
- Number of slides: 39
Slide 1: Minimalist proof assistants
Interactions of technology and methodology in formal system-level verification
Ken McMillan, Cadence Berkeley Labs

Slide 2: (Plot residue: y-axis "verification probability" up to 100%, x-axis "system size (bits of state)" on a log scale from 1 to 10^7; labels "automated methods curve" and "research systems".)

Slide 3: (Plot residue: same axes as slide 2; labels "automated methods curve", "decomposition verification", "unit-level FV" and "bug finding".)
Slide 4: Proof assistants
- General purpose proof assistants
  + Expressive logics
  + Integration with model checking
- Problem: do not naturally produce finite-state subgoals
  - Result: detailed manual case analysis, complex global invariants, long and fragile proof scripts

Slide 5: What's missing...
- Proof strategy that produces finite-state lemmas
- Infrastructure to support this strategy
- Reduced interactivity
  - more reusable proofs
  - no global invariants (too design-specific)

Slide 6: Minimalist proof assistant
- Approach
  - Minimal logical expressiveness
  - Appropriate domain-specific proof strategy
  - Proof rules designed to support this strategy
  - All proof obligations reduced to model checking
- Result
  - Short proofs
  - Proof goals reduced to tractable MC problems
  - Proofs more easily reused
(related: Seger 98)

Slide 7: Rules built into the SMV system...
- Circular compositional rule
  - decomposition by refinement relations
  - auxiliary state
- Temporal case analysis
  - path splitting
- Symmetry reductions
  - reduce by symmetry to a tractable number of cases
- Data type reductions
  - large and infinite types
  - uninterpreted functions
These rules support the general proof strategy...
Slide 8: Compositional refinement verification
(Figure: an abstract model related to the system by translations.)

Slides 9 and 10: Localized verification
(Figure, shown in two steps: the abstract model, the translations and the system, with parts of the abstract model marked "assume" and the part being checked marked "prove".)
Slide 11: Circular inference rule
- f1 up to t-1 implies f2 up to t
- f2 up to t-1 implies f1 up to t
- therefore: always f1 and f2
(Figure: the two properties checked against SPEC.) (related: AL 95, AH 96)

Slide 12: Auxiliary variables
- A is "definitional"
- Q does not reference A
(Figure residue: SPEC, P, an auxiliary variable A, P with aux, Q.) (related: Owicki, Gries)

Slide 13: Big structures and path splitting
(Figure residue: SPEC, A, P, P_i.)

Slide 14: Temporal case splitting
- Prove separately that p holds at all times when v = i.
- Path splitting
(Figure residue: record, register index v, i.)

Slide 15: Case explosion and symmetry
(Figure residue: SPEC, A, P_i, P_k.)

Slide 16: Exploiting symmetry
- Symmetric types
  - Semantics invariant under permutations of the type.
  - Enforced by type checking rules.
- Symmetry reduction rule
  - i is of scalarset type
  - P references only constants 0..k-1 of the type
(related: Murphi)
Slide 17: Data type reductions
- Problem: large data types yield state explosion
- Solution: reduce large (or infinite) types, where Ti represents all the values in T except i.
- Abstract interpretation
Note: use in conjunction with case splitting

Slide 18: Data types with large ranges
- Words, addresses, sequence numbers, tags, etc...
- Example: content addressable memory
(Figure: a QUERY compared for equality against every KEY to select the matching VALUE.)

Slide 19: Summary of proof strategy
- Control logic
  - Structural decomposition (comp. rule)
- Data path
  - Refinement maps (comp. rule + aux.)
  - Decompose large structures (path splitting)
  - Reduce large types (data type reduction)
  - Case reduction (symmetry)
Slide 20: Illustration: Tomasulo's algorithm
- Execute instructions in data flow order
(Figure: a register file of VAL/TAG entries; INSTRUCTIONS with OP, DST, opra, oprb dispatched to reservation stations (OPS); execution units (EU) producing TAGGED RESULTS.)

Slide 21: Compositional rule
- Decompose into two lemmas
  - Lemma 1: Correct operands
  - Lemma 2: Correct results
(Figure: the Tomasulo diagram of slide 20, Lemma 1 marked at the operands entering the reservation stations, Lemma 2 at the tagged results.)

Slide 22: Proving the operand lemma
(Figure: the same diagram; the "cone of influence" reduction eliminates the part of the design that does not affect Lemma 1.)
Slide 23: Auxiliary variables in Tomasulo
- Used to store correct operands and results for each instruction
    if (~stallout & opin=ALU){
      next(aux[st].opra) := opra;
      next(aux[st].oprb) := oprb;
      next(aux[st].res) := res;
    }
(Figure residue: SPEC, INSTRUCTIONS, RESULTS, EU, OP, DST, opra, oprb, O1, O2, R.)

Slide 24: Lemmas in SMV
- Operand correctness
    forall (k in TAG) layer lemma1 :
      if (rs[k].valid & rs[k].opra.valid) rs[k].opra.val := aux[k].opra;
- Result correctness
    forall (i in TAG) layer lemma2[i] :
      if (rb.tag = i & rb.valid) rb.val := aux[i].res;
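To show how the auxiliary variables and the two lemmas above fit together, here is an added Python model of a Tomasulo-style core; it is not code from the talk or from SMV, and its names (Tomasulo, issue, complete, lemmas_hold) and the constructed `buggy` tag defect are assumptions for illustration. The in-order reference register file plays the role of the SPEC, aux values are recorded at issue time just as the SMV fragment does, and lemmas_hold evaluates lemma 1 and lemma 2 at each result broadcast.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Opnd:
    val: int = 0
    tag: Optional[int] = None   # None: val is data; otherwise waiting for the result with this tag

@dataclass
class RS:                       # reservation station plus its auxiliary (reference) values
    busy: bool = False
    opra: Opnd = field(default_factory=Opnd)
    oprb: Opnd = field(default_factory=Opnd)
    aux: tuple = (0, 0, 0)      # aux[k] = (correct opra, correct oprb, correct res)

class Tomasulo:
    def __init__(self, init, ntags, f, buggy=False):
        self.f, self.buggy = f, buggy
        self.val, self.tag = list(init), [None] * len(init)  # reg file: value or producer tag
        self.ref = list(init)           # in-order reference register file (the SPEC)
        self.rs = [RS() for _ in range(ntags)]

    def issue(self, ra, rb, rd):        # dispatch an instruction to a free station
        free = [k for k, s in enumerate(self.rs) if not s.busy]
        if not free:
            return False
        k, s = free[0], self.rs[free[0]]
        s.busy, s.opra, s.oprb = True, Opnd(self.val[ra], self.tag[ra]), Opnd(self.val[rb], self.tag[rb])
        a, b = self.ref[ra], self.ref[rb]           # definitional aux update: what the
        s.aux = (a, b, self.f(a, b))                # operands and result must turn out to be
        self.ref[rd], self.tag[rd] = s.aux[2], k
        return True

    def ready(self):
        return [k for k, s in enumerate(self.rs) if s.busy and s.opra.tag is None and s.oprb.tag is None]
    def complete(self, k):              # EU finishes station k and broadcasts a tagged result
        s = self.rs[k]
        res, s.busy = self.f(s.opra.val, s.oprb.val), False
        if self.buggy:                  # constructed defect: the result goes out under a wrong tag
            k = (k + 1) % len(self.rs)
        for t in self.rs:               # forward to waiting operands and to registers
            for o in (t.opra, t.oprb):
                if t.busy and o.tag == k:
                    o.val, o.tag = res, None
        for r in range(len(self.tag)):
            if self.tag[r] == k:
                self.val[r], self.tag[r] = res, None
        return k, res

    def lemmas_hold(self, tag, res):    # the two SMV lemmas as runtime checks
        ok2 = res == self.rs[tag].aux[2]                # lemma 2: result correctness
        ok1 = all(o.tag is not None or o.val == a       # lemma 1: operand correctness
                  for s in self.rs if s.busy for o, a in zip((s.opra, s.oprb), s.aux))
        return ok1 and ok2
```

The circularity is visible in the checks: lemma 2 holds at a broadcast only because lemma 1 held for that station's operands earlier, and the forwarded operand satisfies lemma 1 only because the broadcast satisfied lemma 2.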
Slide 25: Path splitting in Tomasulo
(Figure: the Tomasulo diagram of slide 20; the "cone of influence" reduction eliminates the part of the design irrelevant to the split case.)

Slide 26: SMV implementation
- Split cases of operand correctness on
  - producer reservation station
  - holding register
- SMV implementation
    subcase lemma1[i][j] of rs[k]//lemma1
      for rs[k].opra.tag = i & aux[k].srca = j;

Slide 27: Case explosion problem
- Number of cases in operand correctness property: TAGS x REGS x TAGS = O(n^3)
- Symmetric data type declarations
    scalarset REG 0..31;
    scalarset TAG 0..31;
- SMV verifies that the types are used in a symmetric way

Slide 28: Symmetry reduction in operands lemma
(Figure: the Tomasulo diagram with the case indices marked: j at the register file, i at the tagged result, k and l at the reservation stations.)
Reduces by symmetry to two cases: (i = 0, j = 0, k = 0) and (i = 0, j = 0, k = 1)
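An added Python example (not from the talk) of the symmetry reduction on this slide: it enumerates the O(n^3) cases (i, j, k) and keeps one representative per class under independent permutations of each scalarset, reproducing the two cases above. It goes slightly beyond the slide by also handling named constants 0..c-1 that the property fixes (slide 16's side condition) and ordinary, non-symmetric types; the function names and the `scalarsets` argument are assumptions.

```python
from itertools import product

def canonical(case, types, scalarsets):
    """Canonical representative of `case` under permutations of its scalarset types.

    types[n] names the type of case[n]; scalarsets maps each symmetric type to the
    number c of constants 0..c-1 the property mentions (those may not be permuted).
    Other values of a symmetric type are relabelled in order of first appearance,
    so two cases get the same tuple exactly when a permutation maps one to the other.
    """
    seen, out = {}, []
    for v, t in zip(case, types):
        if t in scalarsets and v >= scalarsets[t]:
            labels = seen.setdefault(t, {})
            out.append(labels.setdefault(v, scalarsets[t] + len(labels)))
        else:
            out.append(v)        # ordinary type, or a named constant: keep as is
    return tuple(out)

def symmetry_reduce(types, sizes, scalarsets):
    """Return (number of cases before reduction, sorted representatives after it)."""
    reps = set()
    total = 0
    for case in product(*(range(sizes[t]) for t in types)):
        reps.add(canonical(case, types, scalarsets))
        total += 1
    return total, sorted(reps)
```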
Slide 29: Type reduction: infinite-state Tomasulo
- Scalarsets with undefined range
- Data type reduction TAG -> {i, k}, REG -> {j}
- Only include the values we care about in the reduced type
- Reduces variable encodings to
  - 1 bit per variable of type REG
  - 2 bits per variable of type TAG
(related: Kurshan)
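An added Python sketch (not part of the talk) of the data type reduction as an abstract domain: a type T collapses to the kept values plus one abstract value standing for every other value, equality between two abstract values is nondeterministic, and `sound` checks the abstraction against a concrete sample. The class name, method names and the sample values are assumptions.

```python
import math

OTHER = "T_S"   # abstract value standing for every concrete value outside the kept set S

class TypeReduction:
    """Reduce a large or infinite scalarset type T to S plus the abstract value T_S."""

    def __init__(self, keep):
        self.keep = frozenset(keep)      # the values this proof case mentions, e.g. {i, k}

    def bits(self):                      # state bits per variable of the reduced type
        return math.ceil(math.log2(len(self.keep) + 1))

    def alpha(self, x):                  # abstraction of a concrete value
        return x if x in self.keep else OTHER

    def eq(self, a, b):                  # possible outcomes of a = b on abstract values
        if a == OTHER and b == OTHER:
            return {True, False}         # two unknown values may or may not coincide
        return {a == b}                  # a kept value is never equal to an "other" value

    def sound(self, sample):             # every concrete outcome is covered by the abstract one
        return all((x == y) in self.eq(self.alpha(x), self.alpha(y))
                   for x in sample for y in sample)
```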
Slide 30: Uninterpreted functions
- Verify Tomasulo for an arbitrary EU function f(a, b).
(Figure: SPEC computes RESULTS from INSTRUCTIONS with f(a, b); the implementation's EUs also compute f(a, b).) (related: Burch, Dill, Jones, etc...)

Slide 31: Case splitting
- Prove result correctness only for specific cases, e.g. opra = 0, oprb = 1, f[0][1] = 2
- 3! = 6 cases verified
(Figure: the Tomasulo diagram with 0 and 1 marked at the operands and 2 at the result of f(a, b).) (related: Hojati, Singhal, Bryant, Clarke)

Slide 32: Result
- Verification problem reduced to tractable MC problems
  - Max 25 state bits
  - 11 cases of lemmas to verify after symmetry
  - Verification time less than 4 seconds
- Tomasulo implementation proved for
  - Arbitrary number of registers and reservation stations
  - Arbitrary data word size and EU function
- The proof is concise
Slide 33: Summary of approach
- Auxiliary variables and circular rule
  - operand/result lemmas
- Temporal case splitting
  - data path splitting
- Symmetry reductions
  - reduce to a tractable number of cases
- Data type reductions
  - reduce large or infinite data types to small finite ones
  - uninterpreted functions for data operations

Slide 34: More examples
- Applications of the same general strategy:
  - InfoPad packet multiplexer
  - SGI cache coherence

Slide 35: InfoPad example (Truman 98)
(Figure: block diagram of the InfoPad: ARM processor subsystem, packet buffer memory, pen, speech and video inputs, TX/RX ASIC (32-bit word), FPGA (FEC, timing, ...), wireless modems on serial FEC-encoded links, bus bridge, audio/speech, VGA control (8-bit word).)

Slide 36: Decomposition -- data integrity
(Figure: packet streams P entering a packet mux; the data integrity proof uses tag induction and path splitting.)

Slide 37: Cache coherence (Eiriksson 98)
- Distributed cache coherence protocol
- Atomic actions
- Nondeterministic abstract model
- Single address abstraction
- Verified coherence, etc...
(Figure: hosts with processors (P), memory (M), IO and a network interface (INTF) connected by a S/F network running the host protocol.)

Slide 38: Mapping protocol to RTL
(Figure: the abstract model (host, S/F network, protocol, other hosts) mapped to ~30K lines of Verilog containing TAGS, TABLES and a CAM.)

Slide 39: Conclusions
- Goal
  - System-level verification by model checking
- Approach
  - Appropriate domain-specific proof strategy
  - Proof rules designed to support this strategy
- Result
  - Proof goals reduced to tractable MC problems
  - Short proofs -- no global invariants