1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke Appeared at Design Automation Conference (DAC) 2005


1

Predicate Abstraction and Refinement for Verifying Hardware Designs

Himanshu Jain

Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke

Appeared at Design Automation Conference (DAC) 2005

2

Outline

• Introduction

• Predicate Abstraction

• Abstraction and Refinement loop

• Experimental results

• Conclusion

3

Introduction

• Computer system design
  – Hardware: Verilog, VHDL, …

• Specification
  – circuit computes floating point division
  – program sorts an input array

4

Does my program work correctly?

• Testing

• Bugs in design
  – Ariane 5 explosion, cost $500M
  – Pentium floating point division bug, cost $400M

5

Formal Verification

• Act of proving or disproving the correctness of a system with respect to a specification

• Techniques
  – Theorem proving
  – Model Checking

6

An example

• Circuit for multiplication of two 32-bit numbers

[Figure: MULTIPLIER block with 32-bit inputs A and B and 64-bit output O]

State = (A, B, O)
State space = {(A, B, O)}
Size of state space = (2^32 × 2^32) × 2^64 = 2^128

7

Model Checking

• Performing exhaustive search of the state space of the design

[Figure: MULTIPLIER block with 32-bit inputs A and B and 64-bit output O]

For all A, B: (O == A × B)

8

Model checker

[Figure: the model checker takes two inputs, the model (the MULTIPLIER block with 32-bit inputs A and B and 64-bit output O) and the specification (O == A × B), and reports one of two outcomes: "Property holds" or "Bug found"]

9

Features of Model Checking

• No manual proofs

• Fast (compared to other rigorous methods such as theorem proving)

• Diagnostic counterexamples
  – Multiplier example: [A = 101, B = 2, O = 200] (101 × 2 = 202, so the circuit produced a wrong output)

10

Main Challenge

State Space Explosion Problem:

• Large state space

Much progress has been made on this problem!

• Abstraction – only focus on details needed to prove or disprove a given property

11

This talk is about model checking of hardware designs with the help of automated abstraction

12

Hardware design

[Figure: ladder of description levels, from Gate level (netlists) through Register Level, …, System and Behavioral; ease of design increases towards the behavioral level, while formal verification support is concentrated at the gate level]

Gate Level (netlist):

  .model counter_cell
  .inputs carry_in
  .outputs carry_out
  .names value carry_in _n2
  .def 0
  1 1 1
  .names _n2 carry_out$raw_n1
  - =_n2
  .names value$raw_n3
  0
  .names _n6
  0
  .names value _n6 _n7
  .def 0
  0 1 1
  1 0 1
  .r value$raw_n3 value
  0 0
  1 1
  ….. (120 lines)

Register Level Verilog:

  module counter_cell(clk, carry_in, carry_out);
    input clk;
    input carry_in;
    output carry_out;
    reg value;
    assign carry_out = value & carry_in;
    initial value = 0;

    always @(posedge clk) begin
      // value = (value + carry_in) % 2;
      case (value)
        0: value = carry_in;
        1: if (carry_in == 0) value = 1; else value = 0;
      endcase
    end
  endmodule

13

Lack of verification support

[Figure: the same ladder of levels (Gate level (netlists), Register Level, …, System, Behavioral); the levels above the netlist lack verification support]

Need techniques from software verification

Need automatic and scalable techniques

14

Software verification

• Predicate Abstraction
  – Developed by Graf and Saidi, 1997

• Verification of C programs (2000 onwards)
  – SLAM, Microsoft Research
  – MAGIC, CMU
  – BLAST, UC Berkeley
  – F-Soft, NEC Labs

15

Our contribution

[Figure: the ladder of levels (Gate level (netlists), Register Level, …, System, Behavioral), with predicate abstraction marked as our contribution at the register level]

16

Outline

• Introduction

• Predicate Abstraction

• Abstraction and Refinement loop

• Experimental results

• Conclusion

17

Abstraction

Concrete program P:

  void main() {
    int i;
    i = 0;
    while (even(i)) { i++; }
    if (i == 0) ERROR:;
  }

After the loop, odd(i) holds (assert(odd(i))), so ERROR is unreachable.

Abstract program P’ (every assignment to i is replaced by a nondeterministic value, written *):

  void main() {
    int i;
    i = *;
    while (even(i)) { i = *; }
    if (i == 0) ERROR:;
  }

After the loop, assert(odd(i)) still holds, because the loop only exits when even(i) is false, so ERROR is unreachable in P’ as well.

Throw away irrelevant details

P’ is a safe abstraction of P

18

Safe Abstraction

• Let P’ be a safe abstraction of P

• If P’ satisfies a (safety) property, then P satisfies it too (the converse need not hold: P’ may violate a property that P satisfies)

• P’ can be much easier to verify than P

19

An example

Verilog program:

  module main(clk);
    input clk;
    reg [2:0] x, y;

    initial begin x = 1; y = 2; end

    always @(posedge clk) begin
      x <= y;
      y <= x;
    end
  endmodule

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

(The non-blocking assignments both read the old values of x and y, so each clock edge swaps the two registers; that is why the transition relation is a simultaneous assignment.)

20

An example

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Property:

  assert (x == 1 ∨ x == 2)

[Figure: state space with State = (x, y), 64 states from (0,0), (0,1), … to (7,6), (7,7). From the initial state only (1,2) and (2,1) are reachable, and the design alternates between them.]

21

Predicate Abstraction

• Given a program and a set of predicates

• Abstracts data by keeping track of certain predicates

• Predicate abstraction is a safe abstraction

22

Predicate Abstraction

Property:

  assert (x == 1 ∨ x == 2)

Initial set of predicates:

  {x == 1, x == 2}

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

23

Computing Predicate Abstraction

Predicates {x == 1, x == 2} + transition relation x’ := y; y’ := x

Abstract states are valuations of (x == 1, x == 2): (1,0), (0,0), (0,1), (1,1).

Is there an abstract transition (1,0) → (0,0)? Check whether

  (x == 1) ∧ ¬(x == 2) ∧ x’ = y ∧ y’ = x ∧ ¬(x’ == 1) ∧ ¬(x’ == 2)

is satisfiable: SATISFIABLE. Plug in x = 1, y = 3, x’ = 3, y’ = 1. So the edge (1,0) → (0,0) is in the abstract model.

24

Computing Predicate Abstraction

Predicates {x == 1, x == 2} + transition relation x’ := y; y’ := x

Is there an abstract transition (1,0) → (0,1)? Check whether

  (x == 1) ∧ ¬(x == 2) ∧ x’ = y ∧ y’ = x ∧ ¬(x’ == 1) ∧ (x’ == 2)

is satisfiable: SATISFIABLE. Plug in x = 1, y = 2, x’ = 2, y’ = 1. So the edge (1,0) → (0,1) is in the abstract model.

25

Computing Predicate Abstraction

Predicates {x == 1, x == 2} + transition relation x’ := y; y’ := x

Repeating the satisfiability check for every pair of abstract states gives the complete abstract transition relation over the four abstract states (1,0), (0,0), (0,1), (1,1). The state (1,1) has no concrete counterpart, since x cannot equal both 1 and 2.

26

Abstract Model

Hardware design:

  registers x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Property: assert (x == 1 or x == 2)

Initial set of predicates: {x == 1, x == 2}

[Figure: abstract model over the states (1,0), (0,0), (0,1), (1,1), each a valuation of (x == 1, x == 2). Initial state: (1,0). Failure state: (0,0), where x is neither 1 nor 2.]

27

Model checking

[Figure: the abstract model with states (1,0), (0,0), (0,1), (1,1); the initial state (1,0) and the failure state (0,0) are marked]

28

Model checking

[Figure: the abstract model with states (1,0), (0,0), (0,1), (1,1); the model checker finds a path from the initial state (1,0) to the failure state (0,0)]

Counterexample: (1,0) → (0,0)

We need to check if this is a real bug in our hardware design

29

Outline

• Introduction

• Predicate Abstraction

• Abstraction and Refinement loop

• Experimental results

• Conclusion

30

Abstraction-Refinement loop

[Figure: Verilog program → Predicate abstraction → Safe abstract model → Model checker. The model checker either completes the verification or produces a counterexample; the counterexample goes to the Simulator, which reports either "Bug found" or "Spurious counterexample".]

31

Simulation

Counterexample in abstract model: initial state (1,0) → failure state (0,0)

Predicates := {x == 1, x == 2}

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Simulation equation: initial values ∧ predicate values in the first state ∧ transition relation ∧ predicate values in the second state:

  x = 1 ∧ y = 2 ∧ (x == 1) ∧ ¬(x == 2) ∧ x’ = y ∧ y’ = x ∧ ¬(x’ == 1) ∧ ¬(x’ == 2)

This is unsatisfiable (x’ = y = 2 contradicts ¬(x’ == 2)), so the counterexample is spurious.

32

Abstraction-Refinement loop

[Figure: Verilog program → Predicate abstraction → Safe abstract model → Model checker → (verification done | Counterexample) → Simulator → (Bug found | Spurious counterexample). A spurious counterexample now goes to Refinement, which gets new predicates and feeds them back into Predicate abstraction.]

33

Recall

Abstract counterexample: initial state (1,0) → failure state (0,0)

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Predicates := {x == 1, x == 2}

  (x == 1) ∧ ¬(x == 2)
  ¬(x’ == 1) ∧ ¬(x’ == 2)

Value of x’ == 2 not being tracked precisely

34

Refinement

• Find out predicates whose values are not tracked precisely in the abstract model
  – Example: x’ == 2

• Track values of these predicates precisely

35

Weakest pre-condition

• { ? } x := y + 1 { x == 9 }

• { (y + 1) == 9 } x := y + 1 { x == 9 }

• { φ[x ← e] } x := e { φ }
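The substitution rule on this slide carried through in code. This is an added example, not code from the paper or from the VCEGAR tool: predicates and assignment right-hand sides are Python expression strings over the register names, wp is computed by syntactic substitution on the expression AST, and check_triple confirms the result exhaustively over 3-bit registers. All right-hand sides are read in the pre-state (Verilog non-blocking semantics), which is what makes the x’ := y; y’ := x transition of the running example a simultaneous substitution.

```python
"""Weakest precondition of a predicate through a (parallel) assignment,
computed by the substitution rule {phi[x <- e]} x := e {phi}.
Added example; not code from the paper or from VCEGAR."""
import ast
from itertools import product


class _Subst(ast.NodeTransformer):
    """Replace every read of a substituted variable by the expression AST
    assigned to it.  Replacement nodes are not re-visited, so all
    substitutions happen simultaneously (needed for x' := y; y' := x)."""

    def __init__(self, mapping):
        self.mapping = mapping

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load) and node.id in self.mapping:
            return self.mapping[node.id]
        return node


def wp(post, assignments):
    """post: predicate over the post-state, e.g. "x == 2".
    assignments: {target: rhs}, every rhs evaluated in the pre-state.
    Returns the source text of phi[x <- e]."""
    mapping = {v: ast.parse(e, mode="eval").body for v, e in assignments.items()}
    tree = ast.parse(post, mode="eval")
    tree = ast.fix_missing_locations(_Subst(mapping).visit(tree))
    return ast.unparse(tree)


def evaluate(expr, state):
    """Evaluate an expression string in a concrete state (dict reg -> int).
    Toy expressions only: builtins are disabled, values are unbounded ints
    (write "(y + 1) % 8" yourself if you want 3-bit wrap-around)."""
    code = compile(ast.parse(expr, mode="eval"), "<expr>", "eval")
    return eval(code, {"__builtins__": {}}, dict(state))


def apply_assignments(assignments, state):
    """One step of the transition: every rhs reads the pre-state."""
    new = dict(state)
    for v, e in assignments.items():
        new[v] = evaluate(e, state)
    return new


def check_triple(post, assignments, width=3):
    """Exhaustively confirm, for all width-bit register values, that
    wp(post) holds before the assignment iff post holds after it."""
    pre = wp(post, assignments)
    regs = set(assignments)
    for expr in [post, *assignments.values()]:
        for node in ast.walk(ast.parse(expr, mode="eval")):
            if isinstance(node, ast.Name):
                regs.add(node.id)
    regs = sorted(regs)
    for values in product(range(1 << width), repeat=len(regs)):
        s = dict(zip(regs, values))
        before = bool(evaluate(pre, s))
        after = bool(evaluate(post, apply_assignments(assignments, s)))
        if before != after:
            return False
    return True


if __name__ == "__main__":
    print(wp("x == 9", {"x": "y + 1"}))          # the slide's first example
    print(wp("x == 2", {"x": "y", "y": "x"}))    # the new predicate of the next slide
    print(check_triple("x == 2", {"x": "y", "y": "x"}))
```

The check is the point of the block: for a deterministic assignment the substitution gives not just a sufficient precondition but the weakest one, so the test asserts an "iff" over every concrete state rather than an implication.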

36

Refinement

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Predicate whose value needs to be tracked precisely: (x’ == 2)

Weakest precondition of (x’ == 2) with respect to x’ := y: (y == 2)

New predicate: y == 2

37

Abstraction-Refinement loop

[Figure: Verilog program → Predicate abstraction → Safe abstract model → Model checker → (verification done | Counterexample) → Simulator → (Bug found | Spurious counterexample) → Refinement (get new predicates) → Predicate abstraction.]

Predicates: {x == 1, x == 2, y == 2}

38

Abstraction-Refinement loop

[Figure: Verilog program → Predicate abstraction → Safe abstract model → Model checker → (verification done | Counterexample) → Simulator → (Bug found | Spurious counterexample) → Refinement (get new predicates) → Predicate abstraction.]

Predicates: {x == 1, x == 2, y == 2, y == 1}

39

Abstract again

New abstraction with predicates {x == 1, x == 2, y == 1, y == 2}

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Property: assert (x == 1 ∨ x == 2)

[Figure: abstract states are valuations of (x == 1, x == 2, y == 1, y == 2), 16 states in all, from (0,0,0,0), (0,0,0,1), … to (1,1,1,1). Initial state (1,0,0,1); its successor is (0,1,1,0).]

Next step: model check!

40

Abstract again

New abstraction with predicates {x == 1, x == 2, y == 1, y == 2}

Hardware design:

  registers [2:0] x, y;
  initial x = 1, y = 2;
  Transition relation: x’ := y; y’ := x;

Property: assert (x == 1 ∨ x == 2)

[Figure: the abstract model with initial state (1,0,0,1) and successor (0,1,1,0); no failure state is reachable]

Property holds in abstract model!

Property holds! (in the hardware design, since the abstraction is safe)

41

Overall verification flow

[Figure: Verilog program → Predicate abstraction → Safe abstract model → Model checker. The model checker reports "Property holds" or produces a Counterexample; the counterexample goes to the Simulator, which reports "Bug found" or "Spurious counterexample"; a spurious counterexample goes to Refinement (get new predicates) and back into Predicate abstraction.]
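The loop of slides 23 through 40 run end to end on the swap design, as an added example that is not the paper's or VCEGAR's code. It computes the abstraction by enumerating the 64 concrete states instead of issuing one SAT query per abstract transition (the same existential abstraction, computed differently), replays each abstract counterexample on the concrete design instead of solving the simulation equation of slide 55, and refines with the weakest precondition of the first predicate whose value was not tracked precisely. Predicates are kept as Python functions, so the refined predicate shows up as wp(x==2) rather than as the symbolic y == 2 of slide 36. It goes slightly beyond the slides by taking the design and initial state as parameters, so a constructed variant with initial x = 1, y = 3 can exercise the "Bug found" exit as well.

```python
"""Predicate abstraction + counterexample-guided refinement (CEGAR) on the
3-bit swap design from the slides.  Added example; not VCEGAR's code.
Abstraction is computed by enumerating the 64 concrete states rather than by
one SAT query per abstract transition."""
from collections import deque
from itertools import product

WIDTH = 3                       # reg [2:0] x, y
VALS = range(1 << WIDTH)

def swap_step(state):
    """Transition relation of the slides: x' := y; y' := x."""
    x, y = state
    return (y, x)

def prop_x_is_1_or_2(state):
    """Property of the slides: assert(x == 1 or x == 2)."""
    return state[0] in (1, 2)

# Initial predicates of slide 22, as (name, boolean function of a concrete state).
SLIDE_PREDS = [("x==1", lambda s: s[0] == 1), ("x==2", lambda s: s[0] == 2)]

def abstract(state, preds):
    """Abstract state = vector of predicate truth values, e.g. (1, 0)."""
    return tuple(int(p(state)) for _, p in preds)

def build_abstract_model(init_state, step, prop, preds):
    """Existential abstraction: (a, b) is an abstract edge iff some concrete
    state in a steps to a concrete state in b.  The slides decide this per
    pair with SAT; enumerating all concrete states gives the same relation."""
    init = abstract(init_state, preds)
    succ, failing = {}, set()
    for s in product(VALS, repeat=2):
        a = abstract(s, preds)
        succ.setdefault(a, set()).add(abstract(step(s), preds))
        if not prop(s):
            failing.add(a)      # abstract failure state: a concrete violator maps here
    return init, succ, failing

def find_counterexample(init, succ, failing):
    """Model check by BFS: shortest abstract path from init to a failure
    state, or None when the property holds in the abstract model."""
    parent, queue = {init: None}, deque([init])
    while queue:
        a = queue.popleft()
        if a in failing:
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        for b in sorted(succ.get(a, ())):
            if b not in parent:
                parent[b] = a
                queue.append(b)
    return None

def simulate(init_state, step, preds, abs_path):
    """Replay the abstract path on the concrete (deterministic) design.
    Returns (concrete trace, index of the first predicate whose abstract value
    is not tracked precisely); the index is None if the path is feasible."""
    trace = [init_state]
    for _ in abs_path[1:]:
        trace.append(step(trace[-1]))
    for s, a in zip(trace, abs_path):
        concrete = abstract(s, preds)
        if concrete != a:
            return trace, next(i for i in range(len(a)) if concrete[i] != a[i])
    return trace, None

def weakest_precondition(pred, step):
    """wp of a predicate through the transition: holds in s iff the predicate
    holds in step(s).  For x' := y this is the y == 2 of slide 36."""
    name, fn = pred
    return ("wp(" + name + ")", lambda s: fn(step(s)))

def cegar(init_state, step, prop, init_preds, max_iters=20):
    """Returns ("holds", final predicates, iterations) or
    ("bug", concrete counterexample trace, iterations)."""
    preds = list(init_preds)
    for it in range(1, max_iters + 1):
        init, succ, failing = build_abstract_model(init_state, step, prop, preds)
        cex = find_counterexample(init, succ, failing)
        if cex is None:
            return ("holds", preds, it)
        trace, bad = simulate(init_state, step, preds, cex)
        if bad is None:
            if not prop(trace[-1]):
                return ("bug", trace, it)        # real counterexample
            new = ("prop", prop)                 # feasible path, property itself untracked
        else:
            new = weakest_precondition(preds[bad], step)
        if new[0] in {n for n, _ in preds}:
            raise RuntimeError("refinement added no new predicate")
        preds.append(new)
    raise RuntimeError("iteration budget exhausted")

if __name__ == "__main__":
    verdict, info, n = cegar((1, 2), swap_step, prop_x_is_1_or_2, SLIDE_PREDS)
    print(verdict, [name for name, _ in info], "after", n, "iterations")
    verdict, info, n = cegar((1, 3), swap_step, prop_x_is_1_or_2, SLIDE_PREDS)  # constructed buggy variant
    print(verdict, info, "after", n, "iterations")
```

On the slides' design the loop takes three abstractions: two predicates give the spurious (1,0) → (0,0), adding wp(x==2) gives a spurious three-state path that needs wp(x==1), and with four predicates the abstract model has no reachable failure state. The deterministic replay in simulate is what the simulation equation of slide 55 computes for a design with no free inputs; with inputs the replay would have to become a satisfiability check, as in the paper.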

42

Outline

• Introduction

• Predicate Abstraction

• Abstraction and Refinement loop

• Experimental results

• Conclusion

43

Implementation

• These techniques have been implemented in the VCEGAR tool

• Inputs to the tool
  – Register Level Verilog description
  – Safety property (like an assert statement)

• Output
  – Property holds
  – Counterexample (real bug in design)

44

Experimental results

  Benchmark    #States    VCEGAR time   #Preds/#Iter   Cadence SMV (previous work)
  ICRAM2KB     2^16427    450.7s        3/8            25s
  ICRAM4KB     2^32796    843.3s        3/8            too many state elements
  ARITH200     2^402      9.6s          3/3            2147s
  ARITH500     2^1002     32.2s         3/3            timeout
  ARITH1000    2^2002     122.6s        3/3            timeout

45

Experimental results (VIS benchmarks)

  Benchmark          #States   VCEGAR time   #Predicates   #Iterations
  cache coherence    2^43      49s           25            9
  mpeg decoder 1     2^567     29s           9             3
  usb_phy            2^50      104s          47            22
  ethernet           2^91      15s           30            15
  SDLX               2^41      139s          43            30
  ITC99_b12          2^125     188s          32            23

46

Outline

• Introduction

• Predicate Abstraction

• Abstraction and Refinement loop

• Experimental results

• Conclusion

47

Conclusion

• Abstraction is key to make verification scale
  – Throw away irrelevant details

• Predicate abstraction
  – Eliminates data
  – Keeps track of certain predicates

• Abstraction and refinement loop
  – Automatically refine the abstraction when necessary

48

Conclusion: our contribution

[Figure: the ladder of levels (Gate level (netlists), Register Level, …, System, Behavioral); our contribution is predicate abstraction and refinement for hardware design, applied to register-level designs rather than to gate-level netlists]

49

Future work

• Finding right predicates

• Efficient predicate abstraction computation

• Asynchronous hardware designs

50

Questions?

51

Example for Predicate Abstraction

C program:

  void main() {
    int i;
    i = 0;
    while (even(i)) { i++; }
    if (i == 0) ERROR:;
  }

The property at the if is assert(i != 0).

Predicates:

  p1 ⇔ i == 0
  p2 ⇔ even(i)

C program + predicates = abstract model (a boolean program):

  void main() {
    bool p1, p2;
    p1 = TRUE; p2 = TRUE;
    while (p2) {
      p2 = !p2;
      if (p1) { p1 = false; } else { p1 = *; }
    }
  }

The property becomes assert(!p1).

52

Challenges

• How to get the right set of predicates automatically

• How to compute the predicate abstraction

53

Making it work in practice

• Computation of predicate abstraction
  – Handling of a large number of predicates

With 50 predicates (50 current-state plus 50 next-state copies) there can be 2^100 predicate relationships!!

54

Predicate Partitioning

Current state predicates:        Transition relation:    Next state predicates:
  p1 := x = 100   p2 := x = 200    x’ := y                 p’1 := x’ = 100   p’2 := x’ = 200
  p3 := y = 100   p4 := y = 200    y’ := x                 p’3 := y’ = 100   p’4 := y’ = 200

Partition:

  Cluster 1:  p1 := x = 100, p2 := x = 200  +  y’ := x  +  p’3 := y’ = 100, p’4 := y’ = 200
  ∧
  Cluster 2:  p3 := y = 100, p4 := y = 200  +  x’ := y  +  p’1 := x’ = 100, p’2 := x’ = 200

Each cluster only relates the predicates that its part of the transition relation can affect, so the abstraction is computed per cluster and the results are conjoined.

55

Simulation of the counterexample

• Counterexample in the abstract model
  – ⟨1, 0⟩ → ⟨0, 0⟩ (length = 1)
  – Each state is a valuation of ⟨x = 100, x = 200⟩

Simulation equation:

  (initial values of the registers)
  ∧ (predicate values in the first state of the counterexample)
  ∧ (transition relation)
  ∧ (predicate values in the second state of the counterexample)

The equation is unsatisfiable, so the counterexample is spurious.