1 / 56

Randal E. Bryant

Symbolic Simulation and its Connection to Formal Verification. Randal E. Bryant. Carnegie Mellon University. http://www.cs.cmu.edu/~bryant. SymSim ‘02. a. b. Symbolic Simulation. Idea Encode set of values symbolically Evaluate system operation over these values Effect

salena
Télécharger la présentation

Randal E. Bryant

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Symbolic Simulation and its Connection to Formal Verification Randal E. Bryant Carnegie Mellon University http://www.cs.cmu.edu/~bryant SymSim ‘02

  2. a b Symbolic Simulation • Idea • Encode set of values symbolically • Evaluate system operation over these values • Effect • In single run, compute information that would otherwise require multiple simulation runs • If do it right, can even be used for formal verification Black Box In0 a & b Out In1

  3. Advantages of Symbolic Simulation • Relative to better known formal verification techniques • symbolic model checking • Modeling Capabilities • Can use wide variety of circuit models • Including ones requiring event scheduling • Efficiency • Hybrid between symbolic and conventional simulation • Reduce coverage to make tractable • Exploit abstraction capabilities of X • Form of abstract interpretation

  4. Categorization #1 • Verification Objective • Accelerated Simulation • Get more simulation done in less time • Rigorous, formal verification • Don’t trust anything that hasn’t been proven Accelerated Simulation Rigorous Formal Verification Objective

  5. Abstracted Data Boolean Model Level Discrete Switch Linear Switch Categorization #2 • Modeling Level • Abstract away as much as possible • Especially data values & operations • Boolean gate / RTL • Focus of 99% of verification research • Transistor • Challenge to have tractable but accurate model

  6. Symbolic Trajectory Evaluation Symbolic Simulation Landscape Auto-mated Deduc-tion Abstracted Data Chris Wilson’s Simulator Commercial Tools Forward Model Checking Boolean Model Level Discrete Switch Switch- Level Timing Sim. Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  7. Automated Deduction Auto-mated Deduc-tion Abstracted Data Boolean Model Level Discrete Switch Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  8. x0 x1  x2 x xn-1 p T F x 1 0 ITE(p, x, y) x x 1 0 1 0 y x y y y Abstracting Data • View Data as Symbolic “Terms” • No particular properties or operations • Except for equations: x = y • Can store in memories & registers • Can select with multiplexors • ITE: If-Then-Else operation

  9. IF/ID ID/EX EX/WB PC Control Control Op Instr Mem Rd Ra = Adat Reg. File ALU Imm +4 = Rb Abstraction Via Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Also view instruction memory as function F3 F2 F1

  10. T = 0 T = 1 T = 2 T = 3 Ra Ra Ra Ra x x x x x x x x b a b a b b a a ALU ALU ALU ALU f f f f f f Rb Rb Rb Rb Term-Level Symbolic Simulation • Simulator Operation • Register states are term-level expressions • Denoted by pointers to nodes in Directed Acyclic Graph (DAG) • Simulate each cycle of circuit by adding new nodes to DAG • Based on circuit operations • Construct DAG denoting correctness condition

  11. e 1 f T F Ù e Ø 0 = x f 0 T Ú = F T F d 0 Resulting Decision Problem • Logical Formula • Integer Values • Solid lines • Uninterpreted functions • Integer variables • If-Then-Else operation • Boolean Values • Dashed Lines • Uninterpreted predicates • Propositional variables • Logical connectives • Equations & inequalities • Task • Determine whether formula is universally valid • True for all interpretations of variables and function symbols

  12. Deduction-Based Verification • Automatic Theorem Provers • Some of the earliest work in formal hardware verification • Gordon ‘83, Hunt ‘85, … • Heavy focus on rigor • Strong abstraction capabilities • Can selectively apply different levels of abstraction • Increasing Degree of Automation • Burch & Dill, CAV ‘94 • Implement & tune decision procedure to match modeling needs • Automate generation of simulation relation • For pipelined microprocessors • Active research area • But, not focus of this talk

  13. Forward Model Checking Abstracted Data Forward Model Checking Boolean Model Level Discrete Switch Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  14. Circuit Behavior Image Compu- tation Loop Control Set Union Reached States = Initial State Forward Reachability • Determine set of all reachable states of circuit • Key step in model checking • Many (but not all) properties can be checked by some form of reachability computation

  15. 0 / 1 A Union Intersection A A B B Characteristic Function Representation of Set • Concept • A {0,1}n • Set of bit vectors of length n • Represent set A as Boolean function A of n variables • XA if and only if A(X ) = 1 Set Operations

  16. Transition Relation Relational Cross Product Loop Control Boolean OR Reached States Circuit Behavior = Image Compu- tation Loop Control Set Union Reached States = Initial State Initial State Forward Reachability via Characteristic Functions • Model system behavior as transition relation • (s,s) = 1 when possible to change from state s to state s in one step • Powerful, but expensive approach

  17. FA(Y ) Y FA Parametric Representation of Set • Concept • A {0,1}n • Set of bit vectors of length n • Must be nonempty • Represent set A as set of n Boolean functions FA • Set indicated by function images • XA if and only if for some Y, FA(Y ) = X • Not unique • Various algorithms to generate • Set Operations • Not clear how to do these!

