verification of synchronization in specc description with the use of difference decision diagrams

Verification of Synchronization in Verification of Synchronization in SpecC Description with the Use of SpecC Description with the Use of

Difference Decision DiagramsDifference Decision Diagrams

Thanyapat SakunkonchakThanyapat SakunkonchakMasahiro FujitaMasahiro Fujita

Department of Electronic EngineeringDepartment of Electronic EngineeringUniversity of TokyoUniversity of Tokyo

FDL'02 Sep.26FDL'02 Sep.26 T. Sakunkonchak and M. FujitaT. Sakunkonchak and M. Fujita 22

ContentContent

IntroductionIntroduction BackgroundBackground Verification FlowsVerification Flows Experimental ResultsExperimental Results Conclusion and OutlookConclusion and Outlook


IntroductionIntroduction More and more complex and larger VLSI More and more complex and larger VLSI

must be designed with shorter time-to-must be designed with shorter time-to-marketmarket

SoC needs simultaneous development of SoC needs simultaneous development of both HW and SW both HW and SW

Needs ways to describe HW/SW seamlesslyNeeds ways to describe HW/SW seamlessly C-based specification/design languages are C-based specification/design languages are

promisingpromising SpecC SpecC [http://www.SpecC.org][http://www.SpecC.org]

Standardized for HW/SW co-designStandardized for HW/SW co-design Based on ANSI-C and extendedBased on ANSI-C and extended


ContentContent



Synchronization in SpecCSynchronization in SpecC

Two processes a, b are Two processes a, b are running in parallelrunning in parallel par a.main(); b.main();par a.main(); b.main(); a: <st1> <st2>a: <st1> <st2> b: <st3>b: <st3>

Without scheduling Without scheduling (synchronization), (synchronization), ambiguous results ambiguous results may happenmay happen st1->st2->st3 st1->st2->st3 st3->st1->st2 ?st3->st1->st2 ? st1->st3->st2st1->st3->st2Any orderings are allowed Any orderings are allowed

!!

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e TaeTbs T3s T3e Tbe

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e TaeTbs T3s T3e Tbe


main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ }} behavior b { main() { x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e Tae

Tbs T3s T3e Tbe

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3


Tbs T3s T3e Tbe

Synchronization by Notify/wait

Synchronization in SpecCSynchronization in SpecC

Ambiguous results on y causing from x = 10; /*st1*/x = 20; /*st3*/

y = 20 (always)


main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ }} behavior b { main() { x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3


Tbs T3s T3e Tbe

Synchronization in SpecC Synchronization in SpecC (cont.)(cont.)

Ambiguous results on y causing from x = 10; /*st1*/x = 20; /*st3*/

Tas=Tbs, Tae=TbeTas=Tbs, Tae=Tbe Tas<=T1s<T1e<=T2s<T2e<=TasTas<=T1s<T1e<=T2s<T2e<=Tas Tbs<=T3s<T3e<=TbeTbs<=T3s<T3e<=Tbe


Synchronization in SpecC Synchronization in SpecC (cont.)(cont.) main() {

par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3


Tbs T3s T3e Tbe

Synchronization by Notify/wait

y = 20 (always)

Tas=Tbs, Tae=TbeTas=Tbs, Tae=Tbe Tas<=T1s<T1e<=T2s<T2e<=TasTas<=T1s<T1e<=T2s<T2e<=Tas Tbs<=T3s<T3e<=TbeTbs<=T3s<T3e<=Tbe T2e<=T3sT2e<=T3s


The verification problemThe verification problem Given SpecC programs, check if Given SpecC programs, check if

specific ordering of executions are specific ordering of executions are guaranteed or notguaranteed or not

Along with well-accepted Boolean Along with well-accepted Boolean comparison techniques for logic comparison techniques for logic designs , this could be a basic designs , this could be a basic verification method to check if verification method to check if sequential and parallel version of the sequential and parallel version of the same SpecC are equivalent or notsame SpecC are equivalent or not(Sequential)

CSequential

SpecCParallelSpecC

Equivalence checking


Boolean ProgramBoolean Program

Proposed by Ball and Rajamani under Proposed by Ball and Rajamani under SLAM project at Microsoft ResearchSLAM project at Microsoft Research

Think of SW like a model (like FSM in Think of SW like a model (like FSM in HW) and verify it by first abstracting HW) and verify it by first abstracting away unnecessary statements with away unnecessary statements with user-defined predicatesuser-defined predicates

BP abstracts the original program:BP abstracts the original program:

if properties on BP hold, so as original if properties on BP hold, so as original oneone


Our Boolean SpecC based on Our Boolean SpecC based on the original Boolean programthe original Boolean program

is a subset of original programis a subset of original program ‘‘if-else’ conditions are replaced by if-else’ conditions are replaced by

proportional vars. e.g. if(x<y) -> if(c0)proportional vars. e.g. if(x<y) -> if(c0) Statements other than ‘notify/wait’ Statements other than ‘notify/wait’

and ‘if’, (ones that don’t effect the and ‘if’, (ones that don’t effect the sync.) are abstracted away (abstract sync.) are abstracted away (abstract unnecessary info.) unnecessary info.)

Only for verification of synchronizationOnly for verification of synchronization


Difference Decision Diagrams Difference Decision Diagrams ((DDDDDD))

Introduce by MIntroduce by MΦΦller, et ller, et al.al.

Symbolic representation Symbolic representation of ‘non-boolean’, such of ‘non-boolean’, such as inequality: less as inequality: less efficient if using BDDefficient if using BDD

DDD represents DDD represents difference constraints difference constraints (x-y≤c), x,y are (x-y≤c), x,y are integers, c is constantintegers, c is constant

Represents graph for¬(x−z<1)Λ(x−y≤0)Λ(y−z≤2)


ContentContent



Verification FlowsVerification Flows

Goals:Goals: Check whether given SpecC codes (with Check whether given SpecC codes (with

‘par’, ‘notify/wait’) are properly ‘par’, ‘notify/wait’) are properly synchronizedsynchronized

If checking fails, counter-examples should If checking fails, counter-examples should be generated (trace to source of errors)be generated (trace to source of errors)

Based on:Based on: Boolean SpecC, DDD, SVC, Program Boolean SpecC, DDD, SVC, Program

Slicing, ... Slicing, ...


Verification Flows(1)Verification Flows(1)

Yes

SpecC Source Program

Boolean SpecC

C++ with DDD

Parsed & Translated (1)


Verify:

PASS?

Users add some propertiesto be check

Synchronizationis

SATISFIED

Verification of SpecC synchronization

Verifying Stage:(current implementation)

SpecC source is parsed and translated into Boolean SpecC and then to C++ accompanied with DDD. Then, check for synchronization whether it is satisfied. If it is, terminates with SATISFIED. Otherwise, go to the next stage.

No



Yes


Boolean SpecC

C++ with DDD



Verify:

PASS?


Synchronizationis

SATISFIED




No


From Boolean SpecC to C++ From Boolean SpecC to C++ with DDDwith DDD

Header

Branching func.for DDD

Declare timing variables

Setup DDD graphs

Verify



Yes


Boolean SpecC

C++ with DDD



Verify:

PASS?


Synchronizationis

SATISFIED




No



No

Not realizableRealizable

VerifyCondition on Ci

PASS?

Refinement

Program Slicing

SVC

NO COUNTER-EXAMPLE DON’T KNOW COUNTER-EXAMPLE


Counter-example & Refinement Stage:(on-going work)

‘SVC’ and ‘Program Slicing’ may be considered to help verifying and refining the condition of predicate Ci. If it is not realizable, it means that the result is concrete enough to use as the COUNTER-EXAMPLE. UNSATISFIED when it is realizable, and DON’T KNOW, otherwise.

…


ContentContent



Verification ResultsVerification Results

Sleeping barber problemSleeping barber problem

barbercustomerempty chair

barber chair

• barber: finished cutting->call customer• barber: no customer->wait• customer: barber wait->has hair cut• customer: chairs occupied->come again• customer: a chair empty->wait


Verification ResultsVerification Results All take only a couple of seconds to All take only a couple of seconds to

verifyverify


ContentContent



Conclusion and Outlook(1)Conclusion and Outlook(1)

Verification of sync. in SpecC is Verification of sync. in SpecC is introducedintroduced

Boolean SpecC & DDD are accompanied Boolean SpecC & DDD are accompanied for abstraction and helping verificationfor abstraction and helping verification

Current implementation:Current implementation: Can handle basic SpecC constructs onlyCan handle basic SpecC constructs only Able to get some properties to be checkedAble to get some properties to be checked Verify for Satisfied or Unsatisfied (no error Verify for Satisfied or Unsatisfied (no error

trace): “Don’t know” is don’t know (no trace): “Don’t know” is don’t know (no support)support)


Conclusion and Outlook(2)Conclusion and Outlook(2)

Future plan:Future plan: When verification fails, try to give the When verification fails, try to give the

counter-examples (error trace)counter-examples (error trace) Based on error traces, plan to develop Based on error traces, plan to develop

automatic “refinement of abstractions”automatic “refinement of abstractions” Expand capability to support more Expand capability to support more

complex SpecC structure, e.g. loop, complex SpecC structure, e.g. loop, functions, recursivefunctions, recursive


Future plan (cont.)Future plan (cont.)

No

Not realizableRealizable

VerifyCondition on Ci

PASS?

Refinement

Program Slicing

SVC

NO COUNTER-EXAMPLE DON’T KNOW COUNTER-EXAMPLE


Counter-example & Refinement Stage:(on-going work)

‘SVC’ and ‘Program Slicing’ may be considered to help verifying and refining the condition of predicate Ci. If it is not realizable, it means that the result is concrete enough to use as the COUNTER-EXAMPLE. UNSATISFIED when it is realizable, and DON’T KNOW, otherwise.

…

Automatic

verification of synchronization in specc description with the use of difference decision diagrams

Documents

specc cont

specc description

specc codes

fujitaour boolean specc

st3 st3st1

original boolean programis

original onet

difference constraints