1 / 39

Ken McMillan Cadence Berkeley Labs

Minimalist proof assistants Interactions of technology and methodology in formal system level verification. Ken McMillan Cadence Berkeley Labs. 1. Automated methods curve. 100%. verification probability. research. systems. 1. 10. 100. 10 3. 10 4. 10 5. 10 6. 10 7.

gaurav
Download Presentation

Ken McMillan Cadence Berkeley Labs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Minimalist proof assistantsInteractions of technology andmethodology in formal system level verification Ken McMillan Cadence Berkeley Labs 1

  2. Automated methods curve 100% verification probability research systems 1 10 100 103 104 105 106 107 system size (bits of state)

  3. Automated methods curve 100% decomposition verification probability verification unit-level FV bug finding 1 10 100 103 104 105 106 107 system size (bits of state)

  4. Proof assistants • General purpose proof assistants • Expressive logics • Integration with model checking • Problem: Do not naturally produce finite-state subgoals • Result: • Detailed manual case analysis • Complex global invariants • Long, fragile proof scripts

  5. What's missing... • Proof strategy that produces finite-state lemmas • Infrastructure to support this strategy • Reduced interactivity • more reusable proofs • no global invariants (too design-specific)

  6. Minimalist proof assistant • Approach • Minimal logical expressiveness • Appropriate domain-specific proof strategy • Proof rules designed to support this strategy • All proof obligations reduced to model checking • Result • Short proofs • Proof goals reduced to tractable MC problems • Proofs more easily reused related: Seger 98

  7. Rules built into SMV system... • Circular compositional rule • decomposition by refinement relations • auxiliary state • Temporal case analysis • path splitting • Symmetry reductions • reduce by symmetry to tractable number of cases • Data type reductions • large and infinite types • uninterpreted functions support general proof strategy...

  8. Compositional refinement verification Abstract model Translations System

  9. Localized verification Abstract model Translations assume prove System

  10. Localized verification Abstract model Translations assume prove System

  11. Circular inference rule f1 up to t -1 implies f2 up to t f2 up to t -1 implies f1 up to t always f1 and f2 SPEC (related: AL 95, AH 96)

  12. Auxiliary variables SPEC A P P aux Q * A is “definitional” * Q does not reference A aux Q (related: Owicki, Gries)

  13. Big structures and path splitting SPEC A P P i

  14. Temporal case splitting • Prove separately that p holds at all times when v = i. • Path splitting record register index v i

  15. i Case explosion and symmetry SPEC A P P k

  16. Exploiting symmetry • Symmetric types • Semantics invariant under permutations of type. • Enforced by type checking rules. • Symmetry reduction rule * i is of scalarset type * P references only constants 0..k-1 of type (related: Murphi)

  17. Data type reductions • Problem: large data types yield state explosion • Solution: reduce large (or infinite) types where T\i represents all the values in T except i. • Abstract interpretation Note: use in conjunction with case splitting

  18. Data types with large ranges • Words, addresses, sequence numbers, tags, etc... • Example: content addressable memory KEY VALUE = = = QUERY = = = =

  19. Summary of proof strategy • Control logic • Structural decomposition (comp. rule) • Data path • Refinement maps (comp. rule + aux.) • Decompose large structures (path splitting) • Reduce large types (data type reduction) Case reduction (symmetry)

  20. OP,DST OP,DST OP,DST opra opra opra oprb oprb oprb Illustration: Tomasulo’s algorithm • Execute instructions in data flow order VAL/TAG REG FILE VAL/TAG TAGGED RESULTS VAL/TAG VAL/TAG EU INSTRUCTIONS OPS EU EU

  21. VAL/TAG REG FILE VAL/TAG TAGGED RESULTS VAL/TAG VAL/TAG OP,DST OP,DST OP,DST EU opra opra opra oprb oprb oprb INSTRUCTIONS OPS EU EU Compositional rule • Decompose into two lemmas Lemma 2: Correct results Lemma 1: Correct operands

  22. OP,DST opra oprb Proving the operand lemma Lemma 2: Correct results VAL/TAG REG FILE VAL/TAG TAGGED RESULTS VAL/TAG VAL/TAG OP,DST EU opra oprb INSTRUCTIONS OP,DST OPS EU opra oprb EU Lemma 1: Correct operands "cone of influence" eliminates

  23. OP,DST opra oprb Auxiliary variables in Tomasulo • Used to store correct operands and results for each instruction SPEC RESULTS if (~stallout & opin=ALU){ next(aux[st].opra) := opra; next(aux[st].oprb) := oprb; next(aux[st].res) := res; } INSTRUCTIONS EU O1 O2 R

  24. Lemmas in SMV • Operand correctness forall (k in TAG) layerlemma1 : if (rs[k].valid & rs[k].opra.valid) rs[k].opra.val := aux[k].opra; • Result correctness forall (i in TAG) layerlemma2[i] : if (rb.tag = i & rb.valid) rb.val := aux[i].res;

  25. OP,DST opra oprb Path splitting in Tomasulo VAL/TAG REG FILE VAL/TAG TAGGED RESULTS VAL/TAG VAL/TAG OP,DST EU opra oprb INSTRUCTIONS OP,DST OPS EU opra oprb EU "cone of influence" eliminates

  26. SMV implementation • Split cases of operand correctness on • producer reservation station • holding register • SMV implementation subcase lemma1[i][j] of rs[k]//lemma1 for rs[k].opra.tag = i & aux[k].srca = j;

  27. Case explosion problem • Number of cases in operand correctness property: TAGS ´ REGS ´ TAGS = O(n3) • Symmetric data type declarations scalarset REG 0..31; scalarset TAG 0..31; • SMV verifies types used in symmetric way

  28. OP,DST opra oprb Symmetry reduction in operands lemma • Reduces by symmetry to two cases: (i = 0, j = 0, k = 0) (i = 0, j = 0, k = 1) j VAL/TAG REG FILE VAL/TAG TAGGED RESULTS VAL/TAG VAL/TAG i OP,DST EU opra oprb INSTRUCTIONS OP,DST OPS EU opra oprb EU k

  29. Type reduction: infinite-state Tomasulo • Scalarsets with undefined range • Data type reduction TAG->{i,k}, REG ->{j} • Only include values we care about in reduced type • Reduces variable encodings to • 1 bit per variable of type REG • 2 bits per variable of type TAG (related: Kurshan)

  30. OP,DST opra oprb Uninterpreted functions • Verify Tomasulo for arbitrary EU function f(a,b). SPEC RESULTS INSTRUCTIONS f(a,b) VAL/TAG REG FILE VAL/TAG TAGGED RESULTS VAL/TAG VAL/TAG OP,DST opra oprb f(a,b) INSTRUCTIONS OP,DST OPS opra oprb f(a,b) (related: Burch, Dill, Jones, etc...)

  31. Case splitting • Prove result correctness only for specific cases, e.g. opra = 0, oprb = 1, f[0][1] = 2 3! = 6 cases verified VAL/TAG REG FILE 2 VAL/TAG VAL/TAG VAL/TAG OP,DST f(a,b) 0 1 INSTRUCTIONS OP,DST OPS f(a,b) opra oprb f(a,b) OP,DST (related: Hojati, Singhal, Bryant, Clarke) opra oprb

  32. Result • Verification problem reduced to tractable MC problems • Max 25 state bits • 11 cases of lemmas to verify after symmetry • Verification time less than 4 seconds • Tomasulo implementation proved for • Arbitrary number of registers, reservation stations • Arbitrary data word size and EU function • The proof is concise

  33. Summary of approach • Auxiliary variables and circular rule • operand and result lemmas • Temporal case splitting • data path splitting • Symmetry reductions • reduce to tractable number of cases • Data type reductions • reduce large or infinite data types to small finite • uninterpreted functions for data operations

  34. More examples • Applications of the same general strategy: • Infopad packet multiplexer • SGI cache coherence

  35. InfoPad example (Truman 98) Packet Buffer Memory Pen Serial, FEC encoded Wireless Modems Speech FPGA (FEC, timing,…) TX Video RX ASIC ARM processor subsystem Bus Bridge 8-bit word Audio/ Speech 32-bit word VGA control

  36. Decomposition -- data integrity Packet streams P P tag tag induction path splitting Packet mux data data

  37. P P M IO INTF to net host host host protocol Distributed cache coherence protocol protocol S/F network Cache coherence (Eiriksson 98) • Nondeterministic abstract model • Atomic actions • Single address abstraction • Verified coherence, etc...

  38. protocol TABLES CAM Mapping protocol to RTL host other hosts S/F network Abstract model TAGS ~30K lines of verilog

  39. Conclusions • Goal • System-level verification by model checking • Approach • Appropriate domain-specific proof strategy • Proof rules designed to support this strategy • Result • Proof goals reduced to tractable MC problems • Short proofs -- no global invariants

More Related