Presentation is loading. Please wait.

Presentation is loading. Please wait.

System Modeling and Verification with UCLID Randal E. Bryant Contributions by graduate students:

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "System Modeling and Verification with UCLID Randal E. Bryant Contributions by graduate students:"— Presentation transcript:

1 System Modeling and Verification with UCLID http://www.cs.cmu.edu/~bryant Randal E. Bryant http://www.cs.cmu.edu/~uclid Contributions by graduate students: Sanjit Seshia, Shuvendu Lahiri

2 – 2 – Memocode 2004 Applying Data Abstraction to Hardware Verification Idea Abstract details of data encodings and operations Keep control logic preciseApplications Verify overall correctness of system Assuming individual functional units correctTechnology Use restricted subset of first-order logic Implement efficient decision procedures Multiple methods of performing verification

3 – 3 – Memocode 2004 Microprocessor Report, Oct. 28, 1996 Example: HP/Compaq Alpha 21264 Pipeline State Multiple caches Instruction queues Dynamically- allocated registers Memory queue Many buffers between stages Verification Tasks Does it implement the Alpha ISA?

4 – 4 – Memocode 2004 Abstracting Data from Bits to Integers View Data as Symbolic “Terms” Arbitrary integers Verification proves correctness of design for all possible word sizes Can store in memories & registers x0x0 x1x1 x2x2 x n-1 x 

5 – 5 – Memocode 2004 Required Logic Scalar Data Types Formulas ( F ) Boolean Expressions Control signals Terms ( T ) Integer Expressions Data values Arbitrary values from some infinite domain

6 – 6 – Memocode 2004 Modeling Data Selection If-Then-Else Operation Mulitplexor Allows control-dependent data flow 1010 x y p ITE(p, x, y) 1010 x y T x 1010 x y F y

7 – 7 – Memocode 2004 Abstraction Via Uninterpreted Functions For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency: a = x  b = y  f (a, b) = f (x, y) ALUALU f

8 – 8 – Memocode 2004 Abstraction Via Uninterpreted Functions For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Also view instruction memory as function Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control F1F1 F2F2 F3F3

9 – 9 – Memocode 2004 Modeling Data-Dependent Control Model by Uninterpreted Predicate Yields arbitrary Boolean value for each control + data combination Produces same result when arguments match Pipeline & reference model will branch under same conditions Cond Adata Bdata Branch? Branch Logic p

10 – 10 – Memocode 2004 Modeling Memories as Mutable Functions Memory M Modeled as Function M(a): Value at location aInitially Arbitrary state Modeled by uninterpreted function m 0 Writing Transforms Memory M = Write(M, wa, wd) a. ITE(a = wa, wd, M(a)) Future reads of address wa will get wd M a M a m0m0 M M a 1010 wd = wa

11 – 11 – Memocode 2004 Required Logic Scalar Data Types Formulas ( F ) Boolean Expressions Control signals Terms ( T ) Integer Expressions Data values Functional Data Types Functions ( Fun ) Integer  Integer Immutable: Functional units Mutable: Memories Predicates ( P ) Integer  Boolean Immutable: Data-dependent control Mutable: Bit-level memories

12 – 12 – Memocode 2004 Modeling Unbounded FIFO Buffer Queue is Subrange of Infinite Sequence Q.head = h Index of oldest element Q.tail = t Index of insertion location Q.val = q Function mapping indices to values q(i) valid only when h  i < t Required Operations Increment head & tail pointers Compare head to tail (emptiness) q(h–2) q(h–1) q(h) q(h+1) q(t–2) q(t–1) q(t) q(t+1) tail head Already Popped Not Yet Inserted increasing indices

13 – 13 – Memocode 2004 CLU Logic Counter Arithmetic, and Lambda Expressions and Uinterpreted Functions Terms ( T )Integer Expressions ITE(F, T 1, T 2 ) If-then-else Fun (T 1, …, T k ) Function application succ (T) Increment pred (T) Decrement Formulas ( F )Boolean Expressions  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation T 1 < T 2 Inequality P(T 1, …, T k ) Predicate application

14 – 14 – Memocode 2004 CLU Logic (Cont.) Functions ( Fun )Integer  Integer f Uninterpreted function symbol x 1, …, x k. T Function definition Predicates ( P )Integer  Boolean p Uninterpreted predicate symbol x 1, …, x k. F Predicate definition

15 – 15 – Memocode 2004 Decision Problem Logic of Equality with Uninterpreted Functions Truth Values Dashed Lines Model Control Logical connectives Equations Integer Values Solid lines Model Data Uninterpreted functions If-Then-Else operationTask Determine whether formula is universally valid True for all interpretations of variables and function symbols

16 – 16 – Memocode 2004 Finite Model Property for EUF Observation Any formula has limited number of distinct expressions Only property that matters is whether or not different terms are equal x0x0 d0d0 f (x0)f (x0) f (d0)f (d0)

17 – 17 – Memocode 2004 Boolean Encoding of Integer Values For Each Expression Either equal to or distinct from each preceding expression Boolean Encoding Use Boolean values to encode integers over small range EUF formula can be translated into propositional logic Tautology iff original formula valid Expression Possible Values Bit Encoding x0x0{0}00 d0d0{0,1}0 b 10 f (x0)f (x0){0,1,2} b 21 b 20 f (d0)f (d0){0,1,2,3} b 31 b 30

18 – 18 – Memocode 2004 Finite Model Property for CLU Observation Need to encode all possible relative orderings of expressions Each symbolic value has maximum range of increments & decrements Can use Boolean encodings of small integer ranges x  y  succ(x) > pred(y) xx+1 y –1y y xx+1 y –1y xx+1 y –1y xx+1x y –1y x = 0, y = 3x = 2, y = 1

19 – 19 – Memocode 2004 UCLID Operation Operation Series of transformations leading to propositional formula Each has polynomial complexity Lambda Expansion Function & Predicate Elimination Finite Instantiation Boolean Satisfiability Symbolic Simulation file.ucl Model + Specification UCLID Formula -free Formula Term Formula Boolean Formula

20 – 20 – Memocode 2004 Counterexample Generation Counterexample trace showing value of each state variable on each step. “Value” of a lambda is a set of argument/value pairs Lambda Expansion Function & Predicate Elimination Finite Instantiation Boolean Satisfiability Symbolic Simulation Trace Partial Interp. of Lambdas Partial Interpretation of UIFs Integer Assignment Boolean Assignment

21 – 21 – Memocode 2004 Pipeline UCLID Example DLX Pipeline Single-issue, 5-stage pipeline pc pPC fd Valid PC Type Instr de Valid PC Type Instr Arg2 Arg1 mw Valid Dest Data em Branch Valid Type Instr Arg2 Value Target pRFpMem FetchDecodeExecuteMemory Write Back Term state Boolean state Function state

22 – 22 – Memocode 2004 Writing & Reading Register File fd Instr de Arg2 Arg1 mw Valid Dest Data pRF Decode Write Back src1 src2

23 – 23 – Memocode 2004 Writing Register File mw Valid Dest Data pRF Write Back init[pRF] := rf0; (* Uninterpreted Function *) next[pRF] := Lambda(a). case mw_Valid & (a = mw_Dest) : mw_Data; default : pRF(a); esac;

24 – 24 – Memocode 2004 Reading Register File fd Instr de Arg2 Arg1 pRF Decode src1 src2 init[de_Arg1] := dea10; (* Initially arbitary *) next[de_Arg1] := next[pRF](src1(fd_Instr)); init[de_Arg2] := dea20; (* Initially arbitary *) next[de_Arg2] := next[pRF](src2(fd_Instr)); Write-after-read semantics

25 – 25 – Memocode 2004 Reachable States Verifying Safety Properties Prove: System will never reach bad state Reset States Bad States  Present State Next State Inputs (Arbitrary) Reset

