Formal Verification of Pipelined Processors

1
Convergence Testing in Term-level Bounded Model
Checking
Randal E. Bryant Shuvendu K. Lahiri Sanjit A.
Seshia
Carnegie Mellon University
2
Term-level modeling Abstracting Data
x0
x1
x2
xn-1

• View Data as Symbolic Terms
• Arbitrary integers
• Verification proves correctness of design for all
  possible word sizes
• Can store in memories registers
• Can select with multiplexors
• ITE If-Then-Else operation

3
Term-level modelingAbstraction Via Uninterpreted
Functions
f

• For any Block that Transforms or Evaluates Data
• Replace with generic, unspecified function
• Only assumed property is functional consistency
• a x ? b y ? f (a, b) f (x, y)

4
Motivation

• Model Checking expressive systems
• Unbounded Integers, unbounded arrays
• Infinite state space
• In general, undecidable
• Can express 2-counter systems
• Systems do not converge
• Convergence detection undecidable
• Interesting systems which converge
• Pipelined processors
• Hojati, Isles, Brayton,
• Multiway Decision Graphs (MDG)
• Procedures to detect convergence

5
Outline slide

• Background
• CLU
• example
• Formal definition of convergence
• Technique
• Results
• Conclusions

6
CLU Logic of UCLID

• Terms (T ) Integer Expressions
• ITE(F, T1, T2) If-then-else
• Fun (T1, , Tk) Function application
• succ (T) Increment
• pred (T) Decrement
• Formulas (F ) Boolean Expressions
• ?F, F1 ? F2, F1 ? F2 Boolean connectives
• T1 T2 Equation
• T1 lt T2 Inequality
• P(T1, , Tk) Predicate application
• Functions (Fun) Integers ? Integer
• f Uninterpreted function symbol
• ? x1, , xk . T Function definition
• Predicates (P) Integers ? Boolean
• p Uninterpreted predicate symbol
• ? x1, , xk . F Predicate definition

7
Modeling Memories with ?s

• Memory M Modeled as Function
• M(a) Value at location a

• Writing Transforms Memory
• M ? Write(M, wa, wd)
• ? a . ITE(a wa, wd, M(a))
• Future reads of address wa will get wd

8
Other modeling capabilities

• Other Memories
• Content-addressable memories
• Simultaneous-update memories
• Arbitrary subset of entries can be modified in a
  step
• Ordered data structures
• Queues, Stacks
• Limited Set operations
• Addition,deletion, empty-check, membership
• Systems modeled
• Out-of-order processors
• Parameterized cache-coherence protocols,
  distributed protocols

9
Example

• Symbols
• V x INT, y INT, b BOOL state
  variables
• K f
  system parameters
• I a
  initial state symbols

• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b

• Initial States
• q0x a
• q0y a
• q0b true

10
Example

• Symbols
• V x INT, y INT, b BOOL
• K f
• I a
• Initial States
• q0x a
• q0y a
• q0b true
• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b

Execution
Step b x y
0 true a a
1 false f(a) a
2 true f(a) f(a)
3 false f(f(a)) f(a)
4 true f(f(a)) f(f(a))
Property b ? x y ?
11
Example convergence
Execution
Alternate Execution
Step b x y
0 true a a
1 false f(a) a
2 true f(a) f(a)
3 false f(f(a)) f(a)
4 true f(f(a)) f(f(a))
Step b x y
0 true a a
1 false f(a) a
2 true f(a) f(a)
3 false f(f(a)) f(a)
4 true f(f(a)) f(f(a))
12
Example convergence
Execution
Alternate Execution
Step b x y
0 true a a
1 false f(a) a
2 true f(a) f(a)
3 false f(f(a)) f(a)
4 true f(f(a)) f(f(a))
Step b x y
0 true a a
1 false f(a) a
2 true f(a) f(a)
3 false f(f(a)) f(a)
4 true f(f(a)) f(f(a))
13
Example convergence
Execution
Alternate Execution
true a a
subsumes
true f(a) f(a)

• Substitution/Matching
• ? (true) ? true
• ? ( a) ? f(a)

14
Example convergence
Execution
Step b x y
0 true a a
1 false f(a) a
2 true f(a) f(a)
3 false f(f(a)) f(a)
4 true f(f(a)) f(f(a))
Reachable States
15
Contributions

• New formal definition of convergence for
  term-level models
• Based on symbolic simulation
• A sound algorithm to detect convergence
• Dealing with Function State Variables
• Based on a translation to Quantified Separation
  Formula
• Preliminary Experimental Results
• 3-stage pipeline processor
• Related work
• Conclusion and Future work

16
System Model (w/o inputs)

• Symbols
• State Variables ( V )
• Initial State Symbols ( I )
• Parameters ( K )
• Initial State q0
• q0a one for each state element a ? V
• Expression over I
• Transition Function ?
• ?a one for each state element a ? V
• Expression over V ? K
• Does not depend on the initial state symbols (I)

