Loading...

PPT – Formal Verification of Pipelined Processors PowerPoint presentation | free to download - id: c62d0-ZDc1Z

The Adobe Flash plugin is needed to view this content

Formal Verification of Infinite-State

Systems Using Boolean Methods

Randal E. Bryant

Carnegie Mellon University

http//www.cs.cmu.edu/bryant

Contributions by graduate students Sanjit

Seshia, Shuvendu Lahiri

Outline

- Task
- Formally verify hardware and software systems
- Build on success in verifying finite models
- Infinite-State Models
- Need logic that is suitably expressive, yet

remains reasonably tractable - Verification Techniques
- Solve problems by mapping into propositional

logic - Proof engines can use powerful Boolean methods
- Different levels of automation and capacity

Truly Infinite-State Systems

- Systems where want to model real-world values

(temperature, speed, ...) - Hybrid systems
- Very difficult to verify
- Systems with real-valued time constraints
- E.g., timed automata
- Somewhat easier to verify, since all clocks move

at same rate

Theoretically Infinite-State Systems

- Systems with unbounded buffers
- Even though cant really build one

In Use

tail

head

Arbitrarily Large Finite-State Systems

- Synchronization protocol that should work for

arbitrary number of processes - Verify for arbitrary N
- Circular buffer with fixed, but arbitrary

capacity - Verify for arbitrary value of Max

In Use

tail

Very Large Finite-State Systems

- Abstract 32-bit words as arbitrary integers
- View memories as having unbounded capacity

Example HP/Compaq Alpha 21264

- Pipeline State
- Multiple caches
- Instruction queues
- Dynamically-allocated registers
- Memory queue
- Many buffers between stages
- Verification Tasks
- Does it implement the Alpha ISA?

Microprocessor Report, Oct. 28, 1996

Abstracting Data from Bits to Integers

x0

x1

x2

xn-1

- View Data as Symbolic Terms
- Arbitrary integers
- Verification proves correctness of design for all

possible word sizes - Can store in memories registers
- Can select with multiplexors
- ITE If-Then-Else operation

Abstraction Via Uninterpreted Functions

f

- For any Block that Transforms or Evaluates Data
- Replace with generic, unspecified function
- Only assumed property is functional consistency
- a x ? b y ? f (a, b) f (x, y)

Abstraction Via Uninterpreted Functions

F3

F2

F1

- For any Block that Transforms or Evaluates Data
- Replace with generic, unspecified function
- Also view instruction memory as function

EUF Equality with Uninterp. Functs

- Decidable fragment of first order logic
- Formulas (F ) Boolean Expressions
- ?F, F1 ? F2, F1 ? F2 Boolean connectives
- T1 T2 Equation
- P (T1, , Tk) Predicate application
- Terms (T ) Integer Expressions
- ITE(F, T1, T2) If-then-else
- Fun (T1, , Tk) Function application
- Functions (Fun) Integer ? Integer
- f Uninterpreted function symbol
- Read, Write Memory operations
- Predicates (P) Integer ? Boolean
- p Uninterpreted predicate symbol

Decision Problem

- Logic of Equality with Uninterpreted Functions

(EUF) - Truth Values
- Dashed Lines
- Model Control
- Logical connectives
- Equations
- Integer Values
- Solid lines
- Model Data
- Uninterpreted functions
- If-Then-Else operation
- Task
- Determine whether formula is universally valid
- True for all interpretations of variables and

function symbols

Finite Model Property for EUF

- Observation
- Any formula has limited number of distinct

expressions - Only property that matters is whether or not

different terms are equal

Boolean Encoding of Integer Values

Expression Possible Values Bit Encoding Bit Encoding

x0 0 0 0

d0 0,1 0 b10

f (x0) 0,1,2 b21 b20

f (d0) 0,1,2,3 b31 b30

- For Each Expression
- Either equal to or distinct from each preceding

expression - Boolean Encoding
- Use Boolean values to encode integers over small

range - EUF formula can be translated into propositional

logic - Tautology iff original formula valid

An Out-of-order Processor (OOO)

valid tag val

D E C O D E

incr

dispatch

Program memory

valid value src1valid src1val src1tag src2valid sr

c2val src2tag dest op

result

PC

Register Rename Unit

1st Operand

result bus

retire

2nd Operand

ALU

Reorder Buffer

execute

head

tail

Reorder Buffer Fields

- Data Dependencies Resolved by Register Renaming
- Map register ID to instruction in reorder buffer

that will generate register value - Inorder Retirement Managed by Retirement Buffer
- FIFO buffer keeping pending instructions in

program order

Access Modes for Reorder Buffer

- FIFO
- Insert when dispatch
- Remove when retire

- Content Addressable
- Broadcast result to all entries with matching

source tag

- Global
- Flush all queue entries when instruction at head

causes exception

Required Logic

- Increased Expressive Power
- Model queue pointers
- Increment decrement operations
- Relative ordering
- Ability to construct complex memory structures
- Not just set of fixed memory types
- Dont Go Too Far
- Want practical decision procedures
- Efficient reduction to propositional logic

EUF ? CLU

- Terms (T )
- ITE(F, T1, T2) If-then-else
- Fun (T1, , Tk) Function application
- Formulas (F )
- ?F, F1 ? F2, F1 ? F2 Boolean connectives
- T1 T2 Equation
- P(T1, , Tk) Predicate application

EUF ? CLU (Cont.)

- Functions (Fun)
- f Uninterpreted function symbol
- Read, Write Memory operations
- Predicates (P)
- p Uninterpreted predicate symbol

Modeling Memories with ?s

- Memory M Modeled as Function
- M(a) Value at location a
- Initially
- Arbitrary state
- Modeled by uninterpreted function m0

- Writing Transforms Memory
- M? Write(M, wa, wd)
- ? a . ITE(a wa, wd, M(a))
- Future reads of address wa will get wd

Modeling Unbounded FIFO Buffer

Already Popped

- Queue is Subrange of Infinite Sequence
- Q.head h
- Index of oldest element
- Q.tail t
- Index of insertion location
- Q.val q
- Function mapping indices to values
- q(i) valid only when h ? i lt t
- Initial State Arbitrary Queue
- Q.head h0, Q.tail t0
- Impose constraint that h0 ? t0
- Q.val q0
- Uninterpreted function

q(h2)

q(h1)

q(h)

head

q(h1)

increasing indices

q(t2)

q(t1)

tail

q(t)

q(t1)

Not Yet Inserted

Modeling FIFO Buffer (cont.)

Systems of Identical Processes

- Each Process has k State Variables
- Each state variable represented as array
- Indexed by process Id

sv1

sv2

svk

State of Process i

Modeling System of Identical Processes

- On Each Step
- Select arbitrary process index p
- As if chosen by nondeterministic scheduler
- Update state for selected process

nextstate lambda(i) case i p state(i)

IDLE TRYING i p state(i) TRYING

inuse TRYING i p state(i) TRYING

!inuse CRITICAL default state(i) esac

Decision Procedure

CLU Formula

Lambda Expansion

?-free Formula

Function Predicate Elimination

- Operation
- Series of transformations leading to

propositional formula - Propositional formula checked with BDD or SAT

tools - Bryant, Lahiri, Seshia CAV02

Function-free Formula

Convert to Boolean Formula

Boolean Formula

Boolean Satisfiability

Finite Model Property for CLU

x ? y ? succ(x) gt pred(y)

- Observation
- Need to encode all possible relative orderings of

expressions - Each symbolic value has maximum range of

increments decrements - Can use Boolean encodings of small integer ranges

Verifying OOO

- Lahiri, Seshia, Bryant, FMCAD 2002
- Goal
- Show that OOO implements Instruction Set

Architecture (ISA) model - For all possible execution sequences
- Challenges
- No bound on program length
- OOO holds partially executed instructions in

reorder buffer - States of two systems match only when reorder

buffer flushed

Adding Shadow State

- McMillan, 98
- Arons Pnueli, 99
- Provides Link Between ISA OOO Models
- Additional entries in ROB
- Do not affect OOO behavior
- Generated when instruction dispatched
- Predict values of operands and result
- From ISA model

OOO

Reg. File

PC

Reorder Buffer

Adding Shadow Structures

result bus

Updated directly from the ISA model during

dispatch

- shdw.src1valrob.tail ? Rfisa(src1)
- shdw.src2valrob.tail ? Rfisa(src2)
- shdw.valuerob.tail ? ALU(Rfisa(src1),

