Carnegie Mellon University Convergence Testing in Term-level Bounded Model Checking Randal E. Bryant...
Posted 22-Dec-2015 (Category: Documents)
Carnegie Mellon University
Convergence Testing in Term-level Bounded Model Checking
Randal E. Bryant, Shuvendu K. Lahiri, Sanjit A. Seshia
– 2 –
Term-level modeling: Abstracting Data
View data as symbolic "terms" (arbitrary integers)
- Verification proves correctness of the design for all possible word sizes
- Can store in memories and registers
- Can select with multiplexors
ITE: If-Then-Else operation
[Figure: a bit-level word x0, x1, x2, …, xn-1 is abstracted to a single term x; a multiplexor with select p and data inputs x, y computes ITE(p, x, y), which yields x when p = T and y when p = F]
– 3 –
Term-level modeling: Abstraction Via Uninterpreted Functions
For any block that transforms or evaluates data: replace it with a generic, unspecified function. The only assumed property is functional consistency:
a = x ∧ b = y ⇒ f(a, b) = f(x, y)
[Figure: an ALU block replaced by an uninterpreted function f]
– 4 –
Motivation
Model checking expressive systems
- Unbounded integers, unbounded arrays
- Infinite state space
In general, undecidable
- Can express 2-counter systems
- Systems do not converge
- Convergence detection undecidable
Interesting systems which converge
- Pipelined processors
- [Hojati, Isles, Brayton], Multiway Decision Graphs (MDG): procedures to detect convergence
– 5 –
Outline
- Background
- CLU
- Example
- Formal definition of convergence
- Technique
- Results
- Conclusions
– 6 –
CLU: Logic of UCLID
Terms (T): integer expressions
- ITE(F, T1, T2): if-then-else
- Fun(T1, …, Tk): function application
- succ(T): increment
- pred(T): decrement
Formulas (F): Boolean expressions
- ¬F, F1 ∧ F2, F1 ∨ F2: Boolean connectives
- T1 = T2: equation
- T1 < T2: inequality
- P(T1, …, Tk): predicate application
Functions (Fun): Integers → Integer
- f: uninterpreted function symbol
- λx1, …, xk . T: function definition
Predicates (P): Integers → Boolean
- p: uninterpreted predicate symbol
- λx1, …, xk . F: predicate definition
– 7 –
Modeling Memories with λ's
Memory M modeled as a function
- M(a): value at location a
Writing transforms the memory
- M' = Write(M, wa, wd) = λa . ITE(a = wa, wd, M(a))
- Future reads of address wa will get wd
[Figure: M' built from M and a multiplexor that selects wd when a = wa and M(a) otherwise]
– 8 –
Other modeling capabilities
Other memories
- Content-addressable memories
- Simultaneous-update memories: an arbitrary subset of entries can be modified in a step
Ordered data structures: queues, stacks
Limited set operations: addition, deletion, empty-check, membership
Systems modeled: out-of-order processors, parameterized cache-coherence protocols, distributed protocols
– 9 –
Example
Symbols
- V = {x : INT, y : INT, b : BOOL}  # state variables
- K = { f }  # system parameters
- I = {a}  # initial state symbols
Next state
- x' = ITE(b, f(x), x)
- y' = ITE(b, y, f(y))
- b' = ¬b
Initial states q0
- q0x = a
- q0y = a
- q0b = true
– 10 –
Example
Symbols
- V = {x : INT, y : INT, b : BOOL}
- K = { f }
- I = {a}
Initial states q0
- q0x = a
- q0y = a
- q0b = true
Next state
- x' = ITE(b, f(x), x)
- y' = ITE(b, y, f(y))
- b' = ¬b
Execution
Step  b      x        y
0     true   a        a
1     false  f(a)     a
2     true   f(a)     f(a)
3     false  f(f(a))  f(a)
4     true   f(f(a))  f(f(a))
Property: b ⇒ x = y ?
– 11 –
Example: convergence
Execution
Step  b      x        y
0     true   a        a
1     false  f(a)     a
2     true   f(a)     f(a)
3     false  f(f(a))  f(a)
4     true   f(f(a))  f(f(a))
Alternate execution
Step  b      x         y
0     true   a'        a'
1     false  f(a')     a'
2     true   f(a')     f(a')
3     false  f(f(a'))  f(a')
4     true   f(f(a'))  f(f(a'))
– 13 –
Example: convergence
Execution, step 2: b = true, x = f(a), y = f(a)
Alternate execution, step 0: b = true, x = a', y = a'
Substitution/Matching: under the substitution σ with σ(true) = true and σ(a') = f(a), the alternate execution's step-0 state subsumes the step-2 state
– 14 –
Example: convergence
Execution
Step  b      x        y
0     true   a        a
1     false  f(a)     a
2     true   f(a)     f(a)
3     false  f(f(a))  f(a)
4     true   f(f(a))  f(f(a))
Reachable states
Implies: b ⇒ x = y ?
– 15 –
Contributions
New formal definition of convergence for term-level models, based on symbolic simulation
A sound algorithm to detect convergence
- Dealing with function state variables
- Based on a translation to Quantified Separation Formula
Preliminary experimental results: 3-stage pipeline processor
Related work
Conclusion and future work
– 16 –
System Model (w/o inputs)
Symbols: state variables (V), initial state symbols (I), parameters (K)
Initial state q0
- q0a: one for each state element a ∈ V
- An expression over I
Transition function
- δa: one for each state element a ∈ V
- An expression over V ∪ K
- Does not depend on the initial state symbols (I)
– 17 –
Symbolic Simulation
Symbolic state expression s^i
- The expression after "i" steps of symbolic simulation
- Contains s_a^i for each of the state elements a ∈ V
- e.g. {x ↦ f(a), y ↦ a, b ↦ false}
Obtaining the expression for the next state
- s_a^{i+1} ≡ δa[s^i / V]
- Substitute the expression s_a^i in place of each a ∈ V
– 18 –
Definitions
Interpretation σ_X: assigns values to each symbol in X
Evaluation ⟨e⟩_{σ_X}: evaluates e with respect to σ_X
State of the system: an interpretation of the state elements a ∈ V
- Boolean state elements are assigned true/false
- Integer state elements are assigned integer values
- Function state elements are assigned a function from integers to integers
- Predicate state elements are assigned a function from integers to true/false
Given σ_I and σ_K, ⟨s^i⟩_{σ_I . σ_K} represents a state
– 19 –
k-Convergence
The system is "k-convergent" if: for every interpretation σ_I of the initial state symbols and σ_K of the parameter symbols, there exists a step i ≤ k and an alternate interpretation σ_I' of the initial state symbols such that
⟨s^i⟩_{σ_I' . σ_K} = ⟨s^{k+1}⟩_{σ_I . σ_K}
Theorem: If a system is k-convergent, then no new states are discovered after k steps of symbolic simulation.
Proof exploits the fact that the transition relation is independent of the initial state symbols.
– 20 –
k-Convergence
The system is "k-convergent" if: for every interpretation σ_I of the initial state symbols and σ_K of the parameter symbols, there exists a step i ≤ k and an alternate interpretation σ_I' of the initial state symbols such that
⟨s^i⟩_{σ_I' . σ_K} = ⟨s^{k+1}⟩_{σ_I . σ_K}
Formulation
- Introduce I': a set of symbols for the alternate initial state symbols
- Obtain r^i by symbolic simulation with the symbols in I'
- Check for validity: ∀K ∀I ∃I' [∨_{i ≤ k} r^i = s^{k+1}]
– 21 –
k-Convergence
Formulation
- Introduce I': a set of symbols for the alternate initial state symbols
- Obtain r^i by symbolic simulation with the symbols in I'
- Check for validity: ∀K ∀I ∃I' [∨_{i ≤ k} r^i = s^{k+1}]
Comparing states r^i and s^{k+1}: compare each state element a ∈ V point-wise
r^i = s^{k+1} ≡ ∧_{a ∈ V} r_a^i = s_a^{k+1}
– 22 –
Example: Adding function state
Symbols
- V = {x : INT, y : INT, b : BOOL, m : INT → INT}
- K = { f }
- I = {a, m0}
Next state
- x' = ITE(b, f(x), x)
- y' = ITE(b, y, f(y))
- b' = ¬b
- m' = λi . ITE(b ∧ i = x, y, m(i))
Initial states q0
- q0x = a
- q0y = a
- q0b = true
- q0m = m0
– 23 –
Example: convergence
Execution
Step  b      x        y       m
0     true   a        a       m0
1     false  f(a)     a       λi . ITE(i = a, a, m0(i))
2     true   f(a)     f(a)    λi . ITE(i = a, a, m0(i))
3     false  f(f(a))  f(a)    λi . ITE(i = f(a), f(a), ITE(i = a, a, m0(i)))
Alternate execution
Step  b      x        y       m
0     true   a'       a'      m0'
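The executions tabulated on the example slides (the integer/Boolean system of slides 9 through 14 and the version with the function state element m of slides 22 and 23), together with the substitution/matching test of slide 13, as an added Python example; this is not code from the slides or from UCLID. Terms are nested tuples, the memory element m is a λ-term that a read beta-reduces (slide 7's Write is included as mem_write), and k_convergent implements only the syntactic matching test, not the semantic validity check of slides 20 and 25. The tuple encoding, the function names and the alternate symbol names a_prime and m0_prime are my own choices.

```python
TRUE, FALSE = ('true',), ('false',)

def sym(n): return ('sym', n)
def fapp(f, *args): return ('app', f, tuple(args))   # application of an uninterpreted function symbol f

# Smart constructors: the only simplifications are on literal true/false and syntactic identity.
def neg(p):
    return FALSE if p == TRUE else TRUE if p == FALSE else ('not', p)

def conj(p, q):
    if p == TRUE: return q
    if p == FALSE: return FALSE
    return ('and', p, q)

def eq(a, b):
    return TRUE if a == b else ('eq', a, b)   # identity decides only the positive case

def ite(c, t, e):
    if c == TRUE: return t
    if c == FALSE: return e
    return t if t == e else ('ite', c, t, e)

SMART = {'eq': eq, 'ite': ite, 'not': neg, 'and': conj}

def subst(term, v, val):
    """Replace free occurrences of symbol v by val, re-simplifying on the way up.
    Lambdas are never nested in this system, so no variable capture can occur."""
    k = term[0]
    if k == 'sym': return val if term[1] == v else term
    if k == 'lam': return term if term[1] == v else ('lam', term[1], subst(term[2], v, val))
    if k == 'app': return ('app', term[1], tuple(subst(a, v, val) for a in term[2]))
    kids = [subst(s, v, val) for s in term[1:]]
    return SMART[k](*kids) if k in SMART else term

def mem_read(m, addr):
    """M(a): beta-reduce when m is a lambda term, else keep the application symbolic."""
    return subst(m[2], m[1], addr) if m[0] == 'lam' else ('app', m[1], (addr,))

def mem_write(m, wa, wd):
    """Write(M, wa, wd) = lambda i . ITE(i = wa, wd, M(i))   (slide 7)."""
    i = sym('i')
    return ('lam', 'i', ite(eq(i, wa), wd, mem_read(m, i)))

def step(s):
    """Next-state functions of slide 22: b' = not b, m' = lambda i . ITE(b and i = x, y, m(i))."""
    i = sym('i')
    return {'x': ite(s['b'], fapp('f', s['x']), s['x']),
            'y': ite(s['b'], s['y'], fapp('f', s['y'])),
            'b': neg(s['b']),
            'm': ('lam', 'i', ite(conj(s['b'], eq(i, s['x'])), s['y'], mem_read(s['m'], i)))}

def initial(a, m0):
    """q0 of slide 22, with the initial-state symbols named by the caller (I or I')."""
    return {'x': sym(a), 'y': sym(a), 'b': TRUE, 'm': sym(m0)}

def simulate(s0, n):
    states = [s0]
    for _ in range(n):
        states.append(step(states[-1]))
    return states

def property_holds(s):
    """b => x = y, checked syntactically: identical terms are equal under every interpretation."""
    return s['b'] == FALSE or s['x'] == s['y']

def match(pat, tgt, sigma, free):
    """Find sigma over the symbols in `free` with pat[sigma] == tgt (the matching of slide 13)."""
    if not (isinstance(pat, tuple) and isinstance(tgt, tuple)):
        return pat == tgt
    if pat[0] == 'sym' and pat[1] in free:
        return sigma.setdefault(pat[1], tgt) == tgt
    return len(pat) == len(tgt) and all(match(p, t, sigma, free) for p, t in zip(pat, tgt))

def subsumes(r, s, free):
    """One substitution must work for every state element at once (point-wise comparison, slide 21)."""
    sigma = {}
    return sigma if all(match(r[a], s[a], sigma, free) for a in s) else None

def k_convergent(k):
    """Syntactic version of the slide 19/20 test: is s_{k+1} matched by some r_i, i <= k, under a
    substitution of the alternate symbols I' = {a_prime, m0_prime}? Returns (i, sigma) or None."""
    s = simulate(initial('a', 'm0'), k + 1)
    r = simulate(initial('a_prime', 'm0_prime'), k)
    for i in range(k + 1):
        sigma = subsumes(r[i], s[k + 1], {'a_prime', 'm0_prime'})
        if sigma is not None:
            return i, sigma
    return None

if __name__ == '__main__':
    for n, st in enumerate(simulate(initial('a', 'm0'), 3)):
        print(n, st)                              # reproduces the rows of the table above
    print(k_convergent(0), k_convergent(1))       # None, then (0, {a_prime -> f(a), m0_prime -> lambda ...})
```

Running it reproduces the m column above: the step-2 memory is syntactically the step-1 one because the read inside the new λ beta-reduces, and step 3 nests a second ITE. The matching test fails for k = 0 (the step-1 state has b = false and x ≠ y, which no substitution into the step-0 pattern can produce) and succeeds for k = 1 with a' ↦ f(a) and m0' ↦ λi . ITE(i = a, a, m0(i)), the substitution of slide 24. Matching is a sufficient test only; two states that the semantic check of slide 20 would identify can still fail to match syntactically.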
– 24 –
Example: convergence
Checking convergence
Step 2:            b = true, x = f(a), y = f(a), m = λi . ITE(i = a, a, m0(i))
Alternate step 0:  b = true, x = a', y = a', m = m0'
∀f ∀a ∀m0 ∃a' ∃m0' [a' = f(a) ∧ m0' = (λi . ITE(i = a, a, m0(i)))]
– 25 –
Handling function state variables
Second-order equations: comparing a function state element in two states
F = G ≡ ∀z . F(z) = G(z)
New quantifier structure
- ∀K ∀I ∃I' [∨_{i ≤ k} r^i = s^{k+1}]  becomes
- ∀K ∀I ∃I' ∀Z [∨_{i ≤ k} r^i(Z) = s^{k+1}(Z)]
Eliminate z from the equation: generate constraints and rewrite
Source of incompleteness (1): the rewrite rules are not complete (complete for random-access memories)
– 26 –
Deciding Second-Order Formulas with One Quantifier Alternation
Second-order formula ∀K ∀I ∃I' Φ, where Φ is a quantifier-free CLU formula
- All equations are first order now
- Obtained after eliminating Z
General form: ∀A ∃B Φ, with A ≡ K ∪ I and B ≡ I'
– 27 –
Handling First-Order Equations
General form ∀A ∃B Φ: undecidable
Provide a sound translation to a decidable fragment
- Option 1: translate to a Quantified Separation Formula, a decidable fragment of first-order logic with quantifiers
- Option 2: remove the quantifiers from the formula; all symbols are universally quantified
Source of incompleteness (2)
– 29 –
Option 1: Normal Form
Function applications pushed through ITE: f(ITE(x, y, z)) → ITE(x, f(y), f(z))
Eliminate the ITE constructs:
ITE(x, y, z) = ITE(x', y', z') ≡ (x ∧ x' ∧ y = y') ∨ (x ∧ ¬x' ∧ y = z') ∨ (¬x ∧ x' ∧ z = y') ∨ (¬x ∧ ¬x' ∧ z = z')
Atomic expressions (atoms): expressions with no Boolean operators (¬, ∧, ∨)
- f(g(x)+1)+5, p(f(y)), x = y, …
– 30 –
Sound Translation of ∀A ∃B Φ
1. Obtain a normal form Φ' of Φ.
   Φ ≡ ∀f,y ∃x [¬(x = f(x)) ∨ y = f(f(y))]   (A = {f, y}, B = {x})
2. Obtain a topological ordering g1, …, gn of "atomic" function/predicate applications; move applications of A as far to the left as possible.
   y, f(y), f(f(y)), x, f(x)
3. Replace gi by vi in Φ' to obtain Φ''.
   Φ'' ≡ [¬(x = fx) ∨ y = ffy]
   gi        vi
   x         x
   y         y
   f(y)      fy
   f(f(y))   ffy
   f(x)      fx
– 31 –
Sound Translation of ∀A ∃B Φ
4. Get Ackermann's constraints for gi ≡ h(x), gj ≡ h(y): C ≡ (x = y ⇒ vi = vj)
   (1) y = fy ⇒ fy = ffy
   (2) y = x ⇒ fy = fx
   (3) fy = x ⇒ ffy = fx
5. Construct CA, CB
   If h ∈ A then CA ≡ C ∧ CA
   If h ∈ B then CB ≡ C ∧ CB
   CA ≡ (1) ∧ (2) ∧ (3)
   CB ≡ true
– 32 –
Sound Translation of ∀A ∃B Φ
6. Φs ≡ Q1 v1 … Qn vn [CA ⇒ (CB ⇒ Φ'')], where Qi = ∀ if top-func-symbol(gi) ∈ A, and ∃ otherwise
   Φs ≡ ∀y,fy,ffy ∃x ∀fx [(y = fy ⇒ fy = ffy) ∧ (y = x ⇒ fy = fx) ∧ (fy = x ⇒ ffy = fx) ⇒ (¬(x = fx) ∨ y = ffy)]
The above formula is valid.
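Steps 2 through 6 of the translation above, as an added Python example that is not code from the slides or from UCLID. It takes the slides' formula Φ (already in normal form, so step 1 is skipped), computes the topological ordering, the fresh variables vi, Ackermann's constraints, CA and CB, and the quantifier prefix, and then evaluates Φs over a small finite domain. That bounded evaluation is only a sanity check standing in for a QSL decision procedure; validity over a three-element domain neither implies nor follows from validity over the integers in general. The tuple encoding and all function names are my own.

```python
# Terms:    ('var', name) | ('app', fsym, (arg, ...))
# Formulas: ('eq', t, t) | ('not', F) | ('and', F, F) | ('or', F, F) | ('imp', F, F) | ('true',)

def var(n): return ('var', n)
def app(f, *args): return ('app', f, tuple(args))

def name_of(t):
    """Fresh variable name for an atom, following the slides: f(f(y)) -> 'ffy'."""
    return t[1] if t[0] == 'var' else t[1] + ''.join(name_of(a) for a in t[2])

def top_symbol(t):
    return t[1]   # the variable name, or the function symbol at the root of an application

def atoms_of(e, acc):
    """Collect variables and function applications, arguments before the application."""
    if e[0] == 'var':
        if e not in acc: acc.append(e)
    elif e[0] == 'app':
        for a in e[2]: atoms_of(a, acc)
        if e not in acc: acc.append(e)
    else:
        for sub in e[1:]: atoms_of(sub, acc)
    return acc

def deps(t):
    return t[2] if t[0] == 'app' else ()

def topo_order(phi, A):
    """Step 2: dependency-respecting order, applications of A-symbols moved left whenever possible."""
    remaining, order = atoms_of(phi, []), []
    while remaining:
        ready = [t for t in remaining if all(d in order for d in deps(t))]
        pick = next((t for t in ready if top_symbol(t) in A), ready[0])
        order.append(pick)
        remaining.remove(pick)
    return order

def rename(e):
    """Step 3: replace every application g_i by the variable v_i."""
    if e[0] == 'var': return e
    if e[0] == 'app': return var(name_of(e))
    return (e[0],) + tuple(rename(s) for s in e[1:])

def conj(fs):
    out = ('true',)
    for f in fs:
        out = f if out == ('true',) else ('and', out, f)
    return out

def ackermann(atoms):
    """Step 4: for g_i = h(s), g_j = h(t) emit (s = t) -> v_i = v_j, tagged with h."""
    apps = [t for t in atoms if t[0] == 'app']
    out = []
    for i, gi in enumerate(apps):
        for gj in apps[i + 1:]:
            if gi[1] == gj[1] and len(gi[2]) == len(gj[2]):
                premise = conj([('eq', rename(s), rename(t)) for s, t in zip(gi[2], gj[2])])
                out.append((gi[1], ('imp', premise, ('eq', var(name_of(gi)), var(name_of(gj))))))
    return out

def translate(phi, A):
    """Steps 2-6: returns the prefix [(quantifier, v_i)], the body C_A -> (C_B -> Phi''), C_A and C_B."""
    atoms = topo_order(phi, A)
    cons = ackermann(atoms)
    CA = [c for h, c in cons if h in A]          # step 5
    CB = [c for h, c in cons if h not in A]
    prefix = [('forall' if top_symbol(t) in A else 'exists', name_of(t)) for t in atoms]   # step 6
    body = ('imp', conj(CA), ('imp', conj(CB), rename(phi)))
    return prefix, body, CA, CB

def ev(e, env):
    k = e[0]
    if k == 'true': return True
    if k == 'eq': return env[e[1][1]] == env[e[2][1]]
    if k == 'not': return not ev(e[1], env)
    if k == 'and': return ev(e[1], env) and ev(e[2], env)
    if k == 'or': return ev(e[1], env) or ev(e[2], env)
    if k == 'imp': return (not ev(e[1], env)) or ev(e[2], env)
    raise ValueError(k)

def holds_on(prefix, body, domain):
    """Bounded evaluation of the quantified formula over a finite domain (a sanity check, not a QSL decision procedure)."""
    def go(i, env):
        if i == len(prefix): return ev(body, env)
        q, v = prefix[i]
        results = (go(i + 1, {**env, v: d}) for d in domain)
        return all(results) if q == 'forall' else any(results)
    return go(0, {})

x, y = var('x'), var('y')
# The slides' formula, already in normal form: forall f,y exists x [not(x = f(x)) or y = f(f(y))]
PHI = ('imp', ('eq', x, app('f', x)), ('eq', y, app('f', app('f', y))))
A = {'f', 'y'}   # universally quantified symbols; B = {x} is everything else

if __name__ == '__main__':
    prefix, body, CA, CB = translate(PHI, A)
    print(prefix)                               # forall y, fy, ffy; exists x; forall fx
    print(len(CA), len(CB))                     # 3 0
    print(holds_on(prefix, body, range(3)))     # True
```

The ordering and the three constraints come out exactly as on the slide, and the prefix is ∀y ∀fy ∀ffy ∃x ∀fx: fx is universally quantified because its top symbol f belongs to A, which is what keeps the translation sound (an existential fx could be chosen to falsify an Ackermann premise and make Φs vacuously valid). The second check in the test shows the other direction on ∀f,y ∃x [f(x) = y], which is not valid and whose translation is correctly rejected.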
– 33 –
Sound Translation to QSL
Original formula: ∀A ∃B Φ
New formula: Φs ≡ Q1 v1 … Qn vn [CA ⇒ (CB ⇒ Φ'')]
Theorem: If Φs is valid then ∀A ∃B Φ is valid.
Φs is a formula in Quantified Separation Logic (QSL)
- Terms are x, y, z
- Atomic formulas are x ⋈ y + c, for a relational operator ⋈
- Boolean connectives: ¬, ∧, ∨; quantifiers: ∀, ∃
– 34 –
Quantified Separation Logic (QSL)
Decision procedures for QSL
- Difference Decision Diagrams (DDD): Möller, CADE 02
- Using Boolean methods: Seshia and Bryant, CAV 03
– 35 –
3-stage DLX pipeline (CMU-ISA)
Pipelined processor model
- 3-stage (Fetch-Decode, Execute, Write-back), stalling, forwarding
- Boolean state elements: read/write enables, op-code etc.
- Integer state elements: register identifiers, data value, program counter
- Function state elements: unbounded register file
- Uninterpreted function symbols: ALU, initial state of register file
Checking equivalence with an ISA model
- Contains user-visible state elements: program counter, register file
- Same uninterpreted function for ALU, initial state of register file
– 36 –
Results
Complexity of the QSF formula for 3 steps of simulation
- 43 integer variables
- 6 quantifier alternations
- ~800 nodes in the DAG for the formula
BDD-based, DDD-based: > 1 GB
QBF-based [Quaffle, QBF, …]: times out
SAT-based quantifier elimination: too many enumerations
Verified a simplified model
- Remove some state elements or 1 pipeline stage
- BDD-based approach finishes in less than 10 s
– 37 –
Related Work
Hojati, Isles and Brayton, CAV '98
- Generates reachable states for the Boolean part of the state
- Less expressive logic (no λ, no ordered structures)
- Uses a syntactic convergence test, subsumed by our semantic criteria
Multiway decision graphs, FMSD '97
- BDD-like canonical data structures with terms
- Does not handle function state variables
- Starts from a general initial state for termination
- Can handle first-order temporal logic queries
– 38 –
Conclusions and Future Directions
Convergence checking: new formulation, based on reduction to QSL
Application to theorem proving: proving second-order formulas with 1 quantifier alternation
Computationally expensive: large number of quantifier alternations
Relax functional consistency across different steps: fewer constraints, simpler formula
Use "matching" to reduce to a Boolean formula
- QBF solvers are not mature
- Similar to quantifier instantiation
- Instantiate second-order function variables
– 39 –
Questions
– 40 –
Conclusions
Provided a convergence definition
Computationally expensive: translation to QSF/QBF
– 41 –
Example
Symbols
- X = { x : INT, y : INT, m : BOOL }  # state variables
- K = { f, a }  # system parameters
- I = { }  # input symbols
Initial states q0
- q0x = a
- q0y = a
- q0m = true
Next state
- x' = ITE(m, f(x), x)
- y' = ITE(m, y, f(y))
- m' = ¬m
– 43 –
Sound Translation of ∀A ∃B Φ
1. Obtain a normal form Φ' of Φ
2. Obtain a topological ordering g1, …, gn of "atomic" function/predicate applications
3. Replace gi by vi in Φ' to obtain Φ''
4. Get Ackermann's constraints for gi ≡ f(x), gj ≡ f(y): C ≡ (x = y ⇒ vi = vj)
5. Construct CA, CB
   If f ∈ A then CA ≡ C ∧ CA
   If f ∈ B then CB ≡ C ∧ CB
6. Φs ≡ Q1 v1 … Qn vn [CA ⇒ (CB ⇒ Φ'')], where Qi = ∀ if top-func-symbol(gi) ∈ A, and ∃ otherwise
– 44 –
Syntactic vs. Semantic