Motivation f g h P STE ckt A C (theorem proving) OKAY? SMC ckt - PDF document

A Stream-based Framework for Reasoning with STE and other LTL Verification Formalisms John O’Leary Tom Melham Dept of Computing Science Strategic CAD Labs Intel Corporation University of Glasgow Glasgow, Scotland, G12 8QQ 5200 NE Elam Young Pkwy Hillsboro, OR 97124, USA tfm@dcs.gla.ac.uk joleary@ichips.intel.com Page 1 Model checking and theorem proving | OKAY = | P - Page 2 1

Motivation f g h P ⇒ STE ckt A C (theorem proving) ⇒ OKAY? SMC ckt (G(r → F a)) � Use the tool most suited for each sub-task � Express and verify properties beyond the reach of a single model checking run Page 3 Our approach � Combine STE and SMC in a higher order logic theorem prover – A shallow embedding enables semantic reasoning about verification results � Employ reflection to – Make links between model checking and higher order logic explicit axioms rather than implicit in the metalogic – Enable a lightweight, logically-coherent bookkeeping system for model-checking runs – Make calls to model checkers explicit in proofs Page 4 2

Logical architecture Higher order logic ckt |= p AND c LTL ckt |= p ckt |= p --> c SMC_ax cLSTE_ax ∃ h. SMC ckt h <<p>> ∃ h.c 0 (cLSTE p h ckt) bookkeeping SMC ckt h <<p>> cLSTE p h ckt Forte Page 5 Physical architecture Higher order logic SMC ckt h <<p>> cLSTE p h ckt STE SMC Forte Page 6 3

LTL � A subset of Intel’s ForSpec Temporal Language n ∈ Nd LTL f ::= value n | f1 ∧ f2 | ¬ f | NEXT f | f1 UNTIL f2 | … Page 7 LTL semantics � State (assigning each node a Boolean value) St = Nd → bool � Trace (a sequence of states) Tr = nat → (Nd → bool) � Satisfaction _ sat _ :: (nat, Tr) → LTL → bool � Examples: i, σ sat [value n ] iff σ i n i, σ sat [ f1 ∧ f2 ] iff i, σ sat [ f1 ] and i, σ sat [ f2 ] i, σ sat [NEXT f ] iff i+1, σ sat [ f ] Page 8 4

LTL in higher order logic � LTL operators are shallowly embedded as functions of type nat → Tr → bool � Example: i, σ sat [ f1 ∧ f2 ] iff i, σ sat [ f1 ] and i, σ sat [ f2 ] def p && q = \t.\s. (p t s) AND (q t s); Page 9 LTL in higher order logic � A circuit satisfies a property iff all its traces do � We can treat in_L :: Tr->fsm->bool as an uninterpreted predicate for our purpose def ckt |= p = Forall s. (s in_L ckt) ==> p 0 s; Page 10 5

Reasoning in LTL NEXT_and = |- Forall p. Forall q. NEXT (p && q) = (NEXT p) && (NEXT q) time_shift = |- Forall ckt. Forall p. (ckt |= p) ==> (ckt |= ALWAYS p) Page 11 Logical architecture Higher order logic ckt |= p AND c LTL ckt |= p ckt |= p --> c SMC_ax cLSTE_ax ∃ h. SMC ckt h <<p>> ∃ h.c 0 (cLSTE p h ckt) bookkeeping cLSTE p h ckt SMC ckt h <<p>> Forte Page 12 6

SMC SMC ckt usefuls frees <<p>> – constructs a specification automaton from the LTL property p using standard tableau construction, runs the model checker and returns T/F – usefuls and frees are hints for pruning the circuit – Reflection: <<p>> means “the syntax of p” Page 13 Interface to SMC, using reflection def SMC_ax = |- Forall ckt. Forall p. (WF <<p>>) AND (Exists usefuls. Exists frees. SMC ckt usefuls frees <<p>>) ==> (ckt |= p) Page 14 7

Conventional solution � Interface to SMC is implicit: – A metafunction mk_SMC_ax takes the circuit, pruning info, and property as arguments, calls SMC, and generates the appropriate axiom if SMC succeeds mk_SMC_ax ckt [] [] <<spec>> |- (ckt |= spec) Page 15 STE cLSTE assump hints ckt – provides a trace-based interface to standard STE – cLSTE returns a trace (int->string->bool) generated under assumption asm that can be used to check satisfaction of a bounded LTL formula def cLSTE_ax = |- Forall ckt. Forall asm. Forall p. (Exists hints. p 0 (cLSTE asm hints ckt)) ==> (ckt |= (asm --> p)) Page 16 8

Example circuit a c b qclk pup vld clk rst Page 17 Helpful definitions � It is convenient to introduce these definitions let falling c = c && NEXT (! c); let rising c = (! c) && NEXT c; letrec repeat 0 f p = p /\ repeat n f p = f (repeat (n-1) f p); let weak_mutex a b = ! (a && b); Page 18 9

Control property let ctl_spec = (ALWAYS (clk ~= ! (NEXT clk))) && (ALWAYS (falling clk --> weak_mutex vld (repeat 2 NEXT vld))) --> ALWAYS ( (falling clk) && rst --> ALWAYS ( (falling clk && vld && ! rst && repeat 2 NEXT (! rst)) --> (repeat 2 NEXT pup) && (repeat 4 NEXT pup) qclk ) ); pup vld clk rst Page 19 Proving the control property Evaluation |- WF <<ctl_spec>> AND SMC ckt [“c2c”] [] <<ctl_spec>> “bookkeeping” |- WF <<ctl_spec>> AND (Exists usefuls. Exists frees. SMC ckt usefuls frees <<ctl_spec>>) SMC_ax |- ckt |= ctl_spec Page 20 10

Datapath property a c b clk pup let dp_spec = (ALWAYS (clk ~= ! (NEXT clk))) // dp_spec_a --> ALWAYS ( // dp_spec_c (falling clk && repeat 2 NEXT pup && repeat 4 NEXT pup) --> ((repeat 5 NEXT c) ~= ! ((NEXT a) || (NEXT b)))); Page 21 Proving the datapath property Evaluation |- dp_spec_c 0 (cLSTE dp_spec_a dp_hints ckt) “bookkeeping” |- Exists hints. dp_spec_c 0 (cLSTE dp_spec_a hints ckt) cLSTE_ax |- ckt |= dp_spec_a -> dp_spec_c Page 22 11

Combined property let top_spec = (ALWAYS (clk ~= ! (NEXT clk))) && (ALWAYS (falling clk --> weak_mutex vld (repeat 2 NEXT vld))) --> ALWAYS ( (falling clk) && rst --> ALWAYS ( (falling clk && vld && !rst && repeat 2 NEXT (! rst)) --> ((repeat 5 NEXT c) ~= ! ((NEXT a) || (NEXT b))))); Page 23 Proving the combined property |- ckt |= dp_spec_a |- ckt |= ctl_spec -> dp_spec_c Reasoning in LTL |- ckt |= top_spec Page 24 12

Summary � STE, SMC are combined within a higher order logic theorem prover with reflection – Calls to model checkers are explicit in proofs – Including directives, hints, etc – Theorem prover is used as a bookkeeping tool to manage model checking runs – Abstracting away directives, hints – Extensions can handle simple reasoning: case-splitting, assume-guarantee – Explicit links between STE, SMC and specification logic – Spec logic is shallowly embedded in higher order logic – Full power of the theorem prover is available for complex reasoning Page 25 13