Presentation is loading. Please wait.

Presentation is loading. Please wait.

STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering."— Presentation transcript:

1 STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering & Computer Sciences University of California, Berkeley,

2 Outline l The STARI circuit u What needs to be verified? l Compositional and hierarchical verification u Why? u How? l Verification of STARI l Conclusion and future work

3 The STARI Interface Self-Timed At Receiver's Input, [Greenstreet ‘93], fabricated and tested. l Easy to distribute high frequency clock, hard to control skew. l Transmitter and receiver operate at the same clock frequency, but their clocks may have time-varying skew. l FIFO compensates for short-term differences in relative clock speeds. l Applications: u ATM networks u High performance I/O interfaces, e.g., dedicated graphics I/O, closely coupled multiprocessors. u Microprocessors? Transmitter Receiver data_in ack_out data_out ack_in Clock time varying delay FIFO 2 3... nn-1 1

4 What needs to be verified? l Self-timed FIFO. l Tx and Rx have illusion of synchrony. At each clock cycle u Tx sends data without checking acknowledgement  Rx reads data, asserts ack_in. Advantage: High throughput. Tx does not wait for ack_in. No handshakes between Tx, FIFO and Rx  Need to prove u No data dropped at FIFO input u No data duplicated at FIFO output. Properties depend on speed of FIFO stages, length of FIFO, bound on skew, and clock rate  Timing verification. Transmitter Receiver data_in ack_out data_out ack_in Clock time varying delay FIFO time varying delay... 2 3 nn-1 1

5 Why Hierarchical Verification? l k: “Size” of the model for one FIFO stage. l Size of model for FIFO = k n l If circuit modeled at gate level, k is large. One more stage  Time and memory required increases by k times. l State-space traversal based automatic verification limited to small n. l More efficient traversal techniques not likely to solve the problem. l Our approach: Reduce k. u Use an abstract model for the FIFO stage. FIFO 2 3... nn-1 1

6 The Hierarchical Approach l Construct smaller abstract model for FIFO stage. l Show that the abstract model is a correct abstraction. 4 Prove properties on abstract system. 4 Be assured that properties hold at gate level. F A A Tx FFF Rx F... F AAAA Tx Rx A

7 Modeling l Timed processes: Timed automata with input-output distinction. l Gates: Delayless gate followed by “inertial delay” buffer, a la [Maler, Pnueli, TAU ‘95]. l Most significant in terms of verification complexity: u Number of timers u Largest timing constant of interest for each timer. l At gate level, one timer per gate. è Automatic verification limited to 20-30 gates. i o 2  delay  3 2  x  3 i = 1, x  0 i = 0, x  3 x  3 true o = 1 true o = 0

8 Checking Refinement Need to check if one timed system correctly refines (or abstracts) another: F   A l In [Tasiran, Alur, Kurshan, Brayton, CONCUR ‘96] we investigated u Timed language inclusion u Timed simulation relations u “Timed” homomorphisms l h is a “timed” homomorphism iff for each run of F, its image under h is a run of A. l Algorithm implemented in COSPAN: u Checks if given h is a timed homomorphism. l For STARI, we used this algorithm to check refinement. Abstract description Refined description h h h F A

9 Homomorphisms and Timed Behavior l h preserves timed behavior iff the image of each run of A under h is a timed run of B. l Implies timed language inclusion. Timed run of A (s 0,  0 ) (s 1,  1 )... (s k-1,  k-1 ) (s k,  k ) (h(s 0 ),  0 ) (h(s 1 ),  1 )... (h(s k-1 ),  k-1 ) ( h(s k ),  k )      k  its image under h B A h h h

10 COSPAN Homomorphism Check  Untimed process R captures timing info of A and F.  A modified “region automaton”.  Input:  State of R = [ (  i,  i ) ].  Keeps track of equivalence classes that A and F’s clocks are in. u Moves to error state if edge is disallowed in A by timing constraints. s 0 s 1 s 2... s k-1 s k F (f 0, f’ 0 ) (f 1, f’ 1 ) (f k-1, f’ k-1 )  0  1  2...  k-1  k Timed run of F (s 0,  0 ) (s 1,  1 )... (s k-1,  k-1 ) (s k,  k ) (h(s 0 ),  0 ) (h(s 1 ),  1 )... (h(s k-1 ),  k-1 ) ( h(s k ),  k )      k  its image under h

11 COSPAN Flow Theorem: [CONCUR ‘96] h preserves timed behavior iff  h is an untimed homomorphism from A ut to (B ut  R), and  R ’s error state is not reached. Input: Timed processes A, B Untimed map of locations h Step 1: Construct A ut, B ut. Construct R Step 2: Check if h is a hom. from A ut to (B ut  R) Possible outputs: 1- h preserves timed behavior. 2- h fails because of timing. 3- h fails regardless of timing.

12 Compositional Verification Not powerful enough: F  A does not hold in all environments. Assumptions about the environment are needed to prove F  A ASSUME-GUARANTEE STYLE REASONING [CONCUR ‘96] F k  A k in the context of A 1  A n   F 1 ...  F n  A 1 ...  A n l Processes must be “non-blocking”. A 1 A 2... A n F 1 F 2... F n    COMPOSITIONALITY:  k, F k  A k  F 1  F n  A 1  A n A k A k+1... A n F k  A k-1 A 1...

13 One Stage of the FIFO l One timer is enough, because environment guarantees that only one gate has a pending output change at any time. l Abstract model correct only in the intended environment. è Must use assume-guarantee reasoning. C C stable wait for data out pend. ack_out pend. wait for ack Abstract model for the stage uses only one timer. l Implementation described at gate level has 3 timers

14 Abstracting the Environment Goal: Tx  F 1  F 2 ...  F n  Rx  Tx  A 1  A 2 ...  A n  Rx F  A not true. Must use assumptions about the environment. l Avoid separate refinement check for each i. Write abstractions: Left and Right. Tx Rx... Left Right F AA A A A F A 8

15 Verifying Environment Models To prove each “  ” u Specify mapping h from LHS to RHS u Use algorithm implemented in COSPAN to check if h is a timed homomorphism. Similar induction for Right Rx  Right A  Right  Right Rx... Right A A Left is a correct abstraction. By induction  Tx  Left  Left  A   Left Tx... Left AA

16 STARI Verification Left  F  Right  A Left Right F A l By the assume-guarantee rule, these imply Tx  F 1  F 2 ...  F n  Rx  Tx  A 1  A 2 ...  A n  Rx Verify properties on Tx  A 1  A 2 ...  A n  Rx

17 Verification Results l Verification at implementation level runs out of memory on 1GB for 3 stages. l Was able to show correct operation, using abstract model for 8 stage FIFO in < 2 hours, using < 93 MB. l Abstraction checks took < 5 min.’s and < ~10MB each. l Bottleneck: l Abstract model still exponential in n, but less severely. l Possibility: An abstract model parameterized wrt. n : u Verification of parameterized timed systems is complex. Undecidable for more than 3 timers [Alur, Henzinger, Vardi STOC ‘93]. Verify properties on Tx  A 1  A 2 ...  A n  Rx

18 Comparison with Previous Approaches PREVIOUS WORK l Original correctness proof used a theorem prover. [Leung, Greenstreet, TAU ‘95] u Arbitrary number n of FIFO stages. l Automatic proof of STARI for 3 stages [Hulgaard et. al., ICCAD ‘93] KEY DIFFERENCE: Previous approaches used abstract model of circuit that was not proven to be correct. è Actual circuit not verified. l They require oversimplified model, otherwise [ICCAD ‘93] becomes inapplicable and [TAU ‘95] becomes too complicated. OTHER DIFFERENCES: u Verification automatic once abstract model is constructed. u Was able to model FIFO implementation more accurately. u Was able to use more realistic gate delay model.

19 Conclusions and Future Work l Compositional and hierarchical verification techniques enabled us to u Decompose the verification problem into smaller pieces. u Verify a larger circuit than would have been possible otherwise. l Assume-guarantee reasoning was crucial. Difficulty with current approach: l Constructing abstract models and abstraction mappings requires a lot of user effort: l BUT: too complex to check abstractions without a user-given abstraction mapping. Possible solution: u Apply “abstraction templates”. Hope for the future: u More “top-down”, hierarchical designs.

Download ppt "STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering."

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Courtesy RK Brayton (UCB) and A Kuehlmann (Cadence) 1 Logic Synthesis Sequential Synthesis.

Courtesy RK Brayton (UCB) and A Kuehlmann (Cadence) 1 Logic Synthesis Sequential Synthesis.
2011.07.21 - Presenter: PCLee VLSI Design, Automatic and Test, 2005. (VLSI-TSA-DAT).

Presenter: PCLee VLSI Design, Automatic and Test, (VLSI-TSA-DAT).
Timed Automata.

Timed Automata.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Computer Science & Engineering Department University of California, San Diego SPICE Diego A Transistor Level Full System Simulator Chung-Kuan Cheng May.

Computer Science & Engineering Department University of California, San Diego SPICE Diego A Transistor Level Full System Simulator Chung-Kuan Cheng May.
A Timed-Automaton Based Method for Accurate Computation of Delay in the Presence of Cross-Talk Serdar Tasiran, Sunil P. Khatri, Sergio Yovine, Robert K.

A Timed-Automaton Based Method for Accurate Computation of Delay in the Presence of Cross-Talk Serdar Tasiran, Sunil P. Khatri, Sergio Yovine, Robert K.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.

Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.
Formal Verification of Safety Properties in Timed Circuits Marco A. Peña (Univ. Politècnica de Catalunya) Jordi Cortadella (Univ. Politècnica de Catalunya)

Formal Verification of Safety Properties in Timed Circuits Marco A. Peña (Univ. Politècnica de Catalunya) Jordi Cortadella (Univ. Politècnica de Catalunya)
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Overview. Why data structures is a key course Main points from syllabus Survey Warmup program And now to get started...

Overview. Why data structures is a key course Main points from syllabus Survey Warmup program And now to get started...

Similar presentations

Ads by Google