Upload
tyrone
View
25
Download
0
Embed Size (px)
DESCRIPTION
Compositional Specification and Verification in GSTE. Jin Yang, joint work with Carl Seger Strategic CAD Labs, Intel Corp. CMU March 23, 2004. Motivation. GSTE combines high capacity of STE with expressive power of traditional model checking (YS ICCD’00) - PowerPoint PPT Presentation
Citation preview
1Inventing IC design technologies that will be vital to Intel
SSCCLL
Compositional Compositional Specification and Specification and
Verification Verification in GSTEin GSTE
Jin Yang, Jin Yang, joint work with Carl Segerjoint work with Carl SegerStrategic CAD Labs, Intel Corp.Strategic CAD Labs, Intel Corp.
CMUCMUMarch 23, 2004March 23, 2004
GSTE2
MotivationMotivation
GSTEGSTE combines high capacity of STE with expressive combines high capacity of STE with expressive
power of traditional model checking (YS ICCD’00)power of traditional model checking (YS ICCD’00) provides a multi-dim. approach to achieve high provides a multi-dim. approach to achieve high
capacity while maintaining accuracy (YS FMCAD’02)capacity while maintaining accuracy (YS FMCAD’02) has been used by FVers for > 1 year successfully on has been used by FVers for > 1 year successfully on
next-gen. Intel next-gen. Intel -processors (Schubert ICCAD’03)-processors (Schubert ICCAD’03) part of FORTE public releasepart of FORTE public release
HoweverHowever assertion graph specification in GSTE is inherently assertion graph specification in GSTE is inherently
sequential but circuit behavior may be concurrentsequential but circuit behavior may be concurrent … … … …
GSTE3
Sequential Ex.: MemorySequential Ex.: Memory
1024 x 64Memory
wren
din[63:0]
addr[9:0]rden
dout[63:0]
vI v1v2
( wren & addr[9:0] = A[9:0] & din[63:0] = D[63:0], true )
( rden & addr[9:0] = A[9:0], dout[63:0] = D[63:0] )
( !wren | addr[9:0] != A[9:0], true )
antecedentconsequent
“Always read from a cell the most recently written data”
GSTE4
Concurrent Ex.: Voting MachineConcurrent Ex.: Voting Machinereset
avail[1]vote[1]
avail[2]vote[2]
avail[3]vote[3]
voutVoting
Machine
– a vote can be accepted at station a vote can be accepted at station ii (through (through vote[i]=1,2,3vote[i]=1,2,3) ) when it is availablewhen it is available
– it outputs a voting result (it outputs a voting result (vout=f(vote[1], vote[2], vote[3]vout=f(vote[1], vote[2], vote[3]) as ) as soon as all three votes are in, and then makes the stations soon as all three votes are in, and then makes the stations available for next round. available for next round.
2
2
2
2
GSTE5
Voting Machine (cont.)Voting Machine (cont.)
