Combining Theorem Proving and Model Checking with WEBs (PowerPoint presentation, transcript and presenter's notes)

1
Combining Theorem Proving and Model Checking with WEBs
Task ID 685.002: Combining Theorem Proving and Model Checking with WEBs
J Strother Moore, Pete Manolios
University of Texas at Austin
2
Project Overview
  • We will investigate methods of combining theorem
    proving and model-checking. ...
  • We will add WEB, quotient extraction, and
    model-checking support to ACL2 and will apply
    these tools and techniques to verify a simple
    pipelined machine.
  • We will apply these methods to a more elaborate
    pipeline microprocessor model ... .
  • We will explore ways in which ACL2 can be used in
    a lightweight fashion.

3
Overview
  • The ACL2 Project Status Report
  • What is ACL2?
  • Past Industrial Applications.
  • Ongoing Industrial Applications.
  • Improvements.
  • Correctness of Pipelined Machines
  • A simple pipeline example.
  • Correctness based on WEBs.
  • Automating the proofs.
  • Extensions and future work.

4
What is ACL2?
  • ACL2 is
  • a functional programming language,
  • a mathematical logic, and
  • an interactive automated theorem proving system.
  • It is being developed by Matt Kaufmann and J
    Strother Moore.
  • It is the successor to the Boyer-Moore theorem
    prover, NQTHM.

5
ACL2 Home Page
  • http://www.cs.utexas.edu/users/moore/acl2
  • Sources and installation instructions (GNU
    General Public License).
  • Several megabytes of hypertext documentation.
  • Books and papers, including
  • Computer-Aided Reasoning: An Approach, Kaufmann,
    Manolios and Moore, Kluwer Academic Publishers,
    2000.
  • Computer-Aided Reasoning: ACL2 Case Studies,
    Kaufmann, Manolios and Moore (eds), Kluwer
    Academic Publishers, 2000.
  • Lemma libraries.

6
Past Industrial Applications
  • ACL2 is interesting in part because it allows the
    construction of efficiently executable formal
    models and supports mechanically checked proofs
    about them.
  • Motorola
  • AMD
  • IBM
  • Rockwell Collins
  • Union Switch and Signal

7
Motorola
  • Formalization of a DSP chip at two levels:
  • pipelined architecture
  • sequential ISA (microcode engine)
  • Definition of an executable hazard detection
    program.
  • Proof that absence of hazards implies
    equivalence of the two formal models.
  • Check that 50 microcode programs (written by
    Motorola engineers and extracted from the ROM)
    were hazard free.
  • Proof of correctness of two microcode programs
    (FIR filter and Peak Finding).

8
AMD and IBM
  • AMD
  • IEEE 754 compliance of K5 microcode for FDIV and
    FSQRT.
  • IEEE 754 compliance of Athlon RTL for all
    elementary floating point operations.
  • IBM
  • Security model for the IBM 4758 secure
    co-processor and FIPS 140-1 Level Four (highest)
    certification for hardware and software.

9
Rockwell Collins, Union Switch and Signal
  • Rockwell Collins Avionics
  • Formal model of first silicon JVM (used primarily
    as the pre-fab simulation engine).
  • The JEM1 chip is now marketed by Ajile Systems,
    Inc.
  • Some proofs of properties.
  • Union Switch and Signal
  • Verification of a safety critical compiler
    checker for trainborne real time control software.

10
Ongoing Industrial Applications
  • The weekly ACL2 Users Meeting in Austin is open
    to all and is regularly attended by users from
    AMD, IBM, and UT.
  • The ACL2 Workshop is held roughly every 18 months
    (last meeting October, 2000, in Austin, TX) and
    is attended by many industrial users and other
    interested parties. See the home page.
  • Some of the ongoing ACL2-related activity is
    described next.

11
AMD
  • Inhouse modeling and proofs of various
    microprocessor components and protocols.
  • Introduction of a total order on ACL2 objects (in
    collaboration with Pete).
  • A new record package that simplifies state
    machine models (in collaboration with Pete).
  • Verified (sound and complete) BDD tool.
  • Proofs of several distributed algorithms (in
    collaboration with Pete and other UT grad
    students).
  • Definition and lemma libraries supporting RTL
    models.
  • Definition and lemma libraries supporting
    floating point reasoning.

12
Industrial Applications
  • IBM
  • CAD tool implemented in ACL2 (to be verified).
  • Rockwell Collins Avionics
  • Several formal microprocessor models used for
    both simulation and proof.
  • Correctness proofs.
  • Development of rewriting techniques for coping
    with big state-based models.
  • Compaq
  • Disk Paxos Project: UT is using ACL2 to check a
    proof that the Disk Paxos algorithm implements a
    fault-tolerant distributed system maintaining
    consistency between a network of processors and
    disks.

13
Improvements
  • ACL2 is constantly undergoing improvements. The
    current release is Version 2.5. Version 2.6 will
    be out in a few months and includes
  • A total ordering on ACL2 objects.
  • Optimization of compiled code for state-based
    models.
  • Simplification of proof obligations related to
    state-based models.
  • New rewriting strategy for state-based models
    that combines lazy rewriting with
    special-purpose handling of state assignments,
    lambda expressions, and certain function
    definitions, and caching.
  • Metafunction support "opening" many ACL2 proof
    techniques for user-customization.

14
Improvements
  • New libraries for records and finite set theory.
  • We are also working on a sweeping improvement to
    the arithmetic package of ACL2.
  • Currently a linear arithmetic decision procedure
    is integrated into the rewriter.
  • The new system will include many heuristics for
    non-linear reasoning.

15
Correctness of Pipelined Machines.
  • Pipeline Example due to Sawada.
  • Correctness via Well-founded Equivalence
    Bisimulation WEB.
  • Verification of the pipeline example (Appeared in
    FMCAD and ACL2 workshop).

16
Pipeline Example
  • State = ⟨pc, ⟨ra, rb⟩⟩
  • Instruction = ⟨opcode, target, src1, src2⟩
  • ISA (Instruction Set Architecture)
  • MA (Micro Architecture): a 3-stage pipeline with
    stages fetch, set-up, write.
17
Pipeline Example
Instruction = ⟨op, target, src1, src2⟩

    Inst 0: add rb ra ra      (rb := ra + ra)
    Inst 1: add ra rb ra      (ra := rb + ra)

Registers are shown in decimal for the ISA and in binary for the MA;
"--" marks a PC value the slide does not show.

    Step | ISA          | MA               | Inst 0 | Inst 1
    -----+--------------+------------------+--------+-------
    0    | ⟨0, ⟨1,1⟩⟩   | ⟨00, ⟨01,01⟩⟩    |        |
    1    | ⟨1, ⟨1,2⟩⟩   | ⟨01, ⟨01,01⟩⟩    | fetch  |
    2    | ⟨2, ⟨3,2⟩⟩   | ⟨10, ⟨01,01⟩⟩    | set-up | fetch
    3    |              | ⟨10, ⟨01,10⟩⟩    | write  | stall
    4    |              | ⟨--, ⟨01,10⟩⟩    |        | set-up
    5    |              | ⟨--, ⟨11,10⟩⟩    |        | write
18
Pipeline Example
Our goal is to show that the ISA and MA machines
have equivalent infinite traces (up to finite stuttering).
The transcript labels the last three columns only as "MA";
the readings given here follow the refinement map described
on slide 25 (convert to decimal, invalidate the latches,
adjust the PC) and then remove the stuttering steps.

    ISA          | MA           | MA, latches invalidated, PC adjusted | MA, stuttering removed
    -------------+--------------+--------------------------------------+-----------------------
    ⟨0, ⟨1,1⟩⟩   | ⟨0, ⟨1,1⟩⟩   | ⟨0, ⟨1,1⟩⟩                           | ⟨0, ⟨1,1⟩⟩
    ⟨1, ⟨1,2⟩⟩   | ⟨1, ⟨1,1⟩⟩   | ⟨0, ⟨1,1⟩⟩                           | ⟨1, ⟨1,2⟩⟩
    ⟨2, ⟨3,2⟩⟩   | ⟨2, ⟨1,1⟩⟩   | ⟨0, ⟨1,1⟩⟩                           | ⟨2, ⟨3,2⟩⟩
                 | ⟨2, ⟨1,2⟩⟩   | ⟨1, ⟨1,2⟩⟩                           |
                 | ⟨-, ⟨1,2⟩⟩   | ⟨1, ⟨1,2⟩⟩                           |
                 | ⟨-, ⟨3,2⟩⟩   | ⟨2, ⟨3,2⟩⟩                           |

19
Correctness of Pipelined Machines.
  • Pipeline Example due to Sawada.
  • Correctness via Well-founded Equivalence
    Bisimulation WEB.
  • Verification of the pipeline example (Appeared in
    FMCAD and ACL2 workshop).

20
Well-founded Equivalence Bisimulation
Transition System (TS): $M = \langle S, \rightarrow, L \rangle$.
$B$ is a WEB [Man01] on $M$ iff
1. $B$ is an equivalence relation on $S$, and
2. $\langle \forall s, w \in S :: sBw \Rightarrow L(s) = L(w) \rangle$, and
3. states related by $B$ have related infinite paths,
   up to finite stuttering [Lam83].
  • This notion is called stuttering bisimulation
    [BCG88, Nam97].
  • Since (3) mentions infinite paths, it requires
    global reasoning, which makes mechanical
    verification arduous.
  • An equivalent formalization based on well-founded
    orderings that requires only local reasoning
    follows.

21
WEB
3. There is a function $\mathit{rank} : S \times S \rightarrow W$ such
that $\langle W, \prec \rangle$ is well-founded and
$$
\Big\langle \forall s, u, w \in S ::\ (sBw \wedge s \rightarrow u) \Rightarrow
\langle \exists v :: w \rightarrow v \wedge uBv \rangle
\vee \big(uBw \wedge \mathit{rank}(u,u) \prec \mathit{rank}(s,s)\big)
\vee \langle \exists v :: w \rightarrow v \wedge sBv \wedge \mathit{rank}(u,v) \prec \mathit{rank}(u,w) \rangle
\Big\rangle
$$
22
An Example
[Figure: a transition system drawn as a graph, with the equivalence
relation B and the labeling L marked; the diagram did not survive
transcription.]
23
An Example
[Figure continued.]
24
WEBs preserve CTL*\X
Theorem. If $B$ is a WEB on $M$ and $sBw$, then for
any CTL*\X formula $f$, $M, s \models f$ iff $M, w \models f$.
Corollary. States related by a WEB satisfy the
same LTL\X formulas.
25
Refinement
Our goal is to prove that MA implements ISA with
respect to the map that converts binary numbers
to decimal numbers and modifies the PC as
previously discussed. The technical term for
this is refinement. In the context of WEBs we
have:
Let $M = \langle S, \rightarrow, L \rangle$ and $M' = \langle S', \rightarrow', L' \rangle$ be
disjoint, and let $r : S \rightarrow S'$. $M$ is a refinement of
$M'$ with respect to $r$ if there is a WEB on
$\langle S \cup S',\ \rightarrow \cup \rightarrow',\ \mathcal{L} \rangle$, where
$\mathcal{L}(s) = L'(r(s))$ for $s \in S$ and $\mathcal{L}(s') = L'(s')$ for $s' \in S'$,
that relates $s$ to $r(s)$ for every $s \in S$.
26
Composition
We will find that it often helps to prove a
refinement in a sequence of manageable steps.
The following theorem allows us to perform this
kind of compositional reasoning.
Theorem. If $M$ is a refinement of $M'$ with respect to $r$
and $M'$ is a refinement of $M''$ with respect to $q$, then
$M$ is a refinement of $M''$ with respect to $q \circ r$.
27
Correctness of Pipelined Machines.
  • Pipeline Example due to Sawada.
  • Correctness via Well-founded Equivalence
    Bisimulation WEB.
  • Verification of the pipeline example
  • Appeared in FMCAD and ACL2 workshop.

28
Manual Component of the Proof
We start by defining the ISA and MA machines in
ACL2. We then require the following definitions
(not proofs):
  • How to invalidate an MA state: invalidate the
    latches and modify the PC as before.
  • The refinement map: the ISA-visible components
    after invalidating.
  • The good MA states: those equal to invalidating
    and stepping the state.
  • The MA rank function: based on which latches are
    valid.

29
Automatic Component of Proof
I have defined libraries that automate the rest
of the proof.
The disjoint structure is generated and the
following core theorem is proved:

    ;; s, w: related ISA and MA states; u, v: their successors.
    ;; If the MA step does not commit the ISA step (u, v unrelated),
    ;; then the MA stuttered (s still related to v) and its rank dropped.
    (defthm B-is-a-WEB-core
      (let ((u (ISA-step s))
            (v (MA-step w)))
        (implies (and (B-core s w)
                      (not (B-core u v)))
                 (and (B-core s v)
                      ;; e0-ord-< is ACL2's well-founded ordinal less-than
                      (e0-ord-< (MA-rank v)
                                (MA-rank w))))))

It takes 10 seconds vs. 30 hours for a naïve
translation. Finally, the fully quantified version
is proved by instantiation of general theorems in
our library.
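The pipeline traces of slides 17 and 18 and the core obligation of slide 29, worked in Python as an added example: this is not code from the slides, nor the ACL2 models or libraries they describe. The machine is a simplified 3-stage pipeline in the spirit of Sawada's example, not his model: instructions are ⟨op, target, src1, src2⟩ with a single add operation mod 2^BITS, BITS = 2 is assumed so that every MA state can be enumerated, the set-up stage reads operands from the registers as they stood before the same cycle's write, and a read-after-write hazard stalls set-up and fetch for a cycle (all of these are this example's own assumptions, as are the names refine, ma_rank, reachable_ma and check_web). refine is the refinement map (invalidate the latches, roll the PC back over them), ma_rank is a rank based on which latches are valid, and check_web enumerates every reachable MA state and checks what slide 29 states as B-is-a-WEB-core: either the MA step commits the ISA step, or it stutters with a strictly smaller rank. Turning hazard detection off makes check_web return a counterexample, which is the model-checking half of the combination the talk is about.

```python
# Added example (not the ACL2 model from the talk): a toy ISA and 3-stage MA
# pipeline, the refinement map, a rank function, and an exhaustive check of the
# WEB core obligation. Names, the 2-bit registers and the stall rule are assumed.
from itertools import product

BITS = 2                              # assumed small so every MA state can be enumerated
MOD = 1 << BITS
REGS = ("ra", "rb")
# Constructed program from slide 17: 0: add rb ra ra ; 1: add ra rb ra
PROG = (("add", "rb", "ra", "ra"),
        ("add", "ra", "rb", "ra"))


def isa_step(s, prog=PROG):
    """ISA state = (pc, (ra, rb)); executes prog[pc], stutters past the end."""
    pc, regs = s
    if pc >= len(prog):
        return s
    _op, tgt, src1, src2 = prog[pc]
    r = dict(zip(REGS, regs))
    r[tgt] = (r[src1] + r[src2]) % MOD
    return (pc + 1, tuple(r[n] for n in REGS))


def ma_step(w, prog=PROG, hazards=True):
    """MA state = (pc, (ra, rb), latch1, latch2): latch1 is a fetched instruction,
    latch2 an instruction with its operand values. Per cycle: write (latch2 ->
    registers), set-up (latch1 -> latch2, operands read from the registers as
    they stood before this cycle's write), fetch. A read-after-write hazard
    stalls set-up and fetch for that cycle."""
    pc, regs, l1, l2 = w
    old = dict(zip(REGS, regs))
    new = dict(old)
    if l2 is not None:                                  # write stage
        (_op, tgt, _s1, _s2), v1, v2 = l2
        new[tgt] = (v1 + v2) % MOD
    new_l1, new_l2, stalled = l1, None, False
    if l1 is not None:                                  # set-up stage
        _op, _tgt, src1, src2 = l1
        if hazards and l2 is not None and l2[0][1] in (src1, src2):
            stalled = True                              # wait for the write to land
        else:
            new_l2 = (l1, old[src1], old[src2])
            new_l1 = None
    if not stalled and pc < len(prog):                  # fetch stage
        new_l1 = prog[pc]
        pc += 1
    return (pc, tuple(new[n] for n in REGS), new_l1, new_l2)


def refine(w):
    """Refinement map r: invalidate the latches and roll the PC back over them."""
    pc, regs, l1, l2 = w
    return (pc - (l1 is not None) - (l2 is not None), regs)


def ma_rank(w):
    """Rank from which latches are valid: cycles left before the next commit."""
    _pc, _regs, l1, l2 = w
    return 0 if l2 is not None else (1 if l1 is not None else 2)


def trace(step, x, n):
    """x and its next n successors under step."""
    out = [x]
    for _ in range(n):
        out.append(step(out[-1]))
    return out


def collapse_stutter(states):
    """Drop repeated consecutive states: the trace up to finite stuttering."""
    out = []
    for x in states:
        if not out or out[-1] != x:
            out.append(x)
    return out


def reachable_ma(prog=PROG, hazards=True):
    """Every MA state reachable from an empty pipeline with any register contents."""
    seen = set()
    todo = [(0, regs, None, None) for regs in product(range(MOD), repeat=len(REGS))]
    while todo:
        w = todo.pop()
        if w not in seen:
            seen.add(w)
            todo.append(ma_step(w, prog, hazards))
    return seen


def check_web(prog=PROG, hazards=True):
    """The B-is-a-WEB-core obligation on every reachable MA state w. With
    s = r(w), u = ISA-step(s), v = MA-step(w): either u B v (the MA committed
    the ISA instruction) or s B v and rank(v) < rank(w) (it stuttered and the
    rank dropped). Returns None if every state passes, else (s, w, u, v)."""
    for w in sorted(reachable_ma(prog, hazards), key=repr):
        s, u, v = refine(w), isa_step(refine(w), prog), ma_step(w, prog, hazards)
        if refine(v) == u or (refine(v) == s and ma_rank(v) < ma_rank(w)):
            continue
        return (s, w, u, v)
    return None
```

Running trace(ma_step, (0, (1, 1), None, None), 5) reproduces the MA column of slide 17 (in decimal), mapping it through refine gives the third column of slide 18, and collapse_stutter of that equals trace(isa_step, (0, (1, 1)), 2). The rank along that trace is 2, 1, 0, 1, 0, 2: it drops on every stuttering step and is allowed to grow only across a commit. check_web() returns None; check_web(hazards=False) returns the state pair at which the stale operand read makes the MA commit a register value the ISA never produces, which is the sort of failure a bounded enumeration finds before any theorem-proving effort is spent.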
30
Comparison with Sawada's Proof
Variant of Burch-Dill correctness used by Sawada.
Liveness condition: every MA state can be
flushed.
  • I prove that a pipelined machine which
    invalidates the latches and keeps other
    components intact satisfies Sawada's notion.
  • Any machine that satisfies my notion of
    correctness has the same behaviors as the ISA,
    which does not deadlock.
  • My proof: 3K / 30 sec. Sawada's proof: 94K /
    460 sec.

31
Extension to the Machine
  • Arithmetic operations mod 2^128. Overflows are
    handled by an exception handler.
  • Interrupts handled by an interrupt handler.
  • ALU based on the serial adder and multiplier from
    our ACL2 book.
  • ALU described in netlist (the gate level).
  • Proofs by composition: we prove that MA-netlist
    refines MA-serial, MA-serial refines MA, and MA
    refines ISA; hence, by composition, MA-netlist
    refines ISA.

32
Future Work
  • Correctness of highly optimized systems, e.g.,
    superscalar machines and distributed transaction
    systems.
  • PhD.