Presentation is loading. Please wait.

Presentation is loading. Please wait.

Carnegie Mellon University Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Carnegie Mellon University Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia."— Presentation transcript:

1 Carnegie Mellon University Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia

2 – 2 – Term-level modeling :Abstracting Data View Data as Symbolic “Terms” Arbitrary integers Verification proves correctness of design for all possible word sizes Can store in memories & registers Can select with multiplexors ITE: If-Then-Else operation x0x0 x1x1 x2x2 x n-1 x  1010 x y p ITE(p, x, y) 1010 x y T x 1010 x y F y

3 – 3 – Term-level modeling:Abstraction Via Uninterpreted Functions For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency: a = x  b = y  f (a, b) = f (x, y) ALUALU f

4 – 4 – Motivation Model Checking expressive systems Unbounded Integers, unbounded arrays Infinite state space In general, undecidable Can express 2-counter systems Systems do not converge Convergence detection undecidable Interesting systems which converge Pipelined processors [Hojati, Isles, Brayton], Multiway Decision Graphs (MDG) Procedures to detect convergence

5 – 5 – Outline slide Background CLU CLU example example Formal definition of convergence TechniqueResultsConclusions

6 – 6 – CLU : Logic of UCLID Terms ( T ) Terms ( T )Integer Expressions ITE(F, T 1, T 2 ) If-then-else Fun (T 1, …, T k ) Function application succ (T) Increment pred (T) Decrement Formulas ( F ) Formulas ( F )Boolean Expressions  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation T 1 < T 2 Inequality P(T 1, …, T k ) Predicate application Functions ( Fun ) Functions ( Fun )Integers  Integer f Uninterpreted function symbol x 1, …, x k. T Function definition Predicates ( P ) Predicates ( P )Integers  Boolean p Uninterpreted predicate symbol x 1, …, x k. F Predicate definition

7 – 7 – Modeling Memories with ’s Memory M Modeled as Function M(a): Value at location a Writing Transforms Memory M = Write(M, wa, wd) a. ITE(a = wa, wd, M(a)) Future reads of address wa will get wd M a M M a 1010 wd = wa

8 – 8 – Other modeling capabilities Other Memories Content-addressable memories Simultaneous-update memories Arbitrary subset of entries can be modified in a step Ordered data structures Queues, Stacks Limited Set operations Addition,deletion, empty-check, membership Systems modeled Out-of-order processors Parameterized cache-coherence protocols, distributed protocols

9 – 9 – Example Symbols V = { x : INT, y : INT, b : BOOL} # state variables K = { f } # system parameters I = { a } # initial state symbols Next State  x = ITE(b,f(x),x)  y = ITE(b,y,f(y))  b =  b Initial States q 0 x = a q 0 y = a q 0 b = true

10 – 10 – Example Symbols V = { x : INT, y : INT, b : BOOL} K = { f } I = { a } Initial States q 0 x = a q 0 y = a q 0 b = true Next State  x = ITE(b,f(x),x)  y = ITE(b,y,f(y))  b =  bExecution Stepbxy 0trueaa 1falsef(a)a 2truef(a)f(a) 3falsef(f(a))f(a) 4truef(f(a))f(f(a)) Property b  x = y ?

11 – 11 – Example : convergence Execution Stepbxy 0trueaa 1falsef(a)a 2truef(a)f(a) 3falsef(f(a))f(a) 4truef(f(a))f(f(a))Stepbxy0truea’a’ 1falsef(a’)a’ 2truef(a’)f(a’) 3falsef(f(a’))f(a’) 4truef(f(a’))f(f(a’)) Alternate Execution

12 – 12 – Example : convergence Execution Stepbxy 0trueaa 1falsef(a)a 2truef(a)f(a) 3falsef(f(a))f(a) 4truef(f(a))f(f(a))Stepbxy0truea’a’ 1falsef(a’)a’ 2truef(a’)f(a’) 3falsef(f(a’))f(a’) 4truef(f(a’))f(f(a’)) Alternate Execution

13 – 13 – Example : convergence Execution truef(a)f(a) truea’a’ Alternate Execution Substitution/Matching  (true)  true  ( a’)  f(a) subsumes

14 – 14 – Example : convergence Execution Stepbxy 0trueaa 1falsef(a)a 2truef(a)f(a) 3falsef(f(a))f(a) 4truef(f(a))f(f(a)) Reachable States Implies b  x = y ?

15 – 15 – Contributions New formal definition of convergence for term-level models Based on symbolic simulation A sound algorithm to detect convergence Dealing with Function State Variables Based on a translation to Quantified Separation Formula Preliminary Experimental Results 3-stage pipeline processor Related work Conclusion and Future work

16 – 16 – System Model (w/o inputs) Symbols State Variables ( V ) Initial State Symbols ( I ) Parameters ( K ) Initial State q 0 q 0 a : one for each state element a  V Expression over I Transition Function   a : one for each state element a  V Expression over V  K Does not depend on the initial state symbols ( I )

17 – 17 – Symbolic Simulation Symbolic state expression s i Expression after “i” steps of symbolic simulation Contains s a i for each of the state elements a  V e.g. { x  f(a), y  a, b  false } Obtaining the expression for next state s a i+1  a [ s i /V] s a i+1   a [ s i /V] Substitute the expression for s a i in place of a  V

18 – 18 – Definitions Interpretation  X Assigns values to each symbol in X Evaluation    X  e  evaluates e with respect to  X State of the system An interpretation to the state elements a  V Boolean state elements assigned true/false Integers state elements assigned integer values Function state elements assigned a function from integers to integer Predicate state elements assigned a function from integers to true/false Given  I,  K  I.  K  s i  represents a state

19 – 19 – k-Convergence The system is “k-convergent” if: For every interpretation  I of initial state symbol, and  K of the parameter symbols, there exists a step i  k and an alternate interpretation  I of initial state symbols, such that  I.  K  s i  =  I.  K  s k+1  Theorem : If a system is k-convergent, then no new states are discovered after k steps of symbolic simulation. Proof exploits the facts Transition relation independent of initial state symbols

20 – 20 – k-Convergence The system is “k-convergent” if: For every interpretation  I of initial state symbol, and  K of the parameter symbols, there exists a step i  k and an alternate interpretation  I of initial state symbols, such that  I.  K  s i  =  I.  K  s k+1 Formulation Introduce I’ : set of symbols for alternate initial state symbols Obtain r i by symbolic simulation with symbols in I’ Check for validity  K  I  I’ [  i  k r i = s k+1 ]

21 – 21 – k-Convergence Formulation Introduce I’ : set of symbols for alternate initial state symbols Obtain r i by symbolic simulation with symbols in I’ Check for validity  K  I  I’ [  i  k r i = s k+1 ] Comparing States r i and s k+1 Compare each state element a  V point-wise r i = s k+1 aV r a i = s a k+1 r i = s k+1  [  a  V r a i = s a k+1 ]

22 – 22 – Example: Adding function state Symbols V = { x : INT, y : INT, b : BOOL, m : INT  INT } K = { f } I = { a, m 0 } Next State  x = ITE(b,f(x),x)  y = ITE(b,y,f(y))  b =  b  m = i. ITE(b  i=x,y,m(i)) Initial States q 0 x = a q 0 y = a q 0 b = true q 0 m = m 0

23 – 23 – Example : convergence Execution Stepbxym 0trueaa m0 m0 m0 m0 1falsef(a)a i. ITE(i=a, a, m 0 (i)) i. ITE(i=a, a, m 0 (i)) 2truef(a)f(a) 3falsef(f(a))f(a) i. ITE(i=f(a),f(a), i. ITE(i=f(a),f(a), ITE(i=a, a, m 0 (i))) ITE(i=a, a, m 0 (i))) Stepbxym0truea’a’ m0’ m0’ m0’ m0’

24 – 24 – Example : convergence Checking Convergence truef(a)f(a) i. ITE(i=a, a, m 0 (i)) i. ITE(i=a, a, m 0 (i)) truea’a’ m0’ m0’ m0’ m0’  f  a  m 0  a’  m 0 ’ [a’ = f(a) [a’ = f(a)  m 0 ’ = ( i. ITE(i=a, a, m 0 (i)))]

25 – 25 – Handling function state variables Second order equations Comparing a function state element in two states F = G   z. F(z) = G(z) F = G   z. F(z) = G(z) New Quantifier Structure  K  I  I’ [  i  k r i = s k+1 ]  K  I  I’  Z [  i  k r i (Z) = s k+1 (Z) ] Eliminate z from the equation Generate constraints and rewrite Source of Incompleteness (1) Rewrite rules not complete Complete for random-access memories

26 – 26 – Deciding Second-Order formulas with One Quantifier Alternation Second-Order formula  K  I  I’   is quantifier-free CLU formula All equations are first order now Obtained after eliminating Z General form  A  B  A  K  I B  I’

27 – 27 – Handling First order equations General form  A  B  Undecidable Provide a sound translation to a decidable fragment Option 1 : Translate to Quantified Separation Formula Decidable fragment of first-order logic with quantifiers Option 2 : Remove the  quantifiers from the formula All symbols are universally quantified Source of Incompleteness (2)

28 – 28 – Handling First order equations General form  A  B  Undecidable Provide a sound translation to a decidable fragment Option 1 : Translate to Quantified Separation Formula Decidable fragment of first-order logic with quantifiers Option 2 : Remove the  quantifiers from the formula All symbols are universally quantified Source of Incompleteness (2)

29 – 29 – Option 1: Normal Form Function applications pushed through ITE f(ITE(x,y,z))  ITE(x,f(y),f(z)) Eliminate the ITE constructs ITE(x,y,z) = ITE(x’,y’,z’)  (x  x’  y=y’)  (x  x’  y=z’)  (  x  x’  z=y’)  (  x  x’  z=z’) Atomic Expressions (atoms) Expressions with no Boolean operators ( , ,  ) f(g(x)+1)+5, p(f(y)), x = y, …

30 – 30 – Sound Translation of  A  B  1.  Obtain a normal form of 1.  ’  Obtain a normal form of  F   f,y  x [  ( x=f(x))  y = f(f(y))]  AB 2. Obtain a topological ordering g 1,…,g n of “atomic” function/predicate applications Move applications of A as much to the left y,f(y),f(f(y)),x,f(x) 3.  Replace g i by v i in 3.  ”  Replace g i by v i in  ’  ”  [  ( x=fx)  y = ffy] gigigigi vivivivi xx yy f(y)fy f(f(y))ffy f(x)fx

31 – 31 – Sound Translation of  A  B  4. Get Ackerman’s constraints for g i h(x), g j h(y) 4. Get Ackerman’s constraints for g i  h(x), g j  h(y) C  (x = y  v i = v j ) gigigigi vivivivi xx yy f(y)fy f(f(y))ffy f(x)fx 1. y = fy  fy = ffy 2. y = x  fy = fx 3. fy = x  ffy = fx 5. Construct C A, C B If h  A then C A  C  C A If h  B then C B  C  C B C A  (1)(2)(3) C A  (1)  (2)  (3) C B  true

32 – 32 – Sound Translation of  A  B  6.  Q 1 v 1 … Q n v n [C A  C B  ] 6.  s  Q 1 v 1 … Q n v n [C A  (C B   ”) ] Q i  , if top-func-symbol ( g i )  A  , otherwise    s   y,fy,ffy  x  fx  [(y = fy  fy = ffy   y = x  fy = fx  fy = x  ffy = fx)  (  ( x=fx)  y = ffy)] The above formula is valid

33 – 33 – Sound Translation to QSL Original formula  A  B  New formula  s  Q 1 v 1 … Q n v n [C A  (C B   ”)] Theorem: If is valid then (  A  B) is valid Theorem: If  s is valid then (  A  B  ) is valid is a formula in Quantified Separation Logic (QSL)  s is a formula in Quantified Separation Logic (QSL) Terms are x,y,z Atomic formulas are : x  y + c Boolean Connectives: , ,  ,  Quantifiers: , 

