Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Similar documents
Lecture 2: Symbolic Model Checking With SAT

3-Valued Abstraction-Refinement

An Introduction to Symbolic Trajectory Evaluation. Koen Lindström Claessen Chalmers University / Jasper AB Gothenburg, Sweden

Abstractions and Decision Procedures for Effective Software Model Checking

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Model Checking: An Introduction

Binary Decision Diagrams and Symbolic Model Checking

Model checking the basic modalities of CTL with Description Logic

ESE601: Hybrid Systems. Introduction to verification

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Linear Temporal Logic and Büchi Automata

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Model Checking. Boris Feigin March 9, University College London

Counterexample-Guided Abstraction Refinement

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Formal Verification of Mobile Network Protocols

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Model for reactive systems/software

A Brief Introduction to Model Checking

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Bounded Model Checking

Chapter 4: Computation tree logic

Chapter 3 Deterministic planning

Automata-Theoretic Model Checking of Reactive Systems

State-Space Exploration. Stavros Tripakis University of California, Berkeley

PSPACE-completeness of LTL/CTL model checking

Model Checking with CTL. Presented by Jason Simas

Undergraduate work. Symbolic Model Checking Using Additive Decomposition by. Himanshu Jain. Joint work with Supratik Chakraborty

IC3 and Beyond: Incremental, Inductive Verification

Lecture Notes on Emptiness Checking, LTL Büchi Automata

The State Explosion Problem

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Chapter 6: Computation Tree Logic

Computation Tree Logic (CTL)

Algorithmic verification

Formal Requirement Debugging for Testing and Verification of Cyber-Physical Systems

MODEL CHECKING. Arie Gurfinkel

The research thesis was done under the supervision of Prof. Orna Grumberg, in the Faculty of Computer Science, the Technion - Israel Institute of Tech

SAT-Based Verification with IC3: Foundations and Demands

SAT-based Model Checking: Interpolation, IC3, and Beyond

Applications of Craig Interpolants in Model Checking

Strengthening Properties using Abstraction Refinement

Symbolic Model Checking Property Specification Language*

Undecidable Problems. Z. Sawa (TU Ostrava) Introd. to Theoretical Computer Science May 12, / 65

1 Algebraic Methods. 1.1 Gröbner Bases Applied to SAT

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Finite-State Model Checking

Boolean decision diagrams and SAT-based representations

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

Introduction to Arti Intelligence

Tutorial 1: Modern SMT Solvers and Verification

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Decision Procedures for Satisfiability and Validity in Propositional Logic

Computational Logic. Davide Martinenghi. Spring Free University of Bozen-Bolzano. Computational Logic Davide Martinenghi (1/30)

Equalities and Uninterpreted Functions. Chapter 3. Decision Procedures. An Algorithmic Point of View. Revision 1.0

The Eager Approach to SMT. Eager Approach to SMT

A Game-Theoretic Approach to Simulation of Data-Parameterized Systems

SAT in Formal Hardware Verification

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Timo Latvala. March 7, 2004

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Linear-time Temporal Logic

Verification Using Temporal Logic

CS357: CTL Model Checking (two lectures worth) David Dill

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Binary Decision Diagrams. Graphs. Boolean Functions

A brief introduction to Logic. (slides from

Logic in Automatic Verification

Basing Decisions on Sentences in Decision Diagrams

Lecture Notes on Software Model Checking

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Automata-based Verification - III

Chapter 5: Linear Temporal Logic

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

PROPOSITIONAL LOGIC. VL Logik: WS 2018/19

Exploiting resolution proofs to speed up LTL vacuity detection for BMC

A Constructor-Based Reachability Logic for Rewrite Theories

The Polyranking Principle

How Vacuous is Vacuous?

