Edward Smith University of Oxford A Logic for GSTE Edward Smith University of Oxford Introduction

Generalized Symbolic Trajectory Evaluation (GSTE) Based on gate-level simulation Ternary simulation over {0,1,X} Symbolic simulation layer Fine control over abstraction Fixed-points allow unbounded properties Regular properties X s 1 Formal verification based on gate-level simulation Don’t care value X allows us to calculate multiple concrete runs by ignoring the values of certain circuit nodes (Ternary Simulation) Simulation also symbolic: variables can be introduced to generalize conditions, and each valuation of these variables represents a different ternary run Xs lose information, variables capture information – together we get good trade-offs, which can be manually tailored to specific implementations Unlike it’s parent technique, STE, GSTE simulation includes fixed-points so that it can model check unbounded properties

Traditional Specification Using assertion graphs Shape and labels drive model checking Affect efficiency and abstraction level Drive input A Assert correct output Drive input B Each edge of the graph represents one time step in the simulation Therefore the shape drives the flow of model checking Operations such as node splitting and edge annotations allow abstraction refinement. Direct translation to forall automata.

Verification Process High-level Specification Assertion Graph An example specification For a simple GSTE property that isn’t too hard to verify Hopefully not I hope, but you never really know, Assertion Graph Manually Refine or Decompose Here is how GSTE assertion graphs are used in practice. Specification typically given in English, and a first attempt at an assertion graph is manually constructed from it. This first attempt typically fails, usually as a case of either over- or under-abstraction. The graph can then be reformed with new shape and simulation conditions, to give a better balance between loss and retention of information. Although assertion graphs can be good for illustrating simple simulations, their graphical nature places limitations on useability. GSTE Fails GSTE Succeeds Circuit

Verification Process Rules difficult to express, apply and justify High-level Specification An example specification For a simple GSTE property that isn’t too hard to verify Hopefully not I hope, but you never really know, Assertion Graph Manually Refine or Decompose Here is how GSTE assertion graphs are used in practice. Specification typically given in English, and a first attempt at an assertion graph is manually constructed from it. This first attempt typically fails, usually as a case of either over- or under-abstraction. The graph can then be reformed with new shape and simulation conditions, to give a better balance between loss and retention of information. Although assertion graphs can be good for illustrating simple simulations, their graphical nature places limitations on useability. GSTE Fails GSTE Succeeds Circuit

Generalized Trajectory Logic A clean specification notation based on temporal logic f k f b f c Trace-based semantics Symbolic set of words What we check GSTE simulation state Upper-approximation How we simulate The language we describe is called ‘Generalised Trajectory Logic’. Each formula of the logic can be interpreted in two ways. Firstly, it has a formal trace semantics that describes the behaviours that it represents. This can then be used to define *what* we are checking. Secondly, the formula structure defines the simulation approach. In particular, the abstract syntax tree of the formula defines the flow of the simulator. GTL describes the simulation at a lower-level than that of assertion graphs. Each construct corresponds directly with an atomic model checking step. We find that this correspondence results in a range of useful algebraic rules that are much less apparent at higher-levels. This is modeled by as a function from formulas to ternary states, that either apply a ternary value to each node in N, or else consist of the over-constraint state, bottom. In both cases, these interpretations are symbolic. That is, their value depends on the context valuation of the variables they contain. The connection between the two interpretations is that the ternary state simulated by f describes an upper approximation of the *last* states in those traces that satisfy f. Now I’m going to talk through each construct of the logic in turn.

Circuit Model Kripke structure Nodes K = ( S ; T ) t r a c e s ( K ) µ + First of all, we describe how we model the system under analysis. We use a Kripke structure, K, consisting of a set of consistent circuit states, S, and a total transition relation on these states. We model the behaviour using the set of finite non-empty traces of the circuit. A post-image function gives the set of successors of a set of states. The circuit state is structured using a set of circuit nodes, N, which represent observable points in the circuit. n 2 N

Formulas of GTL f k f b f c S t X : ; f ? f ¾ : s 2 S j ( n ) g X 1 : + t X : ; f ? The true formula satisfies any trace. Therefore, we can approximate the last states using the unconstrained ternary state where every node is assigned X. The false formula is satisfied by no traces. This can be approximated by the over-constrained state, bottom. The formula ‘n’ represents those states where ‘n’ is high in the last state. We can therefore approximate it using the ternary state where every node is assigned X except for node n which is assigned high. Similarly, not ‘n’ represents that node ‘n’ is low in the last state. f ¾ : s 2 S + j ( n ) g X 1 : n f ¾ : s 2 S + j ( n ) g X : : n

Formulas of GTL f k f b f c g ^ h k g \ h b g c u h X 1 u = k g [ h g = For any formulas g and h, we can form the conjunction, g and h. This is satisfied by those traces that satisfy g and also satisfy h. The ternary simulation of g and h consists of any constraints that appear in either the simulation of g or the simulation of h. For example, …. Similarly, we can also form the disjunction. This time, we only take those ternary constraints that are common to both the simulations of g and h. k g [ h g _ h b g c t h 1 X t =

Yesterday f k f b f c f ¾ : s 2 S j k g Y g s t e p ( b g c ) Y g g + j k g Y g s t e p ( b g c ) Allows compositional simulation We use past time rather than future time because it makes simulation compositional. This complements the fact that GSTE simulation goes forwards. For example, we can simulate Yg by simulating g and then performing one step of (forwards) simulation. forward step simulate g Y g g

Symbolic Formulas Q ! g j h I f Q t h e n g l s e . g b u ! n j : c = X We introduce two logical constructs for the symbolic aspect of GSTE. The first is a conditional expression that allows us to introduce variables into the simulation. The first is ‘If Q then g else h’ where Q is a boolean predicate over the set of variables being used, and g and h are formulas of GTL. Simulating this expression results in a simulation of g in valuations where Q holds, and h otherwise. For example,… The second construct is explicit subsitution. This allows us to specialize the result of a symbolic simulation to a particular valuation. f ( u : = Q ) f w h e r u a s v l Q e . g b ( u ! n j : ) = 1 c X

Fixed-points f ; g ( ) : ¹ Z w h e r Y b i n d s v y Z g Mu-calculus style fixed-points capture iteration f ; g ( ) : ¹ Z w h e r Y b i n d s v y Z g Finally, fixed-points are expressed as mu-expressions. This captures iterative simulation from a state starting a bottom, and repeating the simulation g an arbitrary number of times.

Fixed-points f ; g ( ) : ¹ Z w h e r Y b i n d s v y Z g P f : = ¹ Z _ Mu-calculus style fixed-points capture iteration E.g. ‘Previously f’ and ‘f Since g’ f ; g ( ) : ¹ Z w h e r Y b i n d s v y Z g Finally, fixed-points are expressed as mu-expressions. This captures iterative simulation from a state starting a bottom, and repeating the simulation g an arbitrary number of times. P f : = ¹ Z _ Y f S g : = ¹ Z _ ( ^ Y )

Vector Fixed-points Z E R O = r e s t _ : ^ Y ( N ) Nested mu-expressions are messy in practice Fixed-points are unique Can therefore use systems of recursive equations: Finally, fixed-points are expressed as mu-expressions. This captures iterative simulation from a state starting a bottom, and repeating the simulation g an arbitrary number of times. Z E R O = r e s t _ : ^ Y ( N )

Shorthand ( 9 u : f ) = T _ F 8 ^ ( n i s Q ) : = ! j Quantification Calculated directly using BDD quantification Symbolic node value ( 9 u : f ) = T _ F 8 ^ From these two simple constructs, we can create some higher-level notations. Existential quantification over a variable is defined as disjunction across each of its values. Forall is defined dually. Although these definitions are defined using f twice in each case, we can create a fast simulation by simulating f only once, then using bdd quantification. We will also use the expression n is Q for ‘If Q then n else not n’. ( n i s Q ) : = ! j

GTL Properties A ) C t 2 k A i m p l e s C r e a d ^ ( : w ) S i n s o when, for every trace t and in every symbolic valuation: e.g. Register correctness: t 2 k A i m p l e s C Now we will explain how we can form GSTE properties from GTL formulas. Properties are written in the form antecedent A leads to consequent C. Model checking then takes place by simulating A and C and asserting that every condition in C is met by the simulation of A. The only simulation operations that approximate are Y and \/. Therefore, if the consequent is atemporal without disjunction, then model checking implies the property under test. r e a d ^ ( : w ) S i n s o u t

Model Checking b A c v C i m p l e s ) Upper-approximation simulation Precise simulation, when C does not contain disjunction or Y Now we will explain how we can form GSTE properties from GTL formulas. Properties are written in the form antecedent A leads to consequent C. Model checking then takes place by simulating A and C and asserting that every condition in C is met by the simulation of A. The only simulation operations that approximate are Y and \/. Therefore, if the consequent is atemporal without disjunction, then model checking implies the property under test.

Reasoning with GTL f ^ g = g ^ f = n ^ : = f Y f ^ g = ( ) ¹ Z : f ( ) Simple rules for traced-based equivalence Rules do not imply simulation equivalence Property-preserving simulation transformations f ^ g = g ^ f = n ^ : = f Y f ^ g = ( ) ¹ Z : f ( ) = So what does this give us over assertion graphs? Because we describe simulation in terms of it’s atomic operations, the logic has useful algebraic properties. For example,…. These properties represent ways we can transform the simulation without affecting it’s property semantics. This can allow us to soundly refine the specification. b f c 6 = g

Optimization Rules Simplification, e.g. Symbolic/explicit conversion g ^ f = Once application of this observation is in optimizing simulations. For example, Furthermore, we can use rules to convert between explicit state exploration, and symbolic state exploration. This rule states that if we symbolically simulate, and then substitute, it’s the same effect as simulating the formula f with u substituted by Q. f ( u : = Q ) [ / ]

Example n n n 9 s : ( ! n j ) n _ : ( s ! n j : ) = 1 _ = = 1 f s 1 f 1 f n s 1 f n 1 1 f n For example, the first formula simulate circuit f twice – once for n high and once for n low. The second use the variable s for the value on node n, and performs a single symbolic simulation of f. We can demonstrate equivalence by using the substitution rule. 9 s : ( ! n j ) n _ : = = ( s ! n j : ) = 1 _

Decomposition Rules A ) B C A B C A ) C [ = ] A C A C Transitivity connects simulations Monotonicity connects branching simulations A ) B C A B C GTL also has clean decomposition rules that can be used to break apart a simulation. The leads to relation is naturally transitive, showing that simulations can be chained together. Furthermore, since GTL is also monotonic, we can in fact chain together branching simulations. The, interfaces between connecting simulations need not be in exact alignment. A 1 ) C 2 [ = ] A 1 C 1 A 2 C 2

Abstraction Refinement ‘Less abstract than’ relation Only and lose information f - g _ Y Y ( f ^ g ) - Another important aspect of GSTE verification is abstraction refinement. Modeling abstraction refinement using the curly less than relation, we can derive rules that help us find the right level of abstraction. Our analysis of simulation steps shows that only the Y and \/ operators result in loss of information. As a result, distributive laws involving these operations affect the level of detail with which the simulation proceeds. For example, …. Instead of doing one simulation, you perform two simulations and then merge their results. Information loss occurs earlier in simulation f ( g ) _ h -

a b a ^ b Y ( a ^ b ) a Y a Y a ^ b b Y b 1 1 a b a b a 1 1 1 a b 1 b a ^ b Y ( a ^ b ) a b 1 a b a b a Y a a b Here is an example of that rule in practice. If we simulate a and b, then take the conjunction and form the post-image, enough information is retained to deduce that the output is 1. If, however, we take the post-image earlier in the process, then we lose the two bits of information before they have had a chance to interact. We have demonstrated this rule on a very simple example, but in practice, of course, ‘a’ and ‘b’ might be replaced by any formulas of GTL. a b 1 Y a ^ b b Y b Affects which circuit segments are simulated independently

Conclusions GTL is a temporal logic for GSTE Textual form is easier to manage Fine granularity induces algebraic nature Logical rules express sound refinements Simple rules exist for decomposition/refinement So, to summarize. GTL is a temporal logic for specifying GSTE simulations. Because it is textual, it’s form is easier to manage than that of GSTE assertion graphs. By describing GSTE simulations at a finer level of granularity than assertion graphs, we give rise to a wide selection of algebraic laws that are familiar from propositional logic. Our choice of semantics and logical constructs brings about simple laws for decomposition, and revealing laws about abstraction refinement.

Previously f f Since g P f : = ¹ Z _ Y f S g : = ¹ Z _ ( ^ Y )

Fixed-points are unique Can also use systems of equations, e.g. Z E R O = : r e s t _ Y ( N )

Our Approach Describe these atomic steps in a logical form Assertion Graph: Simulation Steps: µ \ First of all, we describe how we model the system under analysis. We use a Kripke structure, K, consisting of a set of consistent circuit states, S, and a total transition relation on these states. We model the behaviour using the set of finite non-empty traces of the circuit. A post-image function gives the set of successors of a set of states. The circuit state is structured using a set of circuit nodes, N, which represent observable points in the circuit. [ I m [ \ I m Describe these atomic steps in a logical form Hope to gain reasoning rules