CS & ECE Departments Carnegie Mellon University Modeling and Verifying Systems using CLU Logic Randal E. Bryant Shuvendu Lahiri Sanjit A. Seshia

2 “Infinite-State” Systems  State variables of unbounded integer or unbounded integer array type  Systems with finite but very large or arbitrary size resources Microprocessor memories, buffers  Parameterized systems Cache protocols  Communication protocols with unbounded, lossy channels

3 Infinite-State Verification: Automation vs. Expressiveness General purpose techniques Model checking (using abstraction)  Highly automated  Finding the right abstraction is hard  State space explosion Theorem proving for first & higher order logics  Very expressive  Greater manual assistance needed Domain specific techniques: e.g., QDDs for communication protocols Logic of equality with uninterpreted functions (EUF) for pipelined processors  Rely on specialized efficient data structures or decision procedures

4 Motivating Question How far can we generalize a domain specific technique, without losing efficiency? We focus on extending the EUF logic based approach that has worked well for pipelined processors

5 EUF: Equality with Uninterp. Functs Decidable fragment of first order logic Formulas ( F ) Boolean Expressions  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation P (T 1, …, T k ) Predicate application Terms ( T ) Integer Expressions ITE(F, T 1, T 2 ) If-then-else Fun (T 1, …, T k ) Function application Functions ( Fun ) Integer  Integer f Uninterpreted function symbol Read, Write Memory operations Predicates ( P ) Integer  Boolean p Uninterpreted predicate symbol

6 Modeling and Verification Approach  Model system at “term-level” State variables evaluate to expressions in EUF logic  Correctness (safety) property is formula F in EUF  Check validity of F using decision procedure for EUF F must be true under all interpretations of function/predicate symbols

7 Term-level Modeling in EUF View Data Word as “Terms” ( Integers ) View functional blocks as uninterpreted functions Functional consistency: a = x  b = y  f(a, b) = f(x, y) x0x0 x1x1 x2x2 x n-1 x  1010 x y p ITE(p, x, y) = xy ALUALU  ALUALU f

8 Efficient Decision Procedure for EUF [Bryant, German, & Velev, CAV ’99]  Translate EUF formula to equivalent Boolean formula  “Small-Model Property”  Need to consider only finitely many interpretations of terms  “Positive Equality”  Number of interpretations can be greatly reduced for some terms  Equations appearing only under even # of negations assigned false

9 Our Contributions Generalize EUF to get CLU logic Can model a richer set of systems Still retains the efficiency of Bryant-German-Velev decision procedure ‘Small model property’ preserved Can exploit positive equality Efficient reduction to propositional logic UCLID verification tool Supports different types of verification Highly automated Counterexample traces similar to model checkers

10 Outline for Rest of Talk  CLU logic  Definition  Modeling systems in CLU  The UCLID verifier  Decision procedure  An example  Benchmarking  Counterexample generation  Conclusions

11 The CLU Logic Generalization of EUF Four types of expressions:  Functions,  Predicates,  Terms,  (Boolean) Formulas Counter Arithmetic, Lambda Expressions, and Uninterpreted Functions

12 EUF  CLU Terms ( T ) ITE(F, T 1, T 2 ) If-then-else Fun (T 1, …, T k ) Function application Formulas ( F )  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation P(T 1, …, T k ) Predicate application succ (T) Increment pred (T) Decrement T 1 < T 2 Inequality

13 EUF  CLU (Cont.) Functions ( Fun ) f Uninterpreted function symbol Read, Write Memory operations Predicates ( P ) p Uninterpreted predicate symbol x 1, …, x k. T Function lambda expression x 1, …, x k. F Predicate lambda expression Arguments can only be terms Lambdas are just mutable arrays

14 Modeling with CLU Memories Contents represented by lambda Defines function mapping addresses to data values Unbounded and Bounded Queues Use counters to indicate head and tail Lambda to indicate buffer contents Unbounded arrays of identical processes Lambda for each state variable Indexed by process ID

15 Modeling Unbounded FIFO Buffer Queue is Subrange of Infinite Sequence Q.head = h Index of oldest element Q.tail = t Index of insertion location Q.val = q Function mapping indices to values q(i) valid only when h  i < t Initial State: Arbitrary Queue Q.head = h 0, Q.tail = t 0 Impose constraint that h 0  t 0 Q.val = q 0 Uninterpreted function q(h–2) q(h–1) q(h) q(h+1) q(t–2) q(t–1) q(t) q(t+1) tail head Already Popped Not Yet Inserted increasing indices

16 Modeling FIFO Buffer (cont.) t q(h–2) q(h–1) q(h) q(h+1) q(t–2) q(t–1) q(t) q(t+1) h next[h] := ITE(operation = POP, succ(h), h) next[q] := (i). ITE((operation = PUSH & i=t), x, q(i)) next[t] := ITE(operation = PUSH, succ(t), t) q(h–2) q(h–1) q(h) q(h+1) q(t–2) q(t–1) x q(t+1) next[t] next[h] op = PUSH Input = x

17 Sample Application of Modeling Out-of-Order Execution Unit Unbounded Register File -- Memory Reorder Buffer – Queue, Content-addressable memory Register File Reg. Value Tag V/T bit Reg ID Reorder Buffer RetireDispatch

18 UCLID  Verification tool for systems in CLU logic  Based on symbolic simulation and the decision procedure  Generates counterexamples

19 UCLID Operation Symbolic Simulation file.ucl Model + Specification CLU Formula Decision Procedure Valid Invalid + Counterexample

20 Verification Techniques in UCLID Bounded Property Checking Start in reset state Symbolically simulate for fixed number of steps Verify safety property for all states reachable within the fixed number of steps from the start state Invariant Checking Start in general state s Simulate one step Prove Inv(s)  Inv(Next[s]) Limited support for automatic quantifier elimination Correspondence Checking Run 2 different simulations starting in most general state Prove that final states equivalent

21 Sample Case Studies  Simple out-of-order processor unit  ALU instructions, unbounded resources, register renaming  Performed inductive invariant checking to check refinement between OOO model and ISA  Load-store unit of Motorola ELF processor  Memory instructions, register renaming, completion buffer  20K lines of Verilog manually translated to 1K lines of UCLID  Large state space: About 150 total state variables, 80 of integer type  Performed bounded property checking

22 The Decision Problem CLU Formula F clu Decision Procedure ValidInvalid

23 Decision Procedure Operation Series of transformations leading to propositional formula Propositional formula checked with BDD or SAT tools CLU Formula F clu Lambda Expansion Function & Predicate Elimination Finite Instantiation Boolean Satisfiability -free Formula, F subst Term Formula, F const Boolean Formula, F prop SAT  F clu invalid UNSAT  F clu valid ¬

24 An Example F clu is a. ITE(a>y, succ(g(y)), succ(g(a))) x = a. succ(ITE(a>y, g(y), g(a))) x

25 Step 1: Lambda substitution a. ITE(a>y, succ(g(y)), succ(g(a))) x = a. succ(ITE(a>y, g(y), g(a))) x F subst is ITE(x>y, succ(g(y)), succ(g(x))) = succ(ITE(x>y, g(y), g(x)))

26 Step 2: Function elimination ITE(x>y, succ(g(y)), succ(g(x))) = succ(ITE(x>y, g(y), g(x))) F const is ITE(x>y, succ(g y ), = succ(ITE(x>y, g y, succ( ITE(x=y, g y, g x ) )) ITE(x=y, g y, g x ) )) P-function symbols: {g} G-function symbols: {x,y} P-variables: {g x, g y } G-variables: {x, y}

27 Step 3: Finite Instantiation (1) ITE(x>y, succ(g y ), succ(g x )) = succ(ITE(x>y, g y, ITE(x=y, g y, g x ))) ‘Small-Model’ Property: Sufficient to interpret variables over finite domains P-variables: {g y, g x } G-variables: {x, y} 1.P-variables get distinct values 2.G-variables can get same value if there’s a potential comparison Value Classes: x,y gxgx gygy

28 Step 3: Finite Instantiation (2) x,y gxgx gygy 2 values 1 value, + 1 for succ(g y ) 1 value, + 1 for succ(g x ) Generate Boolean Formula F prop (Using bit-level encoding of arithmetic ops) Number of values: Values assigned: {0,1}{2,3}{4,5} Final Boolean Encoding: x {0,1} 00b x y {0,1} 00b y g y g x 4 100

29 Theoretical Formula Blowup If -free formula F subst has size N Then final Boolean formula F prop is O((N + M 2 + P 2 ) lg N) where M= #(function applications) P= #(predicate applications) In practice, O(N lg N) observed.

30 Decision Procedure Benchmarking ModelTerm formula DAG size Prop formula DAG size UCLID time (s) SVC time (s) Out-of-order execution unit Elf™ processor > 1 day > 1 day Compared against Stanford Validity Checker (SVC) Decides CLU + real linear arith. + bit-vector arith. UCLID uses the Chaff SAT solver for Boolean SAT Time includes translation time + Chaff time

31 Impact of Positive Equality ModelTerm formula size UCLID w/ p-eq. (s) UCLID w/o p- eq. (s) Out-of-order execution unit Cache Protocol > 1 hr DLX pipeline Positive equality can still be exploited to improve performance

32 Counterexample Generation Counterexample Trace showing value of each state variable on each step. “Value” of a lambda is a set of argument/value pairs Lambda Expansion Function & Predicate Elimination Finite Instantiation Boolean Satisfiability Symbolic Simulation Trace Partial Interp. of Lambdas Partial Interpretation of UIFs Integer Assignment Boolean Assignment

33 Conclusions  Contributions  Modeling capability of CLU  Efficient decision procedure  Builds on recent advances in Boolean SAT  Verification techniques in UCLID  Counterexample generation  Ongoing work  Decision procedure variants:  Encoding separation predicates [Strichman et al. CAV’02]  Using pseudo-Boolean constraint solver  Other case studies  MIPS processor  Some support for instantiating quantifiers

34 Modeling Memories with ’s Memory M Modeled as Function M(a): Value at location a Initially Arbitrary state Modeled by uninterpreted function m 0 M a M a m0m0 next [M] M a 1010 wd = wa Writing Transforms Memory Write(M, wa, wd) next[M ] = a. ITE(a = wa, wd, M(a)) Future reads of address wa will get wd

35 UCLID Operation Lambda Expansion Function & Predicate Elimination Finite Instantiation Boolean Satisfiability Symbolic Simulation file.ucl Model + Specification CLU Formula -free Formula Term Formula Boolean Formula

36 Step 3: Finite Instantiation (2) Encoding Value Classes x,y gxgx gygy values 1 value, + 1 for succ(g y ) Encoding Within Classes 1 value, + 1 for succ(g x ) Final Encoding: x 00b x y 00b y g y 010 g x 100 Generate Boolean Formula F prop

37 Decision Procedure (recap) CLU Formula F clu Lambda Expansion Function & Predicate Elimination Finite Instantiation Boolean Satisfiability -free Formula, F subst Term Formula, F const Boolean Formula, F prop SAT  F clu invalid UNSAT  F clu valid ¬

38 Burch & Dill Burch & Dill, CAV ‘94 Automatic decision procedure for the logic of Equality with Uninterpreted Function (EUF) Davis-Putnam enumeration Congruence closure to enforce functional consistency Verified single-issue DLX Used ‘flushing’ as an abstraction function Simple 5-stage RISC pipeline Becomes less effective for more complex processors Burch, DAC ‘96, FMCAD ’96 Could not handle superscalar DLX with exceptions

39 Bryant & Velev Based on work by Burch & Dill Efficient Decision Procedure Use fragment of first-order logic that can be reduced to propositional logic Exploit the structure of terms which appear in positive contexts only Most terms in data-path appear only in positive contexts Then use efficient SAT procedures Specialized tool Only for modeling & verifying pipelines Verified very advanced pipelines VLIW and superscalar pipelines with exceptions MCORE™ integer pipeline verification

40 Correctness of Pipeline Abstraction function Abs Relates state of pipeline to program state Result of completing partially-executed instructions Requirement Pipeline step  pipe matches k instruction executions  k spec For our pipeline k = 1 When pipeline stalls have k =0 Superscalar pipelines can have k > 1 Q pipe  pipe Abs Q spec  k spec Abs

41 Limitations Burch & Dill The decision procedure was not powerful to verify formulas for superscalar processors with load-store, exceptions etc Manual case splits required to complete the verification Could not model unbounded resources A reorder buffer of arbitrary length Bryant & Velev Could not model unbounded resources Logic is same as EUF, only efficient decision procedure No effective counterexample generation Specialized to model inorder pipelined processors No way to model parameterized Cache Coherence protocols

42 New Challenges Invariant Checking or Deductive verification To verify property p Discover the inductive invariant Inv Inv Holds in the initial state If Inv holds for an arbitrary state, Inv holds for the successor states Inv  p Prove Inv(s)  Inv(Next[s]) Proving Inv :  x.  (x) requires existential quantifiers  x.  (x)   x.  (x) =  x. ~  (x) V  x.  (x) In general undecidable (no algorithm exist to check the validity)

43 Term-Level Verification Challenges Right now, modeling capability exceeds what we can verify. Model Checking Need to detect convergence Have reached most general state Difficult algorithm In general, may never converge E.g., when start with empty buffers Invariant Checking Tedious to construct manually Negating antecedent requires existential quantifiers Can instantiate automatically in some cases Symbolic Simulation Cannot, in general, flush unbounded buffers

44 Verification Case Studies  Simple out-of-order processor unit  Load-store unit of Motorola ELF processor  Cache coherence protocol  Alternating bit protocol

45 Results : Out-of-order Processor Verification A simple out-of-order execution engine (OOO) Abstract model of OOO execution unit Unbounded retirement buffer Arbitrary size data Infinite memory size Arithmetic instructions only Register renaming Close to Intel® Pentium Pro™ out-of-order engine Verification Bounded property checking for completely automatic state space exploration (Refutation) Refinement between the out-of-order model and ISA model shown by deductive verification (Verification) All the proofs of invariants were automatically proved using UCLID In submission to Formal Methods in Computer-Aided Design 2002

46 Industrial Application : Modeling Motorola ELF™ Processor Modeling 5 stage pipeline Memory instructions Out-of-order execution, inorder retirement Pipelined load-store unit Memory part was about 20K lines Modeled compactly within 1K lines of UCLID Verification Bounded property checking with the ISA model Decision procedure allows a much larger automatic state space exploration

47 Industrial Application : Motorola ELF™ Processor 32-bit Dual issue with 64 GPRs 5 stage pipeline Out-of-order issue, inorder completion of up to 2 instructions Load/Store unit 3-cycle load latency Fully pipelined Load queue for loads that miss in cache Store queue for retiring store instruction Other buffers to hide cache miss latency

48 Modeling Motorola ELF™ Processor Modeled Memory instructions and load/store unit Most complicated of all the execution units Register Renaming Completion buffer for serialization and inorder retirement Method Manually translated 20,000 lines of Verilog into 1,000 lines of UCLID Summer intern project Some work at Michigan on automatic translation Verification Bounded property checking with the ISA model Decision procedure allows a much larger automatic state space exploration

49 Ongoing and Future Work  Verification case studies  General out-of-order execution unit (with different instruction types, load-store unit, exceptions)  Need more support for Invariant Checking  Decision procedure enhancements  Using decision procedure for separation theory, and even linear arithmetic [Ofer Strichman’s work]  Using pseudo-boolean constraint solver (0-1 integer programming-like problem) [U.Mich.]  More detailed benchmarking  Combining with Boolean Model Checking [w/ Ken McMillan]  Use to generate predicates for predicate abstraction