Formal Verification of Pipelined Processors

About This Presentation

Title:

Formal Verification of Pipelined Processors

Description:

Formally verify hardware and software systems. Build on success in verifying ... Air Bag Controller. Speedometer. Reading. Accelerometer. Reading. Deploy! 4 ... – PowerPoint PPT presentation

Number of Views:53

Avg rating:3.0/5.0

Slides: 67

Provided by: RandalE9

Learn more at: http://www.cs.cmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Formal Verification of Pipelined Processors

1
Formal Verification of Infinite-State
Systems Using Boolean Methods
Randal E. Bryant
Carnegie Mellon University
http//www.cs.cmu.edu/bryant
Contributions by graduate students Sanjit
Seshia, Shuvendu Lahiri
2
Outline

Task
Formally verify hardware and software systems
Build on success in verifying finite models
Infinite-State Models
Need logic that is suitably expressive, yet
remains reasonably tractable
Verification Techniques
Solve problems by mapping into propositional
logic
Proof engines can use powerful Boolean methods
Different levels of automation and capacity

3
Truly Infinite-State Systems

Systems where want to model real-world values
(temperature, speed, ...)
Hybrid systems
Very difficult to verify
Systems with real-valued time constraints
E.g., timed automata
Somewhat easier to verify, since all clocks move
at same rate

4
Theoretically Infinite-State Systems

Systems with unbounded buffers
Even though cant really build one

In Use

tail
head
5
Arbitrarily Large Finite-State Systems

Synchronization protocol that should work for
arbitrary number of processes
Verify for arbitrary N
Circular buffer with fixed, but arbitrary
capacity
Verify for arbitrary value of Max

In Use

tail
6
Very Large Finite-State Systems

Abstract 32-bit words as arbitrary integers
View memories as having unbounded capacity

7
Example HP/Compaq Alpha 21264

Pipeline State
Multiple caches
Instruction queues
Dynamically-allocated registers
Memory queue
Many buffers between stages
Verification Tasks
Does it implement the Alpha ISA?

Microprocessor Report, Oct. 28, 1996
8
Abstracting Data from Bits to Integers
x0
x1
x2
xn-1

View Data as Symbolic Terms
Arbitrary integers
Verification proves correctness of design for all
possible word sizes
Can store in memories registers
Can select with multiplexors
ITE If-Then-Else operation

9
Abstraction Via Uninterpreted Functions
f

For any Block that Transforms or Evaluates Data
Replace with generic, unspecified function
Only assumed property is functional consistency
a x ? b y ? f (a, b) f (x, y)

10
Abstraction Via Uninterpreted Functions
F3
F2
F1

For any Block that Transforms or Evaluates Data
Replace with generic, unspecified function
Also view instruction memory as function

11
EUF Equality with Uninterp. Functs

Decidable fragment of first order logic
Formulas (F ) Boolean Expressions
?F, F1 ? F2, F1 ? F2 Boolean connectives
T1 T2 Equation
P (T1, , Tk) Predicate application
Terms (T ) Integer Expressions
ITE(F, T1, T2) If-then-else
Fun (T1, , Tk) Function application
Functions (Fun) Integer ? Integer
f Uninterpreted function symbol
Read, Write Memory operations
Predicates (P) Integer ? Boolean
p Uninterpreted predicate symbol

12
Decision Problem

Logic of Equality with Uninterpreted Functions
(EUF)
Truth Values
Dashed Lines
Model Control
Logical connectives
Equations
Integer Values
Solid lines
Model Data
Uninterpreted functions
If-Then-Else operation
Task
Determine whether formula is universally valid
True for all interpretations of variables and
function symbols

13
Finite Model Property for EUF

Observation
Any formula has limited number of distinct
expressions
Only property that matters is whether or not
different terms are equal

14
Boolean Encoding of Integer Values
Expression Possible Values Bit Encoding Bit Encoding
x0 0 0 0
d0 0,1 0 b10
f (x0) 0,1,2 b21 b20
f (d0) 0,1,2,3 b31 b30

