Automatic Abstraction Refinement for GSTE

Yan Chen, Yujing He, and Fei Xie

Portland State University

Jin Yang

Intel

Nov 13, 2007

Our Contributions

AutoGSTE – An automatic approach to abstraction refinement for GSTE

Quickly converge to good abstractions that enable verifications that are not possible before

Allow assertion graphs to be high-level w/o adapting too much to circuit implementation

2

Outline

Overview of (G)STE Quaternary Abstraction and its Imprecision Our Solution – AutoGSTE

Counterexample-guided abstraction refinement Model refinement and specification refinement

Experiments Conclusion & Future Work

3

Symbolic Trajectory Evaluation [Bryant & Seger]

Scalability Model checking complexity largely depends on the

complexity of the assertion rather than the circuit Pros: Highly efficient Cons:

False negatives due to insufficient input constraints R. Tzoref, O. Grumberg, Automatic refinement and vacuity detection for

STE, CAV’06 J. Roorda, K. Clarssen, Sat-based assistance to abstraction refinement for

STE, CAV’06

Only properties over finite time GSTE4

Generalized STE [Yang & Seger]

ω-regular properties represented by assertion graphs

G = { (V, v0, E, ant, cons) } Non-deterministic execution Fixed-point computation

5

V0 V1

V3

V5

a0/c0

a1/c1a7/c7

a3/c3

Start V2

a2/c2

V4a5/c5

a8/c8

a6/c6

a4/c4

GSTE Algorithm

6

Algorithm: GSTE(G, post)(* initialize symbolic simulation *)1. for each edge e in G2. if e is from the initial vertex3. sim(e) := ant(e);4. put e in EventQueue;5. else6. sim(e) := { };(* perform symbolic simulation *)7. while EventQueue is not empty8. get an edge e from the queue,9. for each successor edge e’ of e begin10. sim(e’) := sim(e’) post(sim(e)) ant(e’);11. if there is a change in sim(e’)12. put e’ into EventQueue; end(* check consequence *)13. for each edge e in G14. if !(sim(e) cons(e)) return false;15. return true;end.

Outline

Overview of (G)STE Quaternary Abstraction and its Imprecision Our Solution – AutoGSTE

Counterexample-guided abstraction refinement Model refinement and specification refinement

Experiments Conclusion & Future Work

7

Quaternary-Value Logic

(Unknown)

(Conflict)

Information Partial Order

1X X

0 X

Propagation of “Unknown”

Two sides of a coin Significantly reduce state spaces by

quaternary abstraction Over abstractions cause false negatives

8

1X

Causes of False Negative: Quaternary State Set Unions

11

1A

B

Out10

1 XXX

Abs.

9

01

sim(e’) := sim(e’) post(sim(e)) ant(e’);

1 1

Check whether the output is always 1 under certain inputs

Causes of False Negative: Existentially Quantified-Out Symbolic Variables

A=c1 &B=(!c1|c2)

/ Out=1

True/Out=1

c1,c2 is existentially quantified out after every single step simulation

10

[A=c1, B=(!c1|c2)]Out=A|B=c1|(!c1|c2)=1

[A=X, B=X]Out=A|B=X

A

B

Out11

10

01

Outline

Overview of (G)STE Quaternary Abstraction and its Imprecision Our Solution – AutoGSTE

Counterexample-guided abstraction refinement Model refinement and specification refinement

Experiments Conclusion & Future Work

11

AutoGSTE: Automatic Abstraction Refinement

(1) GSTE

CircuitImpl.

AssertionGraph

Assertionholds

CounterExample

(2) CounterExample Analysis

Assertion fails

Causes ofImprecision

(3) AbstractionRefinement

RefinedAbstraction

Abstraction refinement: (monotonic) (1) Constraining inputs with symbolic constants/variables

(2) Model refinement: introducing precise nodes (3) Spec refinement: assertion graph transformations

Causes of imprecision in GSTE’s quaternary abstraction: (1) Under-constrained inputs;

(2) Quaternary state set unions; (3) Existentially quantified-out symbolic variables

Counter Example Analysis Counter Example

[(edge1,src1,dest1),…,(edgeT, srcT,destT)]

Identify “X” nodes in destT that violates consequent on edgeT

Backtrack to identify the causes for “X” node N

In the end, the following causes will be identified:

Output circuit nodes/assertion edges on which Xs are introduced.

13

J

Q

Q

K

SET

CLR

X1 X

Input Union Weak

XInputJ

Q

Q

K

SET

CLR

01 X

n2=(variable v) &n3=(variable v)

True/n2=n3

AutoGSTE: Automatic Abstraction Refinement

(1) GSTE

CircuitImpl.

AssertionGraph

Assertionholds

CounterExample

(2) CounterExample Analysis

Assertion fails

Causes ofImprecision

(3) AbstractionRefinement

RefinedAbstraction

Abstraction refinement: (1) Constraining inputs with symbolic constants/variables

(2) Model refinement: introducing precise nodes (3) Spec refinement: assertion graph transformations

Causes of imprecision in GSTE’s quaternary abstraction: (1) Under-constrained inputs;

(2) Quaternary state set unions; (3) Existentially quantified-out symbolic variables

Model Refinement

Symbolic Indexing (Verifier has to encode it in the specification)

Abs.

0 1 11 0 1 1

0 1 11 0 1 X1

vv

!v?1:X 1

XX X

w1

v

10

v!v+w 1

Partition Abs. rew.

rew.Finer Partition

15

Model Refinement (Cont.)

Precise Nodes: Circuit nodes that must always have boolean values by symbolic indexing

[Yang and Seger, FMCAD’02] Manually specify precise nodes to eliminate Xs caused by both unions and weaks.

AutoGSTE automatically marks precise nodes Mark all the identified nodes as precise Mark one node at a time (control signals first?)

16

Specification Refinement Loop unrolling transformations address unions

Allow the specification to be high level Dynamically adapt to the real computation flow of the circuit

……

17

Automating loop unrolling Unroll each problematic edge to prevent

unwanted state set unions

Specification Refinement (Cont.)

18

1

2

3 4

Case splitting transformations address weaks Symbolic variables symbolically index a set of

edges with scalar values Remember the variable values by case splitting

V0 V1

enq=(variable v)deq=(variable v)

V0 V1

enq=deq=0

enq=deq=1

True/enq=deqTrue/enq=deq

Specification Refinement (Cont.)

19

Outline

Overview of (G)STE Quaternary Abstraction and its Imprecision Our solution – AutoGSTE

Counterexample-guided abstraction refinement Model Refinement .vs. Specification Refinement

Experiments Conclusion & Future Work

20

Experiment: FIFO

21

FIFO Model Refinement

Circuit Mark precise nodes all at once Mark precise nodes one a time

FIFO Depth

# of Nodes

# of Iter.

# of P. Nodes

Time

(Sec.)BDD

Nodes# of P. Nodes

Time

(Sec.)BDD

Nodes

3 181 1 5 0.12 10232 3 0.26 8996

8 296 1 7 0.4 32923 4 0.81 26708

16 476 1 9 1.1 72189 5 2.37 58250

24 787 1 11 2.38 131236 6 6.83 104246

Better than manual analysis!22

FIFO Specification Refinement

Circuit GSTE on Original assertion graph Semantic-Preserving Transformation

FIFO Depth

# of Edges

Time

(Sec.)BDD

NodesMem

(MB)Result

# of Edges

Time

(Sec.)BDD

NodesMem

(MB)Result

3 11 0.01 5 17 Fail 31 0.23 6 17 Pass

8 26 0.02 5 17 Fail 201 2.69 6 19 Pass

16 50 0.04 5 17 Fail 785 17.3 6 26 Pass

24 74 0.07 5 17 Fail 1753 54.2 6 39 Pass

Too complex to do manually!

23

0

10

20

30

40

50

60

0 5 10 15 20 25 0

10

20

30

40

50

60R

un

Tim

e (

sec)

Me

mo

ry (

MB

)

FIFO Depth

time for spec ref.

0

10

20

30

40

50

60

0 5 10 15 20 25 0

10

20

30

40

50

60R

un

Tim

e (

sec)

Me

mo

ry (

MB

)

FIFO Depth

time for spec ref.time for model ref.

0

10

20

30

40

50

60

0 5 10 15 20 25 15

20

25

30

35

40R

un

Tim

e (

sec)

Me

mo

ry (

MB

)

FIFO Depth

time for spec ref.time for model ref.mem for spec ref.

mem for model ref.

Conclusion & Future Work

An automatic approach to abstraction refinement for GSTE

Quickly converge to good abstractions Future work

Identify minimal set of precise nodes Reduce unnecessary loop-unrolling/case-splitting Integrate model refinement and spec refinement

27