ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool
Jun Sawada and Erik Reeber
IBM Austin Research Laboratory
University of Texas at Austin
November 15, 2006
FMCAD 2006
Outline of the Talk
- ACL2 Theorem Prover and SixthSense
- Integration of Two Verification Tools
- Step 1: External Hint Mechanism
- Step 2: ACL2SIX Implementation
- Soundness Argument
- Multiplier Example
- Conclusion
ACL2 Theorem Prover
- General-purpose theorem prover for first-order logic (with induction)
  - Fast evaluator
  - Powerful lemma-based rewriter
  - Generalization and induction heuristics
- Applied to large projects
  - AMD Athlon™ floating-point unit
  - Rockwell Collins AAMP7 separation kernel
  - Java bytecode verifier
- Unlike HOL, no mechanism for adding user-defined decision procedures
SixthSense
- IBM internal verification tool
- Operates on a finite-state machine described in VHDL
- Uses a transformation-based verification approach combining many model-checking algorithms
  - BDDs and SAT solvers
  - Re-timing engine
  - Localization engine
- Formally proves safety properties of FSMs
- When a property is found invalid, it returns a counterexample
Objective of the Integration
- Make SixthSense and ACL2 work together
  - Use SixthSense to verify properties of tedious low-level hardware logic circuits
  - Use ACL2 to prove abstract concepts such as algorithmic or arithmetic properties
- Avoid embedding VHDL in the ACL2 logic
Related Work
- Prior ACL2 integration work
  - UCLID: Manolios and Srinivasan
  - SAT: Hunt and Reeber
- Other theorem provers
  - Model checker with PVS
  - Elsa Gunter's integration of HOL90 with external decision procedures
  - FORTE: white-box integration of a "light-weight" theorem prover with STE
Approach to Integration
- Implement a generic external tool mechanism as an ACL2 hint
  - Little modification of ACL2 code
  - Other model checkers and decision procedures can be integrated in the same way
- Implement ACL2SIX with this mechanism
  - SixthSense becomes a new ACL2 proof engine for a subset of ACL2 formulas
  - Properties proven by SixthSense are added to the ACL2 database for use by other ACL2 proof engines
ACL2SIX Implementation
[Figure: architecture diagram with components ACL2, External Hint Interface, ACL2SIX function (new), Other ACL2 Books, Common Lisp, SixthSense, and the VHDL source of the design; edges labelled Process Call, File Access, and User Inputs.]
Step 1: External Hint Mechanism
An ACL2 user can direct the prover's behavior by supplying (optional) hints:

(defthm some-lemma
  (...)
  :hints (("Goal" :cases ((< x 0)))))

We added a new ACL2 hint mechanism to dynamically extend the ACL2 theorem prover:

(defthm some-lemma
  (...)
  :hints (("Goal" :external (fn opt-args))))
How the External Hint Mechanism Works

(defthm some-lemma
  (...)
  :hints (("Goal" :external (fn opt-args))))

- fn is a user-defined function, which we call a clause processor.
- The :external hint calls the clause processor fn.
- fn takes the clause under proof as input and returns a clause list implying the original clause.
- The theorem prover continues with the new clause list.
Summary of the :External Hint
- With the :external hint, we can implement
  - new theorem-proving procedures
  - external tool interfaces
- The prototype modifies the ACL2 source: only 57 lines of modification
- Soundness depends on the clause processor
Step 2: ACL2SIX Implementation
- ACL2SIX is a clause processor
- It is invoked through the :external hint mechanism
- When invoked, it translates the ACL2 property to VHDL and calls SixthSense to verify it
ACL2SIX Hint Process Flow
[Figure: flow chart. On the ACL2 side, an ACL2 property about a VHDL design goes through ACL2-to-VHDL translation, producing a VHDL property; that property and the VHDL design are passed to SixthSense execution; the result is checked, yielding either a reduced clause (yes) or a counterexample (no).]
Property Representation
ACL2SIX accepts hardware properties written with the following:
- Bit and bit-vector constants
- ACL2 functions on bit vectors in our library, e.g. bv+, bv-and, and bv-or
- VHDL signals, represented through two ACL2 functions:
  (sigbit entity signame cycle phase)
  (sigvec entity signame (lbit hbit) cycle phase)
ACL2SIX Example
[Figure: ADD32 entity with inputs a and b; the adder output sum feeds a D flip-flop (d, q) clocked by clk.]

(defthm adder-adds
  (implies (and (integerp n) (<= 1 n))
           (equal (bv+ (sigvec (add32) a (0 31) (1- n) 2)
                       (sigvec (add32) b (0 31) (1- n) 2))
                  (sigvec (add32) sum (0 31) n 2)))
  :hints (("Goal" :external (acl2six ((:cycle-expr n)
                                      (:ignore-init-cycles 1))))))
Soundness of the ACL2SIX Extension
Combining tools often leads to subtle soundness problems. We have an argument that ACL2SIX is sound:
1. The FSM represented by the VHDL could be defined in the ACL2 logic.
2. SixthSense verifies valid safety properties of the FSM.
3. Theoretically these properties could be proven in ACL2 by induction.
By constructing this argument we found (and fixed) a subtle soundness issue.
Outline of the Talk
- ACL2 Theorem Prover and SixthSense
- Related Work
- Integration of Two Verification Tools
- Step 1: External Hint Mechanism
- Step 2: ACL2SIX Hint Implementation
- Soundness Argument
- Multiplier Example
- Conclusion
Example: Booth Multiplier
- 53-bit x 54-bit multiplier
- Used to compute double-precision floating-point multiplication
- Written in VHDL
- SixthSense cannot verify the entire multiplier
- This makes a good first example for ACL2SIX
Multiplier Dataflow
[Figure: multiplier dataflow. Inputs A and C feed an optional Booth encoder, followed by compression stages 1 to 5. Cycle #: 0.5 1.0 1.5 2.0 2.5 3.5 4.0. Vectors: 27 18 12 6 4 2. The stage-0 vectors S00 ... S026 are reduced to S50 and S51, and A x C = Sum + Carry.]
Booth Encoder
- The Booth encoder reduces an n x n bit multiplication into the summation of n/2 vectors.
- ACL2 provided the algorithmic proof of the Booth encoding multiplier.
- SixthSense proved that the VHDL design implements the ACL2 model.
Compression Algorithm
- A 3-to-2 carry-save adder (CSA) takes 3 inputs and produces 2 outputs, preserving the sum.
- Verified sum preservation on a single CSA using SixthSense:
  CSA0: S00 + S01 + S02 = S10 + S11
- Used ACL2 to combine the results to prove
  S00 + ... + S026 = S50 + S51
[Figure: CSA0 with inputs S00, S01, S02 and outputs S10, S11.]
Multiplier Verification Summary
- In the Booth encoding proof:
  - ACL2 did the arithmetic proof that requires induction
  - SixthSense checked that the low-level hardware detail is equivalent to the ACL2 model
- In the compressor proof:
  - SixthSense proved the basic property on a small element of the multiplier
  - ACL2 combined these results with the use of rewriting rules
- The proof can be re-run if the multiplier is modified
  - Low-level modifications are only visible to SixthSense!
Conclusion
- Added a prototype mechanism for extending ACL2 with external tools
- Integrated SixthSense and ACL2
  - Avoided VHDL embedding
  - Improved automation of ACL2
  - Widened applicability of SixthSense
- Future work
  - The external hint will be incorporated in future ACL2 releases
  - Verification of larger hardware examples, e.g. FPU divide and square root
Acknowledgements
- Sandip Ray: built the initial prototype
- Matt Kaufmann: helped design the :external extension
- Jason Baumgartner, Viresh Paruthi, and Hari Mony: helped with SixthSense
Backup
Soundness Problem by Instantiation
- sigbit and sigvec are actually partially constrained functions.
- ACL2 allows functional instantiation of constrained functions, but some of the constraints are unknown to the ACL2 theorem prover.
- Solution: disable functional instantiation of sigbit and sigvec.
  - Requires a new feature available in the upcoming ACL2 release.
Booth Encoder
- Reduces the multiplication to a summation
- Half as many partial products as the grade-school method
- Two's complement notation
- Looks at three bits at a time

Encoding Table:
100 -> -2 * y
101 -> -1 * y
110 -> -1 * y
111 ->  0 * y
000 ->  0 * y
001 ->  1 * y
010 ->  1 * y
011 ->  2 * y

Example: 23 * 3, with 23 = 010111 (read as 010111.0) and 3 = 000011.
Three-bit groups 110, 011, 010 give:
  -1 * 3 * 2^0 = -3
   2 * 3 * 2^2 = 24
   1 * 3 * 2^4 = 48
  -----------------
                +69
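As an added example (not code from the slides or from the ACL2SIX project), the following Python model covers both the Booth encoder table above and the CSA compression algorithm from the earlier slide: radix-4 Booth partial products are fed through a tree of 3-to-2 carry-save adders until a sum and a carry vector remain, and the result is checked against ordinary multiplication. It assumes the table is indexed by the bit triple (b[i+1], b[i], b[i-1]) for even i and that every stage groups vectors three at a time; the hardware's own stage widths are not modelled.

```python
# Added example (not the paper's code): Booth encoding + CSA-tree multiplier model.

# Booth encoding table from the slides, keyed by (b[i+1], b[i], b[i-1]) (assumed order).
BOOTH_TABLE = {
    (1, 0, 0): -2, (1, 0, 1): -1, (1, 1, 0): -1, (1, 1, 1): 0,
    (0, 0, 0): 0, (0, 0, 1): 1, (0, 1, 0): 1, (0, 1, 1): 2,
}

def booth_partial_products(x, y, nbits):
    """Partial products digit * y * 2^i of x * y, with x read as an nbits-bit
    two's-complement multiplier (nbits even): nbits/2 vectors instead of the
    nbits rows of grade-school multiplication."""
    assert nbits % 2 == 0
    mask = (1 << nbits) - 1
    # bits[j] holds b[j-1]; the leading 0 is the implicit bit right of b[0].
    bits = [0] + [((x & mask) >> i) & 1 for i in range(nbits)]
    return [BOOTH_TABLE[(bits[i + 2], bits[i + 1], bits[i])] * y * (1 << i)
            for i in range(0, nbits, 2)]

def csa(x, y, z):
    """3-to-2 carry-save adder: a full adder at every bit position, done for
    all positions at once with bitwise operators.  Invariant: x + y + z == s + c.
    Python ints behave as unbounded two's complement, so negative vectors work."""
    s = x ^ y ^ z
    c = ((x & y) | (x & z) | (y & z)) << 1
    return s, c

def csa_stage(vectors):
    """One stage: each group of three vectors goes through one CSA; fewer than
    three leftover vectors pass through unchanged."""
    out = []
    for i in range(0, len(vectors) - 2, 3):
        out.extend(csa(vectors[i], vectors[i + 1], vectors[i + 2]))
    return out + vectors[len(vectors) - len(vectors) % 3:]

def compress(vectors):
    """Apply CSA stages until only a sum and a carry vector remain.  Returns
    (sum, carry, widths), widths being the vector count after each stage."""
    vectors = list(vectors) + [0] * max(0, 2 - len(vectors))
    widths = [len(vectors)]
    while len(vectors) > 2:
        vectors = csa_stage(vectors)
        widths.append(len(vectors))
    return vectors[0], vectors[1], widths

def booth_csa_multiply(x, y, nbits):
    """(sum, carry) for x * y; the model is right iff sum + carry == x * y."""
    s, c, _ = compress(booth_partial_products(x, y, nbits))
    return s, c
```

For the slide's example, booth_partial_products(23, 3, 6) yields the three vectors -3, 24 and 48, and the sum and carry returned by booth_csa_multiply(23, 3, 6) add up to 69; checking sum preservation once per csa call and then per stage mirrors the proof split between SixthSense and ACL2.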
In the Upcoming ACL2 Release
- Can disallow functional instantiation of sigbit and sigvec.
- The external hint mechanism will include a tagging mechanism: only tagged clause processors are trusted.
Guiding the Theorem Prover
- nthcdr removes n elements from a list
- The rewrite-plus-minus-1 lemma is automatically used in the proof of the theorem
- The :induct hint guides the prover to use the induction suggested by (nthcdr b x) on the first "Goal"

(defthm rewrite-plus-minus-1
  (implies (and (natp a) (natp b))
           (equal (+ a -1 b) (+ -1 a b))))

(thm (implies (and (natp a) (natp b))
              (equal (nthcdr a (nthcdr b x))
                     (nthcdr (+ a b) x)))
     :hints (("Goal" :induct (nthcdr b x))))
:External Example

(defun generalize-expr (clause expr new-var state)
  (cond ((or (not (symbolp new-var))
             (var-in-expr-listp new-var clause))
         (mv (list "ERROR: Target must be a new variable~%") nil state))
        (t (mv nil (list (substitute-expr-list expr new-var clause)) state))))

(thm (implies (and (natp a) (natp (foo)))
              (equal (nthcdr a (nthcdr (foo) x))
                     (nthcdr (+ a (foo)) x)))
     :hints (("Goal" :external (generalize-expr '(foo) 'b))
             ("Goal'" :induct (nthcdr b x))))
ACL2 :External Hint Example

(defun split-a-and-b (cl state)
  (mv nil
      (list (append '((booleanp a)) cl)
            (append '((booleanp b)) cl)
            (subst ''t 'b (subst ''t 'a cl))
            (subst ''t 'b (subst ''nil 'a cl))
            (subst ''nil 'b (subst ''t 'a cl))
            (subst ''nil 'b (subst ''nil 'a cl)))
      state))

(defthm theorem-1
  (implies (and (booleanp a) (booleanp b))
           (or (not b) (and a b) (and (not a) b)))
  :hints (("Goal" :external (split-a-and-b))))
ACL2SIX Features
- ignore-init-cycles: ignore the specified number of initial cycles. If the corresponding ACL2 hypothesis is not present, the ACL2 proof will fail.
- cycle-expr: the ACL2 expression for the cycle number
- config-file: SixthSense configuration file
- (view-last-waveform): view the last counterexample waveform