Formal Verification of Pipelined Processors

1
Exploiting Positive Equality in a Logic
of Equality with Uninterpreted Functions
Randal E. Bryant Steven German Miroslav Velev
Carnegie Mellon University IBM
http//www.cs.cmu.edu/bryant
2
Outline

• Application Domain
• Verify correctness of a pipelined processor
• Based on Burch-Dill correspondence checking
• Burch Dill CAV 94
• Verification Task
• Abstracted representation of data manipulation
• Must decide validity of formula in logic of
  Equality with Uninterpreted Functions (EUF)
• New Contribution
• Exploit properties of formulas to reduce
  verification complexity
• Significant performance improvement when modeling
  microprocessor operation

3
Microprocessor Modeling
Bdat

• Simplified RISC pipeline
• Described at RTL level
• Words viewed as bit vectors
• Bit-level functionality

4
Abstracting Data
x0
x1
x2
xn-1

• View Data as Symbolic Terms
• No particular properties or operations
• Except for equations x y
• Can store in memories registers
• Can select with multiplexors
• ITE If-Then-Else operation

5
Abstraction Via Uninterpreted Functions
F3
F2
F1

• For any Block that Transforms or Evaluates Data
• Replace with generic, unspecified function
• Assume functional consistency
• x y ? f(x) f(y)

6
Decision Problem

• Logic of Equality with Uninterpreted Functions
  (EUF)
• Domain Values
• Solid lines
• Uninterpreted functions
• If-Then-Else operation
• Truth Values
• Dashed Lines
• Uninterpreted predicates
• Logical connectives
• Equations
• Task
• Determine whether formula is universally valid
• True for all interpretations of variables and
  function symbols

7
Some History

• Ackermann, 1954
• Quantifier-free decision problem can be decided
  based on finite instantiations
• Automatic Theorem Proving
• Tradition of using uninterpreted functions when
  modeling hardware
• E.g., Warren Hunt, 1985
• Burch Dill, CAV 94
• Automatic decision procedure
• Davis-Putnam enumeration
• Congruence closure to enforce functional
  consistency
• Verified single-issue DLX
• Simple 5-stage RISC pipeline
• Becomes less effective for more complex
  processors
• Burch, DAC 96 FMCAD 96

8
Previous Attempts to Use BDDs

• Hojati, et al., IWLS 97
• Generate binary encodings of limited-range
  integer variables
• Hit exponential blow-up
• Goel, et al., CAV 98
• Encode equality relation among variables as
  propositional variables
• Results not compelling
• Velev Bryant, FMCAD 98
• Work with modified RTL model
• Replace memory function blocks with special
  behavioral blocks
• Exponential blow-up for processor with branch or
  load/store instructions

9
Why Did BDDs Fail?

• Result of Load instruction used in address
  computation
• Similar effect for branch instruction
• Impossible to have good BDD variable ordering
• Variables encoding addresses must precede those
  encoding data
• Leads to circular constraints on ordering

Data Memory
Address Data
Address Data
Pipeline Logic
10
Decision Problem Example 1
11
EUF Syntax

• Logic of Equality with Uninterpreted Functions
• Terms
• ITE(F, T1, T2) If-then-else
• f (T1, , Tk) Function application
• Formulas
• ?F, F1 ? F2, F1 ? F2 Boolean connectives
• T1 T2 Equation
• p (T1, , Tk) Predicate application
• Special Cases
• v Domain variable (order-0 function)
• a Propositional variable (order-0 predicate)

12
PEUF Syntax

• Logic of Positive Equality with Uninterpreted
  Functions
• Formulas (General)
• ?F, F1 ? F2, F1 ? F2
• GT1 GT2
• p (PT1, , PTk)
• P-Formulas (Special)
• F
• PF1 ? PF2, PF1 ? PF2
• PT1 PT2
• Key Properties
• P-formulas cannot be negated cannot control
  ITEs
• P-terms only used as funct. args. and in positive
  equations
• Applications of p-function symbols occur only in
  p-terms

G-Terms (General) ITE(F, GT1, GT2) fg(PT1, ,
PTk) P-Terms (Special) GT ITE(F, PT1,
PT2) fp(PT1, , PTk)
13
Analyzing Example 1
Formulas
Ø

g
h
Ú
G-terms

P-formulas
g
h
g
P-terms
x
y

• P-Function Symbols
• g, h
• G-Function Symbols
• Appear in negated equation
• x, y

14
Example 2
15
Analyzing Example 2
Formula
G-terms
P-formula
P-terms

• ITE control must be formula
• Interesting things happen when false

16
Maximally Diverse Interpretations

• P-Function Symbols
• Equal results only for equal arguments
• G-Function Symbols
• Potentially yield equal results for unequal
  arguments
• Property
• Formula valid only if true under all maximally
  diverse interpretations

