1 / 29

Compositional Specification and Verification in GSTE

Compositional Specification and Verification in GSTE. Jin Yang, joint work with Carl Seger Strategic CAD Labs, Intel Corp. CMU March 23, 2004. Motivation. GSTE combines high capacity of STE with expressive power of traditional model checking (YS ICCD’00)

tyrone
Download Presentation

Compositional Specification and Verification in GSTE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Compositional Specification and Verification in GSTE Jin Yang, joint work with Carl Seger Strategic CAD Labs, Intel Corp. CMU March 23, 2004

  2. Motivation GSTE • combines high capacity of STE with expressive power of traditional model checking (YS ICCD’00) • provides a multi-dim. approach to achieve high capacity while maintaining accuracy (YS FMCAD’02) • has been used by FVers for > 1 year successfully on next-gen. Intel -processors (Schubert ICCAD’03) • part of FORTE public release However • assertion graph specification in GSTE is inherently sequential but circuit behavior may be concurrent • … …

  3. Sequential Ex.: Memory 1024 x 64 Memory wren rden addr[9:0] dout[63:0] din[63:0] “Always read from a cell the most recently written data”  ( wren & addr[9:0] = A[9:0] & din[63:0] = D[63:0], true ) antecedent ( rden & addr[9:0] = A[9:0], dout[63:0] = D[63:0] )  consequent v2 vI v1 ( !wren | addr[9:0] != A[9:0], true )

  4. 2 2 2 2 Concurrent Ex.: Voting Machine reset avail[1] vote[1] Voting Machine vout avail[2] vote[2] avail[3] vote[3] • a vote can be accepted at station i (through vote[i]=1,2,3) when it is available • it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as soon as all three votes are in, and then makes the stations available for next round.

  5. Voting Machine (cont.) • Specification using an assertion graph causes exponential complexity • order 1: vote[1], …, vote[2], …, vote[3] • order 2: vote[1], …, vote[3], …, vote[2] • … … • Solution • concurrent extension to assertion graphs • implementation independent • utilizing and guiding GSTE model checking • (future) ability to reason about specifications

  6. Basics: Domain And Trace • Domain D • a finite non-empty alphabet e.g., the set of states in a FSM (circuit) • P(D) – power set of D e.g., all subsets of states (state predicates) in FSM • Trace  = d1d2d3… • an infinite word in D e.g.,an infinite state sequence (trace) in FSM

  7. a[15:0] + c[15:0] b[15:0] ( a[15:0] = A[15:0] & b[15:0] = B[15:0], c[15:0] = A[15:0] + B[15:0] ) Basics: Assertion Alphabet • Assertion alphabet  = P(D)  P(D) • set ofantecedent/consequence pairs •  = (D1,D2)  – assertion letter • antecedent:ant() = D1 • consequent:cons() = D2

  8. ( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D ) v2 vI v1 ( !wren | addr != A, true ) ( wren & addr = A & din = D, true ) ( !wren | addr != A, true ) * ( rden & addr = A, dout = D ) Basics: Assertion Language • Assertion word - any word w = 12…kin  * • STE assertion  assertion word • Assertion language - any set of words L in P( *) • assertion graph  regular assertion language

  9. Basics: Trace Semantics • Trace Satisfiability • trace satisfies a word P(D)*, if1i||, (i)  [i] • Trace Language • assertion word (w) = {D | sat. ant(w)  sat. cons(w) } • assertion language (for all semantics) (L) = wL (w) • Theorem: L1  L2 (L1)(L2 ) “more words  more restricted behavior”

  10. Parallel composition ( vote[1]=1, true ) ( true, true )  ( true, true ) ( vote[2]=2, true )  ( vote[3]=2, true ) ( true, true ) = ( vote[1]=1 & vote[3]=2, true ) ( vote[2]=2, true ) The Meet Operator • Meet of assertion letters: ( C1, C2 )  ( D1, D2 )= ( C1  D1, C2  D2 ) • Meet of assertion words: 12…k ’1’2…’k = (1’1) (2’2) … (k’k) • Meet of assertion languages: L1 L2 = { w1 w2 | w1 L1, w2 L2, |w1| = |w2| }

  11. Self Consistency • Repeated application 0 L= L, k L= (k-1 L) L (k>0) • Lemma k L  k+1 L but ( k L ) = ( k+1 L ) • proof sketch • (w1 w2 …  wk)  wk = w1 w2 …  wk • w  w’ may be new, but (w)  (w’)  (w  w’) • Theorem (about limit) L  k0 k L but (L ) = ( k0 k L)

  12. Compositional Specification • Initialization: L0 =  + L0 • (D,D) • Prefix: (1i<h) Li = Lj• j • Summation: (hi<l) Li = Li1 … … Lik (0ij<h) • Meet: (li<n) Li = Li1  … … Lik (0ij<l) • Comment: • there is a unique solution to the system • very much like CCS but with new 

  13. ( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D ) v2 vI v1 ( !wren | addr != A, true ) Example 1: Memory • LI =  +LI• (true, true) • LI, 1 = LI • (wren & addr = A & din = D, true) • L1,1 = L1• (!wren | addr != A, true) • L1 = LI, 1  L1,1 • L2 = L1 • (rden & addr = A, dout = D)

  14. 2 2 2 2 Example 2: Voting Machine (VM) reset avail[1] vote[1] Voting Machine vout avail[2] vote[2] avail[3] vote[3] • a vote can be accepted at station i (through vote[i]=1,2,3) when it is available • it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as soon as all three votes are in, and then makes the stations available for next round.

