Convergence Testing in Termlevel Bounded Model Checking Randal
Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant Shuvendu K. Lahiri Sanjit A. Seshia Carnegie Mellon University
Term-level modeling : Abstracting Data x 0 x 1 x 2 x xn-1 View Data as Symbolic “Terms” n Arbitrary integers l Verification proves correctness of design for all possible word sizes n n Can store in memories & registers Can select with multiplexors l ITE: If-Then-Else operation p x y – 2– 1 0 ITE(p, x, y) T x y 1 0 x F x y 1 0 y
Term-level modeling: Abstraction Via Uninterpreted Functions ALU f For any Block that Transforms or Evaluates Data: n Replace with generic, unspecified function n Only assumed property is functional consistency: a = x b = y f (a, b) = f (x, y) – 3–
Motivation Model Checking expressive systems n Unbounded Integers, unbounded arrays n Infinite state space In general, undecidable n n n Can express 2 -counter systems Systems do not converge Convergence detection undecidable Interesting systems which converge n Pipelined processors l [Hojati, Isles, Brayton], l Multiway Decision Graphs (MDG) n – 4– Procedures to detect convergence
Outline slide Background l CLU l example Formal definition of convergence Technique Results Conclusions – 5–
CLU : Logic of UCLID Terms (T ) Integer Expressions ITE(F, T 1, T 2) If-then-else Fun (T 1, …, Tk) Function application succ (T) Increment pred (T) Decrement Formulas (F ) Boolean Expressions F, F 1 F 2 Boolean connectives T 1 = T 2 Equation T 1 < T 2 Inequality P(T 1, …, Tk) Predicate application Functions (Fun) Integers Integer f Uninterpreted function symbol x 1, …, xk. T Function definition Predicates (P) Integers Boolean p Uninterpreted predicate symbol x 1, …, xk. F Predicate definition – 6–
Modeling Memories with ’s Memory M Modeled as Function a Writing Transforms Memory n M = Write(M, wa, wd) M wa M = n M(a): Value at location a a wd M n n – 7– 1 0 a. ITE(a = wa, wd, M(a)) Future reads of address wa will get wd
Other modeling capabilities Other Memories n Content-addressable memories n Simultaneous-update memories l Arbitrary subset of entries can be modified in a step Ordered data structures n Queues, Stacks Limited Set operations n Addition, deletion, empty-check, membership Systems modeled n n – 8– Out-of-order processors Parameterized cache-coherence protocols, distributed protocols
Example Symbols n V = {x : INT, y : INT, b : BOOL} # state variables n K={f} # system parameters n I = {a} # initial state symbols Initial States n n n – 9– q 0 x = a q 0 y = a q 0 b = true Next State n n n x y b = ITE(b, f(x), x) = ITE(b, y, f(y)) = b
Example Symbols Execution n V = {x : INT, y : INT, b : BOOL} Step b x n K={f} 0 true a n I = {a} Initial States n n n q 0 x = a q 0 y = a q 0 b = true Next State n n n – 10 – x y b = ITE(b, f(x), x) = ITE(b, y, f(y)) = b y a 1 false f(a) a 2 true f(a) 3 false f(f(a)) f(a) 4 true f(a) f(f(a)) Property b x=y?
Example : convergence Execution Alternate Execution Step b x y 0 true a a 0 true a’ a’ 1 false f(a) a 1 false f(a’) a’ 2 true f(a) 2 true f(a’) 3 false f(f(a)) f(a) 3 false f(f(a’)) f(a’) 4 true – 11 – f(a) f(f(a)) f(a’) f(f(a’))
Example : convergence Execution Alternate Execution Step b x y 0 true a a 0 true a’ a’ 1 false f(a) a 1 false f(a’) a’ 2 true f(a) 2 true f(a’) 3 false f(f(a)) f(a) 3 false f(f(a’)) f(a’) 4 true – 12 – f(a) f(f(a)) f(a’) f(f(a’))
Example : convergence Execution Alternate Execution true f(a) a’ a’ subsumes Substitution/Matching n (true) true n ( a’) f(a) – 13 –
Example : convergence Execution Step b x y 0 a a true 1 false f(a) a 2 true f(a) 3 false f(f(a)) f(a) 4 true – 14 – f(a) f(f(a)) Reachable States Implies b x=y?
Contributions New formal definition of convergence for term-level models n Based on symbolic simulation A sound algorithm to detect convergence n n Dealing with Function State Variables Based on a translation to Quantified Separation Formula Preliminary Experimental Results n 3 -stage pipeline processor Related work Conclusion and Future work – 15 –
System Model (w/o inputs) Symbols n State Variables ( V ) n Initial State Symbols ( I ) n Parameters ( K ) Initial State q 0 n q 0 a n : one for each state element a V Expression over I Transition Function n a n : one for each state element a V Expression over V K l Does not depend on the initial state symbols (I) – 16 –
Symbolic Simulation Symbolic state expression si n Expression after “i” steps of symbolic simulation n Contains sai for each of the state elements a V n e. g. {x f(a), y a, b false} Obtaining the expression for next state sai+1 n – 17 – a[si/V] Substitute the expression for sai in place of a V
Definitions Interpretation X n Assigns values to each symbol in X Evaluation n X e evaluates e with respect to X State of the system n An interpretation to the state elements a V l Boolean state elements assigned true/false l Integers state elements assigned integer values l Function state elements assigned a function from integers to integer l Predicate state elements assigned a function from integers to true/false Given I , n – 18 – K I. K si represents a state
k-Convergence The system is “k-convergent” if: n For every interpretation I of initial state symbol, and K the parameter symbols, there exists a step i k and an of alternate interpretation I of initial state symbols, such that I. K si = I. K sk+1 Theorem : If a system is k-convergent, then no new states are discovered after k steps of symbolic simulation. Proof exploits the facts n – 19 – Transition relation independent of initial state symbols
k-Convergence The system is “k-convergent” if: n For every interpretation I of initial state symbol, and K of the parameter symbols, there exists a step i k and an alternate interpretation I of initial state symbols, such that I. K si = I. K sk+1 Formulation n Introduce I’ : set of symbols for alternate initial state symbols n Obtain ri by symbolic simulation with symbols in I’ n Check for validity K I I’ [ i k – 20 – ri = sk+1]
k-Convergence Formulation n Introduce I’ : set of symbols for alternate initial state symbols n Obtain ri by symbolic simulation with symbols in I’ n Check for validity K I I’ [ i k ri = sk+1] Comparing States ri and sk+1 n Compare each state element a V point-wise ri – 21 – = sk+1 [ a V rai = sak+1 ]
Example: Adding function state Symbols n V = {x : INT, y : INT, b : BOOL, m : INT } n K = {f} n I = {a, m 0} Initial States n n – 22 – q 0 x q 0 y q 0 b q 0 m = = a a true m 0 Next State n n x y b m = = ITE(b, f(x), x) ITE(b, y, f(y)) b i. ITE(b i=x, y, m(i))
Example : convergence Execution Step b 0 Step b x true a’ y m a’ m 0’ x y m 0 true a a m 0 1 false f(a) a i. ITE(i=a, a, m 0(i)) 2 true f(a) i. ITE(i=a, a, m 0(i)) 3 false f(f(a)) f(a) i. ITE(i=f(a), ITE(i=a, a, m 0(i))) – 23 –
Example : convergence Checking Convergence true a’ a’ m 0’ f a m 0 a’ m 0’ [a’ = f(a) m 0’ = ( i. ITE(i=a, a, m 0(i)))] true f(a) – 24 – f(a) i. ITE(i=a, a, m 0(i))
Handling function state variables Second order equations n Comparing a function state element in two states F = G z. F(z) = G(z) New Quantifier Structure K I I’ [ i k K I I’ Z ri = sk+1] [ i k ri(Z) = sk+1(Z)] Eliminate z from the equation n Generate constraints and rewrite Source of Incompleteness (1) n n – 25 – Rewrite rules not complete Complete for random-access memories
Deciding Second-Order formulas with One Quantifier Alternation Second-Order formula n K I I’ n is quantifier-free CLU formula l All equations are first order now n Obtained after eliminating Z General form n A B l A K I l B I’ – 26 –
Handling First order equations General form n A B n Undecidable Provide a sound translation to a decidable fragment n Option 1 : Translate to Quantified Separation Formula l Decidable fragment of first-order logic with quantifiers n Option 2 : Remove the quantifiers from the formula l All symbols are universally quantified Source of Incompleteness (2) – 27 –
Handling First order equations General form n A B n Undecidable Provide a sound translation to a decidable fragment n Option 1 : Translate to Quantified Separation Formula l Decidable fragment of first-order logic with quantifiers n Option 2 : Remove the quantifiers from the formula l All symbols are universally quantified Source of Incompleteness (2) – 28 –
