An Introduction to Symbolic Trajectory Evaluation. Koen Lindström Claessen Chalmers University / Jasper AB Gothenburg, Sweden

Size: px

Start display at page:

Download "An Introduction to Symbolic Trajectory Evaluation. Koen Lindström Claessen Chalmers University / Jasper AB Gothenburg, Sweden"

Eugene Harrington
5 years ago
Views:

1 An Introduction to Symbolic Trajectory Evaluation Koen Lindström Claessen Chalmers University / Jasper AB Gothenburg, Sweden

2 An Example A 7-input AND gate? in in1 in2 in3 OR out in4 in5 in6 OR

3 Verification by Simulation (in is ) and (in1 is ) and (in2 is 1) and (in3 is 1) and (in4 is ) and (in5 is 1) and (in6 is ) (out is ) Simulation specification Antecedent driving Consequent checking

4 Simulation 2 7 = 128 simulations OR OR!? OK

5 Smarter Simulation OR OR Good for 2 6 = 64 simulations!! OK?

6 Smarter Simulation (2) 1 1 OR 1 OR Good for 2 6 = 64 simulations! OK?

7 Smarter Simulation? 1 1 OR OR Got stuck?

8 Three-Valued Simulation:,1,X X X X X X X X = unknown X X OR 1 X OR X Good for 2 6 = 64 simulations! OK?

9 Simulating with,1,x abstraction: X = {,1} x 1 X x 1 X enough information not enough information x y X X X 1 1 X X X x y 1 X X X x y X X X 1 1 X X X x OR y X X 1 1 X

10 Three-Valued Specification (in is ) (out is ) (in1 is ) (out is ) (in2 is ) (out is ) (in3 is ) (out is ) (in4 is ) (out is ) (in5 is ) (out is ) (in6 is ) (out is ) not mentioned in antecedent means driven with X 8 simulations in total (in is 1) and (in1 is 1) and and (in5 is 1) and (in6 is 1) (out is )

11 Symbolic Simulation Boolean expression datatype Variables; a, b, c Logical operations; not, and, or Compositional Canonical representation (Reduced Ordered) Binary Decision Diagrams (BDDs)

12 Compositional? F G F: a G: b b c 1 1

13 Canonical? a ~b ~(~a v b) a a b = b 1 1

14 Symbolic Simulation only 1 simulation! a b c d e f g ~(ab) ~(cd) ~e ~(fg) OR OR abcd efg many variables give possible BDD blow-up abcde fg! OK

15 Symbolic Specification (in is a) and (in1 is b) and (in2 is c) and (in3 is d) and (in4 is e) and (in5 is f) and (in6 is g) circuit node symbolic variable expected symbolic value (out is (abcdefg))

16 Summary symbolic three-valued simulation Symbolic Trajectory Evaluation (STE) three-valued simulation symbolic simulation standard simulationbased verification

17 Idea 128 ordinary simulations require 7 symbolic variables 8 three-valued simulations require only 3 symbolic variables! call these p,q,r When p=q=r=1, all inputs are 1 Otherwise, <pqr> indicates which input is Expected value of out? symbolic indexing out is (pqr)

18 STE Specification is a new operator ((~p~q~r) (in is )) and ((~p~q r) (in1 is )) and ((~p q~r) (in2 is )) and ((~p q r) (in3 is )) and (( p~q~r) (in4 is )) and (( p~q r) (in5 is )) and (( p q~r) (in6 is )) and (( p q r) ((in is 1) and (in1 is 1) and Only 3 symbolic variables; less risk of blow-up! and (in5 is 1) and (in6 is 1))) (out is (pqr))

19 Conditional Driving P A Only use A to drive simulation when P is true Otherwise, nodes in A are unknown: X Logically: Implication

20 Three-Valued Symbolic Expressions Simulator needs to deal with boolean values,1 unknown value X symbolic variables a, b, c expressions with, OR,, over the above Solutions new datastructure dual-rail encoding

21 Dual-Rail Encoding x says when x is x1 says when x is 1 Each three-valued entity is represented by a pair of twovalued entities x 1 X (x,x1) (1,) (,1) (,) X means neither nor 1 (x,x1) (y,y1) = (x OR y, x1 y1) (x,x1) OR (y,y1) = (x y, x1 OR y1) (x,x1) = (x1,x)

22 Symbolic Three-Valued (~p~q~r, pqr) Simulation only 1 simulation, 3 variables OR (~p q r, pqr) OR (~(pqr), pqr)

23 Symbolic Trajectory Evaluation Invented in 1995 by Seger and Bryant Used industrially Mainly Intel; heavy use Forte ReFLect/IDV Memory-intensive circuits Hard for other verification methods

24 The Rest of this Lecture Some pitfalls More interesting example: Memory Semantics Current directions

25 What Does X Mean? no second thoughts X1 1

26 Pitfall 1 multiplexer in a ax manual abstraction in1 a sel X ax OR (sel is b) and (in is a) and (in1 is a) (out is a) out ax information loss

27 Pitfall 2 only forwards information propagation in Xa in1 Xb out 1 = ab (in is a) and (in1 is b) and (out is 1) (in is 1) and (in1 is 1) we need a semantics! predictability

28 Example: Memory rd wr addr loc loc1 loc2 out out1 out2 out in

29 Memory Address width k 2^k locations Data width n n*(2^k) state-holding elements state-based model checkers? k=16, n=16: elements

