{R1} \mapsto 000000 * 1])$



• v(DDRA) = 11111100, v(PORTA) = 00000000, v(PINA) = \* \* \* \* \* \* \*

• Execution of IN R1, A at address q:

- $q: R1 := (DDRA \land PORTA) \lor (\neg DDRA \land PINA) : q + 2$
- yields transition  $(q, v) \Longrightarrow (q+2, v[\mathbb{R}1 \mapsto 000000 * *])$

• Execution of SBRC R1, 0 at address q':

• 
$$q' : \operatorname{R1}[0] = 0 \longrightarrow q' + 3$$
  
 $q' : \operatorname{R1}[0] = 1 \longrightarrow q' + 2$ 

• yields  $(q', v') \Longrightarrow (q' + 3, v[\mathbb{R}1 \mapsto 000000 * 0])$ and  $(q', v') \Longrightarrow (q' + 2, v[\mathbb{R}1 \mapsto 000000 * 1])$ 

## **Soundness of Abstraction I**

- Property specification given by temporal formula  $\varphi$  over set *P* of bit value expressions
- Defines labeling  $\lambda : S \to 2^P : (q, v) \mapsto \{p \in P \mid \llbracket p \rrbracket_v = 1\}$ 
  - concrete LTS:  $L^c = (S, \bigcup_{g \in G} \xrightarrow{g}, s_0, \lambda)$
  - abstract LTS:  $L^a = (S, \bigcup_{g \in G} \stackrel{g}{\Longrightarrow}, s_0, \lambda)$
  - note:  $\llbracket p \rrbracket_{v}$  always defined since  $Var(\varphi) \subseteq D$
- Connection between  $L^c$  and  $L^a$  given by simulation: a binary relation  $\rho \subseteq S \times S$  such that  $s_0 \rho s_0$  and, whenever  $s_1$ 
  - $\lambda(s_1) = \lambda(s_2)$  and
  - for every transition s<sub>1</sub> → s'<sub>1</sub> there exists s'<sub>2</sub> ∈ S such that s<sub>2</sub> ⇒ s' and s' os'



## **Soundness of Abstraction I**

- Property specification given by temporal formula  $\varphi$  over set *P* of bit value expressions
- Defines labeling  $\lambda : S \to 2^P : (q, v) \mapsto \{p \in P \mid \llbracket p \rrbracket_v = 1\}$ 
  - concrete LTS:  $L^c = (S, \bigcup_{g \in G} \xrightarrow{g}, s_0, \lambda)$
  - abstract LTS:  $L^a = (S, \bigcup_{g \in G} \stackrel{g}{\Longrightarrow}, s_0, \lambda)$
  - note:  $\llbracket p \rrbracket_{\nu}$  always defined since  $Var(\varphi) \subseteq D$
- Connection between  $L^c$  and  $L^a$  given by simulation: a binary relation  $\rho \subseteq S \times S$  such that  $s_0\rho s_0$  and, whenever  $s_1\rho s_2$ ,
  - $\lambda(s_1) = \lambda(s_2)$  and
  - for every transition  $s_1 \xrightarrow{g} s'_1$ there exists  $s'_2 \in S$ such that  $s_2 \xrightarrow{g} s'_2$  and  $s'_1 \rho s'_2$



# **Soundness of Abstraction II**

### Theorem

 $L^a$  simulates  $L^c$ .

#### Proof.

Simulation relation given by partial order on bit values:  $(q_1, v_1)\rho(q_2, v_2)$  iff  $q_1 = q_2$  and  $v_1 \sqsubseteq v_2$ 

#### Corollary

Delayed nondeterminism is sound w.r.t. "path-universal" temporal logics such as LTL or ACTL:

 $L^a \models \varphi$  implies  $L^c \models \varphi$ 

(i.e., no false positives)



## **Soundness of Abstraction II**

### Theorem

 $L^a$  simulates  $L^c$ .

### Proof.

Simulation relation given by partial order on bit values:  $(q_1, v_1)\rho(q_2, v_2)$  iff  $q_1 = q_2$  and  $v_1 \sqsubseteq v_2$ 

#### Corollary

Delayed nondeterminism is sound w.r.t. "path-universal" temporal logics such as LTL or ACTL:

 $L^a \models \varphi$  implies  $L^c \models \varphi$ 

(i.e., no false positives)



## **Soundness of Abstraction II**

### Theorem

 $L^a$  simulates  $L^c$ .

### Proof.

Simulation relation given by partial order on bit values:  $(q_1, v_1)\rho(q_2, v_2)$  iff  $q_1 = q_2$  and  $v_1 \sqsubseteq v_2$ 

### Corollary

Delayed nondeterminism is sound w.r.t. "path-universal" temporal logics such as LTL or ACTL:

$$L^a \models \varphi$$
 implies  $L^c \models \varphi$ 

(i.e., no false positives)



| Program       | Instantiation | # states stored | # states created | Size [MB] | Time [s] | Reduction |
|---------------|---------------|-----------------|------------------|-----------|----------|-----------|
| light switch  | immediate     | 6,624           | 9,050            | 2         | 0.2      | -         |
|               | delayed       | 352             | 380              | < 1       | 0.01     | 95%       |
| plant         | immediate     | 801,616         | 854,203          | 256       | 23.19    | -         |
|               | delayed       | 188,404         | 195,955          | 61        | 5.05     | 76%       |
| reentrance    | immediate     | 107,649         | 110,961          | 33        | 2.8      | -         |
| problem       | delayed       | 107,649         | 110,961          | 33        | 2.8      | 0%        |
| traffic light | immediate     | 35,613          | 38,198           | 11        | 0.92     | -         |
|               | delayed       | 10,004          | 10,520           | 3         | 0.28     | 72%       |
| window lift   | immediate     | 10,100,400      | 11,196,174       | 2,049     | 416.98   | -         |
|               | delayed       | 323,450         | 444,191          | 102       | 10.78    | 97%       |

- Delayed Nondeterminism: abstraction technique for explicit-state model checking of microcontroller code (similar to "X-valued simulation" in hardware verification)
- Significant reduction of state space in concrete examples
- Over-approximation:
  - sound for path-universal logics (simulation)
  - generally incomplete (false negatives due to copying of nondeterminism)
- Future work:
  - handle more microcontrollers (Infineon Tricore, Intel MC, ...)
  - establish bisimulation by introducing identities for nondeterministic values
  - implement compiler generator for state-space evaluators



- Delayed Nondeterminism: abstraction technique for explicit-state model checking of microcontroller code (similar to "X-valued simulation" in hardware verification)
- Significant reduction of state space in concrete examples
- Over-approximation:
  - sound for path-universal logics (simulation)
  - generally incomplete (false negatives due to copying of nondeterminism)
- Future work:
  - handle more microcontrollers (Infineon Tricore, Intel MC, ...)
  - establish bisimulation by introducing identities for nondeterministic values
  - implement compiler generator for state-space evaluators



- Delayed Nondeterminism: abstraction technique for explicit-state model checking of microcontroller code (similar to "X-valued simulation" in hardware verification)
- Significant reduction of state space in concrete examples
- Over-approximation:
  - sound for path-universal logics (simulation)
  - generally incomplete (false negatives due to copying of nondeterminism)
- Future work:
  - handle more microcontrollers (Infineon Tricore, Intel MC, ...)
  - establish bisimulation by introducing identities for nondeterministic values
  - implement compiler generator for state-space evaluators



- Delayed Nondeterminism: abstraction technique for explicit-state model checking of microcontroller code (similar to "X-valued simulation" in hardware verification)
- Significant reduction of state space in concrete examples
- Over-approximation:
  - sound for path-universal logics (simulation)
  - generally incomplete (false negatives due to copying of nondeterminism)
- Future work:
  - handle more microcontrollers (Infineon Tricore, Intel MC, ...)
  - establish bisimulation by introducing identities for nondeterministic values
  - implement compiler generator for state-space evaluators







|       |                                                                                          | $:=*:q_2$               |
|-------|------------------------------------------------------------------------------------------|-------------------------|
|       | $\begin{array}{c} q_2\colon a[1] \ q_3\colon a[0]\wedge  eg a[1]  ightarrow \end{array}$ | $ :=a[0]:q_3$<br>$:q_4$ |
|       | Immediate                                                                                | Delayed                 |
| $q_1$ | •                                                                                        | •                       |
|       |                                                                                          |                         |
|       |                                                                                          |                         |
|       |                                                                                          |                         |



| Example          |                                                                 |                                            |   |
|------------------|-----------------------------------------------------------------|--------------------------------------------|---|
|                  | $q_1$ :                                                         | $a[0] := * : q_2$                          |   |
|                  | $\begin{array}{c} q_2: \ q_3: a[0] \wedge  eg a[1] \end{array}$ | $a[1] := a[0]: q_3$<br>$\rightarrow : q_4$ |   |
|                  | Immediate                                                       | -                                          |   |
| $\overline{q_1}$ | •                                                               | Delayed                                    |   |
| -                |                                                                 |                                            |   |
| $q_2$            | $a[0] = 0 \qquad a[0]$                                          | a[0] = 1 $a[0] = *$                        |   |
|                  |                                                                 |                                            |   |
|                  |                                                                 |                                            |   |
|                  |                                                                 |                                            |   |
|                  | legatives possible                                              |                                            | _ |



## Observation: over-approximation due to copying of nondeterminism

| Example          |                                                            |                    |
|------------------|------------------------------------------------------------|--------------------|
|                  | $q_1$ : $a[0] :=$                                          | * : q <sub>2</sub> |
|                  |                                                            | $= a[0]: q_3$      |
|                  | $q_3$ : $a[0] \land \neg a[1] \rightarrow$                 | $: q_4$            |
|                  | Immediate                                                  | Delayed            |
| $\overline{q_1}$ | •                                                          | •                  |
|                  |                                                            | _ ↓                |
| $q_2$            | $a[0] = 0 \qquad \qquad a[0] = 1 \qquad \qquad \downarrow$ | a[0] = *           |
| $q_3$            | a[0] = a[1] = 0 $a[0] = a[1] = 1$                          | a[0] = a[1] = *    |
|                  |                                                            |                    |

⇒ false negatives possible



| Example |                 |                               |                             |  |
|---------|-----------------|-------------------------------|-----------------------------|--|
|         | $q_1$ :         |                               | * : q <sub>2</sub>          |  |
|         | $q_2$ :         |                               | $= a[0]: q_3$               |  |
|         | $q_3: a[0]$ /   | $\land \neg a[1] \rightarrow$ | $:q_4$                      |  |
|         | Imme            | ediate                        | Delayed                     |  |
| $q_1$   | •               | •                             | •                           |  |
|         | 1               | $\searrow$                    | $\downarrow$                |  |
| $q_2$   | a[0] = 0        | a[0] = 1                      | a[0] = *                    |  |
|         | $\downarrow$    | $\downarrow$                  | $\downarrow$                |  |
| $q_3$   | a[0] = a[1] = 0 | a[0] = a[1] = 1               | a[0] = a[1] = *             |  |
|         | X               | X                             | $\downarrow$                |  |
| $q_4$   |                 |                               | $a[0] = 1, a[1] = 0 \notin$ |  |
|         |                 |                               |                             |  |



## Observation: over-approximation due to copying of nondeterminism

| Example          |                                   |                                                                                             |
|------------------|-----------------------------------|---------------------------------------------------------------------------------------------|
|                  | $q_1$ :                           | $a[0] := * : q_2$                                                                           |
|                  | -                                 | $a[1] := a[0]: q_3$                                                                         |
|                  | $q_3$ : $a[0] \wedge \neg a[1] -$ | $\rightarrow$ : $q_4$                                                                       |
|                  | Immediate                         | Delayed                                                                                     |
| $\overline{q_1}$ | •                                 | •                                                                                           |
|                  | $\checkmark$                      | $\downarrow$                                                                                |
| $q_2$            | $a[0] = 0 \qquad a[0]$            | $= 1 \qquad a[0] = * \downarrow$                                                            |
|                  | $\downarrow$ $\downarrow$         | $\downarrow$                                                                                |
| $q_3$            | a[0] = a[1] = 0 $a[0] = a$        | $\begin{bmatrix} 1 \end{bmatrix} = 1 \qquad a[0] = \overset{+}{a}[1] = * \qquad \downarrow$ |
|                  | X A                               | ∠ ↓                                                                                         |
| $q_4$            |                                   | $a[0] = 1, a[1] = 0 \not\geq$                                                               |
| 1                |                                   |                                                                                             |

 $\implies$  false negatives possible

