An Introduction to Symbolic Trajectory Evaluation
An Introduction to Symbolic Trajectory Evaluation Koen Lindström Claessen Chalmers University / Jasper AB Gothenburg, Sweden
An Example in0 in1 in2 in3
& OR
&
in4 in5 in6
A 7-input AND gate?
& OR
&
out
Verification by Simulation “Antecedent” driving
(in0 is 0) and (in1 is 0) and (in2 is 1) and (in3 is 1) and (in4 is 0) and (in5 is 1) and (in6 is 0) (out is 0) Simulation specification
“Consequent” checking
Simulation … 0 0 1 1
&
0
1
OR
&
& OR
&
0
0 1
0 0
27 = 128 simulations
1
0
0 ! OK 0?
Smarter Simulation … 0 0 1 1
&
0 0
1
OR
&
0
0
& OR
&
Good for 26 = 64 simulations!
0 ! OK 0?
Smarter Simulation (2)… 0 0 1 1
& OR
&
0
0
1
0 0
Good for 26 = 64 simulations
OR
&
&
0 ! OK 0?
Smarter Simulation? 0 0 1 1
Got stuck
& OR
&
0 0 0
& OR
&
0?
Three-Valued Simulation: Good 0,1,X for X X X X
26 = 64 simulations
&
X X = “unknown”
X
0
OR
&
X
X
OR
1
0 X
X
&
&
0 ! OK 0?
Simulating with 0,1,X x x 0 1 1 0 X X enough information not enough information
xy 00 01 10 11 X0 0X X1 1X XX
x&y 0 0 0 1 0 0 X X X
abstraction: X = {0,1}
x y x OR y 00 0 01 1 10 1 11 1 X0 X 0X X X1 1 1X 1 XX X
Three-Valued Specification
not mentioned in antecedent means driven with “X”
(in0 is 0) (out is 0) (in1 is 0) (out is 0) (in2 is 0) (out is 0) (in3 is 0) (out is 0) (in4 is 0) (out is 0) 8 simulations (in5 is 0) (out is 0) in total (in6 is 0) (out is 0) (in0 is 1) and (in1 is 1) and … and (in5 is 1) and (in6 is 1) (out is 0)
Symbolic Simulation
Boolean expression datatype Variables;
a, b, c Logical operations; not, and, or Compositional Canonical representation (Reduced Ordered) Binary Decision Diagrams (BDDs)
Compositional? F&G
F:
G:
a
&
b
0
b
1
c
0
1
Canonical? a & ~b
~(~a v b)
a
a
=
b
0
1
b
0
1
Symbolic Simulation … a b c d
&
OR
&
g
a&b&c&d
~(c&d)
&
~e
e f
~(a&b)
OR
&
~(f&g)
only 1 simulation! many variables give possible BDD blow-up a&b&c&d&e &f&g !
OK e&f&g
Symbolic Specification (in0 is a) and symbolic variable (in1 is b) and (in2 is c) and (in3 is d) and expected (in4 is e) and symbolic value (in5 is f) and (in6 is g) (out is (a&b&c&d&e&f&g)) circuit node
Symbolic Trajectory Evaluation (STE)
Summary symbolic three-valued simulation
three-valued simulation
symbolic simulation
standard simulationbased verification
Idea
128 ordinary simulations require
7 symbolic variables
8 three-valued simulations require
only 3 symbolic variables! call these p,q,r
“symbolic indexing”
When p=q=r=1, all inputs are 1 Otherwise, indicates which input is 0 Expected value of out?
out is (p&q&r)
is a new STE Specification operator
((~p&~q&~r) (in0 is 0)) and Only 3 symbolic variables; less ((~p&~q& r) (in1 is 0)) and risk of blow-up! ((~p& q&~r) (in2 is 0)) and ((~p& q& r) (in3 is 0)) and (( p&~q&~r) (in4 is 0)) and (( p&~q& r) (in5 is 0)) and (( p& q&~r) (in6 is 0)) and (( p& q& r) ((in0 is 1) and (in1 is 1) and … and (in5 is 1) and (in6 is 1))) (out is (p&q&r))
Conditional Driving PA Logically: Implication
Only use A to drive simulation when P is true Otherwise, nodes in A are unknown: X
Three-Valued Symbolic Expressions
Simulator needs to deal with boolean
values 0,1 unknown value X symbolic variables a, b, c expressions with &, OR, , over the above
Solutions new
datastructure dual-rail encoding
Dual-Rail Encoding x0 says when x is 0
x 0 1 X
x1 says when x is 1
(x0,x1) (1,0) (0,1) (0,0) X means neither 0 nor 1
Each three-valued entity is represented by a pair of twovalued entities (x0,x1) & (y0,y1) = (x0 OR y0, x1 & y1) (x0,x1) OR (y0,y1) = (x0 & y0, x1 OR y1) (x0,x1) = (x1,x0)
Symbolic Three-Valued Simulation …
(~p&~q&~r, p&q&r)
only 1 simulation, 3 variables
& OR
&
& OR
(~p& q& r, p&q&r)
&
(~(p&q&r), p&q&r)
Symbolic Trajectory Evaluation Invented in 1995 by Seger and Bryant Used industrially
Mainly
Intel; heavy use
Forte ReFLect/IDV
Memory-intensive
circuits
Hard for other verification methods
The Rest of this Lecture Some pitfalls More interesting example: Memory Semantics Current directions
What Does X Mean? …
X 1 0 …
no “second thoughts”
1
Pitfall 1
multiplexer a in0
&
a&X
OR
a in1
&
manual abstraction sel X
out a&X
a&X information loss
(sel is b) and (in0 is a) and (in1 is a) (out is a)
only forwards information propagation
Pitfall 2 a in0 X b in1 X
&
1 out 1 = a&b
(in0 is a) and (in1 is b) and (out is 1) (in0 is 1) and (in1 is 1) we need a semantics! predictability
Example: Memory rd
loc0
out0
wr loc1
out1 out
addr loc2 in
…
out2
Memory
Address width k 2^k
locations
Data width n n*(2^k)
state-holding elements
state-based model checkers?
