Formal Verification of Pipelined Processors - PowerPoint PPT Presentation
Slides: 42
Provided by: RandalE9
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

1
Symbolic Approaches to Invariant Checking and
Automatic Predicate Abstraction
Randal E. Bryant
Carnegie Mellon University
http://www.cs.cmu.edu/~bryant
Contributions by graduate students Sanjit Seshia and Shuvendu Lahiri
2
Outline
  • Task
    • Prove safety properties of term-level systems
  • Method
    • Generate & prove inductive invariants by predicate abstraction
  • Features
    • Symbolic approach using SAT enumeration
    • Handles important class of quantified predicates
    • Augment with automated predicate discovery

3
Verifying Safety Properties
[Figure: reset states, the reachable states grown from them, and the bad states]
  • State Machine Model
    • State encoded as Booleans, integers, and functions
    • Next-state function expresses how the state is updated on each step
  • Prove system will never reach a bad state

4
True Model Checking
[Figure: reset states, then R1, R2, ... expanding toward the bad states]
  • Reach Fixed-Point
    • Rn = Rn+1 = reachable states
  • Impractical for Term-Level Models
    • Many systems never reach a fixed point
      • Can keep adding elements to a buffer
    • Convergence test undecidable

5
Inductive Invariant Checking
[Figure: reset states, reachable states, bad states]
  • Key properties of system that make it operate correctly
    • Formulate as formula I
  • Prove Inductive
    • Holds initially: I(s0)
    • Preserved by all state changes: I(s) → I(δ(i, s))

6
Inductive Invariants
  • Formulas I1, …, In
    • Ij(s0) holds for any initial state s0, for 1 ≤ j ≤ n
    • I1(s) ∧ I2(s) ∧ … ∧ In(s) → Ij(s′) for any current state s and successor state s′, for 1 ≤ j ≤ n
  • Overall Correctness
    • Follows by induction on time
  • Restricted form of invariants
    • ∀x1 ∀x2 … ∀xk φ(x1, …, xk)
    • φ(x1, …, xk) is a CLU formula without quantifiers
    • x1, …, xk are integer variables free in φ(x1, …, xk)

7
Restricted Invariants and Proofs
  • Proving invariants inductive requires quantifiers
    • (∀x1 ∀x2 … ∀xk φ(x1, …, xk)) → ∀y1 ∀y2 … ∀ym ψ(y1, …, ym)
    • ≡ ∃x1 ∃x2 … ∃xk ¬φ(x1, …, xk) ∨ ∀y1 ∀y2 … ∀ym ψ(y1, …, ym)
  • Universally quantified variables become free
    • Validity proves the formula holds for all interpretations
  • Existentially quantified variables make the problem undecidable
  • Automatic instantiation of x1, …, xk with concrete terms
    • Sound but incomplete method
    • Reduces the quantified formula to a CLU formula
    • Can use the decision procedure for CLU

8
Constructing Invariants from Predicates
  • Predicates (boxes in the figure)
    • reg.valid(r)
    • reg.tag(r) = t
    • rob.dest(t) = r
    • rob.head ≤ reg.tag(r)
  • Recipe: combine predicates into invariants
    • ∀r,t. ¬reg.valid(r) ∧ reg.tag(r) = t → (rob.head ≤ reg.tag(r) < rob.tail ∧ rob.dest(t) = r)
  • Result Correctness
    • A register whose value is still pending carries a tag inside the ROB window, and that ROB entry is destined for the register
9
Automatic Predicate Abstraction
  • Graf & Saïdi, CAV 97
  • Idea
    • Given set of predicates P1(s), …, Pk(s)
      • Boolean formulas describing properties of system state
    • View as abstraction mapping: States → {0,1}^k
    • Defines abstract FSM over state set {0,1}^k
      • Form of abstract interpretation
    • Do reachability analysis similar to symbolic model checking
  • Implementation
    • Early ones had weak inference capabilities
      • Call theorem prover or decision procedure to test each potential transition
    • Recent ones make better use of symbolic encodings

10
Abstract State Space
[Figure: abstraction maps concrete states to abstract states; concretization maps abstract states back to concrete states]
11
Abstract State Machine
[Figure: concrete system and its abstract system side by side]
  • Transitions in abstract system mirror those in concrete system

12
Generating Concrete Invariant
  • Reach fixed-point on abstract system
    • Termination guaranteed, since finite state
  • Equivalent to computing invariant for concrete system
    • Strongest possible invariant that can be expressed by a formula over these predicates
[Figure: reached set of the abstract system]
13
Predicate Abstraction Example
  • State Space
    • State variables x, y
  • Initial State
    • (2, 1)
  • Next State Behavior
    • x → −x
    • y → −y
  • Verification Task
    • Prove all bad states unreachable
[Figure: (x, y) plane showing the initial state and the bad states]
14
Precise Analysis
  • Reachable States
    • (2, 1), (−2, −1)
[Figure: the two reachable points and the bad states]
15
Predicates
  • Use 3-valued predicates in this example: c(x,3), c(x,y), c(y,0), each taking the value L (less), E (equal) or G (greater)

16
Abstract Initial State
Reached Set 0 = {LGG}   (initial state (2, 1): x < 3, x > y, y > 0)
17
Step 1: Concretize Reached Set 0
Reached Set 0 = {LGG}
  c(x,3)  c(x,y)  c(y,0)
    L       G       G
18
Compute Possible Successor States
x → −x, y → −y
19
Abstract Newly Reached States
  c(x,3)  c(x,y)  c(y,0)
    L       L       L        (successor (−2, −1) of (2, 1))
Reached Set 1 = {LLL, LGG}
20
Step 2: Concretize Reached Set 1
Reached Set 1 = {LLL, LGG}
  c(x,3)  c(x,y)  c(y,0)
    L       L       L
    L       G       G
21
Compute Possible Successor States
x → −x, y → −y
22
Abstract Newly Reached States
Reached Set 2 = {LLL, LGG, EGG, GGG}
23
Final Reached State Set
  {EGG, LGG, GGG, LLL}
[Figure: the four reached abstract states drawn against the bad states]
24
Conventional Implementation of P.A.
  • Basis
    • Abstract state sets described as formulas over Boolean variables B = {b1, …, bk}
    • Current state given by formula φ(b1, …, bk)
    • Check whether candidate state ψ(b1, …, bk) is a successor
[Figure: φ and ψ in the abstract system; their concretizations in the concrete system; question: do the concrete successors of φ intersect the concretization of ψ?]
25
Drawbacks of Conventional Implementation
  • Intersection test: is φ⟨P/B⟩ ∧ ψ⟨P/B⟩⟨δ/S⟩ satisfiable? (substitute the predicates P for the abstract variables B, and the next-state function δ for the state variables S)
  • Very Slow
    • Guess at possible next state
    • Construct term-level formula and test for satisfiability
    • Possibly 2^k calls to decision procedure
  • Can only handle propositional predicates
    • Cannot construct quantified invariants

26
Symbolic Approach to P.A.
  • Lahiri, Bryant & Cook, CAV 2003
  • Generate quantified formula describing next abstract state set
    • Current state given by formula φ(B)
    • Generate formula φ′(B) describing all successors
[Figure: φ and its successor set φ′ in the abstract system]
27
Symbolic Approach (cont.)
  • Transform into Quantified Boolean Formula
    • Formula of form Next(B) = ∃S, X. φ(S, X, B)
      • S, X: integer and function variables
      • B: abstract state variables
    • Translate into Boolean formula of form ∃A. ψ(A, B)
      • A: Boolean variables encoding integer & function values
  • Key Property
    • For each assignment to B: φ(S, X, B) satisfiable ⟺ ψ(A, B) satisfiable
  • Solve using either SAT enumeration or BDD quantification

28
Symbolic Formulation of Step 2
  l1 ≡ x < 3    g1 ≡ x > 3
  l2 ≡ x < y    g2 ≡ x > y
  l3 ≡ y < 0    g3 ≡ y > 0
Reached Set 1 = {LLL, LGG}
  • Concretized State Set
    • Encode each 3-valued (L, E, G) predicate with 2 Boolean variables (l, g): L ≡ l ∧ ¬g, E ≡ ¬l ∧ ¬g, G ≡ ¬l ∧ g
    • Represent state set as formula
      • (l1 ∧ ¬g1 ∧ l2 ∧ ¬g2 ∧ l3 ∧ ¬g3)
      • ∨ (l1 ∧ ¬g1 ∧ ¬l2 ∧ g2 ∧ ¬l3 ∧ g3)

29
Next-State Predicates
  • Next state (x′, y′)
    • Get predicates l′1, l′2, l′3, g′1, g′2, g′3
  • Determine conditions under which predicates will hold in next state
    • Express in terms of current state (x, y)

30
Consistency Constraints
  • Eliminate impossible predicate combinations (e.g., l and g both true for the same comparison)
  • In general, may need to introduce additional variables
    • To express more complex transitivity constraints

31
Symbolic Form
  • Formulation
  • Express compatible combinations of current-state & next-state variables
  • Quantify out current-state variables
  • Gives formula over next-state variables

32
Extracting Next-State Set
  • Run SAT checker over formula
  • Generate blocking clause for each newly generated state
  • Formula for step 2 (current-state set ∧ transition constraints):
    • [(l1 ∧ ¬g1 ∧ l2 ∧ ¬g2 ∧ l3 ∧ ¬g3)
    • ∨ (l1 ∧ ¬g1 ∧ ¬l2 ∧ g2 ∧ ¬l3 ∧ g3)]
    • ∧ ¬(g1 ∧ g′1) ∧ ¬(g′1 ∧ l′1) ∧ (g2 ∧ g3 → l′1)
    • ∧ (l2 ↔ g′2) ∧ (g2 ↔ l′2)
    • ∧ (l3 ↔ g′3) ∧ (g3 ↔ l′3)
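The worked example of slides 13 to 23 and its symbolic formulation on slides 28 to 32, carried out in code. This is an added illustration, not code from the talk or from the authors' tool. The abstraction function, the (l, g) encoding of the three-valued predicates and the transition constraints are the ones on the slides; the SAT solver and its blocking clauses are replaced by brute-force enumeration over the 12 Boolean variables, the `trans` constraints are transcribed by hand rather than derived by a CLU decision procedure, and the integer window used by the final sanity check is an arbitrary choice. All function names are mine.

```python
"""Predicate abstraction for x -> -x, y -> -y over the three-valued predicates
c(x,3), c(x,y), c(y,0).  Added illustration: brute-force enumeration stands in
for the SAT solver, and trans() is hand-transcribed from slide 32."""
from itertools import product

# (l, g) encoding of one 3-valued comparison, as on slide 28.
# L = (1,0), E = (0,0), G = (0,1); (1,1) is the inconsistent combination.
ENC = {"L": (1, 0), "E": (0, 0), "G": (0, 1)}
DEC = {v: k for k, v in ENC.items()}


def encode(state):
    """'LGG' -> ((1,0), (0,1), (0,1))."""
    return tuple(ENC[c] for c in state)


def decode(bits):
    return "".join(DEC[p] for p in bits)


def abstract(x, y):
    """Abstraction function: concrete (x, y) -> abstract state such as 'LGG'."""
    def c(a, b):
        return "L" if a < b else ("G" if a > b else "E")
    return c(x, 3) + c(x, y) + c(y, 0)


def trans(cur, nxt):
    """Slide-32 constraints between current (l,g) pairs and next (l',g') pairs
    under x' = -x, y' = -y.  A decision procedure for CLU would normally
    derive these; here they are transcribed from the slide."""
    (l1, g1), (l2, g2), (l3, g3) = cur
    (l1n, g1n), (l2n, g2n), (l3n, g3n) = nxt
    return (not (g1 and g1n)               # x > 3 and -x > 3 cannot both hold
            and not (g1n and l1n)          # -x > 3 and -x < 3 cannot both hold
            and (not (g2 and g3) or l1n)   # x > y > 0 implies -x < 0 < 3
            and l2 == g2n and g2 == l2n    # x < y  iff  -x > -y
            and l3 == g3n and g3 == l3n)   # y < 0  iff  -y > 0


def successors(reached):
    """One symbolic step: enumerate assignments of Reached(B) /\\ Trans(B, B')
    and project onto B'.  The 'found' set plays the role of the blocking
    clauses that keep the SAT solver from returning the same state twice."""
    current = {encode(s) for s in reached}
    found = set()
    pairs = list(product((0, 1), repeat=2))
    for nxt in product(pairs, repeat=3):
        if any(l and g for l, g in nxt):      # consistency: never l /\ g
            continue
        if any(trans(cur, nxt) for cur in current):
            found.add(decode(nxt))
    return found


def reachable(initial):
    """Iterate to the abstract fixed point (slides 16 to 23); terminates
    because the abstract state space is finite."""
    reached = set(initial)
    while True:
        new = successors(reached) - reached
        if not new:
            return reached
        reached |= new


def trans_sound_on_window(lo=-8, hi=8):
    """Sanity check of the hand-derived constraints: every concrete transition
    inside a constructed, arbitrary window must be admitted by trans().
    Returns the first offending (x, y), or None if none is found."""
    for x in range(lo, hi + 1):
        for y in range(lo, hi + 1):
            if not trans(encode(abstract(x, y)), encode(abstract(-x, -y))):
                return (x, y)
    return None


if __name__ == "__main__":
    init = {abstract(2, 1)}                      # Reached Set 0 = {LGG}
    print("Reached Set 0 =", sorted(init))
    print("fixed point   =", sorted(reachable(init)))
    print("concrete sanity check:", trans_sound_on_window())
```

Running it reproduces the slides' sequence: {LGG}, then {LLL, LGG}, then {LLL, LGG, EGG, GGG}, at which point no new state appears. The sanity check is the step a practitioner should not skip when transition constraints are written by hand: a missing constraint makes the abstraction unsound, and the abstract fixed point would then say nothing about the concrete system.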

33
Quantified Invariant Generation
  • (Lahiri & Bryant, VMCAI 2004)
  • User supplies predicates containing free variables
  • Generate globally quantified invariant
  • Example
    • Predicates
      • p1 ≡ reg.valid(r)
      • p2 ≡ rob.dest(t) = r
      • p3 ≡ reg.tag(r) = t
    • Abstract state satisfying (p1 ∨ p2 ∨ ¬p3) corresponds to concrete state satisfying
      • ∀r,t [reg.valid(r) ∨ reg.tag(r) ≠ t ∨ rob.dest(t) = r]
    • rather than
      • ∀r [reg.valid(r)] ∨ ∀r,t [reg.tag(r) ≠ t] ∨ ∀r,t [rob.dest(t) = r]

34
Systems Verified with Predicate Abstraction
  • Very general models
    • Unbounded processes, buffers, cache lines, …
  • Safety properties only

35
Automatic Predicate Discovery
  • Strength of Predicate Abstraction
    • If given the right set of predicates, PA will put them together into an invariant
  • Weakness
    • Gets nowhere without the right set of predicates
    • Typical failure mode: generates true as the invariant
  • Challenges
    • Too many predicates will overwhelm the PA engine
    • Our use of quantified invariants precludes counterexample-guided refinement techniques

36
Iterative Generation of Predicates
  • Lahiri & Bryant, CAV 04
  • Generate new set of predicates if current predicates are not sufficient

37
Case Study 1: N-Bakery
  • N-process mutual exclusion protocol [Lamport 76]
  • Each process contains
    • An unbounded ticket
    • A counter with range 1..N
    • Other Boolean state variables
  • Safety: mutual exclusion property
  • Constructs inductive invariant in 3 iterations of WP-based predicate discovery
    • Iteration 1: Predicates: 1, Time to construct inv: 0.81 s
      • Does not imply mutual exclusion
    • Iteration 2: Predicates: 18, Time: 55.8 s
      • Does not imply mutual exclusion
    • Iteration 3: Predicates: 33, Time: 471 s
      • Implies mutual exclusion

38
Case Study 2: German's Cache Protocol
  • N-client directory-based cache coherence protocol [German, IBM]
  • Each client contains Boolean state variables
    • 3 single-entry channels to communicate with central process
  • Central home process contains
    • Directory 1..N → {0,1} of clients sharing a line
    • Current client id 1..N
    • Boolean variables
  • Safety: mutual exclusion property
  • Constructs inductive invariant in 4 iterations of WP-based predicate discovery
    • Iteration 1: Predicates: 4, Time (to construct inv): 1.46 s
    • Iteration 2: Predicates: 12, Time: 11.94 s
    • Iteration 3: Predicates: 24, Time: 207 s
    • Iteration 4: Predicates: 28, Time: 1266 s
      • Implies mutual exclusion

39
Extension of German's cache protocol
  • Each client communicates with home over unbounded FIFO channels
    • Unbounded number of unbounded channels
  • Verification complexity goes up considerably
    • 2 manually provided predicates for FIFOs required
    • Predicates involved constant offsets
  • Time to construct inductive invariant: 3 hours

40
Predicate Abstraction Convergences
  • Powerful method for generating & evaluating abstract model of system
  • Applicable to variety of systems with different modeling levels

41
Observations
  • Predicate Abstraction
    • Combines features of theorem proving & model checking
    • Very general and powerful technique
    • Lots of ways to generalize
  • Making More Efficient
    • Symbolic formulation very general
    • SAT enumeration limits capacity to ~25 predicates
  • Making Easier to Use
    • Automatic predicate discovery
    • Limitation: hard to find counterexamples