Generalized Symbolic Trajectory Evaluation

Generalized Symbolic Trajectory Evaluation Jin Yang Strategic CAD Labs., Intel Architecture Group, Intel Corporation jin.yang@intel.com Feb., 2001

Who Are We? • SCL - A CAD Research Organization within Intel • research & transfer new design technologies vital to Intel’s future product lines in the areas of • logic verification  PV/PD  Synthesis • composed mostly of Ph.D.s with various academia and industrial backgrounds • Logic Group • fundamental and applied FV researches in the areas of • model checking, theorem proving, HLM, abstraction, ... • datapath FV, processor FV, system level FV, protocol, … • 7 Ph.D.s / 2 M.S. • Close relation with Academia • SRC funding, mentoring, internship, visiting professors

Overview • Motivation • Specification in GSTE • Model Checking under Strong Semantics • Model Checking under Normal Semantics • Model Checking under Fairness • w-regular equivalent • (G)STE and Abstract Interpretation • Two Case Studies

STE : the Success Story • STE - Symbolic Trajectory Evaluation • a lattice-based model checking technology based on a form of symbolic simulation (Seger & Bryant) • proven high capacity with a high degree of automation • a comprehensive methodology • Active Industrial Usage in Hardware Verification • Intel • floating point arithmetic unit against IEEE 754 • length decoder unit with 12,000 gates and 1100 latches • Motorola • memory units with million transistors • IBM • processor units at abstract level

ck 100 100 100 a c ck e f a[99:0] A[99:0] B[99:0] b d b[99:0] c[99:0] A+B antecedent consequent STE: Simple Specification • Normalized basic STE assertion A1 & N( A2 ) & … & Nk-1(Ak ) ==> C1 & N( C2 )&…& Nk-1( Ck ) • e.g. ( !ck & a[99:0]=A[99:0] & b[99:0]=B[99:0] ) & N( ck ) & N2( !ck ) & N3( ck ) ==> N3( c[99:0]=A[99:0]+B[99:0] )

ck a[99:0] A b[99:0] B next state defining value for all i, id[[Ci ]] ? A A c[99:0] d[99:0] B B e[99:0] A+B A+B f[99:0] A+B STE: Sim.-based Model Checking • Phase 1: Simulation 1 = d[[ A1 ]], 2= d[[ A2 ]] next(1), …, k= d[[Ak]] next(k-1) • Phase 2: Checking

  X X 0 0 1 1 T T  X 0 1 T X X X 0 X 1 T T X X X 1 0 T X 0 0 0 0 1 T T 0 0 X 1 1 0 1 1 T T 1 1 T T T T T T T T T T STE: Quaternary Circuit Modeling • Work on quarternary {0,1,X,T} instead of boolean {0,1} • X - unknown, T - over-constrained • e.g. only 200 boolean variables are used in the adder, although the circuit has 500 state or input elements

64 64 64 100 100 100 ck ck a c a en e f en +1 b d en b stall STE: Limitation • Very limited expressiveness • what about stall? • stall causes arbitrary long latency • what about backward analysis? • simulation is forward in nature • Challenge • extend expressiveness without losing STE-style model checking efficiency and verification methodology (a=ptr) ==> (b = ptr+1)

s2 s4 s1 s3 s5 s1, s2, s4, s5, s4, s5, ... s2, s4, s5, s4, s5, ... s4, s5, s4, s5, ... s1, s3, s5, s4, s5, s4, ... s3, s5, s4, s5, s4, ... s5, s4, s5, s4, ... Model • State transition on S R(S, S) • every state is initial • no deadlock • Transition-induced model M=(pre, post) • pre(Si) = {s | s’Si.R(s,s’) } • post(Si) = {s’ | sSi.R(s,s’) } • Trace s1, s2, …, si, si+1, … • si+1 post({si}), • and hence si pre({si+1})

s2 s4 s1 M s3 s5 cons: {s4} 2 ant: {s2} 1 3 cons: {s5} * all trivial antecedents and consequences are ignored Assertion Graph: An Example Property 1 • If the system is in state s2, then it will be in state s4 and state s5 alternatively.

