1 / 55

Carnegie Mellon University

Formal Verification Using Infinite-State Models. Randal E. Bryant. Carnegie Mellon University. http://www.cs.cmu.edu/~bryant. Contributions by graduate students: Miroslav Velev, Sanjit Seshia, Shuvendu Lahiri. Outline. Task Formally verify hardware and software systems

rjacqueline
Download Presentation

Carnegie Mellon University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Formal Verification Using Infinite-State Models Randal E. Bryant Carnegie Mellon University http://www.cs.cmu.edu/~bryant Contributions by graduate students: Miroslav Velev, Sanjit Seshia, Shuvendu Lahiri

  2. Outline • Task • Formally verify hardware and software systems • Build on success in verifying finite models • Infinite-State Models • How do they arise • Need logic that is suitably expressive, yet remains reasonably tractable. • Verification Techniques • Range of methods with varying capabilities and limitations • Solve problems by mapping into propositional logic • Proof engines can use powerful Boolean methods

  3. Example: HP/Compaq Alpha 21264 • Pipeline State • Multiple caches • Instruction queues • Dynamically-allocated registers • Memory queue • Many buffers between stages • Verification Tasks • Does it implement the Alpha ISA? • Do specific units satisfy desired properties? Microprocessor Report, Oct. 28, 1996

  4. Temporal Logic Model Checking • Verify Reactive Systems • Construct state machine representation of reactive system • Nondeterminism expresses range of possible behaviors • “Product” of component state machines • Express desired behavior as formula in temporal logic • Determine whether or not property holds Traffic Light Controller Design Model Checker True False + Counterexample “It is never possible to have a green light for both N-S and E-W.”

  5. Global Bus Interface Cluster #2 Abstraction Cluster #3 Abstraction Interface Cluster #1 Bus Mem. Cache Control. Cache Control. Proc. Proc. Finite System Modeling Example • Simplifying Abstractions • Single word cache • Single bit/word • Abstract other clusters • Imprecise timing Distributed, Shared Memory System Arbitrary reads & writes

  6. Symbolic FSM Analysis Example • K. McMillan, E. Clarke (CMU) J. Schwalbe (Encore Computer) • Encore Gigamax Cache System • Distributed memory multiprocessor • Cache system to improve access time • Complex hardware and synchronization protocol. • Verification • Create “simplified” finite state model of system (109 states!) • Verify properties about set of reachable states • Bug Detected • Sequence of 13 bus events leading to deadlock • With random simulations, would require 2 years to generate failing case. • In real system, would yield MTBF < 1 day.

  7. Boolean Manipulation with OBDDs • Ordered Binary Decision Diagrams • Data structure for representing Boolean functions • Key to success in hardware verification • Example: (x1x2)  x3 Nodes represent variable tests Branches represent variable values • Dashed for value 0 • Solid for value 1 Canonical representation • when reduction rules applied • Makes equivalence trivial

  8. Representing Circuit Functions • Functions • All outputs of 4-bit adder • Functions of data inputs • Shared Representation • Graph with multiple roots • 31 nodes for 4-bit adder • 571 nodes for 64-bit adder • Linear growth

  9. IF/ID ID/EX EX/WB PC Control Control Op Instr Mem Rd Ra = Adat Reg. File ALU Imm +4 = Rb Simplified Processor Example • Simplified RISC pipeline • Register-Register and Register-Immediate operations • Data hazards handled by register forwarding • Each step of operation defined by function dpipe Bdat

  10. Control Op Instr Mem Rd Ra Adat Reg. File ALU Bdat Imm +4 Rb ISA Reference Model • Only programmer-visible state • Much simpler control logic • Assume verified against instruction set definition • Each step of operation defined by function dspec PC

  11. x p T F x 1 0 ITE(p, x, y) x x 1 0 1 0 y x y y y Abstracting Data from Bits to Integers x0 x1 • View Data as Symbolic “Terms” • Arbitrary integers • Verification proves correctness of design for all possible word sizes • Can store in memories & registers • Can select with multiplexors • ITE: If-Then-Else operation x2 xn-1

  12. ALU Abstraction Via Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Only assumed property is functional consistency: a = x b = y f(a, b) = f(x, y) f

  13. IF/ID ID/EX EX/WB PC Control Control Op Instr Mem Rd Ra = Adat Reg. File ALU Imm +4 = Rb Abstraction Via Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Also view instruction memory as function F3 F2 F1

  14. Control Op F3 Instr Mem Rd Ra Adat Reg. File F2 ALU Bdat Imm F1 +4 Rb Abstracting Reference Model • Abstract with identical functions as in pipeline model PC

  15. EUF: Equality with Uninterp. Functs • Decidable fragment of first order logic • Formulas (F ) Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation P (T1, …, Tk) Predicate application • Terms (T ) Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application • Functions (Fun) Integer  Integer f Uninterpreted function symbol Read, Write Memory operations • Predicates (P) Integer  Boolean p Uninterpreted predicate symbol

  16. kspec Abs Abs pipe Correctness of Pipeline Qspec Qspec • Abstraction Function Abs • Relates state of pipeline to program state • Result of completing partially-executed instructions • Requirement • Pipeline step dpipe matches k instruction executions dkspec • For our pipeline k = 1 • When pipeline stalls have k =0 • Superscalar pipelines can have k > 1 Qpipe Qpipe

  17. Correspondence Checking • Burch & Dill, Computer-Aided Verification ‘94 • Exploit State Structure • State held in memories and pipeline latches • Memories match those of instruction set model • Latches hold additional pipeline state • Pipeline State can be “flushed” • Control logic to support external interrupts • Complete in-flight instructions • Without fetching any new ones

  18. Stall = 1 Stall = 1 Stall = 1 Arbitrary Qpipe pipe pipe pipe Proj Pipeline Flushed Computing Abstraction Function • Method • Start with arbitrary pipeline state Qpipe • Symbolically simulate processor with stall asserted • Project out all but programmer-visible state • Effect • Processor computes its own abstraction function! Qspec

  19. Stall = 1 Stall = 1 Stall = 1 k=0 k=1 pipe pipe pipe Proj spec =? Stall= 0 Stall= 1 Stall= 1 Stall= 1 pipe pipe pipe pipe Proj Computational Task: Single-Issue Processor • Compare results of two symbolic simulations • Starting from same initial state • Number of simulation steps ~ pipeline depth • Check that resulting user-visible states identical • Disjunctive acceptance condition • Extra clock cycle causes either 0 or 1 new instructions to complete Qpipe =?

  20. k=2 k=0 spec k=1 Flush Proj spec Stall= 0 Qpipe =? =? =? pipe Proj Flush Computational Task: Dual-Issue Processor • Extra clock cycle causes 0, 1, or 2 new instructions to complete

  21. T = 0 T = 1 T = 2 T = 3 Ra Ra Ra Ra x x x x x x x x b a b a b b a a ALU ALU ALU ALU f f f f f f Rb Rb Rb Rb Term-Level Symbolic Simulation • Simulator Operation • Register states are term-level expressions • Denoted by pointers to nodes in Directed Acyclic Graph (DAG) • Simulate each cycle of circuit by adding new nodes to DAG • Based on circuit operations • Construct DAG denoting correctness condition

  22. e 1 f T F Ù e Ø 0 = x f 0 T Ú = F T F d 0 Decision Problem • Logic of Equality with Uninterpreted Functions (EUF) • Truth Values • Dashed Lines • Model Control • Logical connectives • Equations • Integer Values • Solid lines • Model Data • Uninterpreted functions • If-Then-Else operation • Task • Determine whether formula is universally valid • True for all interpretations of variables and function symbols

  23. e 1 f T x0 d0 f(x0) f(d0) F Ù e Ø 0 = x f 0 T Ú = F T F d 0 Finite Model Property for EUF • Observation • Any formula has limited number of distinct expressions • Only property that matters is whether or not different terms are equal

  24. Boolean Encoding of Integer Values • For Each Expression • Either equal to or distinct from each preceding expression • Boolean Encoding • Use Boolean values to encode integers over small range • EUF formula can be translated into propositional logic • Tautology iff original formula valid

  25. Benchmark Circuits • Single Issue Pipeline: 1xDLX • Analogous to DLX model in Hennessy & Patterson • Verified in ‘94 by Burch & Dill • Dual Issue Pipeline : 2xDLX-CC • Superscalar operation with two complete pipelines • Full-Featured Pipeline: 2xDLX-* • Multi-cycle function units, exception handling & branch prediction

