generalized symbolic trajectory evaluation
DESCRIPTION
Generalized Symbolic Trajectory Evaluation. Jin Yang Strategic CAD Labs., Intel Architecture Group, Intel Corporation [email protected] Feb., 2001. Who Are We?. SCL - A CAD Research Organization within Intel - PowerPoint PPT PresentationTRANSCRIPT
Generalized Symbolic Trajectory Evaluation
Generalized Symbolic Trajectory Evaluation
Jin Yang
Strategic CAD Labs.,
Intel Architecture Group,
Intel Corporation
Feb., 2001
Who Are We?Who Are We?
SCL - A CAD Research Organization within Intel research & transfer new design technologies vital to
Intel’s future product lines in the areas of logic verification PV/PD Synthesis
composed mostly of Ph.D.s with various academia and industrial backgrounds
Logic Group fundamental and applied FV researches in the areas of
model checking, theorem proving, HLM, abstraction, ... datapath FV, processor FV, system level FV, protocol, …
7 Ph.D.s / 2 M.S.
Close relation with Academia SRC funding, mentoring, internship, visiting professors
OverviewOverview
Motivation
Specification in GSTE
Model Checking under Strong Semantics
Model Checking under Normal Semantics
Model Checking under Fairness -regular equivalent
(G)STE and Abstract Interpretation
Two Case Studies
STE : the Success StorySTE : the Success Story
STE - Symbolic Trajectory Evaluation a lattice-based model checking technology based on a
form of symbolic simulation (Seger & Bryant) proven high capacity with a high degree of automation a comprehensive methodology
Active Industrial Usage in Hardware Verification Intel
floating point arithmetic unit against IEEE 754 length decoder unit with 12,000 gates and 1100 latches
Motorola memory units with million transistors
IBM processor units at abstract level
STE: Simple SpecificationSTE: Simple Specification
Normalized basic STE assertion
A1 & N( A2 ) & … & Nk-1( Ak )
==> C1 & N( C2 ) &…& Nk-1( Ck )
e.g.
( !ck & a[99:0]=A[99:0] & b[99:0]=B[99:0] ) & N( ck ) & N2( !ck ) & N3( ck ) ==> N3( c[99:0]=A[99:0]+B[99:0] )
100
100
100a
b
c
d
ck
e f
ck
a[99:0] A[99:0]
B[99:0]b[99:0]
A+Bc[99:0]
antecedent
consequent
STE: Sim.-based Model CheckingSTE: Sim.-based Model Checking
Phase 1: Simulation
1 = [[ A1 ]], 2= [[ A2 ]] next(1), …, k= [[Ak ]] next(k-1)
Phase 2: Checking
defining value next state
for all i, i [[ Ci ]] ?
ck
a[99:0] A
Bb[99:0]
c[99:0]
d[99:0]
e[99:0]
f[99:0]
A
B
A+B
A
B
A+B
A+B
STE: Quaternary Circuit ModelingSTE: Quaternary Circuit Modeling
Work on quarternary {0,1,X,T} instead of boolean {0,1} X - unknown, T - over-constrained
e.g. only 200 boolean variables are used in the adder, although the circuit has 500 state or input elements
X 0 1 T
X
0
1
T
X
X
X0
0 00
0 1
T T T T
T
T
T
X 0 1 T
X
0
1
T
X
1
1X
X 10
1 1
T T T T
T
T
T X 0 1 T
X 01 T
STE: LimitationSTE: Limitation
Very limited expressiveness what about stall?
stall causes arbitrary long latency
what about backward analysis? simulation is forward in nature
Challenge extend expressiveness without losing STE-style model checking efficiency and
verification methodology
100
100
100a
b
c
d
ck
e f
stall
en
en
en
64
64
a
b
ck
+1
64
(a=ptr) ==> (b = ptr+1)
ModelModel State transition on S
R(S, S) every state is initial no deadlock
Transition-induced model M=(pre, post)
pre(Si) = {s | s’Si.R(s,s’) } post(Si) = {s’ | sSi.R(s,s’) }
Trace s1, s2, …, si, si+1, … si+1 post({si}), and hence si pre({si+1})
State transition on S R(S, S) every state is initial no deadlock
Transition-induced model M=(pre, post)
pre(Si) = {s | s’Si.R(s,s’) } post(Si) = {s’ | sSi.R(s,s’) }
Trace s1, s2, …, si, si+1, … si+1 post({si}), and hence si pre({si+1})
s1
s2
s3
s4
s5
s1, s2, s4, s5, s4, s5, ...
s2, s4, s5, s4, s5, ...
s4, s5, s4, s5, ...
s1, s3, s5, s4, s5, s4, ...
s3, s5, s4, s5, s4, ...
s5, s4, s5, s4, ...
