Transcript slides

Automatic Abstraction Refinement for GSTE
Yan Chen, Yujing He, and Fei Xie
Portland State University
Jin Yang
Intel
Nov 13, 2007
Our Contributions
 AutoGSTE – an automatic approach to abstraction refinement for GSTE
 Quickly converge to good abstractions that enable verifications that were not possible before
 Allow assertion graphs to be high-level without adapting too much to the circuit implementation
Outline
 Overview of (G)STE
 Quaternary Abstraction and its Imprecision
 Our Solution – AutoGSTE
    Counterexample-guided abstraction refinement
    Model refinement and specification refinement
 Experiments
 Conclusion & Future Work
Symbolic Trajectory Evaluation [Bryant & Seger]
 Scalability: model checking complexity largely depends on the complexity of the assertion rather than the circuit
 Pros: highly efficient
 Cons:
    False negatives due to insufficient input constraints
       R. Tzoref, O. Grumberg, Automatic refinement and vacuity detection for STE, CAV'06
       J. Roorda, K. Claessen, SAT-based assistance to abstraction refinement for STE, CAV'06
    Only properties over finite time → GSTE
Generalized STE [Yang & Seger]
 ω-regular properties represented by assertion graphs
    G = { (V, v0, E, ant, cons) }
    Non-deterministic execution
    Fixed-point computation
[Figure: example assertion graph with initial vertex Start, vertices V0–V5, and edges labelled ai/ci (antecedent/consequent)]
GSTE Algorithm
Algorithm: GSTE(G, post)
(* initialize symbolic simulation *)
for each edge e in G
    if e is from the initial vertex
        sim(e) := ant(e);
        put e in EventQueue;
    else
        sim(e) := { };
(* perform symbolic simulation *)
while EventQueue is not empty
    get an edge e from the queue;
    for each successor edge e' of e begin
        sim(e') := sim(e') ∪ (post(sim(e)) ∩ ant(e'));
        if there is a change in sim(e')
            put e' into EventQueue;
    end
(* check consequence *)
for each edge e in G
    if !(sim(e) ⊆ cons(e))
        return false;
return true;
end.
Quaternary-Value Logic
[Figure: the quaternary lattice under the Information Partial Order: X (Unknown) at the bottom, 0 and 1 in the middle, Conflict at the top]
 Propagation of "Unknown"
 Two sides of a coin
    Significantly reduce state spaces by quaternary abstraction
    Over-abstraction causes false negatives
Causes of False Negative: Quaternary State Set Unions
sim(e') := sim(e') ∪ (post(sim(e)) ∩ ant(e'));
Check whether the output is always 1 under certain inputs
[Figure: OR gate with inputs A, B and output Out. The concrete states (A, B, Out) = (0, 1, 1) and (1, 0, 1) both have Out = 1, but their quaternary union (Abs.) abstracts A and B to X, and re-simulating the gate then gives Out = X instead of 1]
Causes of False Negative: Existentially Quantified-Out Symbolic Variables
[Figure: the same OR gate, Out = A|B, on an assertion edge with antecedent A=c1 & B=(!c1|c2) and consequent Out=1, followed by the edge True/Out=1]
 With [A=c1, B=(!c1|c2)]: Out = A|B = c1|(!c1|c2) = 1
 With [A=X, B=X]: Out = A|B = X
c1, c2 are existentially quantified out after every single-step simulation
AutoGSTE: Automatic Abstraction Refinement
[Figure: refinement loop. (1) GSTE runs on the circuit implementation and the assertion graph; either the assertion holds, or the assertion fails with a counterexample. (2) Counterexample analysis identifies the causes of imprecision. (3) Abstraction refinement produces a refined abstraction, which is fed back into (1).]
Abstraction refinement (monotonic):
(1) Constraining inputs with symbolic constants/variables
(2) Model refinement: introducing precise nodes
(3) Spec refinement: assertion graph transformations
Causes of imprecision in GSTE's quaternary abstraction: (1) Under-constrained inputs; (2) Quaternary state set unions; (3) Existentially quantified-out symbolic variables
Counter Example Analysis
 Counter example: [(edge1, src1, dest1), …, (edgeT, srcT, destT)]
 Identify "X" nodes in destT that violate the consequent on edgeT
 Backtrack to identify the causes for each "X" node N
[Figure: JK flip-flop (J, K, SET, CLR, Q, Q̄) with an X on Q backtracked to its source; one instance shows inputs X and 1, the other shows inputs X, 0, 1 on the edge True/n2=n3 with n2=(variable v) & n3=(variable v)]
In the end, the following causes will be identified: Input, Union, Weak
 Output circuit nodes/assertion edges on which Xs are introduced.
Model Refinement
 Symbolic Indexing (the verifier has to encode it in the specification)
[Figure: the OR-gate example: the concrete states 011 and 101 abstracted (Abs.) by the quaternary union, versus partitioned with a symbolic variable v and rewritten (rew.), and a finer partition with variables v and w]
Model Refinement (Cont.)
 Precise nodes: circuit nodes that must always have Boolean values by symbolic indexing
 [Yang and Seger, FMCAD'02] manually specify precise nodes to eliminate Xs caused by both unions and weaks
 AutoGSTE automatically marks precise nodes
    Mark all the identified nodes as precise
    Mark one node at a time (control signals first?)
Specification Refinement
 Loop unrolling transformations address unions
    Allow the specification to be high level
    Dynamically adapt to the real computation flow of the circuit
Specification Refinement (Cont.)
 Automating loop unrolling
    Unroll each problematic edge to prevent unwanted state set unions
[Figure: a four-vertex assertion graph before and after unrolling a problematic edge]
Specification Refinement (Cont.)
 Case splitting transformations address weaks
    Symbolic variables symbolically index a set of edges with scalar values
    Remember the variable values by case splitting
[Figure: before case splitting, a single edge V0 → V1 with antecedent enq=(variable v), deq=(variable v), followed by the edge True/enq=deq; after case splitting, two edges V0 → V1 with antecedents enq=deq=1 and enq=deq=0, each followed by True/enq=deq]
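An added example, not from the slides or from AutoGSTE: a toy Python version of the GSTE fixed-point loop over quaternary states, run on a constructed OR-gate circuit. It reproduces the state-set-union false negative from the "Causes of False Negative" slide (the merged cases (ra, rb) = (0, 1) and (1, 0) become (X, X) and Out re-simulates to X) and then passes once the two cases are kept on separate vertices, in the spirit of the case-splitting transformation above. The circuit (registers ra, rb that hold their values, Out = ra | rb), the node names and both assertion graphs are assumptions.

```python
X, T = "X", "T"                      # quaternary values: 0, 1, X (unknown), T (conflict)

def union(a, b):                     # state-set union: 0 U 1 -> X; X absorbs; T is the identity
    if a == b: return a
    if T in (a, b): return b if a == T else a
    return X

def meet(a, b):                      # state-set intersection (with an antecedent): 0 n 1 -> T
    if a == b: return a
    if X in (a, b): return b if a == X else a
    return T

def or_q(a, b):                      # quaternary OR gate: a 1 dominates, X|X stays X
    if a == 1 or b == 1: return 1
    if a == 0 and b == 0: return 0
    return T if T in (a, b) else X

def post(s):                         # assumed circuit: registers ra, rb hold; Out = ra | rb
    ra, rb = s.get("ra", X), s.get("rb", X)
    return {"ra": ra, "rb": rb, "Out": or_q(ra, rb)}

def gste(edges):
    """edges: list of (src, dst, ant, cons); 'Start' is the initial vertex.
    Returns (assertion_holds, sim) with sim: edge index -> quaternary state."""
    sim = {i: dict(e[2]) if e[0] == "Start" else None for i, e in enumerate(edges)}
    queue = [i for i, e in enumerate(edges) if e[0] == "Start"]
    while queue:                     # symbolic simulation to a fixed point
        i = queue.pop(0)
        for j, (src, _, ant, _) in enumerate(edges):
            if src != edges[i][1]:   # only successor edges of edge i
                continue
            new = post(sim[i])       # post(sim(e)) n ant(e')
            for n, v in ant.items():
                new[n] = meet(new.get(n, X), v)
            if sim[j] is not None:   # sim(e') U ...: the quaternary union
                new = {n: union(sim[j].get(n, X), v) for n, v in new.items()}
            if new != sim[j]:
                sim[j] = new
                queue.append(j)
    holds = all(s is None or s.get(n, X) in (c, T)   # sim(e) must imply cons(e)
                for s, (_, _, _, cons) in zip(sim.values(), edges) for n, c in cons.items())
    return holds, sim

# Constructed graphs. MERGED joins both input cases on V1: the union turns (ra, rb) = (0, 1)
# and (1, 0) into (X, X), the self-loop re-simulates Out = X|X = X, and the check fails.
MERGED = [("Start", "V1", {"ra": 0, "rb": 1}, {}), ("Start", "V1", {"ra": 1, "rb": 0}, {}),
          ("V1", "V1", {}, {"Out": 1})]
# SPLIT keeps each case on its own vertex (a case split), so no union happens and it passes.
SPLIT = [("Start", "V1", {"ra": 0, "rb": 1}, {}), ("V1", "V1", {}, {"Out": 1}),
         ("Start", "V2", {"ra": 1, "rb": 0}, {}), ("V2", "V2", {}, {"Out": 1})]
```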
Experiment: FIFO
FIFO Model Refinement
Circuit          Mark precise nodes all at once           Mark precise nodes one at a time
FIFO    # of     # of    # of P.   Time     BDD          # of P.   Time     BDD
Depth   Nodes    Iter.   Nodes     (Sec.)   Nodes        Nodes     (Sec.)   Nodes
3       181      1       5         0.12     10232        3         0.26     8996
8       296      1       7         0.4      32923        4         0.81     26708
16      476      1       9         1.1      72189        5         2.37     58250
24      787      1       11        2.38     131236       6         6.83     104246
Better than manual analysis!
FIFO Specification Refinement
Circuit  GSTE on original assertion graph            Semantic-preserving transformation
FIFO     # of    Time    BDD    Mem   Result         # of    Time    BDD    Mem   Result
Depth    Edges   (Sec.)  Nodes  (MB)                 Edges   (Sec.)  Nodes  (MB)
3        11      0.01    5      17    Fail           31      0.23    6      17    Pass
8        26      0.02    5      17    Fail           201     2.69    6      19    Pass
16       50      0.04    5      17    Fail           785     17.3    6      26    Pass
24       74      0.07    5      17    Fail           1753    54.2    6      39    Pass
Too complex to do manually!
[Figure: time for spec. ref. versus FIFO depth (0–25)]
[Figure: time for spec. ref. and time for model ref. versus FIFO depth (0–25)]
[Figure: time and memory (MB) for spec. ref. and for model ref. versus FIFO depth (0–25)]
Conclusion & Future Work
 An automatic approach to abstraction refinement for GSTE
 Quickly converge to good abstractions
 Future work
    Identify a minimal set of precise nodes
    Reduce unnecessary loop unrolling/case splitting
    Integrate model refinement and spec refinement