1 integrating advanced techniques for formal hardware verification erik reeber may 12, 2005
TRANSCRIPT
1
Integrating Advanced Techniques for Formal Hardware
VerificationErik Reeber
May 12, 2005
2
Introduction• Hardware verification moving from academia to
industry– Hardware designs becoming more complex– High cost of failure– Power of model checking increasing– Difficulty of theorem proving decreasing
• Need for work on practical methodologies– Combine theorem proving and fully automatic
techniques– Industrial design languages– Advanced hardware designs
3
Outline
• Introduction• The DE2 Language• Decidable Fragment of ACL2• Integrating SAT-Solvers with ACL2• Methodology for RTL-level Verification• Verification of the Load Store Queue (LSQ)• Related Work• Conclusion
4
The DE2 Language
• Language Goals:– Economy of simplicity– Similar to Verilog, when possible
• Successor of DE, successor to DUAL-EVAL– Parameterized types (bit vectors)– Primitive Input expressions
5
DE2 Language Features
• Hierarchical, occurrence-oriented HDL
• Deeply-Embedded in ACL2
• FSM Memory abstraction
• Two-Pass Evaluation
• Parameterized Types
• Annotation Mechanisms
6
Example Schematic
MUX
+
sel 01
Register
in
loadaddOut
muxOut
out
Accumulator
clk clk
width
width
width
width
7
Example RTL
(accumulator (params width) (outs (out width)) (ins (in width) (load 1)) (wires (addOut width) (muxOut width)) (st reg) (occs (reg (out) (register width) (muxOut)) (agn0 (addOut) (bufn width) ((bvAdder width in out))) (agn1 (mux_out) (bufn width) ((bvIf load in addOut))))
module accumulator(out,clk,in,load); parameter width; output out[width]; input clk,in[width],load[1]; wire addOut[width], muxOut[width];
register#(width) reg(.out(out), .clk(clk), .in(muxOut));
assign addOut = in+out; assign muxOut = load?in:addOut;
endmodule;
Verilog DE2
8
Proposed Work
• Extend language as necessary to represent LSQ– Parameterized Loop– Case statements– More primitives
• Preprocessor– Infer bit-vector lengths
9
Decidable Fragment of ACL2
• Want a fully automatic procedure for determining the validity of ACL2 properties
• Unfortunately, the ACL2 logic is undecidable– As is any first-order logic with arithmetic
• Should be able to, however, express useful hardware properties in decidable logic
• Start with finite number of cycles– Theory of List Structure, plus limited functions
– Nelson & Oppen, 1980
10
Definition of Fragment
• ACL2 Primitives:– if, consp, car, cdr, cons, lambda
• Limited Function Definition:– Allow calls to recursively defined functions– Functions terminate for all inputs– Constant type formals – A formal a of f is a type formal if:
• a is used to compute the terminating measure of f or• a is used to compute a type formal of a function called in the
body of f
• Proof of decidability in document
11
Features of Fragment
• Efficient recognizer • In an ACL2 hardware model, type formals
correspond to types– i.e. sizes of bit vectors and structure of memory– Constant for synthesizable hardware
• Can express properties involving a finite number of cycles– e.g. Inv(S) Inv(step(S, I))– Induction leads to complete invariant proofs
12
Integrating SAT-Solvers with ACL2
• Want an efficient decision procedure for fragment• SAT solvers useful for hardware verification• Convert ACL2 property into CNF
– Create new variables to keep conversion cost low– Finite number of relevant Boolean expressions– CNF unsatisfiable only if ACL2 property valid– If in fragment, CNF satisfiable only if ACL2 property
invalid
• Use external SAT solver
13
Counter-Example Generation
• If CNF is satisfiable, we construct an ACL2 counter-example– Run example on ACL2 property– Unlike failed proof-attempt, can be certain
property is invalid– Useful even if ultimately going to use the
theorem prover (e.g. want property for all bit-widths)
14
Performance Comparison
N Example ACL2 BDD SAT
1 4 Adder Assoc 166.72s 0.02s 0.17s
2 32 Adder Assoc **** 0.55s 2.38s
3 200 Adder Assoc **** 50.67s 56.02s
4 32x6 Shift Zeros 106.54s 4.66s 3.27s
5 64x7 Shift Zeros **** 759.79 23.64
6 32x4 Added Shift **** 3.55s 4.13s
7 64x6 Added Shift **** 507.33s 136.13s
8 100 Digit Dec Inv **** 4.53s 11.88s
15
Lines of Code Comparison
N Example Model ACL2 BDD SAT
1 4 Adder Assoc 21 17 25 4
2 32 Adder Assoc 21 17 42 4
3 200 Adder Assoc 21 17 202 4
4 32x6 Shift Zeros 34 53 60 6
5 64x7 Shift Zeros 34 53 65 6
6 32x4 Added Shift 44 58 71 4
7 64x6 Added Shift 44 58 77 4
8 100 Digit Dec Inv 36 44 280 4
16
Proposed Work
• Use ACL2 external tool mechanism, if available– Currently implemented in ACL2 source
• Prove conversion algorithm correct– Hand proof, in dissertation– Prove both decidable and sound
17
Methodology for RTL-level Verification
• We begin with a Verilog design and an informal specification
Verilog Design
English Spec, C Model and Test Suite
Testing & Inspection
18
Compile Into DE2
DE2 Design
Compilers
Optimizations & Reductions(verified)
Verilog Design
English Spec, C Model and Test Suite
Acknowledgment: Compiler front end built by Vinod Viswanath
19
Translate Into ACL2
ACL2 Model
ACL2 Spec
Verifying Compiler
DE2 Design
Verilog Design
English Spec, C Model and Test Suite
Manual Translation
20
Verify Using A Theorem Prover and Decision Procedures
Simplified Invariants
ACL2 Model
ACL2 SpecDE2 Design
Verilog Design
English Spec, C Model and Test Suite
SAT-Based Decision Procedure
Guided Proof
21
Proposed Work
• Expand subset of Verilog to handle LSQ design– Modify compilers as necessary
• Increase scalability of DE2 to ACL2 compiler– Current proofs can handle only 200
instantiations or assignments– Needs to handle at least 1000
22
Proposed Application: Verification of the LSQ
• Important component in out-of-order processor• Approximately 3,000 lines of Verilog
1)Forwards uncommitted stores2)Detects load-store violations 3)Wakes differed loads4)Detects completion of instruction blocks5)commits stores
• TRIPS Processor contains four LSQs---one for each memory partition
• Will verify a correspondence between an n tile, pipelined LSQ and a 1 tile non-pipelined LSQ model
23
Verification of DSN• Approximately 600 lines of Verilog• The DSN handles LSQ communication
1) Accumulates miss-order exceptions2) Accumulates execution exceptions3) Accumulates stores
• Used methodology to produce ACL2 model• 6 ACL2 properties: 3 progress & 3 safety• Have verified two properties
– 20 hours per property– 6 bugs in spec, 0 bugs in design (5 found via CE)
• Will also verify DSN with ACL2 alone
24
Work Related to DE2 Language
• Richard Boulton et al, “Experience with Embedding Hardware Description Languages in HOL”, 1992– Introduced “deep” v. “shallow” terminology
• Mary Sheeran, “Generating Fast Multipliers Using Clever Circuits”, 2004– Shows that a function HDL can produce high-performance circuits
• Sava Krstic and John Matthews, “Semantics of the reFLect Language”, 2004– Intel’s new functional HDL
25
Work Related to Integration
• Panagiotis Manolios, Mechanical Verification of Reactive Systems, 2001– Formalized lambda-calculus in ACL2
• Sergey Berezin, Model Checking and Theorem Proving: A Unified Framework, 2002– General mathematical framework
• David Cyrluk, Proof Methodologies for Processor Verification, 2003– Used PVS and custom temporal logic
• Rob Sumners and Sandip Ray, “Reducing Invariant Proofs to Finite Search via Rewriting”, 2005– Automatic Invariant Discovery in ACL2
26
Work Related to Integration (continued)
• S. Owre et al, “PVS: Combining Specification, Proof Checking, and Model Checking”, 1996– Uses Mu-Calculus to communicate
– Decision procedures for arrays, tuples, and linear arithmetic
• Robert Jones et al, “Practical Formal Verification in Microprocessor Design,” 2001– Used BDD-based STE and FL theorem prover
• Joe Hurd, “Fast normalization in the HOL Theorem Prover”, 2002– Convert Boolean propositions to CNF in HOL
27
Conclusion• New hardware description language, DE2 • Identified a useful decidable fragment of ACL2• Built SAT-based decision procedure
– Will prove algorithm correct
• Created a hardware verification methodology – Makes use of DE2 and decidable fragment
• Will use methodology on LSQ– out-of-order instructions, pipelining, and multiple tiles– Will evaluate methodology v. theorem proving alone– Will expand language & compilers as needed
28
Backup Slides
29
Example Functional ModelOne function to access each state element:
accumulatorreg(S) car(S)
One function to calculate each wire value:
accumulatorout(S) registerout(accumulatorreg(S))
accumulatoradderOut(width, S, in) bvAdd(width, in, accumulatorout(S))
accumulatormuxOut(width, S, in, load) bvIf(load, in, accumulatoradderOut(width, S, in)))
One function to update state:
accumulatorupdateS(width, S, in) < accumulatormuxOut(width, S, in, load) >
30
Example Property
accn(n, S0)
where ADD = <nil> ZERO = <nil, nil, nil, nil, nil, nil, nil, nil>
We can use an ADD(0) instruction as a No-op:
accumulatorout(S0) =bv_8 x
accumulatorout(accn(n,S0)) =bv_8 x
Using induction, the theorem prover reduces this property to:
accumulatorout(S)=bv_8 x
accumulatorout(accumulatorupdateS(8,S,ZERO,ADD))=bv_8 x
S0 if n=0 n
accn(n-1,accumulatorupdateS(8,S0,ZERO,ADD)