Generalized Symbolic Trajectory Evaluation Jin Yang Strategic CAD Labs., Intel Architecture Group,...

Generalized Symbolic Trajectory Evaluation

Generalized Symbolic Trajectory Evaluation

Jin Yang

Strategic CAD Labs.,

Intel Architecture Group,

Intel Corporation

[email protected]

Feb., 2001

Who Are We?Who Are We?

SCL - A CAD Research Organization within Intel research & transfer new design technologies vital to

Intel’s future product lines in the areas of logic verification PV/PD Synthesis

composed mostly of Ph.D.s with various academia and industrial backgrounds

Logic Group fundamental and applied FV researches in the areas of

model checking, theorem proving, HLM, abstraction, ... datapath FV, processor FV, system level FV, protocol, …

7 Ph.D.s / 2 M.S.

Close relation with Academia SRC funding, mentoring, internship, visiting professors

OverviewOverview

Motivation

Specification in GSTE

Model Checking under Strong Semantics

Model Checking under Normal Semantics

Model Checking under Fairness -regular equivalent

(G)STE and Abstract Interpretation

Two Case Studies

STE : the Success StorySTE : the Success Story

STE - Symbolic Trajectory Evaluation a lattice-based model checking technology based on a

form of symbolic simulation (Seger & Bryant) proven high capacity with a high degree of automation a comprehensive methodology

Active Industrial Usage in Hardware Verification Intel

floating point arithmetic unit against IEEE 754 length decoder unit with 12,000 gates and 1100 latches

Motorola memory units with million transistors

IBM processor units at abstract level

STE: Simple SpecificationSTE: Simple Specification

Normalized basic STE assertion

A1 & N( A2 ) & … & Nk-1( Ak )

==> C1 & N( C2 ) &…& Nk-1( Ck )

e.g.

( !ck & a[99:0]=A[99:0] & b[99:0]=B[99:0] ) & N( ck ) & N2( !ck ) & N3( ck ) ==> N3( c[99:0]=A[99:0]+B[99:0] )

100

100

100a

b

c

d

ck

e f

ck

a[99:0] A[99:0]

B[99:0]b[99:0]

A+Bc[99:0]

antecedent

consequent

STE: Sim.-based Model CheckingSTE: Sim.-based Model Checking

Phase 1: Simulation

1 = [[ A1 ]], 2= [[ A2 ]] next(1), …, k= [[Ak ]] next(k-1)

Phase 2: Checking

defining value next state

for all i, i [[ Ci ]] ?

ck

a[99:0] A

Bb[99:0]

c[99:0]

d[99:0]

e[99:0]

f[99:0]

A

B

A+B

A

B

A+B

A+B

STE: Quaternary Circuit ModelingSTE: Quaternary Circuit Modeling

Work on quarternary {0,1,X,T} instead of boolean {0,1} X - unknown, T - over-constrained

e.g. only 200 boolean variables are used in the adder, although the circuit has 500 state or input elements

X 0 1 T

X

0

1

T

X

X

X0

0 00

0 1

T T T T

T

T

T

X 0 1 T

X

0

1

T

X

1

1X

X 10

1 1

T T T T

T

T

T X 0 1 T

X 01 T

STE: LimitationSTE: Limitation

Very limited expressiveness what about stall?

stall causes arbitrary long latency

what about backward analysis? simulation is forward in nature

Challenge extend expressiveness without losing STE-style model checking efficiency and

verification methodology

100

100

100a

b

c

d

ck

e f

stall

en

en

en

64

64

a

b

ck

+1

64

(a=ptr) ==> (b = ptr+1)

ModelModel State transition on S

R(S, S) every state is initial no deadlock

Transition-induced model M=(pre, post)

pre(Si) = {s | s’Si.R(s,s’) } post(Si) = {s’ | sSi.R(s,s’) }

Trace s1, s2, …, si, si+1, … si+1 post({si}), and hence si pre({si+1})

State transition on S R(S, S) every state is initial no deadlock

Transition-induced model M=(pre, post)

pre(Si) = {s | s’Si.R(s,s’) } post(Si) = {s’ | sSi.R(s,s’) }

Trace s1, s2, …, si, si+1, … si+1 post({si}), and hence si pre({si+1})

s1

s2

s3

s4

s5

s1, s2, s4, s5, s4, s5, ...

s2, s4, s5, s4, s5, ...

s4, s5, s4, s5, ...

s1, s3, s5, s4, s5, s4, ...

s3, s5, s4, s5, s4, ...

s5, s4, s5, s4, ...

Assertion Graph: An ExampleAssertion Graph: An Example

Property 1 If the system is in state s2, then it

will be in state s4 and state s5 alternatively.

s1

s2

s3

s4

s5

M

ant: {s2}

cons: {s4}

cons: {s5}

* all trivial antecedents and consequences are ignored

1

2

3

Assertion Graph: Formal DefinitionAssertion Graph: Formal Definition

Assertion graph

G = (V, vI, E, ant, cons) V - set of vertices vI - the initial vertex E - set of edges (each vertex has 1 outgoing edges) ant - map each edge to a set of states (or equivalently a state predicate) called antecedent cons - map each edge to a set of states (or equivalently a state predicate) called consequent

* first proposed by Seger and Beatty

* path: a sequence of consecutive edges edges from the initial vertex

* first proposed by Seger and Beatty

* path: a sequence of consecutive edges edges from the initial vertex

Strong (original STE) SemanticsStrong (original STE) Semantics

Trace satisfies path under L, |=L :

for every 1 i ||, (i) L((i)).

Model M strongly satisfies G, M ||= G:for every finite path ,

for every finite trace , |=ant |=cons

First proposed by Jain and clarified by Chou

Trace satisfies path under L, |=L :

for every 1 i ||, (i) L((i)).

Model M strongly satisfies G, M ||= G:for every finite path ,

for every finite trace , |=ant |=cons

First proposed by Jain and clarified by Chou

trace 1: s1

s2, s4trace 2:

ant: {s2}

cons: {s4}

cons: {s5}

1

2

3

s1

s2

s3

s4

s5

M ||=

Model Checking Strong SatisfiabilityModel Checking Strong Satisfiability

Phase 1: build simulation relation from edges to state sets

2 {s2}

3 {s2} {s4}

4 {s2}

Phase 2: check consequences

Step

1 {s2} { } { }

1 2 3

{ } S post({s2}) S post({}) {s4} { }

{ } S post({s4}) {s5}

{s4} post({s2}) post({s5}) {s4} {s5}

ant: {s2}

cons: {s4}

cons: {s5}

1

2

3

s1

s2

s3

s4

s5

M ||=

Model Checking Strong SatisfiabilityModel Checking Strong Satisfiability

Theorem:

SMC(M, G) M ||= G

1. if e is from vI sim(e) := ant(e), else sim(e) := F.

2. repeat until fix-point: for every edge e,

sim(e) := sim(e) ( (post(sim(e-) ant(e)))). e - in(e)

SMC(M, G)

3. return T if for every edge e, sim(e) cons(e),

return F otherwise.* first proposed by Jain and clarified by Chou

Limitation of Strong SemanticsLimitation of Strong Semantics

Property 2 If the system is in state s2, it must

have been in s1 at the previous time.

Ant. Cons.

The property would fail because the antecedent failed after the consequence failure!

s3trace: s5

ant: {s2} cons: {s1}1 2 3

s1

s2

s3

s4

s5

M

Normal SemanticsNormal Semantics

Model M satisfies G, M |= G:for every infiniteinfinite path ,

for every infiniteinfinite trace , |=ant |=cons

Model M satisfies G, M |= G:for every infiniteinfinite path ,

for every infiniteinfinite trace , |=ant |=cons

s3, s5,trace: … ...

ant: {s2} cons: {s1}1 2 3s1

s2

s3

s4

s5

M ||=

Model Checking Normal SatisfiabilityModel Checking Normal Satisfiability

G = (V, vI, E, ant, cons)

Approach - Reduce to Strong Satisfiability

G’ = (V, vI, E, ant’, cons)

transform

s.t., M |=G M |= G’

M |=G’ M ||= G’

(future independent)

Future Extensibility Condition

G’ is future extensible on M:

for every edge e, for every state s in ant’(e),

there is an inf. e-path , an inf. trace from s ,

|=ant’

Future Extensibility Condition

G’ is future extensible on M:


there is an inf. e-path , an inf. trace from s ,

|=ant’


Phase 1: strengthen antecedents backward

Phase 2: check strong satisfiability

Step

1 S {s2} S

1 2 3

{s2} pre(S)2 S {s2} S pre({s2}) {s1}

ant: {s2} cons: {s1}1 2 3s1

s2

s3

s4

s5

M ||=


1. repeat until fix-point: for all edge e,

ant(e) := ant(e) ( (pre(ant(e+)))). e+ out(e)

NMC(M, G)

2. call SMC(M, G)

Theorem:

NMC(M, G) M |= G

Limitation of Normal SemanticsLimitation of Normal SemanticsProperty 3

If the system is in state s4, then at the last time when it was neither in s4 nor s5, it must have been in s2.

s3, s5, s5, … ...trace:

The property would fail becausean undesired path is examined!

s1

s2

s3

s4

s5

M’

ant: S - {s4,s5} ant: {s4}

cons: {s2}

ant: {s4,s5}

1 2 3

4

Assertion Graph with FairnessAssertion Graph with FairnessFairness condition:

fair edge sets: E = {E1, E2, …, Ek} a fair path visits each Ei infinitely often

Model M fairly satisfies G under E, M |=E G:

for every fairfair infinite path ,

for every infinite trace , |=ant |=cons

Fairness condition: fair edge sets: E = {E1, E2, …, Ek} a fair path visits each Ei infinitely often

Model M fairly satisfies G under E, M |=E G:

for every fairfair infinite path ,

for every infinite trace , |=ant |=cons

ant: S - {s4,s5} ant: {s4}

cons: {s2}

ant: {s4,s5}

1 2 3

4

s1

s2

s3

s4

s5

M’ ||=

Theorem: (-regular equivalence) every det. Streett automaton has an equivalent fair assertion graph

Model Checking Fair Assertion GraphModel Checking Fair Assertion Graph

More of the same... - Reduce to Strong Satisfiability

Fair Extensibility Condition

G’ is fairly extensible on M:


there is an inf. fair e-path , an inf. trace from s ,

|=ant’

Fair Extensibility Condition

G’ is fairly extensible on M:


there is an inf. fair e-path , an inf. trace from s ,

|=ant’

ant: S - {s4,s5} ant: {s4}

cons: {s2}

ant: {s4,s5}

ant: {s2} ant: {s4}

cons: {s2}

ant: {s4}

Model Checking Fair Assertion GraphModel Checking Fair Assertion Graph

1. repeat until fix-point:

2. for each fair edge set Ef in E,

3. build backward simulation relation

towards Ef;

4. G := replace the antecedents in G

with the simulation relation;

/* future extensible to Ef */

5. call SMC(M, G).

FMC(M, G, E)

Theorem:

FMC(M, G, E) M |=E G

Relevant Lattice ConceptsRelevant Lattice Concepts

Finite Complete Lattice (L, ) L - finite set of points - partial order relation:

p1 p2 if p1 is less uncertain than p2 T - top element - bottom element

Finite Complete Lattice (L, ) L - finite set of points - partial order relation:

p1 p2 if p1 is less uncertain than p2 T - top element - bottom element

Ex 2. (2S, ) - subset lattice S - top element {} - bottom element

Ex 1.

R Y G

T

Note: we use an partial order relation consistent with

Extend Model to LatticeExtend Model to Lattice

Model M = (pre, post)

pre, post: L L (monotonic) post(p) = p = for every p in L, p pre(post(p))

* STE model is a special case where pre(p) = T for every p.

Model M = (pre, post)

pre, post: L L (monotonic) post(p) = p = for every p in L, p pre(post(p))

* STE model is a special case where pre(p) = T for every p.

R Y G

T

postpre

Trajectoryp1, p2, p3, …, pi, pi+1, …

pi+1 post(pi), pi pre(pi+1) pi * a trajectory captures a set of traces

Trajectoryp1, p2, p3, …, pi, pi+1, …

pi+1 post(pi), pi pre(pi+1) pi * a trajectory captures a set of traces

R, Y, G, G, ...

T, T, T, T, ...

R, T, T, T, ...

T, Y, G, G, ...

