Decision Procedures Customized for Formal Verification (Carnegie Mellon University)


Slide 1: Decision Procedures Customized for Formal Verification
Randal E. Bryant, Carnegie Mellon University
http://www.cs.cmu.edu/~bryant
Contributions by former graduate students: Sanjit Seshia, Shuvendu Lahiri

Slide 2 (CADE '05): Outline
- Context
  - Infinite state models of hardware systems
  - Verification techniques
- Needs
  - Requirements for decision procedures
  - Dealing with quantifiers
- Our Solution
  - SAT-based procedure
  - "Eager" Boolean encoding

Slide 3: Verification Example
[Figure: Alpha 21264 Microprocessor (Microprocessor Report, Oct. 28, 1996)]
- Task: verify that the microprocessor correctly implements the instruction set definition, even though it is heavily pipelined

Slide 4: Existing Hardware Verification Methods
- Simulators, equivalence checkers, model checkers, …
- All operate at bit level
  - View each register or memory bit as a state variable
  - Behavior of each state variable defined by a Boolean function
- Strengths
  - Finite-state systems conceptually simple
  - BDDs & SAT procedures allow high degrees of automation
- Limitations
  - State space can be very large
  - Only verify a fixed instantiation of the system: specific memory sizes, number of processes, buffer lengths, …

Slide 5: Verification Challenges
[Figure: Alpha 21264 Microprocessor (Microprocessor Report, Oct. 28, 1996)]
- Sources of complexity: lots of internal state; complex control logic
- Opportunities: most of the logic serves to store, select, and communicate data

Slide 6: Applying Data Abstraction to Hardware Verification
- Idea: abstract details of data encodings and operations; keep control logic precise
- Applications: verify overall correctness of system, assuming individual functional units correct
- Advantages of abstraction
  - Abstract infinite-state system easier to verify than detailed finite-state one
  - Parametric representation allows verification of many different system variants (arbitrary number of processes, buffer lengths, etc.)

Slide 7: Word Abstraction
- Data: abstract details of form & functions
- Control: keep at bit level
- Timing: keep at cycle level
[Figure: control logic driving a data path with combinational logic blocks 1 and 2]

Slide 8: Data Abstraction #1: Bits → Terms
- View data as symbolic words
  - Arbitrary integers
  - No assumptions about size or encoding
  - Classic model for reasoning about software
  - Can store in memories & registers
[Figure: bit vector x0, x1, x2, …, x(n-1) replaced by a single term x]

Slide 9: Modeling Data Selection
- If-then-else operation: a multiplexor; allows control-dependent data flow
[Figure: ITE(p, x, y) selects x when p = 1 and y when p = 0]

Slide 10: Abstracting Data Bits
[Figure: control logic and data path, with the combinational logic blocks marked "??"]
- What do we do about logic functions?

Slide 11: Abstraction #2: Uninterpreted Functions
- For any block that transforms or evaluates data: replace with generic, unspecified function
- Only assumed property is functional consistency: a = x ∧ b = y ⇒ f(a, b) = f(x, y)
[Figure: ALU block replaced by uninterpreted function f]

Slide 12: Abstracting Functions
- For any block that transforms data: replace by uninterpreted function; ignore detailed functionality
- Conservative approximation of actual system
[Figure: combinational logic blocks in the data path replaced by uninterpreted functions F1 and F2]

Slide 13: Modeling Data-Dependent Control
- Model by uninterpreted predicate
  - Yields arbitrary Boolean value for each control + data combination
  - Produces same result when arguments match
- Pipeline & reference model will branch under same conditions
[Figure: branch logic with inputs Cond, Adata, Bdata and output Branch?, replaced by uninterpreted predicate p]

Slide 14: Abstraction #3: Modeling Memories as Mutable Functions
- Memory M modeled as function: M(a) is the value at location a
- Initially: arbitrary state, modeled by uninterpreted function m0
[Figure: M applied to address a; initial memory is m0]

Slide 15: Effect of Memory Write Operation
- Writing transforms memory: M' = Write(M, wa, wd)
- Reading from updated memory: address wa will get wd; otherwise get what's already in M
- Express with lambda notation: M' = λa. ITE(a = wa, wd, M(a))
[Figure: M' reads M(a) through a multiplexor that selects wd when a = wa]
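Added Python example (not UCLID's or the authors' code) of the memory abstraction on slides 14 and 15: Write builds the lambda term and a Read unfolds into an ITE chain over the uninterpreted initial memory m0; the term encoding, the cross-check against a concrete dictionary memory and the sample data values are constructed here.

```python
# Added example (not UCLID code): a term-level memory in the style of slides 14-15.
# Terms are nested tuples; a memory is a Python function from an address term to a
# data term, so Write(M, wa, wd) literally builds the lambda a. ITE(a = wa, wd, M(a)).

def var(name):      return ('var', name)
def eq(s, t):       return ('eq', s, t)
def ite(c, t, e):   return ('ite', c, t, e)
def app(f, *args):  return ('app', f, args)

def initial_memory(fname='m0'):
    # Arbitrary initial contents: the uninterpreted function m0 of slide 14.
    return lambda a: app(fname, a)

def write(mem, wa, wd):
    # M' = lambda a. ITE(a = wa, wd, M(a)): reading wa yields wd, any other
    # address falls through to the old memory (slide 15).
    def updated(a):
        if a == wa:                       # syntactically identical address: certain hit
            return wd
        return ite(eq(a, wa), wd, mem(a))
    return updated

def read(mem, a):
    return mem(a)

def evaluate(term, env, funcs):
    # Concrete semantics: env maps variable names to ints, funcs maps
    # uninterpreted function names to Python callables.
    tag = term[0]
    if tag == 'var':
        return env[term[1]]
    if tag == 'eq':
        return evaluate(term[1], env, funcs) == evaluate(term[2], env, funcs)
    if tag == 'ite':
        branch = term[2] if evaluate(term[1], env, funcs) else term[3]
        return evaluate(branch, env, funcs)
    return funcs[term[1]](*(evaluate(x, env, funcs) for x in term[2]))

def read_after_two_writes():
    # Symbolic: write d1 at a1, then d2 at a2, then read address ra.
    a1, d1, a2, d2, ra = (var(n) for n in ('a1', 'd1', 'a2', 'd2', 'ra'))
    return read(write(write(initial_memory(), a1, d1), a2, d2), ra)

def agrees_with_concrete_memory(addrs=range(3)):
    # Cross-check the ITE chain against a dict-based memory for every combination
    # of small addresses; data values (7, 9) and m0(a) = 100 + a are constructed.
    term = read_after_two_writes()
    for a1, a2, ra in ((x, y, z) for x in addrs for y in addrs for z in addrs):
        concrete = {a: 100 + a for a in addrs}
        concrete[a1] = 7
        concrete[a2] = 9
        env = dict(a1=a1, d1=7, a2=a2, d2=9, ra=ra)
        if evaluate(term, env, {'m0': lambda a: 100 + a}) != concrete[ra]:
            return False
    return True
```

The later write sits outermost in the ITE chain, which is exactly the read-over-write priority the slide describes.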

Slide 16: Systems with Buffers
- Modeling method
  - Mutable function to describe buffer contents
  - Integers to represent head & tail pointers
  - Parameterize buffer capacity with symbolic value Max
[Figure: unbounded buffer and circular queue]

Slide 17: Some History of Term-Level Modeling
- Historically
  - Standard model used for program verification: unbounded integer data types
  - Widely used with theorem-proving approaches to hardware verification, e.g., Hunt '85
- Automated approaches to hardware verification
  - Burch & Dill, '95: tool for verifying pipelined microprocessors, implemented by a form of symbolic simulation
  - Continued application to pipelined processor verification

Slide 18: UCLID (Seshia, Lahiri, Bryant, CAV '02)
- Term-level verification system
  - Language for describing systems, inspired by CMU SMV
  - Symbolic simulator: generates integer expressions describing system state after a sequence of steps
  - Decision procedure: determines validity of formulas
  - Support for multiple verification techniques
- Available by download: http://www.cs.cmu.edu/~uclid

Slide 19: Required Logic
- Scalar data types
  - Formulas (F): Boolean expressions; control signals
  - Terms (T): integer expressions; data values
- Functional data types
  - Functions (Fun): Integer → Integer; immutable: functional units; mutable: memories
  - Predicates (P): Integer → Boolean; immutable: data-dependent control; mutable: bit-level memories

Slide 20: CLU Logic: Counter Arithmetic, Lambda Expressions and Uninterpreted Functions
- Terms (T): integer expressions
  - ITE(F, T1, T2): if-then-else
  - Fun(T1, …, Tk): function application
  - succ(T): increment
  - pred(T): decrement
- Formulas (F): Boolean expressions
  - ¬F, F1 ∧ F2, F1 ∨ F2: Boolean connectives
  - T1 = T2: equation
  - T1 < T2: inequality
  - P(T1, …, Tk): predicate application
- To support pointer operations

Slide 21: CLU Logic (Cont.)
- Functions (Fun): Integer → Integer
  - f: uninterpreted function symbol
  - λx1, …, xk. T: function definition
- Predicates (P): Integer → Boolean
  - p: uninterpreted predicate symbol
  - λx1, …, xk. F: predicate definition

Slide 22: Outline
- Context
  - Infinite state models of hardware systems
  - Verification techniques
- Needs
  - Requirements for decision procedures
  - Dealing with quantifiers
- Our Solution
  - SAT-based procedure
  - "Eager" Boolean encoding

Slide 23: Verifying Safety Properties
- State machine model
  - State encoded as Booleans, integers, and functions
  - Next state function δ expresses how the state is updated on each step
- Prove: system will never reach a bad state
[Figure: reset states, reachable states and bad states; δ maps the present state and (arbitrary) inputs to the next state]

Slide 24: Bounded Model Checking
- Repeatedly perform image computations: set of all states reachable by one more state transition
- Underapproximation of reachable state set, but typically catch most bugs with 8–10 steps
[Figure: sets R1, R2, …, Rn growing from the reset states toward the reachable states, with the bad states outside]

Slide 25: Implementing BMC
- Construct verification condition formula for step n by symbolically simulating the system for n cycles
- Check with decision procedure
- Do as many cycles as tractable
[Figure: chain of n copies of δ starting from reset state S with inputs X1, X2, …, Xn; check whether reaching Bad is satisfiable]

Slide 26: True Model Checking
- Reach fixed-point: Rn = Rn+1 = Reachable
- Impractical for term-level models
  - Many systems never reach a fixed point: can keep adding elements to a buffer
  - Convergence test undecidable (Bryant, Lahiri, Seshia, CHARME '03)
[Figure: sets R1, R2, …, Rn growing from the reset states, with the bad states outside]

Slide 27: Inductive Invariant Checking
- Key properties of the system that make it operate correctly; formulate as formula I
- Prove inductive
  - Holds initially: I(s0)
  - Preserved by all state changes: I(s) ⇒ I(δ(i, s))
[Figure: invariant I contains the reset states and the reachable states and excludes the bad states]

Slide 28: Inductive Invariants
- Formulas I1, …, In
  - Ij(s0) holds for any initial state s0, for 1 ≤ j ≤ n
  - I1(s) ∧ I2(s) ∧ … ∧ In(s) ⇒ Ij(s') for any current state s and successor state s', for 1 ≤ j ≤ n
- Overall correctness follows by induction on time
- Restricted form of invariants: ∀x1 ∀x2 … ∀xk ψ(x1…xk)
  - ψ(x1…xk) is a CLU formula without quantifiers
  - x1…xk are integer variables free in ψ(x1…xk)
  - Express properties that hold for all buffer indices, register IDs, etc.

Slide 29: Proving Invariants
- Proving invariants inductive requires quantifiers: ⊨ [∀x1 ∀x2 … ∀xk ψ(x1…xk)] ⇒ [∀y1 ∀y2 … ∀ym φ(y1…ym)]
- Prove unsatisfiability of formula ∀x1 ∀x2 … ∀xk ψ(x1…xk) ∧ ¬φ(y1…ym)
- Undecidable problem in logic with uninterpreted functions and equality

Slide 30: Invariant Checking: Out-of-Order Processor Designs
- Generating invariants requires considerable human effort
- Impractical for realistic designs

Design            | base   | exc    | exc / br | exc / br / mem-simp | exc / br / mem
Total invariants  | 13     | 34     | 39       | 67                  | 71
UCLID time        | 54 s   | 236 s  | 403 s    | 1594 s              | 2200 s
Person time       | 2 days | 7 days | 9 days   | 24 days             | 34 days

Slide 31: Constructing Invariants from Predicates
- Predicates: reg.valid(r); rob.head ≤ reg.tag(r); reg.tag(r) = t; rob.dest(t) = r
- Invariant (result: correctness): ∀r,t. reg.valid(r) ∧ reg.tag(r) = t ⇒ (rob.head ≤ reg.tag(r) < rob.tail ∧ rob.dest(t) = r)

Slide 32: Automatic Predicate Abstraction (Graf & Saïdi, CAV '97)
- Idea: given a set of predicates P1(s), …, Pk(s), Boolean formulas describing properties of system state
  - View as abstraction mapping: States → {0,1}^k
  - Defines abstract FSM over state set {0,1}^k; a form of abstract interpretation
  - Do reachability analysis similar to symbolic model checking
- Early implementations inefficient
  - Guess at possible next abstract states
  - Test with call to decision procedure

Slide 33: P.E. as Invariant Generator
- Reach fixed-point on abstract system: termination guaranteed, since finite state
- Equivalent to computing invariant for concrete system: strongest possible invariant that can be expressed by a formula over these predicates
[Figure: abstract system reachability R1, R2, …, Rn from the abstract reset states, concretized to an invariant I over the concrete system's reset states]

Slide 34: Symbolic Formulation of Predicate Abstraction (Lahiri, Bryant, Cook, CAV '03)
- Basic operation: compute set of legal abstract next states ψ'(B') given current abstract states ψ(B)
  - B, B': abstract current and next-state variables
  - ψ, ψ': Boolean formulas
- Create formula of form φ(S, B'): possible combinations of current concrete state S and next abstract state B'
- Formulate as quantifier elimination problem: generate formula of form ψ'(B') ≡ ∃S φ(S, B')
  - S: integer variables
  - For an interpretation of B', formula ψ' is true iff φ(S, B') is satisfiable

Slide 35: Outline
- Context
  - Infinite state models of hardware systems
  - Verification techniques
- Needs
  - Requirements for decision procedures
  - Dealing with quantifiers
- Our Solution
  - SAT-based procedure
  - "Eager" Boolean encoding

Slide 36: Decision Procedure Needs
- Bounded model checking: satisfiability of quantifier-free CLU formula; handled by decision procedure
- Invariant checking: satisfiability of quantified CLU formula; undecidable
- Predicate abstraction: eliminate quantifiers from CLU formula
- Role of decision procedure: apply in a sound, but incomplete way

Slide 37: UCLID Decision Procedure
- Operation: series of transformations leading to a propositional formula; except for lambda expansion, each has polynomial complexity
- Pipeline: CLU formula → (lambda expansion) → λ-free formula → (function & predicate elimination) → term formula → (finite instantiation) → Boolean formula → (Boolean satisfiability)

Slide 38: SAT-based Decision Procedures
- Eager encoding: input formula → satisfiability-preserving Boolean encoder → Boolean formula → SAT solver → satisfiable / unsatisfiable
- Lazy encoding: input formula → approximate Boolean encoder → Boolean formula → SAT solver; a satisfying assignment yields first-order conjunctions passed to a SAT checker; if they are unsatisfiable, an additional clause is fed back to the SAT solver, otherwise the formula is satisfiable

Slide 39: Eager Encoding
- Characteristics
  - (–) Must encode all information about domain properties into the Boolean formula
  - (–) Some properties can give exponential blowup
  - (+) Lets SAT solver do all of the work
- Good approach for some domains
  - Modern SAT solvers have remarkable capacity
  - Good at extracting relevant portions out of very large formulas
  - Learns about formula properties as search proceeds
[Figure: input formula → satisfiability-preserving Boolean encoder → Boolean formula → SAT solver → satisfiable / unsatisfiable]

Slide 40: Advances in Eager SAT Encodings
- Per-constraint encoding of EUF (equality + uninterpreted functions): Goel et al., CAV '98
- Exploit polarity structure of equations: Bryant, German, Velev, CAV '99
- Reduce variable ranges in small-domain encodings: Pnueli, Rodeh, Shtrichman, Siegel, CAV '99
- Sparse encoding of transitivity constraints: Bryant, Velev, CAV '00
- Select encoding method using criteria trained by machine learning: Lahiri, Seshia, Bryant, DAC '03
- Exploit sparseness in linear constraints: Seshia, Bryant, LICS '04

Slide 41: Encoding Methods
- Difference logic formula → per-constraint encoding (PC) or small domain encoding (SD) → Boolean formula → SAT solver → satisfiable / unsatisfiable

Slide 42: Small Domain Encoding (SD) [Bryant, Lahiri, Seshia, CAV '02]
- Example formula: x < y ∧ y < z ∧ z < x+1
- Observation: to check satisfiability, need to consider all possible relative orderings of finitely many expressions (here x, x+1, y, z)
- Can use Boolean encoding of a finite range of values: 4 values in this case, so 2-bit encoding: ⟨x1x0⟩ < ⟨y1y0⟩ ∧ ⟨y1y0⟩ < ⟨z1z0⟩ ∧ ⟨z1z0⟩ < ⟨x1x0⟩ + 1

Slide 43: Per-Constraint Encoding (PC) [Strichman, Seshia, Bryant, CAV '02]
- Example formula: x < y ∧ y < z ∧ z < x+1, with difference predicates e1: x < y, e2: y < z, e3: z < x+1
- New difference predicate e4: x < z
- Transitivity constraints: e1 ∧ e2 ⇒ e4; e4 ∧ e3 ⇒ false
- Overall Boolean encoding: (e1 ∧ e2 ∧ e3) ∧ transitivity constraints

Slide 44: Size of Boolean Encoding: SD better than PC
- Let N be the size of the original difference logic formula (size of a directed acyclic graph representation)
- SD encoding size is worst-case O(N^2)
- PC encoding size is worst-case O(2^N): can generate O(2^N) transitivity constraints
- Example: N = 6813

Method | Boolean encoding size
PC     | > 1000000
SD     | 54465

Slide 45: Impact on SAT problem: SD vs PC
- Experimentally compared zChaff performance on SD and PC encodings of several unsatisfiable formulas
- Sample result: PC better than SD for zChaff

Method | # Boolean variables | # CNF clauses | # conflict clauses | zChaff time (sec)
PC     | 5721                | 11693         | 8715               | 0.56
SD     | 2311                | 26769         | 91581              | 121.63

Slide 46: How to Choose Encoding
- Hybrid strategy
  - Partition variables into classes: which ones are compared to each other
  - For each class, choose encoding method: PC, except SD when PC blows up
- How to determine whether PC will work
  - Try to predict based on formula characteristics: number of constraints, density, …
  - Selection procedure trained by machine learning

Slide 47: Some Lessons We've Learned About Decision Procedures
- Preserve Boolean structure: other approaches require collapsing to conjunctions of predicates (or extracting them dynamically)
- Exploit problem characteristics: sparseness; polarity structure
- Let SAT solver do the work
  - Eager encoding: provide a sufficient set of constraints to prove / disprove the formula
  - They are good at digesting a large volume of information

Slide 48: Invariant Checking Revisited
- Prove unsatisfiability of formula ∀x1 ∀x2 … ∀xk ψ(x1…xk) ∧ ¬φ(y1…ym)
- General form: ∀X ψ(X) ∧ ¬φ(Y)
- Quantifier instantiation
  - Generate expressions E1(Y), …, En(Y) using terms that appear in Q
  - Expand as ψ(E1(Y)) ∧ … ∧ ψ(En(Y)) ∧ ¬φ(Y)
  - If unsatisfiable, then so is the quantified formula: sound, but incomplete
- Trade-off: be clever about instantiation, or instantiate many terms and rely on decision procedure capacity

Slide 49: Predicate Abstraction Revisited
- Formulate as quantifier elimination problem: generate formula of form ψ'(B') ≡ ∃S φ(S, B'); S: integer variables
- Use eager SAT encoding of φ: get formula ∃A P(A, B'); A: Boolean variables
- Satisfying solutions for P w.r.t. B' same as those for φ
- Core problem of symbolic model checking

Slide 50: Quantifier Elimination for P.A.
- Formula ∃A P(A, B'); A: Boolean variables; typically 200+ variables for A, ~20 for B'
- BDD-based
  - Use partitioning techniques developed for symbolic model checking
  - Typically too many total Boolean variables
- SAT enumeration
  - Find satisfying solution σ(A) ∧ σ(B') to P
  - Enumerate solution σ(B')
  - Reformulate P as P ∧ ¬σ(B')
- Performance: about 1000 solutions / second
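The SAT enumeration loop of slide 50 as an added Python example (not UCLID's code): a tiny DPLL solver finds σ(A) ∧ σ(B'), the B' part is recorded and blocked with ¬σ(B'), and the loop stops when P becomes unsatisfiable; the CNF instance, the variable numbering and the function names are constructed for this illustration.

```python
# Added example (not UCLID code): quantifier elimination by SAT enumeration, as
# sketched on slide 50. P(A, B') is a CNF over integer-numbered Boolean variables
# (literal +v / -v); we compute every B' valuation that has some A-completion.
from itertools import product

def dpll(clauses, assignment=None):
    # Minimal DPLL with unit propagation; returns a satisfying dict or None.
    assignment = dict(assignment or {})
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                                   # already satisfied
            unassigned = [l for l in clause if abs(l) not in assignment]
            if not unassigned:
                return None                                # conflict
            if len(unassigned) == 1:                       # unit clause
                assignment[abs(unassigned[0])] = unassigned[0] > 0
                changed = True
    free = {abs(l) for c in clauses for l in c} - set(assignment)
    if not free:
        return assignment
    v = min(free)
    for value in (True, False):
        result = dpll(clauses, {**assignment, v: value})
        if result is not None:
            return result
    return None

def enumerate_abstract_cubes(clauses, b_vars):
    # Slide 50: find sigma(A) ∧ sigma(B'), keep sigma(B'), then reformulate
    # P as P ∧ ¬sigma(B') and repeat until P becomes unsatisfiable.
    clauses = [list(c) for c in clauses]
    cubes = []
    while (sol := dpll(clauses)) is not None:
        cube = {b: sol[b] for b in b_vars if b in sol}  # absent B' var = don't care
        cubes.append(cube)
        clauses.append([-b if val else b for b, val in cube.items()])
    return cubes

def abstract_states(clauses, b_vars):
    # Expand don't-cares so the result is the explicit set of B' valuations.
    states = set()
    for cube in enumerate_abstract_cubes(clauses, b_vars):
        free = [b for b in b_vars if b not in cube]
        for values in product((False, True), repeat=len(free)):
            full = {**cube, **dict(zip(free, values))}
            states.add(tuple(int(full[b]) for b in b_vars))
    return sorted(states)

# Constructed instance: concrete Booleans a1, a2, a3 (vars 1-3) with a1 -> a3, and
# abstract next-state bits b1, b2 (vars 4, 5) with b1 <-> (a1 ∧ a2), b2 <-> (a2 ∨ a3).
B_VARS = [4, 5]
P = [[-1, 3], [-4, 1], [-4, 2], [4, -1, -2], [-5, 2, 3], [5, -2], [5, -3]]
```

Each iteration costs one SAT call and removes one cube of B' valuations, which is why the slide's "about 1000 solutions / second" bounds how many abstract states the method can enumerate.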

Slide 51: Why Verification Tasks Feasible
- CLU logic fairly simple
  - Equality, uninterpreted functions, difference constraints
  - Small model property
- "Deep" reasoning not required
  - Formulas large and messy, but straightforward
  - Verifying systems that are designed to have constrained behaviors
  - Only checking the effect of a few cycles of system operation

Slide 52: Decision Procedures Revisited
- SAT-based approaches effective
  - Good performance as decision procedures
  - Key to implementing predicate abstraction: quantifier elimination
- Eager encoding gives good performance
  - Avoids many iterations of theory-specific checkers
  - Extends to linear integer arithmetic (Seshia & Bryant, LICS '04): quantifier-free Presburger; small domain encoding exploiting sparseness

Slide 53: Areas of Research
- Bit-vector decision procedures
  - True model for hardware & low-level software: bit-field extraction; bit-wise Boolean operations; overflow effects
  - Automatically apply abstractions: abstract to symbolic terms whenever possible
- Boolean quantifier elimination
  - SAT enumeration still not good enough: limits predicate abstraction to ~25 predicates
  - Core problem for symbolic model checking

Slide 54: More Research
- Proof generation: hard to see how to generate an unsatisfiability proof for a CLU formula
- Debugging support
  - Bounded model checking: provide counterexample trace
  - Invariant checking: hard to determine why an invariant fails, and the failure may be due to weakness in quantifier instantiation
  - Predicate abstraction: gets nowhere without the right set of predicates
- Proving liveness
  - Current abstractions do not preserve liveness properties
  - Can help in proving a progress invariant

Slide 55: Questions?

