A SAT-Based Procedure for Verifying Finite State Machines in ACL2 - - PowerPoint PPT Presentation



SLIDE 1

A SAT-Based Procedure for Verifying Finite State Machines in ACL2

Warren A. Hunt, Jr. and Erik Reeber {reeber,hunt}@cs.utexas.edu

ACL2 Workshop, August 16, 2006

The University of Texas

SLIDE 2

August 16, 2006 ACL2 2006 2

Introduction

  • The ACL2 theorem prover is great
    – Scalable to large industrial verification problems
  • But…
    – Proofs require a lot of human effort
    – Computer could do more
      • Especially when in decidable domains
  • Identify a decidable subclass of ACL2 properties
    – Based on tree structures
  • New ACL2 hint for proving properties in this domain
    – Available in a future version of ACL2

SLIDE 3

Presentation Overview

  • Focus is on what you can do with the new hint
    – If you want to know how it works
      • Read paper
      • Look at code: www.cs.utexas.edu/users/reeber
  • Outline
    – Demo
    – Performance Results
    – Hardware Verification Methodology
    – Application: TRIPS Processor Components
    – Future Work
    – Conclusion

SLIDE 4

Demo

SLIDE 5

Performance Results

[Chart: Time(s) for the ACL2 Clausifier, BDD Engine and SAT Engine on the benchmarks 4-bit Add Assoc, 32-bit Add Assoc, 200-bit Add Assoc, 32x6 Shift-0, 64x7 Shift-0, 32x4 Add-Shift, 64x6 Add-Shift and 100 Digit Dec Inv]

SLIDE 6

Lines of Code

[Chart: # Lines for the ACL2 Clausifier, BDD Engine and SAT Engine on the benchmarks 4-bit Add Assoc, 32-bit Add Assoc, 200-bit Add Assoc, 32x6 Shift-0, 64x7 Shift-0, 32x4 Add-Shift, 64x6 Add-Shift and 100 Digit Dec Inv]

SLIDE 7

Hardware Verification Methodology

[Diagram: artifacts SULFA Properties, ACL2 Model, ACL2 Spec, DE2 Design, Verilog Design, and English Spec, C Model and Test Suite; the steps linking them are SAT-Based Decision Procedure, Guided Proof, Verifying Compiler, Manual Translation, Compiler, and Testing & Inspection]

SLIDE 8

TRIPS LSQ

  • TRIPS Processor
    – Designed and built at University of Texas and IBM
  • Prototype next-generation processor
    – Multi-core, speculative, pipelined processor
      • 4 memory partitions, 16 ALUs
      • 256 speculative out-of-order instructions, partitioned into eight instruction blocks
  • Load Store Queue (LSQ)
    – Queue for speculative loads and stores not ready for cache
    – Four LSQ tiles, one for each memory partition
  • Verified LSQ internal communication protocol

SLIDE 9

Exception Mask Protocol

  • Exception can occur at each tile
  • Each tile stores a mask of known exceptions
  • Mask sent up each cycle
  • Eventually every exception is known by Tile 0
  • Global flushes remove exceptions

[Diagram: Tile 0, Tile 1, Tile 2 and Tile 3, each with Flush_mask, Local_Except, UDT_EX_Mask and DDT_EX_Mask; three REG stages; signals T0_Except, T1_Except, T2_Except, T3_Except, Flush_mask and Exception_mask]

SLIDE 10

Verification of Exception Protocol

  • Compiled Verilog design into DE2
  • Compiled DE2 into ACL2 model
    – Proven equivalence
  • Wrote single-tile exception model
  • Specification:
    – Safety. Tile 0 reports a subset of the exceptions reported by the single-tile model
    – Liveness. Eventually every exception produced by the single-tile model is reported by Tile 0.

SLIDE 11

Exception Protocol Safety Property

(defthm specification-miss-exception-safety
  (implies (and (integerp tao)
                (<= 0 tao)
                (Tth-valid-inputsp tao input-list))
           (submaskp 8
                     (acl2v-udt_miss_ordering_exceptions
                      *t0*
                      (Tth-model-state tao input-list)
                      (nth tao input-list))
                     (spec-miss-exceptions (Tth-spec-state tao input-list)
                                           (nth tao input-list)))))

  • Tile 0 reports a subset of the exceptions reported by the single-tile model

SLIDE 12

Safety Invariant Properties

(defthm miss-order-inv-implies-thm
  (implies (and (miss-order-inv proof-st)
                (inputs-goodp proof-st ins))
           (submaskp 8
                     (acl2v-udt_miss_ordering_exceptions
                      *t0*
                      (proof-st-dsn-state proof-st)
                      ins)
                     (update-proof-st-0th-miss-mask *t0* proof-st ins)))
  :hints (("Goal" :external (sat nil sat::$sat))))

(defthm miss-order-inv-is-invariant-step
  (implies (and (inputs-goodp proof-st ins)
                (miss-order-inv proof-st))
           (miss-order-inv (update-proof-state proof-st ins)))
  :hints (("Goal" :external (sat nil sat::$sat))))

SLIDE 13

Liveness Property

  • Eventually every exception produced by the single-tile model is reported by Tile 0
  • ACL2 Specification
    – Prove theorem below
    – Use defun-sk definition on next slide
  • Proof process same as before
    – Unable to prove invariant directly with SAT

(defthm specification-miss-exception-liveness
  (implies (and (integerp tao)
                (<= 0 tao))
           (eventually-1T-miss-subset-of-4T-P tao input-list)))

SLIDE 14

Liveness Property Defun-sk

(defun-sk eventually-1T-miss-subset-of-4T-P (tao input-list)
  (exists (tao-prime)
    (and (integerp tao-prime)
         (<= tao tao-prime)
         (implies (Tth-valid-inputsp tao-prime input-list)
                  (submaskp 8
                            (spec-miss-exceptions (Tth-spec-state tao input-list)
                                                  (nth tao input-list))
                            (bv-or 8
                                   (recent-flushes tao tao-prime input-list)
                                   (acl2v-udt_miss_ordering_exceptions
                                    *t0*
                                    (Tth-model-state tao-prime input-list)
                                    (nth tao-prime input-list))))))))
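As an added illustration of the safety invariant-step lemma and the bounded liveness witness above (not code from the paper, the TRIPS design or the ACL2 model), the following Python checks a simplified, constructed four-tile exception-mask protocol by exhaustively enumerating one bit slice, standing in for the SAT call. The tile update rule, the single-tile spec rule and the reading of recent-flushes as the flush inputs at cycles tao..tao'-1 are assumptions, stated in the comments.

```python
"""Bit-slice bounded model check of a simplified exception-mask protocol.
Added example (not the authors' ACL2 model).  Assumed design, four tiles:
  mask[t]' = (mask[t] | local[t] | mask[t+1]) & ~flush   (tile 3: no upstream)
  spec'    = (spec | local[0] | ... | local[3]) & ~flush  (single-tile spec)
Bitwise logic only, so an 8-bit mask is checked one bit slice at a time."""
from itertools import product

TILES = 4

def step(state, local, flush):
    """One cycle of the 4-tile design and the single-tile spec on one bit slice."""
    masks, spec = state
    new = []
    for t in range(TILES):
        upstream = masks[t + 1] if t + 1 < TILES else 0
        new.append((masks[t] | local[t] | upstream) & ~flush & 1)
    return tuple(new), (spec | max(local)) & ~flush & 1

def safety_inv(state):
    """Every tile's mask is a submask of the spec (1-bit analogue of submaskp 8)."""
    masks, spec = state
    return all(m <= spec for m in masks)

def live_inv(state):
    """Safety plus: a bit pending in the spec is held by at least one tile."""
    return safety_inv(state) and (state[1] == 0 or max(state[0]) == 1)

def slices():
    """All (4-tuple of bits, bit) pairs; used both as states and as inputs."""
    return [(v[:TILES], v[TILES]) for v in product((0, 1), repeat=TILES + 1)]

def is_inductive(inv):
    """inv(state) under arbitrary inputs implies inv(next state): the shape of
    miss-order-inv-is-invariant-step, discharged here by enumeration."""
    return all(inv(step(s, l, f)) for s in slices() if inv(s) for l, f in slices())

def liveness_holds(k):
    """Bounded defun-sk check: from every live_inv state with the bit pending in
    the spec, for every k-cycle input sequence the bit is flushed in the window
    (flushes at cycles tao..tao'-1, assumed) or visible at tile 0 by tao + k."""
    for state in slices():
        if not live_inv(state) or state[1] == 0:
            continue
        for seq in product(slices(), repeat=k):
            st, done = state, state[0][0] == 1
            for local, flush in seq:
                st = step(st, local, flush)
                done = done or flush == 1 or st[0][0] == 1
            if not done:
                return False  # this input sequence is a liveness counterexample
    return True
```

Running liveness_holds with safety_inv in place of live_inv fails on the unreachable state where the spec holds a bit that no tile holds, which is why the liveness argument needs the strengthened invariant rather than the safety invariant alone.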

SLIDE 15

Store Mask Protocol

  • Each tile produces a mask of arrived stores
  • Protocol more complex than exception protocol
    – Up to 256 entries in store mask
    – Store mask sent to both neighbors
  • Specification & verification methodology similar to exception protocol
  • Analysis
    – Problem size: ~1500 Boolean variables
    – 130 hours of human effort
    – Multi-hour proof
  • Improvement over pure theorem proving
    – Counter examples especially helpful

SLIDE 16

Future Work

  • More applications
    – Full LSQ design
    – n-tile circuit generator
  • Performance improvements
    – Try the new BDD system
  • Expand SULFA
    – Constrained functions
    – Limited arithmetic
  • Add to ACL2 “waterfall”
  • Verify proof engine
    – Theoretical issues: function body, proof of termination
    – Practical issues: complex code, large clause inputs
  • Counter-example guided refinement

SLIDE 17

Conclusion

  • Defined decidable subclass of ACL2 formulas
    – Includes primitives if, cons, car, cdr, consp, and equal
    – Can be extended with user-defined functions
  • New hint for proving properties in this subclass
    – Fully automatic
    – Generates counter-examples to invalid properties
  • Applying to TRIPS processor
    – Multi-core, pipelined, out-of-order processor
    – Combining SAT-based reasoning with pure theorem proving
    – Solid improvement over pure theorem proving

SLIDE 18

Backup Slides

SLIDE 19

Single-Tile Exception Model

  • Wrote a single-tile model in ACL2
  • The full mask of exceptions is generated each cycle

* This input has been modified: an exception is disabled if it occurs in an instruction that has already been flushed.

[Diagram: blocks NOT, four EN-DECODE, OR, AND and REG; signals Flush_mask, T0_Except, T1_Except*, T2_Except*, T3_Except* and Spec_EX_mask; bus widths 4, 8, 4, 4, 4, 8, 8, 8, 8, 8]

SLIDE 21

Store Mask Protocol

  • Each tile keeps a mask of arrived stores
  • Used in completion detection & deferred load awakening
  • Up to three stores are sent both upward and downward at the beginning of each cycle
  • Eventually all arrived stores reach every tile
  • A flush or a commit removes stores

[Diagram: Tile 1 with Flush_mask, Commit_mask, Local_store and Store_mask; upward ports UDT0_out, UDT1_out, UDT2_out, UDT0_in, UDT1_in, UDT2_in; downward ports DDT0_out, DDT1_out, DDT2_out, DDT0_in, DDT1_in, DDT2_in; neighbours Tile 0… and Tile 2…; REG stages carrying Commit_mask and Flush_mask]

SLIDE 22

Single-Tile Store Model

  • Similar to single-tile exception mask

* This input has been modified: an exception is disabled if it occurs in an instruction that has already been flushed.

[Diagram: blocks NOR, four EN-DECODE, OR, AND, REG and Expand Mask; signals Flush_mask, Commit_mask, T0_Store, T1_Store*, T2_Store*, T3_Store* and Store_mask; bus widths 9, 9, 9, 9, 256, 8, 256, 256]