Transcript Slides [PPT]

Validation and Verification of Software
Sequential Encoding for Relational
Analysis (SERA)
Fadi Zaraket, Sarfraz Khurshid, Adnan Aziz
November 2005
Outline
 Review of model checking with Alloy
 Finitization into a SAT problem
 Review of transformation based verification (TBV)
 Alloy SAT instances and TBV
 Sequential encoding of Alloy
 Less variables, more TBV transforms
 Results
 Conclusion
2
Alloy model checking
compile, synthesize
Properties:
predicate valid() {…}
predicate …
…
assert
IntelAgentsKnowAllValidPeople for 5
Alloy model
sig id {…}
sig license extends id {…}
sig passport extends id {…}
…
Environment:
fact { passport in license}
3
SAT CNF netlist !
Graph<Vertices,Edges,Targets,Constraints>
Vertices [input, NOT, OR, AND]
Edges: inputs  [NO[[ OR]
OR  [AND]
AND  [AND]
No combinational cycles
Targets ½ Vertices
Constraints ½ Vertices
Verify:
targets never true while constraints hold
Problem Under Consideration
Properties: safety, liveliness,
[correctness, progress,...]
annotated vhdl or verilog, sugar, PSL,
CTL, LTL, …
equiv1( inputs, outputs),
….
assertN(inputs, outputs)
Design RTL: vhdl, verilog, …
Netlist !
Graph<Vertices,Edges,Targets,Constraints>
Vertices [input, register, NAND]
Edges: Vertices  Vertices
no combinational cycles
decl name (inputs, outputs, bidi, generic)
begin
….
end
Register:Gate  next state function
Gate  initial value function
Environment: input constraints
Targets ½ Vertices
Constraints ½ Vertices
annotated vhdl or verilog, sugar, PSL,
CTL, LTL
stmnt1( inputs)
….
stmntN(inputs)
4
Compilers, Synthesizers, Optimizers
Verify:
Targets never true while constraints hold
Tree example
 A tree is a non-empty undirected graph
 connected and acyclic
 connected and |edges| == |vertices| -1
 acyclic and |edges| == |vertices| -1
 connected and if one edge removed then not connected
 acyclic and if one edge added then cyclic
 All the 5 statements are equivalent
5
Tree model
sig V { E: set V } { some V }
fact undirected { E = ~E}
pred inCycle(v: V, c: V -> V) {
v in v.c ||
some v': v.c | v' in v.*( c - (v -> v') - (v' -> v) )
}
pred aCyclic() { all v: V | ! inCycle(v, E)}
pred cyclic(c: V->V){ some v : V | inCycle(v, c)}
pred connected(c: V->V) { all v1, v2 : V | v2 in v1.*c}
pred connectedAndAcyclic() { connected(E) and aCyclic()}
pred connectedAndCardinality() { connected(E) and (#E = #V + #V - 2) }
assert equivalentStatements {
connectedAndAcyclic() iff connectedAndCardinality() }
check equivalentStatements for 5
6
Alloy semantics
 Relational first-order (FO)
No nested relations
quantifiers
propositional logic
 Types are sets
relations are also sets
 Finitization
scope makes model finite
7
Alloy encoding [Jackson SIGSOFT’00]
 Each relation is encoded into a bit-matrix
R(i,j) == 1 iff R: ai 2 A  bj 2 B
quantifiers are folded with conjunction (8) or disjunction (9)
expression mapped to tree of parameterized matrices of Boolean formulas
8
Alloy encoding (continued)
 Environment binds quantified variables only
 Transitive closure: quadratic expansion
 Variables and CNF clauses: doubly exponential in terms of scope
and highest arity
9
Outline
 Review of model checking with Alloy
 Finitization into a SAT problem
 Review of transformation based verification (TBV)
 Alloy SAT instances and TBV
 Sequential encoding of Alloy
 Less variables, more TBV transforms
 Results
 Conclusion
10
Transformation-based verification (TBV) - 1
 Formal verification (FV) very powerful at exposing design flaws
 increasing industrial acceptance of automatic FV technologies
 Significant gap between industrial design sizes and FV capacity
 formal analysis generally requires exponential resources
 invariant checking: PSPACE – complete
11
 induction:
NP – complete, often inconclusive
 semi-formal:
NP – complete, falsification only
TBV - 2
Large designs pose verification challenges
Numerous polynomial-time transforms to reduce size
 retiming, constant propagation, redundancy removal…
 resource-bounded BDD and SAT-based abstractions
• localization refinement, parametric re-encoding,…
TBV [Kuehlmann and Baumgartner, CAV’01]
 synergistically leverage various transformation algorithms
 iteratively simplify and decompose large problems
 encapsulate into engines that interact via modular API
12
RET: retiming example
 Move registers backward/forward to reduce their count
synthesis: can not retime R1 and R2 with incompatible initial states
FV: no need to preserve i/o if we preserve the property checked
synthesis: can only realize backward constraints
FV: symbolic verification can accept negative registers
13
Localization (LOC) or predicate abstraction
spurious: refine
localize
T1
T1
T2
verify
abstract
apply to original
T1
T2
Proof
T2
counter
unreachable
example
Overapproximate behavior of the netlist and search
 Target not reachable: proof
 Counterexample: apply it to original netlist
• If actual: bug found
• If spurious: refine and try again
14
TBV typical iterative flow:
Netlist RING
(120,000 registers, 20,000 inputs)
Redundancy
removal
Retiming
8,342 registers
9,763 inputs
11 components
173
representatives
CMSA
Redundancy
removal
12 components
241
representatives
Re-parameterization
CMSA
Redundancy
removal
Semi-formal
search
6,722 registers
8,783 inputs
4,598 registers
8,543 inputs
 Iterative predicates generated by previous runs of CMSA
 Illustrates power of bit-level partitioning
15
SAT model
SAT returns assignments to Boolean variables
 Berkmin, MCHAFF, ZCHAFF, RELSAT
 map assignments back to Alloy model
• If no assignment exists, we have a proof within the scope
Pass CNF to TBV
 combinational only: limited number of engines
• redundancy removal, localization, parametric re-encoding
 decision: circuit SAT
16
Results: combinational SAT vs. TBV
17
Outline
 Review of model checking with Alloy
 Finitization into a SAT problem
 Review of transformation based verification (TBV)
 Alloy SAT instances and TBV
 Sequential encoding of Alloy
 Less variables, more TBV transforms
 Results
 Conclusion
18
Sequential encoding
Use less variables to encode the problem
 trade complexity in space for complexity in time
 use sequential encoding
Existence vectors and production machines
 atom: register index over a specialized existence vector
 relation: index = encode (<atom>, <atom>)
 boolean operators: propositional statements
 formulas: finite state production machines
Basic atoms and relations can be randomly initialized
to any state
19
Difference between sequential netlists and FSM
 2/3 bit write enabled
buffer and simplified
FSMs
 Arcs omitted in 3 bits,
labels omitted in both
 Sequential netlist often
more succinct than
FSMs
20
SERA component (production machine)
 Inputs: [Y: index, T: relational data, C: control]
 Outputs: [B: predicate, M: membership, N: cardinality, Q: validity,
queries]
 State registers: [X: membership, K: cardinality, U: validity]
next state function: , initial values: primary inputs
21
start
SERA component
2[.]
Cardinality: simple priority encoder
 counter may be needed in some cases
State
valid
access
cardinality
Control: {start, valid-input, reset}
Boolean predicate: 2, Æ, 9, 8, …
Compositional input: access to [memory, cardinality,
predicate] of other components
22
Priority
counter
States: {invalid, productive, done, idle}
Memory: existVec[ index(<atom, …>)]
index
Summary table for sequential encoding
23
Example: statement3 with a scope of 2
 Pred: (all v1, v2 : V | v2 in v1.*c) and (#E = #V + #V – 2)
 Two universal quantifier machines one contained in the other
Starts two V machines and gets two V atoms as indexes per step
•Early termination: one valid false is enough to terminate
24
Statement3 executed
25
Example (continued)
 Transitive closure (TC): v2 in v1.*c
 Alloy rewrites as: <v1,v2> 2 *C
 compositional access to the relation C
 use iterative squaring and achieve logarithmic encoding
• C0 = C
• Cn+1 = ( Cn : Cn )[ Cn
 Membership is valid after log(n)
 function of C and log(n) local memory state variables
 counter stores cardinality: avoids complex logic that checks total
membership
 usually drops with COI reductions since cardinality of TC is rarely
checked
 Kleene-star operation
26
Transitive-closure optimization
v2 in v1.*c Alloy rewrites as: <v1,v2> 2 *C
 advantage: only one big quadratic machine
Subset C into T = v1.C and check v2 2 T
 disadvantage: multiple smaller quadratic machines
 early termination: may not need them all
 redundancy: exploited well by TBV
 may as well reuse some of them if one production is
guaranteed to finish before the others
27
Set operators
 Union: ordered sequential traversal of two machines
 use unique order for variables: no duplicates
 default: the order sigs appeared in the formula
 Intersection: add a delay to preserve order
 Complement: flag all compositional input
 produce indexes with no flag
 Subtract: implement with intersect and complement
 Maybe interesting for redundancy: all these operations can be done
by complement and transitive closure
28
Transpose operator
Challenge since it forces a change of variable ordering
 SERA rewrites the formula and pushes the transpose in the
relation
Conflicts may occur, example E = ~E
 append a duplicate atom
 add a target that indicates the equivalency of the added atom
 redundancy removal will take care of it later
29
Predicates and propositional operators
Boolean operators trivial implementation:
 the same Boolean construct with a valid state propagation
 one valid truth is enough to propagate an OR
 one valid false is enough to propagate an AND
Predicates generated from:
 Boolean operators: Æ, Ç, !
 8: fold(e, Æ) and 9: fold(e,Ç) with early termination
 2: existsVec[index(atom, …)]
 [=, <, >] integer comparison: finitized into atoms in Alloy
• Alternative: we may use regular ring arithmetic
30
31
Priority
index
counter
valid
access
cardinality
Priority
index
valid
access
cardinality
State
2[.]
start
Priority
index
valid
access
cardinality
State
counter
State
2[.]
start
Priority
index
counter
valid
access
cardinality
State
2[.]
start
2[.]
start
counter
Implementation details
Limit scope to powers of two
 Simplify counter logic used for indexing
 Type determination is limited to a shift operation
 Static analysis is now enough to determine the needed
width of a tuple in a relation
Only one scope is allowed
 Simplifies membership of types into a simple range check
 No loss of generality: pick the highest
32
Implementation details
Constrain initial states
 False initial bits in existence vectors are always MSB
 A simple priority encoder is enough to detect the cardinality
 No loss of generality since it does alter the order of existing
variables
Optimize relations and transitive closures using facts
 fact {E = ~E}: only half of the matrix is meaningful
33
Less variables and more transforms
 Sequential encoding can be automated
 Less variables and yet better: more TBV power
 more cycles: may affect the complexity of the counter example
 can be handled by BMC based counter example optimization
techniques
 Use sequential transforms
 sequential equivalence, semi-formal search, target
enlargement, compositional minimization, generalized retiming,
bounded model checking…
 Expert system is not an Alloy expert yet.
 may get better in some time
34
Experimental Results
 As expected localization and minimization played a big role in proofs
 Semi-formal search significant in fast counter example generation
35
Conclusion
Reviewed Alloy and TBV
 compared SAT with TBV on Alloy models
Automated sequential encoding of Alloy
 enables TBV power
Less variables and more transforms
 allowed us to scale our scopes up to 32 where Alloy Analyzer
was limited to 7
Future work:
 mutation is more native: add native next state construct?
 detect a scope that is enough to complete proof
36
?/!
37