Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Published byAmia Cox Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems."— Presentation transcript:

1 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems

2 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Issue of scalability Model checking does not scale –State/BDD explosion –High asymptotic complexity (PSPACE complete) Can be applied –locally, to small modules –globally to simplified models Hence, model checking is mainly used as a debugging tool. How do we scale up the method so we can use it for verification, not refutation?

3 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional proof Idea: use proof techniques to reduce a property to easier, localized properties. property decomposition verification proof assistant model checker/ decision procedure abstraction

4 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Simple assume/guarantee proof Thus, we localize the verification process Note abstraction is needed to benefit from decomposition. p p q q AB pq verify using A verify using B

5 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Mutual property dependence What about the case of mutual dependence? Note, this doesnt work (why)? AB pq q p p q

6 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. q p p q Gp Gq Circular compositional proofs Let p q stand for if p up to time t-1, then q at t Equivalent in LTL of (p U q) Now we can reason as follows: That is, A only has to behave as long as B does, and vice-versa. verify using A verify using B

7 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Temporal case splitting p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... Idea: Split cases on most recent writer w at time t. : I'm O.K. at time t. Rule can be used to decompose large arrays i: G((w=i) ) G

8 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Combine with circular reasoning p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. To prove case w=i at time t, assume general case up to t-1: still have many cases to prove... i: ((w=i) ) G

9 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Reduction by symmetry p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. By symmetry, suffices to prove that writes by p 1 are O.K.: ((w=1) ) G verify using p 1

10 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Example -- simple pipeline Goal: prove equivalence to unpipelined model (modulo delay) 32 registers + bypass 32 bits control

11 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Direct approach by model checking Model checking completely intractable due to large number of state variables ( > 2048 ) reference model delay pipeline = ? ops

12 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Using reference model Ref. Model A B verify using A verify using B q p q p p q Gp Gq unpipelined version

13 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Decomposition for simple pipeline 32 registers + 32 bits control correct values from reference model p = operand correctness q = result correctness pq unit delay

14 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Lemmas in circular proof Operand correctness –prove Gp a and Gp b, where: p a is stage2.valid stage2.opra = stage2.aux.opra p b is stage2.valid stage2.oprb = stage2.aux.oprb Result correctness –prove Gp r, where: p a is stage2.valid stage2.res = stage2.aux.res p a p b p r p r p a p r p b Gp a Gp b Gp r

15 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction for operands Bit slicing results from "cone of influence reduction" (similarly in reference model) 32 registers + 32 bits control correct values from reference model check q p with this abstraction p q

16 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Resulting MC performance Operand correctness property 80 state variables 3rd order fit Result correctness property –easy: comparison of 32 bit adders

17 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Well, not really... That was a hand picked variable order Actually, BDD's blow up due to bad variable ordering –ordering based on topological distance

18 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Problem with topological ordering Register files should be interleaved, but this is not evident from topology bypass logic = ? results ref. reg. file impl. reg. file

19 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Sifting to the rescue (?) Lessons (?) : –Cannot expect to solve PSPACE problems reliably –Need a strategy to deal with heuristics failure Note: - Log scale - High variance

20 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Predictability and metrics Reducing the number of state variables 1 0 Verification probability # state bits decomposition –If heuristics fail, other reductions are available 2048 bits ? 80 bits ~600 orders of magnitude in state space size

21 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Case split for simple pipeline Show only correctness for operands fetched from register i Abstract remaining registers to "bottom" Result –23 state bits in model –Checking one case = ~1 sec What about the 32 cases? i: G(src a =i p a ) G p a )

22 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Exploiting symmetry Symmetric types –Semantics invariant under permutations of type. –Enforced by type checking rules. Symmetry reduction rule –Choose a set of representative cases under symmetry Type REG is symmetric –One representative case is sufficient (~1 sec) Time savings from case split: ~5 orders But wait, there's more...

23 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Data type reductions Problem: types with large ranges Solution: reduce large (or infinite) types where T\i represents all the values in T except i. Abstract interpretation

24 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Type reduction for simple pipeline Only register i is relevant Reduce type REG to two values: REG {i,REG\i} Number of state bits is now 11 Verification time is now independent of register file size. Note: can also abstract out arithmetic verification using uninterpreted functions...

25 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Overview of proof strategy Decompose structurally using circular compositional proof Parameterize to decompose large structures Reduce to finite number of cases using symmetry Reduce to bounded variables using data abstraction Check validity with model checker

26 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Effect of decomposition 1 0 Verification probability # state bits original system reduction –Manual decomposition produces order of magnitude reductions in number of state bits –Inflexion point in curve crossed very rapidly 2048 8411

27 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Tomasulos algorithm Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

28 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional proof Decompose into two lemmas OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE Lemma 1: Correct operands Lemma 2: Correct results Essentially the same lemmas as in the simple pipeline

29 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Refinement of cache protocol S/F network protocol host protocol host protocol host Distributed cache coherence INTF PP MIO to net Non-deterministic reference model Atomic actions Single address abstraction Verified coherence, etc...

30 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Mapping protocol to RTL S/F network protocol host other hosts Abstract model CAM TABLES refinement relations TAGS ~30K lines of Verilog

31 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Linear v. branching time Model checking v. compositional verification fixed modelfor all models Verification complexity (in formula size) compositional model checking CTLLTL linear EXP PSPACE In practice, with LTL, we can mostly recover linear complexity...

32 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional w/ branching Assume/guarantee [GL94] : –{q} M {p} means M satisfies p in all environments satisfying q. –For ACTL, check is exponential in q but linear in p –Compositional proof: {q} M 1 {r} {r} M 2 {p} {q} M 1 || M 2 {p} Problems: - limited expressiveness of ACTL - no circular proofs Thus, LTL is preferred for compositional.

33 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Theorem provers General purpose tools, characterized by –highly expressive logics –detailed user guidance Strategy: proof by invariant Tradeoff: –Q cannot be temporal temporal –Q can be first-order (not finite-state!) Q(0), Q(t) Q(t+1), Q(t) P(t) t: P(t)

34 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Decomposition of invariants Problem: invariants of complex systems (esp. with complex control) are very large. Solution: decompose invariants... i Q i (t) Q(t) Q 0 (0), Q(t) Q 0 (t+1) Q 1 (0), Q(t) Q 1 (t+1)... t: Q(t)

35 Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. TP v. CMC Compositional model checking –Temporal properties are free –Function symbols and quantifiers handles manually Theorem proving –Must use inductive invariants very complex for control-intensive systems –Function symbols and quantifiers are free So, TP tends to be good for arithmetic [MLK98], while CMC is good for control-dominated systems [Eir98].

Download ppt "Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.

1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Compositional Methods and Symbolic Model Checking

Compositional Methods and Symbolic Model Checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Introduction to Model Checking

Introduction to Model Checking
Part II Concepts.

Part II Concepts.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Completeness and Expressiveness

Completeness and Expressiveness
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Secret Sharing, Matroids, and Non-Shannon Information Inequalities.

Secret Sharing, Matroids, and Non-Shannon Information Inequalities.

Similar presentations

Ads by Google