Formal Verification of Pipelined Processors - PowerPoint PPT Presentation

About This Presentation
Title:

Formal Verification of Pipelined Processors

Description:

Verification Task. Abstracted representation of data manipulation ... Initial memory state represented by uninterpreted function fM. Write(a1, d1); Write(a2, d2) ... – PowerPoint PPT presentation

Slides: 36
Provided by: RandalE9
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

Title: Formal Verification of Pipelined Processors


1
Exploiting Positive Equality in a Logic
of Equality with Uninterpreted Functions
Randal E. Bryant, Steven German, Miroslav Velev
Carnegie Mellon University, IBM
http://www.cs.cmu.edu/~bryant
2
Outline
  • Application Domain
  • Verify correctness of a pipelined processor
  • Based on Burch-Dill correspondence checking
  • Burch & Dill, CAV 94
  • Verification Task
  • Abstracted representation of data manipulation
  • Must decide validity of formula in logic of
    Equality with Uninterpreted Functions (EUF)
  • New Contribution
  • Exploit properties of formulas to reduce
    verification complexity
  • Significant performance improvement when modeling
    microprocessor operation

3
Microprocessor Modeling
  • Simplified RISC pipeline
  • Described at RTL level
  • Words viewed as bit vectors
  • Bit-level functionality

4
Abstracting Data
(Figure: a data word with bits x0, x1, x2, …, xn-1, abstracted to a single symbolic term)
  • View Data as Symbolic Terms
  • No particular properties or operations
  • Except for equations x = y
  • Can store in memories registers
  • Can select with multiplexors
  • ITE If-Then-Else operation

5
Abstraction Via Uninterpreted Functions
(Figure: function blocks F1, F2, F3 of the datapath, each replaced by an uninterpreted function)
  • For any Block that Transforms or Evaluates Data
  • Replace with generic, unspecified function
  • Assume functional consistency
  • x = y ⇒ f(x) = f(y)

6
Decision Problem
  • Logic of Equality with Uninterpreted Functions
    (EUF)
  • Domain Values
  • Solid lines
  • Uninterpreted functions
  • If-Then-Else operation
  • Truth Values
  • Dashed Lines
  • Uninterpreted predicates
  • Logical connectives
  • Equations
  • Task
  • Determine whether formula is universally valid
  • True for all interpretations of variables and
    function symbols

7
Some History
  • Ackermann, 1954
  • Quantifier-free decision problem can be decided
    based on finite instantiations
  • Automatic Theorem Proving
  • Tradition of using uninterpreted functions when
    modeling hardware
  • E.g., Warren Hunt, 1985
  • Burch Dill, CAV 94
  • Automatic decision procedure
  • Davis-Putnam enumeration
  • Congruence closure to enforce functional
    consistency
  • Verified single-issue DLX
  • Simple 5-stage RISC pipeline
  • Becomes less effective for more complex
    processors
  • Burch, DAC 96 and FMCAD 96

8
Previous Attempts to Use BDDs
  • Hojati, et al., IWLS 97
  • Generate binary encodings of limited-range
    integer variables
  • Hit exponential blow-up
  • Goel, et al., CAV 98
  • Encode equality relation among variables as
    propositional variables
  • Results not compelling
  • Velev & Bryant, FMCAD 98
  • Work with modified RTL model
  • Replace memory function blocks with special
    behavioral blocks
  • Exponential blow-up for processor with branch or
    load/store instructions

9
Why Did BDDs Fail?
  • Result of Load instruction used in address
    computation
  • Similar effect for branch instruction
  • Impossible to have good BDD variable ordering
  • Variables encoding addresses must precede those
    encoding data
  • Leads to circular constraints on ordering

(Figure: data memory with Address and Data ports, whose data output feeds back through the pipeline logic into a later address computation)
10
Decision Problem Example 1
11
EUF Syntax
  • Logic of Equality with Uninterpreted Functions
  • Terms
  • ITE(F, T1, T2): if-then-else
  • f(T1, …, Tk): function application
  • Formulas
  • ¬F, F1 ∧ F2, F1 ∨ F2: Boolean connectives
  • T1 = T2: equation
  • p(T1, …, Tk): predicate application
  • Special Cases
  • v: domain variable (order-0 function)
  • a: propositional variable (order-0 predicate)

12
PEUF Syntax
  • Logic of Positive Equality with Uninterpreted
    Functions
  • Formulas (General)
  • ¬F, F1 ∧ F2, F1 ∨ F2
  • GT1 = GT2
  • p(PT1, …, PTk)
  • P-Formulas (Special)
  • F (any general formula)
  • PF1 ∧ PF2, PF1 ∨ PF2
  • PT1 = PT2
  • Key Properties
  • P-formulas cannot be negated, so they cannot control
    ITEs
  • P-terms only used as funct. args. and in positive
    equations
  • Applications of p-function symbols occur only in
    p-terms

  • G-Terms (General)
  • ITE(F, GT1, GT2)
  • fg(PT1, …, PTk)
  • P-Terms (Special)
  • GT
  • ITE(F, PT1, PT2)
  • fp(PT1, …, PTk)
13
Analyzing Example 1
(Figure: the formula tree of Example 1, built from negation and disjunction over equations on applications of g and h to x and y, with its formulas, g-terms, p-formulas and p-terms marked)
  • P-Function Symbols
  • g, h
  • G-Function Symbols
  • Appear in negated equation
  • x, y

14
Example 2
15
Analyzing Example 2
(Figure: the formula of Example 2 with its g-terms, p-formula and p-terms marked)
  • ITE control must be formula
  • Interesting things happen when false

16
Maximally Diverse Interpretations
  • P-Function Symbols
  • Equal results only for equal arguments
  • G-Function Symbols
  • Potentially yield equal results for unequal
    arguments
  • Property
  • Formula valid only if true under all maximally
    diverse interpretations

  Terms               Equal?
  x = y               Potentially
  g(x) = g(y)         Only if x = y
  g(x) = y            No
  g(g(x)) = g(y)      No
  g(g(x)) = g(x)      No
17
Justification of Maximal Diversity Property
  • Key Argument
  • For every interpretation I, there is a maximally
    diverse interpretation I′ such that I′ ⊨ F ⇒ I ⊨ F

18
Equations in Processor Verification
  • Data Types and Their Equations
  • Register Ids: control stalling and forwarding
  • Addresses for register file
  • Instruction Address: only top-level verification
    condition
  • Program Data: only top-level verification condition

19
Modeling Memories
  • Conventional Expansion of Memory Operations
  • Effects of writes represented as nested ITEs
  • Initial memory state represented by uninterpreted
    function fM

Write(a1, d1); Write(a2, d2); Write(a3, d3); Read(a)
  • Problem
  • Equations over addresses control ITEs
  • Addresses must be g-terms
  • OK for register file, but not for data memory

20
Data Memory Modeling
  • Generic State Machine
  • Memory state represented as term
  • Initial state given by variable vM
  • Write operation causes arbitrary state change
  • Uninterpreted function fu
  • Read operation: function of address and state
  • Uninterpreted function fr

(Figure: memory as a generic state machine with Read and Write operations)
21
Data Memory Modeling (Cont.)
Write(a1, d1); Write(a2, d2); Write(a3, d3); Read(a)
  • No equations over addresses!
  • Can keep as p-terms
  • Limitations
  • Does not capture full semantics of memory
  • Only works when processor preserves program order
    for:
  • Writes relative to each other
  • Reads relative to writes
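
As an added example (not from the slides or the authors' tool), the following Python builds the two memory models of slides 19 to 21 as terms and classifies their symbols into p- and g-function symbols by the PEUF grammar of slide 12; the tuple syntax and the helper names are assumptions of this example.

```python
# Constructed syntax for this example: terms are ('var', name), ('app', f, [args])
# or ('ite', formula, t1, t2); formulas are ('eq', t1, t2), ('not', F), ('and', F, G), ('or', F, G).
def classify(formula):
    """Split symbols into p- and g-function symbols per the PEUF grammar (slide 12):
    a symbol is a g-function symbol if one of its applications (variables count as
    order-0 applications) is an operand of a negated or ITE-controlling equation."""
    psyms, gsyms = set(), set()
    def term(t, gpos):                      # gpos: True in a g-term position
        if t[0] in ('var', 'app'):
            (gsyms if gpos else psyms).add(t[1])
        if t[0] == 'app':
            for a in t[2]:
                term(a, False)              # function arguments are always p-term positions
        elif t[0] == 'ite':                 # the control of an ITE is a general formula
            form(t[1], False)
            term(t[2], gpos)
            term(t[3], gpos)
    def form(f, positive):                  # positive: still inside the p-formula fragment
        if f[0] == 'eq':                    # positive equation: p-terms; otherwise g-terms
            for t in f[1:]:
                term(t, not positive)
        elif f[0] == 'not':
            form(f[1], False)
        else:                               # and / or keep the current context
            for g in f[1:]:
                form(g, positive)
    form(formula, True)
    return {'p': sorted(psyms - gsyms), 'g': sorted(gsyms)}

def v(name):
    return ('var', name)

def conventional_read(addr, writes):
    """Slide 19: writes become nested ITEs over address equations above fM(addr)."""
    result = ('app', 'fM', [v(addr)])
    for a, d in writes:                     # later writes shadow earlier ones
        result = ('ite', ('eq', v(addr), v(a)), v(d), result)
    return result

def state_machine_read(addr, writes):
    """Slides 20-21: writes map the state term through fu, reads apply fr."""
    state = v('vM')
    for a, d in writes:
        state = ('app', 'fu', [state, v(a), v(d)])
    return ('app', 'fr', [state, v(addr)])

WRITES = [('a1', 'd1'), ('a2', 'd2'), ('a3', 'd3')]   # constructed sequence from slide 19

def compare():
    spec = v('expected')                    # stand-in for the specification's read value
    return (classify(('eq', conventional_read('a', WRITES), spec)),
            classify(('eq', state_machine_read('a', WRITES), spec)))
```

In the conventional expansion the addresses a, a1, a2, a3 land in ITE controls and are forced to be g-function symbols, while the state-machine model leaves every symbol a p-function symbol.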

22
Function Symbols in Processor Verification
  • G-Function Symbols
  • Register Ids
  • 20--25% of function applications
  • P-Function Symbols
  • Program data
  • Data and instruction addresses
  • Opcodes
  • 75--80% of function applications
  • Effect
  • Breaks dependency loop that caused exponential
    blow-up

23
Decision Procedure
  • Steps
  • Eliminate function applications
  • Assign limited ranges to domain variables
  • Encode domain variables as bit vectors
  • Translate into propositional logic

24
Eliminating Function Applications
  • Replacing Application
  • Introduce new domain variable
  • Nested ITE structure maintains functional
    consistency

25
Exploiting Positive Equality
  • Property
  • P-function symbol f
  • Introduce variables vf1, …, vfn during
    elimination
  • Consider only diverse interpretations for
    variables vf1, …, vfn
  • vfi ≠ v for any other variable v
  • Example
  • Assuming vf1 ≠ vf2

26
Compare: Ackermann's Method
  • Replacing Application
  • Introduce new domain variable
  • Enforce functional consistency by global
    constraints
  • Unclear how to generate diverse interpretations

27
Eliminating Function Symbol g
28
Eliminate Function Symbol h
  • Final Form
  • Only domain and propositional variables

29
Instantiating Variables
(Figure: instantiation table assigning x the value 0, the variables vg1, vg2, vg3, vh1, vh2 the distinct values 2 through 6, and y the two cases 0 and 1)
  • Can assign fixed interpretations to variables
    arising from eliminating p-function applications
  • Need to consider only two different cases
  • y = 0 vs. y = 1

30
Evaluating Formula
(Figure: the formula tree of Example 1 evaluated under the instantiation table, each node annotated with T or F)
  • Actual implementation uses BDD evaluation
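
As an added example covering the decision procedure of slides 23 through 30 (not code from the slides or the authors' tool), this Python implements the nested-ITE function elimination of slide 24 and the diversity-based validity check of slides 25 and 29 on the functional-consistency formula and its converse; the tuple syntax, the names eliminate, ev, valid and the small domain size are assumptions of this example.

```python
from functools import reduce
from itertools import product
# Constructed syntax for this example: terms are ('var', name), ('app', f, [args])
# or ('ite', formula, t1, t2); formulas are ('eq', t1, t2), ('not', F), ('and', F, G), ('or', F, G).
def eliminate(node, f, seen=None):
    """Slide 24: replace each application of f, in order of first appearance, by a
    fresh variable nested in ITEs over argument equalities, which keeps functional
    consistency without Ackermann-style side constraints."""
    seen = [] if seen is None else seen                   # (args, fresh variable) so far
    if node[0] == 'var':
        return node
    if node[0] == 'app':
        args = [eliminate(a, f, seen) for a in node[2]]   # inner applications first
        if node[1] != f:
            return ('app', node[1], args)
        result = fresh = ('var', f'v{f}{len(seen) + 1}')
        for prev_args, prev_var in reversed(seen):        # ITE(args = prev_args, prev_var, ...)
            cond = reduce(lambda p, q: ('and', p, q), [('eq', a, b) for a, b in zip(args, prev_args)])
            result = ('ite', cond, prev_var, result)
        seen.append((args, fresh))
        return result
    return (node[0],) + tuple(eliminate(c, f, seen) for c in node[1:])   # eq / not / and / or / ite

def ev(node, env):
    """Evaluate a function-free term or formula under the assignment env."""
    if node[0] == 'var':
        return env[node[1]]
    vals = [ev(c, env) for c in node[1:]]
    return {'eq': lambda: vals[0] == vals[1], 'not': lambda: not vals[0],
            'and': lambda: vals[0] and vals[1], 'or': lambda: vals[0] or vals[1],
            'ite': lambda: vals[1] if vals[0] else vals[2]}[node[0]]()

def valid(formula, gvars, pvars, size=2):
    """Slides 25 and 29: variables from eliminated p-function applications get fixed,
    pairwise distinct values outside range(size); only gvars are enumerated."""
    fixed = {name: size + i for i, name in enumerate(pvars)}
    return all(ev(formula, {**fixed, **dict(zip(gvars, vals))})
               for vals in product(range(size), repeat=len(gvars)))

X, Y = ('var', 'x'), ('var', 'y')
FX, FY = ('app', 'f', [X]), ('app', 'f', [Y])
# x = y => f(x) = f(y): the f-equation is positive, so f is a p-function symbol.
CONSISTENCY = ('or', ('not', ('eq', X, Y)), ('eq', FX, FY))
# f(x) = f(y) => x = y: the f-equation is negated, so f is a g-function symbol and vf1, vf2 may coincide.
CONVERSE = ('or', ('not', ('eq', FX, FY)), ('eq', X, Y))
def demo():
    e1 = eliminate(CONSISTENCY, 'f')    # not(x = y) or vf1 = ITE(y = x, vf1, vf2)
    e2 = eliminate(CONVERSE, 'f')
    return valid(e1, ['x', 'y'], ['vf1', 'vf2']), valid(e2, ['x', 'y', 'vf1', 'vf2'], [])
```

For the consistency formula only the four cases over x and y are enumerated; for the converse, f is a g-function symbol, so vf1 and vf2 must range over the domain as well and the check finds the falsifying case.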

31
Pnueli, et al., CAV 99
  • Similarities
  • Examine structure of equations
  • Whether used in positive or negative form
  • Exploit structure to limit variable domains
  • Differences in Their Approach
  • Examine equation structure after function
    applications eliminated
  • Use Ackermann's method to eliminate function
    applications

32
Ackermann's Method Example
  • Many more equations
  • 2 → 8
  • P-formula / P-term structure destroyed

33
Comparison to Pnueli, et al.
  • Relative Advantage of Their Method
  • Better at exploiting equation structure among
    g-terms
  • Worse at exploiting structure among p-terms

34
Experimental Results
  • Verify Modified RTL Circuits
  • Replace memories, latches, and function blocks by
    special functional models.
  • Bryant & Velev, FMCAD 98
  • Small modification to generate fixed bit patterns
    for p-function block
  • Simplified MIPS Processor
  • Reg-Reg, and Reg-Immediate only
  • Before: 48 s / 7 MB; After: 6 s / 2 MB
  • RR, RI, Load/Store
  • Before: Space-Out; After: 12 s / 1.8 MB
  • RR, RI, L/S, Branch
  • Before: Space-Out; After: 169 s / 7.5 MB

35
Conclusion
  • Exploiting Positive Equality
  • Greatly reduces number of interpretations to
    consider
  • Our function elimination scheme provides encoding
    mechanism
  • Enables verification of complete processor using
    BDDs
  • Ongoing Work
  • New implementation using pure term-level models
  • Velev & Bryant, CHARME 99
  • Single-issue DLX now takes 0.15 s.
  • Dual-issue DLX takes 35 s.