Automata-based Verification - III

LOGIC PROPOSITIONAL REASONING

Enhanced Vacuity Detection in Linear Temporal Logic. Alon Flaisher

Motivation Framework Proposed theory Summary

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Computer-Aided Program Design

The TLA + proof system

(Yet another) decision procedure for Equality Logic

Timo Latvala. February 4, 2004

Predicate Abstraction: A Tutorial

Transcription:

Symbolic Trajectory Evaluation (STE): Automatic Refinement and Vacuity Detection Orna Grumberg Technion, Israel Marktoberdort 2007 1

Agenda Model checking Symbolic Trajectory Evaluation Basic Concepts Automatic Refinement for STE Vacuity in STE 2

System Verification Given a (hardware or software) system and a specification, does the system satisfy the specification? Not decidable! We restrict the problem to a decidable one: Finite-state reactive systems Propositional temporal logics 3

Finite state systems hardware designs Communication protocols High level (abstract) description of non finite state systems 4

Properties in temporal logic mutual exclusion: always ( cs 1 cs 2 ) non starvation: always (request eventually grant) communication protocols: ( get-message) until send-message 5

Model of a system Kripke structure / transition system a,b a b,c a b a,c c a,b 6

Model of systems M=<S, I, R, L> S - Set of states. I S - Initial states. R S x S - Total transition relation. L: S 2 AP - Labeling function. AP Set of atomic propositions 7

π=s 0 s 1 s 2... is a path in M from s iff s = s 0 and for every i 0: (s i,s i+1 ) R 8

Propositional temporal logic AP a set of atomic propositions Temporal operators: Gp Fp Xp puq Path quantifiers: A for all path E there exists a path 9

Model Checking An efficient procedure that receives: A finite-state model describing a system A temporal logic formula describing a property It returns yes, if the system has the property no + Counterexample, otherwise 10

Model Checking Emerging as an industrial standard tool for hardware design: Intel, IBM, Cadence, Synopsys, Recently applied successfully also for software verification: NASA, Microsoft, ETH, CMU, 11

Model checking A basic operation: Image computation Given a set of states Q, Image(Q) returns the set of successors of Q Image(Q) = { s s [ R(s,s ) Q(s)]} 12

Model checking AGp on M Starting from the initial states of M, iteratively compute the set of successors. At each iteration check whether it reached a state which satisfies p. If so, declare a failure. Stop when no new states are found. Result: the set of reachable states. 13

Reachability + checking AG a b,c b 1 2 a,b 3 4 5 a,c 6 a a 7 a,b 8 c Reach = New = I = { 1, 2 } 14

Return: M AG a b,c b 1 2 a,b 3 4 5 a,c 6 a a 7 a,b 8 c Failure: New S a 15

Reachability + checking AG (a b) b,c b 1 2 a,b 3 4 5 a,c 6 a a 7 a,b 8 c Reach = New = I = { 1, 2 } 16

Return: Reach, M = AG (a b) b,c b 1 2 a,b 3 4 5 a,c 6 a a 7 a,b 8 c Reach = {1, 2, 3, 4, 5, 6} New = emptyset 17

Main limitation: The state explosion problem: Model checking is efficient in time but suffers from high space requirements: The number of states in the system model grows exponentially with the number of variables the number of components in the system 18

Symbolic model checking A solution to the state explosion problem which uses Binary Decision Diagrams ( BDDs ) to represent the model and sets of states. Can handle systems with hundreds of Boolean variables 19

Binary decision diagrams (BDDs) Data structure for representing Boolean functions Often concise in memory Canonical representation MostBoolean operations on BDDs can be done in polynomial time in the BDD size 20

BDDs in model checking Every set A can be represented by its characteristic function 1 if u A f A (u) = 0 if u A If the elements of A are encoded by sequences over {0,1} n then f A is a Boolean function and can be represented by a BDD 21

Representing a model with BDDs Assume that states in model M are encoded by {0,1} n and described by Boolean variables v 1...v n Reach, New can be represented by BDDs over v 1...v n R (a set of pairs of states (s,s ) ) can be represented by a BDD over v 1...v n v 1...v n 22

Example: representing a model with BDDs S = { s 1, s 2, s 3 } R = { (s 1,s 2 ), (s 2,s 2 ), (s 3,s 1 ) } State encoding: s 1 : v 1 v 2 =00 s 2 : v 1 v 2 =01 s 3 : v 1 v 2 =11 For A = {s 1, s 2 } the Boolean formula representing A: f A (v 1,v 2 ) = ( v 1 v 2 ) ( v 1 v 2 ) = v 1 23

f R (v 1, v 2, v 1, v 2 ) = ( v 1 v 2 v 1 v 2 ) ( v 1 v 2 v 1 v 2 ) (v 1 v 2 v 1 v 2 ) f A and f R can be represented by BDDs. 24

BDD for f(a,b,c) = (a b ) c Decision tree a b c c c b c 0 1 0 1 0 1 1 1 b a c b c a c b BDD 0 1 1 1 0 1 25

SAT-based model checking Another solution to the state explosion problem Translates the model and the specification to a propositional formula Uses efficient tools for solving the satisfiability problem Since the satisfiability problem is NPcomplete, SAT solvers are based on heuristics. 26

SAT solvers Using heuristics, SAT tools can solve very large problems fast They can handle systems with thousands variables 27

Bounded model checking Most commonly used SAT-based model checking For checking AGp: Unwind the model for k levels, i.e., construct all computation of length k If a state satisfying p is encountered, then produce a counter example The method is suitable for falsification, not verification 28

SAT-based model checking Can also handle general temporal logic specifications Can be used for verification by using methods such as induction and interpolation. 29

Bounded model checking in detail Construct a formula f M,k describing all possible computations of M of length k Construct a formula f ϕ,k expressing that ϕ=ef p holds within k computation steps Check whether f = f M,k f ϕ,k is satisfiable If f is satisfiable then M AGp The satisfying assignment is a counterexample 30

Example shift register Shift register of 3 bits: <x, y, z> Transition relation: R(x,y,z,x,y,z ) = x =y y =z z =1 error Initial condition: I(x,y,z) = x=0 y=0 z=0 Specification: AG ( x=0 y=0 z=0) 31

Propositional formula for k=2 f M = (x 0 =0 y 0 =0 z 0 =0) (x 1 =y 0 y 1 =z 0 z 1 =1) (x 2 =y 1 y 2 =z 1 z 2 =1) f ϕ = V i=0,..2 (x i =1 y i =1 z i =1) Satisfying assignment: 101 011 111 This is a counter example! 32

A remark In order to describe a computation of length k by a propositional formula we need k copies of the state variables. With BDDs we use only two copies of current and next states. 33

Abstraction-Refinement A successful approach to deal with the state explosion problem in model checking Concrete model Abstract model pass Abstract Verify fail Reconstruct Refined model Refine 34

Abstraction-refinement (cont.) M A - abstract model M C - concrete model 2-valued abstraction M A = ϕ M c = ϕ M A ϕ M C? 3-valued abstraction M A = ϕ M c = ϕ M A ϕ M c ϕ M A? M c? 35

Agenda Model checking Symbolic Trajectory Evaluation Basic Concepts Automatic Refinement for STE Vacuity in STE 36

Symbolic Trajectory Evaluation (STE) A powerful technique for hardware model checking that can handle much larger hardware designs relatively simple specification language Widely used in industry, e.g., Intel, Freescale 37

STE is given A circuit M A specification A C, where Antecedent A imposes constraints on M Consequent C imposes requirements on M A and C are formulas in a restricted temporal logic (called TEL) 38

STE Works on the gate-level representation of the circuit Combines symbolic simulation and abstraction 39

Current STE Automatically constructs an abstract model for M, based on A (M A) Checks whether M A ² C Return: Pass: M ² A C Fail + counterexample Undecided: refinement is needed This is a form of 3-valued abstraction Manually refines A (and thus also M A) 40

Agenda Model checking Symbolic Trajectory Evaluation Basic Concepts Automatic Refinement for STE Vacuity in STE 41

Modeling a circuit A Circuit M is described as a graph whose nodes n are inputs, gates, and latches We refer to node n at different times t In fact, we look at an unwinding of the circuit for k times k is determined by A C 42

Modeling a circuit (cont.) The value of an input node at time t is nondeterministic: 0 or 1 The value of a gate node at time t depends on the values of its source nodes at time t The value of a latch node at time t depends on the values of its source nodes at time t and t-1 43

