Formal Verification of Pipelined Processors

1
Convergence Testing in Term-level Bounded Model
Checking
Randal E. Bryant Shuvendu K. Lahiri Sanjit A.
Seshia
Carnegie Mellon University
2
Term-level modeling Abstracting Data
x0
x1
x2
xn-1

• View Data as Symbolic Terms
• Arbitrary integers
• Verification proves correctness of design for all
  possible word sizes
• Restricted set of operations on terms
• No bit-vector operations

3
Term-level modelingAbstraction Via Uninterpreted
Functions
f

• For any Block that Transforms or Evaluates Data
• Replace with generic, unspecified function
• Only assumed property is functional consistency
• a x ? b y ? f (a, b) f (x, y)

4
Motivation

• Model Checking term-level systems
• Approach to tackle the state-explosion problem
• Verification for arbitrary data-path width
• In general, undecidable
• Can express 2-counter systems
• Systems do not converge
• Interesting systems which converge
• Pipelined processors
• Procedures to detect convergence

5
Outline

• Logic of CLU
• Used for term-level modeling in UCLID
• Formal definition of convergence
• A sound technique to check convergence
• Preliminary results
• Conclusions and Future work

6
CLU Logic of UCLID

• Terms (T ) Integer Expressions
• ITE(F, T1, T2) If-then-else
• Fun (T1, , Tk) Function application
• succ (T) Increment
• pred (T) Decrement
• Formulas (F ) Boolean Expressions
• ?F, F1 ? F2, F1 ? F2 Boolean connectives
• T1 T2 Equation
• T1 lt T2 Inequality
• P(T1, , Tk) Predicate application
• Functions (Fun) Integers ? Integer
• f Uninterpreted function symbol
• ? x1, , xk . T Function definition
• Predicates (P) Integers ? Boolean
• p Uninterpreted predicate symbol
• ? x1, , xk . F Predicate definition

7
Modeling Memories with ?s

• Memory M Modeled as Function
• M(a) Value at location a

• Writing Transforms Memory
• M ? Write(M, wa, wd)
• ? a . ITE(a wa, wd, M(a))
• Future reads of address wa will get wd

8
Modeling capabilities

• Other Memories
• Content-addressable memories
• Simultaneous-update memories
• Arbitrary subset of entries can be modified in a
  step
• Queues, Stacks
• Systems modeled
• Pipelined processors, Out-of-order processors
• Parameterized cache-coherence protocols,
  distributed protocols

9
Example

• Symbols
• V x INT, y INT, b BOOL state
  variables
• K f
  system parameters
• I a
  initial state symbols

• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b

• Initial States
• q0x a
• q0y a
• q0b true

10
Example

• Symbols
• V x INT, y INT, b BOOL
• K f
• I a
• Initial States
• q0x a
• q0y a
• q0b true
• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b

Execution
Property b ? x y ?
11
Example convergence
Execution
Alternate Execution
12
Example convergence
Execution
Alternate Execution
13
Example convergence
Execution
Alternate Execution
subsumes

• Substitution/Matching
• ? (true) ? true
• ? ( a) ? f(a)

14
Example convergence
Execution
Reachable States
15
Contributions

• New formal definition of convergence for
  term-level models
• Based on symbolic simulation
• A sound algorithm to detect convergence
• Dealing with Function State Variables
• Based on a translation to Quantified Separation
  Formula
• Preliminary Experimental Results
• 3-stage pipeline processor

16
System Model (w/o inputs)

• Symbols
• V x INT, y INT, b BOOL
• K f
• I a
• Initial States
• q0x a
• q0y a
• q0b true
• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b

• Symbols
• State Variables ( V )
• Initial State Symbols ( I )
• Parameters ( K )
• Initial State q0
• q0a one for each state element a ? V
• Expression over I
• Transition Function ?
• ?a one for each state element a ? V
• Expression over V ? K
• Does not depend on the initial state symbols (I)

17
Symbolic Simulation

• Symbolic state expression si
• Expression after i steps of symbolic simulation
• Expression over I ? K
• Contains sai for each of the state elements a ? V
• e.g. x ? f(a), y ? a, b ? false
• Obtaining the expression for next state
• sai1 ? ?asi/V
• Substitute the expression for sai in place of a ?
  V

18
Definitions

• Interpretation ?X
• Assigns values to each symbol in X
• Evaluation ? ?
• ?X ? e ? evaluates e with respect to ?X
• State of the system
• An interpretation to the state elements a ? V
• Given ?I , ?K
• ?I . ?K ?si? represents a state reachable in i
  steps from initial state