  26. Evaluation • Using BDD Evaluation to Prove Tautology Circuit BDD Vars. BDD Nodes CPU Secs. 1xDLX 63 2,127 0.2 2xDLX-CC 173 51,826 20 2xDLX-* 418 986,740 2,635 • Using SAT Checkers to Prove Tautology • Chaff (Malik, Princeton) • Major advances in last few years Circuit CNF Vars. Clauses CPU Secs. 2xDLX-* 4,583 41,704 22

  27. An Out-of-order Processor (OOO) valid tag val incr D E C O D E dispatch • Data Dependencies Resolved by Register Renaming • Mapping from register ID to instruction in reorder buffer that will generate register value • Inorder Retirement Managed by Retirement Buffer • FIFO buffer keeping pending instructions in program order Program memory valid value src1valid src1val src1tag src2valid src2val src2tag dest op result PC Register Rename Unit 1st Operand result bus retire 2nd Operand ALU execute Reorder Buffer head tail Reorder Buffer Fields

  28. FIFO Insert when dispatch Remove when retire Content Addressable Broadcast result to all entries with matching source tag Retire Dispatch result bus ALU execute head tail • Directly Addressable • Select particular entry for execution • Retrieve result value from executed instruction Access Modes for Reorder Buffer • Global • Flush all queue entries when instruction at head causes exception

  29. Required Logic • Increased Expressive Power • Model queue pointers • Increment & decrement operations • Relative ordering • Ability to construct complex memory structures • Not just set of fixed memory types • Don’t Go Too Far • Want practical decision procedures • Efficient reduction to propositional logic

  30. succ (T) Increment pred (T) Decrement T1 < T2 Inequality EUF  CLU • Terms (T ) ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application • Formulas (F ) F, F1F2, F1F2 Boolean connectives T1 = T2 Equation P(T1, …, Tk) Predicate application

  31.  x1, …, xk . T Function lambda expression  x1, …, xk . F Predicate lambda expression • Arguments can only be terms • Lambdas are just mutable arrays EUF  CLU (Cont.) • Functions (Fun) f Uninterpreted function symbol Read, Write Memory operations • Predicates (P) p Uninterpreted predicate symbol

  32. Memory M Modeled as Function M(a): Value at location a Initially Arbitrary state Modeled by uninterpreted function m0 Writing Transforms Memory M = Write(M, wa, wd) a . ITE(a = wa, wd, M(a)) Future reads of address wa will get wd M a M wa = M wd a m0 M a 1 0 Modeling Memories with ’s

  33. • • • • • Modeling Unbounded FIFO Buffer Already Popped • Queue is Subrange of Infinite Sequence • Q.head = h • Index of oldest element • Q.tail = t • Index of insertion location • Q.val = q • Function mapping indices to values • q(i) valid only when hi < t • Initial State: Arbitrary Queue • Q.head = h0, Q.tail = t0 • Impose constraint that h0 t0 • Q.val = q0 • Uninterpreted function q(h–2) q(h–1) head q(h) q(h+1) • • • increasing indices q(t–2) q(t–1) tail q(t) q(t+1) Not Yet Inserted

  34. op = PUSH Input = x • • • next[h] := ITE(operation = POP, succ(h), h) • • • • • • q(h–2) q(h–2) q(h–1) q(h–1) next[h] q(h) q(h) h q(h+1) q(h+1) next[t] := ITE(operation = PUSH, succ(t), t) • • • • • • q(t–2) q(t–2) q(t–1) q(t–1) next[q] :=  (i). ITE((operation = PUSH & i=t), x, q(i)) t q(t) x next[t] q(t+1) q(t+1) • • • Modeling FIFO Buffer (cont.)

