Transcript Model Checking - Ken McMillan's Home Page

Compositional Methods
and
Symbolic Model Checking
Ken McMillan
Cadence Berkeley Labs
1
Compositional methods

Reduce large verification problems to small ones by
– Decomposition
– Abstraction
– Specialization
– etc.

Based on symbolic model checking

System level verification
Will consider the implications of such an approach for symbolic model checking
2
Example -- Cache coherence
P
M
P
INTF
IO
to net
host
Distributed
cache
coherence
protocol
(Eiriksson 98)

Nondeterministic abstract model

Atomic actions

Single address abstraction

Verified coherence, etc...
host
protocol
host
protocol
S/F network
3
Refinement to RTL level
Abstract
model
host
S/F network
protocol
other
hosts
refinement
relations
TAGS
TABLES
RTL implementation
(~30K lines of verilog)
CAM
4
Contrast to block level verification

Block verification approach to capacity problem
– isolate small blocks
– place ad hoc constraints on inputs

This is falsification because
– constraints are not verified
– block interactions not exposed to verification
Result:
FV does not replace any simulation activity
5
What are the implications for SMC?

Verification and falsification have different needs
– Proof is as strong as its weakest link
p
q
r
s
t
– Hence, approximation methods are not attractive.

Importance of predictability and metrics
– Must have reliable decomposition strategies

Implications of using linear vs. branching time.
6
Predictability
Require metrics that predict model checking hardness
– Most important is number of state variables
1
Verification
probability

0
verification
reduction
falsification
reduction
# state bits
original system
– Powerful MC can save steps, but is not essential
– Predictability more important than capacity
7
Example -- simple pipeline
32 bits
32 registers
control
+
bypass

Goal: prove equivalence to unpipelined model
(modulo delay)
8
delay
Direct approach by model checking
reference
model
=
ops
?
pipeline

Model checking completely intractable due to large number of
state variables ( > 2048 )
9
Compositional refinement verification
Abstract
model
Translations
System
10
Localized verification
Abstract
model
Translations
assume
prove
System
11
Localized verification
Abstract
model
Translations
assume
prove
System
12
Circular inference rule
1 up to t -1 implies 2 up to t
2 up to t -1 implies 1 up to t
always 1 and 2
SPEC
1
2
: ( 2 U :  1 )
: ( 1 U :  2 )
G ( 1^  2 )
(related: AL 95, AH 96)
13
Decomposition for simple pipeline
32 bits
32 registers
control
+
1
correct values
from reference
model
2
1
= operand correctness
2
= result correctness
14
Lemmas in SMV

Operand correctness
layer L1:
if(stage2.valid){
stage2.opra := stage2.aux.opra;
stage2.oprb := stage2.aux.oprb;
stage2.res := stage2.aux.res;
}
15
Effect of decomposition
32 bits
32 registers
control
+
1
2
correct values
from reference
model

2
1
assumed
proved
Bit slicing results from "cone of influence reduction"
(similarly in reference model)
16
Resulting MC performance

Operand correctness property
80 state variables
140
Run time (s)
120
100
80
60
40
20
3rd order fit
0
0
8
16
24
32
Number of registers

Result correctness property
– easy: comparison of 32 bit adders
17
NOT!

Previous slide showed hand picked variable order

Actually, BDD's blow up due to bad variable ordering
– ordering based on topological distance
300
Run time (s)
250
200
150
100
50
0
0
8
16
24
32
Number of registers
18
Problem with topological ordering
results
ref. reg. file
=
?
bypass
logic
impl. reg. file
Register files should be interleaved, but this is not evident from topology
19
Sifting to the rescue (?)
Run time (s)
10000
Note:
- Log scale
- High variance
1000
100
10
1
0
8
16
24
32
Number of registers

Lessons (?) :
– Cannot expect to solve PSPACE problems reliably
– Need a strategy to deal with heuristic failure
20
Predictability and metrics
Reducing the number of state variables
1
Verification
probability

0
# state bits
?
80 bits
decomposition
2048 bits
~600 orders of magnitude in state space size
– If heuristics fail, other reductions are available
21
Big structures and path splitting
SPEC
A
P
P
i
22
Temporal case splitting

Prove separately that p holds at all times when v = i.
i: G(v  i ) p)
*
Gp

Path splitting
record register index
v
i
G ( v  i ) p)
23
Case split for simple pipeline

Show only correctness for operands fetched from register i
forall(i in REG)
subcase L1[i] of stage2.opra//L1
for stage2.aux.srca = i;

Abstract remaining registers to "bottom"

Result
– 23 state bits in model
– Checking one case = ~1 sec
What about the 32 cases?
24
Exploiting symmetry

Symmetric types
– Semantics invariant under permutations of type.
– Enforced by type checking rules.

Symmetry reduction rule
– Choose a set of representative cases under symmetry

Type REG is symmetric
– One representative case is sufficient (~1 sec)

Estimated time savings from case split: 5 orders
But wait, there's more...
25
Data type reductions

Problem: types with large ranges

Solution: reduce large (or infinite) types
T  {i , T \ i}
where T\i represents all the values in T except i.

Abstract interpretation

i
i
1
T \i
0
T \ i 0 {0,1}
26
Type reduction for simple pipeline

Only register i is relevant

Reduce type REG to two values:
using REG->{i} prove stage2.opra//L1[i];

Number of state bits is now 11

Verification time is now independent of register file size.
Note: can also abstract out arithmetic verification using
uninterpreted functions...
27
Effect of reduction
Verification
probability
1
0
11
# state bits
2048
original system
84
reduction
reduction
– Manual decomposition produces order of magnitude
reductions in number of state bits
– Inflexion point in curve crossed very rapidly
28
Desirata for model checking methods

Importance of predictability and metrics
– Proof strategy based on reliable metric (# state bits)
– Prefer reliable performance in given range to occasional
success on large problems *
e.g., stabilize variable ordering
– Methods that diverge unpredictably for small problems are
less useful (e.g., infinite state, widening)

Moderate performance improvements are not that important
– Reduction steps gain multiple orders of magnitude

Approximations not appropriate
* given PSPACE completeness
29
Linear v branching time

Model checking v compositional verification
M| 
|  )
fixed model

for all models
Verification complexity (in formula size)
CTL
model checking
compositional
linear
EXP
LTL
PSPACE
PSPACE
In practice, with LTL, we can mostly recover linear complexity...
30
Avoiding "tableau variables"

Problem: added state variables for LTL operators
Fp

v Fp  p _ X v Fp
Eliminating tableau variables
– Push path quantifiers inward (LTL to CTL*)
– Transition formulas (CTL+)
– Extract transition and fairness constraints
31
Translating LTL to CTL*

Rewrite rules
A: p
A( p^ q )
AXp

 : Ep


Ap^ Aq
AXAp
E: p
E ( p_ q )
 : Ap

Ep_ Eq
EXp

E ( p^ q )

p^ Eq
E ( p U q)

E ( p U Eq )
EXEp
In addition, if p is boolean,
A( p_ q )

no rule
p _ Aq
By adding path quantifiers, we eliminate tableau variables
32
Rewrites that don't work
q
A( p U Xq )

A( p U AXq )
p
p
q
p
q
E ( Xp U Xq )

E ( Xp U EXq )
p
p
33
Examples

LTL formulas that translate to CTL formulas
G ( p) Fq ) 
G ( p)( pWq )) 

AG ( p) AFq )
(note singly nested fixed point)
AG ( p) A( pWq ))
Incomplete rewriting (to CTL*)
G ( p) F (q^ Xq )) 
AG ( p) AF (q^ Xq ))
Note: 3 tableau variables reduced to 1
Conjecture: all resulting formulas are forward checkable
34
Transition modalities

Transition formulas
p) Xq

XXq
XAFp
CTL+ state modalities
Ap
Ep

v' v 1
A( p U q )
E ( p U q)
where p is a transition formula
Example CTL+ formulas
AG A( p  Xq )
: E ( p^ ( p  : Xp) U
( p^: q ))
CTL+ still checkable in linear time
35
Constraint extraction

Extracting path constraints
A(Gp ) q)  A( p,)q
A(GFp ) q)  A(1,{GFp})q

Using rewriting and above...
GFp ) GFq 

where p is a transition formula
AG AFq
w/ fairness const. GFp
Circular compositional reasoning
G ) : (  U (^:  ))

A : (  U (^:  ))
If , ,  and  are transition
formulas, this is in CTL+, hence
complexity is linear
Note: typically, , ,  are very large, and  is small
36
Effect of reducing LTL to CTL+

In practice, tableau variables rarely needed

Thus, complexity exponential only in # of state variables
– Important metric for proof strategy

Doubly nested fixed points used only where needed
– I.e., when fairness constraints apply

Forward and backward traversal possible
– Curious point: backward is commonly faster in refinement verification
37
SMC for compositional verification
BDD's are great fun, but...

Cannot expect to solve PSPACE complete problems reliably
– User reductions provide fallback when heuristics fail
– Robust metrics are important to proof strategy

Each user reductions gains many orders of magnitude
– Modest performance improvements not very important

Exact verification is important

Must be able to handle linear time efficiently
38