1
Predicate Abstraction and Refinement for Verifying Hardware Designs
Himanshu Jain
Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke
Appeared at Design Automation Conference (DAC) 2005
2
Outline
• Introduction
• Predicate Abstraction
• Abstraction and Refinement loop
• Experimental results
• Conclusion
3
Introduction
• Computer system design
  – Hardware: Verilog, VHDL, …
• Specification
  – circuit computes floating point division
  – program sorts an input array
4
Does my program work correctly?
• Testing
• Bugs in design
  – Ariane 5 explosion, cost $500M
  – Pentium floating point division bug, cost $400M
5
Formal Verification
• Act of proving or disproving the correctness of a system with respect to a specification
• Techniques
  – Theorem proving
  – Model Checking
6
An example
• Circuit for multiplication of two 32 bit numbers
State = (A, B, O)
State space = {(A, B, O)}
Size of state space = (2^32 × 2^32) × 2^64 = 2^128
[Figure: MULTIPLIER block with 32-bit inputs A and B and 64-bit output O]
7
Model Checking
• Performing exhaustive search of the state space of the design
[Figure: MULTIPLIER block with 32-bit inputs A and B and 64-bit output O]
For all A, B: (O == A × B)
8
[Figure: the model checker takes the Model (MULTIPLIER circuit with 32-bit inputs A, B and 64-bit output O) and the Specification (O == A × B); its outcome is either "Property holds" or "Bug found"]
9
Features of Model Checking
• No manual proofs
• Fast (compared to other rigorous methods such as theorem proving)
• Diagnostic counterexamples
  – Multiplier example: [A = 101, B = 2, O = 200]
10
Main Challenge
State Space Explosion Problem:
• Large state space
Much progress has been made on this problem!
• Abstraction
  – only focus on details needed to prove or disprove a given property
12
Hardware design
[Figure: design abstraction levels Gate level (netlists), Register Level, ……, System, Behavioral, with arrows marked "Ease of design increases" and "Formal verification support"]
Gate Level (netlist):
.model counter_cell
.inputs carry_in
.outputs carry_out
.names value carry_in _n2
.def 0
1 1 1
.names _n2 carry_out$raw_n1
- =_n2
.names value$raw_n3
0
.names _n6
0
.names value _n6 _n7
.def 0
0 1 1
1 0 1
.r value$raw_n3 value
0 0
1 1
….. (120 lines)
Register Level Verilog:
module counter_cell(clk, carry_in, carry_out);
input clk;
input carry_in;
output carry_out;
reg value;
assign carry_out = value & carry_in;
initial value = 0;
always @(posedge clk) begin
  // value = (value + carry_in) % 2;
  case (value)
    0: value = carry_in;
    1: if (carry_in == 0) value = 1; else value = 0;
  endcase
end
endmodule
13
Lack of verification support
[Figure: the same abstraction levels Gate level (netlists), Register Level, ……, System, Behavioral; the higher levels lack verification support]
Need techniques from software verification
Need automatic and scalable techniques
14
Software verification
• Predicate Abstraction
  – Developed by Graf and Saidi, 1997
• Verification of C programs (2000 onwards)
  – SLAM, Microsoft Research
  – MAGIC, CMU
  – BLAST, UC Berkeley
  – F-Soft, NEC Labs
15
Our contribution
[Figure: abstraction levels Gate level (netlists), Register Level, ……, System, Behavioral, with Predicate abstraction marked as our contribution]
16
Outline
• Introduction
• Predicate Abstraction
• Abstraction and Refinement loop
• Experimental results
• Conclusion
17
Abstraction
P (original program):
void main() {
  int i;
  i = 0;
  while (even(i)) { i++; }
  if (i == 0) ERROR:;
}
Property to check at the loop exit: assert(odd(i));

P’ (abstract program):
void main() {
  int i;
  i = *;
  while (even(i)) { i = *; }
  if (i == 0) ERROR:;
}
Property to check at the loop exit: assert(odd(i));

Throw away irrelevant details: P’ is a safe abstraction of P
18
Safe Abstraction
• Let P’ be a safe abstraction of P
• If P’ satisfies a property, then P satisfies it
• P’ can be much easier to verify than P
19
An example
Verilog program:
module main(clk);
input clk;
reg [2:0] x, y;
initial begin x = 1; y = 2; end
always @(posedge clk) begin
  x <= y;
  y <= x;
end
endmodule

Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
20
An example
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
Property:
assert (x == 1 ∨ x == 2)
[Figure: concrete state space with State: (x, y); the states (1, 2) and (2, 1) alternate, while the other states such as (0,0), (0,1), (7,6), (7,7) are never reached]
21
Predicate Abstraction
• Given a program and a set of predicates
• Abstracts data by keeping track of certain predicates
• Predicate abstraction is a safe abstraction
22
Predicate Abstraction
Property:
assert (x == 1 ∨ x == 2)
Initial set of predicates:
{x == 1, x == 2}
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
23
Computing Predicate Abstraction
Predicates {x == 1, x == 2} + Transition relation x’ := y; y’ := x
Abstract states are valuations of (x == 1, x == 2): (1,0), (0,0), (0,1), (1,1)
Is there an abstract transition (1,0) → (0,0)? SATISFIABLE
Plug in x = 1, y = 3, x’ = 3, y’ = 1
24
Computing Predicate Abstraction
Predicates {x == 1, x == 2} + Transition relation x’ := y; y’ := x
Is there an abstract transition (1,0) → (0,1)? SATISFIABLE
Plug in x = 1, y = 2, x’ = 2, y’ = 1
25
Computing Predicate Abstraction
Predicates {x == 1, x == 2} + Transition relation x’ := y; y’ := x
[Figure: abstract states (1,0), (0,0), (0,1), (1,1) with the transitions found]
26
Abstract Model
Hardware design:
registers x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
Property: assert (x == 1 or x == 2)
Initial set of predicates: {x == 1, x == 2}
[Figure: abstract model with states (1,0) (initial state), (0,0) (failure state), (0,1) and (1,1)]
27
Model checking
[Figure: model checking the abstract model with states (1,0) (initial state), (0,0) (failure state), (0,1) and (1,1)]
28
Model checking
[Figure: abstract model; the counterexample leads from the initial state (1,0) to the failure state (0,0)]
We need to check if this is a real bug in our hardware design
29
Outline
• Introduction
• Predicate Abstraction
• Abstraction and Refinement loop
• Experimental results
• Conclusion
30
Abstraction-Refinement loop
[Figure: abstraction-refinement loop. Verilog program → Predicate abstraction → Safe abstract model → Model checker (Verification); a Counterexample is passed to the Simulator, which reports either Bug found or Spurious counterexample]
31
Simulation
Counterexample in abstract model: (1,0) (initial state) → (0,0) (failure state)
Predicates := {x == 1, x == 2}
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
Simulate the counterexample on the design: first state (x == 1) ∧ ¬(x == 2), second state ¬(x’ == 1) ∧ ¬(x’ == 2)
Counterexample is spurious
32
Abstraction-Refinement loop
[Figure: abstraction-refinement loop. Verilog program → Predicate abstraction → Safe abstract model → Model checker (Verification); a Counterexample is passed to the Simulator, which reports Bug found or Spurious counterexample; a spurious counterexample goes to Refinement (Get new predicates), which feeds back into Predicate abstraction]
33
Recall
Abstract counterexample: (1,0) (initial state) → (0,0) (failure state)
Predicates := {x == 1, x == 2}
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
First state: (x == 1) ∧ ¬(x == 2); second state: ¬(x’ == 1) ∧ ¬(x’ == 2)
Value of x’ == 2 is not being tracked precisely
34
Refinement
• Find out predicates whose values are not tracked precisely in the abstract model
  – Example: x’ == 2
• Track values of these predicates precisely
35
Weakest pre-condition
• { ? } x := y + 1 { x == 9 }
• { (y + 1) == 9 } x := y + 1 { x == 9 }
• General rule: the weakest precondition of a postcondition under x := e is the postcondition with e substituted for x, written [x ← e]
36
Refinement
Weakest precondition of (x’ == 2) under x’ := y is (y == 2)
New predicate: y == 2 (its value needs to be tracked precisely)
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
37
Abstraction-Refinement loop
[Figure: the abstraction-refinement loop (Verilog program → Predicate abstraction → Safe abstract model → Model checker → Counterexample → Simulator → Spurious counterexample → Refinement: Get new predicates); the predicate set is now {x == 1, x == 2, y == 2}]
38
Abstraction-Refinement loop
[Figure: the abstraction-refinement loop (Verilog program → Predicate abstraction → Safe abstract model → Model checker → Counterexample → Simulator → Spurious counterexample → Refinement: Get new predicates); the predicate set is now {x == 1, x == 2, y == 2, y == 1}]
39
Abstract again
New abstraction
Predicates: {x == 1, x == 2, y == 1, y == 2}
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
Property: assert (x == 1 ∨ x == 2)
[Figure: abstract model with 16 states over (x == 1, x == 2, y == 1, y == 2); the initial state (1,0,0,1) and (0,1,1,0) are shown next to states such as (0,0,0,0), (0,0,0,1), (1,1,1,1)]
Next step: model check!
40
Abstract again
New abstraction
Predicates: {x == 1, x == 2, y == 1, y == 2}
Hardware design:
registers [2:0] x, y;
initial x = 1, y = 2;
Transition relation: x’ := y; y’ := x;
Property: assert (x == 1 ∨ x == 2)
[Figure: the 16-state abstract model; only the initial state (1,0,0,1) and (0,1,1,0) are reachable]
Property holds in abstract model!
Property holds!
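The complete loop from these slides, run on the 3-bit swap design above, as an added Python example (it is not the VCEGAR tool's code): predicate abstraction by enumerating the 64 concrete states instead of SAT queries, BFS model checking of the abstract model, simulation of the abstract counterexample by replaying it on the design, and weakest-precondition refinement of the imprecisely tracked predicates. The (register, value) predicate representation and the replay-based simulation (valid here because the design is deterministic with a fixed initial state) are assumptions of the example.

```python
from itertools import product
# Added example (not the VCEGAR tool's code): the slides' CEGAR loop on the 3-bit design x' := y; y' := x.
VALS = range(8)                                                   # 3-bit registers
INIT = {"x": 1, "y": 2}
ASSIGN = {"x": "y", "y": "x"}                                     # transition relation: x' := y; y' := x
step = lambda s: {r: s[src] for r, src in ASSIGN.items()}         # concrete next state
holds = lambda p, s: s[p[0]] == p[1]                              # predicate (r, v) means "register r == v"
alpha = lambda preds, s: tuple(int(holds(p, s)) for p in preds)   # abstract state: one bit per predicate
def abstract(preds):
    # a -> b is an abstract transition iff some concrete (s, s') with T(s, s') realises it; the slides
    # decide that with one SAT query per pair, here the 64 concrete states are simply enumerated.
    trans = {(alpha(preds, s), alpha(preds, step(s)))
             for s in ({"x": x, "y": y} for x, y in product(VALS, VALS))}
    return alpha(preds, INIT), sorted(trans)
def model_check(init, trans, is_bad):
    # BFS in the abstract model: returns a counterexample path, or None if the property holds.
    queue, seen = [[init]], {init}
    while queue:
        path = queue.pop(0)
        if is_bad(path[-1]):
            return path
        for a, b in trans:
            if a == path[-1] and b not in seen:
                seen.add(b); queue.append(path + [b])
    return None
def simulate(preds, path):
    # Simulation equation solved by replay (deterministic design, fixed initial state): returns
    # (abstract state, concrete state) at the first mismatch, or None if the bug is real.
    s = INIT
    for a in path:
        if alpha(preds, s) != a:
            return a, s
        s = step(s)
    return None
def refine(preds, a, s):
    # Predicates the abstract state got wrong are tracked imprecisely; the weakest precondition
    # of "r == v" under r' := ASSIGN[r] is "ASSIGN[r] == v", e.g. x' == 2 gives y == 2.
    return [(ASSIGN[r], v) for (r, v), bit in zip(preds, a) if bit != holds((r, v), s)]
def cegar(preds, is_bad, max_iter=10):   # -> ("holds" | "bug" | "unknown", predicates, iterations)
    for it in range(1, max_iter + 1):
        init, trans = abstract(preds)
        cex = model_check(init, trans, is_bad)
        if cex is None:
            return "holds", preds, it
        mismatch = simulate(preds, cex)
        if mismatch is None:
            return "bug", preds, it
        preds = preds + [p for p in refine(preds, *mismatch) if p not in preds]
    return "unknown", preds, max_iter
PREDS0 = [("x", 1), ("x", 2)]            # initial predicates from the slides
BAD = lambda a: a[0] == 0 and a[1] == 0  # failure state of assert(x == 1 or x == 2)
```

Starting from {x == 1, x == 2}, `cegar(PREDS0, BAD)` adds y == 2, then y == 1, and proves the property in the third iteration, the same sequence the slides walk through.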
41
Overall verification flow
[Figure: overall verification flow. Verilog program → Predicate abstraction → Safe abstract model → Model checker (Verification) → Property holds; a Counterexample is passed to the Simulator, which reports Bug found or Spurious counterexample; a spurious counterexample goes to Refinement (Get new predicates), which feeds back into Predicate abstraction]
42
Outline
• Introduction
• Predicate Abstraction
• Abstraction and Refinement loop
• Experimental results
• Conclusion
43
Implementation
• These techniques have been implemented in the VCEGAR tool
• Inputs to the tool
  – Register Level Verilog description
  – Safety property (like an assert statement)
• Output
  – Property holds
  – Counterexample (real bug in design)
44
Experimental results
Benchmark   #States   VCEGAR time   #Preds/#Iter   Cadence SMV (previous work)
ICRAM2KB    2^16427   450.7s        3/8            25s
ICRAM4KB    2^32796   843.3s        3/8            too many state elements
ARITH200    2^402     9.6s          3/3            2147s
ARITH500    2^1002    32.2s         3/3            timeout
ARITH1000   2^2002    122.6s        3/3            timeout
45
Experimental results (VIS benchmarks)
Benchmark         #States   VCEGAR time   #Predicates   #Iterations
cache coherence   2^43      49s           25            9
mpeg decoder 1    2^567     29s           9             3
usb_phy           2^50      104s          47            22
ethernet          2^91      15s           30            15
SDLX              2^41      139s          43            30
ITC99_b12         2^125     188s          32            23
46
Outline
• Introduction
• Predicate Abstraction
• Abstraction and Refinement loop
• Experimental results
• Conclusion
47
Conclusion
• Abstraction is key to make verification scale
  – Throw away irrelevant details
• Predicate abstraction
  – Eliminates data
  – Keeps track of certain predicates
• Abstraction and refinement loop
  – Automatically refine the abstraction when necessary
48
Conclusion: our contribution
[Figure: abstraction levels Gate level (netlists), Register Level, ……, System, Behavioral; our contribution is predicate abstraction and refinement for Hardware Design]
49
Future work
• Finding right predicates
• Efficient predicate abstraction computation
• Asynchronous hardware designs
51
Example for Predicate Abstraction
C program:
void main() {
  int i;
  i = 0;
  while (even(i)) { i++; }
  if (i == 0) ERROR:;
}
Property: assert(i != 0);

Predicates: p1 ≡ (i = 0), p2 ≡ even(i)

Abstract model:
void main() {
  bool p1, p2;
  p1 = TRUE; p2 = TRUE;
  while (p2) {
    p2 = !p2;
    if (p1) { p1 = false; } else { p1 = *; }
  }
}
Property: assert(!p1);
52
Challenges
• How to get the right set of predicates automatically
• How to compute the predicate abstraction
53
Making it work in practice
• Computation of predicate abstraction
  – Handling of a large number of predicates
With 50 predicates there can be 2^100 predicate relationships!!
54
Predicate Partitioning
Current state predicates: p1 := x = 100, p2 := x = 200, p3 := y = 100, p4 := y = 200
Transition relation: x’ := y; y’ := x
Next state predicates: p’1 := x’ = 100, p’2 := x’ = 200, p’3 := y’ = 100, p’4 := y’ = 200
Partition:
  {p1 := x = 100, p2 := x = 200} + y’ := x + {p’3 := y’ = 100, p’4 := y’ = 200}
  ∧
  {p3 := y = 100, p4 := y = 200} + x’ := y + {p’1 := x’ = 100, p’2 := x’ = 200}
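The partition above, as an added Python example (not VCEGAR's code) that computes both the monolithic abstract transition relation over all eight predicates and the conjunction of the two partition relations; the 8-bit register width is an assumption. For this design the two agree exactly because x’ depends only on y and y’ only on x, while in general dropping cross-partition constraints can only add abstract transitions.

```python
from itertools import product
# Added example (not VCEGAR's code): predicate partitioning for x' := y; y' := x with 8-bit registers
# (width assumed) and the slide's predicates p1: x = 100, p2: x = 200, p3: y = 100, p4: y = 200.
VALS = range(256)
PX, PY = [100, 200], [100, 200]                             # constants of the x- and y-predicates
bits = lambda v, consts: tuple(int(v == c) for c in consts)  # e.g. bits(100, PX) == (1, 0)

def monolithic():
    # Abstract relation over all 8 predicates, laid out as (p1 p2 p3 p4 p1' p2' p3' p4'), by
    # enumerating every concrete (x, y) and its successor (x', y') = (y, x). Deciding it directly
    # means checking 2^8 candidate relationships.
    return {bits(x, PX) + bits(y, PY) + bits(y, PX) + bits(x, PY) for x, y in product(VALS, VALS)}

def partition_x_next():
    # x' := y only ties the y-predicates to the x'-predicates: relation over (p3 p4 p1' p2').
    return {bits(y, PY) + bits(y, PX) for y in VALS}

def partition_y_next():
    # y' := x only ties the x-predicates to the y'-predicates: relation over (p1 p2 p3' p4').
    return {bits(x, PX) + bits(x, PY) for x in VALS}

def conjoin(rel_x_next, rel_y_next):
    # Partitioned abstraction = conjunction of the two partition relations, re-assembled into the
    # layout (p1 p2 p3 p4 p1' p2' p3' p4'); only 2 * 2^4 candidate relationships had to be decided.
    return {b[:2] + a[:2] + a[2:] + b[2:] for a in rel_x_next for b in rel_y_next}
```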
55
• Counterexample in the abstract model
  – ⟨1, 0⟩ → ⟨0, 0⟩ (length = 1)
  – Each state is a valuation of ⟨x = 100, x = 200⟩
Simulation of the counterexample
Simulation equation: (initial values of the registers) ∧ (predicate values in the first state of the counterexample) ∧ (transition relation) ∧ (predicate values in the second state of the counterexample)
The equation is unsatisfiable, so the counterexample is spurious