Post on 13-Mar-2016

DESCRIPTION

Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions. Randal E. Bryant*, Steven German†, Miroslav Velev*. *Carnegie Mellon University, †IBM. http://www.cs.cmu.edu/~bryant. Outline: Application Domain: verify correctness of a pipelined processor. (PowerPoint presentation)

TRANSCRIPT

Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions

Randal E. Bryant*, Steven German†, Miroslav Velev*

*Carnegie Mellon University, †IBM

http://www.cs.cmu.edu/~bryant

– 2 –

Outline

Application Domain
  Verify correctness of a pipelined processor
  Based on Burch-Dill correspondence checking (Burch & Dill, CAV ’94)

Verification Task
  Abstracted representation of data manipulation
  Must decide validity of formula in logic of Equality with Uninterpreted Functions (EUF)

New Contribution
  Exploit properties of formulas to reduce verification complexity
  Significant performance improvement when modeling microprocessor operation

– 3 –

Microprocessor Modeling

[Figure: block diagram of a simplified RISC pipeline. Stages and blocks: PC, +4, InstrMem, IF/ID, Reg.File, ID/EX, ALU, EX/WB; signals Ra, Rb, Rd, Imm, Op, Adat, Bdat, Control; two equality comparators feeding the control logic.]

Simplified RISC pipeline
  Described at RTL level
  Words viewed as bit vectors
  Bit-level functionality

– 4 –

Abstracting Data

View Data as Symbolic “Terms”
  No particular properties or operations, except for equations: x = y
  Can store in memories & registers
  Can select with multiplexors: ITE (If-Then-Else) operation

[Figure: a multiplexor over inputs x0, x1, x2, …, xn-1 producing output x; ITE(p, x, y) drawn as a two-input mux with control p, T input x and F input y; cascaded muxes with T/F inputs x and y.]

– 5 –

Abstraction Via Uninterpreted Functions

For any Block that Transforms or Evaluates Data:
  Replace with generic, unspecified function
  Assume functional consistency: x = y ⇒ f(x) = f(y)

[Figure: the pipeline diagram of the previous slide (PC, +4, InstrMem, IF/ID, Reg.File, ID/EX, ALU, EX/WB, signals Ra, Rb, Rd, Imm, Op, Adat, Control) with data-transforming blocks replaced by uninterpreted function blocks F1, F2, F3.]

– 6 –

Decision Problem: Logic of Equality with Uninterpreted Functions (EUF)

[Figure: a term-level formula drawn as a circuit: an uninterpreted function f, ITE muxes with T/F inputs, equality comparators, and domain inputs e0, e1, x0, d0. Solid lines carry domain values, dashed lines carry truth values.]

Domain Values (solid lines)
  Uninterpreted functions
  If-Then-Else operation

Truth Values (dashed lines)
  Uninterpreted predicates
  Logical connectives
  Equations

Task
  Determine whether formula is universally valid: true for all interpretations of variables and function symbols

– 7 –

Some History

Ackermann, 1954
  Quantifier-free decision problem can be decided based on finite instantiations

Automatic Theorem Proving
  Tradition of using uninterpreted functions when modeling hardware, e.g., Warren Hunt, 1985

Burch & Dill, CAV ’94
  Automatic decision procedure
    » Davis-Putnam enumeration
    » Congruence closure to enforce functional consistency
  Verified single-issue DLX
    » Simple 5-stage RISC pipeline
  Becomes less effective for more complex processors
    » Burch, DAC ’96 & FMCAD ’96

– 8 –

Previous Attempts to Use BDDs

Hojati, et al., IWLS ’97
  Generate binary encodings of limited-range integer variables
  Hit exponential blow-up

Goel, et al., CAV ’98
  Encode equality relation among variables as propositional variables
  Results not compelling

Velev & Bryant, FMCAD ’98
  Work with modified RTL model
  Replace memory & function blocks with special behavioral blocks
  Exponential blow-up for processor with branch or load/store instructions

– 9 –

Why Did BDDs Fail?

Result of Load instruction used in address computation
  Similar effect for branch instruction
Impossible to have good BDD variable ordering
  Variables encoding addresses must precede those encoding data
  Leads to circular constraints on ordering

[Figure: Pipeline Logic drives the Address and Data inputs of a Data Memory; the memory's Data output feeds back into the pipeline logic that computes the next Address and Data.]

– 10 –

Decision Problem Example #1

¬(x = y) ∨ h(g(x), g(g(x))) = h(g(y), g(g(x)))

[Figure: the formula drawn as a circuit: x and y feed an equality comparator and the applications of g; g(x), g(y) and g(g(x)) feed two applications of h whose results are compared by a second equality.]

– 11 –

EUF Syntax: Logic of Equality with Uninterpreted Functions

Terms
  ITE(F, T1, T2)          If-then-else
  f(T1, …, Tk)            Function application

Formulas
  ¬F, F1 ∧ F2, F1 ∨ F2    Boolean connectives
  T1 = T2                 Equation
  p(T1, …, Tk)            Predicate application

Special Cases
  v    Domain variable (order-0 function)
  a    Propositional variable (order-0 predicate)

– 12 –

PEUF Syntax: Logic of Positive Equality with Uninterpreted Functions

Formulas (General)
  ¬F, F1 ∧ F2, F1 ∨ F2
  GT1 = GT2
  p(PT1, …, PTk)

P-Formulas (Special)
  F
  PF1 ∧ PF2, PF1 ∨ PF2
  PT1 = PT2

G-Terms (General)
  ITE(F, GT1, GT2)
  fg(PT1, …, PTk)

P-Terms (Special)
  GT
  ITE(F, PT1, PT2)
  fp(PT1, …, PTk)

Key Properties
  P-formulas cannot be negated & cannot control ITEs
  P-terms only used as function arguments and in positive equations
  Applications of p-function symbols occur only in p-terms

– 13 –

Analyzing Example #1

[Figure: the Example #1 circuit with every node classified by the legend: G-terms, P-terms, P-formulas, Formulas.]

P-Function Symbols: g, h
G-Function Symbols: x, y (appear in negated equation)

– 14 –

Example #2

ITE(x = y, h(g(x), g(g(x))), h(g(y), g(g(x)))) = h(g(x), g(g(x)))

[Figure: the formula drawn as a circuit: the x = y comparator controls an ITE mux (T/F inputs) selecting between the two applications of h; the mux output is compared with h(g(x), g(g(x))).]

– 15 –

Analyzing Example #2

ITE control must be formula
“Interesting” things happen when false

[Figure: the Example #2 circuit with every node classified by the legend: G-terms, P-terms, P-formula, Formula.]

– 16 –

Maximally Diverse Interpretations

P-Function Symbols
  Equal results only for equal arguments

G-Function Symbols
  Potentially yield equal results for unequal arguments

Property
  Formula valid only if true under all maximally diverse interpretations

[Figure: the Example #1 circuit.]

Terms Equal?
  x, y                Potentially
  g(x), g(y)          Only if x = y
  g(x), y             No
  g(g(x)), g(y)       No
  g(g(x)), g(x)       No

– 17 –

Justification of Maximal Diversity Property

[Figure: the Example #1 circuit, annotated step by step as the worst case is constructed.]

Create Worst Case for Validity
  Falsify positive equation
  Function applications yield distinct results
  Function arguments distinct

Key Argument
  For every interpretation I, there is a maximally diverse interpretation I′ such that I′[F] ⇒ I[F]

– 18 –

Equations in Processor Verification

  Data Types             Equations
  Register Ids           Control stalling & forwarding, + addresses for register file
  Instruction Address    Only top-level verification condition
  Program Data           Only top-level verification condition

[Figure: the simplified RISC pipeline diagram (PC, +4, InstrMem, IF/ID, Reg.File, ID/EX, ALU, EX/WB; signals Ra, Rb, Rd, Imm, Op, Adat, Control; two equality comparators).]

– 19 –

Modeling Memories

Conventional Expansion of Memory Operations
  Effects of writes represented as nested ITEs
  Initial memory state represented by uninterpreted function fM

Write(a1, d1); Write(a2, d2); Write(a3, d3); Read(a)

[Figure: the read value is drawn as three cascaded ITE muxes controlled by the comparators a = a3, a = a2, a = a1, selecting d3, d2, d1 respectively and falling through to fM(a).]

Problem
  Equations over addresses control ITEs
  Addresses must be g-terms
  OK for register file, but not for data memory

– 20 –

Data Memory Modeling

Generic State Machine
  Memory state represented as term
  Initial state given by variable vM
  Write operation causes arbitrary state change: uninterpreted function fu
  Read operation function of address & state: uninterpreted function fr

[Figure: a Memory State register; Write applies fu to the current state, Waddr and Wdata to produce the next state; Read applies fr to the current state and Raddr to produce Rdata.]

– 21 –

Data Memory Modeling (Cont.)

No equations over addresses! Can keep as p-terms

Limitations
  Does not capture full semantics of memory
  Only works when processor preserves program order for:
    Writes relative to each other
    Reads relative to writes

Write(a1, d1); Write(a2, d2); Write(a3, d3); Read(a)

[Figure: the state after the three writes is fu applied three times in succession, starting from vM, with (a1, d1), (a2, d2) and (a3, d3); the read is fr applied to that state and a.]

– 22 –

Function Symbols in Processor Verification

G-Function Symbols
  Register Ids
  20--25% of function applications

P-Function Symbols
  Program data
  Data & instruction addresses
  Opcodes
  75--80% of function applications

Effect
  Breaks dependency loop that caused exponential blow-up

– 23 –

Decision Procedure

Steps
  Eliminate function applications
  Assign limited ranges to domain variables
  Encode domain variables as bit vectors
  Translate into propositional logic

[Figure: the Example #1 circuit.]

– 24 –

Eliminating Function Applications

[Figure: three applications f(x1), f(x2), f(x3) replaced by vf1, ITE(x2 = x1, vf1, vf2) and ITE(x3 = x1, vf1, ITE(x3 = x2, vf2, vf3)), drawn as equality comparators controlling T/F muxes.]

Replacing Application
  Introduce new domain variable
  Nested ITE structure maintains functional consistency

– 25 –

Exploiting Positive Equality

Property
  P-function symbol f
  Introduce variables vf1, …, vfn during elimination
  Consider only diverse interpretations for variables vf1, …, vfn: vfi ≠ v for any other variable v

Example
  Assuming vf1 ≠ vf2: the eliminated form vf1 = ITE(x1 = x2, vf1, vf2) holds iff x1 = x2

[Figure: f(x1) = f(x2) after elimination: x1 and x2 feed an equality comparator controlling a T/F mux over vf1 and vf2, whose output is compared with vf1.]

– 26 –

Compare: Ackermann’s Method

[Figure: f(x1) and f(x2) replaced by vf1 and vf2, with the global constraint (x1 = x2) ⇒ (vf1 = vf2).]

Replacing Application
  Introduce new domain variable
  Enforce functional consistency by global constraints
  Unclear how to generate diverse interpretations

– 27 –

Eliminating Function Symbol g

[Figure: the Example #1 circuit before (applications of h and g over x, y) and after eliminating g: the three applications of g become vg1, vg2, vg3 selected by nested T/F muxes controlled by equalities over x and y; the applications of h remain.]

– 28 –

Eliminating Function Symbol h

[Figure: starting from the circuit with g eliminated (x, y, vg1, vg2, vg3 and two applications of h), the applications of h become vh1 and a T/F mux selecting between vh1 and vh2, controlled by equalities between their arguments.]

Final Form
  Only domain and propositional variables

– 29 –

Instantiating Variables

Can assign fixed interpretations to variables arising from eliminating p-function applications
Need to consider only two different cases: y = 0 vs. y = 1

[Figure: the fully eliminated formula with the variable domains x ∈ {0}, y ∈ {0,1}, vg1 ∈ {2}, vg2 ∈ {3}, vg3 ∈ {4}, vh1 ∈ {5}, vh2 ∈ {6}.]

– 30 –

Evaluating Formula

Actual implementation uses BDD evaluation

[Figure: the instantiated formula (x ∈ {0}, y ∈ {0,1}, vg1 ∈ {2}, vg2 ∈ {3}, vg3 ∈ {4}, vh1 ∈ {5}, vh2 ∈ {6}) with each node annotated by its value: the comparator x = y evaluates to y=0; g(x) to 2; g(y) to ITE(y=0, 2, 3); g(g(x)) to 4; h(g(x), g(g(x))) to 5; h(g(y), g(g(x))) to ITE(y=0, 5, 6); the top-level equation to y=0; the negated equation to y≠0; the whole formula to T.]
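The elimination and instantiation steps of the decision procedure (nested-ITE replacement of p-function applications, distinct constants for the resulting variables, limited ranges for the remaining domain variables, then case enumeration), as an added worked example that is not code from the authors or their implementation. It assumes the tuple encoding of terms given in its header comments and generalises the slide's x ∈ {0}, y ∈ {0,1} to "the k-th domain variable ranges over {0..k-1}"; it decides Example #1, and shows that the same equation without its ¬(x = y) guard is falsified by a maximally diverse interpretation.

```python
# Added illustration (not the authors' code): nested-ITE function elimination
# and limited-range instantiation for the decision procedure on these slides.
# Terms:    ('v', name) | ('f', sym, (args,)) | ('ite', F, t1, t2)
# Formulas: ('eq', t1, t2) | ('not', F) | ('and', F1, F2) | ('or', F1, F2)
import functools, itertools
def eliminate(node, sym, seen):
    """Slide 24 scheme. `seen` maps argument tuples to (fresh variable,
    replacement term) in order of first appearance; identical applications share."""
    if node[0] == 'v': return node
    if node[0] != 'f':  # ite / eq / not / and / or: just recurse into children
        return (node[0],) + tuple(eliminate(c, sym, seen) for c in node[1:])
    args = tuple(eliminate(a, sym, seen) for a in node[2])  # innermost first
    if node[1] != sym: return ('f', node[1], args)
    if args in seen: return seen[args][1]
    fresh = term = ('v', f'v{sym}{len(seen) + 1}')
    # term = ITE(args = args_1, vf1, ITE(args = args_2, vf2, ... vf_i))
    for prev_args, (prev_var, _) in reversed(list(seen.items())):
        eqs = [('eq', s, t) for s, t in zip(args, prev_args)]
        term = ('ite', functools.reduce(lambda f, e: ('and', f, e), eqs), prev_var, term)
    seen[args] = (fresh, term)
    return term

def evaluate(node, env):
    """Evaluate a function-free term (int) or formula (bool) under `env`."""
    tag, *kids = node
    if tag == 'v': return env[kids[0]]
    a = [evaluate(k, env) for k in kids]
    if tag == 'ite': return a[1] if a[0] else a[2]
    if tag == 'eq': return a[0] == a[1]
    if tag == 'not': return not a[0]
    return (a[0] and a[1]) if tag == 'and' else (a[0] or a[1])

def decide(formula, p_syms, dom_vars):
    """Validity check: eliminate the p-function symbols, fix every vf_i to its
    own constant (maximal diversity), let the k-th domain variable range over
    {0..k-1} (slide 29: x in {0}, y in {0,1}) and enumerate what is left."""
    seens = {sym: {} for sym in p_syms}
    for sym in p_syms:
        formula = eliminate(formula, sym, seens[sym])
    fresh = [var[1] for s in seens.values() for var, _ in s.values()]
    ranges = {n: range(k + 1) for k, n in enumerate(dom_vars)}
    ranges.update({n: [len(dom_vars) + i] for i, n in enumerate(fresh)})
    return all(evaluate(formula, dict(zip(ranges, vals)))
               for vals in itertools.product(*ranges.values()))

def g(t): return ('f', 'g', (t,))
def h(s, t): return ('f', 'h', (s, t))
x, y = ('v', 'x'), ('v', 'y')
# Example #1 from the slides: not(x = y) or h(g(x), g(g(x))) = h(g(y), g(g(x)))
EXAMPLE1 = ('or', ('not', ('eq', x, y)), ('eq', h(g(x), g(g(x))), h(g(y), g(g(x)))))
```

`decide(EXAMPLE1, ['g', 'h'], ['x', 'y'])` checks exactly the two cases of slide 29 (y = 0 and y = 1) over the variables x, y, vg1, vg2, vg3, vh1, vh2.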

– 31 –

Pnueli, et al., CAV ’99

Similarities
  Examine structure of equations: whether used in positive or negative form
  Exploit structure to limit variable domains

Differences in Their Approach
  Examine equation structure after function applications eliminated
  Use Ackermann’s method to eliminate function applications

– 32 –

Ackermann’s Method Example

Many more equations: 2 → 8
P-formula / P-term structure destroyed

[Figure: the Example #1 circuit beside its Ackermann expansion over x, y, vg1, vg2, vg3, vh1, vh2, in which the two original equations become eight.]

– 33 –

Comparison to Pnueli, et al.

Relative Advantage of Their Method
  Better at exploiting equation structure among g-terms
  Worse at exploiting structure among p-terms

– 34 –

Experimental Results

Verify Modified RTL Circuits
  Replace memories, latches, and function blocks by special functional models (Bryant & Velev, FMCAD ’98)
  Small modification to generate fixed bit patterns for p-function block

Simplified MIPS Processor
  Reg-Reg and Reg-Immediate only    Before: 48 s / 7 MB     After: 6 s / 2 MB
  RR, RI + Load/Store               Before: Space-Out       After: 12 s / 1.8 MB
  RR, RI, L/S, Branch               Before: Space-Out       After: 169 s / 7.5 MB

– 35 –

Conclusion

Exploiting Positive Equality
  Greatly reduces number of interpretations to consider
  Our function elimination scheme provides encoding mechanism
  Enables verification of complete processor using BDDs

Ongoing Work
  New implementation using pure term-level models (Velev & Bryant, CHARME ’99)
  Single-issue DLX now takes 0.15 s. Dual-issue DLX takes 35 s.
