Transition by Transition FSM Traversal for Reachability Analysis in Bounded Model Checking | EECS 578, Papers of Electrical and Electronics Engineering

Material Type: Paper; Class: CAD Verif Dig Syst; Subject: Electrical Engineering And Computer Science; University: University of Michigan - Ann Arbor; Term: Unknown 1989;

Uploaded on 09/02/2009

Partial preview of the text

Transition-by-Transition FSM Traversal for Reachability Analysis in Bounded Model Checking

Minh D. Nguyen, Dominik Stoffel, Markus Wedler, Wolfgang Kunz
Department of Electrical and Computer Engineering, University of Kaiserslautern, Germany
{nguyen, stoffel, wedler, kunz}@eit.uni-kl.de

Abstract— In bounded model checking (BMC)-based verification flows, lack of reachability constraints often leads to false negatives. At present, it is daily practice of a verification engineer to identify the missing reachability constraints by manually inspecting the design code and by analyzing counterexamples. This, unfortunately, requires a lot of effort and is prone to errors. We propose an algorithm to determine reachability constraints automatically. The proposed approach applies to a design style where the operation of the design is controlled by a main FSM which can easily be extracted from the RTL description of the circuit. The algorithm decomposes and analyzes the state space of the circuit by considering transitions of the main FSM. Experimental results show that the proposed method can considerably reduce the manual work of verification engineers.

I. INTRODUCTION

A. Reachability constraints in a BMC-based verification flow

In recent years, bounded model checking (BMC) [1] has been used successfully to verify large industrial designs formally. In the BMC-based verification flow, a sequential circuit is unrolled for a finite number of time frames and is then translated together with a property into a SAT instance. In practice, the property is not always checked from the set of initial states as in [1]. Instead of the general AG property, the practical property typically specifies a set of starting states, a set of stopping states and input/output conditions.
The property is used to prove the correct execution of a certain operation by the circuit. Whenever the circuit starts in one of the starting states and goes through a sequence of states under the input conditions, it should stop in one of the stopping states and fulfill the output conditions¹. A simple example of such a property is

$$(state = idle \land input = req) \rightarrow AX^n(state = ready \land output = ack) \qquad (1)$$

where n is a small number. The sets of starting {state = idle} and stopping {state = ready} states used in the property should be reachable from the initial states of the circuit, otherwise it may lead to a false negative. For example, the circuit checked by the property in Equation 1 may use a counter cnt to keep track of time; it transfers to state ready iff cnt = n. Therefore, the property will fail because it does not specify the value of the counter. For example, one false counterexample is that (state = idle ∧ cnt = 1) leads to (state = ready ∧ output = ack) after n−1 cycles but not n cycles.

¹ The property is similar to a property in a Symbolic Trajectory Evaluation (STE)-based verification flow [2]. Although we focus here on the BMC-based flow, the proposed method can be applied for the STE-based verification flow as well.

Fig. 1. BMC-based verification flow (non-shaded parts) and the proposed algorithm (shaded parts). [Figure residue: block labels "RTL description", "main FSM", "informal specification", "automatic extraction", "writes properties", "properties (bounded)", "property checking (BMC-based)", "property holds" / "property fails", "true negative?" / "false negative?", "bug report", "counter example", "automatic analysis", "finds reachability constraints", "additional reachability constraints", "updates properties".]
The property holds if the condition cnt = 0 is added to the starting state idle of the property, e.g.:

$$(state = idle \land cnt = 0 \land input = req) \rightarrow AX^n(state = ready \land output = ack)$$

Reachability constraints such as the correspondence between state and cnt in the example are necessary to avoid false negatives when properties are proven. They are currently determined manually by inspecting the design code and by analyzing counterexamples. Note that the validity of manually found reachability constraints, such as the invariant AG(state = idle → cnt = 0) in the example, must be proven as well. In practice, they are included in the set of properties.

In this paper, we consider a certain design style that is often used to implement protocols and other specifications consisting of many FSMs. We assume that the behavior of the design is controlled by a main FSM that interacts with a hierarchy of sub-FSMs.

In the conventional verification flow, shown as the non-shaded part in Figure 1, the verification engineer writes properties based on the main FSM of the design. Note that there exist commercial tools to automatically extract the main FSM from the source code of a design. The properties specify functional operations of the design corresponding to a sequence of states of the main FSM (main states). The sets of starting and stopping states of the properties are related to main states. Initially, reachability constraints involving the other state variables belonging to the sub-FSMs are not specified in the properties. Thus, the properties often fail because of false negatives when checked by a property checking method. The verification engineer needs to extend his analysis to the behavior of the sub-FSMs in order to identify reachability constraints and to update the properties. This, unfortunately, requires a lot of effort and is prone to errors.

0-7803-9254-X/05/$20.00 ©2005 IEEE.
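The false negative described in this section, worked through as an added example that is not part of the paper: a constructed circuit with main states idle, counting and ready and a counter cnt (the names, the bound N and the step function are assumptions) is unrolled for N cycles under every input sequence, once from every idle state and once with the reachability constraint cnt = 0 added to the starting state. A second function computes the exact reachable states of the same circuit to confirm that the invariant AG(state = idle → cnt = 0) holds, which is what makes the added constraint valid.

```python
from itertools import product

# Constructed example circuit (not the paper's): the main FSM has states idle,
# counting and ready; the counter cnt keeps track of time and the design enters
# ready exactly when cnt reaches N. N is a hypothetical small bound.
N = 3
IDLE, COUNTING, READY = "idle", "counting", "ready"


def step(state, cnt, req):
    """One clock cycle: returns (state', cnt'). The counter keeps counting from
    whatever value it holds when req arrives in idle, which is what creates the
    correspondence between state and cnt that the property silently relies on."""
    if state == IDLE:
        return (COUNTING, min(cnt + 1, N)) if req else (IDLE, cnt)
    if state == COUNTING:
        return (READY if cnt == N - 1 else COUNTING, min(cnt + 1, N))
    return (IDLE, 0)  # ready: go back to idle and clear the counter


def output(state):
    """Output ack is asserted while the circuit is in ready."""
    return 1 if state == READY else 0


def bmc_check(starting_states, n=N):
    """Bounded check of (state = idle ∧ input = req) → AX^n (state = ready ∧ output = ack):
    the circuit is unrolled for n cycles from every starting (state, cnt) pair under
    every input sequence whose first input is req. Returns the starting states that
    violate the property; an empty set means the property holds."""
    failing = set()
    for (s0, c0) in starting_states:
        for seq in product((0, 1), repeat=n):
            if seq[0] != 1:  # antecedent: input = req in the first cycle
                continue
            s, c = s0, c0
            for req in seq:
                s, c = step(s, c, req)
            if not (s == READY and output(s) == 1):
                failing.add((s0, c0))
                break
    return failing


def reachable(init=(IDLE, 0)):
    """Exact reachable states from the initial state (explicit fixpoint)."""
    seen, work = {init}, [init]
    while work:
        s, c = work.pop()
        for req in (0, 1):
            nxt = step(s, c, req)
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def invariant_idle_cnt0(states):
    """AG(state = idle → cnt = 0) over a set of states."""
    return all(c == 0 for s, c in states if s == IDLE)


if __name__ == "__main__":
    unconstrained = {(IDLE, c) for c in range(N + 1)}   # starting states: idle, any cnt
    print("false negatives:", bmc_check(unconstrained))  # idle with cnt = 1, 2, 3
    print("with cnt = 0:", bmc_check({(IDLE, 0)}))       # empty: property holds
    print("invariant valid:", invariant_idle_cnt0(reachable()))
```

Without the constraint the checker reports (idle, 1), which reaches ready after N−1 cycles and is back in idle at cycle N, exactly the false counterexample the text describes; with cnt = 0 in the starting state the property holds, and the reachability computation shows that cnt = 0 is the only value idle ever occurs with.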
In this paper, we propose a technique to identify the reachability constraints automatically. Our algorithm and its output are represented as the shaded part in Figure 1. In order to provide the verification engineer with additional reachability constraints, the algorithm analyzes the circuit using the information of the main FSM. These additional constraints help to eliminate false negatives. This means that the verification engineer only needs to focus on the main FSM, which is usually fairly small. In this way, the number of false negatives as well as the effort of inspecting the code and of updating properties later are reduced dramatically. Moreover, in contrast to manually found reachability constraints, the constraints derived by the proposed method are automatically proven to be valid.

B. Related work

The problem of state space explosion in model checking may be avoided by decomposing the characteristic functions of the state set and the transition relation into partitions. In [3], [4], [5] the characteristic function of the transition relation is considered as a conjunction of partitioned functions and is manipulated using an early quantification operation. In other approaches, the state set and the transition relation are decomposed as a disjunction of the characteristic functions which are manipulated separately [6], [7], [8], [9]. In [10], [11], [12] the transition function is decomposed as a disjunction by means of input and output splitting. The combination of disjunctive and conjunctive decomposition is proposed in [13].

Cho et al. presented an approximate FSM traversal method based on state space decomposition [14]. Their basic idea is to partition the circuit into several sub-FSMs and to perform a symbolic traversal for each individual sub-FSM. There are two classes of approximate traversal algorithms in [14]: Machine By Machine (MBM) and Frame By Frame (FBF). The latter has two variants called Reached FBF (RFBF) and To FBF (TFBF).
In [15], Cho et al. proposed methods to automatically determine good partitions of the circuit. Another method to partition the circuit using overlapping projections was presented in [16]. In [17], extensions were made to improve the convergence of the RFBF algorithm by proposing the Least fixpoint Machine By Machine (LMBM) algorithm.

Another thread of research related to our work is Generalized Symbolic Trajectory Evaluation (GSTE). Here the property under verification is specified as an assertion graph and is used for decomposing the problem [18], [19], [20], [21]. As highlighted in [19], the GSTE algorithm decomposes the set of states satisfying the property using the assertion graph.

C. Contribution

Whereas the previous works aim at calculating or approximating the reachable states for the whole circuit, our goal is to identify reachability constraints in relation to main states of the circuit, which are necessary to write properties in a BMC-based verification flow. This is done by calculating the sets of reachable states corresponding to main states. In our method, the state space is decomposed into sets of states corresponding to main states. The sets of reachable states are calculated exactly by considering state transitions in the main FSM (main transitions). Using the main FSM to guide the decomposition procedure clearly distinguishes our method from the previous decomposition methods.

Although the core algorithm in GSTE [18] looks very similar to our FSM traversal algorithm, there are subtle (but important) differences. In GSTE, the state space satisfying the property is decomposed based on state predicates called antecedents, which are associated with the edges of the assertion graph. In our algorithm, not only the state space but also the transition relation is decomposed, and this decomposition is performed with respect to individual transitions in the main FSM.
Whereas GSTE carries out conventional (unconstrained) image computation for a given intermediate subset of states, the proposed algorithm performs image computation constrained to single transitions in the main FSM. This can significantly reduce the computational complexity. The algorithm proposed in this paper is therefore named Transition By Transition (TBT) FSM traversal. Another important difference is that TBT traversal can be applied as a pre-processing phase to the complete design. Unlike GSTE, it is not restricted to being driven by the property. Since the main FSM covers the complete state space of the design, TBT traversal performs a complete reachability analysis.

To avoid the explosion problem of exact reachability computation, we develop a new approximation technique that partitions the design into sub-FSMs using the information of the main FSM. Each sub-FSM is traversed individually in combination with the main FSM using our TBT algorithm. The traversed FSMs in our algorithm are not disjoint partitions as in [15], but they share the same main state variables. Also, they are not similar to overlapping projections as in [16], because our shared state variables are given exactly and are the same for all traversed sub-FSMs. Finally, we use SAT techniques instead of BDD techniques to approximate the set of states.

D. Preliminaries

Let C be a sequential circuit with a set of primary inputs $X = \{x_1, \ldots, x_n\}$, a set of present-state variables $V = \{v_1, \ldots, v_m\}$ and a set of next-state variables $V' = \{v'_1, \ldots, v'_m\}$. We can consider the set of state variables as a vector. A circuit C is modeled as an encoded finite state machine $M = (I, S, S_0, \Delta)$. $I \subseteq B^n$ is the input alphabet, encoded by the primary inputs X, where $B = \{0, 1\}$. $S \subseteq B^m$ is the set of states encoded by the state variables. The set $S_0 \subseteq S$

[Preview gap: the rest of the preliminaries and the beginning of Section II are not included; the text resumes mid-sentence.]

corresponding sets of states containing all initial states. Thus, all next states of the initial states are visited.
Recursively, all reachable states of the circuit are visited by the procedure. According to Lemma 1, the calculated reachable states are partitioned into sets of states corresponding to the main states.

III. DECOMPOSING THE STATE SPACE BY THE SUB-FSMS

A. Partitioning into sub-FSMs

In this section, we present a technique to partition the circuit into the sub-FSMs using the information of the main FSM.

Fig. 4. Determining the support set. [Figure residue: the main FSM, boolean constraint propagation and backtracing through the circuit structure, with constant nodes marked 0 and 1.]

Given a main transition $(\hat{s}_1, \hat{s}_2) \in \hat{R}$, we can approximate the support set of the next-state function $\delta_j$ under the constraint of this main transition as illustrated in Figure 4. First, the state values $\hat{s}_1$ and $\hat{s}_2$ are assigned to the main state variables $\hat{V}$ and the main next-state variables $\hat{V}'$, respectively. These boolean constraints are then propagated to identify constant nodes in the circuit structure. Next, the support set of $\delta_j$ under the constraint of the main transition $(\hat{s}_1, \hat{s}_2)$ is approximated by tracing the circuit structure backward from the next-state variable $v'_j$ to the inputs or the state variables. The backtracing procedure terminates whenever it reaches a constant node. If the procedure reaches a state variable $v_i$, it returns $v_i$ as being in the support set of $\delta_j$ under the constraint of $(\hat{s}_1, \hat{s}_2)$. The constrained support set determined in this way is denoted by $supp_{\hat{s}_1 \rightarrow \hat{s}_2}(\delta_j)$ in the following.

Definition 5: Let $\hat{R}$ be the main transition relation of a circuit C with the next-state function $\Delta$. Let $(\hat{s}_1, \hat{s}_2) \in \hat{R}$ be a main transition. The constrained dependency graph of state variables is a directed graph G(V, E) where the set of vertices is given by the set of state variables V. The set of edges E is defined as

$$E = \{(v_i, v_j) \in V^2 \mid v_i \in \bigcup_{(\hat{s}_1, \hat{s}_2) \in \hat{R}} supp_{\hat{s}_1 \rightarrow \hat{s}_2}(\delta_j)\}$$

where $supp_{\hat{s}_1 \rightarrow \hat{s}_2}(\delta_j)$ is the support set of function $\delta_j$ under the constraint of the transition $(\hat{s}_1, \hat{s}_2)$.
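An added example (not the paper's code) of Definition 5 together with the SCC partitioning and levelization that Section III-A applies to the constrained dependency graph. The state variable names, the main transitions and the per-transition support sets are constructed; a second, unconstrained support map is included to reproduce the effect the section notes for industrial designs, where the unconstrained graph collapses into one large SCC while the constrained graph splits into many small ones.

```python
# Constructed support sets (not from the paper). SUPP_CONSTRAINED[(s1, s2)][vj]
# is the set of state variables on which the next-state function δj still
# depends once the main state variables are fixed to the main transition
# (s1, s2) and constants are propagated (Figure 4). The main variable m never
# appears because it is a constant under every main transition. The
# hypothetical design has seven non-main state variables a, b, c, d, e, g, h.
MAIN_VARS = {"m"}
STATE_VARS = ["m", "a", "b", "c", "d", "e", "g", "h"]
SUPP_CONSTRAINED = {
    ("idle", "run"):  {"a": {"b"}, "b": {"a"}, "c": {"c"}, "d": {"a"},
                       "e": {"g", "c"}, "g": {"e"}, "h": {"b"}},
    ("run", "done"):  {"a": {"a"}, "b": set(), "c": {"c"}, "d": {"d"},
                       "e": {"e"}, "g": {"g"}, "h": {"c", "h"}},
    ("done", "idle"): {"a": set(), "b": set(), "c": set(), "d": {"d"},
                       "e": set(), "g": set(), "h": set()},
}
# Without the main-transition constraint the feedback paths that a fixed main
# state cuts off survive (d -> a, h -> a, b -> c and e -> c in this
# construction), so every non-main variable ends up in one SCC.
SUPP_UNCONSTRAINED = {
    "a": {"a", "b", "d", "h"}, "b": {"a"}, "c": {"b", "c", "e"}, "d": {"a", "d"},
    "e": {"e", "g", "c"}, "g": {"e", "g"}, "h": {"b", "c", "h"},
}


def dependency_edges(supports):
    """Edge set E of Definition 5: (vi, vj) whenever vi lies in the support of δj
    under at least one of the given support maps (the union over main transitions)."""
    return {(vi, vj) for supp in supports for vj, vs in supp.items() for vi in vs}


def strongly_connected_components(nodes, edges):
    """Kosaraju's algorithm; each SCC of the dependency graph is one sub-FSM."""
    succ = {v: set() for v in nodes}
    pred = {v: set() for v in nodes}
    for a, b in edges:
        succ[a].add(b)
        pred[b].add(a)
    order, seen = [], set()

    def finish(v):  # first pass: record finishing order on the forward graph
        seen.add(v)
        for w in sorted(succ[v]):
            if w not in seen:
                finish(w)
        order.append(v)

    for v in nodes:
        if v not in seen:
            finish(v)
    comps, assigned = [], set()
    for v in reversed(order):  # second pass: collect components on the reverse graph
        if v in assigned:
            continue
        comp, stack = set(), [v]
        while stack:
            u = stack.pop()
            if u in assigned:
                continue
            assigned.add(u)
            comp.add(u)
            stack.extend(w for w in pred[u] if w not in assigned)
        comps.append(frozenset(comp))
    return comps


def levelize(comps, edges):
    """Level of each SCC in the DAG of sub-FSMs: the main FSM is level 0, a
    sub-FSM without lower-level predecessors is level 1, otherwise one more than
    its highest predecessor, so control information only flows upward."""
    of = {v: c for c in comps for v in c}
    preds = {c: set() for c in comps}
    for a, b in edges:
        if of[a] != of[b]:
            preds[of[b]].add(of[a])
    level = {}

    def lvl(c):
        if c not in level:
            if c <= MAIN_VARS:
                level[c] = 0
            else:
                level[c] = 1 + max((lvl(p) for p in preds[c] if not p <= MAIN_VARS), default=0)
        return level[c]

    return {c: lvl(c) for c in comps}


def partition(supports):
    """Section III-A pipeline: support sets -> dependency graph -> SCCs -> levels."""
    edges = dependency_edges(supports)
    return levelize(strongly_connected_components(STATE_VARS, edges), edges)


if __name__ == "__main__":
    for comp, lv in sorted(partition(list(SUPP_CONSTRAINED.values())).items(), key=lambda kv: kv[1]):
        print("level", lv, sorted(comp))
    print("unconstrained SCCs:", len(partition([SUPP_UNCONSTRAINED])))
```

With the constrained support sets the run yields the shape of Figure 5: the main FSM at level 0, two sub-FSMs ({a, b} and {c}) at level 1 and three ({d}, {e, g}, {h}) at level 2; with the unconstrained map the seven non-main variables form a single SCC.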
The constrained dependency graph is partitioned using a simple algorithm to identify strongly connected components (SCC). Each SCC corresponds to a sub-FSM. The graph of sub-FSMs is a directed acyclic graph, which can be levelized by a depth-first search algorithm. An example of the hierarchical structure of the circuit after being partitioned is shown in Figure 5. The circuit consists of a main FSM and five sub-FSMs. The sets of state variables of the main FSM and the five sub-FSMs are $\hat{V}, V_1, \ldots, V_5$ respectively. Sub-FSMs 1 and 2 are in level 1, the other sub-FSMs are in level 2.

Fig. 5. Partitioned structure of a circuit. [Figure residue: main FSM (level 0); sub-FSM 1 and sub-FSM 2 (level 1); sub-FSM 3, sub-FSM 4 and sub-FSM 5 (level 2).]

As shown in Figure 5, the SCC decomposition guarantees uni-directional interaction among the sub-FSMs of the circuit. The control information stored in the state variables goes in only one direction, from the lower-level sub-FSMs to the higher-level sub-FSMs. Note that a non-constrained decomposition into SCCs is generally not useful for industrial designs because this type of decomposition will often produce only a single large SCC containing the whole design. If, however, the dependency graph is constrained by the transitions of the main FSM, the situation is different and a large number of small SCCs can often be identified.

B. Traversing the sub-FSMs

The sub-circuit $C_k$ corresponding to a sub-FSM k and the main FSM is derived from circuit C by removing all state variables $v_j \notin \hat{V} \cup V_k$. The removed state variables are considered as pseudo inputs. Moreover, the pseudo inputs are constrained by the reachable states of the sub-circuits l < k. Because of the uni-directional communication among sub-FSMs, the next-state functions of a sub-FSM in level k only depend on the state variables in sub-FSMs in level l < k.
Therefore, the characteristic function of the transition relation $R_k$ of the sub-circuit $C_k$ is approximated as

$$\chi_{R_k} = \prod_{v_i \in \hat{V} \cup V_k} (v'_i \equiv \delta_i) \cdot \prod_{l < k} \chi_{Reach_l}$$

where $\chi_{Reach_l}$ is the characteristic function of reachable states of the sub-circuit $C_l$.

Fig. 6. Approximate TBT traversal algorithm. [Figure residue: the pseudocode of procedure approx_TBT is not included in the preview.]

The algorithm in Figure 6 approximates the set of reachable states corresponding to the main states. Procedure approx_TBT takes the transition relation, the initial states, the main FSM of the circuit and the partitions of state variables $\{V_k\}$ as input parameters. In the procedure, all sub-FSMs are traversed in the order of their level. Consider a sub-FSM k: the procedure constrain_R extracts the corresponding sub-circuit $C_k$ from the circuit and imposes constraints representing the reachable states $Reach_l$ on the pseudo inputs. The sub-circuit $C_k$ with the transition relation $R_k$ obtained by procedure constrain_R is then traversed by procedure TBT_TRAVERSAL to calculate its reachable states $Reach_k$, composed from the sets $S^k_{\hat{s}}$ for each main state $\hat{s}$. The set of reachable states $Reach_k$ for the sub-circuit $C_k$ is the union of the $S^k_{\hat{s}}$.

Theorem 2: Given a circuit which is partitioned into a main FSM and sub-FSMs as described in Section III-A, where the sub-FSMs are levelized by their dependencies, procedure approx_TBT exactly calculates the sets of reachable states for all sub-circuits corresponding to sub-FSMs in level 1.

Proof: Consider a sub-FSM k in level 1 and its state variables $V_k$. Because the sub-FSM k is in level 1, it only depends on state variables in $\hat{V} \cup V_k$. Therefore, the other state variables can be removed without imposing constraints on the corresponding pseudo inputs. The sub-circuit $C_k$ corresponding to sub-FSM k can be considered as an independent circuit with state variables $\hat{V} \cup V_k$ and free inputs. According to Theorem 1, procedure TBT_TRAVERSAL exactly calculates all reachable states for the sub-circuit $C_k$.
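The two procedures of Section III-B, TBT_TRAVERSAL and approx_TBT, as an added explicit-state example that is not the paper's SAT-based implementation. The design is constructed: a main FSM m (idle/busy/done), a level-1 sub-FSM holding a saturating counter cnt and a level-2 sub-FSM holding a timeout flag f derived from cnt; the main transition relation is given as a list, as a tool would extract it. It assumes that the main next-state function reads only m and the primary inputs, which is what keeps the main FSM at level 0 and makes every level-1 sub-FSM depend on V̂ ∪ V_k alone, as the proof of Theorem 2 requires. The block also derives per-main-state constant state variables, the kind of reachability constraint the experiments in Section V export to the BMC tool.

```python
from itertools import product

# Constructed example design (not from the paper); see the lead-in for the assumptions.
IDLE, BUSY, DONE = "idle", "busy", "done"
MAIN = "m"
DOMAINS = {"m": (IDLE, BUSY, DONE), "cnt": (0, 1, 2, 3), "f": (0, 1)}
INPUTS = {"req": (0, 1), "ack": (0, 1)}
INIT = {"m": IDLE, "cnt": 0, "f": 0}
# Main transition relation R^ (in a real flow extracted from the RTL by a tool).
MAIN_R = [(IDLE, IDLE), (IDLE, BUSY), (BUSY, BUSY), (BUSY, DONE), (DONE, IDLE)]


def delta(s, x):
    """Next-state function Δ of the whole circuit for state dict s and input dict x."""
    if s["m"] == IDLE:
        m2 = BUSY if x["req"] else IDLE
    elif s["m"] == BUSY:
        m2 = DONE if x["ack"] else BUSY
    else:
        m2 = IDLE
    if s["m"] == IDLE:
        cnt2 = 0                       # counter is cleared while idle
    elif s["m"] == BUSY:
        cnt2 = min(s["cnt"] + 1, 3)    # counts (saturating) while busy
    else:
        cnt2 = s["cnt"]                # holds its value in done
    f2 = 1 if (s["m"] == BUSY and s["cnt"] == 3) else 0   # timeout flag (level 2)
    return {"m": m2, "cnt": cnt2, "f": f2}


def sub_vars(keep):
    """Non-main state variables of a sub-circuit, in a fixed order."""
    return [v for v in DOMAINS if v != MAIN and v in keep]


def constrained_img(from_states, s1, s2, sub, pseudo):
    """img constrained to the main transition (s1, s2): successors of the
    sub-states in From_s1 whose next main state is s2. Removed variables act as
    pseudo inputs; `pseudo` gives their allowed values per main state (Reach_l of a
    lower level), and a variable without an entry belongs to a not-yet-traversed
    higher level that cannot influence this sub-circuit, so one filler value suffices."""
    removed = [v for v in DOMAINS if v != MAIN and v not in sub]
    choices = [pseudo[v][s1] if v in pseudo else DOMAINS[v][:1] for v in removed]
    nxt = set()
    for t in list(from_states):
        for x in product(*INPUTS.values()):
            for pv in product(*choices):
                s = dict(zip(sub, t))
                s[MAIN] = s1
                s.update(zip(removed, pv))
                n = delta(s, dict(zip(INPUTS, x)))
                if n[MAIN] == s2:
                    nxt.add(tuple(n[v] for v in sub))
    return nxt


def tbt_traversal(keep, pseudo=None):
    """TBT_TRAVERSAL of the sub-circuit over the state variables `keep` (the main
    variable is always kept): S[ŝ] collects the reachable sub-states per main state
    and the fixpoint is iterated one main transition at a time. With all variables
    kept and no pseudo inputs this is the exact reachability analysis."""
    pseudo = pseudo or {}
    sub = sub_vars(keep)
    S = {ms: set() for ms in DOMAINS[MAIN]}
    S[INIT[MAIN]].add(tuple(INIT[v] for v in sub))
    changed = True
    while changed:
        changed = False
        for s1, s2 in MAIN_R:
            new = constrained_img(S[s1], s1, s2, sub, pseudo) - S[s2]
            if new:
                S[s2] |= new
                changed = True
    return S


def approx_tbt(levels):
    """approx_TBT: the partitions V_k are visited in level order; each is traversed
    with the main variable, and every already-traversed lower-level variable becomes a
    pseudo input constrained to its reach set. Returns (sub-variable order, S) per level."""
    pseudo, results = {}, []
    for Vk in levels:
        sub = sub_vars(set(Vk))
        S = tbt_traversal(set(Vk) | {MAIN}, pseudo)
        results.append((sub, S))
        for i, v in enumerate(sub):
            pseudo[v] = {ms: {t[i] for t in S[ms]} for ms in S}
    return results


def constant_constraints(sub, S):
    """Per main state, the sub-state variables that take a single reachable value."""
    out = {}
    for ms, states in S.items():
        for i, v in enumerate(sub):
            vals = {t[i] for t in states}
            if len(vals) == 1:
                out.setdefault(ms, {})[v] = next(iter(vals))
    return out


if __name__ == "__main__":
    exact = tbt_traversal(set(DOMAINS))
    print("exact:", exact, constant_constraints(["cnt", "f"], exact))
    for sub, S in approx_tbt([["cnt"], ["f"]]):
        print("approx", sub, S, constant_constraints(sub, S))
```

The exact traversal finds that f is 0 in every reachable idle state; the approximate traversal loses the correlation between cnt and f in busy (it admits f = 1 for every cnt there) but keeps the constant f = 0 in idle, and for the level-1 partition {cnt} its result coincides with the exact one, as Theorem 2 states.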
IV. IMPLEMENTATION

We implemented our algorithms based on a SAT solver [22]. The transition relation of the circuit and the sets of states are represented by CNFs of their characteristic functions. The next states in the constrained img operation are enumerated using a SAT solver as follows. In the following, we represent CNFs as sets of clauses and clauses as disjunctions of literals.

Let $(\hat{s}_1, \hat{s}_2)$ be a main transition. The transition relation corresponding to $(\hat{s}_1, \hat{s}_2)$ defined in Definition 3 is

$$C_{\hat{s}_1 \rightarrow \hat{s}_2} = C_R \cup \bigcup_{v_i \in \hat{V}} \{l_i\} \cup \bigcup_{v'_i \in \hat{V}'} \{l'_i\}$$

where $C_R$ is the set of clauses representing the transition relation of circuit C and $l_i$, $l'_i$ are literals representing the values of the main state variables in main states $\hat{s}_1$, $\hat{s}_2$ respectively. $l_i$ and $l'_i$ are defined by

$$l_i = \begin{cases} v_i & \text{if } \hat{s}_1(v_i) = 1 \\ \overline{v_i} & \text{if } \hat{s}_1(v_i) = 0 \end{cases} \qquad l'_i = \begin{cases} v'_i & \text{if } \hat{s}_2(v_i) = 1 \\ \overline{v'_i} & \text{if } \hat{s}_2(v_i) = 0 \end{cases}$$

Procedure img in Figure 7 calculates the next states of the set of states $From_{\hat{s}_1}$ corresponding to a main transition $(\hat{s}_1, \hat{s}_2)$. First, a SAT instance $C = C_{\hat{s}_1 \rightarrow \hat{s}_2} \cup C_{From_{\hat{s}_1}}$ is calculated from the transition relation, the main states $\hat{s}_1, \hat{s}_2$ and the set of states $From_{\hat{s}_1}$. A satisfying assignment A of the SAT instance is then found by a SAT solver. The values of the next-state variables encoding the next state $s_2$ are extracted from A as a partial assignment. State $s_2$ is added to the set of next states $Next_{\hat{s}_2}$. A blocking clause $C_P$ preventing the next-state variables from being reassigned is added to the SAT instance as in [23]. The blocking clause $C_P$ of $s_2$ is defined by

$$C_P = \bigvee_{v'_i \in V'} l'_i$$

where $l'_i$ is the literal representing the inverted value of the next-state variable, i.e.

$$l'_i = \begin{cases} v'_i & \text{if } s_2(v_i) = 0 \\ \overline{v'_i} & \text{if } s_2(v_i) = 1 \end{cases}$$

The SAT instance is solved again to find another assignment. The procedure finishes when the SAT instance becomes unsatisfiable.

Fig. 7. img procedure. [Figure residue: the pseudocode of procedure img is not included in the preview.]

Let us illustrate procedure img by an example. Let the main state variables be $v_1, v_2$ and the other state variables be $v_3, v_4$. Consider a main transition $\hat{s}_1, \hat{s}_2$.
In the main state $\hat{s}_1$ the values of state variables $v_1$ and $v_2$ are 0. In the main state $\hat{s}_2$ the values of next-state variables $v'_1$ and $v'_2$ are 0 and 1, respectively. The set of states corresponding to the main state $\hat{s}_1$ is $S_1(v_3, v_4) = \{00, 10\}$. We want to calculate the set of next states corresponding to the main state $\hat{s}_2$. The sets of clauses are calculated as

1) $C_{\hat{s}_1 \rightarrow \hat{s}_2} = C_R \cup \{\overline{v_1}\} \cup \{\overline{v_2}\} \cup \{\overline{v'_1}\} \cup \{v'_2\}$.
2) $C_{From_{\hat{s}_1}} = cnf(\overline{v_3} \land \overline{v_4} \lor v_3 \land \overline{v_4})$.

Solving the SAT instance we get an assignment of the next-state variables $A(v'_3, v'_4) = 01$. Therefore, a next state is $s_2 = 01$. We add a blocking clause to the SAT instance: $C_P = v'_3 \lor \overline{v'_4}$. The SAT instance is given to the solver again. However, the solver proves the instance to be unsatisfiable. Consequently, the set of next states corresponding to the main transition $(\hat{s}_1, \hat{s}_2)$ is S1→3 = {01}.

V. EXPERIMENTAL RESULT

We conducted experiments based on two industrial and one public domain design. Table I gives a brief description of the experimental results. The main FSMs of the two industrial designs, the flash memory controller and the AHB master, have been extracted automatically from design codes by the commercial tool Debussy®. The main FSM of the public domain design has been extracted manually. The number of main states and the number of main transitions are shown in column 2. The last column shows the CPU time which our algorithm has spent to identify the reachable state sets corresponding to the main states. From these reachable state sets we derived all constant state variables as reachability constraints for our commercial BMC-based verification tool. The number of the reachability constraints is shown in column 4. The experiments were performed on an AMD64 PC with 2.2 GHz clock frequency and 1 GB RAM running SUSE Linux 9.3.
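The img procedure of Section IV and the worked example above, as an added Python example that is not the paper's implementation. The clause set C_R, the next-state functions (δ1 = v1, δ2 = ¬v2, δ3 = v3 ∧ v4, δ4 = ¬v2 ∨ x) and the primary input x are constructed so that the enumeration reproduces the example's outcome; the SAT solver of [22] is replaced by an exhaustive search over the nine variables, which is enough for this size. The characteristic function of the From set is built as CNF by blocking every valuation outside the set, and the blocking clause C_P is formed over all next-state variables exactly as defined in the text.

```python
from itertools import product

# Literals are (variable, polarity) pairs, polarity True for v and False for ¬v;
# a clause is a frozenset of literals and a CNF is a set of clauses. Constructed
# circuit: main state variables v1, v2; other state variables v3, v4; input x.
MAIN, OTHER, INPUTS = ["v1", "v2"], ["v3", "v4"], ["x"]
MAIN_NEXT, OTHER_NEXT = ["v1'", "v2'"], ["v3'", "v4'"]
ALL_VARS = MAIN + OTHER + INPUTS + MAIN_NEXT + OTHER_NEXT


def clause(*lits):
    return frozenset(lits)


# C_R: clauses of v'_i ≡ δ_i for the four constructed next-state functions.
C_R = {
    clause(("v1'", False), ("v1", True)), clause(("v1'", True), ("v1", False)),    # v1' ≡ v1
    clause(("v2'", False), ("v2", False)), clause(("v2'", True), ("v2", True)),    # v2' ≡ ¬v2
    clause(("v3'", False), ("v3", True)), clause(("v3'", False), ("v4", True)),    # v3' → v3 ∧ v4
    clause(("v3'", True), ("v3", False), ("v4", False)),                          # v3 ∧ v4 → v3'
    clause(("v4'", False), ("v2", False), ("x", True)),                           # v4' → ¬v2 ∨ x
    clause(("v4'", True), ("v2", True)), clause(("v4'", True), ("x", False)),     # ¬v2 ∨ x → v4'
}


def solve(cnf, variables):
    """Stand-in for the SAT solver of [22]: exhaustive search over all assignments
    (adequate for a handful of variables). Returns a satisfying assignment or None."""
    for bits in product((False, True), repeat=len(variables)):
        a = dict(zip(variables, bits))
        if all(any(a[v] == pol for v, pol in c) for c in cnf):
            return a
    return None


def state_set_cnf(variables, states):
    """CNF of the characteristic function of a state set: one clause ruling out
    each valuation of `variables` that is not in the set."""
    return {clause(*((v, not b) for v, b in zip(variables, bits)))
            for bits in product((0, 1), repeat=len(variables)) if bits not in states}


def main_transition_cnf(s1, s2):
    """C_{ŝ1→ŝ2} = C_R ∪ {l_i} ∪ {l'_i}: unit clauses fixing the main state
    variables to ŝ1 and the main next-state variables to ŝ2."""
    units = {clause((v, bool(b))) for v, b in zip(MAIN, s1)}
    units |= {clause((v, bool(b))) for v, b in zip(MAIN_NEXT, s2)}
    return C_R | units


def img(s1, s2, from_states):
    """Procedure img: enumerate the next sub-states (values of v3', v4') of From_ŝ1
    under the main transition (ŝ1, ŝ2); after each solution the blocking clause C_P
    over all next-state variables is added until the instance is unsatisfiable."""
    cnf = main_transition_cnf(s1, s2) | state_set_cnf(OTHER, from_states)
    nxt = set()
    while (a := solve(cnf, ALL_VARS)) is not None:
        nxt.add(tuple(int(a[v]) for v in OTHER_NEXT))
        cnf = cnf | {clause(*((v, not a[v]) for v in MAIN_NEXT + OTHER_NEXT))}  # C_P
    return nxt


if __name__ == "__main__":
    # The example of the text: ŝ1 = 00, ŝ2 = 01, S1(v3, v4) = {00, 10}.
    print(img((0, 0), (0, 1), {(0, 0), (1, 0)}))   # {(0, 1)}
    # A main transition the circuit cannot take (v1' = 1 but δ1 = v1 = 0): empty image.
    print(img((0, 0), (1, 1), {(0, 0), (1, 0)}))   # set()
```

The first solution found is 01 for (v3', v4'), the blocking clause v3' ∨ ¬v4' is added, and the second call to the solver fails, so the image is {01} as in the text; the second call shows that a main transition inconsistent with C_R yields an unsatisfiable instance at once and therefore an empty next-state set.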
TABLE I. EXPERIMENTAL RESULTS

Design                   State variables   Main FSM (states/transitions)   Constraints   CPU time (h:mm:ss)
Flash memory controller  493               38/103                          2524          2:55:10
AHB master               3371              14/51                           1412          18:50:59
PCI target               182               6/24                            291           0:03:21

To illustrate the usefulness of the found reachability constraints, we tried to verify the first design, which is a flash memory controller using an AMBA-flavor protocol. 23 properties were written to prove the compliance of the hardware with the protocol specification and the correct execution of all functional operations. The verification engineer spent about one week to analyze the main FSM and to write properties. Unfortunately, all properties failed because of false negatives. Using conventional verification methodology, it required three more weeks to manually inspect the design code. In order to identify the reachability constraints, not only the main FSM but also some or all sub-FSMs had to be inspected. In the properties, the manually found reachability constraints were then replaced by the reachability constraints which were generated by the TBT algorithm. All properties could now be proven without false negatives. This means that the proposed approach can completely avoid the effort of manually inspecting the design code and counterexamples.

TABLE II. THE NUMBER OF REACHABILITY CONSTRAINTS IN MAIN STATES FOUND MANUALLY AND AUTOMATICALLY FOR THE FLASH MEMORY CONTROLLER

Main state   manually found   automatically found
idle         28               151
error        22               53
wr_w_fifo    25               62
rd_start     24               64
rd_w_fifo    29               61

Table II illustrates the evaluation of the manual effort in comparison with the proposed approach. It shows the number of reachability constraints in some main states. Finding reachability constraints manually is a process of trial and error. Whenever a false negative occurs, the verification engineer needs to inspect the design code and identify reachability constraints to eliminate the false negative.
Therefore, the number of manually found reachability constraints in Table II is proportional to the number of false negatives that have occurred and thus to the number of trials which the engineer needed to make. Hence, the number of reachability constraints in column 2 of Table II can approximate the manual verification effort. By contrast, using the proposed approach, reachability constraints are automatically determined in a pre-processing phase.

Similarly, a set of properties was written for the second design to prove the compliance of the hardware with the AHB protocol specification. The experimental results were similar and the verification effort was reduced dramatically.

In addition, to make our experiments more transparent to the reader, let us explain in more detail another experiment conducted on a public domain PCI target block. The PCI target block was extracted from the PCI local bus in [24]. To avoid the explosion problem of the state space, the creator of the benchmark has reduced the width of the address/data bus to 3. We re-expanded the width of the address/data bus to 32 bits. This makes the design more realistic. The modified benchmark is no longer feasible for BDD-based approaches.

We wrote a property that checks the turnaround cycle of the PCI protocol. The property states that if the PCI target is in main state idle and the bus command is read, then the next cycle must be the turnaround cycle. This means the PCI target does not drive the bus lines in this cycle [25]. The property is written based on the main states as

$$(main\_state = idle \land ReadCmd) \rightarrow AX(OE\_TRDY = 0 \land OE\_DEVSEL = 0 \land OE\_AD = 0)$$

where OE_TRDY, OE_DEVSEL and OE_AD are the signals controlling the bus lines. When they are 0, the bus lines are not driven by the target. A BMC-based property checker failed to prove the property. There are many false counterexamples. One of them is that the values of OE_TRDY, OE_DEVSEL and OE_AD are 1 when the main state is idle.
Therefore, to avoid this false negative the following reachability constraint needed to be added to the property:

$$(main\_state = idle \land OE\_TRDY = 0 \land OE\_DEVSEL = 0 \land OE\_AD = 0)$$

Instead of identifying these values manually, we performed approx_TBT to automatically identify reachability constraints and added them to the properties. Thus, the property is

$$(main\_state = idle \land ReadCmd \land TBT\_constraints) \rightarrow AX(OE\_TRDY = 0 \land OE\_DEVSEL = 0 \land OE\_AD = 0)$$

The modified property was now proven without any false negative.

VI. DISCUSSION

The paper presents a new approach to automatically determine reachability constraints which are necessary in a BMC-based verification flow. Our algorithm is based on using information about a main FSM of the circuit which can