chasing minimal inductive validity cores in hardware
play

Chasing Minimal Inductive Validity Cores in Hardware Model Checking - PowerPoint PPT Presentation

Oct 12, 2023 •20 likes •490 views

Chasing Minimal Inductive Validity Cores in Hardware Model Checking Ryan Berryhill Andreas Veneris University of Toronto Outline Motivation Background The UMIVC Algorithm Experiments Conclusion Outline Motivation

  1. Chasing Minimal Inductive Validity Cores in Hardware Model Checking Ryan Berryhill Andreas Veneris University of Toronto

  2. Outline • Motivation • Background • The UMIVC Algorithm • Experiments • Conclusion

  3. Outline • Motivation • Background • The UMIVC Algorithm • Experiments • Conclusion

  4. Motivation • Model checkers give limited feedback for passing instances – Failing instance: counter-example showing how to falsify the property – Passing: a safe inductive invariant (for safety properties) • A similar situation in SAT solving – SAT: satisfying assignment, explains how to satisfy the formula – UNSAT: resolution refutation? RUP proof? – But UNSAT cores provide usable feedback • Inductive Validity Cores (IVCs) [1]: like UNSAT cores for safety checking – Originally developed for software safety checking – This paper introduces related algorithms for the hardware context and a wide range of variants [1] Ghassabani et. al, “Efficient Generation of Inductive Validity Cores for Safety Properties”, FSE 2016

  5. Outline • Motivation • Background • The UMIVC Algorithm • Experiments • Conclusion

  6. Safety Checking • Given a safety checking problem (𝐽𝑜𝑗𝑢, 𝑈𝑠, 𝐶𝑏𝑒) • U NSAFE iff there is a path from an initial state to a bad state: – A counter-example serves as a certificate – Typically something a human user can understand • S AFE iff there exists a safe inductive invariant – IC3 returns safe inductve invariants in CNF – Not related to the given input, just an opaque artifact of verification – Not likely to be understood by a human

  7. Inductive Validity Cores • Even in (rare) cases where a simple, understandable safe inductive invariant exists, we may not find it • Inductive Validity Cores (IVCs) – An abstraction of the circuit that is itself S AFE for the given property • Minimal IVCs (MIVCs) – An IVC where no abstraction is also an IVC • IVCs relate directly to the user’s input and are fit for human consumption

  8. Inductive Validity Cores 𝐽𝑜𝑗𝑢 = 𝑤 1 𝐶𝑏𝑒 = 𝑤 1

  9. Inductive Validity Cores 𝐽𝑜𝑗𝑢 = 𝑤 1 𝐶𝑏𝑒 = 𝑤 1

  10. Inductive Validity Cores • Abstraction operation: replace the output of any removed gates with a new primary input • This abstraction is an IVC

  11. Inductive Validity Cores • This is an MIVC: removing any gate would make it unsafe

  12. Inductive Validity Cores • This is an unsafe abstraction • Adding any gate would make it safe, so it is maximal (an MUA)

  13. Finding a Single MIVC • The IVC_UCBF algorithm [1] • Step 1: IVC_UC – Given a safe inductive invariant 𝐽𝑜𝑤 , find a high-level UNSAT core of the formula 𝐽𝑜𝑤 ∧ 𝑈𝑠 ∧ ¬𝐽𝑜𝑤′ – Minimization is only done over 𝑈𝑠 , using one clause group per gate – Yields a hopefully-small but non-minimal IVC • Step 2: IVC_BF – Repeatedly remove a gate and check for safety – If U NSAFE , back out the removal of the gate – Yields an MIVC [1] Ghassabani et. al, “Efficient Generation of Inductive Validity Cores for Safety Properties”, FSE 2016

