Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog - PowerPoint PPT Presentation

Slides: 37
Provided by: Carla117
Learn more at: http://www.cs.cmu.edu
Transcript and Presenter's Notes

1
Word Level Predicate Abstraction and Refinement
for Verifying RTL Verilog
  • Himanshu Jain
  • Daniel Kroening
  • Natasha Sharygina
  • Edmund Clarke

Carnegie Mellon University
2
Introduction
  • Hardware design (figure: formal verification support against level of abstraction)
3
Verification support
  • Languages like Verilog, SystemVerilog, SystemC are close to software
  • Verification tools must reason about
    • Programming language constructs
    • Bit-vector semantics (concatenation, extraction)
    • Concurrency, objects, templates

4
This work (figure: "Model check?")
5
Handling state space explosion
  • Abstraction for handling state space explosion
    • Localization reduction [Kurshan 94]
      • Tracks values of certain variables (visible)
    • Predicate abstraction [Graf and Saidi 97]
      • Keeps track of certain predicates on data
      • Captures relationships between variables
      • Successfully used in software verification

6
Abstraction-Refinement loop (figure)
  • Initial abstraction: Verilog program → abstract model
  • Verification: model checker on the abstract model → property holds (no error or bug found) or counterexample
  • Refinement: simulator on the counterexample → simulation successful (bug found) or spurious counterexample → abstraction refinement → new abstract model
7
Our approach
  • Apply predicate abstraction at the RTL level
    • Allows abstraction using word-level predicates
    • Example: x < y z, x z, z
  • Use a SAT solver for computing the abstraction
    • Semantics of bit-wise operators are taken into account
  • Obtaining suitable word-level predicates
    • Syntactic weakest pre-conditions of Verilog statements

8
Related work
  • SAT-based predicate abstraction [Wang et al.]
    • Works at netlist level
    • Refinement introduces bit-level predicates
  • Vapor tool [Andraus et al.]
    • Works on RTL-level designs
    • Abstraction to CLU models (equality of terms, uninterpreted functions, predicates)
  • Lots of other related work

9
An example
Verilog program:
  module main (clk);
    input clk;
    reg [10:0] x, y;   // width reconstructed from the garbled transcript ("reg 100 x, y")
    initial begin
      x = 100;
      y = 200;
    end
    always @(posedge clk) begin
      x <= y;          // nonblocking: both assignments use the old values
      y <= x;
    end
  endmodule
Property: AG (x = 100 ∨ x = 200)
10
Abstraction-Refinement loop (same figure as slide 6)
11
Predicate Abstraction
Verilog program: as on slide 9
Property: AG (x = 100 ∨ x = 200)
Initial set of predicates: x = 100, x = 200
Word-level transition relation: x' = y ∧ y' = x
12
Computing Most Precise Abstraction
Current state predicates: <x = 100, x = 200>
Transition relation: x' = y ∧ y' = x
Next state predicates: <x' = 100, x' = 200>
13
Computing abstract transitions
Obtain transitions over <p1, p2>: 10, 00, 01, 11, and so on
14
Abstract Model
Verilog program: as on slide 9
Property: AG (x = 100 ∨ x = 200)
Initial set of predicates: x = 100, x = 200
(figure: abstract model with initial state and failure state)
15
Abstraction-Refinement loop (same figure as slide 6)
16
Model checking
Verilog program: as on slide 9
Abstract model (figure): abstract states 10, 00, 01, 11; initial state and failure state marked
17
Model checking
Verilog program: as on slide 9
Abstract model (figure): abstract states 10, 00, 01, 11; abstract counterexample from the initial state to the failure state
18
Abstraction-Refinement loop (same figure as slide 6)
19
Simulation
Verilog program: as on slide 9
Abstract counterexample: initial state 10 → failure state 00
Counterexample is spurious
20
Abstraction-Refinement loop (same figure as slide 6)
21
Refinement
  • Let the length of the spurious counterexample be k
  • Take the weakest pre-condition of the property for k steps with respect to the transition functions

22
Refinement
Spurious counterexample of length 1
Property: AG (x = 100 ∨ x = 200)
New predicates: y = 100, y = 200

23
Abstract again
Verilog program: as on slide 9
Property: AG (x = 100 ∨ x = 200)
Updated set of predicates: x = 100, x = 200, y = 100, y = 200
Model check
24
Model checking
Verilog program: as on slide 9
Property: AG (x = 100 ∨ x = 200)
Updated set of predicates: x = 100, x = 200, y = 100, y = 200
25
Result
Verilog program: as on slide 9
Property: AG (x = 100 ∨ x = 200)
Property holds!
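The loop of slides 11 to 25 (predicate abstraction, model checking, simulation of the counterexample, refinement by weakest pre-condition) carried out end to end on the slides' own example, as an added Python example that is not from the paper or the VCEGAR tool. It assumes 8-bit registers, enumerates concrete states instead of calling a SAT solver, and keeps predicates as Python comparison strings so that the weakest pre-condition is a syntactic substitution of each register by its next-state expression.

```python
import re
# Constructed from the slides' example: x and y (8-bit, width assumed) swap on
# every clock edge (x <= y; y <= x), checked against AG (x == 100 or x == 200).
WIDTH, INIT = 8, {"x": 100, "y": 200}
TRANS = {"x": "y", "y": "x"}            # nonblocking assignments, evaluated together
NEXT = {v: compile(e, e, "eval") for v, e in TRANS.items()}
PROPERTY = "x == 100 or x == 200"
ATOM = re.compile(r"\s+(?:and|or)\s+")  # splits a formula into atomic predicates

def step(s):                            # concrete next state of the always block
    return {v: eval(c, {}, s) for v, c in NEXT.items()}

def wp(expr):   # syntactic weakest pre-condition: replace each register by its rhs
    return re.sub(r"\b(%s)\b" % "|".join(TRANS), lambda m: TRANS[m.group()], expr)

def abstract_model(preds):
    """Existential abstraction by enumerating all concrete states (the slides use SAT)."""
    code = [compile(p, p, "eval") for p in preds + [PROPERTY]]
    alpha = lambda s: tuple(bool(eval(c, {}, s)) for c in code[:-1])
    states = [{"x": x, "y": y} for x in range(1 << WIDTH) for y in range(1 << WIDTH)]
    trans = {(alpha(s), alpha(step(s))) for s in states}
    bad = {alpha(s) for s in states if not eval(code[-1], {}, s)}
    return {alpha(INIT)}, trans, bad

def model_check(init, trans, bad):      # BFS: shortest abstract path to a failure state
    queue, seen = [[a] for a in init], set(init)
    while queue:                        # falls through to None if none is reachable
        path = queue.pop(0)
        if path[-1] in bad:
            return path
        for a, b in trans:
            if a == path[-1] and b not in seen:
                seen.add(b)
                queue.append(path + [b])

def cegar(max_iters=5):
    preds = ATOM.split(PROPERTY)        # initial predicates: x == 100, x == 200
    for it in range(1, max_iters + 1):
        path = model_check(*abstract_model(preds))
        if path is None:
            return "holds", it, preds
        s, k = dict(INIT), len(path) - 1
        for _ in range(k):              # simulate the k cycles of the counterexample
            s = step(s)                 # (deterministic design, single initial state)
        if not eval(PROPERTY, {}, s):
            return "bug", it, preds     # the property really fails
        formula = PROPERTY              # spurious: refine with wp of the property
        for _ in range(k):              # for k steps, keeping only atomic predicates
            formula = wp(formula)
            preds += [a for a in ATOM.split(formula) if a not in preds]
    return "unknown", max_iters, preds
```

The first iteration finds the spurious path 10 → 00 of slides 17 and 19; the refinement adds y == 100 and y == 200 and the second iteration proves the property, as on slides 22 to 25.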
26
Making it work in practice
  • Computation of predicate abstraction
  • Handling of a large number of predicates

With 50 predicates there can be 2^100 predicate relationships!!
27
Predicate Partitioning (figure: current state predicates ∧ transition relation → next state predicates)
28
Predicate Partitioning
  • Speeds up abstraction computation
  • Introduces over-approximation
  • Refinement
    • Handles over-approximation due to predicate partitioning
    • Generates new predicates

29
Refinement by removing spurious transitions
Abstract transition <b1 = 0, b2 = 1> → <b1' = 0, b2' = 0>: spurious
Constrain abstraction [Das and Dill]: (b1 = 0 ∧ b2 = 1 ∧ b1' = 0 ∧ b2' = 0)
Proof of unsatisfiability (UNSAT) core: (b2 = 1 ∧ b1' = 0)
30
Refinement by generating new predicates
Identify predicates whose weakest pre-condition needs to be computed
Init: x = 1, y = 2
Transition relation: x' = y ∧ y' = x
(x = 1) ∧ (x = 2)
Proof of unsatisfiability → predicate whose weakest pre-condition is needed: (x = 1) ∧ (x = 2)
31
Refinement by generating new predicates
  • Blowup in weakest pre-condition size
  • Only add atomic predicates
((x < 5) ? (x 2) x) 2
Add x < 5 as a new predicate and run the loop again
x (x < 5) ? (x 2) x
x 2
32
A counterexample of the same length
  • But now we get a value for x < 5 from the abstract counterexample (say true)
New predicate: x 2 < 3
x x 2
simplify
33
Experimental results
Benchmark   Latches  VCEGAR   P/I  Cadence SMV (using -absref3)
ICU              28    1.3s   5/1  0.1s
ICRAM2KB      16427  450.7s   3/8  25s
ICRAM4KB      32796  843.3s   3/8  too many BDD variables
ARITH100        202    3.5s   3/3  182.4s
ARITH200        402    9.6s   3/3  2147s
ARITH500       1002   32.2s   3/3  timeout
ARITH1000      2002  122.6s   3/3  timeout
34
Experimental results (VIS benchmarks)
Benchmark        Lines of code  Latches  Variables  VCEGAR time  Predicates  Iterations
cache coherence            549       43        170          49s          25           9
mpeg decoder 1            1215      567        800          29s           9           3
usb_phy                   1054       50         44         104s          47          22
ethernet                   605       91        160          15s          30          15
SDLX                       898       41         81         139s          43          30
ITC99_b12                  558      125        119         188s          32          23
35
Summary
  • Verification at RTL level without going to netlists
  • Predicate abstraction using word-level predicates
  • Handling a large number of predicates (predicate partitioning)
  • Weakest pre-conditions for obtaining new predicates
  • Techniques are completely automatic
  • VCEGAR
    • Encouraging results on industrial benchmarks
    • www.cs.cmu.edu/modelcheck/vcegar

36
Questions?