ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool

Jun Sawada and Erik ReeberIBM Austin Research Laboratory

University of Texas at AustinNovember 15, 2006

FMCAD 2006

ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated

Verification Tool

Outline of the Talk

ACL2 Theorem Prover and SixthSense Integration of Two Verification Tools

Step 1: External Hint Mechanism Step 2: ACL2SIX Implementation

Soundness Argument Multiplier Example Conclusion

FMCAD 2006


Verification Tool

ACL2 Theorem Prover

General-purpose theorem prover for first order logic (with induction) Fast evaluator Powerful lemma-based rewriter Generalization and induction heuristics

Applied to large projects AMD Athlon™ floating point unit Rockwell Collins AAMP7 separation kernel Java bytecode verifier

Unlike HOL, no mechanism for adding user-defined decision procedures

FMCAD 2006


Verification Tool

SixthSense

IBM internal verification tool Operates on a finite-state machine described

in VHDL. Uses transformation-based verification

approach combining many model-checking algorithms

BDDs & SAT Solvers Re-timing engine Localization engine

It formally proves safety properties of FSMs When a property is found invalid, it returns a

counter example.

FMCAD 2006


Verification Tool

Objective of the Integration

Make SixthSense and ACL2 work together. Use SixthSense to verify properties on

tedious low-level hardware logic circuits. Use ACL2 to prove abstract concepts such as

algorithmic or arithmetic properties. Avoid embedding VHDL in the ACL2 logic

FMCAD 2006


Verification Tool

Related Work

Prior ACL2 integration work: UCLID: Manolios and Srinivasan SAT: Hunt and Reeber

Other theorem provers Model-checker with PVS Elsa Gunter’s integration of HOL90 with

external decision procedures FORTE

White-box integration of “light-weight” theorem prover with STE

FMCAD 2006


Verification Tool

Approach to Integration

Implement generic external tool mechanism as an ACL2 hint. Little modification of ACL2 code. Other model checkers, and decision procedures

can be integrated in the same way. Implement ACL2SIX with this mechanism

SixthSense becomes a new ACL2 proof engine for a subset of ACL2 formulas

Properties proven by SixthSense added to ACL2 database for use by other ACL2 proof engines

FMCAD 2006


Verification Tool

ACL2SIX Implementation

ACL2

SixthSense

External Hint Interface

ACL2SIXfunction New

Process Call

Other ACL2Books

Common LispVHDL source

on Design

File Access

User Inputs

FMCAD 2006


Verification Tool

Step 1: External Hint Mechanism

ACL2 user can direct the prover’s behavior by supplying (optional) hints.

(defthm some-lemma

(………)

:hint ((“Goal” :cases ((< x 0))))) Added a new ACL2 hint mechanism to

dynamically extend the ACL2 theorem prover.(defthm some-lemma

(………)

:hint ((“Goal” :external ((fn opt-args)))))

FMCAD 2006


Verification Tool

How External Hint Mechanism Works

(defthm some-lemma (………):hint ((“Goal” :external (fn opt-args)))

fn is a user-defined function, we call a clause-processor.

The :external hint calls the clause processor fn.

fn inputs the clause under proof And returns a clause list implying the original

clause. The theorem prover continues with the new

clause list.

FMCAD 2006


Verification Tool

Summary of :External Hint

With the :External Hint, we can implement new theorem proving procedures external tool interfaces

Prototype modifies ACL2 source Only 57 lines of modification

Soundness depends on the clause processor

FMCAD 2006


Verification Tool

Step 2: ACL2SIX Implementation

ACL2SIX is a clause processor. It is invoked through the :external hint

mechanism. When invoked, it translates ACL2

property to VHDL. And calls SixthSense to verify it.

FMCAD 2006


Verification Tool

ACL2SIX Hint Process Flow

ACL2 Property about VHDL Design

ReducedClause

CounterExample

VHDLProperty

VHDLDesign

ACL2VHDLTranslation

Check Result

SixthSenseExecution

Yes No

ACL2 SixthSense

FMCAD 2006


Verification Tool

Property Representation

ACL2SIX accepts hardware properties written with the following: Bit and bit-vector constants. ACL2 functions on bit vectors in our library.

e.g. bv+, bv-and, and bv-or. VHDL signals represented through two ACL2

functions:(sigbit entity signame cycle phase)

(sigvec entity signame (lbit hbit) cycle phase)

FMCAD 2006


Verification Tool

ACL2SIX Example

AD

D

clkd q

b

a sum

clk

(defthm adder-adds (implies (and (integerp n) (<= 1 n)) (equal (bv+ (sigvec (add32) a (0 31) (1- n) 2) (sigvec (add32) b (0 31) (1- n) 2)) (sigvec (add32) sum (0 31) n 2))) :hints ((“Goal” :external (acl2six ((:cycle-expr n) (:ignore-init-cycles 1))))))

ADD32

FMCAD 2006


Verification Tool

Soundness of ACL2SIX Extension

Combining tools often leads to subtle soundness problems.

We have an argument that ACL2SIX is sound.

1. The FSM represented by VHDL could be defined in the ACL2 logic.

2. SixthSense verifies valid safety properties of the FSM.

3. Theoretically these properties could be proven in ACL2 by induction.

By constructing this argument we found (and fixed) a subtle soundness issue.

FMCAD 2006


Verification Tool

Outline of the Talk

ACL2 Theorem Prover and SixthSense Related Work Integration of Two Verification Tools

Step 1: External Hint Mechanism Step 2: ACL2SIX Hint Implementation

Soundness Argument Multiplier Example Conclusion

FMCAD 2006


Verification Tool

Example: Booth Multiplier

53bit x 54bit multiplier Used to compute double-precision

floating-point multiplication Written in VHDL SixthSense cannot verify the entire

multiplier. This makes a good first example for

ACL2SIX.

FMCAD 2006


Verification Tool

Multiplier Dataflow

Opt. B

ooth Encoder

Stage 1

Stage 2

Stage 3

Stage 4

Stage 5

……

… …

Cycle #: 0.5 1.0 1.5 2.0 2.5 3.5 4.0

Vectors: 27 18 12 6 4 2

A

C

A X C = Sum + Carry

S51

S50

S00

S026

FMCAD 2006


Verification Tool

Booth Encoder

Booth encoder reduces n x n bit multiplication into the summation of n/2 vectors.

ACL2 provided the algorithmic proof of Booth encoding multiplier.

SixthSense proved that the VHDL design implements an ACL2 model.

FMCAD 2006


Verification Tool

Compression Algorithm

3-to-2 Carry-Save Adder (CSA) takes 3 inputs and produces 2 outputs, preserving the sum.

Verified sum-preservation on a single CSA using SixthSense.

Used ACL2 to combine the results to prove

S00

S01

S02

S10

S11

CSA0S00 + S01 + S02 = S10 + S11

S00 + ... + S026 = S50 + S51

FMCAD 2006


Verification Tool

Multiplier Verification Summary

In Booth Encoding Proof: ACL2 did arithmetic proof that requires induction. SixthSense checked the low-level hardware detail

is equivalent to ACL2 model In compressor proof:

SixthSense proved the basic property on a small element of the multiplier.

ACL2 combined these results, with the use of rewriting rules.

Can re-run proof if multiplier is modified Low-level modifications are only visible to

SixthSense!

FMCAD 2006


Verification Tool

Conclusion

Added prototype mechanism for extending ACL2 with external tools

Integrated SixthSense and ACL2 Avoided VHDL embedding Improved automation of ACL2 Widened applicability of SixthSense

Future Work External hint will be incorporated in future

ACL2 releases Verification of larger hardware verification

examples e.g. FPU divide and square root

FMCAD 2006


Verification Tool

Acknowledgements

Built initial prototype Sandip Ray

Helped design the :external extension Matt Kaufmann

Helped with SixthSense Jason Baumgartner, Viresh Paruthi, and Hari

Mony

FMCAD 2006


Verification Tool

Backup

FMCAD 2006


Verification Tool

Soundness Problem by Instantiation

Sigbit and sigvec are actually partially constrained functions.

ACL2 allows functional instantiation of constrained functions. But some of the constraints are unknown to

the ACL2 theorem prover. Solution: Disable functional instantiation

of sigbit and sigvec. Requires new feature available in upcoming

ACL2 release.

FMCAD 2006


Verification Tool

Booth Encoder

100 → -2 * y101 → -1 * y110 → -1 * y111 → 0 * y000 → 0 * y001 → 1 * y010 → 1 * y011 → 2 * y

Reduces the multiplication to summation

Half as many partial-products of the grade-school method.

Two’s Complement Notation Looks at three bits at a time

Example: 23 * 3 000011 010111.0

-1 * 3 * 20 = -3 2 * 3 * 22 = 24 1 * 3 * 24 = 48

+69

*

011

110

010

Encoding Table

FMCAD 2006


Verification Tool

In Upcoming ACL2 Release

Can disallow functional instantiation of sigbit and sigvec.

External hint mechanism will includes tagging mechanism. Only tagged clause processors trusted.

FMCAD 2006


Verification Tool

Guiding the Theorem Prover

nthcdr removes n elements from a list Rewrinte-plus-minus-1 lemma automatically

used in proof of theorem :induct hint guides the prover to use the

induction suggested by (nthcdr b x) on the first “Goal”

(defthm rewrite-plus-minus-1 (implies (and (natp a) (natp b)) (equal (+ a -1 b) (+ -1 a b))))

(thm (implies (and (natp a) (natp b)) (equal (nthcdr a (nthcdr b x)) (nthcdr (+ a b) x))) :hints (("Goal" :induct (nthcdr b x))))

FMCAD 2006


Verification Tool

:External Example

(defun generalize-expr (clause expr new-var state) (cond ((or (not (symbolp new-var)) (var-in-expr-listp new-var clause)) (mv (list "ERROR: Target must be a new variable~%”) nil state)) (t (mv nil (list (substitute-expr-list expr new-var clause))

state))))

(thm (implies (and (natp a) (natp (foo))) (equal (nthcdr a (nthcdr (foo) x))

(nthcdr (+ a (foo)) x))) :hints (("Goal" :external (generalize-expr '(foo) 'b)) ("Goal'" :induct (nthcdr b x))))

FMCAD 2006


Verification Tool

ACL2 :External Hint Example

(defun split-a-and-b (cl state) (mv nil (list (append '((booleanp a)) cl) (append '((booleanp b)) cl) (subst ''t 'b (subst ''t 'a cl)) (subst ''t 'b (subst ''nil 'a cl)) (subst ''nil 'b (subst ''t 'a cl)) (subst ''nil 'b (subst ''nil 'a cl))) state))

(defthm theorem-1 (implies (and (booleanp a) (booleanp b)) (or (not b) (and a b) (and (not a) b))) :hints (("Goal" :external (split-a-and-b))))

FMCAD 2006


Verification Tool

ACL2SIX Features

ignore-init-cycles: Ignore the specified number of initial cycles. If the corresponding ACL2 hypothesis is not

present the ACL2 proof will fail. cycle-expr: The ACL2 expression for the

cycle number config-file: SixthSense configuration file (view-last-waveform): View last

counter-example waveform

Documents

ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool