Presentation is loading. Please wait.

Presentation is loading. Please wait.

Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)

Published byDevyn Finney Modified over 10 years ago

Similar presentations

Presentation on theme: "Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)"— Presentation transcript:

1 Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research) ICCAD 2000

2 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

3 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

4 Refinement Proof Implementation < Specification e.g. processore.g. ISA “conforms with”, “refines”, “implements” Every I/O behavior of impl. is an I/O behavior of spec.

5 < << Decomposed Refinement Proof

6 < Unsuccessful Proof Decomposition unconstrained < <

7 < Unsuccessful Proof Decomposition < unconstrained < x(0)=0 x(t+1)=y(t) x y y(0)=0 y(t+1)=x(t) x y x(t)=0y(t)=0

8 < Circular Proof Decomposition <<

9 Legal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x S(x) S(y) S(z): z(t)=0 “I will not launch.”

10 Illegal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x L(x) L(y) L(z): exists k s.t. z(t) = 0 if t<k 1 else { “I will disarm.” 1 k 0 1

11 Illegal Circular Proof Decomposition < < < x(t)=y(t) y(t)=1 x y y x x(t)=0y(t)=~x(t) 2

12 < Illegal Circular Proof Decomposition < x(t)=y(t) y(t)=1 1 1 1 0 x(t)=0y(t)=~x(t) 0 1 < 2

13 For program verification: Chandy & Misra [1981] Abadi & Lamport [1993] For model checking: Alur & Henzinger [1995] Mocha McMillan [1997] SMV Large applications: Eiriksson [1998]: 1M-gate ASICs (SMV) Liu, Qadeer, Rajamani [1999]: 64-processor array (Mocha) Circular Assume-Guarantee Reasoning

14 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

15 System S[P;Q] S 1 3 2 5 4 x1: Nat -> Bool x2: Nat -> Bool x3: Nat -> Bool y4: Nat -> Bool y5: Nat -> Bool input signals input ports P={1,2,3} output ports Q={4,5} output signals input behavior x = (x1,x2,x3) output behavior y = (y4,y5) I/O function S(x) = y x1 x2 x3 y4 y5 S

16 Moore System S[P;Q;init;next] x1 x2 x3 y4 y5 y(0) = init y(t+1) = next [ y(t), x(t+1) ] Inductive definition: Given input behavior x, unique output behavior y. init in Vals(Q) next: Vals(Q) x Vals(P) -> Vals(Q)

17 Reactive System S[P;Q;init;next] No combinational loop: Given input behavior x, unique output behavior y. x1 x2 x3 y4 y5 y(0) = init y4(t+1) = next4 [ y(t), x(t+1) ] y5(t+1) = next5 [ y(t), y4(t+1), x(t+1) ] 4 >> 1, 2, 3 5 >> 1, 2, 3, 4

18 Mealy System S[P;Q;init;next] Combinational loop: no output behavior y. x1 x2 x3 y4 y5 y4(t) = y5(t) y5(t) = ~ y4(t) 4 >> 5 5 >> 4

19 Mealy System S[P;Q;init;next] Combinational loop: no output behavior y, or multiple output behaviors y. x1 x2 x3 y4 y5 y4(t) = y5(t) y5(t) = y4(t) 4 >> 5 5 >> 4

20 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

21 Refinement For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6

22 Refinement S[P;Q;init;next] < S’[P’;Q’;init’;next’] ? Time complexity: 2 O( |P| + |Q| + |P’| + 2 ) |Q’| If P’ u Q’ subset of P u Q : 2 O( |P| + |Q| ) “Witnessed” Refinement

23 Witnessed Refinement For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 Every specification port is an implementation port.

24 Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 3 Every specification port is an implementation port.

25 Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 Construct witness for 3 Every specification port is an implementation port. 3

26 Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 7 Copy specification of 7 Every specification port is an implementation port. 3

27 Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 7 Every specification port is an implementation port. 3

28 Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, the projection (x1,x3,x4,x5,x7) is an I/O behavior of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 7 Every specification port is an implementation port. 3

29 Checking Witnessed Refinement: S[P;Q;init;next] < S’[P’;Q’;init’;next’] ? 1 Find the reachable states of the implementation S. 2 For each reachable state s, check that next ( s[P;Q] ) | = next’ ( s[P’;Q’] ). Q’ Synchronized Search This requires only a small extension of any reachability engine. See, for example, www.eecs.berkeley.edu/~mocha.www.eecs.berkeley.edu/~mocha

30 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

31 Composition S1[P1;Q1] || S2[P2;Q2] S1 1 3 2 6 4 S2 1 5 4 7 2 1. Q1 and Q2 disjoint 2. <<1 u <<2 acyclic

32 S1 1 3 2 6 4 S2 1 5 4 7 2 Composition S1[P1;Q1] || S2[P2;Q2]

33 (S1||S2) [(P1 u P2)\(Q1 u Q2); Q1 u Q2] 1 3 6 4 5 7 2 S1||S2

34 Q’-Slice of S[P;Q] Q’ subset of Q S 1 24 3 5 6 } Q’ = {3,4} x x

35 Q’-Slice of S[P;Q] 1 5 24 3 6 x x

36 1 5 24 3 6

37 (S| ) [P u (Q\Q’); Q’] S| 1 5 24 3 6 Q’

38 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

39 Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 4 5 6 2 5 < 4 5 One subproof for each specification output port

40 Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 5 6 2 < 4 5 One subproof for each specification output port

41 Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 5 6 2 < 4 5 One subproof for each specification output port 6

42 Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 5 6 2 < 4 5 One subproof for each specification output port 6 5

43 Weak Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 4 13 5 6 4 < 4 5 6 5 1

44 Weak Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1 Any slice of impl. 3-slice of spec.

45 Weak Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1

46 Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1 13 4 5

47 Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1 13 4 5

48 Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 < 4 5 6 1 4 5 Assumption: Any ~3-slice of spec. 3-slice of spec. Any slice of impl.

49 Example < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 y(0)=0 y(t+1)=x(t)

50 < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 y Example

51 < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 Example y(t)=0 x y

52 Example < x(t+1)=y(t) y(t+1)=x(t) x(t)=0 y(t)=0 y x(t+1)=y(t) < x(t)=0 y(t)=0 x y x y(t+1)=x(t) < y(t)=0 x(t)=0 x y

53 The Need for Abstractions One subproof for each specification output port 13 4 1 3 4 5 6 2 5 < 2 3 < 6 1 1 3 4 5 4 5

54 The Need for Abstractions One subproof for each specification output port 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 6

55 The Need for Abstractions One subproof for each specification output port 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 6 Construct abstraction for 6

56 The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 6 6

57 The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 4 5 3 4 6 6 6 5

58 The Need for Abstractions 13 4 1 3 4 5 6 2 5 < 6 7 Abstraction for 6 involves new 7

59 The Need for Abstractions 13 4 1 3 4 5 6 2 5 < 6 7 Abstraction for 6 involves new 7 7 Copy witness for 7

60 The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 7 6 7 7

61 The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 4 5 3 4 6 7 7 7 6 5 6 7

62 The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < < 3 4 5 6 77 7 6 1 3 4 5 7 6 1 Trivially true

63 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

64

65 Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Download ppt "Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)"

Similar presentations

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center
Operations with Functions.

Operations with Functions.
Some Slides from: U.C. Berkeley, U.C. Berkeley, Alan Mishchenko, Alan Mishchenko, Mike Miller, Mike Miller, Gaetano Borriello Gaetano Borriello Introduction.

Some Slides from: U.C. Berkeley, U.C. Berkeley, Alan Mishchenko, Alan Mishchenko, Mike Miller, Mike Miller, Gaetano Borriello Gaetano Borriello Introduction.
Use trace algebra to formalize the YAPI model EE290N Spring2002 Alessandro Pinto Mentors: Roberto Passerone Jerry Burch.

Use trace algebra to formalize the YAPI model EE290N Spring2002 Alessandro Pinto Mentors: Roberto Passerone Jerry Burch.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.

Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
VHDL Structural Architecture ENG241 Week #5 1. Fall 2012ENG241/Digital Design2 VHDL Design Styles Components and interconnects structural VHDL Design.

VHDL Structural Architecture ENG241 Week #5 1. Fall 2012ENG241/Digital Design2 VHDL Design Styles Components and interconnects structural VHDL Design.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
1 EE365 Sequential-circuit analysis. 2 Clocked synchronous seq. circuits A.k.a. “state machines” Use edge-triggered flip-flops All flip-flops are triggered.

1 EE365 Sequential-circuit analysis. 2 Clocked synchronous seq. circuits A.k.a. “state machines” Use edge-triggered flip-flops All flip-flops are triggered.
EECS 20 Lecture 38 (April 27, 2001) Tom Henzinger Review.

EECS 20 Lecture 38 (April 27, 2001) Tom Henzinger Review.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.
EECS 20 Lecture 15 (February 21, 2001) Tom Henzinger Simulation.

EECS 20 Lecture 15 (February 21, 2001) Tom Henzinger Simulation.
7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Causality Interfaces for Actor Networks Ye Zhou and Edward A. Lee University of California,

7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Causality Interfaces for Actor Networks Ye Zhou and Edward A. Lee University of California,
STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.

STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.
EECS 20 Lecture 13 (February 14, 2001) Tom Henzinger Minimization.

EECS 20 Lecture 13 (February 14, 2001) Tom Henzinger Minimization.
Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.

Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.

Similar presentations

Ads by Google