1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.

1

Minimalist proof assistants Interactions of technology and

methodology in formal system level verification

Ken McMillan

Cadence Berkeley Labs

2

Automated methods curve

system size (bits of state)

veri

fica

tio

n p

rob

abil

ity

research

systems

1 10 100 103 104 105 106 107

100%

3

Automated methods curve

system size (bits of state)

veri

fica

tio

n p

rob

abil

ity

unit-level FV

decomposition

1 10 100 103 104 105 106 107

100%

bug finding

verification

4

Proof assistants General purpose proof assistants

+Expressive logics

+Integration with model checking

Problem: Do not naturally produce finite-state subgoals

– Result:

Detailed manual case analysis

Complex global invariants

Long, fragile proof scripts

5

What's missing... Proof strategy that produces finite-state lemmas

Infrastructure to support this strategy

Reduced interactivity

– more reusable proofs

– no global invariants (too design-specific)

6

Minimalist proof assistant Approach

– Minimal logical expressiveness

– Appropriate domain-specific proof strategy

– Proof rules designed to support this strategy

– All proof obligations reduced to model checking

Result

– Short proofs

– Proof goals reduced to tractable MC problems

– Proofs more easily reused

related: Seger 98

7

Rules built into SMV system... Circular compositional rule

– decomposition by refinement relations

– auxiliary state

Temporal case analysis

– path splitting

Symmetry reductions

– reduce by symmetry to tractable number of cases

Data type reductions

– large and infinite types

– uninterpreted functions

support general proof strategy...

8

Compositional refinement verification

Abstractmodel

System

Translations

9

Localized verification

Abstractmodel

System

Translations

assume prove

10

Localized verification

Abstractmodel

System

Translations

assumeprove

11

Circular inference rule

SPEC

1 2

: :

: :

^

( )

( )

( )

2 1

1 2

1 2

U

U

G

(related: AL 95, AH 96)

1 up to t -1 implies 2 up to t

2 up to t -1 implies 1 up to t

always 1 and 2

12

SPEC

Auxiliary variables

Q A P

Q v PA

^ )

)*

:aux

aux

P PA

Q

Q

* A is “definitional”* Q does not reference A

(related: Owicki, Gries)

13

SPEC

P PA

Big structures and path splitting

i

14

Temporal case splitting Prove separately that p holds at all times when v = i.

i G v i p

G p

: ( )*

)

Path splitting

v

record register index

G v i p( ) )

i

15

SPEC

P PA

Case explosion and symmetry

ik

16

Exploiting symmetry Symmetric types

– Semantics invariant under permutations of type.

– Enforced by type checking rules.

Symmetry reduction rule

i k P

i P

0 :

:* * i is of scalarset type

* P references only constants 0..k-1 of type

(related: Murphi)

17

Data type reductions Problem: large data types yield state explosion

Solution: reduce large (or infinite) types

where T\i represents all the values in T except i.

Abstract interpretation

T i T i { , \ }

i T i

i

T i

\

\ { , }

1 0

0 0 1

M P

M P

T i T i

{ , \ } |

|

Note: use in conjunction with case splitting

18

Data types with large ranges Words, addresses, sequence numbers, tags, etc...

Example: content addressable memory

KEY VALUE

=======

QU

ER

Y

19

Summary of proof strategy Control logic

– Structural decomposition (comp. rule)

Data path

– Refinement maps (comp. rule + aux.)

– Decompose large structures (path splitting)

– Reduce large types (data type reduction)

Case reduction (symmetry)

20

Illustration: Tomasulo’s algorithm Execute instructions in data flow order

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

TAGGED RESULTS

INSTRUCTIONS

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

REGFILE

21

Compositional rule Decompose into two lemmas

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

TAGGED RESULTS

INSTRUCTIONS

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

REGFILE

Lemma 1:Correct operands

Lemma 2:Correct results

22

Proving the operand lemma

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

INSTRUCTIONS

REGFILE

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

TAGGED RESULTS

Lemma 1:Correct operands

Lemma 2:Correct results

"cone of influence" eliminates

23

Auxiliary variables in Tomasulo Used to store correct operands and results for each instruction

EU

RESULTS

INSTRUCTIONS

OP,DST

opra oprb

O1 O2 R

if (~stallout & opin=ALU){ next(aux[st].opra) := opra; next(aux[st].oprb) := oprb; next(aux[st].res) := res;}

