Predicate Abstraction for Software and Hardware Verification - PowerPoint PPT Presentation

About This Presentation
Title:

Predicate Abstraction for Software and Hardware Verification

Description:

Predicate Abstraction for Software and Hardware Verification ... Extract a finite state model from an infinite ... HardwareC, SpecC, Handel-C, and SystemC ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 44
Provided by: csC76
Learn more at: http://www.cs.cmu.edu
Category:

less

Transcript and Presenter's Notes

Title: Predicate Abstraction for Software and Hardware Verification


1
Predicate Abstraction for Software and Hardware
Verification
  • Himanshu Jain
  • Model checking seminar
  • April 22, 2005

2
Introduction
  • Scalable software verification
  • Properties
  • Array bounds check, division by zero
  • Pointer safety
  • Assertion checking
  • Lock and unlocking
  • Focus on partial specifications

3
Predicate Abstraction
  • Extract a finite state model from an infinite
    state system
  • Used to prove assertions or safety properties
  • Successfully applied for verification of C
    programs
  • SLAM (used in windows device driver verification)
  • MAGIC, BLAST, F-Soft

4
Example for Predicate Abstraction
void main() bool p1, p2 p1TRUE
p2TRUE while(p2) p1p1?FALSEnondet()
p2!p2
int main() int i i0 while(even(i))
i


p1 ? i0 p2 ? even(i)
Predicates
C program
Boolean program
Graf, Saidi 97
Ball, Rajamani 01
5
Computing Predicate Abstraction
  • How to get predicates for checking a given
    property?
  • How do we compute the abstraction?
  • Predicate Abstraction is an over-approximation
  • How to refine coarse abstractions

6
Counterexample Guided Abstraction Refinement loop
7
Abstraction
1 x ctr 2 y ctr 1 3 if (x i-1) 4
if (y ! i) ERROR
1 skip 2 skip 3 if () 4 if ()
ERROR
Abstract
C program
No predicates available currently
8
Checking the abstract model
Is ERROR reachable?
1 skip 2 skip 3 if () 4 if ()
ERROR
yes
Abstract model has a path leading to error state
9
Simulation
Does this correspond to a real bug?
1 x ctr 2 y ctr 1 3 assume(x
i-1) 4 assume (y ! i)
1 skip 2 skip 3 if () 4 if ()
ERROR
Concrete trace
Check using a SAT solver
Not possible
10
Refinement
1 x ctr 2 y ctr 1 3 assume(x
i-1) 4 assume (y ! i)
1 skip 2 skip 3 if () 4 if ()
ERROR
Initial abstraction
Spurious Counterexample
11
Refinement
1 x ctr 2 y ctr 1 3 assume(x
i-1) 4 assume (y ! i)
1 skip 2 skip 3 if () 4 if (b0)
ERROR
boolean b0 y ! i
12
Refinement
1 x ctr 2 y ctr 1 3 assume(x
i-1) 4 assume (y ! i)
1 skip 2 skip 3 if (b1) 4 if (b0)
ERROR
boolean b0 y ! i boolean b1 x i-1
13
Refinement
Weakest precondition of y ! i
boolean b2 ctr 1 ! i
1 x ctr 2 y ctr 1 3 assume(x
i-1) 4 assume (y ! i)
1 skip 2 b0 b2 3 if (b1) 4 if (b0)
ERROR
boolean b0 y ! i boolean b1 x i-1
14
Refinement
boolean b2 ctr 1 ! i boolean b3 ctr i -1
1 x ctr 2 y ctr 1 3 assume(x
i-1) 4 assume (y ! i)
1 b1 b3 2 b0 b2 3 if (b1) 4 if
(b0) ERROR
boolean b0 y ! i boolean b1 x i-1
15
Refinement
boolean b2 ctr 1 ! i boolean b3 ctr i -1
What about initial values of b2 and b3?
1 b1 b3 2 b0 b2 3 if (b1) 4 if
(b0) ERROR
b2 and b3 are mutually exclusive. b2 1, b3
0 b2 0 , b3 1
So system is safe!
boolean b0 y ! i boolean b1 x i-1
16
Tools for Predicate Abstraction of C
  • SLAM at Microsoft
  • Used for verifying correct sequencing of function
    calls in windows device drivers
  • MAGIC at CMU
  • Allows verification of concurrent C programs
  • Found bugs in MicroC OS
  • BLAST at Berkeley
  • Lazy abstraction, interpolation
  • SATABS at CMU
  • Computes predicate abstraction using SAT
  • Can handle pointer arithmetic, bit-vectors
  • F-Soft at NEC Labs
  • Localization, register sharing

17
Applications of Predicate Abstraction in Hardware
Verification
18
System on chip design
  • Increase in complexity

Number of components
Level
System Level
10E0
Behavioral/RTL
Structural
10E3
Abstraction
10E5
Gate level (netlists)
10E7

