Motivation f g h P STE ckt A C (theorem proving) OKAY? SMC ckt - - PDF document

1

Page 1

A Stream-based Framework for Reasoning with STE and other LTL Verification Formalisms

John O’Leary Strategic CAD Labs Intel Corporation 5200 NE Elam Young Pkwy Hillsboro, OR 97124, USA joleary@ichips.intel.com Tom Melham Dept of Computing Science University of Glasgow Glasgow, Scotland, G12 8QQ tfm@dcs.gla.ac.uk

Page 2

Model checking and theorem proving

| OKAY

=

| P

2

Page 3

Motivation

f g h

P ⇒ STE ckt A C SMC ckt (G(r→F a)) (theorem proving) ⇒ OKAY? Use the tool most suited for each sub-task Express and verify properties beyond the reach of

a single model checking run

Page 4

Our approach

Combine STE and SMC in a higher order logic

theorem prover

– A shallow embedding enables semantic reasoning about

verification results

Employ reflection to – Make links between model checking and higher order

logic explicit axioms rather than implicit in the metalogic

– Enable a lightweight, logically-coherent bookkeeping

system for model-checking runs

– Make calls to model checkers explicit in proofs

3

Page 5

Forte

Logical architecture

∃h. SMC ckt h <<p>> ∃h.c 0 (cLSTE p h ckt) ckt |= p ckt |= p --> c ckt |= p AND c LTL cLSTE_ax SMC_ax bookkeeping cLSTE p h ckt SMC ckt h <<p>>

Higher order logic

Page 6

Physical architecture

Higher order logic

cLSTE p h ckt SMC ckt h <<p>> SMC STE

Forte

4

Page 7

LTL

A subset of Intel’s ForSpec Temporal Language

LTL f ::= value n n ∈ Nd | f1 ∧ f2 | ¬ f | NEXT f | f1 UNTIL f2 | …

Page 8

LTL semantics

State (assigning each node a Boolean value)

St = Nd → bool

Trace (a sequence of states)

Tr = nat → (Nd → bool)

Satisfaction

_ sat _ :: (nat, Tr) → LTL → bool

Examples:

i,σ sat [value n] iff σ i n i,σ sat [f1 ∧ f2] iff i,σ sat [f1] and i,σ sat [f2] i,σ sat [NEXT f] iff i+1,σ sat [f]

5

Page 9

LTL in higher order logic

LTL operators are shallowly embedded as

functions of type nat → Tr → bool

Example:

i,σ sat [f1 ∧ f2] iff i,σ sat [f1] and i,σ sat [f2] p && q = \t.\s. (p t s) AND (q t s);

def

Page 10

LTL in higher order logic

A circuit satisfies a property iff all its traces do We can treat in_L :: Tr->fsm->bool as an

uninterpreted predicate for our purpose ckt |= p = Forall s. (s in_L ckt) ==> p 0 s;

def

6

Page 11

Reasoning in LTL

NEXT_and = |- Forall p. Forall q. NEXT (p && q) = (NEXT p) && (NEXT q)

time_shift = |- Forall ckt. Forall p. (ckt |= p) ==> (ckt |= ALWAYS p)

Page 12

Forte

Logical architecture

∃h. SMC ckt h <<p>> ∃h.c 0 (cLSTE p h ckt) ckt |= p ckt |= p --> c ckt |= p AND c LTL cLSTE_ax SMC_ax bookkeeping cLSTE p h ckt SMC ckt h <<p>>

Higher order logic

7

Page 13

SMC

SMC ckt usefuls frees <<p>>

– constructs a specification automaton from the LTL

property p using standard tableau construction, runs the model checker and returns T/F

– usefuls and frees are hints for pruning the circuit – Reflection: <<p>> means “the syntax of p”

