Download presentation

Presentation is loading. Please wait.

Published byBrooke Reyes Modified over 2 years ago

1
1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs

2
2 Automated methods curve system size (bits of state) verification probability research systems %

3
3 Automated methods curve system size (bits of state) verification probability unit-level FV decomposition % bug finding verification

4
4 Proof assistants l General purpose proof assistants +Expressive logics +Integration with model checking l Problem: Do not naturally produce finite-state subgoals –Result: Detailed manual case analysis Complex global invariants Long, fragile proof scripts

5
5 What's missing... l Proof strategy that produces finite-state lemmas l Infrastructure to support this strategy l Reduced interactivity –more reusable proofs –no global invariants (too design-specific)

6
6 Minimalist proof assistant l Approach –Minimal logical expressiveness –Appropriate domain-specific proof strategy –Proof rules designed to support this strategy –All proof obligations reduced to model checking l Result –Short proofs –Proof goals reduced to tractable MC problems –Proofs more easily reused related: Seger 98

7
7 Rules built into SMV system... l Circular compositional rule –decomposition by refinement relations –auxiliary state l Temporal case analysis –path splitting l Symmetry reductions –reduce by symmetry to tractable number of cases l Data type reductions –large and infinite types –uninterpreted functions support general proof strategy...

8
8 Compositional refinement verification Abstract model System Translations

9
9 Localized verification Abstract model System Translations assumeprove

10
10 Localized verification Abstract model System Translations assume prove

11
11 Circular inference rule SPEC (related: AL 95, AH 96) 1 up to t -1 implies 2 up to t 2 up to t -1 implies 1 up to t always 1 and 2

12
12 SPEC Auxiliary variables aux P PA Q Q * A is definitional * Q does not reference A (related: Owicki, Gries)

13
13 SPEC P PA Big structures and path splitting i

14
14 Temporal case splitting l Prove separately that p holds at all times when v = i. l Path splitting v record register index i

15
15 SPEC P PA Case explosion and symmetry i k

16
16 Exploiting symmetry l Symmetric types –Semantics invariant under permutations of type. –Enforced by type checking rules. l Symmetry reduction rule * i is of scalarset type * P references only constants 0..k-1 of type (related: Murphi)

17
17 Data type reductions l Problem: large data types yield state explosion l Solution: reduce large (or infinite) types where T\i represents all the values in T except i. l Abstract interpretation Note: use in conjunction with case splitting

18
18 Data types with large ranges l Words, addresses, sequence numbers, tags, etc... l Example: content addressable memory KEYVALUE = = = = = = = QUERY

19
19 Summary of proof strategy l Control logic –Structural decomposition (comp. rule) l Data path –Refinement maps (comp. rule + aux.) –Decompose large structures (path splitting) –Reduce large types (data type reduction) Case reduction (symmetry)

20
20 Illustration: Tomasulos algorithm l Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

21
21 Compositional rule l Decompose into two lemmas OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE Lemma 1: Correct operands Lemma 2: Correct results

22
22 Proving the operand lemma OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS Lemma 1: Correct operands Lemma 2: Correct results "cone of influence" eliminates

23
23 Auxiliary variables in Tomasulo l Used to store correct operands and results for each instruction EU RESULTS INSTRUCTIONS OP,DST opraoprb O1O2R if (~stallout & opin=ALU){ next(aux[st].opra) := opra; next(aux[st].oprb) := oprb; next(aux[st].res) := res; } SPEC

24
24 Lemmas in SMV l Operand correctness forall (k in TAG) layer lemma1 : if (rs[k].valid & rs[k].opra.valid) rs[k].opra.val := aux[k].opra; l Result correctness forall (i in TAG) layer lemma2[i] : if (rb.tag = i & rb.valid) rb.val := aux[i].res;

25
25 Path splitting in Tomasulo OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS "cone of influence" eliminates

26
26 SMV implementation l Split cases of operand correctness on –producer reservation station –holding register l SMV implementation subcase lemma1[i][j] of rs[k]//lemma1 for rs[k].opra.tag = i & aux[k].srca = j;

27
27 Case explosion problem l Number of cases in operand correctness property: TAGS REGS TAGS = O(n 3 ) l Symmetric data type declarations scalarset REG 0..31; scalarset TAG 0..31; l SMV verifies types used in symmetric way

28
28 Symmetry reduction in operands lemma OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS i j k l Reduces by symmetry to two cases: (i = 0, j = 0, k = 0) (i = 0, j = 0, k = 1)

29
29 Type reduction: infinite-state Tomasulo l Scalarsets with undefined range l Data type reduction TAG->{i,k}, REG ->{j} l Only include values we care about in reduced type l Reduces variable encodings to –1 bit per variable of type REG –2 bits per variable of type TAG (related: Kurshan)

30
30 OP,DST Uninterpreted functions l Verify Tomasulo for arbitrary EU function f(a,b). f(a,b) RESULTS INSTRUCTIONS SPEC OP,DST opraoprb opraoprb OP,DST opraoprb f(a,b) OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS f(a,b) (related: Burch, Dill, Jones, etc...)

31
31 Case splitting l Prove result correctness only for specific cases, e.g. opra = 0, oprb = 1, f[0][1] = 2 OP,DST 01 opraoprb OP,DST opraoprb f(a,b) OPS INSTRUCTIONS REG FILE VAL/TAG 2 3! = 6 cases verified (related: Hojati, Singhal, Bryant, Clarke)

32
32 Result l Verification problem reduced to tractable MC problems –Max 25 state bits –11 cases of lemmas to verify after symmetry –Verification time less than 4 seconds l Tomasulo implementation proved for –Arbitrary number of registers, reservation stations –Arbitrary data word size and EU function l The proof is concise

33
33 Summary of approach l Auxiliary variables and circular rule –operand and result lemmas l Temporal case splitting –data path splitting l Symmetry reductions –reduce to tractable number of cases l Data type reductions –reduce large or infinite data types to small finite –uninterpreted functions for data operations

34
34 More examples l Applications of the same general strategy: –Infopad packet multiplexer –SGI cache coherence

35
35 InfoPad example (Truman 98) Bus Bridge ARM processor subsystem RX ASIC FPGA (FEC, timing,…) Video Pen Speech TX Audio/ Speech VGA control Wireless Modems 32-bit word 8-bit word Serial, FEC encoded Packet Buffer Memory

36
36 Packet streams Decomposition -- data integrity tag data Packet mux P P path splitting induction

37
37 Cache coherence (Eiriksson 98) S/F network protocol host protocol host protocol host Distributed cache coherence INTF PP MIO to net l Nondeterministic abstract model l Atomic actions l Single address abstraction l Verified coherence, etc...

38
38 Mapping protocol to RTL S/F network protocol host other hosts Abstract model CAM TABLES TAGS ~30K lines of verilog

39
39 Conclusions l Goal –System-level verification by model checking l Approach –Appropriate domain-specific proof strategy –Proof rules designed to support this strategy l Result –Proof goals reduced to tractable MC problems –Short proofs -- no global invariants

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google