1 / 46

Generalized Symbolic Trajectory Evaluation

This paper by Jin Yang from Intel presents an overview of the Symbolic Trajectory Evaluation (STE) methodology, emphasizing its role in hardware verification. The STE technique, a lattice-based model checking technology, leverages symbolic simulation to enhance verification capacity and automation. The paper highlights successful industrial applications across major companies like Intel and Motorola, detailing case studies such as floating-point arithmetic units and memory units. Challenges in extending the expressiveness of STE while maintaining efficiency in model checking are discussed, alongside potential solutions to improve its applicability.

keira
Télécharger la présentation

Generalized Symbolic Trajectory Evaluation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Generalized Symbolic Trajectory Evaluation Jin Yang Strategic CAD Labs., Intel Architecture Group, Intel Corporation jin.yang@intel.com Feb., 2001

  2. Who Are We? • SCL - A CAD Research Organization within Intel • research & transfer new design technologies vital to Intel’s future product lines in the areas of • logic verification  PV/PD  Synthesis • composed mostly of Ph.D.s with various academia and industrial backgrounds • Logic Group • fundamental and applied FV researches in the areas of • model checking, theorem proving, HLM, abstraction, ... • datapath FV, processor FV, system level FV, protocol, … • 7 Ph.D.s / 2 M.S. • Close relation with Academia • SRC funding, mentoring, internship, visiting professors

  3. Overview • Motivation • Specification in GSTE • Model Checking under Strong Semantics • Model Checking under Normal Semantics • Model Checking under Fairness • w-regular equivalent • (G)STE and Abstract Interpretation • Two Case Studies

  4. STE : the Success Story • STE - Symbolic Trajectory Evaluation • a lattice-based model checking technology based on a form of symbolic simulation (Seger & Bryant) • proven high capacity with a high degree of automation • a comprehensive methodology • Active Industrial Usage in Hardware Verification • Intel • floating point arithmetic unit against IEEE 754 • length decoder unit with 12,000 gates and 1100 latches • Motorola • memory units with million transistors • IBM • processor units at abstract level

  5. ck 100 100 100 a c ck e f a[99:0] A[99:0] B[99:0] b d b[99:0] c[99:0] A+B antecedent consequent STE: Simple Specification • Normalized basic STE assertion A1 & N( A2 ) & … & Nk-1(Ak ) ==> C1 & N( C2 )&…& Nk-1( Ck ) • e.g. ( !ck & a[99:0]=A[99:0] & b[99:0]=B[99:0] ) & N( ck ) & N2( !ck ) & N3( ck ) ==> N3( c[99:0]=A[99:0]+B[99:0] )

  6. ck a[99:0] A b[99:0] B next state defining value for all i, id[[Ci ]] ? A A c[99:0] d[99:0] B B e[99:0] A+B A+B f[99:0] A+B STE: Sim.-based Model Checking • Phase 1: Simulation 1 = d[[ A1 ]], 2= d[[ A2 ]] next(1), …, k= d[[Ak]] next(k-1) • Phase 2: Checking

  7.  X X 0 0 1 1 T T  X 0 1 T X X X 0 X 1 T T X X X 1 0 T X 0 0 0 0 1 T T 0 0 X 1 1 0 1 1 T T 1 1 T T T T T T T T T T STE: Quaternary Circuit Modeling • Work on quarternary {0,1,X,T} instead of boolean {0,1} • X - unknown, T - over-constrained • e.g. only 200 boolean variables are used in the adder, although the circuit has 500 state or input elements

  8. 64 64 64 100 100 100 ck ck a c a en e f en +1 b d en b stall STE: Limitation • Very limited expressiveness • what about stall? • stall causes arbitrary long latency • what about backward analysis? • simulation is forward in nature • Challenge • extend expressiveness without losing STE-style model checking efficiency and verification methodology (a=ptr) ==> (b = ptr+1)

  9. s2 s4 s1 s3 s5 s1, s2, s4, s5, s4, s5, ... s2, s4, s5, s4, s5, ... s4, s5, s4, s5, ... s1, s3, s5, s4, s5, s4, ... s3, s5, s4, s5, s4, ... s5, s4, s5, s4, ... Model • State transition on S R(S, S) • every state is initial • no deadlock • Transition-induced model M=(pre, post) • pre(Si) = {s | s’Si.R(s,s’) } • post(Si) = {s’ | sSi.R(s,s’) } • Trace s1, s2, …, si, si+1, … • si+1 post({si}), • and hence si pre({si+1})

  10. s2 s4 s1 M s3 s5 cons: {s4} 2 ant: {s2} 1 3 cons: {s5} * all trivial antecedents and consequences are ignored Assertion Graph: An Example Property 1 • If the system is in state s2, then it will be in state s4 and state s5 alternatively.

