CS & ECE DepartmentsCarnegie Mellon University

Modeling and Verifying Systems using CLU Logic

Modeling and Verifying Systems using CLU Logic

Randal E. BryantShuvendu LahiriSanjit A. Seshia

2

“Infinite-State” Systems“Infinite-State” Systems

State variables of unbounded integer or unbounded integer array type

Systems with finite but very large or arbitrary size resources• Microprocessor memories, buffers

Parameterized systems• Cache protocols

Communication protocols with unbounded, lossy channels

3

Infinite-State Verification:Automation vs. Expressiveness Infinite-State Verification:Automation vs. Expressiveness

General purpose techniques Model checking (using abstraction)

Highly automated Finding the right abstraction is hard State space explosion

Theorem proving for first & higher order logics Very expressive Greater manual assistance needed

Domain specific techniques: e.g., QDDs for communication protocols Logic of equality with uninterpreted functions (EUF) for

pipelined processors Rely on specialized efficient data structures or decision

procedures

4

Motivating QuestionMotivating Question

How far can we generalize a domain specific technique, without losing efficiency?

We focus on extending the EUF logic based approach that has worked well for pipelined processors

5

EUF: Equality with Uninterp. FunctsEUF: Equality with Uninterp. Functs Decidable fragment of first order logic

Formulas (F ) Boolean ExpressionsF, F1 F2, F1 F2 Boolean connectives

T1 = T2 Equation

P (T1, …, Tk) Predicate application

Terms (T ) Integer ExpressionsITE(F, T1, T2) If-then-else

Fun (T1, …, Tk) Function application

Functions (Fun) Integer Integerf Uninterpreted function symbolRead, Write Memory operations

Predicates (P) Integer Booleanp Uninterpreted predicate

symbol

6

Modeling and Verification ApproachModeling and Verification Approach

1. Model system at “term-level” • State variables evaluate to expressions in EUF logic

2. Correctness (safety) property is formula F in EUF

3. Check validity of F using decision procedure for EUF• F must be true under all interpretations of

function/predicate symbols

7

Term-level Modeling in EUFTerm-level Modeling in EUF

View Data Word as “Terms” ( Integers )

View functional blocks as uninterpreted functions

Functional consistency:

a = x b = y f(a, b) = f(x, y)

x0x1x2

xn-1

x 1

0

xy

p

ITE(p, x, y)=

x y

ALU

ALUf

8

Efficient Decision Procedure for EUFEfficient Decision Procedure for EUF[Bryant, German, & Velev, CAV ’99]

Translate EUF formula to equivalent Boolean formula

“Small-Model Property” Need to consider only finitely many interpretations of terms

“Positive Equality” Number of interpretations can be greatly reduced for some

terms Equations appearing only under even # of negations

assigned false

9

Our ContributionsOur Contributions

Generalize EUF to get CLU logic Can model a richer set of systems

Still retains the efficiency of Bryant-German-Velev decision procedure ‘Small model property’ preserved Can exploit positive equality Efficient reduction to propositional logic

UCLID verification tool Supports different types of verification Highly automated Counterexample traces similar to model checkers

10

Outline for Rest of TalkOutline for Rest of Talk

CLU logic Definition Modeling systems in CLU

The UCLID verifier

Decision procedure An example Benchmarking

Counterexample generation

Conclusions

11

The CLU LogicThe CLU Logic

Generalization of EUF

Four types of expressions: Functions, Predicates, Terms, (Boolean) Formulas

Counter Arithmetic, Lambda Expressions, and Uninterpreted Functions

12

EUF CLUEUF CLUTerms (T )

ITE(F, T1, T2) If-then-else

Fun (T1, …, Tk) Function application

Formulas (F )F, F1 F2, F1 F2 Boolean connectives

T1 = T2 Equation

P(T1, …, Tk) Predicate application

succ (T) Increment

pred (T) Decrement

T1 < T2 Inequality

13

EUF CLU (Cont.)EUF CLU (Cont.)

Functions (Fun)f Uninterpreted function

symbol

Read, Write Memory operations

Predicates (P)p Uninterpreted predicate

symbol

x1, …, xk . T Function lambda expression

x1, …, xk . F Predicate lambda expression

•Arguments can only be terms•Lambdas are just mutable arrays

14

Modeling with CLUModeling with CLU

Memories Contents represented by lambda Defines function mapping addresses to data values

Unbounded and Bounded Queues Use counters to indicate head and tail Lambda to indicate buffer contents

Unbounded arrays of identical processes Lambda for each state variable Indexed by process ID

15

Modeling Unbounded FIFO BufferModeling Unbounded FIFO Buffer

Queue is Subrange of Infinite Sequence Q.head = h

Index of oldest element

Q.tail = t Index of insertion location

Q.val = qFunction mapping indices to valuesq(i) valid only when h i < t

Initial State: Arbitrary Queue Q.head = h0, Q.tail = t0

Impose constraint that h0 t0

Q.val = q0

Uninterpreted function

q(h–2)

q(h–1)

q(h)

q(h+1)

•••

q(t–2)

q(t–1)

q(t)

q(t+1)

•••

•••

tailtail

headhead

AlreadyPopped

Not YetInserted

incr

ea

sin

g in

dic

es

16

Modeling FIFO Buffer (cont.)Modeling FIFO Buffer (cont.)

tt

q(h–2)

q(h–1)

q(h)

q(h+1)

•••

q(t–2)

q(t–1)

q(t)

q(t+1)

•••

•••

hh

next[h] := ITE(operation = POP, succ(h), h)

next[q] := (i).ITE((operation = PUSH & i=t), x, q(i))

next[t] :=ITE(operation = PUSH, succ(t), t)

q(h–2)

q(h–1)

q(h)

q(h+1)

•••

q(t–2)

q(t–1)

x

q(t+1)

•••

•••

next[t]next[t]

next[hnext[h]]

op = PUSHInput = x

17

Sample Application of ModelingSample Application of Modeling

Out-of-Order Execution Unit Unbounded Register File -- Memory Reorder Buffer – Queue, Content-addressable memory

Register File

Reg. Value

Tag

V/T bit

RegID

Reorder Buffer

• • •

Retire Dispatch

18

UCLIDUCLID

Verification tool for systems in CLU logic

Based on symbolic simulation and the decision procedure

Generates counterexamples

19

UCLID OperationUCLID Operation

SymbolicSimulation

file.ucl

Model+

Specification

CLUFormula

DecisionProcedure

Valid Invalid+

Counterexample

20

Verification Techniques in UCLIDVerification Techniques in UCLID

Bounded Property Checking Start in reset state Symbolically simulate for fixed number of steps Verify safety property for all states reachable within the fixed

number of steps from the start state

Invariant Checking Start in general state s Simulate one step Prove Inv(s) Inv(Next[s]) Limited support for automatic quantifier elimination

Correspondence Checking Run 2 different simulations starting in most general state Prove that final states equivalent

21

Sample Case StudiesSample Case Studies Simple out-of-order processor unit

ALU instructions, unbounded resources, register renaming Performed inductive invariant checking to check refinement

between OOO model and ISA

Load-store unit of Motorola ELF processor Memory instructions, register renaming, completion buffer 20K lines of Verilog manually translated to 1K lines of UCLID Large state space: About 150 total state variables, 80 of

integer type Performed bounded property checking

22

The Decision ProblemThe Decision Problem

CLUFormula

Fclu DecisionProcedure

Valid Invalid

23

Decision ProcedureDecision Procedure

Operation Series of

transformations leading to propositional formula

Propositional formula checked with BDD or SAT tools

CLUFormula

Fclu

LambdaExpansion

Function&

PredicateElimination

FiniteInstantiation

BooleanSatisfiability

-freeFormula, Fsubst

TermFormula, Fconst

BooleanFormula, Fprop

SAT Fclu invalidUNSAT Fclu valid

¬

24

An ExampleAn Example

Fclu is

a. ITE(a>y, succ(g(y)), succ(g(a))) x= a. succ(ITE(a>y, g(y), g(a))) x

25

Step 1: Lambda substitutionStep 1: Lambda substitution

a. ITE(a>y, succ(g(y)), succ(g(a))) x= a. succ(ITE(a>y, g(y), g(a))) x

Fsubst is

ITE(x>y, succ(g(y)), succ(g(x))) = succ(ITE(x>y, g(y), g(x)))

