A First-Order Logic based Framework for Verifying Simulations

Hui Meen Nyew, Nilufer Onder, Soner Onder and Zhenlin Wang
Dept. of Computer Science
Michigan Technological University
Houghton, MI 49931
{hnyew,nilufer,soner,zlwang}@mtu.edu

Abstract

Modern science relies on simulation techniques for understanding phenomenon, exploring design options, or evaluating models. Assuring the correctness of simulators is a key problem where a multitude of solutions ranging from manual inspection to formal verification are applicable. Formal verification incorporates the rigor necessary but not all simulators are generated from formal specifications. Manual inspection is readily available but lacks the rigor and is prone to errors. In this paper, we describe an automated verification system (AVS) where the constraints that the system must adhere to are specified by the user in general purpose first-order logic. AVS translates these constraints into a verification program that scans the simulator trace and verifies that no constraints are violated. The advantage is the ability to verify any simulator trace using a formal specification of domain facts. Computer microarchitecture simulations were used to demonstrate the proposed approach. The system was implemented successfully to yield preliminary results.

Introduction

Contemporary computer processor design inherently relies on simulating new processors before they are built. The design of a new architecture typically starts with instruction set design. Instruction set development and system software development usually go hand-in-hand by using a functional simulator which implements the semantics of instructions and allows running programs in a simulated environment. The design and development of the processor architecture is then carried out using much more sophisticated and detailed simulators that can provide accurate information about how many processor cycles it will take to execute a given program under the new design. These simulators are called cycle accurate simulators and their implementation typically takes tens of thousands of lines of high-level program code, such as C. Once satisfactory results are obtained, the rest of the design is carried out with the help of gate-level and circuit-level simulators, which can provide detailed information about attainable clock speeds as well as the estimated power consumption of the target processor before it is built.

Formal techniques are increasingly being used at various levels of the design process. At the cycle-accurate level, domain specific architecture description languages allow efficient automatic generation of cycle-accurate processors, at the same time making it easier to apply formal validation techniques. Examples of such languages include Mimola, nML, Lisa, Expression, ASIP Meister, TIE, Madl, ADL++, GNR, among others (Mishra and Dutt 2008). However, because of the enormous complexity involved, application of such formal techniques are limited. Furthermore, hand-coded simulators are still widely used as companies rely on their developed code base to improve future versions of existing processors. In this domain, verification of simulators is still a difficult task and remains an area dominated by ad-hoc techniques, except for simpler embedded processors where a formal specification language is used to describe the architectural details.

Our motivation therefore in developing AVS has been to provide a formal means of verification outside the developed simulator. In this paper, we describe a general purpose automated verification system (AVS) which can be widely applied both to traditional hand-written simulators as well as to those generated from a formal specification. AVS has been implemented and tested on microarchitecture simulations.

System overview

The AVS system verifies a set of user specified constraints in a trace file generated by a simulator. The trace file contains a sequence of events, \( \xi \), represented as n-tuples: \( \xi = < e_1, \ldots, e_n > \) where, \( e_i \) refers to an attribute of an event, each \( e_i \in E_i \), and \( E_i \) is the domain of \( e_i \). For example, \( \xi = < a, c, s, t > \) is an an event generated by a processor simulator where \( a \) is the address of an instruction, \( c \) is the instance number of the instruction (each instruction can execute multiple times), \( s \) is the pipeline stage, and \( t \) is the cycle time of the event. A constraint is a quantified statement that includes arithmetic and Boolean expressions and contains the domain facts specified by the user. For example, the following constraint specifies that each instruction that goes through the instruction decode (ID) stage should go through the instruction issue (II) stage unless a rollback that flushes the pipeline occurs.

\[
\text{forall } z \in T \text{ exists } y \in T, z.\text{stage}\neq\text{ID}
\]
forall consists of nested loops to check the simulation verification. Fig. 1 depicts a sample program that more independent C++ programs that perform the actual statements and the constraints as input and creates one or A VS. The compiler takes the specification of first-order logic and dependency constraints. Resource contraints ensure that the next step will be to analyze the temporal relationships in the memory requirements are also significantly reduced. Our advantage of using sliding windows is to allow the algorithm to process very large input or infinite streams. The time and efficiency gains, it will be helpful to further restrict the language to a precondition-effect based temporal language such as Planning Domain Definition Language (PDDL) (Fox and Long 2003).

The current AVS implementation uses a sliding window (Mannila, Toivonen, and Inkeri Verkamo 1997) to check the constraints using a window size specified by the user. The advantage of using sliding windows is to allow the algorithm to process very large input or infinite streams. The time and memory requirements are also significantly reduced. Our next step will be to analyze the temporal relationships in the constraints and automatically compute the window size by using the maximum distance. Due to space restrictions, we show only the highlights of the algorithm. Further details can be found in the longer version of the paper (Nyew et al. 2013).

In addition to modeling the pipeline, we coded resource and dependency constraints. Resource constraints ensure that only the available number of resources are used. For example only as many memory instructions as the number of memory ports can complete simultaneously. An example of a dependency constraint is shown below. It specifies that two dependent instructions must be ordered.

\[
\begin{align*}
\text{forall } z \in \text{REG}_T & \text{ forall } y \in \text{REG}_T \\
& \exists w \in \text{STAGE}_T, \exists w' \in \text{STAGE}_T, \\
& \text{if } w'.\text{iter} > y.\text{iter} \text{ and } w'.\text{dir} = \text{SRC} \text{ and } \\
& \text{y.dir} = \text{DEST} \text{ and } w'.\text{reg} = y.\text{reg} \text{ then } \\
& (x.\text{addr} = w'.\text{addr} \text{ and } x.\text{count} = w'.\text{count} \text{ and } \\
& x.\text{stage} = \text{EX} \text{ and } w.\text{addr} = y.\text{addr} \text{ and } \\
& w.\text{count} = y.\text{count} \text{ and } w.\text{stage} = \text{EX} \text{ and } x.\text{time} < w'.\text{time}); \\
\end{align*}
\]

Currently, we leave it to the constraint programmer to feed multiple parallel constraints separately as different inputs or merge them as one input. In the short term, the former approach will help generate multiple verifiers to enforce different types of constraints. For instance, we can generate one verifier for time constraints and one for resources. Multiple verifiers can run in parallel to take advantage of the computing power provided by modern machines.

**Conclusion**

We described a verification system for microarchitecture simulations. The system uses domain facts written by the user in first-order logic to scan the trace generated by a simulator and shows if any constraints are violated. Our implementation and preliminary experiments show that this approach is feasible. In addition to being able to verify basic facts, we noticed that the framework helps the user to iteratively improve the constraints. For instance, we had initially coded the example constraint to require each instruction’s ID stage to be followed by an II stage. When the trace file failed the verification process, we coded the second part of the constraint which tells that a processor “rollback” causes the pipeline to be flushed and instructions are discarded before fully executing. Our future work involves improving the performance of AVS in two dimensions. First, microarchitecture simulators typically generate gigabytes of data. We plan to apply stream-mining techniques to address this issue. Second, the user needs to specify a window size for the verifier to execute efficiently. For domains where a window size cannot be specified or the window size is too large to bring efficiency gains, it will be helpful to further restrict the language to a precondition-effect based temporal language such as Planning Domain Definition Language (PDDL) (Fox and Long 2003).

**References**


**Algorithm 1**

Translation for “forall z in T exists y in T”

**Input:** Trace T

**Output:** status

1. for all windows w in T do
2. for all z ∈ w do
3. zStatus ← FALSE
4. for all y ∈ w do
5. yStatus ← FALSE
6. if statements = TRUE then
7. zStatus ← TRUE
8. yStatus ← TRUE
9. end if
10. if yStatus = TRUE then
11. break
12. end if
13. end for
14. end for
15. if zStatus = FALSE then
16. status ← FALSE
17. return
18. end if
19. end for
20. end for
21. status ← TRUE
22. return

iff y.addr=z.addr and y.count=z.count
and (y.stage==II or (y.stage==ROLLBACK and y.time>=z.time));

We used Flex and Bison to implement a compiler for AVS. The compiler takes the specification of first-order logic statements and the constraints as input and creates one or more independent C++ programs that perform the actual simulations. The system uses domain facts written by the user in first-order logic to scan the trace generated by a simulator and shows if any constraints are violated. Our implementation and preliminary experiments show that this approach is feasible. In addition to being able to verify basic facts, we noticed that the framework helps the user to iteratively improve the constraints. For instance, we had initially coded the example constraint to require each instruction’s ID stage to be followed by an II stage. When the trace file failed the verification process, we coded the second part of the constraint which tells that a processor “rollback” causes the pipeline to be flushed and instructions are discarded before fully executing. Our future work involves improving the performance of AVS in two dimensions. First, microarchitecture simulators typically generate gigabytes of data. We plan to apply stream-mining techniques to address this issue. Second, the user needs to specify a window size for the verifier to execute efficiently. For domains where a window size cannot be specified or the window size is too large to bring efficiency gains, it will be helpful to further restrict the language to a precondition-effect based temporal language such as Planning Domain Definition Language (PDDL) (Fox and Long 2003).