For Each Expression
Either equal to or distinct from each preceding
expression
Boolean Encoding
Use Boolean values to encode integers over small
range
EUF formula can be translated into propositional
logic
Tautology iff original formula valid

15
An Out-of-order Processor (OOO)
valid tag val
D E C O D E
incr
dispatch
Program memory
valid value src1valid src1val src1tag src2valid sr
c2val src2tag dest op
result
PC
Register Rename Unit
1st Operand
result bus
retire
2nd Operand
ALU

Reorder Buffer
execute
head
tail
Reorder Buffer Fields

Data Dependencies Resolved by Register Renaming
Map register ID to instruction in reorder buffer
that will generate register value
Inorder Retirement Managed by Retirement Buffer
FIFO buffer keeping pending instructions in
program order

16
Access Modes for Reorder Buffer

FIFO
Insert when dispatch
Remove when retire

Content Addressable
Broadcast result to all entries with matching
source tag

Global
Flush all queue entries when instruction at head
causes exception

17
Required Logic

Increased Expressive Power
Model queue pointers
Increment decrement operations
Relative ordering
Ability to construct complex memory structures
Not just set of fixed memory types
Dont Go Too Far
Want practical decision procedures
Efficient reduction to propositional logic

18
EUF ? CLU

Terms (T )
ITE(F, T1, T2) If-then-else
Fun (T1, , Tk) Function application
Formulas (F )
?F, F1 ? F2, F1 ? F2 Boolean connectives
T1 T2 Equation
P(T1, , Tk) Predicate application

19
EUF ? CLU (Cont.)

Functions (Fun)
f Uninterpreted function symbol
Read, Write Memory operations
Predicates (P)
p Uninterpreted predicate symbol

20
Modeling Memories with ?s

Memory M Modeled as Function
M(a) Value at location a
Initially
Arbitrary state
Modeled by uninterpreted function m0

Writing Transforms Memory
M? Write(M, wa, wd)
? a . ITE(a wa, wd, M(a))
Future reads of address wa will get wd

21
Modeling Unbounded FIFO Buffer
Already Popped

Queue is Subrange of Infinite Sequence
Q.head h
Index of oldest element
Q.tail t
Index of insertion location
Q.val q
Function mapping indices to values
q(i) valid only when h ? i lt t
Initial State Arbitrary Queue
Q.head h0, Q.tail t0
Impose constraint that h0 ? t0
Q.val q0
Uninterpreted function

q(h2)
q(h1)
q(h)
head
q(h1)

increasing indices
q(t2)
q(t1)
tail
q(t)
q(t1)
Not Yet Inserted
22
Modeling FIFO Buffer (cont.)
23
Systems of Identical Processes

Each Process has k State Variables
Each state variable represented as array
Indexed by process Id

sv1

sv2

svk
State of Process i
24
Modeling System of Identical Processes

On Each Step
Select arbitrary process index p
As if chosen by nondeterministic scheduler
Update state for selected process

nextstate lambda(i) case i p state(i)
IDLE TRYING i p state(i) TRYING
inuse TRYING i p state(i) TRYING
!inuse CRITICAL default state(i) esac
25
Decision Procedure
CLU Formula
Lambda Expansion
?-free Formula
Function Predicate Elimination

Operation
Series of transformations leading to
propositional formula
Propositional formula checked with BDD or SAT
tools
Bryant, Lahiri, Seshia CAV02

Function-free Formula
Convert to Boolean Formula
Boolean Formula
Boolean Satisfiability
26
Finite Model Property for CLU
x ? y ? succ(x) gt pred(y)

Observation
Need to encode all possible relative orderings of
expressions
Each symbolic value has maximum range of
increments decrements
Can use Boolean encodings of small integer ranges

27
Verifying OOO

Lahiri, Seshia, Bryant, FMCAD 2002
Goal
Show that OOO implements Instruction Set
Architecture (ISA) model
For all possible execution sequences
Challenges
No bound on program length
OOO holds partially executed instructions in
reorder buffer
States of two systems match only when reorder
buffer flushed

28
Adding Shadow State

McMillan, 98
Arons Pnueli, 99
Provides Link Between ISA OOO Models
Additional entries in ROB
Do not affect OOO behavior
Generated when instruction dispatched
Predict values of operands and result
From ISA model

OOO
Reg. File
PC
Reorder Buffer
29
Adding Shadow Structures
result bus
Updated directly from the ISA model during
dispatch

shdw.src1valrob.tail ? Rfisa(src1)
shdw.src2valrob.tail ? Rfisa(src2)
shdw.valuerob.tail ? ALU(Rfisa(src1),
Rfisa(src2), op)

30
Invariant Checking

Formulas I1, , In
Ij(s0) holds for any initial state s0, for 1 ? j
? n
I1(s) ? I2(s) ? ? In(s) ? Ij(s? ) for any
current state s and successor state s? for 1 ? j
? n
Invariants for OOO (13)
Refinement maps (2)
Show relation between ISA and OOO models
Shadow state (3)
Shadow values correctly predict OOO values
State consistency (8)
Properties of OOO state that ensure proper
operation
Overall Correctness
Follows by induction on time

31
Refinement Maps

Correspondence with a sequential ISA model
OOO and ISA synchronized at dispatch
For Register File Contents
?r. reg.valid(r) ? reg.val(r) Rfisa(r)
For Program Counter
PCooo PCisa

32
Shadow Invariants
result bus

?robt. rob.valid(t) ? rob.value(t)
shdw.value(t)
?robt. rob.src1valid(t) ? rob.src1val(t)
shdw.src1val(t)
?robt. rob.src2valid(t) ? rob.src2val(t)
shdw.src2val(t)

33
State Consistency Invariants

Tag Consistency invariants (2)
Instructions only depend on instruction preceding
in program order
Register Renaming invariants (2)
Tag in a rename-unit should be in the ROB, and
the destination register should match
?r.?reg.valid(r)? (rob.head ? reg.tag(r) lt
rob.tail ? rob.dest(reg.tag(r)) r )
For any entry, the destination should have
reg.valid as false and tag should contain this or
later instruction
?robt.(?reg.valid(rob.dest(t)) ?
t ? reg.tag(rob.dest(t)) lt rob.tail)

34
State Consistency Invariants (cont.)

Executed instructions have operands ready
?robt. rob.valid(t) ?
rob.src1valid(t) ? rob.src2valid(t)
Shadow-Value-Operands Relationship
?robt. shdw.value(t) Alu(shdw.src1val(t),shdw.sr
c2val(t),rob.op(t))
Producer-Consumer Values (2)
?robt. ?rob.src1valid(t) ?
shdw.src1val(t) shdw.value(rob.src1tag(t))

35
Quantified Invariants and Proofs

Allowed Form
?x1?x2?xk ?(x1xk)
?(x1xk) is a CLU formula without quantifiers
x1xk are integer variables free in ?(x1xk)
Proving these invariants requires quantifiers
(?x1?x2?xk ?(x1xk)) ? ?y1?y2?ym ?(y1ym)
Prove ?x1?x2?xk?(x1xk) ? ??(y1ym) is not
satisfiable
Undecidable
Automatic instantiation of x1xk with concrete
terms
Sound but incomplete method
Reduce the quantified formula to a CLU formula
Can use the decision procedure for CLU

36
Proving Invariants

Proved Automatically
Quantifier instantiation was sufficient in these
cases
Time spent 54s on 1.4GHz machine
Total effort 2 person days
Comparison
Previous efforts using theorem provers took weeks
of effort

37
Extending the OOO Processor

base
Executes ALU instructions only
exc
Handles arithmetic exceptions
Must flush reorder buffer
exc/br
Handles branches
Predicts branch speculatively executes along
path
exc/br/mem-simp
Adds load store instructions
Store commits as instruction retires
exc/br/mem
Stores held in buffer
Can commit later
Loads must scan buffer for matching addresses

38
Comparative Verification Effort
base exc exc / br exc / br / mem-simp exc / br / mem
Total Invariants 13 34 39 67 71
Manually instantiate 0 0 0 4 8
UCLID time 54 s 236 s 403 s 1594 s 2200 s
Person time 2 days 5 days 2 days 15 days 10 days
39
I Just Want a Loaf of Bread
Ingredients
Result
Recipe
40
Cooking with Invariants
Ingredients Predicates
rob.head ? reg.tag(r)
Recipe Invariants
?r,t.?reg.valid(r) ? reg.tag(r) t ?
(rob.head ? reg.tag(r) lt rob.tail ?
rob.dest(t) r )
reg.valid(r)
Result Correctness
reg.tag(r) t
rob.dest(t) r
41
Automatic Recipe Generation
Ingredients
Result
Recipe Creator

Want Something More
Given any set of ingredients
Generate best recipe possible

42
Automatic Predicate Abstraction

Graf Saïdi, CAV 97
Idea
Given set of predicates P1(s), , Pk(s)
Boolean formulas describing properties of system
state
View as abstraction mapping States ? 0,1k
Defines abstract FSM over state set 0,1k
Form of abstract interpretation
Do reachability analysis similar to symbolic
model checking
Prior Implementations
Very weak inference capabilities
Call theorem prover or decision procedure to test
each potential transition
Little support for quantified predicates

43
Abstract State Space
Abstraction
Concretization
Abstract States
Abstract States
Concrete States
Concrete States
44
Abstract State Machine
Abstract System
Concrete System

Transitions in abstract system mirror those in
concrete

45
Overapproximation by Abstract Model
Abstract System
Concrete System

Path in abstract state space may not correspond
to one in concrete
OK when verifying safety properties
Possible false negatives, but no false positives

46
Predicate Abstraction Example

State Space
State variables x, y
Initial State
(2, 1)
Next State Behavior
x ? ?x
y ? ?y
Verification Task
Prove all bad states unreachable

Initial State
Bad States
47
Precise Analysis

Reachable States
(2, 1), (?2, ?1)

Reachable States
Bad States
48
Predicates

Use 3-valued predicates in this example

49
Abstract Initial State
Reached Set 0 LGG
50
Step 1 Concretize Reached Set 0
Reached Set 0 LGG
cx3
cxy
cy0
L
G
G
51
Compute Possible Successor States
x ? ?x y ? ?y
52
Abstract Newly Reached States
cx3
cxy
cy0
L
L
L
0
0
0
Reached Set 1 LLL, LGG
53
Step 2 Concretize Reached Set 1
Reached Set 1 LLL, LGG
cx3
cxy
cy0
L
L
L
54
Compute Possible Successor States
x ? ?x y ? ?y
55
Abstract Newly Reached States
Reached Set 2 LLL, LGG, EGG, GGG
56
Final Reached State Set
EGG
LGG
GGG
LLL
Bad States
57
Symbolic Formulation of Step 2
l1 x lt 3
l2 x lt y
g3 y gt 0
g1 x gt 3
g2 x gt y
l3 y lt 0
Reached Set 1 LLL, LGG

Concretized State Set
Encode each 3-valued L, E, G predicate with 2
Boolean variables (l, g)
Represent state set as formula
(l1 ? ?g1 ? l2 ? ?g2 ? l3 ? ?g3)
? (l1 ? ?g1 ? ?l2 ? g2 ? ?l3 ? g3)

58
Next-State Predicates

Next State (x?, y? )
Get predicates l?1, l?2, l?3 , g?1, g?2, g?3
Determine conditions under which predicates will
hold in next state
Express in terms of current state (x, y)

Next State Predicate Condition x? ?x y? ?y Current State Matches
l?1 x? lt 3 ?x lt 3 x gt ?3
l?2 x? lt y? ?x lt ?y x gt y g2
l?3 y? lt 0 ?y lt 0 y gt 0 g3
g?1 x? gt 3 ?x gt 3 x lt ?3
g?2 x? gt y? ?x gt ?y x lt y l2
g?3 y? gt 0 ?y gt 0 y lt 0 l3
59
Consistency Constraints

Eliminate impossible predicate combinations
In general, may need to introduce additional
variables
To express more complex transitivity constraints