SPEC

24

Lemmas in SMV Operand correctness

forall (k in TAG) layer lemma1 : if (rs[k].valid & rs[k].opra.valid)

rs[k].opra.val := aux[k].opra;

Result correctness

forall (i in TAG) layer lemma2[i] : if (rb.tag = i & rb.valid)

rb.val := aux[i].res;

25

Path splitting in Tomasulo

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

INSTRUCTIONS

REGFILE

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

TAGGED RESULTS

"cone of influence" eliminates

26

SMV implementation Split cases of operand correctness on

– producer reservation station

– holding register

SMV implementationsubcase lemma1[i][j]

of rs[k]//lemma1

for rs[k].opra.tag = i & aux[k].srca = j;

27

Case explosion problem Number of cases in operand correctness property:

TAGS REGS TAGS = O(n3)

Symmetric data type declarations

scalarset REG 0..31;

scalarset TAG 0..31;

SMV verifies types used in symmetric way

28

Symmetry reduction in operands lemma

OP,DST

opra oprb

OP,DST

opra oprb

OP,DST

opra oprb

EU

EU

EU

OPS

INSTRUCTIONS

REGFILE

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

TAGGED RESULTS

i

j

k Reduces by symmetry to two cases:

(i = 0, j = 0, k = 0)

(i = 0, j = 0, k = 1)

29

Type reduction: infinite-state Tomasulo Scalarsets with undefined range

Data type reductionTAG->{i,k}, REG ->{j}

Only include values we care about in reduced type

Reduces variable encodings to

– 1 bit per variable of type REG

– 2 bits per variable of type TAG

(related: Kurshan)

30

OP,DST

Uninterpreted functions Verify Tomasulo for arbitrary EU function f(a,b).

f(a,b)

RESULTS

INSTRUCTIONS

SPEC

OP,DST

opra oprb

opra oprb

OP,DST

opra oprb

f(a,b)OPS

INSTRUCTIONS

REGFILE

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

TAGGED RESULTS

f(a,b)

(related: Burch, Dill, Jones, etc...)

31

Case splitting Prove result correctness only for specific cases, e.g.

opra = 0, oprb = 1, f[0][1] = 2

OP,DST

0 1

OP,DST

opra oprb

OP,DST

opra oprb

f(a,b)

f(a,b)

f(a,b)

OPS

INSTRUCTIONS

REGFILE

VAL/TAGVAL/TAGVAL/TAGVAL/TAG

2

3! = 6 cases verified

(related: Hojati, Singhal, Bryant, Clarke)

32

Result Verification problem reduced to tractable MC problems

– Max 25 state bits

– 11 cases of lemmas to verify after symmetry

– Verification time less than 4 seconds

Tomasulo implementation proved for

– Arbitrary number of registers, reservation stations

– Arbitrary data word size and EU function

The proof is concise

33

Summary of approach Auxiliary variables and circular rule

– operand and result lemmas

Temporal case splitting

– data path splitting

Symmetry reductions

– reduce to tractable number of cases

Data type reductions

– reduce large or infinite data types to small finite

– uninterpreted functions for data operations

34

More examples Applications of the same general strategy:

– Infopad packet multiplexer

– SGI cache coherence

35

InfoPad example (Truman 98)

BusBridge

ARMprocessorsubsystem

RXASIC

FPGA

(FEC,timing,…)

Video

Pen

SpeechTX

Audio/Speech

VGAcontrol

WirelessModems

32-bitword

8-bitword

Serial,FEC encoded

PacketBuffer

Memory

36

Packet streams

Decomposition -- data integrity

tag tag

data data

Packet mux

P P

path splitting

induction

37

Cache coherence (Eiriksson 98)

S/F network

protocol

hostprotocol

host

protocol

host

Distributedcachecoherence

INTF

P P

M IO

to net

Nondeterministic abstract model

Atomic actions

Single address abstraction

Verified coherence, etc...

38

Mapping protocol to RTL

S/F network

protocol

host otherhostsAbstract

model

CAMT

AB

LE

S

TAGS

~30K lines of verilog

39

Conclusions Goal

– System-level verification by model checking

Approach

– Appropriate domain-specific proof strategy

– Proof rules designed to support this strategy

Result

– Proof goals reduced to tractable MC problems

– Short proofs -- no global invariants