1 a mathematical approach to rtl verification david m. russinoff july 5, 2007

1

A Mathematical Approach to RTL Verification

David M. RussinoffJuly 5, 2007

2

Outline

• Relevance of software verification

• Relevance of traditional mathematics

• Future directions

3

Outline

• Relevance of software verification

• Relevance of traditional mathematics

• Future directions

4

Background

• John McCarthy (1961): LISP

• Bob Boyer and J Moore (1971): NQTHM

• J Moore and Matt Kaufmann (1989) : ACL2

5

Requirements

• A problem of limited size and complexity • A concise and unambiguous specification of

correctness • Cooperative development of a program and

its proof of correctness• A simple and elegant programming solution• A programming language with clear and

simple semantics

6

Requirements

• A problem of limited size and complexity X • A concise and unambiguous specification of

correctness • Cooperative development of a program and

its proof of correctness• A simple and elegant programming solution• A programming language with clear and

simple semantics

7

Requirements

• A problem of limited size and complexity X • A concise and unambiguous specification of

correctness • Cooperative development of a program and

its proof of correctness• A simple and elegant programming solution• A programming language with clear and

simple semantics

8

Cooperative Development of Program and Proof

"A program and its proof should be developed hand-in-hand, with the proof usually leading the way." -- Edsger Dijkstra

9

Cooperative Development

of Program and Proof X "A program and its proof should be developed hand-

in-hand, with the proof usually leading the way." -- Edsger Dijkstra

"Do you think that we need some academic to tell us how to design a multiplier?" -- Anonymous FP designer (1997)

10

Simple and Elegant Solutions "There are two ways of constructing a software design.

One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies." -- Tony Hoare

"Elegant algorithms are easy to program correctly, as well as being efficient."

-- Robert Tarjan”

”A ditch dug in a straight line is both more appealing and more useful than one that zigzags at random ...." -- Daniel Kohansky,

"The Philosophical Programmer"

11

Simple and Elegant Solutions X "There are two ways of constructing a software design.

One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies." -- Tony Hoare

"Elegant algorithms are easy to program correctly, as well as being efficient."

-- Robert Tarjan”

”A ditch dug in a straight line is both more appealing and more useful than one that zigzags at random ...." -- Daniel Kohansky,

"The Philosophical Programmer"

12

A Naïve Floating-Point Adder

Compare Exponents

Right Shift

Add/Subtract

Detect Cancellation

Left Shift

Assemble Result

13

An Optimized Floating-Point Adder

Predict Leading 1 Compare Exponents

Left Shift Right ShiftSelect Path

Add/Subtract

Assemble Result

14

Simple Program Semantics

"Are you quite sure that all those bells and whistles, all those wonderful facilities of your so-called 'powerful' programming languages belong to the solution set rather than to the problem set?” --Dijkstra

15

Simple Program Semantics "Are you quite sure that all those bells and whistles, all

those wonderful facilities of your so-called 'powerful' programming languages belong to the solution set rather than to the problem set?” --Dijkstra

Coding guidelines are effectively enforced to limit RTL design to a small and manageable subset of Verilog, thereby enabling formal analysis.

16

Verilog-ACL2 Translation

rc_co[70:0] = esub ? {1’b0, rc[70:1]} : {rc[69:0], rc[0]};

sum[70:0] <= rc[70:0] ^ a[70:0] ^ b[70:0];

(defun rc_co (n) (if (not (= (esub n) 0)) (bits (rc n) 70 1) (cat (bits (rc n) 69 0) (bitn (rc n) 0) 1)))

(defun sum (n) (if (zp n) (reset ‘sum 71) (logxor (logxor (bits (rc (1- n)) 70 0) (bits (a (1- n)) 70 0)) (bits (b (1- n)) 70 0))))

17

Outline

• Relevance of software verification

• Relevance of traditional mathematics

• Future directions

18

"The Mathematical Revolution"

"In 1976, Appel and Haken announced that they had solved the Four Colour Problem by a computer examination of nearly two thousand cases. ... the procedure employed by the machine to analyze each case of necessity involved billions of logical inferences; ... there is not even a remote chance that, in an entire lifetime, a human could trace the program's run on even one case ...

19

"The Mathematical Revolution"

"... Convictions derived in this manner might be valid but they are not mathematics. Such a result is still unproven, and should be so considered. ... Admitting the shenanigans of Appel and Haken to the ranks of mathematics would only leave us intellectually unfulfilled.”

-- Daniel Cohen, "The Superfluous Paradigm", 1991

20

"Last Doubts Removed About the Proof of the Four Color Theorem"

“What makes the new result particularly

significant from a reliability point of view is that the proof assistant Gonthiers employed, called Coq, is a widely used general-purpose utility, which has been verified experimentally, unlike the special-purpose programs used in the earlier proofs of the four color theorem.”

-- Keith Devlin, Mathematical Association of America Online, January 2005

21

ACL2

• Intended primarily for computer system verification rather than mathematics

• Efficient execution

• High degree of automation

• Weak logic

22

Illustration: A Test for Primality

(defun least-divisor (k n) (if (and (integerp n) (integerp k) (< 1 k) (<= k n)) (if (integerp (/ n k)) k (least-divisor (1+ k) n)) nil))

(defun primep (n) (and (integerp n) (= (least-divisor 2 n) n)))

23

Identifying Mersenne Primes (2p1)

(defthm mersenne-23 (not (primep (- (expt 2 23) 1))))

[Time: .02 seconds]

(defthm mersenne-31 (primep (- (expt 2 31) 1)))

[Time: 65 minutes]

(defthm mersenne-999671 (not (primep (- (expt 2 999671) 1))))[Time: 165 minutes]

(defthm mersenne-19876271 (not (primep (- (expt 2 19876271) 1))))[Error: Integer too large to represent.]