Assertion Graph: An ExampleAssertion Graph: An Example
Property 1 If the system is in state s2, then it
will be in state s4 and state s5 alternatively.
s1
s2
s3
s4
s5
M
ant: {s2}
cons: {s4}
cons: {s5}
* all trivial antecedents and consequences are ignored
1
2
3
Assertion Graph: Formal DefinitionAssertion Graph: Formal Definition
Assertion graph
G = (V, vI, E, ant, cons) V - set of vertices vI - the initial vertex E - set of edges (each vertex has 1 outgoing edges) ant - map each edge to a set of states (or equivalently a state predicate) called antecedent cons - map each edge to a set of states (or equivalently a state predicate) called consequent
* first proposed by Seger and Beatty
* path: a sequence of consecutive edges edges from the initial vertex
* first proposed by Seger and Beatty
* path: a sequence of consecutive edges edges from the initial vertex
Strong (original STE) SemanticsStrong (original STE) Semantics
Trace satisfies path under L, |=L :
for every 1 i ||, (i) L((i)).
Model M strongly satisfies G, M ||= G:for every finite path ,
for every finite trace , |=ant |=cons
First proposed by Jain and clarified by Chou
Trace satisfies path under L, |=L :
for every 1 i ||, (i) L((i)).
Model M strongly satisfies G, M ||= G:for every finite path ,
for every finite trace , |=ant |=cons
First proposed by Jain and clarified by Chou
trace 1: s1
s2, s4trace 2:
ant: {s2}
cons: {s4}
cons: {s5}
1
2
3
s1
s2
s3
s4
s5
M ||=
Model Checking Strong SatisfiabilityModel Checking Strong Satisfiability
Phase 1: build simulation relation from edges to state sets
2 {s2}
3 {s2} {s4}
4 {s2}
Phase 2: check consequences
Step
1 {s2} { } { }
1 2 3
{ } S post({s2}) S post({}) {s4} { }
{ } S post({s4}) {s5}
{s4} post({s2}) post({s5}) {s4} {s5}
ant: {s2}
cons: {s4}
cons: {s5}
1
2
3
s1
s2
s3
s4
s5
M ||=
Model Checking Strong SatisfiabilityModel Checking Strong Satisfiability
Theorem:
SMC(M, G) M ||= G
1. if e is from vI sim(e) := ant(e), else sim(e) := F.
2. repeat until fix-point: for every edge e,
sim(e) := sim(e) ( (post(sim(e-) ant(e)))). e - in(e)
SMC(M, G)
3. return T if for every edge e, sim(e) cons(e),
return F otherwise.* first proposed by Jain and clarified by Chou
Limitation of Strong SemanticsLimitation of Strong Semantics
Property 2 If the system is in state s2, it must
have been in s1 at the previous time.
Ant. Cons.
The property would fail because the antecedent failed after the consequence failure!
s3trace: s5
ant: {s2} cons: {s1}1 2 3
s1
s2
s3
s4
s5
M
Normal SemanticsNormal Semantics
Model M satisfies G, M |= G:for every infiniteinfinite path ,
for every infiniteinfinite trace , |=ant |=cons
Model M satisfies G, M |= G:for every infiniteinfinite path ,
for every infiniteinfinite trace , |=ant |=cons
s3, s5,trace: … ...
ant: {s2} cons: {s1}1 2 3s1
s2
s3
s4
s5
M ||=
Model Checking Normal SatisfiabilityModel Checking Normal Satisfiability
G = (V, vI, E, ant, cons)
Approach - Reduce to Strong Satisfiability
G’ = (V, vI, E, ant’, cons)
transform
s.t., M |=G M |= G’
M |=G’ M ||= G’
(future independent)
Future Extensibility Condition
G’ is future extensible on M:
for every edge e, for every state s in ant’(e),
there is an inf. e-path , an inf. trace from s ,
|=ant’
Future Extensibility Condition
G’ is future extensible on M:
for every edge e, for every state s in ant’(e),
there is an inf. e-path , an inf. trace from s ,
|=ant’
Model Checking Normal SatisfiabilityModel Checking Normal Satisfiability
Phase 1: strengthen antecedents backward
Phase 2: check strong satisfiability
Step
1 S {s2} S
1 2 3
{s2} pre(S)2 S {s2} S pre({s2}) {s1}
ant: {s2} cons: {s1}1 2 3s1
s2
s3
s4
s5
M ||=
Model Checking Normal SatisfiabilityModel Checking Normal Satisfiability
1. repeat until fix-point: for all edge e,
ant(e) := ant(e) ( (pre(ant(e+)))). e+ out(e)
NMC(M, G)
2. call SMC(M, G)
Theorem:
NMC(M, G) M |= G
Limitation of Normal SemanticsLimitation of Normal SemanticsProperty 3
If the system is in state s4, then at the last time when it was neither in s4 nor s5, it must have been in s2.
