1
Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research) ICCAD 2000

2
Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

3
4
Refinement Proof Implementation < Specification e.g. processore.g. ISA “conforms with”, “refines”, “implements” Every I/O behavior of impl. is an I/O behavior of spec.

5
< << Decomposed Refinement Proof

6
< Unsuccessful Proof Decomposition unconstrained < <

7
< Unsuccessful Proof Decomposition < unconstrained < x(0)=0 x(t+1)=y(t) x y y(0)=0 y(t+1)=x(t) x y x(t)=0y(t)=0

8
< Circular Proof Decomposition <<

9
Legal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x S(x) S(y) S(z): z(t)=0 “I will not launch.”

10
Illegal Circular Proof Decomposition < < < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x y y x L(x) L(y) L(z): exists k s.t. z(t) = 0 if t

11
Illegal Circular Proof Decomposition < < < x(t)=y(t) y(t)=1 x y y x x(t)=0y(t)=~x(t) 2

12
< Illegal Circular Proof Decomposition < x(t)=y(t) y(t)= x(t)=0y(t)=~x(t) 0 1 < 2

13
For program verification: Chandy & Misra [1981] Abadi & Lamport [1993] For model checking: Alur & Henzinger [1995] Mocha McMillan [1997] SMV Large applications: Eiriksson [1998]: 1M-gate ASICs (SMV) Liu, Qadeer, Rajamani [1999]: 64-processor array (Mocha) Circular Assume-Guarantee Reasoning

14
15
System S[P;Q] S x1: Nat -> Bool x2: Nat -> Bool x3: Nat -> Bool y4: Nat -> Bool y5: Nat -> Bool input signals input ports P={1,2,3} output ports Q={4,5} output signals input behavior x = (x1,x2,x3) output behavior y = (y4,y5) I/O function S(x) = y x1 x2 x3 y4 y5 S

16
Moore System S[P;Q;init;next] x1 x2 x3 y4 y5 y(0) = init y(t+1) = next [ y(t), x(t+1) ] Inductive definition: Given input behavior x, unique output behavior y. init in Vals(Q) next: Vals(Q) x Vals(P) -> Vals(Q)

17
Reactive System S[P;Q;init;next] No combinational loop: Given input behavior x, unique output behavior y. x1 x2 x3 y4 y5 y(0) = init y4(t+1) = next4 [ y(t), x(t+1) ] y5(t+1) = next5 [ y(t), y4(t+1), x(t+1) ] 4 >> 1, 2, 3 5 >> 1, 2, 3, 4

18
Mealy System S[P;Q;init;next] Combinational loop: no output behavior y. x1 x2 x3 y4 y5 y4(t) = y5(t) y5(t) = ~ y4(t) 4 >> 5 5 >> 4

19
Mealy System S[P;Q;init;next] Combinational loop: no output behavior y, or multiple output behaviors y. x1 x2 x3 y4 y5 y4(t) = y5(t) y5(t) = y4(t) 4 >> 5 5 >> 4

20
21
Refinement For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ <

22
Refinement S[P;Q;init;next] < S’[P’;Q’;init’;next’] ? Time complexity: 2 O( |P| + |Q| + |P’| + 2 ) |Q’| If P’ u Q’ subset of P u Q : 2 O( |P| + |Q| ) “Witnessed” Refinement

23
Witnessed Refinement For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ < Every specification port is an implementation port.

24
Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ < Every specification port is an implementation port.

25
Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ < Construct witness for 3 Every specification port is an implementation port. 3

26
Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ < Copy specification of 7 Every specification port is an implementation port. 3

27
Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’. S 41 5 S’ < Every specification port is an implementation port. 3

28
Witnessed Refinement For every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, the projection (x1,x3,x4,x5,x7) is an I/O behavior of S’. S 41 5 S’ < Every specification port is an implementation port. 3

29
Checking Witnessed Refinement: S[P;Q;init;next] < S’[P’;Q’;init’;next’] ? 1 Find the reachable states of the implementation S. 2 For each reachable state s, check that next ( s[P;Q] ) | = next’ ( s[P’;Q’] ). Q’ Synchronized Search This requires only a small extension of any reachability engine. See, for example,

30
31
Composition S1[P1;Q1] || S2[P2;Q2] S S Q1 and Q2 disjoint 2. <<1 u <<2 acyclic

32
S S Composition S1[P1;Q1] || S2[P2;Q2]

33
(S1||S2) [(P1 u P2)\(Q1 u Q2); Q1 u Q2] S1||S2

34
Q’-Slice of S[P;Q] Q’ subset of Q S } Q’ = {3,4} x x

35
Q’-Slice of S[P;Q] x x

36

37
(S| ) [P u (Q\Q’); Q’] S| Q’

38
39
Weak Decomposition Rule < < 4 5 One subproof for each specification output port

40
Weak Decomposition Rule < < 4 5 One subproof for each specification output port

41
Weak Decomposition Rule < < 4 5 One subproof for each specification output port 6

42
Weak Decomposition Rule < < 4 5 One subproof for each specification output port 6 5

43
Weak Decomposition Rule One subproof for each specification output port < <

44
Weak Decomposition Rule One subproof for each specification output port < < Any slice of impl. 3-slice of spec.

45
Weak Decomposition Rule One subproof for each specification output port < <

46
Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port < <

47
Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port < <

48
Strong (Assume-Guarantee) Decomposition Rule One subproof for each specification output port < < Assumption: Any ~3-slice of spec. 3-slice of spec. Any slice of impl.

49
Example < x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 y(0)=0 y(t+1)=x(t)

50
< x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 y Example

51
< x(0)=0 x(t+1)=y(t) y(0)=0 y(t+1)=x(t) x(t)=0 y(t)=0 y x(0)=0 x(t+1)=y(t) < x(t)=0 Example y(t)=0 x y

52
Example < x(t+1)=y(t) y(t+1)=x(t) x(t)=0 y(t)=0 y x(t+1)=y(t) < x(t)=0 y(t)=0 x y x y(t+1)=x(t) < y(t)=0 x(t)=0 x y

53
The Need for Abstractions One subproof for each specification output port < 2 3 <

54
The Need for Abstractions One subproof for each specification output port < 2 3 <

55
The Need for Abstractions One subproof for each specification output port < 2 3 < Construct abstraction for 6

56
The Need for Abstractions One subproof for each specification output port, including abstractions < 2 3 <

57
The Need for Abstractions One subproof for each specification output port, including abstractions < 2 3 <

58
The Need for Abstractions < 6 7 Abstraction for 6 involves new 7

59
The Need for Abstractions < 6 7 Abstraction for 6 involves new 7 7 Copy witness for 7

60
The Need for Abstractions One subproof for each specification output port, including abstractions < 2 3 <

61
The Need for Abstractions One subproof for each specification output port, including abstractions < 2 3 <

62
The Need for Abstractions One subproof for each specification output port, including abstractions < < Trivially true

63
64

65
