Carnegie Mellon University

Formal VerificationFormal Verificationof Infinite-State Systemsof Infinite-State SystemsUsing Boolean MethodsUsing Boolean Methods

Formal VerificationFormal Verificationof Infinite-State Systemsof Infinite-State SystemsUsing Boolean MethodsUsing Boolean Methods

http://www.cs.cmu.edu/~bryant

Randal E. Bryant

Contributions by graduate students:Sanjit Seshia, Shuvendu Lahiri

– 2 –

OutlineOutline

TaskTask Formally verify hardware and software systems Build on success in verifying finite models

Infinite-State ModelsInfinite-State Models Need logic that is suitably expressive, yet remains

reasonably tractable

Verification TechniquesVerification Techniques Solve problems by mapping into propositional logic

Proof engines can use powerful Boolean methods

Different levels of automation and capacity

– 3 –

Truly Infinite-State SystemsTruly Infinite-State Systems

Systems where want to model real-world values (temperature, speed, ...) Hybrid systems Very difficult to verify

Systems with real-valued time constraints E.g., timed automata Somewhat easier to verify, since all clocks move at same rate

Air Bag Controller

SpeedometerReading

AccelerometerReading

Deploy!

– 4 –

Theoretically Infinite-State SystemsTheoretically Infinite-State Systems

Systems with unbounded buffersEven though can’t really build one

• • • ••• •••

tailtail headhead

In Use

– 5 –

Arbitrarily Large Finite-State Systems Arbitrarily Large Finite-State Systems

Synchronization protocol that should work for arbitrary number of processes

Verify for arbitrary N

Circular buffer with fixed, but arbitrary capacity

Verify for arbitrary value of Max

••••••

tailtailheadhead

In Use

•••

0 0 Max-1Max-1

P 2 • • • P NP 1

– 6 –

Very Large Finite-State SystemsVery Large Finite-State Systems

Abstract 32-bit words as arbitrary integers View memories as having unbounded capacity

Reg.File

IF/ID

InstrMem

+4

PCID/EX

ALU

EX/WB

=

=

Rd

Ra

Rb

Imm

Op

Adat

Control Control

– 7 –

Microprocessor Report, Oct. 28, 1996

Example: HP/Compaq Alpha 21264Example: HP/Compaq Alpha 21264

Pipeline StatePipeline State Multiple caches Instruction queues Dynamically-

allocated registers Memory queue Many buffers

between stages

Verification TasksVerification Tasks Does it implement

the Alpha ISA?

– 8 –

Abstracting Data from Bits to IntegersAbstracting Data from Bits to Integers

View Data as Symbolic “Terms”View Data as Symbolic “Terms” Arbitrary integers

Verification proves correctness of design for all possible word sizes

Can store in memories & registers Can select with multiplexors

ITE: If-Then-Else operation

x0

x1

x2

xn-1

x

1

0

xy

p

ITE(p, x, y)1

0

xy

T

x1

0

xy

F

y

– 9 –

Abstraction Via Uninterpreted FunctionsAbstraction Via Uninterpreted Functions

For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency:

a = x b = y f (a, b) = f (x, y)

ALUf

– 10 –

Abstraction Via Uninterpreted FunctionsAbstraction Via Uninterpreted Functions

For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Also view instruction memory as function

Reg.File

IF/ID

InstrMem

+4

PCID/EX

ALU

EX/WB

=

=

Rd

Ra

Rb

Imm

Op

Adat

Control Control

F1

F 2

F3

– 11 –

EUF: Equality with Uninterp. FunctsEUF: Equality with Uninterp. Functs Decidable fragment of first order logic

Formulas (Formulas (F F )) Boolean ExpressionsBoolean ExpressionsF, F1 F2, F1 F2 Boolean connectives

T1 = T2 Equation

P (T1, …, Tk) Predicate application

Terms (Terms (T T )) Integer ExpressionsInteger ExpressionsITE(F, T1, T2) If-then-else

