Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Slides:



Advertisements
Similar presentations
Model Checking Base on Interoplation
Advertisements

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Compositional Methods and Symbolic Model Checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Introduction to Model Checking
Part II Concepts.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Completeness and Expressiveness
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Sublinear Algorithms … Lecture 23: April 20.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Secret Sharing, Matroids, and Non-Shannon Information Inequalities.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 Regression-Verification Benny Godlin Ofer Strichman Technion.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ.
Verification of Hierarchical Cache Coherence Protocols for Future Processors Student: Xiaofang Chen Advisor: Ganesh Gopalakrishnan.
Microarchitecture Verification by Compositional Model Checking Ken McMillan Ranjit Jhala Cadence Berkeley Labs / UC Berkeley.
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Counterexample Guided Invariant Discovery for Parameterized Cache Coherence Verification Sudhindra Pandav Konrad Slind Ganesh Gopalakrishnan.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
A Simple Model Checker for CTL. The problem n We need efficient algorithms to solve the problems [1]M,s  [2]M,s  where M should have finitely many states,
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
Verifying a Commercial Microprocessor Design at the RTL level Ken McMillan Cadence Berkeley Labs
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
Network Protocols Network Systems Security Mort Anvari.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Verification & Validation By: Amir Masoud Gharehbaghi
Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)
Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.
September 1999Compaq Computer CorporationSlide 1 of 16 Verification of cache-coherence protocols with TLA+ Homayoon Akhiani, Damien Doligez, Paul Harter,
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
Abstraction and Abstract Interpretation. Abstraction (a simplified view) Abstraction is an effective tool in verification Given a transition system, we.
Complexity 27-1 Complexity Andrei Bulatov Interactive Proofs (continued)
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Formal Methods: Model Checkers and Theorem Provers
CSPs: Search and Arc Consistency Computer Science cpsc322, Lecture 12
SMT-Based Verification of Parameterized Systems
Automating Induction for Solving Horn Clauses
Over-Approximating Boolean Programs with Unbounded Thread Creation
Generating Optimal Linear Temporal Logic Monitors by Coinduction
CSCI1600: Embedded and Real Time Software
This Lecture Substitution model
Formal Methods in software development
Program correctness Model-checking CTL
Presentation transcript:

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Issue of scalability Model checking does not scale –State/BDD explosion –High asymptotic complexity (PSPACE complete) Can be applied –locally, to small modules –globally to simplified models Hence, model checking is mainly used as a debugging tool. How do we scale up the method so we can use it for verification, not refutation?

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional proof Idea: use proof techniques to reduce a property to easier, localized properties. property decomposition verification proof assistant model checker/ decision procedure abstraction

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Simple assume/guarantee proof Thus, we localize the verification process Note abstraction is needed to benefit from decomposition. p p q q AB pq verify using A verify using B

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Mutual property dependence What about the case of mutual dependence? Note, this doesnt work (why)? AB pq q p p q

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. q p p q Gp Gq Circular compositional proofs Let p q stand for if p up to time t-1, then q at t Equivalent in LTL of (p U q) Now we can reason as follows: That is, A only has to behave as long as B does, and vice-versa. verify using A verify using B

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Temporal case splitting p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... Idea: Split cases on most recent writer w at time t. : I'm O.K. at time t. Rule can be used to decompose large arrays i: G((w=i) ) G

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Combine with circular reasoning p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. To prove case w=i at time t, assume general case up to t-1: still have many cases to prove... i: ((w=i) ) G

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Reduction by symmetry p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. By symmetry, suffices to prove that writes by p 1 are O.K.: ((w=1) ) G verify using p 1

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Example -- simple pipeline Goal: prove equivalence to unpipelined model (modulo delay) 32 registers + bypass 32 bits control

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Direct approach by model checking Model checking completely intractable due to large number of state variables ( > 2048 ) reference model delay pipeline = ? ops

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Using reference model Ref. Model A B verify using A verify using B q p q p p q Gp Gq unpipelined version

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Decomposition for simple pipeline 32 registers + 32 bits control correct values from reference model p = operand correctness q = result correctness pq unit delay

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Lemmas in circular proof Operand correctness –prove Gp a and Gp b, where: p a is stage2.valid stage2.opra = stage2.aux.opra p b is stage2.valid stage2.oprb = stage2.aux.oprb Result correctness –prove Gp r, where: p a is stage2.valid stage2.res = stage2.aux.res p a p b p r p r p a p r p b Gp a Gp b Gp r

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction for operands Bit slicing results from "cone of influence reduction" (similarly in reference model) 32 registers + 32 bits control correct values from reference model check q p with this abstraction p q

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Resulting MC performance Operand correctness property 80 state variables 3rd order fit Result correctness property –easy: comparison of 32 bit adders

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Well, not really... That was a hand picked variable order Actually, BDD's blow up due to bad variable ordering –ordering based on topological distance

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Problem with topological ordering Register files should be interleaved, but this is not evident from topology bypass logic = ? results ref. reg. file impl. reg. file

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Sifting to the rescue (?) Lessons (?) : –Cannot expect to solve PSPACE problems reliably –Need a strategy to deal with heuristics failure Note: - Log scale - High variance

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Predictability and metrics Reducing the number of state variables 1 0 Verification probability # state bits decomposition –If heuristics fail, other reductions are available 2048 bits ? 80 bits ~600 orders of magnitude in state space size

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Case split for simple pipeline Show only correctness for operands fetched from register i Abstract remaining registers to "bottom" Result –23 state bits in model –Checking one case = ~1 sec What about the 32 cases? i: G(src a =i p a ) G p a )

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Exploiting symmetry Symmetric types –Semantics invariant under permutations of type. –Enforced by type checking rules. Symmetry reduction rule –Choose a set of representative cases under symmetry Type REG is symmetric –One representative case is sufficient (~1 sec) Time savings from case split: ~5 orders But wait, there's more...

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Data type reductions Problem: types with large ranges Solution: reduce large (or infinite) types where T\i represents all the values in T except i. Abstract interpretation

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Type reduction for simple pipeline Only register i is relevant Reduce type REG to two values: REG {i,REG\i} Number of state bits is now 11 Verification time is now independent of register file size. Note: can also abstract out arithmetic verification using uninterpreted functions...

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Overview of proof strategy Decompose structurally using circular compositional proof Parameterize to decompose large structures Reduce to finite number of cases using symmetry Reduce to bounded variables using data abstraction Check validity with model checker

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Effect of decomposition 1 0 Verification probability # state bits original system reduction –Manual decomposition produces order of magnitude reductions in number of state bits –Inflexion point in curve crossed very rapidly

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Tomasulos algorithm Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional proof Decompose into two lemmas OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE Lemma 1: Correct operands Lemma 2: Correct results Essentially the same lemmas as in the simple pipeline

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Refinement of cache protocol S/F network protocol host protocol host protocol host Distributed cache coherence INTF PP MIO to net Non-deterministic reference model Atomic actions Single address abstraction Verified coherence, etc...

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Mapping protocol to RTL S/F network protocol host other hosts Abstract model CAM TABLES refinement relations TAGS ~30K lines of Verilog

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Linear v. branching time Model checking v. compositional verification fixed modelfor all models Verification complexity (in formula size) compositional model checking CTLLTL linear EXP PSPACE In practice, with LTL, we can mostly recover linear complexity...

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional w/ branching Assume/guarantee [GL94] : –{q} M {p} means M satisfies p in all environments satisfying q. –For ACTL, check is exponential in q but linear in p –Compositional proof: {q} M 1 {r} {r} M 2 {p} {q} M 1 || M 2 {p} Problems: - limited expressiveness of ACTL - no circular proofs Thus, LTL is preferred for compositional.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Theorem provers General purpose tools, characterized by –highly expressive logics –detailed user guidance Strategy: proof by invariant Tradeoff: –Q cannot be temporal temporal –Q can be first-order (not finite-state!) Q(0), Q(t) Q(t+1), Q(t) P(t) t: P(t)

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Decomposition of invariants Problem: invariants of complex systems (esp. with complex control) are very large. Solution: decompose invariants... i Q i (t) Q(t) Q 0 (0), Q(t) Q 0 (t+1) Q 1 (0), Q(t) Q 1 (t+1)... t: Q(t)

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. TP v. CMC Compositional model checking –Temporal properties are free –Function symbols and quantifiers handles manually Theorem proving –Must use inductive invariants very complex for control-intensive systems –Function symbols and quantifiers are free So, TP tends to be good for arithmetic [MLK98], while CMC is good for control-dominated systems [Eir98].

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.