* carnegie mellon university † ibm
DESCRIPTION
Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions. Randal E. Bryant * Steven German † Miroslav Velev *. * Carnegie Mellon University † IBM. http://www.cs.cmu.edu/~bryant. Outline. Application Domain Verify correctness of a pipelined processor - PowerPoint PPT PresentationTRANSCRIPT
*Carnegie Mellon University†IBM
Exploiting Positive EqualityExploiting Positive Equalityin a Logic ofin a Logic ofEquality withEquality with
Uninterpreted FunctionsUninterpreted Functions
http://www.cs.cmu.edu/~bryant
Randal E. Bryant*Steven German†
Miroslav Velev*
– 2 –
Outline
Application DomainApplication Domain Verify correctness of a pipelined processor Based on Burch-Dill correspondence checking
Burch & Dill CAV ‘94
Verification TaskVerification Task Abstracted representation of data manipulation Must decide validity of formula in logic of Equality with
Uninterpreted Functions (EUF)
New ContributionNew Contribution Exploit properties of formulas to reduce verification
complexity Significant performance improvement when modeling
microprocessor operation
– 3 –
Reg.File
IF/ID
InstrMem
+4
PC ID/EX
ALU
EX/WB
=
=
RdRa
Rb
Imm
Op
Adat
Control Control
Bdat
Microprocessor Modeling
Simplified RISC pipeline Described at RTL level
Words viewed as bit vectorsBit-level functionality
– 4 –
Abstracting Data
View Data as Symbolic “Terms”View Data as Symbolic “Terms” No particular properties or operations
Except for equations: x = y Can store in memories & registers Can select with multiplexors
ITE: If-Then-Else operation
x0
x1
x2
xn-1
x
T
F
xy
p
ITE(p, x, y)T
F
xy
T
xT
F
xy
F
y
– 5 –
Abstraction Via Uninterpreted Functions
For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Assume functional consistency
x = y f(x) = f(y)
Reg.File
IF/ID
InstrMem
+4
PC ID/EX
ALU
EX/WB
=
=
RdRa
Rb
Imm
Op
Adat
Control Control
F1
F 2
F3
– 6 –
=
f
T
F
T
F
f T
F
=
e1
e0x0
d0
Decision ProblemLogic of Equality with Uninterpreted Functions (EUF)Logic of Equality with Uninterpreted Functions (EUF)
Domain ValuesSolid linesUninterpreted functions If-Then-Else operation
Truth ValuesDashed LinesUninterpreted predicatesLogical connectivesEquations
TaskTask Determine whether formula is universally valid
True for all interpretations of variables and function symbols
– 7 –
Some History Ackermann, 1954
Quantifier-free decision problem can be decided based on finite instantiations
Automatic Theorem ProvingTradition of using uninterpreted functions when modeling hardwareE.g., Warren Hunt, 1985
Burch & Dill, CAV ‘94Automatic decision procedure
» Davis-Putnam enumeration » Congruence closure to enforce functional consistency
Verified single-issue DLX» Simple 5-stage RISC pipeline
Becomes less effective for more complex processors» Burch, DAC ‘96 & FMCAD ‘96
– 8 –
Previous Attempts to Use BDDsHojati, et al., IWLS ‘97Hojati, et al., IWLS ‘97
Generate binary encodings of limited-range integer variables Hit exponential blow-up
Goel, et al., CAV ‘98Goel, et al., CAV ‘98 Encode equality relation among variables as propositional
variables Results not compelling
Velev & Bryant, FMCAD ‘98Velev & Bryant, FMCAD ‘98 Work with modified RTL model
Replace memory & function blocks with special behavioral blocks Exponential blow-up for processor with branch or load/store
instructions
– 9 –
Why Did BDDs Fail? Result of Load instruction used in address computation
Similar effect for branch instruction Impossible to have good BDD variable ordering
Variables encoding addresses must precede those encoding dataLeads to circular constraints on ordering
DataMemory
AddressData
AddressData
Pipeline Logic
– 10 –
Decision Problem Example #1
)))((),(()))((),(( xggyghxggxgh
yx
h
x y
=
=
g
g
g h
– 11 –
EUF Syntax Logic of Equality with Uninterpreted Functions
TermsTermsITE(F, T1, T2) If-then-elsef (T1, …, Tk) Function application
FormulasFormulasF, F1 F2, F1 F2 Boolean connectivesT1 = T2 Equationp (T1, …, Tk) Predicate application
Special CasesSpecial Casesv Domain variable (order-0 function)a Propositional variable (order-0 predicate)
– 12 –
PEUF Syntax Logic of Positive Equality with Uninterpreted Functions
Formulas (General)Formulas (General)F, F1 F2, F1 F2
GT1 = GT2
p (PT1, …, PTk)
P-Formulas (Special)P-Formulas (Special)FPF1 PF2, PF1 PF2
PT1 = PT2
Key PropertiesKey Properties P-formulas cannot be negated & cannot control ITEs P-terms only used as funct. args. and in positive equations Applications of p-function symbols occur only in p-terms
G-Terms (General)G-Terms (General)ITE(F, GT1, GT2)fg(PT1, …, PTk)
P-Terms (Special)P-Terms (Special)GTITE(F, PT1, PT2)fp(PT1, …, PTk)
– 13 –
Analyzing Example #1
h
x y
=
=
g
g
gh
P-Function SymbolsP-Function Symbolsg, h
G-Function SymbolsG-Function Symbols Appear in negated equationx, y
G-terms
P-terms
P-formulas
Formulas
– 14 –
Example #2
)))((),((
)))]((),(())),((),((,[
xggxgh
xggyghxggxghyxITE
h
x y
=
=g
g
gh
T
F
– 15 –
Analyzing Example #2
ITE control must be formula “Interesting” things happen when false
G-terms
P-terms
P-formula
Formula
h
x y
=
=g
g
gh
T
F
– 16 –
Maximally Diverse Interpretations
P-Function SymbolsP-Function Symbols Equal results only for
equal arguments
G-Function SymbolsG-Function Symbols Potentially yield equal
results for unequal arguments
PropertyProperty Formula valid only if
true under all maximally diverse interpretations
h
x y
=
=
g
g
gh
Terms Equal?x y Potentiallyg (x) g (y) Only if x = yg (x) y Nog (g (x)) g (y) Nog (g (x)) g (x) No
– 17 –
Justification of Maximal Diversity Property
h
x y
=
=
g
g
ghCreate Worst Case for Create Worst Case for
ValidityValidity Falsify positive equation
Create Worst Case for Create Worst Case for ValidityValidity Falsify positive equation Function applications yield
distinct results
Create Worst Case for Create Worst Case for ValidityValidity Falsify positive equation Function applications yield
distinct results Function arguments distinct
Key ArgumentKey Argument For every interpretation I, there is a maximally diverse
interpretation I such that I [F] I[F]
– 18 –
Equations in Processor Verification
Data TypesData Types EquationsEquations Register Ids Control stalling & forwarding
+ Addresses for register file Instruction Address Only top-level verification condition Program Data Only top-level verification condition
Reg.File
IF/ID
InstrMem
+4
PC ID/EX
ALU
EX/WB
=
=
RdRa
Rb
Imm
Op
Adat
Control Control
– 19 –
Modeling Memories
Conventional Expansion of Memory OperationsConventional Expansion of Memory Operations Effects of writes represented as nested ITEs Initial memory state represented by uninterpreted function fM
Write(a1, d1);Write(a2, d2);Write(a3, d3);Read(a) T
FfM
=
d3d2d1
= =a1 a2 a3
T
F
T
F
a
ProblemProblem Equations over addresses control ITEs Addresses must be g-terms
OK for register file, but not for data memory
– 20 –
Data Memory Modeling
Generic State MachineGeneric State Machine Memory state represented as
term Initial state given by variable vM
Write operation causes arbitrary state changeUninterpreted function fu
Read operation function of address & stateUninterpreted function fr
MemoryState
fu
frRaddr
WaddrWdata
RdataRead
Write
– 21 –
Data Memory Modeling (Cont.)
No equations over addresses! Can keep as p-terms
LimitationsLimitations Does not capture full semantics of memory Only works when processor preserves program order for:
Writes relative to each otherReads relative to writes
fu
d3
d2
d1
a1
a2
a3
a
fu fu
frvMWrite(a1, d1);Write(a2, d2);Write(a3, d3);Read(a)
– 22 –
Function Symbols in Processor VerificationG-Function SymbolsG-Function Symbols
Register Ids 20--25% of function applications
P-Function SymbolsP-Function Symbols Program data Data & instruction addresses Opcodes 75--80% of function applications
EffectEffect Breaks dependency loop that caused exponential blow-up
– 23 –
Decision Procedure
StepsSteps Eliminate function applications Assign limited ranges to domain variables Encode domain variables as bit vectors Translate into propositional logic
h
x y
=
=
hg
g
g
– 24 –
f
f
fx1
x2
x3
vf1
vf2
T
F
=
==
T
F
vf3
T
F
Eliminating Function Applications
Replacing ApplicationReplacing Application Introduce new domain variable Nested ITE structure maintains functional consistency
– 25 –
Exploiting Positive Equality
PropertyProperty P-function symbol f Introduce variables vf1, …, vfn during elimination Consider only diverse interpretations for variables vf1, …, vfn
vfi v for any other variable v
ExampleExample Assuming vf1 vf2 :
x1
x2
vf1
vf2
T
F
= = iff x1=x2
– 26 –
f
fvf1
vf2
Compare: Ackermann’s Method
Replacing ApplicationReplacing Application Introduce new domain variable Enforce functional consistency by global constraints
Unclear how to generate diverse interpretations
x1
x2
F= =
– 27 –
h
x y
=
=
hg
g
g
h
x y vg1 vg2vg3
=
=
=
=
T
F
T
F
T
F
h
Eliminating Function Symbol g
– 28 –
h
x y vg1 vg2vg3
=
=
=
=
T
F
T
F
T
F
h
=
=
x y vg1 vg2vg3 vh1vh2
=
=
=
=
T
F
T
F
T
F
T
F
Eliminate Function Symbol h
Final FormFinal Form Only domain and propositional variables
– 29 –
Instantiating Variables
Can assign fixed interpretations to variables arising from eliminating p-function applications
Need to consider only two different casesy = 0 vs. y = 1
x
y
vg1 vg2vg3 vh1vh2
=
=
=
=
=
=
T
F
T
F
T
F
T
F
{2} {3} {4} {5} {6}{0}
{0,1}
– 30 –
Evaluating Formula
Actual implementation uses BDD evaluation
=
=
x
y
vg1 vg2vg3 vh1vh2
=
=
=
=
T
F
T
F
T
F
T
F
{0}
{0,1}
{2} {3} {4} {5} {6}
y=0
F
F
44
ITE(y=0,2,3)
2
T
y=0
y=05
ITE(y=0,5,6)
y=0
y0
T
– 31 –
Pnueli, et al., CAV ‘99
SimilaritiesSimilarities Examine structure of equations
Whether used in positive or negative form Exploit structure to limit variable domains
Differences in Their ApproachDifferences in Their Approach Examine equation structure after function applications
eliminated Use Ackermann’s method to eliminate function applications
– 32 –
Ackermann’s Method Example
Many more equations2 8
P-formula / P-term structure destroyed vh1vh2
=
x y vg1 vg2vg3
=
=
=
=
=
=
=
h
x y
=
=
g
g
gh
– 33 –
Comparison to Pnueli, et al.
Relative Advantage of Their MethodRelative Advantage of Their Method Better at exploiting equation structure among g-terms Worse at exploiting structure among p-terms
– 34 –
Experimental Results
Verify Modified RTL CircuitsVerify Modified RTL Circuits Replace memories, latches, and function blocks by special
functional models.Bryant & Velev, FMCAD ‘98
Small modification to generate fixed bit patterns for p-function block
Simplified MIPS ProcessorSimplified MIPS Processor Reg-Reg, and Reg-Immediate only
Before: 48 s / 7 MB After: 6 s / 2 MB RR, RI + Load/Store
Before: Space-Out After: 12 s / 1.8 MB RR, RI, L/S, Branch
Before: Space-Out After: 169 s / 7.5 MB
– 35 –
Conclusion
Exploiting Positive EqualityExploiting Positive Equality Greatly reduces number of interpretations to consider Our function elimination scheme provides encoding
mechanism Enables verification of complete processor using BDDs
Ongoing WorkOngoing Work New implementation using pure term-level models Velev & Bryant, CHARME ‘99 Single-issue DLX now takes 0.15 s. Dual-issue DLX takes 35 s.