No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Balancing Automation and Control for Formal Verification of Microprocessors
Abstract
Formal methods are becoming an indispensable part of the design process in software and hardware industry. It takes robust tools and proofs to make formal validation of large scale projects reliable. In this paper, we will describe the current status of formal verification at Centaur Technology. We will explain our challenges and our methodology—how various proofs and verification artifacts are interconnected and how we keep them consistent over the duration of a project. We also describe our main engine—a powerful symbolic simulator with rewriting capabilities that is integrated in a theorem prover and proven correct.
... Our program is not designed to handle branches implemented for saturation. Therefore, after our program simplified the saturated designs, we sent the resulting terms to a SAT Solver (glucose [36]) with the FGL utility [26], [37], and we have seen that proofs finished successfully in a few seconds. ...
We have developed an algorithm, S-C-Rewriting, that can automatically and very efficiently verify arithmetic modules with embedded multipliers. These include ALUs, dot-product, multiply-accumulate designs that may use Booth encoding, Wallace-trees, and various vector adders. Outputs of the target multiplier designs might be truncated, right-shifted, or a combination of both. We evaluate the performance of other state-of-the-art tools on verification problems beyond isolated multipliers and we show that our method applies to a broader range of design techniques encountered in real-world modules. Our verification software is verified using the ACL2 theorem prover, and we can soundly verify 1024x1024-bit isolated multipliers and similarly large dot-product designs in minutes. We can also generate counterexamples in case of a design bug. Our tool and benchmarks are available online.
The Libra blockchain is designed to store billions of dollars in assets, so the security of code that executes transactions is important. The Libra blockchain has a new language for implementing transactions, called “Move.” This paper describes the Move Prover, an automatic formal verification system for Move. We overview the unique features of the Move language and then describe the architecture of the Prover, including the language for formal specification and the translation to the Boogie intermediate verification language .
The automatic formal verification of multiplier designs has been pursued since the introduction of BDDs. We present a new rewriter-based method for efficient and automatic verification of signed and unsigned integer multiplier designs. We have proved the soundness of this method using the ACL2 theorem prover, and we can verify integer multiplier designs with various architectures automatically, including Wallace, Dadda, and 4-to-2 compressor trees, designed with Booth encoding and various types of final stage adders. Our experiments have shown that our approach scales well in terms of time and memory. With our method, we can confirm the correctness of \(1024\times 1024\)-bit multiplier designs within minutes.
We describe how we have defined in ACL2 a weak version of the Common Lisp functional apply, which takes a function and list of actuals and applies the function to the actuals. Our version, called apply$, does not operate on functions but on ordinary objects—symbols and lists representing lambda expressions—some of which are interpreted as functions. We define a syntactic notion of “tameness” to identify the interpretable objects. This makes our apply$ weaker than a true second-order functional but we believe apply$ is powerful enough for many uses in ACL2. To maintain soundness and the conservativity of our Definitional Principle we require that certain hypotheses, called “warrants”, be present in any theorem relying on the behavior of apply$ on non-primitives. Within these constraints we can define “functionals” such as sum and foldr which map tame “functions” over lists and accumulate the results. This allows the ACL2 user to avoid defining specialized recursive functions for each such application. We can prove and use general-purpose lemmas about these “functionals.” We describe the formalization, explain how we keep the Definitional Principle conservative, show examples of useful functions using apply$ and theorems about them, sketch the proof that there is a model of any extension of the system using the new primitives, discuss issues arising in making these functions executable, and show some preliminary performance results.
Smtlink is an extension of ACL2 with Satisfiability Modulo Theories (SMT) solvers. We presented an earlier version at ACL2'2015. Smtlink 2.0 makes major improvements over the initial version with respect to soundness, extensibility, ease-of-use, and the range of types and associated theory-solvers supported. Most theorems that one would want to prove using an SMT solver must first be translated to use only the primitive operations supported by the SMT solver -- this translation includes function expansion and type inference. Smtlink 2.0 performs this translation using a sequence of steps performed by verified clause processors and computed hints. These steps are ensured to be sound. The final transliteration from ACL2 to Z3's Python interface requires a trusted clause processor. This is a great improvement in soundness and extensibility over the original Smtlink which was implemented as a single, monolithic, trusted clause processor. Smtlink 2.0 provides support for FTY defprod, deflist, defalist, and defoption types by using Z3's arrays and user-defined data types. We have identified common usage patterns and simplified the configuration and hint information needed to use Smtlink.
We report on the development and use of formal verification tools within Amazon Web Services (AWS) to increase the security assurance of its cloud infrastructure and to help customers secure themselves. We also discuss some remaining challenges that could inspire future research in the community.KeywordsFormal Verification ToolsTechnical Account ManagersCandidate ProofFinding SecurityRuntime Garbage CollectorThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
GL is a verified tool for proving ACL2 theorems using Boolean methods such as BDD reasoning and satisfiability checking. In its typical operation, GL recursively traverses a term, computing a symbolic object representing the value of each subterm. In older versions of GL, such a symbolic object could use Boolean functions to compactly represent many possible values for integer and Boolean subfields, but otherwise needed to reflect the concrete structure of all possiblealues that its term might take. When a term has many possible values that can't share such a representation, this can easily cause blowups because GL must then case-split. To address this problem, we have added several features to GL that allow it to reason about term-like symbolic objects using various forms of rewriting. These features allow GL to be programmed with rules much like the ACL2 rewriter, so that users may choose a better normal form for terms for which the default, value-like representation would otherwise cause case explosions. In this paper we describe these new features; as a motivating example, we show how to program the rewriter to reason effectively about the theory of records.
This paper surveys the emerging methods to automate reasoning over large libraries developed with formal proof assistants. We call these methods hammers. They give the authors of formal proofs a strong "one-stroke" tool for discharging difficult lemmas without the need for careful and detailed manual programming of proof search. The main ingredients underlying this approach are efficient automatic theorem provers that can cope with hundreds of axioms, suitable translations of the proof assistant's logic to the logic of the automatic provers, heuristic and learning methods that select relevant facts from large libraries, and methods that reconstruct the automatically found proofs inside the proof assistants. We outline the history of these methods, explain the main issues and techniques, and show their strength on several large benchmarks. We also discuss the relation of this technology to the QED Manifesto and consider its implications for QED-like efforts.
We describe the formal methodology we are using to verify components of a commercial 64-bit, x86-compatible microprocessor design at Centaur Technology. This methodology is based on the ACL2 theorem prover. In this methodology, we mechanically translate the RTL design into a formal HDL for which we have an interpreter in ACL2. We use AIG-and BDD-based symbolic simulation and theorem proving techniques to show that the hardware models satisfy their specifications, which are ACL2 functions. Completed verifications yield theorems admitted by ACL2, ensuring that the verification is based on sound reasoning. We have used this methodology to verify instructions such as SIMD floating-point addition and subtraction, integer and floating-point multiplication, comparisons, bit-wise logical operations, and integer/float conversions. We discuss our floating-point addition verification as a case study.
In recent years, leading microprocessor companies have made huge investments to improve the reliability of their products. Besides expanding their validation and CAD tools teams, they have incorporated formal verification methods into their design flows. Formal verification (FV) engineers require extensive training, and FV tools from CAD vendors are expensive. At first glance, it may seem that FV teams are not affordable by smaller companies. We have not found this to be true. This paper describes the formal verification framework we have built on top of publicly-available tools. This framework gives us the flexibility to work on myriad different problems that occur in microprocessor design.
Formal verification of arithmetic datapaths has been part of the established methodology for most Intel processor designs
over the last years, usually in the role of supplementing more traditional coverage oriented testing activities. For the recent
Intel
\circledR^{\tiny\circledR} CoreTM i7 design we took a step further and used formal verification as the primary validation vehicle for the core execution cluster,
the component responsible for the functional behaviour of all microinstructions. We applied symbolic simulation based formal
verification techniques for full datapath, control and state validation for the cluster, and dropped coverage driven testing
entirely. The project, involving some twenty person years of verification work, is one of the most ambitious formal verification
efforts in the hardware industry to date. Our experiences show that under the right circumstances, full formal verification
of a design component is a feasible, industrially viable and competitive validation approach.
Ordered Binary-Decision Diagrams (OBDDs) represent Boolean functions as directed acyclic graphs. They form a canonical representation, making testing of functional properties such as satisfiability and equivalence straightforward. A number of operations on Boolean functions can be implemented as graph algorithms on OBDD data structures. Using OBDDs, a wide variety of problems can be solved through symbolic analysis. First, the possible variations in system parameters and operating conditions are encoded with Boolean variables. Then the system is evaluated for all variations by a sequence of OBDD operations. Researchers have thus solved a number of problems in digital-system design, finite-state system analysis, artificial intelligence, and mathematical logic. This paper describes the OBDD data structure and surveys a number of applications that have been solved by OBDD-based symbolic analysis.
This is the first book to focus on the problem of ensuring the correctness of floating-point hardware designs through mathematical methods. Formal Verification of Floating-Point Hardware Design advances a verification methodology based on a unified theory of register-transfer logic and floating-point arithmetic that has been developed and applied to the formal verification of commercial floating-point units over the course of more than two decades, during which the author was employed by several major microprocessor design companies.
The book consists of five parts, the first two of which present a rigorous exposition of the general theory based on the first principles of arithmetic. Part I covers bit vectors and the bit manipulation primitives, integer and fixed-point encodings, and bit-wise logical operations. Part II addresses the properties of floating-point numbers, the formats in which they are encoded as bit vectors, and the various modes of floating-point rounding. In Part III, the theory is extended to the analysis of several algorithms and optimization techniques that are commonly used in commercial implementations of elementary arithmetic operations. As a basis for the formal verification of such implementations, Part IV contains high-level specifications of correctness of the basic arithmetic instructions of several major industry-standard floating-point architectures, including all details pertaining to the handling of exceptional conditions. Part V illustrates the methodology, applying the preceding theory to the comprehensive verification of a state-of-the-art commercial floating-point unit.
All of these results have been formalized in the logic of the ACL2 theorem prover and mechanically checked to ensure their correctness. They are presented here, however, in simple conventional mathematical notation. The book presupposes no familiarity with ACL2, logic design, or any mathematics beyond basic high school algebra. It will be of interest to verification engineers as well as arithmetic circuit designers who appreciate the value of a rigorous approach to their art, and is suitable as a graduate text in computer arithmetic.
The ACL2 theorem prover has seen sustained industrial use since the mid-1990s. Companies that have used ACL2 regularly include AMD, Centaur Technology, IBM, Intel, Kestrel Institute, Motorola/Freescale, Oracle and Rockwell Collins. This paper introduces ACL2 and focuses on how and why ACL2 is used in industry. ACL2 is well-suited to its industrial application to numerous software and hardware systems, because it is an integrated programming/proof environment supporting a subset of the ANSI standard Common Lisp programming language. As a programming language ACL2 permits the coding of efficient and robust programs; as a prover ACL2 can be fully automatic but provides many features permitting domain-specific human-supplied guidance at various levels of abstraction. ACL2 specifications and models often serve as efficient execution engines for the modelled artefacts while permitting formal analysis and proof of properties. Crucially, ACL2 also provides support for the development and verification of other formal analysis tools. However, ACL2 did not find its way into industrial use merely because of its technical features. The core ACL2 user/development community has a shared vision of making mechanized verification routine when appropriate and has been committed to this vision for the quarter century since the Computational Logic, Inc., Verified Stack. The community has focused on demonstrating the viability of the tool by taking on industrial projects (often at the expense of not being able to publish much).
This article is part of the themed issue ‘Verified trustworthy software systems’.
Despite 20+ years of research on processor verification, it remains hard to use formal verification techniques in commercial processor development. There are two significant factors: scaling issues and return on investment. The scaling issues include the size of modern processor specifications, the size/complexity of processor designs, the size of design/verification teams and the (non)availability of enough formal verification experts. The return on investment issues include the need to start catching bugs early in development, the need to continue catching bugs throughout development, and the need to be able to reuse verification IP, tools and techniques across a wide range of design styles.
This paper describes how ARM has overcome these issues in our Instruction Set Architecture Formal Verification framework “ISA-Formal.” This is an end-to-end framework to detect bugs in the datapath, pipeline control and forwarding/stall logic of processors. A key part of making the approach scale is use of a mechanical translation of ARM’s Architecture Reference Manuals to Verilog allowing the use of commercial model-checkers. ISA-Formal has proven especially effective at finding micro-architecture specific bugs involving complex sequences of instructions.
An essential feature of our work is that it is able to scale all the way from simple 3-stage microcontrollers, through superscalar in-order processors up to out-of-order processors. We have applied this method to 8 different ARM processors spanning all stages of development up to release. In all processors, this has found bugs that would have been hard for conventional simulation-based verification to find and ISA-Formal is now a key part of ARM’s formal verification strategy.
To the best of our knowledge, this is the most broadly applicable formal verification technique for verifying processor pipeline control in mainstream commercial use.
Despite significant progress in formal hardware verification in the past decade, little has been published on the verification of microcode. Microcode is the heart of every microprocessor and is one of the most complex parts of the design: it is tightly connected to the huge machine state, written in an assembly-like language that has no support for data or control structures, and has little documentation and changing semantics. At the same time it plays a crucial role in the way the processor works.
We describe the method of formal microcode verification we have developed for an x86-64 microprocessor designed at Centaur Technology. While the previous work on high and low level code verification is based on an unverified abstract machine model, our approach is tightly connected with our effort to verify the register-transfer level implementation of the hardware. The same microoperation specifications developed to verify implementation of teh execution units are used to define operational semantics for the microcode verification.
While the techniques used in the described verification effort are not inherently new, to our knowledge, our effort is the first interconnection of hardware and microcode verification in context of an industrial size design. Both our hardware and microcode verifications are done within the same verification framework.
The ACL2 theorem prover is a complex system. Its libraries are vast.
Industrial verification efforts may extend this base with hundreds of thousands
of lines of additional modeling tools, specifications, and proof scripts. High
quality documentation is vital for teams that are working together on projects
of this scale. We have developed XDOC, a flexible, scalable documentation tool
for ACL2 that can incorporate the documentation for ACL2 itself, the Community
Books, and an organization's internal formal verification projects, and which
has many features that help to keep the resulting manuals up to date. Using
this tool, we have produced a comprehensive, publicly available ACL2+Books
Manual that brings better documentation to all ACL2 users. We have also
developed an extended manual for use within Centaur Technology that extends the
public manual to cover Centaur's internal books. We expect that other
organizations using ACL2 will wish to develop similarly extended manuals.
We have created an experimental extension to ACL2 that provides a means to symbolically evaluate ACL2 expres-sions. This modified implementation can be used to compute the 'general' application of an ACL2 function to generalized data. In particular, we use uBDDs to represent functions from Boolean variables to finite sets of ACL2 objects, and for guard-checked ACL2 functions we can automatically cre-ate corresponding generalized functions to operate on such generalized data. The DEFTHM hint mechanism has been extended to permit the direct application of symbolic simulation as a part of a proof attempt. This extension made it possible to di-rectly verify the Legato Challenge using only symbolic sim-ulation; this challenge involves proving the correctness of a 6502 assembly-language program that performs an 8-bit by 8-bit multiplication through repeated addition. We need only provide the initial symbolic data, i.e., two 8-bit, sym-bolic numbers, and we symbolically simulate the assembly-language program by symbolically simulating an ISA-level 6502-program interpreter that produces a symbolic result that we compare to its specification.
We have verified floating-point addition/subtraction instructions for the media unit from Centaur’s 64-bit, X86-compatible microprocessor. This unit implements over one hundred instructions, with the most complex being floating-point addition/subtraction. This media unit can add/subtract four pairs of floating-point numbers every clock cycle with an industry-leading two-cycle latency.
Using the ACL2 theorem proving system, we model the media unit by translating its Verilog design into an HDL that we have deeply embedded in the ACL2 logic. We specify the addition/subtraction instructions as integer-based ACL2 functions. Using a combination of AIG- and BDD-based symbolic simulation, case splitting, and theorem proving, we produce a mechanically checked theorem in ACL2 for each instruction examined stating that the hardware model yields the same result as the instruction specification.
In pursuit of these verifications, we implemented a formal HDL and symbolic simulation framework, including formally verified BDD and AIG operators, within the ACL2 theorem proving system. The HDL includes an extensible interpreter capable of performing concrete and symbolic simulations as well as non-functional analyses. We know of no other symbolic simulation-based floating-point verification that is performed within a single formal system and produces a theorem in that system without relying on unverified external tools.
ABC is a public-domain system for logic synthesis and formal verification of binary logic circuits appearing in synchronous hardware designs. ABC combines scalable logic transformations based on And-Inverter Graphs (AIGs), with a variety of innovative algorithms. A focus on the synergy of sequential synthesis and sequential verification leads to improvements in both domains. This paper introduces ABC, motivates its development, and illustrates its use in formal verification.
The ACL2 system is based upon a first-order logic and implements traditional first-order reasoning techniques, notably (conditional)
rewriting, as well as extensions including mathematical induction and a “functional instantiation” capability for mimicking
second-order reasoning. Additionally, one can engage in meta-reasoning — using ACL2 to reason, and prove theorems, about ACL2’s
logic from within ACL2. One can then use these theorems to augment ACL2’s proof engine with custom extensions. ACL2 also supports
forms of meta-level control of its rewriter. Relatively recent additions of these forms of control, as well as extensions
to ACL2’s long-standing meta-reasoning capability, allow a greater range of rules to be written than was possible before,
allowing one to specify more comprehensive proof strategies.
We define the Subclass of Unrollable List Formulas in ACL2 (SULFA). SULFA is a subclass of ACL2 formulas based on list structures
that is sufficiently expressive to include invariants of finite state machines (FSMs). We have extended the ACL2 theorem prover
to include a new proof mechanism, which can recognize SULFA formulas and automatically verify them with a SAT-based decision
procedure. When this decision procedure is successful, a theorem is added to the ACL2 system database as a lemma for use in
future proof attempts. When unsuccessful, a counter-example to the SULFA property is presented.
We are using SULFA and its SAT-based decision procedure as part of a larger system to verify components of the TRIPS processor.
Our verification system translates Verilog designs automatically into ACL2 models. These models are written such that their
invariants are SULFA properties, which can be verified by our SAT-based decision procedure, traditional theorem proving, or
a mixture of the two.
Interactive theorem proving requires a lot of human guidance. Proving a
property involves (1) figuring out why it holds, then (2) coaxing the theorem
prover into believing it. Both steps can take a long time. We explain how to
use GL, a framework for proving finite ACL2 theorems with BDD- or SAT-based
reasoning. This approach makes it unnecessary to deeply understand why a
property is true, and automates the process of admitting it as a theorem. We
use GL at Centaur Technology to verify execution units for x86 integer, MMX,
SSE, and floating-point arithmetic.
Formal Verification of Libra Blockchain Smart Contracts. Recording of the keynote
- D L Dill
Dill, D.L.: Formal Verification of Libra Blockchain Smart Contracts. Recording of
the keynote (2020). https://www.youtube.com/watch?v=cYxxJU-Wt2U
Formal Verification of Application and System Programs Based on a Validated x86 ISA Model
- S Goel
Goel, S.: Formal Verification of Application and System Programs Based on a
Validated x86 ISA Model. Ph.D. thesis, Department of Computer Science, The
University of Texas at Austin (2016). http://hdl.handle.net/2152/46437
Evaluatable, high-assurance microprocessors
- D Greve
- M Wilding
Greve, D., Wilding, M.: Evaluatable, high-assurance microprocessors. In: NSA
High-Confidence Systems and Software Conference (HCSS), Linthicum, MD,
March 2002. http://hokiepokie.org/docs/hcss02/proceedings.pdf
Design and Verification of Microprocessor Systems for High-Assurance Applications
- Jr Hunt
- W A A Swords
- S Davis
- J Slobodova
Hunt, Jr., W.A.A., Swords, S., Davis, J., Slobodova, A.: Use of formal verification
at centaur technology. In: Hardin, D. (ed.) Design and Verification of Microprocessor Systems for High-Assurance Applications, pp. 65-88. Springer, Boston (2010).
https://doi.org/10.1007/978-1-4419-1539-9_3
Hybrid verification of a hardware modular reduction engine
- J Sawada
- P Sandon
- V Paruthi
- J Baumgartner
- M Case
- H Mony
Sawada, J., Sandon, P., Paruthi, V., Baumgartner, J., Case, M., Mony, H.:
Hybrid verification of a hardware modular reduction engine. In: Bjesse, P., Slobodova, A. (eds.) Proceedings of Formal Methods in Computer-Aided Design
(FMCAD). ACM/IEEE CEDA (2011). https://www.cs.utexas.edu/users/hunt/
FMCAD/FMCAD11/
A Verified Framework for Symbolic Execution in the ACL2 Theorem Prover
- S O Swords
Swords, S.O.: A Verified Framework for Symbolic Execution in the ACL2 Theorem
Prover. Ph.D. thesis, University of Texas at Austin, December 2010. http://hdl.
handle.net/2152/ETD-UT-2010-12-2210