Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Background
Experimental Evaluation
Conclusions
References
All Topics
Computer Science
Distributed Systems

Applying SMT in symbolic execution of microcode

Profile image of Roberto SebastianiRoberto Sebastiani

Abstract

Microcode is a critical component in modern microprocessors, and substantial effort has been devoted in the past to verify its correctness. A prominent approach, based on symbolic execution, traditionally relies on the use of boolean SAT solvers as a backend engine. In this paper, we investigate the application of Satisfiability Modulo Theories (SMT) to the problem of microcode verification. We integrate MathSAT, an SMT solver for the theory of Bit Vectors, within the flow of microcode verification, and experimentally evaluate the effectiveness of some optimizations. The results demonstrate the potential of SMT technologies over pure boolean SAT.

Related papers

Beaver: Engineering an Efficient SMT Solver for Bit-Vector Arithmetic
Susmit Jha

Computer Aided Verification, 2009

We present the key ideas in the design and implementation of Beaver, an SMT solver for quantifier-free finite-precision bit-vector logic (QF BV). Beaver uses an eager approach, encoding the original SMT problem into a Boolean satisfiability (SAT) problem using a series of word-level and bit-level transformations. In this paper, we describe the most effective transformations, such as propagating constants and equalities at the word-level, and using and-inverter graph rewriting techniques at the bit-level. We highlight implementation details of these transformations that distinguishes Beaver from other solvers. We present an experimental analysis of the effectiveness of Beaver's techniques on both hardware and software benchmarks with a selection of back-end SAT solvers. Beaver is an open-source tool implemented in Ocaml, usable with any backend SAT engine, and has a well-documented extensible code base that can be used to experiment with new algorithms and techniques.

View PDFchevron_right
STABLE: A new QF-BV SMT solver for hard verification problems combining Boolean reasoning with computer algebra
Gert-Martin Greuel

2011 Design, Automation & Test in Europe, 2011

This paper presents a new SMT solver, STABLE, for formulas of the quantifier-free logic over fixed-sized bit vectors (QF-BV). The heart of STABLE is a computer-algebra-based engine which provides algorithms for simplifying arithmetic problems of an SMT instance prior to bit-blasting. As the primary application domain for STABLE we target an SMT-based property checking flow for System-on-Chip (SoC) designs. When verifying industrial data path modules we frequently encounter custom-designed arithmetic components specified at the logic level of the hardware description language being used. This results in SMT problems where arithmetic parts may include non-arithmetic constraints. STABLE includes a new technique for extracting arithmetic bit-level information for these nonarithmetic constraints. Thus, our algebraic engine can solve subproblems related to the entire arithmetic design component. STABLE was successfully evaluated in comparison with other state-of-the-art SMT solvers on a large collection of SMT formulas describing verification problems of industrial data path designs that include multiplication. In contrast to the other solvers STABLE was able to solve instances with bit-widths of up to 64 bits.

View PDFchevron_right
Efficiently Solving Quantified Bit-Vector Formulas Formal Methods
Christoph Wintersteiger

In recent years, bit-precise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifier-free fragment of bit-vector logic exist and often rely on SAT solvers for efficiency. However, many techniques require quantifiers in bit-vector formulas to avoid an exponential blow-up during construction. Solvers for quantified formulas usually flatten the input to obtain a quantified Boolean formula, losing much of the word-level information in the formula. We present a new approach based on a set of effective word-level simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates. Experimental results on two different types of benchmarks indicate that our method outperforms the traditional flattening approach by multiple orders of magnitude of runtime.

View PDFchevron_right
Symbolic model checking using SAT procedures instead of BDDs
Alessandro Cimatti

Proceedings 1999 Design Automation Conference (Cat. No. 99CH36361), 1999

In this paper, we study the application of propositional decision procedures in hardware verification. We introduce the concept of bounded model checking. We show that bounded model checking for linear temporal logic formulas can be reduced to propositional satisfiability. We also present several optimizations that reduce the size of generated propositional formulas. To demonstrate our approach, we have implemented a tool BMC. BMC accepts a subset of the SMV language and uses state of the art SAT procedures to decide propositional satisfiability. As special cases, equivalence checking and invariant checking can also be handled. In many instances, our SAT-based approach can significantly outperform BDD-based approaches. We observe that SATbased techniques are particularly efficient in detecting errors in both combinational and sequential designs.