19
Introduction
  • Emergence of system design languages
  • HardwareC, SpecC, Handel-C, and SystemC
  • Based on C / C
  • Allows joint modeling of both hardware and
    software components of a system
  • Support for bit vectors, concurrency,
    synchronization, exception handling, timing

20
Verification support
  • Most model-checkers used in hardware industry
    work at netlist level
  • Higher abstraction levels offered by languages
    like SpecC or RTL Verilog are not yet supported
  • Languages like SpecC are more closer to
    concurrent software
  • Verification tools must reason about
  • Programming languages constructs
  • Concurrency
  • Pointers, Objects
  • Bit vector operations like concatenation,
    extraction

21
Why predicate abstraction
  • Many properties depend on relationship between
    registers, and not the values stored in them
  • Predicate Abstraction
  • Keeps tracks of certain predicates on data
  • Successfully used in software verification
  • Can handle larger designs

22
Abstraction-Refinement loop
23
An example
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Property AG (x 100 or x 200)
Verilog program
24
Abstraction-Refinement loop
Initial Abstraction
Verification
No erroror bug found
VerilogProgram
ModelChecker
Abstract model
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
25
Predicate Abstraction
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Property AG (x 100 or x 200)
Initial set of predicates x 100, x 200
Word level predicates
Verilog program
26
Computing Most Precise Abstraction
Next state
Current state
Transition Relation

ltx 100, x 200gt

ltx 100, x 200gt
x y y x
Equation passed to the SAT solver
27
Obtain transitions

Computing abstract transitions
10
00
01
and so on
11
28
Abstract Model
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Property AG (x 100 or x 200) Initial set
of predicates x 100, x 200
Failure state
Initial state
Verilog program
29
Abstraction-Refinement loop
Initial Abstraction
Verification
No erroror bug found
VerilogProgram
ModelChecker
Abstract model
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
30
Model checking
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Abstract Model
Initial state
Failure state
10
00
01
11
Verilog program
31
Model checking
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Abstract Model
Counterexample
Initial state
Failure state
10
00
01
11
Verilog program
32
Abstraction-Refinement loop
Initial Abstraction
Verification
No erroror bug found
VerilogProgram
ModelChecker
Abstract model
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
33
Simulation of the counterexample
  • Counterexample in the abstract model
  • lt1 , 0gt ? lt0 , 0gt (length 1)
  • Each state is a valuation of h x 100, x200 i

Initial values of the registers
predicate values in the first state of the
counterexample
Transition relation
predicate values in the second state of the
counterexample
equation is unsatisfiable
So counterexample is spurious
34
Abstraction-Refinement loop
Initial Abstraction
Verification
No erroror bug found
VerilogProgram
ModelChecker
Abstract model
Property holds
Refinement
Simulator
Simulation sucessful
Abstraction refinement
Bug found
Spurious counterexample
35
Refinement
  • Let length of spurious counterexample be k
  • Take weakest pre-condition of property for k
    steps with respect to transition functions
  • Pick atomic predicates from weakest precondition

36
Refinement
New predicates y 100, y 200
37
Abstract again
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Property AG (x 100 or x 200) Updated set
of predicates x 100, x 200, y100, y200
Model check
Verilog program
38
Model checking
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Property AG (x 100 or x 200) Updated set
of predicates x 100, x 200, y100, y200
Verilog program
39
Result
module main (clk) input clk reg 100 x,
y initial x 100, y 200 always _at_ (posedge
clk) begin x lt y y lt
x end endmodule
Property AG (x 100 or x 200)
Property holds!
Verilog program
40
Experimental results (VIS benchmarks)
Benchmark Lines of code Latches Variables Veracity Time Predicates Iteration
cache coherence 549 43 170 49s 25 9
mpeg decoder 1 1215 567 800 29s 9 3
mpeg decoder 2 1215 567 800 47s 9 4
SDLX 898 41 81 139s 43 30
Miim 841 83 237 0.57s 4 2
PI-Bus 1020 312 863 2.42s 10 1
Using lazy abstraction
All use predicate partitioning
41
Bigger benchmarks
Benchmark Latches Veracity time Cadence SMV time
ICU 28 1.3s 0.1s
ICRAM2KB 16427 450.7s 25s
ICRAM4KB 32796 843.3s terminates
ARITH100 202 3.5s 182.4s
ARITH200 402 9.6s 2147s
ARITH500 1002 32.2s timeout
ARITH1000 2002 122.6s timeout
42
Tools
  • VCEGAR (Verilog Counterexample Guided
    Abstraction Refinement) at CMU
  • www.cs.cmu.edu/modelcheck/vcegar

43
Questions
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Predicate Abstraction for Software and Hardware Verification" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!