Page 14

Interface to SMC, using reflection

SMC_ax = |- Forall ckt. Forall p. (WF <<p>>) AND (Exists usefuls. Exists frees. SMC ckt usefuls frees <<p>>) ==> (ckt |= p)

def

8

Page 15

Conventional solution

Interface to SMC is implicit: – A metafunction mk_SMC_ax takes the circuit, pruning info,

and property as arguments, calls SMC, and generates the appropriate axiom if SMC succeeds

mk_SMC_ax ckt [] [] <<spec>> |- (ckt |= spec)

Page 16

STE

cLSTE assump hints ckt

– provides a trace-based interface to standard STE – cLSTE returns a trace (int->string->bool)generated

under assumption asm that can be used to check satisfaction of a bounded LTL formula

cLSTE_ax = |- Forall ckt. Forall asm. Forall p. (Exists hints. p 0 (cLSTE asm hints ckt)) ==> (ckt |= (asm --> p))

def

9

Page 17

Example circuit

clk vld rst a b c qclk pup

Page 18

Helpful definitions

It is convenient to introduce these definitions

let falling c = c && NEXT (! c); let rising c = (! c) && NEXT c; letrec repeat 0 f p = p /\ repeat n f p = f (repeat (n-1) f p); let weak_mutex a b = ! (a && b);

10

Page 19

let ctl_spec = (ALWAYS (clk ~= ! (NEXT clk))) && (ALWAYS (falling clk --> weak_mutex vld (repeat 2 NEXT vld)))

• ->

ALWAYS ( (falling clk) && rst --> ALWAYS ( (falling clk && vld && ! rst && repeat 2 NEXT (! rst))

• ->

(repeat 2 NEXT pup) && (repeat 4 NEXT pup) ) );

Control property

clk vld rst qclk pup

Page 20

Proving the control property

|- WF <<ctl_spec>> AND SMC ckt [“c2c”] [] <<ctl_spec>> |- WF <<ctl_spec>> AND (Exists usefuls. Exists frees. SMC ckt usefuls frees <<ctl_spec>>) |- ckt |= ctl_spec

Evaluation “bookkeeping”

SMC_ax

11

Page 21

Datapath property

a b c clk pup

let dp_spec = (ALWAYS (clk ~= ! (NEXT clk))) // dp_spec_a

• ->

ALWAYS ( // dp_spec_c (falling clk && repeat 2 NEXT pup && repeat 4 NEXT pup)

• ->

((repeat 5 NEXT c) ~= ! ((NEXT a) || (NEXT b))));

Page 22

Proving the datapath property

|- dp_spec_c 0 (cLSTE dp_spec_a dp_hints ckt) |- Exists hints. dp_spec_c 0 (cLSTE dp_spec_a hints ckt) |- ckt |= dp_spec_a -> dp_spec_c

Evaluation “bookkeeping”

cLSTE_ax

12

Page 23

Combined property

let top_spec = (ALWAYS (clk ~= ! (NEXT clk))) && (ALWAYS (falling clk --> weak_mutex vld (repeat 2 NEXT vld)))

• ->

ALWAYS ( (falling clk) && rst

• ->

ALWAYS ( (falling clk && vld && !rst && repeat 2 NEXT (! rst))

• ->

((repeat 5 NEXT c) ~= ! ((NEXT a) || (NEXT b)))));

Page 24

Proving the combined property

|- ckt |= dp_spec_a

• > dp_spec_c

|- ckt |= ctl_spec |- ckt |= top_spec

Reasoning in LTL

13

Page 25

Summary

STE, SMC are combined within a higher order logic

theorem prover with reflection

– Calls to model checkers are explicit in proofs – Including directives, hints, etc – Theorem prover is used as a bookkeeping tool to manage

model checking runs

– Abstracting away directives, hints – Extensions can handle simple reasoning: case-splitting, assume-guarantee – Explicit links between STE, SMC and specification logic – Spec logic is shallowly embedded in higher order logic – Full power of the theorem prover is available for complex reasoning