Software Verification with ACL2

Similar documents
Introduction to ACL2. CS 680 Formal Methods for Computer Verification. Jeremy Johnson Drexel University

Reasoning About Programs Panagiotis Manolios

Proof-Pattern Recognition and Lemma Discovery in ACL2

Machines Reasoning about Machines

Functional programming with Common Lisp

handled appropriately. The design of MILS/MSL systems guaranteed to perform correctly with respect to security considerations is a daunting challenge.

Gene Kim 9/9/2016 CSC 2/444 Lisp Tutorial

Backtracking and Induction in ACL2

A Futures Library and Parallelism Abstractions for a Functional Subset of Lisp

Functional Programming. Pure Functional Programming

INF4820: Algorithms for Artificial Intelligence and Natural Language Processing. Common Lisp Fundamentals

Imperative, OO and Functional Languages A C program is

Industrial Hardware and Software Verification with ACL2

Parameterized Congruences in ACL2

Reasoning About Programs Panagiotis Manolios

Homework 1. Notes. What To Turn In. Unix Accounts. Reading. Handout 3 CSCI 334: Spring, 2017

Reasoning About Programs Panagiotis Manolios

A Tool for Simplifying ACL2 Definitions

Pierce Ch. 3, 8, 11, 15. Type Systems

Reasoning About Programs Panagiotis Manolios

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java

Common LISP Tutorial 1 (Basic)

Homework 1. Reading. Problems. Handout 3 CSCI 334: Spring, 2012

Finite Set Theory. based on Fully Ordered Lists. Jared Davis UT Austin. ACL2 Workshop 2004

Refinement and Theorem Proving

Symbolic Programming. Dr. Zoran Duric () Symbolic Programming 1/ 89 August 28, / 89

Proving Theorems about Java and the JVM

Verifying Centaur s Floating Point Adder

Functional Programming. Pure Functional Languages

Lecture Notes on Lisp A Brief Introduction

Induction Schemes. Math Foundations of Computer Science

ACL2: A Program Verifier for Applicative Common Lisp. Matt Kaufmann - AMD, Austin, TX J Strother Moore UT CS Dept, Austin, TX

An Industrially Useful Prover

Orc and ACL2. Nathan Wetzler May 4, University of Texas, Austin

Compositional Cutpoint Verification

A Mechanically Checked Proof of the Correctness of the Boyer-Moore Fast String Searching Algorithm

Announcement. Overview. LISP: A Quick Overview. Outline of Writing and Running Lisp.

Functional Programming. Pure Functional Languages

Common Lisp. Blake McBride

Improving Eliminate-Irrelevance for ACL2

CSCI337 Organisation of Programming Languages LISP

Look at the outermost list first, evaluate each of its arguments, and use the results as arguments to the outermost operator.

An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

11/6/17. Functional programming. FP Foundations, Scheme (2) LISP Data Types. LISP Data Types. LISP Data Types. Scheme. LISP: John McCarthy 1958 MIT

by the evening of Tuesday, Feb 6

Lisp. Versions of LISP

TEITP User and Evaluator Expectations for Trusted Extensions. David Hardin Rockwell Collins Advanced Technology Center Cedar Rapids, Iowa USA

Machines Reasoning About Machines (2015) J Strother Moore Department of Computer Science University of Texas at Austin

ACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections

Functional Programming Languages (FPL)

Topic III. LISP : functions, recursion, and lists References: Chapter 3 of Concepts in programming languages by J. C. Mitchell. CUP, 2003.

Introduction to Functional Programming and basic Lisp

Functional Programming

15 Unification and Embedded Languages in Lisp

Common LISP-Introduction

A Small Interpreted Language

Scheme Tutorial. Introduction. The Structure of Scheme Programs. Syntax

Documentation for LISP in BASIC

Scheme: Data. CS F331 Programming Languages CSCE A331 Programming Language Concepts Lecture Slides Monday, April 3, Glenn G.