26 – 26 – Memocode 2004 Reachable RnRn R2R2 Bounded Model Checking Repeatedly Perform Image Computations Set of all states reachable by one more state transition Easy to Implement Underapproximation of Reachable State Set But, typically catch most bugs with 8–10 steps Bad States R1R1 Reset States

27 – 27 – Memocode 2004 RnRn R2R2 True Model Checking Reach Fixed-Point R n = R n+1 = Reachable Impractical for Term-Level Models Many systems never reach fixed point Can keep adding elements to buffer Convergence test undecidable Bad States R1R1 Reset States 

28 – 28 – Memocode 2004 I Invariant Checking Key Properties of System that Make it Operate Correctly Formulate as formula I Prove Inductive Holds initially I (s 0 ) Preserved by all state changes I (s)  I (  (i, s)) Reachable States Reset States Bad States 

29 – 29 – Memocode 2004 An Out-of-order Processor (OOO) Data Dependencies Resolved by Register Renaming Map register ID to instruction in reorder buffer that will generate register value Inorder Retirement Managed by Retirement Buffer FIFO buffer keeping pending instructions in program order Reorder Buffer Fields PC Program memory Reorder Buffer valid value src1valid src1val src1tag src2valid src2val src2tag dest op result bus DECODEDECODE Register Rename Unit valid tag val ALU headtail incr dispatch retire execute result 1 st Operand 2 nd Operand

30 – 30 – Memocode 2004 Verifying OOO Lahiri, Seshia, & Bryant, FMCAD 2002Goal Each step of OOO consistent with Instruction Set Architecture (ISA) modelChallenges OOO holds partially executed instructions in reorder buffer States of two systems match only when reorder buffer flushed ISA Reg. File PC OOO Reg. File PC Reorder Buffer

31 – 31 – Memocode 2004 Adding Shadow State McMillan, ‘98 Arons & Pnueli, ‘99 Provides Link Between ISA & OOO Models Additional entries in ROB Do not affect OOO behavior Generated when instruction dispatched Predict values of operands and result From ISA model ISA Reg. File PC OOO Reg. File PC Reorder Buffer

32 – 32 – Memocode 2004 State Consistency Invariants Tag Consistency invariants (2) Instructions only depend on instruction preceding in program order Register Renaming invariants (2) Tag in a rename-unit should be in the ROB, and the destination register should match  r.  reg.valid(r)  ( rob.head  reg.tag(r) < rob.tail  rob.dest(reg.tag(r)) = r ) For any entry, the destination should have reg.valid as false and tag should contain this or later instruction  rob t.(  reg.valid(rob.dest(t))  t  reg.tag(rob.dest(t)) < rob.tail)

33 – 33 – Memocode 2004 OOO Invariants Split into Formulas I 1, …, I n I j (s 0 ) holds for any initial state s 0, for 1  j  n I 1 (s)  I 2 (s)  …  I n (s)  I j (s ) for any current state s and successor state s for 1  j  n Invariants for OOO (13) Refinement maps (2) Show relation between ISA and OOO models Shadow state (3) Shadow values correctly predict OOO values State consistency (8) Properties of OOO state that ensure proper operation Overall Correctness Follows by induction on time

34 – 34 – Memocode 2004 Proving OOO Invariants Proved Automatically Time spent = 54s on 1.4GHz machine Total effort = 2 person daysComparison Previous efforts using theorem provers took weeks of effort

35 – 35 – Memocode 2004 Extending the OOO Processor base Executes ALU instructions only exc Handles arithmetic exceptions Must flush reorder buffer exc/br Handles branches Predicts branch & speculatively executes along path exc/br/mem-simp Adds load & store instructions Store commits as instruction retires exc/br/mem Stores held in buffer Can commit later Loads must scan buffer for matching addresses

36 – 36 – Memocode 2004 Comparative Verification Effort baseexcexc / brexc / br / mem-simp exc / br / mem Total Invariants 1334396771 Manually instantiate 00048 UCLID time 54 s236 s403 s1594 s2200 s Person time 2 days5 days2 days15 days10 days

