Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.

Published byLambert Norris Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke."— Presentation transcript:

1 1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke Appeared at Design Automation Conference (DAC) 2005

2 2 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

3 3 Introduction Computer system design –Hardware: Verilog, VHDL, … Specification –circuit computes floating point divison –program sorts an input array

4 4 Does my program work correctly Testing Bugs in design –Ariane 5 Explosion, cost $500M –Pentium floating point division bug, cost $400M

5 5 Formal Verification Act of proving or disproving the correctness of a system with respect to a specification Techniques –Theorem proving –Model Checking

6 6 An example Circuit for multiplication of two 32 bit numbers State = (A, B, O) State space = {(A,B,O)} Size of state space = (2 32 £ 2 32 ) £ 2 64 = 2 128 MULTIPLIER 32 A B 64 O

7 7 Model Checking Performing exhaustive search of the state space of the design MULTIPLIER 32 A B 64 O For all A, B: (O == A £ B)

8 8 Model checker Model checker Specification: (O == A £ B) B MULTIPLIER A O 32 64 Model: Property holds Bug found

9 9 Features of Model Checking No manual proofs Fast (compared to other rigorous methods such as theorem proving) Diagnostic counterexamples –Multiplier example: [A= 101, B = 2, O = 200]

10 10 Main Challenge State Space Explosion Problem: Large state space Much progress has been made on this problem! Abstraction – only focus on details needed to prove or disprove a given property

11 11 This talk is about model checking of hardware designs with help of automated abstraction

12 12 Hardware design Ease of design increases Gate level (netlists) Register Level ………… System Behavioral Formal verification support Gate Level (netlist):.model counter_cell.inputs carry_in.outputs carry_out.names value carry_in _n2.def 0 1 1 1.names _n2 carry_out$raw_n1 - =_n2.names value$raw_n3 0.names _n6 0.names value _n6 _n7.def 0 0 1 1 1 0 1.r value$raw_n3 value 0 1 ….. (120 lines) Register Level Verilog: module counter_cell(clk, carry_in, carry_out); input clk; input carry_in; output carry_out; reg value; assign carry_out = value & carry_in; initial value = 0; always @(posedge clk) begin // value = (value + carry_in) % 2; case(value) 0: value = carry_in; 1: if (carry_in ==0) value = 1; else value = 0; endcase end endmodule

13 13 Lack of verification support Gate level (netlists) Register Level ………… System Behavioral Need techniques from software verification Need automatic and scalable techniques

14 14 Software verification Predicate Abstraction –Developed by Graf and Saidi, 1997 Verification of C programs (2000 onwards) –SLAM, Microsoft research –MAGIC, CMU –BLAST, UC Berkeley –F-Soft, NEC Labs

15 15 Our contribution Gate level (netlists) Register Level ………… System Behavioral Predicate abstraction 

16 16 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

17 17 Abstraction void main() { int i; i = 0; while(even(i)){ i++; } if (i == 0) ERROR:; } assert ( odd(i)); void main() { int i; i = *; while(even(i)){ i = *; } if (i == 0) ERROR:; } assert ( odd(i)); Throw away irrelevant details P’ is a safe abstraction of P PP’

18 18 Safe Abstraction Let P’ be a safe abstraction of P If P’ satisfies a property , then P satisfies  P’ can be much easier to verify than P

19 19 An example module main (clk) input clk; reg [2:0] x, y; initial x= 1, y= 2; always @ (posedge clk) begin x <= y; y <= x; end endmodule Verilog program registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design

20 20 An example registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Property: assert (x == 1 Ç x == 2) 1, 22, 1 0,00,17,67,7 State: (x, y)

21 21 Predicate Abstraction Given a program and a set of predicates Abstracts data by keeping track of certain predicates Predicate abstraction is a safe abstraction

22 22 Predicate Abstraction Property: assert (x == 1 Ç x == 2) Initial set of predicates: {x == 1, x == 2} registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design

23 23 ?? Computing Predicate Abstraction {x == 1, x == 2} + x’ := y y’ := x Predicates Transition Relation 1,0 0,0 0,1 1,1 SATISFIABLE Plug in x=1,y=3, x’=3, y’=1

24 24 ?? Computing Predicate Abstraction {x == 1, x == 2} + x’ := y y’ := x Predicates Transition Relation 1,0 0,0 0,1 1,1 SATISFIABLE Plug in x=1,y=2, x’=2, y’=1

25 25 Computing Predicate Abstraction {x == 1, x == 2} + x’ := y y’ := x Predicates Transition Relation 1,0 0,0 0,1 1,1 

26 26 Abstract Model registers x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Property: assert (x == 1 or x == 2) Initial set of predicates: {x == 1, x == 2} Hardware design Initialstate Failure Failurestate 1,0 0,0 0,1 1,1

27 27 Model checking Failure Failurestate 1,0 0,0 0,1 1,1 Initialstate Abstract Model

28 28 Model checking 1,0 0,0 0,1 1,1 Initialstate Abstract Model Counterexample Failure Failurestate We need to check if this is a real bug in our hardware design

29 29 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

30 30 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Verification Predicateabstraction Simulator Bug found Spurious counterexample Counterexample

31 31 Simulation Failure Failurestate 1,0 0,0Initialstate Predicates:= {x == 1, x== 2} Counterexample is spurious Counterexample in abstract model registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design (x==1) Æ : (x == 2) : (x’ ==1) Æ : (x’ == 2) ?? 

