UCLID SVC Talk

1
Modeling and Verifying Systems using CLU Logic
Randal E. Bryant Shuvendu Lahiri Sanjit A. Seshia
CS ECE Departments Carnegie Mellon University
2
Infinite-State Systems

• State variables of unbounded integer or unbounded
  integer array type
• Systems with finite but very large or arbitrary
  size resources
• Microprocessor memories, buffers
• Parameterized systems
• Cache protocols
• Communication protocols with unbounded, lossy
  channels

3
Infinite-State VerificationAutomation vs.
Expressiveness

• General purpose techniques
• Model checking (using abstraction)
• Highly automated
• Finding the right abstraction is hard
• State space explosion
• Theorem proving for first higher order logics
• Very expressive
• Greater manual assistance needed
• Domain specific techniques e.g.,
• QDDs for communication protocols
• Logic of equality with uninterpreted functions
  (EUF) for pipelined processors
• Rely on specialized efficient data structures or
  decision procedures

4
Motivating Question

• How far can we generalize a domain specific
  technique, without losing efficiency?
• We focus on extending the EUF logic based
  approach that has worked well for pipelined
  processors

5
EUF Equality with Uninterp. Functs

• Decidable fragment of first order logic
• Formulas (F ) Boolean Expressions
• ?F, F1 ? F2, F1 ? F2 Boolean connectives
• T1 T2 Equation
• P (T1, , Tk) Predicate application
• Terms (T ) Integer Expressions
• ITE(F, T1, T2) If-then-else
• Fun (T1, , Tk) Function application
• Functions (Fun) Integer ? Integer
• f Uninterpreted function symbol
• Read, Write Memory operations
• Predicates (P) Integer ? Boolean
• p Uninterpreted predicate symbol

6
Modeling and Verification Approach

• Model system at term-level
• State variables evaluate to expressions in EUF
  logic
• Correctness (safety) property is formula F in EUF
• Check validity of F using decision procedure for
  EUF
• F must be true under all interpretations of
  function/predicate symbols

7
Term-level Modeling in EUF

• View Data Word as Terms ( Integers )

View functional blocks as uninterpreted functions
?
Functional consistency a x ? b y ? f(a, b)
f(x, y)
8
Efficient Decision Procedure for EUF

• Bryant, German, Velev, CAV 99
• Translate EUF formula to equivalent Boolean
  formula
• Small-Model Property
• Need to consider only finitely many
  interpretations of terms
• Positive Equality
• Number of interpretations can be greatly reduced
  for some terms
• Equations appearing only under even of
  negations assigned false

9
Our Contributions

• Generalize EUF to get CLU logic
• Can model a richer set of systems
• Still retains the efficiency of
  Bryant-German-Velev decision procedure
• Small model property preserved
• Can exploit positive equality
• Efficient reduction to propositional logic
• UCLID verification tool
• Supports different types of verification
• Highly automated
• Counterexample traces similar to model checkers

10
Outline for Rest of Talk

• CLU logic
• Definition
• Modeling systems in CLU
• The UCLID verifier
• Decision procedure
• An example
• Benchmarking
• Counterexample generation
• Conclusions

11
The CLU Logic
Counter Arithmetic, Lambda Expressions, and
Uninterpreted Functions

• Generalization of EUF
• Four types of expressions
• Functions,
• Predicates,
• Terms,
• (Boolean) Formulas

12
EUF ? CLU

• Terms (T )
• ITE(F, T1, T2) If-then-else
• Fun (T1, , Tk) Function application
• Formulas (F )
• ?F, F1 ? F2, F1 ? F2 Boolean connectives
• T1 T2 Equation
• P(T1, , Tk) Predicate application

13
EUF ? CLU (Cont.)

• Functions (Fun)
• f Uninterpreted function symbol
• Read, Write Memory operations
• Predicates (P)
• p Uninterpreted predicate symbol

14
Modeling with CLU

• Memories
• Contents represented by lambda
• Defines function mapping addresses to data values
• Unbounded and Bounded Queues
• Use counters to indicate head and tail
• Lambda to indicate buffer contents
• Unbounded arrays of identical processes
• Lambda for each state variable
• Indexed by process ID