37 – 37 – Memocode 2004 “I Just Want a Loaf of Bread” Ingredients Recipe Result

38 – 38 – Memocode 2004 Cooking with Invariants Ingredients: Predicates Recipe: Invariants Result: Correctness reg.valid(r)  r,t.  reg.valid(r)  reg.tag(r) = t  ( rob.head  reg.tag(r) < rob.tail  rob.dest(t) = r ) rob.head  reg.tag(r) reg.tag(r) = t rob.dest(t) = r

39 – 39 – Memocode 2004 Automatic Recipe Generation Want Something More Given any set of ingredients Generate best recipe possible Ingredients Recipe Creator Result

40 – 40 – Memocode 2004 Automatic Predicate Abstraction Graf & Saïdi, CAV ‘97Idea Given set of predicates P 1 (s), …, P k (s) Boolean formulas describing properties of system state View as abstraction mapping: States  {0,1} k Defines abstract FSM over state set {0,1} k Form of abstract interpretation Do reachability analysis similar to symbolic model checking Prior Implementations Very weak inference capabilities Call theorem prover or decision procedure to test each potential transition Little support for quantified predicates

41 – 41 – Memocode 2004 Abstract State Space Concrete States Abstract States  P 1 (s), …, P k (s)  s Abstraction Function  t Abstraction Concrete States Abstract States st Concretization Function  Concretization

42 – 42 – Memocode 2004 Abstract State Machine Transitions in abstract system mirror those in concrete Abstract  Concrete System Abstract System s Concretize  t t s Concrete Transition Abstract Transition

43 – 43 – Memocode 2004 Generating Concrete Invariant Reach Fixed-Point on Abstract System Termination guaranteed, since finite state Equivalent to Computing Invariant for Concrete System Strongest possible invariant that can be expressed by formula over these predicates RnRn R2R2 R1R1 Reset States AA Abstract System Concretize  Concrete System I Reset States CC

44 – 44 – Memocode 2004 Overapproximation by Abstract Model Path in abstract state space may not correspond to one in concrete OK when verifying safety properties Possible false negatives, but no false positives Concrete System Abstract System

45 – 45 – Memocode 2004 Conventional Implementation of P.A. Basis Abstract state sets described as formulas over Boolean variables B = b 1, …, b k Current state given by formula  ( b 1, …, b k ) Check whether candidate state  ( b 1, …, b k ) is successor Concrete System Abstract System Concretize  [P/B][P/B]   [P/B][P/B] Concretize  Intersect? Abstract Transition?  [P/ B ][  / S ] Predecessor

46 – 46 – Memocode 2004 Drawbacks of Conventional Implementation Very Slow Guess at possible next state Construct term-level formula and test for satisfiability Possibly 2 k calls to decision procedure Can Only Handle Proposition Predicates Cannot construct quantified invariants [P/B][P/B] Intersect?  [P/ B ][  / S ]   [P/ B ]   [P/ B ][  / S ] Satisfiable?

47 – 47 – Memocode 2004 Symbolic Approach to P.A. Lahiri, Bryant, Cook CAV 2003 Generate Quantified Formula Describing Next Abstract State Set Current state given by formula  ( B ) Generate formula  ( B ) describing all successors Abstract System  All Abstract Transitions   S, X  ( B, S, X ) How to reach abstract state B via concrete states S and X

48 – 48 – Memocode 2004 Symbolic Approach (cont.) Transform into Quantified Boolean Formula Formula of form Next( B ) =  S, X  ( S, X, B ) S, X : Integer and function variables B : Abstract state variables Translate into Boolean formula of form  A  ( A, B ) A : Boolean variables encoding integer & function values Key Property { B |  ( S, X, B ) satisfiable } = { B |  ( A, B ) satisfiable } Solve using either SAT enumeration or BDD quantification

