Inventing IC design technologies that will be vital to Intel S CL 1 Compositional Specification and Verification in GSTE Jin Yang, joint work with Carl Seger Strategic CAD Labs, Intel Corp. CMU March 23, 2004

GSTE 2 Motivation GSTE  combines high capacity of STE with expressive power of traditional model checking (YS ICCD’00)  provides a multi-dim. approach to achieve high capacity while maintaining accuracy (YS FMCAD’02)  has been used by FVers for > 1 year successfully on next-gen. Intel  -processors (Schubert ICCAD’03)  part of FORTE public release However  assertion graph specification in GSTE is inherently sequential but circuit behavior may be concurrent  … …

GSTE 3 Sequential Ex.: Memory 1024 x 64 Memory wren din[63:0] addr[9:0] rden dout[63:0] vIvI v1v1 v2v2 ( wren & addr[9:0] = A[9:0] & din[63:0] = D[63:0], true ) ( rden & addr[9:0] = A[9:0], dout[63:0] = D[63:0] ) ( !wren | addr[9:0] != A[9:0], true ) antecedent consequent   “Always read from a cell the most recently written data”

GSTE 4 Concurrent Ex.: Voting Machine reset avail[1] vote[1] avail[2] vote[2] avail[3] vote[3] vout Voting Machine –a vote can be accepted at station i (through vote[i]=1,2,3) when it is available –it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as soon as all three votes are in, and then makes the stations available for next round. 2222

GSTE 5 Voting Machine (cont.)  Specification using an assertion graph causes exponential complexity –order 1: vote[1], …, vote[2], …, vote[3] –order 2: vote[1], …, vote[3], …, vote[2] –… …  Solution –concurrent extension to assertion graphs –implementation independent –utilizing and guiding GSTE model checking –(future) ability to reason about specifications

GSTE 6 Basics: Domain And Trace  Domain D –a finite non-empty alphabet e.g., the set of states in a FSM (circuit) –P(D) – power set of D e.g., all subsets of states (state predicates) in FSM  Trace  = d 1 d 2 d 3 … –an infinite word in D  e.g., an infinite state sequence (trace) in FSM

GSTE 7 Basics: Assertion Alphabet  Assertion alphabet  = P(D)  P(D) –set of antecedent/consequence pairs –  = (D 1,D 2 )   – assertion letter –antecedent: ant(  ) = D 1 –consequent: cons(  ) = D 2 + a[15:0] b[15:0] c[15:0] ( a[15:0] = A[15:0] & b[15:0] = B[15:0], c[15:0] = A[15:0] + B[15:0] )

GSTE 8 Basics: Assertion Language  Assertion word - any word w =  1  2 …  k in  * –STE assertion  assertion word  Assertion language - any set of words L in P(  * ) –assertion graph  regular assertion language ( wren & addr = A & din = D, true ) ( !wren | addr != A, true ) * ( rden & addr = A, dout = D ) vIvI v1v1 v2v2 ( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D ) ( !wren | addr != A, true )

GSTE 9 Basics: Trace Semantics  Trace Satisfiability –trace  satisfies a word  P(D)*, if  1  i  |  |,  (i)   [i]  Trace Language –assertion word  (w) = {  D  |  sat. ant(w)   sat. cons(w) } –assertion language (for all semantics)  (L) =  w  L  (w)  Theorem: L 1  L 2   (L 1 )  (L 2 ) L 1  L 2   (L 1 )  (L 2 ) “more words  more restricted behavior” “more words  more restricted behavior”

GSTE 10 The Meet Operator  Meet of assertion letters: ( C 1, C 2 )  ( D 1, D 2 ) = ( C 1  D 1, C 2  D 2 )  Meet of assertion words:  1  2 …  k   ’ 1  ’ 2 …  ’ k = (  1   ’ 1 ) (  2   ’ 2 ) … (  k   ’ k )  Meet of assertion languages: L 1  L 2 = { w 1  w 2 | w 1  L 1, w 2  L 2, |w 1 | = |w 2 | } L 1  L 2 = { w 1  w 2 | w 1  L 1, w 2  L 2, |w 1 | = |w 2 | }  ( vote[1]=1, true ) ( true, true )  ( true, true ) ( vote[2]=2, true )  ( vote[3]=2, true ) ( true, true ) = ( vote[1]=1 & vote[3]=2, true ) ( vote[2]=2, true ) Parallel composition

GSTE 11 Self Consistency  Repeated application  0 L = L,  k L = (  k-1 L)  L (k>0)  Lemma  k L   k+1 L but  (  k L ) =  (  k+1 L ) –proof sketch –(w 1  w 2  …  w k )  w k = w 1  w 2  …  w k –w  w ’ may be new, but  (w)   (w ’ )   (w  w ’ )  Theorem (about limit) L   k  0  k L but  ( L ) =  (  k  0  k L )

GSTE 12 Compositional Specification  Initialization: L 0 =  + L 0 (D,D)  Prefix: (1  i<h) L i = L j  j L i = L j  j  Summation: (h  i<l) L i = L i 1  … …  L i k (0  i j <h)  Meet: (l  i<n) L i = L i 1  … …  L i k (0  i j <l) Comment: there is a unique solution to the system  very much like CCS but with new 

GSTE 13 Example 1: Memory vIvI v1v1 v2v2 ( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D ) ( !wren | addr != A, true )  L I =  + L I (true, true)  L I, 1 = L I (wren & addr = A & din = D, true)  L 1,1 = L 1 (!wren | addr != A, true)  L 1 = L I, 1  L 1,1  L 2 = L 1 (rden & addr = A, dout = D)

GSTE 14 Example 2: Voting Machine (VM) reset avail[1] vote[1] avail[2] vote[2] avail[3] vote[3] vout Voting Machine –a vote can be accepted at station i (through vote[i]=1,2,3) when it is available –it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as soon as all three votes are in, and then makes the stations available for next round. 2222

GSTE 15 Example 2 (cont)  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])   L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3]))

GSTE 16 Model Checking Product Spec.  Theorem (product specification) for any language L in the solution,  k  0  k L is regular –proof sketch  k  0  k (L j  j ) = (  k  0  k L j )  j  k  0  k (L 1  L 2 ) = (  k  0  k L 1 )  (  k  0  k L 2 )  (  k  0  k L 1 )  (  k  0  k L 2 )  k  0  k (L 1  L 2 ) = (  k  0  k L 1 )  (  k  0  k L 2 ) construct transitions for the states in P({  k  0  k L 1,  k  0  k L 2, …,  k  0  k L n }) –since  (L) =  (  k  0  k L), this effectively provides a precise GSTE model checking solution for each L in the solution –but assertion graph for  k  0  k L may be exponentially large Need more efficient solution !

GSTE 17 Model  M = (S, R, L) –S is a finite set of states –R  S  S is a transition relation s.t.  s,  s’, (s, s’)  R –L: S  D is a labeling function  Semantics –run  : N  S s.t.  i  0, (  (i),  (i+1))  R –trace language  (M) = { L(  ) |  is a run of M } –satisfiability M |=  0  i  n L i :  (M)   (  0  i  n L i )  Post-Image post(S’) = { s |  s’  S’, s.t. (s’, s)  R }

GSTE 18 Simulation Relation  Definition any mapping R: {L 0, L 1, …, L n }  P(S) satisfying s  R(L i ), if  w  L i,  of M s.t.  (|w|)=s, L(  ) sat. ant(w)  Theorem  L i = L j , L(R(L i ))  cons(  )  M |=  0  i  n L i

GSTE 19 compGSTE  Initialization for all L i, R(L i ) := { };  Fix-point iteration repeat –R ’ := R; –for all L i, case –L i = L 0 : R(L i ) := S; –L i = L j  : if L j =L 0 then R(L j ) := {s | L(s)  ant(  )} else R(L j ) := post(R ’ (L j ))  {s | L(s)  ant(  )}; else R(L j ) := post(R ’ (L j ))  {s | L(s)  ant(  )}; if  (L(R(L i ))  cons(  )) then return false; if  (L(R(L i ))  cons(  )) then return false; –L i =  j L j : R(L j ) :=  j R’(L j ); –L i =  j L j : R(L j ) :=  j R’(L j ); until R = R’; return true;

GSTE 20 Ex: VM Implementation vout = avail[1] vote[1] 2 0 = avail[2] vote[2] 2 0 = avail[3] vote[3] f mux 0 vote_in[1] vote_in[2] vote_in[3] voted[1] voted[2] voted[3] reset clear clr en

GSTE 21 Ex: VM Model Checking vout avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp 1. true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i]

GSTE 22 Ex: VM Model Checking vout avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp 2. true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i] 2. reset

GSTE 23 Ex: VM Model Checking vout avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp 3. true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i] 3. reset | vote[i]=0 & vote_in[i]=0 3. !reset & vote[i]=V[i] & vote_in[i]=0

GSTE 24 Ex: VM Model Checking vout avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i] reset | vote[i]=0 & vote_in[i]=0 !reset & vote[i]=V[i] & vote_in[i]=0 !reset & vote_in[i]=V[i] &  j. … … reset |  i.vote[i]=0 & vote_in[i]=0  i.!reset & vote[i]=V[i] & vote_in[i]=0 &  j  i.(vote[j]=V[j] | vote_in[j]=V[j])  j  i.(vote[j]=V[j] | vote_in[j]=V[j])  i.vote_in[i]=V[i]

GSTE 25 Brief Discussions  compGSTE is approximate –sound but not complete –extended quaternary model abstraction (FMCAD 2002)  Abstraction refinement –model refinement vs spec. refinement (FMCAD 2002) –partial product construction on specifications (serialization)  Advantages over assume-guarantee based composition –pure specification, implementation independent –computed “intermediate assumptions” –much less sensitive to implementation changes

GSTE 26 Ex: Implementation Change 2 vote[i] decode bundle vout avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr = … 1 bundle 2 bundle 3 bundle vout reset avail[i]  Assume-guarantee based composition –re-partition the model, re-specify interface assumptions –re-run model checking  compGSTE –specification unchanged, only re-run model checking

GSTE 27 Industrial Ex.: Resource Scheduler Specification: when resource is available (avail = 1), schedule the oldest ready uop  handling 10 uops at a time, >1k state elements, >17000 gates  priority matrix, CAM, decision logic, power-saving feature etc. CAM receiving logic priority matrix ready logic Staging and CAM match scheduling logic Delivering logic uop alloc ready avail init out sched wrback

GSTE 28 Main Result  Previous work w/ a state-of-art in-house symbolic model checker –hundreds of small local properties –only on the priority matrix  Compositional specification (top down) –schedule uop[i], if “uop[i] is the oldest ready” and resource is available –uop[i] is oldest ready, if “uop[i] is ready” and for all j  i (  j  i ), either “uop[j] is not ready” or “uop[i] arrived earlier than uop[j]” –… … – 1k state elements  Compositional model checking –122.5 seconds, 36M on P4 1.5GHz –scalable - O(log 2 #uops), BDD was not a bottle-neck!  Detailed work is in writing –hopefully in time for ICCAD

GSTE 29 Conclusion  Summary of the compositional approach –compositional specification to handle concurrency –efficient compositional model checking –implementation independent –building for reasoning  Future work –reasoning about compositional specifications –extension to handle parameterized specification