1 verification of infinite state systems by compositional model checking ken mcmillan cadence...
TRANSCRIPT
![Page 1: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/1.jpg)
1
Verification of Infinite StateSystems by
Compositional Model Checking
Ken McMillan
Cadence Berkeley Labs
![Page 2: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/2.jpg)
2
Is hardware really “finite state”? Unbounded/infinite structures may be appropriate...
– For model checking, sometimes 64 =
64 bit words, large address spaces, etc.
– Configurations not known a priori
– Hardware processes (conceptually) infinite sequences
e.g., a packet router
Thus, for hardware verification, it is useful to be able to treatdata structures of unknown or infinite size
![Page 3: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/3.jpg)
3
Methodology
Split property into case based on parameter
– e.g., memory output correct when addr = 0
Reduce data types
– map type “address” to 0 and “not 0”
– abstract Mem[not 0] to “unknown”
– problem becomes finite state -- apply model checking
Apply symmetry
– case “addr = 0” implies all other cases
Reduce unbounded types to fixed finite types by abstraction
![Page 4: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/4.jpg)
4
Uninterpreted functions
Advantages of uninterpreted functions
– Generic verification
– Separate “plumbing” from arithmetic
– Preserve symmetry
This methodology also allows us to use uninterpreted functionsin model checking.
Many functions can be abstracted this way, for example, the mappingfunction of a cache, or the routing table of a packet router.
![Page 5: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/5.jpg)
5
Refinement framework
Referencemodel
System
Translations
Refinement relations
– Specify intermediate results with respect to reference model
– Each intermediate result uses finite
operations
storage locations
– Thus, can reduce local verification problems to finite state
![Page 6: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/6.jpg)
6
SPEC
P PA
Decomposing arrays
i
![Page 7: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/7.jpg)
7
Temporal case splitting Prove separately that p holds at all times when v = i.
i G v i p
G p
: ( )*
)
Path splitting
v
record register index
G v i p( ) )
i
![Page 8: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/8.jpg)
8
Implementation in SMV system
In general, we can split cases using any set of assertions qi, where SMV can determine that _i qi = 1.
Example:
v : T;s : assert G p ;
forall (i in T) subcase c[i] of s for v = i;
c[0] : assert G (v=0 ) p) ;
c[1] : assert G (v=1 ) p) ;...
forall (i in T) subcase c[i] of s for v = i when r;
i.e., can split cases on future value of a variable
![Page 9: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/9.jpg)
9
SPEC
Case explosion
P PA
ik
... may even be unbounded.
Number of cases may explode exponentially...
![Page 10: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/10.jpg)
10
Exploiting symmetry Symmetric types
– Semantics invariant under permutations of type.
– Enforced by type checking rules.
Symmetry reduction rule
i k P
i P
0 :
:* * i is of scalarset type
* P references only constants 0..k-1 of type
(related: Murphi)
SMV can select a finite set of representative cases under symmetry.
![Page 11: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/11.jpg)
11
Data type reductions Problem: unbounded or infinite data types
Solution: reduce to finite types by abstraction
where T\i represents all the values in T except i.
Need a property-preserving abstract interpretation
T i T i { , \ }
M P
M P
T i T i
{ , \ } |
|
Abstraction must be both sound and generically applicable.
![Page 12: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/12.jpg)
12
Data type reduction in SMV Values in reduced model M’ are sets
For sound abstraction of operator f, we need:
Examples:
– Equality
i T i
i
T i
\
\ { , }
1 0
0 0 1
T i T i' {{ }, \ }
f x f x'{ } { ( ) }
![Page 13: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/13.jpg)
13
Abstraction, continued...– Array references
a[x] ...becomes... (x=i) ? a[i] :
– Other operators ...
Unbounded array reduced to one fixed element!
{ } ' { }0 0 { } '1
{ } '1 etc...
Must also account for quantifiers, temporal operators, etc...
![Page 14: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/14.jpg)
14
Thus, if then
Property preserving abstractions Homomorphism from M to M’
h hf
f h'
f
M ' { } 1 M 1
...but we may get M '
M M '
![Page 15: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/15.jpg)
15
Illustration: Tomasulo’s algorithm Execute instructions in data flow order
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
TAGGED RESULTS
INSTRUCTIONS
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
REGFILE
![Page 16: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/16.jpg)
16
Unbounded resources The following types are left undefined:
– REG (register file indices)
– TAG (reservation station indices)
– EU (execution unit indices)
– WORD (data words)
This allows for an unbounded (or infinite) number of registers,reservation stations, execution units, and bits in the data word.
![Page 17: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/17.jpg)
17
Compositional rule Decompose into two lemmas
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
TAGGED RESULTS
INSTRUCTIONS
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
REGFILE
Lemma 1:Correct operands
Lemma 2:Correct results
Computing each result and operand uses finite resources
![Page 18: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/18.jpg)
18
Lemmas in SMV Operand correctness
forall (k in TAG) layer lemma1 : if (rs[k].valid & rs[k].opra.valid)
rs[k].opra.val := aux[k].opra;
Result correctness
forall (i in TAG) layer lemma2[i] : if (rb.tag = i & rb.valid)
rb.val := aux[i].res;Note: only two signals specifiedin proof
![Page 19: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/19.jpg)
19
Path splitting in Tomasulo
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
"cone of influence" eliminates
![Page 20: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/20.jpg)
20
Symmetry reduction in operands lemma
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
i
j
k Symmetry reduces unbounded cases to two cases:
(i = 0, j = 0, k = 0)
(i = 0, j = 0, k = 1)
![Page 21: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/21.jpg)
21
Type reduction Reduce types of undefined range to finite types
Specific reduction is chosen based on property parametersTAG {i,k,~{i,k}}REG {j,~{j}}
Reduces variable encodings to
– 1 bit per variable of type REG
– 2 bits per variable of type TAG
What about data words?
i.e., only include values we care about in reduced types
![Page 22: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/22.jpg)
22
OP,DST
Uninterpreted functions Verify Tomasulo for arbitrary EU function f(a,b).
f(a,b)
RESULTS
INSTRUCTIONS
SPEC
OP,DST
opra oprb
opra oprb
OP,DST
opra oprb
f(a,b)OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
f(a,b)
(related: Burch, Dill, Jones, etc...)
![Page 23: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/23.jpg)
23
Case splitting Prove result correctness only for specific cases, e.g.
opra = 0, oprb = 1, f[0][1] = 2
OP,DST
0 1
OP,DST
opra oprb
OP,DST
opra oprb
f(a,b)
f(a,b)
f(a,b)
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
2
3! = 6 cases verified
(related: Hojati, Singhal, Bryant, Clarke)
![Page 24: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/24.jpg)
24
Result Verification problem reduced to tractable finite problems
– Max 25 state bits
– 11 cases of lemmas to verify after symmetry
– Verification time less than 4 seconds
Tomasulo implementation proved for
– Arbitrary number of registers, reservation stations
– Arbitrary data word size and EU function
note -- unbounded EU’s requires one more lemma
The proof is concise and robust
details in the paper...but in what way robust?
![Page 25: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/25.jpg)
25
Adding in-order retirement
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
RETIRED RESULTS
INSTRUCTIONS
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
REGFILE
BUF
BUF
BUF
RES
Forwarded results
...in order of entry
![Page 26: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/26.jpg)
26
Reusing the proof
Why?
– Refinement relations only specify two signals:
operand registers and result bus
– Function of these signals did not change
New version is verified without modifying one proof line...
Because a model checker computes the reachable states,we do not have to specify invariants of most signals.This improves reusability of the proof.
![Page 27: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/27.jpg)
27
Comparison to symbolic simulation
Use uninterpreted functions to abstract out arithmetic
Generating flushing function can be automatic
– in practice, manual decompositions are required
Inductive invariants can be complex
– reduces reusability of proof
flush
flush
impl
spec
require inductive invariant for this state
![Page 28: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/28.jpg)
28
Other related work Data independence (Wolper)
– require control to be independent of data
– does not reduce the size of arrays
Lazic and Roscoe
– complete procedure (for determinism)
– limitations to avoid undecidability:
no comparison of array elements (i.e., no cache tags)
no array indices stored in arrays (i.e., no Tomasulo)
– present method is (necessarily) incomplete
![Page 29: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/29.jpg)
29
Other applications Data type reductions
– One-address abstraction in cache coherence
– Content-addressable memories
– Infinite packet streams
– Circular buffers
Uninterpreted functions
– Routing tables, address decoding
– Hash functions (e.g., in caches)
– Replace any symmetry-breaking function
using ordered types,inductive proofs
![Page 30: 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs](https://reader034.vdocuments.us/reader034/viewer/2022051819/5514612b550346b0158b490a/html5/thumbnails/30.jpg)
30
Conclusion Hardware verification can involve large or unbounded structures
– problem for finite state methods
Case splitting and data type reduction:
– combine with compositional methods
– reduce to small finite scalars and arrays
fewer manual decompositions
– allows MC with uninterpreted functions
avoid writing inductive invariants
– concise, robust proofs with high degree of automation