System Modeling
and Formal Verification
with UCLID
Randal E. Bryant
Carnegie Mellon University
http://www.cs.cmu.edu/~bryant
Applying Data Abstraction to
Hardware Verification
Idea


Abstract details of data encodings and operations
Keep control logic precise
Applications


Verify overall correctness of system
Assuming individual functional units correct
Technology



–2–
Use restricted subset of first-order logic
Implement efficient decision procedures
Multiple methods of performing verification
Challenge: System-Level Verification
Verification Task

Does processor
implement its ISA?
Why is it Hard?



–3–
Lots of internal state
Complex control
logic
Complex
functionality
Alpha 21264 Microprocessor
Microprocessor Report, Oct. 28, 1996
Existing Verification Methods

Simulators, equivalence checkers, model checkers, …
All Operate at Bit Level

RTL model
 State encoded as words and arrays of words
 Comprised of bits
Most Operate at Cycle or Subcycle Level

How each bit of state gets updated
System Modeling Languages


–4–
Abstract time up to transaction level
Still view state as collection of bits
Word-Level Abstraction
Control Logic
Com.
Log.
1
Com.
Log.
2
Data Path
Data:
Abstract details of form & functions
Control: Keep at bit level
Timing: Keep at cycle level
–5–
Data Abstraction #1: Bits → Integers
x0
x1
x2

xn-1
View Data as Symbolic Words

Arbitrary integers
 No assumptions about size or encoding
 Classic model for reasoning about software

–6–
Can store in memories & registers
x
Abstracting Data Bits
Control Logic
Com.
Log.
?
1
Com.
Log.
?
2
1
Data Path
What do we do about logic functions?
–7–
Abstraction #2:
Uninterpreted Functions
A
Lf
U
For any Block that Transforms or Evaluates Data:


Replace with generic, unspecified function
Only assumed property is functional consistency:
a = x  b = y  f (a, b) = f (x, y)
–8–
Abstracting Functions
Control Logic
Com.
Log.
F1
1
Com.
Log.
F2
1
Data Path
For Any Block that Transforms Data:



–9–
Replace by uninterpreted function
Ignore detailed functionality
Conservative approximation of actual system
Modeling Data-Dependent Control
Branch?
Adata
Branch
Logic
Cond
p
Bdata
Model by Uninterpreted Predicate


Yields arbitrary Boolean value for each control + data
combination
Produces same result when arguments match
 Pipeline & reference model will branch under same conditions
– 10 –
Abstraction #3: Modeling Memories
as Mutable Functions
Memory M Modeled as Function
M
a

M(a): Value at location a
Initially
M
a


– 11 –
m0
Arbitrary state
Modeled by uninterpreted function m0
Effect of Memory Write Operation
Writing Transforms Memory

M = Write(M, wa, wd)
M
wa
=
a
wd
M

1
0
Reading from updated
memory:
 Address wa will get wd
 Otherwise get what’s
already in M
– 12 –
Express with Lambda Notation
 Notation for defining
functions
 M =
 a . ITE(a = wa, wd, M(a))
Systems with Buffers
Circular Queue
Unbounded Buffer
In Use
0
head
Modeling Method


– 13 –
Mutable function to describe buffer contents
Integers to represent head & tail pointers
•
•
•
head
•
•
•
•
•
•
tail
•
•
•
•
•
•
•
•
•
In Use
tail
Max-1
Some History of Term-Level Modeling
Historically


Standard model used for program verification
Widely used with theorem-proving approaches to hardware
verification
 E.g, Hunt ’85
Automated Approaches to Hardware Verification

Burch & Dill, ’95
 Tool for verifying pipelined microprocessors
 Implemented by form of symbolic simulation

Continued application to pipelined processor verification
Real World Applications

– 14 –
Recently used by Intel for microcode verification (CAV 2005)
UCLID

Seshia, Lahiri, Bryant, CAV ‘02
Term-Level Verification System

Language for describing systems
 Inspired by CMU SMV

Symbolic simulator
 Generates integer expressions describing system state after
sequence of steps

Decision procedure
 Determines validity of formulas

Support for multiple verification techniques
Available by Download
http://www.cs.cmu.edu/~uclid
– 15 –
Challenge: Model Generation


How to generate term-level model
How to guarantee faithfulness to RTL description
Comparison of Models

RTL
 Abstracts functional elements from gate-level model
 Synthesis allows automatic map to gate level

Term level
 Abstracts bit-level data representations to words
 Abstracts memories to mutable functions
 No direct connection to synthesizable model
– 16 –
Generating Term-Level Model
Manually Generate from RTL


How do we know it is a valid abstraction?
Hard to keep consistent with changing RTL
Automatically Generate from RTL


Andraus & Sakallah, DAC ‘04
Must decide which signals to keep Boolean, which to
abstract
 Confused by bit field extraction primitives of HDL
– 17 –
Generate Both from Common Model
Control Logic
Description
.hcl
RTL
Data Blocks
hcl2v
merge
Verilog
description


– 18 – 
UCLID
Data Blocks
hcl2u
merge
UCLID
description
Bryant, 2005
Separate data from control
Generate control logic for both models from common source
Underlying Logic
Existing Approaches to Formal Verification


E.g., symbolic model checking
State encoded as fixed set of bits
 Finite state system
 Amenable to Boolean methods (SAT, BDDs)
Our Task

State encoded with unbounded data types
 Arbitrary integers
 Functions over integers

Must use decision procedures
 Determine validity of formula in some subset of first-order logic
 Adapt methods historically used by automated theorem provers
– 19 –
EUF: Equality with Uninterp. Functs

Decidable fragment of first order logic
Formulas (F )
F, F1  F2, F1  F2
T1 = T2
P (T1, …, Tk)
Terms (T )
ITE(F, T1, T2)
Fun (T1, …, Tk)
Functions (Fun)
f
 x1, …, xk . T
Predicates (P)
p
– 20 –
Boolean Expressions
Boolean connectives
Equation
Predicate application
Integer Expressions
If-then-else
Function application
Integer  Integer
Uninterpreted function symbol
Function lambda expression
Integer  Boolean
Uninterpreted predicate symbol
file.ucl
Model
+
Specification
Symbolic
Simulation

– 21 –
UCLID
Formula
Lambda
Expansion
Operation

UCLID Operation
Series of
transformations
leading to
propositional formula
Except for lambda
expansion, each has
polynomial
complexity
-free
Formula
Function
&
Predicate
Elimination
Term
Formula
Finite
Instantiation
Decision
Procedure
Boolean
Formula
Boolean
Satisfiability
Valid / Invalid + counterexample
UCLID Example
Boolean state
DLX Pipeline

Integer state
Single-issue, 5-stage pipeline
Function state
Pipeline
Fetch
pc
Decode
fd
Execute
de
Write
Back
Memory
em
mw
Branch
Arg1
Target
Arg2
Value
Instr
Arg2
Type
Type
Instr
Data
PC
PC
Type
Dest
Valid
Valid
Valid
Valid
Instr
pPC
– 22 –
RF
Mem
Writing & Reading Register File
Write
Back
Decode
fd
de
mw
Arg1
src1
RF
Instr
Arg2
src2
Data
Dest
Valid
– 23 –
Writing Register File
init[RF] := rf0; (* Uninterpreted Function *)
next[RF] := Lambda(a) .
Write
case
Back
mw_Valid & (a = mw_Dest) : mw_Data;
mw
default : RF(a);
esac;
RF
Data
Dest
Valid
– 24 –
Reading Register File
init[de_Arg1] := dea10;
(* Initially arbitary *)
next[de_Arg1] := next[RF](src1(fd_Instr));
init[de_Arg2] := dea20;
(* Initially arbitary *)
next[de_Arg2] := next[RF](src2(fd_Instr));
Decode
fd
de
Write-before-read
semantics
Arg1
src1
RF
Instr
src2
– 25 –
Arg2
Verifying Safety Properties
Present
State
Next
State

Reachable
States
Bad
States
Reset
States
Reset
Inputs
(Arbitrary)
State Machine Model


State encoded as Booleans, integers, and functions
Next state function expresses how updated on each step
Prove: System will never reach bad state
– 26 –
Bounded Model Checking
Reachable
Rn
Bad
States
R2
R1
Reset
States
Repeatedly Perform Image
Computations

Set of all states reachable
by one more state
transition
Easy to Implement
Underapproximation of
Reachable State Set

– 27 –
But, typically catch most
bugs with 8–10 steps
True Model Checking

Rn
Bad
States
R2
R1
Reset
States
Impractical for Term-Level
Models

 Can keep adding
Reach Fixed-Point

– 28 –
Rn = Rn+1 = Reachable
Many systems never
reach fixed point
elements to buffer

Convergence test
undecidable
Inductive Invariant Checking

I
Bad
States
Reachable
States
Reset
States
Key Properties of System that Make it Operate
Correctly

Formulate as formula I
Prove Inductive
– 29 –

Holds initially I(s0)

Preserved by all state changes I(s)  I((i, s))
An Out-of-order Processor (OOO)
incr
Program
memory
PC
result bus
valid tag val
D
E
C
O
D
E
dispatch
Register
Rename Unit
retire
ALU
execute
head
tail
Reorder
Buffer
valid
value
src1valid
src1val
src1tag
src2valid
src2val
src2tag
dest
op
result
1st
Operand
2nd
Operand
Reorder Buffer
Fields
Data Dependencies Resolved by Register Renaming

Map register ID to instruction in reorder buffer that will generate
register value
Inorder Retirement Managed by Retirement Buffer

– 30 –
FIFO buffer keeping pending instructions in program order
Verifying OOO

Lahiri, Seshia, & Bryant,
FMCAD 2002
Goal


Show that OOO implements
Instruction Set Architecture
(ISA) model
For all possible execution
sequences
Challenge

OOO holds partially executed
instructions in reorder buffer
 States of two systems match
only when reorder buffer
flushed
– 31 –
ISA
Reg.
File
PC
OOO
Reg.
File
PC
Reorder Buffer
Adding Shadow State


McMillan, ‘98
Arons & Pnueli, ‘99
Provides Link Between ISA
& OOO Models

ISA
Reg.
File
PC
Additional entries in ROB
 Do not affect OOO
OOO
behavior


Generated when
instruction dispatched
Predict values of operands
and result
 From ISA model
– 32 –
Reg.
File
PC
Reorder Buffer
Access Modes for Reorder Buffer
Retire
Dispatch
result bus
ALU
execute
FIFO


head
tail
Content Addressable
Insert when dispatch
Remove when retire

Directly Addressable


– 33 –
Select particular entry for
execution
Retrieve result value from
executed instruction
Broadcast result to all
entries with matching
source tag
Global

Flush all queue entries when
instruction at head causes
exception
All handled by UCLID lambda notation
OOO Invariants
Split into Formulas I1, …, In
holds for any initial state s0, for 1  j  n
I1(s)  I2(s)  …  In(s)  Ij(s ) for any current state s and
successor state s for 1  j  n
 Ij(s0)

Invariants for OOO (13)

Refinement maps (2)
 Show relation between ISA and OOO models

State consistency (8)
 Properties of OOO state that ensure proper operation

Added state (3)
 Shadow values correctly predict OOO values
Overall Correctness

– 34 –
Follows by induction on time
State Consistency Invariants

Register rename unit & reorder buffer encode same
information redundantly
 Rename Unit: Registers  Tags
 Reorder Buffer: Tags  Registers
valid tag val
dispatch
Register
Rename Unit
head
– 35 –
tail
Reorder
Buffer
valid
value
src1valid
src1val
src1tag
src2valid
src2val
src2tag
dest
op
Reorder Buffer
Fields
State Consistency Invariant
Examples
valid tag val
dispatch
Register Renaming invariants (2)

Any mapped register should be in the ROB,
and the destination register should match
r.reg.valid(r)
(rob.head  reg.tag(r) < rob.tail 
rob.dest(reg.tag(r)) = r )

For any ROB entry, the destination should
have reg.valid as false and tag should be to
this or later instruction
robt.[reg.valid(rob.dest(t)) 
t  reg.tag(rob.dest(t)) 
reg.tag(rob.dest(t)) < rob.tail]
– 36 –
valid
value
src1valid
src1val
src1tag
src2valid
src2val
src2tag
dest
op
Extending the OOO Processor

base
 Executes ALU instructions only

exc
 Handles arithmetic exceptions
 Must flush reorder buffer

exc/br
 Handles branches
 Predicts branch & speculatively executes along path

exc/br/mem-simp
 Adds load & store instructions
 Store commits as instruction retires

exc/br/mem
 Stores held in buffer
 Can commit later
– 37 –
 Loads must scan buffer for matching addresses
Comparative Verification Effort
Decision Procedures


UCLID: Complete reduction to SAT
Barcelona DPLL(T): Iterative refinement to SAT
base
Total
Invariants
UCLID
time
DPLL(T)
time
Person
time
– 38 –
exc
exc / br
exc / br /
exc / br /
mem-simp
mem
39
67
71
13
34
54 s
236 s
403 s
1s
4s
7s
2 days
7 days
9 days
1594 s
2200 s
85 s
24 days
34 days
“I Just Want a Loaf of Bread”
Ingredients
Recipe
– 39 –
Result
Cooking with Invariants
Ingredients: Predicates
rob.head  reg.tag(r)
Recipe: Invariants
reg.valid(r)
r,t.reg.valid(r)  reg.tag(r) = t

(rob.head  reg.tag(r) < rob.tail
 rob.dest(t) = r )
reg.tag(r) = t
Result: Correctness
rob.dest(t) = r
– 40 –
Automatic Recipe Generation
Ingredients
Recipe Creator
Result
Want Something More


– 41 –
Given any set of ingredients
Generate best recipe possible
Automatic Predicate Abstraction

Graf & Saïdi, CAV ‘97
Idea

Given set of predicates P1(s), …, Pk(s)
 Boolean formulas describing properties of system state


View as abstraction mapping: States  {0,1}k
Defines abstract FSM over state set {0,1}k
 Form of abstract interpretation
 Do reachability analysis similar to symbolic model checking
Implementation

Early ones had weak inference capabilities
 Call theorem prover or decision procedure to test each
potential transition

– 42 –
Recent ones make better use of symbolic encodings
Abstract State Space
Abstraction
Concretization
P1(s), …, Pk(s)
Abstract
States
Abstract
States
Abstraction
Function

Concrete
States
– 43 –
s
Concretization
Function

t
Concrete
States
s
t
Abstract State Machine
Abstract Transition
Abstract
System
Concretize

Concrete
System
Abstract

Concrete Transition
s
s
t

– 44 –
t
Transitions in abstract system mirror those in concrete
Generating Concrete Invariant
A
Rn
Abstract
System
Reach Fixed-Point on
Abstract System
R2

R1
Reset
States
Concretize

C
Concrete
System
I
Reset
States
– 45 –
Termination guaranteed,
since finite state
Equivalent to Computing
Invariant for Concrete
System

Strongest possible
invariant that can be
expressed by formula over
these predicates
Quantified Invariant Generation
(Lahiri & Bryant, VMCAI 2004)
 User supplies predicates containing free variables
 Generate globally quantified invariant
Example

Predicates
p1: reg.valid(r)
p2: reg.tag(r) = t
p3: rob.dest(t) = r

Abstract state satisfying (p1  p2  p3) corresponds to
concrete state satisfying
r,t[reg.valid(r)  reg.tag(r) = t
 rob.dest(t) = r]
rather than
r[reg.valid(r)]  r,t[reg.tag(r) = t] 
r,t[rob.dest(t) = r]
– 46 –
Systems Verified with Predicate
Abstraction
Model
Predicates Iterations
UCLID
Time
DPLL(T)
Time
Out-Of-Order Execution Unit
25
9
921s
36s
German’s Cache Protocol
16
9
34s
1s
German’s Protocol, unbounded
channels
26
17
1,119s
23s
Lamport’s Bakery Algorithm
32
18
245s
11s

– 47 –
Safety properties only
Automatic Predicate Discovery
Strength of Predicate Abstraction

If give it right set of predicates, PA will put them together
into invariant
Weakness


Gets nowhere without right set of predicates
Typical failure mode: Generate “true” as invariant
Challenges


– 48 –
Too many predicates will overwhelm PA engine
Our use of quantified invariants precludes counterexamplegenerated refinement techniques
Implementation of Predicate
Discovery
Lahiri & Bryant, CAV ’04
 Initially: Extract predicates from verification condition
 Iterate: Add new predicates by composing next-state
formulas
 With some heuristics thrown in
Experience


– 49 –
Can automatically generate invariants for real examples
~10X slower than for hand-selected predicates
Future Prospects
Evaluation


Important to abstract data & data functions while
maintaining details about control
Demonstrated ability to verify complex, parameterized
systems
Model Generation is Weakest Link

Big jump from bit-level to term-level
 Look at intermediate levels of abstraction with bit-vectors

Need algorithmic connection between our model and RTL
Predicate Abstraction Shows Promise

– 50 –
Provides key automation advantage of model checking