Assume-Guarantee Validation for STE Properties within an SVA Environment
Tom Melham, Oxford University
Zurab Khasidashvili & Gavriel Gavrielov, Intel Israel Ltd.
Validation of the STE Verification Environment
• Assume (STE): P ⊨ A ⇒ C
• Guarantee (SVA): P = ?
• Big processor EXE proofs
• improve assumptions
• catch environment bugs
Symbolic Trajectory Evaluation
  f := n is 0 | n is 1 | f1 and f2 | N f | P → f
  A ⇒ C   (stimulus A, response C)
Example (two-input gate with inputs a, b and output out)
  a is 0 ⇒ out is 0
  b is 0 ⇒ out is 0
  v → a is 0 and ¬v → b is 0 ⇒ out is 0
Symbolic Simulation
  n is E = E → (n is 1) and ¬E → (n is 0)
  (three-input AND gate: a, b, c → o)
  (a is x) and (b is y) and (c is z) ⇒ o is x ∧ y ∧ z
Symbolic Indexing (three-input AND gate: a, b, c → o)
  a b c | o
  0 X X | 0
  X 0 X | 0
  X X 0 | 0
  1 1 1 | 1
  ¬p ∧ ¬q → (a is 0) and ¬p ∧ q → (b is 0) and p ∧ ¬q → (c is 0) and p ∧ q → ((a is 1) and (b is 1) and (c is 1))
  ⇒ ¬(p ∧ q) → (o is 0) ∧ (p ∧ q) → (o is 1)
Environmental Constraints
• Conditional verification: P[xs] ⊨ A[xs] ⇒ C[xs]
• Parametric representation: fs[vs] := param(xs, P[xs])   (v1, v2, v3 → P → f1, f2, f3)
• Efficient verification: A[fs[vs]] ⇒ C[fs[vs]]
Translation to SVA?
• Easy case: constraint x ∨ y on  a is x and b is y ⇒ …   becomes  ⊨ a || b
• Harder: constraint R[z] on  P → (a is z) and Q → (b is z) ⇒ …   becomes  ⊨ ?
Machine Representation: 5-tuples (guard, node, value, start, end)
  f := n is 0 | n is 1 | f1 and f2 | N f | P → f
  (P → a is x) and (P → N(a is x))  ≡  (P, a, x, 0, 2)
STE Proof Environment – SVA Guarantee
  P ⊨ A ⇒ C
  restrictions: ignore signals; how inputs are driven; timed / global
  assumptions: ignore behaviours; input constraints; not trigger or checker
Methodology Restrictions for Boolean Variables
• For each variable x we need at least one tuple (P, n, x, s, e)
• Variable dependency: (Q[y], _, z, _, _) makes z depend on y, and (P[x], _, y, _, _) makes y depend on x; the dependency relation is a strict partial order.
Finding a Representative Name
  T(x, g) = {(g1, _, x, _, _), …, (gn, _, x, _, _)} with g1 ⊃ g, …, gn ⊃ g
  s = earliest start time
  n = node with the earliest start time
  f = future reference time
  node(x, g) = $past(n, f-s)
Translating Boolean Constraints
  support(P) = {x1, …, xn}
  θ = choose one node(xi, gi) for each xi
  exp(P, θ) = (g1θ && … && gjθ) <= Pθ
  Exp(P) = exp(P, θ1) && … && exp(P, θk)
  Seq(P) = ##f Exp(P)
Implicit Equality Constraints
  (g1, n1, x, s1, e1) and (g2, n2, x, s2, e2) share the variable x:
  ##f Exp(g1 ∧ g2) <= ($past(n1, f-e1) == $past(n2, f-e2))
Per-Tuple Stability Constraints
  (g, n, x, s, e):  not(Seq(g)) or (##s+1 ($stable(n))[*e-s-1])
  (g, n, E, s, e):  not(Seq(g)) or ##f ($past(n, f-s) == Exp E)
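As an added worked example (not code from the slides or from the authors' tool), the rules of the representative-name, implicit-equality and per-tuple-stability slides rendered in Python that emits SVA text. Tuples are the slides' 5-tuples; guards are assumed to be conjunctions of SVA literals, so "g_i ⊃ g" becomes a literal-subset test; time indices follow the slides' formulas with f as the future reference time.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# A guard is a conjunction of SVA literals, e.g. frozenset({"P", "!Q"}); empty means true (assumption).
Guard = FrozenSet[str]

@dataclass(frozen=True)
class STETuple:
    guard: Guard   # condition under which the constraint applies
    node: str      # circuit node
    value: str     # Boolean variable name, or the constant "0" / "1"
    start: int     # first cycle the value is asserted
    end: int       # exclusive end cycle: (P, a, x, 0, 2) covers cycles 0 and 1

def exp(g: Guard) -> str:
    return " && ".join(sorted(g)) if g else "1'b1"

def representative(tuples: List[STETuple], x: str, g: Guard, f: int) -> str:
    """node(x,g): earliest-starting tuple for x whose guard is implied by g (literals of
    the weaker guard are a subset of g's), named at reference time f as $past(n, f-s)."""
    cands = [t for t in tuples if t.value == x and t.guard <= g]
    if not cands:
        raise ValueError(f"variable {x} has no tuple under guard {exp(g)}")
    t = min(cands, key=lambda t: t.start)
    return f"$past({t.node}, {f - t.start})"

def stability_constraint(t: STETuple, f: int) -> Optional[str]:
    """A variable-valued node stays stable over [s, e); a constant-valued node equals it."""
    if t.value in ("0", "1"):
        return f"not({exp(t.guard)}) or ##{f} ($past({t.node}, {f - t.start}) == 1'b{t.value})"
    reps = t.end - t.start - 1
    if reps <= 0:
        return None  # one-cycle tuple: nothing to hold stable
    return f"not({exp(t.guard)}) or (##{t.start + 1} ($stable({t.node}))[*{reps}])"

def equality_constraints(tuples: List[STETuple], f: int) -> List[str]:
    """Two tuples carrying the same variable must agree whenever both guards hold;
    on one-bit values the Boolean '<=' used by the slides is implication."""
    by_var: Dict[str, List[STETuple]] = {}
    for t in tuples:
        if t.value not in ("0", "1"):
            by_var.setdefault(t.value, []).append(t)
    out = []
    for ts in by_var.values():
        for i, a in enumerate(ts):
            for b in ts[i + 1:]:
                lhs, rhs = f"$past({a.node}, {f - a.end})", f"$past({b.node}, {f - b.end})"
                out.append(f"##{f} {exp(a.guard | b.guard)} <= ({lhs} == {rhs})")
    return out
```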
Use of Reflection
  Normal evaluation: antecedent
  Reflective overloading: antecedent → [ … (_, n, _, 1, 30) … ]
Experimental Results
  36 μop groups; 1,035 μops; 3,161 SVA checkers
  173 cluster-level tests; 1,100 core-level tests
  unused variables = 10s
  wrong assumptions = 10s
  global assumptions = 3,061
  bugs (microcode) = 2
  constant tuples = 471
  equality constraints = 84
Runtimes
  (plot: runtime per SVA property in seconds, log scale 0.1 to 100, against μop group 0 to 40)
Thank You