System Modeling
and Verification
with UCLID
Randal E. Bryant
Carnegie Mellon University
http://www.cs.cmu.edu/~bryant
Contributions by former graduate students:
Sanjit Seshia, Shuvendu Lahiri
Applying Data Abstraction to
Hardware Verification
Idea


Abstract details of data encodings and operations
Keep control logic precise
Applications


Verify overall correctness of system
Assuming individual functional units correct
Technology



–2–
Use restricted subset of first-order logic
Implement efficient decision procedures
Multiple methods of performing verification
Challenge: System-Level Verification
Verification Task

Does processor
implement its ISA?
Why is it Hard?



–3–
Lots of internal state
Complex control
logic
Complex
functionality
Alpha 21264 Microprocessor
Microprocessor Report, Oct. 28, 1996
Sources of Complexity
State



ISA: registers, memory
Microarchitectural: caches, buffers, reservation stations
Conceptually finite state, but practically unbounded
Control




Pipelines spread execution across multiple cycles
Out-of-order execution modifies processing order
Superscalar operation creates parallelism
Control logic coordinates everything
 Resulting behavior matches that of sequential ISA model
Functionality

–4–
Arithmetic functions, instruction decoding
Existing Verification Methods

Simulators, equivalence checkers, model checkers, …
All Operate at Bit Level

RTL model
 State encoded as words and arrays of words
 Comprised of bits
Most Operate at Cycle or Subcycle Level

How each bit of state gets updated
System Modeling Languages


–5–
Abstract time up to transaction level
Still view state as collection of bits
Word-Level Abstraction
Control Logic
Com.
Log.
1
Com.
Log.
2
Data Path
Data:
Abstract details of form & functions
Control: Keep at bit level
Timing: Keep at cycle level
–6–
Data Abstraction #1: Bits → Integers
x0
x1
x2

xn-1
View Data as Symbolic Words

Arbitrary integers
 No assumptions about size or encoding
 Classic model for reasoning about software

–7–
Can store in memories & registers
x
Modeling Data Selection
If-Then-Else Operation


Mulitplexor
Allows control-dependent data flow
p
x
y
–8–
1
0
ITE(p, x, y)
1
x
y
1
0
x
0
x
y
1
0
y
Abstracting Data Bits
Control Logic
Com.
Log.
?
1
Com.
Log.
?
2
1
Data Path
What do we do about logic functions?
–9–
Abstraction #2:
Uninterpreted Functions
A
Lf
U
For any Block that Transforms or Evaluates Data:


Replace with generic, unspecified function
Only assumed property is functional consistency:
a = x  b = y  f (a, b) = f (x, y)
– 10 –
Abstracting Functions
Control Logic
Com.
Log.
F1
1
Com.
Log.
F2
1
Data Path
For Any Block that Transforms Data:



– 11 –
Replace by uninterpreted function
Ignore detailed functionality
Conservative approximation of actual system
Modeling Data-Dependent Control
Branch?
Adata
Branch
Logic
Cond
p
Bdata
Model by Uninterpreted Predicate


Yields arbitrary Boolean value for each control + data
combination
Produces same result when arguments match
 Pipeline & reference model will branch under same conditions
– 12 –
Abstraction #3: Modeling Memories
as Mutable Functions
Memory M Modeled as Function
M
a

M(a): Value at location a
Initially
M
a


– 13 –
m0
Arbitrary state
Modeled by uninterpreted function m0
Effect of Memory Write Operation
Writing Transforms Memory

M = Write(M, wa, wd)
M
wa
=
a
wd
M

1
0
Reading from updated
memory:
 Address wa will get wd
 Otherwise get what’s
already in M
– 14 –
Express with Lambda Notation
 Notation for defining
functions
 M =
 a . ITE(a = wa, wd, M(a))
Systems with Buffers
Circular Queue
Unbounded Buffer
In Use
0
head
Modeling Method


– 15 –
Mutable function to describe buffer contents
Integers to represent head & tail pointers
•
•
•
head
•
•
•
•
•
•
tail
•
•
•
•
•
•
•
•
•
In Use
tail
Max-1
Some History of Term-Level Modeling
Historically


Standard model used for program verification
Widely used with theorem-proving approaches to hardware
verification
 E.g, Hunt ’85
Automated Approaches to Hardware Verification

Burch & Dill, ’95
 Tool for verifying pipelined microprocessors
 Implemented by form of symbolic simulation

– 16 –
Continued application to pipelined processor verification
UCLID

Seshia, Lahiri, Bryant, CAV ‘02
Term-Level Verification System

Language for describing systems
 Inspired by CMU SMV

Symbolic simulator
 Generates integer expressions describing system state after
sequence of steps

Decision procedure
 Determines validity of formulas

Support for multiple verification techniques
Available by Download
http://www.cs.cmu.edu/~uclid
– 17 –
Challenge: Model Generation


How to generate term-level model
How to guarantee faithfulness to RTL description
Comparison of Models

RTL
 Abstracts functional elements from gate-level model
 Synthesis allows automatic map to gate level

Term level
 Abstracts bit-level data representations to words
 Abstracts memories to mutable functions
 No direct connection to synthesizable model
– 18 –
Generating Term-Level Model
Manually Generate from RTL


How do we know it is a valid abstraction?
Hard to keep consistent with changing RTL
Automatically Generate from RTL


Andraus & Sakallah, DAC ‘04
Must decide which signals to keep Boolean, which to
abstract
 Confused by bit field extraction primitives of HDL
Synthesize RTL from Word-Level Model

– 19 –
Difficult to make efficient
Underlying Logic
Existing Approaches to Formal Verification


E.g., symbolic model checking
State encoded as fixed set of bits
 Finite state system
 Amenable to Boolean methods (SAT, BDDs)
Our Task

State encoded with unbounded data types
 Arbitrary integers
 Functions over integers

Must use decision procedures
 Determine validity of formula in some subset of first-order logic
 Adapt methods historically used by automated theorem provers
– 20 –
EUF: Equality with Uninterp. Functs

Decidable fragment of first order logic
Formulas (F )
F, F1  F2, F1  F2
T1 = T2
P (T1, …, Tk)
Terms (T )
ITE(F, T1, T2)
Fun (T1, …, Tk)
Functions (Fun)
f
 x1, …, xk . T
Predicates (P)
p
– 21 –
Boolean Expressions
Boolean connectives
Equation
Predicate application
Integer Expressions
If-then-else
Function application
Integer  Integer
Uninterpreted function symbol
Function lambda expression
Integer  Boolean
Uninterpreted predicate symbol
file.ucl
Model
+
Specification
Symbolic
Simulation

– 22 –
UCLID
Formula
Lambda
Expansion
Operation

UCLID Operation
Series of
transformations
leading to
propositional formula
Except for lambda
expansion, each has
polynomial
complexity
-free
Formula
Function
&
Predicate
Elimination
Term
Formula
Finite
Instantiation
Boolean
Formula
Boolean
Satisfiability
UCLID Example
Boolean state
DLX Pipeline

Integer state
Single-issue, 5-stage pipeline
Function state
Pipeline
Fetch
pc
Decode
fd
Execute
de
Write
Back
Memory
em
mw
Branch
Arg1
Target
Arg2
Value
Instr
Arg2
Type
Type
Instr
Data
PC
PC
Type
Dest
Valid
Valid
Valid
Valid
Instr
pPC
– 23 –
RF
Mem
Writing & Reading Register File
Write
Back
Decode
fd
de
mw
Arg1
src1
RF
Instr
Arg2
src2
Data
Dest
Valid
– 24 –
Writing Register File
init[RF] := rf0; (* Uninterpreted Function *)
next[RF] := Lambda(a) .
Write
case
Back
mw_Valid & (a = mw_Dest) : mw_Data;
mw
default : RF(a);
esac;
RF
Data
Dest
Valid
– 25 –
Reading Register File
init[de_Arg1] := dea10;
(* Initially arbitary *)
next[de_Arg1] := next[RF](src1(fd_Instr));
init[de_Arg2] := dea20;
(* Initially arbitary *)
next[de_Arg2] := next[RF](src2(fd_Instr));
Decode
fd
de
Write-before-read
semantics
Arg1
src1
RF
Instr
src2
– 26 –
Arg2
Verifying Safety Properties
Present
State
Next
State

Reachable
States
Bad
States
Reset
States
Reset
Inputs
(Arbitrary)
State Machine Model


State encoded as Booleans, integers, and functions
Next state function expresses how updated on each step
Prove: System will never reach bad state
– 27 –
Bounded Model Checking
Reachable
Rn
Bad
States
R2
R1
Reset
States
Repeatedly Perform Image
Computations

Set of all states reachable
by one more state
transition
Easy to Implement
Underapproximation of
Reachable State Set

– 28 –
But, typically catch most
bugs with 8–10 steps
True Model Checking

Rn
Bad
States
R2
R1
Reset
States
Impractical for Term-Level
Models

 Can keep adding
Reach Fixed-Point

– 29 –
Rn = Rn+1 = Reachable
Many systems never
reach fixed point
elements to buffer

Convergence test
undecidable
Inductive Invariant Checking

I
Bad
States
Reachable
States
Reset
States
Key Properties of System that Make it Operate
Correctly

Formulate as formula I
Prove Inductive
– 30 –

Holds initially I(s0)

Preserved by all state changes I(s)  I((i, s))
An Out-of-order Processor (OOO)
incr
Program
memory
PC
result bus
valid tag val
D
E
C
O
D
E
dispatch
Register
Rename Unit
retire
ALU
execute
head
tail
Reorder
Buffer
valid
value
src1valid
src1val
src1tag
src2valid
src2val
src2tag
dest
op
result
1st
Operand
2nd
Operand
Reorder Buffer
Fields
Data Dependencies Resolved by Register Renaming

Map register ID to instruction in reorder buffer that will generate
register value
Inorder Retirement Managed by Retirement Buffer

– 31 –
FIFO buffer keeping pending instructions in program order
Verifying OOO

Lahiri, Seshia, & Bryant,
FMCAD 2002
Goal


Show that OOO implements
Instruction Set Architecture
(ISA) model
For all possible execution
sequences
Challenge

OOO holds partially executed
instructions in reorder buffer
 States of two systems match
only when reorder buffer
flushed
– 32 –
ISA
Reg.
File
PC
OOO
Reg.
File
PC
Reorder Buffer
Adding Shadow State


McMillan, ‘98
Arons & Pnueli, ‘99
Provides Link Between ISA
& OOO Models

ISA
Reg.
File
PC
Additional entries in ROB
 Do not affect OOO
OOO
behavior


Generated when
instruction dispatched
Predict values of operands
and result
 From ISA model
– 33 –
Reg.
File
PC
Reorder Buffer
Invariant Checking
Formulas I1, …, In
holds for any initial state s0, for 1  j  n
I1(s)  I2(s)  …  In(s)  Ij(s ) for any current state s and
successor state s for 1  j  n
 Ij(s0)

Invariants for OOO (13)

Refinement maps (2)
 Show relation between ISA and OOO models

Shadow state (3)
 Shadow values correctly predict OOO values

State consistency (8)
 Properties of OOO state that ensure proper operation
Overall Correctness

– 34 –
Follows by induction on time
OOO Invariants
Split into Formulas I1, …, In
holds for any initial state s0, for 1  j  n
I1(s)  I2(s)  …  In(s)  Ij(s ) for any current state s and
successor state s for 1  j  n
 Ij(s0)

Invariants for OOO (13)

Refinement maps (2)
 Show relation between ISA and OOO models

State consistency (8)
 Properties of OOO state that ensure proper operation

Added state (3)
 Shadow values correctly predict OOO values
Overall Correctness

– 36 –
Follows by induction on time
State Consistency Invariant
Examples
Register Renaming invariants (2)

Tag in a rename-unit should be in the ROB, and the
destination register should match
r.reg.valid(r) (rob.head  reg.tag(r) < rob.tail
 rob.dest(reg.tag(r)) = r )

For any entry, the destination should have reg.valid as
false and tag should contain this or later instruction
robt.(reg.valid(rob.dest(t)) 
t  reg.tag(rob.dest(t)) < rob.tail)
– 37 –
Extending the OOO Processor

base
 Executes ALU instructions only

exc
 Handles arithmetic exceptions
 Must flush reorder buffer

exc/br
 Handles branches
 Predicts branch & speculatively executes along path

exc/br/mem-simp
 Adds load & store instructions
 Store commits as instruction retires

exc/br/mem
 Stores held in buffer
 Can commit later
– 38 –
 Loads must scan buffer for matching addresses
Comparative Verification Effort
base
Total
Invariants
Manually
instantiate
UCLID
time
Person
time
exc
exc / br
exc / br /
exc / br /
mem-simp
mem
39
67
71
13
34
0
0
0
4
8
54 s
236 s
403 s
1594 s
2200 s
2 days
7 days
9 days
24 days
34 days
(Person time shown cumulatively)
– 39 –
“I Just Want a Loaf of Bread”
Ingredients
Recipe
– 40 –
Result
Cooking with Invariants
Ingredients: Predicates
rob.head  reg.tag(r)
Recipe: Invariants
reg.valid(r)
r,t.reg.valid(r)  reg.tag(r) = t

(rob.head  reg.tag(r) < rob.tail
 rob.dest(t) = r )
reg.tag(r) = t
Result: Correctness
rob.dest(t) = r
– 41 –
Automatic Recipe Generation
Ingredients
Recipe Creator
Result
Want Something More


– 42 –
Given any set of ingredients
Generate best recipe possible
Automatic Predicate Abstraction

Graf & Saïdi, CAV ‘97
Idea

Given set of predicates P1(s), …, Pk(s)
 Boolean formulas describing properties of system state


View as abstraction mapping: States  {0,1}k
Defines abstract FSM over state set {0,1}k
 Form of abstract interpretation
 Do reachability analysis similar to symbolic model checking
Implementation

Early ones had weak inference capabilities
 Call theorem prover or decision procedure to test each
potential transition

– 43 –
Recent ones make better use of symbolic encodings
Abstract State Space
Abstraction
Concretization
P1(s), …, Pk(s)
Abstract
States
Abstract
States
Abstraction
Function

Concrete
States
– 44 –
s
Concretization
Function

t
Concrete
States
s
t
Abstract State Machine
Abstract Transition
Abstract
System
Concretize

Concrete
System
Abstract

Concrete Transition
s
s
t

– 45 –
t
Transitions in abstract system mirror those in concrete
Generating Concrete Invariant
A
Rn
Abstract
System
Reach Fixed-Point on
Abstract System
R2

R1
Reset
States
Concretize

C
Concrete
System
I
Reset
States
– 46 –
Termination guaranteed,
since finite state
Equivalent to Computing
Invariant for Concrete
System

Strongest possible
invariant that can be
expressed by formula over
these predicates
Systems Verified with Predicate
Abstraction
Model
Predicates Iterations CPU Time
Out-Of-Order Execution Unit
25
9
1,207s
German’s Cache Protocol
13
9
14s
German’s Protocol, unbounded
channels
24
17
427s
Bounded Retransmission Buffer
22
9
11s
Lamport’s Bakery Algorithm
33
18
471s

Very general models
 Unbounded processes, buffers, cache lines, …

– 47 –
Safety properties only
Automatic Predicate Discovery
Strength of Predicate Abstraction

If give it right set of predicates, PA will put them together
into invariant
Weakness


Gets nowhere without right set of predicates
Typical failure mode: Generate “true” as invariant
Challenges


– 48 –
Too many predicates will overwhelm PA engine
Our use of quantified invariants precludes counterexamplegenerated refinement techniques
Implementation of Predicate
Discovery
Lahiri & Bryant, CAV ’04
 Initially: Extract predicates from verification condition
 Iterate: Add new predicates by composing next-state
formulas
 With some heuristics thrown in
Experience


– 49 –
Can automatically generate invariants for real examples
~10X slower than for hand-selected predicates
Future Prospects
Evaluation


Important to abstract data & data functions while
maintaining details about control
Demonstrated ability to verify complex, parameterized
systems
Model Generation is Weakest Link

Big jump from bit-level to term-level
 Look at intermediate levels of abstraction with bit-vectors

Need algorithmic connection between our model and RTL
Predicate Abstraction Shows Promise

– 50 –
Provides key automation advantage of model checking