a framework on synchronization verification in system-level design
DESCRIPTION
A Framework on Synchronization Verification in System-Level Design. Thanyapat Sakunkonchak Satoshi Komatsu Masahiro Fujita Fujita Laboratory University of Tokyo. Contents. Introduction System-level design VS Verification Counterexample-guided abstraction refinement (CEGAR) - PowerPoint PPT PresentationTRANSCRIPT
A Framework on Synchronization Verification in System-Level Design
Thanyapat SakunkonchakSatoshi KomatsuMasahiro Fujita
Fujita LaboratoryUniversity of Tokyo
Contents
Introduction System-level design VS Verification Counterexample-guided abstraction
refinement (CEGAR) Why synchronization verification? Verification flow Preliminary experimental results Summary & Future direction
System-Level Design & Verification
Recover as many bugs as possible in the earlier stages is necessary
Verification in system-level design
Bugs fix timeCost due to the delay/late time-to-marketRevenue loss
System-Level
RTL
Layout
System synthesisHigh-level synthesis
Logic synthesisLayout synthesis
30 minutes delayModify source & re-compile
3 days delayModify RTL & re-synthesis
3 weeks delayRe-layout
Basic Idea
To increase productivity and fast prototype Apply formal verification at system-level
Counter-Example Guided Abstraction Refinement (CEGAR) paradigm Apply abstraction to the design Verify the abstracted design
Property hold Property does not hold + abstract counter-example
Abstraction refinement: validate the abstract counter-example
Valid: the real counter-example is given Invalid: refine abstraction
Formal Verification with Abstraction Refinement (CEGAR)
Model checkerDesign
Property
+ abstract counterexample
The abstract design’s size is enough to be
handled
Abstract Design
Check abstract counterexample
Refine
+ real counterexample
Widely used verification philosophy:Counter-Example GuidedAbstraction Refinement(CEGAR)
Contents
Introduction System-level design VS Verification Counterexample-guided abstraction
refinement (CEGAR) Why synchronization verification? Verification flow Preliminary experimental results Summary & Future direction
Why synchronization verification?
Usually the abstracted design is still too large
There are many parallel processes in system-level design To operate properly, those parallel
processes must be properly synchronized
Targeting only synchronization verification, the problem size can be significantly reduced
void A() {
}void B() {
}
void main() { A(); B(); C();}
void C() {
}
Concurrency: Par Statement in SpecC
A
A B
C Language SpecC Language
B
C
void A() {
}void B() {
}
void main() { par{ A.main(); B.main(); } C.main();}
void C() {
}
C
Synchronization in SpecC Add notify/wait of event e for sync.
‘wait’ will stop process until it is ‘notify’
A B
void A() {
}void B() {
}
void main() { par { A.main(); B.main(); }}
notify e1;wait e2;
wait e1;notify e2; wait e1
Process B stopsand wait untile1 is notified
notify e1
B resumeswait e2
Process A stopsand wait untile2 is notified
notify e2
A resumes
Synchronization in SpecC (cont.)
main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}
time
a.main()
b.main()
St1 St2
St3
Tas T1s T1e T2s T2e Tae
Tbs T3s T3e Tbe
Synchronization by Notify/wait
These equations can be solved withInteger Linear Programming Solver
Tas=Tbs, Tae=Tbe Tas<=T1s<T1e<=T2s<T2e<=Tas Tbs<=T3s<T3e<=Tbe T2e<=T3s
Contents
Introduction System-level design VS Verification Counterexample-guided abstraction
refinement (CEGAR) Why synchronization verification? Verification flow Preliminary experimental results Summary & Future direction
Synchronization verification
Boolean SpecC
Original SpecC program
Predicate abstraction
MILP Solver
Sync. property
(Deadlock)
Property proved
(correct result)
Reasoning tool
Abstract error trace
Concrete
counter-example
Set of predicates
behavior A(out event e, inout int x, inout int y)
{ void main() { if(x > 0) { notify e; y = x – 1; } if(y < 3) : :
behavior A() { void main() { if(C0) { notify e; ... } if(C1) : :
Mathematical model
Equality/Inequality
Predicate discovery
1 2
3
4 5
Synchronization property
Synchronization is completed if ‘wait’ was notified
A deadlock occurs once ‘wait’ is reached but ‘notify’ is not
Process A Process B
notify
waitDeadlock in B
NOT FEASIBLE
Check path feasibility
a1 = true&
b1 = false&
b2 = true
!waitCustomer = true&
!waitCustomer = false&
!chairOccupied = true
/* Barber */
void main() {
while(1) {
if (!waitCustomer)
DayDreaming();
else {
if (chairOccupied) {
notify call;
chairOccupied = false;
}
else {
KeepCutting();
chairOccupied = true;
}
};
/* Customer */
void main() {
while(1) {
if (!waitCustomer)
waitCustomer = true;
else {
waitCustomer = false;
if (!chairOccupied)
wait call;
}
};
/* Barber */
void main() {
while(a0) {
if (a1)
...
else {
if (a2) {
notify call;
...
}
else {
...
...
}
};
/* Customer */
void main() {
while(b0) {
if (b1)
...
else {
...
if (b2)
wait call;
}
}; Refine#0
/* Barber */
void main() {
while(a0) {
if (a1)
...
else {
if (a2) {
notify call;
...
}
else {
...
...
}
};
/* Customer */
void main() {
while(b0) {
if (a1)
a1_1 = true;
else {
a1_1 = false;
if (b2)
wait call;
}
};Refine#1
Check path feasibility
a1 = false&
a2 = false&
b1 = false&
b2 = true
!waitCustomer = false&
chairOccupied = false&
!waitCustomer = false&
!chairOccupied = true
FEASIBLE
‘notify’ is not reached: ‘wait’ is reached
Contents
Introduction System-level design VS Verification Counterexample-guided abstraction
refinement (CEGAR) Why synchronization verification? Verification flow Preliminary experimental results Summary & Future direction
Verification conditions
Real applications are verified Focusing only synchronization (notify/wait u
nder par{ }), problem size can be significantly reduced
Running on linux machine, P4 1.7GHz & 512 MB RAM, deadlock can be detected within few minutes
Preliminary experimental result
Check all designs with properties “there is no deadlock”
There is no such a case where ‘wait’ is executed while ‘notify’ is not
Property1,2,3 are the different pairs of notify/wait Simulation results
All properties hold No deadlock
Abstraction refinement is not conducted in this experiments
Original Sync. Ver. Property1 Property2 Property3
FIFO 260 240 30.7 31.2 35.8
Point- to-Point Protocol 850 500 71.8 64.1 69.7
Elevator Control System 2000 800 107.4 119.6 106.7
# of lines Verification Time (seconds)
Contents
Introduction System-level design VS Verification Counterexample-guided abstraction
refinement (CEGAR) Why synchronization verification? Verification flow Preliminary experimental results Summary & Future direction
Summary & Future Direction
A framework for synchronization verification of SpecC was described
Abstraction/abstraction refinement algorithm was presented Abstraction Insertion of deadlock property Verification Abstraction refinement
Now targeting only for synchronization property, but we can further extend to verify other properties, e.g. safety
Implementation of abstraction refinement