carnegie mellon university symbolic, word-level hardware verification bryant randal e. bryant...
Post on 21-Dec-2015
220 views
TRANSCRIPT
Carnegie Mellon University
Symbolic, Word-Level Symbolic, Word-Level Hardware VerificationHardware VerificationSymbolic, Word-Level Symbolic, Word-Level Hardware VerificationHardware Verification
http://www.cs.cmu.edu/~bryant
Randal E. Bryant
Contributions by graduate students:Sanjit Seshia, Shuvendu Lahiri
– 2 –
OutlineOutline
Word-Level Abstraction of HardwareWord-Level Abstraction of Hardware Abstract details of data
While keeping detailed control and cycle-level timing
Enables verification of entire system
Automated Formal VerificationAutomated Formal Verification Provide capabilities similar to model checking Automate via automatic predicate abstraction
– 3 –
Alpha 21264 Microprocessor
Microprocessor Report, Oct. 28, 1996
Challenge: System-Level VerificationChallenge: System-Level Verification
Verification TaskVerification Task Does processor
implement its ISA?
Why is it Hard?Why is it Hard? Lots of internal state Complex control
logic Complex
functionality
– 4 –
Sources of ComplexitySources of Complexity
StateState ISA: registers, memory Microarchitectural: caches, buffers, reservation stations Conceptually finite state, but practically unbounded
ControlControl Pipelines spread execution across multiple cycles Out-of-order execution modifies processing order Superscalar operation creates parallelism Control logic coordinates everything
Resulting behavior matches that of sequential ISA model
FunctionalityFunctionality Arithmetic functions, instruction decoding
– 5 –
Existing Verification MethodsExisting Verification Methods
Simulators, equivalence checkers, model checkers, …
All Operate at Bit LevelAll Operate at Bit Level RTL model
State encoded as words and arrays of wordsComprised of bits
Most Operate at Cycle or Subcycle LevelMost Operate at Cycle or Subcycle Level How each bit of state gets updated
System Modeling LanguagesSystem Modeling Languages Abstract time up to transaction level Still view state as collection of bits
– 6 –
Word-Level AbstractionWord-Level Abstraction
Data: Data: Abstract details of form & functionsAbstract details of form & functions
Control:Control: Keep at bit levelKeep at bit level
Timing: Timing: Keep at cycle levelKeep at cycle level
Control LogicControl Logic
Data PathData Path
Com.Log.
1
Com.Log.
2
– 7 –
Data Abstraction #1: Bits → IntegersData Abstraction #1: Bits → Integers
View Data as Symbolic WordsView Data as Symbolic Words Arbitrary integers
No assumptions about size or encodingClassic model for reasoning about software
Can store in memories & registers
x0x1x2
xn-1
x
– 8 –
Modeling Data SelectionModeling Data Selection
If-Then-Else OperationIf-Then-Else Operation Mulitplexor Allows control-dependent data flow
1
0
xy
p
ITE(p, x, y)1
0
xy
1
x1
0
xy
0
y
– 9 –
Data PathData Path
Com.Log.
1
Com.Log.
2
Abstracting Data BitsAbstracting Data Bits
Control LogicControl Logic
Data PathData Path
Com.Log.
1
Com.Log.
1? ?
What do we do about logic functions?
– 10 –
Abstraction #2:Uninterpreted Functions
Abstraction #2:Uninterpreted Functions
For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency:
a = x b = y f (a, b) = f (x, y)
ALUf
– 11 –
Abstracting FunctionsAbstracting Functions
For Any Block that Transforms Data:For Any Block that Transforms Data: Replace by uninterpreted function Ignore detailed functionality Conservative approximation of actual system
Data PathData Path
Control LogicControl Logic
Com.Log.
1
Com.Log.
1F1 F2
– 12 –
Modeling Data-Dependent ControlModeling Data-Dependent Control
Model by Uninterpreted PredicateModel by Uninterpreted Predicate Yields arbitrary Boolean value for each control + data
combination Produces same result when arguments match
Pipeline & reference model will branch under same conditions
Cond
Adata
Bdata
Branch?
