Results 11  20
of
48
Automatic Verification of Safety and Liveness for XScaleLike Processor Models Using WEBRefinements
 In Design Automation and Test in Europe, DATE’04
, 2003
"... We show how to automatically verify that a complex XScalelike pipelined machine model is a WEBrefinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEBrefinement proof obligation ..."
Abstract

Cited by 23 (11 self)
 Add to MetaCart
(Show Context)
We show how to automatically verify that a complex XScalelike pipelined machine model is a WEBrefinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEBrefinement proof obligation to a formula in the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). We use UCLID to transform the resulting CLU formula into a CNF formula, which is then checked with a SAT solver. We define several XScalelike models with out of order completion, including models with precise exceptions, branch prediction, and interrupts. We use two types of refinement maps. In one, flushing is used to map pipelined machine states to instruction set architecture states; in the other, we use the commitment approach, which is the dual of flushing, since partially completed instructions are invalidated. We present experimental results for all the machines modeled, including verification times. For our application, we found that the SAT solver Siege provides superior performance over Chaff and that the amount of time spent proving liveness when using the commitment approach is less than 1% of the overall verification time, whereas when flushing is employed, the liveness proof accounts for about 10% of the verification time.
A lazy and layered SMT(BV) solver for hard industrial verification problems
 In Computer Aided Verification (CAV), LNCS
, 2007
"... Abstract. Rarely verification problems originate from bitlevel descriptions. Yet, most of the verification technologies are based on bit blasting, i.e., reduction to boolean reasoning. In this paper we advocate reasoning at higher level of abstraction, within the theory of bit vectors (BV), where s ..."
Abstract

Cited by 19 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Rarely verification problems originate from bitlevel descriptions. Yet, most of the verification technologies are based on bit blasting, i.e., reduction to boolean reasoning. In this paper we advocate reasoning at higher level of abstraction, within the theory of bit vectors (BV), where structural information (e.g. equalities, arithmetic functions) is not blasted into bits. Our approach relies on the lazy Satisfiability Modulo Theories (SMT) paradigm. We developed a satisfiability procedure for reasoning about bit vectors that carefully leverages on the power of boolean SAT solver to deal with components that are more naturally “boolean”, and activates bitvector reasoning whenever possible. The procedure has two distinguishing features. First, it relies on the online integration of a SAT solver with an incremental and backtrackable solver for BV that enables dynamical optimization of the reasoning about bit vectors; for instance, this is an improvement over static encoding methods which may generate smaller slices of bitvector variables. Second, the solver for BV is layered (i.e., it privileges cheaper forms of reasoning), and it is based on a flexible use of term rewriting techniques. We evaluate our approach on a set of realistic industrial benchmarks, and demonstrate substantial improvements with respect to stateoftheart boolean satisfiability solvers, as well as other decision procedures for SMT(BV). 1
QB or not QB: An efficient execution verification tool for memory orderings
 In ComputerAided Verification (CAV), LNCS 3114
, 2004
"... Abstract. We study the problem of formally verifying shared memory multiprocessor executions against memory consistency models—an important step during postsilicon verification of multiprocessor machines. We employ our previously reported style of writing formal specifications for shared memory mod ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We study the problem of formally verifying shared memory multiprocessor executions against memory consistency models—an important step during postsilicon verification of multiprocessor machines. We employ our previously reported style of writing formal specifications for shared memory models in higher order logic (HOL), obtaining intuitive as well as modular specifications. Our specification consists of a conjunction of rules that constrain the global visibility order. Given an execution to be checked, our algorithm generates Boolean constraints that capture the conditions under which the execution is legal under the visibility order. We initially took the approach of specializing the memory model HOL axioms into equivalent (for the execution to be checked) quantified boolean formulae (QBF). As this technique proved inefficient, we took the alternative approach of converting the HOL axioms into a program that generates a SAT instance when run on an execution. In effect, the quantifications in our memory model specification were realized as iterations in the program. The generated Boolean constraints are satisfiable if and only if the given execution is legal under the memory model. We evaluate two different approaches to encode the Boolean constraints, and also incremental techniques to generate and solve Boolean constraints. Key results include a demonstration that we can handle executions of realistic lengths for the modern Intel Itanium memory model. Further research into proper selection of Boolean encodings, incremental SAT checking, efficient handling of transitivity, and the generation of unsatisfiable cores for locating errors are expected to make our technique practical. 1
Refinement Maps for Efficient Verification of Processor Models
 In Design Automation and Test in Europe, DATE’05
, 2005
"... While most of the effort in improving verification times for pipeline machine verification has focused on faster decision procedures, we show that the refinement maps used also have a drastic impact on verification times. We introduce a new class of refinement maps for pipelined machine verification ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
(Show Context)
While most of the effort in improving verification times for pipeline machine verification has focused on faster decision procedures, we show that the refinement maps used also have a drastic impact on verification times. We introduce a new class of refinement maps for pipelined machine verification, and using the stateoftheart verification tools UCLID and Siege we show that one can attain several orders of magnitude improvements in verification times over the standard flushingbased refinement maps, even enabling the verification of machines that are too complex to otherwise automatically verify. 1.
