1 / 33

CS & ECE Departments Carnegie Mellon University

Modeling and Verifying Systems using CLU Logic. Randal E. Bryant Shuvendu Lahiri Sanjit A. Seshia. CS & ECE Departments Carnegie Mellon University. “Infinite-State” Systems. State variables of unbounded integer or unbounded integer array type

vianca
Download Presentation

CS & ECE Departments Carnegie Mellon University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modeling and Verifying Systems using CLU Logic Randal E. Bryant Shuvendu Lahiri Sanjit A. Seshia CS & ECE Departments Carnegie Mellon University

  2. “Infinite-State” Systems • State variables of unbounded integer or unbounded integer array type • Systems with finite but very large or arbitrary size resources • Microprocessor memories, buffers • Parameterized systems • Cache protocols • Communication protocols with unbounded, lossy channels

  3. Infinite-State Verification:Automation vs. Expressiveness • General purpose techniques • Model checking (using abstraction) • Highly automated • Finding the right abstraction is hard • State space explosion • Theorem proving for first & higher order logics • Very expressive • Greater manual assistance needed • Domain specific techniques: e.g., • QDDs for communication protocols • Logic of equality with uninterpreted functions (EUF) for pipelined processors • Rely on specialized efficient data structures or decision procedures

  4. Motivating Question • How far can we generalize a domain specific technique, without losing efficiency? • We focus on extending the EUF logic based approach that has worked well for pipelined processors

  5. EUF: Equality with Uninterp. Functs • Decidable fragment of first order logic • Formulas (F ) Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation P (T1, …, Tk) Predicate application • Terms (T ) Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application • Functions (Fun) Integer  Integer f Uninterpreted function symbol Read, Write Memory operations • Predicates (P) Integer  Boolean p Uninterpreted predicate symbol

  6. Modeling and Verification Approach • Model system at “term-level” • State variables evaluate to expressions in EUF logic • Correctness (safety) property is formula F in EUF • Check validity of F using decision procedure for EUF • F must be true under all interpretations of function/predicate symbols

  7. x0 x1 x y x2 x  = xn-1 ALU ALU f p x 1 0 ITE(p, x, y) y Term-level Modeling in EUF • View Data Word as “Terms” ( Integers ) View functional blocks as uninterpreted functions  Functional consistency: a = x b = y f(a, b) = f(x, y)

  8. Efficient Decision Procedure for EUF • [Bryant, German, & Velev, CAV ’99] • Translate EUF formula to equivalent Boolean formula • “Small-Model Property” • Need to consider only finitely many interpretations of terms • “Positive Equality” • Number of interpretations can be greatly reduced for some terms • Equations appearing only under even # of negations assigned false

  9. Our Contributions • Generalize EUF to get CLU logic • Can model a richer set of systems • Still retains the efficiency of Bryant-German-Velev decision procedure • ‘Small model property’ preserved • Can exploit positive equality • Efficient reduction to propositional logic • UCLID verification tool • Supports different types of verification • Highly automated • Counterexample traces similar to model checkers

  10. Outline for Rest of Talk • CLU logic • Definition • Modeling systems in CLU • The UCLID verifier • Decision procedure • An example • Benchmarking • Counterexample generation • Conclusions

  11. The CLU Logic Counter Arithmetic, Lambda Expressions, and Uninterpreted Functions Generalization of EUF Four types of expressions: • Functions, • Predicates, • Terms, • (Boolean) Formulas

  12. succ (T) Increment pred (T) Decrement T1 < T2 Inequality EUF  CLU • Terms (T ) ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application • Formulas (F ) F, F1F2, F1F2 Boolean connectives T1 = T2 Equation P(T1, …, Tk) Predicate application

  13.  x1, …, xk . T Function lambda expression  x1, …, xk . F Predicate lambda expression • Arguments can only be terms • Lambdas are just mutable arrays EUF  CLU (Cont.) • Functions (Fun) f Uninterpreted function symbol Read, Write Memory operations • Predicates (P) p Uninterpreted predicate symbol

  14. Modeling with CLU • Memories • Contents represented by lambda • Defines function mapping addresses to data values • Unbounded and Bounded Queues • Use counters to indicate head and tail • Lambda to indicate buffer contents • Unbounded arrays of identical processes • Lambda for each state variable • Indexed by process ID

  15. • • • • • Modeling Unbounded FIFO Buffer Already Popped • Queue is Subrange of Infinite Sequence • Q.head = h • Index of oldest element • Q.tail = t • Index of insertion location • Q.val = q • Function mapping indices to values • q(i) valid only when hi < t • Initial State: Arbitrary Queue • Q.head = h0, Q.tail = t0 • Impose constraint that h0 t0 • Q.val = q0 • Uninterpreted function q(h–2) q(h–1) head q(h) q(h+1) • • • increasing indices q(t–2) q(t–1) tail q(t) q(t+1) Not Yet Inserted

  16. op = PUSH Input = x • • • next[h] := ITE(operation = POP, succ(h), h) • • • • • • q(h–2) q(h–2) q(h–1) q(h–1) next[h] q(h) q(h) h q(h+1) q(h+1) next[t] := ITE(operation = PUSH, succ(t), t) • • • • • • q(t–2) q(t–2) q(t–1) q(t–1) next[q] :=  (i). ITE((operation = PUSH & i=t), x, q(i)) t q(t) x next[t] q(t+1) q(t+1) • • • Modeling FIFO Buffer (cont.)

  17. Register File Reg. Value Tag Reorder Buffer V/T bit • • • Reg ID Retire Dispatch Sample Application of Modeling • Out-of-Order Execution Unit • Unbounded Register File -- Memory • Reorder Buffer – Queue, Content-addressable memory

  18. UCLID • Verification tool for systems in CLU logic • Based on symbolic simulation and the decision procedure • Generates counterexamples

  19. UCLID Operation CLU Formula Symbolic Simulation Decision Procedure file.ucl Model + Specification Invalid + Counterexample Valid

  20. Verification Techniques in UCLID • Bounded Property Checking • Start in reset state • Symbolically simulate for fixed number of steps • Verify safety property for all states reachable within the fixed number of steps from the start state • Invariant Checking • Start in general state s • Simulate one step • Prove Inv(s)  Inv(Next[s]) • Limited support for automatic quantifier elimination • Correspondence Checking • Run 2 different simulations starting in most general state • Prove that final states equivalent

  21. Sample Case Studies • Simple out-of-order processor unit • ALU instructions, unbounded resources, register renaming • Performed inductive invariant checking to check refinement between OOO model and ISA • Load-store unit of Motorola ELF processor • Memory instructions, register renaming, completion buffer • 20K lines of Verilog manually translated to 1K lines of UCLID • Large state space: About 150 total state variables, 80 of integer type • Performed bounded property checking

  22. The Decision Problem CLU Formula Fclu Decision Procedure Valid Invalid

  23. Decision Procedure CLU Formula Fclu Lambda Expansion -free Formula, Fsubst • Operation • Series of transformations leading to propositional formula • Propositional formula checked with BDD or SAT tools Function & Predicate Elimination Term Formula, Fconst Finite Instantiation Boolean Formula, Fprop ¬ Boolean Satisfiability SAT  Fclu invalid UNSAT  Fclu valid

  24. An Example Fclu is a. ITE(a>y, succ(g(y)), succ(g(a))) x = a. succ(ITE(a>y, g(y), g(a))) x

  25. Step 1: Lambda substitution a. ITE(a>y, succ(g(y)), succ(g(a))) x = a. succ(ITE(a>y, g(y), g(a))) x Fsubst is ITE(x>y, succ(g(y)), succ(g(x))) = succ(ITE(x>y, g(y), g(x)))

  26. Fconst is ITE(x>y, succ(gy), = succ(ITE(x>y, gy, succ( ITE(x=y, gy, gx) )) ITE(x=y, gy, gx) )) Step 2: Function elimination ITE(x>y, succ(g(y)), succ(g(x))) = succ(ITE(x>y, g(y), g(x))) P-function symbols: {g} G-function symbols: {x,y} P-variables: {gx, gy} G-variables: {x, y}

  27. P-variables: {gy, gx} G-variables: {x, y} • P-variables get distinct values • G-variables can get same value if • there’s a potential comparison Value Classes: x,y gy gx Step 3: Finite Instantiation (1) ‘Small-Model’ Property: Sufficient to interpret variables over finite domains ITE(x>y, succ(gy), succ(gx)) = succ(ITE(x>y, gy, ITE(x=y, gy, gx)))

  28. 1 value, + 1 for succ(gy) 1 value, + 1 for succ(gx) 2 values Values assigned: {0,1} {2,3} {4,5} Final Boolean Encoding: x {0,1} 00bx y {0,1} 00by gy 2 010 gx 4 100 Generate Boolean Formula Fprop (Using bit-level encoding of arithmetic ops) x,y gy gx Step 3: Finite Instantiation (2) Number of values:

  29. Theoretical Formula Blowup • If -free formula Fsubst has size N • Then final Boolean formula Fprop is • O((N + M2 + P2) lg N) • where M= #(function applications) • P= #(predicate applications) • In practice, O(N lg N) observed.

  30. Decision Procedure Benchmarking • Compared against Stanford Validity Checker (SVC) • Decides CLU + real linear arith. + bit-vector arith. • UCLID uses the Chaff SAT solver for Boolean SAT • Time includes translation time + Chaff time

  31. Impact of Positive Equality Positive equality can still be exploited to improve performance

  32. Counterexample Generation Symbolic Simulation Trace Partial Interp. of Lambdas • Counterexample • Trace showing value of each state variable on each step. • “Value” of a lambda is a set of argument/value pairs Lambda Expansion Partial Interpretation of UIFs Function & Predicate Elimination Integer Assignment Finite Instantiation Boolean Assignment Boolean Satisfiability

  33. Conclusions • Contributions • Modeling capability of CLU • Efficient decision procedure • Builds on recent advances in Boolean SAT • Verification techniques in UCLID • Counterexample generation • Ongoing work • Decision procedure variants: • Encoding separation predicates [Strichman et al. CAV’02] • Using pseudo-Boolean constraint solver • Other case studies • MIPS processor • Some support for instantiating quantifiers

More Related