carnegie mellon university
DESCRIPTION
Formal Verification of Infinite-State Systems Using Boolean Methods. Randal E. Bryant. Carnegie Mellon University. http://www.cs.cmu.edu/~bryant. Contributions by graduate students: Sanjit Seshia, Shuvendu Lahiri. Outline. Task Formally verify hardware and software systems - PowerPoint PPT PresentationTRANSCRIPT
Carnegie Mellon University
Formal VerificationFormal Verificationof Infinite-State Systemsof Infinite-State SystemsUsing Boolean MethodsUsing Boolean Methods
Formal VerificationFormal Verificationof Infinite-State Systemsof Infinite-State SystemsUsing Boolean MethodsUsing Boolean Methods
http://www.cs.cmu.edu/~bryant
Randal E. Bryant
Contributions by graduate students:Sanjit Seshia, Shuvendu Lahiri
– 2 –
OutlineOutline
TaskTask Formally verify hardware and software systems Build on success in verifying finite models
Infinite-State ModelsInfinite-State Models Need logic that is suitably expressive, yet remains
reasonably tractable
Verification TechniquesVerification Techniques Solve problems by mapping into propositional logic
Proof engines can use powerful Boolean methods
Different levels of automation and capacity
– 3 –
Truly Infinite-State SystemsTruly Infinite-State Systems
Systems where want to model real-world values (temperature, speed, ...) Hybrid systems Very difficult to verify
Systems with real-valued time constraints E.g., timed automata Somewhat easier to verify, since all clocks move at same rate
Air Bag Controller
SpeedometerReading
AccelerometerReading
Deploy!
– 4 –
Theoretically Infinite-State SystemsTheoretically Infinite-State Systems
Systems with unbounded buffersEven though can’t really build one
• • • ••• •••
tailtail headhead
In Use
– 5 –
Arbitrarily Large Finite-State Systems Arbitrarily Large Finite-State Systems
Synchronization protocol that should work for arbitrary number of processes
Verify for arbitrary N
Circular buffer with fixed, but arbitrary capacity
Verify for arbitrary value of Max
••••••
tailtailheadhead
In Use
•••
0 0 Max-1Max-1
P 2 • • • P NP 1
– 6 –
Very Large Finite-State SystemsVery Large Finite-State Systems
Abstract 32-bit words as arbitrary integers View memories as having unbounded capacity
Reg.File
IF/ID
InstrMem
+4
PCID/EX
ALU
EX/WB
=
=
Rd
Ra
Rb
Imm
Op
Adat
Control Control
– 7 –
Microprocessor Report, Oct. 28, 1996
Example: HP/Compaq Alpha 21264Example: HP/Compaq Alpha 21264
Pipeline StatePipeline State Multiple caches Instruction queues Dynamically-
allocated registers Memory queue Many buffers
between stages
Verification TasksVerification Tasks Does it implement
the Alpha ISA?