k=16, n=16: 1048576 elements
A Specification (k=2,n=1) first we write d to address a0a1
(wr is 1) and (in is d) and (addr0 is a0) and (addr1 is a1) and then we read from N ((rd is 1) and address a0a1 (addr0 is a0) and (addr1 is a1)) next point N (out is d) in time
we expect d to come out
symbolic variables: a0,a1: address, d: data
Simulation (initially) rd
X
out0
wr X
out1 out
addr X in
…
out2
Simulation (time 1) if a0a1 = 00 then d else X X
e0 X
1 e1 X a0a1 e2 X d
… if a0a1 = 10 then d else X
Simulationif a0a1 (time = 00 2) then e0 else 0 1 X
if a0a1 = 00 then (if a0a1 = 00 then d else X) else 0
e0 X d
if a0a1 = 00 X then d e1 else 0
OK
a0a1 e2 X X
… if a0a1 = 10 then e2 else 0
if a0a1 = 10 then d else 0
Memory with STE
Address width k, data width n 2^k
locations n*(2^k) state-holding elements k+n symbolic variables
k=16, n=16: 32 symbolic variables
STE Theory
0/1 “clash”
T
0
information ordering
1
X information lattice
four-valued expressions!
4-Valued Gates
T&y =T T OR y = T T=T
y&T =T y OR T = T
Gates are monotonic w.r.t. information ordering no “second thoughts”
Circuit Model
example: {in0,in1,out}
Set of nodes N state-holding:
n vs n’
Set of states s : S = N {X,0,1,T} Circuits are modelled as closure functions F:SS
propagates given values to other nodes
can be easily constructed from the netlist
Closure Function F : S S
Monotonic s1
An Example in0 in1 in2 in3
& OR
&
in4 in5 in6
A 7-input AND gate?
& OR
&
out
Verification by Simulation “Antecedent” driving
(in0 is 0) and (in1 is 0) and (in2 is 1) and (in3 is 1) and (in4 is 0) and (in5 is 1) and (in6 is 0) (out is 0) Simulation specification
“Consequent” checking
Simulation … 0 0 1 1
&
0
1
OR
&
& OR
&
0
0 1
0 0
27 = 128 simulations
1
0
0 ! OK 0?
Smarter Simulation … 0 0 1 1
&
0 0
1
OR
&
0
0
& OR
&
Good for 26 = 64 simulations!
0 ! OK 0?
Smarter Simulation (2)… 0 0 1 1
& OR
&
0
0
1
0 0
Good for 26 = 64 simulations
OR
&
&
0 ! OK 0?
Smarter Simulation? 0 0 1 1
Got stuck
& OR
&
0 0 0
& OR
&
0?
Three-Valued Simulation: Good 0,1,X for X X X X
26 = 64 simulations
&
X X = “unknown”
X
0
OR
&
X
X
OR
1
0 X
X
&
&
0 ! OK 0?
Simulating with 0,1,X x x 0 1 1 0 X X enough information not enough information
xy 00 01 10 11 X0 0X X1 1X XX
x&y 0 0 0 1 0 0 X X X
abstraction: X = {0,1}
x y x OR y 00 0 01 1 10 1 11 1 X0 X 0X X X1 1 1X 1 XX X
Three-Valued Specification
not mentioned in antecedent means driven with “X”
(in0 is 0) (out is 0) (in1 is 0) (out is 0) (in2 is 0) (out is 0) (in3 is 0) (out is 0) (in4 is 0) (out is 0) 8 simulations (in5 is 0) (out is 0) in total (in6 is 0) (out is 0) (in0 is 1) and (in1 is 1) and … and (in5 is 1) and (in6 is 1) (out is 0)
Symbolic Simulation
Boolean expression datatype Variables;
a, b, c Logical operations; not, and, or Compositional Canonical representation (Reduced Ordered) Binary Decision Diagrams (BDDs)
Compositional? F&G
F:
G:
a
&
b
0
b
1
c
0
1
Canonical? a & ~b
~(~a v b)
a
a
=
b
0
1
b
0
1
Symbolic Simulation … a b c d
&
OR
&
g
a&b&c&d
~(c&d)
&
~e
e f
~(a&b)
OR
&
~(f&g)
only 1 simulation! many variables give possible BDD blow-up a&b&c&d&e &f&g !
