a framework on synchronization verification in system-level design

A Framework on Synchronization Verification in System-Level Design

Thanyapat SakunkonchakSatoshi KomatsuMasahiro Fujita

Fujita LaboratoryUniversity of Tokyo

Contents

Introduction System-level design VS Verification Counterexample-guided abstraction

refinement (CEGAR) Why synchronization verification? Verification flow Preliminary experimental results Summary & Future direction

System-Level Design & Verification

Recover as many bugs as possible in the earlier stages is necessary

Verification in system-level design

Bugs fix timeCost due to the delay/late time-to-marketRevenue loss

System-Level

RTL

Layout

System synthesisHigh-level synthesis

Logic synthesisLayout synthesis

30 minutes delayModify source & re-compile

3 days delayModify RTL & re-synthesis

3 weeks delayRe-layout

Basic Idea

To increase productivity and fast prototype Apply formal verification at system-level

Counter-Example Guided Abstraction Refinement (CEGAR) paradigm Apply abstraction to the design Verify the abstracted design

Property hold Property does not hold + abstract counter-example

Abstraction refinement: validate the abstract counter-example

Valid: the real counter-example is given Invalid: refine abstraction

Formal Verification with Abstraction Refinement (CEGAR)

Model checkerDesign

Property

+ abstract counterexample

The abstract design’s size is enough to be

handled

Abstract Design

Check abstract counterexample

Refine

+ real counterexample

Widely used verification philosophy:Counter-Example GuidedAbstraction Refinement(CEGAR)

Contents



Why synchronization verification?

Usually the abstracted design is still too large

There are many parallel processes in system-level design To operate properly, those parallel

processes must be properly synchronized

Targeting only synchronization verification, the problem size can be significantly reduced

void A() {

}void B() {

}

void main() { A(); B(); C();}

void C() {

}

Concurrency: Par Statement in SpecC

A

A B

C Language SpecC Language

B

C

void A() {

}void B() {

}

void main() { par{ A.main(); B.main(); } C.main();}

void C() {

}

C

Synchronization in SpecC Add notify/wait of event e for sync.

‘wait’ will stop process until it is ‘notify’

A B

void A() {

}void B() {

}

void main() { par { A.main(); B.main(); }}

notify e1;wait e2;

wait e1;notify e2; wait e1

Process B stopsand wait untile1 is notified

notify e1

B resumeswait e2

Process A stopsand wait untile2 is notified

notify e2

A resumes

Synchronization in SpecC (cont.)

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e Tae

Tbs T3s T3e Tbe

Synchronization by Notify/wait

These equations can be solved withInteger Linear Programming Solver

Tas=Tbs, Tae=Tbe Tas<=T1s<T1e<=T2s<T2e<=Tas Tbs<=T3s<T3e<=Tbe T2e<=T3s

Contents



Synchronization verification

Boolean SpecC

Original SpecC program

Predicate abstraction

MILP Solver

Sync. property

(Deadlock)

Property proved

(correct result)

Reasoning tool

Abstract error trace

Concrete

counter-example

Set of predicates

behavior A(out event e, inout int x, inout int y)

{ void main() { if(x > 0) { notify e; y = x – 1; } if(y < 3) : :

behavior A() { void main() { if(C0) { notify e; ... } if(C1) : :

Mathematical model

Equality/Inequality

Predicate discovery

1 2

3

4 5

Synchronization property

Synchronization is completed if ‘wait’ was notified

A deadlock occurs once ‘wait’ is reached but ‘notify’ is not

Process A Process B

notify

waitDeadlock in B

NOT FEASIBLE

Check path feasibility

a1 = true&

b1 = false&

b2 = true

!waitCustomer = true&

!waitCustomer = false&

!chairOccupied = true

/* Barber */

void main() {

while(1) {

if (!waitCustomer)

DayDreaming();

else {

if (chairOccupied) {

notify call;

chairOccupied = false;

}

else {

KeepCutting();

chairOccupied = true;

}

};

/* Customer */

void main() {

while(1) {

if (!waitCustomer)

waitCustomer = true;

else {

waitCustomer = false;

if (!chairOccupied)

wait call;

}

};

/* Barber */

void main() {

while(a0) {

if (a1)

...

else {

if (a2) {

notify call;

...

}

else {

...

...

}

};

/* Customer */

void main() {

while(b0) {

if (b1)

...

else {

...

if (b2)

wait call;

}

}; Refine#0

/* Barber */

void main() {

while(a0) {

if (a1)

...

else {

if (a2) {

notify call;

...

}

else {

...

...

}

};

/* Customer */

void main() {

while(b0) {

if (a1)

a1_1 = true;

else {

a1_1 = false;

if (b2)

wait call;

}

};Refine#1

Check path feasibility

a1 = false&

a2 = false&

b1 = false&

b2 = true


chairOccupied = false&


!chairOccupied = true

FEASIBLE

‘notify’ is not reached: ‘wait’ is reached

Contents



Verification conditions

Real applications are verified Focusing only synchronization (notify/wait u

nder par{ }), problem size can be significantly reduced

Running on linux machine, P4 1.7GHz & 512 MB RAM, deadlock can be detected within few minutes

Preliminary experimental result

Check all designs with properties “there is no deadlock”

There is no such a case where ‘wait’ is executed while ‘notify’ is not

Property1,2,3 are the different pairs of notify/wait Simulation results

All properties hold No deadlock

Abstraction refinement is not conducted in this experiments

Original Sync. Ver. Property1 Property2 Property3

FIFO 260 240 30.7 31.2 35.8

Point- to-Point Protocol 850 500 71.8 64.1 69.7

Elevator Control System 2000 800 107.4 119.6 106.7

# of lines Verification Time (seconds)

Contents



Summary & Future Direction

A framework for synchronization verification of SpecC was described

Abstraction/abstraction refinement algorithm was presented Abstraction Insertion of deadlock property Verification Abstraction refinement

Now targeting only for synchronization property, but we can further extend to verify other properties, e.g. safety

Implementation of abstraction refinement

a framework on synchronization verification in system-level design

Documents