Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification.

Compositional methods

Scaling up to large systems


Issue of scalability

• Model checking does not scale– State/BDD explosion– High asymptotic complexity (PSPACE complete)

• Can be applied– locally, to small modules– globally to simplified models

• Hence, model checking is mainly used as a “debugging” tool.

How do we “scale up” the method so we can use it for“verification”, not “refutation”?


Compositional proof

• Idea: use proof techniques to reduce a property to easier, localized properties.

property

decomposition

verification

proof assistant

model checker/decision procedure

abstraction


Simple assume/guarantee proof

• Thus, we localize the verification process• Note abstraction is needed to benefit from

decomposition.

pp q

q

A Bp q

verify using A

verify using B


Mutual property dependence• What about the case of mutual dependence?

• Note, this doesn’t work (why)?

A Bp q

q pp qp q


q pp q

Gp Gq

“Circular” compositional proofs

• Let p q stand for “if p up to time t-1, then q at t”

• Equivalent in LTL of (p U q)

• Now we can reason as follows:

That is, A only has to “behave” as long as B does, and vice-versa.

verify using A

verify using B


Temporal case splitting

p1 p2 p3 p4 p5

v1

...

Idea:Split cases on mostrecent writer w attime t.

: I'm O.K. attime t.

Rule can be used to decompose large arrays

i: G((w=i) )G


Combine with circular reasoning

p1 p2 p3 p4 p5

v1

...


To prove case w=i at time t, assume general case up to t-1:

still have many cases to prove...

i: ((w=i) )G


Reduction by symmetry

p1 p2 p3 p4 p5

v1

...


By symmetry, suffices to prove that writes by p1 are O.K.:

((w=1) )G

verify using p1


Example -- simple pipeline

• Goal: prove equivalence to unpipelined model(modulo delay)

32 registers

+

bypass

32 bits

control


Direct approach by model checking

• Model checking completely intractable due to large number of state variables ( > 2048 )

referencemodel d

elay

pipeline

=?

ops


Using reference model

Ref. Model

A

B

verify using A

verify using B

q p

q pp q

Gp Gq

unpipelined version


Decomposition for simple pipeline

32 registers

+

32 bits

control

correct valuesfrom reference

model

p = operand correctness

q = result correctnessp q

unit delay


Lemmas in “circular” proof

• Operand correctness– prove Gpa and Gpb, where:

pa is “stage2.valid stage2.opra = stage2.aux.opra”

pb is “stage2.valid stage2.oprb = stage2.aux.oprb”

• Result correctness– prove Gpr, where:

pa is “stage2.valid stage2.res = stage2.aux.res”

pa pb pr

pr pa

pr pb

Gpa Gpb Gpr


Abstraction for operands

Bit slicing results from "cone of influence reduction"(similarly in reference model)

32 registers

+

32 bits

control

correct valuesfrom reference

model

check q p withthis abstraction

p q


Resulting MC performance

• Operand correctness property

0

50

100

150

0 8 16 24 32

Number of registers

Run

tim

e (s

)80 state variables

3rd order fit

• Result correctness property– easy: comparison of 32 bit adders


Well, not really...

• That was a hand picked variable order• Actually, BDD's blow up due to bad

variable ordering– ordering based on topological distance

0

100

200

300

0 8 16 24 32

Number of registers

Run

tim

e (s

)


Problem with topological ordering

Register files should be interleaved, but this is not evident from topology

bypasslogic

=?results ref. reg. file

impl. reg. file


Sifting to the rescue (?)

• Lessons (?) :– Cannot expect to solve PSPACE problems

reliably– Need a strategy to deal with heuristics failure

1

10

100

1000

10000

0 8 16 24 32

Number of registers

Run

tim

e (s

)

Note:- Log scale- High variance


Predictability and metrics

• Reducing the number of state variables

1

0

Ver

ific

atio

n p

rob

ab

ilit

y

# state bits

decomposition

– If heuristics fail, other reductions are available

2048 bits?80 bits

~600 orders of magnitude in state space size


Case split for simple pipeline

• Show only correctness for operands fetched from register i

Abstract remaining registers to "bottom"

• Result– 23 state bits in model

– Checking one case = ~1 sec

What about the 32 cases?

i: G(srca=i pa)

Gpa)


Exploiting symmetry

• Symmetric types– Semantics invariant under permutations of type.– Enforced by type checking rules.

• Symmetry reduction rule– Choose a set of representative cases under symmetry

• Type REG is symmetric– One representative case is sufficient (~1 sec)

• Time savings from case split: ~5 orders

But wait, there's more...


Data type reductions

• Problem: types with large ranges• Solution: reduce large (or infinite) types

where T\i represents all the values in T except i.

• Abstract interpretation

T i T i { , \ }

i T i

i

T i

\

\ { , }

1 0

0 0 1


Type reduction for simple pipeline

• Only register i is relevant• Reduce type REG to two values:

REG {i,REG\i}

• Number of state bits is now 11• Verification time is now independent of register file size.

Note: can also abstract out arithmetic verification using uninterpreted functions...


Overview of proof strategy

• Decompose structurally using circular compositional proof

• Parameterize to decompose large structures

• Reduce to finite number of cases using symmetry

• Reduce to bounded variables using data abstraction

• Check validity with model checker


Effect of decomposition

1

0

Ver

ific

atio

n p

rob

ab

ilit

y

# state bits

original systemreductionreduction

– Manual decomposition produces order of magnitude reductions in number of state bits

– Inflexion point in curve crossed very rapidly

20488411


Tomasulo’s algorithm

• Execute instructions in data flow order

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

TAGGED RESULTS

INSTRUCTIONS

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

REGFILE


Compositional proof

• Decompose into two lemmas

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

TAGGED RESULTS

INSTRUCTIONS

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

REGFILE

Lemma 1:Correct operands

Lemma 2:Correct results

Essentially the same lemmas as in the simple pipeline


Refinement of cache protocol

S/F network

protocol

hostprotocol

host

protocol

host

Distributedcachecoherence

INTF

P P

M IO

to net

• Non-deterministic reference model• Atomic actions• Single address abstraction• Verified coherence, etc...


Mapping protocol to RTL

S/F network

protocol

host otherhostsAbstract

model

CAMT

AB

LE

S

refinementrelations

TAGS

~30K lines of Verilog


Linear v. branching time

• Model checking v. compositional verificationM | | )

fixed model for all models

• Verification complexity (in formula size)

compositional

model checking

CTL LTL

linear

EXP

PSPACE

PSPACE

In practice, with LTL, we can mostly recover linear complexity...


Compositional w/ branching

• Assume/guarantee [GL94]:– {q} M {p} means M satisfies p in all

environments satisfying q.– For ACTL, check is exponential in q but linear in

p– Compositional proof:{q} M1 {r}

{r} M2 {p}

{q} M1 || M2 {p}Problems: - limited expressiveness of ACTL - no “circular” proofs

Thus, LTL is preferred for compositional.


Theorem provers

• General purpose tools, characterized by– highly expressive logics– detailed user guidance

• Strategy: proof by invariant

• Tradeoff:– Q cannot be temporal temporal– Q can be first-order (not finite-state!)

Q(0), Q(t) Q(t+1), Q(t) P(t)t: P(t)


Decomposition of invariants

• Problem: invariants of complex systems (esp. with complex control) are very large.

• Solution: decompose invariants...

iQi(t) Q(t)

Q0(0), Q(t) Q0(t+1)

Q1(0), Q(t) Q1(t+1)

...t: Q(t)


TP v. CMC

• Compositional model checking– Temporal properties are “free”– Function symbols and quantifiers handles manually

• Theorem proving– Must use inductive invariants

• very complex for control-intensive systems

– Function symbols and quantifiers are “free”

So, TP tends to be good for arithmetic [MLK98], whileCMC is good for control-dominated systems [Eir98].

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Documents

cadence design systems

p b p r p r p

abstraction p q slide

ab pq q p p q slide

p r p b gp

p p q q ab pq

reference model p

b slide