Rfisa(src2), op)

Invariant Checking

- Formulas I1, , In
- Ij(s0) holds for any initial state s0, for 1 ? j

? n - I1(s) ? I2(s) ? ? In(s) ? Ij(s? ) for any

current state s and successor state s? for 1 ? j

? n - Invariants for OOO (13)
- Refinement maps (2)
- Show relation between ISA and OOO models
- Shadow state (3)
- Shadow values correctly predict OOO values
- State consistency (8)
- Properties of OOO state that ensure proper

operation - Overall Correctness
- Follows by induction on time

Refinement Maps

- Correspondence with a sequential ISA model
- OOO and ISA synchronized at dispatch
- For Register File Contents
- ?r. reg.valid(r) ? reg.val(r) Rfisa(r)
- For Program Counter
- PCooo PCisa

Shadow Invariants

result bus

- ?robt. rob.valid(t) ? rob.value(t)

shdw.value(t) - ?robt. rob.src1valid(t) ? rob.src1val(t)

shdw.src1val(t) - ?robt. rob.src2valid(t) ? rob.src2val(t)

shdw.src2val(t)

State Consistency Invariants

- Tag Consistency invariants (2)
- Instructions only depend on instruction preceding

in program order - Register Renaming invariants (2)
- Tag in a rename-unit should be in the ROB, and

the destination register should match - ?r.?reg.valid(r)? (rob.head ? reg.tag(r) lt

rob.tail ? rob.dest(reg.tag(r)) r ) - For any entry, the destination should have

reg.valid as false and tag should contain this or

later instruction - ?robt.(?reg.valid(rob.dest(t)) ?
- t ? reg.tag(rob.dest(t)) lt rob.tail)

State Consistency Invariants (cont.)

- Executed instructions have operands ready
- ?robt. rob.valid(t) ?
- rob.src1valid(t) ? rob.src2valid(t)
- Shadow-Value-Operands Relationship
- ?robt. shdw.value(t) Alu(shdw.src1val(t),shdw.sr

c2val(t),rob.op(t)) - Producer-Consumer Values (2)
- ?robt. ?rob.src1valid(t) ?
- shdw.src1val(t) shdw.value(rob.src1tag(t))

Quantified Invariants and Proofs

- Allowed Form
- ?x1?x2?xk ?(x1xk)
- ?(x1xk) is a CLU formula without quantifiers
- x1xk are integer variables free in ?(x1xk)
- Proving these invariants requires quantifiers
- (?x1?x2?xk ?(x1xk)) ? ?y1?y2?ym ?(y1ym)
- Prove ?x1?x2?xk?(x1xk) ? ??(y1ym) is not

satisfiable - Undecidable
- Automatic instantiation of x1xk with concrete

terms - Sound but incomplete method
- Reduce the quantified formula to a CLU formula
- Can use the decision procedure for CLU

Proving Invariants

- Proved Automatically
- Quantifier instantiation was sufficient in these

cases - Time spent 54s on 1.4GHz machine
- Total effort 2 person days
- Comparison
- Previous efforts using theorem provers took weeks

of effort

Extending the OOO Processor

- base
- Executes ALU instructions only
- exc
- Handles arithmetic exceptions
- Must flush reorder buffer
- exc/br
- Handles branches
- Predicts branch speculatively executes along

path - exc/br/mem-simp
- Adds load store instructions
- Store commits as instruction retires
- exc/br/mem
- Stores held in buffer
- Can commit later
- Loads must scan buffer for matching addresses

Comparative Verification Effort

base exc exc / br exc / br / mem-simp exc / br / mem

Total Invariants 13 34 39 67 71

Manually instantiate 0 0 0 4 8

UCLID time 54 s 236 s 403 s 1594 s 2200 s

Person time 2 days 5 days 2 days 15 days 10 days

I Just Want a Loaf of Bread

Ingredients

Result

Recipe

Cooking with Invariants

Ingredients Predicates

rob.head ? reg.tag(r)

Recipe Invariants

?r,t.?reg.valid(r) ? reg.tag(r) t ?

