carnegie mellon university convergence testing in term-level bounded model checking randal e. bryant...

Carnegie Mellon University

Convergence Testing in Convergence Testing in Term-level Bounded Model Term-level Bounded Model

CheckingChecking

Convergence Testing in Convergence Testing in Term-level Bounded Model Term-level Bounded Model

CheckingChecking

Randal E. BryantShuvendu K. Lahiri

Sanjit A. Seshia

– 2 –

Term-level modeling :Abstracting Data Term-level modeling :Abstracting Data

View Data as Symbolic “Terms”View Data as Symbolic “Terms” Arbitrary integers

Verification proves correctness of design for all possible word sizes Can store in memories & registers Can select with multiplexors

ITE: If-Then-Else operation

x0

x1

x2

xn-1

x

1

0

xy

p

ITE(p, x, y)1

0

xy

T

x1

0

xy

F

y

– 3 –

Term-level modeling:Abstraction Via Uninterpreted FunctionsTerm-level modeling:Abstraction Via Uninterpreted Functions

For any Block that Transforms or Evaluates Data:For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Only assumed property is functional consistency:

a = x b = y f (a, b) = f (x, y)

ALUf

– 4 –

MotivationMotivation

Model Checking expressive systemsModel Checking expressive systems Unbounded Integers, unbounded arrays Infinite state space

In general, undecidableIn general, undecidable Can express 2-counter systems Systems do not converge Convergence detection undecidable

Interesting systems which convergeInteresting systems which converge Pipelined processors

[Hojati, Isles, Brayton], Multiway Decision Graphs (MDG)

Procedures to detect convergence

– 5 –

Outline slideOutline slide

Background Background

CLUCLU

exampleexample

Formal definition of convergenceFormal definition of convergence

TechniqueTechnique

ResultsResults

ConclusionsConclusions

– 6 –

CLU : Logic of UCLIDCLU : Logic of UCLID

Terms (Terms (T T )) Integer Expressions ITE(F, T1, T2) If-then-else

Fun (T1, …, Tk) Function application

succ (T) Increment

pred (T) Decrement

Formulas (Formulas (F F )) Boolean ExpressionsF, F1 F2, F1 F2 Boolean connectives

T1 = T2 Equation

T1 < T2 Inequality

P(T1, …, Tk) Predicate application

Functions (Functions (FunFun)) Integers Integerf Uninterpreted function symbol

x1, …, xk . T Function definition

Predicates (Predicates (PP)) Integers Booleanp Uninterpreted predicate symbol

x1, …, xk . F Predicate definition

– 7 –

Modeling Memories with ’sModeling Memories with ’s

Memory M Modeled as FunctionMemory M Modeled as Function

M(a): Value at location a

Writing Transforms MemoryWriting Transforms Memory M = Write(M, wa, wd)

a . ITE(a = wa, wd, M(a)) Future reads of address wa

will get wd

Ma M

Ma 1

0

wd

=wa

– 8 –

Other modeling capabilitiesOther modeling capabilities

Other MemoriesOther Memories Content-addressable memories Simultaneous-update memories

Arbitrary subset of entries can be modified in a step

Ordered data structuresOrdered data structures Queues, Stacks

Limited Set operationsLimited Set operations Addition,deletion, empty-check, membership

Systems modeledSystems modeled Out-of-order processors Parameterized cache-coherence protocols, distributed

protocols

– 9 –

ExampleExample

Symbols Symbols V = {x : INT, y : INT, b : BOOL} # state variables

K = { f } # system parameters

I = {a} # initial state symbols

Next StateNext State x = ITE(b,f(x),x)

y = ITE(b,y,f(y))

b = b

Initial StatesInitial States q0

x = a

q0y = a

q0b = true

– 10 –

ExampleExample

SymbolsSymbols V = {x : INT, y : INT, b : BOOL}

K = { f }

I = {a}


x = a

q0y = a

q0b = true


y = ITE(b,y,f(y))

b = b

ExecutionExecution

StepStep bb xx yy

00 truetrue aa aa

11 falsefalse f(a)f(a) aa

22 truetrue f(a)f(a) f(a)f(a)

33 falsefalse f(f(a))f(f(a)) f(a)f(a)

44 truetrue f(f(a))f(f(a)) f(f(a))f(f(a))

Propertyb x = y ?

– 11 –

Example : convergenceExample : convergence

ExecutionExecution

StepStep bb xx yy

00 truetrue aa aa





StepStep bb xx yy

00 truetrue a’a’ a’a’

11 falsefalse f(a’)f(a’) a’a’

22 truetrue f(a’)f(a’) f(a’)f(a’)

33 falsefalse f(f(a’))f(f(a’)) f(a’)f(a’)

44 truetrue f(f(a’))f(f(a’)) f(f(a’))f(f(a’))

Alternate ExecutionAlternate Execution

– 12 –


ExecutionExecution

StepStep bb xx yy

00 truetrue aa aa





StepStep bb xx yy

00 truetrue a’a’ a’a’

11 falsefalse f(a’)f(a’) a’a’

22 truetrue f(a’)f(a’) f(a’)f(a’)

33 falsefalse f(f(a’))f(f(a’)) f(a’)f(a’)

44 truetrue f(f(a’))f(f(a’)) f(f(a’))f(f(a’))


– 13 –


ExecutionExecution

truetrue f(a)f(a) f(a)f(a)

truetrue a’a’ a’a’


Substitution/MatchingSubstitution/Matching (true) true ( a’) f(a)

subsumes

– 14 –


ExecutionExecution

StepStep bb xx yy

00 truetrue aa aa





Reachable States

Impliesb x = y ?

– 15 –

ContributionsContributions

New formal definition of convergence for term-level New formal definition of convergence for term-level modelsmodels Based on symbolic simulation

A sound algorithm to detect convergenceA sound algorithm to detect convergence Dealing with Function State Variables Based on a translation to Quantified Separation Formula

Preliminary Experimental ResultsPreliminary Experimental Results 3-stage pipeline processor

Related workRelated work

Conclusion and Future workConclusion and Future work

– 16 –

System Model (w/o inputs)System Model (w/o inputs)

SymbolsSymbols State Variables ( V ) Initial State Symbols ( I ) Parameters ( K )

Initial State Initial State qq00

q0a : one for each state element a V

Expression over I

Transition Function Transition Function a : one for each state element a V Expression over V K

Does not depend on the initial state symbols (I)

– 17 –

Symbolic SimulationSymbolic Simulation

Symbolic state expression Symbolic state expression ssii

Expression after “i” steps of symbolic simulation

Contains sai for each of the state elements a V

e.g. {x f(a), y a, b false}

Obtaining the expression for next stateObtaining the expression for next state

ssaai+1 i+1 aa[[ssii/V]/V]

Substitute the expression for sai in place of a V

– 18 –

DefinitionsDefinitions

Interpretation Interpretation X X

Assigns values to each symbol in X

Evaluation Evaluation X e evaluates e with respect to X

State of the systemState of the system An interpretation to the state elements a V

Boolean state elements assigned true/false Integers state elements assigned integer values Function state elements assigned a function from integers to integer Predicate state elements assigned a function from integers to true/false

Given Given II , , K K

I . K si represents a state

– 19 –

k-Convergencek-Convergence

The system is “k-convergent” if:The system is “k-convergent” if: For every interpretation I of initial state symbol, and K of

the parameter symbols, there exists a step i k and an

alternate interpretation I of initial state symbols, such that

I . K si = I . K sk+1

TheoremTheorem : : If a system is k-convergent, then no new If a system is k-convergent, then no new states are discovered after k steps of symbolic states are discovered after k steps of symbolic simulation.simulation.

Proof exploits the factsProof exploits the facts Transition relation independent of initial state symbols

– 20 –


The system is “k-convergent” if:The system is “k-convergent” if:

For every interpretation I of initial state symbol, and K of the

parameter symbols, there exists a step i k and an alternate

interpretation I of initial state symbols, such that

I . K si = I . K sk+1

FormulationFormulation Introduce I’ : set of symbols for alternate initial state symbols

Obtain ri by symbolic simulation with symbols in I’ Check for validity

K I I’ [i k ri = sk+1]

– 21 –


FormulationFormulation Introduce I’ : set of symbols for alternate initial state symbols

Obtain ri by symbolic simulation with symbols in I’ Check for validity


Comparing States Comparing States rri i andand ssk+1k+1

Compare each state element aV point-wise

rri i == ssk+1 k+1 [ aaVV rraai i == ssaa

k+1 k+1 ]

– 22 –

Example: Adding function stateExample: Adding function state

Symbols Symbols V = {x : INT, y : INT, b : BOOL, m : INT INT }

K = { f }

I = {a, m0}


y = ITE(b,y,f(y))

b = b

m = i. ITE(bi=x,y,m(i))


x = a

q0y = a

q0b = true

q0m = m0

– 23 –


ExecutionExecution

StepStep bb xx yy mm

00 truetrue aa aa mm00

11 falsefalse f(a)f(a) aa i. i. ITE(i=a, a, mITE(i=a, a, m00(i))(i))

22 truetrue f(a)f(a) f(a)f(a) i. i. ITE(i=a, a, mITE(i=a, a, m00(i))(i))

33 falsefalse f(f(a))f(f(a)) f(a)f(a) i. i. ITE(i=f(a),f(a),ITE(i=f(a),f(a),

ITE(i=a, a, mITE(i=a, a, m00(i)))(i)))

StepStep bb xx yy mm

00 truetrue a’a’ a’a’ mm00’’

– 24 –


Checking Convergence Checking Convergence

truetrue f(a)f(a) f(a)f(a) i. i. ITE(i=a, a, mITE(i=a, a, m00(i))(i))

truetrue a’a’ a’a’ mm00’’

ff aa mm00 a’ a’ mm00’ ’ [a’ = f(a) [a’ = f(a)

mm00’ = (’ = ( i. i. ITE(i=a, a, mITE(i=a, a, m00(i)))](i)))]

– 25 –

Handling function state variablesHandling function state variables

Second order equationsSecond order equations Comparing a function state element in two states

F = G F = G z. F(z) = G(z)z. F(z) = G(z)

New Quantifier StructureNew Quantifier Structure


K I I’Z [i k ri(Z) = sk+1(Z)]

Eliminate z from the equationEliminate z from the equation Generate constraints and rewrite

Source of Incompleteness (1)Source of Incompleteness (1) Rewrite rules not complete Complete for random-access memories

– 26 –

Deciding Second-Order formulas with One Quantifier AlternationDeciding Second-Order formulas with One Quantifier AlternationSecond-Order formulaSecond-Order formula

K I I’ is quantifier-free CLU formula

All equations are first order now

Obtained after eliminating Z

General formGeneral form A B

A K I B I’

– 27 –

Handling First order equationsHandling First order equations

General formGeneral form A B Undecidable

Provide a sound translation to a decidable fragmentProvide a sound translation to a decidable fragment Option 1 : Translate to Quantified Separation Formula

Decidable fragment of first-order logic with quantifiers

Option 2 : Remove the quantifiers from the formulaAll symbols are universally quantified

Source of Incompleteness (2)Source of Incompleteness (2)

– 28 –

Handling First order equationsHandling First order equations

General formGeneral form A B Undecidable

Provide a sound translation to a decidable fragmentProvide a sound translation to a decidable fragment Option 1 : Translate to Quantified Separation Formula

Decidable fragment of first-order logic with quantifiers

Option 2 : Remove the quantifiers from the formulaAll symbols are universally quantified

Source of Incompleteness (2)Source of Incompleteness (2)

– 29 –

Option 1: Normal FormOption 1: Normal Form

Function applications pushed through ITEFunction applications pushed through ITE f(ITE(x,y,z)) ITE(x,f(y),f(z))

Eliminate the ITE constructsEliminate the ITE constructs ITE(x,y,z) = ITE(x’,y’,z’) (xx’ y=y’) (xx’ y=z’) (xx’ z=y’) (xx’ z=z’)

Atomic Expressions (atoms)Atomic Expressions (atoms) Expressions with no Boolean operators (, , )

f(g(x)+1)+5, p(f(y)), x = y, …

– 30 –

Sound Translation of A B Sound Translation of A B

1.1. ’ Obtain a normal form of Obtain a normal form of F f,y x [ (x=f(x)) y = f(f(y))]

A B

2. Obtain a topological ordering 2. Obtain a topological ordering gg11,…,g,…,gnn of “atomic” of “atomic” function/predicate applicationsfunction/predicate applications Move applications of A as much to the left

y,f(y),f(f(y)),x,f(x)

3. 3. ” Replace Replace ggii by by vvii in in ’ ” [ (x=fx) y = ffy]

ggii vvii

x x

y y

f(y) fy

f(f(y))

ffy

f(x) fx

– 31 –


4. Get Ackerman’s constraints for 4. Get Ackerman’s constraints for ggii h(x),h(x), ggjj h(y)h(y)

C (x = y vi = vj )ggii vvii

x x

y y

f(y) fy

f(f(y))

ffy

f(x) fx

1. y = fy fy = ffy

2. y = x fy = fx

3. fy = x ffy = fx

5. Construct 5. Construct CCAA, C, CBB

If h A then CA C CA

If h B then CB C CB

CCA A (1)(1)(2)(2)(3)(3)

CCB B truetrue

– 32 –


6. 6. s QQ11 vv1 1 …… QQnn vvn n [[CCA A (CCB B ”) ]] Qi , if top-func-symbol(gi) A

, otherwise

s y,fy,ffy x fx [(y = fy fy = ffy

y = x fy = fx

fy = x ffy = fx)

( (x=fx) y = ffy)]

The above formula is validThe above formula is valid

– 33 –

Sound Translation to QSLSound Translation to QSL

Original formulaOriginal formula A B

New formulaNew formula s Q1 v1 … Qn vn [CA (CB ”)]

TheoremTheorem: If : If s is valid then is valid then ((AA BB ))is validis valid

s is a formula in Quantified Separation Logic (QSL)is a formula in Quantified Separation Logic (QSL) Terms are x,y,z Atomic formulas are : x y + c

Boolean Connectives: , , Quantifiers: , ,

– 34 –

Quantified Separation Logic (QSL)Quantified Separation Logic (QSL)

Decision procedures for QSLDecision procedures for QSL Difference Decision Diagrams (DDD): Möller, CADE02 Using Boolean Methods : Seshia and Bryant, CAV03

– 35 –

3-stage DLX pipeline (CMU-ISA)3-stage DLX pipeline (CMU-ISA)

Pipelined processor modelPipelined processor model 3-stage (Fetch-Decode, Execute, Write-back)

Stalling, forwarding Boolean state elements

Read/write enables, op-code etc. Integer state elements

Register identifiers, data value, program counter Function state elements

Unbounded Register file Uninterpreted function symbols

ALU, initial state of register file

Checking equivalence with an ISA modelChecking equivalence with an ISA model Contains user visible state elements

Program counter, register fileSame uninterpreted function for ALU, initial state of register file

– 36 –

ResultsResults

Complexity of QSF formula for 3 steps of simulationComplexity of QSF formula for 3 steps of simulation 43 integer variables 6 quantifier alternations ~800 nodes in the DAG for the formula

BDD-Based, DDD-based BDD-Based, DDD-based > 1GB

QBF-Based [Quaffle, QBF, …]QBF-Based [Quaffle, QBF, …] Times out

SAT Based Quantifier EliminationSAT Based Quantifier Elimination Too many enumerations

Verified a simplified modelVerified a simplified model Remove some state elements or 1 pipeline stage BDD-based approach finishes in less than 10s

– 37 –

Related WorkRelated Work

Hojati, Isles and Brayton, CAV ’98Hojati, Isles and Brayton, CAV ’98 Generates reachable states for the Boolean part of the state Less expressive logic (no , no ordered structures) Use a syntactic convergence test

Subsumed by our semantic criteria

Multiway decision graphs, FMSD ‘97Multiway decision graphs, FMSD ‘97 BDD-like canonical data structures with terms Does not handle function state variables Starts from a general initial state for termination Can handle first order temporal logic queries

– 38 –

Conclusions and Future DirectionsConclusions and Future Directions

Convergence checkingConvergence checking New formulation Based on reduction to QSL

Application to theorem provingApplication to theorem proving Proving Second order formulas with 1 quantifier alternation

Computationally expensiveComputationally expensive Large number of quantifier alternations

Relax functional consistency across different stepsRelax functional consistency across different steps Fewer constraints, simpler formula

Use “matching” to reduce to Boolean formulaUse “matching” to reduce to Boolean formula QBF solvers are not mature Similar to quantifier instantiation Instantiate second order function variables

– 39 –

Questions Questions

– 40 –

ConclusionsConclusions

Provided a convergence definitionProvided a convergence definition

Computationally expensiveComputationally expensive Translation to QSF/QBF

– 41 –

ExampleExample

Symbols Symbols X = { x : INT, y : INT, m : BOOL } # state variables K = { f , a } # system parameters I = { } # input symbols


x = a

q0y = a

q0m = true

Next StateNext State x = ITE(m,f(x),x)

y = ITE(m,y,f(y))

m = m

– 43 –


1. ’ Obtain a normal form of Obtain a normal form of

2.2. Obtain a topological ordering Obtain a topological ordering gg11,…,g,…,gnn of “atomic” of “atomic” function/predicate applicationsfunction/predicate applications

3. ” Replace Replace ggii by by vvii in in ’

4.4. Get Ackerman’s constraints for Get Ackerman’s constraints for ggii f(x),f(x), ggjj f(y)f(y)

1. C (x = y vi = vj )

5.5. Construct Construct CCAA, C, CBB

If f A then CA C CA

If f B then CB C CB

6. s QQ11 vv1 1 …… QQnn vvn n [[CCA A (CCB B ”) ]]

Qi , if top-func-symbol(gi) A

, otherwise

– 44 –

Syntactic vs. SemanticSyntactic vs. Semantic

carnegie mellon university convergence testing in term-level bounded model checking randal e. bryant...

Documents

y f y slide

state x

y alualu f slide

convergence slide

trueffaffa property

f predicate definition

wa slide

equation t