15
Modeling Unbounded FIFO Buffer
Already Popped

• Queue is Subrange of Infinite Sequence
• Q.head h
• Index of oldest element
• Q.tail t
• Index of insertion location
• Q.val q
• Function mapping indices to values
• q(i) valid only when h ? i lt t
• Initial State Arbitrary Queue
• Q.head h0, Q.tail t0
• Impose constraint that h0 ? t0
• Q.val q0
• Uninterpreted function

q(h2)
q(h1)
q(h)
head
q(h1)

increasing indices
q(t2)
q(t1)
tail
q(t)
q(t1)
Not Yet Inserted
16
Modeling FIFO Buffer (cont.)
17
Sample Application of Modeling

• Out-of-Order Execution Unit
• Unbounded Register File -- Memory
• Reorder Buffer Queue, Content-addressable
  memory

18
UCLID

• Verification tool for systems in CLU logic
• Based on symbolic simulation and the decision
  procedure
• Generates counterexamples

19
UCLID Operation
CLU Formula
Symbolic Simulation
Decision Procedure
file.ucl
Model Specification
Invalid Counterexample
Valid
20
Verification Techniques in UCLID

• Bounded Property Checking
• Start in reset state
• Symbolically simulate for fixed number of steps
• Verify safety property for all states reachable
  within the fixed number of steps from the start
  state
• Invariant Checking
• Start in general state s
• Simulate one step
• Prove Inv(s) ? Inv(Nexts)
• Limited support for automatic quantifier
  elimination
• Correspondence Checking
• Run 2 different simulations starting in most
  general state
• Prove that final states equivalent

21
Sample Case Studies

• Simple out-of-order processor unit
• ALU instructions, unbounded resources, register
  renaming
• Performed inductive invariant checking to check
  refinement between OOO model and ISA
• Load-store unit of Motorola ELF processor
• Memory instructions, register renaming,
  completion buffer
• 20K lines of Verilog manually translated to 1K
  lines of UCLID
• Large state space About 150 total state
  variables, 80 of integer type
• Performed bounded property checking

22
The Decision Problem
CLU Formula Fclu
Decision Procedure
Valid
Invalid
23
Decision Procedure
CLU Formula Fclu
Lambda Expansion
?-free Formula, Fsubst
Function Predicate Elimination
Term Formula, Fconst

• Operation
• Series of transformations leading to
  propositional formula
• Propositional formula checked with BDD or SAT
  tools

Finite Instantiation
Boolean Formula, Fprop

Boolean Satisfiability
SAT ? Fclu invalid UNSAT ? Fclu valid
24
An Example
Fclu is ?a. ITE(agty, succ(g(y)), succ(g(a)))
x ?a. succ(ITE(agty, g(y), g(a))) x
25
Step 1 Lambda substitution
?a. ITE(agty, succ(g(y)), succ(g(a))) x
?a. succ(ITE(agty, g(y), g(a))) x
Fsubst is ITE(xgty, succ(g(y)), succ(g(x)))
succ(ITE(xgty, g(y), g(x)))
26
Step 2 Function elimination
ITE(xgty, succ(g(y)), succ(g(x)))
succ(ITE(xgty, g(y), g(x)))
P-function symbols g G-function symbols
x,y
P-variables gx, gy G-variables x, y
27
Step 3 Finite Instantiation (1)
Small-Model Property Sufficient to interpret
variables over finite domains
ITE(xgty, succ(gy), succ(gx))
succ(ITE(xgty, gy, ITE(xy, gy, gx)))
28
Step 3 Finite Instantiation (2)
Number of values
29
Theoretical Formula Blowup

• If ?-free formula Fsubst has size N
• Then final Boolean formula Fprop is
• O((N M2 P2) lg N)
• where M (function applications)
• P (predicate applications)
• In practice, O(N lg N) observed.

30
Decision Procedure Benchmarking

• Compared against Stanford Validity Checker (SVC)
• Decides CLU real linear arith. bit-vector
  arith.
• UCLID uses the Chaff SAT solver for Boolean SAT
• Time includes translation time Chaff time

Model Term formula DAG size Prop formula DAG size UCLID time (s) SVC time (s)
Out-of-order execution unit 735 3658 4.8 3.0
Out-of-order execution unit 1970 13755 18.3 102.4
Out-of-order execution unit 3929 37179 61.9 4257.3
Elf processor 218 942 1.2 10.9
Elf processor 1085 4481 8.4 1851.6
Elf processor 2467 16453 30.6 gt 1 day
Elf processor 4553 54288 111.0 gt 1 day
31
Impact of Positive Equality
Model Term formula size UCLID w/ p-eq. (s) UCLID w/o p-eq. (s)
Out-of-order execution unit 735 4.78 9.79
Out-of-order execution unit 1970 18.29 37.71
Out-of-order execution unit 3929 61.90 149.46
Cache Protocol 1829 6.29 26.50
Cache Protocol 2782 16.13 165.91
Cache Protocol 3939 61.08 gt 1 hr
DLX pipeline 639 13.22 1897
Positive equality can still be exploited to
improve performance
32
Counterexample Generation
Symbolic Simulation
Trace
Partial Interp. of Lambdas
Lambda Expansion
Partial Interpretation of UIFs
Function Predicate Elimination

• Counterexample
• Trace showing value of each state variable on
  each step.
• Value of a lambda is a set of argument/value
  pairs

Integer Assignment
Finite Instantiation
Boolean Assignment
Boolean Satisfiability
33
Conclusions

• Contributions
• Modeling capability of CLU
• Efficient decision procedure
• Builds on recent advances in Boolean SAT
• Verification techniques in UCLID
• Counterexample generation
• Ongoing work
• Decision procedure variants
• Encoding separation predicates Strichman et al.
  CAV02
• Using pseudo-Boolean constraint solver
• Other case studies
• MIPS processor
• Some support for instantiating quantifiers

34
Modeling Memories with ?s

• Memory M Modeled as Function
• M(a) Value at location a
• Initially
• Arbitrary state
• Modeled by uninterpreted function m0

35
UCLID Operation
file.ucl
CLU Formula
Model Specification
Lambda Expansion
?-free Formula
Function Predicate Elimination
Term Formula
Finite Instantiation
Boolean Formula
Boolean Satisfiability
36
Step 3 Finite Instantiation (2)
Encoding Value Classes
00
01
10
Final Encoding x
00bx y
00by gy
010
gx 100
37
Decision Procedure (recap)
CLU Formula Fclu
Lambda Expansion
?-free Formula, Fsubst
Function Predicate Elimination
Term Formula, Fconst
Finite Instantiation
Boolean Formula, Fprop

Boolean Satisfiability
SAT ? Fclu invalid UNSAT ? Fclu valid
38
Burch Dill

• Burch Dill, CAV 94
• Automatic decision procedure for the logic of
  Equality with Uninterpreted Function (EUF)
• Davis-Putnam enumeration
• Congruence closure to enforce functional
  consistency
• Verified single-issue DLX
• Used flushing as an abstraction function
• Simple 5-stage RISC pipeline
• Becomes less effective for more complex
  processors
• Burch, DAC 96, FMCAD 96
• Could not handle superscalar DLX with exceptions

39
Bryant Velev

• Based on work by Burch Dill
• Efficient Decision Procedure
• Use fragment of first-order logic that can be
  reduced to propositional logic
• Exploit the structure of terms which appear in
  positive contexts only
• Most terms in data-path appear only in positive
  contexts
• Then use efficient SAT procedures
• Specialized tool
• Only for modeling verifying pipelines
• Verified very advanced pipelines
• VLIW and superscalar pipelines with exceptions
• MCORE integer pipeline verification

40
Correctness of Pipeline
Qspec
Q?spec
Qpipe
Q?pipe

• Abstraction function Abs
• Relates state of pipeline to program state
• Result of completing partially-executed
  instructions
• Requirement
• Pipeline step dpipe matches k instruction
  executions dkspec
• For our pipeline k 1
• When pipeline stalls have k 0
• Superscalar pipelines can have k gt 1

