A Logic for GSTE Edward Smith University of Oxford
advertisement
A Logic for GSTE
Edward Smith
University of Oxford
Generalized Symbolic
Trajectory Evaluation (GSTE)
• Based on gate-level simulation
• Ternary simulation over {0,1,X}
• Symbolic simulation layer
• Fine control over abstraction
X
0
0
s
1
s
• Fixed-points allow unbounded properties
• Regular properties
Traditional Specification
• Using assertion graphs
Drive input A
Assert correct output
Drive input B
• Shape and labels drive model checking
– Affect efficiency and abstraction level
Verification Process
High-level
Specification
An example specification
For a simple GSTE
property that isn’t too hard to verify
I hope, but you never really know,
Hopefully not
Assertion
Graph
Manually Refine
or Decompose
GSTE
Fails
Circuit
GSTE
Succeeds
Verification Process
High-level
Specification
Rules difficult to express,
apply and justify
An example specification
For a simple GSTE
property that isn’t too hard to verify
I hope, but you never really know,
Hopefully not
Assertion
Graph
Manually Refine
or Decompose
GSTE
Fails
Circuit
GSTE
Succeeds
Generalized Trajectory Logic
• A clean specification notation based on temporal logic
f
kf k
bf c
• Trace-based semantics
• GSTE simulation state
• Symbolic set of words
• Upper-approximation
• What we check
• How we simulate
Circuit Model
• Kripke structure
K = (S; T )
traces(K) µ S +
• Nodes
n2N
f
Formulas
of
GTL
kf k
bf c
tt
S+
ff
;
XXX : : : X
?
n
f¾:s 2 S + j s(n)g
X1X : : : X
:n
f¾:s 2 S + j : s(n)g
X0X : : : X
f
g ^h
Formulas
of
GTL
kf k
bf c
kg k\kh k
bg c u bh c
X1X u 0XX = 01X
g _h
kg k[kh k
bg c t bh c
01X t 0XX = 0XX
f
Yg
Yesterday
kf k
f¾:s 2 S + j ¾ 2 k g kg
bf c
step(b g c )
• Allows compositional simulation
simulate g
g
forward
step
Yg
Symbolic Formulas
Q ! g jh
If Q then g else h
e.g. b u ! n j :n c = XuX : : :
f (u := Q)
f where u has value Q
e.g. b (u ! n j :n)(u := 1) c = X1X : : :
Fixed-points
• Mu-calculus style fixed-points capture iteration
ff ; g(ff) ; g(g(ff)) : : : ¹Z:g(Z)
where Y binds every Z in g
Fixed-points
• Mu-calculus style fixed-points capture iteration
ff ; g(ff) ; g(g(ff)) : : : ¹Z:g(Z)
where Y binds every Z in g
• E.g. ‘Previously f’ and ‘f Since g’
Pf
:= ¹Z:f _ YZ
f S g := ¹Z:g _ (f ^ YZ)
Vector Fixed-points
• Nested mu-expressions are messy in practice
• Fixed-points are unique
• Can therefore use systems of recursive equations:
ZERO = reset _ :reset ^ Y(ONE)
:reset ^ Y(ZERO)
ONE =
Shorthand
• Quantification
(9u : f )
:=
(f (u := T)) _ (f (u := F))
(8u : f )
:=
(f (u := T)) ^ (f (u := F))
• Calculated directly using BDD quantification
• Symbolic node value
(n is Q)
:=
(Q ! n j :n)
GTL Properties
A)C
when, for every trace t and in every symbolic valuation:
t 2 k A k implies t 2 k C k
e.g. Register correctness:
read ^ ((:wr) S (wr ^ (in is d))) ) out is d
Model Checking
b A c v b C c implies A ) C
Upper-approximation
simulation
Precise simulation, when C
does not contain disjunction or Y
Reasoning with GTL
• Simple rules for traced-based equivalence
f ^g =g ^f
n ^ :n = ff
Yf ^ Yg = Y(f ^ g)
g ^ ff = ff
¹Z:f (Z) = f (¹Z:f (Z))
• Rules do not imply simulation equivalence
b f c 6= b g c
• Property-preserving simulation transformations
Optimization Rules
• Simplification, e.g.
g ^ ff = ff
• Symbolic/explicit conversion
f(u := Q) = f[Q/u]
Example
n
n
0
1
f
f
1
s
f
1
1
n _ :n
=
n
9s:(s ! n j :n)
=
((s ! n j :n)(s := 1)) _ ((s ! n j :n)(s := 0))
Decomposition Rules
• Transitivity connects simulations
A)B B)C
A)C
A
B
C
• Monotonicity connects branching simulations
A1 ) C1 A2 ) C2
A2 [A1 =C1 ] ) C2
A1
C1
A2
C2
Abstraction Refinement
• ‘Less abstract than’ relation
• Only
_
and
Y
f - g
lose information
Y(f ^ g) - Yf ^ Yg
Information loss occurs
earlier in simulation
f (g) _ f (h) - f (g _ h)
a 1
a
b
a
a
b
b
1
b
b
b
Ya
1
Y(a ^ b)
b
b
a
b
a
a
1
a
a
a
b
1
a^b
b
a 1
1
1
Yb
Ya ^ Yb
• Affects which circuit segments are simulated independently
Conclusions
• GTL is a temporal logic for GSTE
• Textual form is easier to manage
• Fine granularity induces algebraic nature
• Logical rules express sound refinements
• Simple rules exist for decomposition/refinement
•Previously f
•f Since g
Pf
:= ¹Z:f _ YZ
f S g := ¹Z:f _ (g ^ YZ)
• Fixed-points are unique
• Can also use systems of equations, e.g.
ZERO = :reset _ Y(ONE)
ONE =
Y(ZERO)
Our Approach
Assertion
Graph:
Simulation
Steps:
[
Im
[
\
Im
\
µ
• Describe these atomic steps in a logical form
• Hope to gain reasoning rules