  14. Finding All MIVCs • A MARCO-based algorithm [1], simplified here: • A CNF formula called the map tracks which abstractions are explored • Pick an arbitrary seed (unexplored abstraction) • Is it S AFE ? Use IVC_UCBF to shrink it to an MIVC – Block all supersets by adding a clause to the map • Is it U NSAFE ? Use brute-force to grow it to an MUA – Block all subsets by adding a clause to the map [1] Ghassabani et. al, “Efficient generation of all minimal inductive validity cores”, FMCAD 2017

  15. Finding All MIVCs • A MARCO-based algorithm [1], simplified here: • A CNF formula called the map tracks which abstractions are explored • Pick an arbitrary seed (unexplored abstraction) Use IVC_UC, can’t • Is it S AFE ? Use IVC_UCBF to shrink it to an MIVC find MIVCs until – Block all supersets by adding a clause to the map termination • Is it U NSAFE ? Use brute-force to grow it to an MUA – Block all subsets by adding a clause to the map [1] Ghassabani et. al, “Efficient generation of all minimal inductive validity cores”, FMCAD 2017

  16. Finding All MIVCs • A MARCO-based algorithm [1], simplified here: • A CNF formula called the map tracks which abstractions are explored maximum-cardinality • Pick an arbitrary seed (unexplored abstraction) Use IVC_UC, can’t • Is it S AFE ? Use IVC_UCBF to shrink it to an MIVC find MIVCs until – Block all supersets by adding a clause to the map termination • Is it U NSAFE ? Use brute-force to grow it to an MUA – Block all subsets by adding a clause to the map [1] Ghassabani et. al, “Efficient generation of all minimal inductive validity cores”, FMCAD 2017

  17. Finding All MIVCs • A MARCO-based algorithm [1], simplified here: • A CNF formula called the map tracks which abstractions are explored maximum-cardinality • Pick an arbitrary seed (unexplored abstraction) Use IVC_UC, can’t • Is it S AFE ? Use IVC_UCBF to shrink it to an MIVC find MIVCs until – Block all supersets by adding a clause to the map termination No need to grow because the seed is already maximal • Is it U NSAFE ? Use brute-force to grow it to an MUA – Block all subsets by adding a clause to the map [1] Ghassabani et. al, “Efficient generation of all minimal inductive validity cores”, FMCAD 2017

  18. Finding All MIVCs

  19. Finding All MIVCs Unexplored seeds exist

  20. Finding All MIVCs Seed Extraction Loop

  21. Outline • Motivation • Background • The UMIVC Algorithm • Experiments • Conclusion

  22. CAMIVC • CAMUS is another well-known MUS enumeration algorithm • Minimal correction subset (MCS): if you remove this set of clauses from the formula, the result is SAT – Hitting set duality: a minimal hitting set of the MCSes is an MUS – Similar definitions extend to circuits • Find all MCSes, then find MUSes/MIVCs as hitting sets • Simpler explanation – Find and block everything that is U NSAFE /SAT – Minimal unexplored seeds are now MIVCs/MUSes

  23. CAMIVC

  24. CAMIVC More unsafe abstractions exist Find MUA Unexplored seeds exist

  25. CAMIVC MCS/MUA Extraction Loop Seed Extraction Loop (all seeds guaranteed S AFE )

  26. CAMIVC • We can find MCSes/MUAs using Unreachability Debugging [1][2] – Enhanced TR 𝑈𝑠 𝑓𝑜 : Add a mux at each gate output with select line 𝑓 𝑗 – The select line is the output of a constant register that is assigned either 0 or 1 as part of the initial state assignment – Enhanced initial states: 𝐽𝑜𝑗𝑢 𝑓𝑜 = 𝐽𝑜𝑗𝑢 ∧ 𝐵𝑢𝑁𝑝𝑡𝑢(𝑂, 𝑓 1 , … , 𝑓 𝑜 ) – Solve (𝐽𝑜𝑗𝑢 𝑓𝑜 , 𝑈𝑠 𝑓𝑜 , 𝐶𝑏𝑒) for 𝑂 = 1, 2, 3, … – Counter-example indicates an MCS of cardinality 𝑂 e 2 s 1 s 1 D Q D Q l 2 0 1 w 2 FF FF x 1 x 1 e 1 0 l 1 x 2 x 2 1 w 1 [1] Berryhill and Veneris, “Methodologies for Diagnosis of Unreachable States via Property Directed Reachability,” TCAD 2017 [2] Smith et. al, “Fault Diagnosis and Logic Debugging Using Boolean Satisfiability,” TCAD 2005

  27. MARCO versus CAMIVC • Anytime performance – MARCO finds MIVCs early and often throughout its run – CAMIVC must find all MCSes/MUAs first, which may be intractable • Overall performance – MARCO must check each seed for safety with IC3 – very costly – CAMIVC does not need to check seeds – However, it does use IC3 to find MCSes – also very costly • Both algorithms find all MCSes/MUAs and MIVCs

  28. MARCO versus CAMIVC • Anytime performance – MARCO finds MIVCs early and often throughout its run – CAMIVC must find all MCSes/MUAs first, which may be intractable • Overall performance – MARCO must check each seed for safety with IC3 – very costly – CAMIVC does not need to check seeds – However, it does use IC3 to find MCSes – also very costly • Both algorithms find all MCSes/MUAs and MIVCs Iterations of MARCO seed extraction loop = Iterations of CAMIVC phase 1 + Iterations of CAMIVC phase 2

  29. UMIVC • The trade-off is just the result of shifting computation around – MARCO finds seeds in an arbitrary order – CAMIVC finds all U NSAFE seeds and then all S AFE ones • The UMIVC algorithm – Truncated MCS/MUA extraction loop finds all MCSes of size 𝑙 or less (no safety checks) – Fewer iterations of the seed extraction loop (with safety checks) • Subsumes MARCO and CAMIVC – In MARCO, 𝑙 = 0 – In CAMIVC, 𝑙 = ∞

  30. UMIVC

  31. UMIVC Truncated MCS/MUA Extraction Loop Seed Extraction Loop

  32. Why UMIVC? • Why do we need UMIVC? – Phase 1 iteration: find an MCS/MUA – Phase 2 iteration: find a seed, check for safety, grow or shrink – Certain optimizations allow phase 1 to avoid IC3 altogether – significantly more efficient than phase 2 • Does UMIVC also apply to MUS enumeration? – Technically yes – SAT checks on seeds are not nearly as expensive as IC3 – Phase 2 is simply not that big of a problem in the MUS domain Safety checking: cheap phase 1, expensive phase 2 SAT: moderate phase 1, moderate phase 2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High Performance Computing Cluster 1 1 HPCC Hardware 20 Compute nodes, 560 cores with room to

High Performance Computing Cluster 1 1 HPCC Hardware 20 Compute nodes, 560 cores with room to

High Performance Computing Cluster 1 1 HPCC Hardware 20 Compute nodes, 560 cores with room to expand All Nodes: Xeon Broadwell CPUs (2.6 GHz) 28 cores per node Infiniband EDR (Infinite Bandwidth) (Enhanced Data

219 views • 5 slides
Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Chang and

Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Chang and

Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Chang and Daniel Jackson Formal Methods 08 Turku, Finland May 30, 2008 Testing alone is not enough to establish correctness testing: a few cases

933 views • 66 slides
Incrementally Computing Minimal Unsatisfiable Cores of QBFs via a Clause Group Solver API Florian

Incrementally Computing Minimal Unsatisfiable Cores of QBFs via a Clause Group Solver API Florian

Incrementally Computing Minimal Unsatisfiable Cores of QBFs via a Clause Group Solver API Florian Lonsing and Uwe Egly Knowledge-Based Systems Group Institute of Information Systems Vienna University of Technology, Austria

390 views • 19 slides
!!"!#"$%& cs242 ! ! Multi-cores are coming! ! - For 50 years, hardware designers

!!"!#"$%& cs242 ! ! Multi-cores are coming! ! - For 50 years, hardware designers

!!"!#"$%& cs242 ! ! Multi-cores are coming! ! - For 50 years, hardware designers delivered 40-50% increases per year in sequential program speed. ! - Around 2004, this pattern failed because power and cooling issues made it impossible

148 views • 10 slides
Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners

Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners

Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners bioexcel.eu 1 Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License.

