Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.

Published byBrooke Reyes Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs."— Presentation transcript:

1 1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs

2 2 Automated methods curve system size (bits of state) verification probability research systems 110100 10 3 10 4 10 5 10 6 10 7 100%

3 3 Automated methods curve system size (bits of state) verification probability unit-level FV decomposition 110100 10 3 10 4 10 5 10 6 10 7 100% bug finding verification

4 4 Proof assistants l General purpose proof assistants +Expressive logics +Integration with model checking l Problem: Do not naturally produce finite-state subgoals –Result: Detailed manual case analysis Complex global invariants Long, fragile proof scripts

5 5 What's missing... l Proof strategy that produces finite-state lemmas l Infrastructure to support this strategy l Reduced interactivity –more reusable proofs –no global invariants (too design-specific)

6 6 Minimalist proof assistant l Approach –Minimal logical expressiveness –Appropriate domain-specific proof strategy –Proof rules designed to support this strategy –All proof obligations reduced to model checking l Result –Short proofs –Proof goals reduced to tractable MC problems –Proofs more easily reused related: Seger 98

7 7 Rules built into SMV system... l Circular compositional rule –decomposition by refinement relations –auxiliary state l Temporal case analysis –path splitting l Symmetry reductions –reduce by symmetry to tractable number of cases l Data type reductions –large and infinite types –uninterpreted functions support general proof strategy...

8 8 Compositional refinement verification Abstract model System Translations

9 9 Localized verification Abstract model System Translations assumeprove

10 10 Localized verification Abstract model System Translations assume prove

11 11 Circular inference rule SPEC (related: AL 95, AH 96) 1 up to t -1 implies 2 up to t 2 up to t -1 implies 1 up to t always 1 and 2

12 12 SPEC Auxiliary variables aux P PA Q Q * A is definitional * Q does not reference A (related: Owicki, Gries)

13 13 SPEC P PA Big structures and path splitting i

14 14 Temporal case splitting l Prove separately that p holds at all times when v = i. l Path splitting v record register index i

15 15 SPEC P PA Case explosion and symmetry i k

16 16 Exploiting symmetry l Symmetric types –Semantics invariant under permutations of type. –Enforced by type checking rules. l Symmetry reduction rule * i is of scalarset type * P references only constants 0..k-1 of type (related: Murphi)

17 17 Data type reductions l Problem: large data types yield state explosion l Solution: reduce large (or infinite) types where T\i represents all the values in T except i. l Abstract interpretation Note: use in conjunction with case splitting

18 18 Data types with large ranges l Words, addresses, sequence numbers, tags, etc... l Example: content addressable memory KEYVALUE = = = = = = = QUERY

19 19 Summary of proof strategy l Control logic –Structural decomposition (comp. rule) l Data path –Refinement maps (comp. rule + aux.) –Decompose large structures (path splitting) –Reduce large types (data type reduction) Case reduction (symmetry)

20 20 Illustration: Tomasulos algorithm l Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

21 21 Compositional rule l Decompose into two lemmas OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE Lemma 1: Correct operands Lemma 2: Correct results

22 22 Proving the operand lemma OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS Lemma 1: Correct operands Lemma 2: Correct results "cone of influence" eliminates

23 23 Auxiliary variables in Tomasulo l Used to store correct operands and results for each instruction EU RESULTS INSTRUCTIONS OP,DST opraoprb O1O2R if (~stallout & opin=ALU){ next(aux[st].opra) := opra; next(aux[st].oprb) := oprb; next(aux[st].res) := res; } SPEC

24 24 Lemmas in SMV l Operand correctness forall (k in TAG) layer lemma1 : if (rs[k].valid & rs[k].opra.valid) rs[k].opra.val := aux[k].opra; l Result correctness forall (i in TAG) layer lemma2[i] : if (rb.tag = i & rb.valid) rb.val := aux[i].res;

25 25 Path splitting in Tomasulo OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS "cone of influence" eliminates

