November 2005

Sequential Encoding for Relational Analysis (SERA)

Fadi Zaraket, Sarfraz Khurshid, Adnan Aziz

Validation and Verification of Software

2

Outline

Review of model checking with Alloy

Finitization into a SAT problem

Review of transformation based verification (TBV)

Alloy SAT instances and TBV

Sequential encoding of Alloy

Less variables, more TBV transforms

Results

Conclusion

3

Alloy model checking

Alloy model

sig id {…}sig license extends id {…} sig passport extends id {…}…

Environment:fact { passport in license}

Properties:

predicate valid() {…}predicate ……assert IntelAgentsKnowAllValidPeople for 5

compile, synthesize

SAT CNF netlist !

Graph<Vertices,Edges,Targets,Constraints>Vertices [input, NOT, OR, AND]

Edges: inputs [NOT, OR]OR [AND]AND [AND]No combinational cycles

Targets ½ Vertices Constraints ½ Vertices

Verify: targets never true while constraints hold

4

Problem Under Consideration

Design RTL: vhdl, verilog, …

decl name (inputs, outputs, bidi, generic)begin….end

Environment: input constraintsannotated vhdl or verilog, sugar, PSL, CTL, LTL

stmnt1( inputs)….stmntN(inputs)

Properties: safety, liveliness, [correctness, progress,...]annotated vhdl or verilog, sugar, PSL, CTL, LTL, …equiv1( inputs, outputs), ….assertN(inputs, outputs)

Compilers, Synthesizers, Optimizers

Netlist !

Graph<Vertices,Edges,Targets,Constraints>Vertices [input, register, NAND]Edges: Vertices Vertices

no combinational cycles

Register:Gate next state functionGate initial value function

Targets ½ Vertices Constraints ½ Vertices

Verify: Targets never true while constraints hold

5

Tree example

A tree is a non-empty undirected graph

connected and acyclic

connected and |edges| == |vertices| -1

acyclic and |edges| == |vertices| -1

connected and if one edge removed then not connected

acyclic and if one edge added then cyclic

All the 5 statements are equivalent

6

Tree modelsig V { E: set V } { some V }fact undirected { E = ~E}

pred inCycle(v: V, c: V -> V) { v in v.c || some v': v.c | v' in v.*( c - (v -> v') - (v' -> v) )}

pred aCyclic() { all v: V | ! inCycle(v, E)}pred cyclic(c: V->V){ some v : V | inCycle(v, c)}

pred connected(c: V->V) { all v1, v2 : V | v2 in v1.*c}

pred connectedAndAcyclic() { connected(E) and aCyclic()}pred connectedAndCardinality() { connected(E) and (#E = #V + #V - 2) }

assert equivalentStatements { connectedAndAcyclic() iff connectedAndCardinality() }

check equivalentStatements for 5

7

Alloy semantics

Relational first-order (FO)

No nested relations

quantifiers

propositional logic

Types are sets

relations are also sets

Finitization

scope makes model finite

8

Alloy encoding [Jackson SIGSOFT’00]

Each relation is encoded into a bit-matrix

R(i,j) == 1 iff R: ai 2 A bj 2 B

quantifiers are folded with conjunction (8) or disjunction (9)

expression mapped to tree of parameterized matrices of Boolean formulas

9

Alloy encoding (continued)

Environment binds quantified variables only

Transitive closure: quadratic expansion

Variables and CNF clauses: doubly exponential in terms of scope and highest arity

10

Outline

Review of model checking with Alloy

Finitization into a SAT problem

Review of transformation based verification (TBV)

Alloy SAT instances and TBV

Sequential encoding of Alloy

Less variables, more TBV transforms

Results

Conclusion

11

Transformation-based verification (TBV) - 1

Formal verification (FV) very powerful at exposing design flaws

increasing industrial acceptance of automatic FV technologies

Significant gap between industrial design sizes and FV capacity

formal analysis generally requires exponential resources

invariant checking: PSPACE – complete

induction: NP – complete, often inconclusive

semi-formal: NP – complete, falsification only

12

TBV - 2

Large designs pose verification challenges

Numerous polynomial-time transforms to reduce size

retiming, constant propagation, redundancy removal…

resource-bounded BDD and SAT-based abstractions• localization refinement, parametric re-encoding,…

TBV [Kuehlmann and Baumgartner, CAV’01]

synergistically leverage various transformation algorithms

iteratively simplify and decompose large problems

encapsulate into engines that interact via modular API

13

RET: retiming example

Move registers backward/forward to reduce their count

synthesis: can not retime R1 and R2 with incompatible initial states

FV: no need to preserve i/o if we preserve the property checked

synthesis: can only realize backward constraints

FV: symbolic verification can accept negative registers

14

Localization (LOC) or predicate abstraction

Overapproximate behavior of the netlist and search

Target not reachable: proof

Counterexample: apply it to original netlist

• If actual: bug found• If spurious: refine and try again

T2

T1

T2

T1

T2

T1

localizespurious: refine

abstract verify

counter exampleapply to original unreachableProof

15

TBV typical iterative flow:

Iterative predicates generated by previous runs of CMSA

Illustrates power of bit-level partitioning

Redundancyremoval

Retiming

Semi-formal search

Re-parameterization

Results p1

4,598 registers8,543 inputs

CMSA

Redundancyremoval

Redundancyremoval

CMSA

8,342 registers9,763 inputs

6,722 registers8,783 inputs

Netlist RING(120,000 registers, 20,000 inputs)

Results p2

Results p3

Results p6

Results p7

11 components173

representatives

12 components241

representatives

16

SAT model

SAT returns assignments to Boolean variables

Berkmin, MCHAFF, ZCHAFF, RELSAT

map assignments back to Alloy model• If no assignment exists, we have a proof within the scope

Pass CNF to TBV

combinational only: limited number of engines• redundancy removal, localization, parametric re-encoding

decision: circuit SAT

17

Results: combinational SAT vs. TBV

18

Outline

Review of model checking with Alloy

Finitization into a SAT problem

Review of transformation based verification (TBV)

Alloy SAT instances and TBV

Sequential encoding of Alloy

Less variables, more TBV transforms

Results

Conclusion

19

Sequential encoding

Use less variables to encode the problem

trade complexity in space for complexity in time

use sequential encoding

Existence vectors and production machines

atom: register index over a specialized existence vector

relation: index = encode (<atom>, <atom>)

boolean operators: propositional statements

formulas: finite state production machines

Basic atoms and relations can be randomly initialized to any state

20

Difference between sequential netlists and FSM

2/3 bit write enabled buffer and simplified FSMs

Arcs omitted in 3 bits, labels omitted in both

Sequential netlist often more succinct than FSMs

21

SERA component (production machine)

Inputs: [Y: index, T: relational data, C: control]

Outputs: [B: predicate, M: membership, N: cardinality, Q: validity, queries]

State registers: [X: membership, K: cardinality, U: validity]

next state function: , initial values: primary inputs

22

SERA component

States: {invalid, productive, done, idle}

Memory: existVec[ index(<atom, …>)]

Cardinality: simple priority encoder

counter may be needed in some cases

Control: {start, valid-input, reset}

Boolean predicate: 2, Æ, 9, 8, …

Compositional input: access to [memory, cardinality, predicate] of other components

2[.] Priority

State

counter

start index

accessvalidcardinality

23

Summary table for sequential encoding

24

Example: statement3 with a scope of 2

Pred: (all v1, v2 : V | v2 in v1.*c) and (#E = #V + #V – 2)

Two universal quantifier machines one contained in the other

Starts two V machines and gets two V atoms as indexes per step•Early termination: one valid false is enough to terminate

25

Statement3 executed

26

Example (continued)

Transitive closure (TC): v2 in v1.*c

Alloy rewrites as: <v1,v2> 2 *C

compositional access to the relation C

use iterative squaring and achieve logarithmic encoding• C0 = C• Cn+1 = ( Cn : Cn )[ Cn

Membership is valid after log(n)

function of C and log(n) local memory state variables

counter stores cardinality: avoids complex logic that checks total membership

usually drops with COI reductions since cardinality of TC is rarely checked

Kleene-star operation

27

Transitive-closure optimization

v2 in v1.*c Alloy rewrites as: <v1,v2> 2 *C

advantage: only one big quadratic machine

Subset C into T = v1.C and check v2 2 T

disadvantage: multiple smaller quadratic machines

early termination: may not need them all

redundancy: exploited well by TBV

may as well reuse some of them if one production is guaranteed to finish before the others

28

Set operators

Union: ordered sequential traversal of two machines

use unique order for variables: no duplicates

default: the order sigs appeared in the formula

Intersection: add a delay to preserve order

Complement: flag all compositional input

produce indexes with no flag

Subtract: implement with intersect and complement

Maybe interesting for redundancy: all these operations can be done by complement and transitive closure

29

Transpose operator

Challenge since it forces a change of variable ordering

SERA rewrites the formula and pushes the transpose in the relation

Conflicts may occur, example E = ~E

append a duplicate atom

add a target that indicates the equivalency of the added atom

redundancy removal will take care of it later

30

Predicates and propositional operators

Boolean operators trivial implementation:

the same Boolean construct with a valid state propagation

one valid truth is enough to propagate an OR

one valid false is enough to propagate an AND

Predicates generated from:

Boolean operators: Æ, Ç, !

8: fold(e, Æ) and 9: fold(e,Ç) with early termination

2: existsVec[index(atom, …)]

[=, <, >] integer comparison: finitized into atoms in Alloy • Alternative: we may use regular ring arithmetic

31

2[.

]P

riorit

y

Sta

te

counter

star

tin

dex

acce

ssva

lid card

inal

ity

2[.

]P

riorit

y

Sta

te

counter

star

tin

dex

acce

ssva

lid card

inal

ity

2[.

]P

riorit

y

Sta

tecounte

r

star

tin

dex

acce

ssva

lid card

inal

ity

2[.

]P

riorit

y

Sta

te

counter

star

tin

dex

acce

ssva

lid card

inal

ity

32

Implementation details

Limit scope to powers of two

Simplify counter logic used for indexing

Type determination is limited to a shift operation

Static analysis is now enough to determine the needed width of a tuple in a relation

Only one scope is allowed

Simplifies membership of types into a simple range check

No loss of generality: pick the highest

33

Implementation details

Constrain initial states

False initial bits in existence vectors are always MSB

A simple priority encoder is enough to detect the cardinality

No loss of generality since it does alter the order of existing variables

Optimize relations and transitive closures using facts

fact {E = ~E}: only half of the matrix is meaningful

34

Less variables and more transforms

Sequential encoding can be automated

Less variables and yet better: more TBV power

more cycles: may affect the complexity of the counter example

can be handled by BMC based counter example optimization techniques

Use sequential transforms

sequential equivalence, semi-formal search, target enlargement, compositional minimization, generalized retiming, bounded model checking…

Expert system is not an Alloy expert yet.

may get better in some time

35

Experimental Results

As expected localization and minimization played a big role in proofs

Semi-formal search significant in fast counter example generation

36

Conclusion

Reviewed Alloy and TBV

compared SAT with TBV on Alloy models

Automated sequential encoding of Alloy

enables TBV power

Less variables and more transforms

allowed us to scale our scopes up to 32 where Alloy Analyzer was limited to 7

Future work:

mutation is more native: add native next state construct?

detect a scope that is enough to complete proof

37

?/!