Specifying circuit properties in PSL
Formal methods
Mathematical and logical methods used in system development
Aim to increase confidence in the correctness of a system
Apply to both hardware and software
Formal methods
Complement other analysis methods
Are good at finding bugs
Reduce development (and test) time (Verification time is often 70% of total time in hardware design projects)
Some fundamental facts
Low level of abstraction, finite-state systems
=> automatic proofs possible (the whole state space can be explored)
High level of abstraction, fancy data types, general programs
=> fully automatic proofs IMPOSSIBLE in general (the questions become undecidable)
Two main approaches
• Squeeze the problem down into one that can be handled automatically
– industrial success of model checkers
– automatic proof-based methods very hot
• Use powerful interactive theorem provers and highly trained staff
– for example Harrison’s work at Intel on floating point algorithms (http://www.cl.cam.ac.uk/users/jrh/)
Model Checking
(diagram, after Ken McMillan: a finite-state model and a property, here G(p -> F q), are the inputs to the MC algorithm; the output is either "yes" or "no" together with a counterexample trace over the signals p and q)
Again two main approaches
• Linear-time Temporal Logic (LTL)
– must properties, safety and liveness
– Pnueli, 1977
• Computation Tree Logic (CTL)
– branching time, may properties, safety and liveness
– Clarke and Emerson, Queille and Sifakis, 1981
Linear time conceptually simpler (words vs trees)
Branching time computationally more efficient (CTL model checking is linear in the size of the formula, LTL model checking is exponential in it)
We will return to this in a later lecture
But
temporal logics hard to read and write!
Computation Tree Logic
A sequence beginning with the assertion of signal strt, and containing two not necessarily consecutive assertions of signal get, during which signal kill is not asserted, must be followed by a sequence containing two assertions of signal put before signal end can be asserted
AG~(strt & EX E[~get & ~kill U get & ~kill & EX E[~get & ~kill U get & ~kill & E[~put U end] | E[~put & ~end U (put & ~end & EX E[~put U end])]]])
Basis of PSL was Sugar (IBM, Haifa)
Grew out of CTL (I believe)
Added lots of syntactic sugar
Engineer friendly, used in many projects
Used in RuleBase, IBM’s industrial-strength model checker
Assertion Based Verification (ABV) can be done in two ways
During simulation (dynamic, at runtime, called semi-formal verification; checks only those runs that are actually simulated)
As a static check (formal verification; covers all possible runs, more comprehensive, harder to do, restricted to a subset of the property language)
(Note: this duality has been important for PSL’s practical success, but it also complicates the semantics!)
Properties
always (p)
states that p (a boolean expression made from signal names, constants and operators) is true on every cycle
always (! (gr1 & gr2))
states that the grants gr1 and gr2 are never both asserted in the same cycle
Safety Properties
always (p)
”Nothing bad will ever happen”
Most common type of property checked in practice
Easy to check (more later)
Disproved by a finite run of the system
Observer: a second approach
Observer written in same language as circuit
Safety properties only
Used in verification of control programs (and in Lava later)
(diagram: the observer circuit FProp is wired to the signals of the circuit under verification and produces a single output ok)
Back to PSL
always (p) Talks about one cycle at a time
Sequential Extended Regular Expressions (SEREs) allow us to talk about spans of time
A SERE describes a set of traces
It is a building block for a property
http://www.eda.org/vfv/docs/PSL-v1.1.pdf
SERE examples
{req; busy; grnt}
All sequences of states, or traces, in which req is high on the first cycle, busy on the second, and grnt on the third.
(source Sugar 2.0 presentation from IBM’s Dana Fisman and Cindy Eisner, with thanks)
SERE examples
{req; busy; grnt}
(waveform: req, busy, grnt)
is in the set of traces
SERE examples
{req; busy; grnt}
(waveform: req, busy, grnt)
This too
SERE examples
{req; busy; grnt}
(waveform: req, busy, grnt)
and this
SERE examples
{req; busy; grnt}
(waveform: req, busy, grnt)
but not this
Why?
SERE examples
How can we specify ONLY those traces that start like this?
(waveform: req, busy, grnt)
SERE examples
(waveform: req, busy, grnt)
{req & !busy & !grnt; !req & busy & !grnt; !req & !busy & grnt}
SERE examples
How do we say that the {req, busy, grnt} sequence can start anywhere?
(waveform: req, busy, grnt)
SERE examples
{[*]; req; busy; grnt}
(waveform: req, busy, grnt)
[*] means skip zero or more cycles
SERE examples
{[*]; req; busy; grnt}
(waveform: req, busy, grnt)
so our original trace is still in the set described
SERE examples
{true; req; busy; grnt}
(waveform: req, busy, grnt)
says that the req, busy, grnt sequence starts exactly in the second cycle. It constrains only cycles 2, 3, 4
{true[*4]; req; busy; grnt}
the req, busy, grnt sequence starts exactly in cycle 5
{true[+]; req; busy; grnt}
the sequence starts in cycle 2 or later
true[+] = [+] one or more trues
true[*] = [*]
{[*]; req; busy[*3:5]; grnt}
at least 3 and at most 5 busys
{[*]; req; {b1; b2}[*]; grnt}
{[*]; req; {b1; b2; b3}[*7]; grnt}
subsequences can also be repeated
&&
Simultaneous subsequences
Same length, start and end together
{start; a[*]; end} && {!abort[*]}
|
One of the subsequences should be matched
Don’t need to be the same length
{request; {rd; !cncl_r; !dne[*]} | {wr;!cncl_w;!dne[*]};dne}
Fancier properties at last!
SEREs are themselves properties (in the latest version of PSL). Properties are also built from subproperties.
{SERE1} |=> {SERE2} is a property
If a trace matches SERE1, then its continuation should match SERE2
{true[*]; req; ack} |=> {start; busy[*]; end}
(waveform: the "if" part req, ack is followed by the "then" part start, busy[*], end)
Not just the first req, ack
{true[*]; req; ack} |=> {start; busy[*]; end}
(waveform: two req, ack handshakes, each followed by its own start, busy[*], end)
Overlap also possible!
{true[*]; req; ack} |=> {start; busy[*]; end}
(waveform: the second req, ack arrives while the first start, busy[*], end is still in progress, so the two "then" parts overlap)
{true[*]; req; ack} |=> {start; data[*]; end}
(waveform: "if" part req, ack; "then" part start, data[*], end)
{true[*]; req; ack} |=> {start; data[=8]; end}
(waveform: the eight data assertions, numbered 1 to 8, fall in non-consecutive cycles between start and end)
Can check for data in non-consecutive cycles
A form of implication
{SERE1} |=> {SERE2}
If a trace matches SERE1, then its continuation should match SERE2
Another form of implication
{SERE1} |-> {SERE2}
If a trace matches SERE1, then SERE2 should be matched, starting from the last element of the trace matching SERE1
So there is one cycle of overlap in the middle
Example
{[*]; start; busy[*]; end} |-> {success; done}
If signal start is asserted, signal end is asserted at the next cycle or later, and in the meantime signal busy holds, then success is asserted at the same time as end is, and in the next cycle done is asserted
Example
{[*]; {start; c[*]; end}&&{!abort[*]}} |-> {success}
If there is no abort during {start,c[*],end}, success will be asserted with end
{SERE1} |=> {SERE2} = {SERE1} |-> {true; SERE2}
Both are formulas of the linear fragment (which is based on LTL). In Jasper Gold, we use this linear part.
There is also an optional branching extension (which is where CTL comes back in)
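The semantics sketched on the SERE slides (a SERE denotes a set of finite traces; `;`, `[*]`, `[*m:n]`, `[=n]`, `&&` and `|` build larger sets from smaller ones) and on the implication slides (`|->` overlaps the antecedent by one cycle, `|=>` does not, and `always` applies the obligation to every match, not just the first) can be made concrete with a small finite-trace checker. The Python below is an added example written for this transcript; it is not from the lecture, from the PSL LRM or from any tool. A SERE is represented as a function from a trace and a start cycle to the set of cycles at which a tight match can end, which is enough to run the slides' own formulas over hand-constructed waveforms (the signal names and formulas are the slides', the waveforms are made up here). Two simplifications are assumptions of this example, not of PSL: a consequent must complete within the finite trace (the strong reading; a simulator would report an unfinished obligation at end of simulation differently), and only the operators the slides use are implemented.

```python
"""Finite-trace checker for the SERE and suffix-implication part of PSL.
A trace is a list of cycles (dict: signal -> bool).  A SERE is a function
sere(trace, i) -> set of end positions j such that it tightly matches trace[i:j].
A property is a function prop(trace, i) -> bool."""
from typing import Callable, Dict, List, Optional, Set

Cycle, Trace = Dict[str, bool], List[Dict[str, bool]]
Sere, Prop = Callable[[Trace, int], Set[int]], Callable[[Trace, int], bool]

def expr(pred: Callable[[Cycle], bool]) -> Sere:
    """Boolean SERE: matches exactly one cycle, when pred holds there."""
    return lambda tr, i: {i + 1} if i < len(tr) and pred(tr[i]) else set()

def sig(name: str) -> Sere:            # req
    return expr(lambda c: c[name])

def nsig(name: str) -> Sere:           # !abort
    return expr(lambda c: not c[name])

TRUE = expr(lambda c: True)            # true: skip exactly one cycle

def seq(*parts: Sere) -> Sere:
    """Concatenation {r1; r2; ...}: every end of r1 is a start for r2, and so on."""
    def match(tr: Trace, i: int) -> Set[int]:
        ends = {i}
        for r in parts:
            ends = set().union(*(r(tr, e) for e in ends))
        return ends
    return match

def star(r: Sere, lo: int = 0, hi: Optional[int] = None) -> Sere:
    """Repetition r[*lo:hi] (hi=None: unbounded).  [*n] is star(r, n, n), [+] is star(r, 1)."""
    def match(tr: Trace, i: int) -> Set[int]:
        ends, frontier, k = set(), {i}, 0
        while frontier and (hi is None or k <= hi):
            if k >= lo:
                if frontier <= ends:       # fixed point: more repetitions add nothing
                    break
                ends |= frontier
            frontier = set().union(*(r(tr, e) for e in frontier))
            k += 1
        return ends
    return match

SKIP = star(TRUE)                      # [*]: zero or more arbitrary cycles

def count(name: str, n: int) -> Sere:
    """b[=n], exactly n (not necessarily consecutive) cycles with b high, via the
    core expansion {!b[*]; b}[*n]; !b[*] quoted on the slides."""
    return seq(star(seq(star(nsig(name)), sig(name)), n, n), star(nsig(name)))

def both(a: Sere, b: Sere) -> Sere:    # {a} && {b}: same start, same end
    return lambda tr, i: a(tr, i) & b(tr, i)

def either(a: Sere, b: Sere) -> Sere:  # {a} | {b}: either one may match
    return lambda tr, i: a(tr, i) | b(tr, i)

def suffix_impl(ante: Sere, cons: Sere) -> Prop:
    """{ante} |-> {cons}: for EVERY non-empty match of ante ending in cycle j-1,
    cons must match starting in that same cycle (one cycle of overlap).  Strong
    finite-trace reading: cons has to complete before the trace runs out."""
    return lambda tr, i: all(cons(tr, j - 1) for j in ante(tr, i) if j > i)

def next_impl(ante: Sere, cons: Sere) -> Prop:
    """{ante} |=> {cons}, defined as {ante} |-> {true; cons} exactly as on the slide."""
    return suffix_impl(ante, seq(TRUE, cons))

def always(p: Prop) -> Callable[[Trace], List[int]]:
    """always(p): p must hold from every cycle.  Returns the cycles where it fails,
    i.e. the starts of finite counterexamples; [] means the trace passes."""
    return lambda tr: [i for i in range(len(tr)) if not p(tr, i)]

def trace(**waves: str) -> Trace:
    """Constructed sample input: one '0'/'1' string per signal, one char per cycle."""
    n = len(next(iter(waves.values())))
    return [{s: w[c] == "1" for s, w in waves.items()} for c in range(n)]

# Slides 32-34: each req, ack handshake must be followed by start, busy[*], end.
# The second handshake arrives while the first transaction is still running
# (overlap); in BAD the second transaction never ends.      cycle: 0123456789
GOOD = trace(req="1000100000", ack="0100010000", start="0010001000",
             busy="0001100100", end="0000010010")
BAD = trace(req="1000100000", ack="0100010000", start="0010001000",
            busy="0001100100", end="0000010000")
HANDSHAKE = always(next_impl(seq(SKIP, sig("req"), sig("ack")),
                             seq(sig("start"), star(sig("busy")), sig("end"))))

# Slide 39: success in the same cycle as end, done one cycle later.  |-> starts
# the consequent on the end cycle; |=> would start it one cycle too late.
TXN = trace(start="100000", busy="011000", end="000100", success="000100", done="000010")
TXN_ANTE = seq(SKIP, sig("start"), star(sig("busy")), sig("end"))
TXN_CONS = seq(sig("success"), sig("done"))

# Slide 40: an abort inside start..end removes the antecedent match, so the
# property holds vacuously; without abort, success is required together with end.
NO_SUCCESS = trace(start="1000", c="0110", end="0001", abort="0000", success="0000")
ABORTED = trace(start="1000", c="0110", end="0001", abort="0010", success="0000")
ABORT_PROP = always(suffix_impl(seq(SKIP, both(seq(sig("start"), star(sig("c")), sig("end")),
                                               star(nsig("abort")))), sig("success")))
if __name__ == "__main__":
    print("handshake GOOD:", HANDSHAKE(GOOD), " BAD:", HANDSHAKE(BAD))
    print("|->:", always(suffix_impl(TXN_ANTE, TXN_CONS))(TXN),
          " |=>:", always(next_impl(TXN_ANTE, TXN_CONS))(TXN))
    print("no success:", ABORT_PROP(NO_SUCCESS), " aborted:", ABORT_PROP(ABORTED))
```

Running the module prints the violating start cycles for the three slide properties: the handshake property passes on GOOD and fails from cycles 0 to 4 on BAD, where the second start is never followed by end (every cycle from which the second req, ack can be reached is a counterexample start, which is what "not just the first req, ack" means operationally); the slide-39 property passes with `|->` and fails with `|=>`, because success coincides with end; and the slide-40 property holds on the aborted trace only because the antecedent never matches. That last case is worth remembering when a checker reports a pass: an obligation that is never triggered proves nothing about the consequent, so a separate cover check that the antecedent does match at least once is usually wanted.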
PSL has a small core and the rest is syntactic sugar, for example
b[=i] = {not b[*]; b}[*i] ; not b[*]
See formal semantics in LRM
PSL
Regular expressions (plus some operators)
+ Linear temporal logic (LTL)
+ Lots of syntactic sugar
+ (optional) Computation tree logic (CTL)
Example revisited
A sequence beginning with the assertion of signal strt, and containing two not necessarily consecutive assertions of signal get, during which signal kill is not asserted, must be followed by a sequence containing two assertions of signal put before signal end can be asserted
AG~(strt & EX E[~get & ~kill U get & ~kill & EX E[~get & ~kill U get & ~kill & E[~put U end] | E[~put & ~end U (put & ~end & EX E[~put U end])]]])
In PSL (with 8 for 2)
A sequence beginning with the assertion of signal strt, and containing eight not necessarily consecutive assertions of signal get, during which signal kill is not asserted, must be followed by a sequence containing eight assertions of signal put before signal end can be asserted
always({strt; {get[=8]}&&{kill[=0]}}
|=> {{put[=8]}&&{end[=0]}})
PSL
Seems to be reasonably simple, elegant and concise!
Jasper’s Göteborg based team have helped to define and simplify the formal semantics.
See the LRM and also the paper in FMCAD 2004
Friday’s lecture
About Jiri Gaisler’s two process method of using VHDL
Next week, I will return to CTL and how to model check it
Note, I will omit LTL model checking in this year’s course