1 / 43

Carnegie Mellon University

Convergence Testing in Term-level Bounded Model Checking. Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia. Carnegie Mellon University. . x. p. T. F. x. 1 0. ITE ( p , x , y ). x. x. 1 0. 1 0. y. x. y. y. y. Term-level modeling :Abstracting Data. x 0. x 1.

saad
Download Presentation

Carnegie Mellon University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia Carnegie Mellon University

  2. x p T F x 1 0 ITE(p, x, y) x x 1 0 1 0 y x y y y Term-level modeling :Abstracting Data x0 x1 • View Data as Symbolic “Terms” • Arbitrary integers • Verification proves correctness of design for all possible word sizes • Can store in memories & registers • Can select with multiplexors • ITE: If-Then-Else operation x2 xn-1

  3. ALU Term-level modeling:Abstraction Via Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Only assumed property is functional consistency: a = x b = y f(a, b) = f(x, y) f

  4. Motivation • Model Checking expressive systems • Unbounded Integers, unbounded arrays • Infinite state space • In general, undecidable • Can express 2-counter systems • Systems do not converge • Convergence detection undecidable • Interesting systems which converge • Pipelined processors • [Hojati, Isles, Brayton], • Multiway Decision Graphs (MDG) • Procedures to detect convergence

  5. Outline slide • Background • CLU • example • Formal definition of convergence • Technique • Results • Conclusions

  6. CLU : Logic of UCLID • Terms (T ) Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application succ (T) Increment pred (T) Decrement • Formulas (F ) Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation T1 < T2 Inequality P(T1, …, Tk) Predicate application • Functions (Fun) Integers  Integer f Uninterpreted function symbol  x1, …, xk . T Function definition • Predicates (P) Integers  Boolean p Uninterpreted predicate symbol  x1, …, xk . F Predicate definition

  7. Memory M Modeled as Function M(a): Value at location a Writing Transforms Memory M  = Write(M, wa, wd) a . ITE(a = wa, wd, M(a)) Future reads of address wa will get wd M a M wa = wd a M 1 0 Modeling Memories with ’s

  8. Other modeling capabilities • Other Memories • Content-addressable memories • Simultaneous-update memories • Arbitrary subset of entries can be modified in a step • Ordered data structures • Queues, Stacks • Limited Set operations • Addition,deletion, empty-check, membership • Systems modeled • Out-of-order processors • Parameterized cache-coherence protocols, distributed protocols

  9. Example • Symbols • V = {x : INT, y: INT, b : BOOL} # state variables • K = { f } # system parameters • I = {a} # initial state symbols • Initial States • q0x=a • q0y=a • q0b=true • Next State •  x=ITE(b,f(x),x) •  y=ITE(b,y,f(y)) • b=  b

  10. Example • Symbols • V = {x : INT, y: INT, b : BOOL} • K = { f } • I = {a} • Initial States • q0x=a • q0y=a • q0b=true • Next State •  x=ITE(b,f(x),x) •  y=ITE(b,y,f(y)) • b=  b • Execution Property b  x = y ?

  11. Example : convergence • Execution • Alternate Execution

  12. Example : convergence • Execution • Alternate Execution

  13. Example : convergence • Execution • Alternate Execution subsumes • Substitution/Matching •  (true)  true • (a’)  f(a)

  14. Implies b  x = y ? Example : convergence • Execution Reachable States

  15. Contributions • New formal definition of convergence for term-level models • Based on symbolic simulation • A sound algorithm to detect convergence • Dealing with Function State Variables • Based on a translation to Quantified Separation Formula • Preliminary Experimental Results • 3-stage pipeline processor • Related work • Conclusion and Future work

  16. System Model (w/o inputs) • Symbols • State Variables ( V ) • Initial State Symbols ( I ) • Parameters ( K ) • Initial State q0 • q0a : one for each state element a  V • Expression over I • Transition Function  • a : one for each state element a  V • Expression over VK • Does not depend on the initial state symbols (I)

  17. Symbolic Simulation • Symbolic state expression si • Expression after “i” steps of symbolic simulation • Contains sai for each of the state elements a  V • e.g. {x  f(a), y  a, b  false} • Obtaining the expression for next state • sai+1 a[si/V] • Substitute the expression for sai in place of a  V