View PDFchevron_right
How to Optimize the Use of SAT and SMT Solvers for Test Generation of Boolean Expressions
Angelo Gargantini

The Computer Journal, 2015

In the context of automatic test generation, the use of propositional satisability (SAT) and Satisability Modulo Theories (SMT) solvers is becoming an attractive alternative to traditional algorithmic test generation methods, especially when testing Boolean expressions. The main advantages are the capability to deal with constraints over the inputs, the generation of compact test suites, and the support for fault detecting test generation methods. However, these solvers normally require more time and a greater amount of memory than classical test generation algorithms, making their applicability not always feasible in practice. In this paper we propose several ways to optimize the SAT/SMT-based process of test generation for Boolean expressions and we compare several solving tools and propositional transformation rules. These optimizations promise to make SAT/SMT-based techniques as ecient as standard methods for testing purposes, especially when dealing with Boolean expressions, as proved by our experiments.

View PDFchevron_right
Solving hard instances in QF-BV combining Boolean reasoning with computer algebra
Gert-Martin Greuel

2010

This paper describes our new satisfyability (SAT) modulo theory (SMT) solver STABLE for the quantifier-free logic over fixed size bit vectors. Our main application domain is formal verification of system-on-chip (SoC) modules designed for complex computational tasks, for example, in signal processing applications. Ensuring proper functional behavior for such modules, including arithmetic correctness of the data paths, is considered a very difficult problem. We show how methods from computer algebra can be integrated into an SMT solver such that instances can be handled where the arithmetic problem parts are specified mixing various levels of abstraction from the plain gate level for small highly optimized components up to the pure word level used in high-level specifications. If the arithmetic problem parts include multiplications such mixed problem descriptions quickly drive current SMT solvers towards their capacity limits. High performance data paths are often designed at a level...

View PDFchevron_right
Efficiently solving quantified bit-vector formulas
Christoph Wintersteiger

Proceedings of Formal Methods in …

In recent years, bit-precise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifier-free fragment of bit-vector logic exist and often rely on SAT solvers for efficiency. However, many techniques require quantifiers in bit-vector formulas to avoid an exponential blow-up during construction. Solvers for quantified formulas usually flatten the input to obtain a quantified Boolean formula, losing much of the word-level information in the formula. We present a new approach based on a set of effective word-level simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates. Experimental results on two different types of benchmarks indicate that our method outperforms the traditional flattening approach by multiple orders of magnitude of runtime.

View PDFchevron_right
A satisfiability procedure for quantified Boolean formulae
Armin Biere

Discrete Applied Mathematics, 2003

We present a satisfiability tester Qsat for quantified Boolean formulae and a restriction Qsat CNF of Qsat to unquantified conjunctive normal form formulae. Qsat makes use of procedures which replace subformulae of a formula by equivalent formulae. By a sequence of such replacements, the original formula can be simplified to true or false. It may also be necessary to transform the original formula to generate a subformula to replace. Qsat CNF eliminates collections of variables from an unquantified clause form formula until all variables have been eliminated. Qsat and Qsat CNF can be applied to hardware verification and symbolic model checking.

View PDFchevron_right
Design and results of the first satisfiability modulo theories competition (SMT-COMP 2005)
Clark Barrett

Journal of Automated Reasoning, 2005

The Satisfiability Modulo Theories Competition (SMT-COMP) is intended to spark further advances in the decision procedures field, especially for applications in hardware and software verification. Public competitions are a well-known means of stimulating advancement in automated reasoning. Evaluation of SMT solvers entered in SMT-COMP took place while CAV 2005 was meeting. Twelve solvers were entered, 1352 benchmarks were collected in seven different divisions.

View PDFchevron_right
Modular Schemes for Constructing Equivalent Boolean Encodings of Cardinality Constraints and Application to Error Diagnosis in Formal Verification of Pipelined Microprocessors
Miroslav Velev

2011

We present a novel method for generating a wide range of equivalent Boolean encodings of cardinality, while in contrast all previous Boolean encodings of cardinality have only one form. Experiments for applying this method to automated error diagnosis in formal verification of buggy variants of a complex reconfigurable VLIW processor indicate speedup of up to two orders of magnitude, relative to previous encodings of cardinality. Besides automated debugging of hardware and software, the presented Boolean encodings of cardinality have applications to many other problems.

View PDFchevron_right

References (22)

  1. T. Arons, E. Elster, L. Fix, S. Mador-Haim, M. Mishaeli, J. Shalev, E. Singerman, A. Tiemeyer, M. Y. Vardi, and L. D. Zuck. Formal verification of backward compatibility of microcode. In CAV. 2005.
  2. T. Arons, E. Elster, T. Murphy, and E. Singerman. Embedded Software Validation: Applying Formal Techniques for Coverage and Test Gener- ation. Int. Workshop on Microprocessor Test and Verification, 2006.
  3. T. Arons, E. Elster, S. Ozer, J. Shalev, and E. Singerman. Efficient symbolic simulation of low level software. In DATE. ACM, 2008.
  4. G. Audemard and L. Simon. Predicting learnt clauses quality in modern SAT solvers. In IJCAI. Morgan Kaufmann, 2009.
  5. D. Babić and A. Hu. Approximating the safely reusable set of learned facts. STTT, 11(4), Oct. 2009.
  6. C. W. Barrett, R. Sebastiani, S. A. Seshia, and C. Tinelli. Satisfiability Modulo Theories. In Biere et al. [7].
  7. Part II, Chapter 26.
  8. A. Biere, M. Heule, H. van Maaren, and T. Walsh, editors. Handbook of Satisfiability, volume 185 of Frontiers in Artificial Intelligence and Applications. IOS Press, 2009.
  9. R. Bruttomesso, A. Cimatti, A. Franzén, A. Griggio, Z. Hanna, A. Nadel, A. Palti, and R. Sebastiani. A Lazy and Layered SMT(BV) Solver for Hard Industrial Verification Problems. In CAV. 2007.
  10. R. Bruttomesso, A. Cimatti, A. Franzén, A. Griggio, and R. Sebastiani. The MathSAT 4 SMT solver. In CAV. 2008.
  11. R. Bruttomesso and N. Sharygina. A Scalable Decision Procedure for Fixed-Width Bit-Vectors. In ICCAD 2009, 2009.
  12. N. Eén and N. Sörensson. Temporal induction by incremental SAT solving. Electronic Notes in Theoretical Computer Science, 89(4), 2003.
  13. A. Franzén. Efficient Solving of the Satisfiability Modulo Bit-Vectors Problem and Some Extensions to SMT. PhD thesis, DISI -University of Trento, 2010.
  14. P. Godefroid, M. Y. Levin, and D. Molnar. Automated Whitebox Fuzz Testing. Technical Report MSR-TR-2007-58, Microsoft Research Redmond, Redmond, WA, May 2007.
  15. D. Große and R. Drechsler. Acceleration of SAT-Based iterative property checking. In Correct Hardware Design and Verification Methods. 2005.
  16. G. Hinton, D. Sager, M. Upton, D. Boggs, D. P. Group, and I. Corp. The Microarchitecture of the Pentium R 4 Processor. Intel Technology Journal, 1, 2001.
  17. Z. Khasidashvili, A. Nadel, A. Palti, and Z. Hanna. Simultaneous SAT- Based model checking of safety properties. In Hardware and Software, Verification and Testing, volume 3875 of LNCS. Springer-Verlag, 2006.
  18. S. Khurshid, C. P. asȃreanu, and W. Visser. Generalized symbolic execution for model checking and testing. In TACAS. 2003.
  19. J. C. King. Symbolic execution and program testing. Commun. ACM, 19(7), 1976.
  20. O. Shtrichman. Pruning techniques for the SAT-Based bounded model checking problem. In CHARME. 2001.
  21. J. P. M. Silva and K. A. Sakallah. Robust search algorithms for test pattern generation. In FTCS. IEEE Computer Society, 1997.
  22. J. Whittemore, J. Kim, and K. Sakallah. SATIRE: a new incremental satisfiability engine. In DAC. ACM, 2001.

Related papers

Efficient Solving of the Satisfiability Modulo Bit-Vectors Problem and Some Extensions to SMT
Alessandro Cimatti

2010

Decision procedures for expressive logics such as linear arithmetic, bitvectors, uninterpreted functions, arrays or combinations of theories are becoming increasingly important in various areas of hardware and software development and verification such as test pattern generation, equivalence checking, assertion based verification and model checking. In particular, the need for bit-precise reasoning is an important target for research into decision procedures. In this thesis we will describe work on creating an efficient decision procedure for Satisfiability Modulo the Theory of fixed-width bit-vectors, and how such a solver can be used in a real-world application. We will also introduce some extensions of the basic decision procedure allowing for optimisation, and compact representation of constraints in a SMT solver, showing how these can be succinctly and elegantly described as a theory allowing for the extension with minimal changes to SMT solvers.

View PDFchevron_right
Efficient translation of Boolean formulas to CNF in formal verification of microprocessors
Miroslav Velev

ASP-DAC 2004: Asia and South Pacific Design Automation Conference 2004 (IEEE Cat. No.04EX753)

The paper presents a method for translating Boolean formulas to CNF by identifying gates with fanout count of 1, and merging them with their fanout gate to generate a single set of equivalent CNF clauses. This eliminates the intermediate CNF variable for the output of the first gate, and reduces the number of CNF clauses, compared to the conventional translation to CNF, where each gate is assigned an output variable and is represented with a separate set of CNF clauses. Chains of nested ITE operators, where each ITE is used only as else-argument of the next ITE, are similarly merged and represented with a single set of clauses without intermediate variables. This method was applied to Boolean formulas from formal verification of microprocessors. The formulas require up to hundreds of thousands of variables and millions of clauses, when translated to CNF with the conventional approach. The best translation reduced the CNF variables by up to 2×; the SAT-solver decisions by up to 5×; the SAT-solver conflicts by up to 6×; and accelerated the SAT checking by up to 7.6× for unsatisfiable formulas, and 136× for satisfiable ones.

View PDFchevron_right
Boolector: An Efficient SMT Solver for Bit-Vectors and Arrays
Robert Daniel Brummayer

Satis ability Modulo Theories (SMT) is the problem of deciding satis ability of a logical formula, expressed in a combination of first-order theories. We present the architecture and selected features of Boolector, which is an efficient SMT solver for the quanti er-free theories of bit-vectors and arrays. It uses term rewriting, bit-blasting to handle bit-vectors, and lemmas on demand for arrays.

View PDFchevron_right
A Tutorial on Satisfiability Modulo Theories
Leonardo de Moura

2007

Solvers for satisfiability modulo theories (SMT) check the satisfiability of first-order formulas containing operations from various theories such as the Booleans, bit-vectors, arithmetic, arrays, and recursive datatypes. SMT solvers are extensions of Boolean satisfiability solvers (SAT solvers) that check the satisfiability of formulas built from Boolean variables and operations. SMT solvers have a wide range of applications in hardware and software verification, extended static checking, constraint solving, planning, scheduling, test case generation, and computer security. We briefly survey the theory of SAT and SMT solving, and present some of the key algorithms in the form of pseudocode. This tutorial presentation is primarily directed at those who wish to build satisfiability solvers or to use existing solvers more effectively.

View PDFchevron_right
Microcode Verification – Another Piece of the Microprocessor Verification Puzzle
swords swords

Despite significant progress in formal hardware verification in the past decade, little has been published on the verification of microcode. Microcode is the heart of every microprocessor and is one of the most complex parts of the design: it is tightly connected to the huge machine state, written in an assembly-like language that has no support for data or control structures, and has little documentation and changing semantics. At the same time it plays a crucial role in the way the processor works. We describe the method of formal microcode verification we have developed for an x86-64 microprocessor designed at Centaur Technology. While the previous work on high and low level code verification is based on an unverified abstract machine model, our approach is tightly connected with our effort to verify the register-transfer level implementation of the hardware. The same microoperation specifications developed to verify implementation of the execution units are used to define operational semantics for the microcode verification. While the techniques used in the described verification effort are not inherently new, to our knowledge, our effort is the first interconnection of hardware and microcode verification in context of an industrial size design. Both our hardware and microcode verifications are done within the same verification framework.

View PDFchevron_right

Related topics

  • Computer Science
  • Parallel Computing
  • SAT Solver Design
  • Symbolic Execution
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved