Synchronization Verification in SystemLevel Design with ILP Solvers

Synchronization Verification in System-Level Design with ILP Solvers Thanyapat Sakunkonchak Satoshi Komatsu Masahiro Fujita VLSI Design and Education Center (VDEC) MEMOCODE'05

Contents n Introduction ¡ ¡ n n System-level design VS Verification Spec. C language & concurrency Related work & verification flow Verification based on equalities/inequalities interpretation Preliminary experimental results Summary & Future direction 10/7/2020 MEMOCODE'05 2

System-Level Design & Verification System-Level System synthesis High-level synthesis RTL Logic synthesis Layout synthesis 30 minutes delay Modify source & re-compile 3 days delay Modify RTL & re-synthesis 3 weeks delay Re-layout Layout Bugs fix time Cost due to the delay/late time-to-market Revenue loss Recover as many bugs as possible in the earlier stages is necessary Verification in system-level design 10/7/2020 MEMOCODE'05 3

Design methodology: From system-level design n n Requirement analysis Functional specification to architecture and then to implementation Behavior to structure Appropriately introduce “analog devices” for higher performance Requirement analysis Analog parts µProcessor Control IP Comp. Memory Pipeline RAM IF FSM IP Netlist State PC Interface IR Control Interface Processors IPs Memories Busses Functional specification + constraints 10/7/2020 Memory Analog parts Bus Interface Registers ALUs/FUs Memories Gates State Datapath Mem RF IF FSM Memory State ALU Custom HW System architecture + estimates MEMOCODE'05 RTL/IS Implementation + results 4

Proposed design methodology: From verification point of view n So. C System-level design/verification Equivalence Checking Specification (C language) Refined C Descriptions Design descriptions w/ concurrency (Spec. C) Use behavior synthesis RTL descriptions Pointers & recursive functions are not considered in the HW design Synchronization Verification • Many designers • Many modifications in designs ・Highly possible for bugs to be inserted ・High cost for fixing bugs in lower level Efficient formal verification methods are necessary 10/7/2020 MEMOCODE'05 5

Spec. C language n n System-level specification/design language based on C Supports System-on-a-Chip (So. C) design Can describe both hardware and software seamlessly Spec. C C + [par{ } + notify + waitfor] semantics Concurrency or parallelism Notes: • There are various of C-based verification researches & tools (SLAM, BLAST, MAGIC) • Since it’s C-based sequential • We apply the verification for C + “parallel behaviors” 10/7/2020 MEMOCODE'05 6

Concurrency: Par Statement in Spec. C C Language void A() { A Spec. C Language void A() { A } void B() { B } void C() { } void main() { A(); B(); C(); } 10/7/2020 } void C() { C C } void main() { par{ A. main(); B. main(); } C. main(); } MEMOCODE'05 7

Synchronization in Spec. C n Add notify/wait of event e for sync. ¡ ‘wait’ will stop process until it is ‘notify’ void A() { A notify e 1; wait e 2; B Process B stops and wait until e 1 is notified } void B() { wait e 1; notify e 2; } void main() { par { A. main(); B. main(); } } 10/7/2020 notify e 1 Process A stops and wait until e 2 is notified wait e 2 wait e 1 notify e 2 B resumes A resumes MEMOCODE'05 8

Synchronization in Spec. C (cont. ) n n Tas=Tbs, Tae=Tbe Tas<=T 1 s<T 1 e<=T 2 s<T 2 e<=Tas Tbs<=T 3 s<T 3 e<=Tbe T 2 e<=T 3 s These equations can be solved with Integer Linear Programming Solver 10/7/2020 MEMOCODE'05 9

Why synchronization verification? n n Usually the abstracted design is still too large There are many parallel processes in system-level design ¡ n To operate properly, those parallel processes must be properly synchronized Targeting only synchronization verification, the problem size can be significantly reduced 10/7/2020 MEMOCODE'05 10

Why synchronization verification? n n Checking property, e. g. “● will be executed after ●, ” in parallel processes is difficult It is easier once the execution order is guaranteed (correctly sync. ) Now targeting only “synchronization verification” Other properties, e. g. safety, can also be verified Process A N Process B Process C W N N ? W W N W 10/7/2020 MEMOCODE'05 11

Contents n Introduction ¡ ¡ n n System-level design VS Verification Spec. C language & concurrency Related work & verification flow Verification based on equalities/inequalities interpretation Preliminary experimental results Summary & Future direction 10/7/2020 MEMOCODE'05 12

Related work n Predicate abstraction ¡ n Abstraction refinement ¡ ¡ ¡ n Graf & Saidi ’ 97 Kurshan ’ 93 Clarke et al ’ 00 Ball & Rajamani ’ 00 C-based software verification ¡ ¡ ¡ SLAM MAGIC BLAST 10/7/2020 MEMOCODE'05 13

Related work n Spec. C-based verification ¡ ¡ Difference Decision Diagrams (DDDs) [Sakunkonchak & Fujita ’ 02] SAT-based predicate abstraction [Jain et al ’ 04] 10/7/2020 MEMOCODE'05 14

Formal Verification with Abstraction Refinement (CEGAR) The abstract design’s size is enough to be handled Design Abstract Design Property Model checker Widely used verification philosophy: + abstract counterexample Counter-Example Guided Abstraction Refinement (CEGAR) Refine Check abstract counterexample + real counterexample 10/7/2020 MEMOCODE'05 15

Synchronization verification 10/7/2020 MEMOCODE'05 16

Contents n Introduction ¡ ¡ n n System-level design VS Verification Spec. C language & concurrency Related work & verification flow Verification based on equalities/inequalities interpretation Preliminary experimental results Summary & Future direction 10/7/2020 MEMOCODE'05 17

Verification of 2 parallel behaviors (1/3) n Inside ‘while’ loops which contain notify/wait, we eliminate the loop ¡ Verification is fast but limit to concept ‘synchronization must (not) occur in the same iteration while (1) { if stmnt switch stmnt notify e 1 while (1) { if stmnt switch stmnt wait e 1 while (1) { if stmnt switch stmnt notify e 1 wait e 2 } 10/7/2020 if stmnt switch stmnt wait e 1 notify e 2 } while (1) { } MEMOCODE'05 } 18

Verification of 2 parallel behaviors (2/3) n N and M times unrolling ¡ Synchronization can occur in different iterations while (1) { if stmnt switch stmnt wait e 1 notify e 2 while (1) { if stmnt switch stmnt notify e 1 while (1) { if stmnt switch stmnt wait e 1 if stmnt switch stmnt notify e 1 wait e 2 } while (1) { notify e 2 if stmnt switch stmnt notify e 1 wait e 2 } } 10/7/2020 } MEMOCODE'05 } while (1) { if stmnt switch stmnt wait e 1 notify e 2 } 19

Verification of 2 parallel behaviors (3/3) n Translate ‘while’ loop into FSMs (can apply to nested loops) ¡ Ordinary model checkers can be applied but the computation is expensive while (1) { if stmnt switch stmnt notify e 1 while (1) { if stmnt switch stmnt wait e 1 notify e 2 wait e 2 } 10/7/2020 } MEMOCODE'05 if stmnt switch stmnt notify e 1 wait e 1 switch stmnt notify e 2 wait e 2 if stmnt 20

Example (1) n Par notify e 1 behavior 1 {notify e 1; a; wait e 2; b} wait e 1 behavior 2 {wait e 1; c; notify e 2; d} ¡ e 1 < a, a < e 2, e 2 < b, e 1 < c, c < e 2, e 2 < d ¡ Are there exist a, b, c, d, e 1, e 2 > 0 ? Yes → the result is correct n Par wait e 2 a wait e 2 b c notify e 2 d a notify e 1 b wait e 1 c notify e 2 behavior 1 {wait e 2; a; notify e 1; b} behavior 2 {wait e 1; c; notify e 2; d} ¡ e 2 < a, a < e 1, e 2 < b, e 1 < c, c < e 2, e 2 < d ¡ Are there a, b, c, d, e 1, e 2 > 0 ? No, due to conditions a < c and c < a → Deadlock 10/7/2020 MEMOCODE'05 d 21

Example (2) n Par behavior 1 {notify e 1; a; waitfor(10); wait e 2; b} behavior 2 {wait e 1; waitfor(10); c; notify e 2; d} ¡ e 1 < a, a + 10 < e 2, e 2 < b, e 1 + 10 < c, c < e 2, e 2 < d ¡ Are there exist a, b, c, d, e 1, e 2 > 0 ? notify e 1 a 　ｗaitfor(10) Yes → the result is correct ¡ Can we tell that b < c ? wait e 1 　ｗaitfor(10) c No → actually c < b n wait e 2 b notify e 2 d Par behavior 1 {notify e 1; a; wait e 2; waitfor(10); b} behavior 2 {wait e 1; waitfor(10); c; notify e 2; d} ¡ e 1 < a, a < e 2, e 2 + 10 < b, e 1 + 10 < c, c < e 2, e 2 < d ¡ Are there exist a, b, c, d, e 1, e 2 > 0 ? Yes → the result is correct ¡ Can we tell that b – e 1 < 20 ? notify e 1 No a wait e 1 　ｗaitfor(10) 10/7/2020 MEMOCODE'05 wait e 2 　ｗaitfor(10) b c notify e 2 d 22

Example (3) par A; if (x==y) notify e 1; B; wait e 2; C; if (x==y) wait e 1; D; notify e 2; par A; if (x==y) notify e 1; B; wait e 2; C; if (x>y) wait e 1; D; notify e 2; par A; if (x==y) notify e 1; waitfor(10); B; wait e 2; 10/7/2020 C; if (x==y) wait e 1; waitfor(10); D; notify e 2; Predicate: P 1 => (x == y) A < B < w_e 2; P 1 -> (A < n_e 1 < B); C < D < n_e 2; P 1 -> (C < w_e 1 < D); P 1 -> (n_e 1 < w_e 1); n_e 2 < w_e 2; Q: This design is OK? A: Yes Q: A < D? A: Not necessary Q: (x == y) & (A < D)? A: Yes Predicate: P 1 => (x == y); P 2 => (x < y) A < B < w_e 2; P 1 -> (A < n_e 1 < B); C < D < n_e 2; P 2 -> (C < w_e 1 < D); (P 1 & P 2) -> (n_e 1 < w_e 1); n_e 2 < w_e 2; Q: This design is OK? A: No Counterexample: P 1 & ~P 2 Predicate: P 1 => (x == y) A < W 4_x; W 4_x + 10 < B < w_e 2; P 1 -> (A < n_e 1 < W 4_x); C < W 4_y; W 4_y + 10 < D < n_e 2; P 2 -> (C < w_e 1 < W 4_y); P 1 -> (n_e 1 < w_e 1); n_e 2 < w_e 2; Q: This design is OK? A: No Q: A < D? A: Not necessary Q: (x == y) & (A < D)? A: Yes MEMOCODE'05 23

Synchronization verification 10/7/2020 MEMOCODE'05 24

Synchronization verification n Boolean Spec. C is automatically generated ¡ ¡ n Abstraction refinement ¡ n Expression statements other than synchronization ones (notify/waitfor) are abstracted away For conditional statements, the guarded predicates are replaced with boolean (or control) variables Analyze the false counterexample path according to the control variables Synchronization property ¡ ¡ Synchronization is completed if ‘wait’ was notified A deadlock occurs once ‘wait’ is reached but ‘notify’ is not 10/7/2020 MEMOCODE'05 25

Contents n Introduction ¡ ¡ n n System-level design VS Verification Spec. C language & concurrency Related work & verification flow Verification based on equalities/inequalities interpretation Preliminary experimental results Summary & Future direction 10/7/2020 MEMOCODE'05 26

Verification conditions n n n Real applications are verified Focusing only synchronization (notify/waitfor under par{ }), problem size can be significantly reduced Running on Linux machine, P 4 1. 7 GHz & 512 MB RAM, deadlock can be detected within few minutes 10/7/2020 MEMOCODE'05 27

Experimental results n The designs were prepared such that they do not contain the followings ¡ ¡ ¡ Recursive functions Pointers Synchronization of multiple events 10/7/2020 MEMOCODE'05 28

Contents n Introduction ¡ ¡ n n System-level design VS Verification Spec. C language & concurrency Related work & verification flow Verification based on equalities/inequalities interpretation Preliminary experimental results Summary & Future direction 10/7/2020 MEMOCODE'05 29

Summary n Synchronization verification of Spec. C based on equalities/inequalities interpretation was described ¡ ¡ ¡ n Abstraction Verification Abstraction refinement This work illustrates the verification based on synchronization property, but other properties, e. g. safety, can also be verified 10/7/2020 MEMOCODE'05 30

Future directions n Once the synchronization is guaranteed (for some parallel behaviors), can we generate an equivalent sequential behavior? This is one of the important issues in system-level design, “the equivalence checking” 10/7/2020 MEMOCODE'05 31

Thank You 10/7/2020 MEMOCODE'05 32