Option 1: Normal Form Function applications pushed through ITE n f(ITE(x, y, z)) ITE(x, f(y), f(z)) Eliminate the ITE constructs n ITE(x, y, z) = ITE(x’, y’, z’) (x x’ y=y’) (x x’ y=z’) ( x x’ z=y’) Atomic Expressions (atoms) Expressions with no Boolean operators ( , f(g(x)+1)+5, p(f(y)), x = y, … n – 29 – , )
Sound Translation of A B 1. ’ Obtain a normal form of l F f, y x [ (x=f(x)) y = f(f(y))] A B 2. Obtain a topological ordering g 1, …, gn of “atomic” function/predicate applications vi n Move applications of A as much to the left gi x x l y, f(y), f(f(y)), x, f(x) y y f(y) fy 3. ” Replace gi by vi in ’ f(f(y)) ffy l ” [ (x=fx) y = ffy] f(x) fx – 30 –
Sound Translation of A B 4. Get Ackerman’s constraints for gi h(x), gj h(y) l C (x = y vi = vj ) 1. y = fy = ffy 2. y = x 3. fy = fx fy = x ffy = fx 5. Construct CA, CB n n – 31 – A then CA C CA If h B then CB C CB If h gi vi x x y y f(y) fy f(f(y)) ffy f(x) fx CA (1) (2) (3) CB true
Sound Translation of A B 6. s Q 1 v 1 … Qn vn [CA (CB ”) ] n Qi , if top-func-symbol(gi) A , otherwise s y, ffy x fx [(y = fy = ffy y = x fy = fx fy = x ffy = fx) ( (x=fx) y = ffy)] The above formula is valid – 32 –
Sound Translation to QSL Original formula n A B New formula n s Q 1 v 1 … Qn vn [CA (CB ”)] Theorem: If s is valid then ( A B )is valid s is a formula in Quantified Separation Logic (QSL) n Terms are x, y, z Atomic formulas are : x y + c n Boolean Connectives: n Quantifiers: , n – 33 – , ,
Quantified Separation Logic (QSL) Decision procedures for QSL – 34 – n Difference Decision Diagrams (DDD): Möller, CADE 02 n Using Boolean Methods : Seshia and Bryant, CAV 03
3 -stage DLX pipeline (CMU-ISA) Pipelined processor model n 3 -stage (Fetch-Decode, Execute, Write-back) l Stalling, forwarding n Boolean state elements l Read/write enables, op-code etc. n Integer state elements l Register identifiers, data value, program counter n Function state elements l Unbounded Register file n Uninterpreted function symbols l ALU, initial state of register file Checking equivalence with an ISA model n Contains user visible state elements l Program counter, register file l Same uninterpreted function for ALU, initial state of register file – 35 –
Results Complexity of QSF formula for 3 steps of simulation n 43 integer variables 6 quantifier alternations n ~800 nodes in the DAG for the formula n BDD-Based, DDD-based n > 1 GB QBF-Based [Quaffle, QBF, …] n Times out SAT Based Quantifier Elimination n Too many enumerations Verified a simplified model n n – 36 – Remove some state elements or 1 pipeline stage BDD-based approach finishes in less than 10 s
Related Work Hojati, Isles and Brayton, CAV ’ 98 n Generates reachable states for the Boolean part of the state n Less expressive logic (no , no ordered structures) Use a syntactic convergence test n l Subsumed by our semantic criteria Multiway decision graphs, FMSD ‘ 97 n n – 37 – BDD-like canonical data structures with terms Does not handle function state variables Starts from a general initial state for termination Can handle first order temporal logic queries
Conclusions and Future Directions Convergence checking n n New formulation Based on reduction to QSL Application to theorem proving n Proving Second order formulas with 1 quantifier alternation Computationally expensive n Large number of quantifier alternations Relax functional consistency across different steps n Fewer constraints, simpler formula Use “matching” to reduce to Boolean formula n n n – 38 – QBF solvers are not mature Similar to quantifier instantiation Instantiate second order function variables
Questions – 39 –
Conclusions Provided a convergence definition Computationally expensive n – 40 – Translation to QSF/QBF
Example Symbols n X = { x : INT, y : INT, m : BOOL } # state variables n K={f, a} I ={} n Initial States n n n q 0 x = a q 0 y = a q 0 m = true Next State n x y = ITE(m, f(x), x) = ITE(m, y, f(y)) n m = m n – 41 – # system parameters # input symbols
Sound Translation of A B 1. ’ Obtain a normal form of 2. Obtain a topological ordering g 1, …, gn of “atomic” function/predicate applications 3. ” Replace gi by vi in ’ 4. Get Ackerman’s constraints for gi f(x), gj f(y) 1. C (x = y vi = vj ) 5. Construct CA, CB n If f A then CA C CA n If f B then CB C CB 6. s Q 1 v 1 … Qn vn [CA (CB ”) ] n Qi , if top-func-symbol(gi) A – 43 – , otherwise
Syntactic vs. Semantic – 44 –
- Slides: 43