32 32 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Bug found Refinement Spurious counterexample Counterexample

33 33 Recall Failure Failurestate 1,0 0,0 Initialstate Abstract counterexample registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Predicates:= {x == 1, x== 2} (x==1) Æ : (x == 2) : (x’ ==1) Æ : (x’ == 2)  Value of x’==2 not being tracked precisely

34 34 Refinement Find out predicates whose values are not tracked precisely in the abstract model –Example: x’==2 Track values of these predicates precisely

35 35 Weakest pre-condition { ? } x := y + 1 { x == 9} { (y + 1) == 9} x := y + 1 { x == 9} {  [ x à e]} x := e {  }

36 36 Refinement (x’ == 2) x’ := y (y == 2) weakestprecondition New predicate y == 2 registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Need to track value precisely

37 37 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Bug found Refinement Spurious counterexample Counterexample {x == 1, x == 2, y==2}

38 38 Abstraction-Refinement loop Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Bug found Refinement Spurious counterexample Counterexample {x == 1, x == 2, y ==2, y ==1}

39 39 Abstract again 1,0,0,1 0,1,1,0 Initialstate Next step: model check! New abstraction {x == 1, x == 2, y ==1, y== 2} Predicates registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design 0,0,0,00,0,0,1 1,1,1,1 16 states Property: assert (x == 1 Ç x == 2)

40 40 Abstract again 1,0,0,1 0,1,1,0Initialstate New abstraction {x == 1, x == 2, y ==1, y== 2} Predicates registers [2:0] x, y; initial x= 1, y= 2; Transition relation: x’ := y; y’ := x; Hardware design Property: assert (x == 1 Ç x == 2) Property holds in abstract model! Property holds!

41 41 Overall verification flow Verilog Program Safe abstract model Model Checker Get new predicates Verification Predicateabstraction Simulator Property holds Bug found Refinement Spurious counterexample Counterexample

42 42 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

43 43 Implementation These techniques have been implemented in the VCEGAR tool Inputs to the tool –Register Level Verilog description –Safety property (like an assert statement) Output –Property holds –Counterexample (real bug in design)

44 44 Experimental results Benchmark#StatesVCEGAR#Preds/ #Iter Cadence SMV (Previous work) ICRAM2KB2 16427 450.7s3/825s ICRAM4KB2 32796 843.3s3/8too many state elements ARITH2002 402 9.6s3/32147s ARITH5002 1002 32.2s3/3timeout ARITH10002 2002 122.6s3/3timeout

45 45 Experimental results (VIS benchmarks) Benchmark#StatesVCEGAR Time #Predicates#Iteration cache coherence 2 43 49s259 mpeg decoder 1 2 567 29s93 usb_phy2 50 104s4722 ethernet2 91 15s3015 SDLX2 41 139s4330 ITC99_b122 125 188s3223

46 46 Outline Introduction Predicate Abstraction Abstraction and Refinement loop Experimental results Conclusion

47 47 Conclusion Abstraction is key to make verification scale –Throw away irrelevant details Predicate abstraction –Eliminates data –Keeps track of certain predicates Abstraction and refinement loop –Automatically refine the abstraction when necessary

48 48 Conclusion: our contribution Gate level (netlists) Register Level ………… System Behavioral Predicate abstraction and refinement  Hardware Design

49 49 Future work Finding right predicates Efficient predicate abstraction computation Asynchronous hardware designs

50 50 Questions?

51 51 Example for Predicate Abstraction void main() { int i; i=0; while(even(i)){ i++; } if (i == 0) ERROR:; } + p1  i=0 p2  even(i) = void main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p2=!p2; if (p1){p1=false;} else {p1 = *;} } } Predicates C programAbstract model assert ( i != 0); assert ( !p1);

52 52 Challenges How to get the right set of predicates automatically How to compute the predicate abstraction

53 53 Making it work in practice Computation of predicate abstraction –Handling of large no. of predicates With 50 predicates there can be 2 100 predicate relationships!!

54 54 Predicate Partitioning Current state predicates p 1 := x = 100 p 2 := x = 200 p 3 := y = 100 p 4 := y = 200 + x’ := y y’ := x + p’ 1 := x’ = 100 p’ 2 := x’ = 200 p’ 3 := y’ = 100 p’ 4 := y’ = 200 Next state predicates Transition relationPartition+ + p 1 := x = 100 p 2 := x = 200 y’ := x p’ 3 := y’ = 100 p’ 4 := y’ = 200 p 3 := y = 100 p 4 := y = 200 x’ := y p’ 1 := x’ = 100 p’ 2 := x’ = 200 + +Æ

55 55 Counterexample in the abstract model –  (length = 1) –Each state is a valuation of h x = 100, x=200 i Simulation equation Simulation of the counterexample Initial values of the registers predicate values in the first state of the counterexample Transition relation predicate values in the second state of the counterexample equation is unsatisfiable So counterexample is spurious

Download ppt "1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Catching Bugs in Software Rajeev Alur Systems Design Research Lab University of Pennsylvania www.cis.upenn.edu/~alur/

Catching Bugs in Software Rajeev Alur Systems Design Research Lab University of Pennsylvania
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Table 7.1 Verilog Operators.

Table 7.1 Verilog Operators.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Give qualifications of instructors: DAP

Give qualifications of instructors: DAP
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.

1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Leveraging Assertion Based Verification by using Magellan Michal Cayzer.

Leveraging Assertion Based Verification by using Magellan Michal Cayzer.
Demonstration Of SPIN By Mitra Purandare

Demonstration Of SPIN By Mitra Purandare
CS 151 Digital Systems Design Lecture 37 Register Transfer Level

CS 151 Digital Systems Design Lecture 37 Register Transfer Level
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Similar presentations

Ads by Google