Specification using an assertion graph causes Specification using an assertion graph causes exponential complexityexponential complexity– order 1:order 1: vote[1], …, vote[2], …, vote[3] vote[1], …, vote[2], …, vote[3]
– order 2:order 2: vote[1], …, vote[3], …, vote[2] vote[1], …, vote[3], …, vote[2]
– … … … …
SolutionSolution– concurrent extension to assertion graphs concurrent extension to assertion graphs
– implementation independentimplementation independent
– utilizing and guiding GSTE model checkingutilizing and guiding GSTE model checking
– (future) ability to reason about specifications (future) ability to reason about specifications
GSTE6
Basics: Domain And TraceBasics: Domain And Trace
DomainDomainDD
– a finite non-empty alphabeta finite non-empty alphabet
e.g., the set of states in a FSM (circuit)e.g., the set of states in a FSM (circuit)
– P(D)P(D) – power set of – power set of DD
e.g., all subsets of states (state predicates) in FSMe.g., all subsets of states (state predicates) in FSM
TraceTrace
= d= d11dd22dd33……
– an infinite word in an infinite word in DD
e.g.,e.g., an infinite state sequence (trace) in FSMan infinite state sequence (trace) in FSM
GSTE7
Basics: Assertion AlphabetBasics: Assertion Alphabet
Assertion alphabetAssertion alphabet = P(D) = P(D) P(D) P(D)
– set ofset of antecedent/consequence pairsantecedent/consequence pairs
= (D= (D11,D,D22)) – assertion letter – assertion letter
– antecedent:antecedent: ant(ant() = D) = D11
– consequent:consequent: cons(cons() = D) = D22
+
a[15:0]
b[15:0]
c[15:0]
( a[15:0] = A[15:0] & b[15:0] = B[15:0], c[15:0] = A[15:0] + B[15:0] )
GSTE8
Basics: Assertion LanguageBasics: Assertion Language
Assertion word - any word Assertion word - any word w = w = 1122……kk in in **
– STE assertion STE assertion assertion word assertion word
Assertion language - any set of words Assertion language - any set of words LL in in P(P( **))– assertion graph assertion graph regular assertion language regular assertion language
( wren & addr = A & din = D, true ) ( !wren | addr != A, true ) * ( rden & addr = A, dout = D )
vI v1v2
( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D )
( !wren | addr != A, true )
GSTE9
Basics: Trace SemanticsBasics: Trace Semantics
Trace SatisfiabilityTrace Satisfiability– trace trace satisfies a word satisfies a word P(D)*, P(D)*, ifif 11ii|||, |, (i) (i) [i][i]
Trace LanguageTrace Language– assertion wordassertion word
(w) = {(w) = {DD | | sat. ant(w) sat. ant(w) sat. cons(w) } sat. cons(w) }
– assertion language (for all semantics)assertion language (for all semantics)
(L) = (L) = wwLL (w)(w)
Theorem:Theorem:
LL1 1 L L2 2 (L(L11)) (L(L2 2 ))
““more words more words more restricted behavior” more restricted behavior”
GSTE10
The Meet OperatorThe Meet Operator
Meet of assertion letters:Meet of assertion letters:
( C( C11, C, C2 2 ) ) ( D ( D11, D, D2 2 )) = ( C= ( C11 D D11, C, C22 D D2 2 ))
Meet of assertion words:Meet of assertion words:
1122……kk ’’11’’
22……’’kk = ( = (11’’
11) () (22’’22) … () … (kk’’
kk))
Meet of assertion languages:Meet of assertion languages:
LL11 L L2 2 = { w= { w11 w w2 2 | w| w11 L L11, w, w22 L L22, |w, |w11| | == |w |w22| }| }
( vote[1]=1, true ) ( true, true ) ( true, true ) ( vote[2]=2, true ) ( vote[3]=2, true ) ( true, true )= ( vote[1]=1 & vote[3]=2, true ) ( vote[2]=2, true )
Parallel composition
GSTE11
