slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Ken McMillan Cadence Berkeley Labs PowerPoint Presentation
Download Presentation
Ken McMillan Cadence Berkeley Labs

Loading in 2 Seconds...

play fullscreen
1 / 39

Ken McMillan Cadence Berkeley Labs - PowerPoint PPT Presentation


  • 151 Views
  • Uploaded on

Minimalist proof assistants Interactions of technology and methodology in formal system level verification. Ken McMillan Cadence Berkeley Labs. 1. Automated methods curve. 100%. verification probability. research. systems. 1. 10. 100. 10 3. 10 4. 10 5. 10 6. 10 7.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Ken McMillan Cadence Berkeley Labs' - gaurav


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Minimalist proof assistantsInteractions of technology andmethodology in formal system level verification

Ken McMillan

Cadence Berkeley Labs

1

automated methods curve
Automated methods curve

100%

verification probability

research

systems

1

10

100

103

104

105

106

107

system size (bits of state)

automated methods curve1
Automated methods curve

100%

decomposition

verification probability

verification

unit-level FV

bug finding

1

10

100

103

104

105

106

107

system size (bits of state)

proof assistants
Proof assistants
  • General purpose proof assistants
    • Expressive logics
    • Integration with model checking
  • Problem: Do not naturally produce finite-state subgoals
    • Result:
      • Detailed manual case analysis
      • Complex global invariants
      • Long, fragile proof scripts
what s missing
What's missing...
  • Proof strategy that produces finite-state lemmas
  • Infrastructure to support this strategy
  • Reduced interactivity
    • more reusable proofs
    • no global invariants (too design-specific)
minimalist proof assistant
Minimalist proof assistant
  • Approach
    • Minimal logical expressiveness
    • Appropriate domain-specific proof strategy
    • Proof rules designed to support this strategy
    • All proof obligations reduced to model checking
  • Result
    • Short proofs
    • Proof goals reduced to tractable MC problems
    • Proofs more easily reused

related: Seger 98

rules built into smv system
Rules built into SMV system...
  • Circular compositional rule
    • decomposition by refinement relations
    • auxiliary state
  • Temporal case analysis
    • path splitting
  • Symmetry reductions
    • reduce by symmetry to tractable number of cases
  • Data type reductions
    • large and infinite types
    • uninterpreted functions

support general proof strategy...

compositional refinement verification
Compositional refinement verification

Abstract

model

Translations

System

localized verification
Localized verification

Abstract

model

Translations

assume

prove

System

localized verification1
Localized verification

Abstract

model

Translations

assume

prove

System

circular inference rule
Circular inference rule

f1 up to t -1 implies f2 up to t

f2 up to t -1 implies f1 up to t

always f1 and f2

SPEC

(related: AL 95, AH 96)

auxiliary variables
Auxiliary variables

SPEC

A

P

P

aux

Q

* A is “definitional”

* Q does not reference A

aux

Q

(related: Owicki, Gries)

temporal case splitting
Temporal case splitting
  • Prove separately that p holds at all times when v = i.
  • Path splitting

record register index

v

i

exploiting symmetry
Exploiting symmetry
  • Symmetric types
    • Semantics invariant under permutations of type.
    • Enforced by type checking rules.
  • Symmetry reduction rule

* i is of scalarset type

* P references only constants 0..k-1 of type

(related: Murphi)

data type reductions
Data type reductions
  • Problem: large data types yield state explosion
  • Solution: reduce large (or infinite) types

where T\i represents all the values in T except i.

  • Abstract interpretation

Note: use in conjunction with case splitting

data types with large ranges
Data types with large ranges
  • Words, addresses, sequence numbers, tags, etc...
  • Example: content addressable memory

KEY

VALUE

=

=

=

QUERY

=

=

=

=

summary of proof strategy
Summary of proof strategy
  • Control logic
    • Structural decomposition (comp. rule)
  • Data path
    • Refinement maps (comp. rule + aux.)
    • Decompose large structures (path splitting)
    • Reduce large types (data type reduction)

Case reduction (symmetry)

illustration tomasulo s algorithm

OP,DST

OP,DST

OP,DST

opra

opra

opra

oprb

oprb

oprb

Illustration: Tomasulo’s algorithm
  • Execute instructions in data flow order

VAL/TAG

REG

FILE

VAL/TAG

TAGGED RESULTS

VAL/TAG

VAL/TAG

EU

INSTRUCTIONS

OPS

EU

EU

compositional rule

VAL/TAG

REG

FILE

VAL/TAG

TAGGED RESULTS

VAL/TAG

VAL/TAG

OP,DST

OP,DST

OP,DST

EU

opra

opra

opra

oprb

oprb

oprb

INSTRUCTIONS

OPS

EU

EU

Compositional rule
  • Decompose into two lemmas

Lemma 2:

Correct results

Lemma 1:

Correct operands

proving the operand lemma

OP,DST

opra

oprb

Proving the operand lemma

Lemma 2:

Correct results

VAL/TAG

REG

FILE

VAL/TAG

TAGGED RESULTS

VAL/TAG

VAL/TAG

OP,DST

EU

opra

oprb

INSTRUCTIONS

OP,DST

OPS

EU

opra

oprb

EU

Lemma 1:

Correct operands

"cone of influence" eliminates

auxiliary variables in tomasulo

OP,DST

opra

oprb

Auxiliary variables in Tomasulo
  • Used to store correct operands and results for each instruction

SPEC

RESULTS

if (~stallout & opin=ALU){

next(aux[st].opra) := opra;

next(aux[st].oprb) := oprb;

next(aux[st].res) := res;

}

INSTRUCTIONS

EU

O1

O2

R

lemmas in smv
Lemmas in SMV
  • Operand correctness

forall (k in TAG)

layerlemma1 :

if (rs[k].valid & rs[k].opra.valid)

rs[k].opra.val := aux[k].opra;

  • Result correctness

forall (i in TAG)

layerlemma2[i] :

if (rb.tag = i & rb.valid)

rb.val := aux[i].res;

path splitting in tomasulo

OP,DST

opra

oprb

Path splitting in Tomasulo

VAL/TAG

REG

FILE

VAL/TAG

TAGGED RESULTS

VAL/TAG

VAL/TAG

OP,DST

EU

opra

oprb

INSTRUCTIONS

OP,DST

OPS

EU

opra

oprb

EU

"cone of influence" eliminates

smv implementation
SMV implementation
  • Split cases of operand correctness on
    • producer reservation station
    • holding register
  • SMV implementation

subcase lemma1[i][j]

of rs[k]//lemma1

for rs[k].opra.tag = i & aux[k].srca = j;

case explosion problem
Case explosion problem
  • Number of cases in operand correctness property:

TAGS ´ REGS ´ TAGS = O(n3)

  • Symmetric data type declarations

scalarset REG 0..31;

scalarset TAG 0..31;

  • SMV verifies types used in symmetric way
symmetry reduction in operands lemma

OP,DST

opra

oprb

Symmetry reduction in operands lemma
  • Reduces by symmetry to two cases:

(i = 0, j = 0, k = 0)

(i = 0, j = 0, k = 1)

j

VAL/TAG

REG

FILE

VAL/TAG

TAGGED RESULTS

VAL/TAG

VAL/TAG

i

OP,DST

EU

opra

oprb

INSTRUCTIONS

OP,DST

OPS

EU

opra

oprb

EU

k

type reduction infinite state tomasulo
Type reduction: infinite-state Tomasulo
  • Scalarsets with undefined range
  • Data type reduction

TAG->{i,k}, REG ->{j}

  • Only include values we care about in reduced type
  • Reduces variable encodings to
    • 1 bit per variable of type REG
    • 2 bits per variable of type TAG

(related: Kurshan)

uninterpreted functions

OP,DST

opra

oprb

Uninterpreted functions
  • Verify Tomasulo for arbitrary EU function f(a,b).

SPEC

RESULTS

INSTRUCTIONS

f(a,b)

VAL/TAG

REG

FILE

VAL/TAG

TAGGED RESULTS

VAL/TAG

VAL/TAG

OP,DST

opra

oprb

f(a,b)

INSTRUCTIONS

OP,DST

OPS

opra

oprb

f(a,b)

(related: Burch, Dill, Jones, etc...)

case splitting
Case splitting
  • Prove result correctness only for specific cases, e.g.

opra = 0, oprb = 1, f[0][1] = 2

3! = 6 cases verified

VAL/TAG

REG

FILE

2

VAL/TAG

VAL/TAG

VAL/TAG

OP,DST

f(a,b)

0

1

INSTRUCTIONS

OP,DST

OPS

f(a,b)

opra

oprb

f(a,b)

OP,DST

(related: Hojati, Singhal,

Bryant, Clarke)

opra

oprb

result
Result
  • Verification problem reduced to tractable MC problems
    • Max 25 state bits
    • 11 cases of lemmas to verify after symmetry
    • Verification time less than 4 seconds
  • Tomasulo implementation proved for
    • Arbitrary number of registers, reservation stations
    • Arbitrary data word size and EU function
  • The proof is concise
summary of approach
Summary of approach
  • Auxiliary variables and circular rule
    • operand and result lemmas
  • Temporal case splitting
    • data path splitting
  • Symmetry reductions
    • reduce to tractable number of cases
  • Data type reductions
    • reduce large or infinite data types to small finite
    • uninterpreted functions for data operations
more examples
More examples
  • Applications of the same general strategy:
    • Infopad packet multiplexer
    • SGI cache coherence
infopad example truman 98
InfoPad example (Truman 98)

Packet

Buffer

Memory

Pen

Serial,

FEC encoded

Wireless

Modems

Speech

FPGA

(FEC,

timing,…)

TX

Video

RX

ASIC

ARM

processor

subsystem

Bus

Bridge

8-bit

word

Audio/

Speech

32-bit

word

VGA

control

decomposition data integrity
Decomposition -- data integrity

Packet streams

P

P

tag

tag

induction

path splitting

Packet mux

data

data

cache coherence eiriksson 98

P

P

M

IO

INTF

to net

host

host

host

protocol

Distributed

cache

coherence

protocol

protocol

S/F network

Cache coherence (Eiriksson 98)
  • Nondeterministic abstract model
  • Atomic actions
  • Single address abstraction
  • Verified coherence, etc...
mapping protocol to rtl

protocol

TABLES

CAM

Mapping protocol to RTL

host

other

hosts

S/F network

Abstract

model

TAGS

~30K lines of verilog

conclusions
Conclusions
  • Goal
    • System-level verification by model checking
  • Approach
    • Appropriate domain-specific proof strategy
    • Proof rules designed to support this strategy
  • Result
    • Proof goals reduced to tractable MC problems
    • Short proofs -- no global invariants