24

A Simple Optimization (defun least-divisor-fast (k n)

(if (and (integerp n) (integerp k) (< 1 k)

(<= k n)) (if (> (* k k) n)) n

(if (integerp (/ n k)) k (least-divisor-fast (1+ k) n))) nil))

(defthm least-divisor-rewrite (equal (least-divisor 2 n) (least-divisor-fast 2 n)))

(defthm mersenne-31 (primep (- (expt 2 31) 1)))[Time: .05 seconds]

(defthm mersenne-61 (primep (- (expt 2 61) 1)))[Time: 54 minutes]

25

A Little Number Theory

If p is an odd prime, then a is a quadratic residue modulo p x2 a (mod p) for some x a(p-1)/2 1 (mod p).

In particular, 2 is a quadratic residue modulo p p 1 (mod 8).

Theorem (Euler) If p = 4k+3 and q = 2p+1 are both prime, then q | 2p-1.

Proof: Since q = 2(4k+3)+1 = 8k+7 -1 (mod 8),

2p = 2(q-1)/2 1 (mod q), i.e., q | 2p-1. ■

26

Formalization of Euler's Theorem

(defthm euler-corollary (implies (and (primep p) (= (mod p 4) 3) (> p 3) (primep (+ (* 2 p) 1))) (not (primep (- (expt 2 p) 1)))))

(defthm mersenne-23-revisited (not (primep (- (expt 2 23) 1))))

[Time: .01 seconds]

(defthm mersenne-999671-revisited (not (primep (- (expt 2 999671) 1))))[Time: 1 second]

(defthm mersenne-19876271 (not (primep (- (expt 2 19876271) 1)))

[Time: 47 seconds]

27

The Value of Mathematical Proof

• Confidence in correctness of a result

• Explication of underlying principles

• Refinement of hypotheses

28

The Value of Mathematical Proof

• Confidence in correctness of a result • Explication of underlying principles • Refinement of hypotheses

All of these observations are as valid in the context of industrial hardware verification as they are in pure mathematics.

29

Case Study: AMD Athlon Processor Adder• Detailed hand-written (informal) proof

– 33 page paper– 4 week effort

• RTL model mechanically translated to ACL2 logic– 86 KB of RTL– 219 KB of ACL2

• Formal proof mechanically checked by ACL2– 2200 lemmas– 8 week effort

• 1 bug exposed and corrected• Proof published (18 months later)

30

A Bug in a Square Root Algorithm?

• q is a 64-bit underestimate of x, accurate to 38 bits. • c is a 64-bit correction term: q+c is an underestimate,

accurate to 74 bits, and 0 < c < 2-38q. • q+c is rounded to 64 bits in both directions to produce

r1 and r2 .

• In the case of rounding toward +, if (q+c) – r1 is not too big, then r2 is returned.

r1 q+c r2

31

A Bug in a Square Root Algorithm?

• q is a 64-bit underestimate of x, accurate to 38 bits. • c is a 64-bit correction term: q+c is an underestimate,

accurate to 74 bits, and 0 < c < 2-38q. • q+c is rounded to 64 bits in both directions to produce

r1 and r2 .

• In the case of rounding toward +, if (q+c) – r1 is not too big, then r2 is returned.

r1 q+c r2

But what if r1 = r2?

32

Mathematical Chaos

”It lacks so completely all plan and system that it is peculiar that so many men could have studied it. The worst of it is, it has never been treated stringently. There are very few theorems … which have been demonstrated in a logically tenable manner. Everywhere one finds this miserable way of concluding from the special to the general ….”

33

Mathematical Chaos

”It lacks so completely all plan and system that it is peculiar that so many men could have studied it. The worst of it is, it has never been treated stringently. There are very few theorems … which have been demonstrated in a logically tenable manner. Everywhere one finds this miserable way of concluding from the special to the general ….”

-- Niels Abel on the state of the calculus in 1826

34

An ACL2 Library of RTL and FP Arithmetic

• Bit vectors and logical operations• Floating-point formats and rounding• Special-purpose techniques for efficient

implementation of elementary operations

Some 600 lemmas pertaining to

(see www.russinoff.com/papers/ )

35

Interface Specifications in Verilog

• Accessibility to design engineers• Executability for the purpose of testing

Motivation:

Required Verilog extensions:

• Rational data type• Assertions representing safety and liveness constraints on inputs and outputs

36

Outline

• Relevance of software verification

• Relevance of traditional mathematics

• Future directions

37

Formal Methods at AMD Today

• New FP Designs routinely verified with ACL2

• Investigation of model-checking tools, etc.

• Increased staffing

• Expansion into other areas of functionality

38

Specification of Control Logic

• Interface with dcache, icache, and external memory

• Specification requires abstract model of internal state

• Bugs exposed in simulation with RTL

• Cooperation between specification and design is essential

Case study: a bus unit and L2 controller

39

A Formal Model of X86 ISA

• XFL: a simple formal language with C syntax, embedded in C++

• XFL encoding of instruction set forms the core of our simulation environment

• Same model is the foundation of a formally based APM

• Reliability is ensured by reciprocal validation

40

Future Directions

Block Specification

Block Verification

Fully Verified Processor

Micro-architectural Verification

Formal ISA Model

OS Verification

41

AMD, the AMD arrow logo, AMD Athlon, and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/orother jurisdictions.