# Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)

## Presentation on theme: "Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)"— Presentation transcript:

Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research) ICCAD 2000

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Refinement Proof Implementation < Specification e.g. processore.g. ISA “conforms with”, “refines”, “implements” Every I/O behavior of impl. is an I/O behavior of spec.

< << Decomposed Refinement Proof

< Unsuccessful Proof Decomposition unconstrained < <

< Unsuccessful Proof Decomposition < unconstrained < x(0)=0 x(t+1)=y(t) x y y(0)=0 y(t+1)=x(t) x y x(t)=0y(t)=0

< Circular Proof Decomposition <<

Legal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x S(x) S(y) S(z): z(t)=0 “I will not launch.”

Illegal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x L(x) L(y) L(z): exists k s.t. z(t) = 0 if t { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/12/3388108/slides/slide_10.jpg", "name": "Illegal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x L(x) L(y) L(z): exists k s.t.", "description": "z(t) = 0 if t

Illegal Circular Proof Decomposition < < < x(t)=y(t) y(t)=1 x y y x x(t)=0y(t)=~x(t) 2

< Illegal Circular Proof Decomposition < x(t)=y(t) y(t)=1 1 1 1 0 x(t)=0y(t)=~x(t) 0 1 < 2

For program verification: Chandy & Misra [1981] Abadi & Lamport [1993] For model checking: Alur & Henzinger [1995] Mocha McMillan [1997] SMV Large applications: Eiriksson [1998]: 1M-gate ASICs (SMV) Liu, Qadeer, Rajamani [1999]: 64-processor array (Mocha) Circular Assume-Guarantee Reasoning

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

System S[P;Q] S 1 3 2 5 4 x1: Nat -> Bool x2: Nat -> Bool x3: Nat -> Bool y4: Nat -> Bool y5: Nat -> Bool input signals input ports P={1,2,3} output ports Q={4,5} output signals input behavior x = (x1,x2,x3) output behavior y = (y4,y5) I/O function S(x) = y x1 x2 x3 y4 y5 S

Moore System S[P;Q;init;next] x1 x2 x3 y4 y5 y(0) = init y(t+1) = next [ y(t), x(t+1) ] Inductive definition: Given input behavior x, unique output behavior y. init in Vals(Q) next: Vals(Q) x Vals(P) -> Vals(Q)

Reactive System S[P;Q;init;next] No combinational loop: Given input behavior x, unique output behavior y. x1 x2 x3 y4 y5 y(0) = init y4(t+1) = next4 [ y(t), x(t+1) ] y5(t+1) = next5 [ y(t), y4(t+1), x(t+1) ] 4 >> 1, 2, 3 5 >> 1, 2, 3, 4

Mealy System S[P;Q;init;next] Combinational loop: no output behavior y. x1 x2 x3 y4 y5 y4(t) = y5(t) y5(t) = ~ y4(t) 4 >> 5 5 >> 4

Mealy System S[P;Q;init;next] Combinational loop: no output behavior y, or multiple output behaviors y. x1 x2 x3 y4 y5 y4(t) = y5(t) y5(t) = y4(t) 4 >> 5 5 >> 4

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Refinement For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6

Refinement S[P;Q;init;next] < S’[P’;Q’;init’;next’] ? Time complexity: 2 O( |P| + |Q| + |P’| + 2 ) |Q’| If P’ u Q’ subset of P u Q : 2 O( |P| + |Q| ) “Witnessed” Refinement

Witnessed Refinement For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 Every specification port is an implementation port.

Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 3 Every specification port is an implementation port.

Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 Construct witness for 3 Every specification port is an implementation port. 3

Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 7 Copy specification of 7 Every specification port is an implementation port. 3

Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 7 Every specification port is an implementation port. 3

Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, the projection (x1,x3,x4,x5,x7) is an I/O behavior of S’. S 41 5 S’ 1 7 5 < 2 3 4 6 7 Every specification port is an implementation port. 3

Checking Witnessed Refinement: S[P;Q;init;next] < S’[P’;Q’;init’;next’] ? 1 Find the reachable states of the implementation S. 2 For each reachable state s, check that next ( s[P;Q] ) | = next’ ( s[P’;Q’] ). Q’ Synchronized Search This requires only a small extension of any reachability engine. See, for example, www.eecs.berkeley.edu/~mocha.www.eecs.berkeley.edu/~mocha

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Composition S1[P1;Q1] || S2[P2;Q2] S1 1 3 2 6 4 S2 1 5 4 7 2 1. Q1 and Q2 disjoint 2. <<1 u <<2 acyclic

S1 1 3 2 6 4 S2 1 5 4 7 2 Composition S1[P1;Q1] || S2[P2;Q2]

(S1||S2) [(P1 u P2)\(Q1 u Q2); Q1 u Q2] 1 3 6 4 5 7 2 S1||S2

Q’-Slice of S[P;Q] Q’ subset of Q S 1 24 3 5 6 } Q’ = {3,4} x x

Q’-Slice of S[P;Q] 1 5 24 3 6 x x

1 5 24 3 6

(S| ) [P u (Q\Q’); Q’] S| 1 5 24 3 6 Q’

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 4 5 6 2 5 < 4 5 One subproof for each specification output port

Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 5 6 2 < 4 5 One subproof for each specification output port

Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 5 6 2 < 4 5 One subproof for each specification output port 6

Weak Decomposition Rule 13 4 13 4 5 6 2 5 < 13 4 13 5 6 2 < 4 5 One subproof for each specification output port 6 5

Weak Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 4 13 5 6 4 < 4 5 6 5 1

Weak Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1 Any slice of impl. 3-slice of spec.

Weak Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1

Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1 13 4 5

Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 4 < 4 5 6 5 1 13 4 5

Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port 13 4 13 4 5 6 2 5 < 2 3 13 < 4 5 6 1 4 5 Assumption: Any ~3-slice of spec. 3-slice of spec. Any slice of impl.

Example < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 y(0)=0 y(t+1)=x(t)

< x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 y Example

< x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 Example y(t)=0 x y

Example < x(t+1)=y(t) y(t+1)=x(t) x(t)=0 y(t)=0 y x(t+1)=y(t) < x(t)=0 y(t)=0 x y x y(t+1)=x(t) < y(t)=0 x(t)=0 x y

The Need for Abstractions One subproof for each specification output port 13 4 1 3 4 5 6 2 5 < 2 3 < 6 1 1 3 4 5 4 5

The Need for Abstractions One subproof for each specification output port 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 6

The Need for Abstractions One subproof for each specification output port 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 6 Construct abstraction for 6

The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 6 6

The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 4 5 3 4 6 6 6 5

The Need for Abstractions 13 4 1 3 4 5 6 2 5 < 6 7 Abstraction for 6 involves new 7

The Need for Abstractions 13 4 1 3 4 5 6 2 5 < 6 7 Abstraction for 6 involves new 7 7 Copy witness for 7

The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 3 4 5 4 5 6 7 6 7 7

The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < 2 3 < 1 1 4 5 3 4 6 7 7 7 6 5 6 7

The Need for Abstractions One subproof for each specification output port, including abstractions 13 4 1 3 4 5 6 2 5 < < 3 4 5 6 77 7 6 1 3 4 5 7 6 1 Trivially true

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

Download ppt "Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research)"

Similar presentations