477 views • 30 slides
On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

Intro Why FPGA (and what the FPGA is all about) Software approach simulation first Going to the hardware Whats next Contact info On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why FPGA (and

770 views • 12 slides
Chasing Bottoms Nils Anders Danielsson Patrik Jansson Chalmers Chasing Bottoms p.1/7

Chasing Bottoms Nils Anders Danielsson Patrik Jansson Chalmers Chasing Bottoms p.1/7

Chasing Bottoms Nils Anders Danielsson Patrik Jansson Chalmers Chasing Bottoms p.1/7 Context Cover project. Verification of real Haskell programs. Haskell non-strict partial and infinite values relatively common. Chasing Bottoms

555 views • 7 slides
Accelerators For Everything Bolaji Bankole, Jens Ertman QsCores (Quasi-Specific Cores) What is a

Accelerators For Everything Bolaji Bankole, Jens Ertman QsCores (Quasi-Specific Cores) What is a

Accelerators For Everything Bolaji Bankole, Jens Ertman QsCores (Quasi-Specific Cores) What is a QsCore A hardware accelerator core connected to a CPU Composed to accelerate several specific segments of code Synthesized hardware

422 views • 18 slides
Efficient Top-K Query Processing on Massively Parallel Hardware ANIL SHANBHAG, HOLGER PIRK, SAM

Efficient Top-K Query Processing on Massively Parallel Hardware ANIL SHANBHAG, HOLGER PIRK, SAM

Efficient Top-K Query Processing on Massively Parallel Hardware ANIL SHANBHAG, HOLGER PIRK, SAM MADDEN 1 CPU GPU 16-24 Cores ~5000 Cores 60 GB/s 250-900 GB/s Main Mem GPU Mem 128-256GB 12-32GB 16-40 GB/s 2 Top-K SELECT id FROM tweets

635 views • 26 slides
Data Systems on Modern Hardware: Multi-cores, Solid-State Drives, and Non-Volatile Memories Prof.

Data Systems on Modern Hardware: Multi-cores, Solid-State Drives, and Non-Volatile Memories Prof.

CS 591: Da Data Systems Architectures Data Systems on Modern Hardware: Multi-cores, Solid-State Drives, and Non-Volatile Memories Prof. Manos Athanassoulis https://midas.bu.edu/classes/CS591A1 with slides developed at Harvard Some class

963 views • 74 slides
External Validity March 25 1 / 16 Definition How do we define external validity? Mundane

External Validity March 25 1 / 16 Definition How do we define external validity? Mundane

External Validity March 25 1 / 16 Definition How do we define external validity? Mundane realism (surface similarity) Generalizability of results 2 / 16 Discussion Experiments have strong internal validity. If that is why we do

552 views • 16 slides
Cue validity Cue validity - predictiveness of a cue for a given category Central

Cue validity Cue validity - predictiveness of a cue for a given category Central

Cue validity Cue validity - predictiveness of a cue for a given category Central intuition: Some features are more strongly associated with a distinct category than others Paw - shared by many animals Mane - only a few

334 views • 29 slides
(Minimal) Model Generation Useful for several tasks: hardware and software verification

(Minimal) Model Generation Useful for several tasks: hardware and software verification

ormal ethods roup Computing Minimal Models Modulo Subset-Simulation for Modal Logics Fabio Papacchini Renate A. Schmidt School of Computer Science The University of Manchester September 20, 2013 F. Papacchini, R. A. Schmidt

821 views • 43 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Towards 1000x with Heterogeneous, Programmable Hardware Datacenter Name: Anton Burtsev, UC

Towards 1000x with Heterogeneous, Programmable Hardware Datacenter Name: Anton Burtsev, UC

Towards 1000x with Heterogeneous, Programmable Hardware Datacenter Name: Anton Burtsev, UC Irvine Summary: 1 Related work: What will hardware look like in 10-20 years? Massively heterogeneous Not just many-cores GPUs, Xeon

294 views • 11 slides
Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive definitions Inference rules in action Judgments, axioms, and rules Reasoning about inductive definitions Direct proofs Admissibility Rule induction

498 views • 25 slides
Presented by Dr Nishat Siddiqi on behalf of: Ischaemia-reperfusion-injury Can account for up

Presented by Dr Nishat Siddiqi on behalf of: Ischaemia-reperfusion-injury Can account for up

The effects of intravenous sodium nitrite in acute ST elevation myocardial infarction: a randomised controlled trial Presented by Dr Nishat Siddiqi on behalf of: Ischaemia-reperfusion-injury Can account for up to 50% of final infarct size

692 views • 15 slides
The Other Half of the Fracture Equation: Fall Prevention and Management Anna Chodos, MD, MPH

The Other Half of the Fracture Equation: Fall Prevention and Management Anna Chodos, MD, MPH

7/5/2017 OSTEOPOROSIS NEW INSIGHTS IN RESEARCH, DIAGNOSIS,AND CLINICAL CARE School of Medicine Division of Geriatrics The Other Half of the Fracture Equation: Fall Prevention and Management Anna Chodos, MD, MPH Geriatrics, Zuckerberg San

597 views • 33 slides
Gradients of pronominal and verbal deficiency Hakyung Jung (Seoul National University,

Gradients of pronominal and verbal deficiency Hakyung Jung (Seoul National University,

Slavic Linguistics Society 15 Indiana University September 46, 2020 Gradients of pronominal and verbal deficiency Hakyung Jung (Seoul National University, hakyungj@snu.ac.kr) Krzysztof Migdalski (University of Wroc aw,

222 views • 10 slides
Towards Exascale Across Scales! Shantenu Jha Rutgers Advanced DIstributed Cyberinfrastructure

Towards Exascale Across Scales! Shantenu Jha Rutgers Advanced DIstributed Cyberinfrastructure

Towards Exascale Across Scales! Shantenu Jha Rutgers Advanced DIstributed Cyberinfrastructure & Applications Laboratory (RADICAL) http://radical.rutgers.edu Big Science to the Long Tail of Science Convergence of HPC and Data

929 views • 45 slides
Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1 What is a VDF? Verifier 2 What is a VDF? Setup( , T ) public parameters pp pp specify domain X and range Y Eval( pp , x )

638 views • 37 slides
In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca

In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca

In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca <philip.tricca@citrix.com> Background Xen does security well Value is added when VMs communicate / cooperate Strong isolation using hardware

451 views • 14 slides
PhD Seminar - Autumn Semester 2020 Vinicius Azevedo CGL ETH Zurich (CNB G 102.2)

PhD Seminar - Autumn Semester 2020 Vinicius Azevedo CGL ETH Zurich (CNB G 102.2)

PhD Seminar - Autumn Semester 2020 Vinicius Azevedo CGL ETH Zurich (CNB G 102.2) vinicius.azevedo@inf.ethz.ch Objectives & Requirements Objectives Requirements Present and discuss current PhD students must present their research

178 views • 5 slides
1 Anthony Heath and Yizhang Zhao Centre for Social Investigation Nuffield College, Oxford

1 Anthony Heath and Yizhang Zhao Centre for Social Investigation Nuffield College, Oxford

1 Anthony Heath and Yizhang Zhao Centre for Social Investigation Nuffield College, Oxford Background: why occupation Measuring occupation -> class schemas Application in developing countries China India Chile and Brazil

475 views • 26 slides

More recommend