Presentation is loading. Please wait.

Presentation is loading. Please wait.

Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon."— Presentation transcript:

1 Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon University

2 Hardware design Hardware design Introduction Level of abstraction Gate level (netlists) Structural/RTL ………… System Behavioral Formal verification support

3 Verification support Languages like Verilog, SystemVerilog, SystemC are close to software Languages like Verilog, SystemVerilog, SystemC are close to software Verification tools must reason about: Verification tools must reason about: –Programming languages constructs –Bit-vector semantics (concatenation, extraction) –Concurrency, Objects, Templates

4 This work Gate level (netlists) Structural/RTL ………… System Behavioral Model check 

5 Handling state space explosion Abstraction for handling state space explosion Abstraction for handling state space explosion Localization reduction [Kurshan ’94] Localization reduction [Kurshan ’94] –Tracks values of certain variables (visible) Predicate Abstraction [Graf and Saidi ’97] Predicate Abstraction [Graf and Saidi ’97] –Keeps tracks of certain predicates on data –Captures relationship between variables –Successfully used in software verification

6 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification InitialAbstraction No error or bug found Simulator Propertyholds Simulationsucessful Bug found Refinement Spurious counterexample Counterexample

7 Our approach Apply predicate abstraction at RTL Level Apply predicate abstraction at RTL Level –Allows abstraction using word-level predicates Example: x < y – z, x = {z,z}Example: x < y – z, x = {z,z} Use a SAT solver for computing abstraction Use a SAT solver for computing abstraction –Semantics of bit-wise operators take into account Obtaining suitable word level predicates Obtaining suitable word level predicates –Syntactic weakest pre-conditions of Verilog statements

8 Related work SAT-Based Predicate Abstraction [Wang et al.] SAT-Based Predicate Abstraction [Wang et al.] –Works at netlist level –Refinement introduces bit-level predicates Vapor tool [Andraus et al.] Vapor tool [Andraus et al.] –Works on RTL level designs –Abstraction to CLU models (equality of terms, uninterpreted functions, predicates) Lots of other related work Lots of other related work

9 An example module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 Ç x = 200) Verilog program

10 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification InitialAbstraction No error or bug found Simulator Propertyholds Simulationsucessful Bug found Refinement Spurious counterexample Counterexample

11 Predicate Abstraction module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 Ç x = 200) Initial set of predicates: {x = 100, x = 200} Verilog program Transition relation: x’ = y Æ y’ = x Word Level

12 Computing Most Precise Abstraction + x’ := y y’ := x + Current state Next state Transition Relation Computing abstract transitions

13 Obtain transitions Computing abstract transitions 10 00 01 11 … and so on …

14 Abstract Model module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Initial set of predicates: {x = 100, x = 200} Verilog program Initialstate Failure Failurestate 10 00 01 11

15 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification InitialAbstraction No error or bug found Simulator Propertyholds Simulationsucessful Bug found Refinement Spurious counterexample Counterexample

16 Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure Failurestate 10 00 01 11 Initialstate Abstract Model

17 Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure Failurestate 10 00 01 11 Initialstate Abstract Model Abstract counterexample

18 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification InitialAbstraction No error or bug found Simulator Propertyholds Simulationsucessful Bug found Refinement Spurious counterexample Counterexample

19 Simulation module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Verilog program Failure Failurestate 10 00 Initialstate Counterexample is spurious Abstract counterexample

20 Abstraction-Refinement loop Verilog Program Abstract model Model Checker Abstraction refinement Verification InitialAbstraction No error or bug found Simulator Propertyholds Simulationsucessful Bug found Refinement Spurious counterexample Counterexample

21 Refinement Let length of spurious counterexample be k Let length of spurious counterexample be k Take weakest pre-condition of property for k steps with respect to transition functions Take weakest pre-condition of property for k steps with respect to transition functions

22 Refinement (x’ = 100 Ç x’ = 200) Holds after one step x’ := y y’ := x (y = 100 Ç y = 200) weakestprecondition AG (x = 100 Ç x = 200) Property length =1 + spuriouscounterexample New predicates y = 100, y = 200

23 Abstract again module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program 1001 0110Initialstate Model check New abstraction

24 Model checking module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Updated set of predicates: {x = 100, x = 200, y=100, y=200} Verilog program 1001 0110Initialstate Property holds! New abstraction

25 Result module main (clk) input clk; reg [10:0] x, y; initial x= 100, y= 200; always @ (posedge clk) begin x <= y; y <= x; end endmodule Property: AG (x = 100 or x = 200) Verilog program Property holds!

26 Making it work in practice Computation of predicate abstraction Computation of predicate abstraction –Handling of large no. of predicates With 50 predicates there can be 2 100 predicate relationships!!

27 Predicate Partitioning Current state predicates p 1 := x = 100 p 2 := x = 200 p 3 := y = 100 p 4 := y = 200 + x’ := y y’ := x + p’ 1 := x’ = 100 p’ 2 := x’ = 200 p’ 3 := y’ = 100 p’ 4 := y’ = 200 Next state predicates Transition relationPartition+ + p 1 := x = 100 p 2 := x = 200 y’ := x p’ 3 := y’ = 100 p’ 4 := y’ = 200 p 3 := y = 100 p 4 := y = 200 x’ := y p’ 1 := x’ = 100 p’ 2 := x’ = 200 + +Æ

28 Predicate Partitioning Speeds up abstraction computation Speeds up abstraction computation Introduces over-approximation Introduces over-approximation Refinement Refinement –Handles over-approximation due to predicate partitioning –Generate new predicates

29 Refinement by removing spurious transitions Abstract transition: ) Spurious Constrain abstraction [Das and Dill]: : (b 1 =0 Æ b 2 =1 Æ b’ 1 =0 Æ b’ 2 =0) Proof of unsatisfiabilty (UNSAT) core: : (b 2 =1 Æ b’ 1 =0)

30 Refinement by generating new predicates Identify predicates whose weakest pre-condition needs to be computed x’ := y y’ := x (x=1) Æ : (x=2) : (x’=1) Æ: (x’=2) Init: x=1, y=2 PROOF OF UNSATISFIABILITY Predicate whose Weakest pre-condition is needed

31 Refinement by generating new predicates x’ = 2 x’ := (x < 5) ? (x + 2) : x ((x < 5) ? (x + 2) : x ) = 2 Blowup in weakest pre- conditions size Only add atomic predicates Add x <5 as a new predicate and run the loop again

32 A counterexample of same length x’ = 2 x’ := (x < 5) ? (x + 2) : x ((x < 5) ? (x + 2) : x ) = 2 But now we get a value for x < 5 from abstract counterexample (say true) x’ := x + 2 x + 2 < 3 simplify New predicate

33 Experimental results Benchmark#LatchesVCEGAR P/I P/I Cadence SMV (using -absref3) ICU281.3s5/10.1s ICRAM2KB16427450.7s3/825s ICRAM4KB32796843.3s3/8 too many BDD variables ARITH1002023.5s3/3182.4s ARITH2004029.6s3/32147s ARITH500100232.2s3/3timeout ARITH10002002122.6s3/3timeout

34 Experimental results (VIS benchmarks) Benchmark Lines of code #Latches#Variables VCEGAR Time #Predicates#Iteration cachecoherence5494317049s259 mpeg decoder 1 121556780029s93 usb_phy10545044104s4722 ethernet6059116015s3015 SDLX8984181139s4330 ITC99_b12558125119188s3223

35 Summary Verification at RTL level without going to netlists Verification at RTL level without going to netlists Predicate abstraction using word-level predicates Predicate abstraction using word-level predicates –Handling large no. of predicates (predicate partitioning) –Weakest pre-conditions for obtaining new predicates –Techniques are completely automatic VCEGAR VCEGAR –Encouraging results on industrial benchmarks –www.cs.cmu.edu/~modelcheck/vcegar www.cs.cmu.edu/~modelcheck/vcegar

36 Questions?

Download ppt "Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
The Design Process, RTL, Netlists, and Verilog

The Design Process, RTL, Netlists, and Verilog
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
CSE 201 Computer Logic Design * * * * * * * Verilog Modeling

CSE 201 Computer Logic Design * * * * * * * Verilog Modeling
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
ECE 667 - Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.

ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.

1 Software Verification Computer Science Club, Steklov Math Institute Lecture 1 Natasha Sharygina The University of Lugano, Carnegie Mellon University.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
1 Model Checking, Abstraction- Refinement, and Their Implementation Orna Grumberg Verification seminar March 2006.

1 Model Checking, Abstraction- Refinement, and Their Implementation Orna Grumberg Verification seminar March 2006.

Similar presentations

Ads by Google