Download presentation
1
and Formal Verification Carnegie Mellon University
System Modeling and Formal Verification with UCLID Randal E. Bryant Carnegie Mellon University
2
Applying Data Abstraction to Hardware Verification
Idea Abstract details of data encodings and operations Keep control logic precise Applications Verify overall correctness of system Assuming individual functional units correct Technology Use restricted subset of first-order logic Implement efficient decision procedures Multiple methods of performing verification
3
Challenge: System-Level Verification
Verification Task Does processor implement its ISA? Why is it Hard? Lots of internal state Complex control logic Complex functionality Alpha Microprocessor Microprocessor Report, Oct. 28, 1996
4
Existing Verification Methods
Simulators, equivalence checkers, model checkers, … All Operate at Bit Level RTL model State encoded as words and arrays of words Comprised of bits Most Operate at Cycle or Subcycle Level How each bit of state gets updated System Modeling Languages Abstract time up to transaction level Still view state as collection of bits
5
Word-Level Abstraction
Control Logic Data Path Com. Log. 1 Com.Log. 2 Data: Abstract details of form & functions Control: Keep at bit level Timing: Keep at cycle level
6
Data Abstraction #1: Bits → Integers
x0 x1 x x2 xn-1 View Data as Symbolic Words Arbitrary integers No assumptions about size or encoding Classic model for reasoning about software Can store in memories & registers
7
What do we do about logic functions?
Abstracting Data Bits Control Logic Data Path Com. Log. 1 Com.Log. 2 Data Path Com. Log. 1 ? What do we do about logic functions?
8
Abstraction #2: Uninterpreted Functions
ALU f For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency: a = x b = y f (a, b) = f (x, y)
9
Abstracting Functions
Control Logic Data Path F1 F2 Com. Log. 1 Com. Log. 1 For Any Block that Transforms Data: Replace by uninterpreted function Ignore detailed functionality Conservative approximation of actual system
10
Modeling Data-Dependent Control
Branch? Cond Adata p Branch Logic Bdata Model by Uninterpreted Predicate Yields arbitrary Boolean value for each control + data combination Produces same result when arguments match Pipeline & reference model will branch under same conditions
11
Abstraction #3: Modeling Memories as Mutable Functions
Memory M Modeled as Function M(a): Value at location a Initially Arbitrary state Modeled by uninterpreted function m0 M a M a m0
12
Effect of Memory Write Operation
Writing Transforms Memory M = Write(M, wa, wd) Reading from updated memory: Address wa will get wd Otherwise get what’s already in M Express with Lambda Notation Notation for defining functions M = a . ITE(a = wa, wd, M(a)) M M a 1 wd = wa
13
Systems with Buffers Modeling Method
Unbounded Buffer Circular Queue Modeling Method Mutable function to describe buffer contents Integers to represent head & tail pointers
14
Some History of Term-Level Modeling
Historically Standard model used for program verification Widely used with theorem-proving approaches to hardware verification E.g, Hunt ’85 Automated Approaches to Hardware Verification Burch & Dill, ’95 Tool for verifying pipelined microprocessors Implemented by form of symbolic simulation Continued application to pipelined processor verification Real World Applications Recently used by Intel for microcode verification (CAV 2005)
15
UCLID Term-Level Verification System Available by Download
Seshia, Lahiri, Bryant, CAV ‘02 Term-Level Verification System Language for describing systems Inspired by CMU SMV Symbolic simulator Generates integer expressions describing system state after sequence of steps Decision procedure Determines validity of formulas Support for multiple verification techniques Available by Download
16
Challenge: Model Generation
How to generate term-level model How to guarantee faithfulness to RTL description Comparison of Models RTL Abstracts functional elements from gate-level model Synthesis allows automatic map to gate level Term level Abstracts bit-level data representations to words Abstracts memories to mutable functions No direct connection to synthesizable model
17
Generating Term-Level Model
Manually Generate from RTL How do we know it is a valid abstraction? Hard to keep consistent with changing RTL Automatically Generate from RTL Andraus & Sakallah, DAC ‘04 Must decide which signals to keep Boolean, which to abstract Confused by bit field extraction primitives of HDL
18
Generate Both from Common Model
Control Logic Description RTL Data Blocks .hcl UCLID Data Blocks hcl2v hcl2u merge merge Verilog description UCLID description Bryant, 2005 Separate data from control Generate control logic for both models from common source
19
Underlying Logic Existing Approaches to Formal Verification Our Task
E.g., symbolic model checking State encoded as fixed set of bits Finite state system Amenable to Boolean methods (SAT, BDDs) Our Task State encoded with unbounded data types Arbitrary integers Functions over integers Must use decision procedures Determine validity of formula in some subset of first-order logic Adapt methods historically used by automated theorem provers
20
EUF: Equality with Uninterp. Functs
Decidable fragment of first order logic Formulas (F ) Boolean Expressions F, F1 F2, F1 F2 Boolean connectives T1 = T2 Equation P (T1, …, Tk) Predicate application Terms (T ) Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application Functions (Fun) Integer Integer f Uninterpreted function symbol x1, …, xk . T Function lambda expression Predicates (P) Integer Boolean p Uninterpreted predicate symbol
21
Valid / Invalid + counterexample
UCLID Operation Symbolic Simulation file.ucl UCLID Formula Model + Specification Lambda Expansion -free Formula Decision Procedure Function & Predicate Elimination Operation Series of transformations leading to propositional formula Except for lambda expansion, each has polynomial complexity Term Formula Finite Instantiation Boolean Formula Boolean Satisfiability Valid / Invalid + counterexample
22
UCLID Example DLX Pipeline Single-issue, 5-stage pipeline
Boolean state DLX Pipeline Single-issue, 5-stage pipeline Integer state Function state Pipeline Write Back Fetch Decode Execute Memory pc pPC fd Valid PC Type Instr de Arg2 Arg1 mw Dest Data em Branch Value Target RF Mem
23
Writing & Reading Register File
fd Instr de Arg2 Arg1 mw Valid Dest Data RF Decode Write Back src1 src2
24
Writing Register File init[RF] := rf0; (* Uninterpreted Function *)
next[RF] := Lambda(a) . case mw_Valid & (a = mw_Dest) : mw_Data; default : RF(a); esac; Write Back mw Valid Dest Data RF
25
Reading Register File init[de_Arg1] := dea10; (* Initially arbitary *)
next[de_Arg1] := next[RF](src1(fd_Instr)); init[de_Arg2] := dea20; (* Initially arbitary *) next[de_Arg2] := next[RF](src2(fd_Instr)); fd Instr de Arg2 Arg1 RF Decode src1 src2 Write-before-read semantics
26
Verifying Safety Properties
Present State Next Inputs (Arbitrary) Bad States Reachable States Reset States Reset State Machine Model State encoded as Booleans, integers, and functions Next state function expresses how updated on each step Prove: System will never reach bad state
27
Bounded Model Checking
Reachable Bad States • • • Rn R2 R1 Repeatedly Perform Image Computations Set of all states reachable by one more state transition Easy to Implement Underapproximation of Reachable State Set But, typically catch most bugs with 8–10 steps Reset States
28
True Model Checking Impractical for Term-Level Models
Bad States • • • Rn R2 R1 Impractical for Term-Level Models Many systems never reach fixed point Can keep adding elements to buffer Convergence test undecidable Reset States Reach Fixed-Point Rn = Rn+1 = Reachable
29
Inductive Invariant Checking
Bad States I Reachable States Reset States Key Properties of System that Make it Operate Correctly Formulate as formula I Prove Inductive Holds initially I(s0) Preserved by all state changes I(s) I((i, s))
30
An Out-of-order Processor (OOO)
valid tag val incr D E C O dispatch Program memory valid value src1valid src1val src1tag src2valid src2val src2tag dest op result PC Register Rename Unit 1st Operand result bus retire 2nd Operand ALU execute Reorder Buffer head tail Reorder Buffer Fields Data Dependencies Resolved by Register Renaming Map register ID to instruction in reorder buffer that will generate register value Inorder Retirement Managed by Retirement Buffer FIFO buffer keeping pending instructions in program order
31
Verifying OOO Goal Challenge Lahiri, Seshia, & Bryant, FMCAD 2002
Show that OOO implements Instruction Set Architecture (ISA) model For all possible execution sequences Challenge OOO holds partially executed instructions in reorder buffer States of two systems match only when reorder buffer flushed ISA Reg. File PC OOO Reg. File PC Reorder Buffer
32
Adding Shadow State Provides Link Between ISA & OOO Models
Reg. File PC McMillan, ‘98 Arons & Pnueli, ‘99 Provides Link Between ISA & OOO Models Additional entries in ROB Do not affect OOO behavior Generated when instruction dispatched Predict values of operands and result From ISA model OOO Reg. File PC Reorder Buffer
33
Access Modes for Reorder Buffer
head tail Retire Dispatch result bus ALU execute Directly Addressable Select particular entry for execution Retrieve result value from executed instruction FIFO Insert when dispatch Remove when retire Content Addressable Broadcast result to all entries with matching source tag Global Flush all queue entries when instruction at head causes exception All handled by UCLID lambda notation
34
OOO Invariants Split into Formulas I1, …, In Invariants for OOO (13)
Ij(s0) holds for any initial state s0, for 1 j n I1(s) I2(s) … In(s) Ij(s ) for any current state s and successor state s for 1 j n Invariants for OOO (13) Refinement maps (2) Show relation between ISA and OOO models State consistency (8) Properties of OOO state that ensure proper operation Added state (3) Shadow values correctly predict OOO values Overall Correctness Follows by induction on time
35
State Consistency Invariants
Register rename unit & reorder buffer encode same information redundantly Rename Unit: Registers Tags Reorder Buffer: Tags Registers Reorder Buffer Fields Reorder Buffer valid value src1valid src1val src1tag src2valid src2val src2tag dest op Register Rename Unit valid tag val head tail dispatch
36
State Consistency Invariant Examples
valid value src1valid src1val src1tag src2valid src2val src2tag dest op valid tag val dispatch Register Renaming invariants (2) Any mapped register should be in the ROB, and the destination register should match r.reg.valid(r) (rob.head reg.tag(r) < rob.tail rob.dest(reg.tag(r)) = r ) For any ROB entry, the destination should have reg.valid as false and tag should be to this or later instruction robt.[reg.valid(rob.dest(t)) t reg.tag(rob.dest(t)) reg.tag(rob.dest(t)) < rob.tail]
37
Extending the OOO Processor
base Executes ALU instructions only exc Handles arithmetic exceptions Must flush reorder buffer exc/br Handles branches Predicts branch & speculatively executes along path exc/br/mem-simp Adds load & store instructions Store commits as instruction retires exc/br/mem Stores held in buffer Can commit later Loads must scan buffer for matching addresses
38
Comparative Verification Effort
Decision Procedures UCLID: Complete reduction to SAT Barcelona DPLL(T): Iterative refinement to SAT base exc exc / br exc / br / mem-simp exc / br / mem Total Invariants 13 34 39 67 71 UCLID time 54 s 236 s 403 s 1594 s 2200 s DPLL(T) time 1 s 4 s 7 s 85 s Person time 2 days 7 days 9 days 24 days 34 days
39
“I Just Want a Loaf of Bread”
Ingredients Result Recipe
40
Cooking with Invariants
Ingredients: Predicates rob.head reg.tag(r) Recipe: Invariants r,t.reg.valid(r) reg.tag(r) = t (rob.head reg.tag(r) < rob.tail rob.dest(t) = r ) reg.valid(r) reg.tag(r) = t Result: Correctness rob.dest(t) = r
41
Automatic Recipe Generation
Ingredients Result Recipe Creator Want Something More Given any set of ingredients Generate best recipe possible
42
Automatic Predicate Abstraction
Graf & Saïdi, CAV ‘97 Idea Given set of predicates P1(s), …, Pk(s) Boolean formulas describing properties of system state View as abstraction mapping: States {0,1}k Defines abstract FSM over state set {0,1}k Form of abstract interpretation Do reachability analysis similar to symbolic model checking Implementation Early ones had weak inference capabilities Call theorem prover or decision procedure to test each potential transition Recent ones make better use of symbolic encodings
43
Abstract State Space Abstraction Concretization P1(s), …, Pk(s)
Function t Concretization Function Concrete States Concrete States s t s
44
Abstract State Machine
Abstract Transition Abstract Abstract System t s Concretize t Concrete System s Concrete Transition Transitions in abstract system mirror those in concrete
45
Generating Concrete Invariant
• • • Rn R2 R1 Reset States A Reach Fixed-Point on Abstract System Termination guaranteed, since finite state Equivalent to Computing Invariant for Concrete System Strongest possible invariant that can be expressed by formula over these predicates Abstract System Concretize Concrete System I Reset States C
46
Quantified Invariant Generation
(Lahiri & Bryant, VMCAI 2004) User supplies predicates containing free variables Generate globally quantified invariant Example Predicates p1: reg.valid(r) p2: reg.tag(r) = t p3: rob.dest(t) = r Abstract state satisfying (p1 p2 p3) corresponds to concrete state satisfying r,t[reg.valid(r) reg.tag(r) = t rob.dest(t) = r] rather than r[reg.valid(r)] r,t[reg.tag(r) = t] r,t[rob.dest(t) = r]
47
Systems Verified with Predicate Abstraction
Model Predicates Iterations UCLID Time DPLL(T) Time Out-Of-Order Execution Unit 25 9 921s 36s German’s Cache Protocol 16 34s 1s German’s Protocol, unbounded channels 26 17 1,119s 23s Lamport’s Bakery Algorithm 32 18 245s 11s Safety properties only
48
Automatic Predicate Discovery
Strength of Predicate Abstraction If give it right set of predicates, PA will put them together into invariant Weakness Gets nowhere without right set of predicates Typical failure mode: Generate “true” as invariant Challenges Too many predicates will overwhelm PA engine Our use of quantified invariants precludes counterexample-generated refinement techniques
49
Implementation of Predicate Discovery
Lahiri & Bryant, CAV ’04 Initially: Extract predicates from verification condition Iterate: Add new predicates by composing next-state formulas With some heuristics thrown in Experience Can automatically generate invariants for real examples ~10X slower than for hand-selected predicates
50
Future Prospects Evaluation Model Generation is Weakest Link
Important to abstract data & data functions while maintaining details about control Demonstrated ability to verify complex, parameterized systems Model Generation is Weakest Link Big jump from bit-level to term-level Look at intermediate levels of abstraction with bit-vectors Need algorithmic connection between our model and RTL Predicate Abstraction Shows Promise Provides key automation advantage of model checking
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.