  15. Example 2 (cont) • Linit =  + Linit • (true, true) • Lready[i] = Linit • (reset, true)  (Lready[i]Lpoll) • (reset | vote[i]=0, avail[i]) • Lvoting[i] = (Lready[i]Lpoll)• (!reset & vote[i]=V[i]>0, avail[i]) • Lvoted[i] = ((Lvoting[i]Lvoted[i])  Lwait)• (!reset, !avail[i]) • Lwait = 1i3 Lready[i] • Lpoll = 1i3 (Lvoting[i]( ji(Lvoting[j] Lvoted[i]))) • Loutp = Lpoll • (true, vote=f(V[1], V[2], V[3]))

  16. Model Checking Product Spec. • Theorem (product specification) for any language L in the solution, k0 k L is regular • proof sketch • k0k (Lj • j) = (k0k Lj) • j • k0k (L1  L2) = (k0k L1)  (k0k L2)  (k0k L1)  (k0k L2) • k0k (L1  L2) = (k0k L1)  (k0k L2) • construct transitions for the states in P({k0k L1 , k0k L2 , …, k0k Ln}) • since (L) = (k0 k L), this effectively provides a precise GSTE model checking solution for each L in the solution • but assertion graph for k0kL may be exponentially large Need more efficient solution!

  17. Model • M = (S, R, L) • S is a finite set of states • R  SS is a transition relation s.t. s, s’, (s, s’)  R • L: SD is a labeling function • Semantics • run : NS s.t.i0, ((i), (i+1))R • trace language (M) = { L() |  is a run of M } • satisfiability M |= 0in Li: (M)  (0in Li) • Post-Image post(S’) = { s | s’S’, s.t. (s’, s)R }

  18. Simulation Relation • Definition any mapping R: {L0, L1, …, Ln} P(S) satisfying s R(Li),if wLi,  of M s.t. (|w|)=s, L() sat. ant(w) • Theorem  Li = Lj• , L(R(Li))  cons()  M |= 0in Li

  19. compGSTE • Initialization for all Li, R(Li) := { }; • Fix-point iteration repeat • R’ := R; • for all Li, case • Li = L0: R(Li) := S; • Li = Lj• : if Lj=L0 then R(Lj) := {s | L(s)ant()} else R(Lj) := post(R’(Lj))  {s | L(s)ant()}; if (L(R(Li))  cons()) then return false; • Li = j Lj: R(Lj) := j R’(Lj); • Li = j Lj: R(Lj) := j R’(Lj); until R = R’; return true;

  20. f Ex: VM Implementation reset avail[1] 0 = en voted[1] vote[1] vote_in[1] 2 clr clear + avail[2] 0 = 0 vout voted[2] en mux vote[2] vote_in[2] 2 clr avail[3] 0 = en voted[3] vote[3] vote_in[3] 2 clr

  21. f Ex: VM Model Checking reset Linit … … clear 1. true + avail[i] Lready[i] 0 = 0 mux en voted[i] vout Lvoting[i] vote[i] vote_in[i] 2 clr Lvoted[i] … … • Linit =  + Linit • (true, true) • Lready[i] = Linit • (reset, true)  • (Lready[i]Lpoll) • (reset | vote[i]=0, avail[i]) • Lvoting[i] = (Lready[i]Lpoll)• (!reset & vote[i]=V[i]>0, avail[i]) • Lvoted[i] = ((Lvoting[i]Lvoted[i])  Lwait)• (!reset, !avail[i]) • Lwait = 1i3 Lready[i] • Lpoll = 1i3 (Lvoting[i]( ji(Lvoting[j] Lvoted[i]))) • Loutp = Lpoll • (true, vote=f(V[1], V[2], V[3])) Lwait Lpoll Loutp

  22. f Ex: VM Model Checking reset Linit … … clear 2. true + avail[i] Lready[i] 2. reset 0 = 0 mux en voted[i] vout Lvoting[i] vote[i] vote_in[i] 2 clr Lvoted[i] … … • Linit =  + Linit • (true, true) • Lready[i] = Linit • (reset, true)  • (Lready[i]Lpoll) • (reset | vote[i]=0, avail[i]) • Lvoting[i] = (Lready[i]Lpoll)• (!reset & vote[i]=V[i]>0, avail[i]) • Lvoted[i] = ((Lvoting[i]Lvoted[i])  Lwait)• (!reset, !avail[i]) • Lwait = 1i3 Lready[i] • Lpoll = 1i3 (Lvoting[i]( ji(Lvoting[j] Lvoted[i]))) • Loutp = Lpoll • (true, vote=f(V[1], V[2], V[3])) Lwait Lpoll Loutp

