1 / 36

Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog

Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog. Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke. Carnegie Mellon University. System. Behavioral. Structural/RTL. Gate level (netlists). …………. Introduction. Hardware design. Formal verification

mina
Download Presentation

Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie MellonUniversity

  2. System Behavioral Structural/RTL Gatelevel(netlists) ………… Introduction • Hardware design Formal verification support Level of abstraction

  3. Verification support • Languages like Verilog, SystemVerilog, SystemC are close to software • Verification tools must reason about: • Programming languages constructs • Bit-vector semantics (concatenation, extraction) • Concurrency, Objects, Templates

  4. System Behavioral Structural/RTL Gatelevel(netlists) ………… This work Model check 

  5. Handling state space explosion • Abstraction for handling state space explosion • Localization reduction [Kurshan ’94] • Tracks values of certain variables (visible) • Predicate Abstraction [Graf and Saidi ’97] • Keeps tracks of certain predicates on data • Captures relationship between variables • Successfully used in software verification

  6. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  7. Our approach • Apply predicate abstraction at RTL Level • Allows abstraction using word-levelpredicates • Example: x < y – z, x = {z,z} • Use a SAT solver for computing abstraction • Semantics of bit-wise operators take into account • Obtaining suitable word level predicates • Syntactic weakest pre-conditions of Verilog statements

  8. Related work • SAT-Based Predicate Abstraction [Wang et al.] • Works at netlist level • Refinement introduces bit-level predicates • Vapor tool [Andraus et al.] • Works on RTL level designs • Abstraction to CLU models (equality of terms, uninterpreted functions, predicates) • Lots of other related work

  9. An example module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 Ç x = 200) Verilog program

  10. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  11. Predicate Abstraction module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 Ç x = 200) Initial set of predicates: {x = 100, x = 200} Word Level Transition relation: x’ = y Æ y’ = x Verilog program

  12. Computing abstract transitions Computing Most Precise Abstraction Next state Current state Transition Relation + + <x = 100, x = 200> <x’ = 100, x’ = 200> x’ := y y’ := x

  13. Obtain transitions Computing abstract transitions <p1,p2> 10 00 01 … and so on … 11

  14. 10 00 01 11 Abstract Model module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Failure state Initial state Verilog program

  15. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  16. Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Abstract Model Initial state Failure state 10 00 01 11 Verilog program

  17. Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Abstract Model Abstract counterexample Initial state Failure state 10 00 01 11 Verilog program

  18. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  19. <x = 100, x= 200> Simulation module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Abstract counterexample Initial state Failure state 10 00 Verilog program Counterexample is spurious

  20. Abstraction-Refinement loop Initial Abstraction Verification No erroror bug found VerilogProgram ModelChecker Abstract model Property holds Counterexample Refinement Simulator Simulation sucessful Abstraction refinement Bug found Spurious counterexample

  21. Refinement • Let length of spurious counterexample be k • Take weakest pre-condition of property for k steps with respect to transition functions

  22. (y = 100 Ç y = 200) weakest precondition x’ := y y’ := x Holds after one step (x’ = 100 Ç x’ = 200) Refinement spurious counterexample Property New predicates y = 100, y = 200 AG (x = 100 Ç x = 200) length =1 +

  23. New abstraction Initial state 1001 0110 Abstract again module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Model check Verilog program

  24. New abstraction Initial state 1001 0110 Property holds! Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program

  25. Result module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Property holds! Verilog program

  26. Making it work in practice • Computation of predicate abstraction • Handling of large no. of predicates With 50 predicates there can be 2100 predicate relationships!!

  27. + + p1 := x = 100 p2 := x = 200 p3 := y = 100 p4 := y = 200 p’1:= x’ = 100 p’2:= x’ = 200 p’3:= y’ = 100 p’4:= y’ = 200 x’ := y y’ := x Partition + + p’3 := y’ = 100 p’4 := y’ = 200 p1 := x = 100 p2 := x = 200 y’ := x + + p’1 := x’ = 100 p’2 := x’ = 200 p3 := y = 100 p4 := y = 200 x’ := y Predicate Partitioning Next state predicates Transition relation Current state predicates Æ

  28. Predicate Partitioning • Speeds up abstraction computation • Introduces over-approximation • Refinement • Handles over-approximation due to predicate partitioning • Generate new predicates

  29. Refinement by removing spurious transitions Abstract transition: <b1=0, b2=1> ) <b’1=0, b’2=0> Spurious Constrain abstraction [Das and Dill]: : (b1=0 Æ b2=1 Æ b’1=0 Æ b’2=0) Proof of unsatisfiabilty (UNSAT) core: : (b2=1 Æ b’1=0)

  30. <x=1, x=2> <1, 0> <0, 0> Refinement by generating new predicates Identify predicates whose weakest pre-condition needs to be computed Init: x=1, y=2 (x=1) Æ:(x=2) PROOFOF UNSATISFIABILITY x’ := y y’ := x Predicate whose Weakest pre-condition is needed :(x’=1) Æ:(x’=2)

  31. Refinement by generating new predicates Blowup in weakest pre-conditions size Only add atomic predicates ((x < 5) ? (x + 2) : x ) = 2 Add x <5 as a new predicate and run the loop again x’ := (x < 5) ? (x + 2) : x x’ = 2

  32. ((x < 5) ? (x + 2) : x ) = 2 x’ := (x < 5) ? (x + 2) : x x’ = 2 A counterexample of same length But now we get a value for x < 5 from abstract counterexample (say true) New predicate x + 2 < 3 x’ := x + 2 simplify

  33. Experimental results

  34. Experimental results (VIS benchmarks)

  35. Summary • Verification at RTL level without going to netlists • Predicate abstraction using word-level predicates • Handling large no. of predicates (predicate partitioning) • Weakest pre-conditions for obtaining new predicates • Techniques are completely automatic • VCEGAR • Encouraging results on industrial benchmarks • www.cs.cmu.edu/~modelcheck/vcegar

  36. Questions?

More Related