Example: a circuit in 1 0 10 0 n 1 n 2 in 2 10 n 3 10 0 Time=0 Time=1 44

Simulation Based Verification Assigns values to the inputs of the model over time (as in the example) Compares the output values to the expected ones according to the specification Main drawback: the model is verified only for those specific combinations of inputs that were tested 45

Symbolic Simulation Assigns the inputs of the model with Symbolic Variables over {0,1} x x y y Checks all possible combinations of inputs at once Main drawback: representations of such Boolean expressions (e.g. by BDDs) are exponential in the number of inputs 46

STE solution Adds an unknown value X, in addition to 0, 1, and symbolic variables Needs also an over-constrained value 47

4-valued lattice To describe values of nodes, STE uses: 0,1, X, and (n,t) has value X when the value of n at time t is unknown (n,t) has value when the value of n at time t is over-constrained X 0 1 0 b x 1 b x b 0 b 1 48

Operations on lattice elements Meet: a 6 b is the greatest lower bound of a and b X61=1 X60=0 061= 0 1 Join: a 7 b is the least upper bound X 49

Lattice Semantics X is used to obtain abstraction is used to denote a contradiction between a circuit behavior and the constraints imposed by the antecedent A Note: the values of concrete circuit node are only 0 and 1. 50

Quaternary operations X 1 = 1 X 0 = X X X = X X 1 = X X 0 = 0 X X = X X = X Any Boolean expression containing has the value 51

Symbolic execution STE combines abstraction with symbolic simulation to represent multiple executions at once Given a set of symbolic variables V, the nodes of the circuit are mapped to symbolic expressions over V {0,1,X, } 52

Time=0 Time=1 Example: symbolic abstract execution in 1 v 1 X v 21?1:X n 1 n 2 in 2 X n 3 v 2 X v 1 X v 2?1:X Time in 1 in 2 n 1 n 2 n 3 0 1 v 1 X v 1?1:X X X X v 2 v 2?1:X v 1?1:X v 1 v 2?1:X 53

The difference between X and v V X X = X v v = false Different occurrences of X do not necessarily represent the same value ( unknow ) All occurrences of v represent the same value 54

Each line is a symbolic state Trajectory: sequence of states, compatible with the behavior of the circuit Time 0 1 in 1 in 2 n 1 n 2 n 3 v 1 X v 1?1:X X X X v 2 v 2?1:X v 1?1:X v 1 v 2?1:X 55

Implementation issues The value of each node (n,t) is a function from V to {0,1, X, } BDD representation Dual rail Two Boolean functions: f n,t1 : V { 0,1 } f n,t0 : V { 0,1 } 56

Dual rail For a specific assignment to V f n,t1 (V) f n,t0 (V) represents 1 for (n,t) ( f 1 n,t, f 0 n,t ) (n,t) (1,0) 1 (0,1) 0 (0,0) X (1,1) 57

STE / model checking STE holds local view of the system: for each (n,t) separately Model checking holds global view: A state values of all nodes at time t 58

Trajectory Evaluation Logic (TEL) Defined recursively over V, where p is a Boolean expression over V n is a node f, f 1, f 2 are TEL formulas N is the next-time operator (n is p) (p f) (f 1 f 2 ) (N f) 59

Example: TEL formula f = (in1 is v 1 ) N (in 2 is v 2 ) N 2 (v 1 v 2 (n3 is 0)) 60

Semantics of TEL formulas TEL formulas are interpreted over Symbolic execution σ over V, and assignment φ : V {0,1} [φ,σ ² f] {1, 0, X, } Note: (φ,σ) represents an (abstract) execution, i.e., a series of expressions, each over {0,1,X, } 61

Example: TEL semantics The same φ is applied to f and to σ f = N (v 1 v 2 (n 3 is 1)) Time in 1 in 2 n 1 n 2 n 3 0 1 V 1 X X V 2 v 1?1:X v 2?1:X X v 1?1:X X v 1 v 2?1:X For every φ, [φ,σ ² f ] = 1 62