Assertion Graph: Formal Definition • Assertion graph G = (V, vI, E, ant, cons) • V - set of vertices • vI - the initial vertex • E - set of edges (each vertex has 1 outgoing edges) • ant - map each edge to a set of states (or equivalently a state predicate) called antecedent • cons - map each edge to a set of states (or equivalently a state predicate) called consequent * first proposed by Seger and Beatty * path: a sequence of consecutive edges from the initial vertex

s2 s4 s1 M s3 s5 cons: {s4} ant: {s2} 2 1 cons: {s5} 3 s1 s2, s4 Strong (original STE) Semantics Trace satisfies path  under L,  |=L: for every 1i ||,(i) L((i)). Model Mstrongly satisfiesG,M ||= G: for every finite path , for every finite trace ,  |=ant   |=cons  First proposed by Jain and clarified by Chou ||= trace 1: trace 2:

s2 s4 s1 M s3 s5 Step cons: {s4} 3 1 2 { } 1 {s2} ant: {s2} { } 2 {s4} { }  S  post({s2}) S  post({}) 1 cons: {s5} { }  S  post({s4}) {s5} 3 {s2} {s4} 3 4 {s2} {s4} {s4}  post({s2})  post({s5})    Model Checking Strong Satisfiability • Phase 1: build simulation relation from edges to state sets ||= 2 {s2} { } {s5} • Phase 2: check consequences

SMC(M, G) 1. if e is from vI sim(e) := ant(e), else sim(e) := F. 2. repeat until fix-point: for every edge e, sim(e) := sim(e)  ( (post(sim(e-)  ant(e)))). e -  in(e) 3. return T if for every edge e, sim(e)  cons(e), return F otherwise. * first proposed by Jain and clarified by Chou Model Checking Strong Satisfiability Theorem: SMC(M, G)  M ||= G

s2 s4 s1 M s3 s5 cons: {s1} ant: {s2} 3 1 2 s3 s5 trace:   Ant. Cons. The property would fail because the antecedent failed after the consequence failure! Limitation of Strong Semantics Property 2 • If the system is in state s2, it must have been in s1 at the previous time.

s2 s4 s1 M s3 s5 cons: {s1} ant: {s2} 3 1 2 s3, s5, … ... trace: Normal Semantics Model MsatisfiesG,M |= G: for every infinite path , for every infinitetrace ,  |=ant   |=cons  ||=

transform G’ = (V, vI, E, ant’, cons) G = (V, vI, E, ant, cons) Model Checking Normal Satisfiability • Approach - Reduce to Strong Satisfiability s.t., M |=G  M |= G’ M |=G’  M ||= G’ (future independent) Future Extensibility Condition G’ is future extensible on M: for every edge e, for every state s in ant’(e), there is an inf. e-path , an inf. trace from s ,  |=ant’

s2 s4 s1 M s3 s5 cons: {s1} ant: {s2} 3 1 2 1 2 3 Step 2 S 1 S {s2} S S  pre({s2}) {s1} {s2} {s2}  pre(S)    Model Checking Normal Satisfiability • Phase 1: strengthen antecedents backward ||= • Phase 2: check strong satisfiability

Theorem: NMC(M, G)  M |= G Model Checking Normal Satisfiability NMC(M, G) 1. repeat until fix-point: for all edge e, ant(e) := ant(e)  (  (pre(ant(e+)))). e+  out(e) 2. call SMC(M, G)

s2 s4 s1 M’ ant: S - {s4,s5} ant: {s4} s3 s5 3 1 2 cons: {s2} 4 ant: {s4,s5} trace: s3, s5, s5, … ... The property would fail because an undesired path is examined! Limitation of Normal Semantics Property 3 • If the system is in state s4, then at the last time when it was neither in s4 nor s5, it must have been in s2.

s2 s4 s1 M’ ant: S - {s4,s5} ant: {s4} s3 s5 3 1 2 cons: {s2} 4 ant: {s4,s5} Theorem: (w-regular equivalence) every det. Streett automaton has an equivalent fair assertion graph Assertion Graph with Fairness Fairness condition: • fair edge sets: E = {E1, E2, …, Ek} • a fair path visits each Ei infinitely often Model Mfairly satisfiesG underE,M |=E G: for every fair infinite path , for every infinite trace ,  |=ant   |=cons  ||=

ant: S - {s4,s5} ant: {s2} ant: {s4} ant: {s4} cons: {s2} cons: {s2} ant: {s4,s5} ant: {s4}  Model Checking Fair Assertion Graph • More of the same... - Reduce to Strong Satisfiability Fair Extensibility Condition G’ is fairly extensible on M: for every edge e, for every state s in ant’(e), there is an inf. faire-path , an inf. trace from s ,  |=ant’

FMC(M, G, E) 1. repeat until fix-point: 2. for each fair edge set Ef in E, 3. build backward simulation relation towards Ef; 4. G := replace the antecedents in G with the simulation relation; /* future extensible to Ef*/ 5. call SMC(M, G). Theorem: FMC(M, G, E)  M |=E G Model Checking Fair Assertion Graph