– 8 –
Abstracting Data from Bits to IntegersAbstracting Data from Bits to Integers
View Data as Symbolic “Terms”View Data as Symbolic “Terms” Arbitrary integers
Verification proves correctness of design for all possible word sizes
Can store in memories & registers Can select with multiplexors
ITE: If-Then-Else operation
x0
x1
x2
xn-1
x
1
0
xy
p
ITE(p, x, y)1
0
xy
T
x1
0
xy
F
y
– 9 –
Abstraction Via Uninterpreted FunctionsAbstraction Via Uninterpreted Functions
For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency:
a = x b = y f (a, b) = f (x, y)
ALUf
– 10 –
Abstraction Via Uninterpreted FunctionsAbstraction Via Uninterpreted Functions
For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Also view instruction memory as function
Reg.File
IF/ID
InstrMem
+4
PCID/EX
ALU
EX/WB
=
=
Rd
Ra
Rb
Imm
Op
Adat
Control Control
F1
F 2
F3
– 11 –
EUF: Equality with Uninterp. FunctsEUF: Equality with Uninterp. Functs Decidable fragment of first order logic
Formulas (Formulas (F F )) Boolean ExpressionsBoolean ExpressionsF, F1 F2, F1 F2 Boolean connectives
T1 = T2 Equation
P (T1, …, Tk) Predicate application
Terms (Terms (T T )) Integer ExpressionsInteger ExpressionsITE(F, T1, T2) If-then-else
Fun (T1, …, Tk) Function application
Functions (Functions (FunFun)) Integer Integer Integer Integerf Uninterpreted function symbolRead, Write Memory operations
Predicates (Predicates (PP)) Integer Integer Boolean Booleanp Uninterpreted predicate symbol
– 12 –
Decision ProblemDecision ProblemLogic of Equality with Uninterpreted Functions (EUF)Logic of Equality with Uninterpreted Functions (EUF)
Truth ValuesDashed LinesModel ControlLogical connectivesEquations
Integer ValuesSolid linesModel DataUninterpreted functions If-Then-Else operation
TaskTask Determine whether formula is universally valid
True for all interpretations of variables and function symbols
=
f
T
F
T
F
fT
F
=
e1
e0x0
d0
– 13 –
Finite Model Property for EUFFinite Model Property for EUF
ObservationObservation Any formula has limited number of distinct expressions Only property that matters is whether or not different terms
are equal
=
f
T
F
T
F
fT
F
=
e1
e0x0
d0
x0 d0 f (x0) f (d0)
– 14 –
Boolean Encoding of Integer ValuesBoolean Encoding of Integer Values
For Each ExpressionFor Each Expression Either equal to or distinct from each preceding expression
Boolean EncodingBoolean Encoding Use Boolean values to encode integers over small range EUF formula can be translated into propositional logic
Tautology iff original formula valid
ExpressionExpression Possible Possible ValuesValues
Bit Bit EncodingEncoding
x0 {0}{0} 00 00
d0 {0,1}{0,1} 00 bb1010
f (x0) {0,1,2}{0,1,2} bb2121 bb2020
f (d0) {0,1,2,3}{0,1,2,3} bb3131 bb3030
– 15 –
An Out-of-order Processor (OOO)An Out-of-order Processor (OOO)
Data Dependencies Resolved by Register RenamingData Dependencies Resolved by Register Renaming Map register ID to instruction in reorder buffer that will generate
register value
Inorder Retirement Managed by Retirement BufferInorder Retirement Managed by Retirement Buffer FIFO buffer keeping pending instructions in program order
Reorder BufferFields
PC
Programmemory
Reorder Buffer
validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop
result bus
DECODE Register
Rename Unit
valid tag val
ALU
head tail
incrdispatch
retire
execute
result
1st
Operand
2nd
Operand
– 16 –
ALU
execute
Directly AddressableDirectly Addressable Select particular entry for
execution Retrieve result value from
executed instruction
Access Modes for Reorder BufferAccess Modes for Reorder Buffer
FIFOFIFO Insert when dispatch Remove when retire
Content AddressableContent Addressable Broadcast result to all
entries with matching source tag
head tail
Retire Dispatch
result bus
GlobalGlobal Flush all queue entries when
instruction at head causes exception
– 17 –
Required LogicRequired Logic
Increased Expressive PowerIncreased Expressive Power Model queue pointers
Increment & decrement operationsRelative ordering
Ability to construct complex memory structuresNot just set of fixed memory types
Don’t Go Too FarDon’t Go Too Far Want practical decision procedures Efficient reduction to propositional logic
– 18 –
EUF CLUEUF CLUTerms (Terms (T T ))
ITE(F, T1, T2) If-then-else
Fun (T1, …, Tk) Function application
Formulas (Formulas (F F ))F, F1 F2, F1 F2 Boolean connectives
T1 = T2 Equation
P(T1, …, Tk) Predicate application
succ (T) Increment
pred (T) Decrement
T1 < T2 Inequality
– 19 –
EUF CLU (Cont.)EUF CLU (Cont.)