Example: TEL semantics f = N (n 3 is (v 1 v 2?1:0)) Time in 1 in 2 n 1 n 2 n 3 0 1 V 1 X X V 2 v 1?1:X v 2?1:X X v 1?1:X X v 1 v 2?1:X For φ(v 1 v 2 )=0, [φ,σ ² f ] = X 63

TEL Semantics For every TEL formula f, [φ,σ ² f] = iff i,n: φ(σ) (i)(n) = A sequence that contains does not satisfy any formula 64

TEL semantics (cont.) (σ does not contains ) Note: φ(p) {0,1} [φ,σ ² (n is p)] = 1 iff φ(σ)(0)(n) = φ(p) [φ,σ ² (n is p)] = 0 iff φ(σ)(0)(n) {0,1} and φ(σ)(0)(n) φ(p) [φ,σ ² (n is p)] = X iff φ(σ)(0)(n) = X 65

TEL semantics (cont.) [φ,σ ² (f 1 f 2 )] = [φ,σ ² f 1 ] [φ,σ ² f 2 ] [φ,σ ² (p f) ] = φ( p) [φ,σ ² f] [φ,σ ² (N f) ] = [ φ,σ 1 ² f ] 66

TEL semantics (cont.) [σ ² f] = 0 iff for some φ, [φ,σ ² f]=0 [σ ² f] = X iff for all φ, [φ,σ ² f] 0 and for some φ, [φ,σ ² f]=x 67

TEL semantics (cont.) [σ ² f] = 1 iff for all φ, [φ,σ ² f] {0,X} and for some φ, [φ,σ ² f]=1 [σ ² f] = iff for all φ, [φ,σ ² f]= 68

Back to STE Recall that our goal is to check whether M ² A C where A imposes constraints on M and C imposes requirements 69

M A: Abstraction of M derived by A The defining trajectory of M and A, denoted M A, is defined as follows: M A is a symbolic execution of M that satisfies A For every symbolic execution σ of M [σ ² A]=1 σ b M A M A σ n 1,t n 2,t n 3,t n 4,t 1 X 0 X 1/ 0/ 70

M A (cont.) [Seger&Bryant] show that every circuit M and TEL formula f has such M f 71

M A (cont.) M A is the abstraction of all executions of M that satisfy A and therefore should also satisfy C If M A satisfies C then all executions that satisfy A also satisfy C 72

Checking M ² A C with STE Compute the defining trajectory M A of M and A Compute the truth value of [M A ² C] [M A ² C] = 1 Pass [M A ² C] = 0 Fail [M A ² C] = X Undecided The size of M A (as described with BDDs) is proportional to A, not to M! 73

Example: M A A =(in 1 is v 1 ) N (in 2 is v 2 ) C = N (n 3 is 1) in 1 vx 1 n 1 n 2 in 2 X n 3 v 2 v 21?1:X X X v 1 v 2?1:X Time in 1 in 2 n 1 n 2 n 3 0 v 1 X v 1?1:X X X 1 X v 2 v 2?1:X v 1?1:X v 1 v 2?1:X 74

Undecided results A = (in 1 is v1) N (in 2 is v2) C = N (n 3 is 1) In M A the value of (n 3,1) is v 1 v 2?1:X C requires (n 3,1) to be 1 For φ(v1 v2)=0, [φ, M A ² C ] = X When v 1 v 2 is 0, STE results in undecided for (n 3,1) and thus refinement of A is needed 75

Agenda Model checking Symbolic Trajectory Evaluation Basic Concepts Automatic Refinement for STE Vacuity in STE 76

Our Automatic Refinement Methodology Choose for refinement a set Iref of inputs at specific times that do not appear in A For each (n,t) Iref, v n,t is a fresh variable, not in V The refined antecedent is: A new = A Λ (n,t) Iref N t (n is v n,t ) 77

Refinement (cont.) A new has the property that: M ² A C M ² A new C Here we refer to the value of A C / A new C over the concrete behaviors of M 78

Goal: Add a small number of constraints to A, keeping M A relatively small, while eliminating as many undecided results as possible Remark: Eliminating only some of the undecided results may still reveal fail. For pass, all of them need to be eliminated 79

