Industrial Hardware and Software Verification with ACL2

Similar documents
Industrial Hardware and Software Verification with ACL2

Machines Reasoning about Machines

An Industrially Useful Prover

Machines Reasoning About Machines (2015) J Strother Moore Department of Computer Science University of Texas at Austin

ACL2: A Program Verifier for Applicative Common Lisp. Matt Kaufmann - AMD, Austin, TX J Strother Moore UT CS Dept, Austin, TX

A Futures Library and Parallelism Abstractions for a Functional Subset of Lisp

A Framework for Asynchronous Circuit Modeling and Verification in ACL2

An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

An ACL2 Proof of Write Invalidate Cache Coherence

Turning proof assistants into programming assistants

Verifying Centaur s Floating Point Adder

Verification Condition Generation via Theorem Proving

Functional Programming in Hardware Design

Interplay Between Language and Formal Verification

TEITP User and Evaluator Expectations for Trusted Extensions. David Hardin Rockwell Collins Advanced Technology Center Cedar Rapids, Iowa USA

Orc and ACL2. Nathan Wetzler May 4, University of Texas, Austin

Design Process. Design : specify and enter the design intent. Verify: Implement: verify the correctness of design and implementation

ACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections

EDA: Electronic Design Automation

Software Verification with ACL2

An ACL2 Tutorial. Matt Kaufmann and J Strother Moore

For a long time, programming languages such as FORTRAN, PASCAL, and C Were being used to describe computer programs that were

A Brief Introduction to Oracle's Use of ACL2 in Verifying Floating- Point and Integer Arithmetic

Dr. Ishaq Unwala Rockwell Pl Phone #: (512)

Relational STE and Theorem Proving for Formal Verification of Industrial Circuit Designs. John O Leary and Roope Kaivola, Intel Tom Melham, Oxford

Calendar Description

Advanced VLSI Design Prof. Virendra K. Singh Department of Electrical Engineering Indian Institute of Technology Bombay

101-1 Under-Graduate Project Digital IC Design Flow

Formal Verification in Industry

CS 250 VLSI Design Lecture 11 Design Verification

Choosing an Intellectual Property Core

When Girls Design CPUs!

URL: Offered by: Should already know how to design with logic. Will learn...

ADMINISTRATIVE MANAGEMENT COLLEGE

A Verifying Core for a Cryptographic Language Compiler

FPGA Based Digital Design Using Verilog HDL

Hardware Design Verification: Simulation and Formal Method-Based Approaches William K Lam Prentice Hall Modern Semiconductor Design Series

VERIFYING THE FM9801 MICROARCHITECTURE

handled appropriately. The design of MILS/MSL systems guaranteed to perform correctly with respect to security considerations is a daunting challenge.

FPGA Implementation and Validation of the Asynchronous Array of simple Processors

CISC / RISC. Complex / Reduced Instruction Set Computers

implement several algorithms useful for digital signal processing [6]. Others verications involve a stack of veried systems [2], an operating system k

SYSTEMS ON CHIP (SOC) FOR EMBEDDED APPLICATIONS

Modeling Asynchronous Circuits in ACL2 Using the Link-Joint Interface

Evolution of Computers & Microprocessors. Dr. Cahit Karakuş

Digital System Design Lecture 2: Design. Amir Masoud Gharehbaghi

Formal Verification of Stack Manipulation in the SCIP Processor. J. Aaron Pendergrass

7/28/ Prentice-Hall, Inc Prentice-Hall, Inc Prentice-Hall, Inc Prentice-Hall, Inc Prentice-Hall, Inc.

Distributed Systems Programming (F21DS1) Formal Verification

Trend in microelectronics The design process and tasks Different design paradigms Basic terminology The test problems

Homeschool Enrichment. The System Unit: Processing & Memory

Outline. Proof Carrying Code. Hardware Trojan Threat. Why Compromise HDL Code?

ECE 2162 Intro & Trends. Jun Yang Fall 2009

Ten Reasons to Optimize a Processor

Computer Systems Architecture

lesson 3 Transforming Data into Information

6. Case Study: Formal Verification of RISC Processors using HOL

A Robust Machine Code Proof Framework for Highly Secure Applications

Copyright by Sol Otis Swords 2010

6. Case Study: Formal Verification of RISC Processors using HOL

Efficient execution in an automated reasoning environment

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Applied Theorem Proving: Modelling Instruction Sets and Decompiling Machine Code. Anthony Fox University of Cambridge, Computer Laboratory

Formal Equivalence Checking. Logic Verification

MODELING LANGUAGES AND ABSTRACT MODELS. Giovanni De Micheli Stanford University. Chapter 3 in book, please read it.

ENHANCED TOOLS FOR RISC-V PROCESSOR DEVELOPMENT

The SOCks Design Platform. Johannes Grad

Computer Architecture = CS/ECE 552: Introduction to Computer Architecture. 552 In Context. Why Study Computer Architecture?

Cycles Per Instruction For This Microprocessor

Programmable Logic Devices II

The Formalization of a Simple Hardware Description Language

The Common Criteria, Formal Methods and ACL2

Reducing the cost of FPGA/ASIC Verification with MATLAB and Simulink

CS Computer Architecture

Copyright by Shilpi Goel 2016

Design and Verification of FPGA and ASIC Applications Graham Reith MathWorks

Now we are going to speak about the CPU, the Central Processing Unit.

CIT 668: System Architecture

Practical Approaches to Formal Verification. Mike Bartley, TVS

Hardware Design Environments. Dr. Mahdi Abbasi Computer Engineering Department Bu-Ali Sina University

Protection. Thierry Sans

Introducing the FPGA-Based Prototyping Methodology Manual (FPMM) Best Practices in Design-for-Prototyping

Chapter 1. Introduction

ASSEMBLY LANGUAGE MACHINE ORGANIZATION

Building Blocks for RTL Verification in ACL2

2 Chapter 4 driver and the state changes induced by each instruction (in terms of certain still undened bit-level functions such as the 8-bit signed a

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Outline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification)

SoC Verification Methodology. Prof. Chien-Nan Liu TEL: ext:

Incisive Enterprise Verifier

Mechanically-Verified Validation of Satisfiability Solvers

VLSI Test Technology and Reliability (ET4076)

Compositional Cutpoint Verification

Processor Verification with Precise Exceptions and Speculative Execution

The Microprocessor as a Microcosm:

Wisconsin Computer Architecture. Nam Sung Kim

New Advances in Micro-Processors and computer architectures

Improving Eliminate-Irrelevance for ACL2

Institute for Applied Information Processing and Communications VLSI Group Professor Horst Cerjak, Martin Feldhofer KU01_assignment

DIGITAL DESIGN TECHNOLOGY & TECHNIQUES

Transcription:

Industrial Hardware and Software Verification with ACL2 Warren A. Hunt, Jr. 1, Matt Kaufmann 1, J Strother Moore 1, and Anna Slobodova 2 1 Department of Computer Science University of Texas at Austin and 2 Centaur Technology, Inc. Austin, TX. April, 2016 1

Question: How did ACL2 come to be used by industry? Philippa Gardner Short Answer: It s an efficient programming language with a good prover, the user community is cohesive and largely industrial, and the goal of the project is to make hardware/software verification practical. 2

Introduction ACL2: A Computational Logic for Applicative Common Lisp Logic: first-order extended subset of applicative Common Lisp Home page: www.cs.utexas.edu/users/moore/acl2 Distribution: without charge, source-code form, 3-clause BSD license 3

Implementation: 87% of the 5.7 MB of source code is in ACL2; rest in raw Common Lisp; runs under six independent Common Lisp implementations on many hardware/os platforms Online Documentation: 68 MB Lemma Library: github.com/acl2/acl2; 5,780 certified books contributed by many users; 123,000 theorems 4

The Origin Story Computational Logic, Inc. (CLI) was founded in 1987 to spread verification technology to industry, initially using Nqthm. ACL2 was started at CLI in 1989 to address inadequacies of Nqthm in industrial-scale projects like the CLI Verified Stack and the verification of MC68020 binary code. 5

Design Goals for ACL2, Kaumann and Moore, 1994: Foremost among those inadequacies is the fact that Nqthm s logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages... must be executed... 6

Initial Industrial Demonstrations CLI was contracted to use ACL2 for: Motorola CAP DSP, 1993 modeled hardware and microcode and verified an executable predicate to recognize all pipeline hazards AMD K5 Microprocessor FDIV operation, 1995 verified IEEE 754 compliance of FDIV microcode, before fab. 7

In addition to stressing and improving the tool, these high-risk verification projects engendered a team-spirit and shared vision among CLI researchers using ACL2 8

Dispersion CLI closed its doors 1997-99. ACL2 users dispersed to CLI clients including AMD, Motorola, IBM, Rockwell-Collins ACL2 was subsequently used in many experimental industrial projects, led by ex-cli researchers 9

AMD: All elementary floating point on Athlon after running 100M test vectors comparing the ACL2 model to the AMD RTL simulator; Opteron and all AMD desktop machines Rockwell-Collins: silicon JVM chip, AAMP7 crypo-box, Greenhills OS IBM: Power 4 FDIV and SQRT; and a deep embedding of a hiearchical HDL 10

UT ACL2 Group: Sun JVM class loader and byte-code verifier Boyer and Hunt developed an experimental version of hash cons and a prototype Common Lisp tool for bit-blasting ACL2 expressions (verified in 2010) 11

Integration into Design Workflow In 2007, Centaur Technology, Inc., challenged Hunt to verify the VIA Nano floating-point adder design: handles single (32-bit), double (64-bit) and extended (80-bit) additions pipelined to deliver 4-results per cycle 33,700 lines of Verilog 12

680 modules 432,322 transistors part of the media unit with 1074 input signals (including 26 clocks) and 374 output signals 13

In about 9 months work, coding in ACL2, Hunt and a grad student (Swords): improved the ACL2 HDL to handle the Centaur Verilog subset producing an executable semantic model called E wrote a translator from Verilog to E developed techniques to slice models to use bit-blasting and glue pieces together with proof 14

executed E model of the media unit to test the adder and identify proper inputs to activate adder verified the adder finding a bug in the 80-bit case 15

ACL2 at Centaur Today ACL2 is an indispensable part of the Centaur design process Centaur FV team consists of 3 full-time employees and a couple of interns While its main focus is the validation of the RTL design, the FV team s wider goal is to provide design and verification support at various abstraction levels. 16

Centaur s current family of x86-based microprocessors is called VIA Eden Centaur has an ACL2 specification of the Eden subset of the x86 Validated by routinely running millions of tests comparing ACL2 x86 to Intel, AMD, and Centaur hardware The ACL2 tool-chain translates the entire Eden design (700,000+ lines of Verilog) into a formal object in a few minutes 17

The translated model is validated by running millions of tests against Cadence NC Verilog and Synopsys VCS Verilog simulators Centaur s Verilog tool-chain is distributed in the ACL2 books and is used by Intel and Oracle 18

Two main applications: proving correctness of parts of the RTL design wrt behavioral spec proving correctness of microcode (typically no longer than several hundred lines) All proofs are re-run nightly Bugs introduced today are found tonight and fixed tomorrow. 19

Centaur uses ACL2 and the Verilog translation of the design to build custom tools including a linter which is routinely run several times per day and sends reports to logic designers an RTL design browser a reverse engineering tool, e.g., to extract the clock tree 20

a tool to produce understandable reports about synthesized circuits by finding gate-to-rtl signal correspondences All Centaur analysis tools are driven off the same ACL2 object representing the design Analysis tools are written in ACL2 21

Other Ongoing Industrial Projects The paper additionally lists some ongoing ACL2 projects at AMD (transaction protocols) Intel (Elliptic curve crypto) Kestrel Institute (Android apps) Oracle (floating point) Rockwell-Collins (LLVN) 22

Strengths fast execution proof/expressive power programmable/verifiable extensibility system programming capabilities proof automation and re-play trust tags (allowing calls to unverified external code) 23

Weaknesses (reported by industry) inefficient execution of some primitives inconvenient as a scripting language does not support visualization/graphics tools 24

Centaur uses Perl, Ruby, Makefile, C, HTML, Javascript, CSS, and a Common Lisp web server, all connected to ACL2 (when necessary and non-critical) via the underlying Common Lisp features and trust tags Critical analysis tools are written in pure ACL2 Many critical tools (e.g., bit-blasting, Verilog transformations) are verified 25

Weaknesses (reported by industry) inefficient execution of some primitives inconvenient as a scripting language does not support visualization/graphics tools Note: Industry s complaints about ACL2 rarely concern absence of strong typing, explicit quantifiers, partial functions, or higher order functions 26

Support for Industrial Projects There have been over 1000 changes since Centaur started using ACL2 in May, 2009. Of those, these were requested by Centaur: Changes to Existing Features 95 New Features 44 Heuristic and Efficiency Improvements 22 Bug Fixes 72 Changes at the System Level 18 Total due to Centaur 251 27

Why ACL2 is Successful in Industry that was the goal of the project efficient, executable logic/programming language with native verifier dual-use bit- and cycle-accurate models access to Common Lisp programming (via trust tags) automatic prover with a human in the loop 28

rugged, well documented, free, open source form, many useful books, and a fairly unrestrictive license. coherent user community devoted to making mechanized verification practical industry needs help 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback