1 / 37

Sequential Encoding for Relational Analysis (SERA)

Validation and Verification of Software. Sequential Encoding for Relational Analysis (SERA). Fadi Zaraket, Sarfraz Khurshid, Adnan Aziz. Outline. Review of model checking with Alloy Finitization into a SAT problem Review of transformation based verification (TBV)

omar
Download Presentation

Sequential Encoding for Relational Analysis (SERA)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Validation and Verification of Software Sequential Encoding for Relational Analysis (SERA) Fadi Zaraket, Sarfraz Khurshid, Adnan Aziz

  2. Outline • Review of model checking with Alloy • Finitization into a SAT problem • Review of transformation based verification (TBV) • Alloy SAT instances and TBV • Sequential encoding of Alloy • Less variables, more TBV transforms • Results • Conclusion

  3. Alloy model checking compile, synthesize Properties: predicate valid() {…} predicate … … assert IntelAgentsKnowAllValidPeople for 5 SAT CNF netlist ! Graph<Vertices,Edges,Targets,Constraints> Vertices [input, NOT, OR, AND] Edges: inputs  [NOT, OR] OR  [AND] AND  [AND] No combinational cycles Targets ½ Vertices Constraints ½ Vertices Verify: targets never true while constraints hold Alloy model sig id {…} sig license extends id {…} sig passport extends id {…} … Environment: fact { passport in license}

  4. Problem Under Consideration Compilers, Synthesizers, Optimizers Properties: safety, liveliness, [correctness, progress,...] annotated vhdl or verilog, sugar, PSL, CTL, LTL, … equiv1( inputs, outputs), …. assertN(inputs, outputs) Netlist ! Graph<Vertices,Edges,Targets,Constraints> Vertices [input, register, NAND] Edges: Vertices  Vertices no combinational cycles Register:Gate next state function Gate initial value function Targets ½ Vertices Constraints ½ Vertices Verify: Targets never true while constraints hold Design RTL: vhdl, verilog, … decl name (inputs, outputs, bidi, generic) begin …. end Environment: input constraints annotated vhdl or verilog, sugar, PSL, CTL, LTL stmnt1( inputs) …. stmntN(inputs)

  5. Tree example • A tree is a non-empty undirected graph • connected and acyclic • connected and |edges| == |vertices| -1 • acyclic and |edges| == |vertices| -1 • connected and if one edge removed then not connected • acyclic and if one edge added then cyclic • All the 5 statements are equivalent

  6. Tree model sig V { E: set V } { some V } fact undirected { E = ~E} pred inCycle(v: V, c: V -> V) { v in v.c || some v': v.c | v' in v.*( c - (v -> v') - (v' -> v) ) } pred aCyclic() { all v: V | ! inCycle(v, E)} pred cyclic(c: V->V){ some v : V | inCycle(v, c)} pred connected(c: V->V) { all v1, v2 : V | v2 in v1.*c} pred connectedAndAcyclic() { connected(E) and aCyclic()} pred connectedAndCardinality() { connected(E) and (#E = #V + #V - 2) } assert equivalentStatements { connectedAndAcyclic() iff connectedAndCardinality() } check equivalentStatementsfor 5

  7. Alloy semantics • Relational first-order (FO) • No nested relations • quantifiers • propositional logic • Types are sets • relations are also sets • Finitization • scope makes model finite

  8. Alloy encoding [Jackson SIGSOFT’00] • Each relation is encoded into a bit-matrix • R(i,j) == 1 iff R: ai2A  bj2B • quantifiers are folded with conjunction (8) or disjunction (9) • expression mapped to tree of parameterized matrices of Boolean formulas

  9. Alloy encoding (continued) • Environment binds quantified variables only • Transitive closure: quadratic expansion • Variables and CNF clauses: doubly exponential in terms of scope and highest arity

  10. Outline • Review of model checking with Alloy • Finitization into a SAT problem • Review of transformation based verification (TBV) • Alloy SAT instances and TBV • Sequential encoding of Alloy • Less variables, more TBV transforms • Results • Conclusion

  11. Transformation-based verification (TBV) - 1 • Formal verification (FV) very powerful at exposing design flaws • increasing industrial acceptance of automatic FV technologies • Significant gap between industrial design sizes and FV capacity • formal analysis generally requires exponential resources • invariant checking: PSPACE – complete • induction: NP – complete, often inconclusive • semi-formal: NP – complete, falsification only

  12. TBV - 2 • Large designs pose verification challenges • Numerous polynomial-time transforms to reduce size • retiming, constant propagation, redundancy removal… • resource-bounded BDD and SAT-based abstractions • localization refinement, parametric re-encoding,… • TBV [Kuehlmann and Baumgartner, CAV’01] • synergistically leverage various transformation algorithms • iteratively simplify and decompose large problems • encapsulate into engines that interact via modular API

  13. RET: retiming example • Move registers backward/forward to reduce their count • synthesis: can not retime R1 and R2 with incompatible initial states • FV: no need to preserve i/o if we preserve the property checked • synthesis: can only realize backward constraints • FV: symbolic verification can accept negative registers

  14. T1 T1 T1 T2 T2 T2 Localization (LOC) or predicate abstraction spurious: refine localize • Overapproximate behavior of the netlist and search • Target not reachable: proof • Counterexample: apply it to original netlist • If actual: bug found • If spurious: refine and try again verify abstract counter example unreachable Proof apply to original

  15. TBV typical iterative flow: Netlist RING (120,000 registers, 20,000 inputs) 11 components 173 representatives Redundancy removal 8,342 registers 9,763 inputs Retiming Results p1 CMSA Results p2 Redundancy removal Results p3 12 components 241 representatives Re-parameterization CMSA Results p6 6,722 registers 8,783 inputs Redundancy removal Results p7 Semi-formal search 4,598 registers 8,543 inputs • Iterative predicates generated by previous runs of CMSA • Illustrates power of bit-level partitioning

  16. SAT model • SAT returns assignments to Boolean variables • Berkmin, MCHAFF, ZCHAFF, RELSAT • map assignments back to Alloy model • If no assignment exists, we have a proof within the scope • Pass CNF to TBV • combinational only: limited number of engines • redundancy removal, localization, parametric re-encoding • decision: circuit SAT

  17. Results: combinational SAT vs. TBV

  18. Outline • Review of model checking with Alloy • Finitization into a SAT problem • Review of transformation based verification (TBV) • Alloy SAT instances and TBV • Sequential encoding of Alloy • Less variables, more TBV transforms • Results • Conclusion

  19. Sequential encoding • Use less variables to encode the problem • trade complexity in space for complexity in time • use sequential encoding • Existence vectors and production machines • atom: register index over a specialized existence vector • relation: index = encode (<atom>, <atom>) • boolean operators: propositional statements • formulas: finite state production machines • Basic atoms and relations can be randomly initialized to any state

  20. Difference between sequential netlists and FSM • 2/3 bit write enabled buffer and simplified FSMs • Arcs omitted in 3 bits, labels omitted in both • Sequential netlist often more succinct than FSMs

  21. SERA component (production machine) • Inputs: [Y: index, T: relational data, C: control] • Outputs: [B: predicate, M: membership, N: cardinality, Q: validity, queries] • State registers: [X: membership, K: cardinality, U: validity] • next state function: , initial values: primary inputs

  22. index start 2[.] Priority counter State valid access cardinality SERA component • States: {invalid, productive, done, idle} • Memory: existVec[ index(<atom, …>)] • Cardinality: simple priority encoder • counter may be needed in some cases • Control: {start, valid-input, reset} • Boolean predicate: 2, Æ, 9, 8, … • Compositional input: access to [memory, cardinality, predicate] of other components

  23. Summary table for sequential encoding

  24. Example: statement3 with a scope of 2 • Pred: (all v1, v2 : V | v2 in v1.*c)and (#E = #V + #V – 2) • Two universal quantifier machines one contained in the other • Starts two V machines and gets two V atoms as indexes per step • Early termination: one valid false is enough to terminate

  25. Statement3 executed

  26. Example (continued) • Transitive closure (TC): v2 in v1.*c • Alloy rewritesas: <v1,v2> 2 *C • compositional access to the relation C • use iterative squaring and achieve logarithmic encoding • C0 = C • Cn+1 = ( Cn : Cn )[ Cn • Membership is valid after log(n) • function of C and log(n) local memory state variables • counter stores cardinality: avoids complex logic that checks total membership • usually drops with COI reductions since cardinality of TC is rarely checked • Kleene-star operation

  27. Transitive-closure optimization • v2 in v1.*c Alloy rewritesas: <v1,v2> 2 *C • advantage: only one big quadratic machine • Subset C into T = v1.C and check v22 T • disadvantage: multiple smaller quadratic machines • early termination: may not need them all • redundancy: exploited well by TBV • may as well reuse some of them if one production is guaranteed to finish before the others

  28. Set operators • Union: ordered sequential traversal of two machines • use unique order for variables: no duplicates • default: the order sigs appeared in the formula • Intersection: add a delay to preserve order • Complement: flag all compositional input • produce indexes with no flag • Subtract: implement with intersect and complement • Maybe interesting for redundancy: all these operations can be done by complement and transitive closure

  29. Transpose operator • Challenge since it forces a change of variable ordering • SERA rewrites the formula and pushes the transpose in the relation • Conflicts may occur, example E = ~E • append a duplicate atom • add a target that indicates the equivalency of the added atom • redundancy removal will take care of it later

  30. Predicates and propositional operators • Boolean operators trivial implementation: • the same Boolean construct with a valid state propagation • one valid truth is enough to propagate an OR • one valid false is enough to propagate an AND • Predicates generated from: • Boolean operators: Æ, Ç, ! • 8: fold(e, Æ) and 9: fold(e,Ç) with early termination • 2: existsVec[index(atom, …)] • [=, <, >] integer comparison: finitized into atoms in Alloy • Alternative: we may use regular ring arithmetic

  31. index index index index start start start start 2[.] 2[.] 2[.] 2[.] Priority Priority Priority Priority counter counter counter counter State State State State valid valid valid valid access access access access cardinality cardinality cardinality cardinality

  32. Implementation details • Limit scope to powers of two • Simplify counter logic used for indexing • Type determination is limited to a shift operation • Static analysis is now enough to determine the needed width of a tuple in a relation • Only one scope is allowed • Simplifies membership of types into a simple range check • No loss of generality: pick the highest

  33. Implementation details • Constrain initial states • False initial bits in existence vectors are always MSB • A simple priority encoder is enough to detect the cardinality • No loss of generality since it does alter the order of existing variables • Optimize relations and transitive closures using facts • fact {E = ~E}: only half of the matrix is meaningful

  34. Less variables and more transforms • Sequential encoding can be automated • Less variables and yet better: more TBV power • more cycles: may affect the complexity of the counter example • can be handled by BMC based counter example optimization techniques • Use sequential transforms • sequential equivalence, semi-formal search, target enlargement, compositional minimization, generalized retiming, bounded model checking… • Expert system is not an Alloy expert yet. • may get better in some time

  35. Experimental Results • As expected localization and minimization played a big role in proofs • Semi-formal search significant in fast counter example generation

  36. Conclusion • Reviewed Alloy and TBV • compared SAT with TBV on Alloy models • Automated sequential encoding of Alloy • enables TBV power • Less variables and more transforms • allowed us to scale our scopes up to 32 where Alloy Analyzer was limited to 7 • Future work: • mutation is more native: add native next state construct? • detect a scope that is enough to complete proof

  37. ?/!

More Related