Compositional Specification and Verification in GSTE - PowerPoint PPT Presentation

Description: Specification using an assertion graph causes exponential complexity ... utilizing and guiding GSTE model checking (future) ability to reason about specifications ... – PowerPoint PPT presentation

Slides: 30
Provided by: jiny
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes


1
Compositional Specification and Verification in GSTE
  • Jin Yang, joint work with Carl Seger
  • Strategic CAD Labs, Intel Corp.
  • CMU
  • March 23, 2004

2
Motivation
  • GSTE
  • combines the high capacity of STE with the expressive power of traditional model checking (YS ICCD00)
  • provides a multi-dimensional approach to achieve high capacity while maintaining accuracy (YS FMCAD02)
  • has been used by FVers (formal verification engineers) for > 1 year successfully on next-gen. Intel µ-processors (Schubert ICCAD03)
  • part of the FORTE public release
  • However
  • assertion graph specification in GSTE is inherently sequential, but circuit behavior may be concurrent

3
Sequential Ex. Memory
  • 1024 x 64 memory with ports wren, rden, addr[9:0], din[63:0] and dout[63:0] (block diagram not reproduced)
  • property: always read from a cell the most recently written data
  • assertion graph with vertices $v_I$ (initial), $v_1$, $v_2$; every edge carries an (antecedent, consequent) pair
  • $v_I \to v_1$: $(wren \wedge addr[9{:}0] = A[9{:}0] \wedge din[63{:}0] = D[63{:}0],\ true)$
  • $v_1 \to v_1$: $(\neg wren \vee addr[9{:}0] \neq A[9{:}0],\ true)$
  • $v_1 \to v_2$: $(rden \wedge addr[9{:}0] = A[9{:}0],\ dout[63{:}0] = D[63{:}0])$
4
Concurrent Ex. Voting Machine
  • ports: reset; avail_i and vote_i for stations i = 1, 2, 3; output vout (block diagram not reproduced)
  • a vote can be accepted at station i (through vote_i, i = 1, 2, 3) when it is available (avail_i)
  • it outputs a voting result (vout = f(vote1, vote2, vote3)) as soon as all three votes are in, and then makes the stations available for the next round.

5
Voting Machine (cont.)
  • Specification using an assertion graph causes exponential complexity: every interleaving of the three votes needs its own path, e.g.
  • order 1: vote1, ..., vote2, ..., vote3
  • order 2: vote1, ..., vote3, ..., vote2
  • Solution
  • concurrent extension to assertion graphs
  • implementation independent
  • utilizing and guiding GSTE model checking
  • (future) ability to reason about specifications

6
Basics: Domain And Trace
  • Domain
  • $D$: a finite non-empty alphabet, e.g. the set of states in a FSM (circuit)
  • $\mathcal{P}(D)$: the power set of $D$, e.g. all subsets of states (state predicates) in the FSM
  • Trace
  • $\sigma = d_1 d_2 d_3 \ldots$: an infinite word in $D^\omega$, e.g. an infinite state sequence (trace) in the FSM

7
Basics: Assertion Alphabet
  • Assertion alphabet $\Sigma = \mathcal{P}(D) \times \mathcal{P}(D)$: the set of antecedent/consequent pairs
  • $\alpha = (D_1, D_2) \in \Sigma$: assertion letter
  • antecedent $ant(\alpha) = D_1$
  • consequent $cons(\alpha) = D_2$

8
Basics: Assertion Language
  • Assertion word: any word $w = \alpha_1 \alpha_2 \ldots \alpha_k$ in $\Sigma^*$
  • STE assertion $\equiv$ assertion word
  • Assertion language: any set of words $L$ in $\mathcal{P}(\Sigma^*)$
  • assertion graph $\equiv$ regular assertion language

9
Basics: Trace Semantics
  • Trace satisfiability
  • trace $\sigma$ satisfies a word $\rho \in \mathcal{P}(D)^*$ if $\forall 1 \le i \le |\rho|,\ \sigma(i) \in \rho_i$
  • Trace language
  • assertion word: $\mathcal{L}(w) = \{ \sigma \in D^\omega \mid \sigma \text{ sat. } ant(w) \Rightarrow \sigma \text{ sat. } cons(w) \}$
  • assertion language (for-all semantics): $\mathcal{L}(L) = \bigcap_{w \in L} \mathcal{L}(w)$
  • Theorem
  • $L_1 \subseteq L_2 \Rightarrow \mathcal{L}(L_1) \supseteq \mathcal{L}(L_2)$
  • more words $\Rightarrow$ more restricted behavior

10
The Meet Operator
  • Meet of assertion letters
  • $(C_1, C_2) \sqcap (D_1, D_2) = (C_1 \cap D_1,\ C_2 \cap D_2)$
  • Meet of assertion words (of equal length)
  • $\alpha_1 \alpha_2 \ldots \alpha_k \sqcap \beta_1 \beta_2 \ldots \beta_k = (\alpha_1 \sqcap \beta_1)(\alpha_2 \sqcap \beta_2) \ldots (\alpha_k \sqcap \beta_k)$
  • Meet of assertion languages
  • $L_1 \sqcap L_2 = \{ w_1 \sqcap w_2 \mid w_1 \in L_1,\ w_2 \in L_2,\ |w_1| = |w_2| \}$

11
Self Consistency
  • Repeated application
  • $\sqcap^0 L = L$, $\sqcap^k L = (\sqcap^{k-1} L) \sqcap L$ $(k > 0)$
  • Lemma
  • $\sqcap^k L \subseteq \sqcap^{k+1} L$ but $\mathcal{L}(\sqcap^k L) = \mathcal{L}(\sqcap^{k+1} L)$
  • proof sketch
  • $(w_1 \sqcap w_2 \sqcap \ldots \sqcap w_k) \sqcap w_k = w_1 \sqcap w_2 \sqcap \ldots \sqcap w_k$ (the meet is idempotent), so every word of $\sqcap^k L$ is also a word of $\sqcap^{k+1} L$
  • $w \sqcap w'$ may be new, but $\mathcal{L}(w) \cap \mathcal{L}(w') \subseteq \mathcal{L}(w \sqcap w')$, so the new words restrict nothing further
  • Theorem (about the limit)
  • $L \subseteq \bigcup_{k \ge 0} \sqcap^k L$ but $\mathcal{L}(L) = \mathcal{L}(\bigcup_{k \ge 0} \sqcap^k L)$
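
The meet operator (slide 10), its repeated application and the lemma above, as an added worked example that is not part of the talk: a small Python model over a constructed four-element domain whose states are (x, y) bit pairs. The predicates X0, X1, Y0, Y1 and the three assertion words w1, w2, w3 are made up for the example. Because satisfying an assertion word only inspects the first |w| letters of a trace, the trace language is compared through its length-n prefixes, which determine it exactly once n is at least the longest word. The inconsistent_words check is an addition: it reports words the meet closure exposes whose consequent is empty, i.e. behaviour the specification forbids outright.

```python
from itertools import product

# Constructed toy domain D: a circuit "state" is a pair (x, y), x an input bit,
# y an output bit.  State predicates are subsets of D.
D = frozenset(product((0, 1), repeat=2))
TOP = D                                         # the predicate "true"
X0 = frozenset(s for s in D if s[0] == 0)       # x = 0
X1 = frozenset(s for s in D if s[0] == 1)       # x = 1
Y0 = frozenset(s for s in D if s[1] == 0)       # y = 0
Y1 = frozenset(s for s in D if s[1] == 1)       # y = 1

# Assertion letter: (antecedent, consequent).  Assertion word: tuple of letters.
# Assertion language: frozenset of words.


def meet_letter(a, b):
    """(C1, C2) ⊓ (D1, D2) = (C1 ∩ D1, C2 ∩ D2)."""
    return (a[0] & b[0], a[1] & b[1])


def meet_word(w1, w2):
    """Letter-wise meet of two words of equal length."""
    if len(w1) != len(w2):
        raise ValueError("meet is only defined for words of equal length")
    return tuple(meet_letter(a, b) for a, b in zip(w1, w2))


def meet_lang(L1, L2):
    """L1 ⊓ L2 = { w1 ⊓ w2 | w1 ∈ L1, w2 ∈ L2, |w1| = |w2| }."""
    return frozenset(meet_word(w1, w2)
                     for w1 in L1 for w2 in L2 if len(w1) == len(w2))


def meet_power(L, k):
    """⊓^0 L = L,  ⊓^k L = (⊓^(k-1) L) ⊓ L."""
    result = frozenset(L)
    for _ in range(k):
        result = meet_lang(result, L)
    return result


def satisfies(trace, rho):
    """σ satisfies ρ ∈ P(D)* iff σ(i) ∈ ρ_i at every position of ρ."""
    return all(trace[i] in rho[i] for i in range(len(rho)))


def trace_language(L, n):
    """Finite stand-in for 𝓛(L) = ∩_{w∈L} 𝓛(w): the length-n trace prefixes
    on which every w ∈ L holds (sat. ant(w) ⇒ sat. cons(w)).  For n ≥ max |w|
    this set determines 𝓛(L) exactly, since 𝓛(L) = trace_language(L, n) · D^ω."""
    if any(len(w) > n for w in L):
        raise ValueError("n must be at least the length of every word in L")
    return frozenset(
        sigma for sigma in product(sorted(D), repeat=n)
        if all(not satisfies(sigma, tuple(a for a, _ in w))
               or satisfies(sigma, tuple(c for _, c in w))
               for w in L))


def inconsistent_words(L):
    """Words whose antecedents are all non-empty but whose consequent is empty at
    some position: every trace matching the antecedents violates the word, so the
    specification forbids that behaviour outright.  The meet closure surfaces these."""
    return frozenset(w for w in L
                     if all(a for a, _ in w) and any(not c for _, c in w))


# Constructed example language over D (three hand-written assertion words):
#   w1: x = 1 at step 1  ⇒  y = 1 at step 2
#   w2: x = 0 at step 2  ⇒  y = 0 at step 2
#   w3: x = 0 at step 1  ⇒  y = 0 at step 1   (shorter, so never met with w1/w2)
w1 = ((X1, TOP), (TOP, Y1))
w2 = ((TOP, TOP), (X0, Y0))
w3 = ((X0, Y0),)
L = frozenset({w1, w2, w3})


def closure_report(L, n):
    """Apply ⊓ until the language stops growing; return the closure, the number
    of rounds it took, and whether the trace language stayed unchanged (lemma)."""
    base = trace_language(L, n)
    current, k = frozenset(L), 0
    while True:
        nxt = meet_lang(current, L)
        if nxt == current:
            return current, k, trace_language(current, n) == base
        current, k = nxt, k + 1


if __name__ == "__main__":
    closure, rounds, same = closure_report(L, 2)
    print(f"{len(L)} words -> {len(closure)} words after {rounds} round(s); "
          f"trace language unchanged: {same}")
    for w in inconsistent_words(closure):
        print("inconsistent word exposed by the meet:", w)
```

Running it shows the lemma concretely: w1 ⊓ w2 is a new word whose second consequent is Y1 ∩ Y0 = ∅, the closure is reached after one round, and the trace language is the same 5 length-2 prefixes before and after. The new word is not a restriction the meet invented; it makes explicit that w1 and w2 together already forbid any trace with x = 1 at step 1 and x = 0 at step 2, which is exactly the kind of over-constraint a specification author wants surfaced before model checking.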

12
Compositional Specification
  • Initialization
  • $L_0 = \epsilon + L_0 \cdot (D, D)$
  • Prefix ($1 \le i < h$)
  • $L_i = L_j \cdot \alpha_j$ for some $L_j$ and letter $\alpha_j \in \Sigma$
  • Summation ($h \le i < l$)
  • $L_i = L_{i_1} + \ldots + L_{i_k}$ $(0 \le i_j < h)$
  • Meet ($l \le i < n$)
  • $L_i = L_{i_1} \sqcap \ldots \sqcap L_{i_k}$ $(0 \le i_j < l)$
  • Comment
  • there is a unique solution to the system
  • very much like CCS but with the new operator $\sqcap$

13
Example 1: Memory
  • $L_I = \epsilon + L_I \cdot (true,\ true)$
  • $L_{I,1} = L_I \cdot (wren \wedge addr = A \wedge din = D,\ true)$
  • $L_{1,1} = L_1 \cdot (\neg wren \vee addr \neq A,\ true)$
  • $L_1 = L_{I,1} + L_{1,1}$
  • $L_2 = L_1 \cdot (rden \wedge addr = A,\ dout = D)$

14
Example 2: Voting Machine (VM)
  • the voting machine of slide 4 (same ports, same block diagram and behaviour)

15
Example 2 (cont.)
  • $L_{init} = \epsilon + L_{init} \cdot (true,\ true)$
  • $L_{ready_i} = L_{init} \cdot (reset,\ true) + (L_{ready_i} + L_{poll}) \cdot (reset \vee vote_i = 0,\ avail_i)$
  • $L_{voting_i} = (L_{ready_i} + L_{poll}) \cdot (\neg reset \wedge vote_i = V_i > 0,\ avail_i)$
  • $L_{voted_i} = ((L_{voting_i} + L_{voted_i}) \sqcap L_{wait}) \cdot (\neg reset,\ \neg avail_i)$
  • $L_{wait} = \sum_{1 \le i \le 3} L_{ready_i}$
  • $L_{poll} = \sum_{1 \le i \le 3} \big( L_{voting_i} \sqcap \sqcap_{j \neq i} (L_{voting_j} + L_{voted_j}) \big)$
  • $L_{outp} = L_{poll} \cdot (true,\ vout = f(V_1, V_2, V_3))$

16
Model Checking Product Spec.
  • Theorem (product specification)
  • for any language $L$ in the solution, $\bigcup_{k \ge 0} \sqcap^k L$ is regular
  • proof sketch
  • $\bigcup_{k \ge 0} \sqcap^k (L_j \cdot \alpha_j) = (\bigcup_{k \ge 0} \sqcap^k L_j) \cdot \alpha_j$
  • $\bigcup_{k \ge 0} \sqcap^k (L_1 + L_2) = (\bigcup_{k \ge 0} \sqcap^k L_1) + (\bigcup_{k \ge 0} \sqcap^k L_2) + (\bigcup_{k \ge 0} \sqcap^k L_1) \sqcap (\bigcup_{k \ge 0} \sqcap^k L_2)$
  • $\bigcup_{k \ge 0} \sqcap^k (L_1 \sqcap L_2) = (\bigcup_{k \ge 0} \sqcap^k L_1) \sqcap (\bigcup_{k \ge 0} \sqcap^k L_2)$
  • construct transitions for the states in $\mathcal{P}(\bigcup_{k \ge 0} \sqcap^k L_1,\ \bigcup_{k \ge 0} \sqcap^k L_2,\ \ldots,\ \bigcup_{k \ge 0} \sqcap^k L_n)$
  • since $\mathcal{L}(L) = \mathcal{L}(\bigcup_{k \ge 0} \sqcap^k L)$, this effectively provides a precise GSTE model checking solution for each $L$ in the solution
  • but the assertion graph for $\bigcup_{k \ge 0} \sqcap^k L$ may be exponentially large

Need a more efficient solution!
17
Model
  • $M = (S, R, L)$
  • $S$ is a finite set of states
  • $R \subseteq S \times S$ is a transition relation s.t. $\forall s,\ \exists s',\ (s, s') \in R$
  • $L: S \to D$ is a labeling function
  • Semantics
  • run: $\sigma: \mathbb{N} \to S$ s.t. $\forall i \ge 0,\ (\sigma(i), \sigma(i+1)) \in R$
  • trace language: $\mathcal{L}(M) = \{ L(\sigma) \mid \sigma \text{ is a run of } M \}$
  • satisfiability: $M \models \sum_{0 \le i \le n} L_i$ iff $\mathcal{L}(M) \subseteq \mathcal{L}(\sum_{0 \le i \le n} L_i)$
  • Post-Image
  • $post(S') = \{ s' \mid \exists s \in S',\ (s, s') \in R \}$

18
Simulation Relation
  • Definition
  • any mapping $\mathcal{R}: \{L_0, L_1, \ldots, L_n\} \to \mathcal{P}(S)$ (written $\mathcal{R}$ here to keep it apart from the transition relation $R$)
  • satisfying $s \in \mathcal{R}(L_i)$ if $\exists w \in L_i,\ \exists \sigma$ of $M$ s.t. $\sigma(|w|) = s$ and $L(\sigma)$ sat. $ant(w)$
  • Theorem
  • if for all $L_i = L_j \cdot \alpha$: $L(\mathcal{R}(L_i)) \subseteq cons(\alpha)$, then $M \models \sum_{0 \le i \le n} L_i$

19
compGSTE
  • Initialization
  • for all $L_i$: $\mathcal{R}(L_i) = \emptyset$
  • Fix-point iteration
  • repeat
  • $\mathcal{R}' = \mathcal{R}$
  • for all $L_i$, case
  • $L_i = L_0$: $\mathcal{R}(L_i) = S$
  • $L_i = L_j \cdot \alpha$: if $L_j = L_0$ then $\mathcal{R}(L_i) = \{ s \mid L(s) \in ant(\alpha) \}$ else $\mathcal{R}(L_i) = post(\mathcal{R}(L_j)) \cap \{ s \mid L(s) \in ant(\alpha) \}$; if $\neg (L(\mathcal{R}(L_i)) \subseteq cons(\alpha))$ then return false
  • $L_i = \sum_j L_j$: $\mathcal{R}(L_i) = \bigcup_j \mathcal{R}(L_j)$
  • $L_i = \sqcap_j L_j$: $\mathcal{R}(L_i) = \bigcap_j \mathcal{R}(L_j)$
  • until $\mathcal{R}' = \mathcal{R}$
  • return true
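
The compGSTE fix-point above, together with the model definition (slide 17), the simulation relation (slide 18) and the four equation shapes of slide 12, as an added runnable example that is not code from the talk or from FORTE: an explicit-state Python version run on a constructed 2-word by 1-bit instance of Example 1 (slide 13). The symbolic constants A and D are case-split into concrete values here, where GSTE would carry them symbolically in BDDs; the Memory class, its signal names and the read_bug switch (a read port that ignores addr, so that a check fails) are assumptions made for the example. The mapping the slide calls R is the dict R inside comp_gste.

```python
from itertools import product


class Memory:
    """Constructed toy model M = (S, R, L): a 2-word x 1-bit memory with a
    combinational read port.  A state is (m0, m1, wren, rden, addr, din): the
    memory contents plus the inputs sampled in that cycle.  L(s) exposes every
    signal, including dout = mem[addr].  read_bug=True wires dout to mem[0]
    regardless of addr, to show a failing check."""

    def __init__(self, read_bug=False):
        self.read_bug = read_bug
        self.S = frozenset(product((0, 1), repeat=6))

    def label(self, s):
        m0, m1, wren, rden, addr, din = s
        dout = m0 if self.read_bug else (m0, m1)[addr]
        return {"wren": wren, "rden": rden, "addr": addr, "din": din, "dout": dout}

    def post(self, states):
        """post(S') = { s' | exists s in S' with (s, s') in R }: a pending write
        takes effect, the next cycle's inputs are unconstrained (so R is total)."""
        out = set()
        for m0, m1, wren, rden, addr, din in states:
            mem = [m0, m1]
            if wren:
                mem[addr] = din
            for inputs in product((0, 1), repeat=4):
                out.add((mem[0], mem[1]) + inputs)
        return frozenset(out)


# A compositional specification is a dict name -> equation in the four shapes of
# slide 12: ("init",), ("prefix", L_j, ant, cons), ("sum", [...]), ("meet", [...]).
# ant and cons are predicates over the labelling L(s).

def comp_gste(model, spec):
    """compGSTE (slide 19): compute the simulation relation R by fix-point
    iteration and check every prefix consequent.  Returns (True, None, None) or
    (False, name of the failing language, witness state)."""
    R = {name: frozenset() for name in spec}
    while True:
        prev = dict(R)
        for name, eq in spec.items():
            kind = eq[0]
            if kind == "init":
                R[name] = model.S
            elif kind == "prefix":
                _, src, ant, cons = eq
                sat_ant = frozenset(s for s in model.S if ant(model.label(s)))
                if spec[src][0] == "init":
                    R[name] = sat_ant
                else:
                    R[name] = model.post(R[src]) & sat_ant
                bad = [s for s in sorted(R[name]) if not cons(model.label(s))]
                if bad:
                    return False, name, bad[0]
            elif kind == "sum":
                R[name] = frozenset().union(*(R[j] for j in eq[1]))
            elif kind == "meet":
                R[name] = frozenset.intersection(*(R[j] for j in eq[1]))
        if R == prev:          # R only grows and S is finite, so this terminates
            return True, None, None


def memory_spec(A, Dv):
    """Example 1 of slide 13 for concrete values of the symbolic constants A and D
    (GSTE keeps them symbolic; this explicit-state version case-splits on them)."""
    true = lambda l: True
    return {
        "L_I":   ("init",),
        "L_I,1": ("prefix", "L_I",
                  lambda l: l["wren"] and l["addr"] == A and l["din"] == Dv, true),
        "L_1,1": ("prefix", "L_1",
                  lambda l: (not l["wren"]) or l["addr"] != A, true),
        "L_1":   ("sum", ["L_I,1", "L_1,1"]),
        "L_2":   ("prefix", "L_1",
                  lambda l: l["rden"] and l["addr"] == A,
                  lambda l: l["dout"] == Dv),
    }


def check_memory(model):
    """Run compGSTE for every instantiation of (A, D); return the failing pairs."""
    failures = []
    for A, Dv in product((0, 1), repeat=2):
        ok, _, _ = comp_gste(model, memory_spec(A, Dv))
        if not ok:
            failures.append((A, Dv))
    return failures


if __name__ == "__main__":
    print("correct memory, failing (A, D):", check_memory(Memory()))
    buggy = Memory(read_bug=True)
    print("read-bug memory, failing (A, D):", check_memory(buggy))
    ok, name, s = comp_gste(buggy, memory_spec(1, 1))
    print("first violation in", name, "at state", s, "labelled", buggy.label(s))
```

The correct memory passes for all four (A, D) cases; the read-bug variant fails exactly for A = 1, and the witness returned for L_2 is a state in which m1 holds the written value but dout shows m0, which points straight at the read port. Two caveats from slide 25 carry over: R is a set of states per language, so correlations between signals are lost and a reported failure can in general be spurious (sound, not complete); and a meet equation is handled by intersection, so the voting machine of slide 15 can be fed to the same function once its model is written in the same (S, label, post) shape.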

20
Ex: VM Implementation
  • block diagram (not reproduced): per station i, a vote_in_i register with en and clr inputs loaded from vote_i, a voted_i flag driving avail_i, a shared clear signal derived from reset, and a mux producing vout
21
Ex: VM Model Checking (slides 21 to 24)
  • the compositional specification of slide 15 is checked against the implementation of slide 20; the figures (not reproduced) annotate each language with the state predicate $L(\mathcal{R}(L))$ computed so far
  • iteration 1: $\mathcal{R}(L_{init})$: $true$
  • iteration 2: $\mathcal{R}(L_{ready_i})$: $reset$
  • iteration 3: $\mathcal{R}(L_{ready_i})$: $reset \vee (vote_i = 0 \wedge vote\_in_i = 0)$; $\mathcal{R}(L_{voting_i})$: $\neg reset \wedge vote_i = V_i \wedge vote\_in_i = 0$
  • fix point:
  • $\mathcal{R}(L_{ready_i})$: $reset \vee (vote_i = 0 \wedge vote\_in_i = 0)$
  • $\mathcal{R}(L_{voting_i})$: $\neg reset \wedge vote_i = V_i \wedge vote\_in_i = 0$
  • $\mathcal{R}(L_{voted_i})$: $\neg reset \wedge vote\_in_i = V_i \wedge \exists j. \ldots$ (truncated on the slide)
  • $\mathcal{R}(L_{wait})$: $reset \vee \exists i.\ (vote_i = 0 \wedge vote\_in_i = 0)$
  • $\mathcal{R}(L_{poll})$: $\exists i.\ \neg reset \wedge vote_i = V_i \wedge vote\_in_i = 0 \wedge \forall j \neq i.\ (vote_j = V_j \vee vote\_in_j = V_j)$
  • $\mathcal{R}(L_{outp})$: $\forall i.\ vote\_in_i = V_i$
25
Brief Discussions
  • compGSTE is approximate
  • sound but not complete
  • extended quaternary model abstraction (FMCAD
    2002)
  • Abstraction refinement
  • model refinement vs spec. refinement (FMCAD 2002)
  • partial product construction on specifications
    (serialization)
  • Advantages over assume-guarantee based
    composition
  • pure specification, implementation independent
  • computed intermediate assumptions
  • much less sensitive to implementation changes

26
Ex: Implementation Change
  • the VM re-implemented with the vote_i / avail_i signals grouped into bundles 0 to 3 feeding vout (block diagram not reproduced)
  • Assume-guarantee based composition
  • re-partition the model, re-specify interface
    assumptions
  • re-run model checking
  • compGSTE
  • specification unchanged, only re-run model
    checking

27
Industrial Ex. Resource Scheduler
  • Specification
  • when the resource is available (avail = 1), schedule the oldest ready uop
  • handles 10 uops at a time, > 1k state elements, > 17000 gates
  • priority matrix, CAM, decision logic, power-saving feature etc.

28
Main Result
  • Previous work w/ a state-of-the-art in-house symbolic model checker
  • hundreds of small local properties
  • only on the priority matrix
  • Compositional specification (top down)
  • schedule uop_i if uop_i is the oldest ready and the resource is available
  • uop_i is oldest ready if uop_i is ready and for all j ≠ i ($\sqcap_{j \neq i}$), either uop_j is not ready or uop_i arrived earlier than uop_j
  • < 50 boolean variables for > 1k state elements
  • Compositional model checking
  • 122.5 seconds, 36M on a P4 1.5GHz
  • scalable: O(log2 uops), BDD was not a bottleneck!
  • Detailed work is in writing
  • hopefully in time for ICCAD

29
Conclusion
  • Summary of the compositional approach
  • compositional specification to handle concurrency
  • efficient compositional model checking
  • implementation independent
  • building for reasoning
  • Future work
  • reasoning about compositional specifications
  • extension to handle parameterized specification

Thanks!