  18. Definitions • Interpretation X • Assigns values to each symbol in X • Evaluation   • X  e  evaluates e with respect toX • State of the system • An interpretation to the state elements a  V • Boolean state elements assigned true/false • Integers state elements assigned integer values • Function state elements assigned a function from integers to integer • Predicate state elements assigned a function from integers to true/false • Given I, K • I.K si represents a state

  19. k-Convergence • The system is “k-convergent” if: • For every interpretation Iof initial state symbol, and K of the parameter symbols, there exists a step i  k and an alternate interpretation Iof initial state symbols, such that I . Ksi = I.Ksk+1 • Theorem : If a system is k-convergent, then no new states are discovered after k steps of symbolic simulation. • Proof exploits the facts • Transition relation independent of initial state symbols

  20. k-Convergence • The system is “k-convergent” if: • For every interpretation Iof initial state symbol, and K of the parameter symbols, there exists a step i  k and an alternate interpretation Iof initial state symbols, such that I . Ksi = I.Ksk+1 • Formulation • Introduce I’ : set of symbols for alternate initial state symbols • Obtain riby symbolic simulation with symbols in I’ • Check for validity K I I’ [i  kri =sk+1]

  21. k-Convergence • Formulation • Introduce I’ : set of symbols for alternate initial state symbols • Obtain riby symbolic simulation with symbols in I’ • Check for validity K I I’ [i  kri =sk+1] • Comparing States ri andsk+1 • Compare each state element aV point-wise • ri =sk+1  [ aVrai =sak+1 ]

  22. Example: Adding function state • Symbols • V = {x : INT, y: INT, b : BOOL, m : INT  INT } • K = { f } • I = {a, m0} • Initial States • q0x=a • q0y=a • q0b=true • q0m =m0 • Next State •  x=ITE(b,f(x),x) •  y=ITE(b,y,f(y)) • b=  b • m=  i. ITE(bi=x,y,m(i))

  23. Example : convergence • Execution

  24. Example : convergence • Checking Convergence fam0a’ m0’ [a’ = f(a)  m0’ = ( i. ITE(i=a, a, m0(i)))]

  25. Handling function state variables • Second order equations • Comparing a function state element in two states • F = G z. F(z) = G(z) • New Quantifier Structure K I I’[i  kri =sk+1] K I I’Z[i  kri(Z)=sk+1(Z)] • Eliminate z from the equation • Generate constraints and rewrite • Source of Incompleteness (1) • Rewrite rules not complete • Complete for random-access memories

  26. Deciding Second-Order formulas with One Quantifier Alternation • Second-Order formula • K I I’  •  is quantifier-free CLU formula • All equations are first order now • Obtained after eliminating Z • General form • A B  • A  K I • B  I’

  27. Handling First order equations • General form • A B  • Undecidable • Provide a sound translation to a decidable fragment • Option 1 : Translate to Quantified Separation Formula • Decidable fragment of first-order logic with quantifiers • Option 2 : Remove the  quantifiers from the formula • All symbols are universally quantified • Source of Incompleteness (2)

  28. Handling First order equations • General form • A B  • Undecidable • Provide a sound translation to a decidable fragment • Option 1 : Translate to Quantified Separation Formula • Decidable fragment of first-order logic with quantifiers • Option 2 : Remove the  quantifiers from the formula • All symbols are universally quantified • Source of Incompleteness (2)

  29. Option 1: Normal Form • Function applications pushed through ITE • f(ITE(x,y,z))  ITE(x,f(y),f(z)) • Eliminate the ITE constructs • ITE(x,y,z) = ITE(x’,y’,z’)  (xx’  y=y’)  (xx’  y=z’) (xx’  z=y’)  (xx’  z=z’) • Atomic Expressions (atoms) • Expressions with no Boolean operators (, , ) f(g(x)+1)+5, p(f(y)), x = y, …

  30. A B  Sound Translation of A B  • 1. ’ Obtain a normal form of  • F  f,y x [ (x=f(x)) y = f(f(y))] 2. Obtain a topological ordering g1,…,gn of “atomic” function/predicate applications • Move applications of A as much to the left • y,f(y),f(f(y)),x,f(x) 3. ” Replace gi by vi in ’ • ”  [ (x=fx)  y = ffy]

