A First-Order Logic based Framework for Verifying Simulations
Hui Meen Nyew, Nilufer Onder, Soner Onder and Zhenlin Wang
Dept. of Computer Science
Michigan Technological University
Houghton, MI 49931
{hnyew,nilufer,soner,zlwang}@mtu.edu
Abstract
Modern science relies on simulation techniques for understanding phenomena, exploring design options, or evaluating models. Assuring the correctness of simulators is a key problem to which a multitude of solutions, ranging from manual inspection to formal verification, are applicable. Formal verification incorporates the necessary rigor, but not all simulators are generated from formal specifications. Manual inspection is readily available but lacks rigor and is prone to errors. In this paper, we describe an automated verification system (AVS) in which the constraints that the system must adhere to are specified by the user in general-purpose first-order logic. AVS translates these constraints into a verification program that scans the simulator trace and verifies that no constraints are violated. The advantage is the ability to verify any simulator trace using a formal specification of domain facts. Computer microarchitecture simulations were used to demonstrate the proposed approach. The system was implemented successfully and yielded preliminary results.
Introduction
Contemporary computer processor design inherently relies on simulating new processors before they are built. The design of a new architecture typically starts with instruction set design. Instruction set development and system software development usually go hand-in-hand by using a functional simulator which implements the semantics of instructions and allows running programs in a simulated environment. The design and development of the processor architecture is then carried out using much more sophisticated and detailed simulators that can provide accurate information about how many processor cycles it will take to execute a given program under the new design. These simulators are called cycle-accurate simulators, and their implementation typically takes tens of thousands of lines of high-level program code, such as C. Once satisfactory results are obtained, the rest of the design is carried out with the help of gate-level and circuit-level simulators, which can provide detailed information about attainable clock speeds as well as the estimated power consumption of the target processor before it is built.
Copyright © 2013, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.
Formal techniques are increasingly being used at various levels of the design process. At the cycle-accurate level, domain-specific architecture description languages allow efficient automatic generation of cycle-accurate processors, at the same time making it easier to apply formal validation techniques. Examples of such languages include Mimola, nML, Lisa, Expression, ASIP Meister, TIE, Madl, ADL++, and GNR, among others (Mishra and Dutt 2008). However, because of the enormous complexity involved, the application of such formal techniques is limited. Furthermore, hand-coded simulators are still widely used, as companies rely on their developed code base to improve future versions of existing processors. In this domain, verification of simulators is still a difficult task and remains an area dominated by ad-hoc techniques, except for simpler embedded processors where a formal specification language is used to describe the architectural details.
Our motivation in developing AVS has therefore been to provide a formal means of verification outside the developed simulator. In this paper, we describe a general-purpose automated verification system (AVS) which can be widely applied both to traditional hand-written simulators and to those generated from a formal specification. AVS has been implemented and tested on microarchitecture simulations.
System overview
The AVS system verifies a set of user-specified constraints in a trace file generated by a simulator. The trace file contains a sequence of events, each represented as an $n$-tuple $\langle e_1, \ldots, e_n \rangle$, where $e_i$ refers to an attribute of the event, each $e_i \in E_i$, and $E_i$ is the domain of $e_i$. For example, $\langle a, c, s, t \rangle$ is an event generated by a processor simulator where $a$ is the address of an instruction, $c$ is the instance number of the instruction (each instruction can execute multiple times), $s$ is the pipeline stage, and $t$ is the cycle time of the event. A constraint is a quantified statement that includes arithmetic and Boolean expressions and contains the domain facts specified by the user. For example, the following constraint specifies that each instruction that goes through the instruction decode (ID) stage should go through the instruction issue (II) stage unless a rollback that flushes the pipeline occurs.

forall z in T exists y in T,
    z.stage==ID iff y.addr==z.addr and y.count==z.count
    and (y.stage==II
         or (y.stage==ROLLBACK and y.time>=z.time));
We used Flex and Bison to implement a compiler for AVS. The compiler takes the specification of first-order logic statements and the constraints as input and creates one or more independent C++ programs that perform the actual simulation verification. Fig. 1 depicts a sample program that consists of nested loops to check the forall and exists conditions for the constraint "forall z in T exists y in T statements".
Algorithm 1 Translation for "forall z in T exists y in T"
Input: Trace T
Output: status
for all windows w in T do
    for all z ∈ w do                        ⊳ forall z in w
        zStatus ← FALSE
        for all y ∈ w do                    ⊳ exists y in w
            yStatus ← FALSE
            if statements = TRUE then
                zStatus ← TRUE
                yStatus ← TRUE
            end if
            if yStatus = TRUE then          ⊳ exists quantifier
                break
            end if
        end for
        if zStatus = FALSE then             ⊳ forall quantifier
            status ← FALSE
            return
        end if
    end for
end for
status ← TRUE
return
The current AVS implementation uses a sliding window (Mannila, Toivonen, and Inkeri Verkamo 1997) to check the constraints, using a window size specified by the user. The advantage of using sliding windows is to allow the algorithm to process very large inputs or infinite streams; the time and memory requirements are also significantly reduced. The window must, however, be wide enough to contain every event a constraint relates: if the witness for an exists quantifier falls outside the window of the event being checked, the constraint is reported as violated even though the full trace satisfies it. Our next step will be to analyze the temporal relationships in the constraints and automatically compute the window size from the maximum distance between related events. Due to space restrictions, we show only the highlights of the algorithm. Further details can be found in the longer version of the paper (Nyew et al. 2013).
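The following C++ program is an added example written for this page; it is not the C++ that the AVS compiler generates. It hand-translates the ID/II constraint shown in the system overview into the nested loops of Algorithm 1 and runs them over a constructed trace. Assumptions not stated on the page: an Event is the <addr, count, stage, time> tuple described above, ROLLBACK is recorded as a stage value, the window examined for an event z is the `width` consecutive trace events starting at z, and the constraint body is encoded as the implication ID implies (II or later ROLLBACK) that the prose describes. The listing's `iff` additionally requires, for every non-ID event z, some y in the window for which the right-hand side is false; any unrelated event supplies that in a realistic window, but a tiny constructed trace may not, so the implication form is used here.

```cpp
// Added example (written for this page, not AVS's generated C++): a hand
// translation of the "forall z in T exists y in T" constraint, using the
// windowed nested-loop scheme of Algorithm 1.  Assumptions: an Event is the
// <addr, count, stage, time> tuple from the text; ROLLBACK is emitted as a
// stage value; the window examined for an event z is the 'width' consecutive
// trace events starting at z; the body is the implication ID -> (II or later
// ROLLBACK) that the prose describes rather than the listing's iff.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

enum class Stage { IF, ID, II, EX, WB, ROLLBACK };

struct Event {
    unsigned addr;   // instruction address
    unsigned count;  // instance number of the instruction
    Stage    stage;  // pipeline stage (or ROLLBACK)
    unsigned time;   // cycle at which the event occurred
};

// The quantified statement for one (z, y) pair:
//   z.stage==ID  implies  y is the same instruction instance in II, or a
//   ROLLBACK for it at or after z's time.
static bool statement(const Event& z, const Event& y) {
    if (z.stage != Stage::ID) return true;          // nothing required of z
    return y.addr == z.addr && y.count == z.count &&
           (y.stage == Stage::II ||
            (y.stage == Stage::ROLLBACK && y.time >= z.time));
}

// Nested loops of Algorithm 1.  Returns -1 when every z has a witness y in its
// window, otherwise the trace index of the first z without one.
static long firstViolation(const std::vector<Event>& trace, std::size_t width) {
    for (std::size_t i = 0; i < trace.size(); ++i) {               // forall z
        const std::size_t end = std::min(trace.size(), i + width);  // window
        bool zStatus = false;
        for (std::size_t j = i; j < end; ++j) {                     // exists y
            if (statement(trace[i], trace[j])) { zStatus = true; break; }
        }
        if (!zStatus) return static_cast<long>(i);                  // forall fails
    }
    return -1;
}

static bool verify(const std::vector<Event>& trace, std::size_t width) {
    return firstViolation(trace, width) == -1;
}

// Constructed traces (not simulator output).  In goodTrace, 0x100/1 is decoded
// and issued; 0x104/1 is decoded and then discarded by a rollback.
static std::vector<Event> goodTrace() {
    return {
        {0x100, 1, Stage::IF, 1},
        {0x100, 1, Stage::ID, 2},
        {0x104, 1, Stage::IF, 2},
        {0x100, 1, Stage::II, 3},
        {0x104, 1, Stage::ID, 3},
        {0x104, 1, Stage::ROLLBACK, 4},
    };
}

// In badTrace, 0x100/1 is decoded but never issued and never rolled back.
static std::vector<Event> badTrace() {
    return {
        {0x100, 1, Stage::IF, 1},
        {0x100, 1, Stage::ID, 2},
        {0x100, 1, Stage::EX, 3},
        {0x104, 1, Stage::IF, 3},
    };
}

int main() {
    std::printf("good, width 8: %s\n", verify(goodTrace(), 8) ? "ok" : "violated");
    // Width 2 cannot see the II event two positions after the ID: a false alarm.
    std::printf("good, width 2: violation at index %ld\n", firstViolation(goodTrace(), 2));
    std::printf("bad,  width 8: violation at index %ld\n", firstViolation(badTrace(), 8));
    return 0;
}
```

With a window of 8 the good trace passes and the bad trace is rejected at the ID event of 0x100/1, which is the event a verifier should point at. With a window of 2 the good trace is also rejected at that same index: the II event lies two positions after the ID, outside the window, which is the false alarm that an automatically computed window size is meant to rule out.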
In addition to modeling the pipeline, we coded resource and dependency constraints. Resource constraints ensure that only the available number of resources is used; for example, only as many memory instructions as there are memory ports can complete simultaneously. An example of a dependency constraint is shown below. It specifies that two dependent instructions must be ordered: an instruction that reads a register must reach the execute (EX) stage after the earlier instruction that writes it.

forall z in REG_T forall y in REG_T
    exists x in STAGE_T exists w in STAGE_T,
    (z.iter>y.iter and z.dir==SRC and
     y.dir==DEST and z.reg==y.reg) implies
    (x.addr==z.addr and x.count==z.count
     and x.stage==EX and w.addr==y.addr
     and w.count==y.count
     and w.stage==EX and x.time>w.time);
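The program below is an added example for the dependency constraint, written for this page rather than produced by AVS. It joins two trace relations with the four nested loops the quantifier prefix calls for and checks the implication on constructed register and stage events. The record layouts are assumptions: a REG_T row carries <addr, count, iter, reg, dir>, a STAGE_T row carries <addr, count, stage, time>, `iter` is read as the program-order position of the instruction instance (so z.iter > y.iter means z follows y), and `dir` is SRC for a register read and DEST for a register write.

```cpp
// Added example (written for this page, not AVS output): hand translation of the
// dependency constraint into nested loops.  Assumed record layouts: a REG_T row
// carries <addr, count, iter, reg, dir>, a STAGE_T row carries
// <addr, count, stage, time>; 'iter' is taken as the program-order position of
// the instruction instance, so z.iter > y.iter means z follows y; 'dir' is SRC
// for a register read and DEST for a register write.
#include <cstddef>
#include <cstdio>
#include <vector>

enum class Dir   { SRC, DEST };
enum class Stage { ID, EX, WB };

struct RegEvent   { unsigned addr, count, iter, reg; Dir dir; };
struct StageEvent { unsigned addr, count; Stage stage; unsigned time; };

// (z.iter>y.iter and z.dir==SRC and y.dir==DEST and z.reg==y.reg)
static bool dependsOn(const RegEvent& z, const RegEvent& y) {
    return z.iter > y.iter && z.dir == Dir::SRC && y.dir == Dir::DEST && z.reg == y.reg;
}

// (x is z's EX event and w is y's EX event and x.time>w.time)
static bool orderedInEx(const RegEvent& z, const RegEvent& y,
                        const StageEvent& x, const StageEvent& w) {
    return x.addr == z.addr && x.count == z.count && x.stage == Stage::EX &&
           w.addr == y.addr && w.count == y.count && w.stage == Stage::EX &&
           x.time > w.time;
}

// forall z forall y exists x exists w, dependsOn(z,y) implies orderedInEx(z,y,x,w).
// Returns -1 if the constraint holds, otherwise the REG_T index of the first z
// for which it fails.  The existentials sit outside the implication, exactly as
// in the listing, so with an empty STAGE_T no (x, w) can be found and every z
// fails even when no pair of register events is dependent.
static long firstUnorderedReader(const std::vector<RegEvent>& regs,
                                 const std::vector<StageEvent>& stages) {
    for (std::size_t zi = 0; zi < regs.size(); ++zi) {
        for (const RegEvent& y : regs) {
            bool found = false;
            for (const StageEvent& x : stages) {
                for (const StageEvent& w : stages) {
                    if (!dependsOn(regs[zi], y) || orderedInEx(regs[zi], y, x, w)) {
                        found = true;
                        break;
                    }
                }
                if (found) break;
            }
            if (!found) return static_cast<long>(zi);
        }
    }
    return -1;
}

// Constructed data (not simulator output): 0x100/1 (program order 1) writes r3;
// 0x104/1 (order 2) reads r3 and writes r5.  The reader must reach EX after the writer.
static std::vector<RegEvent> regEvents() {
    return {
        {0x100, 1, 1, 3, Dir::DEST},
        {0x104, 1, 2, 3, Dir::SRC},
        {0x104, 1, 2, 5, Dir::DEST},
    };
}
static std::vector<StageEvent> orderedStages() {
    return { {0x100, 1, Stage::EX, 4}, {0x104, 1, Stage::EX, 5} };
}
static std::vector<StageEvent> reversedStages() {   // reader executed first
    return { {0x100, 1, Stage::EX, 6}, {0x104, 1, Stage::EX, 5} };
}

int main() {
    std::printf("ordered:   %ld\n", firstUnorderedReader(regEvents(), orderedStages()));
    std::printf("reversed:  %ld\n", firstUnorderedReader(regEvents(), reversedStages()));
    std::printf("no EX yet: %ld\n", firstUnorderedReader(regEvents(), {}));
    return 0;
}
```

The reversed stage trace is rejected at REG_T index 1, the read of r3 by 0x104/1. The empty-STAGE_T call shows a consequence of the quantifier prefix worth knowing when constraints are run per window: because `exists x exists w` is outside the implication, a window that holds register events but no EX events fails the constraint for every z, dependent or not; placing the existentials inside the consequent would make such a window vacuously satisfy it.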
Currently, we leave it to the constraint programmer to feed multiple parallel constraints separately as different inputs or to merge them as one input. In the short term, the former approach will help generate multiple verifiers to enforce different types of constraints. For instance, we can generate one verifier for time constraints and one for resources. Multiple verifiers can run in parallel to take advantage of the computing power provided by modern machines.
Conclusion
We described a verification system for microarchitecture simulations. The system uses domain facts written by the user in first-order logic to scan the trace generated by a simulator and reports whether any constraints are violated. Our implementation and preliminary experiments show that this approach is feasible. In addition to being able to verify basic facts, we noticed that the framework helps the user iteratively improve the constraints. For instance, we had initially coded the example constraint to require each instruction's ID stage to be followed by an II stage. When the trace file failed the verification process, we coded the second part of the constraint, which states that a processor "rollback" causes the pipeline to be flushed and instructions to be discarded before fully executing. Our future work involves improving the performance of AVS in two dimensions. First, microarchitecture simulators typically generate gigabytes of data. We plan to apply stream-mining techniques to address this issue. Second, the user needs to specify a window size for the verifier to execute efficiently. For domains where a window size cannot be specified or the window size is too large to bring efficiency gains, it will be helpful to further restrict the language to a precondition-effect based temporal language such as the Planning Domain Definition Language (PDDL) (Fox and Long 2003).
References
Fox, M., and Long, D. 2003. PDDL2.1: An extension to PDDL for expressing temporal planning domains. Journal of Artificial Intelligence Research (JAIR) 20:61–124.
Mannila, H.; Toivonen, H.; and Inkeri Verkamo, A. 1997. Discovery of frequent episodes in event sequences. Data Mining and Knowledge Discovery 1(3):259–289.
Mishra, P., and Dutt, N. 2008. Processor Description Languages. San Francisco, CA, USA: Morgan Kaufmann.
Nyew, H. M.; Onder, N.; Onder, S.; and Wang, Z. 2013. A first-order logic based framework for verifying microarchitecture simulations. Technical Report CS-TR-13-01, Department of Computer Science, Michigan Technological University. http://www.cs.mtu.edu/~hnyew/cs-tr-13-01.pdf.