Extend Assertion Graph to LatticeExtend Assertion Graph to Lattice

Assertion Graph

G=(V, vI, E, ant, cons) extend ant, cons: E 2S to E L

Assertion Graph

G=(V, vI, E, ant, cons) extend ant, cons: E 2S to E L

Semantic Extension trajectory satisfies path under

L: for every i, (i) L((i)). Satisfiability definitions remain

the same except working on trajectory satisfiability

Semantic Extension trajectory satisfies path under

L: for every i, (i) L((i)). Satisfiability definitions remain

the same except working on trajectory satisfiability

ant: Y cons: G

R, Y, G, ...

ant cons

Y, G, G, ... R Y G

T

postpre

|=

Main GSTE Results on Lattice Main GSTE Results on Lattice

Extended Model Checking Algorithms:*GSTE

by generalizing , , in *MC to , ,

GSTE Theorems

strong semantics: SGSTE(M, G) M ||= G normal semantics: NGSTE(M, G) M |= G fairness: FGSTE(M, G, E) M |=E G

Incompleteness lose information when using coarse lattice but gain efficiency

Abstract Interpretation ConceptsAbstract Interpretation Concepts

R Y G

T

{S1} {S2} {S3} {S4} {S5}

{ }

{S2, S3} {S4, S5}... ... ...

... ...

{S1, S2, S3 , S4, S5}

Abstraction of (L, ) - Galois insertion

(La, a)

abstraction function : L La, such that (T) = Ta, (p) = a iff p = , is onto, and distributive

Abstraction of (L, ) - Galois insertion

(La, a)

abstraction function : L La, such that (T) = Ta, (p) = a iff p = , is onto, and distributive

The Quaternary AbstractionThe Quaternary Abstraction

From boolean domain to quaternary domain

{ }

{00} {01} {10} {11}

{00,01} {00,10} {00,11} {01,10} {01,11} {10,11}

{00,01,10} {00,01,11} {00,10,11} {01,10,11}

{00,01,10,11}

two variable boolean domain: two variable quaternary domain:

T

00 01 10 11

0X X0 X1 1X

XX

Model AbstractionModel AbstractionAbstraction of Model M=(pre, post)

Ma=(prea, posta) (pre(p)) a prea((p)) (post(p)) a posta((p))

Abstraction of Model M=(pre, post)

Ma=(prea, posta) (pre(p)) a prea((p)) (post(p)) a posta((p))

R Y G

T

postpre

s1

s2

s3

s4

s5

M

Abstraction in GSTEAbstraction in GSTE

Abstraction theorem

If G is consequence preserving i.e., -1((cons(e))) = cons(e) for all edge e,then strong semantics

Ma ||= Ga M ||= G normal semantics

Ma |= Ga M |= G fairness

Ma |=E Ga M |=E G

Abstraction in GSTEAbstraction in GSTE

GSTE using Abstraction: a*GSTE(M, G) when G is not consequence preserving

Theorem: 1. strong semantics: aSGSTE(M, G) M ||= G

2. normal semantics: aNGSTE(M, G) M |= G

3. fair semantics: aFGSTE(M, G, E) M |=E G

Theorem: 1. strong semantics: aSGSTE(M, G) M ||= G

2. normal semantics: aNGSTE(M, G) M |= G

3. fair semantics: aFGSTE(M, G, E) M |=E G

Check the consequence against

the concretized simulation relation

Ga, Ma on (La, a)

G, M on (L, )

Concretize the simulation result

Perform antecedent strengthening

and simulation relation building on

Ga, Ma

Case Study: A MemoryCase Study: A Memory

bank0

bank1

bank2

bank3

mem

ory

blo

ckdatawr

128 alignmaskblock

128dataout

128datard0

128datard1

128datard2

128datard3

128datainbypass

addr[9:0]addr[9:8] bnksel[1:0]

we

4

drive[4:0]ck

align[7:0]begin[4:0]

end[4:0]

4 banks * 256 entries/bank * 128 bits / entry = 128K bits

SpecificationSpecification

we (addr=A) (datawr=D)

we (addrA)

we ck (addr=A) (drive=V) (align=R)

we ck (begin=B) (end=E)

dataout=mask(align(drive(D, V), R), B, E)

Correctness Statement: always read from a cell the most recently written data

we

ck

datawr[127:0]

addr[9:0]

dataout[127:0]

align[6:0]

begin[3:0]

end[3:0]

drive[3:0]

A A

D

O

V

R

B

E

No

wri

te t

o th

e sa

me

add

ress

write phase read cycle

hold phase

Model CheckingModel Checking

bank0

bank1

bank2

bank3

datawr128 alignmask

block

128dataout

128datainbypass

addr[9:0]we

4

drive[4:0]

ck align[7:0]begin[4:0]

end[4:0]

we (addr= A) (datawr=D)

we (addrA)




1

A[9:0]

