Randal E. Bryant

Carnegie Mellon University

SRC ‘07

Word-Level ModelingWord-Level Modelingand Verification of Systemsand Verification of Systems

Using Selective Term-Level AbstractionUsing Selective Term-Level Abstraction

Sanjit A. Seshia

U.C., Berkeley

– 2 – SRC ‘07

Task ID: 1355.001

Technical Thrust: Verification

Task Leader: Randal E. Bryant

PIs: R. E. Bryant (CMU), S. A. Seshia (UC Berkeley)

Student: Bryan Brady (UC Berkeley, exp. grad. 8/2010)

Industrial Liaisons:

Steven M. German, IBM Zurab Khasidashvili, Intel

Andreas Kuehlmann, Cadence Hillel Miller, Freescale

Carl-Johan Seger, Intel M. Alper Sen, Freescale

Eli Singerman, Intel Jin Yang, Intel

Hai Vo-Ba, AMD

ITRS Grand Challenge: 2003.12 -- Scaling of Maximum Quality Design Implementation Productivity

– 3 – SRC ‘07

Modeling Data in Formal VerificationModeling Data in Formal Verification

Symbolic or integer data Uninterpreted functions &

predicates

Fixed-width words of bits Specific encodings Standard arithmetic and

logical operators

Individual bits Boolean operations

Bit Level

Bit Vector Level

Term Level

– 4 – SRC ‘07

Term-Level ModelingTerm-Level Modeling

View Data as Symbolic “Terms”View Data as Symbolic “Terms” Arbitrary integer values Can store in memories & registers

Abstract Functional Units as “Black Boxes”Abstract Functional Units as “Black Boxes” Uninterpreted functions

x0x1x2

xn-1

x

ALU

ALU

f

– 5 – SRC ‘07

Formal Verification ToolsFormal Verification Tools

Term-level verifiersE.g., UCLIDAble to scale to much more

complex systems

Model checkers, equivalence checkers, …

Capacity limited by too many state bits & details of bit manipulations

Bit Level

Bit Vector Level

Term Level

– 6 – SRC ‘07

Creating ModelsCreating Models

UCLID HDLNonstandardDifficult to reconcile with

actual design

Register-Transfer LevelE.g., Verilog

Gate levelBit Level

Bit Vector Level

Term Level

Bit Blast

– 7 – SRC ‘07

Project DirectionsProject Directions

Bit Level

Bit Vector Level

Term Level

SemiautomaticAbstraction

UCLID CapabilitiesUCLID Capabilities Term-level models Bit-vector models

– 8 – SRC ‘07

Project DirectionsProject Directions

Bit-Vector Decision ProceduresBit-Vector Decision Procedures Enables UCLID to model at bit-vector level Direct path from RTL to verifier Of interest to larger community

Hardware, software, microcode verificationHardware & software testing

Term-Level AbstractionTerm-Level Abstraction Semiautomatic ways to generate term-level model from RTL

Combined EffectCombined Effect Verify using mixed term and bit-vector models Range of trade-offs between modeling detail and verifier

capacity

– 9 – SRC ‘07

Bit-Vector Decision Procedure ExampleBit-Vector Decision Procedure Example

Do these functions produce identical results?Do these functions produce identical results?

StrategyStrategy Represent and reason about bit-level program behavior Specific to machine word size, integer representations,

and operations

int abs(int x) { int mask = x>>31; return (x ^ mask) + ~mask + 1;}

int test_abs(int x) { return (x < 0) ? -x : x; }

– 10 – SRC ‘07

BV Decision Procedures:Some HistoryBV Decision Procedures:Some HistoryB.C. (Before Chaff)B.C. (Before Chaff)

String operations (concatenate, field extraction) Linear arithmetic with bounds checking Modular arithmetic

SAT-Based “Bit Blasting”SAT-Based “Bit Blasting” Generate Boolean circuit based on bit-level behavior of

operations Convert to Conjunctive Normal Form (CNF) and check with

best available SAT checker Handles arbitrary operations Effective in many applications

CBMC [Clarke, Kroening, Lerda, TACAS ’04]Microsoft Cogent + SLAM [Cook, Kroening, Sharygina, CAV ’05]CVC-Lite [Dill, Barrett, Ganesh], Yices [deMoura, et al], STP

– 11 – SRC ‘07

Challenge for BV-DPsChallenge for BV-DPs

Is there a better way than bit blasting?Is there a better way than bit blasting?

RequirementsRequirements Provide same functionality as with bit blasting Find abstractions based on word-level structure Improve on performance of bit blasting

A New ApproachA New Approach Bryant, Kroening, Ouaknine, Seshia, Stichman, Brady,

TACAS ’07 Use bit blasting as core technique Apply to simplified versions of formula Successive approximations until solve or show unsatisfiable

– 12 – SRC ‘07

Approximating FormulaApproximating Formula

Example Approximation TechniquesExample Approximation Techniques Underapproximating

Restrict word-level variables to smaller ranges of values

Overapproximating Replace subformula with Boolean variable

Original Formula

+Overapproximation + More solutions:

If unsatisfiable, then so is

Underapproximation−

−

Fewer solutions:Satisfying solution also satisfies

– 13 – SRC ‘07

Starting IterationsStarting Iterations

Initial UnderapproximationInitial Underapproximation (Greatly) restrict ranges of word-level variables Intuition: Satisfiable formula often has small-domain solution

1−

– 14 – SRC ‘07

First Half of IterationFirst Half of Iteration

SAT Result for SAT Result for 1− Satisfiable

Then have found solution for Unsatisfiable

Use UNSAT proof to generate overapproximation 1+ Replace irrelevant predicates with Boolean variables

1−If SAT, then done

1+

UNSAT proof:generate overapproximation

– 15 – SRC ‘07

Second Half of IterationSecond Half of Iteration

SAT Result for SAT Result for 1+ Unsatisfiable

Then have shown unsatisfiable

Satisfiable Solution indicates variable ranges that must be expanded Generate refined underapproximation

1−

If UNSAT, then done1+

SAT:Use solution togenerate refined underapproximation

2−

– 16 – SRC ‘07

Iterative BehaviorIterative Behavior

UnderapproximationsUnderapproximations Successively more precise

abstractions of Allow wider variable ranges

OverapproximationsOverapproximations No predictable relation UNSAT proof not unique

1−

1+

2−

k−

2+

k+

– 17 – SRC ‘07

Overall EffectOverall Effect

SoundnessSoundness Only terminate with solution on

underapproximation Only terminate as UNSAT on

overapproximation

CompletenessCompleteness Successive underapproximations

approach Finite variable ranges guarantee

termination In worst case, get k−

1−

1+

2−

k−

2+

k+

SAT

UNSAT

– 18 – SRC ‘07

Results: UCLID BV vs. Bit-blastingResults: UCLID BV vs. Bit-blasting

UCLID always better than bit blasting Generally better than other available procedures SAT time is the dominating factor

[results on 2.8 GHz Xeon, 2 GB RAM]

– 19 – SRC ‘07

Future Work in BV DPs Future Work in BV DPs

Lots of Refinement & TuningLots of Refinement & Tuning Selecting under- and over-approximations Iterating within under- or over-approximation Reusing portions of bit-blasted formulas

Take advantage of incremental SAT

Additional AbstractionsAdditional Abstractions View term-level modeling as overapproximation technique

Apply functional abstraction automatically

– 20 – SRC ‘07

Bit-Vector Level / Term Level Experimental ComparisonBit-Vector Level / Term Level Experimental ComparisonWhat Is Performance Advantage of Term-Level What Is Performance Advantage of Term-Level

Modeling?Modeling?

ExperimentExperiment Multiple microprocessor designs

Each at varying levels of detailRanging from complete bit-vector modeling to complete term-

level modeling

– 21 – SRC ‘07

Experiment: Y86 ProcessorsExperiment: Y86 Processors

Y86• 5 stage pipeline• single-threaded• in-order execution• simplified x86

R. E. Bryant and D. R. O’Hallaron. Computer Systems: A Programmer’s Perspective. Prentice-Hall 2002

– 22 – SRC ‘07

Y86 ExperimentsY86 Experiments

Processor VariationsProcessor Variations Handle data hazards with different stalling and forwarding

schemes Different branch prediction schemes Creates variety of flushing schedules & modeling details

ModelsModels Everything term level Bit-vector data, uninterpreted functions Bit-vector data, partially interpreted functions Bit-vector, “fully” interpreted functions

Still represent memory and register file as mutable functions

– 23 – SRC ‘07

Y86 Relative Verification TimesY86 Relative Verification Times

– 24 – SRC ‘07

ObservationsObservations

Detailed bit-vector model comes at high costDetailed bit-vector model comes at high cost Biggest problem was modeling ALU XOR operation Would get much worse for more complex microprocessor

E.g., if model all details of instruction decoding

Using abstraction in the “right” places can greatly Using abstraction in the “right” places can greatly reduce verification timereduce verification time

– 25 – SRC ‘07

Semiautomatic AbstractionSemiautomatic Abstraction

Generate mixed bit-vector / term model from VerilogGenerate mixed bit-vector / term model from Verilog

User annotates Verilog with User annotates Verilog with type qualifierstype qualifiers Variables: Term, Bit Vector Operations: Uninterpreted, Interpreted

Verifier generates hybrid modelVerifier generates hybrid model Using type inferencing

Working AssumptionWorking Assumption Designers have good intuition about where abstraction can

be applied Over time, will try to automate as much as possible

– 26 – SRC ‘07

Progress on AbstractionProgress on Abstraction

RequirementsRequirements Type qualifiers: syntax, usage Type-inference rules Type-inference algorithms

General Principles FormulatedGeneral Principles Formulated

– 27 – SRC ‘07

ConclusionsConclusions

Hybrid Bit-Vector / Term Modeling CapabilityHybrid Bit-Vector / Term Modeling Capability Can use as much or as little abstraction as required Clear path from RTL to verification

Bit-Vector Decision ProceduresBit-Vector Decision Procedures Iterative approach + SAT solvers provide powerful

framework Multiple possible abstraction techniques Opportunity for parallel processing

Term-Level AbstractionsTerm-Level Abstractions User provides minimal hints on where abstractions should

be applied