Randal E. Bryant Carnegie Mellon University SRC ‘07 Word-Level Modeling and Verification of...
-
date post
19-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Randal E. Bryant Carnegie Mellon University SRC ‘07 Word-Level Modeling and Verification of...
Randal E. Bryant
Carnegie Mellon University
SRC ‘07
Word-Level ModelingWord-Level Modelingand Verification of Systemsand Verification of Systems
Using Selective Term-Level AbstractionUsing Selective Term-Level Abstraction
Sanjit A. Seshia
U.C., Berkeley
– 2 – SRC ‘07
Task ID: 1355.001
Technical Thrust: Verification
Task Leader: Randal E. Bryant
PIs: R. E. Bryant (CMU), S. A. Seshia (UC Berkeley)
Student: Bryan Brady (UC Berkeley, exp. grad. 8/2010)
Industrial Liaisons:
Steven M. German, IBM Zurab Khasidashvili, Intel
Andreas Kuehlmann, Cadence Hillel Miller, Freescale
Carl-Johan Seger, Intel M. Alper Sen, Freescale
Eli Singerman, Intel Jin Yang, Intel
Hai Vo-Ba, AMD
ITRS Grand Challenge: 2003.12 -- Scaling of Maximum Quality Design Implementation Productivity
– 3 – SRC ‘07
Modeling Data in Formal VerificationModeling Data in Formal Verification
Symbolic or integer data Uninterpreted functions &
predicates
Fixed-width words of bits Specific encodings Standard arithmetic and
logical operators
Individual bits Boolean operations
Bit Level
Bit Vector Level
Term Level
– 4 – SRC ‘07
Term-Level ModelingTerm-Level Modeling
View Data as Symbolic “Terms”View Data as Symbolic “Terms” Arbitrary integer values Can store in memories & registers
Abstract Functional Units as “Black Boxes”Abstract Functional Units as “Black Boxes” Uninterpreted functions
x0x1x2
xn-1
x
ALU
ALU
f
– 5 – SRC ‘07
Formal Verification ToolsFormal Verification Tools
Term-level verifiersE.g., UCLIDAble to scale to much more
complex systems
Model checkers, equivalence checkers, …
Capacity limited by too many state bits & details of bit manipulations
Bit Level
Bit Vector Level
Term Level
– 6 – SRC ‘07
Creating ModelsCreating Models
UCLID HDLNonstandardDifficult to reconcile with
actual design
Register-Transfer LevelE.g., Verilog
Gate levelBit Level
Bit Vector Level
Term Level
Bit Blast
– 7 – SRC ‘07
Project DirectionsProject Directions
Bit Level
Bit Vector Level
Term Level
SemiautomaticAbstraction
UCLID CapabilitiesUCLID Capabilities Term-level models Bit-vector models
– 8 – SRC ‘07
Project DirectionsProject Directions
Bit-Vector Decision ProceduresBit-Vector Decision Procedures Enables UCLID to model at bit-vector level Direct path from RTL to verifier Of interest to larger community
Hardware, software, microcode verificationHardware & software testing
Term-Level AbstractionTerm-Level Abstraction Semiautomatic ways to generate term-level model from RTL
Combined EffectCombined Effect Verify using mixed term and bit-vector models Range of trade-offs between modeling detail and verifier
capacity
– 9 – SRC ‘07
Bit-Vector Decision Procedure ExampleBit-Vector Decision Procedure Example
Do these functions produce identical results?Do these functions produce identical results?
StrategyStrategy Represent and reason about bit-level program behavior Specific to machine word size, integer representations,
and operations
int abs(int x) { int mask = x>>31; return (x ^ mask) + ~mask + 1;}
int test_abs(int x) { return (x < 0) ? -x : x; }
– 10 – SRC ‘07
BV Decision Procedures:Some HistoryBV Decision Procedures:Some HistoryB.C. (Before Chaff)B.C. (Before Chaff)
String operations (concatenate, field extraction) Linear arithmetic with bounds checking Modular arithmetic
SAT-Based “Bit Blasting”SAT-Based “Bit Blasting” Generate Boolean circuit based on bit-level behavior of
operations Convert to Conjunctive Normal Form (CNF) and check with
best available SAT checker Handles arbitrary operations Effective in many applications
CBMC [Clarke, Kroening, Lerda, TACAS ’04]Microsoft Cogent + SLAM [Cook, Kroening, Sharygina, CAV ’05]CVC-Lite [Dill, Barrett, Ganesh], Yices [deMoura, et al], STP
– 11 – SRC ‘07
Challenge for BV-DPsChallenge for BV-DPs
Is there a better way than bit blasting?Is there a better way than bit blasting?
RequirementsRequirements Provide same functionality as with bit blasting Find abstractions based on word-level structure Improve on performance of bit blasting
A New ApproachA New Approach Bryant, Kroening, Ouaknine, Seshia, Stichman, Brady,
TACAS ’07 Use bit blasting as core technique Apply to simplified versions of formula Successive approximations until solve or show unsatisfiable
– 12 – SRC ‘07
Approximating FormulaApproximating Formula
Example Approximation TechniquesExample Approximation Techniques Underapproximating
Restrict word-level variables to smaller ranges of values
Overapproximating Replace subformula with Boolean variable
Original Formula
+Overapproximation + More solutions:
If unsatisfiable, then so is
Underapproximation−
−
Fewer solutions:Satisfying solution also satisfies
– 13 – SRC ‘07
Starting IterationsStarting Iterations
Initial UnderapproximationInitial Underapproximation (Greatly) restrict ranges of word-level variables Intuition: Satisfiable formula often has small-domain solution
1−
– 14 – SRC ‘07
First Half of IterationFirst Half of Iteration
SAT Result for SAT Result for 1− Satisfiable
Then have found solution for Unsatisfiable
Use UNSAT proof to generate overapproximation 1+ Replace irrelevant predicates with Boolean variables
1−If SAT, then done
1+
UNSAT proof:generate overapproximation
– 15 – SRC ‘07
Second Half of IterationSecond Half of Iteration
SAT Result for SAT Result for 1+ Unsatisfiable
Then have shown unsatisfiable
Satisfiable Solution indicates variable ranges that must be expanded Generate refined underapproximation
1−
If UNSAT, then done1+
SAT:Use solution togenerate refined underapproximation
2−
– 16 – SRC ‘07
Iterative BehaviorIterative Behavior
UnderapproximationsUnderapproximations Successively more precise
abstractions of Allow wider variable ranges
OverapproximationsOverapproximations No predictable relation UNSAT proof not unique
1−
1+
2−
k−
2+
k+
– 17 – SRC ‘07
Overall EffectOverall Effect
SoundnessSoundness Only terminate with solution on
underapproximation Only terminate as UNSAT on
overapproximation
CompletenessCompleteness Successive underapproximations
approach Finite variable ranges guarantee
termination In worst case, get k−
1−
1+
2−
k−
2+
k+
SAT
UNSAT
– 18 – SRC ‘07
Results: UCLID BV vs. Bit-blastingResults: UCLID BV vs. Bit-blasting
UCLID always better than bit blasting Generally better than other available procedures SAT time is the dominating factor
[results on 2.8 GHz Xeon, 2 GB RAM]
– 19 – SRC ‘07
Future Work in BV DPs Future Work in BV DPs
Lots of Refinement & TuningLots of Refinement & Tuning Selecting under- and over-approximations Iterating within under- or over-approximation Reusing portions of bit-blasted formulas
Take advantage of incremental SAT
Additional AbstractionsAdditional Abstractions View term-level modeling as overapproximation technique
Apply functional abstraction automatically
– 20 – SRC ‘07
Bit-Vector Level / Term Level Experimental ComparisonBit-Vector Level / Term Level Experimental ComparisonWhat Is Performance Advantage of Term-Level What Is Performance Advantage of Term-Level
Modeling?Modeling?
ExperimentExperiment Multiple microprocessor designs
Each at varying levels of detailRanging from complete bit-vector modeling to complete term-
level modeling
– 21 – SRC ‘07
Experiment: Y86 ProcessorsExperiment: Y86 Processors
Y86• 5 stage pipeline• single-threaded• in-order execution• simplified x86
R. E. Bryant and D. R. O’Hallaron. Computer Systems: A Programmer’s Perspective. Prentice-Hall 2002
– 22 – SRC ‘07
Y86 ExperimentsY86 Experiments
Processor VariationsProcessor Variations Handle data hazards with different stalling and forwarding
schemes Different branch prediction schemes Creates variety of flushing schedules & modeling details
ModelsModels Everything term level Bit-vector data, uninterpreted functions Bit-vector data, partially interpreted functions Bit-vector, “fully” interpreted functions
Still represent memory and register file as mutable functions
– 24 – SRC ‘07
ObservationsObservations
Detailed bit-vector model comes at high costDetailed bit-vector model comes at high cost Biggest problem was modeling ALU XOR operation Would get much worse for more complex microprocessor
E.g., if model all details of instruction decoding
Using abstraction in the “right” places can greatly Using abstraction in the “right” places can greatly reduce verification timereduce verification time
– 25 – SRC ‘07
Semiautomatic AbstractionSemiautomatic Abstraction
Generate mixed bit-vector / term model from VerilogGenerate mixed bit-vector / term model from Verilog
User annotates Verilog with User annotates Verilog with type qualifierstype qualifiers Variables: Term, Bit Vector Operations: Uninterpreted, Interpreted
Verifier generates hybrid modelVerifier generates hybrid model Using type inferencing
Working AssumptionWorking Assumption Designers have good intuition about where abstraction can
be applied Over time, will try to automate as much as possible
– 26 – SRC ‘07
Progress on AbstractionProgress on Abstraction
RequirementsRequirements Type qualifiers: syntax, usage Type-inference rules Type-inference algorithms
General Principles FormulatedGeneral Principles Formulated
– 27 – SRC ‘07
ConclusionsConclusions
Hybrid Bit-Vector / Term Modeling CapabilityHybrid Bit-Vector / Term Modeling Capability Can use as much or as little abstraction as required Clear path from RTL to verification
Bit-Vector Decision ProceduresBit-Vector Decision Procedures Iterative approach + SAT solvers provide powerful
framework Multiple possible abstraction techniques Opportunity for parallel processing
Term-Level AbstractionsTerm-Level Abstractions User provides minimal hints on where abstractions should
be applied