Terms Equal? x y Potentially g (x) g (y) Only if
x y g (x) y No g (g (x)) g (y) No g (g (x)) g
(x) No
17
Justification of Maximal Diversity Property

• Key Argument
• For every interpretation I, there is a maximally
  diverse interpretation I? such that I? F ? IF

18
Equations in Processor Verification

• Data Types Equations
• Register Ids Control stalling forwarding
• Addresses for register file
• Instruction Address Only top-level verification
  condition
• Program Data Only top-level verification condition

19
Modeling Memories

• Conventional Expansion of Memory Operations
• Effects of writes represented as nested ITEs
• Initial memory state represented by uninterpreted
  function fM

Write(a1, d1) Write(a2, d2) Write(a3,
d3) Read(a)

• Problem
• Equations over addresses control ITEs
• Addresses must be g-terms
• OK for register file, but not for data memory

20
Data Memory Modeling

• Generic State Machine
• Memory state represented as term
• Initial state given by variable vM
• Write operation causes arbitrary state change
• Uninterpreted function fu
• Read operation function of address state
• Uninterpreted function fr

Read
Write
21
Data Memory Modeling (Cont.)
Write(a1, d1) Write(a2, d2) Write(a3,
d3) Read(a)

• No equations over addresses!
• Can keep as p-terms
• Limitations
• Does not capture full semantics of memory
• Only works when processor preserves program order
  for
• Writes relative to each other
• Reads relative to writes

22
Function Symbols in Processor Verification

• G-Function Symbols
• Register Ids
• 20--25 of function applications
• P-Function Symbols
• Program data
• Data instruction addresses
• Opcodes
• 75--80 of function applications
• Effect
• Breaks dependency loop that caused exponential
  blow-up

23
Decision Procedure

• Steps
• Eliminate function applications
• Assign limited ranges to domain variables
• Encode domain variables as bit vectors
• Translate into propositional logic

24
Eliminating Function Applications

• Replacing Application
• Introduce new domain variable
• Nested ITE structure maintains functional
  consistency

25
Exploiting Positive Equality

• Property
• P-function symbol f
• Introduce variables vf1, , vfn during
  elimination
• Consider only diverse interpretations for
  variables vf1, , vfn
• vfi ? v for any other variable v
• Example
• Assuming vf1 ? vf2

26
Compare Ackermanns Method

• Replacing Application
• Introduce new domain variable
• Enforce functional consistency by global
  constraints

• Unclear how to generate diverse interpretations

27
Eliminating Function Symbol g
28
Eliminate Function Symbol h

• Final Form
• Only domain and propositional variables

29
Instantiating Variables
x
v
g
v
g
v
g
v
h
v
h
1
2
3
1
2
2
3
4
5
6
0
y
0,1

• Can assign fixed interpretations to variables
  arising from eliminating p-function applications
• Need to consider only two different cases
• y 0 vs. y 1

30
Evaluating Formula
Ø


T
T
Ú
F

Ù

T

F
T

T
F
F
x
v
g
v
g
v
g
v
h
v
h
1
2
3
1
2
2
3
4
5
6
0
y
0,1

• Actual implementation uses BDD evaluation

31
Pnueli, et al., CAV 99

• Similarities
• Examine structure of equations
• Whether used in positive or negative form
• Exploit structure to limit variable domains
• Differences in Their Approach
• Examine equation structure after function
  applications eliminated
• Use Ackermanns method to eliminate function
  applications

32
Ackermanns Method Example
?

• Many more equations
• 2 ? 8
• P-formula / P-term structure destroyed

33
Comparison to Pnueli, et al.

• Relative Advantage of Their Method
• Better at exploiting equation structure among
  g-terms
• Worse at exploiting structure among p-terms

34
Experimental Results

• Verify Modified RTL Circuits
• Replace memories, latches, and function blocks by
  special functional models.
• Bryant Velev, FMCAD 98
• Small modification to generate fixed bit patterns
  for p-function block
• Simplified MIPS Processor
• Reg-Reg, and Reg-Immediate only
• Before 48 s / 7 MB After 6 s / 2 MB
• RR, RI Load/Store
• Before Space-Out After 12 s / 1.8 MB
• RR, RI, L/S, Branch
• Before Space-Out After 169 s / 7.5 MB

35
Conclusion

• Exploiting Positive Equality
• Greatly reduces number of interpretations to
  consider
• Our function elimination scheme provides encoding
  mechanism
• Enables verification of complete processor using
  BDDs
• Ongoing Work
• New implementation using pure term-level models
• Velev Bryant, CHARME 99
• Single-issue DLX now takes 0.15 s.
• Dual-issue DLX takes 35 s.