49 – 49 – Memocode 2004 Quantified Invariant Generation User supplies predicates containing free variables Generate globally quantified invariantExample Predicates p 1 : reg.valid(r) p 2 : rob.dest(t) = r p 3 : reg.tag(r) = t Abstract state satisfying ( p 1  p 2   p 3 ) corresponds to concrete state satisfying  r,t[  reg.valid(r)  reg.tag(r) = t  rob.dest(t) = r] rather than  r[  reg.valid(r)]   r,t[reg.tag(r) = t]   r,t[rob.dest(t) = r]

50 – 50 – Memocode 2004 Systems Verified with Predicate Abstraction Very general models Unbounded processes, buffers, cache lines, … Safety properties only Model PredicatesIterationsCPU Time Out-Of-Order Execution Unit2592,613s German’s Cache Protocol219122s German’s Protocol, unbounded channels 301915,000s Bounded Retransmission Buffer22911s Lamport’s Bakery Algorithm24 5,211s

51 – 51 – Memocode 2004 Challenge: Model Generation How to generate term-level model How to guarantee faithfulness to RTL description Comparison of Models RTL Abstracts functional elements from gate-level model Synthesis allows automatic map to gate level Bluespec Abstracts synchronous timing to atomic transactions Synthesize to RTL by operator scheduling Term level Abstracts bit-level data representations to words Abstracts memories to mutable functions

52 – 52 – Memocode 2004 Gate Dimensions of Abstraction Temporal & Data are Orthogonal Abstractions Bluespec provides only temporal abstraction UCLID language supports cycle-level timing Can incorporate scheduler to model system operating with atomic transactions RTL Blue Spec Term Temporal Data Term with Scheduler

53 – 53 – Memocode 2004 Automatic Model Generation Task Program to automatically generate term-level models Abstract words Replace functional units by uninterpreted functionsChallenges Legacy code not written with abstraction in mind Hard to determine what to keep precise and what to extractImplementations Andraus & Sakallah, DAC ‘04 RTL Blue Spec Term Data Term with Scheduler Abstractors

54 – 54 – Memocode 2004 Conclusions CLU is Useful Logic Expressive enough to model wide range of systems Systems with unbounded resources Abstract away most data operations Simple enough to be tractable Small domain property allows exploiting Boolean methods Predicate Abstraction is Powerful Tool Removes requirement to hand-generate invariants Benefits similar to model checking

55 – 55 – Memocode 2004 Further Work Support for Proofs of Liveness Must make argument that progress being made Greater Automation Automatic generation of predicates More efficient implementation of predicate abstraction More Powerful Logic Linear arithmetic would be useful Potential blow-up when translate to Boolean formula Apply to Other Systems Software Network protocols

Download ppt "System Modeling and Verification with UCLID Randal E. Bryant Contributions by graduate students:"

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Carnegie Mellon University Formal Verification of Infinite-State Systems Using Boolean Methods Formal Verification of Infinite-State Systems Using Boolean.

Carnegie Mellon University Formal Verification of Infinite-State Systems Using Boolean Methods Formal Verification of Infinite-State Systems Using Boolean.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.

Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
1 Lecture 11: Modern Superscalar Processor Models Generic Superscalar Models, Issue Queue-based Pipeline, Multiple-Issue Design.

1 Lecture 11: Modern Superscalar Processor Models Generic Superscalar Models, Issue Queue-based Pipeline, Multiple-Issue Design.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1 Lecture: Out-of-order Processors Topics: out-of-order implementations with issue queue, register renaming, and reorder buffer, timing, LSQ.

1 Lecture: Out-of-order Processors Topics: out-of-order implementations with issue queue, register renaming, and reorder buffer, timing, LSQ.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Spring 2003CSE P5481 Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers)

Spring 2003CSE P5481 Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers)
CPE 731 Advanced Computer Architecture ILP: Part IV – Speculative Execution Dr. Gheith Abandah Adapted from the slides of Prof. David Patterson, University.

CPE 731 Advanced Computer Architecture ILP: Part IV – Speculative Execution Dr. Gheith Abandah Adapted from the slides of Prof. David Patterson, University.
Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.

Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google