(rob.head ? reg.tag(r) lt rob.tail ?

rob.dest(t) r )

reg.valid(r)

Result Correctness

reg.tag(r) t

rob.dest(t) r

Automatic Recipe Generation

Ingredients

Result

Recipe Creator

- Want Something More
- Given any set of ingredients
- Generate best recipe possible

Automatic Predicate Abstraction

- Graf Saïdi, CAV 97
- Idea
- Given set of predicates P1(s), , Pk(s)
- Boolean formulas describing properties of system

state - View as abstraction mapping States ? 0,1k
- Defines abstract FSM over state set 0,1k
- Form of abstract interpretation
- Do reachability analysis similar to symbolic

model checking - Prior Implementations
- Very weak inference capabilities
- Call theorem prover or decision procedure to test

each potential transition - Little support for quantified predicates

Abstract State Space

Abstraction

Concretization

Abstract States

Abstract States

Concrete States

Concrete States

Abstract State Machine

Abstract System

Concrete System

- Transitions in abstract system mirror those in

concrete

Overapproximation by Abstract Model

Abstract System

Concrete System

- Path in abstract state space may not correspond

to one in concrete - OK when verifying safety properties
- Possible false negatives, but no false positives

Predicate Abstraction Example

- State Space
- State variables x, y
- Initial State
- (2, 1)
- Next State Behavior
- x ? ?x
- y ? ?y
- Verification Task
- Prove all bad states unreachable

Initial State

Bad States

Precise Analysis

- Reachable States
- (2, 1), (?2, ?1)

Reachable States

Bad States

Predicates

- Use 3-valued predicates in this example

Abstract Initial State

Reached Set 0 LGG

Step 1 Concretize Reached Set 0

Reached Set 0 LGG

cx3

cxy

cy0

L

G

G

Compute Possible Successor States

x ? ?x y ? ?y

Abstract Newly Reached States

cx3

cxy

cy0

L

L

L

0

0

0

Reached Set 1 LLL, LGG

Step 2 Concretize Reached Set 1

Reached Set 1 LLL, LGG

cx3

cxy

cy0

L

L

L

Compute Possible Successor States

x ? ?x y ? ?y

Abstract Newly Reached States

Reached Set 2 LLL, LGG, EGG, GGG

Final Reached State Set

EGG

LGG

GGG

LLL

Bad States

Symbolic Formulation of Step 2

l1 x lt 3

l2 x lt y

g3 y gt 0

g1 x gt 3

g2 x gt y

l3 y lt 0

Reached Set 1 LLL, LGG

- Concretized State Set
- Encode each 3-valued L, E, G predicate with 2

Boolean variables (l, g) - Represent state set as formula
- (l1 ? ?g1 ? l2 ? ?g2 ? l3 ? ?g3)
- ? (l1 ? ?g1 ? ?l2 ? g2 ? ?l3 ? g3)

Next-State Predicates

- Next State (x?, y? )
- Get predicates l?1, l?2, l?3 , g?1, g?2, g?3
- Determine conditions under which predicates will

hold in next state - Express in terms of current state (x, y)

Next State Predicate Condition x? ?x y? ?y Current State Matches

l?1 x? lt 3 ?x lt 3 x gt ?3

l?2 x? lt y? ?x lt ?y x gt y g2

l?3 y? lt 0 ?y lt 0 y gt 0 g3

g?1 x? gt 3 ?x gt 3 x lt ?3

g?2 x? gt y? ?x gt ?y x lt y l2

g?3 y? gt 0 ?y gt 0 y lt 0 l3

Consistency Constraints

- Eliminate impossible predicate combinations
- In general, may need to introduce additional

variables - To express more complex transitivity constraints

Symbolic Form

- Formulation
- Express compatible combinations of current-state

next-state variables - Quantify out current-state variables
- Gives formula over next-state variables