Functions (Functions (FunFun))f Uninterpreted function symbol
Read, Write Memory operations
Predicates (Predicates (PP))p Uninterpreted predicate
symbol
x1, …, xk . T Function lambda expression
x1, …, xk . F Predicate lambda expression
• Arguments can only be terms• Lambdas are just mutable arrays
– 20 –
Modeling Memories with ’sModeling Memories with ’s
Memory M Modeled as FunctionMemory M Modeled as Function
M(a): Value at location a
InitiallyInitially
Arbitrary state Modeled by uninterpreted
function m0
Writing Transforms MemoryWriting Transforms Memory M = Write(M, wa, wd)
a . ITE(a = wa, wd, M(a)) Future reads of address wa
will get wd
Ma
M
a m0
M
Ma 1
0
wd
=wa
– 21 –
Modeling Unbounded FIFO BufferModeling Unbounded FIFO Buffer
Queue is Subrange of Infinite SequenceQueue is Subrange of Infinite Sequence Q.head = h
Index of oldest element
Q.tail = t Index of insertion location
Q.val = qFunction mapping indices to valuesq(i) valid only when h i < t
Initial State: Arbitrary QueueInitial State: Arbitrary Queue Q.head = h0, Q.tail = t0
Impose constraint that h0 t0
Q.val = q0
Uninterpreted function
q(h–2)
q(h–1)
q(h)
q(h+1)
•••
q(t–2)
q(t–1)
q(t)
q(t+1)
•••
•••
tailtail
headhead
AlreadyPopped
Not YetInserted
incr
ea
sin
g in
dic
es
– 22 –
Modeling FIFO Buffer (cont.)Modeling FIFO Buffer (cont.)
tt
q(h–2)
q(h–1)
q(h)
q(h+1)
•••
q(t–2)
q(t–1)
q(t)
q(t+1)
•••
•••
hh
next[h] := ITE(operation = POP, succ(h), h)
next[q] := (i).ITE((operation = PUSH & i=t), x, q(i))
next[t] :=ITE(operation = PUSH, succ(t), t)
q(h–2)
q(h–1)
q(h)
q(h+1)
•••
q(t–2)
q(t–1)
x
q(t+1)
•••
•••
next[t]next[t]
next[hnext[h]]
op = PUSHInput = x
– 23 –
Systems of Identical ProcessesSystems of Identical ProcessesEach Process has Each Process has kk State Variables State Variables
Each state variable represented as array Indexed by process Id
• • • ••• sv1• • • ••• sv2
• • • ••• svk
State of Process i
– 24 –
Modeling System of Identical ProcessesModeling System of Identical ProcessesOn Each Step:On Each Step:
Select arbitrary process index pAs if chosen by nondeterministic scheduler
Update state for selected process
next[state] := lambda(i)
case
i = p & state(i) = IDLE: TRYING
i = p & state(i) = TRYING & inuse : TRYING
i = p & state(i) = TRYING & !inuse: CRITICAL
default: state(i)
esac
IDLE
TRYING
CRITICAL
• • • ••• state 0/1
inuse p
– 25 –
Decision ProcedureDecision Procedure
OperationOperation Series of
transformations leading to propositional formula
Propositional formula checked with BDD or SAT tools
Bryant, Lahiri, Seshia [CAV02]
LambdaExpansion
Function&
PredicateElimination
Convert to BooleanFormula
BooleanSatisfiability
CLUFormula
-freeFormula
Function-freeFormula
BooleanFormula
– 26 –
Finite Model Property for CLUFinite Model Property for CLU
ObservationObservation Need to encode all possible relative orderings of
expressions Each symbolic value has maximum range of increments &
decrements Can use Boolean encodings of small integer ranges
x y succ(x) > pred(y)
x x+1
y –1 y y –1 y
x x+1
y –1 y
x x+1
y –1 y
x x+1 x x+1
y –1 y
x = 0, y = 3 x = 2, y = 1
– 27 –
Verifying OOOVerifying OOO Lahiri, Seshia, & Bryant,
FMCAD 2002
GoalGoal Show that OOO implements
Instruction Set Architecture (ISA) model
For all possible execution sequences