26 26 SMV implementation l Split cases of operand correctness on –producer reservation station –holding register l SMV implementation subcase lemma1[i][j] of rs[k]//lemma1 for rs[k].opra.tag = i & aux[k].srca = j;

27 27 Case explosion problem l Number of cases in operand correctness property: TAGS REGS TAGS = O(n 3 ) l Symmetric data type declarations scalarset REG 0..31; scalarset TAG 0..31; l SMV verifies types used in symmetric way

28 28 Symmetry reduction in operands lemma OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS i j k l Reduces by symmetry to two cases: (i = 0, j = 0, k = 0) (i = 0, j = 0, k = 1)

29 29 Type reduction: infinite-state Tomasulo l Scalarsets with undefined range l Data type reduction TAG->{i,k}, REG ->{j} l Only include values we care about in reduced type l Reduces variable encodings to –1 bit per variable of type REG –2 bits per variable of type TAG (related: Kurshan)

30 30 OP,DST Uninterpreted functions l Verify Tomasulo for arbitrary EU function f(a,b). f(a,b) RESULTS INSTRUCTIONS SPEC OP,DST opraoprb opraoprb OP,DST opraoprb f(a,b) OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS f(a,b) (related: Burch, Dill, Jones, etc...)

31 31 Case splitting l Prove result correctness only for specific cases, e.g. opra = 0, oprb = 1, f[0][1] = 2 OP,DST 01 opraoprb OP,DST opraoprb f(a,b) OPS INSTRUCTIONS REG FILE VAL/TAG 2 3! = 6 cases verified (related: Hojati, Singhal, Bryant, Clarke)

32 32 Result l Verification problem reduced to tractable MC problems –Max 25 state bits –11 cases of lemmas to verify after symmetry –Verification time less than 4 seconds l Tomasulo implementation proved for –Arbitrary number of registers, reservation stations –Arbitrary data word size and EU function l The proof is concise

33 33 Summary of approach l Auxiliary variables and circular rule –operand and result lemmas l Temporal case splitting –data path splitting l Symmetry reductions –reduce to tractable number of cases l Data type reductions –reduce large or infinite data types to small finite –uninterpreted functions for data operations

34 34 More examples l Applications of the same general strategy: –Infopad packet multiplexer –SGI cache coherence

35 35 InfoPad example (Truman 98) Bus Bridge ARM processor subsystem RX ASIC FPGA (FEC, timing,…) Video Pen Speech TX Audio/ Speech VGA control Wireless Modems 32-bit word 8-bit word Serial, FEC encoded Packet Buffer Memory

36 36 Packet streams Decomposition -- data integrity tag data Packet mux P P path splitting induction

37 37 Cache coherence (Eiriksson 98) S/F network protocol host protocol host protocol host Distributed cache coherence INTF PP MIO to net l Nondeterministic abstract model l Atomic actions l Single address abstraction l Verified coherence, etc...

38 38 Mapping protocol to RTL S/F network protocol host other hosts Abstract model CAM TABLES TAGS ~30K lines of verilog

39 39 Conclusions l Goal –System-level verification by model checking l Approach –Appropriate domain-specific proof strategy –Proof rules designed to support this strategy l Result –Proof goals reduced to tractable MC problems –Short proofs -- no global invariants

Download ppt "1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
1 Knowledge and reasoning – second part Knowledge representation Logic and representation Propositional (Boolean) logic Normal forms Inference in propositional.

1 Knowledge and reasoning – second part Knowledge representation Logic and representation Propositional (Boolean) logic Normal forms Inference in propositional.
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.

1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.
Compositional Methods and Symbolic Model Checking

Compositional Methods and Symbolic Model Checking
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2003 Chapter 11 Ethernet Evolution: Fast and Gigabit Ethernet.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2003 Chapter 11 Ethernet Evolution: Fast and Gigabit Ethernet.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
Objectives: Generate and describe sequences. Vocabulary:

Objectives: Generate and describe sequences. Vocabulary:

Similar presentations

Ads by Google