Compositional Specification and Verification in GSTE

1Inventing IC design technologies that will be vital to Intel

SSCCLL

Compositional Compositional Specification and Specification and

Verification Verification in GSTEin GSTE

Jin Yang, Jin Yang, joint work with Carl Segerjoint work with Carl SegerStrategic CAD Labs, Intel Corp.Strategic CAD Labs, Intel Corp.

CMUCMUMarch 23, 2004March 23, 2004

GSTE2

MotivationMotivation

GSTEGSTE combines high capacity of STE with expressive combines high capacity of STE with expressive

power of traditional model checking (YS ICCD’00)power of traditional model checking (YS ICCD’00) provides a multi-dim. approach to achieve high provides a multi-dim. approach to achieve high

capacity while maintaining accuracy (YS FMCAD’02)capacity while maintaining accuracy (YS FMCAD’02) has been used by FVers for > 1 year successfully on has been used by FVers for > 1 year successfully on

next-gen. Intel next-gen. Intel -processors (Schubert ICCAD’03)-processors (Schubert ICCAD’03) part of FORTE public releasepart of FORTE public release

HoweverHowever assertion graph specification in GSTE is inherently assertion graph specification in GSTE is inherently

sequential but circuit behavior may be concurrentsequential but circuit behavior may be concurrent … … … …

GSTE3

Sequential Ex.: MemorySequential Ex.: Memory

1024 x 64Memory

wren

din[63:0]

addr[9:0]rden

dout[63:0]

vI v1v2

( wren & addr[9:0] = A[9:0] & din[63:0] = D[63:0], true )

( rden & addr[9:0] = A[9:0], dout[63:0] = D[63:0] )

( !wren | addr[9:0] != A[9:0], true )

antecedentconsequent

“Always read from a cell the most recently written data”

GSTE4

Concurrent Ex.: Voting MachineConcurrent Ex.: Voting Machinereset

avail[1]vote[1]

avail[2]vote[2]

avail[3]vote[3]

voutVoting

Machine

– a vote can be accepted at station a vote can be accepted at station ii (through (through vote[i]=1,2,3vote[i]=1,2,3) ) when it is availablewhen it is available

– it outputs a voting result (it outputs a voting result (vout=f(vote[1], vote[2], vote[3]vout=f(vote[1], vote[2], vote[3]) as ) as soon as all three votes are in, and then makes the stations soon as all three votes are in, and then makes the stations available for next round. available for next round.

2

2

2

2

GSTE5

Voting Machine (cont.)Voting Machine (cont.)

Specification using an assertion graph causes Specification using an assertion graph causes exponential complexityexponential complexity– order 1:order 1: vote[1], …, vote[2], …, vote[3] vote[1], …, vote[2], …, vote[3]

– order 2:order 2: vote[1], …, vote[3], …, vote[2] vote[1], …, vote[3], …, vote[2]

– … … … …

SolutionSolution– concurrent extension to assertion graphs concurrent extension to assertion graphs

– implementation independentimplementation independent

– utilizing and guiding GSTE model checkingutilizing and guiding GSTE model checking

– (future) ability to reason about specifications (future) ability to reason about specifications

GSTE6

Basics: Domain And TraceBasics: Domain And Trace

DomainDomainDD

– a finite non-empty alphabeta finite non-empty alphabet

e.g., the set of states in a FSM (circuit)e.g., the set of states in a FSM (circuit)

– P(D)P(D) – power set of – power set of DD

e.g., all subsets of states (state predicates) in FSMe.g., all subsets of states (state predicates) in FSM

TraceTrace

= d= d11dd22dd33……

– an infinite word in an infinite word in DD

e.g.,e.g., an infinite state sequence (trace) in FSMan infinite state sequence (trace) in FSM

GSTE7

Basics: Assertion AlphabetBasics: Assertion Alphabet

Assertion alphabetAssertion alphabet = P(D) = P(D) P(D) P(D)

– set ofset of antecedent/consequence pairsantecedent/consequence pairs

= (D= (D11,D,D22)) – assertion letter – assertion letter

– antecedent:antecedent: ant(ant() = D) = D11

– consequent:consequent: cons(cons() = D) = D22

+

a[15:0]

b[15:0]

c[15:0]