Ex 1. T G R Y  Relevant Lattice Concepts Finite Complete Lattice (L, ) • L - finite set of points • - partial order relation: • p1 p2 if p1 is less uncertain than p2 • T - top element •  - bottom element Ex 2. (2S,  ) - subset lattice • S - top element • {} - bottom element Note: we use an partial order relation consistent with 

T G R Y  post pre R, Y, G, G, ... R, T, T, T, ... T, Y, G, G, ...    T, T, T, T, ...  Extend Model to Lattice Model M = (pre, post) • pre, post: L  L (monotonic) • post(p) =   p =  • for every p in L, p pre(post(p)) * STE model is a special case where • pre(p) = T for every p. Trajectory p1, p2, p3, …, pi, pi+1, … • pi+1 post(pi), pi pre(pi+1) • pi   * a trajectory captures a set of traces

T G R Y |=  post cons: G ant: Y pre Semantic Extension • trajectorysatisfies pathunder L: for every i,(i)L((i)). • Satisfiability definitions remain the same except working on trajectory satisfiability ant cons R, Y, G, ...   Y, G, G, ...   Extend Assertion Graph to Lattice Assertion Graph G=(V, vI, E, ant, cons) • extend ant, cons:E 2Sto E  L

Main GSTE Results on Lattice • Extended Model Checking Algorithms: *GSTE • by generalizing  ,  ,  in *MC to, , • GSTE Theorems • strong semantics: SGSTE(M, G)  M ||= G • normal semantics: NGSTE(M, G)  M |= G • fairness: FGSTE(M, G, E)  M |=E G • Incompleteness • lose information when using coarse lattice • but gain efficiency

{S1, S2, S3 , S4, S5} T ... ... ... {S2, S3} ... {S4, S5} ... G R Y {S1} {S3} {S4} {S5} {S2}  { } Abstract Interpretation Concepts • Abstraction of (L, ) - Galois insertion (La, a) abstraction function :L La, such that • (T) = Ta, (p) = a iff p = , •  is onto, anddistributive

{00,01,10,11} XX {00,01,10} {00,01,11} {00,10,11} {01,10,11} 0X X0 X1 1X {00,01} {00,10} {00,11} {01,10} {01,11} {10,11} 00 01 10 11 {00} {01} {10} {11} T { } The Quaternary Abstraction • From boolean domain to quaternary domain two variable boolean domain: two variable quaternary domain:

s2 s4 s1 s3 s5 post pre T M G R Y  Model Abstraction Abstraction of Model M=(pre, post) Ma=(prea, posta) • (pre(p)) a prea((p)) • (post(p)) a posta((p))

Abstraction in GSTE • Abstraction theorem If G is consequence preserving i.e., -1((cons(e))) = cons(e) for all edge e, then • strong semantics Ma ||= Ga M ||= G • normal semantics Ma |= Ga M |= G • fairness Ma |=E Ga M |=E G

G, M on (L, ) Check the consequence against the concretized simulation relation Ga, Ma on (La, a) Perform antecedent strengthening and simulation relation building on Ga,Ma Concretize the simulation result Abstraction in GSTE • GSTE using Abstraction: a*GSTE(M, G) • when G is not consequence preserving Theorem: 1. strong semantics: aSGSTE(M, G)  M ||= G 2. normal semantics: aNGSTE(M, G)  M |= G 3. fair semantics: aFGSTE(M, G, E)  M |=E G

128 bank0 bank1 bank2 bank3 128 128 128 128 128 datard3 datard2 datard0 datard1 memory block Case Study: A Memory datainbypass 128 alignmask block dataout datawr addr[9:8] bnksel[1:0] 4 addr[9:0] we end[4:0] drive[4:0] ck begin[4:0] align[7:0] 4 banks * 256 entries/bank * 128 bits / entry = 128K bits

ck we addr[9:0] A A datawr[127:0] D drive[3:0] V No write to the same address align[6:0] R begin[3:0] B end[3:0] E dataout[127:0] O we  (addr=A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Specification • Correctness Statement: always read from a cell the most recently written data write phase read cycle hold phase

128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass D[127:0] 128 alignmask block dataout datawr A[9:0] 4 addr[9:0] we 1 end[4:0] drive[4:0] begin[4:0] align[7:0] ck

bank[i].row[j] = D, if A=i*256+ j X, otherwise 128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass 128 alignmask block dataout datawr 4 addr[9:0] we end[4:0] drive[4:0] begin[4:0] align[7:0] ck

bank[i].row[j] = D, if A=i*256+ j X, otherwise 128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass 128 alignmask block D dataout datawr A 4 addr[9:0] we 0 end[4:0] drive[4:0] begin[4:0] align[7:0] ck