26

Step 2: Function elimination Step 2: Function elimination ITE(x>y, succ(g(y)), succ(g(x))) = succ(ITE(x>y, g(y), g(x)))

Fconst is

ITE(x>y, succ(gy), = succ(ITE(x>y, gy,

succ( ITE(x=y, gy, gx) ))

ITE(x=y, gy, gx) ))

P-function symbols: {g}G-function symbols: {x,y}

P-variables: {gx, gy}G-variables: {x, y}

27

Step 3: Finite Instantiation (1)Step 3: Finite Instantiation (1)

ITE(x>y, succ(gy), succ(gx)) = succ(ITE(x>y, gy, ITE(x=y, gy, gx)))

‘Small-Model’ Property:Sufficient to interpret variables over finite domains

P-variables: {gy, gx}G-variables: {x, y}

1. P-variables get distinct values2. G-variables can get same value if there’s a potential comparison

Value Classes:

x,y gxgy

28

Step 3: Finite Instantiation (2)Step 3: Finite Instantiation (2)x,y gxgy

2 values 1 value,+ 1 for succ(gy)

1 value,+ 1 for succ(gx)

GenerateBooleanFormula

Fprop

(Using bit-levelencoding of

arithmetic ops)

Numberof values:

Valuesassigned:

{0,1} {2,3} {4,5}

Final Boolean Encoding:

x {0,1} 00bx y {0,1} 00by

gy 2 010 gx 4 100

29

Theoretical Formula Blowup Theoretical Formula Blowup

If -free formula Fsubst has size N

Then final Boolean formula Fprop is

O((N + M2 + P2) lg N)

where M= #(function applications)

P= #(predicate applications)

In practice, O(N lg N) observed.

30

Decision Procedure BenchmarkingDecision Procedure Benchmarking

Model Term formula DAG size

Prop formula DAG size

UCLID time (s)

SVC time (s)

Out-of-order

execution unit

735 3658 4.8 3.0

1970 13755 18.3 102.4

3929 37179 61.9 4257.3

Elf™

processor

218 942 1.2 10.9

1085 4481 8.4 1851.6

2467 16453 30.6 > 1 day

4553 54288 111.0 > 1 day

Compared against Stanford Validity Checker (SVC)• Decides CLU + real linear arith. + bit-vector arith.

UCLID uses the Chaff SAT solver for Boolean SAT• Time includes translation time + Chaff time

31

Impact of Positive EqualityImpact of Positive Equality

Model Term formula size

UCLID w/ p-eq. (s)

UCLID w/o p-eq. (s)

Out-of-order

execution unit

735 4.78 9.79

1970 18.29 37.71

3929 61.90 149.46

Cache

Protocol

1829 6.29 26.50

2782 16.13 165.91

3939 61.08 > 1 hr

DLX pipeline 639 13.22 1897

Positive equality can still be exploited to improve performance

32

Counterexample Generation

Counterexample Generation

Counterexample Trace showing value

of each state variable on each step.

“Value” of a lambda is a set of argument/value pairs

LambdaExpansion

Function&

PredicateElimination

FiniteInstantiation

BooleanSatisfiability

SymbolicSimulation

TracePartial Interp.of Lambdas

Partial Interpretationof UIFs

IntegerAssignment

BooleanAssignment

33

ConclusionsConclusions Contributions

Modeling capability of CLU Efficient decision procedure

Builds on recent advances in Boolean SAT

Verification techniques in UCLID Counterexample generation

Ongoing work Decision procedure variants:

Encoding separation predicates [Strichman et al. CAV’02] Using pseudo-Boolean constraint solver

Other case studies MIPS processor

Some support for instantiating quantifiers