41
Limitations

• Burch Dill
• The decision procedure was not powerful to verify
  formulas for superscalar processors with
  load-store, exceptions etc
• Manual case splits required to complete the
  verification
• Could not model unbounded resources
• A reorder buffer of arbitrary length
• Bryant Velev
• Could not model unbounded resources
• Logic is same as EUF, only efficient decision
  procedure
• No effective counterexample generation
• Specialized to model inorder pipelined processors
• No way to model parameterized Cache Coherence
  protocols

42
New Challenges

• Invariant Checking or Deductive verification
• To verify property p
• Discover the inductive invariant Inv
• Inv Holds in the initial state
• If Inv holds for an arbitrary state, Inv holds
  for the successor states
• Inv ? p
• Prove Inv(s) ? Inv(Nexts)
• Proving Inv ?x. Y(x) requires existential
  quantifiers
• ?x. Y(x) ? ?x. F(x)
• ?x. Y(x) V ?x. F(x)
• In general undecidable (no algorithm exist to
  check the validity)

43
Term-Level Verification Challenges

• Right now, modeling capability exceeds what we
  can verify.
• Model Checking
• Need to detect convergence
• Have reached most general state
• Difficult algorithm
• In general, may never converge
• E.g., when start with empty buffers
• Invariant Checking
• Tedious to construct manually
• Negating antecedent requires existential
  quantifiers
• Can instantiate automatically in some cases
• Symbolic Simulation
• Cannot, in general, flush unbounded buffers

44
Verification Case Studies

• Simple out-of-order processor unit
• Load-store unit of Motorola ELF processor
• Cache coherence protocol
• Alternating bit protocol

45
Results Out-of-order Processor Verification

• A simple out-of-order execution engine (OOO)
• Abstract model of OOO execution unit
• Unbounded retirement buffer
• Arbitrary size data
• Infinite memory size
• Arithmetic instructions only
• Register renaming
• Close to Intel Pentium Pro out-of-order engine
• Verification
• Bounded property checking for completely
  automatic state space exploration (Refutation)
• Refinement between the out-of-order model and
  ISA model shown by deductive verification
  (Verification)
• All the proofs of invariants were automatically
  proved using UCLID
• In submission to Formal Methods in Computer-Aided
  Design 2002

46
Industrial Application Modeling Motorola ELF
Processor

• Modeling
• 5 stage pipeline
• Memory instructions
• Out-of-order execution, inorder retirement
• Pipelined load-store unit
• Memory part was about 20K lines
• Modeled compactly within 1K lines of UCLID
• Verification
• Bounded property checking with the ISA model
• Decision procedure allows a much larger automatic
  state space exploration

47
Industrial Application Motorola ELF Processor

• 32-bit Dual issue with 64 GPRs
• 5 stage pipeline
• Out-of-order issue, inorder completion of up to 2
  instructions
• Load/Store unit
• 3-cycle load latency
• Fully pipelined
• Load queue for loads that miss in cache
• Store queue for retiring store instruction
• Other buffers to hide cache miss latency

48
Modeling Motorola ELF Processor

• Modeled
• Memory instructions and load/store unit
• Most complicated of all the execution units
• Register Renaming
• Completion buffer for serialization and inorder
  retirement
• Method
• Manually translated 20,000 lines of Verilog into
  1,000 lines of UCLID
• Summer intern project
• Some work at Michigan on automatic translation
• Verification
• Bounded property checking with the ISA model
• Decision procedure allows a much larger automatic
  state space exploration

49
Ongoing and Future Work

• Verification case studies
• General out-of-order execution unit (with
  different instruction types, load-store unit,
  exceptions)
• Need more support for Invariant Checking
• Decision procedure enhancements
• Using decision procedure for separation theory,
  and even linear arithmetic Ofer Strichmans
  work
• Using pseudo-boolean constraint solver (0-1
  integer programming-like problem) U.Mich.
• More detailed benchmarking
• Combining with Boolean Model Checking w/ Ken
  McMillan
• Use to generate predicates for predicate
  abstraction