  11. Assertion Graph: Formal Definition • Assertion graph G = (V, vI, E, ant, cons) • V - set of vertices • vI - the initial vertex • E - set of edges (each vertex has 1 outgoing edges) • ant - map each edge to a set of states (or equivalently a state predicate) called antecedent • cons - map each edge to a set of states (or equivalently a state predicate) called consequent * first proposed by Seger and Beatty * path: a sequence of consecutive edges from the initial vertex

  12. s2 s4 s1 M s3 s5 cons: {s4} ant: {s2} 2 1 cons: {s5} 3 s1 s2, s4 Strong (original STE) Semantics Trace satisfies path  under L,  |=L: for every 1i ||,(i) L((i)). Model Mstrongly satisfiesG,M ||= G: for every finite path , for every finite trace ,  |=ant   |=cons  First proposed by Jain and clarified by Chou ||= trace 1: trace 2:

  13. s2 s4 s1 M s3 s5 Step cons: {s4} 3 1 2 { } 1 {s2} ant: {s2} { } 2 {s4} { }  S  post({s2}) S  post({}) 1 cons: {s5} { }  S  post({s4}) {s5} 3 {s2} {s4} 3 4 {s2} {s4} {s4}  post({s2})  post({s5})    Model Checking Strong Satisfiability • Phase 1: build simulation relation from edges to state sets ||= 2 {s2} { } {s5} • Phase 2: check consequences

  14. SMC(M, G) 1. if e is from vI sim(e) := ant(e), else sim(e) := F. 2. repeat until fix-point: for every edge e, sim(e) := sim(e)  ( (post(sim(e-)  ant(e)))). e -  in(e) 3. return T if for every edge e, sim(e)  cons(e), return F otherwise. * first proposed by Jain and clarified by Chou Model Checking Strong Satisfiability Theorem: SMC(M, G)  M ||= G

  15. s2 s4 s1 M s3 s5 cons: {s1} ant: {s2} 3 1 2 s3 s5 trace:   Ant. Cons. The property would fail because the antecedent failed after the consequence failure! Limitation of Strong Semantics Property 2 • If the system is in state s2, it must have been in s1 at the previous time.

  16. s2 s4 s1 M s3 s5 cons: {s1} ant: {s2} 3 1 2 s3, s5, … ... trace: Normal Semantics Model MsatisfiesG,M |= G: for every infinite path , for every infinitetrace ,  |=ant   |=cons  ||=

  17. transform G’ = (V, vI, E, ant’, cons) G = (V, vI, E, ant, cons) Model Checking Normal Satisfiability • Approach - Reduce to Strong Satisfiability s.t., M |=G  M |= G’ M |=G’  M ||= G’ (future independent) Future Extensibility Condition G’ is future extensible on M: for every edge e, for every state s in ant’(e), there is an inf. e-path , an inf. trace from s ,  |=ant’

  18. s2 s4 s1 M s3 s5 cons: {s1} ant: {s2} 3 1 2 1 2 3 Step 2 S 1 S {s2} S S  pre({s2}) {s1} {s2} {s2}  pre(S)    Model Checking Normal Satisfiability • Phase 1: strengthen antecedents backward ||= • Phase 2: check strong satisfiability

  19. Theorem: NMC(M, G)  M |= G Model Checking Normal Satisfiability NMC(M, G) 1. repeat until fix-point: for all edge e, ant(e) := ant(e)  (  (pre(ant(e+)))). e+  out(e) 2. call SMC(M, G)

  20. s2 s4 s1 M’ ant: S - {s4,s5} ant: {s4} s3 s5 3 1 2 cons: {s2} 4 ant: {s4,s5} trace: s3, s5, s5, … ... The property would fail because an undesired path is examined! Limitation of Normal Semantics Property 3 • If the system is in state s4, then at the last time when it was neither in s4 nor s5, it must have been in s2.

  21. s2 s4 s1 M’ ant: S - {s4,s5} ant: {s4} s3 s5 3 1 2 cons: {s2} 4 ant: {s4,s5} Theorem: (w-regular equivalence) every det. Streett automaton has an equivalent fair assertion graph Assertion Graph with Fairness Fairness condition: • fair edge sets: E = {E1, E2, …, Ek} • a fair path visits each Ei infinitely often Model Mfairly satisfiesG underE,M |=E G: for every fair infinite path , for every infinite trace ,  |=ant   |=cons  ||=

  22. ant: S - {s4,s5} ant: {s2} ant: {s4} ant: {s4} cons: {s2} cons: {s2} ant: {s4,s5} ant: {s4}  Model Checking Fair Assertion Graph • More of the same... - Reduce to Strong Satisfiability Fair Extensibility Condition G’ is fairly extensible on M: for every edge e, for every state s in ant’(e), there is an inf. faire-path , an inf. trace from s ,  |=ant’

  23. FMC(M, G, E) 1. repeat until fix-point: 2. for each fair edge set Ef in E, 3. build backward simulation relation towards Ef; 4. G := replace the antecedents in G with the simulation relation; /* future extensible to Ef*/ 5. call SMC(M, G). Theorem: FMC(M, G, E)  M |=E G Model Checking Fair Assertion Graph

  24. Ex 1. T G R Y  Relevant Lattice Concepts Finite Complete Lattice (L, ) • L - finite set of points • - partial order relation: • p1 p2 if p1 is less uncertain than p2 • T - top element •  - bottom element Ex 2. (2S,  ) - subset lattice • S - top element • {} - bottom element Note: we use an partial order relation consistent with 

  25. T G R Y  post pre R, Y, G, G, ... R, T, T, T, ... T, Y, G, G, ...    T, T, T, T, ...  Extend Model to Lattice Model M = (pre, post) • pre, post: L  L (monotonic) • post(p) =   p =  • for every p in L, p pre(post(p)) * STE model is a special case where • pre(p) = T for every p. Trajectory p1, p2, p3, …, pi, pi+1, … • pi+1 post(pi), pi pre(pi+1) • pi   * a trajectory captures a set of traces

  26. T G R Y |=  post cons: G ant: Y pre Semantic Extension • trajectorysatisfies pathunder L: for every i,(i)L((i)). • Satisfiability definitions remain the same except working on trajectory satisfiability ant cons R, Y, G, ...   Y, G, G, ...   Extend Assertion Graph to Lattice Assertion Graph G=(V, vI, E, ant, cons) • extend ant, cons:E 2Sto E  L

  27. Main GSTE Results on Lattice • Extended Model Checking Algorithms: *GSTE • by generalizing  ,  ,  in *MC to, , • GSTE Theorems • strong semantics: SGSTE(M, G)  M ||= G • normal semantics: NGSTE(M, G)  M |= G • fairness: FGSTE(M, G, E)  M |=E G • Incompleteness • lose information when using coarse lattice • but gain efficiency

  28. {S1, S2, S3 , S4, S5} T ... ... ... {S2, S3} ... {S4, S5} ... G R Y {S1} {S3} {S4} {S5} {S2}  { } Abstract Interpretation Concepts • Abstraction of (L, ) - Galois insertion (La, a) abstraction function :L La, such that • (T) = Ta, (p) = a iff p = , •  is onto, anddistributive

  29. {00,01,10,11} XX {00,01,10} {00,01,11} {00,10,11} {01,10,11} 0X X0 X1 1X {00,01} {00,10} {00,11} {01,10} {01,11} {10,11} 00 01 10 11 {00} {01} {10} {11} T { } The Quaternary Abstraction • From boolean domain to quaternary domain two variable boolean domain: two variable quaternary domain:

  30. s2 s4 s1 s3 s5 post pre T M G R Y  Model Abstraction Abstraction of Model M=(pre, post) Ma=(prea, posta) • (pre(p)) a prea((p)) • (post(p)) a posta((p))

  31. Abstraction in GSTE • Abstraction theorem If G is consequence preserving i.e., -1((cons(e))) = cons(e) for all edge e, then • strong semantics Ma ||= Ga M ||= G • normal semantics Ma |= Ga M |= G • fairness Ma |=E Ga M |=E G

  32. G, M on (L, ) Check the consequence against the concretized simulation relation Ga, Ma on (La, a) Perform antecedent strengthening and simulation relation building on Ga,Ma Concretize the simulation result Abstraction in GSTE • GSTE using Abstraction: a*GSTE(M, G) • when G is not consequence preserving Theorem: 1. strong semantics: aSGSTE(M, G)  M ||= G 2. normal semantics: aNGSTE(M, G)  M |= G 3. fair semantics: aFGSTE(M, G, E)  M |=E G

  33. 128 bank0 bank1 bank2 bank3 128 128 128 128 128 datard3 datard2 datard0 datard1 memory block Case Study: A Memory datainbypass 128 alignmask block dataout datawr addr[9:8] bnksel[1:0] 4 addr[9:0] we end[4:0] drive[4:0] ck begin[4:0] align[7:0] 4 banks * 256 entries/bank * 128 bits / entry = 128K bits