Fun (T1, …, Tk) Function application

Functions (Functions (FunFun)) Integer Integer Integer Integerf Uninterpreted function symbolRead, Write Memory operations

Predicates (Predicates (PP)) Integer Integer Boolean Booleanp Uninterpreted predicate symbol

– 12 –

Decision ProblemDecision ProblemLogic of Equality with Uninterpreted Functions (EUF)Logic of Equality with Uninterpreted Functions (EUF)

Truth ValuesDashed LinesModel ControlLogical connectivesEquations

Integer ValuesSolid linesModel DataUninterpreted functions If-Then-Else operation

TaskTask Determine whether formula is universally valid

True for all interpretations of variables and function symbols

=

f

T

F

T

F

fT

F

=

e1

e0x0

d0

– 13 –

Finite Model Property for EUFFinite Model Property for EUF

ObservationObservation Any formula has limited number of distinct expressions Only property that matters is whether or not different terms

are equal

=

f

T

F

T

F

fT

F

=

e1

e0x0

d0

x0 d0 f (x0) f (d0)

– 14 –

Boolean Encoding of Integer ValuesBoolean Encoding of Integer Values

For Each ExpressionFor Each Expression Either equal to or distinct from each preceding expression

Boolean EncodingBoolean Encoding Use Boolean values to encode integers over small range EUF formula can be translated into propositional logic

Tautology iff original formula valid

ExpressionExpression Possible Possible ValuesValues

Bit Bit EncodingEncoding

x0 {0}{0} 00 00

d0 {0,1}{0,1} 00 bb1010

f (x0) {0,1,2}{0,1,2} bb2121 bb2020

f (d0) {0,1,2,3}{0,1,2,3} bb3131 bb3030

– 15 –

An Out-of-order Processor (OOO)An Out-of-order Processor (OOO)

Data Dependencies Resolved by Register RenamingData Dependencies Resolved by Register Renaming Map register ID to instruction in reorder buffer that will generate

register value

Inorder Retirement Managed by Retirement BufferInorder Retirement Managed by Retirement Buffer FIFO buffer keeping pending instructions in program order

Reorder BufferFields

PC

Programmemory

Reorder Buffer

validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop

result bus

DECODE Register

Rename Unit

valid tag val

ALU

head tail

incrdispatch

retire

execute

result

1st

Operand

2nd

Operand

– 16 –

ALU

execute

Directly AddressableDirectly Addressable Select particular entry for

execution Retrieve result value from

executed instruction

Access Modes for Reorder BufferAccess Modes for Reorder Buffer

FIFOFIFO Insert when dispatch Remove when retire

Content AddressableContent Addressable Broadcast result to all

entries with matching source tag

head tail

Retire Dispatch

result bus

GlobalGlobal Flush all queue entries when

instruction at head causes exception

– 17 –

Required LogicRequired Logic

Increased Expressive PowerIncreased Expressive Power Model queue pointers

Increment & decrement operationsRelative ordering

Ability to construct complex memory structuresNot just set of fixed memory types

Don’t Go Too FarDon’t Go Too Far Want practical decision procedures Efficient reduction to propositional logic

– 18 –

EUF CLUEUF CLUTerms (Terms (T T ))

ITE(F, T1, T2) If-then-else

Fun (T1, …, Tk) Function application

Formulas (Formulas (F F ))F, F1 F2, F1 F2 Boolean connectives

T1 = T2 Equation

P(T1, …, Tk) Predicate application

succ (T) Increment

pred (T) Decrement

T1 < T2 Inequality

– 19 –

EUF CLU (Cont.)EUF CLU (Cont.)

Functions (Functions (FunFun))f Uninterpreted function symbol

Read, Write Memory operations

Predicates (Predicates (PP))p Uninterpreted predicate

symbol

x1, …, xk . T Function lambda expression

x1, …, xk . F Predicate lambda expression

• Arguments can only be terms• Lambdas are just mutable arrays

– 20 –

Modeling Memories with ’sModeling Memories with ’s

Memory M Modeled as FunctionMemory M Modeled as Function

M(a): Value at location a

InitiallyInitially

Arbitrary state Modeled by uninterpreted

function m0

Writing Transforms MemoryWriting Transforms Memory M = Write(M, wa, wd)

a . ITE(a = wa, wd, M(a)) Future reads of address wa

will get wd

Ma

M

a m0

M

Ma 1

0

wd

=wa

– 21 –

Modeling Unbounded FIFO BufferModeling Unbounded FIFO Buffer

Queue is Subrange of Infinite SequenceQueue is Subrange of Infinite Sequence Q.head = h

Index of oldest element

Q.tail = t Index of insertion location

Q.val = qFunction mapping indices to valuesq(i) valid only when h i < t

Initial State: Arbitrary QueueInitial State: Arbitrary Queue Q.head = h0, Q.tail = t0

Impose constraint that h0 t0

Q.val = q0

Uninterpreted function

q(h–2)

q(h–1)

q(h)

q(h+1)

•••

q(t–2)

q(t–1)

q(t)

q(t+1)

•••

•••

tailtail

headhead

AlreadyPopped

Not YetInserted

incr

ea

sin

g in

dic

es

– 22 –

Modeling FIFO Buffer (cont.)Modeling FIFO Buffer (cont.)

tt

q(h–2)

q(h–1)

q(h)

q(h+1)

•••

q(t–2)

q(t–1)

q(t)

q(t+1)

•••

•••

hh

next[h] := ITE(operation = POP, succ(h), h)

next[q] := (i).ITE((operation = PUSH & i=t), x, q(i))

next[t] :=ITE(operation = PUSH, succ(t), t)

q(h–2)

q(h–1)

q(h)

q(h+1)

•••

q(t–2)

q(t–1)

x

q(t+1)

•••

•••

next[t]next[t]

next[hnext[h]]

op = PUSHInput = x

– 23 –

Systems of Identical ProcessesSystems of Identical ProcessesEach Process has Each Process has kk State Variables State Variables

Each state variable represented as array Indexed by process Id

• • • ••• sv1• • • ••• sv2

• • • ••• svk

State of Process i

– 24 –

Modeling System of Identical ProcessesModeling System of Identical ProcessesOn Each Step:On Each Step:

Select arbitrary process index pAs if chosen by nondeterministic scheduler

Update state for selected process

next[state] := lambda(i)

case

i = p & state(i) = IDLE: TRYING

i = p & state(i) = TRYING & inuse : TRYING

i = p & state(i) = TRYING & !inuse: CRITICAL

default: state(i)

esac

IDLE

TRYING

CRITICAL

• • • ••• state 0/1

inuse p

– 25 –

Decision ProcedureDecision Procedure

OperationOperation Series of

transformations leading to propositional formula

Propositional formula checked with BDD or SAT tools

Bryant, Lahiri, Seshia [CAV02]

LambdaExpansion

Function&

PredicateElimination

Convert to BooleanFormula

BooleanSatisfiability

CLUFormula

-freeFormula

Function-freeFormula

BooleanFormula

– 26 –

Finite Model Property for CLUFinite Model Property for CLU

ObservationObservation Need to encode all possible relative orderings of

expressions Each symbolic value has maximum range of increments &

decrements Can use Boolean encodings of small integer ranges

x y succ(x) > pred(y)

x x+1

y –1 y y –1 y

x x+1

y –1 y

x x+1

y –1 y

x x+1 x x+1

y –1 y

x = 0, y = 3 x = 2, y = 1

– 27 –

Verifying OOOVerifying OOO Lahiri, Seshia, & Bryant,

FMCAD 2002

GoalGoal Show that OOO implements

Instruction Set Architecture (ISA) model

For all possible execution sequences

ChallengesChallenges No bound on program length OOO holds partially executed

instructions in reorder bufferStates of two systems match

only when reorder buffer flushed

ISA

Reg.File

PC

OOO

Reg.File

PCReorder Buffer

– 28 –

Adding Shadow StateAdding Shadow State

McMillan, ‘98 Arons & Pnueli, ‘99

Provides Link Between ISA Provides Link Between ISA & OOO Models& OOO Models Additional entries in ROB

Do not affect OOO behavior

Generated when instruction dispatched

Predict values of operands and result

From ISA model

ISA

Reg.File

PC

OOO

Reg.File

PCReorder Buffer

– 29 –

Adding Shadow StructuresAdding Shadow Structures

shdw.src1val[rob.tail] shdw.src1val[rob.tail] RfRfisaisa(src1)(src1)

shdw.src2val[rob.tail] shdw.src2val[rob.tail] RfRfisaisa(src2)(src2)

shdw.value[rob.tail] shdw.value[rob.tail] ALU(RfALU(Rfisaisa(src1), Rf(src1), Rfisaisa(src2), op)(src2), op)

shdw.value

shdw.src1val

shdw.src2val

Shadow Fields

Updated directly from theISA model during dispatch

result bus

ReorderBuffer Fields

PC

Programmemory

Reorder Buffer

validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop

DECODE Register

Rename Unit

valid tag val

ALU

head tail

incrdispatch

retire

execute

– 30 –

Invariant CheckingInvariant Checking

Formulas Formulas II11, …, , …, IInn

Ij(s0) holds for any initial state s0, for 1 j n

I1(s) I2(s) … In(s) Ij(s ) for any current state s and successor state s for 1 j n

Invariants for OOO (13)Invariants for OOO (13) Refinement maps (2)

Show relation between ISA and OOO models

Shadow state (3)Shadow values correctly predict OOO values

State consistency (8)Properties of OOO state that ensure proper operation

Overall CorrectnessOverall Correctness Follows by induction on time

– 31 –

Refinement MapsRefinement Maps

Correspondence with a sequential ISA modelCorrespondence with a sequential ISA model OOO and ISA synchronized at dispatch

For Register File ContentsFor Register File Contents r. reg.valid(r) reg.val(r) = Rfisa(r)

For Program CounterFor Program Counter PCooo = PCisa

shdw.value

shdw.src1val

shdw.src2val

Shadow Fields

validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop

ReorderBuffer Fields

PC

Programmemory

Reorder Buffer

result bus

DECODE

RegisterRename Unit

valid tag val

ALU

head tail

incr dispatch

retire

execute

– 32 –

Shadow InvariantsShadow Invariants

1. robt. rob.valid(t) rob.value(t) = shdw.value(t)

2. robt. rob.src1valid(t) rob.src1val(t) = shdw.src1val(t)

3. robt. rob.src2valid(t) rob.src2val(t) = shdw.src2val(t)

shdw.value

shdw.src1val

shdw.src2val

Shadow Fields

result bus

ReorderBuffer Fields

PC

Programmemory

Reorder Buffer

validvaluesrc1validsrc1valsrc1tagsrc2validsrc2valsrc2tagdestop

DECODE Register

Rename Unit

valid tag val

ALU

head tail

incrdispatch

retire

execute

– 33 –

State Consistency Invariants State Consistency Invariants

Tag Consistency invariants (2) Tag Consistency invariants (2) Instructions only depend on instruction preceding in

program order

Register Renaming invariants (2)Register Renaming invariants (2) Tag in a rename-unit should be in the ROB, and the

destination register should matchr.reg.valid(r) (rob.head reg.tag(r) < rob.tail

rob.dest(reg.tag(r)) = r )

For any entry, the destination should have reg.valid as false and tag should contain this or later instructionrobt.(reg.valid(rob.dest(t))

t reg.tag(rob.dest(t)) < rob.tail)

– 35 –

Quantified Invariants and ProofsQuantified Invariants and Proofs

Allowed FormAllowed Form x1x2…xk (x1…xk)

(x1…xk) is a CLU formula without quantifiers

x1…xk are integer variables free in (x1…xk)

Proving these invariants requires quantifiersProving these invariants requires quantifiers|= (x1x2…xk (x1…xk)) y1y2…ym (y1…ym)

Prove x1x2…xk[(x1…xk) (y1…ym)] is not satisfiable Undecidable

Automatic instantiation of Automatic instantiation of x1…xk with concrete termswith concrete terms Sound but incomplete method Reduce the quantified formula to a CLU formula

Can use the decision procedure for CLU

– 36 –

Proving InvariantsProving Invariants

Proved AutomaticallyProved Automatically Quantifier instantiation was sufficient in these cases Time spent = 54s on 1.4GHz machine Total effort = 2 person days

ComparisonComparison Previous efforts using theorem provers took weeks of effort

– 37 –

Extending the OOO ProcessorExtending the OOO Processor

baseExecutes ALU instructions only

excHandles arithmetic exceptionsMust flush reorder buffer

exc/brHandles branchesPredicts branch & speculatively executes along path

exc/br/mem-simpAdds load & store instructionsStore commits as instruction retires

exc/br/memStores held in bufferCan commit laterLoads must scan buffer for matching addresses

– 38 –

Comparative Verification EffortComparative Verification Effort

base exc exc / br exc / br / mem-simp

exc / br / mem

Total Invariants

13 34 39 67 71

Manually instantiate

0 0 0 4 8

UCLID time

54 s 236 s 403 s 1594 s 2200 s

Person time

2 days 5 days 2 days 15 days 10 days

– 39 –

“I Just Want a Loaf of Bread”“I Just Want a Loaf of Bread”Ingredients

Recipe Result

– 40 –

Cooking with InvariantsCooking with InvariantsIngredients: Predicates

Recipe: Invariants

Result: Correctness

reg.valid(r)

r,t.reg.valid(r) reg.tag(r) = t (rob.head reg.tag(r) < rob.tail rob.dest(t) = r )

rob.head reg.tag(r)

reg.tag(r) = trob.dest(t) = r

– 41 –

Automatic Recipe GenerationAutomatic Recipe Generation

Want Something MoreWant Something More Given any set of ingredients Generate best recipe possible

Ingredients

Recipe Creator Result

– 42 –

Automatic Predicate AbstractionAutomatic Predicate Abstraction

Graf & Saïdi, CAV ‘97

IdeaIdea Given set of predicates P1(s), …, Pk(s)

Boolean formulas describing properties of system state

View as abstraction mapping: States {0,1}k

Defines abstract FSM over state set {0,1}k

Form of abstract interpretationDo reachability analysis similar to symbolic model checking

Prior ImplementationsPrior Implementations Very weak inference capabilities

Call theorem prover or decision procedure to test each potential transition

Little support for quantified predicates

– 43 –

Abstract State SpaceAbstract State Space

ConcreteStates

AbstractStates

P1(s), …, Pk(s)

s

AbstractionFunction

t

Abstraction

ConcreteStates

AbstractStates

s t

ConcretizationFunction

Concretization

– 44 –

Abstract State MachineAbstract State Machine

Transitions in abstract system mirror those in concrete

Abstract

ConcreteSystem

AbstractSystem

s

Concretize

t t

s

Concrete Transition

Abstract Transition

– 45 –

Overapproximation by Abstract ModelOverapproximation by Abstract Model

Path in abstract state space may not correspond to one in concrete OK when verifying safety properties