  18. Gate-Level Circuit Symbolic Sim. (FA(Y )) Y FA Parametric Representation of Next State Set • One step of symbolic simulation generates parametric form of image computation • Set of states X such that X = (X) for some state X A

  19. Gate-Level Circuit Symbolic Sim. A to FA FA to A Loop Control Boolean OR Reached States Circuit Behavior = Image Compu- tation Loop Control Set Union Reached States = Initial State Initial State Forward Reachability via Parametric Representation #1 • Coudert & Madre ‘89 • Among earliest work on symbolic reachability • Converted to characteristic function to perform Boolean operations • Loses advantage of symbolic simulation

  20. Gate-Level Circuit Symbolic Sim. Loop Control Param. Union Reached States Circuit Behavior = Reparameterize Image Compu- tation Loop Control Set Union Reached States = Initial State Initial State Forward Reachability via Parametric Representation #2 • Amit Goel, CMU ‘02 • Generate canonical parametric form from any other parametric form • Algorithm due to Coudert, Robert Jones • New algorithm to compute set union in parametric form • Does not generate characteristic function explicitly or implicitly

  21. Some Results • Comparison • VIS with IWLS partitioning & ordering of transition relation • Based on characteristic functions • Boolean Functional Vectors • Based on parametric representation • Performance • Big improvement for some benchmarks

  22. Symbolic Trajectory Evaluation Symbolic Trajectory Evaluation Abstracted Data Boolean Model Level Discrete Switch Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  23. Symbolic Trajectory Evaluation • Formulation • Bryant & Seger (1990) • View symbolic simulator as form of model checker • For limited class of LTL formulas • Abstract states with ternary { 0, 1, X } logic • Extensions • Enlarge class of safety properties • Seger (1995), Jain (1997), Chou (1999) • Add fairness • “Generalized Symbolic Trajectory Evaluation” • Yang & Seger (2000) • All -regular properties

  24. STE Example 4-Bit Shift Register • Specification • If apply input “a” • Then four cycles later, will get output “a” • N is “next-time” operator • Similar to “X” in other temporal logics Din Dout Din = a NNNN Dout = a

  25. X X X a X X X a X X X X X a X a X X X X T = 3 T = 4 T = 2 T = 0 T = 1 X X X X a X X X X a Assert Din Din Din Din Din Dout Dout Dout Dout Dout Check Verification by STE Din = a  NNNN Dout = a

  26. X X X X T = 0 X Din Dout 0 1 X Mathematical Basis for STE • Partially Ordered State Model • Monotonic Circuit Behavior • Any 0/1 behavior observed with all-X initial state will occur for arbitrary initial state • Subtle details in simulator implementation Complete Information Incomplete Information

  27. Transition Relation Compare: Model Checking with Characteristic Functions • Encode Entire System State Symbolically • Two Boolean variables per state bit • Impractical to model systems with very large memories • Typically verify models with reduced data widths and memory capacities s0 s1 s2 s3 Current State i s0’ s1’ s2’ s3’ Next State i’

  28. Performance of STE • Key Property • Use symbolic variables only to encode input and (part of) initial state • Verification complexity depends on complexity of specification, not of system • Can verify systems containing large memories • Industrial Applications of STE • Motorola: Verify variety of memory subsystems • Intel: Block-level verification

  29. iRdy = 1 Din = a iRdy = 1 iRdy = 1 iRdy = 1 iRdy = 1 Assert Dout = d Check iRdy = 0 iRdy = 0 iRdy = 0 iRdy = 0 Increasing STE Expressive Power 4-Bit Stoppable Shift Register • Specification • Graphical notation more expressive and intuitive than textual • Allows arbitrary number of idle cycles between inputs • Implemented with simple fixed-point operation iRdy Din Dout

  30. Addr Write Dout Din Addr  a Addr = a Write = 1 Din = d Addr = a Write = 0 Dout = d Check Write = 0 RAM Verification by STE • Specification • Perform write with address a • Perform arbitrary number of reads, or operations with a different address • Perform read with address a • Should get value d on Dout • Verification requirements for 2m-bit memory • Constant number of iterations • O(m) Boolean variables

  31. Generalized STE • Yang & Seger (2000) • Extends Class of Trajectory Graphs • Arbitrary graph structure • Adds Fairness Constraints • Require that specified arcs be traversed infinitely often • Very Expressive • -regular languages • Not Directly Comparable to CTL Model Checking • Cannot express existential properties in GSTE • Cannot describe path properties in CTL

  32. Chris Wilson’s Simulator Abstracted Data Chris Wilson’s Simulator Boolean Model Level Discrete Switch Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  33. Wilson’s Symbolic Simulator • Chris Wilson, PhD, Stanford (2001) • Less Pessimistic X Handling • Can verify simple forms of data propagation • Automatic Variable Classification • When to use X’s, and when to use symbols • Major headache for users of other symbolic simulators • Too many  get X’s for check values • Too few  BDD blowup • Integrate BDDs with Explicit Case Simulation • When BDDs get too big, start enumerating variable values rather than encoding them symbolically • Guarantees useful partial results

  34. Xa Xa Xa Xa 0 Xa 0 X Xa 1 0 Xb Tagged X Values • Can Tag X with Literal • Xa, Xa, Xb, Xb, etc. • Allow Limited Propagation of Tags • When value depends on multiple tags, revert to regular X • Handles Simple Data Propagation • Data moved across busses, stored in registers, passed through multiplexors

  35. Automatic Variable Classification • Two Ways to Represent Symbolic Value • BDD variable a • Tagged X value Xa • Strategy • Start with only tagged X’s • Simulate symbolic test • If check is X, then select some symbol to strengthen • As BDD variable, rather than as tagged X • Resimulate • Continue process until check either proved or disproved

  36. A B Xa a X a?Xb:1 Xb X Xa a a?1:Xb X Xb Xb Reclassification Example • Simple heuristics determine which variable to strengthen • Must rerun entire simulation every time strengthen variable Task: Prove Out = B Out

  37. Switch-Level Timing Simulation Abstracted Data Boolean Model Level Discrete Switch Switch- Level Timing Sim. Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  38. 1 Logic Value Voltage X 0 Linear Switch-Level Simulation • Linear Switch-Level Simulation • RSIM (Terman), nRSIM (Chu), IRSIM (Horowitz) • Model transistor as switched, linear resistor • Ternary (0, 1, X) node states • Elmore (RC product) model of circuit delay a  a

  39. Symbolic Timing Simulation • Symbolic Implementation of Linear Switch-Level Simulation • SirSim: McDonald, ICCAD ‘99 • Symbolic Extensions • BDD node values • MTBDD delay calculations • Exactly equivalent to running 2n IRSIM simulations • Is This Formal Verification? • Model is too simplistic to justify this

  40. C R * b a 20fF 30fF Inf 3k = Delay a b Inf 60ps 90ps Symbolic Delay Calculation From “a” rising to “out” falling • Delays computed as (driver resistance) * (load capacitance) out a b

  41. t=0 in x y small out in x  y @ t=0 x large out x y y t=30ps t=60ps Handling Data-Dependent Delays • Schedule event for each possible time point • Event includes mask indicating conditions under which update should occur NodeVal = (Mask & NewVal)  (Mask & OldVal) @t=30ps : out = (y &y y &x) = x &y @t=60ps : out = (y &y  y &x &y) = y

  42. Manchester Adders • Speedup of 1033 over exhaustive IRSIM for 64 bit adder • Sirsim < 15 min • IRSIM > 1029 yrs • Runtime=O(n3)

  43. Alpha Microprocessor Circuits

  44. CQ 000 001 010 011 100 101 110 111 Cluster Scheduling • Group events into clusters with symbolic event times • “Cluster-Queue” structure maintains proper ordering • Up to 8x speedup on previously published cases • Exponential speedup demonstrated Symbolically Encoded Cases

  45. Commercial Symbolic Simulators Abstracted Data Commercial Tools Boolean Model Level Discrete Switch Linear Switch Accelerated Simulation Rigorous Formal Verification Objective

  46. Commercial Symbolic Simulators • Innologic • Verilog-Based Symbolic Simulator • Handles all of Verilog • Not just synthesizable subset • Extend input vector format to allow symbolic values • Biggest successes to date are in memory verification • Synopsys • Part of formalVERA (a.k.a., Ketchum) assertion checker • Uses multiple strategies: automatic test generation, symbolic simulation, bounded model checking

  47. Exploiting Hierarchy • Hierarchical Modeling • Symbolically encode circuit structure • Based on hierarchy in circuit description • Simulator operates directly on encoded circuit • Use symbolic variables to encode both data values & circuit structure • Implemented by Innologic, variant by Synopsys (DAC ‘02)

  48. L4 x=0 x=1 L2 y=0 y=1 L2 y=0 y=1 L1 L1 L1 L1 Din Dout Hierarchical Circuit Representation • Hierarchy • Follows that in circuit representation • Encoding • Introduce Boolean variables to encode module instances

  49. L2 y=0 y=1 L1 L1 In Out M y 1 1 E N C E N C Out L1 1 X T R 0 0 In 0 M Signal Extractor Signal Encoder y y A A[y=1] 1 X T R y&A  y&B A B 0 A[y=0] Symbolically Encoding Circuit Operation

  50. L4 x=0 x=1 L2 y=0 y=1 L2 y=0 y=1 1 1 E N C E N C L1 L1 L1 L1 Din Dout x 0 0 y L1 1 1 Dout X T R X T R Din 0 0 Symbolically Encoding Circuit Operation

More Related