Self ConsistencySelf Consistency Repeated applicationRepeated application
0 0 LL = L, = L, k k LL = (= ( k-1 k-1 L) L) L (k>0)L (k>0)
LemmaLemma
k k L L k+1 k+1 LL but but ( ( k k L ) = L ) = ( ( k+1 k+1 L )L )
– proof sketchproof sketch
– (w(w11 w w22 … … w wkk) ) w wkk = w = w11 w w22 … … w wkk
– w w w w’’ may be new, but may be new, but (w) (w) (w(w’’) ) (w (w w w’’))
Theorem (about limit)Theorem (about limit)
L L kk0 0 k k LL but but (( L ) = L ) = ( ( kk0 0 k k LL ))
GSTE12
Compositional SpecificationCompositional Specification
Initialization:Initialization:
LL0 0 = = + L + L0 0 • • (D,D) (D,D)
Prefix: Prefix: (1(1i<h)i<h)
LLii = L = Ljj •• jj
Summation: Summation: (h(hi<l)i<l)
LLii = L = Lii11 … … … … L Liik k (0(0iijj<h)<h)
Meet: Meet: (l(li<n)i<n)
LLii = L = Lii1 1 … … … … L Liik k
(0(0iijj<l)<l)
Comment:• there is a unique solution to the system• very much like CCS but with new
GSTE13
Example 1: MemoryExample 1: Memory
vI v1v2
( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D )
( !wren | addr != A, true )
LLII = = + + LLII • • (true, true)(true, true)
LLI, 1I, 1 = L = LI I • • (wren & addr = A & din = D, true)(wren & addr = A & din = D, true)
LL1,11,1 = L = L11 • • (!wren | addr != A, true)(!wren | addr != A, true)
LL11 = L = LI, 1I, 1 L L1,1 1,1
LL22 = L = L1 1 • • (rden & addr = A, dout = D)(rden & addr = A, dout = D)
GSTE14
Example 2: Voting Machine (VM)Example 2: Voting Machine (VM)reset
avail[1]vote[1]
avail[2]vote[2]
avail[3]vote[3]
voutVoting
Machine
– a vote can be accepted at station a vote can be accepted at station ii (through (through vote[i]=1,2,3vote[i]=1,2,3) ) when it is availablewhen it is available
– it outputs a voting result (it outputs a voting result (vout=f(vote[1], vote[2], vote[3]vout=f(vote[1], vote[2], vote[3]) as ) as soon as all three votes are in, and then makes the stations soon as all three votes are in, and then makes the stations available for next round. available for next round.
2
2
2
2
GSTE15
Example 2 (cont)Example 2 (cont)
LLinitinit = = + L + Linit init • • (true, true)(true, true)
LLreadyready[i] = L[i] = Linit init • • (reset, true) (reset, true)
(L(Lreadyready[i][i] LLpollpoll) ) • • (reset | vote[i]=0, avail[i])(reset | vote[i]=0, avail[i])
LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i])
LLvotedvoted[i] = ([i] = ((L(Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])
LLwaitwait = = 11ii33 L Lreadyready[i][i]
LLpollpoll = = 11ii33 (L (Lvotingvoting[i][i] ( ( jjii(L(Lvotingvoting[j] [j] LLvotedvoted[i])))[i])))
LLoutpoutp = L = Lpoll poll • • (true, vote=f(V[1], V[2], V[3]))(true, vote=f(V[1], V[2], V[3]))
GSTE16
Model Checking Product Spec.Model Checking Product Spec.
Theorem (product specification)Theorem (product specification)
for any language for any language LL in the solution, in the solution, kk0 0 k k LL is regular is regular
– proof sketch k0
k (Lj • j) = (k0k Lj) • j
k0k (L1 L2) = (k0
k L1) (k0k L2) (k0
k L1) (k0k L2)
k0k (L1 L2) = (k0
k L1) (k0k L2)
• construct transitions for the states in P({k0k L1 , k0
k L2 , …, k0k
Ln})
– since since (L) = (L) = ((kk0 0 k k L)L), this effectively provides a precise , this effectively provides a precise GSTE model checking solution for each GSTE model checking solution for each LL in the solution in the solution
– but assertion graph for but assertion graph for kk00kkLL may be exponentially large may be exponentially large
Need more efficient solution !
GSTE17
ModelModel M = (S, R, L)M = (S, R, L)
– SS is a finite set of states is a finite set of states– R R S SSS is a transition relation s.t. is a transition relation s.t. s, s, s’, (s, s’) s’, (s, s’) R R– L: SL: SDD is a labeling function is a labeling function
SemanticsSemantics– run run
: N: NS S s.t.s.t. ii0, (0, ((i), (i), (i+1))(i+1))RR– trace languagetrace language
(M) = { L((M) = { L() | ) | is a run of M } is a run of M }
– satisfiability satisfiability M |= M |= 00iin n LLii::
(M) (M) ((00iin n LLii) )
Post-ImagePost-Imagepost(S’) = { s | post(S’) = { s | s’s’S’, s.t. (s’, s)S’, s.t. (s’, s)R }R }
GSTE18
Simulation RelationSimulation Relation
DefinitionDefinitionany mappingany mapping
R: {LR: {L00, L, L11, …, L, …, Lnn} } P(S) P(S)
satisfying satisfying s s R(LR(Lii),), if if wwLLii, , of M s.t. of M s.t. (|w|)=s, L((|w|)=s, L() sat. ant(w)) sat. ant(w)
TheoremTheorem
LLii = L = Ljj • • , L(R(L, L(R(Lii)) )) cons( cons() ) M |= M |= 00iin n LLi i
GSTE19
compGSTEcompGSTE
InitializationInitialization
for all Lfor all Lii, R(L, R(Lii) := { };) := { };
Fix-point iterationFix-point iterationrepeatrepeat– RR’’ := R; := R;
– for all Lfor all Lii, case, case– LLii = L = L00: R(L: R(Lii) := S; ) := S;
– LLii = = LLjj • • : if : if LLjj=L=L0 0 then R(Lthen R(Ljj) := {s | L(s)) := {s | L(s)ant(ant()})}
else R(Lelse R(Ljj) := post(R) := post(R’’(L(Ljj)) )) {s | L(s) {s | L(s)ant(ant()};)};
if if ((L(R(LL(R(Lii)) )) cons( cons()) then return false;)) then return false;
– LLii = = j j LLjj: R: R(L(Ljj) := ) := j j R’(LR’(Ljj); );
– LLii = = j j LLjj: R: R(L(Ljj) := ) := j j R’(LR’(Ljj););
until R = R’;until R = R’;
return true;return true;
GSTE20
Ex: VM ImplementationEx: VM Implementation
vout
+
2
0 =
avail[1]
vote[1]
2
0 =
avail[2]
vote[2]
2
0 =
avail[3]
vote[3]
f
mu
x
0
vote_in[1]
vote_in[2]
vote_in[3]
voted[1]
voted[2]
voted[3]
reset
clear
clr
clr
clr
en
en
en
GSTE21
Ex: VM Model CheckingEx: VM Model Checking
vout
+
2
0
avail[i]
vote[i] f
mu
x
0
vote_in[i]
voted[i]
reset
clear
… …
… …
en
clr
LLinitinit
=
LLreadyready[i][i]
LLvotingvoting[i][i]
LLwaitwait
LLpollpoll
LLoutpoutp
1. true1. true
LLinitinit = = + L + Linit init • • (true, true)(true, true)
LLreadyready[i] = L[i] = Linit init • • (reset, true) (reset, true)
(L(Lreadyready[i][i] LLpollpoll) ) • • (reset | vote[i]=0, avail[i])(reset | vote[i]=0, avail[i])
LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i]) LLvotedvoted[i] = ((L[i] = ((Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])
LLwaitwait = = 11ii33 L Lreadyready[i][i]
LLpollpoll = = 11ii33 (L (Lvotingvoting[i][i] ( ( jjii(L(Lvotingvoting[j] [j] LLvotedvoted[i])))[i])))
LLoutpoutp = L = Lpoll poll • • (true, vote=f(V[1], V[2], V[3]))(true, vote=f(V[1], V[2], V[3]))
LLvotedvoted[i][i]
GSTE22
Ex: VM Model CheckingEx: VM Model Checking
vout
+
2
0
avail[i]
vote[i] f
mu
x
0
vote_in[i]
voted[i]
reset
clear
… …
… …
en
clr
LLinitinit
=
LLreadyready[i][i]
LLvotingvoting[i][i]
LLwaitwait
LLpollpoll
LLoutpoutp
2. true2. true
LLinitinit = = + L + Linit init • • (true, true)(true, true)
LLreadyready[i] = L[i] = Linit init • • (reset, true) (reset, true)
(L(Lreadyready[i][i] LLpollpoll) ) • • (reset | vote[i]=0, avail[i])(reset | vote[i]=0, avail[i])
LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i]) LLvotedvoted[i] = ((L[i] = ((Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])