30 A Specification (k=2,n=1) (wr is 1) and (in is d) and (addr is a) and (addr1 is a1) and next point in time N ((rd is 1) and (addr is a) and (addr1 is a1)) N (out is d) we expect d to come out first we write d to address aa1 then we read from address aa1 symbolic variables: a,a1: address, d: data

31 Simulation (initially) rd wr addr X X X out out1 out2 out in

32 Simulation (time 1) if aa1 = then d else X X 1 aa1 d if aa1 = 1 then d else X e X e1 X e2 X

33 Simulation (time 2) 1 X aa1 X if aa1 = then e else e X if aa1 = then d e1 else X e2 X if aa1 = 1 then e2 else if aa1 = then (if aa1 = then d else X) else if aa1 = 1 then d else d OK

34 Memory with STE Address width k, data width n 2^k locations n*(2^k) state-holding elements k+n symbolic variables k=16, n=16: 32 symbolic variables

35 STE Theory /1 clash T 1 four-valued expressions! information ordering X information lattice

36 4-Valued Gates T y = T T OR y = T T = T y T = T y OR T = T Gates are monotonic w.r.t. information ordering no second thoughts

37 Circuit Model example: {in,in1,out} Set of nodes N state-holding: n vs n Set of states s : S = N {X,,1,T} Circuits are modelled as closure functions F : S S propagates given values to other nodes can be easily constructed from the netlist

38 Closure Function F : S S Monotonic s1 <= s2 implies F(s1) <= F(s2) Idempotent F(F(s)) = F(s) Extensive s <= F(s) completely simulated no second thoughts do not invent own things

39 Sequences of States Sequences seq : Seq = Time S Closure function over time F* : Seq Seq Connecting all state-holding registers Monotonic Idempotent Extensive

40 Trajectory Evaluation Logic (TEL) A,B,C ::= n is n is 1 P A A1 and A2 N A n is P shorthand for (P n is 1) and (~P n is )

41 given boolean evaluation phi for symbolic variables Semantics of TEL phi, seq = n is phi, seq = n is 1 phi, seq = P A phi, seq = A1 and A2 phi, seq = N A given a sequence of states seq iff. seq(n)() >= iff. seq(n)() >= 1 iff. phi = P implies phi,seq = A iff. phi,seq =A1 and phi,seq =A2 iff. phi, seq 1 = A time shift

42 Trajectories sequence following from simulation A sequence seq is a trajectory: F*(seq) = seq Alternatively: Exists seq. F*(seq ) = seq

43 Final Semantics F = A C iff. restriction to threevaluedness for all phi, and for all trajectories traj of F: phi,traj = A implies phi,traj = C

44 Fundamental Theorem of STE all trajectories traj of F for which phi,traj = A are characterized by the weakest trajectory traj for which phi,traj = A enough to just calculate the weakest trajectory

45 Abstraction Refinement Failed STE assertion real counter example something is really wrong spurious counter example too many X s in the simulation After spurious counter example Specification needs to be refined hard to know what kind

46 Pitfall 1 multiplexer in a X in1 a X OR out X sel X information loss (in is a) and (in1 is a) (out is a)

47 Weakest Strengthenings (in is a) and (in1 is a) (out is a) a=1 in=1 in1=1 sel=1 out=1 (sel is 1) and (in is 1) and (in1 is 1) (out is 1) weakest satisfying strengthening

48 Weakest Strengthenings (in is a) (out is a) a=1 in=1 in1= sel=1 out= weakest contradicting strengthening

49 Weakest Strengthenings Implemented in a tool STAR SAT-based Available from Chalmers CAV 6

50 Content-Addressable Memory (CAM) Lookup table 2 memories: tagmem, datamem Each tag is coupled with a data Store Retrieve

51 CAM Specification (1) (rd is 1) and (tag is t) and (tagmem is t) and and (tagmem15 is t15) and (datamem is d) and and (datamem15 is d15) ((t = t) (out is d)) and and ((t = t15) (out is d15)) symbolic variables: t,t,..,t15,d,..,d15 too many variables: blow-up!

52 CAM Specification (2) (rd is 1) and (tag is t) and (i = (tagmem is t) and (datamem is d)) and (i = 15 (tagmem15 is t) and (datamem15 is d)) (out is d) symbolic indexing: t,i,d

53 STAR output Weakest contradicting strengthening i=3 t=1 d= rd=1 tag=1 tagmem1=1 tagmem3=1 datmem1=xxxxxx1x datmem3= out= x the rest is X

54 Conclusions STE Powerful Find the right abstraction This can be hard (help)

55 STE Limitations Expressivity Like LTL with finitely many times No initial states No concept of reachable states

56 Solution 1: Induction B should hold for all reachable states Prove in STE: I B (I characterizes the initial states) B N B Conclude that B always holds Need theorem prover for meta-reasoning vital!

57 Solution 2: GSTE Generalized STE Specification is a graph: wr= wr=1,addr=aa1,in=d rd=1,addr=aa1 out=d

58 Active Research What are the right algorithms for (G)STE? BDD-based SAT-based What is the right semantics for GSTE? A logic for GSTE specifications Melham (Oxford) (G)STE refinement? Automatic Semi-automatic

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Symbolic Trajectory Evaluation (STE): Automatic Refinement and Vacuity Detection Orna Grumberg Technion, Israel Marktoberdort 2007 1 Agenda Model checking Symbolic Trajectory Evaluation Basic Concepts