formal verification of stack manipulation in the scip
play

Formal Verification of Stack Manipulation in the SCIP Processor J. - PowerPoint PPT Presentation

Mar 22, 2024 •193 likes •424 views

Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level Challenges to developing capability in formal methods: Perceived high barrier to entry, Specialized tools and jargon, Need for a

  1. Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass

  2. High Level ◮ Challenges to developing capability in formal methods: ◮ Perceived high barrier to entry, ◮ Specialized tools and jargon, ◮ Need for a compelling but attainable demonstration. ◮ Why we chose the SCIP processor: ◮ Developed in house, ◮ General purpose processor, ◮ Simple design ( ∼ 5k lines VHDL), ◮ No advanced processor features (pipelining, out-of-order execution, etc.), ◮ For use in satellites ⇒ high reliability requirements. September 24, 2010

  3. Scope True Goal: To prove that the physical processor does what we want, English Design VHDL Design Hardware Document Formal ACL2 Specification Model but . . . ◮ proof tools work on an abstract model, ◮ “what we want” is not formally defined. September 24, 2010

  4. Scope True Goal: To prove that the physical processor does what we want, English Design VHDL Design Hardware Document Formal ACL2 Specification Model but . . . ◮ proof tools work on an abstract model, ◮ “what we want” is not formally defined. Instead we prove that a model of the VHDL design meets certain correctness properties. September 24, 2010

  5. Approach Embedding of VHDL in ACL2 ◮ Focus on building a syntactic layer on ACL2 for easy translation. ◮ Key Goals: ◮ Incremental semantic refinements, ◮ Direct manual translation of existing code, ◮ Target for automated translation. ACL2 Model of SCIP Design ◮ Test case for modeling framework. ◮ Translate VHDL code, then prove axiomatic summaries of components. September 24, 2010

  6. VHDL Modeling Framework Challenges ◮ Large semantic gap between VHDL and ACL2. ◮ VHDL processes all execute at the same time. ◮ Human checkable translation. ◮ Must match structure of original VHDL code. Solution ◮ Use ACL2 (LISP) macros to wrap ACL2 implementation behind VHDL like syntax. ◮ Based primarily on Georgelin, et al., “A framework for VHDL combining theorem proving and symbolic simulation.” September 24, 2010

  7. Supported VHDL Entities ◮ Uses defstructure book to generate data type predicates, accessors, updaters, etc. ◮ Nested components supported via copy-in/copy-out semantics. Processes ◮ Mapped to ACL2 functions. ◮ Generate theorems to guarantee some safety properties (e.g., no writing to inputs). September 24, 2010

  8. Supported VHDL Architectures ◮ Generate a single function that is the composition of all processes and subcomponent updates. ◮ Generate theorems to show processes are order independent. September 24, 2010

  9. Supported VHDL Architectures ◮ Generate a single function that is the composition of all processes and subcomponent updates. ◮ Generate theorems to show processes are order independent. But Wait . . . ◮ Order independence isn’t sufficient to guarantee the processes can be safely interleaved! September 24, 2010

  10. Supported VHDL Architectures ◮ Generate a single function that is the composition of all processes and subcomponent updates. ◮ Generate theorems to show processes are order independent. But Wait . . . ◮ Order independence isn’t sufficient to guarantee the processes can be safely interleaved! ◮ Fine for combinatorial processes (all of SCIP). ◮ Problem for sequential processes with shared state. ◮ But it is easy to change the macros to generate stronger theorems for guaranteeing determinism. September 24, 2010

  11. Supported VHDL Data Types ◮ Originally based on ACL2’s native integer type. ◮ Easy for arithmetic, challenging for bit slicing operations (concatenation, truncation, etc.). ◮ Simplification of VHDL’s 9 valued logic: U (uninitialized), X (undefined), 0 (strong drive, logic 0), 1, (strong drive, logic 1), Z (high impedance), W (weak drive, unknown value), L (weak drive, logic 0), H (weak drive, logic 1), - (don’t care). ◮ Used a symbolic instruction representation to avoid complex bit operations. ◮ Became problematic as we added type checking because data and instructions must traverse the same buses. September 24, 2010

  12. Supported VHDL Data Types ◮ Migrated to lists of logical symbols ◮ Operations such as truncation and concatenation become structurally recursive. ◮ Required very little modification to existing SCIP model (mostly search and replace). September 24, 2010

  13. SCIP Design A Simple Forth Microprocessor ◮ Designed for managing scientific instruments on satellites. ◮ Low power, light weight, low gate count. ◮ 16 and 32 bit versions (16 is standard). ◮ No pipelining, No superscalar, No out-of-order. ◮ Stack based design inspired by the Forth language. ◮ Two stacks: parameter stack (P-stack) and return stack (R-stack). ◮ Instructions may specify multiple behaviors such as an ALU operation, a P-stack modification, and a return. September 24, 2010

