1 minimalist proof assistants interactions of technology and methodology in formal system level...
TRANSCRIPT
1
Minimalist proof assistants Interactions of technology and
methodology in formal system level verification
Ken McMillan
Cadence Berkeley Labs
2
Automated methods curve
system size (bits of state)
veri
fica
tio
n p
rob
abil
ity
research
systems
1 10 100 103 104 105 106 107
100%
3
Automated methods curve
system size (bits of state)
veri
fica
tio
n p
rob
abil
ity
unit-level FV
decomposition
1 10 100 103 104 105 106 107
100%
bug finding
verification
4
Proof assistants General purpose proof assistants
+Expressive logics
+Integration with model checking
Problem: Do not naturally produce finite-state subgoals
– Result:
Detailed manual case analysis
Complex global invariants
Long, fragile proof scripts
5
What's missing... Proof strategy that produces finite-state lemmas
Infrastructure to support this strategy
Reduced interactivity
– more reusable proofs
– no global invariants (too design-specific)
6
Minimalist proof assistant Approach
– Minimal logical expressiveness
– Appropriate domain-specific proof strategy
– Proof rules designed to support this strategy
– All proof obligations reduced to model checking
Result
– Short proofs
– Proof goals reduced to tractable MC problems
– Proofs more easily reused
related: Seger 98
7
Rules built into SMV system... Circular compositional rule
– decomposition by refinement relations
– auxiliary state
Temporal case analysis
– path splitting
Symmetry reductions
– reduce by symmetry to tractable number of cases
Data type reductions
– large and infinite types
– uninterpreted functions
support general proof strategy...
8
Compositional refinement verification
Abstractmodel
System
Translations
9
Localized verification
Abstractmodel
System
Translations
assume prove
10
Localized verification
Abstractmodel
System
Translations
assumeprove
11
Circular inference rule
SPEC
1 2
: :
: :
^
( )
( )
( )
2 1
1 2
1 2
U
U
G
(related: AL 95, AH 96)
1 up to t -1 implies 2 up to t
2 up to t -1 implies 1 up to t
always 1 and 2
12
SPEC
Auxiliary variables
Q A P
Q v PA
^ )
)*
:aux
aux
P PA
Q
Q
* A is “definitional”* Q does not reference A
(related: Owicki, Gries)
13
SPEC
P PA
Big structures and path splitting
i
14
Temporal case splitting Prove separately that p holds at all times when v = i.
i G v i p
G p
: ( )*
)
Path splitting
v
record register index
G v i p( ) )
i
15
SPEC
P PA
Case explosion and symmetry
ik
16
Exploiting symmetry Symmetric types
– Semantics invariant under permutations of type.
– Enforced by type checking rules.
Symmetry reduction rule
i k P
i P
0 :
:* * i is of scalarset type
* P references only constants 0..k-1 of type
(related: Murphi)
17
Data type reductions Problem: large data types yield state explosion
Solution: reduce large (or infinite) types
where T\i represents all the values in T except i.
Abstract interpretation
T i T i { , \ }
i T i
i
T i
\
\ { , }
1 0
0 0 1
M P
M P
T i T i
{ , \ } |
|
Note: use in conjunction with case splitting
18
Data types with large ranges Words, addresses, sequence numbers, tags, etc...
Example: content addressable memory
KEY VALUE
=======
QU
ER
Y
19
Summary of proof strategy Control logic
– Structural decomposition (comp. rule)
Data path
– Refinement maps (comp. rule + aux.)
– Decompose large structures (path splitting)
– Reduce large types (data type reduction)
Case reduction (symmetry)
20
Illustration: Tomasulo’s algorithm Execute instructions in data flow order
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
TAGGED RESULTS
INSTRUCTIONS
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
REGFILE
21
Compositional rule Decompose into two lemmas
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
TAGGED RESULTS
INSTRUCTIONS
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
REGFILE
Lemma 1:Correct operands
Lemma 2:Correct results
22
Proving the operand lemma
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
Lemma 1:Correct operands
Lemma 2:Correct results
"cone of influence" eliminates
23
Auxiliary variables in Tomasulo Used to store correct operands and results for each instruction
EU
RESULTS
INSTRUCTIONS
OP,DST
opra oprb
O1 O2 R
if (~stallout & opin=ALU){ next(aux[st].opra) := opra; next(aux[st].oprb) := oprb; next(aux[st].res) := res;}
SPEC
24
Lemmas in SMV Operand correctness
forall (k in TAG) layer lemma1 : if (rs[k].valid & rs[k].opra.valid)
rs[k].opra.val := aux[k].opra;
Result correctness
forall (i in TAG) layer lemma2[i] : if (rb.tag = i & rb.valid)
rb.val := aux[i].res;
25
Path splitting in Tomasulo
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
"cone of influence" eliminates
26
SMV implementation Split cases of operand correctness on
– producer reservation station
– holding register
SMV implementationsubcase lemma1[i][j]
of rs[k]//lemma1
for rs[k].opra.tag = i & aux[k].srca = j;
27
Case explosion problem Number of cases in operand correctness property:
TAGS REGS TAGS = O(n3)
Symmetric data type declarations
scalarset REG 0..31;
scalarset TAG 0..31;
SMV verifies types used in symmetric way
28
Symmetry reduction in operands lemma
OP,DST
opra oprb
OP,DST
opra oprb
OP,DST
opra oprb
EU
EU
EU
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
i
j
k Reduces by symmetry to two cases:
(i = 0, j = 0, k = 0)
(i = 0, j = 0, k = 1)
29
Type reduction: infinite-state Tomasulo Scalarsets with undefined range
Data type reductionTAG->{i,k}, REG ->{j}
Only include values we care about in reduced type
Reduces variable encodings to
– 1 bit per variable of type REG
– 2 bits per variable of type TAG
(related: Kurshan)
30
OP,DST
Uninterpreted functions Verify Tomasulo for arbitrary EU function f(a,b).
f(a,b)
RESULTS
INSTRUCTIONS
SPEC
OP,DST
opra oprb
opra oprb
OP,DST
opra oprb
f(a,b)OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
TAGGED RESULTS
f(a,b)
(related: Burch, Dill, Jones, etc...)
31
Case splitting Prove result correctness only for specific cases, e.g.
opra = 0, oprb = 1, f[0][1] = 2
OP,DST
0 1
OP,DST
opra oprb
OP,DST
opra oprb
f(a,b)
f(a,b)
f(a,b)
OPS
INSTRUCTIONS
REGFILE
VAL/TAGVAL/TAGVAL/TAGVAL/TAG
2
3! = 6 cases verified
(related: Hojati, Singhal, Bryant, Clarke)
32
Result Verification problem reduced to tractable MC problems
– Max 25 state bits
– 11 cases of lemmas to verify after symmetry
– Verification time less than 4 seconds
Tomasulo implementation proved for
– Arbitrary number of registers, reservation stations
– Arbitrary data word size and EU function
The proof is concise
33
Summary of approach Auxiliary variables and circular rule
– operand and result lemmas
Temporal case splitting
– data path splitting
Symmetry reductions
– reduce to tractable number of cases
Data type reductions
– reduce large or infinite data types to small finite
– uninterpreted functions for data operations
34
More examples Applications of the same general strategy:
– Infopad packet multiplexer
– SGI cache coherence
35
InfoPad example (Truman 98)
BusBridge
ARMprocessorsubsystem
RXASIC
FPGA
(FEC,timing,…)
Video
Pen
SpeechTX
Audio/Speech
VGAcontrol
WirelessModems
32-bitword
8-bitword
Serial,FEC encoded
PacketBuffer
Memory
36
Packet streams
Decomposition -- data integrity
tag tag
data data
Packet mux
P P
path splitting
induction
37
Cache coherence (Eiriksson 98)
S/F network
protocol
hostprotocol
host
protocol
host
Distributedcachecoherence
INTF
P P
M IO
to net
Nondeterministic abstract model
Atomic actions
Single address abstraction
Verified coherence, etc...
38
Mapping protocol to RTL
S/F network
protocol
host otherhostsAbstract
model
CAMT
AB
LE
S
TAGS
~30K lines of verilog
39
Conclusions Goal
– System-level verification by model checking
Approach
– Appropriate domain-specific proof strategy
– Proof rules designed to support this strategy
Result
– Proof goals reduced to tractable MC problems
– Short proofs -- no global invariants