s3, s5, s5, … ...trace:
The property would fail becausean undesired path is examined!
s1
s2
s3
s4
s5
M’
ant: S - {s4,s5} ant: {s4}
cons: {s2}
ant: {s4,s5}
1 2 3
4
Assertion Graph with FairnessAssertion Graph with FairnessFairness condition:
fair edge sets: E = {E1, E2, …, Ek} a fair path visits each Ei infinitely often
Model M fairly satisfies G under E, M |=E G:
for every fairfair infinite path ,
for every infinite trace , |=ant |=cons
Fairness condition: fair edge sets: E = {E1, E2, …, Ek} a fair path visits each Ei infinitely often
Model M fairly satisfies G under E, M |=E G:
for every fairfair infinite path ,
for every infinite trace , |=ant |=cons
ant: S - {s4,s5} ant: {s4}
cons: {s2}
ant: {s4,s5}
1 2 3
4
s1
s2
s3
s4
s5
M’ ||=
Theorem: (-regular equivalence) every det. Streett automaton has an equivalent fair assertion graph
Model Checking Fair Assertion GraphModel Checking Fair Assertion Graph
More of the same... - Reduce to Strong Satisfiability
Fair Extensibility Condition
G’ is fairly extensible on M:
for every edge e, for every state s in ant’(e),
there is an inf. fair e-path , an inf. trace from s ,
|=ant’
Fair Extensibility Condition
G’ is fairly extensible on M:
for every edge e, for every state s in ant’(e),
there is an inf. fair e-path , an inf. trace from s ,
|=ant’
ant: S - {s4,s5} ant: {s4}
cons: {s2}
ant: {s4,s5}
ant: {s2} ant: {s4}
cons: {s2}
ant: {s4}
Model Checking Fair Assertion GraphModel Checking Fair Assertion Graph
1. repeat until fix-point:
2. for each fair edge set Ef in E,
3. build backward simulation relation
towards Ef;
4. G := replace the antecedents in G
with the simulation relation;
/* future extensible to Ef */
5. call SMC(M, G).
FMC(M, G, E)
Theorem:
FMC(M, G, E) M |=E G
Relevant Lattice ConceptsRelevant Lattice Concepts
Finite Complete Lattice (L, ) L - finite set of points - partial order relation:
p1 p2 if p1 is less uncertain than p2 T - top element - bottom element
Finite Complete Lattice (L, ) L - finite set of points - partial order relation:
p1 p2 if p1 is less uncertain than p2 T - top element - bottom element
Ex 2. (2S, ) - subset lattice S - top element {} - bottom element
Ex 1.
R Y G
T
Note: we use an partial order relation consistent with
Extend Model to LatticeExtend Model to Lattice
Model M = (pre, post)
pre, post: L L (monotonic) post(p) = p = for every p in L, p pre(post(p))
* STE model is a special case where pre(p) = T for every p.
Model M = (pre, post)
pre, post: L L (monotonic) post(p) = p = for every p in L, p pre(post(p))
* STE model is a special case where pre(p) = T for every p.
R Y G
T
postpre
Trajectoryp1, p2, p3, …, pi, pi+1, …
pi+1 post(pi), pi pre(pi+1) pi * a trajectory captures a set of traces
Trajectoryp1, p2, p3, …, pi, pi+1, …
pi+1 post(pi), pi pre(pi+1) pi * a trajectory captures a set of traces
R, Y, G, G, ...
T, T, T, T, ...
R, T, T, T, ...
T, Y, G, G, ...
Extend Assertion Graph to LatticeExtend Assertion Graph to Lattice
Assertion Graph
G=(V, vI, E, ant, cons) extend ant, cons: E 2S to E L
Assertion Graph
G=(V, vI, E, ant, cons) extend ant, cons: E 2S to E L
Semantic Extension trajectory satisfies path under
L: for every i, (i) L((i)). Satisfiability definitions remain
the same except working on trajectory satisfiability
Semantic Extension trajectory satisfies path under
L: for every i, (i) L((i)). Satisfiability definitions remain
the same except working on trajectory satisfiability
ant: Y cons: G
R, Y, G, ...
ant cons
Y, G, G, ... R Y G
T
postpre
|=
Main GSTE Results on Lattice Main GSTE Results on Lattice
Extended Model Checking Algorithms:*GSTE
by generalizing , , in *MC to , ,
GSTE Theorems
strong semantics: SGSTE(M, G) M ||= G normal semantics: NGSTE(M, G) M |= G fairness: FGSTE(M, G, E) M |=E G
Incompleteness lose information when using coarse lattice but gain efficiency
Abstract Interpretation ConceptsAbstract Interpretation Concepts
R Y G
T
{S1} {S2} {S3} {S4} {S5}
{ }
{S2, S3} {S4, S5}... ... ...
... ...
{S1, S2, S3 , S4, S5}
Abstraction of (L, ) - Galois insertion
(La, a)
abstraction function : L La, such that (T) = Ta, (p) = a iff p = , is onto, and distributive
Abstraction of (L, ) - Galois insertion
(La, a)
abstraction function : L La, such that (T) = Ta, (p) = a iff p = , is onto, and distributive
The Quaternary AbstractionThe Quaternary Abstraction
From boolean domain to quaternary domain
{ }
{00} {01} {10} {11}
{00,01} {00,10} {00,11} {01,10} {01,11} {10,11}
{00,01,10} {00,01,11} {00,10,11} {01,10,11}
{00,01,10,11}
two variable boolean domain: two variable quaternary domain:
T
00 01 10 11
0X X0 X1 1X
XX
Model AbstractionModel AbstractionAbstraction of Model M=(pre, post)
Ma=(prea, posta) (pre(p)) a prea((p)) (post(p)) a posta((p))
Abstraction of Model M=(pre, post)
Ma=(prea, posta) (pre(p)) a prea((p)) (post(p)) a posta((p))
R Y G
T
postpre
s1
s2
s3
s4
s5
M
Abstraction in GSTEAbstraction in GSTE
Abstraction theorem
If G is consequence preserving i.e., -1((cons(e))) = cons(e) for all edge e,then strong semantics
Ma ||= Ga M ||= G normal semantics
Ma |= Ga M |= G fairness
Ma |=E Ga M |=E G
Abstraction in GSTEAbstraction in GSTE
GSTE using Abstraction: a*GSTE(M, G) when G is not consequence preserving
Theorem: 1. strong semantics: aSGSTE(M, G) M ||= G
2. normal semantics: aNGSTE(M, G) M |= G
3. fair semantics: aFGSTE(M, G, E) M |=E G
Theorem: 1. strong semantics: aSGSTE(M, G) M ||= G
2. normal semantics: aNGSTE(M, G) M |= G
3. fair semantics: aFGSTE(M, G, E) M |=E G
Check the consequence against
the concretized simulation relation
Ga, Ma on (La, a)
G, M on (L, )
Concretize the simulation result
Perform antecedent strengthening
and simulation relation building on
Ga, Ma
Case Study: A MemoryCase Study: A Memory
bank0
bank1
bank2
bank3
mem
ory
blo
ckdatawr
128 alignmaskblock
128dataout
128datard0
128datard1
128datard2
128datard3
128datainbypass
addr[9:0]addr[9:8] bnksel[1:0]
we
4
drive[4:0]ck
align[7:0]begin[4:0]
end[4:0]
4 banks * 256 entries/bank * 128 bits / entry = 128K bits
SpecificationSpecification
we (addr=A) (datawr=D)
we (addrA)
we ck (addr=A) (drive=V) (align=R)
we ck (begin=B) (end=E)
dataout=mask(align(drive(D, V), R), B, E)
Correctness Statement: always read from a cell the most recently written data
we
ck
datawr[127:0]
addr[9:0]
dataout[127:0]
align[6:0]
begin[3:0]
end[3:0]
drive[3:0]
A A
D
O
V
R
B
E
No
wri
te t
o th
e sa
me
add
ress
write phase read cycle
hold phase
Model CheckingModel Checking
bank0
bank1
bank2
bank3
datawr128 alignmask
block
128dataout
128datainbypass
addr[9:0]we
4
drive[4:0]
ck align[7:0]begin[4:0]
end[4:0]
we (addr= A) (datawr=D)
we (addrA)
we ck (addr=A) (drive=V) (align=R)
we ck (begin=B) (end=E)
dataout=mask(align(drive(D, V), R), B, E)
1
A[9:0]
D[127:0]
Model CheckingModel Checking
bank0
bank1
bank2
bank3
datawr128 alignmask
block
128dataout
128datainbypass
addr[9:0]we
4
drive[4:0]
ck align[7:0]begin[4:0]
end[4:0]
we (addr= A) (datawr=D)
we (addrA)
we ck (addr=A) (drive=V) (align=R)
we ck (begin=B) (end=E)
dataout=mask(align(drive(D, V), R), B, E)
bank[i].row[j] =
D, if A=i*256+ j
X, otherwise
Model CheckingModel Checking
bank0
bank1
bank2
bank3
datawr128 alignmask
block
128dataout
128datainbypass
addr[9:0]we
4
drive[4:0]
ck align[7:0]begin[4:0]
end[4:0]
we (addr= A) (datawr=D)
we (addrA)
we ck (addr=A) (drive=V) (align=R)
we ck (begin=B) (end=E)
dataout=mask(align(drive(D, V), R), B, E)
0
A
D
bank[i].row[j] =
D, if A=i*256+ j
X, otherwise
Model CheckingModel Checking
bank0
bank1
bank2
bank3
datawr128 alignmask
block
128dataout
128datainbypass
addr[9:0]we
4
drive[4:0]
ck align[7:0]begin[4:0]
end[4:0]
we (addr= A) (datawr=D)
we (addrA)
we ck (addr=A) (drive=V) (align=R)
we ck (begin=B) (end=E)
dataout=mask(align(drive(D, V), R), B, E)
0
A mask(align(drive(D, V), R, B, E)
GSTE vs. STE and Classic MCGSTE vs. STE and Classic MC
GSTE complete black-box verification complexity - 128K bits 157 variables used in assertion graph finished in 833 seconds
STE requires open-up of the memory requires three STE assertions for write, retain and read
Classic MC state explosion under any variable order
Case Study: An AlignMask Module Case Study: An AlignMask Module
128datain0
128 datain1
128datain2
128datain3
128
bnksel2
align
maskselect, p
recharge,
and
mu
x
pred
ischarge m
ux
align7
drive4
begin
end
4
4
alignvalid
128 datainbypass
ck
hit#
qclk
buspch
all 0’s
mu
x
128dataout
dual-rail
Prop: Two Rails Must be Weak MutexProp: Two Rails Must be Weak Mutex
alignvalid
ck
bnksel[1:0]
drive[i/32]
dataout#[i]
datain(j)[127:0]
datain(j)#[127:0]
dataout[i]
align[6:0] A
S
if it was low first
retain u
ntil d
elivery
mutex_for_all_j
ant1 / ant2 / con2
ant3 / ant5 / ant4 /
ant6 /
ant3: ck alignvalid drive[k] (bnksel=S) (align=A) mutex_for_all_j
ant1: ck alignvalid drive[k] (bnksel=S) (align=A) mutex_for_all_j
ant2: ck alignvalid dataout[i]
ant5: ck alignvalid drive[k]
con2: dataout#[i]
ant4: ck alignvalid drive[k]
ant6: ck alignvalid drive[k]
(k = i/32)
Fair Semantics:• bi-directional simulation over an arbitrary long interval
Complexity:• 9 variables in total• no variables for how to mask
Rephrase: if the high rail of a bit i is 1, then the low rail must be 0.
SummarySummary
STE Spec./
0 fix-point
Strong AG /
1 fix-point
Normal AG /
2 fix-points
Fair AG (-regular) /
fix-point 2
Coarse lattice
abstraction
Quaternary
abstraction
Finer lattice
abstraction
No
abstraction
Expressiveness /
Time Complexity
Completeness /
Space Complexity
STE
SGTE
NGTE
FGTE
Comparison with Classic ApproachComparison with Classic Approach
Similarities model described as M=(pre, post) model checking is some form of ‘reachability’ analysis
Differences clear distinction of antecedents and consequences lattice based simulation strategy, e.g., for circuits,
no expensive next state function or transition relation dynamic model abstraction
for-all semantics more comprehensive methodology
Perhaps …, this work provides a common framework for getting the best of both approaches
Future WorkFuture Work
Bring theory to practice efficient implementation debugging environment methodology development
Relationship with other formal methods efficient links from/to other temporal logics
GSTE for protocol verification ...
Incorporation of established abstraction techniques symmetry reduction uninterpreted function … ...
Backup Slide
STE: Quaternary Circuit ModelingSTE: Quaternary Circuit Modeling
Boolean {0, 1} to quarternary {0, 1, X, T} X - unknown, T - over-constrained
X 0 1 T
X
0
1
T
X
X
X0
0 00
0 1
T T T T
T
T
T
X 0 1 T
X
0
1
T
X
1
1X
X 10
1 1
T T T T
T
T
T X 0 1 T
X 01 T
full symbolic simulation quaternary symbolic simulation
abcd
mu
xx y
if !x&!y then v else Xif !x&y then v else Xif x&!y then v else X
mu
x
x y
if x&!y then v else X
6 variables 3 variables