Bra
nch
Lo
gic
p
– 13 –
Abstraction #3: Modeling Memories as Mutable FunctionsAbstraction #3: Modeling Memories as Mutable Functions
Memory M Modeled as FunctionMemory M Modeled as Function
M(a): Value at location a
InitiallyInitially
Arbitrary state Modeled by uninterpreted function m0
Ma
M
a m0
– 14 –
Effect of Memory Write OperationEffect of Memory Write Operation
Writing Transforms MemoryWriting Transforms Memory M = Write(M, wa, wd)
Reading from updated memory:
Address wa will get wdOtherwise get what’s
already in M
Express with Lambda NotationExpress with Lambda Notation Notation for defining
functions M =
a . ITE(a = wa, wd, M(a))
M
Ma 1
0
wd
=wa
– 15 –
Systems with BuffersSystems with Buffers
Modeling MethodModeling Method Mutable function to describe buffer contents Integers to represent head & tail pointers
• • • ••• •••
tailtail headhead
In Use
••••••
tailtailheadheadheadhead
In Use
•••
0 0 0 0 MaxMax--11MaxMax--11
Unbounded Buffer Circular Queue
– 16 –
Some HistorySome History
HistoricallyHistorically Standard model used for program verification Widely used with theorem-proving approaches to hardware
verificationE.g, Hunt ’85
Automated Approaches to Hardware VerificationAutomated Approaches to Hardware Verification Burch & Dill, ’95
Tool for verifying pipelined microprocessors Implemented by form of symbolic simulation
Continued application to pipelined processor verification
– 17 –
UCLIDUCLID
Seshia, Lahiri, Bryant, CAV ‘02
Term-Level Verification SystemTerm-Level Verification System Language for describing systems
Inspired by CMU SMV
Symbolic simulatorGenerates integer expressions describing system state after
sequence of steps
Decision procedureDetermines validity of formulas
Support for multiple verification techniques
Available by DownloadAvailable by Downloadhttp://www.cs.cmu.edu/~uclid
– 18 –
Challenge: Model GenerationChallenge: Model Generation
How to generate term-level model How to guarantee faithfulness to RTL description
Comparison of ModelsComparison of Models RTL
Abstracts functional elements from gate-level modelSynthesis allows automatic map to gate level
Term levelAbstracts bit-level data representations to wordsAbstracts memories to mutable functionsNo direct connection to synthesizable model
– 19 –
Generating Term-Level ModelGenerating Term-Level Model
Manually Generate from RTLManually Generate from RTL How do we know it is a valid abstraction? Hard to keep consistent with changing RTL
Automatically Generate from RTLAutomatically Generate from RTL Andraus & Sakallah, DAC ‘04 Must decide which signals to keep Boolean, which to
abstractConfused by bit field extraction primitives of HDL
Synthesize RTL from Word-Level ModelSynthesize RTL from Word-Level Model Difficult to make efficient
– 20 –
Underlying LogicUnderlying Logic
Existing Approaches to Formal VerificationExisting Approaches to Formal Verification E.g., symbolic model checking State encoded as fixed set of bits
Finite state systemAmenable to Boolean methods (SAT, BDDs)
Our TaskOur Task State encoded with unbounded data types
Arbitrary integersFunctions over integers
Must use decision proceduresDetermine validity of formula in some subset of first-order logicAdapt methods historically used by automated theorem provers
– 21 –
EUF: Equality with Uninterp. FunctsEUF: Equality with Uninterp. Functs Decidable fragment of first order logic
Formulas (Formulas (F F )) Boolean ExpressionsBoolean ExpressionsF, F1 F2, F1 F2 Boolean connectives
T1 = T2 Equation
P (T1, …, Tk) Predicate application
Terms (Terms (T T )) Integer ExpressionsInteger ExpressionsITE(F, T1, T2) If-then-else
Fun (T1, …, Tk) Function application
Functions (Functions (FunFun)) Integer Integer Integer Integerf Uninterpreted function symbol
x1, …, xk . T Function lambda expression
Predicates (Predicates (PP)) Integer Integer Boolean Booleanp Uninterpreted predicate
symbol
– 22 –
EUF Decision ProblemEUF Decision ProblemCircuit Representation of FormulaCircuit Representation of Formula
Truth Values Dashed Lines Logical connectives Equations
Integer Values Solid lines Uninterpreted functions If-Then-Else operation
TaskTask Determine whether formula F is universally valid
True for all interpretations of variables and function symbols
» E.g., all values of integer x0 & d0, all Booleans e0 and e1, and all integer functions f
=
f
T
F
T
F
fT
F
=
e1
e0x0
d0
T
F
T
F
T
F
e1
e0x0
d0
=
f
f
=
– 23 –
=
f
T
F
T
F
fT
F
=
e1
e0x0
d0
T
F
T
F
T
F
e1
e0x0
d0
=
f
f
=
Finite Model Property for EUFFinite Model Property for EUF
ObservationObservation Any formula has limited number of distinct expressions Only property that matters is whether or not different terms
are equal
x0 d0 f (x0) f (d0)
– 24 –
Boolean Encoding of Integer ValuesBoolean Encoding of Integer Values
For Each ExpressionFor Each Expression Either equal to or distinct from each preceding expression
Boolean EncodingBoolean Encoding Use Boolean values to encode integers over small range EUF formula can be translated into propositional logic
Logic circuit with multiplexors, comparators, logic gatesTautology iff original formula valid
ExpressionExpression Possible Possible ValuesValues
Bit Bit EncodingEncoding
x0 {0}{0} 00 00
d0 {0,1}{0,1} 00 bb1010f (x0) {0,1,2}{0,1,2} bb2121 bb2020f (d0) {0,1,2,3}{0,1,2,3} bb3131 bb3030
– 26 –
UCLID OperationUCLID Operation
OperationOperation Series of
transformations leading to propositional formula
Except for lambda expansion, each has polynomial complexity
LambdaExpansion
Function&
PredicateElimination
FiniteInstantiation
BooleanSatisfiability
SymbolicSimulation
file.ucl
Model+
Specification
UCLIDFormula
-freeFormula
TermFormula
BooleanFormula
– 31 –
ReachableStates
Verifying Safety PropertiesVerifying Safety Properties
State Machine ModelState Machine Model State encoded as Booleans, integers, and functions Next state function expresses how updated on each step
Prove: System will never reach bad stateProve: System will never reach bad state
ResetStates
BadStates
PresentState
NextState
Inputs(Arbitrary)
Reset
– 32 –
Reachable
• • •
Rn
R2
Bounded Model CheckingBounded Model Checking
Repeatedly Perform Image Repeatedly Perform Image ComputationsComputations Set of all states reachable
by one more state transition
Easy to ImplementEasy to Implement
Underapproximation of Underapproximation of Reachable State SetReachable State Set But, typically catch most
bugs with 8–10 steps
BadStates
R1
ResetStates
– 33 –
• • •
Rn
R2
True Model CheckingTrue Model Checking
Reach Fixed-PointReach Fixed-Point Rn = Rn+1 = Reachable
Impractical for Term-Level Impractical for Term-Level ModelsModels
Many systems never reach fixed point
Can keep adding elements to buffer
Convergence test undecidable
BadStates
R1
ResetStates
– 34 –
I
Inductive Invariant CheckingInductive Invariant Checking
Key Properties of System that Make it Operate CorrectlyKey Properties of System that Make it Operate Correctly Formulate as formula I
Prove InductiveProve Inductive Holds initially I(s0)
Preserved by all state changes I(s) I((i, s))
ReachableStates
ResetStates
BadStates
– 35 –
An Out-of-order Processor (OOO)An Out-of-order Processor (OOO)
Data Dependencies Resolved by Register RenamingData Dependencies Resolved by Register Renaming Map register ID to instruction in reorder buffer that will generate