D[127:0]


bank0

bank1

bank2

bank3

datawr128 alignmask

block

128dataout

128datainbypass

addr[9:0]we

4

drive[4:0]


end[4:0]


we (addrA)




bank[i].row[j] =

D, if A=i*256+ j

X, otherwise


bank0

bank1

bank2

bank3

datawr128 alignmask

block

128dataout

128datainbypass

addr[9:0]we

4

drive[4:0]


end[4:0]


we (addrA)




0

A

D

bank[i].row[j] =

D, if A=i*256+ j

X, otherwise


bank0

bank1

bank2

bank3

datawr128 alignmask

block

128dataout

128datainbypass

addr[9:0]we

4

drive[4:0]


end[4:0]


we (addrA)




0

A mask(align(drive(D, V), R, B, E)

GSTE vs. STE and Classic MCGSTE vs. STE and Classic MC

GSTE complete black-box verification complexity - 128K bits 157 variables used in assertion graph finished in 833 seconds

STE requires open-up of the memory requires three STE assertions for write, retain and read

Classic MC state explosion under any variable order

Case Study: An AlignMask Module Case Study: An AlignMask Module

128datain0

128 datain1

128datain2

128datain3

128

bnksel2

align

maskselect, p

recharge,

and

mu

x

pred

ischarge m

ux

align7

drive4

begin

end

4

4

alignvalid

128 datainbypass

ck

hit#

qclk

buspch

all 0’s

mu

x

128dataout

dual-rail

Prop: Two Rails Must be Weak MutexProp: Two Rails Must be Weak Mutex

alignvalid

ck

bnksel[1:0]

drive[i/32]

dataout#[i]

datain(j)[127:0]

datain(j)#[127:0]

dataout[i]

align[6:0] A

S

if it was low first

retain u

ntil d

elivery

mutex_for_all_j

ant1 / ant2 / con2

ant3 / ant5 / ant4 /

ant6 /

ant3: ck alignvalid drive[k] (bnksel=S) (align=A) mutex_for_all_j

ant1: ck alignvalid drive[k] (bnksel=S) (align=A) mutex_for_all_j

ant2: ck alignvalid dataout[i]

ant5: ck alignvalid drive[k]

con2: dataout#[i]



(k = i/32)

Fair Semantics:• bi-directional simulation over an arbitrary long interval

Complexity:• 9 variables in total• no variables for how to mask

Rephrase: if the high rail of a bit i is 1, then the low rail must be 0.

SummarySummary

STE Spec./

0 fix-point

Strong AG /

1 fix-point

Normal AG /

2 fix-points

Fair AG (-regular) /

fix-point 2

Coarse lattice

abstraction

Quaternary

abstraction

Finer lattice

abstraction

No

abstraction

Expressiveness /

Time Complexity

Completeness /

Space Complexity

STE

SGTE

NGTE

FGTE

Comparison with Classic ApproachComparison with Classic Approach

Similarities model described as M=(pre, post) model checking is some form of ‘reachability’ analysis

Differences clear distinction of antecedents and consequences lattice based simulation strategy, e.g., for circuits,

no expensive next state function or transition relation dynamic model abstraction

for-all semantics more comprehensive methodology

Perhaps …, this work provides a common framework for getting the best of both approaches

Future WorkFuture Work

Bring theory to practice efficient implementation debugging environment methodology development

Relationship with other formal methods efficient links from/to other temporal logics

GSTE for protocol verification ...

Incorporation of established abstraction techniques symmetry reduction uninterpreted function … ...

Backup Slide

STE: Quaternary Circuit ModelingSTE: Quaternary Circuit Modeling

Boolean {0, 1} to quarternary {0, 1, X, T} X - unknown, T - over-constrained

X 0 1 T

X

0

1

T

X

X

X0

0 00

0 1

T T T T

T

T

T

X 0 1 T

X

0

1

T

X

1

1X

X 10

1 1

T T T T

T

T

T X 0 1 T

X 01 T

full symbolic simulation quaternary symbolic simulation

abcd

mu

xx y

if !x&!y then v else Xif !x&y then v else Xif x&!y then v else X

mu

x

x y

if x&!y then v else X

6 variables 3 variables

Generalized Symbolic Trajectory Evaluation Jin Yang Strategic CAD Labs., Intel Architecture Group,...

Documents

Transcript of Generalized Symbolic Trajectory Evaluation Jin Yang Strategic CAD Labs., Intel Architecture Group,...