Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions
Randal E. Bryant*, Steven German†, Miroslav Velev*
*Carnegie Mellon University, †IBM
http://www.cs.cmu.edu/~bryant
– 2 –
Outline
Application Domain
  Verify correctness of a pipelined processor
  Based on Burch-Dill correspondence checking (Burch & Dill, CAV ‘94)
Verification Task
  Abstracted representation of data manipulation
  Must decide validity of formula in logic of Equality with Uninterpreted Functions (EUF)
New Contribution
  Exploit properties of formulas to reduce verification complexity
  Significant performance improvement when modeling microprocessor operation
– 3 –
Microprocessor Modeling
[Figure: simplified RISC pipeline. Blocks: PC, +4, InstrMem, IF/ID, Reg.File (ports Ra, Rb, Rd, Adat, Bdat), ID/EX, ALU, EX/WB, Control; instruction fields Imm and Op; two equality comparators.]
Simplified RISC pipeline
  Described at RTL level
  Words viewed as bit vectors
  Bit-level functionality
– 4 –
Abstracting Data
View Data as Symbolic “Terms”
  No particular properties or operations, except for equations: x = y
  Can store in memories & registers
  Can select with multiplexors
ITE: If-Then-Else operation
[Figure: a register file holding terms x0, x1, x2, …, xn-1; multiplexor diagrams showing that ITE(p, x, y) yields x when p is true (T) and y when p is false (F), so ITE(T, x, y) = x and ITE(F, x, y) = y.]
– 5 –
Abstraction Via Uninterpreted Functions
For any Block that Transforms or Evaluates Data
  Replace with generic, unspecified function
  Assume functional consistency: x = y ⇒ f(x) = f(y)
[Figure: the pipeline of the previous slide with the ALU and other data-transforming blocks replaced by uninterpreted functions F1, F2, F3.]
– 6 –
Decision Problem
Logic of Equality with Uninterpreted Functions (EUF)
[Figure: an example formula drawn as a circuit over domain variables x0, d0 and propositional variables e0, e1, with uninterpreted function f, ITE multiplexors and equality nodes; solid lines carry domain values, dashed lines carry truth values.]
Domain Values (solid lines)
  Uninterpreted functions
  If-Then-Else operation
Truth Values (dashed lines)
  Uninterpreted predicates
  Logical connectives
  Equations
Task
  Determine whether formula is universally valid
  True for all interpretations of variables and function symbols
– 7 –
Some History
Ackermann, 1954
  Quantifier-free decision problem can be decided based on finite instantiations
Automatic Theorem Proving
  Tradition of using uninterpreted functions when modeling hardware
  E.g., Warren Hunt, 1985
Burch & Dill, CAV ‘94
  Automatic decision procedure
  » Davis-Putnam enumeration
  » Congruence closure to enforce functional consistency
  Verified single-issue DLX
  » Simple 5-stage RISC pipeline
  Becomes less effective for more complex processors
  » Burch, DAC ‘96 & FMCAD ‘96
– 8 –
Previous Attempts to Use BDDs
Hojati, et al., IWLS ‘97
  Generate binary encodings of limited-range integer variables
  Hit exponential blow-up
Goel, et al., CAV ‘98
  Encode equality relation among variables as propositional variables
  Results not compelling
Velev & Bryant, FMCAD ‘98
  Work with modified RTL model
  Replace memory & function blocks with special behavioral blocks
  Exponential blow-up for processor with branch or load/store instructions
– 9 –
Why Did BDDs Fail?
Result of Load instruction used in address computation
  Similar effect for branch instruction
Impossible to have good BDD variable ordering
  Variables encoding addresses must precede those encoding data
  Leads to circular constraints on ordering
[Figure: Data Memory (Address and Data ports) in a loop with the Pipeline Logic: data read from memory feeds back into an address.]
– 10 –
Decision Problem Example #1
  x ≠ y ∨ h(g(x), g(g(x))) = h(g(y), g(g(x)))
[Figure: the formula as a DAG over variables x and y, with two g nodes, two h nodes and two equality nodes.]
– 11 –
EUF Syntax
Logic of Equality with Uninterpreted Functions
Terms
  ITE(F, T1, T2)          If-then-else
  f(T1, …, Tk)            Function application
Formulas
  ¬F, F1 ∧ F2, F1 ∨ F2    Boolean connectives
  T1 = T2                 Equation
  p(T1, …, Tk)            Predicate application
Special Cases
  v                       Domain variable (order-0 function)
  a                       Propositional variable (order-0 predicate)
– 12 –
PEUF Syntax
Logic of Positive Equality with Uninterpreted Functions
Formulas (General)
  ¬F, F1 ∧ F2, F1 ∨ F2
  GT1 = GT2
  p(PT1, …, PTk)
P-Formulas (Special)
  F
  PF1 ∧ PF2, PF1 ∨ PF2
  PT1 = PT2
G-Terms (General)
  ITE(F, GT1, GT2)
  fg(PT1, …, PTk)
P-Terms (Special)
  GT
  ITE(F, PT1, PT2)
  fp(PT1, …, PTk)
Key Properties
  P-formulas cannot be negated & cannot control ITEs
  P-terms only used as function arguments and in positive equations
  Applications of p-function symbols occur only in p-terms
– 13 –
Analyzing Example #1
[Figure: the DAG of Example #1 with each node classified as G-term, P-term, P-formula or Formula.]
P-Function Symbols: g, h
G-Function Symbols (appear in negated equation): x, y
– 14 –
Example #2
  ITE[x = y, h(g(x), g(g(x))), h(g(y), g(g(x)))] = h(g(x), g(g(x)))
[Figure: the formula as a DAG; the equation x = y controls an ITE multiplexor (T/F) selecting between the two h applications.]
– 15 –
Analyzing Example #2
ITE control must be a formula
  “Interesting” things happen when false
[Figure: the DAG of Example #2 with each node classified as G-term, P-term, P-formula or Formula.]
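As an added illustration of the classification used on the last few slides (my code, not the authors'), the following Python walks a formula with its polarity: the terms of an equation become g-terms when the equation is negated or controls an ITE, and any symbol applied in a g-term position (variables counted as order-0 functions) is reported as a g-function symbol. Predicate applications are omitted because the two examples use none; the nested-tuple encoding of terms and the variant formula EX3 are my own constructions.

```python
# Terms:    ('var', name) | ('app', symbol, [args]) | ('ite', formula, then, else)
# Formulas: ('eq', t1, t2) | ('not', f) | ('and', [fs]) | ('or', [fs])
# 'positive' is True while the node sits in a p-formula / p-term position.

def g_symbols(node, positive=True, gsyms=None):
    """Collect function symbols (variables are order-0 functions) occurring in a
    g-term position: inside a negated equation or an equation that controls an ITE.
    Every symbol not returned appears only in p-terms, i.e. is a p-function symbol."""
    if gsyms is None:
        gsyms = set()
    kind = node[0]
    if kind == 'var':
        if not positive:
            gsyms.add(node[1])
    elif kind == 'app':
        if not positive:
            gsyms.add(node[1])
        for arg in node[2]:                  # arguments are always p-terms: fg(PT1, ..., PTk)
            g_symbols(arg, True, gsyms)
    elif kind == 'ite':
        g_symbols(node[1], False, gsyms)     # the control is a general formula
        g_symbols(node[2], positive, gsyms)  # branches inherit the term's position
        g_symbols(node[3], positive, gsyms)
    elif kind == 'eq':                       # GT1 = GT2 when general, PT1 = PT2 when positive
        g_symbols(node[1], positive, gsyms)
        g_symbols(node[2], positive, gsyms)
    elif kind == 'not':                      # negation makes its operand a general formula
        g_symbols(node[1], False, gsyms)
    else:                                    # 'and' / 'or' pass the position through
        for sub in node[1]:
            g_symbols(sub, positive, gsyms)
    return gsyms

# Example #1 and Example #2 from the slides, built as term trees
x, y = ('var', 'x'), ('var', 'y')
g = lambda t: ('app', 'g', [t])
h = lambda a, b: ('app', 'h', [a, b])
EX1 = ('or', [('not', ('eq', x, y)), ('eq', h(g(x), g(g(x))), h(g(y), g(g(x))))])
EX2 = ('eq', ('ite', ('eq', x, y), h(g(x), g(g(x))), h(g(y), g(g(x)))), h(g(x), g(g(x))))
# Constructed variant: h now sits in a negated equation and so becomes a g-function symbol
EX3 = ('or', [('not', ('eq', h(x, y), x)), ('eq', g(x), g(y))])

if __name__ == '__main__':
    for name, formula in (('Example #1', EX1), ('Example #2', EX2), ('Variant', EX3)):
        print(name, 'g-function symbols:', sorted(g_symbols(formula)))
```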
– 16 –
Maximally Diverse Interpretations
P-Function Symbols
  Equal results only for equal arguments
G-Function Symbols
  Potentially yield equal results for unequal arguments
Property
  Formula valid only if true under all maximally diverse interpretations
[Figure: the DAG of Example #1.]
Terms equal?
  x, y                  Potentially
  g(x), g(y)            Only if x = y
  g(x), y               No
  g(g(x)), g(y)         No
  g(g(x)), g(x)         No
– 17 –
Justification of Maximal Diversity Property
[Figure: the DAG of Example #1.]
Create Worst Case for Validity
  Falsify positive equation
  Function applications yield distinct results
  Function arguments distinct
Key Argument
  For every interpretation I, there is a maximally diverse interpretation I′ such that I′[F] ⇒ I[F]
– 18 –
Equations in Processor Verification
Data Types               Equations
  Register Ids           Control stalling & forwarding; addresses for register file
  Instruction Address    Only top-level verification condition
  Program Data           Only top-level verification condition
[Figure: the simplified RISC pipeline diagram.]
– 19 –
Modeling Memories
Conventional Expansion of Memory Operations
  Effects of writes represented as nested ITEs
  Initial memory state represented by uninterpreted function fM
  Write(a1, d1); Write(a2, d2); Write(a3, d3); Read(a)
  [Figure: Read(a) expands to nested ITEs: ITE(a = a3, d3, ITE(a = a2, d2, ITE(a = a1, d1, fM(a))))]
Problem
  Equations over addresses control ITEs
  Addresses must be g-terms
  OK for register file, but not for data memory
– 20 –
Data Memory Modeling
Generic State Machine
  Memory state represented as term
  Initial state given by variable vM
  Write operation causes arbitrary state change: uninterpreted function fu
  Read operation function of address & state: uninterpreted function fr
[Figure: a memory-state register; Write(Waddr, Wdata) updates it through fu, Read(Raddr) produces Rdata through fr.]
– 21 –
Data Memory Modeling (Cont.)
No equations over addresses!
  Can keep as p-terms
Limitations
  Does not capture full semantics of memory
  Only works when processor preserves program order for:
    Writes relative to each other
    Reads relative to writes
[Figure: Write(a1, d1); Write(a2, d2); Write(a3, d3); Read(a) becomes fr(fu(fu(fu(vM, a1, d1), a2, d2), a3, d3), a)]
– 22 –
Function Symbols in Processor Verification
G-Function Symbols
  Register Ids
  20--25% of function applications
P-Function Symbols
  Program data
  Data & instruction addresses
  Opcodes
  75--80% of function applications
Effect
  Breaks dependency loop that caused exponential blow-up
– 23 –
Decision Procedure
Steps
  Eliminate function applications
  Assign limited ranges to domain variables
  Encode domain variables as bit vectors
  Translate into propositional logic
[Figure: the DAG of Example #1.]
– 24 –
Eliminating Function Applications
[Figure: three applications f(x1), f(x2), f(x3) replaced by variables vf1, vf2, vf3: f(x2) becomes ITE(x2 = x1, vf1, vf2) and f(x3) becomes ITE(x3 = x1, vf1, ITE(x3 = x2, vf2, vf3)).]
Replacing Application
  Introduce new domain variable
  Nested ITE structure maintains functional consistency
– 25 –
Exploiting Positive Equality
Property
  P-function symbol f: introduce variables vf1, …, vfn during elimination
  Consider only diverse interpretations for variables vf1, …, vfn
  vfi ≠ v for any other variable v
Example
  Assuming vf1 ≠ vf2: the equation f(x1) = f(x2), i.e. vf1 = ITE(x1 = x2, vf1, vf2), holds iff x1 = x2
[Figure: f(x1) replaced by vf1 and f(x2) by ITE(x1 = x2, vf1, vf2), feeding an equality node.]
– 26 –
Compare: Ackermann’s Method
[Figure: f(x1) and f(x2) replaced by vf1 and vf2, with the global constraint x1 = x2 ⇒ vf1 = vf2 drawn between two equality nodes.]
Replacing Application
  Introduce new domain variable
  Enforce functional consistency by global constraints
  Unclear how to generate diverse interpretations
– 27 –
Eliminating Function Symbol g
[Figure: in the DAG of Example #1, g(x), g(g(x)) and g(y) are replaced by vg1, vg2 and vg3, with nested ITEs whose controls compare the arguments (x, vg1, y); the two h applications remain.]
– 28 –
Eliminate Function Symbol h
[Figure: the two h applications are replaced by vh1 and vh2, the second wrapped in an ITE controlled by equality of the two argument pairs.]
Final Form
  Only domain and propositional variables
– 29 –
Instantiating Variables
Can assign fixed interpretations to variables arising from eliminating p-function applications
Need to consider only two different cases: y = 0 vs. y = 1
[Figure: the eliminated DAG with x given the range {0}, y the range {0,1}, and vg1, vg2, vg3, vh1, vh2 the fixed values {2}, {3}, {4}, {5}, {6}.]
– 30 –
Evaluating Formula
Actual implementation uses BDD evaluation
[Figure: the eliminated DAG evaluated symbolically with x ∈ {0}, y ∈ {0,1}: intermediate values such as ITE(y=0, 2, 3) and ITE(y=0, 5, 6), control conditions y=0 and y≠0, and the result T at the output.]
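As an added example spanning the elimination, instantiation and evaluation slides above (my code, not the authors' implementation, which encodes domain variables as bit vectors and evaluates with BDDs): the nested-ITE elimination of function applications, with the variables introduced for p-function symbols fixed to distinct constants as on the previous slides, and the remaining domain variables simply enumerated over a small range instead of being bit-encoded. The tuple encoding of terms, the variable names vg1, vg2, …, and the caller-supplied set of p-function symbols are my assumptions; EX1 is Example #1 from the slides, x ≠ y ∨ h(g(x), g(g(x))) = h(g(y), g(g(x))).

```python
import itertools
# Terms: ('var', name) | ('app', symbol, [args]) | ('ite', formula, then, else)
# Formulas: ('eq', t1, t2) | ('not', f) | ('and', [fs]) | ('or', [fs])

def eliminate(node, seen, fresh):
    """Replace f(args) by a fresh domain variable vf_i wrapped in nested ITEs that
    compare args with earlier applications of f, which keeps functional consistency."""
    kind = node[0]
    if kind == 'var': return node
    if kind in ('ite', 'eq', 'not'): return (kind,) + tuple(eliminate(c, seen, fresh) for c in node[1:])
    if kind in ('and', 'or'): return (kind, [eliminate(c, seen, fresh) for c in node[1]])
    _, f, args = node
    args = [eliminate(a, seen, fresh) for a in args]
    apps = seen.setdefault(f, [])             # earlier applications of f: (args, var, result)
    for prev_args, _, prev_result in apps:
        if prev_args == args:                 # syntactically identical application: share it
            return prev_result
    v = ('var', f'v{f}{len(apps) + 1}')
    fresh.setdefault(f, []).append(v[1])
    result = v
    for prev_args, prev_v, _ in reversed(apps):   # earliest application ends up outermost
        result = ('ite', ('and', [('eq', a, b) for a, b in zip(args, prev_args)]), prev_v, result)
    apps.append((args, v, result))
    return result

def ev(node, env):
    """Evaluate a function-free term/formula under env (variable name -> small int)."""
    kind = node[0]
    if kind == 'var': return env[node[1]]
    if kind == 'ite': return ev(node[2], env) if ev(node[1], env) else ev(node[3], env)
    if kind == 'eq':  return ev(node[1], env) == ev(node[2], env)
    if kind == 'not': return not ev(node[1], env)
    return (all if kind == 'and' else any)(ev(c, env) for c in node[1])

def counterexample(formula, domain_vars, pfuncs):
    """Falsifying assignment, or None if valid. Variables from p-function symbols get fixed,
    distinct constants (maximal diversity); the other n variables range over n values."""
    seen, fresh = {}, {}
    form = eliminate(formula, seen, fresh)
    free = list(domain_vars) + [n for s, ns in fresh.items() if s not in pfuncs for n in ns]
    fixed = {n: len(free) + i for i, n in enumerate(n for s, ns in fresh.items() if s in pfuncs for n in ns)}
    for vals in itertools.product(range(len(free)), repeat=len(free)):
        env = dict(zip(free, vals), **fixed)
        if not ev(form, env): return env
    return None

x, y = ('var', 'x'), ('var', 'y')
g = lambda t: ('app', 'g', [t])
h = lambda a, b: ('app', 'h', [a, b])
EX1 = ('or', [('not', ('eq', x, y)), ('eq', h(g(x), g(g(x))), h(g(y), g(g(x))))])
```

With x, y as the domain variables and g, h declared as p-function symbols, the introduced variables receive exactly the constants 2, 3, 4, 5, 6 shown on the instantiation slide, and Example #2 yields a counterexample with x ≠ y.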
– 31 –
Pnueli, et al., CAV ‘99
Similarities
  Examine structure of equations
  Whether used in positive or negative form
  Exploit structure to limit variable domains
Differences in Their Approach
  Examine equation structure after function applications eliminated
  Use Ackermann’s method to eliminate function applications
– 32 –
Ackermann’s Method Example
Many more equations: 2 → 8
P-formula / P-term structure destroyed
[Figure: the DAG of Example #1 after Ackermann elimination, with variables vg1, vg2, vg3, vh1, vh2 and eight equality nodes for the consistency constraints, shown beside the original DAG with its two equality nodes.]
– 33 –
Comparison to Pnueli, et al.
Relative Advantage of Their Method
  Better at exploiting equation structure among g-terms
  Worse at exploiting structure among p-terms
– 34 –
Experimental Results
Verify Modified RTL Circuits
  Replace memories, latches, and function blocks by special functional models (Bryant & Velev, FMCAD ‘98)
  Small modification to generate fixed bit patterns for p-function block
Simplified MIPS Processor
  Reg-Reg and Reg-Immediate only    Before: 48 s / 7 MB     After: 6 s / 2 MB
  RR, RI + Load/Store               Before: Space-Out       After: 12 s / 1.8 MB
  RR, RI, L/S, Branch               Before: Space-Out       After: 169 s / 7.5 MB
– 35 –
Conclusion
Exploiting Positive Equality
  Greatly reduces number of interpretations to consider
  Our function elimination scheme provides encoding mechanism
  Enables verification of complete processor using BDDs
Ongoing Work
  New implementation using pure term-level models (Velev & Bryant, CHARME ‘99)
  Single-issue DLX now takes 0.15 s. Dual-issue DLX takes 35 s.