Docstoc

yang

Document Sample
yang Powered By Docstoc
					        Compositional
Specification and Verification
           in GSTE

       Jin Yang,
       joint work with Carl Seger
       Strategic CAD Labs, Intel Corp.

       CMU
       March 23, 2004


                                              SCL
                                         Inventing IC design technologies
                                              that will be vital to Intel 1
       Motivation
   GSTE
    combines high capacity of STE with expressive
     power of traditional model checking (YS ICCD’00)
    provides a multi-dim. approach to achieve high
     capacity while maintaining accuracy (YS FMCAD’02)
    has been used by FVers for > 1 year successfully on
     next-gen. Intel -processors (Schubert ICCAD’03)
    part of FORTE public release
   However
    assertion graph specification in GSTE is inherently
     sequential but circuit behavior may be concurrent
    ……

GSTE
                                                           2
       Sequential Ex.: Memory

                         wren
                     addr[9:0]
                                        1024 x 64                rden

                                         Memory                  dout[63:0]
                     din[63:0]




        “Always read from a cell the most recently written data”


               ( wren & addr[9:0] = A[9:0] &         ( rden & addr[9:0] = A[9:0],        antecedent
                                                                                     
                        din[63:0] = D[63:0],           dout[63:0] = D[63:0] )             consequent
                 true )
          vI                                   v1                                    v2
                                                    ( !wren | addr[9:0] != A[9:0],
                                                      true )




GSTE
                                                                                                       3
       Concurrent Ex.: Voting Machine
                                      reset




                     avail[1]
                     vote[1]
                                2

                     avail[2]
                                     Voting       vout
                     vote[2]
                                2
                                    Machine   2



                     avail[3]
                     vote[3]
                                2




       – a vote can be accepted at station i (through vote[i]=1,2,3)
         when it is available
       – it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as
         soon as all three votes are in, and then makes the stations
         available for next round.

GSTE
                                                                            4
       Voting Machine (cont.)
        Specification using an assertion graph causes
         exponential complexity
          – order 1: vote[1], …, vote[2], …, vote[3]
          – order 2: vote[1], …, vote[3], …, vote[2]
          – ……

        Solution
          –   concurrent extension to assertion graphs
          –   implementation independent
          –   utilizing and guiding GSTE model checking
          –   (future) ability to reason about specifications



GSTE
                                                                5
       Basics: Domain And Trace
   Domain
                                          D
       – a finite non-empty alphabet
          e.g., the set of states in a FSM (circuit)
       – P(D) – power set of D
          e.g., all subsets of states (state predicates) in FSM

   Trace
                                     = d1d2d3…
       – an infinite word in D
          e.g., an infinite state sequence (trace) in FSM




GSTE
                                                                  6
       Basics: Assertion Alphabet
  Assertion alphabet
                                 = P(D)  P(D)
       – set of antecedent/consequence pairs
       –  = (D1,D2)  – assertion letter
          – antecedent: ant() = D1
          – consequent: cons() = D2


                      a[15:0]

                                    +        c[15:0]
                      b[15:0]



                 ( a[15:0] = A[15:0] & b[15:0] = B[15:0],
                   c[15:0] = A[15:0] + B[15:0] )


GSTE
                                                            7
       Basics: Assertion Language
   Assertion word - any word w = 12…k in  *
       – STE assertion  assertion word

   Assertion language - any set of words L in P( *)
       – assertion graph  regular assertion language


               ( wren & addr = A & din = D, true )         ( rden & addr = A, dout = D )


              vI                                     v1    ( !wren | addr != A, true )
                                                                                            v2




         ( wren & addr = A & din = D, true ) ( !wren | addr != A, true ) * ( rden & addr = A, dout = D )




GSTE
                                                                                                           8
   Basics: Trace Semantics
  Trace Satisfiability
       – trace  satisfies a word P(D)*, if 1i||, (i)   [i]

  Trace Language
       – assertion word
                (w) = {D |  sat. ant(w)   sat. cons(w) }
       – assertion language (for all semantics)
                              (L) = wL (w)

  Theorem:
                      L1  L2   (L1)  (L2 )

             “more words  more restricted behavior”


GSTE
                                                                       9
        The Meet Operator
     Meet of assertion letters:
                              ( C1, C2 )  ( D1, D2 ) = ( C1  D1, C2  D2 )

     Meet of assertion words:
                       12…k  ’1’2…’k = (1’1) (2’2) … (k’k)

     Meet of assertion languages:
                          L1  L2 = { w1 w2 | w1 L1, w2 L2, |w1| = |w2| }


                                  Parallel composition

    ( vote[1]=1, true ) ( true, true )  ( true, true ) ( vote[2]=2, true )  ( vote[3]=2, true ) ( true, true )
=
    ( vote[1]=1 & vote[3]=2, true ) ( vote[2]=2, true )


GSTE
                                                                                                                     10
       Self Consistency
   Repeated application
                         0 L =   L,    k L = ( k-1 L)    L (k>0)

   Lemma
                     k L     k+1 L but (  k L ) = (  k+1 L )
       – proof sketch
          – (w1  w2  …  wk)  wk = w1  w2  …  wk
          – w  w’ may be new, but (w)  (w’)  (w  w’)

   Theorem (about limit)
                    L  k0  k L but ( L ) = ( k0  k L )




GSTE
                                                                           11
       Compositional Specification
   Initialization:
                              L0 =  + L0 • (D,D)
   Prefix: (1i<h)
                                    Li = Lj • j
   Summation: (hi<l)
                        Li = Li1  … …  Lik (0ij<h)
   Meet: (li<n)
                        Li = Li1  … …  Lik     (0ij<l)


          Comment:
          • there is a unique solution to the system
          • very much like CCS but with new 

GSTE
                                                              12
       Example 1: Memory
         ( wren & addr = A & din = D, true )        ( rden & addr = A, dout = D )


         vI                                    v1   ( !wren | addr != A, true )
                                                                                    v2




         LI     =  + LI • (true, true)
         LI, 1 = LI • (wren & addr = A & din = D, true)

         L1,1 = L1 • (!wren | addr != A, true)

         L1 = LI, 1  L1,1
         L2 = L1 • (rden & addr = A, dout = D)


GSTE
                                                                                         13
       Example 2: Voting Machine (VM)
                                      reset




                     avail[1]
                     vote[1]
                                2

                     avail[2]
                                     Voting       vout
                     vote[2]        Machine   2
                                2

                     avail[3]
                     vote[3]
                                2




       – a vote can be accepted at station i (through vote[i]=1,2,3)
         when it is available
       – it outputs a voting result (vout=f(vote[1], vote[2], vote[3]) as
         soon as all three votes are in, and then makes the stations
         available for next round.

GSTE
                                                                            14
       Example 2 (cont)
        Linit      =  + Linit • (true, true)
        Lready[i] = Linit • (reset, true) 
                     (Lready[i]  Lpoll) • (reset | vote[i]=0, avail[i])
        Lvoting[i] = (Lready[i]  Lpoll) • (!reset & vote[i]=V[i]>0, avail[i])
        Lvoted[i] = ((Lvoting[i]  Lvoted[i])  Lwait) • (!reset, !avail[i])
       




        Lwait      = 1i3 Lready[i]
        Lpoll      = 1i3 (Lvoting[i]  ( ji(Lvoting[j]  Lvoted[i])))
        Loutp      = Lpoll • (true, vote=f(V[1], V[2], V[3]))




GSTE
                                                                                  15
       Model Checking Product Spec.
 Theorem (product specification)
        for any language L in the solution, k0  k L is regular
           – proof sketch
               •   k0k (Lj • j) = (k0k Lj) • j
               •   k0k (L1  L2) = (k0k L1)  (k0k L2)  (k0k L1)  (k0k L2)
               •   k0k (L1  L2) = (k0k L1)  (k0k L2)
               •   construct transitions for the states in P({k0k L1 , k0k L2 , …,
                   k0k Ln})

   – since (L) = (k0  k L), this effectively provides a precise
     GSTE model checking solution for each L in the solution
   – but assertion graph for k0kL may be exponentially large


                   Need more efficient solution !
GSTE
                                                                                                    16
       Model
        M = (S, R, L)
          – S is a finite set of states
          – R  SS is a transition relation s.t. s, s’, (s, s’)  R
          – L: SD is a labeling function
        Semantics
          – run
                              : NS s.t. i0, ((i), (i+1))R
          – trace language
                               (M) = { L() |  is a run of M }
          – satisfiability M |= 0in Li:
                                     (M)  (0in Li)
        Post-Image
                           post(S’) = { s | s’S’, s.t. (s’, s)R }


GSTE
                                                                         17
       Simulation Relation
   Definition
       any mapping
                             R: {L0, L1, …, Ln} P(S)
       satisfying s R(Li), if wLi,  of M s.t. (|w|)=s, L() sat. ant(w)

   Theorem
                Li = Lj • , L(R(Li))  cons()  M |= 0in Li




GSTE
                                                                           18
       compGSTE
        Initialization
           for all Li, R(Li) := { };
        Fix-point iteration
           repeat
           – R’ := R;
           – for all Li, case
                – Li = L0:       R(Li) := S;
                – Li = Lj • : if Lj=L0 then R(Lj) := {s | L(s)ant()}
                                         else R(Lj) := post(R’(Lj))  {s | L(s)ant()};
                                if (L(R(Li))  cons()) then return false;
                – Li = j Lj: R(Lj) := j R’(Lj);
                – Li =  j Lj: R(Lj) := j R’(Lj);
           until R = R’;
           return true;


GSTE
                                                                                           19
       Ex: VM Implementation
                                                              reset


          avail[1]
                               0




                                   =
                         en            voted[1]
          vote[1]
                     2   clr       vote_in[1]
                                              clear
                                                      +


          avail[2]
                               0
                                   =
                                                                0




                                                                      mux
                         en            voted[2]                             vout
          vote[2]                                         f
                     2   clr       vote_in[2]




          avail[3]
                               0
                                   =




                         en            voted[3]
          vote[3]
                     2   clr       vote_in[3]



GSTE
                                                                                   20
                Ex: VM Model Checking
                                                      reset
                                                                                   Linit
                          ……                clear
                                                     +                                          1. true

avail[i]
                                                                                   Lready[i]

                      0
                          =




                                                              0




                                                                      mux
                en            voted[i]
                                                                            vout
vote[i]     2   clr         vote_in[i]                   f                         Lvoting[i]




                                                                                   Lvoted[i]
                          ……

   Linit      =  + Linit • (true, true)
   Lready[i] = Linit • (reset, true)                                             Lwait
                  (Lready[i]  Lpoll) • (reset | vote[i]=0, avail[i])
   Lvoting[i] = (Lready[i]  Lpoll) • (!reset & vote[i]=V[i]>0, avail[i])
   Lvoted[i] = ((Lvoting[i]  Lvoted[i])  Lwait) • (!reset, !avail[i])          Lpoll
   Lwait     = 1i3 Lready[i]
   Lpoll       = 1i3 (Lvoting[i]  ( ji(Lvoting[j]  Lvoted[i])))
   Loutp       = Lpoll • (true, vote=f(V[1], V[2], V[3]))
                                                                                   Loutp


     GSTE
                                                                                                          21
                Ex: VM Model Checking
                                                      reset
                                                                                   Linit
                          ……                clear
                                                     +                                          2. true

avail[i]
                                                                                   Lready[i]

                      0                                                                         2. reset
                          =




                                                              0




                                                                      mux
                en            voted[i]
                                                                            vout
vote[i]     2   clr         vote_in[i]                   f                         Lvoting[i]




                                                                                   Lvoted[i]
                          ……

   Linit      =  + Linit • (true, true)
   Lready[i] = Linit • (reset, true)                                             Lwait
                  (Lready[i]  Lpoll) • (reset | vote[i]=0, avail[i])
   Lvoting[i] = (Lready[i]  Lpoll) • (!reset & vote[i]=V[i]>0, avail[i])
   Lvoted[i] = ((Lvoting[i]  Lvoted[i])  Lwait) • (!reset, !avail[i])          Lpoll
   Lwait     = 1i3 Lready[i]
   Lpoll       = 1i3 (Lvoting[i]  ( ji(Lvoting[j]  Lvoted[i])))
   Loutp       = Lpoll • (true, vote=f(V[1], V[2], V[3]))
                                                                                   Loutp


     GSTE
                                                                                                           22
                Ex: VM Model Checking
                                                      reset
                                                                                   Linit
                          ……                clear
                                                     +                                          3. true

avail[i]
                                                                                   Lready[i]

                      0                                                                         3. reset | vote[i]=0 & vote_in[i]=0
                          =




                                                              0




                                                                      mux
                en            voted[i]
                                                                            vout
vote[i]     2   clr         vote_in[i]                   f                         Lvoting[i]

                                                                                                3. !reset & vote[i]=V[i] & vote_in[i]=0

                                                                                   Lvoted[i]
                          ……

   Linit      =  + Linit • (true, true)
   Lready[i] = Linit • (reset, true)                                             Lwait
                  (Lready[i]  Lpoll) • (reset | vote[i]=0, avail[i])
   Lvoting[i] = (Lready[i]  Lpoll) • (!reset & vote[i]=V[i]>0, avail[i])
   Lvoted[i] = ((Lvoting[i]  Lvoted[i])  Lwait) • (!reset, !avail[i])          Lpoll
   Lwait     = 1i3 Lready[i]
   Lpoll       = 1i3 (Lvoting[i]  ( ji(Lvoting[j]  Lvoted[i])))
   Loutp       = Lpoll • (true, vote=f(V[1], V[2], V[3]))
                                                                                   Loutp


     GSTE
                                                                                                                                      23
                Ex: VM Model Checking
                                                      reset
                                                                                   Linit
                          ……                clear
                                                     +                                          true

avail[i]
                                                                                   Lready[i]

                      0                                                                         reset | vote[i]=0 & vote_in[i]=0
                          =




                                                              0




                                                                      mux
                en            voted[i]
                                                                            vout
vote[i]     2   clr         vote_in[i]                   f                         Lvoting[i]

                                                                                                !reset & vote[i]=V[i] & vote_in[i]=0

                                                                                   Lvoted[i]
                          ……
                                                                                                !reset & vote_in[i]=V[i] & j. … …
   Linit      =  + Linit • (true, true)
   Lready[i] = Linit • (reset, true)                                             Lwait
                  (Lready[i]  Lpoll) • (reset | vote[i]=0, avail[i])
                                                                                                reset | i.vote[i]=0 & vote_in[i]=0
   Lvoting[i] = (Lready[i]  Lpoll) • (!reset & vote[i]=V[i]>0, avail[i])
   Lvoted[i] = ((Lvoting[i]  Lvoted[i])  Lwait) • (!reset, !avail[i])          Lpoll
   Lwait     = 1i3 Lready[i]
   Lpoll       = 1i3 (Lvoting[i]  ( ji(Lvoting[j]  Lvoted[i])))                       i.!reset & vote[i]=V[i] & vote_in[i]=0 &
                                                                                                   ji.(vote[j]=V[j] | vote_in[j]=V[j])
   Loutp       = Lpoll • (true, vote=f(V[1], V[2], V[3]))
                                                                                   Loutp


     GSTE                                                                                       i.vote_in[i]=V[i]
                                                                                                                                       24
       Brief Discussions
        compGSTE is approximate
          – sound but not complete
          – extended quaternary model abstraction (FMCAD 2002)
        Abstraction refinement
          – model refinement vs spec. refinement (FMCAD 2002)
          – partial product construction on specifications (serialization)

        Advantages over assume-guarantee based composition
          – pure specification, implementation independent
          – computed “intermediate assumptions”
          – much less sensitive to implementation changes




GSTE
                                                                             25
               Ex: Implementation Change
                                                 reset                                                reset


                         ……                                                              ……
                                         clear
                                                 +
                                                                          avail[i]                    0 bundle
avail[i]

                                                                                                      1 bundle
                                                                                                                      vout




                                                                                                                 ……
                     0
                          =




                                                         0                                        0




                                                             mux
                                                                          vote[i]




                                                                                         decode
               en             voted[i]                                                            1
                                                                                                      2 bundle
                                                                   vout                           2
vote[i]    2   clr         vote_in[i]                f                               2            3
                                                                                                      3 bundle




                         ……                                                                 ……


                          Assume-guarantee based composition
                               – re-partition the model, re-specify interface assumptions
                               – re-run model checking

                          compGSTE
                               – specification unchanged, only re-run model checking
   GSTE
                                                                                                                      26
       Industrial Ex.: Resource Scheduler




                                                                                                        Delivering logic
                          receiving logic
                   uop                                  CAM                                                                out




                                                        Staging and
                                            CAM match
                  alloc




                                                                      ready logic
                wrback




                                                                                     scheduling logic
                                                                                                                           sched
                 ready

                   init
                                            priority matrix


                                                                                    avail


       Specification:
       when resource is available (avail = 1), schedule the oldest ready uop
        handling 10 uops at a time, >1k state elements, >17000 gates
        priority matrix, CAM, decision logic, power-saving feature etc.

GSTE
                                                                                                                                   27
Main Result
   Previous work w/ a state-of-art in-house symbolic model checker
       – hundreds of small local properties
       – only on the priority matrix

   Compositional specification (top down)
       – schedule uop[i], if “uop[i] is the oldest ready” and resource is available
           – uop[i] is oldest ready, if “uop[i] is ready” and for all j  i (j  i), either “uop[j] is
             not ready” or “uop[i] arrived earlier than uop[j]”
               – ……
       – < 50 boolean variables for >1k state elements
   Compositional model checking
       – 122.5 seconds, 36M on P4 1.5GHz
       – scalable - O(log2 #uops), BDD was not a bottle-neck!
   Detailed work is in writing
       – hopefully in time for ICCAD



GSTE
                                                                                                           28
       Conclusion
        Summary of the compositional approach
         –   compositional specification to handle concurrency
         –   efficient compositional model checking
         –   implementation independent
         –   building for reasoning
        Future work
         – reasoning about compositional specifications
         – extension to handle parameterized specification




GSTE
                                                                 29

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:4
posted:10/13/2011
language:English
pages:29