Presentation is loading. Please wait.

Presentation is loading. Please wait.

Randal E. Bryant Carnegie Mellon University SRC ‘07 Word-Level Modeling and Verification of Systems Using Selective Term-Level Abstraction Sanjit A. Seshia.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Randal E. Bryant Carnegie Mellon University SRC ‘07 Word-Level Modeling and Verification of Systems Using Selective Term-Level Abstraction Sanjit A. Seshia."— Presentation transcript:

1 Randal E. Bryant Carnegie Mellon University SRC ‘07 Word-Level Modeling and Verification of Systems Using Selective Term-Level Abstraction Sanjit A. Seshia U.C., Berkeley

2 – 2 – SRC ‘07 Task ID: 1355.001 Technical Thrust: Verification Task Leader: Randal E. Bryant PIs: R. E. Bryant (CMU), S. A. Seshia (UC Berkeley) Student: Bryan Brady (UC Berkeley, exp. grad. 8/2010) Industrial Liaisons: Steven M. German, IBMZurab Khasidashvili, Intel Andreas Kuehlmann, CadenceHillel Miller, Freescale Carl-Johan Seger, Intel M. Alper Sen, Freescale Eli Singerman, Intel Jin Yang, Intel Hai Vo-Ba, AMD ITRS Grand Challenge: 2003.12 -- Scaling of Maximum Quality Design Implementation Productivity

3 – 3 – SRC ‘07 Modeling Data in Formal Verification Symbolic or integer data Uninterpreted functions & predicates Fixed-width words of bits Specific encodings Standard arithmetic and logical operators Individual bits Boolean operations Bit Level Bit Vector Level Term Level

4 – 4 – SRC ‘07 Term-Level Modeling View Data as Symbolic “Terms” Arbitrary integer values Can store in memories & registers Abstract Functional Units as “Black Boxes” Uninterpreted functions x0x0 x1x1 x2x2 x n-1 x  ALUALUALUALU f 

5 – 5 – SRC ‘07 Formal Verification Tools Term-level verifiers E.g., UCLID Able to scale to much more complex systems Model checkers, equivalence checkers, … Capacity limited by too many state bits & details of bit manipulations Bit Level Bit Vector Level Term Level

6 – 6 – SRC ‘07 Creating Models UCLID HDL Nonstandard Difficult to reconcile with actual design Register-Transfer Level E.g., Verilog Gate level Bit Level Bit Vector Level Term Level Bit Blast

7 – 7 – SRC ‘07 Project Directions Bit Level Bit Vector Level Term Level Semiautomatic Abstraction UCLID Capabilities Term-level models Bit-vector models

8 – 8 – SRC ‘07 Project Directions Bit-Vector Decision Procedures Enables UCLID to model at bit-vector level Direct path from RTL to verifier Of interest to larger community Hardware, software, microcode verification Hardware & software testing Term-Level Abstraction Semiautomatic ways to generate term-level model from RTL Combined Effect Verify using mixed term and bit-vector models Range of trade-offs between modeling detail and verifier capacity

9 – 9 – SRC ‘07 Bit-Vector Decision Procedure Example Do these functions produce identical results? Strategy Represent and reason about bit-level program behavior Specific to machine word size, integer representations, and operations int abs(int x) { int mask = x>>31; return (x ^ mask) + ~mask + 1; } int test_abs(int x) { return (x < 0) ? -x : x; }

10 – 10 – SRC ‘07 BV Decision Procedures: Some History B.C. (Before Chaff) String operations (concatenate, field extraction) Linear arithmetic with bounds checking Modular arithmetic SAT-Based “Bit Blasting” Generate Boolean circuit based on bit-level behavior of operations Convert to Conjunctive Normal Form (CNF) and check with best available SAT checker Handles arbitrary operations Effective in many applications CBMC [Clarke, Kroening, Lerda, TACAS ’04] Microsoft Cogent + SLAM [Cook, Kroening, Sharygina, CAV ’05] CVC-Lite [Dill, Barrett, Ganesh], Yices [deMoura, et al], STP

11 – 11 – SRC ‘07 Challenge for BV-DPs Is there a better way than bit blasting? Requirements Provide same functionality as with bit blasting Find abstractions based on word-level structure Improve on performance of bit blasting A New Approach Bryant, Kroening, Ouaknine, Seshia, Stichman, Brady, TACAS ’07 Use bit blasting as core technique Apply to simplified versions of formula Successive approximations until solve or show unsatisfiable

12 – 12 – SRC ‘07 Approximating Formula Example Approximation Techniques Underapproximating Restrict word-level variables to smaller ranges of values Overapproximating Replace subformula with Boolean variable  Original Formula   +  + Overapproximation ++ More solutions: If unsatisfiable, then so is  Underapproximation  −   −− Fewer solutions: Satisfying solution also satisfies 

13 – 13 – SRC ‘07 Starting Iterations Initial Underapproximation (Greatly) restrict ranges of word-level variables Intuition: Satisfiable formula often has small-domain solution  1−1−

14 – 14 – SRC ‘07 First Half of Iteration SAT Result for SAT Result for  1 − Satisfiable Then have found solution for  Unsatisfiable Use UNSAT proof to generate overapproximation  1 + Replace irrelevant predicates with Boolean variables  1−1− If SAT, then done 1+1+ UNSAT proof: generate overapproximation

15 – 15 – SRC ‘07 Second Half of Iteration SAT Result for SAT Result for  1 + Unsatisfiable Then have shown  unsatisfiable Satisfiable Solution indicates variable ranges that must be expanded Generate refined underapproximation  1−1− If UNSAT, then done 1+1+ SAT: Use solution to generate refined underapproximation 2−2−

16 – 16 – SRC ‘07 Iterative Behavior Underapproximations Successively more precise abstractions of  Allow wider variable rangesOverapproximations No predictable relation UNSAT proof not unique  1−1− 1+1+ 2−2−      k−k− 2+2+ k+k+     

17 – 17 – SRC ‘07 Overall Effect Soundness Only terminate with solution on underapproximation Only terminate as UNSAT on overapproximationCompleteness Successive underapproximations approach  Finite variable ranges guarantee termination In worst case, get  k −    1−1− 1+1+ 2−2−      k−k− 2+2+ k+k+      SAT UNSAT

18 – 18 – SRC ‘07 Results: UCLID BV vs. Bit-blasting UCLID always better than bit blasting Generally better than other available procedures SAT time is the dominating factor [results on 2.8 GHz Xeon, 2 GB RAM]

19 – 19 – SRC ‘07 Future Work in BV DPs Lots of Refinement & Tuning Selecting under- and over-approximations Iterating within under- or over-approximation Reusing portions of bit-blasted formulas Take advantage of incremental SAT Additional Abstractions View term-level modeling as overapproximation technique Apply functional abstraction automatically

20 – 20 – SRC ‘07 Bit-Vector Level / Term Level Experimental Comparison What Is Performance Advantage of Term-Level Modeling? Experiment Multiple microprocessor designs Each at varying levels of detail Ranging from complete bit-vector modeling to complete term- level modeling

21 – 21 – SRC ‘07 Experiment: Y86 Processors Y86 5 stage pipeline single-threaded in-order execution simplified x86 R. E. Bryant and D. R. O’Hallaron. Computer Systems: A Programmer’s Perspective. Prentice-Hall 2002

22 – 22 – SRC ‘07 Y86 Experiments Processor Variations Handle data hazards with different stalling and forwarding schemes Different branch prediction schemes Creates variety of flushing schedules & modeling detailsModels Everything term level Bit-vector data, uninterpreted functions Bit-vector data, partially interpreted functions Bit-vector, “fully” interpreted functions Still represent memory and register file as mutable functions

23 – 23 – SRC ‘07 Y86 Relative Verification Times

24 – 24 – SRC ‘07 Observations Detailed bit-vector model comes at high cost Biggest problem was modeling ALU XOR operation Would get much worse for more complex microprocessor E.g., if model all details of instruction decoding Using abstraction in the “right” places can greatly reduce verification time

25 – 25 – SRC ‘07 Semiautomatic Abstraction Generate mixed bit-vector / term model from Verilog User annotates Verilog with type qualifiers Variables: Term, Bit Vector Operations: Uninterpreted, Interpreted Verifier generates hybrid model Using type inferencing Working Assumption Designers have good intuition about where abstraction can be applied Over time, will try to automate as much as possible

26 – 26 – SRC ‘07 Progress on Abstraction Requirements Type qualifiers: syntax, usage Type-inference rules Type-inference algorithms General Principles Formulated

27 – 27 – SRC ‘07 Conclusions Hybrid Bit-Vector / Term Modeling Capability Can use as much or as little abstraction as required Clear path from RTL to verification Bit-Vector Decision Procedures Iterative approach + SAT solvers provide powerful framework Multiple possible abstraction techniques Opportunity for parallel processing Term-Level Abstractions User provides minimal hints on where abstractions should be applied

Download ppt "Randal E. Bryant Carnegie Mellon University SRC ‘07 Word-Level Modeling and Verification of Systems Using Selective Term-Level Abstraction Sanjit A. Seshia."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
50.530: Software Engineering

50.530: Software Engineering
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Speeding it up Part 3: Out-Of-Order and SuperScalar execution dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Speeding it up Part 3: Out-Of-Order and SuperScalar execution dr.ir. A.C. Verschueren.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Give qualifications of instructors: DAP

Give qualifications of instructors: DAP
1/1/ /e/e eindhoven university of technology Microprocessor Design Course 5Z008 Dr.ir. A.C. (Ad) Verschueren Eindhoven University of Technology Section.

1/1/ /e/e eindhoven university of technology Microprocessor Design Course 5Z008 Dr.ir. A.C. (Ad) Verschueren Eindhoven University of Technology Section.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.

Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
CS 151 Digital Systems Design Lecture 37 Register Transfer Level

CS 151 Digital Systems Design Lecture 37 Register Transfer Level
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.
Department of Electrical and Computer Engineering M.A. Basith, T. Ahmad, A. Rossi *, M. Ciesielski ECE Dept. Univ. Massachusetts, Amherst * Univ. Bretagne.

Department of Electrical and Computer Engineering M.A. Basith, T. Ahmad, A. Rossi *, M. Ciesielski ECE Dept. Univ. Massachusetts, Amherst * Univ. Bretagne.
Carnegie Mellon University Decision Procedures Customized for Formal Verification Decision Procedures Customized for Formal Verification

Carnegie Mellon University Decision Procedures Customized for Formal Verification Decision Procedures Customized for Formal Verification
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.

1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
Modeling Data in Formal Verification Bits, Bit Vectors, or Words Randal E. Bryant Carnegie Mellon University.

Modeling Data in Formal Verification Bits, Bit Vectors, or Words Randal E. Bryant Carnegie Mellon University.

Similar presentations

Ads by Google