Software Verification with ACL2 Francisco Palomo Lozano francisco.palomo@uca.es Software Verification and Validation Department of Computer Science
Summary Introduction 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 3 / 39
What is ACL2? Introduction 1 A Computational Logic for an Applicative Common Lisp 2 ACL2 is three things under the same name A pure functional programming language A computational logic formalizing this language An automated reasoning system for formal verification 3 ACL2 is regarded as an incarnation of McCarthy s dream 4 Landmarks A dream came true Reasoning about Lisp functions Successor of NQTHM, the Boyer-Moore theorem prover Developed by Moore and Kaufmann for more than 20 years ACM Software System Award 2005 Annual conferences Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 4 / 39
Introduction Where has ACL2 been used? I 1996 Motorola CAP DSP 20-bit, used in radio, 1024-point complex FFT in 131 µs Verification of microcode DSP programs 1998 IBM 4758 PCI Cryptographic Coprocessor Used in ATMs Security model and formal analysis of bootstrapping code 2000 AMD Athlon Microprocessor Floating-point addition, subtraction, multiplication, and division Floating-point square root 2002 IBM Power4 Microprocessor Floating-point division and square-root algorithms 2005 Rockwell Collins AAMP7G Cryptoprocessor NSA MILS certified, used by the DoD in military avionics Verification of security policies implemented by microcode Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 5 / 39
Introduction Where has ACL2 been used? II 2008 Freescale Semiconductor Inc. Flash memory verification 2010 Centaur VIA Nano Microprocessor Low-power, used in netbooks, a direct competitor of Intel Atom Verification of instructions in the Media Unit Floating-point addition, subtraction and comparison Integer and floating-point conversions Integer multiplication 2011 AMD Llano Microprocessor Next-generation AMD mobile processor Integer division Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 6 / 39
Introduction Why so much interest in hardware verification? 1994 Intel Pentium FDIV error 4195835 1.33382044914 1.33373906890 buggy 3145727 Dismissed as «not serious» when uncovered Defective chips had to be eventually recalled Intel recognised 475 000 000 USD in losses Moreover, the company s prestige was damaged Intel Pentium jokes became famous 1997 Intel Pentium F00F error Q: Know how the Republicans can cut taxes and pay the deficit at the same time? A: Their spreadsheet runs on a Pentium computer. Intel shares fell 5% in a week in December 1994 F00F C7C8 [lock cmpxchg8b eax] Processor hang! Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 7 / 39
Introduction Sure they learnt the lesson, didn t they? 2007 Intel Core 2 Specification Update http://download.intel.com/design/processor/specupdt/313279.pdf Reflections Intel lists 129 design errors OpenBSD identified more than 20 of them as unfixable A few of them, for which no workaround exist, seem exploitable 1 These problems are not exclusive to Intel 2 It is likely that any complex hardware is buggy 3 As hardware gets more complex it resembles software 4 It has to do with the sheer complexity of new products 5 It has to do with processes and time-to-market pressure 6 It has to do with the status of our current tools and technology Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 8 / 39
Introduction What about software verification? 1 Nowadays the line between hardware and software is thinning Algorithm Microcode Algorithm HDL/RTL NDL Silicon 2 Real Lisp code can be verified and executed with ACL2 ACL2 code is directly executable in its host Lisp system ACL2 is a pure subset of Common Lisp with some extensions 3 Custom languages can be embedded or translated into ACL2 Java Bytecode ACL2 Several models of the JVM are available for ACL2 In general, this approach requires considerable effort The first silicon JVM was produced in 1997 by Rockwell Collins 4 Algorithms can be verified with ACL2 Complex algorithms are usually hard to test or validate Being able to execute algorithms modelled in ACL2 is a plus Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 9 / 39
Summary First Steps 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 10 / 39
ACL2 features First Steps 1 ACL2 is a pure functional language Reasoning is easier on pure functional languages Function execution only depends on its arguments 2 ACL2 is a logic of total recursive functions Function termination must be proven Even on inputs outside the intended domain 3 ACL2 functions can be annotated with guards 4 ACL2 functions may abort when executed like a program Guard violation Resource exhaustion, as stack overflow or memory full 5 ACL2 functions are Lisp functions 6 The reciprocal is not always true Lisp functions may not terminate Lisp functions can depend on state and even modify it Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 11 / 39
First Steps Your first steps in ACL2 1 Installing ACL2 Debian and Ubuntu sudo apt-get install acl2 Detailed instructions available for other systems http://www.cs.utexas.edu/users/moore/acl2 2 Executing ACL2 and running your first program acl2... ACL2!> (defun f (n) (if (zp n) 1 (* n (f (- n 1)))))... ACL2!> (f 32) 263130836933693530167218012160000000 3 Finishing the ACL2 session ACL2!> (exit) Also C-d, (quit) or (good-bye) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 12 / 39
Development in ACL2 First Steps 1 You do not usually work at the ACL2 prompt Typically you use an editor and save to.lisp files However the ACL2 command line is useful for other tasks 2 ACL2.lisp files can be Fed into ACL2 acl2 < file.lisp Loaded inside ACL2 (ld "file.lisp") Converted in books and included (include-book "file") 3 Development environments Emacs with a shell buffer ACL2 Sedan http://acl2s.ccs.neu.edu DrACuLa http://www.ccs.neu.edu/home/cce/acl2 4 Dual mode of operation It can be used as an interpreter for rapid development Code can be compiled for efficient execution when desired Compiled and interpreted code can be used together at will Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 13 / 39
The Lisp host system First Steps 1 ACL2 runs on top of a Lisp host system 2 CCL, SBCL, GCL, Allegro CL, CLISP, and CMUCL supported 3 The ACL2 command loop is a typical Lisp read-eval-print loop Exiting to the host Lisp system ACL2!> :q Exiting the ACL2 read-eval-print loop. To re-enter, execute (LP). ACL2> Resuming from a correctable error or interruption ACL2!> ^C User C-c interruption Correctable error: Console interrupt.... ACL2[RAW LISP]>> :q ACL2!> Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 14 / 39
First Steps Dissecting your first program 1 The mathematical factorial function f (0) = 1 f (n) = nf (n 1) if n > 0 2 The ACL2 factorial function (defun f (n) function name and arguments (if (zp n) conditional expression 1 then branch value (* n (f (- n 1))))) else branch value A fundamental difference The mathematical function is implicitly defined on N The ACL2 function is defined on the universe of ACL2 objects Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 15 / 39
First Steps Expression evaluation 1 Lisp syntax ACL2!> (+ (* 5 (- 4 1)) 1) prefix notation 16 2 Guards ACL2!> (/ 1 0) ACL2 Error in TOP-LEVEL: The guard for the function call (UNARY-/ X), which is (AND (ACL2-NUMBERP X) (NOT (EQUAL X 0))), is violated by the arguments in the call (/ 0)... ACL2!> (set-guard-checking :none)... ACL2 > (/ 1 0) all functions are total 0 Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 16 / 39
First Steps Guarded and unguarded evaluation 1 Some functions have attached a guard Guards warns about evaluations outside the intended domain Guards are checked during evaluation by default Guards are not used when proving properties 2 No guard was explicitly attached to f but... ACL2!> (f -1) ACL2 Error in TOP-LEVEL: The guard for the function call (ZP X), which is (AND (INTEGERP X) (<= 0 X)), is violated by the arguments in the call (ZP -1)... ACL2!> (set-guard-checking :none)... ACL2 > (f -1) (zp -1) is t 1 Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 17 / 39
First Steps Your first formal verification 1 Another function for computing factorials (defun g (n p) (if (zp n) p (g (- n 1) (* p n)))) (defun f* (n) (g n 1)) 2 Function g is just a certain generalisation of f (defthm g-generalises-f (implies (and (integerp n) (integerp p)) (equal (g n p) (* p (f n))))) 3 Functions f* and f are simply equivalent (defthm equivalence-of-f*-and-f (equal (f* n) (f n))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 18 / 39
Summary Atoms and Lists 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 19 / 39
Atoms and Lists Common data types 1 Atoms predicate atom Form the basic components of pairs and lists Include booleans, characters, strings, numbers and symbols 2 Pairs or conses predicate consp ACL2!> (cons 1 2) (1. 2) dotted pair ACL2!> (car (cons 1 2)) also first 1 ACL2!> (cdr (cons 1 2)) also rest 2 3 Lists predicate listp ACL2!> (cons 1 (cons 2 '())) (1 2) (1. (2. ())) ACL2!> (consp '(1. (2. (3. ()))))) '(1 2 3) T Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 20 / 39
Booleans Atoms and Lists 1 Booleans predicate booleanp Literals nil and t Unary not Conditional n-ary and and or Binary implies and iff 2 Generalised booleans Just a useful convention Anything different than false is regarded as true 3 Formal definitions (not x) (if x nil t) (or x y) (if x x y) (and x y) (if x y nil) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 21 / 39
Atoms and Lists Characters, strings, numbers, and symbols 1 Characters predicate characterp 2 Strings predicate stringp 3 Numbers Integers predicate integerp Rationals predicate rationalp Complex rationals predicate complex-rationalp ACL2 numbers of any kind predicate acl2-numberp 4 Symbols predicate symbolp Can be used as names of functions and variables Live in packages, akin to namespaces in other languages Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 22 / 39
Equality Atoms and Lists 1 Different notions of equality equal is general eql is just for characters, symbols or numbers eq requires that one of the arguments is a symbol = is just for numbers 2 Specialised versions for some types char-equal is case insensitive string-equal is case insensitive int= is just for integers and very fast 3 Equality to zero zerop requires that the argument is a number zp means zero or not natural basis for recursion on naturals zip means zero or not integer basis for recursion on integers Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 23 / 39
Summary Sorted Lists 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 24 / 39
Orders Sorted Lists 1 Non-strict orders x y y x x = y x y y z x z x y y x 2 Commonly used orders char<= is just for characters string<= is just for strings <= is just for integers and rationals 3 Total order on ACL2 atoms alphorder 4 Total order on ACL2 objects lexorder Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 25 / 39
Sorted lists Sorted Lists (defun sortedp (x) (if (atom x) (null x) empty lists are sorted (if (atom (rest x)) (null (rest x)) one-element lists are sorted (and (lexorder (first x) (second x)) first two in order (sortedp (rest x)))))) the rest is sorted Question Is this enough to specify the correctness of a sorting algorithm? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 26 / 39
Summary Sorting by Insertion 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 27 / 39
Sorting by Insertion Insertion in a sorted list (defun insertion (x y) (if (atom y) (list x) (if (lexorder x (first y)) (cons x y) (cons (first y) (insertion x (rest y)))))) (defthm sortedp-insertion (implies (sortedp y) (sortedp (insertion x y)))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 28 / 39
Insertion sort Sorting by Insertion (defun insertion-sort (x) (if (atom x) nil (insertion (first x) (insertion-sort (rest x))))) (defthm sortedp-insertion-sort (sortedp (insertion-sort x))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 29 / 39
Summary Sorting by Merging 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 30 / 39
Sorting by Merging Merging sorted lists (defun merging (x y) (if (atom x) y (insertion (first x) (merging (rest x) y)))) (defthm sortedp-merging (implies (and (sortedp x) (sortedp y)) (sortedp (merging x y)))) Question Why is this way of merging not efficient and why use it? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 31 / 39
Sorting by Merging Splitting a list into two halves (defun split (x) (if (atom x) (list nil nil) (if (atom (rest x)) (list x nil) (let ((s (split (rest (rest x))))) (list (cons (first x) (first s)) (cons (second x) (second s))))))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 32 / 39
Mergesort Sorting by Merging (defconst *N0* 8) threshold (defun merge-sort (x) (if (or (atom x) (atom (rest x)) (< (len x) *N0*)) (insertion-sort x) insertion sorting under the threshold (let ((s (split x))) (merging (merge-sort (first s)) (merge-sort (second s)))))) Fail! ACL2 cannot prove termination without our help. Which is the informal argument for termination here? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 33 / 39
The missing link Sorting by Merging (defthm split-decreases-size (implies (and (consp x) (consp (rest x))) (and (< (acl2-count (first (split x))) (acl2-count x)) (< (acl2-count (second (split x))) (acl2-count x))))) Success! ACL2 can prove termination now. Why is so important for ACL2 avoiding functions whose termination is not established? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 34 / 39
Sorting by Merging Joining the pieces of the puzzle 1 Mergesort returns sorted lists (defthm sortedp-merge-sort (sortedp (merge-sort x))) 2 Inductive step Subgoal *1/2 (IMPLIES (AND (NOT (OR (ATOM X) (ATOM (CDR X)) (< (LEN X) 8))) (SORTEDP (MERGE-SORT (CAR (SPLIT X)))) (SORTEDP (MERGE-SORT (CADR (SPLIT X))))) (SORTEDP (MERGE-SORT X))). But simplification reduces this to T, using the :definitions ATOM, LEN and MERGE-SORT, the :rewrite rule SORTEDP-MERGING and the :type-prescription rule SORTEDP. Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 35 / 39
Summary Parallelism 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 36 / 39
Parallel constructs Parallelism 1 Experimental feature Requires a special ACL2 image Great for multicore programming Simple but efficient parallel model 2 Parallel constructs Parallel argument evaluation parg Parallel let plet Lazy parallel or por Lazy parallel and pand 3 Granularity control through declarations Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 37 / 39
Parallel mergesort Parallelism 1 Parallel argument evaluation (defun merge-sort (x) (if (or (atom x) (atom (rest x)) (< (len x) *N0*)) (insertion-sort x) (let ((s (split x))) (pargs (merging (merge-sort (first s)) (merge-sort (second s)))))) 2 Granularity control (defun merge-sort (x) (let ((n (len x))) (if (or (atom x) (atom (rest x)) (< n *N0*)) (insertion-sort x) (let ((s (split x))) (pargs (declare (granularity (>= n *N1*))) (merging (merge-sort (first s)) (merge-sort (second s)))))))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 38 / 39
References D. S. Hardin, editor. Design and Verification of Microprocessor Systems for High-Assurance Applications. Springer, 2010. M. Kaufmann, P. Manolios, and J S. Moore, editors. Computer-Aided Reasoning: ACL2 Case Studies. Kluwer Academic Publishers, 2000. M. Kaufmann, P. Manolios, and J S. Moore. Computer-Aided Reasoning: An Approach. Kluwer Academic Publishers, 2000. S. Ray, editor. Scalable Techniques for Formal Verification. Springer, 2010. Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 39 / 39