ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool
Jun Sawada and Erik Reeber
IBM Austin Research Laboratory, University of Texas at Austin
November 15, 2006
Outline of the Talk
• ACL2 Theorem Prover and SixthSense
• Related Work
• Integration of Two Verification Tools
  • Step 1: External Hint Mechanism
  • Step 2: ACL2SIX Implementation
• Soundness Argument
• Multiplier Example
• Conclusion
ACL2 Theorem Prover
• General-purpose theorem prover for first-order logic (with induction)
  • Fast evaluator
  • Powerful lemma-based rewriter
  • Generalization and induction heuristics
• Applied to large projects
  • AMD Athlon™ floating-point unit
  • Rockwell Collins AAMP7 separation kernel
  • Java bytecode verifier
• Unlike HOL, no mechanism for adding user-defined decision procedures
SixthSense
• IBM internal verification tool
• Operates on a finite-state machine described in VHDL
• Uses a transformation-based verification approach combining many model-checking algorithms
  • BDDs and SAT solvers
  • Re-timing engine
  • Localization engine
• Formally proves safety properties of FSMs
• When a property is found invalid, it returns a counterexample
Objective of the Integration
• Make SixthSense and ACL2 work together
• Use SixthSense to verify properties of tedious low-level hardware logic
• Use ACL2 to prove abstract concepts such as algorithmic or arithmetic properties
• Avoid embedding VHDL in the ACL2 logic
Related Work
• Prior ACL2 integration work
  • UCLID: Manolios and Srinivasan
  • SAT: Hunt and Reeber
• Other theorem provers
  • Model checker with PVS
  • Elsa Gunter's integration of HOL90 with external decision procedures
  • FORTE: white-box integration of a "light-weight" theorem prover with STE
Approach to Integration
• Implement a generic external tool mechanism as an ACL2 hint
  • Little modification of ACL2 code
  • Other model checkers and decision procedures can be integrated in the same way
• Implement ACL2SIX with this mechanism
  • SixthSense becomes a new ACL2 proof engine for a subset of ACL2 formulas
  • Properties proven by SixthSense are added to the ACL2 database for use by other ACL2 proof engines
ACL2SIX Implementation (architecture diagram)
• ACL2 (Common Lisp) with the external hint interface takes user inputs and other ACL2 books
• The ACL2SIX function sits on the external hint interface; it reads the VHDL source of the design through file access and calls SixthSense in a new process
Step 1: External Hint Mechanism
• ACL2 users can direct the prover's behavior by supplying (optional) hints:
    (defthm some-lemma (………)
      :hints (("Goal" :cases ((< x 0)))))
• Added a new ACL2 hint mechanism to dynamically extend the ACL2 theorem prover:
    (defthm some-lemma (………)
      :hints (("Goal" :external (fn opt-args))))
How the External Hint Mechanism Works
    (defthm some-lemma (………)
      :hints (("Goal" :external (fn opt-args))))
• fn is a user-defined function, which we call a clause processor
• The :external hint calls the clause processor fn
• fn takes the clause under proof as input
• and returns a clause list that implies the original clause
• The theorem prover continues with the new clause list
Summary of the :external Hint
• With the :external hint, we can implement
  • new theorem proving procedures
  • external tool interfaces
• The prototype modifies the ACL2 source
  • Only 57 lines of modification
• Soundness depends on the clause processor
Step 2: ACL2SIX Implementation
• ACL2SIX is a clause processor
• It is invoked through the :external hint mechanism
• When invoked, it translates the ACL2 property to VHDL
• and calls SixthSense to verify it
ACL2SIX Hint Process Flow (diagram)
• ACL2 side: an ACL2 property about the VHDL design is handed to the ACL2SIX hint
• ACL2-to-VHDL translation produces a VHDL property, which is checked against the VHDL design
• SixthSense execution, then check result
  • Yes: a reduced clause is returned to ACL2
  • No: a counterexample is returned
Property Representation
• ACL2SIX accepts hardware properties written with the following:
  • Bit and bit-vector constants
  • ACL2 functions on bit vectors in our library, e.g. bv+, bv-and, and bv-or
  • VHDL signals represented through two ACL2 functions:
    (sigbit entity signame cycle phase)
    (sigvec entity signame (lbit hbit) cycle phase)
ACL2SIX Example
(Diagram: entity ADD32 with inputs a, b and clk; an ADD block feeds a clocked register (d → q) whose output is sum, so sum appears one cycle after a and b.)
    (defthm adder-adds
      (implies (and (integerp n) (<= 1 n))
               (equal (bv+ (sigvec (add32) a (0 31) (1- n) 2)
                           (sigvec (add32) b (0 31) (1- n) 2))
                      (sigvec (add32) sum (0 31) n 2)))
      :hints (("Goal" :external (acl2six ((:cycle-expr n)
                                           (:ignore-init-cycles 1))))))
Soundness of the ACL2SIX Extension
• Combining tools often leads to subtle soundness problems
• We have an argument that ACL2SIX is sound:
  • The FSM represented by the VHDL could be defined in the ACL2 logic
  • SixthSense verifies valid safety properties of the FSM
  • Theoretically these properties could be proven in ACL2 by induction
• By constructing this argument we found (and fixed) a subtle soundness issue
Example: Booth Multiplier
• 53-bit × 54-bit multiplier
• Used to compute double-precision floating-point multiplication
• Written in VHDL
• SixthSense cannot verify the entire multiplier
• This makes a good first example for ACL2SIX
Multiplier Dataflow (diagram; cycle marks 0.5, 1.0, 1.5, 2.0, 2.5, 3.5, 4.0 across the top)
• Operands A and C enter the Booth encoder (cycle 0.5), producing 27 partial-product vectors S00 … S026
• Compression stages 1 to 5 reduce the number of vectors: 27 → 18 → 12 → 6 → 4 → 2
• The final two vectors S50 and S51 (cycle 4.0) satisfy A × C = Sum + Carry
Booth Encoder
• The Booth encoder reduces an n × n bit multiplication to the summation of n/2 vectors
• ACL2 provided the algorithmic proof of the Booth-encoding multiplier
• SixthSense proved that the VHDL design implements the ACL2 model
Compression Algorithm
• A 3-to-2 carry-save adder (CSA) takes 3 inputs and produces 2 outputs, preserving the sum
  • CSA0: inputs S00, S01, S02; outputs S10, S11 with S00 + S01 + S02 = S10 + S11
• Verified sum preservation on a single CSA using SixthSense
• Used ACL2 to combine the results to prove S00 + ... + S026 = S50 + S51
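The split on this slide (one small property checked on a single CSA, the whole-tree property obtained by chaining it) can be reproduced at the bit level. The following Python model is an added example, not code from the talk or from the IBM design: csa is the standard 3:2 carry-save adder, csa_preserves_sum is the single-element fact SixthSense is asked for, and compression_preserves_sum plays the role of ACL2's rewriting by checking that every stage of the tree keeps the sum. Vectors are W-bit words compared modulo 2**W, because the hardware discards the carry out of the top bit; the 27 input vectors are constructed values, not the multiplier's.

```python
"""Bit-level model of a 3-to-2 carry-save adder and its compression tree
(added example, not code from the talk). Vectors are `width`-bit words and
sums are compared modulo 2**width, as the hardware drops the top carry.
"""

def csa(x, y, z, width):
    """3:2 carry-save adder: bitwise sum and left-shifted majority carry."""
    mask = (1 << width) - 1
    s = x ^ y ^ z
    c = ((x & y) | (x & z) | (y & z)) << 1
    return s & mask, c & mask

def csa_preserves_sum(x, y, z, width):
    """The single-CSA property handed to SixthSense: x + y + z = s + c (mod 2**width)."""
    mask = (1 << width) - 1
    s, c = csa(x, y, z, width)
    return (x + y + z) & mask == (s + c) & mask

def exhaustive_csa_check(width):
    """Check csa_preserves_sum on every triple of `width`-bit inputs."""
    n = 1 << width
    return all(csa_preserves_sum(x, y, z, width)
               for x in range(n) for y in range(n) for z in range(n))

def compress(vectors, width):
    """Reduce a list of vectors to two, three at a time; return every stage."""
    stages = [list(vectors)]
    while len(stages[-1]) > 2:
        cur, nxt = stages[-1], []
        for i in range(0, len(cur) - 2, 3):
            nxt.extend(csa(cur[i], cur[i + 1], cur[i + 2], width))
        # vectors that do not form a full triple pass through to the next stage
        nxt.extend(cur[len(cur) - len(cur) % 3:])
        stages.append(nxt)
    return stages

def compression_preserves_sum(vectors, width):
    """The combined fact ACL2 derives by rewriting: every stage keeps the sum."""
    mask = (1 << width) - 1
    target = sum(vectors) & mask
    stages = compress(vectors, width)
    return len(stages[-1]) == 2 and all(sum(st) & mask == target for st in stages)

def stage_counts(vectors, width):
    """Number of vectors alive at each stage of the tree."""
    return [len(st) for st in compress(vectors, width)]

# Constructed input: 27 partial-product vectors, the count of the 53 x 54
# multiplier, but only 8 bits wide with arbitrary values (not from the design).
WIDTH = 8
S0 = [(37 * i + 11) & 0xFF for i in range(27)]

if __name__ == "__main__":
    s00, s01, s02 = S0[:3]
    s10, s11 = csa(s00, s01, s02, WIDTH)
    print("S00 + S01 + S02 = S10 + S11 (mod 2^8):", csa_preserves_sum(s00, s01, s02, WIDTH))
    print("stage counts:", stage_counts(S0, WIDTH))
    print("S00 + ... + S026 = S50 + S51 (mod 2^8):", compression_preserves_sum(S0, WIDTH))
```

The tree here is a plain 3:2 reduction, so its stage counts differ from the 27, 18, 12, 6, 4, 2 on the dataflow slide; what carries over is the proof structure: the only bit-level fact is csa_preserves_sum, and everything above it is arithmetic on sums.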
Multiplier Verification Summary
• In the Booth-encoding proof:
  • ACL2 did the arithmetic proof that requires induction
  • SixthSense checked that the low-level hardware detail is equivalent to the ACL2 model
• In the compressor proof:
  • SixthSense proved the basic property on a small element of the multiplier
  • ACL2 combined these results with the use of rewrite rules
• The proof can be re-run if the multiplier is modified
  • Low-level modifications are visible only to SixthSense!
Conclusion
• Added a prototype mechanism for extending ACL2 with external tools
• Integrated SixthSense and ACL2
  • Avoided VHDL embedding
  • Improved automation of ACL2
  • Widened applicability of SixthSense
• Future work
  • The external hint will be incorporated in future ACL2 releases
  • Verification of larger hardware examples, e.g. FPU divide and square root
Acknowledgements
• Built the initial prototype: Sandip Ray
• Helped design the :external extension: Matt Kaufmann
• Helped with SixthSense: Jason Baumgartner, Viresh Paruthi, and Hari Mony
Backup
Soundness Problem by Instantiation
• sigbit and sigvec are actually partially constrained functions
• ACL2 allows functional instantiation of constrained functions
• But some of the constraints are unknown to the ACL2 theorem prover
• Solution: disable functional instantiation of sigbit and sigvec
  • Requires a new feature available in the upcoming ACL2 release
Booth Encoder Encoding Table
• Reduces the multiplication to a summation
  • Half as many partial products as the grade-school method
• Two's complement notation
• Looks at three bits at a time (x[i+1] x[i] x[i-1]):
    100 → -2 * y    000 →  0 * y
    101 → -1 * y    001 →  1 * y
    110 → -1 * y    010 →  1 * y
    111 →  0 * y    011 →  2 * y
• Example: 23 * 3
  • y = 3 = 000011
  • x = 23 = 010111, with a 0 appended on the right: 010111.0
  • bits 110 → -1 * 3 * 2^0 = -3
  • bits 011 →  2 * 3 * 2^2 = 24
  • bits 010 →  1 * 3 * 2^4 = 48
  • sum: 69
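The table and the 23 * 3 walk-through above are the algorithmic side that ACL2 proved by induction; the Python below is an added example (not code from the talk) that implements the same radix-4 recoding and goes one step further than the slide by checking the identity for every n-bit two's-complement x. The table is read as (x[i+1], x[i], x[i-1]) with x[-1] = 0, which is the convention the slide's example follows; the function and variable names are this example's own.

```python
"""Radix-4 Booth recoding of an n-bit two's-complement multiplier x
(added example, not code from the talk). Partial products are
d_i * y * 4**i, one per digit, so an n-bit x yields n/2 of them.
"""

BOOTH_TABLE = {            # bits x[i+1] x[i] x[i-1]  ->  digit multiplying y
    '100': -2, '101': -1, '110': -1, '111': 0,
    '000':  0, '001':  1, '010':  1, '011': 2,
}

def twos_complement_bits(x, n):
    """n-bit two's-complement representation of x, most significant bit first."""
    lo, hi = -(1 << (n - 1)), (1 << (n - 1)) - 1
    if not lo <= x <= hi:
        raise ValueError(f'{x} does not fit in {n} signed bits')
    return format(x & ((1 << n) - 1), f'0{n}b')

def booth_digits(x, n):
    """The n/2 Booth digits of x, least significant first (n must be even)."""
    if n % 2:
        raise ValueError('n must be even')
    bits = twos_complement_bits(x, n)
    def bit(i):                       # x[i] for -1 <= i < n, with x[-1] = 0
        return '0' if i < 0 else bits[n - 1 - i]
    return [BOOTH_TABLE[bit(i + 1) + bit(i) + bit(i - 1)] for i in range(0, n, 2)]

def booth_partial_products(x, y, n):
    """Partial products d_i * y * 4**i; the slide's -3, 24, 48 for 23 * 3."""
    return [d * y * 4 ** i for i, d in enumerate(booth_digits(x, n))]

def booth_multiply(x, y, n):
    """Sum of the partial products; equals x * y when x fits in n signed bits."""
    return sum(booth_partial_products(x, y, n))

def exhaustive_check(n, ys):
    """booth_multiply(x, y, n) == x * y for every n-bit signed x and every y in ys."""
    return all(booth_multiply(x, y, n) == x * y
               for x in range(-(1 << (n - 1)), 1 << (n - 1)) for y in ys)

if __name__ == "__main__":
    print("digits of 23:", booth_digits(23, 6))                  # [-1, 2, 1]
    print("partial products of 23 * 3:", booth_partial_products(23, 3, 6))
    print("23 * 3 =", booth_multiply(23, 3, 6))
    print("all 8-bit x, a few y:", exhaustive_check(8, [3, -7, 100]))
```

Negative x works without special cases because the top group (x[n-1], x[n-2], x[n-3]) weights the sign bit by -2 * 4**(n/2-1) = -2**(n-1), exactly its two's-complement weight; the exhaustive check over the full signed range is what demonstrates that.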
In the Upcoming ACL2 Release
• Can disallow functional instantiation of sigbit and sigvec
• The external hint mechanism will include a tagging mechanism
  • Only tagged clause processors are trusted
Guiding the Theorem Prover
    (defthm rewrite-plus-minus-1
      (implies (and (natp a) (natp b))
               (equal (+ a -1 b) (+ -1 a b))))

    (thm (implies (and (natp a) (natp b))
                  (equal (nthcdr a (nthcdr b x))
                         (nthcdr (+ a b) x)))
      :hints (("Goal" :induct (nthcdr b x))))
• nthcdr removes n elements from a list
• The rewrite-plus-minus-1 lemma is used automatically in the proof of the theorem
• The :induct hint guides the prover to use the induction suggested by (nthcdr b x) on the first "Goal"
:external Example
    ;; Clause processor: replace every occurrence of expr in the clause by the
    ;; fresh variable new-var. Returns (mv error-message clause-list state).
    (defun generalize-expr (clause expr new-var state)
      (cond ((or (not (symbolp new-var))
                 (var-in-expr-listp new-var clause))
             (mv (list "ERROR: Target must be a new variable~%") nil state))
            (t (mv nil (list (substitute-expr-list expr new-var clause)) state))))

    (thm (implies (and (natp a) (natp (foo)))
                  (equal (nthcdr a (nthcdr (foo) x))
                         (nthcdr (+ a (foo)) x)))
      :hints (("Goal" :external (generalize-expr '(foo) 'b))
              ("Goal'" :induct (nthcdr b x))))
ACL2 :external Hint Example
    ;; Clause processor: case split on a and b. The first two clauses cover
    ;; the cases where a or b is not boolean; the remaining four substitute
    ;; t and nil for a and b.
    (defun split-a-and-b (cl state)
      (mv nil
          (list (append '((booleanp a)) cl)
                (append '((booleanp b)) cl)
                (subst ''t 'b (subst ''t 'a cl))
                (subst ''t 'b (subst ''nil 'a cl))
                (subst ''nil 'b (subst ''t 'a cl))
                (subst ''nil 'b (subst ''nil 'a cl)))
          state))

    (defthm theorem-1
      (implies (and (booleanp a) (booleanp b))
               (or (not b) (and a b) (and (not a) b)))
      :hints (("Goal" :external (split-a-and-b))))
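The contract stated on the "How the External Hint Mechanism Works" slide, that the returned clause list must imply the original clause, is exactly what "soundness depends on the clause processor" means, and for a processor as small as split-a-and-b it can be checked exhaustively. The Python model below is an added example, not code from the talk or from ACL2: it represents clauses as lists of terms, mirrors split-a-and-b, and tests the implication under every assignment of t, nil and one non-boolean value. The unguarded variant and the NOT_A_THEOREM clause are constructed here to show what the two booleanp guard clauses buy.

```python
"""Model of ACL2 clauses and clause processors (added example, not ACL2 code).

A clause is a list of terms read as a disjunction; a goal is proved when its
clause is valid. A clause processor maps a clause to a list of clauses and is
sound only if, under every assignment, the returned clauses together imply the
input clause. ACL2 values are not only booleans, so each variable ranges over
t, nil and one non-boolean value (modelled as True, False and 0).
"""
import itertools

T, NIL = True, False          # ACL2 t and nil
DOMAIN = (T, NIL, 0)          # 0 stands in for any non-boolean ACL2 value
QT, QNIL = ('quote', T), ('quote', NIL)

def same(u, v):
    """ACL2 equal on our value set; type-aware because False == 0 in Python."""
    return type(u) is type(v) and u == v

def ev(term, env):
    """Evaluate a term: a variable (str), a constant ('quote', v) or (op, *args)."""
    if isinstance(term, str):
        return env[term]
    op, *args = term
    if op == 'quote':
        return args[0]
    vals = [ev(a, env) for a in args]
    if op == 'booleanp':
        return isinstance(vals[0], bool)
    if op == 'not':
        return vals[0] is NIL
    if op == 'equal':
        return same(vals[0], vals[1])
    if op == 'and':
        return all(v is not NIL for v in vals)
    if op == 'or':
        return any(v is not NIL for v in vals)
    raise ValueError(f'unknown operator {op}')

def clause_holds(clause, env):
    """A clause holds when at least one literal evaluates to non-nil."""
    return any(ev(lit, env) is not NIL for lit in clause)

def subst(new, old, term):
    """Replace variable `old` by term `new` (mirror of Lisp subst on a term)."""
    if isinstance(term, str):
        return new if term == old else term
    if term[0] == 'quote':
        return term
    return (term[0],) + tuple(subst(new, old, a) for a in term[1:])

def subst_clause(new, old, clause):
    return [subst(new, old, lit) for lit in clause]

def variables(clauses):
    acc = set()
    def walk(t):
        if isinstance(t, str):
            acc.add(t)
        elif t[0] != 'quote':
            for a in t[1:]:
                walk(a)
    for cl in clauses:
        for lit in cl:
            walk(lit)
    return sorted(acc)

def split_a_and_b(cl):
    """Mirror of the slide's split-a-and-b: two guard clauses for the
    non-boolean cases plus the four boolean cases for a and b."""
    return [[('booleanp', 'a')] + cl,
            [('booleanp', 'b')] + cl,
            subst_clause(QT, 'b', subst_clause(QT, 'a', cl)),
            subst_clause(QT, 'b', subst_clause(QNIL, 'a', cl)),
            subst_clause(QNIL, 'b', subst_clause(QT, 'a', cl)),
            subst_clause(QNIL, 'b', subst_clause(QNIL, 'a', cl))]

def split_a_and_b_unguarded(cl):
    """Hypothetical buggy variant: drops the two booleanp guard clauses."""
    return split_a_and_b(cl)[2:]

def assignments(clauses):
    names = variables(clauses)
    for values in itertools.product(DOMAIN, repeat=len(names)):
        yield dict(zip(names, values))

def is_valid(clause):
    return all(clause_holds(clause, env) for env in assignments([clause]))

def is_sound_on(processor, clause):
    """Exhaustive check of the clause-processor contract on one input clause."""
    out = processor(clause)
    return all(clause_holds(clause, env)
               for env in assignments([clause] + out)
               if all(clause_holds(c, env) for c in out))

def would_discharge(processor, clause):
    """True if the prover would be left with only valid clauses, i.e. a 'proof'."""
    return all(is_valid(c) for c in processor(clause))

# theorem-1 from the slide, as the clause ACL2 hands to the processor
THEOREM_1 = [('not', ('booleanp', 'a')), ('not', ('booleanp', 'b')),
             ('or', ('not', 'b'), ('and', 'a', 'b'), ('and', ('not', 'a'), 'b'))]
# Constructed non-theorem: "a is t or a is nil", false for any non-boolean a
NOT_A_THEOREM = [('equal', 'a', QT), ('equal', 'a', QNIL)]
```

On THEOREM_1 both processors are sound and both leave only valid clauses, because the hypotheses already restrict a and b to booleans. On NOT_A_THEOREM the unguarded variant returns four ground clauses that are all valid while the input is false for a = 0, so it would "prove" a non-theorem; the guarded version's first clause fails at a = 0 and the check reports it sound. That gap is the reason the upcoming release trusts only tagged clause processors.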
ACL2SIX Features
• ignore-init-cycles: ignore the specified number of initial cycles
  • If the corresponding ACL2 hypothesis is not present, the ACL2 proof will fail
• cycle-expr: the ACL2 expression for the cycle number
• config-file: SixthSense configuration file
• (view-last-waveform): view the last counterexample waveform