  35. Decision Procedure CLU Formula • Operation • Series of transformations leading to propositional formula • Propositional formula checked with BDD or SAT tools • Bryant, Lahiri, Seshia [CAV02] Lambda Expansion -free Formula Function & Predicate Elimination Function-free Formula Convert to Boolean Formula Boolean Formula Boolean Satisfiability

  36. y –1 x x y –1 y –1 y –1 x x y –1 x x+1 y x+1 y y y x+1 x+1 y x+1 x = 0, y = 3 x = 2, y = 1 Finite Model Property for CLU x  y  succ(x) > pred(y) • Observation • Need to encode all possible relative orderings of expressions • Each symbolic value has maximum range of increments & decrements • Can use Boolean encodings of small integer ranges

  37. Verification Techniques in UCLID • Bounded Property Checking • Start in reset state • Symbolically simulate for fixed number of steps • Verify a safety property for all states reachable within the fixed number of steps from the start state • Correspondence Checking • Run 2 different simulations starting in most general state • Prove that final states equivalent • e.g. Burch-Dill Technique • Invariant Checking • Start in general state s • ProveInv(s)  Inv(next[s]) • Limited support for automatic quantifier instantiation

  38. Verification of OOO : Automation vs. Guarantee • Presence of decision procedure • Efficiency : Allows improved bounded property checking and Burch-Dill method • Automation : Reduces manual guidance in proving invariants • Automatic Instantiation of quantifiers

  39. Technique 1 : Bounded Property Checking • Debugging OOO using Bounded Property Checking • All the errors were discovered during this phase • Counterexample trace of great help • Debugging Motorola ELF™ • Superscalar out-of-order processor • Reorder Buffer, memory unit, load-store queues etc. • Applied during early design exploration phase

  40. Bounded Property Checking Results • SVC (Stanford) : Another decision procedure to solve CLU formulas • Can decide more expressive class • CVC (Successor of SVC) runs out of memory on larger cases

  41. Burch-Dill Technique for OOO • Exponential blowup with the number of ROB entries • Limited to r = 8 entries currently • r = 8 finished after case-splitting in 2.5hrs

  42. Technique 3 : Invariant Checking • Deriving the inductive invariants • Require additional (auxiliary) variables to express invariants • Auxiliary variables do not affect system operation • Proving that the invariants are inductive • Automate proof of invariants in UCLID • Eliminates need for large (often fragile) proof script

  43. Restricted Invariants and Proofs • Restricted classes of invariants • x1x2…xk (x1…xk) • (x1…xk) is a CLU formula without quantifiers • x1…xk are integer variables free in (x1…xk) • Proving these invariants requires quantifiers x1x2…xk (x1…xk)  y1y2…ym (y1…ym) x1 x2…xk y1y2…ym [(x1…xk)  (y1…ym)] • Automatic instantiation of x1…xk with concrete terms • Sound but incomplete method • Reduce the quantified formula to a CLU formula • Can use the decision procedure for CLU

  44. Proving Invariants • Proved automatically • Quantifier instantiation was sufficient in these cases • Relieves the user of writing proof scripts to discharge the proofs • Time spent = 54s on 1.4GHz m/c • Total effort = 2 person days

  45. Extending the Design • base • Executes ALU instructions only • exc • Handles arithmetic exceptions • Must flush reorder buffer • exc/br • Handles branches • Predicts branch & speculatively executes along path • exc/br/mem-simp • Adds load & store instructions • Store commits as instruction retires • exc/br/mem • Stores held in buffer • Can commit later • Loads must scan buffer for matching addresses

  46. Comparative Verification Effort

  47. Beyond Processor Verification • Systems of Identical Processes • E.g., synchronization protocols • Arbitrary number of processes, each having same operation • Software • Create finite model by predicate abstraction

  48. Systems of Identical Processes • Each Process has k State Variables • Each state variable represented as array • Indexed by process Id • • • • • • sv1 • • • • • • sv2 • • • • • • svk State of Process i

  49. • • • • • inuse p 0/1 state CRITICAL IDLE TRYING Modeling System of Identical Processes • On Each Step: • Select arbitrary process index p • As if chosen by nondeterministic scheduler • Update state for selected process next[state] := lambda(i) case i = p &state(i) = IDLE: TRYING i = p &state(i) = TRYING & inuse : TRYING i = p &state(i) = TRYING & !inuse: CRITICAL default: state(i) esac

  50. Model Checking Software • Program is Hard to Model as Finite-State Machine • Large number of large data words means lots of bits • Although “finite”, bound is very large • Recursion requires stack • Conceptually unbounded • Creating Finite State Abstraction • Microsoft SLAM verifier • Focus on device drivers • Start with very abstract model of program • Every conditional can arbitrarily be taken/not-taken • Check properties • E.g., always close files • Refine when find counterexample • More careful analysis of conditionals

More Related