Extracting Next-State Set

- Run SAT checker over formula
- Generate blocking clause for each newly generated

state

- (l1 ? ?g1 ? l2 ? ?g2 ? l3 ? ?g3)
- ? (l1 ? ?g1 ? ?l2 ? g2 ? ?l3 ? g3)
- ? ?(g1 ? g?1) ? ?(g?1 ? l?1) ? (g2 ? g3 ? l?1)
- ? l2 ? g?2 ? g2 ?l?2
- ? l3 ? g?3 ? g3 ? l?3

l1 g1 l2 g2 l3 g3 l?1 g?1 l?2 g?2 l?3 g?3 Next State

1 0 1 0 1 0 0 0 0 1 0 1 EGG

1 0 1 0 1 0 0 1 0 1 0 1 GGG

1 0 1 0 1 0 1 0 0 1 0 1 LGG

1 0 0 1 0 1 1 0 1 0 1 0 LLL

l1 g1 l2 g2 l3 g3 l?1 g?1 l?2 g?2 l?3 g?3 Next State

1 0 1 0 1 0 0 0 0 1 0 1 EGG

General Principle

- Lahiri, Bryant, and Cook CAV 2003
- Basis
- Abstract state set described as formula over

Boolean variables P p1, , pk - Current state given by formula ?(p1, , pk)
- Generate Quantified CLU Formula Describing Next

Abstract State Set - Concretize set of current states as formula

?(P1(s), , Pk(s)) - Combine predicates with next-state functions to

get next-state predicates P ?1(s, x), , P ?k(s,

x) - Variables x encode nondeterministic choices
- Get formula
- ?s, x ?(P1(s), , Pk(s))
- ? p?1?P ?1(s, x) ? ? p?k?P ?k(s, x)

General Principle (cont.)

- Transform into Quantified Boolean Formula
- Formula of form Next(P?) ? Z ?(Z, P?)
- Z Integer and function variables
- P? Abstract state variables
- Translate into Boolean formula of form ? B ?(B,

P?) - B Boolean variables arising from small-domain

encoding - Key Property
- P? ?(Z, P?) satisfiable P? ?(B,

P?) satisfiable - Form Encountered in Symbolic Model Checking
- Next(S?) ?S Curr(S) ? Trans(S, S?)
- S Boolean variables encoding current state
- S? Boolean variables encoding next state
- Solve using either SAT or BDDs

Quantified Invariant Generation

- User supplies predicates containing free

variables - Generate globally quantified invariant
- Example
- Predicates
- p1 reg.valid(r)
- p2 rob.dest(t) r
- p3 reg.tag(r) t
- Abstract state satisfying (p1 ? p2 ? ?p3)

corresponds to concrete state satisfying - ?r,t?reg.valid(r) ? reg.tag(r) t
- ? rob.dest(t) r
- rather than
- ?r?reg.valid(r) ? ?r,treg.tag(r) t ?
- ?r,trob.dest(t) r

Generating Quantified Invariants

- Use Quantifier Instantiation to Approximate ?

During Concretization - Causes even greater overapproximation
- Similar technique used by Flanagan Qadeer, POPL

02

Systems Verified with Predicate Abstraction

Model Predicates Iterations CPU Time

Out-Of-Order Execution Unit 25 9 2,613s

Germans Cache Protocol 21 9 122s

Germans Protocol, unbounded channels 30 19 15,000s

Bounded Retransmission Buffer 22 9 11s

Lamports Bakery Algorithm 24 24 5,211s

- Very general models
- Unbounded processes, buffers, cache lines,
- Safety properties only

Other Uses of UCLID Verifier

- Invariant Checking
- More complex version of OOO including speculative

execution, exceptions, buffered loads stores - Lahiri Bryant, CAV 2003
- Predicate Abstraction
- Core algorithm used to generate weakest Boolean

precondition for software model checking - SLAM project at Microsoft
- Pipelined Processor Verification
- Verify checker processor from U. Michigan
- Model extracted directly from Verilog
- Bounded check of load-store unit from industrial

microprocessor

Conclusions

- CLU is Useful Logic
- Expressive enough to model wide range of systems
- Systems with unbounded resources
- Abstract away most data operations
- Simple enough to be tractable
- Small domain property allows exploiting Boolean

methods - Predicate Abstraction is Powerful Tool
- Removes requirement to hand-generate invariants
- Benefits similar to model checking

Further Work

- Support for Proofs of Liveness
- Must make argument that progress being made
- Greater Automation
- Automatic generation of predicates
- More efficient implementation of predicate

abstraction - More Powerful Logic
- Linear arithmetic would be useful
- Potential blow-up when translate to Boolean

formula - Apply to Other Systems
- Software
- Network protocols