1 Compositional Methods and Symbolic Model Checking Ken McMillan Cadence Berkeley Labs.
Page 1
Compositional Methods and
Symbolic Model Checking
Ken McMillan
Cadence Berkeley Labs
Page 2
Compositional methods
Reduce large verification problems to small ones by
– Decomposition
– Abstraction
– Specialization
– etc.
Based on symbolic model checking
System level verification
Will consider the implications of such an approach for symbolic model checking
Page 3
Example -- Cache coherence
[Figure: distributed cache coherence; several protocol hosts connected by an S/F network; each host contains an INTF, two P units, M and IO, with a link to the net]
Nondeterministic abstract model
Atomic actions
Single address abstraction
Verified coherence, etc...
(Eiriksson 98)
Page 4
Abstract model
Refinement to RTL level
[Figure: the abstract model (S/F network, protocol host, other hosts) is related by refinement relations to the RTL implementation (~30K lines of Verilog) with its CAM, TABLES and TAGS structures]
Page 5
Contrast to block level verification
Block verification approach to capacity problem
– isolate small blocks
– place ad hoc constraints on inputs
This is falsification because
– constraints are not verified
– block interactions not exposed to verification
Result: FV does not replace any simulation activity
Page 6
What are the implications for SMC?
Verification and falsification have different needs
– Proof is as strong as its weakest link
– Hence, approximation methods are not attractive.
Importance of predictability and metrics
– Must have reliable decomposition strategies
Implications of using linear vs. branching time.
[Figure: a linear trace labelled p, q, r, s, t]
Page 7
Predictability
Require metrics that predict model checking hardness
– Most important is number of state variables
[Chart: verification probability (from 1 down to 0) against # state bits, with separate curves for verification and falsification; the original system is moved left by successive reductions]
– Powerful MC can save steps, but is not essential
– Predictability more important than capacity
Page 8
Example -- simple pipeline
Goal: prove equivalence to unpipelined model (modulo delay)
[Figure: pipeline with 32 registers of 32 bits, an adder (+), a bypass path and control]
Page 9
Direct approach by model checking
Model checking completely intractable due to large number of state variables ( > 2048 )
[Figure: the same ops feed the reference model (through a delay) and the pipeline; their outputs are compared (=?)]
Page 10
Compositional refinement verification
[Figure: abstract model and system related by translations]
Page 11
Localized verification
[Figure: abstract model and system related by translations; one translation is assumed, the other proved]
Page 12
Localized verification
[Figure: abstract model and system related by translations; the roles of the assumed and proved translations are exchanged]
Page 13
Circular inference rule
[Figure: SPEC decomposed into two parts, 1 and 2]
¬(φ1 U ¬φ2)    (φ1 up to t-1 implies φ2 up to t)
¬(φ2 U ¬φ1)    (φ2 up to t-1 implies φ1 up to t)
-----------
G(φ1 ∧ φ2)     (always φ1 and φ2)
(related: AL 95, AH 96)
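As an added example (not from the slides), the rule above checked on finite traces, next to the non-inductive variant G φ2 → G φ1, G φ1 → G φ2 that one might naively write; the finite-trace setting, the sample traces and the function names are assumptions made here for illustration.

```python
# Added example, not from the slides: the circular rule on finite traces.
# A trace is a list of (phi1, phi2) booleans per time step (constructed data).
from itertools import product

def holds_up_to(trace, k, t):
    """phi_k (k = 0 for phi1, 1 for phi2) holds at every step before t."""
    return all(step[k] for step in trace[:t])

def premise(trace, k, j):
    """not (phi_k U not phi_j): whenever phi_k held up to t-1, phi_j holds at t."""
    return all(trace[t][j] or not holds_up_to(trace, k, t) for t in range(len(trace)))

def circular_rule(trace):
    """The slide's rule.  Returns (premises_hold, conclusion_holds).  On a finite
    trace the premises force the conclusion by induction on t: both phi held
    before t, so each premise delivers its phi at t (base case: t = 0, vacuous)."""
    prem = premise(trace, 0, 1) and premise(trace, 1, 0)
    concl = all(a and b for a, b in trace)
    return prem, concl

def naive_rule(trace):
    """The non-inductive variant: G phi2 -> G phi1 and G phi1 -> G phi2.  Both
    premises hold vacuously when neither phi ever holds, so the conclusion
    G(phi1 and phi2) does not follow from them."""
    g1 = all(a for a, _ in trace)
    g2 = all(b for _, b in trace)
    prem = (not g2 or g1) and (not g1 or g2)
    return prem, g1 and g2

def sound(rule, n):
    """Exhaustively check, over all 4**n traces of length n, that the rule's
    premises imply its conclusion."""
    for bits in product([False, True], repeat=2 * n):
        prem, concl = rule(list(zip(bits[:n], bits[n:])))
        if prem and not concl:
            return False
    return True
```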
Page 14
Decomposition for simple pipeline
[Figure: pipeline (32 registers, +, 32 bits, control) with correct values from the reference model injected; properties φ1 and φ2 marked]
φ1 = operand correctness
φ2 = result correctness
Page 15
Lemmas in SMV
Operand correctness
layer L1:
  if(stage2.valid){
    stage2.opra := stage2.aux.opra;
    stage2.oprb := stage2.aux.oprb;
    stage2.res := stage2.aux.res;
  }
Page 16
Effect of decomposition
Bit slicing results from "cone of influence reduction"
(similarly in reference model)
[Figure: pipeline (32 registers, +, 32 bits, control) with correct values from the reference model; φ1 proved, φ2 assumed]
Page 17
Resulting MC performance
Operand correctness property
[Chart: run time (s), 0 to 140, against number of registers, 0 to 32; 80 state variables; 3rd order fit]
Result correctness property
– easy: comparison of 32 bit adders
Page 18
NOT! Previous slide showed hand picked variable order
Actually, BDD's blow up due to bad variable ordering
– ordering based on topological distance
[Chart: run time (s), 0 to 300, against number of registers, 0 to 32]
Page 19
Problem with topological ordering
Register files should be interleaved, but this is not evident from topology
[Figure: reference register file and implementation register file feed, through the bypass logic, a comparison (=?) of results]
Page 20
Sifting to the rescue (?)
Lessons (?) :
– Cannot expect to solve PSPACE problems reliably
– Need a strategy to deal with heuristic failure
[Chart: run time (s), 1 to 10000 on a log scale, against number of registers, 0 to 32]
Note: log scale, high variance
Page 21
Predictability and metrics
Reducing the number of state variables
[Chart: verification probability (1 down to 0) against # state bits; decomposition moves the system left]
– If heuristics fail, other reductions are available
2048 bits → 80 bits
~600 orders of magnitude in state space size
Page 22
Big structures and path splitting
[Figure: SPEC, P and PA, with an index i]
Page 23
Temporal case splitting
Prove separately that p holds at all times when v = i.
∀i : G((v = i) → p)
------------------
G p
Path splitting
[Figure: v records the register index; one case G((v = i) → p) per value i]
Page 24
Case split for simple pipeline
Show only correctness for operands fetched from register i
forall(i in REG) subcase L1[i] of stage2.opra//L1 for stage2.aux.srca = i;
Abstract remaining registers to "bottom"
Result
– 23 state bits in model
– Checking one case = ~1 sec
What about the 32 cases?
Page 25
Exploiting symmetry
Symmetric types
– Semantics invariant under permutations of type.
– Enforced by type checking rules.
Symmetry reduction rule
– Choose a set of representative cases under symmetry
Type REG is symmetric
– One representative case is sufficient (~1 sec)
Estimated time savings from case split: 5 orders
But wait, there's more...
Page 26
Data type reductions
Problem: types with large ranges
Solution: reduce large (or infinite) types
T → {i, T\i}
where T\i represents all the values in T except i.
Abstract interpretation (of the equality test):
   =   |  i  |  T\i
   i   |  1  |   0
  T\i  |  0  | {0,1}
Page 27
Type reduction for simple pipeline
Only register i is relevant
Reduce type REG to two values:
using REG->{i} prove stage2.opra//L1[i];
Number of state bits is now 11
Verification time is now independent of register file size.
Note: can also abstract out arithmetic verification using uninterpreted functions...
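As an added example (not from the slides), the reduction T → {i, T\i} of pages 26 and 27 and its equality table written out in Python, with a brute-force soundness check against a small concrete type; the bypass_choices helper is an assumption made here to show where the {0,1} entry matters in the pipeline.

```python
# Added example, not from the slides: the data type reduction T -> {i, T\i} as a
# three-valued abstract interpretation of the equality test, checked for
# soundness by brute force against a small concrete type.
from itertools import product

OTHER = 'T\\i'   # abstract value standing for every element of T except i

def alpha(x, i):
    """Abstraction map: the chosen index i stays concrete, all others collapse."""
    return i if x == i else OTHER

def abs_eq(a, b):
    """Abstract equality, following the slide's table: i = i gives {1}, i against
    T\\i gives {0}, and T\\i against T\\i gives {0,1}, because two collapsed
    values may or may not be the same concrete element."""
    if a == OTHER and b == OTHER:
        return {0, 1}
    return {1} if a == b else {0}

def eq_sound(size, i):
    """Soundness: for every concrete pair the concrete result must be among the
    abstract results.  Returns the list of violations (empty when sound)."""
    bad = []
    for x, y in product(range(size), repeat=2):
        if int(x == y) not in abs_eq(alpha(x, i), alpha(y, i)):
            bad.append((x, y))
    return bad

def bypass_choices(src_abs, dst_abs):
    """Hypothetical bypass decision 'src == dst' under the reduced type.  When
    both indices are T\\i the decision is left nondeterministic; the model
    checker explores both outcomes, which is what makes the other registers
    irrelevant to the property about register i."""
    return sorted(abs_eq(src_abs, dst_abs))
```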
Page 28
Effect of reduction
[Chart: verification probability (1 down to 0) against # state bits; the original system at 2048 bits is reduced to 84 and then to 11]
– Manual decomposition produces order of magnitude reductions in number of state bits
– Inflexion point in curve crossed very rapidly
Page 29
Desiderata for model checking methods
Importance of predictability and metrics
– Proof strategy based on reliable metric (# state bits)
– Prefer reliable performance in given range to occasional success on large problems *
  e.g., stabilize variable ordering
– Methods that diverge unpredictably for small problems are less useful (e.g., infinite state, widening)
Moderate performance improvements are not that important
– Reduction steps gain multiple orders of magnitude
Approximations not appropriate
* given PSPACE completeness
Page 30
Linear v branching time
Model checking v compositional verification
Model checking: M ⊨ … (fixed model); compositional verification: ⊨ … (for all models)
Verification complexity (in formula size):
                   CTL     LTL
model checking     linear  PSPACE
compositional      EXP     PSPACE
In practice, with LTL, we can mostly recover linear complexity...
Page 31
Avoiding "tableau variables"
Problem: added state variables for LTL operators
v_Fp = p ∨ X v_Fp   (tableau variable for Fp)
Eliminating tableau variables
– Push path quantifiers inward (LTL to CTL*)
– Transition formulas (CTL+)
– Extract transition and fairness constraints
Page 32
Translating LTL to CTL*
Rewrite rules
A¬p → ¬Ep              E¬p → ¬Ap
A(p ∧ q) → Ap ∧ Aq     E(p ∨ q) → Ep ∨ Eq
AXp → AXAp             EXp → EXEp
In addition, if p is boolean,
E(p ∧ q) → p ∧ Eq      A(p ∨ q) → p ∨ Aq
E(p U q) → E(p U Eq)   A(p U q): no rule
By adding path quantifiers, we eliminate tableau variables
Page 33
Rewrites that don't work
A(p U Xq) → A(p U AXq)
[Counterexample: branching trace labelled p p p q / q]
E(Xp U Xq) → E(Xp U EXq)
[Counterexample: branching trace labelled p p / q]
Page 34
Examples
LTL formulas that translate to CTL formulas
G(p → Fq)  ⇒  AG(p → AFq)   (note singly nested fixed point)
G(p → (p W q))  ⇒  AG(p → A(p W q))
Incomplete rewriting (to CTL*)
G(p → F(q ∧ Xq))  ⇒  AG(p → AF(q ∧ Xq))
Note: 3 tableau variables reduced to 1
Conjecture: all resulting formulas are forward checkable
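As an added example (not from the slides), the rewrite rules of page 32 applied top-down to the examples above and to the two rewrites of page 33 that must not fire, with a count of the tableau variables left; the tuple encoding, the treatment of F and G as abbreviations via U, the implicit outer A of an LTL property and the counting convention in the docstring are assumptions made here.

```python
# Added example, not from the slides: LTL -> CTL* rewriting with the slide's
# rules, plus a count of the tableau variables the result still needs.
# Formulas are nested tuples: atom 'p', ('not', f), ('and', f, g), ('or', f, g),
# ('X', f), ('U', f, g), ('A', f), ('E', f).  F and G are abbreviations via U.
TRUE = 'true'

def F(f): return ('U', TRUE, f)
def G(f): return ('not', F(('not', f)))
def implies(p, q): return ('or', ('not', p), q)

def boolean(f):
    """State formula: no temporal operators and no path quantifiers."""
    if isinstance(f, str):
        return True
    return f[0] in ('not', 'and', 'or') and all(boolean(x) for x in f[1:])

def push(q, f):
    """Push path quantifier q ('A' or 'E') into f with the slide's rules."""
    dual = 'E' if q == 'A' else 'A'
    if boolean(f):                                  # Ap = p for a state formula
        return f
    op = f[0]
    if op == 'not':                                 # A!p -> !Ep, E!p -> !Ap
        return ('not', push(dual, f[1]))
    if op == 'X':                                   # AXp -> AXAp, EXp -> EXEp
        return (q, ('X', push(q, f[1])))
    if len(f) < 3:                                  # nested A/E: leave alone
        return (q, f)
    a, b = f[1], f[2]
    if op == 'and' and q == 'A':                    # A(p&q) -> Ap & Aq
        return ('and', push(q, a), push(q, b))
    if op == 'or' and q == 'E':                     # E(p|q) -> Ep | Eq
        return ('or', push(q, a), push(q, b))
    if op in ('and', 'or') and boolean(a):          # p boolean: E(p&q)->p&Eq, A(p|q)->p|Aq
        return (op, a, push(q, b))
    if op == 'U' and q == 'E' and boolean(a):       # p boolean: E(p U q) -> E(p U Eq)
        return ('E', ('U', a, push('E', b)))
    return (q, f)                                   # A(p U q) and the rest: no rule

def rewrite(ltl):
    """An LTL property holds on all paths, so start with an implicit A."""
    return push('A', ltl)

def tableau_vars(f, under_quantifier=False):
    """A temporal operator directly under a path quantifier is a CTL modality and
    costs nothing; every other X or U needs one tableau state variable."""
    if isinstance(f, str):
        return 0
    if f[0] in ('A', 'E'):
        return tableau_vars(f[1], True)
    cost = 1 if f[0] in ('X', 'U') and not under_quantifier else 0
    return cost + sum(tableau_vars(x) for x in f[1:])
```

The result for G(p → Fq) is ¬EF¬(¬p ∨ AFq), which is AG(p → AFq) written with the U abbreviation, and the incomplete example keeps exactly the one X that a tableau variable still has to encode.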
Page 35
Transition modalities
Transition formulas: p → Xq, v' = v + 1 (but not XXq)
CTL+ state modalities: A(p U q), E(p U q) where p is a transition formula; Ap, Ep
Example CTL+ formulas: X AFp; AG A(p → Xq); ¬E((p ∧ ¬Xp) U (p ∧ q))
CTL+ still checkable in linear time
Page 36
Constraint extraction
Extracting path constraints
A(Gp → q) ⇒ A(q, p)   where p is a transition formula
A(GFp → q) ⇒ A(q, {GFp})
Using rewriting and above...
GFp → GFq  ⇒  AG AFq w/ fairness const. GFp
Circular compositional reasoning
G U
A U
) : :̂
: :̂
( ( ))
( ( ))
If … and … are transition formulas, this is in CTL+, hence complexity is linear
Note: typically … are very large, and … is small
Page 37
Effect of reducing LTL to CTL+
In practice, tableau variables rarely needed
Thus, complexity exponential only in # of state variables
– Important metric for proof strategy
Doubly nested fixed points used only where needed
– I.e., when fairness constraints apply
Forward and backward traversal possible
– Curious point: backward is commonly faster in refinement verification
Page 38
SMC for compositional verification
Cannot expect to solve PSPACE complete problems reliably
– User reductions provide fallback when heuristics fail
– Robust metrics are important to proof strategy
Each user reduction gains many orders of magnitude
– Modest performance improvements not very important
Exact verification is important
Must be able to handle linear time efficiently
BDD's are great fun, but...