  31. Sound Translation of A B  • 4. Get Ackerman’s constraints for gi h(x),gjh(y) • C (x = y  vi =vj) • y = fy  fy=ffy • y = x  fy=fx • fy = x  ffy=fx 5. Construct CA, CB • If h Athen CA C  CA • If h  B thenCB C  CB CA  (1)(2)(3) CB  true

  32. Sound Translation of A B  • 6. s  Q1v1 …Qnvn [CA (CB  ”)] • Qi , if top-func-symbol(gi)  A  , otherwise s  y,fy,ffy x fx [(y = fy  fy=ffy  y = x  fy=fx  fy = x  ffy=fx)  ( (x=fx)  y = ffy)] The above formula is valid

  33. Sound Translation to QSL • Original formula • A B  • New formula • s  Q1v1 …Qnvn [CA (CB  ”)] • Theorem: If s is valid then (AB )is valid • s is a formula in Quantified Separation Logic (QSL) • Terms arex,y,z • Atomic formulas are : x  y + c • Boolean Connectives: , ,  • Quantifiers: , 

  34. Quantified Separation Logic (QSL) • Decision procedures for QSL • Difference Decision Diagrams (DDD): Möller, CADE02 • Using Boolean Methods : Seshia and Bryant, CAV03

  35. 3-stage DLX pipeline (CMU-ISA) • Pipelined processor model • 3-stage (Fetch-Decode, Execute, Write-back) • Stalling, forwarding • Boolean state elements • Read/write enables, op-code etc. • Integer state elements • Register identifiers, data value, program counter • Function state elements • Unbounded Register file • Uninterpreted function symbols • ALU, initial state of register file • Checking equivalence with an ISA model • Contains user visible state elements • Program counter, register file • Same uninterpreted function for ALU, initial state of register file

  36. Results • Complexity of QSF formula for 3 steps of simulation • 43 integer variables • 6 quantifier alternations • ~800 nodes in the DAG for the formula • BDD-Based, DDD-based • > 1GB • QBF-Based [Quaffle, QBF, …] • Times out • SAT Based Quantifier Elimination • Too many enumerations • Verified a simplified model • Remove some state elements or 1 pipeline stage • BDD-based approach finishes in less than 10s

  37. Related Work • Hojati, Isles and Brayton, CAV ’98 • Generates reachable states for the Boolean part of the state • Less expressive logic (no , no ordered structures) • Use a syntactic convergence test • Subsumed by our semantic criteria • Multiway decision graphs, FMSD ‘97 • BDD-like canonical data structures with terms • Does not handle function state variables • Starts from a general initial state for termination • Can handle first order temporal logic queries

  38. Conclusions and Future Directions • Convergence checking • New formulation • Based on reduction to QSL • Application to theorem proving • Proving Second order formulas with 1 quantifier alternation • Computationally expensive • Large number of quantifier alternations • Relax functional consistency across different steps • Fewer constraints, simpler formula • Use “matching” to reduce to Boolean formula • QBF solvers are not mature • Similar to quantifier instantiation • Instantiate second order function variables

  39. Questions

  40. Conclusions • Provided a convergence definition • Computationally expensive • Translation to QSF/QBF

  41. Example • Symbols • X = { x : INT, y : INT, m : BOOL } # state variables • K = { f , a } # system parameters • I = { } # input symbols • Initial States • q0x=a • q0y=a • q0m=true • Next State •  x=ITE(m,f(x),x) •  y=ITE(m,y,f(y)) • m=  m

  42. Sound Translation of A B  • ’ Obtain a normal form of  • Obtain a topological ordering g1,…,gn of “atomic” function/predicate applications • ” Replace gi by vi in ’ • Get Ackerman’s constraints for gi f(x),gjf(y) • C (x = y  vi =vj) • Construct CA, CB • If f Athen CA C  CA • If f  B thenCB C  CB • s  Q1v1 …Qnvn [CA (CB  ”)] • Qi  , if top-func-symbol(gi)  A , otherwise

  43. Syntactic vs. Semantic

More Related