Possible false negatives, but no false positives

ConcreteSystem

AbstractSystem

– 46 –

Predicate Abstraction ExamplePredicate Abstraction Example

State SpaceState Space State variables: { x, y }

Initial StateInitial State { (2, 1) }

Next State BehaviorNext State Behavior x x y y

Verification TaskVerification Task Prove all bad states unreachable

InitialState

BadStates

– 47 –

Precise AnalysisPrecise Analysis

Reachable StatesReachable States { (2, 1), (2, 1) }

ReachableStates

BadStates

– 48 –

PredicatesPredicates

Use 3-valued predicates in this example

cx:3

L

E

G

cx:y

L

E

G

cy:0

G

E

L

– 49 –

Abstract Initial StateAbstract Initial State

Reached Set #0{ LGG }

cx:3

L

cx:y

G

cy:0

G

– 50 –

Step 1: Concretize Reached Set #0Step 1: Concretize Reached Set #0Reached Set #0

{ LGG }

L

G

G

cx:3 cx:y cy:0

(Note loss of precision)

s

Concretize

s

Concretize

s

Concretize

– 51 –

Compute Possible Successor StatesCompute Possible Successor States

x xy y

s

Concrete Transition

s

Concretize

s

Concretize

s

Concretize

s

Concrete Transition

s

Concrete Transition

– 52 –

Abstract Newly Reached StatesAbstract Newly Reached States

0 0 0

Reached Set #1{ LLL, LGG }

L L

L

cx:3 cx:y cy:0

s

Concrete Transition

Abstract

Abstract

Abstract

s

Concretize

s

Concretize

s

Concretize

s

Concrete Transition

s

Concrete Transition

– 53 –

Step 2: Concretize Reached Set #1Step 2: Concretize Reached Set #1Reached Set #1

{ LLL, LGG }

L

cx:3 cx:y cy:0

(Note loss of precision)

L

L

s

Concretize

s

Concretize

s

Concretize

– 54 –

Compute Possible Successor StatesCompute Possible Successor States

x xy y

s

Concrete Transition

s

Concretize

s

Concretize

s

Concretize

s

Concrete Transition

s

Concrete Transition

– 55 –

Abstract Newly Reached StatesAbstract Newly Reached States

Reached Set #2{ LLL, LGG, EGG, GGG }

cx:3

G

E

cx:y

G

cy:0

G

s

Concrete Transition

Abstract

Abstract

Abstract

s

Concretize

s

Concretize

s

Concretize

s

Concrete Transition

s

Concrete Transition

– 56 –

EGG

Final Reached State SetFinal Reached State Set

LLLLGG GGG

BadStates

– 57 –

Symbolic Formulation of Step 2Symbolic Formulation of Step 2

Concretized State SetConcretized State Set Encode each 3-valued {L, E, G}

predicate with 2 Boolean variables (l, g)

Represent state set as formula(l1 g1 l2 g2 l3 g3)

(l1 g1 l2 g2 l3 g3)

Reached Set #1{ LLL, LGG }

LLLLGG

l1:

x < 3

g1:

x > 3

l2:

x < y

g2:

x > y

g3:

y > 0

l3:

y < 0

– 58 –

Next-State PredicatesNext-State Predicates

Next State (Next State (xx, , yy )) Get predicates l1, l2, l3 , g1, g2, g3

Determine conditions under which predicates will hold in next state Express in terms of current state (x, y)

Next State Next State PredicatePredicate

ConditionCondition x = x

y = y

CurrentCurrent

StateState

MatchesMatches

l1x < 3 x < 3 x > 3 —

l2x < y x < y x > y g2

l3y < 0 y < 0 y > 0 g3

g1x > 3 x > 3 x < 3 —

g2x > y x > y x < y l2

g3y > 0 y > 0 y < 0 l3

– 59 –

Consistency ConstraintsConsistency Constraints Eliminate impossible predicate

combinations In general, may need to introduce

additional variablesTo express more complex transitivity

constraints

l1

g1

l2

g2

g2

l2

g3

l3

l3g3

l1

g1

(g1 g1)

(g1 l1)

(g2 g3 l1)

– 60 –

Symbolic FormSymbolic Form

FormulationFormulation Express compatible combinations of current-state & next-

state variables Quantify out current-state variables Gives formula over next-state variables

[ (ll1 gg1 ll2 gg2 ll3 gg3)

(ll1 gg1 ll2 gg2 ll3 gg3) ]

CurrentState

ll11, , ll22, , ll33 , , gg11, , gg22, , gg33

ConsistencyConstraints

(gg1 gg1) (gg1 ll1) (gg2 gg3 ll1)

ll2 gg2 gg2 ll2

ll3 gg3 gg3 ll3

– 61 –

l1 g1 l2 g2 l3 g3 l1 g1 l2 g2 l3 g3

Next State

1 0 1 0 1 0 0 0 0 1 0 1 EGG

1 0 1 0 1 0 0 1 0 1 0 1 GGG

1 0 1 0 1 0 1 0 0 1 0 1 LGG

1 0 0 1 0 1 1 0 1 0 1 0 LLL

l1 g1 l2 g2 l3 g3 l1 g1 l2 g2 l3 g3

Next State

1 0 1 0 1 0 0 0 0 1 0 1 EGG

Extracting Next-State SetExtracting Next-State Set Run SAT checker over formula Generate blocking clause for each newly generated state

[ (ll1 gg1 ll2 gg2 ll3 gg3)

(ll1 gg1 ll2 gg2 ll3 gg3) ]

(gg1 gg1) (gg1 ll1) (gg2 gg3 ll1)

ll2 gg2 gg2 ll2

ll3 gg3 gg3 ll3

(l1 g1 l2 g2 l3 g3)

– 64 –

Quantified Invariant GenerationQuantified Invariant Generation

User supplies predicates containing free variables Generate globally quantified invariant

ExampleExample Predicates

p1: reg.valid(r)

p2: rob.dest(t) = r

p3: reg.tag(r) = t

Abstract state satisfying (p1 p2 p3) corresponds to concrete state satisfying r,t[reg.valid(r) reg.tag(r) = t

rob.dest(t) = r] rather than r[reg.valid(r)] r,t[reg.tag(r) = t]

r,t[rob.dest(t) = r]

– 65 –

Generating Quantified InvariantsGenerating Quantified Invariants

Use Quantifier Instantiation to Approximate Use Quantifier Instantiation to Approximate During During ConcretizationConcretization Causes even greater overapproximation Similar technique used by Flanagan & Qadeer, POPL ‘02

– 66 –

Systems Verified with Predicate AbstractionSystems Verified with Predicate Abstraction

Very general modelsUnbounded processes, buffers, cache lines, …

Safety properties only

Model Predicates Iterations CPU Time

Out-Of-Order Execution Unit 25 9 2,613s

German’s Cache Protocol 21 9 122s

German’s Protocol, unbounded channels

30 19 15,000s

Bounded Retransmission Buffer 22 9 11s

Lamport’s Bakery Algorithm 24 24 5,211s

– 67 –

Other Uses of UCLID VerifierOther Uses of UCLID Verifier

Invariant CheckingInvariant Checking More complex version of OOO including speculative

execution, exceptions, & buffered loads & storesLahiri & Bryant, CAV 2003

Predicate AbstractionPredicate Abstraction Core algorithm used to generate weakest Boolean

precondition for software model checkingSLAM project at Microsoft

Pipelined Processor VerificationPipelined Processor Verification Verify checker processor from U. Michigan

Model extracted directly from Verilog

Bounded check of load-store unit from industrial microprocessor

– 68 –

ConclusionsConclusions

CLU is Useful LogicCLU is Useful Logic Expressive enough to model wide range of systems

Systems with unbounded resourcesAbstract away most data operations

Simple enough to be tractableSmall domain property allows exploiting Boolean methods

Predicate Abstraction is Powerful ToolPredicate Abstraction is Powerful Tool Removes requirement to hand-generate invariants Benefits similar to model checking

– 69 –

Further WorkFurther Work

Support for Proofs of LivenessSupport for Proofs of Liveness Must make argument that progress being made

Greater AutomationGreater Automation Automatic generation of predicates More efficient implementation of predicate abstraction

More Powerful LogicMore Powerful Logic Linear arithmetic would be useful

Potential blow-up when translate to Boolean formula

Apply to Other SystemsApply to Other Systems Software Network protocols