LLwaitwait = = 11ii33 L Lreadyready[i][i]
LLpollpoll = = 11ii33 (L (Lvotingvoting[i][i] ( ( jjii(L(Lvotingvoting[j] [j] LLvotedvoted[i])))[i])))
LLoutpoutp = L = Lpoll poll • • (true, vote=f(V[1], V[2], V[3]))(true, vote=f(V[1], V[2], V[3]))
LLvotedvoted[i][i]
2. reset2. reset
GSTE23
Ex: VM Model CheckingEx: VM Model Checking
vout
+
2
0
avail[i]
vote[i] f
mu
x
0
vote_in[i]
voted[i]
reset
clear
… …
… …
en
clr
LLinitinit
=
LLreadyready[i][i]
LLvotingvoting[i][i]
LLwaitwait
LLpollpoll
LLoutpoutp
3. true3. true
LLinitinit = = + L + Linit init • • (true, true)(true, true)
LLreadyready[i] = L[i] = Linit init • • (reset, true) (reset, true)
(L(Lreadyready[i][i] LLpollpoll) ) • • (reset | vote[i]=0, avail[i])(reset | vote[i]=0, avail[i])
LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i]) LLvotedvoted[i] = ((L[i] = ((Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])
LLwaitwait = = 11ii33 L Lreadyready[i][i]
LLpollpoll = = 11ii33 (L (Lvotingvoting[i][i] ( ( jjii(L(Lvotingvoting[j] [j] LLvotedvoted[i])))[i])))
LLoutpoutp = L = Lpoll poll • • (true, vote=f(V[1], V[2], V[3]))(true, vote=f(V[1], V[2], V[3]))
LLvotedvoted[i][i]
3. reset | vote[i]=0 & vote_in[i]=03. reset | vote[i]=0 & vote_in[i]=0
3. !reset & vote[i]=V[i] & vote_in[i]=03. !reset & vote[i]=V[i] & vote_in[i]=0
GSTE24
Ex: VM Model CheckingEx: VM Model Checking
vout
+
2
0
avail[i]
vote[i] f
mu
x
0
vote_in[i]
voted[i]
reset
clear
… …
… …
en
clr
LLinitinit
=
LLreadyready[i][i]
LLvotingvoting[i][i]
LLwaitwait
LLpollpoll
LLoutpoutp
truetrue
LLinitinit = = + L + Linit init • • (true, true)(true, true)
LLreadyready[i] = L[i] = Linit init • • (reset, true) (reset, true)
(L(Lreadyready[i][i] LLpollpoll) ) • • (reset | vote[i]=0, avail[i])(reset | vote[i]=0, avail[i])
LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i]) LLvotedvoted[i] = ((L[i] = ((Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])
LLwaitwait = = 11ii33 L Lreadyready[i][i]
LLpollpoll = = 11ii33 (L (Lvotingvoting[i][i] ( ( jjii(L(Lvotingvoting[j] [j] LLvotedvoted[i])))[i])))
LLoutpoutp = L = Lpoll poll • • (true, vote=f(V[1], V[2], V[3]))(true, vote=f(V[1], V[2], V[3]))
LLvotedvoted[i][i]
reset | vote[i]=0 & vote_in[i]=0reset | vote[i]=0 & vote_in[i]=0
!reset & vote[i]=V[i] & vote_in[i]=0!reset & vote[i]=V[i] & vote_in[i]=0
!reset & vote_in[i]=V[i] & !reset & vote_in[i]=V[i] & j. … … j. … …
reset | reset | i.vote[i]=0 & vote_in[i]=0i.vote[i]=0 & vote_in[i]=0
i.!reset & vote[i]=V[i] & vote_in[i]=0 & i.!reset & vote[i]=V[i] & vote_in[i]=0 & jji.(vote[j]=V[j] | vote_in[j]=V[j])i.(vote[j]=V[j] | vote_in[j]=V[j])
i.vote_in[i]=V[i]i.vote_in[i]=V[i]
GSTE25
Brief DiscussionsBrief Discussions
compGSTE is approximatecompGSTE is approximate– sound but not completesound but not complete
– extended quaternary model abstraction (FMCAD 2002)extended quaternary model abstraction (FMCAD 2002)
Abstraction refinementAbstraction refinement– model refinement vs spec. refinement (FMCAD 2002)model refinement vs spec. refinement (FMCAD 2002)
– partial product construction on specifications (serialization)partial product construction on specifications (serialization)
Advantages over assume-guarantee based compositionAdvantages over assume-guarantee based composition– pure specification, implementation independentpure specification, implementation independent
