Automatic Abstraction and Verification of Verilog Models
1
Automatic Abstraction and Verification of
Verilog Models
  • Zaher Andraus and Karem Sakallah
  • 41st Design Automation Conference
  • June 2004

2
Outline
  • Abstraction-Refinement Flow for Verilog
  • UCLID for Abstract Datapath
  • Abstraction of Verilog Construct to UCLID
  • Maintaining Bit Field Consistency in UCLID
  • Abstraction of Verilog Constant
  • Feasibility Check of Abstract Counterexamples
  • Experimental Results
  • Conclusions and Future Work

3
Abstraction Refinement for RTL Models
[Flow diagram: Verilog RTL → Abstraction → Abstract Model → Verification. Verification ends in OK or in an Abstract Counterexample; the counterexample is checked with "Feasible?": a Real Counterexample is reported, while a False Counterexample drives Refinement back into the Abstraction step.]
4
Datapath Abstraction
[Figure: DLX pipeline datapath. Stage registers IF/ID, ID/EX and EX/MEM; PC and PCn; the PC Address feeds the Instruction memory, which produces IR; IR[18:16] and IR[23:21] select RfA and RfB from the Register File; Imm is built by concatenating 2'b00 with a field of IR; the ALU produces AluOut, registered as EX_MEM_AluOut; a MUX selects the ALU operands; the constants 32, 4 and 1 also appear in the diagram.]
5
Datapath Abstraction
[Figure: the same DLX datapath after datapath abstraction. The ALU, the adders and the other bit-vector operators are replaced by uninterpreted functions F1 to F6 (F5 appears twice), while the stage registers IF/ID, ID/EX and EX/MEM, PC, PCn, IR, RfA, RfB, Imm, AluOut, EX_MEM_AluOut and the MUX keep their structure.]
6
UCLID for Datapath-Abstracted Representation
    next[output] := case
        mode    : const0;
        default : bitw_not(in);
    esac;

i.e. ITE(mode, const0, bitw_not(in)), together with a Property Specification (property0). The UCL model is expressed in the logic CLU.
  • CLU: Quantifier-free First-Order Logic
  • EUF: Equality with Terms, Uninterpreted Functions (UFs) and Predicates (UPs)
  • Functional Consistency: (x1 = x2) ∧ (y1 = y2) ⟹ F(x1, y1) = F(x2, y2)
  • Counting Arithmetic: (x = succ(y) ∧ y = pred(z)) ⟹ x = z
  • Lambda Expressions: symbolic writing to infinite arrays

7
UCLID for Datapath-Abstracted Representation
[Figure: the UCL model and Property Specification of the previous slide; the CLU formula (fragment shown: (x1x2) (x2x3x4)) is reduced to a SAT instance.]
  • CLU: Quantifier-free First-Order Logic
  • Efficient Decision Procedure: PEUF and RPEUF
  • Validation of a CLU formula is done by reduction to a SAT instance
  • The CLU formula is VALID if and only if the SAT instance is UNSAT

8
UCLID for Datapath-Abstracted Representation
    always @(posedge clk)
      if (mode == 1'b1) begin
        output <= 17'd0;
      end else begin
        output <= in;
      end

[Figure: Verilog-to-UCLID abstraction. A Verilog Bit Vector becomes a UCLID Term, and a Verilog Operator becomes an Uninterpreted Function (UF): the addition a = 110010, b = 001011, a + b = 111101 is abstracted to the term Add(a, b).]
9
Abstraction from RTL - Basics
[Figure: basic RTL-to-UCLID mapping. A bit vector such as 11001010 becomes a TERM; an operator application such as add(v1, v2) → out becomes an uninterpreted function (UF) over terms; a bit-level operator such as bw_or(v) → out is abstracted likewise, with boolean-valued results becoming uninterpreted predicates (UP); a memory (mem with addr and data ports, holding values such as 1100101 and 0100010) becomes a UF from addr to data.]
10
Abstraction from RTL (cont)
[Figure: further mappings. A concatenation {v1, v2} of bit vectors (e.g. 11001010) becomes a UF; a MUX, and a Filter/Full_Filter block with out and queue ports, are shown as further examples.]
11
Tuning the Abstraction
  • This purely syntactic mapping has limitations
  • Many functional properties are not preserved (associativity, commutativity, ...)
  • Relations among bit fields of bit vectors are not preserved
  • Counting Arithmetic significantly increases the size of the encoding

12
Tuning the Abstraction
Abstraction Spectrum:
  • More Abstract: easy to verify
  • Less Abstract: hard to verify
13
Enforcing Bit Field Consistency
Low = V[3:0], High = V[7:4], i.e. V = {High, Low}; with V = 11001010, High = 1100 and Low = 1010.

Extraction (V → Low, High): Low is the TERM extract_0_4(V), where extract_0_4 is a UF. Functional consistency gives
    V1 = V2 ⟹ extract_0_4(V1) = extract_0_4(V2) ⟹ Low1 = Low2

Concatenation (High, Low → V): V is the TERM concat_4_4(High, Low), where concat_4_4 is a UF, so
    Low1 = Low2 ∧ High1 = High2 ⟹ concat_4_4(High1, Low1) = concat_4_4(High2, Low2) ⟹ V1 = V2
14
Interleaving Selections
  • Bit Vector Structure: two overlapping selections of V, V[7:3] and V[5:0], each kept as its own term (V_7_3 and V_5_0)
  • Verilog Assignment: V[5:0] <= X
  • UCLID Assignment:
        next[V_5_0] := X;
        next[V_7_3] := concat_2_3(extract_6_2(V_7_3), extract_3_3(X));
    (X is decomposed into extract_0_3(X) and extract_3_3(X), the latter being the part shared with V[7:3])

[Figure: a bit vector partitioned at bit positions 0, 2, 3, 7, 8, 10, 11, 15 and 16]
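The next-state construction of this slide, together with the extraction and concatenation UFs of the previous one, as an added Python example that is not part of the presentation or of the Vapor tool. It assumes the UF naming extract_lo_w(t) = t[lo+w-1:lo] and concat_hw_lw(hi, lo) = {hi, lo}, with indices counted from the low bit of the term itself (the slide's extract_6_2(V_7_3) counts from bit 0 of the whole register instead, so the same piece is named extract_3_2(V_7_3) here). The slice names V_7_3 and V_5_0 and the right-hand side X follow the slide; word_16_0 and C in the second case are constructed.

```python
# Added example, not code from the paper or from the Vapor tool: it builds the
# UCLID-style next-state term of each stored register slice after a Verilog
# part-select assignment, and checks the term against the bit-level semantics
# that the uninterpreted-function abstraction discards.
# Assumed naming (index 0 is the low bit of the term itself):
#   extract_lo_w(t)      = t[lo + w - 1 : lo]
#   concat_hw_lw(hi, lo) = {hi, lo}, hi being hw bits wide and lo lw bits wide

def var(name):
    return ("var", name)

def extract(lo, width, term):
    return ("extract", lo, width, term)

def concat(hi_width, lo_width, hi, lo):
    return ("concat", hi_width, lo_width, hi, lo)

def to_uclid(term):
    """Render a term with the extract_/concat_ UF names used on the slides."""
    if term[0] == "var":
        return term[1]
    if term[0] == "extract":
        _, lo, w, t = term
        return f"extract_{lo}_{w}({to_uclid(t)})"
    _, hw, lw, hi, lo = term
    return f"concat_{hw}_{lw}({to_uclid(hi)}, {to_uclid(lo)})"

def evaluate(term, env):
    """Concrete interpretation of the UFs over integers used as bit vectors."""
    if term[0] == "var":
        return env[term[1]]
    if term[0] == "extract":
        _, lo, w, t = term
        return (evaluate(t, env) >> lo) & ((1 << w) - 1)
    _, hw, lw, hi, lo = term
    hi_bits = evaluate(hi, env) & ((1 << hw) - 1)
    lo_bits = evaluate(lo, env) & ((1 << lw) - 1)
    return (hi_bits << lw) | lo_bits

def next_state(reg, fields, assign_hi, assign_lo, rhs):
    """Next-state term of every stored slice reg_hi_lo after
    'reg[assign_hi:assign_lo] <= rhs'.  fields lists the absolute (hi, lo)
    ranges kept as separate terms; they may overlap (interleaving selections)."""
    terms = {}
    for fh, fl in fields:
        name = f"{reg}_{fh}_{fl}"
        self_term = var(name)
        oh, ol = min(fh, assign_hi), max(fl, assign_lo)   # overlap with the assignment
        if oh < ol:                                       # untouched slice keeps its value
            terms[name] = self_term
            continue
        pieces = []                                       # (width, term), high to low
        if fh > oh:                                       # bits above the overlap: old slice
            pieces.append((fh - oh, extract(oh + 1 - fl, fh - oh, self_term)))
        if (oh, ol) == (assign_hi, assign_lo):            # the whole right-hand side lands here
            pieces.append((oh - ol + 1, var(rhs)))
        else:                                             # only part of it does
            pieces.append((oh - ol + 1, extract(ol - assign_lo, oh - ol + 1, var(rhs))))
        if ol > fl:                                       # bits below the overlap: old slice
            pieces.append((ol - fl, extract(0, ol - fl, self_term)))
        width, term = pieces[-1]                          # fold into nested binary concats
        for pw, pt in reversed(pieces[:-1]):
            term = concat(pw, width, pt, term)
            width += pw
        terms[name] = term
    return terms

def bit_level_reference(reg_value, width, assign_hi, assign_lo, rhs_value):
    """What the Verilog part-select assignment does to the whole register."""
    mask = ((1 << (assign_hi - assign_lo + 1)) - 1) << assign_lo
    full = (1 << width) - 1
    return (reg_value & full & ~mask) | ((rhs_value << assign_lo) & mask)

def slice_of(value, hi, lo):
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)

def terms_match_verilog(reg, width, fields, assign_hi, assign_lo, rhs, reg_value, rhs_value):
    """True when every generated term evaluates to the slice of the updated register."""
    env = {f"{reg}_{fh}_{fl}": slice_of(reg_value, fh, fl) for fh, fl in fields}
    env[rhs] = rhs_value
    updated = bit_level_reference(reg_value, width, assign_hi, assign_lo, rhs_value)
    terms = next_state(reg, fields, assign_hi, assign_lo, rhs)
    return all(evaluate(terms[f"{reg}_{fh}_{fl}"], env) == slice_of(updated, fh, fl)
               for fh, fl in fields)

if __name__ == "__main__":
    # The slide's case: V sliced into V[7:3] and V[5:0], Verilog 'V[5:0] <= X'
    for name, term in next_state("V", [(7, 3), (5, 0)], 5, 0, "X").items():
        print(f"next[{name}] := {to_uclid(term)};")
    print(terms_match_verilog("V", 8, [(7, 3), (5, 0)], 5, 0, "X", 0b10110101, 0b000111))
```

The consistency argument of the previous slide is what makes the generated terms sound: because extract_3_2 and concat_2_3 are single UFs applied to the same terms on every cycle, an abstract checker sees the same next-state term whenever the slices and X are equal. What it cannot see is that concat_2_3(extract_3_2(V_7_3), extract_3_3(X)) equals the bit-level update; terms_match_verilog supplies that bit-level check for concrete values, which is the kind of relation the abstraction drops and a false counterexample can exploit.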
15
Abstraction of Constants
  • Constants can be abstracted away ⟹ unordered terms
  • Or, they can be modeled using Counting Arithmetic: 5 is succ^5(const0)
  • const0 is used for zero across the whole code translation
  • CLU is reduced to a propositional SAT instance
  • The size (number of variables) of the encoding grows as n·log(n), where n is the largest constant in the CLU formula

16
Abstraction of Constants (cont)
  • Introduce an interpretation threshold
  • All constants below it are interpreted
  • All constants above it are uninterpreted ⟹ abstraction
  • Abstracted constants that appear in false counterexamples can be refined
  • The threshold can be set automatically

17
Vapor: Verilog Abstraction for Processor Verification
  • Performs Verilog-to-UCLID abstraction
  • Can be integrated with BMC and Correspondence
    Checking
  • Written in C and uses the Icarus Verilog
    front-end to abstract synthesizable Verilog

18
False Negatives
  • False Negatives may arise due to
    • Concatenation/Extraction
    • Arithmetic and bit-level operators

[Flow diagram: Verilog RTL → Vapor → UCLID Model → CLU Verification → OK, or Abstract Counterexample → Feasible? → Real Counterexample, or False Counterexample → Refinement (back into the abstraction).]
19
Counterexample Analysis
  • Using the ACL2 Theorem Prover
    • Powerful proof engine for arithmetic
    • Does not guarantee an explanation for infeasibility
    • Hard to refine with the result from the prover
  • Using a SAT Solver
    • Synthesize the abstract counterexample to CNF
    • Check the consistency of the counterexample using a SAT solver

20
Counterexample Analysis with SAT
UCLID CLU counterexample trace:
    extract_0_2(X) = succ^3(CONST0),  extract_0_1(X) = 1
Using the original RTL bit vector X = x7 x6 x5 x4 x3 x2 x1 x0, the interpretations are
    X[1:0] = x1 x0 = 11,  X[0:0] = x0 = 1
and the SAT solver finds them feasible.
[Flow: UCLID CLU Counterexample Trace → Interpretations → SAT → Are feasible → REAL RTL Counterexample Trace]
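The feasibility check of this slide, as an added Python example that is not code from the presentation or from Vapor. It also covers the false-negative sources of slide 18, the interpreted constants of slides 15 and 16 (succ^3(CONST0) is read as 3) and the minimal-unsatisfiable-subset refinement mentioned in the conclusions. Assumptions: X is 8 bits wide, exhaustive enumeration stands in for the SAT solver, UF names follow extract_lo_w(x) = x[lo+w-1:lo], and FALSE_TRACE (with its extra extract_4_2 constraint) is a constructed trace, not one from the talk.

```python
# Added example, not code from the paper or from Vapor: checking whether an
# abstract (term-level) counterexample is feasible over the original RTL bit
# vectors.  The slides hand that question to a SAT solver; here an exhaustive
# search over a small assumed width stands in for the solver so the code runs
# offline.  UF names follow the slides: extract_lo_w(x) = x[lo + w - 1 : lo],
# and a constant succ^n(CONST0) from counting arithmetic is interpreted as n.
from itertools import product

def succ_n(n):
    """Interpreted value of succ^n(CONST0)."""
    return n

def interpret(uf_name):
    """Bit-vector meaning of an extraction UF such as 'extract_0_2'."""
    kind, lo, width = uf_name.split("_")
    if kind != "extract":
        raise ValueError(f"no interpretation for {uf_name}")
    lo, width = int(lo), int(width)
    return lambda x: (x >> lo) & ((1 << width) - 1)

def uf_consistent(trace):
    """What the abstract model can check on its own: functional consistency only.
    Two applications of the same UF to the same argument must agree; distinct
    UFs such as extract_0_2 and extract_0_1 are unrelated, so a trace that is
    impossible at bit level can still pass here."""
    seen = {}
    for uf, arg, value in trace:
        if seen.setdefault((uf, arg), value) != value:
            return False
    return True

def feasible(trace, width=8):
    """Search for concrete bit vectors satisfying every interpreted UF application.
    Returns a witness (a real RTL counterexample) or None (false counterexample)."""
    variables = sorted({arg for _, arg, _ in trace})
    for values in product(range(1 << width), repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(interpret(uf)(env[arg]) == value for uf, arg, value in trace):
            return env
    return None

def minimal_infeasible_subset(trace, width=8):
    """Deletion-based extraction of a minimal infeasible subset of the trace,
    the information a refinement step needs (a simple stand-in for the MUS
    extractors cited by the talk, not their algorithm)."""
    core = list(trace)
    i = 0
    while i < len(core):
        candidate = core[:i] + core[i + 1:]
        if feasible(candidate, width) is None:
            core = candidate        # still infeasible without it: drop it
        else:
            i += 1                  # needed for infeasibility: keep it
    return core

# Trace from the slide: extract_0_2(X) = succ^3(CONST0), extract_0_1(X) = 1
SLIDE_TRACE = [("extract_0_2", "X", succ_n(3)), ("extract_0_1", "X", 1)]

# Constructed trace: the abstract model permits it just as readily, but
# X[1:0] = 11 and X[0] = 0 cannot both hold over bit vectors.
FALSE_TRACE = [("extract_0_2", "X", succ_n(3)), ("extract_0_1", "X", 0),
               ("extract_4_2", "X", 1)]   # unrelated constraint a MUS should drop

if __name__ == "__main__":
    print(uf_consistent(SLIDE_TRACE), feasible(SLIDE_TRACE))    # True {'X': 3}
    print(uf_consistent(FALSE_TRACE), feasible(FALSE_TRACE))    # True None
    print(minimal_infeasible_subset(FALSE_TRACE))
```

uf_consistent returning True for both traces is the point of the check: with extract_0_2 and extract_0_1 as unrelated UFs, the abstract model has no way to tell that the second trace is impossible, which is exactly why the talk re-interprets the trace over the RTL bit vectors before reporting it. For real designs the enumeration must be replaced by the SAT encoding the slides describe; the interface (witness or None, plus a minimal infeasible subset for refinement) stays the same.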
21
Verifying Compliance of DLX Pipeline to its ISA Spec
[Figure: the DLX pipeline datapath of slide 4 (IF/ID, ID/EX, EX/MEM, PC, PCn, Address, Instruction memory, IR, RfA, RfB, Register File, Imm, ALU, AluOut, EX_MEM_AluOut, MUX).]
  • 1008 lines of Verilog were converted to 3244 lines of UCLID
  • 50 UFs/UPs (33 for extraction/concatenation), 726 TERMs, 247K propositional variables, 751K clauses; bug-free design
  • One refinement iteration to resolve the abstracted constants const0 and 1
  • Validation time: 500s
  • 300s when applying a constant threshold of 1
22
Verifying Equivalence Between Two FIFO
Implementations
23
Term Level Representation is Independent of Bit
Vector Sizes
24
Term Level Representation is Independent of Bit
Vector Sizes (cont)
25
Conclusions and Future Work
  • Presented a systematic abstraction from Verilog
    to UCLID for scalable verification
  • Refinement using minimal unsatisfiable
    subformulas
  • Further optimization of the UCLID model size

26
References
  • www.eecs.umich.edu/zandrawi/vapor/vapor.htm
  • Oh, Mneimneh and Sakallah, AMUSE: A Minimal Unsatisfiable Subset Extractor, to appear in DAC 04.
  • J. R. Burch and D. L. Dill, Automatic Verification of Pipelined Microprocessor Control. CAV 94, D. L. Dill, ed., LNCS 818, Springer-Verlag, June 1994, pp. 68-80.
  • R. E. Bryant, S. German, and M. N. Velev, Exploiting positive equality in a logic of equality with uninterpreted functions. ACM Transactions on Computational Logic, 2(1):93-134, January 2001.
  • Shuvendu K. Lahiri, Sanjit A. Seshia, Randal E. Bryant, Modeling and Verification of Out-of-Order Microprocessors in UCLID. FMCAD 2002.
  • L. Zhang and S. Malik, Extracting Small Unsatisfiable Cores from Unsatisfiable Boolean Formula, presented at Sixth International Conference on Theory and Applications of Satisfiability Testing (SAT 2003), S. Margherita Ligure - Portofino, Italy, 2003.
  • Manolios and Srinivasan, Automatic Verification of Safety and Liveness for XScale-Like Processor Models Using WEB Refinements, DATE 04.

27
Back Up Slide 1: Consistency Of Sub-Fields
[Figure: the 17-bit register serial_xmt with bit 16 and bits 15 to 0 marked]
Verilog:
    // 17-bit register
    reg [16:0] serial_xmt;
    // 1-bit wire
    wire parity;
    always @(posedge clk)
      if (mode == 1'b1)
        serial_xmt <= 17'd0;
      else begin
        serial_xmt[16] <= parity;
      end
UCLID:
    serial_xmt_P_15_0 := extract_0_16(serial_xmt_16_0);
    next[serial_xmt_16_16] := case
        mode_0_0 : extract_16_0(CONST0);
        default  : parity_0_0;
    esac;
    next[serial_xmt_16_0] := case
        mode_0_0 : CONST0;
        default  : concat_16_1(parity, serial_xmt_P_15_0);
    esac;
28
Back Up Slide 2
Verilog:
    reg [16:0] word;      // 17-bit register
    wire [7:0] w_low;     // 8-bit bus
    wire [7:0] w_high;    // 8-bit bus
    wire [16:0] out;      // 17-bit bus
    wire parity;          // single-bit wire
    wire clk;             // clock
    reg mode;             // single flip-flop
    always @(posedge clk)
      if (mode == 1'b1)
        word[10:3] <= 8'b11001110;
      else begin
        word[16] <= parity;
        word[15:8] <= w_high;
        word[7:0] <= w_low;
      end
    assign out = word;
UCLID:
    DEFINE
      word_P_7_3_n := case
          mode_0_0 : extract_4_5(CONST53);
          default  : ...;
      esac;
      ...
    ASSIGN
      init[word_7_0] := INITS;
      next[word_10_3] := case
          mode_0_0 : CONST53;
          default  : ...;
      esac;
      next[word_7_0] := case
          mode_0_0 : concat_5_3(word_P_7_3_n, word_P_2_0);
          default  : bitw_and(w_low_7_0);
      esac;
      ...