  23. f Ex: VM Model Checking reset Linit … … clear 3. true + avail[i] Lready[i] 0 3. reset | vote[i]=0 & vote_in[i]=0 = 0 mux en voted[i] vout Lvoting[i] vote[i] vote_in[i] 2 clr 3. !reset & vote[i]=V[i] & vote_in[i]=0 Lvoted[i] … … • Linit =  + Linit • (true, true) • Lready[i] = Linit • (reset, true)  • (Lready[i]Lpoll) • (reset | vote[i]=0, avail[i]) • Lvoting[i] = (Lready[i]Lpoll)• (!reset & vote[i]=V[i]>0, avail[i]) • Lvoted[i] = ((Lvoting[i]Lvoted[i])  Lwait)• (!reset, !avail[i]) • Lwait = 1i3 Lready[i] • Lpoll = 1i3 (Lvoting[i]( ji(Lvoting[j] Lvoted[i]))) • Loutp = Lpoll • (true, vote=f(V[1], V[2], V[3])) Lwait Lpoll Loutp

  24. f Ex: VM Model Checking reset Linit … … clear true + avail[i] Lready[i] 0 reset | vote[i]=0 & vote_in[i]=0 = 0 mux en voted[i] vout Lvoting[i] vote[i] vote_in[i] 2 clr !reset & vote[i]=V[i] & vote_in[i]=0 Lvoted[i] … … !reset & vote_in[i]=V[i] & j. … … • Linit =  + Linit • (true, true) • Lready[i] = Linit • (reset, true)  • (Lready[i]Lpoll) • (reset | vote[i]=0, avail[i]) • Lvoting[i] = (Lready[i]Lpoll)• (!reset & vote[i]=V[i]>0, avail[i]) • Lvoted[i] = ((Lvoting[i]Lvoted[i])  Lwait)• (!reset, !avail[i]) • Lwait = 1i3 Lready[i] • Lpoll = 1i3 (Lvoting[i]( ji(Lvoting[j] Lvoted[i]))) • Loutp = Lpoll • (true, vote=f(V[1], V[2], V[3])) Lwait reset | i.vote[i]=0 & vote_in[i]=0 Lpoll i.!reset & vote[i]=V[i] & vote_in[i]=0 & ji.(vote[j]=V[j] | vote_in[j]=V[j]) Loutp i.vote_in[i]=V[i]

  25. Brief Discussions • compGSTE is approximate • sound but not complete • extended quaternary model abstraction (FMCAD 2002) • Abstraction refinement • model refinement vs spec. refinement (FMCAD 2002) • partial product construction on specifications (serialization) • Advantages over assume-guarantee based composition • pure specification, implementation independent • computed “intermediate assumptions” • much less sensitive to implementation changes

  26. reset … … clear + avail[i] 0 = 0 mux en voted[i] vout vote[i] vote_in[i] 2 clr … … f decode Ex: Implementation Change reset • Assume-guarantee based composition • re-partition the model, re-specify interface assumptions • re-run model checking • compGSTE • specification unchanged, only re-run model checking … … avail[i] 0 bundle 1 bundle vout 0 … … vote[i] 1 2 bundle 2 2 3 3 bundle … …

  27. uop out CAM Delivering logic receiving logic alloc Staging and CAM match wrback ready logic sched scheduling logic ready init priority matrix avail Industrial Ex.: Resource Scheduler Specification: when resource is available (avail = 1), schedule the oldest ready uop • handling 10 uops at a time, >1k state elements, >17000 gates • priority matrix, CAM, decision logic, power-saving feature etc.

  28. Main Result • Previous work w/ a state-of-art in-house symbolic model checker • hundreds of small local properties • only on the priority matrix • Compositional specification (top down) • schedule uop[i], if “uop[i] is the oldest ready” and resource is available • uop[i] is oldest ready, if “uop[i] is ready” and for all j  i (j  i), either “uop[j] is not ready” or “uop[i] arrived earlier than uop[j]” • … … • < 50 boolean variables for >1k state elements • Compositional model checking • 122.5 seconds, 36M on P4 1.5GHz • scalable - O(log2 #uops), BDD was not a bottle-neck! • Detailed work is in writing • hopefully in time for ICCAD

  29. Conclusion • Summary of the compositional approach • compositional specification to handle concurrency • efficient compositional model checking • implementation independent • building for reasoning • Future work • reasoning about compositional specifications • extension to handle parameterized specification Thanks!

More Related