Title Page
State Abstraction Techniques for the Verification of Reactive Circuits
Designing Correct Circuits, European Joint Conference on Theory and Practice of Software,
Grenoble, France, April 6-7 2002
Yannis Bres, CMA-EMP / INRIA
Gérard Berry, Esterel Technologies
Amar Bouali, Esterel Technologies
Ellen M. Sentovich, Cadence Berkeley Labs
Outline
Introduction
Context of our work
Finite State Machines (FSMs)
Reachable State Space (RSS) computation principle and algorithm
Computing Over-approximated Reachable State Space (ORSS)
State variable inputization
Variable abstraction using ternary-valued logic
Refinement using the Esterel Selection Tree
Experiment results
Conclusions
Reachable State Space Uses
Computing the Reachable State Space of a design is used for:
Formal verification by observers
Equivalence checking
Automated test pattern generation
State minimization
State re-encoding
…
Exact RSS computation is expensive
Exponentially complex wrt. intermediate variables, in both memory and time:
1 variable per input
2 variables per state variable
Several (orthogonal) techniques to reduce complexity:
Application-specific partial RSS computation (transitive network sweeping)
BDD pruning
Decomposed FSM RSS computation
Turning state variables into inputs
…
Our approach: abstracting variables through ternary-valued logic
Context of our work
Synchronous logical circuits (RTL level) derived from high-level hierarchical programs written in SyncCharts, ECL or Esterel
Well-suited for control-dominated programs, both for hardware and software targets
Implicit state set representation using BDDs (TiGeR package)
Application to safety property verification (synchronous observers)
Implemented as a command-line tool
FSMs
A Finite State Machine (FSM) is described by the tuple , whereis the number of inputs
is the number of state variables (registers)is the number of outputs
is the transition functionis the output function
describes the set of initial statesdescribes the valid input space
RSS computation principle
Find the limit of the converging sequence:
Where becomes:
Eventually, the equality becomes:
Basic RSS computation algorithm
Complexity analysis
With BDDs:: constant, : polynomial, substitutions: exponential… with respect to the number of intermediate variables
Goal: reducing the number of intermediate variables!
Constraint: be “conservative”, i.e. compute an over-approximation of the RSS.
Thus, if a property holds on the “cheap” ORSS, it also holds on the exact RSS.
State variable inputization
Reduces the number of register variables: 2 variables per register become 1 variable per inputized register
Reduces the number of functions
Increases the swept area
Maintains correlation between instances of a variable: i ∧ ¬i = 0, i ∨ ¬i = 1
Same number of a posteriori existential quantifications
Over-approximated result because constraints between variables are relaxed
“Snow-ball” effect
Ternary-valued logic
Usual Boolean logic with a third value: d or (i.e. , X, …)
Parallel extension of Boolean operators:

NOT:
  v   ¬v
  0   1
  1   0
  d   d

OR (rows: left operand, columns: right operand):
  ∨ | 0  1  d
  0 | 0  1  d
  1 | 1  1  1
  d | d  1  d

AND (rows: left operand, columns: right operand):
  ∧ | 0  1  d
  0 | 0  0  0
  1 | 0  1  d
  d | 0  d  d

Dual-rail encoding of constants:
  v | v0  v1
  0 | 1   0
  1 | 0   1
  d | 0   0
Ternary-valued logic
Ternary Valued Functions (TVFs) are encoded using a pair of Boolean functions (f0, f1)
¬(f0, f1) = (f1, f0)
Standard Boolean operators are extended to TVFs:
(f0, f1) ∧ (g0, g1) = (f0 ∨ g0, f1 ∧ g1)
(f0, f1) ∨ (g0, g1) = (f0 ∧ g0, f1 ∨ g1)
[Diagram: the regions f0, f1 and fd of a ternary-valued function]
Application to RSS computation
The Boolean transition function
is enlarged as:
[Diagram: the two regions of the Boolean transition function enlarged into the ternary regions f0, f1 and fd]
Variable abstraction
Abstracted variables are replaced by the constant d
Reduces the number of state variables: 2 variables per register become 0 variables per abstracted register
Reduces the number of input variables: 1 variable per input becomes 0 variables per abstracted input
Even fewer a posteriori existential quantifications
Reduces the number of functions
Increases the swept area
Loses correlation between instances of a variable: d ∧ ¬d = d, d ∨ ¬d = d
Even more over-approximated result
“Snow-ball” effect
Variables to be abstracted must be chosen with great care!
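The dual-rail ternary operators, the fixpoint RSS computation, and the difference between inputization and abstraction, worked through in an added Python example on a constructed 2-register circuit (example code written for this page, not the authors' BDD-based tool; the circuit, the explicit-state representation and every function name are assumptions). The inputized register keeps x ∧ ¬x = 0, while the same register abstracted to d gives d ∧ ¬d = d, so the conservative safety check on the ORSS can no longer be proved, the kind of spurious failure that a refinement has to remove.

```python
from itertools import product

# Dual-rail encoding from the slides: a ternary value v is the pair (v0, v1),
# v0 = "v is 0", v1 = "v is 1"; d ("don't know") is (0, 0).
ZERO, ONE, D = (1, 0), (0, 1), (0, 0)

def t_not(f):            # NOT (f0, f1) = (f1, f0)
    return (f[1], f[0])

def t_and(f, g):         # 0 if either operand is 0; 1 only if both are 1
    return (f[0] | g[0], f[1] & g[1])

def t_or(f, g):          # 0 only if both are 0; 1 if either operand is 1
    return (f[0] & g[0], f[1] | g[1])

def reachable(delta, init, n_inputs, alphabet=(ZERO, ONE)):
    """S_{k+1} = S_k U delta(S_k, I) until no new state appears.
    Explicit-state stand-in for the BDD fixpoint; returns (states, depth)."""
    states, frontier, depth = {init}, {init}, 0
    while frontier:
        succ = {delta(s, ins) for s in frontier
                for ins in product(alphabet, repeat=n_inputs)}
        frontier = succ - states
        states |= frontier
        depth += bool(frontier)
    return states, depth

# Constructed circuit (hypothetical): registers r0, r1 and one input i with
#   r0' = i ;  r1' = r0 AND NOT r0   (identically 0 in Boolean logic).
# Safety property to verify: r1 is never 1.
def exact():
    return reachable(lambda s, ins: (ins[0], t_and(s[0], t_not(s[0]))),
                     (ZERO, ZERO), 1)

def inputized():
    # r0 is read from a fresh input x; both instances of x stay correlated
    return reachable(lambda s, ins: (ins[0], t_and(ins[1], t_not(ins[1]))),
                     (ZERO, ZERO), 2)

def abstracted():
    # r0 is replaced by the constant d everywhere: d AND NOT d = d
    return reachable(lambda s, ins: (D, t_and(D, t_not(D))), (D, ZERO), 1)

def property_holds(states):
    # Conservative: a d in r1 may hide a 1, so only an exact 0 proves the property
    return all(s[1] == ZERO for s in states)
```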
Refinement Using the Esterel Selection Tree
[
  await I1 ; do something ; await I2 ; do something
||
  await I3 ; do something
] ;
await I4 ;
do something
[Figure: selection tree of this program, with leaves 1 to 4 for the four await statements and internal nodes marked #]
Gives an over-approximation ceiling
Allows to reinforce the input care set for inputized registers
Experiment results #1
Industrial design: fuel management system of a jet aircraft from Dassault Aviation
ensures that the engines are properly fed
manages system component failures
manages the fuel load balancing between the two sides of the aircraft
manages in-flight refueling
…
property  method        result   depth  time         memory
4         exact         correct  5      >10mn        79Mb
4         inputization  correct  3      3.8s / 150   6Mb / 13
4         abstraction   correct  4      1.5s / 400   6Mb / 13
6         exact         correct  7      >2mn         21Mb
6         inputization  correct  4      0.6s / 200   5Mb / 4
6         abstraction   correct  4      0.3s / 400   5Mb / 4
(For the approximated methods, "time / n" and "memory / n" give the measured value followed by the gain factor over the exact computation.)
Inputization gives excellent results on all properties
Abstraction gives even better ones!
Experiment results #2
Undisclosed industrial design
property  method        result   depth  time           memory
all       exact         correct  14     1h 11          475Mb
1         exact         correct  13     28mn           203Mb
1         inputization  correct  9      20s / 85       9Mb / 22
1         abstraction   correct  7      7s / 250       10Mb / 20
2         exact         correct  13     30mn           238Mb
2         inputization  correct  10     1mn 30s / 20   21Mb / 11
2         + sel tree    correct  4      4s / 460       7Mb / 34
2         abstraction   correct  8      17mn / 2       378Mb * 1.5
2         + sel tree    correct  4      47s / 40       51Mb / 5
(As before, "/ n" is the gain factor over the exact computation; "* 1.5" marks a 1.5x memory increase.)
property  method        result   depth  time         memory
3_1       exact         correct  13     30mn         203Mb
3_1       inputization  correct  10     7s / 262     7Mb / 29
3_1       + sel tree    correct  -      4s / 460     -
3_1       abstraction   correct  8      39s / 47     34Mb / 6
3_1       + sel tree    correct  -      23s / 80     23Mb / 9
3_2       exact         correct  13     33mn         206Mb
3_2       inputization  correct  10     25s / 80     11Mb / 19
3_2       + sel tree    correct  -      11s / 180    8Mb / 26
3_2       abstraction   false    2      0.5s         7Mb
3_2       + sel tree    correct  8      25s / 80     16Mb / 13
(- : not reported)
Abstraction gives very good results on most properties, but inputization often gives better ones!
Conclusions
A method to ease Reachable State Space computation, by computing an over-approximation of it, through variable abstraction, using a ternary-valued logic.
Requires some abstraction hints from the designer, easy to give in a graphical IDE for hierarchical designs.
Refinements and over-approximation ceiling derived from the design's structural information
Quite good results on a few experiments on industrial designs, although the current implementation is rather crude
Abstraction figures vs. inputization ones can be improved