– computed “intermediate assumptions”computed “intermediate assumptions”
– much less sensitive to implementation changesmuch less sensitive to implementation changes
GSTE26
Ex: Implementation ChangeEx: Implementation Change
2
vote[i]d
ecod
e
0123
0 bundle
vout
+
2
0
avail[i]
vote[i] f
mu
x
0
vote_in[i]
voted[i]
reset
clear
… …
… …
en
clr
=… …
… …
… …
1 bundle
2 bundle
3 bundle
vout
reset
avail[i]
Assume-guarantee based compositionAssume-guarantee based composition– re-partition the model, re-specify interface assumptionsre-partition the model, re-specify interface assumptions
– re-run model checkingre-run model checking
compGSTEcompGSTE– specification unchanged, only re-run model checkingspecification unchanged, only re-run model checking
GSTE27
Industrial Ex.: Resource SchedulerIndustrial Ex.: Resource Scheduler
Specification: Specification:
when resource is available (avail = 1), schedule the oldest ready uop when resource is available (avail = 1), schedule the oldest ready uop handling 10 uops at a time, >1k state elements, >17000 gateshandling 10 uops at a time, >1k state elements, >17000 gates priority matrix, CAM, decision logic, power-saving feature etc.priority matrix, CAM, decision logic, power-saving feature etc.
CAM
receiving
log
ic
priority matrix
ready lo
gic
Stag
ing
an
d
CA
M m
atc
h
sched
ulin
g lo
gic
Deliverin
g lo
gic
uop
alloc
ready
avail
init
out
sched
wrback
GSTE28
Main ResultMain Result
Previous work w/ a state-of-art in-house symbolic model checkerPrevious work w/ a state-of-art in-house symbolic model checker– hundreds of small local properties hundreds of small local properties
– only on the priority matrix only on the priority matrix
Compositional specification (top down)Compositional specification (top down)– schedule uop[i], if “schedule uop[i], if “uop[i] is the oldest readyuop[i] is the oldest ready” and resource is available” and resource is available
– uop[i] is oldest ready, if “uop[i] is oldest ready, if “uop[i] is readyuop[i] is ready” and for all j ” and for all j i ( i (j j i i), either “), either “uop[j] uop[j] is not readyis not ready” or “” or “uop[i] arrived earlier than uop[j]uop[i] arrived earlier than uop[j]””
– … …
– < 50 boolean variables for >1k state elements< 50 boolean variables for >1k state elements
Compositional model checking Compositional model checking – 122.5 seconds, 36M on P4 1.5GHz122.5 seconds, 36M on P4 1.5GHz
– scalable - O(logscalable - O(log22 #uops), BDD was not a bottle-neck! #uops), BDD was not a bottle-neck!
Detailed work is in writingDetailed work is in writing– hopefully in time for ICCADhopefully in time for ICCAD
GSTE29
ConclusionConclusion
Summary of the compositional approachSummary of the compositional approach– compositional specification to handle concurrencycompositional specification to handle concurrency
– efficient compositional model checkingefficient compositional model checking
– implementation independentimplementation independent
– building for reasoningbuilding for reasoning
Future workFuture work– reasoning about compositional specificationsreasoning about compositional specifications
– extension to handle parameterized specificationextension to handle parameterized specification