OK e&f&g
Symbolic Specification (in0 is a) and symbolic variable (in1 is b) and (in2 is c) and (in3 is d) and expected (in4 is e) and symbolic value (in5 is f) and (in6 is g) (out is (a&b&c&d&e&f&g)) circuit node
Symbolic Trajectory Evaluation (STE)
Summary symbolic three-valued simulation
three-valued simulation
symbolic simulation
standard simulationbased verification
Idea
128 ordinary simulations require
7 symbolic variables
8 three-valued simulations require
only 3 symbolic variables! call these p,q,r
“symbolic indexing”
When p=q=r=1, all inputs are 1 Otherwise, indicates which input is 0 Expected value of out?
out is (p&q&r)
is a new STE Specification operator
((~p&~q&~r) (in0 is 0)) and Only 3 symbolic variables; less ((~p&~q& r) (in1 is 0)) and risk of blow-up! ((~p& q&~r) (in2 is 0)) and ((~p& q& r) (in3 is 0)) and (( p&~q&~r) (in4 is 0)) and (( p&~q& r) (in5 is 0)) and (( p& q&~r) (in6 is 0)) and (( p& q& r) ((in0 is 1) and (in1 is 1) and … and (in5 is 1) and (in6 is 1))) (out is (p&q&r))
Conditional Driving PA Logically: Implication
Only use A to drive simulation when P is true Otherwise, nodes in A are unknown: X
Three-Valued Symbolic Expressions
Simulator needs to deal with boolean
values 0,1 unknown value X symbolic variables a, b, c expressions with &, OR, , over the above
Solutions new
datastructure dual-rail encoding
Dual-Rail Encoding x0 says when x is 0
x 0 1 X
x1 says when x is 1
(x0,x1) (1,0) (0,1) (0,0) X means neither 0 nor 1
Each three-valued entity is represented by a pair of twovalued entities (x0,x1) & (y0,y1) = (x0 OR y0, x1 & y1) (x0,x1) OR (y0,y1) = (x0 & y0, x1 OR y1) (x0,x1) = (x1,x0)
Symbolic Three-Valued Simulation …
(~p&~q&~r, p&q&r)
only 1 simulation, 3 variables
& OR
&
& OR
(~p& q& r, p&q&r)
&
(~(p&q&r), p&q&r)
Symbolic Trajectory Evaluation Invented in 1995 by Seger and Bryant Used industrially
Mainly
Intel; heavy use
Forte ReFLect/IDV
Memory-intensive
circuits
Hard for other verification methods
The Rest of this Lecture Some pitfalls More interesting example: Memory Semantics Current directions
What Does X Mean? …
X 1 0 …
no “second thoughts”
1
Pitfall 1
multiplexer a in0
&
a&X
OR
a in1
&
manual abstraction sel X
out a&X
a&X information loss
(sel is b) and (in0 is a) and (in1 is a) (out is a)
only forwards information propagation
Pitfall 2 a in0 X b in1 X
&
1 out 1 = a&b
(in0 is a) and (in1 is b) and (out is 1) (in0 is 1) and (in1 is 1) we need a semantics! predictability
Example: Memory rd
loc0
out0
wr loc1
out1 out
addr loc2 in
…
out2
Memory
Address width k 2^k
locations
Data width n n*(2^k)
state-holding elements
state-based model checkers?
k=16, n=16: 1048576 elements
A Specification (k=2,n=1) first we write d to address a0a1
(wr is 1) and (in is d) and (addr0 is a0) and (addr1 is a1) and then we read from N ((rd is 1) and address a0a1 (addr0 is a0) and (addr1 is a1)) next point N (out is d) in time
we expect d to come out
symbolic variables: a0,a1: address, d: data
Simulation (initially) rd
X
out0
wr X
out1 out
addr X in
…
out2
Simulation (time 1) if a0a1 = 00 then d else X X
e0 X
1 e1 X a0a1 e2 X d
… if a0a1 = 10 then d else X
Simulationif a0a1 (time = 00 2) then e0 else 0 1 X
if a0a1 = 00 then (if a0a1 = 00 then d else X) else 0
e0 X d
if a0a1 = 00 X then d e1 else 0
OK
a0a1 e2 X X
… if a0a1 = 10 then e2 else 0
if a0a1 = 10 then d else 0
Memory with STE
Address width k, data width n 2^k
locations n*(2^k) state-holding elements k+n symbolic variables
k=16, n=16: 32 symbolic variables
STE Theory
0/1 “clash”
T
0
information ordering
1
X information lattice
four-valued expressions!
4-Valued Gates
T&y =T T OR y = T T=T
y&T =T y OR T = T
Gates are monotonic w.r.t. information ordering no “second thoughts”
Circuit Model
example: {in0,in1,out}
Set of nodes N state-holding:
n vs n’
Set of states s : S = N {X,0,1,T} Circuits are modelled as closure functions F:SS
propagates given values to other nodes
can be easily constructed from the netlist
Closure Function F : S S
Monotonic s1