17
Symbolic Simulation

• Symbolic state expression si
• Expression after i steps of symbolic simulation
• Contains sai for each of the state elements a ? V
• e.g. x ? f(a), y ? a, b ? false
• Obtaining the expression for next state
• sai1 ? ?asi/V
• Substitute the expression for sai in place of a ?
  V

18
Definitions

• Interpretation ?X
• Assigns values to each symbol in X
• Evaluation ? ?
• ?X ? e ? evaluates e with respect to ?X
• State of the system
• An interpretation to the state elements a ? V
• Boolean state elements assigned true/false
• Integers state elements assigned integer values
• Function state elements assigned a function from
  integers to integer
• Predicate state elements assigned a function from
  integers to true/false
• Given ?I , ?K
• ?I . ?K ?si? represents a state

19
k-Convergence

• The system is k-convergent if
• For every interpretation ?I of initial state
  symbol, and ?K of the parameter symbols, there
  exists a step i ? k and an alternate
  interpretation ?I of initial state symbols, such
  that
• ?I . ?K ?si? ?I . ?K ?sk1?
• Theorem If a system is k-convergent, then no
  new states are discovered after k steps of
  symbolic simulation.
• Proof exploits the facts
• Transition relation independent of initial state
  symbols

20
k-Convergence

• The system is k-convergent if
• For every interpretation ?I of initial state
  symbol, and ?K of the parameter symbols, there
  exists a step i ? k and an alternate
  interpretation ?I of initial state symbols, such
  that
• ?I . ?K ?si? ?I . ?K ?sk1?
• Formulation
• Introduce I set of symbols for alternate
  initial state symbols
• Obtain ri by symbolic simulation with symbols in
  I
• Check for validity
• ?K ?I ?I ?i ? k ri sk1

21
k-Convergence

• Formulation
• Introduce I set of symbols for alternate
  initial state symbols
• Obtain ri by symbolic simulation with symbols in
  I
• Check for validity
• ?K ?I ?I ?i ? k ri sk1
• Comparing States ri and sk1
• Compare each state element a?V point-wise
• ri sk1 ? ?a?V rai sak1

22
Example Adding function state

• Symbols
• V x INT, y INT, b BOOL, m INT ? INT
  
• K f
• I a, m0

• Next State
• ? x ITE(b,f(x),x)
• ? y ITE(b,y,f(y))
• ?b ? b
• ?m ? i. ITE(b?ix,y,m(i))

• Initial States
• q0x a
• q0y a
• q0b true
• q0m m0

23
Example convergence
Execution
Step b x y m
0 true a a m0
Step b x y m
0 true a a m0
1 false f(a) a ? i. ITE(ia, a, m0(i))
2 true f(a) f(a) ? i. ITE(ia, a, m0(i))
3 false f(f(a)) f(a) ? i. ITE(if(a),f(a), ITE(ia, a, m0(i)))
24
Example convergence
Checking Convergence
true a a m0
?f ?a ?m0 ?a ?m0 a f(a) ? m0 (? i.
ITE(ia, a, m0(i)))
true f(a) f(a) ? i. ITE(ia, a, m0(i))
25
Handling function state variables

• Second order equations
• Comparing a function state element in two states
• F G ? ?z. F(z) G(z)
• New Quantifier Structure
• ?K ?I ?I ?i ? k ri sk1
• ?K ?I ?I?Z ?i ? k ri(Z) sk1(Z)
• Eliminate z from the equation
• Generate constraints and rewrite
• Source of Incompleteness (1)
• Rewrite rules not complete
• Complete for random-access memories

26
Deciding Second-Order formulas with One
Quantifier Alternation

• Second-Order formula
• ?K ?I ?I ?
• ? is quantifier-free CLU formula
• All equations are first order now
• Obtained after eliminating Z
• General form
• ?A ?B ?
• A ? K ? I
• B ? I

27
Handling First order equations

• General form
• ?A ?B ?
• Undecidable
• Provide a sound translation to a decidable
  fragment
• Option 1 Translate to Quantified Separation
  Formula
• Decidable fragment of first-order logic with
  quantifiers
• Option 2 Remove the ? quantifiers from the
  formula
• All symbols are universally quantified
• Source of Incompleteness (2)

28
Handling First order equations

• General form
• ?A ?B ?
• Undecidable
• Provide a sound translation to a decidable
  fragment
• Option 1 Translate to Quantified Separation
  Formula
• Decidable fragment of first-order logic with
  quantifiers
• Option 2 Remove the ? quantifiers from the
  formula
• All symbols are universally quantified
• Source of Incompleteness (2)

29
Option 1 Normal Form

• Function applications pushed through ITE
• f(ITE(x,y,z)) ? ITE(x,f(y),f(z))
• Eliminate the ITE constructs
• ITE(x,y,z) ITE(x,y,z) ? (x?x
  ? yy) ? (x??x ? yz) ?(?x?x ? zy) ?
  (?x??x ? zz)
• Atomic Expressions (atoms)
• Expressions with no Boolean operators (?, ?, ?)
• f(g(x)1)5, p(f(y)), x y,

30
Sound Translation of ?A ?B ?

• 1. ? ? Obtain a normal form of ?
• F ? ?f,y ?x ? (xf(x))? y f(f(y))

• 2. Obtain a topological ordering g1,,gn of
  atomic function/predicate applications
• Move applications of A as much to the left
• y,f(y),f(f(y)),x,f(x)

gi vi
x x
y y
f(y) fy
f(f(y)) ffy
f(x) fx

• 3. ? ? Replace gi by vi in ?
• ? ? ? (xfx) ? y ffy

31
Sound Translation of ?A ?B ?

• 4. Get Ackermans constraints for gi? h(x), gj?
  h(y)
• C ? (x y ? vi vj )

gi vi
x x
y y
f(y) fy
f(f(y)) ffy
f(x) fx

1. y fy ? fy ffy
2. y x ? fy fx
3. fy x ? ffy fx

• 5. Construct CA, CB
• If h ? A then CA ? C ? CA
• If h ? B then CB ? C ? CB

CA ? (1)?(2)?(3) CB ? true
32
Sound Translation of ?A ?B ?

• 6. ?s ? Q1 v1 Qn vn CA ?(CB ? ?)
• Qi ? ?, if top-func-symbol(gi) ? A
• ? ?, otherwise

?s ? ?y,fy,ffy ?x ?fx (y fy ? fy ffy
? y x ? fy fx ? fy
x ? ffy fx) ? (? (xfx) ? y
ffy)
The above formula is valid
33
Sound Translation to QSL

• Original formula
• ?A ?B ?
• New formula
• ?s ? Q1 v1 Qn vn CA ?(CB ? ?)
• Theorem If ?s is valid then (?A ?B ?)is valid
• ?s is a formula in Quantified Separation Logic
  (QSL)
• Terms are x,y,z
• Atomic formulas are x ? y c
• Boolean Connectives ?, ?, ?
• Quantifiers ?, ?

34
Quantified Separation Logic (QSL)

• Decision procedures for QSL
• Difference Decision Diagrams (DDD) Möller,
  CADE02
• Using Boolean Methods Seshia and Bryant, CAV03

35
3-stage DLX pipeline (CMU-ISA)

• Pipelined processor model
• 3-stage (Fetch-Decode, Execute, Write-back)
• Stalling, forwarding
• Boolean state elements
• Read/write enables, op-code etc.
• Integer state elements
• Register identifiers, data value, program counter
• Function state elements
• Unbounded Register file
• Uninterpreted function symbols
• ALU, initial state of register file
• Checking equivalence with an ISA model
• Contains user visible state elements
• Program counter, register file
• Same uninterpreted function for ALU, initial
  state of register file

36
Results

• Complexity of QSF formula for 3 steps of
  simulation
• 43 integer variables
• 6 quantifier alternations
• 800 nodes in the DAG for the formula
• BDD-Based, DDD-based
• gt 1GB
• QBF-Based Quaffle, QBF,
• Times out
• SAT Based Quantifier Elimination
• Too many enumerations
• Verified a simplified model
• Remove some state elements or 1 pipeline stage
• BDD-based approach finishes in less than 10s

37
Related Work

• Hojati, Isles and Brayton, CAV 98
• Generates reachable states for the Boolean part
  of the state
• Less expressive logic (no ?, no ordered
  structures)
• Use a syntactic convergence test
• Subsumed by our semantic criteria
• Multiway decision graphs, FMSD 97
• BDD-like canonical data structures with terms
• Does not handle function state variables
• Starts from a general initial state for
  termination
• Can handle first order temporal logic queries

38
Conclusions and Future Directions

• Convergence checking
• New formulation
• Based on reduction to QSL
• Application to theorem proving
• Proving Second order formulas with 1 quantifier
  alternation
• Computationally expensive
• Large number of quantifier alternations
• Relax functional consistency across different
  steps
• Fewer constraints, simpler formula
• Use matching to reduce to Boolean formula
• QBF solvers are not mature
• Similar to quantifier instantiation
• Instantiate second order function variables

39
Questions
40
Conclusions

• Provided a convergence definition
• Computationally expensive
• Translation to QSF/QBF

41
Example

• Symbols
• X x INT, y INT, m BOOL state
  variables
• K f , a
  system parameters
• I
  input symbols
• Initial States
• q0x a
• q0y a
• q0m true
• Next State
• ? x ITE(m,f(x),x)
• ? y ITE(m,y,f(y))
• ?m ? m

42
Symbols

• ????????????????????????????????????
• ???????? ??????

43
Sound Translation of ?A ?B ?

• ? ? Obtain a normal form of ?
• Obtain a topological ordering g1,,gn of atomic
  function/predicate applications
• ? ? Replace gi by vi in ?
• Get Ackermans constraints for gi? f(x), gj? f(y)
  
• C ? (x y ? vi vj )
• Construct CA, CB
• If f ? A then CA ? C ? CA
• If f ? B then CB ? C ? CB
• ?s ? Q1 v1 Qn vn CA ?(CB ? ?)
• Qi ? ?, if top-func-symbol(gi) ? A
• ? ?, otherwise

44
Syntactic vs. Semantic