Inventing IC design technologies that will be vital to Intel. SCL. Compositional Specification and Verification in GSTE. Jin Yang, joint work with Carl Seger, Strategic CAD Labs, Intel Corp. CMU, March 23, 2004
Compositional Specification and Verification in GSTE
Compositional Specification and Verification in GSTE. Jin Yang, joint work with Carl Seger, Strategic CAD Labs, Intel Corp. CMU, March 23, 2004. Motivation: GSTE combines the high capacity of STE with the expressive power of traditional model checking (YS ICCD’00). PowerPoint presentation.
Transcript
Inventing IC design technologies that will be vital to Intel
SCL
Compositional Specification and Verification in GSTE
Jin Yang, joint work with Carl Seger, Strategic CAD Labs, Intel Corp.
CMU, March 23, 2004
GSTE2
Motivation
GSTE
– combines high capacity of STE with expressive power of traditional model checking (YS ICCD’00)
– provides a multi-dimensional approach to achieve high capacity while maintaining accuracy (YS FMCAD’02)
– has been used by FVers for > 1 year successfully on next-gen. Intel processors (Schubert ICCAD’03)
– part of FORTE public release
However
– assertion graph specification in GSTE is inherently sequential, but circuit behavior may be concurrent
Voting Machine
– a vote can be accepted at station i (through vote[i]=1,2,3) when it is available
– it outputs a voting result (vout=f(vote[1], vote[2], vote[3])) as soon as all three votes are in, and then makes the stations available for the next round.
Voting Machine (cont.)
Specification using an assertion graph causes exponential complexity
– order 1: vote[1], …, vote[2], …, vote[3]
Basics: Assertion Language
Assertion word – any word w = w[1] w[2] … w[k] over the assertion alphabet
– STE assertion: an assertion word
Assertion language – any set L of assertion words
– assertion graph: a regular assertion language
Memory example as a regular expression over assertion letters:
( wren & addr = A & din = D, true ) ( !wren | addr != A, true )* ( rden & addr = A, dout = D )
The same specification as an assertion graph with vertices vI, v1, v2:
– vI → v1: ( wren & addr = A & din = D, true )
– v1 → v1: ( !wren | addr != A, true )
– v1 → v2: ( rden & addr = A, dout = D )
Basics: Trace Semantics
Trace Satisfiability
– a trace $\sigma$ satisfies a word $w \in P(D)^*$ if $\forall\, 1 \le i \le |w|$, $\sigma(i) \models w[i]$
Trace Language
– assertion word
Comment:
• there is a unique solution to the system
• very much like CCS but with new
Example 1: Memory
Assertion graph with vertices vI, v1, v2:
– vI → v1: ( wren & addr = A & din = D, true )
– v1 → v1: ( !wren | addr != A, true )
– v1 → v2: ( rden & addr = A, dout = D )
Language equations (one language per vertex and per edge):
$L_I = \varepsilon + L_I \cdot (\text{true}, \text{true})$
$L_{I,1} = L_I \cdot (\text{wren} \,\&\, \text{addr} = A \,\&\, \text{din} = D, \text{true})$
$L_{1,1} = L_1 \cdot (!\text{wren} \mid \text{addr} \neq A, \text{true})$
$L_1 = L_{I,1} + L_{1,1}$
$L_2 = L_1 \cdot (\text{rden} \,\&\, \text{addr} = A, \text{dout} = D)$
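As an added example (not from the slides), the memory assertion graph above run over concrete traces in Python. It uses the usual GSTE reading of trace satisfaction: along every path from vI whose antecedents hold on the trace, each edge's consequent must hold at its cycle. The symbolic constants A and D are enumerated over small finite domains, and the trace format and both traces are constructed here.

```python
from collections import namedtuple
# One edge of an assertion graph: antecedent and consequent are predicates on a state.
Edge = namedtuple("Edge", "src dst ant cons")

def memory_graph(A, D):
    """The slides' memory graph for fixed A (address) and D (data): vI->v1 on a
    write of D to A, v1->v1 while A is not overwritten, v1->v2 on a read of A."""
    return [
        Edge("vI", "v1", lambda s: s["wren"] and s["addr"] == A and s["din"] == D,
             lambda s: True),
        Edge("v1", "v1", lambda s: (not s["wren"]) or s["addr"] != A,
             lambda s: True),
        Edge("v1", "v2", lambda s: s["rden"] and s["addr"] == A,
             lambda s: s["dout"] == D),
    ]

def check_trace(trace, edges, init="vI"):
    """Walk the trace with the set of vertices reached by paths whose antecedents
    all held so far.  vI stays active every cycle (L_I = eps + L_I . (true,true)),
    so a new path may start at any time.  Returns (cycle, src, dst) per violation."""
    active, violations = {init}, []
    for t, state in enumerate(trace):
        nxt = {init}
        for e in edges:
            if e.src in active and e.ant(state):
                if not e.cons(state):
                    violations.append((t, e.src, e.dst))
                nxt.add(e.dst)
        active = nxt
    return violations

def check_memory(trace, addrs, datas):
    """A and D are symbolic in STE; on a concrete trace we quantify them
    explicitly over the finite address and data domains."""
    return [(A, D) + v for A in addrs for D in datas
            for v in check_trace(trace, memory_graph(A, D))]

def cyc(wren=False, rden=False, addr=0, din=0, dout=0):
    """One cycle of a constructed trace (signal names from the slides)."""
    return dict(wren=wren, rden=rden, addr=addr, din=din, dout=dout)

# Constructed traces: a memory returning the last value written to each address,
# and one that returns stale data after address 1 is overwritten.
GOOD_TRACE = [cyc(wren=True, addr=1, din=7), cyc(), cyc(wren=True, addr=2, din=5),
              cyc(rden=True, addr=1, dout=7), cyc(rden=True, addr=2, dout=5)]
STALE_TRACE = [cyc(wren=True, addr=1, din=7), cyc(wren=True, addr=1, din=3),
               cyc(rden=True, addr=1, dout=7)]
```

On STALE_TRACE the overwrite kills the (A=1, D=7) path via the self-loop antecedent and starts an (A=1, D=3) path, so the read at cycle 2 violates that path's consequent.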
Example 2: Voting Machine (VM)
Block diagram: a Voting Machine with signals reset, avail[1], vote[1], avail[2], vote[2], avail[3], vote[3] and vout.
– a vote can be accepted at station i (through vote[i]=1,2,3) when it is available
– it outputs a voting result (vout=f(vote[1], vote[2], vote[3])) as soon as all three votes are in, and then makes the stations available for the next round.
for any language L in the solution, k≥0 k L is regular
– proof sketch
  • k≥0 k (Lj • j) = (k≥0 k Lj) • j
  • k≥0 k (L1 L2) = (k≥0 k L1) (k≥0 k L2)
  • k≥0 k (L1 L2) = (k≥0 k L1) (k≥0 k L2)
  • construct transitions for the states in P({k≥0 k L1, k≥0 k L2, …, k≥0 k Ln})
– since (L) = (k≥0 k L), this effectively provides a precise GSTE model checking solution for each L in the solution
– but the assertion graph for k≥0 k L may be exponentially large
Need more efficient solution!
Model $M = (S, R, L)$
– $S$ is a finite set of states
– $R \subseteq S \times S$ is a transition relation s.t. $\forall s\; \exists s', (s, s') \in R$
– $L: S \to D$ is a labeling function
Semantics
– run $\sigma: \mathbb{N} \to S$ s.t. $\forall i \ge 0, (\sigma(i), \sigma(i+1)) \in R$
– trace language of $M$: $\{ L(\sigma) \mid \sigma \text{ is a run of } M \}$
– satisfiability $M \models \bigcup_{0 \le i \le n} L_i$: the trace language of $M$ is contained in the trace language of $\bigcup_{0 \le i \le n} L_i$
Post-Image: $post(S') = \{ s \mid \exists s' \in S' \text{ s.t. } (s', s) \in R \}$
Simulation Relation
Definition: any mapping $R: \{L_0, L_1, \dots, L_n\} \to P(S)$ satisfying $s \in R(L_i)$ if $\exists w \in L_i$ and a run $\sigma$ of $M$ s.t. $\sigma(|w|) = s$ and $L(\sigma)$ sat. $ant(w)$
Theorem: if, whenever $L_i$ is $L_j$ extended by one assertion letter, $L(R(L_i))$ is contained in that letter's consequent, then $M \models \bigcup_{0 \le i \le n} L_i$
compGSTE
Initialization
for all L_i, R(L_i) := { };
compGSTE is approximate
– sound but not complete
– extended quaternary model abstraction (FMCAD 2002)
Abstraction refinement
– model refinement vs spec. refinement (FMCAD 2002)
– partial product construction on specifications (serialization)
Advantages over assume-guarantee based composition
– pure specification, implementation independent
Assume-guarantee based composition
– re-partition the model, re-specify interface assumptions
– re-run model checking
compGSTE
– specification unchanged, only re-run model checking
Case study: uop scheduler
– when a resource is available (avail = 1), schedule the oldest ready uop
– handles 10 uops at a time, >1k state elements, >17000 gates
– priority matrix, CAM, decision logic, power-saving feature etc.
Block diagram: receiving logic, CAM, priority matrix, ready logic, staging and CAM match, scheduling logic, delivering logic; signals uop, alloc, ready, avail, init, out, sched, wrback.
Main Result
Previous work w/ a state-of-the-art in-house symbolic model checker
– hundreds of small local properties
– only on the priority matrix
Compositional specification (top down)
– schedule uop[i], if “uop[i] is the oldest ready” and resource is available
– uop[i] is oldest ready, if “uop[i] is ready” and for all j ≠ i, either “uop[j] is not ready” or “uop[i] arrived earlier than uop[j]”
– …
– < 50 boolean variables for >1k state elements
Compositional model checking
– 122.5 seconds, 36M on P4 1.5GHz
– scalable - O(log2 #uops), BDD was not a bottleneck!
Detailed work is in writing
– hopefully in time for ICCAD
Conclusion
Summary of the compositional approach
– compositional specification to handle concurrency
– efficient compositional model checking