Carnegie Mellon University
Formal Verification Using Infinite-State Models
Randal E. Bryant, http://www.cs.cmu.edu/~bryant
Contributions by graduate students: Miroslav Velev, Sanjit Seshia, Shuvendu Lahiri
Outline
Task
- Formally verify hardware and software systems
- Build on the success in verifying finite models
Infinite-state models
- How do they arise?
- Need a logic that is suitably expressive, yet remains reasonably tractable
Verification techniques
- A range of methods with varying capabilities and limitations
- Solve problems by mapping them into propositional logic
Pipeline State
- Multiple caches
- Instruction queues
- Dynamically-allocated registers
- Memory queue
- Many buffers between stages
Verification Tasks
- Does it implement the Alpha ISA?
- Do specific units satisfy desired properties?
Temporal Logic Model Checking
Verify reactive systems
- Construct a state machine representation of the reactive system; nondeterminism expresses the range of possible behaviors, and the model is the "product" of the component state machines
- Express the desired behavior as a formula in temporal logic
- Determine whether or not the property holds
(figure: a traffic light controller design and the property "It is never possible to have a green light for both N-S and E-W" are given to the model checker, which answers True, or False plus a counterexample)
Finite System Modeling Example
Distributed, shared-memory system
(figure: processors and a cache on the Cluster #1 bus, with the cache and memory controllers connected through an interface to a global bus; Cluster #2 and Cluster #3 are replaced by abstractions that issue arbitrary reads & writes)
Simplifying abstractions
- Single-word cache
- Single bit per word
- Abstract the other clusters
- Imprecise timing
Symbolic FSM Analysis Example
K. McMillan, E. Clarke (CMU); J. Schwalbe (Encore Computer)
Encore Gigamax cache system
- Distributed-memory multiprocessor
- Cache system to improve access time
- Complex hardware and synchronization protocol
Verification
- Create a "simplified" finite-state model of the system (10^9 states!)
- Verify properties about the set of reachable states
Bug detected
- A sequence of 13 bus events leading to deadlock
- With random simulation, it would require 2 years to generate the failing case; in the real system, it would yield an MTBF < 1 day
Functions
- All outputs of a 4-bit adder (figure: block ADD with inputs A, B and outputs Cout, S) as functions of the data inputs
Shared representation
- Graph with multiple roots
- 31 nodes for the 4-bit adder
- 571 nodes for a 64-bit adder
- Linear growth
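The node counts above can be reproduced with a few dozen lines. The following is an added example, not code from the slides: a minimal ROBDD package (unique table plus memoized apply) that builds every output of an n-bit ripple-carry adder as one multi-rooted graph and counts the shared nodes. The variable order is an assumption of the example: the most-significant inputs sit nearest the roots, so the carry chain below each sum bit is shared with the next; with the least-significant inputs first the graph would grow quadratically instead. Terminals are counted as nodes.

```python
"""Shared multi-rooted ROBDD for all outputs of an n-bit ripple-carry adder.

Added example (not from the slides): reproduces the counts 31 (n = 4) and
571 (n = 64) and checks the adder against integer addition.
"""
import itertools
from typing import Callable, Dict, List, Tuple

Op = Callable[[bool, bool], bool]
AND: Op = lambda p, q: p and q
OR: Op = lambda p, q: p or q
XOR: Op = lambda p, q: p != q


class BDD:
    """Reduced Ordered BDD. Ids 0 and 1 are the FALSE/TRUE terminals; every
    other node is (var, lo, hi); a smaller var index sits closer to the roots."""

    FALSE, TRUE = 0, 1

    def __init__(self) -> None:
        self.nodes: list = [None, None]                 # id -> (var, lo, hi)
        self.unique: Dict[Tuple[int, int, int], int] = {}
        self.cache: Dict[Tuple[Op, int, int], int] = {}

    def mk(self, var: int, lo: int, hi: int) -> int:
        """Canonical node for (var, lo, hi); a redundant test is dropped."""
        if lo == hi:
            return lo
        key = (var, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, v: int) -> int:
        return self.mk(v, self.FALSE, self.TRUE)

    def _top(self, u: int) -> float:
        return self.nodes[u][0] if u > 1 else float("inf")

    def apply(self, op: Op, u: int, v: int) -> int:
        """Shannon expansion on the top-most variable of u and v."""
        if u <= 1 and v <= 1:
            return int(op(bool(u), bool(v)))
        key = (op, u, v)
        if key not in self.cache:
            top = min(self._top(u), self._top(v))
            ulo, uhi = self.nodes[u][1:] if self._top(u) == top else (u, u)
            vlo, vhi = self.nodes[v][1:] if self._top(v) == top else (v, v)
            self.cache[key] = self.mk(int(top), self.apply(op, ulo, vlo),
                                      self.apply(op, uhi, vhi))
        return self.cache[key]

    def evaluate(self, u: int, assignment: Dict[int, bool]) -> bool:
        while u > 1:
            var, lo, hi = self.nodes[u]
            u = hi if assignment[var] else lo
        return bool(u)

    def count_nodes(self, roots: List[int]) -> int:
        """Size of the shared graph reachable from all roots, terminals included."""
        seen, stack = set(), list(roots)
        while stack:
            u = stack.pop()
            if u in seen:
                continue
            seen.add(u)
            if u > 1:
                stack.extend(self.nodes[u][1:])
        return len(seen)


def adder(bdd: BDD, n: int) -> Tuple[List[int], int]:
    """BDDs for sum bits s_0..s_{n-1} and the carry-out of an n-bit ripple adder.
    Order (assumption): a_{n-1} < b_{n-1} < ... < a_0 < b_0, MSB nearest the roots."""
    a = [bdd.var(2 * (n - 1 - i)) for i in range(n)]
    b = [bdd.var(2 * (n - 1 - i) + 1) for i in range(n)]
    carry, sums = bdd.FALSE, []
    for i in range(n):
        half = bdd.apply(XOR, a[i], b[i])
        sums.append(bdd.apply(XOR, half, carry))
        carry = bdd.apply(OR, bdd.apply(AND, a[i], b[i]), bdd.apply(AND, half, carry))
    return sums, carry


def shared_node_count(n: int) -> int:
    """Nodes in the multi-rooted graph holding all n + 1 adder outputs."""
    bdd = BDD()
    sums, cout = adder(bdd, n)
    return bdd.count_nodes(sums + [cout])


def adder_is_correct(n: int) -> bool:
    """Exhaustively compare the BDD outputs with integer addition."""
    bdd = BDD()
    sums, cout = adder(bdd, n)
    for x, y in itertools.product(range(2 ** n), repeat=2):
        env = {}
        for i in range(n):
            env[2 * (n - 1 - i)] = bool(x >> i & 1)
            env[2 * (n - 1 - i) + 1] = bool(y >> i & 1)
        total = sum(bdd.evaluate(sums[i], env) << i for i in range(n))
        total |= bdd.evaluate(cout, env) << n
        if total != x + y:
            return False
    return True


if __name__ == "__main__":
    for n in (4, 8, 16, 32, 64):
        print(n, shared_node_count(n))   # 31, 67, 139, 283, 571: nine nodes per bit
```

Each extra bit adds nine nodes (three for the sum bit, three for the carry and three for its complement, since this package has no complement edges), which is the linear growth the slide reports.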
Simplified Processor Example
(figure: pipeline with Reg. File, Instr Mem, PC with a +4 incrementer, IF/ID, ID/EX and EX/WB latches, ALU and control logic; instruction fields Op, Rd, Ra, Rb, Imm; operand buses Adat and Bdat; comparators (=) for the forwarding logic)
- Simplified RISC pipeline
- Register-register and register-immediate operations
- Data hazards handled by register forwarding
- Each step of operation defined by the function pipe
ISA Reference Model
(figure: the same datapath without pipeline latches: Reg. File, Instr Mem, PC with +4, ALU, control; fields Op, Rd, Ra, Rb, Imm; buses Adat and Bdat)
- Only programmer-visible state
- Much simpler control logic
- Assumed verified against the instruction set definition
- Each step of operation defined by the function spec
Abstracting Data from Bits to Integers
View data as symbolic "terms"
- Arbitrary integers: a word of bits x_0, x_1, x_2, …, x_{n-1} becomes a single symbolic value x
- Verification proves correctness of the design for all possible word sizes
- Can be stored in memories & registers
- Can be selected with multiplexors
ITE: the if-then-else operation. A multiplexor with select p and data inputs x (p = 1) and y (p = 0) computes ITE(p, x, y); ITE(T, x, y) = x and ITE(F, x, y) = y.
Abstraction via Uninterpreted Functions
For any block that transforms or evaluates data (figure: the ALU becomes f):
- Replace it with a generic, unspecified function
- The only assumed property is functional consistency: $a = x \wedge b = y \Rightarrow f(a, b) = f(x, y)$
Abstraction via Uninterpreted Functions
For any block that transforms or evaluates data:
- Replace it with a generic, unspecified function
- Also view the instruction memory as a function
(figure: the pipeline of the Simplified Processor Example with its data-transforming blocks replaced by uninterpreted functions F1, F2, F3; the control logic, latches, register fields and forwarding comparators are unchanged)
Abstracting Reference Model
(figure: the ISA reference model with the same blocks replaced by the same uninterpreted functions F1, F2, F3)
- Abstract with identical functions as in the pipeline model
EUF: Equality with Uninterpreted Functions
Decidable fragment of first-order logic
- Formulas (F), Boolean expressions: $\neg F$, $F_1 \wedge F_2$, $F_1 \vee F_2$ (Boolean connectives)
- Predicates (P), Integer → Boolean: p, an uninterpreted predicate symbol
Correctness of Pipeline
Abstraction function Abs
- Relates the state of the pipeline to program state
- The result of completing the partially executed instructions
Requirement
- One pipeline step pipe matches k instruction executions of spec, i.e. the diagram commutes:
  $\mathit{Abs}(\mathit{pipe}(Q_{\mathit{pipe}})) = \mathit{spec}^{k}(\mathit{Abs}(Q_{\mathit{pipe}}))$
  (figure: Q_pipe → pipe → Q'_pipe above, Q_spec → spec^k → Q'_spec below, with Abs mapping each pipeline state to the spec state beneath it)
- For our pipeline k = 1
- When the pipeline stalls, k = 0
- Superscalar pipelines can have k > 1
Correspondence Checking
Burch & Dill, Computer-Aided Verification '94
Exploit state structure
- State is held in memories and pipeline latches
- Memories match those of the instruction set model
- Latches hold the additional pipeline state
Pipeline state can be "flushed"
- Control logic exists to support external interrupts
- Complete the in-flight instructions without fetching any new ones
Computing Abstraction Function
Method
- Start with an arbitrary pipeline state Q_pipe
- Symbolically simulate the processor with stall asserted
- Project out all but the programmer-visible state
Effect
- The processor computes its own abstraction function!
- Compare the results of two symbolic simulations starting from the same initial state; the number of simulation steps is about the pipeline depth
- Check that the resulting user-visible states are identical
- Disjunctive acceptance condition: an extra clock cycle causes either 0 or 1 new instructions to complete
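The flushing check on a toy pipeline, as an added example that is not the slides' own code or Burch and Dill's tool: the pipeline, its ISA reference model and the abstraction function Abs are small Python functions, and the commuting-diagram condition Abs(pipe(Q)) = spec(Abs(Q)) (k = 1, since this pipeline fetches on every unstalled cycle) is checked by exhaustive enumeration of pipeline states over a finite data domain and over sampled ALU and instruction-memory tables, standing in for symbolic simulation with uninterpreted functions. The two-stage datapath, register count, data domain and the `forward` switch are assumptions of the example; switching forwarding off reproduces the classic data-hazard bug and the check returns the offending state as a counterexample.

```python
"""Burch-Dill correspondence check on a toy two-stage pipeline.

Added example (not from the slides): Abs is computed by the pipeline itself,
by stepping with stall asserted until nothing is in flight.
"""
import itertools
import random
from typing import Dict, Optional, Tuple

VALUES = range(3)   # data domain (assumption: small enough to enumerate)
NREGS = 2           # register file size
NPCS = 3            # program counters covered by the instruction memory
OPS = range(2)      # opcodes

Instr = Tuple[int, int, int, int]                       # (op, rd, ra, rb)
Alu = Dict[Tuple[int, int, int], int]                   # (op, x, y) -> result
Imem = Dict[int, Instr]
SpecState = Tuple[int, Tuple[int, ...]]                 # (pc, regs)
PipeState = Tuple[int, Tuple[int, ...], Optional[Tuple[int, int]]]  # (pc, regs, EX/WB latch)


def writeback(regs, latch):
    """Retire the latched (rd, value) into the register file."""
    if latch is None:
        return regs
    regs = list(regs)
    regs[latch[0]] = latch[1]
    return tuple(regs)


def spec_step(q: SpecState, imem: Imem, alu: Alu) -> SpecState:
    """ISA reference model: execute one instruction completely."""
    pc, regs = q
    op, rd, ra, rb = imem[pc]
    regs = list(regs)
    regs[rd] = alu[(op, regs[ra], regs[rb])]
    return pc + 1, tuple(regs)


def pipe_step(q: PipeState, imem: Imem, alu: Alu, stall: bool, forward: bool = True) -> PipeState:
    """Pipeline: the EX/WB latch holds an instruction that has executed but not
    yet written back. Operands are read while that write-back happens, so a
    source equal to the latched destination must be forwarded from the latch."""
    pc, regs, latch = q
    if stall:                                   # finish in-flight work, fetch nothing
        return pc, writeback(regs, latch), None
    op, rd, ra, rb = imem[pc]

    def operand(r):
        if forward and latch is not None and latch[0] == r:
            return latch[1]                     # bypass path
        return regs[r]                          # stale when forwarding is omitted

    value = alu[(op, operand(ra), operand(rb))]
    return pc + 1, writeback(regs, latch), (rd, value)


def abstract(q: PipeState, imem: Imem, alu: Alu, forward: bool = True) -> SpecState:
    """Abs: flush with stall asserted, then keep only programmer-visible state."""
    while q[2] is not None:
        q = pipe_step(q, imem, alu, stall=True, forward=forward)
    return q[0], q[1]


def all_pipe_states():
    """Every (pc, regs, latch) combination over the finite domain."""
    for pc in range(NPCS):
        for regs in itertools.product(VALUES, repeat=NREGS):
            yield pc, regs, None
            for rd, v in itertools.product(range(NREGS), VALUES):
                yield pc, regs, (rd, v)


def random_tables(rng: random.Random):
    """Sampled stand-ins for the uninterpreted ALU and instruction memory."""
    alu = {(op, x, y): rng.choice(VALUES) for op in OPS for x in VALUES for y in VALUES}
    imem = {pc: (rng.choice(OPS), rng.randrange(NREGS), rng.randrange(NREGS), rng.randrange(NREGS))
            for pc in range(NPCS)}
    return alu, imem


def check_correspondence(forward: bool = True, samples: int = 25, seed: int = 1):
    """Burch-Dill check with k = 1: Abs(pipe(Q)) == spec(Abs(Q)) for every Q.
    Returns None when the diagram commutes, else a counterexample."""
    rng = random.Random(seed)
    for _ in range(samples):
        alu, imem = random_tables(rng)
        for q in all_pipe_states():
            via_pipe = abstract(pipe_step(q, imem, alu, stall=False, forward=forward), imem, alu, forward)
            via_spec = spec_step(abstract(q, imem, alu, forward), imem, alu)
            if via_pipe != via_spec:
                return {"state": q, "instr": imem[q[0]], "pipe": via_pipe, "spec": via_spec}
    return None


if __name__ == "__main__":
    print("with forwarding:", check_correspondence(forward=True))
    print("without forwarding:", check_correspondence(forward=False))
```

Every counterexample for the non-forwarding variant has an instruction in the latch whose destination is one of the fetched instruction's source registers, which is exactly the hazard the forwarding comparators in the pipeline figure exist to catch.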
Using BDD Evaluation to Prove Tautology
Circuit     BDD Vars.  BDD Nodes  CPU Secs.
1xDLX           63        2,127        0.2
2xDLX-CC       173       51,826         20
2xDLX-*        418      986,740      2,635

Using SAT Checkers to Prove Tautology
Chaff (Malik, Princeton): major advances in the last few years
Circuit     CNF Vars.  Clauses  CPU Secs.
2xDLX-*       4,583    41,704         22
An Out-of-order Processor (OOO)
- Data dependencies resolved by register renaming: a mapping from register ID to the instruction in the reorder buffer that will generate the register value
- In-order retirement managed by the retirement buffer: a FIFO buffer keeping pending instructions in program order
Decision procedure (Bryant, Lahiri, Seshia [CAV02]); the resulting propositional formula is checked with BDD or SAT tools:
CLU formula → lambda expansion → λ-free formula → function & predicate elimination → function-free formula → conversion to a Boolean formula → Boolean formula → Boolean satisfiability
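The function-elimination stage of this flow, and the functional-consistency property assumed of an uninterpreted block on the "Abstraction via Uninterpreted Functions" slide, as an added example that is not UCLID's code: every application f(t1, …, tk) is replaced by a fresh integer variable and the constraint "equal arguments imply equal results" is added for each pair of applications of the same symbol (Ackermann's reduction). Instead of the Boolean encoding used by the slides, validity of the resulting equality-logic formula is then decided by enumerating all assignments over a domain of n values, n being the number of variables; that is sound and complete for the equality fragment because any counter-model can be collapsed to one with at most n distinct values. The tuple syntax and the three sample formulas are constructed for the example; succ/pred, predicates and lambdas are not covered.

```python
"""EUF validity by uninterpreted-function elimination and finite instantiation.

Added example (not from the slides). Syntax, constructed here:
  ('var', name)                  integer variable
  ('app', fname, (t1, ..., tk))  uninterpreted function application
  ('ite', phi, t1, t2)           if-then-else term
  ('eq', t1, t2)                 equation
  ('not', phi) ('and', p, q) ('or', p, q) ('imp', p, q) ('true',)
"""
import itertools
from typing import Any, Dict, List, Set, Tuple

Node = Tuple[Any, ...]


def var(name): return ('var', name)
def app(f, *args): return ('app', f, tuple(args))
def eq(s, t): return ('eq', s, t)
def imp(p, q): return ('imp', p, q)


def conj(phis):
    out: Node = ('true',)
    for p in phis:
        out = p if out == ('true',) else ('and', out, p)
    return out


def children(node: Node):
    tag = node[0]
    if tag == 'app':
        return node[2]
    return () if tag in ('var', 'true') else node[1:]


def collect_apps(node: Node, apps: List[Node]):
    """All distinct function applications, innermost first."""
    for c in children(node):
        collect_apps(c, apps)
    if node[0] == 'app' and node not in apps:
        apps.append(node)


def free_vars(node: Node, acc: Set[str]) -> Set[str]:
    if node[0] == 'var':
        acc.add(node[1])
    for c in children(node):
        free_vars(c, acc)
    return acc


def eliminate_functions(phi: Node) -> Tuple[Node, Node]:
    """Ackermann reduction: (functional-consistency constraints, function-free phi)."""
    apps: List[Node] = []
    collect_apps(phi, apps)
    fresh = {a: var(f"_{a[1]}{i}") for i, a in enumerate(apps)}

    def subst(node: Node) -> Node:
        if node[0] == 'app':
            return fresh[node]
        if node[0] in ('var', 'true'):
            return node
        return (node[0],) + tuple(subst(c) for c in node[1:])

    cons = []
    for p, q in itertools.combinations(apps, 2):
        if p[1] == q[1] and len(p[2]) == len(q[2]):        # same symbol and arity
            same_args = conj([eq(subst(s), subst(t)) for s, t in zip(p[2], q[2])])
            cons.append(imp(same_args, eq(fresh[p], fresh[q])))
    return conj(cons), subst(phi)


def evaluate(node: Node, env: Dict[str, int]):
    tag = node[0]
    if tag == 'var':
        return env[node[1]]
    if tag == 'true':
        return True
    if tag == 'ite':
        return evaluate(node[2], env) if evaluate(node[1], env) else evaluate(node[3], env)
    if tag == 'eq':
        return evaluate(node[1], env) == evaluate(node[2], env)
    if tag == 'not':
        return not evaluate(node[1], env)
    if tag == 'and':
        return evaluate(node[1], env) and evaluate(node[2], env)
    if tag == 'or':
        return evaluate(node[1], env) or evaluate(node[2], env)
    if tag == 'imp':
        return (not evaluate(node[1], env)) or evaluate(node[2], env)
    raise ValueError(f"unknown node {tag}")


def is_valid(phi: Node):
    """(True, None) if phi is valid in EUF, else (False, counter-model)."""
    cons, core = eliminate_functions(phi)
    goal = imp(cons, core)
    names = sorted(free_vars(goal, set()))
    domain = range(max(1, len(names)))           # small-model bound for equality logic
    for vals in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if not evaluate(goal, env):
            return False, env
    return True, None


a, b, x, y = var('a'), var('b'), var('x'), var('y')
# Functional consistency, the one property assumed of an uninterpreted block.
CONSISTENCY = imp(('and', eq(a, x), eq(b, y)), eq(app('f', a, b), app('f', x, y)))
# The converse is not valid: equal outputs need not come from equal inputs.
INJECTIVE = imp(eq(app('f', x), app('f', y)), eq(x, y))
# ITE inside an application: ITE(x = y, x, y) always selects y, so f(...) = f(y).
VIA_ITE = eq(app('f', ('ite', eq(x, y), x, y)), app('f', y))

if __name__ == "__main__":
    for name, phi in [("consistency", CONSISTENCY), ("injective", INJECTIVE), ("via_ite", VIA_ITE)]:
        print(name, is_valid(phi))
```

The counter-model returned for INJECTIVE assigns x and y different values while giving the two fresh result variables the same value, which is exactly what an uninterpreted f is allowed to do.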
Finite Model Property for CLU
Observation
- Need to encode all possible relative orderings of expressions
- Each symbolic value has a maximum range of increments & decrements
- Can use Boolean encodings of small integer ranges
Example: a formula over x and y whose atoms compare x with y and assert succ(x) > pred(y) (the connectives were lost in extraction). The figure shows the possible relative orderings of x, x+1, y−1 and y on a number line, e.g. x = 0, y = 3 (x+1 below y−1) and x = 2, y = 1 (y below x); only these orderings, not the unbounded integer values, matter for the formula.
Verification Techniques in UCLID
Bounded property checking
- Start in the reset state and symbolically simulate for a fixed number of steps
- Verify a safety property for all states reachable within the fixed number of steps from the start state
Correspondence checking
- Run 2 different simulations starting in the most general state and prove that the final states are equivalent (e.g. the Burch-Dill technique)
Invariant checking
- Start in a general state s and prove $\mathit{Inv}(s) \Rightarrow \mathit{Inv}(\mathit{next}[s])$
- Limited support for automatic quantifier instantiation
Verification of OOO: Automation vs. Guarantee
Presence of a decision procedure
- Efficiency: allows improved bounded property checking and the Burch-Dill method
- Automation: reduces the manual guidance needed to prove invariants; automatic instantiation of quantifiers

Method                        Resources   Verification (# of steps)   Auxiliary variables   Invariants
Bounded Property Checking     Unbounded   Bounded                     None                  None
Burch-Dill Technique          Fixed       Unbounded                   None                  Very few
Inductive Invariant Checking  Unbounded   Unbounded                   Significant           Significant, including those for auxiliary variables
SVC (Stanford): another decision procedure to solve CLU formulas; can decide a more expressive class. CVC (successor of SVC) runs out of memory on the larger cases.

Model     steps  terms  Term formula size  Prop. formula size  UCLID time (s)  SVC time (s)
OOO unit     10     59               2566               15290            10.8       233.18
             14     87               7480               62504           76.55      > 5 hrs
             20    129              19921              263413         1679.12      > 1 day
Elf™          6     33                218                 942             1.2         10.9
              8     70               1085                4481             8.4       1851.6
             10    104               2467               16453            30.6      > 1 day
             12    149               4553               54288           111.0      > 1 day
Burch-Dill Technique for OOO
- Exponential blowup with the number of ROB entries
- Limited to r = 8 entries currently; r = 8 finished after case-splitting in 2.5 hrs
Deriving the inductive invariants
- Requires additional (auxiliary) variables to express the invariants
- Auxiliary variables do not affect system operation
Proving that the invariants are inductive
- Automated proof of invariants in UCLID
- Eliminates the need for a large (often fragile) proof script
Restricted Invariants and Proofs
Restricted classes of invariants
- $\forall x_1 x_2 \ldots x_k\; \varphi(x_1 \ldots x_k)$
- $\varphi(x_1 \ldots x_k)$ is a CLU formula without quantifiers
- $x_1 \ldots x_k$ are integer variables free in $\varphi(x_1 \ldots x_k)$
Proving these invariants requires quantifiers
- The proof obligation is $\forall x_1 x_2 \ldots x_k\; \varphi(x_1 \ldots x_k) \;\Rightarrow\; \forall y_1 y_2 \ldots y_m\; \psi(y_1 \ldots y_m)$
- Treating $y_1 \ldots y_m$ as fresh constants, this becomes $\exists x_1 x_2 \ldots x_k\; [\varphi(x_1 \ldots x_k) \Rightarrow \psi(y_1 \ldots y_m)]$
Automatic instantiation of $x_1 \ldots x_k$ with concrete terms
- Sound but incomplete method
Reduce the quantified formula to a CLU formula
- Can then use the decision procedure for CLU
Proving Invariants
Proved automatically
- Quantifier instantiation was sufficient in these cases
- Relieves the user of writing proof scripts to discharge the proofs
- Time spent = 54 s on a 1.4 GHz machine; total effort = 2 person-days