Forgetting. Encoding Failure Encoding failure Encoding Failure Encoding failure.
Sequential Encoding for Relational Analysis (SERA)
description
Transcript of Sequential Encoding for Relational Analysis (SERA)
November 2005
Sequential Encoding for Relational Analysis (SERA)
Fadi Zaraket, Sarfraz Khurshid, Adnan Aziz
Validation and Verification of Software
2
Outline
Review of model checking with Alloy
Finitization into a SAT problem
Review of transformation based verification (TBV)
Alloy SAT instances and TBV
Sequential encoding of Alloy
Less variables, more TBV transforms
Results
Conclusion
3
Alloy model checking
Alloy model
sig id {…}sig license extends id {…} sig passport extends id {…}…
Environment:fact { passport in license}
Properties:
predicate valid() {…}predicate ……assert IntelAgentsKnowAllValidPeople for 5
compile, synthesize
SAT CNF netlist !
Graph<Vertices,Edges,Targets,Constraints>Vertices [input, NOT, OR, AND]
Edges: inputs [NOT, OR]OR [AND]AND [AND]No combinational cycles
Targets ½ Vertices Constraints ½ Vertices
Verify: targets never true while constraints hold
4
Problem Under Consideration
Design RTL: vhdl, verilog, …
decl name (inputs, outputs, bidi, generic)begin….end
Environment: input constraintsannotated vhdl or verilog, sugar, PSL, CTL, LTL
stmnt1( inputs)….stmntN(inputs)
Properties: safety, liveliness, [correctness, progress,...]annotated vhdl or verilog, sugar, PSL, CTL, LTL, …equiv1( inputs, outputs), ….assertN(inputs, outputs)
Compilers, Synthesizers, Optimizers
Netlist !
Graph<Vertices,Edges,Targets,Constraints>Vertices [input, register, NAND]Edges: Vertices Vertices
no combinational cycles
Register:Gate next state functionGate initial value function
Targets ½ Vertices Constraints ½ Vertices
Verify: Targets never true while constraints hold
5
Tree example
A tree is a non-empty undirected graph
connected and acyclic
connected and |edges| == |vertices| -1
acyclic and |edges| == |vertices| -1
connected and if one edge removed then not connected
acyclic and if one edge added then cyclic
All the 5 statements are equivalent
6
Tree modelsig V { E: set V } { some V }fact undirected { E = ~E}
pred inCycle(v: V, c: V -> V) { v in v.c || some v': v.c | v' in v.*( c - (v -> v') - (v' -> v) )}
pred aCyclic() { all v: V | ! inCycle(v, E)}pred cyclic(c: V->V){ some v : V | inCycle(v, c)}
pred connected(c: V->V) { all v1, v2 : V | v2 in v1.*c}
pred connectedAndAcyclic() { connected(E) and aCyclic()}pred connectedAndCardinality() { connected(E) and (#E = #V + #V - 2) }
assert equivalentStatements { connectedAndAcyclic() iff connectedAndCardinality() }
check equivalentStatements for 5
7
Alloy semantics
Relational first-order (FO)
No nested relations
quantifiers
propositional logic
Types are sets
relations are also sets
Finitization
scope makes model finite
8
Alloy encoding [Jackson SIGSOFT’00]
Each relation is encoded into a bit-matrix
R(i,j) == 1 iff R: ai 2 A bj 2 B
quantifiers are folded with conjunction (8) or disjunction (9)
expression mapped to tree of parameterized matrices of Boolean formulas
9
Alloy encoding (continued)
Environment binds quantified variables only
Transitive closure: quadratic expansion
Variables and CNF clauses: doubly exponential in terms of scope and highest arity
10
Outline
Review of model checking with Alloy
Finitization into a SAT problem
Review of transformation based verification (TBV)
Alloy SAT instances and TBV
Sequential encoding of Alloy
Less variables, more TBV transforms
Results
Conclusion
11
Transformation-based verification (TBV) - 1
Formal verification (FV) very powerful at exposing design flaws
increasing industrial acceptance of automatic FV technologies
Significant gap between industrial design sizes and FV capacity
formal analysis generally requires exponential resources
invariant checking: PSPACE – complete
induction: NP – complete, often inconclusive
semi-formal: NP – complete, falsification only
12
TBV - 2
Large designs pose verification challenges
Numerous polynomial-time transforms to reduce size
retiming, constant propagation, redundancy removal…
resource-bounded BDD and SAT-based abstractions• localization refinement, parametric re-encoding,…
TBV [Kuehlmann and Baumgartner, CAV’01]
synergistically leverage various transformation algorithms
iteratively simplify and decompose large problems
encapsulate into engines that interact via modular API
13
RET: retiming example
Move registers backward/forward to reduce their count
synthesis: can not retime R1 and R2 with incompatible initial states
FV: no need to preserve i/o if we preserve the property checked
synthesis: can only realize backward constraints
FV: symbolic verification can accept negative registers
14
Localization (LOC) or predicate abstraction
Overapproximate behavior of the netlist and search
Target not reachable: proof
Counterexample: apply it to original netlist
• If actual: bug found• If spurious: refine and try again
T2
T1
T2
T1
T2
T1
localizespurious: refine
abstract verify
counter exampleapply to original unreachableProof
15
TBV typical iterative flow:
Iterative predicates generated by previous runs of CMSA
Illustrates power of bit-level partitioning
Redundancyremoval
Retiming
Semi-formal search
Re-parameterization
Results p1
4,598 registers8,543 inputs
CMSA
Redundancyremoval
Redundancyremoval
CMSA
8,342 registers9,763 inputs
6,722 registers8,783 inputs
Netlist RING(120,000 registers, 20,000 inputs)
Results p2
Results p3
Results p6
Results p7
11 components173
representatives
12 components241
representatives
16
SAT model
SAT returns assignments to Boolean variables
Berkmin, MCHAFF, ZCHAFF, RELSAT
map assignments back to Alloy model• If no assignment exists, we have a proof within the scope
Pass CNF to TBV
combinational only: limited number of engines• redundancy removal, localization, parametric re-encoding
decision: circuit SAT
17
Results: combinational SAT vs. TBV
18
Outline
Review of model checking with Alloy
Finitization into a SAT problem
Review of transformation based verification (TBV)
Alloy SAT instances and TBV
Sequential encoding of Alloy
Less variables, more TBV transforms
Results
Conclusion
19
Sequential encoding
Use less variables to encode the problem
trade complexity in space for complexity in time
use sequential encoding
Existence vectors and production machines
atom: register index over a specialized existence vector
relation: index = encode (<atom>, <atom>)
boolean operators: propositional statements
formulas: finite state production machines
Basic atoms and relations can be randomly initialized to any state
20
Difference between sequential netlists and FSM
2/3 bit write enabled buffer and simplified FSMs
Arcs omitted in 3 bits, labels omitted in both
Sequential netlist often more succinct than FSMs
21
SERA component (production machine)
Inputs: [Y: index, T: relational data, C: control]
Outputs: [B: predicate, M: membership, N: cardinality, Q: validity, queries]
State registers: [X: membership, K: cardinality, U: validity]
next state function: , initial values: primary inputs
22
SERA component
States: {invalid, productive, done, idle}
Memory: existVec[ index(<atom, …>)]
Cardinality: simple priority encoder
counter may be needed in some cases
Control: {start, valid-input, reset}
Boolean predicate: 2, Æ, 9, 8, …
Compositional input: access to [memory, cardinality, predicate] of other components
2[.] Priority
State
counter
start index
accessvalidcardinality
23
Summary table for sequential encoding
24
Example: statement3 with a scope of 2
Pred: (all v1, v2 : V | v2 in v1.*c) and (#E = #V + #V – 2)
Two universal quantifier machines one contained in the other
Starts two V machines and gets two V atoms as indexes per step•Early termination: one valid false is enough to terminate
25
Statement3 executed
26
Example (continued)
Transitive closure (TC): v2 in v1.*c
Alloy rewrites as: <v1,v2> 2 *C
compositional access to the relation C
