1 / 27

Automatic Abstraction Refinement for GSTE

This paper presents AutoGSTE, an automatic approach to abstraction refinement for Generalized Symbolic Trajectory Evaluation (GSTE). It quickly converges to good abstractions that enable verifications that were not possible before, allowing assertion graphs to be high-level without adapting too much to circuit implementation.

anncoleman
Download Presentation

Automatic Abstraction Refinement for GSTE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automatic Abstraction Refinement for GSTE Yan Chen, Yujing He, and Fei Xie Portland State University Jin Yang Intel Nov 13, 2007

  2. Our Contributions • AutoGSTE – An automatic approach to abstraction refinement for GSTE • Quickly converge to good abstractions that enable verifications that are not possible before • Allow assertion graphs to be high-level w/o adapting too much to circuit implementation

  3. Outline • Overview of (G)STE • Quaternary Abstraction and its Imprecision • Our Solution – AutoGSTE • Counterexample-guided abstraction refinement • Model refinement and specification refinement • Experiments • Conclusion & Future Work

  4. Symbolic Trajectory Evaluation [Bryant & Seger] • Scalability • Model checking complexity largely depends on the complexity of the assertion rather than the circuit • Pros: Highly efficient • Cons: • False negatives due to insufficient input constraints • R. Tzoref, O. Grumberg, Automatic refinement and vacuity detection for STE, CAV’06 • J. Roorda, K. Clarssen, Sat-based assistance to abstraction refinement for STE, CAV’06 • Only properties over finite time  GSTE

  5. Generalized STE [Yang & Seger] • ω-regular properties represented by assertion graphs G = { (V, v0, E, ant, cons) } • Non-deterministic execution • Fixed-point computation

  6. GSTE Algorithm Algorithm: GSTE(G, post) (* initialize symbolic simulation *) 1.foreach edge ein G 2. ife is from the initial vertex 3. sim(e) := ant(e); 4. put e in EventQueue; 5. else 6. sim(e) := { }; (* perform symbolic simulation *) 7. whileEventQueue is not empty 8. get an edge e from the queue, 9. for each successor edge e’ of ebegin 10. sim(e’) := sim(e’)  post(sim(e))  ant(e’); 11. ifthere is a change in sim(e’) 12. put e’ intoEventQueue; end (* check consequence *) 13. for each edge e in G14. if!(sim(e)  cons(e)) return false; 15. return true; end.

  7. Outline • Overview of (G)STE • Quaternary Abstraction and its Imprecision • Our Solution – AutoGSTE • Counterexample-guided abstraction refinement • Model refinement and specification refinement • Experiments • Conclusion & Future Work

  8. Quaternary-Value Logic Two sides of a coin • Significantly reduce state spaces by quaternary abstraction  • Over abstractions cause false negatives  (Conflict) (Unknown) Information Partial Order Propagation of “Unknown”

  9. 0 1 1 0 1 1 X 1 X X Causes of False Negative: Quaternary State Set Unions sim(e’) := sim(e’)  post(sim(e))  ant(e’); Check whether the output is always 1 under certain inputs Abs. A Out 1 1 1 1 X B

  10. 1 0 1 0 1 1 Causes of False Negative: Existentially Quantified-Out Symbolic Variables [A=X, B=X] Out=A|B=X A Out B [A=c1, B=(!c1|c2)] Out=A|B=c1|(!c1|c2)=1 c1,c2 is existentially quantified out after every single step simulation

  11. Outline • Overview of (G)STE • Quaternary Abstraction and its Imprecision • Our Solution – AutoGSTE • Counterexample-guided abstraction refinement • Model refinement and specification refinement • Experiments • Conclusion & Future Work

  12. AutoGSTE: Automatic Abstraction Refinement Circuit Impl. Assertion Graph Abstraction refinement: (monotonic) (1) Constraining inputs with symbolic constants/variables (2) Model refinement: introducing precise nodes (3) Spec refinement: assertion graph transformations (1) GSTE Refined Abstraction (3) Abstraction Refinement Assertion holds Counter Example (2) Counter Example Analysis Causes of Imprecision Assertion fails Causes of imprecision in GSTE’s quaternary abstraction: (1) Under-constrained inputs; (2) Quaternary state set unions; (3) Existentially quantified-out symbolic variables

  13. Counter Example Analysis • Counter Example • [(edge1,src1,dest1),…,(edgeT, srcT,destT)] • Identify “X” nodes in destT that violates consequent on edgeT • Backtrack to identify the causes for “X” node N • In the end, the following causes will be identified: • Output circuit nodes/assertion edges on which Xs are introduced.

  14. AutoGSTE: Automatic Abstraction Refinement Circuit Impl. Assertion Graph Abstraction refinement: (1) Constraining inputs with symbolic constants/variables (2) Model refinement: introducing precise nodes (3) Spec refinement: assertion graph transformations (1) GSTE Refined Abstraction (3) Abstraction Refinement Assertion holds Counter Example (2) Counter Example Analysis Causes of Imprecision Assertion fails Causes of imprecision in GSTE’s quaternary abstraction: (1) Under-constrained inputs; (2) Quaternary state set unions; (3) Existentially quantified-out symbolic variables

  15. Model Refinement • Symbolic Indexing (Verifier has to encode it in the specification) Abs. Abs. rew. Partition Finer Partition rew.

  16. Model Refinement (Cont.) • Precise Nodes: Circuit nodes that must always have boolean values by symbolic indexing • [Yang and Seger, FMCAD’02] Manually specify precise nodes to eliminate Xs caused by both unions and weaks. • AutoGSTE automatically marks precise nodes • Mark all the identified nodes as precise • Mark one node at a time (control signals first?)

  17. …… Specification Refinement • Loop unrolling transformations address unions • Allow the specification to be high level • Dynamically adapt to the real computation flow of the circuit

  18. Specification Refinement (Cont.) • Automating loop unrolling • Unroll each problematic edge to prevent unwanted state set unions 2 1 3 4

  19. Specification Refinement (Cont.) • Case splitting transformations address weaks • Symbolic variables symbolically index a set of edges with scalar values • Remember the variable values by case splitting

  20. Outline • Overview of (G)STE • Quaternary Abstraction and its Imprecision • Our solution – AutoGSTE • Counterexample-guided abstraction refinement • Model Refinement .vs. Specification Refinement • Experiments • Conclusion & Future Work

  21. Experiment: FIFO

  22. FIFO Model Refinement Better than manual analysis!

  23. FIFO Specification Refinement Too complex to do manually!

  24. Conclusion & Future Work • An automatic approach to abstraction refinement for GSTE • Quickly converge to good abstractions • Future work • Identify minimal set of precise nodes • Reduce unnecessary loop-unrolling/case-splitting • Integrate model refinement and spec refinement

More Related