ChallengesChallenges No bound on program length OOO holds partially executed
instructions in reorder bufferStates of two systems match
only when reorder buffer flushed
ISA
Reg.File
PC
OOO
Reg.File
PCReorder Buffer
– 28 –
Adding Shadow StateAdding Shadow State
McMillan, ‘98 Arons & Pnueli, ‘99
Provides Link Between ISA Provides Link Between ISA & OOO Models& OOO Models Additional entries in ROB
Do not affect OOO behavior
Generated when instruction dispatched
Predict values of operands and result
From ISA model
ISA
Reg.File
PC
OOO
Reg.File
PCReorder Buffer
– 29 –
Adding Shadow StructuresAdding Shadow Structures
shdw.src1val[rob.tail] shdw.src1val[rob.tail] RfRfisaisa(src1)(src1)
shdw.src2val[rob.tail] shdw.src2val[rob.tail] RfRfisaisa(src2)(src2)
shdw.value[rob.tail] shdw.value[rob.tail] ALU(RfALU(Rfisaisa(src1), Rf(src1), Rfisaisa(src2), op)(src2), op)
shdw.value
shdw.src1val
shdw.src2val
Shadow Fields
Updated directly from theISA model during dispatch
result bus
ReorderBuffer Fields
PC
Programmemory
Reorder Buffer
validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop
DECODE Register
Rename Unit
valid tag val
ALU
head tail
incrdispatch
retire
execute
– 30 –
Invariant CheckingInvariant Checking
Formulas Formulas II11, …, , …, IInn
Ij(s0) holds for any initial state s0, for 1 j n
I1(s) I2(s) … In(s) Ij(s ) for any current state s and successor state s for 1 j n
Invariants for OOO (13)Invariants for OOO (13) Refinement maps (2)
Show relation between ISA and OOO models
Shadow state (3)Shadow values correctly predict OOO values
State consistency (8)Properties of OOO state that ensure proper operation
Overall CorrectnessOverall Correctness Follows by induction on time
– 31 –
Refinement MapsRefinement Maps
Correspondence with a sequential ISA modelCorrespondence with a sequential ISA model OOO and ISA synchronized at dispatch
For Register File ContentsFor Register File Contents r. reg.valid(r) reg.val(r) = Rfisa(r)
For Program CounterFor Program Counter PCooo = PCisa
shdw.value
shdw.src1val
shdw.src2val
Shadow Fields
validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop
ReorderBuffer Fields
PC
Programmemory
Reorder Buffer
result bus
DECODE
RegisterRename Unit
valid tag val
ALU
head tail
incr dispatch
retire
execute
– 32 –
Shadow InvariantsShadow Invariants
1. robt. rob.valid(t) rob.value(t) = shdw.value(t)
2. robt. rob.src1valid(t) rob.src1val(t) = shdw.src1val(t)
3. robt. rob.src2valid(t) rob.src2val(t) = shdw.src2val(t)
shdw.value
shdw.src1val
shdw.src2val
Shadow Fields
result bus
ReorderBuffer Fields
PC
Programmemory
Reorder Buffer
validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop
DECODE Register
Rename Unit
valid tag val
ALU
head tail
incrdispatch
retire
execute
– 33 –
State Consistency Invariants State Consistency Invariants
Tag Consistency invariants (2) Tag Consistency invariants (2) Instructions only depend on instruction preceding in
program order
Register Renaming invariants (2)Register Renaming invariants (2) Tag in a rename-unit should be in the ROB, and the
destination register should matchr.reg.valid(r) (rob.head reg.tag(r) < rob.tail
rob.dest(reg.tag(r)) = r )
For any entry, the destination should have reg.valid as false and tag should contain this or later instructionrobt.(reg.valid(rob.dest(t))
t reg.tag(rob.dest(t)) < rob.tail)
– 35 –
Quantified Invariants and ProofsQuantified Invariants and Proofs
Allowed FormAllowed Form x1x2…xk (x1…xk)
(x1…xk) is a CLU formula without quantifiers
x1…xk are integer variables free in (x1…xk)
Proving these invariants requires quantifiersProving these invariants requires quantifiers|= (x1x2…xk (x1…xk)) y1y2…ym (y1…ym)
Prove x1x2…xk[(x1…xk) (y1…ym)] is not satisfiable Undecidable
Automatic instantiation of Automatic instantiation of x1…xk with concrete termswith concrete terms Sound but incomplete method Reduce the quantified formula to a CLU formula
Can use the decision procedure for CLU
– 36 –
Proving InvariantsProving Invariants
Proved AutomaticallyProved Automatically Quantifier instantiation was sufficient in these cases Time spent = 54s on 1.4GHz machine Total effort = 2 person days
ComparisonComparison Previous efforts using theorem provers took weeks of effort
– 37 –
Extending the OOO ProcessorExtending the OOO Processor
baseExecutes ALU instructions only
excHandles arithmetic exceptionsMust flush reorder buffer
exc/brHandles branchesPredicts branch & speculatively executes along path
exc/br/mem-simpAdds load & store instructionsStore commits as instruction retires
exc/br/memStores held in bufferCan commit laterLoads must scan buffer for matching addresses
– 38 –
Comparative Verification EffortComparative Verification Effort
base exc exc / br exc / br / mem-simp
exc / br / mem
Total Invariants
13 34 39 67 71
Manually instantiate
0 0 0 4 8
UCLID time
54 s 236 s 403 s 1594 s 2200 s
Person time
2 days 5 days 2 days 15 days 10 days
– 39 –
“I Just Want a Loaf of Bread”“I Just Want a Loaf of Bread”Ingredients
Recipe Result
– 40 –
Cooking with InvariantsCooking with InvariantsIngredients: Predicates
Recipe: Invariants
Result: Correctness
reg.valid(r)
r,t.reg.valid(r) reg.tag(r) = t (rob.head reg.tag(r) < rob.tail rob.dest(t) = r )
rob.head reg.tag(r)
reg.tag(r) = trob.dest(t) = r
– 41 –
Automatic Recipe GenerationAutomatic Recipe Generation
Want Something MoreWant Something More Given any set of ingredients Generate best recipe possible
Ingredients
Recipe Creator Result
– 42 –
Automatic Predicate AbstractionAutomatic Predicate Abstraction
Graf & Saïdi, CAV ‘97
IdeaIdea Given set of predicates P1(s), …, Pk(s)
Boolean formulas describing properties of system state
View as abstraction mapping: States {0,1}k
Defines abstract FSM over state set {0,1}k
Form of abstract interpretationDo reachability analysis similar to symbolic model checking
Prior ImplementationsPrior Implementations Very weak inference capabilities
Call theorem prover or decision procedure to test each potential transition
Little support for quantified predicates
– 43 –
Abstract State SpaceAbstract State Space
ConcreteStates
AbstractStates
P1(s), …, Pk(s)
s
AbstractionFunction
t
Abstraction
ConcreteStates
AbstractStates
s t
ConcretizationFunction
Concretization
– 44 –
Abstract State MachineAbstract State Machine
Transitions in abstract system mirror those in concrete
Abstract
ConcreteSystem
AbstractSystem
s
Concretize
t t
s
Concrete Transition
Abstract Transition
– 45 –
Overapproximation by Abstract ModelOverapproximation by Abstract Model
Path in abstract state space may not correspond to one in concrete OK when verifying safety properties