use iterative squaring and achieve logarithmic encoding• C0 = C• Cn+1 = ( Cn : Cn )[ Cn
Membership is valid after log(n)
function of C and log(n) local memory state variables
counter stores cardinality: avoids complex logic that checks total membership
usually drops with COI reductions since cardinality of TC is rarely checked
Kleene-star operation
27
Transitive-closure optimization
v2 in v1.*c Alloy rewrites as: <v1,v2> 2 *C
advantage: only one big quadratic machine
Subset C into T = v1.C and check v2 2 T
disadvantage: multiple smaller quadratic machines
early termination: may not need them all
redundancy: exploited well by TBV
may as well reuse some of them if one production is guaranteed to finish before the others
28
Set operators
Union: ordered sequential traversal of two machines
use unique order for variables: no duplicates
default: the order sigs appeared in the formula
Intersection: add a delay to preserve order
Complement: flag all compositional input
produce indexes with no flag
Subtract: implement with intersect and complement
Maybe interesting for redundancy: all these operations can be done by complement and transitive closure
29
Transpose operator
Challenge since it forces a change of variable ordering
SERA rewrites the formula and pushes the transpose in the relation
Conflicts may occur, example E = ~E
append a duplicate atom
add a target that indicates the equivalency of the added atom
redundancy removal will take care of it later
30
Predicates and propositional operators
Boolean operators trivial implementation:
the same Boolean construct with a valid state propagation
one valid truth is enough to propagate an OR
one valid false is enough to propagate an AND
Predicates generated from:
Boolean operators: Æ, Ç, !
8: fold(e, Æ) and 9: fold(e,Ç) with early termination
2: existsVec[index(atom, …)]
[=, <, >] integer comparison: finitized into atoms in Alloy • Alternative: we may use regular ring arithmetic
31
2[.
]P
riorit
y
Sta
te
counter
star
tin
dex
acce
ssva
lid card
inal
ity
2[.
]P
riorit
y
Sta
te
counter
star
tin
dex
acce
ssva
lid card
inal
ity
2[.
]P
riorit
y
Sta
tecounte
r
star
tin
dex
acce
ssva
lid card
inal
ity
2[.
]P
riorit
y
Sta
te
counter
star
tin
dex
acce
ssva
lid card
inal
ity
32
Implementation details
Limit scope to powers of two
Simplify counter logic used for indexing
Type determination is limited to a shift operation
Static analysis is now enough to determine the needed width of a tuple in a relation
Only one scope is allowed
Simplifies membership of types into a simple range check
No loss of generality: pick the highest
33
Implementation details
Constrain initial states
False initial bits in existence vectors are always MSB
A simple priority encoder is enough to detect the cardinality
No loss of generality since it does alter the order of existing variables
Optimize relations and transitive closures using facts
fact {E = ~E}: only half of the matrix is meaningful
34
Less variables and more transforms
Sequential encoding can be automated
Less variables and yet better: more TBV power
more cycles: may affect the complexity of the counter example
can be handled by BMC based counter example optimization techniques
Use sequential transforms
sequential equivalence, semi-formal search, target enlargement, compositional minimization, generalized retiming, bounded model checking…
Expert system is not an Alloy expert yet.
may get better in some time
35
Experimental Results
As expected localization and minimization played a big role in proofs
Semi-formal search significant in fast counter example generation
36
Conclusion
Reviewed Alloy and TBV
compared SAT with TBV on Alloy models
Automated sequential encoding of Alloy
enables TBV power
Less variables and more transforms
allowed us to scale our scopes up to 32 where Alloy Analyzer was limited to 7
Future work:
mutation is more native: add native next state construct?
detect a scope that is enough to complete proof
37
?/!