60
Symbolic Form

Formulation
Express compatible combinations of current-state
next-state variables
Quantify out current-state variables
Gives formula over next-state variables

61
Extracting Next-State Set

Run SAT checker over formula
Generate blocking clause for each newly generated
state

(l1 ? ?g1 ? l2 ? ?g2 ? l3 ? ?g3)
? (l1 ? ?g1 ? ?l2 ? g2 ? ?l3 ? g3)
? ?(g1 ? g?1) ? ?(g?1 ? l?1) ? (g2 ? g3 ? l?1)
? l2 ? g?2 ? g2 ?l?2
? l3 ? g?3 ? g3 ? l?3

l1 g1 l2 g2 l3 g3 l?1 g?1 l?2 g?2 l?3 g?3 Next State
1 0 1 0 1 0 0 0 0 1 0 1 EGG
1 0 1 0 1 0 0 1 0 1 0 1 GGG
1 0 1 0 1 0 1 0 0 1 0 1 LGG
1 0 0 1 0 1 1 0 1 0 1 0 LLL
l1 g1 l2 g2 l3 g3 l?1 g?1 l?2 g?2 l?3 g?3 Next State
1 0 1 0 1 0 0 0 0 1 0 1 EGG
62
General Principle

Lahiri, Bryant, and Cook CAV 2003
Basis
Abstract state set described as formula over
Boolean variables P p1, , pk
Current state given by formula ?(p1, , pk)
Generate Quantified CLU Formula Describing Next
Abstract State Set
Concretize set of current states as formula
?(P1(s), , Pk(s))
Combine predicates with next-state functions to
get next-state predicates P ?1(s, x), , P ?k(s,
x)
Variables x encode nondeterministic choices
Get formula
?s, x ?(P1(s), , Pk(s))
? p?1?P ?1(s, x) ? ? p?k?P ?k(s, x)

63
General Principle (cont.)

Transform into Quantified Boolean Formula
Formula of form Next(P?) ? Z ?(Z, P?)
Z Integer and function variables
P? Abstract state variables
Translate into Boolean formula of form ? B ?(B,
P?)
B Boolean variables arising from small-domain
encoding
Key Property
P? ?(Z, P?) satisfiable P? ?(B,
P?) satisfiable
Form Encountered in Symbolic Model Checking
Next(S?) ?S Curr(S) ? Trans(S, S?)
S Boolean variables encoding current state
S? Boolean variables encoding next state
Solve using either SAT or BDDs

64
Quantified Invariant Generation

User supplies predicates containing free
variables
Generate globally quantified invariant
Example
Predicates
p1 reg.valid(r)
p2 rob.dest(t) r
p3 reg.tag(r) t
Abstract state satisfying (p1 ? p2 ? ?p3)
corresponds to concrete state satisfying
?r,t?reg.valid(r) ? reg.tag(r) t
? rob.dest(t) r
rather than
?r?reg.valid(r) ? ?r,treg.tag(r) t ?
?r,trob.dest(t) r

65
Generating Quantified Invariants

Use Quantifier Instantiation to Approximate ?
During Concretization
Causes even greater overapproximation
Similar technique used by Flanagan Qadeer, POPL
02

66
Systems Verified with Predicate Abstraction
Model Predicates Iterations CPU Time
Out-Of-Order Execution Unit 25 9 2,613s
Germans Cache Protocol 21 9 122s
Germans Protocol, unbounded channels 30 19 15,000s
Bounded Retransmission Buffer 22 9 11s
Lamports Bakery Algorithm 24 24 5,211s

Very general models
Unbounded processes, buffers, cache lines,
Safety properties only

67
Other Uses of UCLID Verifier

Invariant Checking
More complex version of OOO including speculative
execution, exceptions, buffered loads stores
Lahiri Bryant, CAV 2003
Predicate Abstraction
Core algorithm used to generate weakest Boolean
precondition for software model checking
SLAM project at Microsoft
Pipelined Processor Verification
Verify checker processor from U. Michigan
Model extracted directly from Verilog
Bounded check of load-store unit from industrial
microprocessor

68
Conclusions