( a[15:0] = A[15:0] & b[15:0] = B[15:0], c[15:0] = A[15:0] + B[15:0] )

GSTE8

Basics: Assertion LanguageBasics: Assertion Language

Assertion word - any word Assertion word - any word w = w = 1122……kk in in **

– STE assertion STE assertion assertion word assertion word

Assertion language - any set of words Assertion language - any set of words LL in in P(P( **))– assertion graph assertion graph regular assertion language regular assertion language

( wren & addr = A & din = D, true ) ( !wren | addr != A, true ) * ( rden & addr = A, dout = D )

vI v1v2

( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D )

( !wren | addr != A, true )

GSTE9

Basics: Trace SemanticsBasics: Trace Semantics

Trace SatisfiabilityTrace Satisfiability– trace trace satisfies a word satisfies a word P(D)*, P(D)*, ifif 11ii|||, |, (i) (i) [i][i]

Trace LanguageTrace Language– assertion wordassertion word

(w) = {(w) = {DD | | sat. ant(w) sat. ant(w) sat. cons(w) } sat. cons(w) }

– assertion language (for all semantics)assertion language (for all semantics)

(L) = (L) = wwLL (w)(w)

Theorem:Theorem:

LL1 1 L L2 2 (L(L11)) (L(L2 2 ))

““more words more words more restricted behavior” more restricted behavior”

GSTE10

The Meet OperatorThe Meet Operator

Meet of assertion letters:Meet of assertion letters:

( C( C11, C, C2 2 ) ) ( D ( D11, D, D2 2 )) = ( C= ( C11 D D11, C, C22 D D2 2 ))

Meet of assertion words:Meet of assertion words:

1122……kk ’’11’’

22……’’kk = ( = (11’’

11) () (22’’22) … () … (kk’’

kk))

Meet of assertion languages:Meet of assertion languages:

LL11 L L2 2 = { w= { w11 w w2 2 | w| w11 L L11, w, w22 L L22, |w, |w11| | == |w |w22| }| }

( vote[1]=1, true ) ( true, true ) ( true, true ) ( vote[2]=2, true ) ( vote[3]=2, true ) ( true, true )= ( vote[1]=1 & vote[3]=2, true ) ( vote[2]=2, true )

Parallel composition

GSTE11

Self ConsistencySelf Consistency Repeated applicationRepeated application

0 0 LL = L, = L, k k LL = (= ( k-1 k-1 L) L) L (k>0)L (k>0)

LemmaLemma

k k L L k+1 k+1 LL but but ( ( k k L ) = L ) = ( ( k+1 k+1 L )L )

– proof sketchproof sketch

– (w(w11 w w22 … … w wkk) ) w wkk = w = w11 w w22 … … w wkk

– w w w w’’ may be new, but may be new, but (w) (w) (w(w’’) ) (w (w w w’’))

Theorem (about limit)Theorem (about limit)

L L kk0 0 k k LL but but (( L ) = L ) = ( ( kk0 0 k k LL ))

GSTE12

Compositional SpecificationCompositional Specification

Initialization:Initialization:

LL0 0 = = + L + L0 0 • • (D,D) (D,D)

Prefix: Prefix: (1(1i<h)i<h)

LLii = L = Ljj •• jj

Summation: Summation: (h(hi<l)i<l)

LLii = L = Lii11 … … … … L Liik k (0(0iijj<h)<h)

Meet: Meet: (l(li<n)i<n)

LLii = L = Lii1 1 … … … … L Liik k

(0(0iijj<l)<l)

Comment:• there is a unique solution to the system• very much like CCS but with new

GSTE13

Example 1: MemoryExample 1: Memory

vI v1v2

( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D )

( !wren | addr != A, true )

LLII = = + + LLII • • (true, true)(true, true)

LLI, 1I, 1 = L = LI I • • (wren & addr = A & din = D, true)(wren & addr = A & din = D, true)

LL1,11,1 = L = L11 • • (!wren | addr != A, true)(!wren | addr != A, true)

LL11 = L = LI, 1I, 1 L L1,1 1,1

LL22 = L = L1 1 • • (rden & addr = A, dout = D)(rden & addr = A, dout = D)

GSTE14

Example 2: Voting Machine (VM)Example 2: Voting Machine (VM)reset

avail[1]vote[1]

avail[2]vote[2]

avail[3]vote[3]

voutVoting

Machine

– a vote can be accepted at station a vote can be accepted at station ii (through (through vote[i]=1,2,3vote[i]=1,2,3) ) when it is availablewhen it is available

– it outputs a voting result (it outputs a voting result (vout=f(vote[1], vote[2], vote[3]vout=f(vote[1], vote[2], vote[3]) as ) as soon as all three votes are in, and then makes the stations soon as all three votes are in, and then makes the stations available for next round. available for next round.

2

2

2

2

GSTE15

Example 2 (cont)Example 2 (cont)

LLinitinit = = + L + Linit init • • (true, true)(true, true)

LLreadyready[i] = L[i] = Linit init • • (reset, true) (reset, true)

(L(Lreadyready[i][i] LLpollpoll) ) • • (reset | vote[i]=0, avail[i])(reset | vote[i]=0, avail[i])

LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i])

LLvotedvoted[i] = ([i] = ((L(Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])

LLwaitwait = = 11ii33 L Lreadyready[i][i]

LLpollpoll = = 11ii33 (L (Lvotingvoting[i][i] ( ( jjii(L(Lvotingvoting[j] [j] LLvotedvoted[i])))[i])))

LLoutpoutp = L = Lpoll poll • • (true, vote=f(V[1], V[2], V[3]))(true, vote=f(V[1], V[2], V[3]))

GSTE16

Model Checking Product Spec.Model Checking Product Spec.

Theorem (product specification)Theorem (product specification)

for any language for any language LL in the solution, in the solution, kk0 0 k k LL is regular is regular

– proof sketch k0

k (Lj • j) = (k0k Lj) • j

k0k (L1 L2) = (k0

k L1) (k0k L2) (k0

k L1) (k0k L2)

k0k (L1 L2) = (k0

k L1) (k0k L2)

• construct transitions for the states in P({k0k L1 , k0

k L2 , …, k0k

Ln})

– since since (L) = (L) = ((kk0 0 k k L)L), this effectively provides a precise , this effectively provides a precise GSTE model checking solution for each GSTE model checking solution for each LL in the solution in the solution

– but assertion graph for but assertion graph for kk00kkLL may be exponentially large may be exponentially large

Need more efficient solution !

GSTE17

ModelModel M = (S, R, L)M = (S, R, L)

– SS is a finite set of states is a finite set of states– R R S SSS is a transition relation s.t. is a transition relation s.t. s, s, s’, (s, s’) s’, (s, s’) R R– L: SL: SDD is a labeling function is a labeling function

SemanticsSemantics– run run

: N: NS S s.t.s.t. ii0, (0, ((i), (i), (i+1))(i+1))RR– trace languagetrace language

(M) = { L((M) = { L() | ) | is a run of M } is a run of M }

– satisfiability satisfiability M |= M |= 00iin n LLii::

(M) (M) ((00iin n LLii) )

Post-ImagePost-Imagepost(S’) = { s | post(S’) = { s | s’s’S’, s.t. (s’, s)S’, s.t. (s’, s)R }R }

GSTE18

Simulation RelationSimulation Relation

DefinitionDefinitionany mappingany mapping

R: {LR: {L00, L, L11, …, L, …, Lnn} } P(S) P(S)

satisfying satisfying s s R(LR(Lii),), if if wwLLii, , of M s.t. of M s.t. (|w|)=s, L((|w|)=s, L() sat. ant(w)) sat. ant(w)

TheoremTheorem

LLii = L = Ljj • • , L(R(L, L(R(Lii)) )) cons( cons() ) M |= M |= 00iin n LLi i

GSTE19

compGSTEcompGSTE

InitializationInitialization

for all Lfor all Lii, R(L, R(Lii) := { };) := { };