34 – 34 – Quantified Separation Logic (QSL) Decision procedures for QSL Difference Decision Diagrams (DDD): Möller, CADE02 Using Boolean Methods : Seshia and Bryant, CAV03

35 – 35 – 3-stage DLX pipeline (CMU-ISA) Pipelined processor model 3-stage (Fetch-Decode, Execute, Write-back) Stalling, forwarding Boolean state elements Read/write enables, op-code etc. Integer state elements Register identifiers, data value, program counter Function state elements Unbounded Register file Uninterpreted function symbols ALU, initial state of register file Checking equivalence with an ISA model Contains user visible state elements Program counter, register file Same uninterpreted function for ALU, initial state of register file

36 – 36 – Results Complexity of QSF formula for 3 steps of simulation 43 integer variables 6 quantifier alternations ~800 nodes in the DAG for the formula BDD-Based, DDD-based > 1GB QBF-Based [Quaffle, QBF, …] Times out SAT Based Quantifier Elimination Too many enumerations Verified a simplified model Remove some state elements or 1 pipeline stage BDD-based approach finishes in less than 10s

37 – 37 – Related Work Hojati, Isles and Brayton, CAV ’98 Generates reachable states for the Boolean part of the state Less expressive logic (no , no ordered structures) Use a syntactic convergence test Subsumed by our semantic criteria Multiway decision graphs, FMSD ‘97 BDD-like canonical data structures with terms Does not handle function state variables Starts from a general initial state for termination Can handle first order temporal logic queries

38 – 38 – Conclusions and Future Directions Convergence checking New formulation Based on reduction to QSL Application to theorem proving Proving Second order formulas with 1 quantifier alternation Computationally expensive Large number of quantifier alternations Relax functional consistency across different steps Fewer constraints, simpler formula Use “matching” to reduce to Boolean formula QBF solvers are not mature Similar to quantifier instantiation Instantiate second order function variables

39 – 39 – Questions

40 – 40 – Conclusions Provided a convergence definition Computationally expensive Translation to QSF/QBF

41 – 41 – Example Symbols X = { x : INT, y : INT, m : BOOL } # state variables K = { f, a } # system parameters I = { } # input symbols Initial States q 0 x = a q 0 y = a q 0 m = true Next State  x = ITE(m,f(x),x)  y = ITE(m,y,f(y))  m =  m

42 – 42 – Symbols   

43 – 43 – Sound Translation of  A  B  1.  Obtain a normal form of 1.  ’  Obtain a normal form of   Obtain a topological ordering g 1,…,g n of “atomic” function/predicate applications 3.  Replace g i by v i in 3.  ”  Replace g i by v i in  ’  Get Ackerman’s constraints for g i f(x), g j f(y)  Get Ackerman’s constraints for g i  f(x), g j  f(y) 1. C  (x = y  v i = v j )  Construct C A, C B If f  A then C A  C  C A If f  B then C B  C  C B 6.  Q 1 v 1 … Q n v n [C A  C B  ] 6.  s  Q 1 v 1 … Q n v n [C A  (C B   ”) ] Q i  , if top-func-symbol( g i )  A  , otherwise

44 – 44 – Syntactic vs. Semantic

Download ppt "Carnegie Mellon University Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.
Class Presentation on Binary Moment Diagrams by Krishna Chillara Base Paper: “Verification of Arithmetic Circuits using Binary Moment Diagrams” by.

Class Presentation on Binary Moment Diagrams by Krishna Chillara Base Paper: “Verification of Arithmetic Circuits using Binary Moment Diagrams” by.
Introduction to Computability Theory

Introduction to Computability Theory
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Carnegie Mellon University Boolean Satisfiability with Transitivity Constraints Boolean Satisfiability with Transitivity Constraints

Carnegie Mellon University Boolean Satisfiability with Transitivity Constraints Boolean Satisfiability with Transitivity Constraints
Carnegie Mellon University Decision Procedures Customized for Formal Verification Decision Procedures Customized for Formal Verification

Carnegie Mellon University Decision Procedures Customized for Formal Verification Decision Procedures Customized for Formal Verification

Similar presentations

Ads by Google