Modeling and Verifying Systems using CLU Logic Randal

Modeling and Verifying Systems using CLU Logic Randal E. Bryant Shuvendu Lahiri Sanjit A. Seshia CS & ECE Departments Carnegie Mellon University 1

“Infinite-State” Systems 1. State variables of unbounded integer or unbounded integer array type 2. Systems with finite but very large or arbitrary size resources 1. Microprocessor memories, buffers 3. Parameterized systems 1. Cache protocols 4. Communication protocols with unbounded, lossy channels 2

Infinite-State Verification: Automation vs. Expressiveness General purpose techniques n Model checking (using abstraction) 1. Highly automated 2. Finding the right abstraction is hard 3. State space explosion 1. Theorem proving for first & higher order logics 1. Very expressive 2. Greater manual assistance needed Domain specific techniques: e. g. , n n Ø QDDs for communication protocols Logic of equality with uninterpreted functions (EUF) for pipelined processors Rely on specialized efficient data structures or decision procedures 3

Motivating Question How far can we generalize a domain specific technique, without losing efficiency? We focus on extending the EUF logic based approach that has worked well for pipelined processors 4

EUF: Equality with Uninterp. Functs n Decidable fragment of first order logic Formulas (F ) Boolean Expressions F, F 1 F 2 Boolean connectives T 1 = T 2 Equation P (T 1, …, Tk) Predicate application Terms (T ) Integer Expressions ITE(F, T 1, T 2) If-then-else Fun (T 1, …, Tk) Function application Functions (Fun) Integer f Uninterpreted function symbol Read, Write Memory operations Predicates (P) p Integer Boolean Uninterpreted predicate symbol 5

Modeling and Verification Approach 1. Model system at “term-level” 1. State variables evaluate to expressions in EUF logic 2. Correctness (safety) property is formula F in EUF 3. Check validity of F using decision procedure for EUF 1. F must be true under all interpretations of function/predicate symbols 6

Term-level Modeling in EUF View Data Word as “Terms” ( Integers ) x 0 x 1 x 2 x x y = xn-1 p x y 1 0 ITE(p, x, y) View functional blocks as uninterpreted functions ALU f ALU Functional consistency: a = x b = y f(a, b) = f(x, y) 7

Efficient Decision Procedure for EUF [Bryant, German, & Velev, CAV ’ 99] 1. Translate EUF formula to equivalent Boolean formula 2. “Small-Model Property” 1. Need to consider only finitely many interpretations of terms 3. “Positive Equality” 1. 2. Number of interpretations can be greatly reduced for some terms Equations appearing only under even # of negations assigned false 8

Our Contributions Generalize EUF to get CLU logic n Can model a richer set of systems Still retains the efficiency of Bryant-German-Velev decision procedure n n n ‘Small model property’ preserved Can exploit positive equality Efficient reduction to propositional logic UCLID verification tool n n n Supports different types of verification Highly automated Counterexample traces similar to model checkers 9

Outline for Rest of Talk § CLU logic § § Definition Modeling systems in CLU § The UCLID verifier § Decision procedure § § An example Benchmarking § Counterexample generation § Conclusions 10

The CLU Logic Counter Arithmetic, Lambda Expressions, and Uninterpreted Functions Generalization of EUF Four types of expressions: § § Functions, Predicates, Terms, (Boolean) Formulas 11

EUF CLU Terms (T ) ITE(F, T 1, T 2) If-then-else Fun (T 1, …, Tk) Function application succ (T) Increment pred (T) Decrement Formulas (F ) F, F 1 F 2 Boolean connectives T 1 = T 2 Equation P(T 1, …, Tk) Predicate application T 1 < T 2 Inequality 12

EUF CLU (Cont. ) Functions (Fun) f Uninterpreted function symbol Read, Write Memory operations x 1, …, xk. T Function lambda expression Predicates (P) p Uninterpreted predicate symbol x 1, …, xk. F Predicate lambda expression • Arguments can only be terms • Lambdas are just mutable arrays 13

Modeling with CLU Memories n Contents represented by lambda n Defines function mapping addresses to data values Unbounded and Bounded Queues n n Use counters to indicate head and tail Lambda to indicate buffer contents Unbounded arrays of identical processes n n Lambda for each state variable Indexed by process ID 14

Modeling Unbounded FIFO Buffer Queue is Subrange of Infinite Sequence Q. head = h Q. tail = t l Index of insertion location n q(h– 1) head q(h+1) Q. val = q • • • l Function mapping indices to values l q(i) valid only when h i < t q(t– 2) Initial State: Arbitrary Queue n Q. head = h 0, Q. tail = t 0 l Impose constraint that h 0 t 0 n Q. val = q 0 l Uninterpreted function q(h) q(t– 1) tail increasing indices n Already Popped q(h– 2) l Index of oldest element q(t) q(t+1) • • • n • • • Not Yet Inserted 15

Modeling FIFO Buffer (cont. ) next[t] : = ITE(operation = PUSH, succ(t), t) next[q] : = (i). ITE((operation = PUSH & i=t), x, q(i)) t • • • q(h– 2) q(h– 1) q(h) next[h] q(h) q(h+1) • • • q(t– 2) q(t– 1) q(t) x q(t+1) • • • h • • • next[t] q(t+1) • • • next[h] : = ITE(operation = POP, succ(h), h) op = PUSH Input = x 16

Sample Application of Modeling Out-of-Order Execution Unit n Unbounded Register File -- Memory n Reorder Buffer – Queue, Content-addressable memory Register File Reg. Value Reorder Buffer Tag • • • V/T bit Reg ID Retire Dispatch 17

UCLID § Verification tool for systems in CLU logic § Based on symbolic simulation and the decision procedure § Generates counterexamples 18

UCLID Operation file. ucl Model + Specification Symbolic Simulation CLU Formula Decision Procedure Valid Invalid + Counterexample 19

Verification Techniques in UCLID Bounded Property Checking n n n Start in reset state Symbolically simulate for fixed number of steps Verify safety property for all states reachable within the fixed number of steps from the start state Invariant Checking n n Start in general state s Simulate one step Prove Inv(s) Inv(Next[s]) Limited support for automatic quantifier elimination Correspondence Checking n n Run 2 different simulations starting in most general state Prove that final states equivalent 20

Sample Case Studies 1. Simple out-of-order processor unit 1. 2. ALU instructions, unbounded resources, register renaming Performed inductive invariant checking to check refinement between OOO model and ISA 2. Load-store unit of Motorola ELF processor 1. Memory instructions, register renaming, completion buffer 2. 20 K lines of Verilog manually translated to 1 K lines of UCLID Large state space: About 150 total state variables, 80 of integer type Performed bounded property checking 3. 4. 21

The Decision Problem CLU Formula Fclu Decision Procedure Valid Invalid 22

Decision Procedure CLU Formula Fclu Lambda Expansion Operation n n Series of transformations leading to propositional formula Propositional formula checked with BDD or SAT tools -free Formula, Fsubst Function & Predicate Elimination Term Formula, Fconst Finite Instantiation Boolean Formula, Fprop ¬ Boolean Satisfiability SAT Fclu invalid UNSAT Fclu valid 23

An Example Fclu is = a. ITE(a>y, succ(g(y)), succ(g(a))) x a. succ(ITE(a>y, g(y), g(a))) x 24

Step 1: Lambda substitution = a. ITE(a>y, succ(g(y)), succ(g(a))) x a. succ(ITE(a>y, g(y), g(a))) x Fsubst is = ITE(x>y, succ(g(y)), succ(g(x))) succ(ITE(x>y, g(y), g(x))) 25

Step 2: Function elimination = ITE(x>y, succ(g(y)), succ(g(x))) succ(ITE(x>y, g(y), g(x))) P-function symbols: {g} G-function symbols: {x, y} Fconst is ITE(x>y, succ(gy), succ( ITE(x=y, gx) )) = succ(ITE(x>y, gy, ITE(x=y, gx) )) P-variables: {gx, gy} G-variables: {x, y} 26

Step 3: Finite Instantiation (1) ‘Small-Model’ Property: Sufficient to interpret variables over finite domains = ITE(x>y, succ(gy), succ(gx)) P-variables: {gy, gx} G-variables: {x, y} succ(ITE(x>y, gy, ITE(x=y, gx))) 1. P-variables get distinct values 2. G-variables can get same value if 3. there’s a potential comparison Value Classes: x, y gy gx 27

Step 3: Finite Instantiation (2) x, y gy gx Number of values: 2 values 1 value, + 1 for succ(gy) 1 value, + 1 for succ(gx) Values assigned: {0, 1} {2, 3} {4, 5} Final Boolean Encoding: x y gy gx {0, 1} 2 4 00 bx 00 by 010 100 Generate Boolean Formula Fprop (Using bit-level encoding of arithmetic ops) 28

Theoretical Formula Blowup If -free formula Fsubst has size N Then final Boolean formula Fprop is O((N + M 2 + P 2) lg N) where M= #(function applications) P= #(predicate applications) In practice, O(N lg N) observed. 29

Decision Procedure Benchmarking Compared against Stanford Validity Checker (SVC) • Decides CLU + real linear arith. + bit-vector arith. UCLID uses the Chaff SAT solver for Boolean SAT • Time includes translation time + Chaff time Model Out-of-order execution unit Elf™ processor Term formula DAG size Prop formula DAG size UCLID time (s) SVC time (s) 735 3658 4. 8 3. 0 1970 13755 18. 3 102. 4 3929 37179 61. 9 4257. 3 218 942 1. 2 10. 9 1085 4481 8. 4 1851. 6 2467 16453 30. 6 > 1 day 4553 54288 111. 0 > 1 day 30

Impact of Positive Equality Model Out-of-order Term formula size UCLID w/ p -eq. (s) UCLID w/o peq. (s) 735 4. 78 9. 79 1970 18. 29 37. 71 3929 61. 90 149. 46 Cache 1829 6. 29 26. 50 Protocol 2782 16. 13 165. 91 3939 61. 08 > 1 hr 639 13. 22 1897 execution unit DLX pipeline Positive equality can still be exploited to improve performance 31

Trace Symbolic Simulation Counterexample Generation Partial Interp. of Lambdas Lambda Expansion Counterexample n n Trace showing value of each state variable on each step. “Value” of a lambda is a set of argument/value pairs Partial Interpretation of UIFs Function & Predicate Elimination Integer Assignment Finite Instantiation Boolean Assignment Boolean Satisfiability 32

Conclusions 1. Contributions 1. Modeling capability of CLU 2. Efficient decision procedure 1. Builds on recent advances in Boolean SAT 3. Verification techniques in UCLID 1. Counterexample generation 2. Ongoing work 1. Decision procedure variants: 1. Encoding separation predicates [Strichman et al. CAV’ 02] 2. Using pseudo-Boolean constraint solver 2. Other case studies 1. MIPS processor 3. Some support for instantiating quantifiers 33