Possible false negatives, but no false positives
ConcreteSystem
AbstractSystem
– 46 –
Predicate Abstraction ExamplePredicate Abstraction Example
State SpaceState Space State variables: { x, y }
Initial StateInitial State { (2, 1) }
Next State BehaviorNext State Behavior x x y y
Verification TaskVerification Task Prove all bad states unreachable
InitialState
BadStates
– 47 –
Precise AnalysisPrecise Analysis
Reachable StatesReachable States { (2, 1), (2, 1) }
ReachableStates
BadStates
– 48 –
PredicatesPredicates
Use 3-valued predicates in this example
cx:3
L
E
G
cx:y
L
E
G
cy:0
G
E
L
– 49 –
Abstract Initial StateAbstract Initial State
Reached Set #0{ LGG }
cx:3
L
cx:y
G
cy:0
G
– 50 –
Step 1: Concretize Reached Set #0Step 1: Concretize Reached Set #0Reached Set #0
{ LGG }
L
G
G
cx:3 cx:y cy:0
(Note loss of precision)
s
Concretize
s
Concretize
s
Concretize
– 51 –
Compute Possible Successor StatesCompute Possible Successor States
x xy y
s
Concrete Transition
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 52 –
Abstract Newly Reached StatesAbstract Newly Reached States
0 0 0
Reached Set #1{ LLL, LGG }
L L
L
cx:3 cx:y cy:0
s
Concrete Transition
Abstract
Abstract
Abstract
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 53 –
Step 2: Concretize Reached Set #1Step 2: Concretize Reached Set #1Reached Set #1
{ LLL, LGG }
L
cx:3 cx:y cy:0
(Note loss of precision)
L
L
s
Concretize
s
Concretize
s
Concretize
– 54 –
Compute Possible Successor StatesCompute Possible Successor States
x xy y
s
Concrete Transition
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 55 –
Abstract Newly Reached StatesAbstract Newly Reached States
Reached Set #2{ LLL, LGG, EGG, GGG }
cx:3
G
E
cx:y
G
cy:0
G
s
Concrete Transition
Abstract
Abstract
Abstract
s
Concretize
s
Concretize
s
Concretize
s
Concrete Transition
s
Concrete Transition
– 56 –
EGG
Final Reached State SetFinal Reached State Set
LLLLGG GGG
BadStates
– 57 –
Symbolic Formulation of Step 2Symbolic Formulation of Step 2
Concretized State SetConcretized State Set Encode each 3-valued {L, E, G}
predicate with 2 Boolean variables (l, g)
Represent state set as formula(l1 g1 l2 g2 l3 g3)
(l1 g1 l2 g2 l3 g3)
Reached Set #1{ LLL, LGG }
LLLLGG
l1:
x < 3
g1:
x > 3
l2:
x < y
g2:
x > y
g3:
y > 0
l3:
y < 0
– 58 –
Next-State PredicatesNext-State Predicates
Next State (Next State (xx, , yy )) Get predicates l1, l2, l3 , g1, g2, g3
Determine conditions under which predicates will hold in next state Express in terms of current state (x, y)
Next State Next State PredicatePredicate
ConditionCondition x = x
y = y
CurrentCurrent
StateState
MatchesMatches
l1x < 3 x < 3 x > 3 —
l2x < y x < y x > y g2
l3y < 0 y < 0 y > 0 g3
g1x > 3 x > 3 x < 3 —
g2x > y x > y x < y l2
g3y > 0 y > 0 y < 0 l3
– 59 –
Consistency ConstraintsConsistency Constraints Eliminate impossible predicate
combinations In general, may need to introduce
additional variablesTo express more complex transitivity
constraints
l1
g1
l2
g2
g2
l2
g3
l3
l3g3
l1
g1
(g1 g1)
(g1 l1)
(g2 g3 l1)
– 60 –
Symbolic FormSymbolic Form
FormulationFormulation Express compatible combinations of current-state & next-
state variables Quantify out current-state variables Gives formula over next-state variables
[ (ll1 gg1 ll2 gg2 ll3 gg3)
(ll1 gg1 ll2 gg2 ll3 gg3) ]
CurrentState
ll11, , ll22, , ll33 , , gg11, , gg22, , gg33
ConsistencyConstraints
(gg1 gg1) (gg1 ll1) (gg2 gg3 ll1)
ll2 gg2 gg2 ll2
ll3 gg3 gg3 ll3
– 61 –
l1 g1 l2 g2 l3 g3 l1 g1 l2 g2 l3 g3
Next State
1 0 1 0 1 0 0 0 0 1 0 1 EGG
1 0 1 0 1 0 0 1 0 1 0 1 GGG
1 0 1 0 1 0 1 0 0 1 0 1 LGG
1 0 0 1 0 1 1 0 1 0 1 0 LLL
l1 g1 l2 g2 l3 g3 l1 g1 l2 g2 l3 g3
Next State
1 0 1 0 1 0 0 0 0 1 0 1 EGG
Extracting Next-State SetExtracting Next-State Set Run SAT checker over formula Generate blocking clause for each newly generated state
[ (ll1 gg1 ll2 gg2 ll3 gg3)
(ll1 gg1 ll2 gg2 ll3 gg3) ]
(gg1 gg1) (gg1 ll1) (gg2 gg3 ll1)
ll2 gg2 gg2 ll2
ll3 gg3 gg3 ll3
(l1 g1 l2 g2 l3 g3)
– 64 –
Quantified Invariant GenerationQuantified Invariant Generation
User supplies predicates containing free variables Generate globally quantified invariant
ExampleExample Predicates
p1: reg.valid(r)
p2: rob.dest(t) = r
p3: reg.tag(r) = t
Abstract state satisfying (p1 p2 p3) corresponds to concrete state satisfying r,t[reg.valid(r) reg.tag(r) = t
rob.dest(t) = r] rather than r[reg.valid(r)] r,t[reg.tag(r) = t]
r,t[rob.dest(t) = r]
– 65 –
Generating Quantified InvariantsGenerating Quantified Invariants
Use Quantifier Instantiation to Approximate Use Quantifier Instantiation to Approximate During During ConcretizationConcretization Causes even greater overapproximation Similar technique used by Flanagan & Qadeer, POPL ‘02
– 66 –
Systems Verified with Predicate AbstractionSystems Verified with Predicate Abstraction
Very general modelsUnbounded processes, buffers, cache lines, …
Safety properties only
Model Predicates Iterations CPU Time
Out-Of-Order Execution Unit 25 9 2,613s
German’s Cache Protocol 21 9 122s
German’s Protocol, unbounded channels
30 19 15,000s
Bounded Retransmission Buffer 22 9 11s
Lamport’s Bakery Algorithm 24 24 5,211s
– 67 –
Other Uses of UCLID VerifierOther Uses of UCLID Verifier
Invariant CheckingInvariant Checking More complex version of OOO including speculative
execution, exceptions, & buffered loads & storesLahiri & Bryant, CAV 2003
Predicate AbstractionPredicate Abstraction Core algorithm used to generate weakest Boolean
precondition for software model checkingSLAM project at Microsoft
Pipelined Processor VerificationPipelined Processor Verification Verify checker processor from U. Michigan
Model extracted directly from Verilog
Bounded check of load-store unit from industrial microprocessor
– 68 –
ConclusionsConclusions
CLU is Useful LogicCLU is Useful Logic Expressive enough to model wide range of systems
Systems with unbounded resourcesAbstract away most data operations
Simple enough to be tractableSmall domain property allows exploiting Boolean methods
Predicate Abstraction is Powerful ToolPredicate Abstraction is Powerful Tool Removes requirement to hand-generate invariants Benefits similar to model checking
– 69 –
Further WorkFurther Work
Support for Proofs of LivenessSupport for Proofs of Liveness Must make argument that progress being made
Greater AutomationGreater Automation Automatic generation of predicates More efficient implementation of predicate abstraction
More Powerful LogicMore Powerful Logic Linear arithmetic would be useful
Potential blow-up when translate to Boolean formula
Apply to Other SystemsApply to Other Systems Software Network protocols