Choose a refinement goal We choose one refinement goal (root,tt) A node that appears in the consequent C Truth value is X Has minimal t and depends on minimal number of inputs We will examine at once all executions in which (root,tt) is undecided 80

Choosing Iref for (root,tt) Naïve (syntactic) solution: Choose all (n,t) from which (root,tt) is reachable in the unwound graph of the circuit Will guarantee elimination of all undecided results for (root,tt) 81

X X X X 1 X 82

Better (semantic) solution Identify those (n,t) that for some assignment are on a path to (root,tt) along which all nodes are X Iref is the subset of the above, where n is an input Will still guarantee elimination of all undecided results for (root,tt) 83

Heuristics for smaller Iref Choose a subset of Iref based on circuit topology and functionality, such as: Prefer inputs that influence (root,tt) along several paths Give priority to control nodes over data nodes And more 84

Experimental Results for Automatic Refinement We implemented our automatic refinement within the Intel s STE tool Forte. We ran it on two nontrivial different circuits: Intel s Content Addressable Memory (CAM) 1152 latches, 83 inputs and 5064 gates IBM s Calculator design 2781 latches, 157 inputs and 56960 gates We limited the number of added constraints at each refinement iteration to 1 85

Some more implementation issues Recall that the value of each node (n,t) is a function from V to {0,1, X, } BDD representation Dual rail Two Boolean functions: f n,t1 : V { 0,1 } f n,t0 : V { 0,1 86

Dual rail ( f 1 n,t, f 0 n,t ) (n,t) (1,0) 1 (0,1) 0 (0,0) X (1,1) 87

Notation: ( f n,t 1, f n,t 0 ) represents (n,t) in MxA ( g n,t 1, g n,t 0 ) represents (n,t) in C 88

Symbolic counterexample V (n,t) C [ ( g n,t1 f n,t1 f n,t0 ) ( g n,t0 f n,t1 f n,t 0 ) ] Note: C is never Represents all assignments to V in which for some node (n,t), MxA and C do not agree on 0/1 User needs to correct either the circuit or the specification 89

Symbolic incomplete trace V (n,t) C [ ( g n,t1 g 0 n,t ) ( f n,t1 f 0 n,t ) ] Represents all assignments to V in which for some node (n,t), C imposes some requirement (0 or 1) but MxA is X Automatic/manual refinement is needed 90

Semantic I ref can be computed in a similar manner X X X X 1 X 91

How do we get in STE? A = in 1 is 0 in 2 is u in 3 is 0 n 3 is 1 in 1 0 n 1 in 2 u u 0 6 1= n 4 n 3 n 6 in 3 0 n 2 u n 5 Antecedent failure 92

Antecedent failure is the case in which, for some assignment, MxA contains Can only occur when the antecedent imposes a constraint on internal node Reflects contradiction between Antecedent constraints Circuit execution In our work, such assignments are ignored during verification 93

Agenda Model checking Symbolic Trajectory Evaluation Basic Concepts Automatic Refinement for STE Vacuity in STE 94

Vacuity in model checking Example: M = AG (request F granted ) holds vacuously if request is always false or grantedis always true 95

Vacuous Results A = in 1 is 0 in 3 is v n 3 is 1 C = N(n 6 is 1) X61=1 in 1 0 X n 1 1 in 2 n n 4 X 3 n 6 v in 3 v n 2 v?1:x n 5 Counterexample for v=0. Spurious? 96

Vacuous Results - Refined A = in 1 is 0 in 2 is u in 3 is 0 n 3 is 1 in 1 0 n 1 in 2 u u 0 6 1= n 4 n 3 n 6 in 3 0 n 2 u n 5 The counterexample is spurious! 97

The Vacuity Problem Given an STE assertion A C, an assignment φ to V and a circuit M: A C is vacuous in M under φ if there is no concrete execution of M that satisfies φ(a) OR C under φ imposes no requirements. For example, if C=(v 1 ->(n is v 2 )) then for assignments in which v 1 =0, C imposes no requirement 98

The Vacuity Problem (cont.) A C fails vacuously in M if [M A ² C] = 0 AND for all assignments φ so that [φ,m A ² C] = 0, A C is vacuous in M under φ 99

The Vacuity Problem (cont.) A C passes vacuously in M if [M A ² C] = 1 AND for all assignments φ so that [φ,m A ² C] = 1, A C is vacuous in M under φ 100

Observation Vacuity can only occur when A contains constraints on internal nodes (gates, latches) Antecedent failure is an explicit vacuity. Our goal is to reveal hidden vacuity. 101

Detecting (non-)vacuity Given a circuit M, an STE assertion A C and an STE result (either fail or pass), our purpose is to find an assignment φ to V and an execution of M that satisfies all the constraints in φ(a) 102

Detecting (non-)vacuity In Addition: In case of pass, φ should also impose requirements in C In case of fail, the execution should constitute a counterexample 103

Detecting (non-)vacuity We developed two different algorithms for detecting vacuity / non-vacuity: An algorithm that uses BMC and runs on the concrete circuit. An algorithm that uses STE and automatic refinement. 104

Detecting (non-)vacuity using BMC 1. Transform A into an LTL formula 2. Encode M and A as a BMC formula 3. In case of fail STE result, add the counterexample as a constraint to the BMC formula 4. In case of pass STE result, add constraints to enforce at least one requirement in C 5. Return vacuous if and only if the resulting formula is unsatisfiable 105

Detecting (non-)vacuity using BMC Main drawback: no abstraction is used We would like to detect vacuity while utilizing STE abstraction 106

Detecting (non-)vacuity using STE A in A out is a new STE assertion, where A in includes all constraints on inputs in A, and A out includes the constraints on internal nodes in A Run STE on A in A out. Let Φ denote the set of assignments to V for which [M A in ² A out ]=1 107

Detecting (non-)vacuity using STE (cont.) 1. In case [M A ² C]=1: If there is an assignment in Φ that imposes a requirement in C, return pass non vacuously 2. In case [M A ² C]=0: If there exists φ Φ and φ so that [φ,m A ² C]=0 and (φ.φ is satisfiable), return fail non vacuously 108

Detecting (non-)vacuity using STE (cont.) 3. If there is no φ so that [φ, M A in ²A out ]=X, return vacuous 4. Refine A in A out and return to step 2 109

Summary What makes STE successful? The combination of: Symbolic simulation Abstraction Local (dual rail) BDD implementation 110

Conclusion and future work Generalized STE (GSTE) extends STE by providing a specification language which is as expressive as ω- regular languages. Other directions: automatic refinement for GSTE (FMCAD 07) Vacuity definition and detection for GSTE SAT-based STE (ATVA 2007) New specification language for GSTE (FMCAD 07) 111

References Model Checking Model checking E. Clarke, O. Grumberg, D. Peled, MIT Press, 1999. Abstraction-refinement in model checking Counterexample-guided abstraction refinement for symbolic model checking E. Clarke, O. Grumberg, S. Jha, Y. Lu, H. Veith, JACM 50(5): 752-794 (2003) Vacuity in model checking Efficient detection of vacuity in temporal model checking I. Beer, S. Ben-David, C. Eisner, Y. Rodeh, Formal Methods in System Design, 18, 2001. 112

References STE Formal verification by symbolic evaluation of partiallyordered trajectories C-J. Seger and R. Bryant, Formal Methods in System Design, 6(2), 1995. FORTE An industrially effective environment for formal hardware verification C-J Seger, R. Jones, J. O Leary, T. Melham, M. Aagaard, C. Barrett, D. Syme, IEEE transactions on Computer-Aided Design of Integrated Circuits and Systems, 24(9), 2005 FORTE http://www.intel.com/software/products/opensource/tools1 /verification 113

References Refinement in STE Automatic refinement and vacuity detection for symbolic trajectory evaluation R. Tzoref and O. Grumberg, CAV 06 R. Tzoref, Master thesis, Technion, Haifa, 2006 SAT-based assistance in abstraction refinement for symbolic trajectory evaluation J-W. Roorda and K. Claessen, CAV 06 GSTE Introduction to generalized symbolic trajectory evaluation J. Yang and C-J. Seger, IEEE transactions on very large scale integrated systems, 11(3), 2003. 114

THE END 115

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback