Presentation is loading. Please wait.

Presentation is loading. Please wait.

Inventing IC design technologies that will be vital to Intel S CL 1 Compositional Specification and Verification in GSTE Jin Yang, joint work with Carl.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Inventing IC design technologies that will be vital to Intel S CL 1 Compositional Specification and Verification in GSTE Jin Yang, joint work with Carl."— Presentation transcript:

1 Inventing IC design technologies that will be vital to Intel S CL 1 Compositional Specification and Verification in GSTE Jin Yang, joint work with Carl Seger Strategic CAD Labs, Intel Corp. CMU March 23, 2004

2 GSTE 2 Motivation GSTE  combines high capacity of STE with expressive power of traditional model checking (YS ICCD’00)  provides a multi-dim. approach to achieve high capacity while maintaining accuracy (YS FMCAD’02)  has been used by FVers for > 1 year successfully on next-gen. Intel  -processors (Schubert ICCAD’03)  part of FORTE public release However  assertion graph specification in GSTE is inherently sequential but circuit behavior may be concurrent  … …

3 GSTE 3 Sequential Ex.: Memory 1024 x 64 Memory wren din[63:0] addr[9:0] rden dout[63:0] vIvI v1v1 v2v2 ( wren & addr[9:0] = A[9:0] & din[63:0] = D[63:0], true ) ( rden & addr[9:0] = A[9:0], dout[63:0] = D[63:0] ) ( !wren | addr[9:0] != A[9:0], true ) antecedent consequent   “Always read from a cell the most recently written data”

4 GSTE 4 Concurrent Ex.: Voting Machine reset avail[1] vote[1] avail[2] vote[2] avail[3] vote[3] vout Voting Machine –a vote can be accepted at station i (through vote[i]=1,2,3) when it is available –it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as soon as all three votes are in, and then makes the stations available for next round. 2222

5 GSTE 5 Voting Machine (cont.)  Specification using an assertion graph causes exponential complexity –order 1: vote[1], …, vote[2], …, vote[3] –order 2: vote[1], …, vote[3], …, vote[2] –… …  Solution –concurrent extension to assertion graphs –implementation independent –utilizing and guiding GSTE model checking –(future) ability to reason about specifications

6 GSTE 6 Basics: Domain And Trace  Domain D –a finite non-empty alphabet e.g., the set of states in a FSM (circuit) –P(D) – power set of D e.g., all subsets of states (state predicates) in FSM  Trace  = d 1 d 2 d 3 … –an infinite word in D  e.g., an infinite state sequence (trace) in FSM

7 GSTE 7 Basics: Assertion Alphabet  Assertion alphabet  = P(D)  P(D) –set of antecedent/consequence pairs –  = (D 1,D 2 )   – assertion letter –antecedent: ant(  ) = D 1 –consequent: cons(  ) = D 2 + a[15:0] b[15:0] c[15:0] ( a[15:0] = A[15:0] & b[15:0] = B[15:0], c[15:0] = A[15:0] + B[15:0] )

8 GSTE 8 Basics: Assertion Language  Assertion word - any word w =  1  2 …  k in  * –STE assertion  assertion word  Assertion language - any set of words L in P(  * ) –assertion graph  regular assertion language ( wren & addr = A & din = D, true ) ( !wren | addr != A, true ) * ( rden & addr = A, dout = D ) vIvI v1v1 v2v2 ( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D ) ( !wren | addr != A, true )

9 GSTE 9 Basics: Trace Semantics  Trace Satisfiability –trace  satisfies a word  P(D)*, if  1  i  |  |,  (i)   [i]  Trace Language –assertion word  (w) = {  D  |  sat. ant(w)   sat. cons(w) } –assertion language (for all semantics)  (L) =  w  L  (w)  Theorem: L 1  L 2   (L 1 )  (L 2 ) L 1  L 2   (L 1 )  (L 2 ) “more words  more restricted behavior” “more words  more restricted behavior”

10 GSTE 10 The Meet Operator  Meet of assertion letters: ( C 1, C 2 )  ( D 1, D 2 ) = ( C 1  D 1, C 2  D 2 )  Meet of assertion words:  1  2 …  k   ’ 1  ’ 2 …  ’ k = (  1   ’ 1 ) (  2   ’ 2 ) … (  k   ’ k )  Meet of assertion languages: L 1  L 2 = { w 1  w 2 | w 1  L 1, w 2  L 2, |w 1 | = |w 2 | } L 1  L 2 = { w 1  w 2 | w 1  L 1, w 2  L 2, |w 1 | = |w 2 | }  ( vote[1]=1, true ) ( true, true )  ( true, true ) ( vote[2]=2, true )  ( vote[3]=2, true ) ( true, true ) = ( vote[1]=1 & vote[3]=2, true ) ( vote[2]=2, true ) Parallel composition

11 GSTE 11 Self Consistency  Repeated application  0 L = L,  k L = (  k-1 L)  L (k>0)  Lemma  k L   k+1 L but  (  k L ) =  (  k+1 L ) –proof sketch –(w 1  w 2  …  w k )  w k = w 1  w 2  …  w k –w  w ’ may be new, but  (w)   (w ’ )   (w  w ’ )  Theorem (about limit) L   k  0  k L but  ( L ) =  (  k  0  k L )

12 GSTE 12 Compositional Specification  Initialization: L 0 =  + L 0 (D,D)  Prefix: (1  i<h) L i = L j  j L i = L j  j  Summation: (h  i<l) L i = L i 1  … …  L i k (0  i j <h)  Meet: (l  i<n) L i = L i 1  … …  L i k (0  i j <l) Comment: there is a unique solution to the system  very much like CCS but with new 

13 GSTE 13 Example 1: Memory vIvI v1v1 v2v2 ( wren & addr = A & din = D, true ) ( rden & addr = A, dout = D ) ( !wren | addr != A, true )  L I =  + L I (true, true)  L I, 1 = L I (wren & addr = A & din = D, true)  L 1,1 = L 1 (!wren | addr != A, true)  L 1 = L I, 1  L 1,1  L 2 = L 1 (rden & addr = A, dout = D)

14 GSTE 14 Example 2: Voting Machine (VM) reset avail[1] vote[1] avail[2] vote[2] avail[3] vote[3] vout Voting Machine –a vote can be accepted at station i (through vote[i]=1,2,3) when it is available –it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as soon as all three votes are in, and then makes the stations available for next round. 2222

15 GSTE 15 Example 2 (cont)  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])   L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3]))

16 GSTE 16 Model Checking Product Spec.  Theorem (product specification) for any language L in the solution,  k  0  k L is regular –proof sketch  k  0  k (L j  j ) = (  k  0  k L j )  j  k  0  k (L 1  L 2 ) = (  k  0  k L 1 )  (  k  0  k L 2 )  (  k  0  k L 1 )  (  k  0  k L 2 )  k  0  k (L 1  L 2 ) = (  k  0  k L 1 )  (  k  0  k L 2 ) construct transitions for the states in P({  k  0  k L 1,  k  0  k L 2, …,  k  0  k L n }) –since  (L) =  (  k  0  k L), this effectively provides a precise GSTE model checking solution for each L in the solution –but assertion graph for  k  0  k L may be exponentially large Need more efficient solution !

17 GSTE 17 Model  M = (S, R, L) –S is a finite set of states –R  S  S is a transition relation s.t.  s,  s’, (s, s’)  R –L: S  D is a labeling function  Semantics –run  : N  S s.t.  i  0, (  (i),  (i+1))  R –trace language  (M) = { L(  ) |  is a run of M } –satisfiability M |=  0  i  n L i :  (M)   (  0  i  n L i )  Post-Image post(S’) = { s |  s’  S’, s.t. (s’, s)  R }

18 GSTE 18 Simulation Relation  Definition any mapping R: {L 0, L 1, …, L n }  P(S) satisfying s  R(L i ), if  w  L i,  of M s.t.  (|w|)=s, L(  ) sat. ant(w)  Theorem  L i = L j , L(R(L i ))  cons(  )  M |=  0  i  n L i

19 GSTE 19 compGSTE  Initialization for all L i, R(L i ) := { };  Fix-point iteration repeat –R ’ := R; –for all L i, case –L i = L 0 : R(L i ) := S; –L i = L j  : if L j =L 0 then R(L j ) := {s | L(s)  ant(  )} else R(L j ) := post(R ’ (L j ))  {s | L(s)  ant(  )}; else R(L j ) := post(R ’ (L j ))  {s | L(s)  ant(  )}; if  (L(R(L i ))  cons(  )) then return false; if  (L(R(L i ))  cons(  )) then return false; –L i =  j L j : R(L j ) :=  j R’(L j ); –L i =  j L j : R(L j ) :=  j R’(L j ); until R = R’; return true;

20 GSTE 20 Ex: VM Implementation vout + 2 0 = avail[1] vote[1] 2 0 = avail[2] vote[2] 2 0 = avail[3] vote[3] f mux 0 vote_in[1] vote_in[2] vote_in[3] voted[1] voted[2] voted[3] reset clear clr en

21 GSTE 21 Ex: VM Model Checking vout + 2 0 avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp 1. true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i]

22 GSTE 22 Ex: VM Model Checking vout + 2 0 avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp 2. true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i] 2. reset

23 GSTE 23 Ex: VM Model Checking vout + 2 0 avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp 3. true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i] 3. reset | vote[i]=0 & vote_in[i]=0 3. !reset & vote[i]=V[i] & vote_in[i]=0

24 GSTE 24 Ex: VM Model Checking vout + 2 0 avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr L init = L ready [i] L voting [i] L wait L poll L outp true  L init =  + L init (true, true)  L ready [i] = L init (reset, true)  (L ready [i]  L poll ) (reset | vote[i]=0, avail[i]) (L ready [i]  L poll ) (reset | vote[i]=0, avail[i])  L voting [i] = (L ready [i]  L poll ) (!reset & vote[i]=V[i]>0, avail[i])  L voted [i] = ((L voting [i]  L voted [i])  L wait ) (!reset, !avail[i])  L wait =  1  i  3 L ready [i]  L poll =  1  i  3 (L voting [i]  (  j  i (L voting [j]  L voted [i])))  L outp = L poll (true, vote=f(V[1], V[2], V[3])) L voted [i] reset | vote[i]=0 & vote_in[i]=0 !reset & vote[i]=V[i] & vote_in[i]=0 !reset & vote_in[i]=V[i] &  j. … … reset |  i.vote[i]=0 & vote_in[i]=0  i.!reset & vote[i]=V[i] & vote_in[i]=0 &  j  i.(vote[j]=V[j] | vote_in[j]=V[j])  j  i.(vote[j]=V[j] | vote_in[j]=V[j])  i.vote_in[i]=V[i]

25 GSTE 25 Brief Discussions  compGSTE is approximate –sound but not complete –extended quaternary model abstraction (FMCAD 2002)  Abstraction refinement –model refinement vs spec. refinement (FMCAD 2002) –partial product construction on specifications (serialization)  Advantages over assume-guarantee based composition –pure specification, implementation independent –computed “intermediate assumptions” –much less sensitive to implementation changes

26 GSTE 26 Ex: Implementation Change 2 vote[i] decode 0 1 2 3 0 bundle vout + 2 0 avail[i] vote[i] f mux 0 vote_in[i] voted[i] reset clear … en clr = … 1 bundle 2 bundle 3 bundle vout reset avail[i]  Assume-guarantee based composition –re-partition the model, re-specify interface assumptions –re-run model checking  compGSTE –specification unchanged, only re-run model checking

27 GSTE 27 Industrial Ex.: Resource Scheduler Specification: when resource is available (avail = 1), schedule the oldest ready uop  handling 10 uops at a time, >1k state elements, >17000 gates  priority matrix, CAM, decision logic, power-saving feature etc. CAM receiving logic priority matrix ready logic Staging and CAM match scheduling logic Delivering logic uop alloc ready avail init out sched wrback

28 GSTE 28 Main Result  Previous work w/ a state-of-art in-house symbolic model checker –hundreds of small local properties –only on the priority matrix  Compositional specification (top down) –schedule uop[i], if “uop[i] is the oldest ready” and resource is available –uop[i] is oldest ready, if “uop[i] is ready” and for all j  i (  j  i ), either “uop[j] is not ready” or “uop[i] arrived earlier than uop[j]” –… … – 1k state elements  Compositional model checking –122.5 seconds, 36M on P4 1.5GHz –scalable - O(log 2 #uops), BDD was not a bottle-neck!  Detailed work is in writing –hopefully in time for ICCAD

29 GSTE 29 Conclusion  Summary of the compositional approach –compositional specification to handle concurrency –efficient compositional model checking –implementation independent –building for reasoning  Future work –reasoning about compositional specifications –extension to handle parameterized specification

Download ppt "Inventing IC design technologies that will be vital to Intel S CL 1 Compositional Specification and Verification in GSTE Jin Yang, joint work with Carl."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
ECE 667 - Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.

ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
Yongjian Li The State Key Laboratory of Computer Science Chinese Academy of Sciences William N. N. HungSynopsys Inc. Xiaoyu SongPortland State University.

Yongjian Li The State Key Laboratory of Computer Science Chinese Academy of Sciences William N. N. HungSynopsys Inc. Xiaoyu SongPortland State University.
Introduction to Computability Theory

Introduction to Computability Theory
1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.
Tractable and intractable problems for parallel computers

Tractable and intractable problems for parallel computers
Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.

Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.
Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Models of Computation for Embedded System Design Alvise Bonivento.

Models of Computation for Embedded System Design Alvise Bonivento.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 2.5.

Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University Textbook Chapter 2.5.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Similar presentations

Ads by Google