Automatic Abstraction Refinement for GSTE Yan Chen, Yujing He, and Fei Xie Portland State University Jin Yang Intel Nov 13, 2007.


Our Contributions [slide 2]
AutoGSTE: an automatic approach to abstraction refinement for GSTE
  Quickly converges to good abstractions that enable verifications that were not possible before
  Allows assertion graphs to be high-level without adapting too much to the circuit implementation

Outline [slide 3]
Overview of (G)STE
Quaternary abstraction and its imprecision
Our solution: AutoGSTE
  Counterexample-guided abstraction refinement
  Model refinement and specification refinement
Experiments
Conclusion & future work

Symbolic Trajectory Evaluation [Bryant & Seger] [slide 4]
Scalability: model checking complexity depends largely on the complexity of the assertion rather than on the complexity of the circuit
Pros: highly efficient
Cons: false negatives due to insufficient input constraints
  R. Tzoref, O. Grumberg, Automatic refinement and vacuity detection for STE, CAV'06
  J. Roorda, K. Claessen, SAT-based assistance to abstraction refinement for STE, CAV'06
Only properties over finite time -> GSTE

Generalized STE [Yang & Seger] [slide 5]
ω-regular properties represented by assertion graphs G = (V, v0, E, ant, cons)
Non-deterministic execution
Fixed-point computation

GSTE Algorithm [slide 6]

Algorithm: GSTE(G, post)
  (* initialize symbolic simulation *)
  1.  for each edge e in G
  2.    if e is from the initial vertex
  3.      sim(e) := ant(e);
  4.      put e in EventQueue;
  5.    else
  6.      sim(e) := { };
  (* perform symbolic simulation *)
  7.  while EventQueue is not empty
  8.    get an edge e from the queue;
  9.    for each successor edge e' of e begin
  10.     sim(e') := sim(e') ∪ (post(sim(e)) ∩ ant(e'));
  11.     if there is a change in sim(e')
  12.       put e' into EventQueue;
        end
  (* check consequence *)
  13. for each edge e in G
  14.   if !(sim(e) ⊆ cons(e)) return false;
  15. return true;
end.

Line 10 joins the states reachable along e (restricted by the antecedent of e') into the state set already accumulated on e'; line 14 checks every edge's accumulated state set against its consequent.

Outline [slide 7]
Overview of (G)STE
Quaternary abstraction and its imprecision
Our solution: AutoGSTE
  Counterexample-guided abstraction refinement
  Model refinement and specification refinement
Experiments
Conclusion & future work

Quaternary-Value Logic [slide 8]
Values: 0, 1, X (unknown) and a conflict value; the values form an information partial order, and "unknown" propagates through the circuit
Two sides of a coin:
  Quaternary abstraction significantly reduces state spaces
  Over-abstraction causes false negatives

Causes of False Negative: Quaternary State Set Unions [slide 9]
Example: an OR gate with inputs A, B and output Out; check whether the output is always 1 under certain inputs.
Figure rows (A, B, Out): concrete 1, 0, 1; abstract X, X, X.
The union at line 11 of the algorithm, sim(e') := sim(e') ∪ (post(sim(e)) ∩ ant(e')), merges state sets that disagree on a node into X.

Causes of False Negative: Existentially Quantified-Out Symbolic Variables [slide 10]
Example: OR gate with inputs A, B and output Out = A | B.
With antecedent [A=c1, B=(!c1|c2)]: Out = A|B = c1|(!c1|c2) = 1.
c1, c2 are existentially quantified out after every single simulation step, leaving [A=X, B=X] and Out = A|B = X.

Outline [slide 11]
Overview of (G)STE
Quaternary abstraction and its imprecision
Our solution: AutoGSTE
  Counterexample-guided abstraction refinement
  Model refinement and specification refinement
Experiments
Conclusion & future work

AutoGSTE: Automatic Abstraction Refinement [slide 12]
Flow: (1) GSTE takes the circuit implementation and the assertion graph; either the assertion holds or a counterexample is produced. (2) Counterexample analysis (assertion fails) identifies the causes of imprecision. (3) Abstraction refinement produces a refined abstraction, which is fed back into GSTE.
Causes of imprecision in GSTE's quaternary abstraction: (1) under-constrained inputs; (2) quaternary state set unions; (3) existentially quantified-out symbolic variables.
Abstraction refinement (monotonic): (1) constraining inputs with symbolic constants/variables; (2) model refinement: introducing precise nodes; (3) spec refinement: assertion graph transformations.

Counter Example Analysis [slide 13]
Counterexample: [(edge_1, src_1, dest_1), ..., (edge_T, src_T, dest_T)]
Identify the "X" nodes in dest_T that violate the consequent on edge_T
Backtrack to identify the causes for each "X" node N
In the end, the following causes are identified: the output circuit nodes / assertion edges on which Xs are introduced, each tagged as Input, Union or Weak.


Model Refinement [slide 15]
Symbolic indexing (the verifier has to encode it in the specification)
Figure: an abstraction over a partition is rewritten into an abstraction over a finer partition.

Model Refinement (Cont.) [slide 16]
Precise nodes: circuit nodes that must always have Boolean values, enforced by symbolic indexing [Yang and Seger, FMCAD'02]
Manually specifying precise nodes eliminates Xs caused by both unions and weaks.
AutoGSTE automatically marks precise nodes:
  Mark all the identified nodes as precise
  Mark one node at a time (control signals first?)

Specification Refinement [slide 17]
Loop unrolling transformations address unions
  Allow the specification to be high level
  Dynamically adapt to the real computation flow of the circuit
  ...

Specification Refinement (Cont.) [slide 18]
Automating loop unrolling: unroll each problematic edge to prevent unwanted state set unions
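The following is an added example, not code from the authors or from AutoGSTE. It implements the GSTE fixed-point loop of slide 6 over a quaternary abstraction on a small constructed circuit (a two-stage pipeline that latches inputs A and B into registers rA and rB and, one cycle later, latches Out = rA | rB), shows the "Union" cause of slide 9 (two assertion-graph edges merging states that disagree on rA and rB, which turns Out into X and makes the consequent Out=1 fail), records which nodes were lost in a union as a stand-in for the counterexample analysis of slide 13, and then applies the edge unrolling of slide 18 to the same graph so that no union happens and the assertion passes. The circuit, the assertion graph and the names `post`, `gste` and `build_graph` are assumptions of this example; precise nodes and symbolic indexing are not modelled.

```python
"""Toy GSTE with a quaternary abstraction (added example; constructed circuit and graph)."""
from collections import deque

# Quaternary values: 'X' unknown (bottom), '0', '1', 'T' conflict (top, empty set).
X, ZERO, ONE, T = 'X', '0', '1', 'T'
NODES = ('A', 'B', 'rA', 'rB', 'Out')


def join(u, v):
    """Least upper bound in the information order: intersection of state sets."""
    if u == v or v == X:
        return u
    if u == X:
        return v
    return T                      # 0 against 1: no state satisfies both


def meet(u, v):
    """Greatest lower bound in the information order: union of state sets."""
    if u == v or v == T:
        return u
    if u == T:
        return v
    return X                      # 0 against 1: value no longer known


def q_or(u, v):
    """Quaternary OR: a known 1 dominates X; 0|0 is 0; anything else is X."""
    if u == T or v == T:
        return T
    if u == ONE or v == ONE:
        return ONE
    if u == ZERO and v == ZERO:
        return ZERO
    return X


def state(**assign):
    """Abstract state: every node is X unless assigned."""
    s = {n: X for n in NODES}
    s.update(assign)
    return s


def post(s):
    """Constructed circuit: inputs go free, rA/rB latch A/B, Out latches rA | rB."""
    if T in s.values():           # an empty set stays empty
        return {n: T for n in NODES}
    return state(rA=s['A'], rB=s['B'], Out=q_or(s['rA'], s['rB']))


def intersect(s, t):
    return {n: join(s[n], t[n]) for n in NODES}


def union(s, t):
    return {n: meet(s[n], t[n]) for n in NODES}


def subset(s, c):
    """sim(e) ⊆ cons(e): every constraint in c holds in s, or s is empty."""
    if T in s.values():
        return True
    return all(c[n] == X or s[n] == c[n] for n in NODES)


def gste(init_vertex, edges):
    """GSTE(G, post) from slide 6. Returns (passed, sim, union_xs), where
    union_xs[e] lists nodes whose value was lost to X by the union at line 11,
    the 'Union' cause that counterexample analysis (slide 13) would report."""
    sim, queue = {}, deque()
    for e in edges:
        if e['src'] == init_vertex:
            sim[e['name']] = e['ant']
            queue.append(e)
        else:
            sim[e['name']] = None  # empty set
    union_xs = {e['name']: set() for e in edges}
    while queue:
        e = queue.popleft()
        for f in (g for g in edges if g['src'] == e['dst']):
            new = intersect(post(sim[e['name']]), f['ant'])
            old = sim[f['name']]
            merged = new if old is None else union(old, new)
            if old is not None:   # nodes known on both sides but X after the union
                union_xs[f['name']] |= {n for n in NODES
                                        if merged[n] == X and X not in (old[n], new[n])}
            if merged != old:
                sim[f['name']] = merged
                queue.append(f)
    for e in edges:
        s = sim[e['name']]
        if s is not None and not subset(s, e['cons']):
            return False, sim, union_xs
    return True, sim, union_xs


def build_graph(split):
    """Two input cases from v0, two idle cycles, then check Out=1.
    split=False: both cases merge at v1, so line 11 unions their states.
    split=True : the problematic edges are unrolled per case (slide 18)."""
    def edge(name, src, dst, ant=None, cons=None):
        return dict(name=name, src=src, dst=dst, ant=ant or state(), cons=cons or state())
    if not split:
        return [edge('e1', 'v0', 'v1', ant=state(A=ONE, B=ZERO)),
                edge('e2', 'v0', 'v1', ant=state(A=ZERO, B=ONE)),
                edge('e3', 'v1', 'v2'),
                edge('e4', 'v2', 'v3', cons=state(Out=ONE))]
    return [edge('e1', 'v0', 'v1a', ant=state(A=ONE, B=ZERO)),
            edge('e2', 'v0', 'v1b', ant=state(A=ZERO, B=ONE)),
            edge('e3a', 'v1a', 'v2a'), edge('e3b', 'v1b', 'v2b'),
            edge('e4a', 'v2a', 'v3', cons=state(Out=ONE)),
            edge('e4b', 'v2b', 'v3', cons=state(Out=ONE))]


if __name__ == '__main__':
    for split in (False, True):
        ok, sim, xs = gste('v0', build_graph(split))
        print('unrolled' if split else 'original', 'passed' if ok else 'failed',
              {e: sorted(v) for e, v in xs.items() if v})
```

On the original graph the run fails: the union on e3 loses rA and rB, post then computes Out = X | X = X on e4, and `union_xs['e3']` names exactly the two nodes a counterexample analysis would tag as Union. On the unrolled graph each case keeps its own path, Out is computed from known register values, and the assertion passes without any node marked as lost.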

Specification Refinement (Cont.) [slide 19]
Case splitting transformations address weaks
  Symbolic variables symbolically index a set of edges with scalar values
  Remember the variable values by case splitting

Outline [slide 20]
Overview of (G)STE
Quaternary abstraction and its imprecision
Our solution: AutoGSTE
  Counterexample-guided abstraction refinement
  Model refinement vs. specification refinement
Experiments
Conclusion & future work

Experiment: FIFO [slide 21]

FIFO Model Refinement [slide 22]
Table columns:
  Circuit: FIFO Depth, # of Nodes
  Mark precise nodes all at once: # of Iter., # of P. Nodes, Time (Sec.), BDD Nodes
  Mark precise nodes one at a time: # of P. Nodes, Time (Sec.), BDD Nodes
Better than manual analysis!

FIFO Specification Refinement [slide 23]
Table columns:
  Circuit: FIFO Depth
  GSTE on original assertion graph: # of Edges, Time (Sec.), BDD Nodes, Mem (MB), Result
  Semantic-preserving transformation: # of Edges, Time (Sec.), BDD Nodes, Mem (MB), Result
Result columns for each of the four FIFO depths: original assertion graph Fail, transformed assertion graph Pass.
Too complex to do manually!

Conclusion & Future Work [slide 27]
An automatic approach to abstraction refinement for GSTE that quickly converges to good abstractions
Future work:
  Identify a minimal set of precise nodes
  Reduce unnecessary loop unrolling / case splitting
  Integrate model refinement and spec refinement