register value
Inorder Retirement Managed by Retirement BufferInorder Retirement Managed by Retirement Buffer FIFO buffer keeping pending instructions in program order
Reorder BufferFields
PC
Programmemory
Reorder Buffer
validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop
result bus
DECODE Register
Rename Unit
valid tag val
ALU
head tail
incrdispatch
retire
execute
result
1st
Operand
2nd
Operand
– 36 –
OOO InvariantsOOO Invariants
Split into Formulas Split into Formulas II11, …, , …, IInn
Ij(s0) holds for any initial state s0, for 1 j n
I1(s) I2(s) … In(s) Ij(s ) for any current state s and successor state s for 1 j n
Invariants for OOO (13)Invariants for OOO (13) Refinement maps (2)
Show relation between ISA and OOO models
State consistency (8)Properties of OOO state that ensure proper operation
Added state (3)Shadow values correctly predict OOO values
Overall CorrectnessOverall Correctness Follows by induction on time
– 37 –
State Consistency Invariant Examples State Consistency Invariant Examples Register Renaming invariants (2)Register Renaming invariants (2)
Tag in a rename-unit should be in the ROB, and the destination register should matchr.reg.valid(r) (rob.head reg.tag(r) < rob.tail
rob.dest(reg.tag(r)) = r )
For any entry, the destination should have reg.valid as false and tag should contain this or later instructionrobt.(reg.valid(rob.dest(t))
t reg.tag(rob.dest(t)) < rob.tail)
– 38 –
Extending the OOO ProcessorExtending the OOO Processor
baseExecutes ALU instructions only
excHandles arithmetic exceptionsMust flush reorder buffer
exc/brHandles branchesPredicts branch & speculatively executes along path
exc/br/mem-simpAdds load & store instructionsStore commits as instruction retires
exc/br/memStores held in bufferCan commit laterLoads must scan buffer for matching addresses
– 39 –
Comparative Verification EffortComparative Verification Effort
base exc exc / br exc / br / mem-simp
exc / br / mem
Total Invariants
13 34 39 67 71
Manually instantiate
0 0 0 4 8
UCLID time
54 s 236 s 403 s 1594 s 2200 s
Person time
2 days 7 days 9 days 24 days 34 days
(Person time shown cumulatively)
– 40 –
“I Just Want a Loaf of Bread”“I Just Want a Loaf of Bread”Ingredients
Recipe Result
– 41 –
Cooking with InvariantsCooking with InvariantsIngredients: Predicates
Recipe: Invariants
Result: Correctness
reg.valid(r)
r,t.reg.valid(r) reg.tag(r) = t (rob.head reg.tag(r) < rob.tail rob.dest(t) = r )
rob.head reg.tag(r)
reg.tag(r) = t
rob.dest(t) = r
– 42 –
Automatic Recipe GenerationAutomatic Recipe Generation
Want Something MoreWant Something More Given any set of ingredients Generate best recipe possible
Ingredients
Recipe Creator Result
– 43 –
Automatic Predicate AbstractionAutomatic Predicate Abstraction
Graf & Saïdi, CAV ‘97
IdeaIdea Given set of predicates P1(s), …, Pk(s)
Boolean formulas describing properties of system state
View as abstraction mapping: States {0,1}k
Defines abstract FSM over state set {0,1}k
Form of abstract interpretationDo reachability analysis similar to symbolic model checking
ImplementationImplementation Early ones had weak inference capabilities
Call theorem prover or decision procedure to test each potential transition
Recent ones make better use of symbolic encodings
– 44 –
Abstract State SpaceAbstract State Space
ConcreteStates
AbstractStates
P1(s), …, Pk(s)
s
AbstractionFunction
t
Abstraction
ConcreteStates
AbstractStates
s t
ConcretizationFunction
Concretization
– 45 –
Abstract State MachineAbstract State Machine
Transitions in abstract system mirror those in concrete
Abstract
ConcreteSystem
AbstractSystem
