Automatic Abstraction Refinement for GSTE
Yan Chen, Yujing He, and Fei Xie
Portland State University
Jin Yang
Intel
Nov 13, 2007
Our Contributions
- AutoGSTE – an automatic approach to abstraction refinement for GSTE
- Quickly converges to good abstractions that enable verifications that were not possible before
- Allows assertion graphs to stay high-level without adapting too much to the circuit implementation
Outline
- Overview of (G)STE
- Quaternary Abstraction and its Imprecision
- Our Solution – AutoGSTE
  - Counterexample-guided abstraction refinement
  - Model refinement and specification refinement
- Experiments
- Conclusion & Future Work
Symbolic Trajectory Evaluation [Bryant & Seger]
- Scalability: model checking complexity largely depends on the complexity of the assertion rather than the circuit
- Pros: highly efficient
- Cons: false negatives due to insufficient input constraints
  - R. Tzoref, O. Grumberg, Automatic refinement and vacuity detection for STE, CAV'06
  - J. Roorda, K. Claessen, SAT-based assistance to abstraction refinement for STE, CAV'06
- Only properties over finite time – GSTE
Generalized STE [Yang & Seger]
- ω-regular properties represented by assertion graphs
- G = { (V, v0, E, ant, cons) }
- Non-deterministic execution
- Fixed-point computation
[Figure: example assertion graph with vertices V0–V5 (Start at V0) and edges labelled a0/c0 … a8/c8, i.e. antecedent/consequent pairs]
GSTE Algorithm

Algorithm: GSTE(G, post)
  (* initialize symbolic simulation *)
  for each edge e in G
    if e is from the initial vertex
      sim(e) := ant(e);
      put e in EventQueue;
    else
      sim(e) := { };
  (* perform symbolic simulation *)
  while EventQueue is not empty
    get an edge e from the queue;
    for each successor edge e' of e begin
      sim(e') := sim(e') ∪ (post(sim(e)) ∩ ant(e'));
      if there is a change in sim(e')
        put e' into EventQueue;
    end
  (* check consequence *)
  for each edge e in G
    if !(sim(e) ⊆ cons(e)) return false;
  return true;
end.
Quaternary-Value Logic
- Four values: 0, 1, X (unknown) and a fourth value for conflict
- Information partial order: X is below both 0 and 1; 0 and 1 are both below conflict
- Propagation of "unknown": an X input propagates through a gate unless the other input decides the output
[Figure: Hasse diagram of the information partial order, and a gate propagating X]
Two sides of a coin:
- Significantly reduce state spaces by quaternary abstraction
- Over-abstraction causes false negatives
Causes of False Negative: Quaternary State Set Unions
Check whether the output is always 1 under certain inputs.
[Figure: OR gate with inputs A, B and output Out. The two input cases (A,B) = (1,0) and (0,1) each give Out = 1; after abstraction their union is (X,X), so Out = X]
The union is taken in the simulation update:
  sim(e') := sim(e') ∪ (post(sim(e)) ∩ ant(e'));
Causes of False Negative: Existentially Quantified-Out Symbolic Variables
[Figure: assertion graph fragment with an edge A=c1 & B=(!c1|c2) / Out=1 followed by an edge True/Out=1, and an OR gate with inputs A, B and output Out]
c1, c2 are existentially quantified out after every single-step simulation:
  [A=c1, B=(!c1|c2)]  Out = A|B = c1|(!c1|c2) = 1
  [A=X, B=X]          Out = A|B = X
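The following is an added example (not code from the talk) that makes the loss of precision on this slide concrete. Symbolic quaternary values are stored as explicit tables over the valuations of c1 and c2, the OR gate Out = A|B is evaluated row by row, and `quantify` drops one variable the way the single-step simulation does. The function and parameter names (`symbolic`, `quantify`, `collapse`, `simulate`, `keep`) are this example's own.

```python
from itertools import product

X, ZERO, ONE = "X", "0", "1"
VARS = ("c1", "c2")                 # the symbolic variables of the antecedent
# A symbolic quaternary value is tabulated explicitly: one row per valuation of
# VARS (a tuple of bools; an entry becomes None once that variable is quantified out).
ROWS = [dict(zip(VARS, bits)) for bits in product((False, True), repeat=len(VARS))]

def symbolic(f):
    """Tabulate a Boolean function of the symbolic variables."""
    return {tuple(r.values()): (ONE if f(r) else ZERO) for r in ROWS}

def q_or(a, b):
    """OR on quaternary values: a single 1 decides; 0 only if both are 0; else X."""
    if ONE in (a, b):
        return ONE
    return ZERO if (a, b) == (ZERO, ZERO) else X

def lift_or(sa, sb):
    """The OR gate evaluated row by row, i.e. under every valuation."""
    return {k: q_or(sa[k], sb[k]) for k in sa}

def quantify(sv, var):
    """Existentially quantify `var` out: rows that differ only in `var` are
    merged, and a value survives only if both rows agreed on it."""
    i = VARS.index(var)
    out = {}
    for k, val in sv.items():
        k2 = k[:i] + (None,) + k[i + 1:]
        out[k2] = val if out.get(k2, val) == val else X
    return out

def collapse(sv):
    """The scalar a symbolic value abstracts to once no variable distinguishes rows."""
    vals = set(sv.values())
    return vals.pop() if len(vals) == 1 else X

def simulate(keep=()):
    """Antecedent A=c1, B=(!c1|c2), consequent Out=1 (constructed from the slide).
    Variables not in `keep` are quantified out right after the input step,
    before the gate is evaluated, as the abstraction on the slide does."""
    A = symbolic(lambda r: r["c1"])
    B = symbolic(lambda r: (not r["c1"]) or r["c2"])
    for var in VARS:
        if var not in keep:
            A, B = quantify(A, var), quantify(B, var)
    return collapse(lift_or(A, B))

if __name__ == "__main__":
    print("keep c1,c2:", simulate(keep=VARS))      # 1
    print("quantify both out first:", simulate())  # X
    print("keep only c1:", simulate(keep=("c1",)))  # 1
```

Quantifying both variables out before the gate yields Out = X, the false negative on the slide. Keeping c1 alone (the variable both inputs depend on) is enough to recover Out = 1, which is what remembering a variable's value by case splitting (slide 19) achieves; keeping only c2 does not help.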
AutoGSTE: Automatic Abstraction Refinement
[Figure: refinement loop. (1) GSTE takes the circuit implementation and the assertion graph; either the assertion holds or a counterexample is produced. (2) Counterexample analysis either reports that the assertion fails or identifies causes of imprecision. (3) Abstraction refinement produces a refined abstraction that is fed back to GSTE]
Causes of imprecision in GSTE's quaternary abstraction:
(1) Under-constrained inputs
(2) Quaternary state set unions
(3) Existentially quantified-out symbolic variables
Abstraction refinement (monotonic):
(1) Constraining inputs with symbolic constants/variables
(2) Model refinement: introducing precise nodes
(3) Spec refinement: assertion graph transformations
Counter Example Analysis
Counter example: [(edge1, src1, dest1), …, (edgeT, srcT, destT)]
- Identify "X" nodes in destT that violate the consequent on edgeT
- Backtrack to identify the causes for each "X" node N
- In the end, the following causes are identified: output circuit nodes / assertion edges on which Xs are introduced
[Figure: backtracking example over JK flip-flops (pins J, K, SET, CLR, Q, Q̄). The three sources of an X on a node are labelled Input, Union and Weak; the assertion edge is n2=(variable v) & n3=(variable v) followed by True/n2=n3]
Model Refinement
Symbolic Indexing (the verifier has to encode it in the specification)
[Figure: two input cases, 0 1 1 and 1 0 1, abstract to X under the coarse partition ("Abs."); with symbolic indexing on variable v the node is rewritten ("rew.") to !v?1:X, i.e. v and !v+w, and the finer partition keeps the value 1]
Model Refinement (Cont.)
- Precise nodes: circuit nodes that must always have Boolean values, by symbolic indexing [Yang and Seger, FMCAD'02]
- Manually specify precise nodes to eliminate Xs caused by both unions and weaks
- AutoGSTE automatically marks precise nodes:
  - Mark all the identified nodes as precise
  - Mark one node at a time (control signals first?)
Specification Refinement
Loop unrolling transformations address unions
- Allow the specification to be high level
- Dynamically adapt to the real computation flow of the circuit

Specification Refinement (Cont.)
Automating loop unrolling: unroll each problematic edge to prevent unwanted state set unions
[Figure: an assertion graph loop unrolled into edges 1, 2, 3, 4]
Specification Refinement (Cont.)
Case splitting transformations address weaks
- Symbolic variables symbolically index a set of edges with scalar values
- Remember the variable values by case splitting
[Figure: edge V0→V1 with antecedent enq=(variable v), deq=(variable v) and consequent True/enq=deq is split into two edges V0→V1, enq=deq=0 and enq=deq=1, each with consequent True/enq=deq]
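The following added example (not code from the talk) implements the slide-6 algorithm over the quaternary lattice of slide 8 and runs it on a constructed two-stage pipeline: inputs A and B are latched into registers rA, rB, and the next cycle rOut = rA | rB. It reproduces the slide-9 false negative, where two input cases merge one cycle before the OR is computed, and shows both refinements fixing it: the case-split assertion graph of slides 18-19 (`SPLIT`) and marking rA, rB as precise nodes (slides 15-16, `precise=`), which splits the state into one cell per Boolean value of those nodes as symbolic indexing does. The circuit, node names, assertion graphs and every function name here are this example's assumptions.

```python
from collections import deque

# Quaternary values. Information order: X (unknown) is below 0 and 1, which are
# below TOP (conflict). A state is a node -> value map standing for the set of
# circuit states that agree with every non-X entry.
X, ZERO, ONE, TOP = "X", "0", "1", "T"

def meet(a, b):
    """Greatest lower bound: how a state-set UNION is over-approximated."""
    return a if a == b else X

def join(a, b):
    """Least upper bound: a state-set INTERSECTION (TOP = contradiction)."""
    if a == b or b == X:
        return a
    return b if a == X else TOP

def q_or(a, b):
    """OR lifted to quaternary values: a single 1 input decides the output."""
    if ONE in (a, b):
        return ONE
    return ZERO if (a, b) == (ZERO, ZERO) else X

# Constructed pipeline: inputs A, B -> registers rA, rB -> register rOut = rA | rB.
NODES = ("A", "B", "rA", "rB", "rOut")

def post(s):
    """One clock cycle; next-cycle inputs are unconstrained (X)."""
    return {"A": X, "B": X, "rA": s["A"], "rB": s["B"], "rOut": q_or(s["rA"], s["rB"])}

def lift(c):
    """Partial constraint (node -> value) to a full state; other nodes are X."""
    return {**{n: X for n in NODES}, **c}

def state_meet(s, t):
    return {n: meet(s[n], t[n]) for n in NODES}

def state_join(s, t):
    r = {n: join(s[n], t[n]) for n in NODES}
    return None if TOP in r.values() else r      # None = empty set, dropped

def split(s, precise):
    """Symbolic indexing (model refinement): a precise node is never left at X;
    the state is split into one cell per Boolean value of that node."""
    cells = [s]
    for n in precise:
        cells = [dict(c, **{n: v}) for c in cells
                 for v in ((ZERO, ONE) if c[n] == X else (c[n],))]
    return cells

def gste(edges, post, initial="v0", precise=()):
    """Slide-6 algorithm. edges: (src, dst, ant, cons), ant/cons partial constraints.
    sim(e) is a partition {index -> state} indexed by the precise nodes' values
    (an empty dict is the empty set). Returns (holds, index of failing edge)."""
    key = lambda s: tuple(s[n] for n in precise)
    sim = [{} for _ in edges]
    queue = deque()

    def union_into(e, cells):                  # sim(e) := sim(e) U cells
        changed = False
        for c in cells:
            k = key(c)
            new = state_meet(sim[e][k], c) if k in sim[e] else c
            if sim[e].get(k) != new:
                sim[e][k] = new
                changed = True
        return changed

    for e, (src, _, ant, _) in enumerate(edges):      # initialise
        if src == initial and union_into(e, split(lift(ant), precise)):
            queue.append(e)
    while queue:                                      # symbolic simulation
        e = queue.popleft()
        for e2, (src2, _, ant2, _) in enumerate(edges):
            if src2 != edges[e][1]:
                continue                              # not a successor edge
            stepped = [state_join(post(c), lift(ant2)) for c in sim[e].values()]
            cells = [c2 for c in stepped if c is not None for c2 in split(c, precise)]
            if union_into(e2, cells):
                queue.append(e2)
    for e, (_, _, _, cons) in enumerate(edges):       # check consequences
        if not all(c[n] == v for c in sim[e].values() for n, v in cons.items()):
            return False, e
    return True, None

# Slide-9 situation: the two input cases merge at v1 one cycle before rOut is
# computed, so the union abstracts rA, rB to X and the check on rOut sees X.
MERGED = [
    ("v0", "v1", {"A": ONE, "B": ZERO}, {}),
    ("v0", "v1", {"A": ZERO, "B": ONE}, {}),
    ("v1", "v2", {}, {}),
    ("v2", "v3", {}, {"rOut": ONE}),
]
# Case-split specification (slides 18-19): each input case keeps its own path.
SPLIT = [
    ("v0", "v1a", {"A": ONE, "B": ZERO}, {}), ("v1a", "v2a", {}, {}),
    ("v2a", "v3", {}, {"rOut": ONE}),
    ("v0", "v1b", {"A": ZERO, "B": ONE}, {}), ("v1b", "v2b", {}, {}),
    ("v2b", "v3", {}, {"rOut": ONE}),
]

if __name__ == "__main__":
    print("merged graph, plain abstraction:", gste(MERGED, post))                       # (False, 3)
    print("case-split graph (spec refinement):", gste(SPLIT, post))                     # (True, None)
    print("merged graph, rA/rB precise (model ref.):", gste(MERGED, post, precise=("rA", "rB")))  # (True, None)
```

On the merged graph the consequence check on edge 3 fails only because of the abstraction, which is the false negative the counterexample analysis has to recognise. Both refinements recover the proof: case splitting enlarges the assertion graph, while precise nodes keep the graph unchanged but enlarge the state representation (here up to four cells per edge), which is the trade-off the FIFO experiments below measure.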
Outline
- Overview of (G)STE
- Quaternary Abstraction and its Imprecision
- Our Solution – AutoGSTE
  - Counterexample-guided abstraction refinement
  - Model Refinement vs. Specification Refinement
- Experiments
- Conclusion & Future Work
Experiment: FIFO
FIFO Model Refinement
Circuit vs. marking precise nodes all at once vs. marking precise nodes one at a time

FIFO   # of    Mark precise nodes all at once                      Mark precise nodes one at a time
Depth  Nodes   # of Iter.  # of P. Nodes  Time (Sec.)  BDD Nodes   # of P. Nodes  Time (Sec.)  BDD Nodes
3      181     1           5              0.12         10232       3              0.26         8996
8      296     1           7              0.4          32923       4              0.81         26708
16     476     1           9              1.1          72189       5              2.37         58250
24     787     1           11             2.38         131236      6              6.83         104246

Better than manual analysis!
FIFO Specification Refinement
Circuit vs. GSTE on the original assertion graph vs. semantic-preserving transformation

FIFO   GSTE on original assertion graph                         Semantic-preserving transformation
Depth  # of Edges  Time (Sec.)  BDD Nodes  Mem (MB)  Result      # of Edges  Time (Sec.)  BDD Nodes  Mem (MB)  Result
3      11          0.01         5          17        Fail        31          0.23         6          17        Pass
8      26          0.02         5          17        Fail        201         2.69         6          19        Pass
16     50          0.04         5          17        Fail        785         17.3         6          26        Pass
24     74          0.07         5          17        Fail        1753        54.2         6          39        Pass

Too complex to do manually!
[Figure: run time (sec, 0–60) and memory (MB) versus FIFO depth (0–25), built up over three slides; series: time for spec ref., time for model ref., mem for spec ref., mem for model ref.]
Conclusion & Future Work
- An automatic approach to abstraction refinement for GSTE
- Quickly converges to good abstractions
Future work:
- Identify a minimal set of precise nodes
- Reduce unnecessary loop unrolling / case splitting
- Integrate model refinement and spec refinement