verification of synchronization in specc description with the use of difference decision diagrams

Verification of Synchronization in SpecC Description with the Use of Difference Decision Diagrams

Thanyapat SakunkonchakMasahiro Fujita

Department of Electronic EngineeringUniversity of Tokyo

July 23, 2002 T. SAKUNKONCHAK and M. FUJITA University of Tokyo

2

Content

Introduction Background Verification Flow Verification Results Conclusion & Future Work


3

Introduction

What is SpecC?

Why verification of synchronization?


4

What is SpecC?

Standard system design language for adoption in industry and academia

Handling system design specification->implementation, hardware/software co-design

Build based on ANSI-C


5

Why verification of synchronization?

Concurrency (parallel execution) is commonly exist in system design

A kind of scheduling scheme (synchronization) is succinctly needed

In many cases, sophisticated ones will be come up, takes developers lots of time and efforts to verify


6

Content



7

Background Timing diagram of statements

execution Concurrency in SpecC with ‘par’

semantic Sequentiality of each behavior in ‘par’ Synchronization semantics

‘notify/wait’ The use of Difference Decision

Diagrams (DDDs)


8

Timing diagram of statements execution

Tas<=T1s<T1e<=T2s<T2e<=Tae (sequentiality in a) Tbs<=T3s<T3e<=Tbe (sequentiality in b) Tas=Tbs, Tae=Tbe (concurrency between a and b)

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e TaeTbs T3s T3e Tbe

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e TaeTbs T3s T3e Tbe


9

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ }} behavior b { main() { x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e Tae

Tbs T3s T3e Tbe

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e Tae

Tbs T3s T3e Tbe

Synchronization by Notify/wait

Synchronization Example

Ambiguous results of y causing from x = 10; /*st1*/x = 20; /*st3*/

y = 20 (always)


10

Difference Decision Diagrams Symbolic representation of non-boolean with

BDD seem to be less efficient DDDs represent different constraints,e.g. x-y≤c,

x and y are integers, c is constant

Represents graph for¬(x−z<1)Λ(x−y≤0)Λ(y−z≤2)


11

Content



12

Verification Flow

Goal: check whether the given SpecC codes with ‘par’, ‘notify/wait’ are properly synchronized

Use the idea of ‘Boolean Program’ [Ball and Rajamani]


13

Boolean Program

is a subset of the original program obtained by abstracting any

conditionals in ‘if’ statements of the original program with a proportional variable, e.g. if(x > y) -> if(c0)

All statements other than ‘notify/wait’, ‘if’ statements are abstracted away

14

SpecC Source Program

Boolean SpecC

C++ with DDD

Parsed & Translated (1)

Parsed & Translated (2)

Verify: Pass?

Constraints from users

Yes

Synchronization is

satisfied

Counter-example No

Check with


15

From SpecC to Boolean SpecC

The event manipulation statements are sustained

The conditional or predicates of all ‘if-else’ statements are automatically replaced by dummy variables, e.g. if(x>0)->if(c0), if(x>4)->if(c1)

Other statements are abstracted away by replacing with SKIP (“…”)


16

From SpecC to Boolean SpecC


17

From Boolean SpecC to C++ with DDD

Header

Branching func.for DDD

Declare timing variables

Setup DDD graphs

Verify


18

Content



19

Verification Results

SpecC->Boolean SpecC->C++ with DDDthe process are automatic

Using C++ compiler and DDD package to verify the synchronization of SpecC


20

Verification Results

SATISFIED UNSATISFIED DON’T KNOW

In the case of UNSATISFIED, the counter-example is given to track the unsatisfied source


21

Verification Result Let see an example

There is no chance for the event e to be satisfied if the conditions (x<y) and (x>=y) must be true at the same time

if(x<y)

notify e;

else

statement;

if(x>=y)

wait e;

else

statement;

par

Thread a Thread b

if(c1)

notify e;

else

...;

if(c2)

wait e;

else

...;

par

Thread a Thread b


22

Content



23

Conclusion The verification of synchronization in

SpecC description was proposed The idea of Boolean program is used

to abstract away some details Collaborate with DDD, we can verify

for synchronization in original SpecC Counter-example and verification of it

is considered to be accomplished (on-going work)


24

Future Work

for users to interactively input constraints

provide counter-example when the synchronization is not satisfied

to be able to automatically generate ‘predicates’

refining predicates or add constraints on predicates

verification of synchronization in specc description with the use of difference decision diagrams

Documents

fujita university of

specc description

automaticusing c c

given specc codes

ifx y ifc0all statements

ifx4ifc1other statements

idea of boolean program

original program