Optimizing Automatic Abstraction Refinement for GSTE
Yan Chen, Fei Xie (Portland State University); Jin Yang (Intel)
Outline
- Overview of (G)STE
- Quaternary Abstraction and its Imprecision
- AutoGSTE: Automatic Abstraction Refinement
- Optimizing AutoGSTE
  - More Accurate Fan-in Analysis
  - Precise Nodes with Lifespans
  - State Set Containment Check
- Conclusions
Symbolic Trajectory Evaluation [Bryant & Seger]
Running example: a buffered register built from a mux, a buffer B, a register R and a select node sel, with inputs din, wr, rd, ck and output out.
STE assertion over four clock phases: (!ck & wr & din=DATA), then (ck & !wr & rd), then !ck, then ck, with consequent out=DATA.
STE is simulation-based model checking.
[Figure: circuit schematic and waveform of ck, din=DATA, wr, rd, out, omitted]
Generalized STE: GSTE Assertion Graph [Yang & Seger]
The same buffered register is specified by an assertion graph: an edge from vertex 1 to vertex 2 labelled "wr & din=DATA", an edge back to vertex 1 labelled "!wr & rd / out=DATA" (antecedent / consequent), and a self-loop labelled "True".
An assertion graph stands for an infinite collection of STE assertions (one per path), and is checked by simulation with a fixed-point computation.
[Figure: circuit schematic, waveform and assertion graph, omitted]
Quaternary Abstraction (and Conflict)
Two sides of a coin:
- Quaternary abstraction significantly reduces the state space representation.
- Over-abstraction causes false negatives.
Node values are 0, 1, X (unknown) and a conflict value; in the information partial order X lies below 0 and 1, and the conflict value above them.
The imprecision comes from the propagation of "unknown" (X) through the circuit.
Causes of False Negatives: Quaternary State Set Unions
Buffered register assertion graph: edge 1 is "wr & din=DATA", edge 2 is "!wr & rd / out=DATA".
Quaternary simulation result:
- Edge 1: din=DATA, wr=1, rd=X, B=R=sel=X
- Edge 2, first incoming state: din=X, wr=0, rd=1, B=DATA, R=X, sel=0; check out=DATA holds
- Edge 2, second incoming state: din=X, wr=0, rd=1, B=DATA, R=DATA, sel=1; check out=DATA holds
Quaternary union of the two edge-2 states: din=X, wr=0, rd=1, B=DATA, R=X, sel=X; check out=DATA fails.
Causes of False Negatives: Quantified-out Symbolic Variables
Assertion graph: edge 1 (vertex 1 to vertex 2) has antecedent A=(variable v), B=(variable v); edge 2 is "True / out=0".
Quaternary simulation result:
- Edge 1: A=v, B=v
- Edge 2: A=X, B=X (v has been existentially quantified out); check out=0 fails
AutoGSTE: Automatic Abstraction Refinement [FMCAD'07]
Loop: the circuit implementation and the assertion graph go to GSTE; either the assertion holds, or a counterexample is produced. Counterexample analysis identifies the causes of imprecision, abstraction refinement produces a refined abstraction, and GSTE runs again.
Causes of imprecision in GSTE's quaternary abstraction:
(1) under-constrained inputs;
(2) quaternary state set unions;
(3) existentially quantified-out symbolic variables.
Abstraction refinement (monotonic), one step per cause:
(1) constraining inputs with symbolic constants/variables;
(2) model refinement: introducing precise nodes;
(3) specification refinement: assertion graph transformations.
Counterexample Analysis -- Union
Buffered register graph (edge 1: "wr & din=DATA"; edge 2: "!wr & rd / out=DATA"). The counterexample trace is:
- Edge 1: din=DATA, wr=1, rd=X, B=R=sel=X
- Edge 2: din=X, wr=0, rd=1, B=DATA, R=X, sel=0
- Edge 2: din=X, wr=0, rd=1, B=DATA, R=X, sel=X (after the union)
[Figure: circuit with B=DATA and the X values annotated, omitted]
Counterexample Analysis -- Weak (quantified-out variable)
Graph: edge 1 has antecedent A=(variable v), B=(variable v); edge 2 is "True / out=0". The counterexample trace is:
- Edge 1: A=v, B=v
- Edge 2: A=X, B=X
Inefficiency in Backward Reasoning
The original counterexample analysis algorithm did not consider post-image functions, so it can identify more causes than necessary.
Example: a mux with data inputs A, B, C driving Out, where only some of the X-valued fan-ins actually determine Out.
Consider Post-image Functions
- Get the post-image function for Out (Out as a Boolean function of its fan-in nodes).
- Substitute circuit nodes with their values in the counterexample.
- Canonicalize the post-image function using a BDD; only the nodes the canonical function still depends on are reported as causes.
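Post-image-based cause identification on an n-input one-hot mux, as an added example that is not the authors' code. The counterexample values are constructed, the post-image function Out = OR_i (Sel_i AND In_i) is an assumption about the mux structure, and exhaustive truth-table enumeration stands in for the BDD canonicalization the slides use: a node counts as a cause only if the substituted function still depends on it.

```python
# Added example: counterexample analysis with and without the post-image
# function. Boolean functions are callables over a dict node -> bool.
from itertools import product

def mux_post_image(n):
    """Post-image function of Out for an n-input one-hot mux (assumed
    structure): Out = OR_i (Sel_i AND In_i). Returns (function, fan-in nodes)."""
    nodes = [f"Sel{i}" for i in range(n)] + [f"In{i}" for i in range(n)]
    def out(env):
        return any(env[f"Sel{i}"] and env[f"In{i}"] for i in range(n))
    return out, nodes

def support(f, nodes, known):
    """Nodes the function still depends on after substituting the known
    counterexample values. A node is in the support iff flipping it changes
    the output for some assignment of the other unknown nodes; this is what
    a canonical BDD of the substituted function would expose as its support."""
    unknown = [n for n in nodes if n not in known]
    dep = set()
    for bits in product((False, True), repeat=len(unknown)):
        env = dict(known, **dict(zip(unknown, bits)))
        base = f(env)
        for n in unknown:
            if f(dict(env, **{n: not env[n]})) != base:
                dep.add(n)
    return sorted(dep)

def naive_causes(nodes, known):
    """Original analysis: every X-valued node in the fan-in cone is a cause."""
    return sorted(n for n in nodes if n not in known)

def optimized_causes(f, nodes, known):
    """Optimized analysis: only X-valued nodes in the support of the
    substituted post-image function."""
    return support(f, nodes, known)

def demo(n=8, unknown_sel=(3,)):
    """Constructed counterexample: Sel2 is known high, every other select line
    is known low except those in unknown_sel (left as X), and all data inputs
    are X. Returns (naive causes, optimized causes)."""
    f, nodes = mux_post_image(n)
    known = {f"Sel{i}": (i == 2) for i in range(n) if i not in unknown_sel}
    return naive_causes(nodes, known), optimized_causes(f, nodes, known)

if __name__ == "__main__":
    naive, opt = demo()
    print(len(naive), "naive causes:", naive)
    print(len(opt), "optimized causes:", opt)
```

With Sel3 unknown the substituted function is In2 OR (Sel3 AND In3), so the optimized analysis reports three nodes (In2, In3, Sel3) where the naive cone walk reports all nine X-valued nodes; with every select line known it reports In2 alone. The enumeration is exponential in the number of unknown nodes, which is why the slides canonicalize with a BDD instead.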
Effectiveness
Speculative design of FIFOs, with an n-input mux (inputs In_1 ... In_n, select Sel) on the datapath.
When the mux has 24 fan-ins, the number of circuit nodes identified as causes is:
- Original algorithm: 120
- Optimized algorithm: 5
Experimental Results
Model Refinement
Quaternary union of the two edge-2 states:
(B=DATA, R=X, sel=0) ∪ (B=DATA, R=DATA, sel=1) = (B=DATA, R=X, sel=X)
Mark "sel" as a precise node. The union is then encoded with a fresh symbolic variable v:
(B=DATA, R=X, sel=0) ∪ (B=DATA, R=DATA, sel=1) = (B=DATA, sel=v, R = DATA when v=1 and X when v=0)
so the relation between sel and R survives the union.
Inefficiency in Model Refinement
Problem: the refinement may mark unnecessary nodes precise.
Solution: more accurate fan-in analysis (the post-image-based counterexample analysis) reduces the number of unnecessary precise nodes.
Problem: precise nodes are kept precise during the whole simulation.
Solution: mark circuit nodes precise only on certain assertion edges (precise nodes with lifespans).
- Precise node marking is monotonic on each edge.
- Trade-off between the number of refinement iterations and the size of the state spaces.
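An added example of precise nodes with per-edge lifespans, covering the model refinement slide and the lifespan optimization above; it is not the authors' code. It keeps a precise node exact by storing the states grouped by that node's value rather than by introducing a symbolic variable as the slides do, and the per-edge state sets and the lifespan table are constructed for the illustration.

```python
# Added example: quaternary state-set union with precise nodes whose lifespan
# is restricted to particular assertion edges. Values are '0', '1', 'X'.
from collections import OrderedDict

X = "X"

def meet(a, b):
    return a if a == b else X

def mux(sel, in0, in1):
    # same X pessimism as quaternary simulation: an unknown select gives a
    # known output only when both data inputs agree
    if sel == "0":
        return in0
    if sel == "1":
        return in1
    return in0 if in0 == in1 else X

def union_with_precise(states, precise):
    """Union a list of states (dict node -> value). Nodes in `precise` are
    never abstracted: states are grouped by the values of the precise nodes
    and only states in the same group are merged node-wise with meet."""
    groups = OrderedDict()
    for s in states:
        key = tuple(s[n] for n in sorted(precise))
        if key in groups:
            groups[key] = {n: meet(groups[key][n], s[n]) for n in s}
        else:
            groups[key] = dict(s)
    return list(groups.values())

# Constructed lifespans: edge 1 (the write) needs no precise node, edge 2
# (the read) keeps "sel" precise because the write and read paths merge there.
LIFESPANS = {1: set(), 2: {"sel"}}
# Marking "sel" precise for the whole simulation, for comparison.
GLOBAL = {1: {"sel"}, 2: {"sel"}}

def edge_states(data):
    """Constructed incoming states per edge of the buffered-register graph."""
    return {
        1: [{"B": X, "R": X, "sel": "0"}, {"B": X, "R": X, "sel": "1"}],
        2: [{"B": data, "R": X, "sel": "0"}, {"B": data, "R": data, "sel": "1"}],
    }

def check_edge2(data, precise_by_edge=LIFESPANS):
    """Returns (number of states kept on edge 2, whether out=DATA holds on
    every kept state)."""
    states = union_with_precise(edge_states(data)[2], precise_by_edge[2])
    outs = [mux(s["sel"], s["B"], s["R"]) for s in states]
    return len(states), all(o == data for o in outs)

def states_stored(data, precise_by_edge):
    """Total number of states kept across all edges: the memory side of the
    trade-off between lifespans and global precise nodes."""
    return sum(len(union_with_precise(ss, precise_by_edge[e]))
               for e, ss in edge_states(data).items())

if __name__ == "__main__":
    print(check_edge2("1"))                        # (2, True)
    print(check_edge2("1", {1: set(), 2: set()}))  # (1, False): plain union
    print(states_stored("1", LIFESPANS), states_stored("1", GLOBAL))  # 3 4
```

Without any precise node the edge-2 union collapses sel and R to X and the check fails, as on the earlier slides; with sel precise on edge 2 both states are kept and out=DATA holds on each. Restricting the precise node to edge 2 stores one state fewer than marking sel precise everywhere, which is the memory saving the lifespan optimization is after.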
Experiments on Staged Design with Speculation
A staged design with speculation, containing an n-input mux (inputs In_1 ... In_n, select Sel). This design is hard to check using the original AutoGSTE.
Experimental Results
Specification Refinement
Loop unrolling / case-splitting transformations on assertion graphs.
- Loop unrolling: the buffered-register graph (edge "wr & din=DATA" from vertex 1 to 2, edge "!wr & rd / out=DATA" back) is unrolled by adding a vertex 3, so the two paths into the read edge no longer merge.
- Case splitting: the graph with edge "A=(variable v), B=(variable v)" followed by "True / out=0" is split on v into two edges, "A=1, B=1" to vertex 2 and "A=0, B=0" to vertex 3, each followed by its own "True / out=0" edge.
Inefficiency in Specification Refinement
GSTE: sim(e) = { [C=1, D=1], [C=v, D=0], [C=0, D=0] }, whose quaternary union is [C=X, D=X].
Expected result: { [C=1, D=1], [C=v, D=0] }, since [C=0, D=0] is already covered by [C=v, D=0].
AutoGSTE instead treats [C=0, D=0] as a new state and applies loop unrolling / case splitting that is not needed.
Improve Specification Refinement
- Check whether a new state s' is contained in the state set of the assertion edge.
- If it is, a fixed point has been found.
- If a previous state is contained in s', replace it with s'.
Containment check, given two states s1 and s2:
- Build the Boolean expression "Is s1 contained in s2?" (s1 ⊆ s2).
- Decide satisfiability of the expression by existentially quantifying out all variables in the BDD.
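The containment-aware insertion described above, on the sim(e) example from the previous slide, as an added example that is not the authors' code. Symbolic states are dicts from node names to functions of a variable assignment; exhaustive enumeration of the assignments stands in for the BDD quantification, and the states and the extra state [C=w, D=1] are constructed for the illustration.

```python
# Added example: state-set containment check and containment-aware insertion
# into an assertion edge's state set.
from itertools import product

X = "X"

def const(c):
    """Node value that is the constant c ('0', '1' or 'X')."""
    return lambda env: c

def var(name):
    """Node value equal to symbolic variable `name`."""
    return lambda env: "1" if env[name] else "0"

def assignments(names):
    names = sorted(names)
    for bits in product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))

def contained(s1, s2):
    """Is every concrete state of s1 also a concrete state of s2?  A state is
    a dict node -> value function plus a 'vars' entry naming its symbolic
    variables; X in s2 covers any value, X in s1 is covered only by X."""
    nodes = [n for n in s1 if n != "vars"]
    for env1 in assignments(s1["vars"]):
        covered = any(all(s2[n](env2) in (X, s1[n](env1)) for n in nodes)
                      for env2 in assignments(s2["vars"]))
        if not covered:
            return False
    return True

def add_state(state_set, new):
    """Containment-aware insertion. Returns (new state set, fixed_point):
    if `new` is already covered the set is unchanged and a fixed point is
    reported; otherwise states covered by `new` are replaced by it."""
    if any(contained(new, old) for old in state_set):
        return state_set, True
    kept = [old for old in state_set if not contained(old, new)]
    return kept + [new], False

def example_states():
    """Constructed states: a, b, c are sim(e) from the slide; d is an extra
    state that covers a."""
    return {
        "a": {"C": const("1"), "D": const("1"), "vars": set()},
        "b": {"C": var("v"), "D": const("0"), "vars": {"v"}},
        "c": {"C": const("0"), "D": const("0"), "vars": set()},
        "d": {"C": var("w"), "D": const("1"), "vars": {"w"}},
    }

def demo():
    """Insert c, then d, into {a, b}. Returns (fixed point after c, fixed
    point after d, names of the states left in the set)."""
    s = example_states()
    sim, fixed_c = add_state([s["a"], s["b"]], s["c"])
    sim, fixed_d = add_state(sim, s["d"])
    return fixed_c, fixed_d, [k for k in "abcd" if s[k] in sim]

if __name__ == "__main__":
    print(demo())   # (True, False, ['b', 'd'])
```

Inserting [C=0, D=0] leaves the set at { [C=1, D=1], [C=v, D=0] } and reports a fixed point, which is the expected result on the previous slide; inserting [C=w, D=1] afterwards replaces [C=1, D=1], which it covers. The quantifier structure is "for every assignment of s1's variables there is an assignment of s2's variables", which is what the enumeration checks.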
Experiments
Columns: FIFO depth; results without containment check (# of edges, time in sec., mem in MB); results with containment check (# of edges, time in sec., mem in MB). Values as extracted, one row per FIFO depth:
- Depth 3: 11 51 0.32 12 25 0.3
- Depth 8: 26 296 2.98 14 145 2.56 15
- Depth 16: 50 1104 16.97 22 545 13.9 17
- Depth 24: 74 2424 33 1201 44.3 20
Conclusions
Optimization of counterexample analysis:
- Consider post-image functions and unknown conditions.
- Effective in reducing unnecessary X-chasing.
Optimization of model refinement:
- Extend precise nodes with lifespans.
- Effective in reducing memory usage.
Optimization of specification refinement:
- Containment check for state set unions.
- Effective in reducing unnecessary loop unrolling and case splitting.