19
k-Convergence

• The system is k-convergent if
• For every interpretation ?I of initial state
  symbol, and ?K of the parameter symbols, there
  exists a step i ? k and an alternate
  interpretation ?I of initial state symbols, such
  that
• ?I . ?K ?si? ?I . ?K ?sk1?
• Theorem If a system is k-convergent, then no
  new states are discovered after k steps of
  symbolic simulation.
• Proof exploits the facts
• Transition relation independent of initial state
  symbols

20
k-Convergence

• The system is k-convergent if
• For every interpretation ?I of initial state
  symbol, and ?K of the parameter symbols, there
  exists a step i ? k and an alternate
  interpretation ?I of initial state symbols, such
  that
• ?I . ?K ?si? ?I . ?K ?sk1?
• Formulation
• Introduce I set of symbols for alternate
  initial state symbols
• Obtain ri by symbolic simulation with symbols in
  I
• Check for validity
• ?K ?I ?I ?i ? k ri sk1

21
k-Convergence

• Formulation
• Introduce I set of symbols for alternate
  initial state symbols
• Obtain ri by symbolic simulation with symbols in
  I
• Check for validity
• ?K ?I ?I ?i ? k ri sk1
• Comparing States ri and sk1
• Compare each state element a?V point-wise
• ri sk1 ? ?a?V rai sak1

22
Example Adding function state

• Symbols
• V x INT, y INT, b BOOL, m INT ? INT
  
• K f
• I a, m0

• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b
• ?m ? i. ITE(b?ix,y,m(i))

• Initial States
• q0x a
• q0y a
• q0b true
• q0m m0

23
Example convergence
Execution
24
Example convergence
Checking Convergence
?f ?a ?m0 ?a ?m0 a f(a) ? m0 (? i.
ITE(ia, a, m0(i)))
25
Handling function state variables

• Second order equations
• Comparing a function state element in two states
• F G ? ?z. F(z) G(z)
• New Quantifier Structure
• ?K ?I ?I ?i ? k ri sk1
• ?K ?I ?I?Z ?i ? k ri(Z) sk1(Z)
• Eliminate z from the equation
• Generate constraints and rewrite
• Source of Incompleteness (1)
• Complete for random-access memories
• Rewrite rules not complete in general

26
Deciding Second-Order formulas with One
Quantifier Alternation

• Second-Order formula
• ?K ?I ?I ?
• ? is quantifier-free CLU formula
• All equations are first order now
• Obtained after eliminating Z
• General form
• ?A ?B ?
• A ? K ? I
• B ? I

27
Deciding Second-Order formulas with One
Quantifier Alternation

• General form
• ?A ?B ?
• Undecidable Gurevich
• Even when B has no function symbols
• Provide a sound translation to a decidable
  fragment
• Option 1 Translate to Quantified Separation
  Formula
• Decidable fragment of first-order logic with
  quantifiers
• Option 2 Remove the ? quantifiers from the
  formula
• All remaining symbols are universally quantified
• Source of Incompleteness (2)

28
Deciding Second-Order formulas with One
Quantifier Alternation

• General form
• ?A ?B ?
• Undecidable Gurevich
• Even when B has no function symbols
• Provide a sound translation to a decidable
  fragment
• Option 1 Translate to Quantified Separation
  Formula
• Decidable fragment of first-order logic with
  quantifiers
• Option 2 Remove the ? quantifiers from the
  formula
• All remaining symbols are universally quantified
• Source of Incompleteness (2)

29
Option 1 Normal Form

• Function applications pushed through ITE
• f(ITE(x,y,z)) ? ITE(x,f(y),f(z))
• Eliminate the ITE constructs
• ITE(x,y,z) ITE(x,y,z) ? (x?x
  ? yy) ? (x??x ? yz) ?(?x?x ? zy) ?
  (?x??x ? zz)
• Function/predicate applications atomic
• Contains no Boolean operators (?, ?, ?) or ITE
• f(g(x)1), p(f(y)),

30
Sound Translation of ?A ?B ?

• 1. ? ? Obtain a normal form of ?
• F ? ?f,y ?x ? (xf(x))? y f(f(y))

• 2. Obtain a topological ordering g1,,gn of
  atomic function/predicate applications
• Move applications of A as much to the left
• y,f(y),f(f(y)),x,f(x)

• 3. ? ? Replace gi by vi in ?
• ? ? ? (xfx) ? y ffy

31
Sound Translation of ?A ?B ?

• 4. Get Ackermans constraints for gi? h(x), gj?
  h(y)
• C ? (x y ? vi vj )

• y fy ? fy ffy
• y x ? fy fx
• fy x ? ffy fx

• 5. Construct CA, CB
• If h ? A then CA ? C ? CA
• If h ? B then CB ? C ? CB

CA ? (1)?(2)?(3) CB ? true
32
Sound Translation of ?A ?B ?

