Formal Processor Verification - PowerPoint PPT Presentation

1 / 37

About This Presentation

Title:

Formal Processor Verification

Description:

Modeling Unbounded FIFO Buffer. Queue is Subrange of Infinite Sequence. Q.head = h ... Finite Model Property for CLU. Observation ... – PowerPoint PPT presentation

Number of Views:65

Avg rating:3.0/5.0

Slides: 38

Provided by: randa162

Category:

more less

Transcript and Presenter's Notes

Title: Formal Processor Verification

1
System Modeling and Verification with UCLID
http//www.cs.cmu.edu/uclid
Randal E. Bryant
http//www.cs.cmu.edu/bryant
Contributions by graduate students Sanjit
Seshia, Shuvendu Lahiri
2
UCLID Capabilities

System Models
Abstract representation of hardware
Express variety of memory structures
RAM, CAM, queues
Syntax inspired by SMV
Verification Techniques
Bounded property checking
Burch-Dill pipeline-ISA comparison
Invariant checking
Manually constructed invariants
Automatically generated invariants

3
EUF Equality with Uninterp. Functs

Decidable fragment of first order logic
Formulas (F ) Boolean Expressions
?F, F1 ? F2, F1 ? F2 Boolean connectives
T1 T2 Equation
P (T1, , Tk) Predicate application
Terms (T ) Integer Expressions
ITE(F, T1, T2) If-then-else
Fun (T1, , Tk) Function application
Functions (Fun) Integer ? Integer
f Uninterpreted function symbol
Read, Write Memory operations
Predicates (P) Integer ? Boolean
p Uninterpreted predicate symbol

4
Modeling Memories as Mutable Functions

Memory M Modeled as Function
M(a) Value at location a
Initially
Arbitrary state
Modeled by uninterpreted function m0

Writing Transforms Memory
M? Write(M, wa, wd)
? a . ITE(a wa, wd, M(a))
Future reads of address wa will get wd

5
Modeling Unbounded FIFO Buffer
Already Popped

Queue is Subrange of Infinite Sequence
Q.head h
Index of oldest element
Q.tail t
Index of insertion location
Q.val q
Function mapping indices to values
q(i) valid only when h ? i lt t
Required Operations
Increment head tail pointers
Compare head to tail (emptiness)

q(h2)
q(h1)
q(h)
head
q(h1)

increasing indices
q(t2)
q(t1)
tail
q(t)
q(t1)
Not Yet Inserted
6
Required Logic

Scalar Data Types
Formulas (F ) Boolean Expressions
Control signals
Terms (T ) Integer Expressions
Data values
Functional Data Types
Functions (Fun) Integer ? Integer
Immutable Functional units
Mutable Memories
Predicates (P) Integer ? Boolean
Immutable Data-dependent control
Mutable Bit-level memories

7
EUF ? CLU

Terms (T )
ITE(F, T1, T2) If-then-else
Fun (T1, , Tk) Function application
Formulas (F )
?F, F1 ? F2, F1 ? F2 Boolean connectives
T1 T2 Equation
P(T1, , Tk) Predicate application

8
EUF ? CLU (Cont.)

Functions (Fun)
f Uninterpreted function symbol
Read, Write Memory operations
Predicates (P)
p Uninterpreted predicate symbol

9
Finite Model Property for CLU
x ? y ? succ(x) gt pred(y)

Observation
Need to encode all possible relative orderings of
expressions
Each symbolic value has maximum range of
increments decrements
Can use Boolean encodings of small integer ranges

10
UCLID Operation
file.ucl
UCLID Formula
Model Specification
Lambda Expansion
?-free Formula
Function Predicate Elimination

Operation
Series of transformations leading to
propositional formula
Except for lambda expansion, each has polynomial
complexity

Term Formula
Finite Instantiation
Boolean Formula
Boolean Satisfiability
11
Counterexample Generation
Symbolic Simulation
Trace
Partial Interp. of Lambdas
Lambda Expansion
Partial Interpretation of UIFs
Function Predicate Elimination

Counterexample
trace showing value of each state variable on
each step.
Value of a lambda is a set of argument/value
pairs

Integer Assignment
Finite Instantiation
Boolean Assignment
Boolean Satisfiability
12
Verifying Safety Properties
Bad States
Reachable States
Reset States
Reset

Prove System will never reach bad state

13
Bounded Model Checking
Bad States
R2

Repeatedly Perform Image Computations
Set of all states reachable by one more state
transition
Easy to Implement
Underapproximation of Reachable State Set
But, typically catch most bugs with 810 steps

R1
Reset States
14
True Model Checking
Bad States
R2

Impractical for Term-Level Models
Many systems never reach fixed point
Can keep adding elements to buffer
Convergence test undecidable

R1
Reset States

Reach Fixed-Point
Rn Rn1 Reachable

15
Invariant Checking
Bad States
Reachable States
Reset States

Key Properties of System that Make it Operate
Correctly
Formulate as formula I
Prove Inductive
Holds initially I(s0)
Preserved by all state changes I(s) ? I(?(i, s))

16
An Out-of-order Processor (OOO)
valid tag val
D E C O D E
incr
dispatch
Program memory
valid value src1valid src1val src1tag src2valid sr
c2val src2tag dest op
result
PC
Register Rename Unit
1st Operand
result bus
retire
2nd Operand
ALU

Reorder Buffer
execute
head
tail
Reorder Buffer Fields

Data Dependencies Resolved by Register Renaming
Map register ID to instruction in reorder buffer
that will generate register value
Inorder Retirement Managed by Retirement Buffer
FIFO buffer keeping pending instructions in
program order

17
Verifying OOO

Lahiri, Seshia, Bryant, FMCAD 2002
Goal
Each step of OOO consistent with Instruction Set
Architecture (ISA) model
Challenges
OOO holds partially executed instructions in
reorder buffer
States of two systems match only when reorder
buffer flushed

18
Adding Shadow State

McMillan, 98
Arons Pnueli, 99
Provides Link Between ISA OOO Models
Additional entries in ROB
Do not affect OOO behavior
Generated when instruction dispatched
Predict values of operands and result
From ISA model

OOO
Reg. File
PC
Reorder Buffer
19
State Consistency Invariants

Tag Consistency invariants (2)
Instructions only depend on instruction preceding
in program order
Register Renaming invariants (2)
Tag in a rename-unit should be in the ROB, and
the destination register should match
?r.?reg.valid(r)? (rob.head ? reg.tag(r) lt
rob.tail ? rob.dest(reg.tag(r)) r )
For any entry, the destination should have
reg.valid as false and tag should contain this or
later instruction
?robt.(?reg.valid(rob.dest(t)) ?
t ? reg.tag(rob.dest(t)) lt rob.tail)

20
OOO Invariants

Split into Formulas I1, , In
Ij(s0) holds for any initial state s0, for 1 ? j
? n
I1(s) ? I2(s) ? ? In(s) ? Ij(s? ) for any
current state s and successor state s? for 1 ? j
? n
Invariants for OOO (13)
Refinement maps (2)
Show relation between ISA and OOO models
Shadow state (3)
Shadow values correctly predict OOO values
State consistency (8)
Properties of OOO state that ensure proper
operation
Overall Correctness
Follows by induction on time

21
Extending the OOO Processor

base
Executes ALU instructions only
exc
Handles arithmetic exceptions
Must flush reorder buffer
exc/br
Handles branches
Predicts branch speculatively executes along
path
exc/br/mem-simp
Adds load store instructions
Store commits as instruction retires
exc/br/mem
Stores held in buffer
Can commit later
Loads must scan buffer for matching addresses

22
Comparative Verification Effort
23
I Just Want a Loaf of Bread
Ingredients
Result
Recipe
24
Cooking with Invariants
Ingredients Predicates
rob.head ? reg.tag(r)
Recipe Invariants
?r,t.?reg.valid(r) ? reg.tag(r) t ?
(rob.head ? reg.tag(r) lt rob.tail ?
rob.dest(t) r )
reg.valid(r)
Result Correctness
reg.tag(r) t
rob.dest(t) r
25
Automatic Recipe Generation
Ingredients
Result
Recipe Creator

Want Something More
Given any set of ingredients
Generate best recipe possible

26
Automatic Predicate Abstraction

Graf Saïdi, CAV 97
Idea
Given set of predicates P1(s), , Pk(s)
Boolean formulas describing properties of system
state
View as abstraction mapping States ? 0,1k
Defines abstract FSM over state set 0,1k
Form of abstract interpretation
Do reachability analysis similar to symbolic
model checking
Prior Implementations
Very weak inference capabilities
Call theorem prover or decision procedure to test
each potential transition
Little support for quantified predicates

27
Abstract State Space
Abstraction
Concretization
Abstract States
Abstract States
Concrete States
Concrete States
28
Abstract State Machine
Abstract System
Concrete System

Transitions in abstract system mirror those in
concrete

29
Generating Concrete Invariant

Reach Fixed-Point on Abstract System
Termination guaranteed, since finite state
Equivalent to Computing Invariant for Concrete
System
Strongest possible invariant that can be
expressed by formula over these predicates

Abstract System
30
Conventional Implementation of P.A.

Basis
Abstract state sets described as formulas over
Boolean variables B b1, , bk
Current state given by formula ?(b1, , bk)
Check whether candidate state ?(b1, , bk) is
successor

?
?
Abstract System
Concrete System
Intersect?
31
Drawbacks of Conventional Implementation
Intersect?
?P/B
?P/B ? ?P/B?/S Satisfiable?
?P/B?/S

Very Slow
Guess at possible next state
Construct term-level formula and test for
satisfiability
Possibly 2k calls to decision procedure
Can Only Handle Proposition Predicates
Cannot construct quantified invariants

32
Symbolic Approach to P.A.

Lahiri, Bryant, Cook CAV 2003
Generate Quantified Formula Describing Next
Abstract State Set
Current state given by formula ?(B)
Generate formula ??(B) describing all successors

??
?
Abstract System
33
Symbolic Approach (cont.)

Transform into Quantified Boolean Formula
Formula of form Next(B) ? S, X ?(S, X, B)
S, X Integer and function variables
B Abstract state variables
Translate into Boolean formula of form ? A ?(A,
B)
A Boolean variables encoding integer function
values
Key Property
B ?(S, X, B) satisfiable B ?(A, B)
satisfiable
Solve using either SAT enumeration or BDD
quantification

34
Quantified Invariant Generation

Lahiri, Bryant, VMCAI 2004
User supplies predicates containing free
variables
Generate globally quantified invariant
Example
Predicates
p1 reg.valid(r)
p2 rob.dest(t) r
p3 reg.tag(r) t
Abstract state satisfying (p1 ? p2 ? ?p3)
corresponds to concrete state satisfying
?r,t?reg.valid(r) ? reg.tag(r) t
? rob.dest(t) r
rather than
?r?reg.valid(r) ? ?r,treg.tag(r) t ?
?r,trob.dest(t) r