s
Concretize
t t
s
Concrete Transition
Abstract Transition
– 46 –
Generating Concrete InvariantGenerating Concrete Invariant
Reach Fixed-Point on Reach Fixed-Point on Abstract SystemAbstract System Termination guaranteed,
since finite state
Equivalent to Computing Equivalent to Computing Invariant for Concrete Invariant for Concrete SystemSystem Strongest possible
invariant that can be expressed by formula over these predicates
• • •Rn
R2
R1
ResetStates
A
AbstractSystem
Concretize
ConcreteSystem
I
ResetStates
C
– 47 –
Predicate Abstraction ExamplePredicate Abstraction Example
State SpaceState Space State variables: { x, y }
Initial StateInitial State { (2, 1) }
Next State BehaviorNext State Behavior x x y y
Verification TaskVerification Task Prove all bad states unreachable
InitialState
BadStates
– 48 –
Precise AnalysisPrecise Analysis
Reachable StatesReachable States { (2, 1), (2, 1) } Reachable
States
BadStates
– 49 –
PredicatesPredicates
Use 3-valued predicates in this example
cx:3
L
E
G
cx:y
L
E
G
cy:0
G
E
L
– 50 –
Abstract Initial StateAbstract Initial State
Reached Set #0{ LGG }
cx:3
L
cx:y
G
cy:0
G
– 51 –
Step 1: Concretize Reached Set #0Step 1: Concretize Reached Set #0Reached Set #0
{ LGG }
L
G
G
cx:3 cx:y cy:0
(Note loss of precision)
s
Concretize
s
Concretize
s
Concretize
– 52 –
Compute Possible Successor StatesCompute Possible Successor States
x xy y
s
Concrete Transition
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 53 –
Abstract Newly Reached StatesAbstract Newly Reached States
0 0 0
Reached Set #1{ LLL, LGG }
L L
L
cx:3 cx:y cy:0
s
Concrete Transition
Abstract
Abstract
Abstract
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 54 –
Step 2: Concretize Reached Set #1Step 2: Concretize Reached Set #1Reached Set #1
{ LLL, LGG }
L
cx:3 cx:y cy:0
(Note loss of precision)
L
L
s
Concretize
s
Concretize
s
Concretize
– 55 –
Compute Possible Successor StatesCompute Possible Successor States
x xy y
s
Concrete Transition
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 56 –
Abstract Newly Reached StatesAbstract Newly Reached States
Reached Set #2{ LLL, LGG, EGG, GGG }
cx:3
G
E
cx:y
G
cy:0
G
s
Concrete Transition
Abstract
Abstract
Abstract
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 57 –
EGG
Final Reached State SetFinal Reached State Set
LLLLGG GGG
BadStates
– 59 –
Systems Verified with Predicate AbstractionSystems Verified with Predicate Abstraction
Very general modelsUnbounded processes, buffers, cache lines, …
Safety properties only
Model Predicates Iterations CPU Time
Out-Of-Order Execution Unit 25 9 1,207s
German’s Cache Protocol 13 9 14s
German’s Protocol, unbounded channels
24 17 427s
Bounded Retransmission Buffer 22 9 11s
Lamport’s Bakery Algorithm 33 18 471s
– 60 –
Predicate Abstraction ConvergencesPredicate Abstraction Convergences
Powerful method for generating & evaluating abstract model of system
Applicable to variety of systems with different modeling levels
HardwareHardware SoftwareSoftware
Word-LevelWord-Level UCLID
Seshia, Lahiri, Bryant, CAV ‘02
SLAM
Ball, Rajamani, SPIN ‘01
Bit-LevelBit-Level Clarke, Talupar, Wang, SAT ‘03
CBMC
Kroening, Clarke, ICCAD ‘04
– 61 –
Ongoing Research AreasOngoing Research Areas
Decision ProceduresDecision Procedures Expand class of logic
Linear relations
Improved encoding techniques Application to software & hardware verification
Predicate AbstractionPredicate Abstraction Improving efficiency
Increases rapidly with number of predicates
Automatic generation of predicatesBased on property to be verified & system model
Real-Life ApplicationReal-Life Application Closing gap with actual hardware models