SWORD: a SAT like prover using word level information
 in Int’l Conference on Very Large Scale Integration, 2007
"... Abstract — Solvers for Boolean Satisfiability (SAT) are stateoftheart to solve verification problems. But when arithmetic operations are considered, the verification performance degrades with increasing datapath width. Therefore, several approaches that handle a higher level of abstraction have ..."
Abstract

Cited by 13 (5 self)
 Add to MetaCart
(Show Context)
Abstract — Solvers for Boolean Satisfiability (SAT) are stateoftheart to solve verification problems. But when arithmetic operations are considered, the verification performance degrades with increasing datapath width. Therefore, several approaches that handle a higher level of abstraction have been studied in the past. But the resulting solvers are still not robust enough to handle problems that mix word level structures with bit level descriptions. In this paper, we present the satisfiability solver SWORD – a SAT like solver that facilitates word level information. SWORD represents the problem in terms of modules that define operations over bit vectors. Thus, word level information and structural knowledge become available in the search process. The experimental results show that on our benchmarks SWORD is more robust than Boolean SAT, K*BMDs or SMT. I.
Optimizations for compiling declarative models into Boolean formulas
 In 8th International Conference on Theory and Applications of Satisfiability Testing (SAT 2005), St.Andrews
, 2005
"... Abstract. Advances in SAT solver technology have enabled many automated analysis and reasoning tools to reduce their input problem to a SAT problem, and then to use an efficient SAT solver to solve the underlying analysis or reasoning problem. The solving time for SAT solvers can vary substantially ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Advances in SAT solver technology have enabled many automated analysis and reasoning tools to reduce their input problem to a SAT problem, and then to use an efficient SAT solver to solve the underlying analysis or reasoning problem. The solving time for SAT solvers can vary substantially for semantically identical SAT problems depending on how the problem is expressed. This property motivates the development of new optimization techniques whose goal is to produce more efficiently solvable SAT problems, thereby improving the overall performance of the analysis or reasoning tool. This paper presents our experience using several mechanical techniques that enable the Alloy Analyzer to generate optimized SAT formulas from firstorder logic formulas. These techniques are inspired by similar techniques from the field of optimizing compilers, suggesting the potential presence of underlying connections between optimization problems from two very different domains. Our experimental results show that our techniques can deliver substantial performance improvement results—in some cases, they reduce the solving time by an order of magnitude. 1
Adaptive Eager Boolean Encoding for Arithmetic Reasoning in Verification
, 2005
"... senting the official policies, either expressed or implied, of any sponsoring institution, the U.S. Government, or any other entity. ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
senting the official policies, either expressed or implied, of any sponsoring institution, the U.S. Government, or any other entity.
