*Carnegie Mellon University † IBM Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions Randal E. Bryant* Steven German † Miroslav Velev*

– 2 – Outline Application Domain Verify correctness of a pipelined processor Based on Burch-Dill correspondence checking Burch & Dill CAV ‘94 Verification Task Abstracted representation of data manipulation Must decide validity of formula in logic of Equality with Uninterpreted Functions (EUF) New Contribution Exploit properties of formulas to reduce verification complexity Significant performance improvement when modeling microprocessor operation

– 3 – Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control Bdat Microprocessor Modeling Simplified RISC pipeline Described at RTL level Words viewed as bit vectors Bit-level functionality

– 4 – Abstracting Data View Data as Symbolic “Terms” No particular properties or operations Except for equations: x = y Can store in memories & registers Can select with multiplexors ITE: If-Then-Else operation x0x0 x1x1 x2x2 x n-1 x  TFTF x y p ITE(p, x, y) TFTF x y T x TFTF x y F y

– 5 – Abstraction Via Uninterpreted Functions For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Assume functional consistency x = y  f(x) = f(y) Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control F1F1 F2F2 F3F3

– 6 – Decision Problem Logic of Equality with Uninterpreted Functions (EUF) Domain Values Solid lines Uninterpreted functions If-Then-Else operation Truth Values Dashed Lines Uninterpreted predicates Logical connectives EquationsTask Determine whether formula is universally valid True for all interpretations of variables and function symbols

– 7 – Some History Ackermann, 1954 Quantifier-free decision problem can be decided based on finite instantiations Automatic Theorem Proving Tradition of using uninterpreted functions when modeling hardware E.g., Warren Hunt, 1985 Burch & Dill, CAV ‘94 Automatic decision procedure »Davis-Putnam enumeration »Congruence closure to enforce functional consistency Verified single-issue DLX »Simple 5-stage RISC pipeline Becomes less effective for more complex processors »Burch, DAC ‘96 & FMCAD ‘96

– 8 – Previous Attempts to Use BDDs Hojati, et al., IWLS ‘97 Generate binary encodings of limited-range integer variables Hit exponential blow-up Goel, et al., CAV ‘98 Encode equality relation among variables as propositional variables Results not compelling Velev & Bryant, FMCAD ‘98 Work with modified RTL model Replace memory & function blocks with special behavioral blocks Exponential blow-up for processor with branch or load/store instructions

– 9 – Why Did BDDs Fail? Result of Load instruction used in address computation Similar effect for branch instruction Impossible to have good BDD variable ordering Variables encoding addresses must precede those encoding data Leads to circular constraints on ordering Data Memory Address Data Address Data Pipeline Logic

– 10 – Decision Problem Example #1 h xy =  =  g g g h

– 11 – EUF Syntax Logic of Equality with Uninterpreted FunctionsTerms ITE(F, T 1, T 2 ) If-then-else f (T 1, …, T k ) Function applicationFormulas  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation p (T 1, …, T k ) Predicate application Special Cases v Domain variable (order-0 function) a Propositional variable (order-0 predicate)

– 12 – PEUF Syntax Logic of Positive Equality with Uninterpreted Functions Formulas (General)  F, F 1  F 2, F 1  F 2 GT 1 = GT 2 p (PT 1, …, PT k ) P-Formulas (Special) F PF 1  PF 2, PF 1  PF 2 PT 1 = PT 2 Key Properties P-formulas cannot be negated & cannot control ITEs P-terms only used as funct. args. and in positive equations Applications of p-function symbols occur only in p-terms G-Terms (General) ITE(F, GT 1, GT 2 ) f g (PT 1, …, PT k ) P-Terms (Special) GT ITE(F, PT 1, PT 2 ) f p (PT 1, …, PT k )

– 13 – Analyzing Example #1 h xy =  =  g g g h P-Function Symbols g, h G-Function Symbols Appear in negated equation x, y G-terms P-terms P-formulas Formulas

– 14 – Example #2 h xy = = g g g h T F

– 15 – Analyzing Example #2 ITE control must be formula “Interesting” things happen when false G-terms P-terms P-formula Formula h xy = = g g g h T F

– 16 – Maximally Diverse Interpretations P-Function Symbols Equal results only for equal arguments G-Function Symbols Potentially yield equal results for unequal argumentsProperty Formula valid only if true under all maximally diverse interpretations h xy =  =  g g g h TermsEqual? xy Potentially g (x)g (y) Only if x = y g (x)y No g (g (x))g (y) No g (g (x))g (x) No

– 17 – Justification of Maximal Diversity Property h xy =  =  g g g h Create Worst Case for Validity Falsify positive equation Create Worst Case for Validity Falsify positive equation Function applications yield distinct results Create Worst Case for Validity Falsify positive equation Function applications yield distinct results Function arguments distinct Key Argument For every interpretation I, there is a maximally diverse interpretation I such that I [ F ]  I [ F ]

– 18 – Equations in Processor Verification Data TypesEquations Register IdsControl stalling & forwarding + Addresses for register file Instruction AddressOnly top-level verification condition Program DataOnly top-level verification condition Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control

– 19 – Modeling Memories Conventional Expansion of Memory Operations Effects of writes represented as nested ITEs Initial memory state represented by uninterpreted function f M Write( a 1, d 1 ); Write( a 2, d 2 ); Write( a 3, d 3 ); Read( a ) T F f M = d 3 d 2 d 1 == a 1 a 2 a 3 T F T F aProblem Equations over addresses control ITEs Addresses must be g-terms OK for register file, but not for data memory

– 20 – Data Memory Modeling Generic State Machine Memory state represented as term Initial state given by variable v M Write operation causes arbitrary state change Uninterpreted function f u Read operation function of address & state Uninterpreted function f r Memory State fufu frfr Raddr Waddr Wdata Rdata Read Write

– 21 – Data Memory Modeling (Cont.) No equations over addresses! Can keep as p-termsLimitations Does not capture full semantics of memory Only works when processor preserves program order for: Writes relative to each other Reads relative to writes f u d 3 d 2 d 1 a 1 a 2 a 3 a f u f u f r v M Write( a 1, d 1 ); Write( a 2, d 2 ); Write( a 3, d 3 ); Read( a )

– 22 – Function Symbols in Processor Verification G-Function Symbols Register Ids % of function applications P-Function Symbols Program data Data & instruction addresses Opcodes % of function applicationsEffect Breaks dependency loop that caused exponential blow-up

– 23 – Decision Procedure Steps Eliminate function applications Assign limited ranges to domain variables Encode domain variables as bit vectors Translate into propositional logic h xy =  =  h g g g

– 24 – fff x1x1 x2x2 x3x3 vf 1 vf 2 TFTF = = = TFTF vf 3 TFTF Eliminating Function Applications Replacing Application Introduce new domain variable Nested ITE structure maintains functional consistency

– 25 – Exploiting Positive Equality Property P-function symbol f Introduce variables vf 1, …, vf n during elimination Consider only diverse interpretations for variables vf 1, …, vf n vf i  v for any other variable vExample Assuming vf 1  vf 2 : x1x1 x2x2 vf 1 vf 2 TFTF = = iff x 1 =x 2

– 26 – ff vf 1 vf 2 Compare: Ackermann’s Method Replacing Application Introduce new domain variable Enforce functional consistency by global constraints Unclear how to generate diverse interpretations x1x1 x2x2 F ==   

– 27 – h xy =  =  h g g g Eliminating Function Symbol g

– 28 – Eliminate Function Symbol h Final Form Only domain and propositional variables

– 29 – Instantiating Variables Can assign fixed interpretations to variables arising from eliminating p-function applications Need to consider only two different cases y = 0 vs. y = 1 x y vg 1 vg 2 vg 3 vh 1 vh 2 {2}{3}{4}{5}{6} {0} {0,1}

– 30 – Evaluating Formula Actual implementation uses BDD evaluation = = x y vg 1 vg 2 vg 3 vh 1 vh 2 = = =  =   T F T F T F T F {0} {0,1} {2}{3}{4}{5}{6} y=0 F F 4 4 ITE(y=0,2,3) 2 T y=0 5 ITE(y=0,5,6) y=0 y0y0 T

– 31 – Pnueli, et al., CAV ‘99 Similarities Examine structure of equations Whether used in positive or negative form Exploit structure to limit variable domains Differences in Their Approach Examine equation structure after function applications eliminated Use Ackermann’s method to eliminate function applications

– 32 – Ackermann’s Method Example Many more equations 2  8 P-formula / P-term structure destroyed h xy =  =  g g g h 

– 33 – Comparison to Pnueli, et al. Relative Advantage of Their Method Better at exploiting equation structure among g-terms Worse at exploiting structure among p-terms

– 34 – Experimental Results Verify Modified RTL Circuits Replace memories, latches, and function blocks by special functional models. Bryant & Velev, FMCAD ‘98 Small modification to generate fixed bit patterns for p- function block Simplified MIPS Processor Reg-Reg, and Reg-Immediate only Before:48 s / 7 MBAfter:6 s / 2 MB RR, RI + Load/Store Before:Space-Out After:12 s / 1.8 MB RR, RI, L/S, Branch Before:Space-Out After:169 s / 7.5 MB

– 35 – Conclusion Exploiting Positive Equality Greatly reduces number of interpretations to consider Our function elimination scheme provides encoding mechanism Enables verification of complete processor using BDDs Ongoing Work New implementation using pure term-level models Velev & Bryant, CHARME ‘99 Single-issue DLX now takes 0.15 s. Dual-issue DLX takes 35 s.