• 6. ?s ? Q1 v1 Qn vn CA ?(CB ? ?)
• Qi ? ?, if top-func-symbol(gi) ? A
• ? ?, otherwise

?s ? ?y,fy,ffy ?x ?fx (y fy ? fy ffy
? y x ? fy fx ? fy
x ? ffy fx) ? (? (xfx) ? y
ffy)
The above formula is valid
33
Sound Translation to QSL

• Original formula
• ?A ?B ?
• New formula
• ?s ? Q1 v1 Qn vn CA ?(CB ? ?)
• No function symbols in ?s
• Theorem If ?s is valid then (?A ?B ?)is valid

34
Quantified Separation Logic (QSL)

• ?s is a formula in Quantified Separation Logic
  (QSL)
• Terms are x,y,z
• Atomic formulas are x ? y c
• Boolean Connectives ?, ?, ?
• Quantifiers ?, ?
• Decision procedures for QSL
• PSPACE-Complete Kourabakis KD94
• Difference Decision Diagrams (DDD) Möller,
  CADE02
• Semi-canonical representation of QSL formulas
• Using Boolean Methods Seshia and Bryant, CAV03
• Uses BDDs to solve Boolean quantifier elimination

35
3-stage DLX pipeline (CMU-ISA)

• Pipelined processor model
• 3-stage (Fetch-Decode, Execute, Write-back)
• Stalling, forwarding
• Boolean state elements
• Read/write enables, op-code etc.
• Integer state elements
• Register identifiers, data value, program counter
• Function state elements
• Unbounded Register file
• Uninterpreted function symbols
• ALU, initial state of register file
• Checking equivalence with an ISA model
• Contains user visible state elements
• Program counter, register file
• Same uninterpreted function for ALU, initial
  state of register file

36
Results

• Complexity of QSF formula for 3 steps of
  simulation
• 43 integer variables
• 6 quantifier alternations
• 800 nodes in the DAG for the formula
• BDD-Based, DDD-based
• gt 1GB
• QBF-Based Quaffle, QBF,
• Times out
• SAT Based Quantifier Elimination
• Too many enumerations
• Verified a simplified model
• Remove some state elements
• BDD-based approach finishes in less than 10s

37
Related Work

• Hojati, Isles and Brayton, CAV 98
• Generates reachable states for the Boolean part
  of the state
• Less expressive logic (no ?, no ordered
  structures)
• Use a syntactic convergence test
• Subsumed by our semantic criteria
• Multiway decision graphs, FMSD 97
• BDD-like canonical data structures with terms
• Does not handle function state variables
• Starts from a general initial state for
  termination
• Can handle first order temporal logic queries

38
Contributions

• Convergence checking for term-level models
• New formulation
• Based on reduction to QSL
• Application to theorem proving
• Proving Second order formulas with 1 quantifier
  alternation
• Computationally expensive
• Large number of quantifier alternations

39
Future Directions

• Use efficient quantifier elimination techniques
• Early quantification techniques
• Relax functional consistency across different
  steps
• Fewer constraints, simpler formula
• Result in over-approximation
• Use matching to reduce to Boolean formula
• QBF solvers are not mature
• Similar to quantifier instantiation
• Instantiate second order function variables

40
Questions
41
Other modeling capabilities

• Other Memories
• Content-addressable memories
• Simultaneous-update memories
• Arbitrary subset of entries can be modified in a
  step
• Ordered data structures
• Queues, Stacks
• Limited Set operations
• Addition,deletion, empty-check, membership
• Systems modeled
• Pipelined processors, Out-of-order processors
• Parameterized cache-coherence protocols,
  distributed protocols

42
Conclusions

• Provided a convergence definition
• Computationally expensive
• Translation to QSF/QBF

43
Example

• Symbols
• X x INT, y INT, m BOOL state
  variables
• K f , a
  system parameters
• I
  input symbols
• Initial States
• q0x a
• q0y a
• q0m true
• Next State
• ? x ITE(m,f(x),x)
• ? y ITE(m,y,f(y))
• ?m ? m

44
Symbols

• ????????????????????????????????????
• ???????? ??????

45
Sound Translation of ?A ?B ?

• ? ? Obtain a normal form of ?
• Obtain a topological ordering g1,,gn of atomic
  function/predicate applications
• ? ? Replace gi by vi in ?
• Get Ackermans constraints for gi? f(x), gj? f(y)
  
• C ? (x y ? vi vj )
• Construct CA, CB
• If f ? A then CA ? C ? CA
• If f ? B then CB ? C ? CB
• ?s ? Q1 v1 Qn vn CA ?(CB ? ?)
• Qi ? ?, if top-func-symbol(gi) ? A
• ? ?, otherwise

46
Syntactic vs. Semantic
47
Term-level modeling Abstracting Data
x0
x1
x2
xn-1

• View Data as Symbolic Terms
• Arbitrary integers
• Verification proves correctness of design for all
  possible word sizes
• Restricted set of operations on terms