128 bank1 bank0 bank2 bank3 128 we  (addr= A)  (datawr=D)  we  ck  (addr=A)  (drive=V)  (align=R)  we  ck  (begin=B)  (end=E) dataout= mask(align(drive(D, V), R), B, E)  we  (addrA) Model Checking datainbypass 128 alignmask block dataout datawr mask(align(drive(D, V), R, B, E) A 4 addr[9:0] we 0 end[4:0] drive[4:0] begin[4:0] align[7:0] ck

GSTE vs. STE and Classic MC • GSTE • complete black-box verification • complexity - 128K bits • 157 variables used in assertion graph • finished in 833 seconds • STE • requires open-up of the memory • requires three STE assertions for write, retain and read • Classic MC • state explosion under any variable order

datainbypass 128 mask mux predischarge mux 128 select, precharge, and mux align 128 128 128 128 128 datain2 dataout datain3 datain0 datain1 4 4 7 4 2 qclk all 0’s bnksel buspch align drive begin end alignvalid hit# ck Case Study: An AlignMask Module dual-rail

ck alignvalid if it was low first drive[i/32] ant1 / ant2 / con2 bnksel[1:0] S ant5 / ant3 / align[6:0] A ant4 / datain(j)[127:0] ant1: ck  alignvalid  drive[k]  (bnksel=S)  (align=A)  mutex_for_all_j mutex_for_all_j retain until delivery ant6 / datain(j)#[127:0] dataout[i] ant2:  ck  alignvalid dataout[i] dataout#[i] ant3: ck  alignvalid  drive[k]  (bnksel=S)  (align=A)  mutex_for_all_j ant4:  ck  alignvalid  drive[k] ant5: ck  alignvalid  drive[k] ant6: ck  alignvalid  drive[k] con2:  dataout#[i] (k = i/32) Prop: Two Rails Must be Weak Mutex • Fair Semantics: • bi-directional simulation over • an arbitrary long interval • Complexity: • 9 variables in total • no variables for how to mask Rephrase: if the high rail of a bit i is 1, then the low rail must be 0.

Summary Expressiveness / Time Complexity Fair AG (w-regular) / fix-point 2 FGTE Normal AG / 2 fix-points NGTE Strong AG / 1 fix-point SGTE STE Spec./ 0 fix-point STE Completeness / Space Complexity Coarse lattice abstraction Quaternary abstraction Finer lattice abstraction No abstraction

Comparison with Classic Approach • Similarities • model described as M=(pre, post) • model checking is some form of ‘reachability’ analysis • Differences • clear distinction of antecedents and consequences • lattice based simulation strategy, e.g., for circuits, • no expensive next state function or transition relation • dynamic model abstraction • for-all semantics • more comprehensive methodology • Perhaps …, this work provides a common framework for getting the best of both approaches

Future Work • Bring theory to practice • efficient implementation • debugging environment • methodology development • Relationship with other formal methods • efficient links from/to other temporal logics • GSTE for protocol verification ... • Incorporation of established abstraction techniques • symmetry reduction • uninterpreted function • … ...

Backup Slide

  X X 0 0 1 1 T T  X 0 1 T X X X 0 X 1 T T X X X 1 0 T X 0 0 0 0 1 T T 0 0 X 1 0 1 1 1 T T 1 1 T T T T T T T T T T if !x&!y then v else X a if !x&y then v else X mux b mux if x&!y then v else X c if x&!y then v else X d x y x y STE: Quaternary Circuit Modeling • Boolean {0, 1} to quarternary {0, 1, X, T} • X - unknown, T - over-constrained full symbolic simulation quaternary symbolic simulation 6 variables 3 variables

Generalized Symbolic Trajectory Evaluation

Generalized Symbolic Trajectory Evaluation

Presentation Transcript

SYMBOLIC LOGIC

Copernicus, A Generalized Trajectory Design and Optimization System

Trajectory Generation

Trajectory Equation

Trajectory Calculations

Generalized Symbolic Execution for Model Checking and Testing

Symbolic

Trajectory

Generalized heat transfer coefficient Generalized Admittance Generalized Impedance

Learning Trajectory Patterns by Clustering: Comparative Evaluation

Trajectory

Trajectory

Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation

Symbolic

Automatically Exploring Structural Symmetry in Symbolic Trajectory Evaluation

symbolic

Cost-Optimal Symbolic Pattern Database Planning with State Trajectory and Preference Constraints

Trajectory

Symbolic Processing

Symbolic Evaluation/Execution

Trajectory Generation

Efficient Trajectory Joins using Symbolic Representations