Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Compositional Methods and Symbolic Model Checking Ken McMillan Cadence Berkeley Labs.

Similar presentations

Presentation on theme: "1 Compositional Methods and Symbolic Model Checking Ken McMillan Cadence Berkeley Labs."— Presentation transcript:

1 1 Compositional Methods and Symbolic Model Checking Ken McMillan Cadence Berkeley Labs

2 2 Compositional methods l Reduce large verification problems to small ones by –Decomposition –Abstraction –Specialization –etc. l Based on symbolic model checking l System level verification Will consider the implications of such an approach for symbolic model checking

3 3 Example -- Cache coherence S/F network protocol host protocol host protocol host Distributed cache coherence INTF PP MIO to net l Nondeterministic abstract model l Atomic actions l Single address abstraction l Verified coherence, etc... (Eiriksson 98)

4 4 S/F network protocol host other hosts Abstract model Refinement to RTL level CAM TABLES TAGS RTL implementation (~30K lines of verilog) refinement relations

5 5 Contrast to block level verification l Block verification approach to capacity problem –isolate small blocks –place ad hoc constraints on inputs l This is falsification because –constraints are not verified –block interactions not exposed to verification Result: FV does not replace any simulation activity

6 6 What are the implications for SMC? l Verification and falsification have different needs –Proof is as strong as its weakest link –Hence, approximation methods are not attractive. l Importance of predictability and metrics –Must have reliable decomposition strategies l Implications of using linear vs. branching time. pqrst

7 7 Predictability l Require metrics that predict model checking hardness –Most important is number of state variables 1 0 Verification probability verificationfalsification# state bits original systemreduction –Powerful MC can save steps, but is not essential –Predictability more important than capacity

8 8 Example -- simple pipeline l Goal: prove equivalence to unpipelined model (modulo delay) 32 registers + bypass 32 bits control

9 9 Direct approach by model checking l Model checking completely intractable due to large number of state variables ( > 2048 ) reference model delay pipeline = ? ops

10 10 Compositional refinement verification Abstract model System Translations

11 11 Localized verification Abstract model System Translations assumeprove

12 12 Localized verification Abstract model System Translations assume prove

13 13 Circular inference rule SPEC (related: AL 95, AH 96) 1 up to t -1 implies 2 up to t 2 up to t -1 implies 1 up to t always 1 and 2

14 14 Decomposition for simple pipeline 32 registers + 32 bits control correct values from reference model = operand correctness = result correctness

15 15 Lemmas in SMV l Operand correctness layer L1: if(stage2.valid){ stage2.opra := stage2.aux.opra; stage2.oprb := stage2.aux.oprb; stage2.res := stage2.aux.res; }

16 16 Effect of decomposition l Bit slicing results from "cone of influence reduction" (similarly in reference model) 32 registers + 32 bits control correct values from reference model proved assumed

17 17 Resulting MC performance l Operand correctness property 80 state variables 3rd order fit l Result correctness property –easy: comparison of 32 bit adders

18 18 NOT! l Previous slide showed hand picked variable order l Actually, BDD's blow up due to bad variable ordering –ordering based on topological distance

19 19 Problem with topological ordering Register files should be interleaved, but this is not evident from topology bypass logic = ? results ref. reg. file impl. reg. file

20 20 Sifting to the rescue (?) l Lessons (?) : –Cannot expect to solve PSPACE problems reliably –Need a strategy to deal with heuristic failure Note: - Log scale - High variance

21 21 Predictability and metrics l Reducing the number of state variables 1 0 Verification probability # state bits decomposition –If heuristics fail, other reductions are available 2048 bits ? 80 bits ~600 orders of magnitude in state space size

22 22 SPEC P PA Big structures and path splitting i

23 23 Temporal case splitting l Prove separately that p holds at all times when v = i. l Path splitting v record register index i

24 24 Case split for simple pipeline l Show only correctness for operands fetched from register i forall(i in REG) subcase L1[i] of stage2.opra//L1 for stage2.aux.srca = i; l Abstract remaining registers to "bottom" l Result –23 state bits in model –Checking one case = ~1 sec What about the 32 cases?

25 25 Exploiting symmetry l Symmetric types –Semantics invariant under permutations of type. –Enforced by type checking rules. l Symmetry reduction rule –Choose a set of representative cases under symmetry l Type REG is symmetric –One representative case is sufficient (~1 sec) l Estimated time savings from case split: 5 orders But wait, there's more...

26 26 Data type reductions l Problem: types with large ranges l Solution: reduce large (or infinite) types where T\i represents all the values in T except i. l Abstract interpretation

27 27 Type reduction for simple pipeline l Only register i is relevant l Reduce type REG to two values: using REG->{i} prove stage2.opra//L1[i]; l Number of state bits is now 11 l Verification time is now independent of register file size. Note: can also abstract out arithmetic verification using uninterpreted functions...

28 28 Effect of reduction 1 0 Verification probability # state bits original system reduction –Manual decomposition produces order of magnitude reductions in number of state bits –Inflexion point in curve crossed very rapidly 2048 8411

29 29 Desirata for model checking methods l Importance of predictability and metrics –Proof strategy based on reliable metric (# state bits) –Prefer reliable performance in given range to occasional success on large problems * e.g., stabilize variable ordering –Methods that diverge unpredictably for small problems are less useful (e.g., infinite state, widening) l Moderate performance improvements are not that important –Reduction steps gain multiple orders of magnitude l Approximations not appropriate * given PSPACE completeness

30 30 Linear v branching time l Model checking v compositional verification fixed modelfor all models l Verification complexity (in formula size) compositional model checking CTLLTL linear EXP PSPACE In practice, with LTL, we can mostly recover linear complexity...

31 31 Avoiding "tableau variables" l Problem: added state variables for LTL operators l Eliminating tableau variables –Push path quantifiers inward (LTL to CTL*) –Transition formulas (CTL+) –Extract transition and fairness constraints

32 32 Translating LTL to CTL* l Rewrite rules l In addition, if p is boolean, no rule By adding path quantifiers, we eliminate tableau variables

33 33 Rewrites that don't work p p p q q p p q

34 34 Examples l LTL formulas that translate to CTL formulas (note singly nested fixed point) l Incomplete rewriting (to CTL*) Note: 3 tableau variables reduced to 1 Conjecture: all resulting formulas are forward checkable

35 35 Transition modalities l Transition formulas l CTL+ state modalities where p is a transition formula l Example CTL+ formulas CTL+ still checkable in linear time

36 36 Constraint extraction l Extracting path constraints where p is a transition formula l Using rewriting and above... w/ fairness const. l Circular compositional reasoning If and are transition formulas, this is in CTL+, hence complexity is linear Note: typically, are very large, and is small

37 37 Effect of reducing LTL to CTL+ l In practice, tableau variables rarely needed l Thus, complexity exponential only in # of state variables –Important metric for proof strategy l Doubly nested fixed points used only where needed –I.e., when fairness constraints apply l Forward and backward traversal possible –Curious point: backward is commonly faster in refinement verification

38 38 SMC for compositional verification l Cannot expect to solve PSPACE complete problems reliably –User reductions provide fallback when heuristics fail –Robust metrics are important to proof strategy l Each user reductions gains many orders of magnitude –Modest performance improvements not very important l Exact verification is important l Must be able to handle linear time efficiently BDD's are great fun, but...

Download ppt "1 Compositional Methods and Symbolic Model Checking Ken McMillan Cadence Berkeley Labs."

Similar presentations

Ads by Google