Fix-point iterationFix-point iterationrepeatrepeat– RR’’ := R; := R;

– for all Lfor all Lii, case, case– LLii = L = L00: R(L: R(Lii) := S; ) := S;

– LLii = = LLjj • • : if : if LLjj=L=L0 0 then R(Lthen R(Ljj) := {s | L(s)) := {s | L(s)ant(ant()})}

else R(Lelse R(Ljj) := post(R) := post(R’’(L(Ljj)) )) {s | L(s) {s | L(s)ant(ant()};)};

if if ((L(R(LL(R(Lii)) )) cons( cons()) then return false;)) then return false;

– LLii = = j j LLjj: R: R(L(Ljj) := ) := j j R’(LR’(Ljj); );

– LLii = = j j LLjj: R: R(L(Ljj) := ) := j j R’(LR’(Ljj););

until R = R’;until R = R’;

return true;return true;

GSTE20

Ex: VM ImplementationEx: VM Implementation

vout

+

2

0 =

avail[1]

vote[1]

2

0 =

avail[2]

vote[2]

2

0 =

avail[3]

vote[3]

f

mu

x

0

vote_in[1]

vote_in[2]

vote_in[3]

voted[1]

voted[2]

voted[3]

reset

clear

clr

clr

clr

en

en

en

GSTE21

Ex: VM Model CheckingEx: VM Model Checking

vout

+

2

0

avail[i]

vote[i] f

mu

x

0

vote_in[i]

voted[i]

reset

clear

… …

… …

en

clr

LLinitinit

=

LLreadyready[i][i]

LLvotingvoting[i][i]

LLwaitwait

LLpollpoll

LLoutpoutp

1. true1. true




LLvotingvoting[i] = (L[i] = (Lreadyready[i][i] LLpollpoll)) • • (!reset & vote[i]=V[i]>0, avail[i])(!reset & vote[i]=V[i]>0, avail[i]) LLvotedvoted[i] = ((L[i] = ((Lvotingvoting[i][i] LLvotedvoted[i]) [i]) L Lwaitwait)) • • (!reset, !avail[i])(!reset, !avail[i])




LLvotedvoted[i][i]

GSTE22


vout

+

2

0

avail[i]

vote[i] f

mu

x

0

vote_in[i]

voted[i]

reset

clear

… …

… …

en

clr

LLinitinit

=

LLreadyready[i][i]


LLwaitwait

LLpollpoll

LLoutpoutp

2. true2. true








LLvotedvoted[i][i]

2. reset2. reset

GSTE23


vout

+

2

0

avail[i]

vote[i] f

mu

x

0

vote_in[i]

voted[i]

reset

clear

… …

… …

en

clr

LLinitinit

=

LLreadyready[i][i]


LLwaitwait

LLpollpoll

LLoutpoutp

3. true3. true








LLvotedvoted[i][i]

3. reset | vote[i]=0 & vote_in[i]=03. reset | vote[i]=0 & vote_in[i]=0

3. !reset & vote[i]=V[i] & vote_in[i]=03. !reset & vote[i]=V[i] & vote_in[i]=0

GSTE24


vout

+

2

0

avail[i]

vote[i] f

mu

x

0

vote_in[i]

voted[i]

reset

clear

… …

… …

en

clr

LLinitinit

=

LLreadyready[i][i]


LLwaitwait

LLpollpoll

LLoutpoutp

truetrue








LLvotedvoted[i][i]

reset | vote[i]=0 & vote_in[i]=0reset | vote[i]=0 & vote_in[i]=0

!reset & vote[i]=V[i] & vote_in[i]=0!reset & vote[i]=V[i] & vote_in[i]=0

!reset & vote_in[i]=V[i] & !reset & vote_in[i]=V[i] & j. … … j. … …

reset | reset | i.vote[i]=0 & vote_in[i]=0i.vote[i]=0 & vote_in[i]=0

i.!reset & vote[i]=V[i] & vote_in[i]=0 & i.!reset & vote[i]=V[i] & vote_in[i]=0 & jji.(vote[j]=V[j] | vote_in[j]=V[j])i.(vote[j]=V[j] | vote_in[j]=V[j])

i.vote_in[i]=V[i]i.vote_in[i]=V[i]

GSTE25

Brief DiscussionsBrief Discussions

compGSTE is approximatecompGSTE is approximate– sound but not completesound but not complete

– extended quaternary model abstraction (FMCAD 2002)extended quaternary model abstraction (FMCAD 2002)

Abstraction refinementAbstraction refinement– model refinement vs spec. refinement (FMCAD 2002)model refinement vs spec. refinement (FMCAD 2002)

– partial product construction on specifications (serialization)partial product construction on specifications (serialization)

Advantages over assume-guarantee based compositionAdvantages over assume-guarantee based composition– pure specification, implementation independentpure specification, implementation independent

– computed “intermediate assumptions”computed “intermediate assumptions”

– much less sensitive to implementation changesmuch less sensitive to implementation changes

GSTE26

Ex: Implementation ChangeEx: Implementation Change

2

vote[i]d

ecod

e

0123

0 bundle

vout

+

2

0

avail[i]

vote[i] f

mu

x

0

vote_in[i]

voted[i]

reset

clear

… …

… …

en

clr

=… …

… …

… …

1 bundle

2 bundle

3 bundle

vout

reset

avail[i]

Assume-guarantee based compositionAssume-guarantee based composition– re-partition the model, re-specify interface assumptionsre-partition the model, re-specify interface assumptions

– re-run model checkingre-run model checking

compGSTEcompGSTE– specification unchanged, only re-run model checkingspecification unchanged, only re-run model checking

GSTE27

Industrial Ex.: Resource SchedulerIndustrial Ex.: Resource Scheduler

Specification: Specification:

when resource is available (avail = 1), schedule the oldest ready uop when resource is available (avail = 1), schedule the oldest ready uop handling 10 uops at a time, >1k state elements, >17000 gateshandling 10 uops at a time, >1k state elements, >17000 gates priority matrix, CAM, decision logic, power-saving feature etc.priority matrix, CAM, decision logic, power-saving feature etc.

CAM

receiving

log

ic

priority matrix

ready lo

gic

Stag

ing

an

d

CA

M m

atc

h

sched

ulin

g lo

gic

Deliverin

g lo

gic

uop

alloc

ready

avail

init

out

sched

wrback

GSTE28

Main ResultMain Result

Previous work w/ a state-of-art in-house symbolic model checkerPrevious work w/ a state-of-art in-house symbolic model checker– hundreds of small local properties hundreds of small local properties

– only on the priority matrix only on the priority matrix

Compositional specification (top down)Compositional specification (top down)– schedule uop[i], if “schedule uop[i], if “uop[i] is the oldest readyuop[i] is the oldest ready” and resource is available” and resource is available

– uop[i] is oldest ready, if “uop[i] is oldest ready, if “uop[i] is readyuop[i] is ready” and for all j ” and for all j i ( i (j j i i), either “), either “uop[j] uop[j] is not readyis not ready” or “” or “uop[i] arrived earlier than uop[j]uop[i] arrived earlier than uop[j]””

– … …

– < 50 boolean variables for >1k state elements< 50 boolean variables for >1k state elements

Compositional model checking Compositional model checking – 122.5 seconds, 36M on P4 1.5GHz122.5 seconds, 36M on P4 1.5GHz

– scalable - O(logscalable - O(log22 #uops), BDD was not a bottle-neck! #uops), BDD was not a bottle-neck!

Detailed work is in writingDetailed work is in writing– hopefully in time for ICCADhopefully in time for ICCAD

GSTE29

ConclusionConclusion

Summary of the compositional approachSummary of the compositional approach– compositional specification to handle concurrencycompositional specification to handle concurrency

– efficient compositional model checkingefficient compositional model checking

– implementation independentimplementation independent

– building for reasoningbuilding for reasoning

Future workFuture work– reasoning about compositional specificationsreasoning about compositional specifications

– extension to handle parameterized specificationextension to handle parameterized specification

Documents

Compositional Specification and Verification in GSTE