  34. ck we addr[9:0] A A datawr[127:0] D drive[3:0] V No write to the same address align[6:0] R begin[3:0] B end[3:0] E dataout[127:0] O we  (addr=A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Specification • Correctness Statement: always read from a cell the most recently written data write phase read cycle hold phase

  35. 128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass D[127:0] 128 alignmask block dataout datawr A[9:0] 4 addr[9:0] we 1 end[4:0] drive[4:0] begin[4:0] align[7:0] ck

  36. bank[i].row[j] = D, if A=i*256+ j X, otherwise 128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass 128 alignmask block dataout datawr 4 addr[9:0] we end[4:0] drive[4:0] begin[4:0] align[7:0] ck

  37. bank[i].row[j] = D, if A=i*256+ j X, otherwise 128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass 128 alignmask block D dataout datawr A 4 addr[9:0] we 0 end[4:0] drive[4:0] begin[4:0] align[7:0] ck

  38. 128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass 128 alignmask block dataout datawr mask(align(drive(D, V), R, B, E) A 4 addr[9:0] we 0 end[4:0] drive[4:0] begin[4:0] align[7:0] ck

  39. GSTE vs. STE and Classic MC • GSTE • complete black-box verification • complexity - 128K bits • 157 variables used in assertion graph • finished in 833 seconds • STE • requires open-up of the memory • requires three STE assertions for write, retain and read • Classic MC • state explosion under any variable order

  40. datainbypass 128 mask mux predischarge mux 128 select, precharge, and mux align 128 128 128 128 128 datain2 dataout datain3 datain0 datain1 4 4 7 4 2 qclk all 0’s bnksel buspch align drive begin end alignvalid hit# ck Case Study: An AlignMask Module dual-rail

  41. ck alignvalid if it was low first drive[i/32] ant1 / ant2 / con2 bnksel[1:0] S ant5 / ant3 / align[6:0] A ant4 / datain(j)[127:0] ant1: ck  alignvalid  drive[k]  (bnksel=S)  (align=A)  mutex_for_all_j mutex_for_all_j retain until delivery ant6 / datain(j)#[127:0] dataout[i] ant2:  ck  alignvalid dataout[i] dataout#[i] ant3: ck  alignvalid  drive[k]  (bnksel=S)  (align=A)  mutex_for_all_j ant4:  ck  alignvalid  drive[k] ant5: ck  alignvalid  drive[k] ant6: ck  alignvalid  drive[k] con2:  dataout#[i] (k = i/32) Prop: Two Rails Must be Weak Mutex • Fair Semantics: • bi-directional simulation over • an arbitrary long interval • Complexity: • 9 variables in total • no variables for how to mask Rephrase: if the high rail of a bit i is 1, then the low rail must be 0.

  42. Summary Expressiveness / Time Complexity Fair AG (w-regular) / fix-point 2 FGTE Normal AG / 2 fix-points NGTE Strong AG / 1 fix-point SGTE STE Spec./ 0 fix-point STE Completeness / Space Complexity Coarse lattice abstraction Quaternary abstraction Finer lattice abstraction No abstraction

  43. Comparison with Classic Approach • Similarities • model described as M=(pre, post) • model checking is some form of ‘reachability’ analysis • Differences • clear distinction of antecedents and consequences • lattice based simulation strategy, e.g., for circuits, • no expensive next state function or transition relation • dynamic model abstraction • for-all semantics • more comprehensive methodology • Perhaps …, this work provides a common framework for getting the best of both approaches

  44. Future Work • Bring theory to practice • efficient implementation • debugging environment • methodology development • Relationship with other formal methods • efficient links from/to other temporal logics • GSTE for protocol verification ... • Incorporation of established abstraction techniques • symmetry reduction • uninterpreted function • … ...

  45. Backup Slide

  46.  X X 0 0 1 1 T T  X 0 1 T X X X 0 X 1 T T X X X 1 0 T X 0 0 0 0 1 T T 0 0 X 1 0 1 1 1 T T 1 1 T T T T T T T T T T if !x&!y then v else X a if !x&y then v else X mux b mux if x&!y then v else X c if x&!y then v else X d x y x y STE: Quaternary Circuit Modeling • Boolean {0, 1} to quarternary {0, 1, X, T} • X - unknown, T - over-constrained full symbolic simulation quaternary symbolic simulation 6 variables 3 variables

More Related