Using Hashtables to Find the Generation Point of a Problematic Cons

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Modern Programming Languages. Lecture LISP Programming Language An Introduction

Scheme. Functional Programming. Lambda Calculus. CSC 4101: Programming Languages 1. Textbook, Sections , 13.7

LECTURE 16. Functional Programming

Milawa an extensible proof checker

Summer 2017 Discussion 10: July 25, Introduction. 2 Primitives and Define

CSCE476/876 Fall Homework 3: Programming Assignment Using Emacs and Common Lisp. 1 Exercises (15 Points) 2. 2 Find (6 points) 4

Recursion & Iteration

CS 314 Principles of Programming Languages

Example Scheme Function: equal

Scheme: Expressions & Procedures

Chapter 15. Functional Programming Languages

Lambda Calculus. Gunnar Gotshalks LC-1

SCHEME 8. 1 Introduction. 2 Primitives COMPUTER SCIENCE 61A. March 23, 2017

Fall 2018 Discussion 8: October 24, 2018 Solutions. 1 Introduction. 2 Primitives

CPS 506 Comparative Programming Languages. Programming Language Paradigm

CS 480. Lisp J. Kosecka George Mason University. Lisp Slides

Lambda Calculus see notes on Lambda Calculus

CS A331 Programming Language Concepts

Lambda Calculus and Lambda notation in Lisp II. Based on Prof. Gotshalks notes on Lambda Calculus and Chapter 9 in Wilensky.

Function Memoization and Unique Object Representation for ACL2 Functions

An ACL2 Proof of Write Invalidate Cache Coherence

Functional Languages. Hwansoo Han

Allegro CL Certification Program

Creating Formally Verified Components for Layered Assurance with an LLVM-to-ACL2 Translator

Spring 2018 Discussion 7: March 21, Introduction. 2 Primitives

Functional Programming. Big Picture. Design of Programming Languages

Development of a Translator from LLVM to ACL2

Efficient execution in an automated reasoning environment

An ACL2 Tutorial. Matt Kaufmann and J Strother Moore

Mechanized Operational Semantics

FP Foundations, Scheme

Introduction 2 Lisp Part I

Fall 2017 Discussion 7: October 25, 2017 Solutions. 1 Introduction. 2 Primitives

Functions, Conditionals & Predicates

A little bit of Lisp

Progress Report: Term Dags Using Stobjs

;; definition of function, fun, that adds 7 to the input (define fun (lambda (x) (+ x 7)))

Symbolic Computation and Common Lisp

COP4020 Programming Assignment 1 - Spring 2011

Transcription:

Software Verification with ACL2 Francisco Palomo Lozano francisco.palomo@uca.es Software Verification and Validation Department of Computer Science

Summary Introduction 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 3 / 39

What is ACL2? Introduction 1 A Computational Logic for an Applicative Common Lisp 2 ACL2 is three things under the same name A pure functional programming language A computational logic formalizing this language An automated reasoning system for formal verification 3 ACL2 is regarded as an incarnation of McCarthy s dream 4 Landmarks A dream came true Reasoning about Lisp functions Successor of NQTHM, the Boyer-Moore theorem prover Developed by Moore and Kaufmann for more than 20 years ACM Software System Award 2005 Annual conferences Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 4 / 39

Introduction Where has ACL2 been used? I 1996 Motorola CAP DSP 20-bit, used in radio, 1024-point complex FFT in 131 µs Verification of microcode DSP programs 1998 IBM 4758 PCI Cryptographic Coprocessor Used in ATMs Security model and formal analysis of bootstrapping code 2000 AMD Athlon Microprocessor Floating-point addition, subtraction, multiplication, and division Floating-point square root 2002 IBM Power4 Microprocessor Floating-point division and square-root algorithms 2005 Rockwell Collins AAMP7G Cryptoprocessor NSA MILS certified, used by the DoD in military avionics Verification of security policies implemented by microcode Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 5 / 39

Introduction Where has ACL2 been used? II 2008 Freescale Semiconductor Inc. Flash memory verification 2010 Centaur VIA Nano Microprocessor Low-power, used in netbooks, a direct competitor of Intel Atom Verification of instructions in the Media Unit Floating-point addition, subtraction and comparison Integer and floating-point conversions Integer multiplication 2011 AMD Llano Microprocessor Next-generation AMD mobile processor Integer division Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 6 / 39

Introduction Why so much interest in hardware verification? 1994 Intel Pentium FDIV error 4195835 1.33382044914 1.33373906890 buggy 3145727 Dismissed as «not serious» when uncovered Defective chips had to be eventually recalled Intel recognised 475 000 000 USD in losses Moreover, the company s prestige was damaged Intel Pentium jokes became famous 1997 Intel Pentium F00F error Q: Know how the Republicans can cut taxes and pay the deficit at the same time? A: Their spreadsheet runs on a Pentium computer. Intel shares fell 5% in a week in December 1994 F00F C7C8 [lock cmpxchg8b eax] Processor hang! Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 7 / 39

Introduction Sure they learnt the lesson, didn t they? 2007 Intel Core 2 Specification Update http://download.intel.com/design/processor/specupdt/313279.pdf Reflections Intel lists 129 design errors OpenBSD identified more than 20 of them as unfixable A few of them, for which no workaround exist, seem exploitable 1 These problems are not exclusive to Intel 2 It is likely that any complex hardware is buggy 3 As hardware gets more complex it resembles software 4 It has to do with the sheer complexity of new products 5 It has to do with processes and time-to-market pressure 6 It has to do with the status of our current tools and technology Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 8 / 39

Introduction What about software verification? 1 Nowadays the line between hardware and software is thinning Algorithm Microcode Algorithm HDL/RTL NDL Silicon 2 Real Lisp code can be verified and executed with ACL2 ACL2 code is directly executable in its host Lisp system ACL2 is a pure subset of Common Lisp with some extensions 3 Custom languages can be embedded or translated into ACL2 Java Bytecode ACL2 Several models of the JVM are available for ACL2 In general, this approach requires considerable effort The first silicon JVM was produced in 1997 by Rockwell Collins 4 Algorithms can be verified with ACL2 Complex algorithms are usually hard to test or validate Being able to execute algorithms modelled in ACL2 is a plus Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 9 / 39

Summary First Steps 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 10 / 39

ACL2 features First Steps 1 ACL2 is a pure functional language Reasoning is easier on pure functional languages Function execution only depends on its arguments 2 ACL2 is a logic of total recursive functions Function termination must be proven Even on inputs outside the intended domain 3 ACL2 functions can be annotated with guards 4 ACL2 functions may abort when executed like a program Guard violation Resource exhaustion, as stack overflow or memory full 5 ACL2 functions are Lisp functions 6 The reciprocal is not always true Lisp functions may not terminate Lisp functions can depend on state and even modify it Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 11 / 39

First Steps Your first steps in ACL2 1 Installing ACL2 Debian and Ubuntu sudo apt-get install acl2 Detailed instructions available for other systems http://www.cs.utexas.edu/users/moore/acl2 2 Executing ACL2 and running your first program acl2... ACL2!> (defun f (n) (if (zp n) 1 (* n (f (- n 1)))))... ACL2!> (f 32) 263130836933693530167218012160000000 3 Finishing the ACL2 session ACL2!> (exit) Also C-d, (quit) or (good-bye) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 12 / 39

Development in ACL2 First Steps 1 You do not usually work at the ACL2 prompt Typically you use an editor and save to.lisp files However the ACL2 command line is useful for other tasks 2 ACL2.lisp files can be Fed into ACL2 acl2 < file.lisp Loaded inside ACL2 (ld "file.lisp") Converted in books and included (include-book "file") 3 Development environments Emacs with a shell buffer ACL2 Sedan http://acl2s.ccs.neu.edu DrACuLa http://www.ccs.neu.edu/home/cce/acl2 4 Dual mode of operation It can be used as an interpreter for rapid development Code can be compiled for efficient execution when desired Compiled and interpreted code can be used together at will Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 13 / 39

The Lisp host system First Steps 1 ACL2 runs on top of a Lisp host system 2 CCL, SBCL, GCL, Allegro CL, CLISP, and CMUCL supported 3 The ACL2 command loop is a typical Lisp read-eval-print loop Exiting to the host Lisp system ACL2!> :q Exiting the ACL2 read-eval-print loop. To re-enter, execute (LP). ACL2> Resuming from a correctable error or interruption ACL2!> ^C User C-c interruption Correctable error: Console interrupt.... ACL2[RAW LISP]>> :q ACL2!> Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 14 / 39

First Steps Dissecting your first program 1 The mathematical factorial function f (0) = 1 f (n) = nf (n 1) if n > 0 2 The ACL2 factorial function (defun f (n) function name and arguments (if (zp n) conditional expression 1 then branch value (* n (f (- n 1))))) else branch value A fundamental difference The mathematical function is implicitly defined on N The ACL2 function is defined on the universe of ACL2 objects Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 15 / 39

First Steps Expression evaluation 1 Lisp syntax ACL2!> (+ (* 5 (- 4 1)) 1) prefix notation 16 2 Guards ACL2!> (/ 1 0) ACL2 Error in TOP-LEVEL: The guard for the function call (UNARY-/ X), which is (AND (ACL2-NUMBERP X) (NOT (EQUAL X 0))), is violated by the arguments in the call (/ 0)... ACL2!> (set-guard-checking :none)... ACL2 > (/ 1 0) all functions are total 0 Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 16 / 39

First Steps Guarded and unguarded evaluation 1 Some functions have attached a guard Guards warns about evaluations outside the intended domain Guards are checked during evaluation by default Guards are not used when proving properties 2 No guard was explicitly attached to f but... ACL2!> (f -1) ACL2 Error in TOP-LEVEL: The guard for the function call (ZP X), which is (AND (INTEGERP X) (<= 0 X)), is violated by the arguments in the call (ZP -1)... ACL2!> (set-guard-checking :none)... ACL2 > (f -1) (zp -1) is t 1 Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 17 / 39

First Steps Your first formal verification 1 Another function for computing factorials (defun g (n p) (if (zp n) p (g (- n 1) (* p n)))) (defun f* (n) (g n 1)) 2 Function g is just a certain generalisation of f (defthm g-generalises-f (implies (and (integerp n) (integerp p)) (equal (g n p) (* p (f n))))) 3 Functions f* and f are simply equivalent (defthm equivalence-of-f*-and-f (equal (f* n) (f n))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 18 / 39

Summary Atoms and Lists 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 19 / 39

Atoms and Lists Common data types 1 Atoms predicate atom Form the basic components of pairs and lists Include booleans, characters, strings, numbers and symbols 2 Pairs or conses predicate consp ACL2!> (cons 1 2) (1. 2) dotted pair ACL2!> (car (cons 1 2)) also first 1 ACL2!> (cdr (cons 1 2)) also rest 2 3 Lists predicate listp ACL2!> (cons 1 (cons 2 '())) (1 2) (1. (2. ())) ACL2!> (consp '(1. (2. (3. ()))))) '(1 2 3) T Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 20 / 39

Booleans Atoms and Lists 1 Booleans predicate booleanp Literals nil and t Unary not Conditional n-ary and and or Binary implies and iff 2 Generalised booleans Just a useful convention Anything different than false is regarded as true 3 Formal definitions (not x) (if x nil t) (or x y) (if x x y) (and x y) (if x y nil) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 21 / 39

Atoms and Lists Characters, strings, numbers, and symbols 1 Characters predicate characterp 2 Strings predicate stringp 3 Numbers Integers predicate integerp Rationals predicate rationalp Complex rationals predicate complex-rationalp ACL2 numbers of any kind predicate acl2-numberp 4 Symbols predicate symbolp Can be used as names of functions and variables Live in packages, akin to namespaces in other languages Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 22 / 39

Equality Atoms and Lists 1 Different notions of equality equal is general eql is just for characters, symbols or numbers eq requires that one of the arguments is a symbol = is just for numbers 2 Specialised versions for some types char-equal is case insensitive string-equal is case insensitive int= is just for integers and very fast 3 Equality to zero zerop requires that the argument is a number zp means zero or not natural basis for recursion on naturals zip means zero or not integer basis for recursion on integers Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 23 / 39

Summary Sorted Lists 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 24 / 39

Orders Sorted Lists 1 Non-strict orders x y y x x = y x y y z x z x y y x 2 Commonly used orders char<= is just for characters string<= is just for strings <= is just for integers and rationals 3 Total order on ACL2 atoms alphorder 4 Total order on ACL2 objects lexorder Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 25 / 39

Sorted lists Sorted Lists (defun sortedp (x) (if (atom x) (null x) empty lists are sorted (if (atom (rest x)) (null (rest x)) one-element lists are sorted (and (lexorder (first x) (second x)) first two in order (sortedp (rest x)))))) the rest is sorted Question Is this enough to specify the correctness of a sorting algorithm? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 26 / 39

Summary Sorting by Insertion 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 27 / 39

Sorting by Insertion Insertion in a sorted list (defun insertion (x y) (if (atom y) (list x) (if (lexorder x (first y)) (cons x y) (cons (first y) (insertion x (rest y)))))) (defthm sortedp-insertion (implies (sortedp y) (sortedp (insertion x y)))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 28 / 39

Insertion sort Sorting by Insertion (defun insertion-sort (x) (if (atom x) nil (insertion (first x) (insertion-sort (rest x))))) (defthm sortedp-insertion-sort (sortedp (insertion-sort x))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 29 / 39

Summary Sorting by Merging 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 30 / 39

Sorting by Merging Merging sorted lists (defun merging (x y) (if (atom x) y (insertion (first x) (merging (rest x) y)))) (defthm sortedp-merging (implies (and (sortedp x) (sortedp y)) (sortedp (merging x y)))) Question Why is this way of merging not efficient and why use it? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 31 / 39

Sorting by Merging Splitting a list into two halves (defun split (x) (if (atom x) (list nil nil) (if (atom (rest x)) (list x nil) (let ((s (split (rest (rest x))))) (list (cons (first x) (first s)) (cons (second x) (second s))))))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 32 / 39

Mergesort Sorting by Merging (defconst *N0* 8) threshold (defun merge-sort (x) (if (or (atom x) (atom (rest x)) (< (len x) *N0*)) (insertion-sort x) insertion sorting under the threshold (let ((s (split x))) (merging (merge-sort (first s)) (merge-sort (second s)))))) Fail! ACL2 cannot prove termination without our help. Which is the informal argument for termination here? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 33 / 39

The missing link Sorting by Merging (defthm split-decreases-size (implies (and (consp x) (consp (rest x))) (and (< (acl2-count (first (split x))) (acl2-count x)) (< (acl2-count (second (split x))) (acl2-count x))))) Success! ACL2 can prove termination now. Why is so important for ACL2 avoiding functions whose termination is not established? Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 34 / 39

Sorting by Merging Joining the pieces of the puzzle 1 Mergesort returns sorted lists (defthm sortedp-merge-sort (sortedp (merge-sort x))) 2 Inductive step Subgoal *1/2 (IMPLIES (AND (NOT (OR (ATOM X) (ATOM (CDR X)) (< (LEN X) 8))) (SORTEDP (MERGE-SORT (CAR (SPLIT X)))) (SORTEDP (MERGE-SORT (CADR (SPLIT X))))) (SORTEDP (MERGE-SORT X))). But simplification reduces this to T, using the :definitions ATOM, LEN and MERGE-SORT, the :rewrite rule SORTEDP-MERGING and the :type-prescription rule SORTEDP. Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 35 / 39

Summary Parallelism 1 Introduction 2 First Steps 3 Atoms and Lists 4 Sorted Lists 5 Sorting by Insertion 6 Sorting by Merging 7 Parallelism Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 36 / 39

Parallel constructs Parallelism 1 Experimental feature Requires a special ACL2 image Great for multicore programming Simple but efficient parallel model 2 Parallel constructs Parallel argument evaluation parg Parallel let plet Lazy parallel or por Lazy parallel and pand 3 Granularity control through declarations Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 37 / 39

Parallel mergesort Parallelism 1 Parallel argument evaluation (defun merge-sort (x) (if (or (atom x) (atom (rest x)) (< (len x) *N0*)) (insertion-sort x) (let ((s (split x))) (pargs (merging (merge-sort (first s)) (merge-sort (second s)))))) 2 Granularity control (defun merge-sort (x) (let ((n (len x))) (if (or (atom x) (atom (rest x)) (< n *N0*)) (insertion-sort x) (let ((s (split x))) (pargs (declare (granularity (>= n *N1*))) (merging (merge-sort (first s)) (merge-sort (second s)))))))) Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 38 / 39

References D. S. Hardin, editor. Design and Verification of Microprocessor Systems for High-Assurance Applications. Springer, 2010. M. Kaufmann, P. Manolios, and J S. Moore, editors. Computer-Aided Reasoning: ACL2 Case Studies. Kluwer Academic Publishers, 2000. M. Kaufmann, P. Manolios, and J S. Moore. Computer-Aided Reasoning: An Approach. Kluwer Academic Publishers, 2000. S. Ray, editor. Scalable Techniques for Formal Verification. Springer, 2010. Francisco Palomo (UCA) Software Verification with ACL2 Version 1.1 39 / 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback