No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Verified AIG Algorithms in ACL2
Abstract
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions
(like circuits). AIG simplification algorithms can dramatically reduce an AIG,
and play an important role in modern hardware verification tools like
equivalence checkers. In practice, these tricky algorithms are implemented with
optimized C or C++ routines with no guarantee of correctness. Meanwhile, many
interactive theorem provers can now employ SAT or SMT solvers to automatically
solve finite goals, but no theorem prover makes use of these advanced,
AIG-based approaches.
We have developed two ways to represent AIGs within the ACL2 theorem prover.
One representation, Hons-AIGs, is especially convenient to use and reason
about. The other, Aignet, is the opposite; it is styled after modern AIG
packages and allows for efficient algorithms. We have implemented functions for
converting between these representations, random vector simulation, conversion
to CNF, etc., and developed reasoning strategies for verifying these
algorithms.
Aside from these contributions towards verifying AIG algorithms, this work
has an immediate, practical benefit for ACL2 users who are using GL to
bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf
SAT solver to carry out the proof, instead of using the built-in BDD package.
Looking to the future, it is a first step toward implementing verified AIG
simplification algorithms that might further improve GL performance.
... Several other efforts have resulted in integrations between ACL2 and external proof tools. Our work is most directly based on SATLINK [5], which calls an external SAT solver executable on a single problem in a stateless manner. SATLINK provides a function that calls an external SAT solver on a CNF formula; that function is assumed to only return :unsat when the formula is unsatisfiable, and this can be used to perform ACL2 proofs using GL [12] or by otherwise appealing to that assumption. ...
... Our logical model of an incremental SAT solver is built on the existing theory of conjunctive normal form satisfiability provided by the SATLINK library [5]. In particular, a literal is represented as a natural number with its least significant bit representing its polarity and the rest of its bits giving the index of its variable; a clause is a list of literals, and a formula is a list of clauses. ...
... We built on the IPASIR integration to implement SAT sweeping, or fraiging, on top of the AIGNET andinverter graph (AIG) library [5]. Circuit structures such as AIGs are often a good target for incremental SAT, since the logical relationships among the wires can be encoded in the permanent formula and the various queries encoded in the assumptions. ...
We describe an effort to soundly use off-the-shelf incremental SAT solvers within ACL2 by modeling the behavior of a SAT solver library as an abstract stobj. The interface allows ACL2 programs to use incremental SAT solvers, and the abstract stobj model allows us to reason about the behavior of an incremental SAT library so as to show that algorithms implemented using it are correct, as long as the library is bug-free.
... dest g9 src width 64 opcode XADD src1 g8 dest width 64 exec unit int src2 8 write flags? no A function like xadd -def interprets this information, e.g., for the instruction above it would extract the value of gregs [8] and interpret it as 64-bit value, add it to src2, store the result in gregs [9], and not update any flags. Semantic functions for all types of uops are combined into a universal uop definition: ...
... It exploits a symbolic simulator [8] that converts an ACL2 object that is defined over a finite domain into a symbolic object encoded as an And-Inverter Graph. Finding a state that satisfies the precondition is thus transformed into satisfiability of a Boolean formula, which we then translate into CNF and solve using an off-the-shelf SAT solver [9]. ...
... run-clr -loop-next(s) precondition: Let adr = s.gregs [9], cnt = s.gregs [8] in addr -ok (adr · (cnt − 1)) ∧ (cnt > 0) ∧ ¬empty(s.retstack ...
Despite significant progress in formal hardware verification in the past decade, little has been published on the verification of microcode. Microcode is the heart of every microprocessor and is one of the most complex parts of the design: it is tightly connected to the huge machine state, written in an assembly-like language that has no support for data or control structures, and has little documentation and changing semantics. At the same time it plays a crucial role in the way the processor works.
We describe the method of formal microcode verification we have developed for an x86-64 microprocessor designed at Centaur Technology. While the previous work on high and low level code verification is based on an unverified abstract machine model, our approach is tightly connected with our effort to verify the register-transfer level implementation of the hardware. The same microoperation specifications developed to verify implementation of teh execution units are used to define operational semantics for the microcode verification.
While the techniques used in the described verification effort are not inherently new, to our knowledge, our effort is the first interconnection of hardware and microcode verification in context of an industrial size design. Both our hardware and microcode verifications are done within the same verification framework.
... An alternative approach is to bypass the definition and proof of invariants and instead check the properties from a set of representative states of the system -one can then either prove that these states are in fact representative or accept the results of the property checks as a sufficient semi-formal check of the design and disregard a full proof. We briefly cover the design and definition of a tool (named exsim) which builds upon existing hardware verification work in the ACL2 community (VL [10], SV [10], AIGNET [3]) to add the capability to efficiently check bounded properties across a sequence of next-states of the design using incremental SAT [13]. An initial version of the tool and some example Verilog designs and runs are included in the supporting materials. ...
... The exsim function is split into two steps. The first step is the function exsim-prep which reads in a verilog design and compiles it into an AIGNET -an optimized "circuit" representation built from AND and XOR gates and inverters supporting efficient simplification procedures [3]. ...
We present a tool that primarily supports the ability to check bounded properties starting from a sequence of states in a run. The target design is compiled into an AIGNET which is then selectively and iteratively translated into an incremental SAT instance in which clauses are added for new terms and simplified by the assignment of existing literals. Additional applications of the tool can be derived by the user providing alternative attachments of constrained functions which guide the iterations and SAT checks performed. Some Verilog RTL examples are included for reference.
... This is achieved by translating SVEX expressions into And-Inverter-Graphs (AIGs) and then translating AIGs to either to Conjunctive Normal Forms (CNFs) or BDDs. Translation and the AIG and BDD 'bit-blasting' are done with ACL2 functions that have been proven correct (some of the translations can be found in [41,44,45]; also see :DOC aig and :DOC gl). The CNF mode requires a SAT solver. ...
The ACL2 theorem prover has seen sustained industrial use since the mid-1990s. Companies that have used ACL2 regularly include AMD, Centaur Technology, IBM, Intel, Kestrel Institute, Motorola/Freescale, Oracle and Rockwell Collins. This paper introduces ACL2 and focuses on how and why ACL2 is used in industry. ACL2 is well-suited to its industrial application to numerous software and hardware systems, because it is an integrated programming/proof environment supporting a subset of the ANSI standard Common Lisp programming language. As a programming language ACL2 permits the coding of efficient and robust programs; as a prover ACL2 can be fully automatic but provides many features permitting domain-specific human-supplied guidance at various levels of abstraction. ACL2 specifications and models often serve as efficient execution engines for the modelled artefacts while permitting formal analysis and proof of properties. Crucially, ACL2 also provides support for the development and verification of other formal analysis tools. However, ACL2 did not find its way into industrial use merely because of its technical features. The core ACL2 user/development community has a shared vision of making mechanized verification routine when appropriate and has been committed to this vision for the quarter century since the Computational Logic, Inc., Verified Stack. The community has focused on demonstrating the viability of the tool by taking on industrial projects (often at the expense of not being able to publish much).
This article is part of the themed issue ‘Verified trustworthy software systems’.
We describe the formal methodology we are using to verify components of a commercial 64-bit, x86-compatible microprocessor design at Centaur Technology. This methodology is based on the ACL2 theorem prover. In this methodology, we mechanically translate the RTL design into a formal HDL for which we have an interpreter in ACL2. We use AIG-and BDD-based symbolic simulation and theorem proving techniques to show that the hardware models satisfy their specifications, which are ACL2 functions. Completed verifications yield theorems admitted by ACL2, ensuring that the verification is based on sound reasoning. We have used this methodology to verify instructions such as SIMD floating-point addition and subtraction, integer and floating-point multiplication, comparisons, bit-wise logical operations, and integer/float conversions. We discuss our floating-point addition verification as a case study.
ACL2 allows users to define predicates whose logical behavior mimics that of universally or existentially quantified formulae. Proof support for such quantification, however, is quite limited. We present an ACL2 framework that employs tables, computed hints and clause processing to identify quantified formulae and to skolemize or instantiate them when possible. We demonstrate how the framework can be used to prove automatically the forall-p-append example presented in the ACL2 documentation.
SMT solvers are widely used as core engines in many applications. Therefore, robustness and correctness are essential criteria. Current testing techniques used by developers of SMT solvers do not satisfy the high demand for correct and robust solvers, as our testing experiments show. To improve this situation, we propose to complement traditional testing techniques with grammar-based blackbox fuzz testing, combined with delta-debugging. We demonstrate the effectiveness of our approach and report on critical bugs and incorrect results which we found in current state-of-the-art SMT solvers for bit-vectors and arrays.
Most, if not all, state-of-the-art complete SAT solvers are complex variations of the DPLL procedure described in the early
1960’s. Published descriptions of these modern algorithms and related data structures are given either as high-level state
transition systems or, informally, as (pseudo) programming language code. The former, although often accompanied with (informal)
correctness proofs, are usually very abstract and do not specify many details crucial for efficient implementation. The latter
usually do not involve any correctness argument and the given code is often hard to understand and modify. This paper aims
to bridge this gap by presenting SAT solving algorithms that are formally proved correct and also contain information required
for efficient implementation. We use a tutorial, top-down, approach and develop a SAT solver, starting from a simple design
that is subsequently extended, step-by-step, with a requisite series of features. The heuristic parts of the solver are abstracted
away, since they usually do not affect solver correctness (although they are very important for efficiency). All algorithms
are given in pseudo-code and are accompanied with correctness conditions, given in Hoare logic style. The correctness proofs
are formalized within the Isabelle theorem proving system and are available in the extended version of this paper. The given
pseudo-code served as a basis for our SAT solver argo-sat.
This paper presents versat, a formally verified SAT solver incorporating the essential features of modern SAT solvers, including clause learning, watched literals, optimized conflict analysis, non-chronological backtracking, and decision heuristics. Unlike previous related work on SAT-solver verification, our implementation uses efficient low-level data structures like mutable C arrays for clauses and other solver state, and machine integers for literals. The implementation and proofs are written in Guru, a verified-programming language. We compare versat to a state-of-the-art SAT solver that produces certified "unsat" answers. We also show through an empirical evaluation that versat can solve SAT problems on the modern scale.
This paper presents a technique for preprocessing combinational logic before technology mapping. The technique is based on the representation of combinational logic using And-Inverter Graphs (AIGs), a networks of two-input ANDs and inverters. The optimization works by alternating DAG-aware AIG rewriting, which reduces area by sharing common logic without increasing delay, and algebraic AIG balancing, which minimizes delay without increasing area. The new technology-independent flow is implemented in a public-domain tool ABC. Experiments on large industrial benchmarks show that the proposed methodology scales to very large designs and is several orders of magnitude faster than SIS and MVSIS while offering comparable or better quality when measured by the quality of the network after mapping.
SAT solvers are often challenged with very hard problems that remain unsolved after hours of CPU time. The research community meets the challenge in two ways: (1) by improving the SAT solver tech- nology, for example, perfecting heuristics for variable ordering, and (2) by inventing new ways of constructing simpler SAT problems, either us- ing domain specific information during the translation from the original problem to CNF, or by applying a more universal CNF simplification pro- cedure after the translation. This paper explores preprocessing of circuit- based SAT problems using recent advances in logic synthesis. Two fast logic synthesis techniques are considered: DAG-aware logic minimization and a novel type of structural technology mapping, which reduces the size of the CNF derived from the circuit. These techniques are experi- mentally compared to CNF-based preprocessing. The conclusion is that the proposed techniques are complementary to CNF-based preprocessing and speedup SAT solving substantially on industrial examples.
We present a way to enjoy the power of SAT and SMT provers in Coq without compromising soundness. This requires these provers to return not only a yes/no answer, but also a proof witness that can be independently rechecked. We present such a checker, written and fully certified in Coq. It is conceived in a modular way, in order to tame the proofs' complexity and to be extendable. It can currently check witnesses from the SAT solver ZChaff and from the SMT solver veriT. Experiments highlight the efficiency of this checker. On top of it, new reflexive Coq tactics have been built that can decide a subset of Coq's logic by calling external provers and carefully checking their answers.
The Satisfiability Modulo Theories (SMT) solver Z3 can generate proofs of unsatisfiability. We present independent reconstruction of unsatisfiability proofs for bit-vector theories in the theorem provers HOL4 and Isabelle/HOL. Our work shows that LCF-style proof reconstruction for the theory of fixed-size bit-vectors, although difficult because Z3's proofs provide limited detail, is often possible. We thereby obtain high correctness assurances for Z3's results, and increase the degree of proof automation for bit-vector problems in HOL4 and Isabelle/HOL.
The last several years have seen major enhancements to ACL2 functionality,
largely driven by requests from its user community, including utilities now in
common use such as 'make-event', 'mbe', and trust tags. In this paper we
provide user-level summaries of some ACL2 enhancements introduced after the
release of Version 3.5 (in May, 2009, at about the time of the 2009 ACL2
workshop) up through the release of Version 4.3 in July, 2011, roughly a couple
of years later. Many of these features are not particularly well known yet, but
most ACL2 users could take advantage of at least some of them. Some of the
changes could affect existing proof efforts, such as a change that treats pairs
of functions such as 'member' and 'member-equal' as the same function.
Modern combinational equivalence checking (CEC) engines are complicated programs which are difficult to verify. In this paper we show how a modern CEC engine can be modified to produce a proof of equivalence when it proves a miter unsatisfiable. If the CEC engine formulates the problem as a single SAT instance (call this naive), one can use the resolution proof of unsatisfiability as a proof of equivalence. However, a modern CEC engine does not directly invoke a SAT solver for the whole miter, but instead uses a variety of techniques such as structural hashing, detection of intermediate functional equivalences, and circuit re-writing to first simplify the problem. We show that in spite of using these simplification techniques, a CEC engine can be modified to generate a single (extended) resolution proof for the whole miter just as in the naive case. The benefit of having a single proof is that the proof verification program remains extremely simple, and its correctness is much easier to establish than that of the CEC engine.
The recently introduced model checking algorithm, IC3, has proved to be among the best SAT-based safety model checkers. Many implementations now exist. This paper provides the context from which IC3 was developed and explains how the originator of the algorithm understands it. Then it draws parallels between IC3 and the subsequently developed algorithms, FAIR and IICTL, which extend IC3's ideas to the analysis of ω-regular and CTL properties, respectively. Finally, it draws attention to certain challenges that these algorithms pose for the SAT and SMT community.
We present a mechanically-verified proof checker developed with the ACL2 theorem-proving system that is general enough to support the growing variety of increasingly complex satisfiability (SAT) solver techniques, including those based on extended resolution. A common approach to assure the correctness of SAT solvers is to emit a proof of unsatisfiability when no solution is reported to exist. Contemporary proof checkers only check logical equivalence using resolution-style inference. However, some state-of-the-art, conflict-driven clause-learning SAT solvers use preprocessing, inprocessing, and learning techniques, that cannot be checked solely by resolution-style inference. We have developed a mechanically-verified proof checker that assures refutation clauses preserve satisfiability. We believe our approach is sufficiently expressive to validate all known SAT-solver techniques.
Last spring, in March 2010, Aaron Bradley published the first truly new bit-level symbolic model checking algorithm since Ken McMillan's interpolation based model checking procedure introduced in 2003. Our experience with the algorithm suggests that it is stronger than interpolation on industrial problems, and that it is an important algorithm to study further. In this paper, we present a simplified and faster implementation of Bradley's procedure, and discuss our successful and unsuccessful attempts to improve it.
We present a new finite set theory implementation for ACL2 wherein sets are implemented as fully ordered lists. This order unifies the notions of set equality and element equality by creating a unique represen-tation for each set, which in turn enables nested sets to be trivially supported and eliminates the need for congruence rules. We demonstrate that ordered sets can be reasoned about in the traditional style of membership argu-ments. Using this technique, we prove the classic properties of set operations in a natural and effort-less manner. We then use the exciting new MBE feature of ACL2 to provide linear-time implementa-tions of all basic set operations. These optimizations are made "behind the scenes" and do not adversely impact reasoning ability. We finally develop a framework for reasoning about quantification over set elements. We also begin to provide common higher-order patterns from func-tional programming. The net result is an efficient library that is easy to use and reason about.
This paper describes an efficient implementation of sequential synthesis that uses induction to detect and merge sequentially-equivalent nodes. State-encoding, scan chains, and test vectors are essentially preserved. Moreover, the sequential synthesis results are sequentially verifiable using an independent inductive prover similar to that used for synthesis, with guaranteed completeness. Experiments with this sequential synthesis show effectiveness. When applied to a set of 20 industrial benchmarks ranging up to 26 K registers and up to 53 K 6 -LUTs, average reductions in register and area are 12.9% and 13.1% respectively while delay is reduced by 1.4%. When applied to the largest academic benchmarks, an average reduction in both registers and area is more than 30%. The associated sequential verification is also scalable and runs about 2times slower than synthesis. The implementation is available in the synthesis and verification system ABC.
We have developed an extension of ACL2 that includes the implementation of hash-based association lists and func- tion memoization; this makes some algorithms execute more quickly. This extension, enabled partially by the imple- mentation of Hash-CONS, represents ACL2 data objects in a canonical way, thus the comparison of any two such objects can be determined without the cost of descending through their CONS structures. A restricted set of ACL2 user- defined functions may be memoized; the underlying imple- mentation may conditionally retain the values of such func- tion calls so that if a repeated function application is re- quested, a previously computed value may instead be re- turned. We have defined a fast association list access and update functions using hash tables. We provide a file reader that identifies and eliminates duplicate representations of re- peated objects, and a file printer that produces output with no duplicate subexpressions.
ABC is a public-domain system for logic synthesis and formal verification of binary logic circuits appearing in synchronous hardware designs. ABC combines scalable logic transformations based on And-Inverter Graphs (AIGs), with a variety of innovative algorithms. A focus on the synergy of sequential synthesis and sequential verification leads to improvements in both domains. This paper introduces ABC, motivates its development, and illustrates its use in formal verification.
The ACL2 system is based upon a first-order logic and implements traditional first-order reasoning techniques, notably (conditional)
rewriting, as well as extensions including mathematical induction and a “functional instantiation” capability for mimicking
second-order reasoning. Additionally, one can engage in meta-reasoning — using ACL2 to reason, and prove theorems, about ACL2’s
logic from within ACL2. One can then use these theorems to augment ACL2’s proof engine with custom extensions. ACL2 also supports
forms of meta-level control of its rewriter. Relatively recent additions of these forms of control, as well as extensions
to ACL2’s long-standing meta-reasoning capability, allow a greater range of rules to be written than was possible before,
allowing one to specify more comprehensive proof strategies.
This paper describes a new proof tool for deciding bit-vector problems in HOL4. The approach is based on “bit-blasting”, wherein
word expressions are mapped into propositional formulas, which are then handed to a SAT solver. Significantly, the implementation
uses the LCF approach, which means that the soundness of the tool is guaranteed by the soundness of HOL4’s logical kernel.
We present the mechanical verification of an algorithm for building a BDD from an AND/INVERTER graph (AIG). The algorithm
uses two methods to simplify an input AIG using BDDs of limited size; it repeatedly applies these methods while varying the
BDD size limit. One method is similar to dynamic weakening in that it replaces oversized BDDs by a conservative approximation;
the other method introduces fresh variables to represent oversized BDDs. This algorithm is written in the executable logic
of the ACL2 theorem prover. The primary contribution is the verification of our conversion algorithm. We state its correctness
theorem and outline the major steps needed to prove it.
In this article, we present a small, complete, and efficient SAT-solver in the style of conflict-driven learning, as exemplified by Chaff. We aim to give sufficient details about implementation to enable the reader to construct his or her own solver in a very short time. This will allow users of SAT-solvers to make domain specific extensions or adaptions of current state-of-the-art SAT-techniques, to meet the needs of a particular application area. The presented solver is designed with this in mind, and includes among other things a mechanism for adding arbitrary boolean constraints. It also supports solving a series of related SAT-problems efficiently by an incremental SAT-interface.
Boolean Satisfiability (SAT) solvers are now routinely used in the verification of large industrial problems. However, their
application in safety-critical domains such as the railways, avionics, and automotive industries requires some form of assurance
for the results, as the solvers can (and sometimes do) have bugs. Unfortunately, the complexity of modern and highly optimized
SAT solvers renders impractical the development of direct formal proofs of their correctness. This paper presents an alternative
approach where an untrusted, industrial-strength, SAT solver is plugged into a trusted, formally verified, SAT proof checker
to provide industrial-strength certified SAT solving. The key characteristics of our approach are (i) that the checker is
not tied to a specific SAT solver but certifies any solver respecting the agreed format for satisfiability and unsatisfiability
claims, (ii) that the checker is automatically extracted from the formal development, and (iii) that the combined system can
be used as a standalone executable program independent of any supporting theorem prover. The core of the system is a checker
for unsatisfiability claims that is formally designed and verified in Coq. We present its formal design and outline the correctness
criteria. The actual standalone checker is automatically extracted from the the Coq development. An evaluation of the checker
on a representative set of industrial benchmarks from the SAT Race Competition shows that, albeit it is slower than uncertified
SAT checkers, it is significantly faster than certified checkers implemented on top of an interactive theorem prover.
This paper describes the integration of zCha and MiniSat, currently two leading SAT solvers, with Higher Order Logic (HOL) theorem provers. Both SAT solvers generate resolution-style proofs for (instances of) propositional tautologies. These proofs are verified by the theorem provers. The presented approach significantly improves the provers' performance on propositional problems, and exhibits coun- terexamples for unprovable conjectures. It is also shown that LCF-style theorem provers can serve as viable proof checkers even for large SAT problems. An ecient representation of the propositional problem in the theorem prover turns out to be crucial; several possible solutions are discussed.
Interactive theorem proving requires a lot of human guidance. Proving a
property involves (1) figuring out why it holds, then (2) coaxing the theorem
prover into believing it. Both steps can take a long time. We explain how to
use GL, a framework for proving finite ACL2 theorems with BDD- or SAT-based
reasoning. This approach makes it unnecessary to deeply understand why a
property is true, and automates the process of admitting it as a theorem. We
use GL at Centaur Technology to verify execution units for x86 integer, MMX,
SSE, and floating-point arithmetic.
ACL2 is a first-order applicative programming language based on Common Lisp. It is also a mathematical logic for which a mechanical theoremprover has been implemented in the style of the Boyer-Moore theorem prover. The ACL2 system is used primarily in the modeling and verification of computer hardware and software, where the executability of the language allows models to be used as prototype designs or "simulators." To support efficient execution of certain kinds of models, especially models of microprocessors, ACL2 provides "single-threaded objects," structures with the usual "copy on write" applicative semantics but for which writes are implemented destructively. Syntactic restrictions insure consistency between the formal semantics and the implementation. The design of single-threaded objects has been influenced both by the need to make execution efficient and the need to make proofs about them simple. We discuss the issues. 1 Background "ACL2" stands for "A Computational Logic for...
On the Complexity of Derivation in Propositional Calculus Zapiski nauchnykh seminarov LOMI 8 English translation of this volume: Consultants Bureau
- G S Tseitin
G. S. Tseitin (1968): On the Complexity of Derivation in Propositional Calculus. Zapiski nauchnykh seminarov LOMI 8, pp. 234–259, doi:10.1007/978-3-642-81955-1 28. English translation of this volume: Consultants Bureau, N.Y., 1970, pp. 115–125.
Department of Computer Science Series of Publications B B-2012-2
- Armin Biere
Armin Biere (2012): Lingeling and Friends Entering the SAT Challenge 2012. In: Proc. SAT Challenge 2012,
Department of Computer Science Series of Publications B B-2012-2, University of Helsinki, pp. 33-34.
On the Complexity of Derivation in Propositional Calculus. Zapiski nauchnykh seminarov LOMI 8
- G S Tseitin
G. S. Tseitin (1968): On the Complexity of Derivation in Propositional Calculus. Zapiski nauchnykh seminarov LOMI 8, pp. 234-259, doi:10.1007/978-3-642-81955-1 28. English translation of this volume: Consultants Bureau, N.Y., 1970, pp. 115-125.