Automatic Abstraction Refinement for GSTE
Yan Chen, Yujing He, and Fei Xie
Portland State University
Jin Yang
Intel
Nov 13, 2007
Our Contributions
AutoGSTE – An automatic approach to abstraction refinement for GSTE
Quickly converge to good abstractions that enable verifications that are not possible before
Allow assertion graphs to be high-level w/o adapting too much to circuit implementation
Outline
Overview of (G)STE
Quaternary Abstraction and its Imprecision
Our Solution – AutoGSTE
  Counterexample-guided abstraction refinement
  Model refinement and specification refinement
Experiments
Conclusion & Future Work
Symbolic Trajectory Evaluation [Bryant & Seger]
Scalability: model checking complexity largely depends on the complexity of the assertion rather than the circuit
Pros: highly efficient
Cons:
  False negatives due to insufficient input constraints
    R. Tzoref, O. Grumberg, Automatic refinement and vacuity detection for STE, CAV’06
    J. Roorda, K. Claessen, SAT-based assistance to abstraction refinement for STE, CAV’06
  Only properties over finite time → GSTE
Generalized STE [Yang & Seger]
ω-regular properties represented by assertion graphs
G = (V, v0, E, ant, cons)
Non-deterministic execution
Fixed-point computation
[Figure: an example assertion graph with vertices V0 (Start) to V5 and edges labelled with antecedent/consequent pairs a0/c0 through a8/c8]
GSTE Algorithm
Algorithm: GSTE(G, post)
(* initialize symbolic simulation *)
1. for each edge e in G
2.   if e is from the initial vertex
3.     sim(e) := ant(e);
4.     put e in EventQueue;
5.   else
6.     sim(e) := { };
(* perform symbolic simulation *)
7. while EventQueue is not empty
8.   get an edge e from the queue,
9.   for each successor edge e’ of e begin
10.    sim(e’) := sim(e’) ∪ (post(sim(e)) ∩ ant(e’));
11.    if there is a change in sim(e’)
12.      put e’ into EventQueue;
     end
(* check consequence *)
13. for each edge e in G
14.   if !(sim(e) ⊆ cons(e)) return false;
15. return true;
end.
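As an added illustration of the algorithm above (not the authors' code), the same event-queue fixpoint in Python over explicit, unabstracted state sets, run on a constructed 2-bit counter; the circuit, the assertion graph and the antecedents are assumptions for this example. The self-loop edge shows cause (1) of imprecision from the later slides: leaving the enable input unconstrained on the loop yields a counterexample that constraining the input removes.

```python
from collections import deque
from itertools import product

def gste(graph, v0, states, post):
    """GSTE(G, post) on explicit state sets; graph: {(src, dst): (ant, cons)}."""
    sim = {e: set() for e in graph}
    queue = deque()
    for e, (ant, _) in graph.items():        # initialise symbolic simulation
        if e[0] == v0:                       # edge leaves the initial vertex
            sim[e] = {s for s in states if ant(s)}
            queue.append(e)
    while queue:                             # perform symbolic simulation
        e = queue.popleft()
        for e2, (ant2, _) in graph.items():
            if e2[0] != e[1]:
                continue                     # e2 is not a successor edge of e
            new = sim[e2] | {s for s in post(sim[e]) if ant2(s)}
            if new != sim[e2]:
                sim[e2] = new
                queue.append(e2)
    for e, (_, cons) in graph.items():       # check consequence: sim(e) within cons(e)
        if not all(cons(s) for s in sim[e]):
            return False, sim
    return True, sim

# Constructed circuit: a state is (rst, en, q1, q0); rst and en are free inputs.
STATES = set(product((0, 1), repeat=4))

def counter_post(S):
    """Next-state image: q <- 0 on rst, else q + en mod 4; inputs take any value."""
    image = set()
    for rst, en, q1, q0 in S:
        q = 0 if rst else (2 * q1 + q0 + en) % 4
        image |= {(r, e, q >> 1, q & 1) for r, e in product((0, 1), repeat=2)}
    return image

def check_counter(constrain_en):
    """Reset, count up twice, then keep q = 2 on the self-loop edge (3,3).
    constrain_en=False leaves en free on the loop (an under-constrained input)."""
    def loop_ant(s):
        return s[0] == 0 and (s[1] == 0 or not constrain_en)
    graph = {
        (0, 1): (lambda s: s[0] == 1, lambda s: True),
        (1, 2): (lambda s: s[0] == 0 and s[1] == 1, lambda s: 2 * s[2] + s[3] == 0),
        (2, 3): (lambda s: s[0] == 0 and s[1] == 1, lambda s: 2 * s[2] + s[3] == 1),
        (3, 3): (loop_ant, lambda s: 2 * s[2] + s[3] == 2),
    }
    return gste(graph, 0, STATES, counter_post)[0]
```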
Quaternary-Value Logic
[Figure: the information partial order over the four values: X (unknown) at the bottom, 0 and 1 above it, and the conflict value at the top]
Propagation of “Unknown”
Two sides of a coin:
  Significantly reduces state spaces by quaternary abstraction
  Over-abstraction causes false negatives
Causes of False Negative: Quaternary State Set Unions
Check whether the output is always 1 under certain inputs
[Figure: an OR gate with inputs A and B. In the two concrete cases (A,B)=(1,0) and (A,B)=(0,1) the output is 1; their quaternary abstraction (Abs.) merges them into A=X, B=X, so the simulated output becomes X]
The union is taken in the simulation step: sim(e’) := sim(e’) ∪ (post(sim(e)) ∩ ant(e’));
Causes of False Negative: Existentially Quantified-Out Symbolic Variables
[Figure: an assertion graph edge with antecedent A=c1 & B=(!c1|c2) and consequent Out=1, followed by an edge True/Out=1; an OR gate with inputs A and B whose concrete cases 11, 10 and 01 all give Out=1]
c1, c2 are existentially quantified out after every single-step simulation
[A=c1, B=(!c1|c2)]  Out = A|B = c1|(!c1|c2) = 1
[A=X, B=X]  Out = A|B = X
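An added example (not from the slides) of the two causes just shown, the state set union on the OR gate and the quantified-out variables c1, c2: a small model of the quaternary lattice in Python where collapsing the scalar cases before simulating the gate yields Out=X, while simulating each case first (what precise nodes or case splitting achieve) yields Out=1. The value names 0, 1, 'X', 'T' and the function names are assumptions of this example.

```python
from itertools import product

# Values: 0, 1, 'X' (unknown, least information) and 'T' (conflict, most).
def meet(a, b):
    """Greatest lower bound in the information order: what a union of cases keeps."""
    if a == b:
        return a
    if a == 'T':
        return b
    if b == 'T':
        return a
    return 'X'                               # 0 against 1, or anything against X

def or_gate(a, b):
    """Quaternary OR: a definite 1 dominates, a conflict propagates, else X."""
    if 'T' in (a, b):
        return 'T'
    if 1 in (a, b):
        return 1
    return 0 if (a, b) == (0, 0) else 'X'

def abstract_union(cases):
    """Collapse scalar assignments {node: value} into one quaternary assignment."""
    acc = {}
    for case in cases:
        for node, val in case.items():
            acc[node] = meet(acc.get(node, 'T'), val)
    return acc

def out_union_first(cases):
    """Slide 9 order: union (abstract) the inputs first, then simulate the gate."""
    s = abstract_union(cases)
    return or_gate(s['A'], s['B'])

def out_case_split(cases):
    """Refined order: simulate each scalar case separately, then combine outputs."""
    result = 'T'
    for case in cases:
        result = meet(result, or_gate(case['A'], case['B']))
    return result

# Slide 9: the two scalar input cases (A, B) = (1, 0) and (0, 1).
UNION_CASES = [{'A': 1, 'B': 0}, {'A': 0, 'B': 1}]

def symbolic_cases():
    """Slide 10: A = c1, B = !c1 | c2, expanded over every value of c1 and c2;
    quantifying c1, c2 out is the same collapse as abstract_union."""
    return [{'A': c1, 'B': int((not c1) or c2)} for c1, c2 in product((0, 1), repeat=2)]
```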
AutoGSTE: Automatic Abstraction Refinement
[Figure: the refinement loop. (1) GSTE takes the circuit implementation and the assertion graph; either the assertion holds or a counterexample is produced. (2) Counterexample analysis of the failed assertion identifies the causes of imprecision. (3) Abstraction refinement produces a refined abstraction, which is fed back into (1)]
Causes of imprecision in GSTE’s quaternary abstraction:
  (1) Under-constrained inputs
  (2) Quaternary state set unions
  (3) Existentially quantified-out symbolic variables
Abstraction refinement (monotonic):
  (1) Constraining inputs with symbolic constants/variables
  (2) Model refinement: introducing precise nodes
  (3) Spec refinement: assertion graph transformations
Counterexample Analysis
Counterexample: [(edge1, src1, dest1), …, (edgeT, srcT, destT)]
Identify “X” nodes in destT that violate the consequent on edgeT
Backtrack to identify the causes for “X” node N
In the end, the following causes will be identified: output circuit nodes/assertion edges on which Xs are introduced
[Figure: backtracking an X through two JK flip-flops (J, K, SET, CLR, Q, Q̄). Each X is traced to one of three causes: Input (an X input), Union (a 0 and a 1 merged into X by a state set union) and Weak (a quantified-out symbolic variable, illustrated by an edge with antecedent n2=(variable v) & n3=(variable v) followed by an edge True/n2=n3)]
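The backtracking step above, as an added example that is not the authors' tool: a constructed gate-level netlist is simulated with quaternary values, and from a node that is X where the consequent needs a Boolean value the analysis walks back through the gates to the leaf nodes (inputs or latch outputs) that introduced the X, reporting each leaf's cause. How each leaf's X arose (Input, Union, Weak) is supplied as a constructed table here; a real simulator would record it while building the state sets.

```python
def quat_eval(gate, ins):
    """Quaternary AND/OR/NOT on 0, 1, 'X': a controlling input decides the
    output, otherwise any X input makes the output X."""
    if gate == 'not':
        return {0: 1, 1: 0, 'X': 'X'}[ins[0]]
    ctrl = 1 if gate == 'or' else 0          # controlling value for OR / AND
    if ctrl in ins:
        return ctrl
    return 'X' if 'X' in ins else 1 - ctrl

def simulate(netlist, leaf_values):
    """Evaluate a netlist {node: (gate, [inputs])} from its leaf node values."""
    values = dict(leaf_values)
    def value(n):
        if n not in values:
            gate, ins = netlist[n]
            values[n] = quat_eval(gate, [value(i) for i in ins])
        return values[n]
    for n in netlist:
        value(n)
    return values

def x_sources(netlist, values, node):
    """Backtrack from an X at `node` to the leaf nodes that introduced it.
    Inputs with a Boolean value cannot have caused the X and are not followed."""
    if values[node] != 'X':
        return set()
    if node not in netlist:                  # leaf: primary input or latch output
        return {node}
    srcs = set()
    for i in netlist[node][1]:
        srcs |= x_sources(netlist, values, i)
    return srcs

def analyse(netlist, leaf_values, leaf_origin, checked_node):
    """Map each leaf whose X reaches `checked_node` to its cause of imprecision."""
    values = simulate(netlist, leaf_values)
    return {n: leaf_origin.get(n, 'Input') for n in x_sources(netlist, values, checked_node)}

# Constructed circuit: out = (a & q1) | (q2 & !b); q1, q2 are latch outputs.
NETLIST = {
    'n1': ('and', ['a', 'q1']),
    'nb': ('not', ['b']),
    'n2': ('and', ['q2', 'nb']),
    'out': ('or', ['n1', 'n2']),
}
# Leaf values at the failing step and how each X arose (constructed): q1 is X
# from a state set union, q2 is X because its symbolic variable was quantified
# out (weak), and a is an unconstrained input.
LEAF_VALUES = {'a': 'X', 'b': 0, 'q1': 'X', 'q2': 'X'}
LEAF_ORIGIN = {'q1': 'Union', 'q2': 'Weak'}
```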
Model Refinement
Symbolic indexing (the verifier has to encode it in the specification)
[Figure: symbolic indexing. A set of scalar cases abstracts (Abs.) to X; partitioning the cases on a symbolic variable v and rewriting (rew.) gives an indexed value such as !v?1:X; a finer partition on a second variable w gives values such as v, !v+w and 1]
Model Refinement (Cont.)
Precise nodes: circuit nodes that must always have Boolean values, by symbolic indexing [Yang and Seger, FMCAD’02]
Manually specify precise nodes to eliminate Xs caused by both unions and weaks
AutoGSTE automatically marks precise nodes:
  Mark all the identified nodes as precise
  Mark one node at a time (control signals first?)
Specification Refinement
Loop unrolling transformations address unions
Allow the specification to be high level
Dynamically adapt to the real computation flow of the circuit
Specification Refinement (Cont.)
Automating loop unrolling
Unroll each problematic edge to prevent unwanted state set unions
[Figure: an assertion graph loop with edges labelled 1 to 4, before and after unrolling]
Specification Refinement (Cont.)
Case splitting transformations address weaks
Symbolic variables symbolically index a set of edges with scalar values
Remember the variable values by case splitting
[Figure: before case splitting, an edge V0→V1 with antecedent enq=(variable v) & deq=(variable v) is followed by an edge True/enq=deq. After case splitting there are two edges from V0 to V1, one with enq=deq=0 and one with enq=deq=1, each followed by its own True/enq=deq edge]
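Case splitting as an added, constructed example (not the authors' transformation code): edges carry antecedent/consequent labels as dicts, a symbolic variable is written ('var', name), and the consequent enq=deq is encoded as both nodes indexed by the same v, an assumption of this toy encoding. The split duplicates the part of the graph that follows the indexed edge once per scalar value so the value is remembered downstream, while the loop back to V0 stays shared.

```python
def mentions(labels, var):
    """True if the label {node: value} refers to the symbolic variable `var`."""
    return ('var', var) in labels.values()

def substitute(labels, var, bit):
    """Replace the symbolic variable `var` by the scalar `bit` in a label."""
    return {n: (bit if v == ('var', var) else v) for n, v in labels.items()}

def case_split(edges, var):
    """Split every edge whose antecedent introduces `var` into copies for var=0
    and var=1, and duplicate the vertices reachable from those edges per case so
    that later edges (e.g. the consequent enq=deq) see the remembered value.
    edges: list of (src, dst, ant, cons) with ant/cons as {node: value}."""
    introducing = [e for e in edges if mentions(e[2], var)]
    split_srcs = {e[0] for e in introducing}  # where the cases branch apart
    succ = {}
    for src, dst, _, _ in edges:
        succ.setdefault(src, set()).add(dst)
    copied, stack = set(), [e[1] for e in introducing]
    while stack:                             # vertices that live inside a case
        v = stack.pop()
        if v not in copied and v not in split_srcs:
            copied.add(v)
            stack.extend(succ.get(v, ()))
    def rename(v, bit):
        return f"{v}[{var}={bit}]" if v in copied else v
    result = [e for e in edges if e not in introducing and e[0] not in copied]
    for bit in (0, 1):
        for e in edges:
            if e in introducing or e[0] in copied:
                src, dst, ant, cons = e
                result.append((rename(src, bit), rename(dst, bit),
                               substitute(ant, var, bit), substitute(cons, var, bit)))
    return result

# Constructed graph after slide 19: V0 -> V1 sets enq and deq to the same
# symbolic value v, V1 -> V2 must then see enq = deq (both nodes indexed by v),
# and V2 -> V0 loops back so that v is chosen afresh.
GRAPH = [
    ('V0', 'V1', {'enq': ('var', 'v'), 'deq': ('var', 'v')}, {}),
    ('V1', 'V2', {}, {'enq': ('var', 'v'), 'deq': ('var', 'v')}),
    ('V2', 'V0', {}, {}),
]
```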
Experiment: FIFO
FIFO Model Refinement
Circuit columns: FIFO depth and number of nodes; then results for marking precise nodes all at once and for marking them one at a time.

| FIFO Depth | # of Nodes | All at once: # of Iter. | All at once: # of P. Nodes | All at once: Time (Sec.) | All at once: BDD Nodes | One at a time: # of P. Nodes | One at a time: Time (Sec.) | One at a time: BDD Nodes |
|---|---|---|---|---|---|---|---|---|
| 3 | 181 | 1 | 5 | 0.12 | 10232 | 3 | 0.26 | 8996 |
| 8 | 296 | 1 | 7 | 0.4 | 32923 | 4 | 0.81 | 26708 |
| 16 | 476 | 1 | 9 | 1.1 | 72189 | 5 | 2.37 | 58250 |
| 24 | 787 | 1 | 11 | 2.38 | 131236 | 6 | 6.83 | 104246 |

Better than manual analysis!
FIFO Specification Refinement
Columns: GSTE on the original assertion graph versus GSTE after the semantic-preserving transformation.

| FIFO Depth | Original: # of Edges | Original: Time (Sec.) | Original: BDD Nodes | Original: Mem (MB) | Original: Result | Transformed: # of Edges | Transformed: Time (Sec.) | Transformed: BDD Nodes | Transformed: Mem (MB) | Transformed: Result |
|---|---|---|---|---|---|---|---|---|---|---|
| 3 | 11 | 0.01 | 5 | 17 | Fail | 31 | 0.23 | 6 | 17 | Pass |
| 8 | 26 | 0.02 | 5 | 17 | Fail | 201 | 2.69 | 6 | 19 | Pass |
| 16 | 50 | 0.04 | 5 | 17 | Fail | 785 | 17.3 | 6 | 26 | Pass |
| 24 | 74 | 0.07 | 5 | 17 | Fail | 1753 | 54.2 | 6 | 39 | Pass |

Too complex to do manually!
[Figure: run time (sec) and memory (MB) against FIFO depth (0 to 25), plotted for specification refinement (“time for spec ref.”, “mem for spec ref.”) and model refinement (“time for model ref.”, “mem for model ref.”); three consecutive slides build the plot up one series at a time]
Conclusion & Future Work
An automatic approach to abstraction refinement for GSTE
Quickly converges to good abstractions
Future work:
  Identify a minimal set of precise nodes
  Reduce unnecessary loop unrolling/case splitting
  Integrate model refinement and spec refinement