  14. SCIP Instructions Instructions Are Packed Structures ◮ Only 18 different kinds of instructions. ◮ ∼ 9356 different opcodes. Basic ALU Instruction 1011 1 01 010 00 0010 Pop Return Stack Ignored Addition After Execution Push Result On Top Of Operand Stack September 24, 2010

  15. SCIP Correctness Proofs Parameter Stack Design ◮ Many instructions can include a stack operation (Push, Pop, Swap, or Nop). ◮ Processor stacks are represented by a set of data registers and two index registers. ◮ On 16 bit SCIP: 16 2 15 0 byte data registers, 4 14 1 13 2 bit index registers. 12 3 OVERFLOW TOP ◮ If enabled, 11 4 overflow/underflow 10 5 may trigger 9 6 reading/writing main 8 7 memory. September 24, 2010

  16. SCIP Correctness Proofs Abstract Properties ◮ We’d like to show that the register ring actually implements a stack. ◮ In particular we need to show that the instructions correspond to abstract stack manipulation operations. ◮ e.g., s − push ( a ) ( a . s ) − − − → ◮ Model stacks using ACL2 lists ( push ≡ cons ). ◮ Focus on normal operation & detecting exception cases (overflow/underflow) September 24, 2010

  17. Graphically 4 3 15 0 14 1 2 13 2 1 OVERFLOW 12 3 0 11 4 15 10 5 14 TOP 9 6 8 7 13 12 September 24, 2010

  18. Actual Theorem ≡ (defthm scip push pstack cons (implies (and (scip pstack inputs ready p st) (not (equal (scip reset st) 1)) (not (rising edge (scip clk st))) (equal (scip stretch st) 0) (instr class stack (scip ir+ st)) (equal (stack op (scip ir+ st)) *st push*) (std logic defined list p (scip ptopi+ st)) (std logic defined list p (scip poveri+ st)) (integerp n) ( > = n 3)) (equal (scip get pstack regfile as list (scip step (scip raise clock (scip step n n st)))) (let ((p (scip ptopi+ st)) (o (scip poveri+ st))) (cond ((equal (std logic list to int p) (std logic list to int o)) (list (scip pnext+ st))) (t (cons (scip pnext+ st) (scip get pstack regfile as list st)))))))) September 24, 2010

  19. Actual Theorem ≡ If the SCIP is valid and in (defthm scip push pstack cons stable state, (implies (and (scip pstack inputs ready p st) (not (equal (scip reset st) 1)) (not (rising edge (scip clk st))) (equal (scip stretch st) 0) (instr class stack (scip ir+ st)) (equal (stack op (scip ir+ st)) *st push*) (std logic defined list p (scip ptopi+ st)) (std logic defined list p (scip poveri+ st)) (integerp n) ( > = n 3)) (equal (scip get pstack regfile as list (scip step (scip raise clock (scip step n n st)))) (let ((p (scip ptopi+ st)) (o (scip poveri+ st))) (cond ((equal (std logic list to int p) (std logic list to int o)) (list (scip pnext+ st))) (t (cons (scip pnext+ st) (scip get pstack regfile as list st)))))))) September 24, 2010

  20. Actual Theorem ≡ If the SCIP is valid and in (defthm scip push pstack cons stable state, (implies (and (scip pstack inputs ready p st) (not (equal (scip reset st) 1)) (not (rising edge (scip clk st))) (equal (scip stretch st) 0) (instr class stack (scip ir+ st)) then the P-stack at the next clock (equal (stack op (scip ir+ st)) *st push*) cycle, represented as a list... (std logic defined list p (scip ptopi+ st)) (std logic defined list p (scip poveri+ st)) (integerp n) ( > = n 3)) (equal (scip get pstack regfile as list (scip step (scip raise clock (scip step n n st)))) (let ((p (scip ptopi+ st)) (o (scip poveri+ st))) (cond ((equal (std logic list to int p) (std logic list to int o)) (list (scip pnext+ st))) (t (cons (scip pnext+ st) (scip get pstack regfile as list st)))))))) September 24, 2010

  21. Actual Theorem ≡ If the SCIP is valid and in (defthm scip push pstack cons stable state, (implies (and (scip pstack inputs ready p st) (not (equal (scip reset st) 1)) (not (rising edge (scip clk st))) (equal (scip stretch st) 0) (instr class stack (scip ir+ st)) then the P-stack at the next clock (equal (stack op (scip ir+ st)) *st push*) cycle, represented as a list... (std logic defined list p (scip ptopi+ st)) (std logic defined list p (scip poveri+ st)) (integerp n) ( > = n 3)) ... is equal to the original pnext register cons ' ed onto the original (equal (scip get pstack regfile as list P-stack represented as a list (scip step (scip raise clock (scip step n n st)))) (let ((p (scip ptopi+ st)) (o (scip poveri+ st))) (cond ((equal (std logic list to int p) (std logic list to int o)) (list (scip pnext+ st))) (t (cons (scip pnext+ st) (scip get pstack regfile as list st)))))))) September 24, 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Chapter Thirteen: Stack Machines Formal Language, chapter 13, slide 1 1 Stacks are

Chapter Thirteen: Stack Machines Formal Language, chapter 13, slide 1 1 Stacks are

Chapter Thirteen: Stack Machines Formal Language, chapter 13, slide 1 1 Stacks are ubiquitous in computer programming, and they have an important role in formal language as well. A stack machine is a kind of automaton that uses a stack for

854 views • 59 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

706 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Collaboration between the SCiP Alliance and the SCISS network KATHERINE LAWRENCE SCIP ALLIANCE

Collaboration between the SCiP Alliance and the SCISS network KATHERINE LAWRENCE SCIP ALLIANCE

@scipalliance Collaboration between the SCiP Alliance and the SCISS network KATHERINE LAWRENCE SCIP ALLIANCE MANAGER 1 What makes service children great potential HE students? 2 The challenge Around 4 in 10 children from military families who

349 views • 9 slides
Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

ARTIST2 - ARTIST2 - MOTIVES MOTIVES Trento - - Italy, February 19 Italy, February 19- -23, 2007 23, 2007 Trento Session: Testing and Runtime Verification Formal Verification and Testing for Formal Verification and Testing for Reactive

881 views • 31 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

818 views • 49 slides
Diagrams Tracing Programs by Hand Understanding how a program will evaluate depends on

Diagrams Tracing Programs by Hand Understanding how a program will evaluate depends on

Memory Diagrams Tracing Programs by Hand Understanding how a program will evaluate depends on systematically keeping track of many details. As your program is evaluated, there are many moving parts: 1. The current line of code, or

375 views • 34 slides
CS 240 Programming in C Pointers September 28, 2019 Haoyu Wang UMass Boston CS 240 September

CS 240 Programming in C Pointers September 28, 2019 Haoyu Wang UMass Boston CS 240 September

CS 240 Programming in C Pointers September 28, 2019 Haoyu Wang UMass Boston CS 240 September 28, 2019 1 / 10 Runtime Memory Layout Text segment: machine 0xFFFF instructions of program stack Data segment: constants, global variables

900 views • 10 slides
Final Review CS304 Introduc2on to C Why C? Difference

Final Review CS304 Introduc2on to C Why C? Difference

Final Review CS304 Introduc2on to C Why C? Difference between Python and C C compiler stages Basic syntax in C Pointers What is

482 views • 19 slides
Roadmap Memory & data Section 5: Procedures & Stacks Integers & floats Machine code

Roadmap Memory & data Section 5: Procedures & Stacks Integers & floats Machine code

University of Washington University of Washington Roadmap Memory & data Section 5: Procedures & Stacks Integers & floats Machine code & C C: Java: x86 assembly Stacks in memory and stack operations Car c = new Car();

456 views • 20 slides
Undo/Redo Principles, concepts, and Java implementation Direct Manipulation Principles There

Undo/Redo Principles, concepts, and Java implementation Direct Manipulation Principles There

Undo/Redo Principles, concepts, and Java implementation Direct Manipulation Principles There is a visible and continuous representation of the domain objects and their actions. Consequently, there is little syntax to remember. The

916 views • 28 slides
1 Meggy Jr Simple Library functions Example AVR-G++ program ClearSlate() --

1 Meggy Jr Simple Library functions Example AVR-G++ program ClearSlate() --

Meggy Jr Simple and AVR Today avr-gcc tool chain and provided Makefile Meggy Jr Simple library ATmega328p chip avr assembly CS453 Lecture Meggy Jr Simple and AVR 1 avr-gcc tool chain Meggy Jr Simple Library See Resources

211 views • 5 slides
Reflection: Stack as an Object Damien Cassou, Stphane Ducasse and Luc Fabresse W7S06

Reflection: Stack as an Object Damien Cassou, Stphane Ducasse and Luc Fabresse W7S06

Reflection: Stack as an Object Damien Cassou, Stphane Ducasse and Luc Fabresse W7S06 http://www.pharo.org Just to Reveal a Bit of It To let you know that it exists On demand the stack can be turned into an object We can walk but also

346 views • 13 slides
CS356 : Discussion #3 Assembly Instructions What about programs that operate on data? Integer

CS356 : Discussion #3 Assembly Instructions What about programs that operate on data? Integer

CS356 : Discussion #3 Assembly Instructions What about programs that operate on data? Integer and Floating-Point Formats Twos Complement IEEE 754 Machine-Level Programs Operand specifiers Data movement Arithmetic and

688 views • 31 slides

More recommend