ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Slides: 32

Jun Sawada and Erik Reeber
IBM Austin Research Laboratory
University of Texas at Austin
November 15, 2006

Outline of the Talk
• ACL2 Theorem Prover and SixthSense
• Integration of Two Verification Tools
  • Step 1: External Hint Mechanism
  • Step 2: ACL2SIX Implementation
• Soundness Argument
• Multiplier Example
• Conclusion
FMCAD 2006 ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

ACL2 Theorem Prover
• General-purpose theorem prover for first-order logic (with induction)
  • Fast evaluator
  • Powerful lemma-based rewriter
  • Generalization and induction heuristics
• Applied to large projects
  • AMD Athlon™ floating point unit
  • Rockwell Collins AAMP7 separation kernel
  • Java bytecode verifier
• Unlike HOL, no mechanism for adding user-defined decision procedures

SixthSense
• IBM internal verification tool
• Operates on a finite-state machine described in VHDL.
• Uses a transformation-based verification approach combining many model-checking algorithms
  • BDDs & SAT solvers
  • Re-timing engine
  • Localization engine
• It formally proves safety properties of FSMs
• When a property is found invalid, it returns a counterexample.

Objective of the Integration
• Make SixthSense and ACL2 work together.
  • Use SixthSense to verify properties on tedious low-level hardware logic circuits.
  • Use ACL2 to prove abstract concepts such as algorithmic or arithmetic properties.
  • Avoid embedding VHDL in the ACL2 logic

Related Work
• Prior ACL2 integration work:
  • UCLID: Manolios and Srinivasan
  • SAT: Hunt and Reeber
• Other theorem provers
  • Model checker with PVS
  • Elsa Gunter's integration of HOL90 with external decision procedures
  • FORTE
    • White-box integration of a "light-weight" theorem prover with STE

Approach to Integration
• Implement a generic external tool mechanism as an ACL2 hint.
  • Little modification of ACL2 code.
  • Other model checkers and decision procedures can be integrated in the same way.
• Implement ACL2SIX with this mechanism
  • SixthSense becomes a new ACL2 proof engine for a subset of ACL2 formulas
  • Properties proven by SixthSense are added to the ACL2 database for use by other ACL2 proof engines

ACL2SIX Implementation
[Architecture diagram with these components: User Inputs; Other ACL2 Books; ACL2SIX function; External Hint Interface; ACL2 (on Common Lisp); New Process Call; SixthSense; File Access; VHDL source of the Design]

Step 1: External Hint Mechanism
• The ACL2 user can direct the prover's behavior by supplying (optional) hints.
    (defthm some-lemma (...)
      :hints (("Goal" :cases ((< x 0)))))
• Added a new ACL2 hint mechanism to dynamically extend the ACL2 theorem prover.
    (defthm some-lemma (...)
      :hints (("Goal" :external (fn opt-args))))

How External Hint Mechanism Works
    (defthm some-lemma (...)
      :hints (("Goal" :external (fn opt-args))))
• fn is a user-defined function, which we call a clause processor.
• The :external hint calls the clause processor fn.
  • fn takes the clause under proof as input and returns a clause list implying the original clause.
  • The theorem prover continues with the new clause list.

Summary of :external Hint
• With the :external hint, we can implement
  • new theorem proving procedures
  • external tool interfaces
• Prototype modifies ACL2 source
  • Only 57 lines of modification
  • Soundness depends on the clause processor

Step 2: ACL2SIX Implementation
• ACL2SIX is a clause processor.
• It is invoked through the :external hint mechanism.
• When invoked, it translates the ACL2 property to VHDL and calls SixthSense to verify it.

ACL2SIX Hint Process Flow
[Flow diagram. ACL2 side: ACL2 property about the VHDL design → ACL2-to-VHDL translation → VHDL property. SixthSense side: VHDL property and VHDL design → SixthSense execution → check result: Yes → reduced clause (returned to ACL2); No → counterexample.]

Property Representation
• ACL2SIX accepts hardware properties written with the following:
  • Bit and bit-vector constants.
  • ACL2 functions on bit vectors in our library.
    • e.g. bv+, bv-and, and bv-or.
  • VHDL signals represented through two ACL2 functions:
      (sigbit entity signame cycle phase)
      (sigvec entity signame (lbit hbit) cycle phase)

ACL 2 SIX Example ADD 32 b ADD a d q clk sum clk

ACL 2 SIX Example ADD 32 b ADD a d q clk sum clk (defthm adder-adds (implies (and (integerp n) (<= 1 n)) (equal (bv+ (sigvec (add 32) a (0 31) (1 - n) 2) (sigvec (add 32) b (0 31) (1 - n) 2)) (sigvec (add 32) sum (0 31) n 2))) : hints ((“Goal” : external (acl 2 six ((: cycle-expr n) (: ignore-init-cycles 1)))))) FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Soundness of ACL 2 SIX Extension n n Combining tools often leads to subtle

Soundness of ACL 2 SIX Extension n n Combining tools often leads to subtle soundness problems. We have an argument that ACL 2 SIX is sound. 1. 2. 3. n The FSM represented by VHDL could be defined in the ACL 2 logic. Sixth. Sense verifies valid safety properties of the FSM. Theoretically these properties could be proven in ACL 2 by induction. By constructing this argument we found (and fixed) a subtle soundness issue. FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Outline of the Talk
• ACL2 Theorem Prover and SixthSense
• Related Work
• Integration of Two Verification Tools
  • Step 1: External Hint Mechanism
  • Step 2: ACL2SIX Hint Implementation
• Soundness Argument
• Multiplier Example
• Conclusion

Example: Booth Multiplier n n n 53 bit x 54 bit multiplier Used to

Example: Booth Multiplier n n n 53 bit x 54 bit multiplier Used to compute double-precision floatingpoint multiplication Written in VHDL Sixth. Sense cannot verify the entire multiplier. This makes a good first example for ACL 2 SIX. FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Multiplier Dataflow Cycle #: 0. 5 2. 0 2. 5 3. 5 4. 0

Multiplier Dataflow Cycle #: 0. 5 2. 0 2. 5 3. 5 4. 0 Stage 5 Stage 4 Stage 3 … Stage 2 … … Stage 1 S 50 S 51 S 026 Vectors: 27 A X C FMCAD 2006 1. 5 S 00 … C Opt. Booth Encoder A 1. 0 18 12 6 4 = Sum + Carry ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool 2

Booth Encoder n n n Booth encoder reduces n x n bit multiplication into

Booth Encoder n n n Booth encoder reduces n x n bit multiplication into the summation of n/2 vectors. ACL 2 provided the algorithmic proof of Booth encoding multiplier. Sixth. Sense proved that the VHDL design implements an ACL 2 model. FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Compression Algorithm S 00 CSA 0 S 01 n n S 00 + S

Compression Algorithm S 00 CSA 0 S 01 n n S 00 + S 01 + S 02 = S 10 + S 11 S 02 n S 10 3 -to-2 Carry-Save Adder (CSA) takes 3 inputs and produces 2 outputs, preserving the sum. Verified sum-preservation on a single CSA using Sixth. Sense. Used ACL 2 to combine the results to prove S 00 +. . . + S 026 = S 50 + S 51 FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Multiplier Verification Summary n In Booth Encoding Proof: n n n In compressor proof:

Multiplier Verification Summary n In Booth Encoding Proof: n n n In compressor proof: n n n ACL 2 did arithmetic proof that requires induction. Sixth. Sense checked the low-level hardware detail is equivalent to ACL 2 model Sixth. Sense proved the basic property on a small element of the multiplier. ACL 2 combined these results, with the use of rewriting rules. Can re-run proof if multiplier is modified n Low-level modifications are only visible to Sixth. Sense! FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Conclusion n n Added prototype mechanism for extending ACL 2 with external tools Integrated

Conclusion n n Added prototype mechanism for extending ACL 2 with external tools Integrated Sixth. Sense and ACL 2 n n Avoided VHDL embedding Improved automation of ACL 2 Widened applicability of Sixth. Sense Future Work n n External hint will be incorporated in future ACL 2 releases Verification of larger hardware verification examples n e. g. FPU divide and square root FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Acknowledgements n Built initial prototype n n Helped design the : external extension n

Acknowledgements n Built initial prototype n n Helped design the : external extension n n Sandip Ray Matt Kaufmann Helped with Sixth. Sense n Jason Baumgartner, Viresh Paruthi, and Hari Mony FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Backup

Soundness Problem by Instantiation n n Sigbit and sigvec are actually partially constrained functions.

Soundness Problem by Instantiation n n Sigbit and sigvec are actually partially constrained functions. ACL 2 allows functional instantiation of constrained functions. n n But some of the constraints are unknown to the ACL 2 theorem prover. Solution: Disable functional instantiation of sigbit and sigvec. n Requires new feature available in upcoming ACL 2 release. FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Booth Encoder n Reduces the multiplication to summation n Encoding Table Half as many

Booth Encoder n Reduces the multiplication to summation n Encoding Table Half as many partial-products of the grade-school method. Two’s Complement Notation Looks at three bits at a time Example: 23 * 3 000011 010111. 0 * 110 011 010 + 100 → -2 * y 101 → -1 * y 110 → -1 * y 111 → 0 * y 000 → 0 * y 001 → 1 * y 010 → 1 * y 011 → 2 * y -1 * 3 * 20 = -3 2 * 3 * 22 = 24 1 * 3 * 24 = 48 69 FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool
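The two multiplier steps from the slides, radix-4 Booth encoding (the encoding table and the 23 * 3 example above) followed by 3-to-2 carry-save compression (the S00 + S01 + S02 = S10 + S11 property of the Compression Algorithm slide), as an added Python example that is not the authors' ACL2 model or VHDL. It generalizes the slide's worked example to any even operand width; the function names and the use of Python ints as unbounded two's-complement vectors are my assumptions.

```python
# Added example (not the authors' ACL2 model or VHDL): radix-4 Booth encoding
# followed by 3-to-2 carry-save compression, the two steps of the multiplier proof
# on the slides. Inputs are constructed; Python ints act as unbounded
# two's-complement bit vectors, so negative partial products need no special case.

# The encoding table from the slide: (x[i+1], x[i], x[i-1]) -> d, meaning d * y.
BOOTH_TABLE = {
    (0, 0, 0): 0, (0, 0, 1): 1, (0, 1, 0): 1, (0, 1, 1): 2,
    (1, 0, 0): -2, (1, 0, 1): -1, (1, 1, 0): -1, (1, 1, 1): 0,
}


def booth_digits(x, nbits):
    """Booth digits of x as an nbits two's-complement number, least significant first.

    Three bits are read at a time, overlapping by one, so nbits/2 digits result."""
    assert nbits % 2 == 0, "an even width gives exactly nbits/2 digits"
    bits = [(x >> i) & 1 for i in range(nbits)]
    digits = []
    for i in range(0, nbits, 2):
        below = bits[i - 1] if i > 0 else 0      # the slide's trailing ".0" bit
        digits.append(BOOTH_TABLE[(bits[i + 1], bits[i], below)])
    return digits


def booth_partial_products(x, y, nbits):
    """The nbits/2 vectors d_k * y * 4**k whose sum is x * y."""
    return [d * y * 4 ** k for k, d in enumerate(booth_digits(x, nbits))]


def csa(a, b, c):
    """3-to-2 carry-save adder: bitwise XOR plus shifted majority; a + b + c == s + carry."""
    s = a ^ b ^ c
    carry = ((a & b) | (a & c) | (b & c)) << 1
    return s, carry


def compress(vectors):
    """Push vectors three at a time through CSAs until only a sum and a carry vector remain."""
    vectors = list(vectors) + [0] * max(0, 2 - len(vectors))
    while len(vectors) > 2:
        vectors = vectors[3:] + list(csa(*vectors[:3]))   # each CSA turns 3 vectors into 2
    return vectors[0], vectors[1]


def booth_multiply(x, y, nbits):
    """x * y via Booth encoding then compression; returns (product, sum_vec, carry_vec)."""
    s, c = compress(booth_partial_products(x, y, nbits))
    return s + c, s, c
```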

In Upcoming ACL 2 Release n n Can disallow functional instantiation of sigbit and

In Upcoming ACL 2 Release n n Can disallow functional instantiation of sigbit and sigvec. External hint mechanism will includes tagging mechanism. n Only tagged clause processors trusted. FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Guiding the Theorem Prover (defthm rewrite-plus-minus-1 (implies (and (natp a) (natp b)) (equal (+

Guiding the Theorem Prover (defthm rewrite-plus-minus-1 (implies (and (natp a) (natp b)) (equal (+ a -1 b) (+ -1 a b)))) (thm (implies (and (natp a) (natp b)) (equal (nthcdr a (nthcdr b x)) (nthcdr (+ a b) x))) : hints (("Goal" : induct (nthcdr b x)))) n nthcdr removes n elements from a list Rewrinte-plus-minus-1 lemma automatically used in proof of theorem : induct hint guides the prover to use the induction suggested by (nthcdr b x) on the first “Goal” FMCAD 2006 ACL 2 SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

:external Example
    (defun generalize-expr (clause expr new-var state)
      (cond ((or (not (symbolp new-var))
                 (var-in-expr-listp new-var clause))
             (mv (list "ERROR: Target must be a new variable~%") nil state))
            (t (mv nil (list (substitute-expr-list expr new-var clause)) state))))

    (thm (implies (and (natp a) (natp (foo)))
                  (equal (nthcdr a (nthcdr (foo) x))
                         (nthcdr (+ a (foo)) x)))
         :hints (("Goal" :external (generalize-expr '(foo) 'b))
                 ("Goal'" :induct (nthcdr b x))))

ACL2 :external Hint Example
    (defun split-a-and-b (cl state)
      (mv nil
          (list (append '((booleanp a)) cl)
                (append '((booleanp b)) cl)
                (subst ''t 'b (subst ''t 'a cl))
                (subst ''t 'b (subst ''nil 'a cl))
                (subst ''nil 'b (subst ''t 'a cl))
                (subst ''nil 'b (subst ''nil 'a cl)))
          state))

    (defthm theorem-1
      (implies (and (booleanp a) (booleanp b))
               (or (not b) (and a b) (and (not a) b)))
      :hints (("Goal" :external (split-a-and-b))))
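The clause-processor contract behind the :external hint (the returned clauses must imply the original clause, as the "How External Hint Mechanism Works" slide states), checked on the split-a-and-b processor and theorem-1 above, as an added Python model that is not ACL2 code. It also checks an unguarded variant that keeps only the four instances, to show why the two booleanp clauses matter; the term encoding, function names and the non-boolean stand-in value 7 are my assumptions.

```python
# Added example (a constructed Python model, not ACL2 code): a clause processor used
# through :external must return clauses whose conjunction implies the original clause.
# Clauses are lists of literals read as a disjunction; ACL2 truth is "anything but nil".
from itertools import product

UNIVERSE = ('t', 'nil', 7)   # 7 stands in for any ACL2 object that is neither t nor nil


def ev(term, env):
    if not isinstance(term, tuple):           # a variable (looked up) or a constant
        return env.get(term, term)
    op, vals = term[0], [ev(a, env) for a in term[1:]]
    if op == 'not':
        return 'nil' if vals[0] != 'nil' else 't'
    if op == 'booleanp':
        return 't' if vals[0] in ('t', 'nil') else 'nil'
    if op == 'and':
        return 't' if all(v != 'nil' for v in vals) else 'nil'
    assert op == 'or', f"unknown operator {op}"
    return 't' if any(v != 'nil' for v in vals) else 'nil'


def subst(new, old, term):
    """Replace variable old by new throughout term, like ACL2's subst on the slide."""
    if term == old:
        return new
    if not isinstance(term, tuple):
        return term
    return (term[0],) + tuple(subst(new, old, a) for a in term[1:])


def split_a_and_b(cl):
    """The slide's clause processor: two type-guard clauses plus the four boolean instances."""
    return [[('booleanp', 'a')] + cl, [('booleanp', 'b')] + cl] + instances_only(cl)


def instances_only(cl):
    """Unguarded variant: the four instances alone, with nothing forcing a and b to be boolean."""
    return [[subst(vb, 'b', subst(va, 'a', lit)) for lit in cl]
            for va, vb in product(('t', 'nil'), repeat=2)]


def clause_holds(cl, env):
    return any(ev(lit, env) != 'nil' for lit in cl)


def implies_original(processor, cl, variables):
    """Sufficient contract check: in every environment, all returned clauses true => original true."""
    for values in product(UNIVERSE, repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(clause_holds(c, env) for c in processor(cl)) and not clause_holds(cl, env):
            return False
    return True


# theorem-1 from the slide as a clause: negated hypotheses disjoined with the conclusion.
THEOREM_1 = [('not', ('booleanp', 'a')), ('not', ('booleanp', 'b')),
             ('or', ('not', 'b'), ('and', 'a', 'b'), ('and', ('not', 'a'), 'b'))]
```

The unguarded variant fails the check on a clause such as (or (not a) (booleanp a)), which is false for a non-boolean a but true for both boolean instances.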

ACL2SIX Features
• ignore-init-cycles: Ignore the specified number of initial cycles.
  • If the corresponding ACL2 hypothesis is not present, the ACL2 proof will fail.
• cycle-expr: The ACL2 expression for the cycle number
• config-file: SixthSense configuration file
• (view-last-waveform): View the last counterexample waveform