From Propositional Satisfiability to Satisfiability Modulo Theories
 In Theory and Applications of Satisfiability Testing (SAT
, 2006
"... Abstract. In this paper we present a review of SATbased approaches for building scalable and efficient decision procedures for quantifierfree firstorder logic formulas in one or more decidable theories, known as Satisfiability Modulo Theories (SMT) problems. As applied to different system verific ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we present a review of SATbased approaches for building scalable and efficient decision procedures for quantifierfree firstorder logic formulas in one or more decidable theories, known as Satisfiability Modulo Theories (SMT) problems. As applied to different system verification problems, SMT problems comprise of different theories including fragments of elementary theory of numbers, the theory of arrays, the theory of list structures, etc. In this paper we focus on different DPLLstyle satisfiability procedures for decidable fragments of the theory of integers. Leveraging the advances made in SAT solvers in the past decade, we introduce several SATbased SMT solving methods that in many applications have outperformed classical decision methods. Aside from the classical method of translating the SMT formula to a purely Boolean problem, in recent methods, a SAT solver is utilized to serve as the “glue ” that ties together the different theory atoms and forms the basis for reasoning and learning within and across them. Several methods have been developed to provide a combination framework for implications to flow through the theory solvers and to possibly activate other theory atoms based on the current assignments. Similarly, conflictbased learning is also extended to enable the creation of learned clauses comprising of the combination of theory atoms. Additional methods unique to one or more types of theory atoms have also been proposed that learn more expressive constraints and significantly increase the pruning power of these combination schemes. We will describe several combination strategies and their impact on scalability and performance of the overall solver in different settings and applications. 1
Verification of executable pipelined machines with bitlevel interfaces
 In ICCAD2005, International Conference on ComputerAided Design
, 2005
"... Abstract — We show how to verify pipelined machine models with bitlevel interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify away the datapath, require the use of numerous abstractions, i ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
(Show Context)
Abstract — We show how to verify pipelined machine models with bitlevel interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify away the datapath, require the use of numerous abstractions, implement a small subset of the instruction set, and are far from executable. In contrast, we focus on verifying executable machines with bitlevel interfaces. Such proofs have previously required substantial expert guidance and the use of deductive reasoning engines. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bitlevel machine refines its instruction set architecture to a proof that a term level abstraction of the bitlevel machine refines the instruction set architecture, which is then handled automatically by UCLID. In this way, we exploit the strengths of ACL2 and UCLID to prove theorems that are not possible to even state using UCLID and that would require prohibitively more effort using just ACL2. I.
SDSAT: Tight Integration of Small Domain Encoding and Lazy Approaches in a Separation Logic Solver
 In Proc. TACAS’06, volume 3920 of LNCS
, 2006
"... Existing difference logic (DL) solvers can be broadly classified as eager or lazy, each with its own merits and demerits. We propose a novel difference logic solver SDSAT that combines the strengths of both these approaches and provides a robust performance over a wide set of benchmarks. The solver ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
Existing difference logic (DL) solvers can be broadly classified as eager or lazy, each with its own merits and demerits. We propose a novel difference logic solver SDSAT that combines the strengths of both these approaches and provides a robust performance over a wide set of benchmarks. The solver SDSAT works in two phases: allocation and solve. In the allocation phase, it allocates nonuniform adequate ranges for variables appearing in difference predicates. This phase is similar to previous small domain encoding approaches, but uses a novel algorithm NuSMOD with 12 orders of magnitude improvement in performance and smaller ranges for variables. Furthermore, the difference logic formula is not transformed into an equisatisfiable Boolean formula in a single step, but rather done lazily in the following phase. In the solve phase, SDSAT uses a lazy refinement approach to search for a satisfying model within the allocated ranges. Thus, any partially DLtheory consistent model can be discarded if it cannot be satisfied within the allocated ranges. Note the crucial difference: in eager approaches, such a partially consistent model is not allowed in the first place, while in lazy approaches such a model is never discarded. Moreover, we dynamically refine the allocated ranges and search for a feasible solution within the updated ranges. This combined approach benefits from both the smaller search space (as in eager approaches) and also from the theoryspecific graphbased algorithms (characteristic of lazy approaches). Experimental results show that our method is robust and always better than or comparable to stateofthe art solvers using similar eager or lazy techniques.