## No full-text available

To read the full-text of this research,

you can request a copy directly from the authors.

Interactive theorem proving requires a lot of human guidance. Proving a
property involves (1) figuring out why it holds, then (2) coaxing the theorem
prover into believing it. Both steps can take a long time. We explain how to
use GL, a framework for proving finite ACL2 theorems with BDD- or SAT-based
reasoning. This approach makes it unnecessary to deeply understand why a
property is true, and automates the process of admitting it as a theorem. We
use GL at Centaur Technology to verify execution units for x86 integer, MMX,
SSE, and floating-point arithmetic.

To read the full-text of this research,

you can request a copy directly from the authors.

... dest g9 src width 64 opcode XADD src1 g8 dest width 64 exec unit int src2 8 write flags? no A function like xadd -def interprets this information, e.g., for the instruction above it would extract the value of gregs [8] and interpret it as 64-bit value, add it to src2, store the result in gregs [9], and not update any flags. Semantic functions for all types of uops are combined into a universal uop definition: ...

... For the block -precondition predicate we have an option to do a simple vacuity check. It exploits a symbolic simulator [8] that converts an ACL2 object that is defined over a finite domain into a symbolic object encoded as an And-Inverter Graph. Finding a state that satisfies the precondition is thus transformed into satisfiability of a Boolean formula, which we then translate into CNF and solve using an off-the-shelf SAT solver [9]. ...

... -We can use bit-level symbolic execution [8], which computes a Boolean formula representing the correctness condition and attempts to solve it using a SAT solver. This is preferred for short blocks whose correctness proofs do not depend on much mathematics. ...

Despite significant progress in formal hardware verification in the past decade, little has been published on the verification of microcode. Microcode is the heart of every microprocessor and is one of the most complex parts of the design: it is tightly connected to the huge machine state, written in an assembly-like language that has no support for data or control structures, and has little documentation and changing semantics. At the same time it plays a crucial role in the way the processor works.
We describe the method of formal microcode verification we have developed for an x86-64 microprocessor designed at Centaur Technology. While the previous work on high and low level code verification is based on an unverified abstract machine model, our approach is tightly connected with our effort to verify the register-transfer level implementation of the hardware. The same microoperation specifications developed to verify implementation of teh execution units are used to define operational semantics for the microcode verification.
While the techniques used in the described verification effort are not inherently new, to our knowledge, our effort is the first interconnection of hardware and microcode verification in context of an industrial size design. Both our hardware and microcode verifications are done within the same verification framework.

... Fully automatic tools like SAT and SMT solvers are now commonly used by interactive theorem provers to carry out certain proofs. For instance, in previous work [28] we developed a way to solve finite ACL2 problems using a BDD package or a SAT solver. Similarly, Fox [17] implemented a translation from bit-vector problems in HOL4 into SAT problems which-thanks to integration work by Weber and Amjad [31]-can be solved by zChaff or MiniSat. ...

... Besides these contributions to reasoning about AIG algorithms, we have integrated our stobj based representation and its CNF conversion algorithm into the GL [28] framework for bit-blasting finite ACL2 theorems. This allows GL to solve more theorems automatically, and opens up interesting possibilities for further scaling. ...

... In previous work [28] we introduced GL, a framework for automatically proving "finite" ACL2 theorems. GL works by symbolically executing ACL2 formulas to bit-blast (translate) them into Boolean formulas, which can then be solved using a tool like a BDD package or a SAT solver. ...

And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions
(like circuits). AIG simplification algorithms can dramatically reduce an AIG,
and play an important role in modern hardware verification tools like
equivalence checkers. In practice, these tricky algorithms are implemented with
optimized C or C++ routines with no guarantee of correctness. Meanwhile, many
interactive theorem provers can now employ SAT or SMT solvers to automatically
solve finite goals, but no theorem prover makes use of these advanced,
AIG-based approaches.
We have developed two ways to represent AIGs within the ACL2 theorem prover.
One representation, Hons-AIGs, is especially convenient to use and reason
about. The other, Aignet, is the opposite; it is styled after modern AIG
packages and allows for efficient algorithms. We have implemented functions for
converting between these representations, random vector simulation, conversion
to CNF, etc., and developed reasoning strategies for verifying these
algorithms.
Aside from these contributions towards verifying AIG algorithms, this work
has an immediate, practical benefit for ACL2 users who are using GL to
bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf
SAT solver to carry out the proof, instead of using the built-in BDD package.
Looking to the future, it is a first step toward implementing verified AIG
simplification algorithms that might further improve GL performance.

... With a similar approach in this paper, GL is a framework for bit blasting finitely bounded ACL2 theorems into SAT queries [28]. Its bit blasting algorithm is formally verified in ACL2. ...

... A bit blasting algorithm is defined and verified in HOL4 as well [13]. Neither [28] nor [13] aims to develop a scalable SMT QF BV solver. CoqQFBV accepts SMT-LIB inputs with fully supported QF BV logic while adopting performance optimizations such as caches. ...

We present a certified SMT QF_BV solver CoqQFBV built from a verified bit blasting algorithm, Kissat, and the verified SAT certificate checker GratChk in this paper. Our verified bit blasting algorithm supports the full QF_BV logic of SMT-LIB; it is specified and formally verified in the proof assistant Coq . We compare CoqQFBV with CVC4, Bitwuzla, and Boolector on benchmarks from the QF_BV division of the single query track in the 2020 SMT Competition, and real-world cryptographic program verification problems. CoqQFBV surprisingly solves more program verification problems with certification than the 2020 SMT QF_BV division winner Bitwuzla without certification.

... Since its inception, users of ACL2 [12,13,11,15] have developed many tools that extend ACL2 or use ACL2 as an integral component. Extensions include improved termination analysis [18], the use of external solvers [16,17,28,24,26], support for bit-blasting proofs [16,17,31] and automatic counterexample generation [5]. Systems that are built on top of ACL2 include ACL2r [10] and the ACL2 Sedan (ACL2s) [9]. ...

ACL2 provides a systems programming capability that allows one to write code that uses and extends ACL2 inside of ACL2. However, for soundness reasons, ACL2 bars the unrestricted use of certain kinds of programming constructs, like destructive updates, higher-order functions, eval, and arbitrary macros. We devised a methodology for writing code in Common Lisp that allows one to access ACL2, ACL2s, and Common Lisp functionality in a unified way. We arrived at this methodology in the process of developing the ACL2 Sedan (ACL2s) and using it as a key component in formal-methods-enabled projects relating to gamified verification, education, proof checking, interfacing with external theorem provers and security. The methodology includes a library for performing ACL2 queries from Common Lisp, as well as guidelines and utilities that help address common needs. We call this methodology "ACL2s systems programming," to distinguish it from ACL2 systems programming. We show how our methodology makes it possible to easily develop tools that interface with ACL2 and ACL2s, and describe our experience using it in our research.

... Since its inception, users of ACL2 [12,13,11,15] have developed many tools that extend ACL2 or use ACL2 as an integral component. Extensions include improved termination analysis [18], the use of external solvers [16,17,28,24,26], support for bit-blasting proofs [16,17,31] and automatic counterexample generation [5]. Systems that are built on top of ACL2 include ACL2r [10] and the ACL2 Sedan (ACL2s) [9]. ...

... We have observed the same behavior with larger multipliers so much so that the returned term can sometimes give a hint as to where the bug exists within the design. Moreover, since these terms are often small, we use the FGL [26] or the GL [27], [28] utilities in ACL2 to send such returned terms to an external SAT Solver. We have seen through our experiments (Sec. ...

We have developed an algorithm, S-C-Rewriting, that can automatically and very efficiently verify arithmetic modules with embedded multipliers. These include ALUs, dot-product, multiply-accumulate designs that may use Booth encoding, Wallace-trees, and various vector adders. Outputs of the target multiplier designs might be truncated, right-shifted, or a combination of both. We evaluate the performance of other state-of-the-art tools on verification problems beyond isolated multipliers and we show that our method applies to a broader range of design techniques encountered in real-world modules. Our verification software is verified using the ACL2 theorem prover, and we can soundly verify 1024x1024-bit isolated multipliers and similarly large dot-product designs in minutes. We can also generate counterexamples in case of a design bug. Our tool and benchmarks are available online.

... FGL [4,39] is part of the ACL2 libraries and publicly available [9]. It is a significant rewrite and extension of GL ("G in the Logic") [38,41,42], which was itself a rewrite and extension of the G System of Boyer and Hunt [13]. The idea behind all of these is to recursively transform ACL2 terms into symbolic objects that represent the values of these terms and that consist mostly of structures containing Boolean function objects. ...

Formal methods are becoming an indispensable part of the design process in software and hardware industry. It takes robust tools and proofs to make formal validation of large scale projects reliable. In this paper, we will describe the current status of formal verification at Centaur Technology. We will explain our challenges and our methodology—how various proofs and verification artifacts are interconnected and how we keep them consistent over the duration of a project. We also describe our main engine—a powerful symbolic simulator with rewriting capabilities that is integrated in a theorem prover and proven correct.

... FGL is a bitblasting framework for ACL2 and a successor to GL [6,8]. Its aims are similar to those of GL: to allow finitary propositions written in idiomatic ACL2 to be solved using Boolean reasoning techniques, including state-of-the-art SAT solving and circuit-based simplification. ...

... FGL is a bitblasting framework for ACL2 and a successor to GL [6,8]. Its aims are similar to those of GL: to allow finitary propositions written in idiomatic ACL2 to be solved using Boolean reasoning techniques, including state-of-the-art SAT solving and circuit-based simplification. ...

FGL is a successor to GL, a proof procedure for ACL2 that allows complicated finitary conjectures to be translated into efficient Boolean function representations and proved using SAT solvers. A primary focus of FGL is to allow greater programmability using rewrite rules. While the FGL rewriter is modeled on ACL2's rewriter, we have added several features in order to make rewrite rules more powerful. A particular focus is to make it more convenient for rewrite rules to use information from the syntactic domain, allowing them to replace built-in primitives and meta rules in many cases. Since it is easier to write, maintain, and prove the soundness of rewrite rules than to do the same for rules programmed at the syntactic level, these features help make it feasible for users to precisely program the behavior or the rewriter. We describe the new features that FGL's rewriter implements, discuss the solutions to some technical problems that we encountered in their implementation, and assess the feasibility of adding these features to the ACL2 rewriter.

... The GL tool [37,36] is a verified prover of ACL2 theorems on finite domains. GL uses symbolic simulation of ACL2 function definitions to reduce finite ACL2 theorems into propositional logic formulas. ...

Verification of modern microprocessors is a complex task that requires a substantial allocation of resources. Despite significant progress in formal verification, the goal of complete verification of an industrial design has not been achieved. In this paper, we describe a current contribution of formal methods to the validation of modern x86 microprocessors at Centaur Technology. We focus on proving correctness of instruction implementations, which includes the decoding of an instruction, its translation into a sequence of micro-operations, any subsequent execution of traps to microcode ROM, and the implementation of these micro-operations in execution units. All these tasks are performed within one verification framework, which includes a theorem prover, a verified symbolic simulator, and SAT solvers. We describe the work of defining the needed formal models for both the architecture and micro-architecture in this framework, as well as tools for decomposing the requisite properties into smaller lemmas which can be automatically checked. We additionally cover the advantages and limitations of our approach. To our knowledge, there are no similar results in the verification of implementations of an x86 microprocessor.

... Our work is most directly based on SATLINK [5], which calls an external SAT solver executable on a single problem in a stateless manner. SATLINK provides a function that calls an external SAT solver on a CNF formula; that function is assumed to only return :unsat when the formula is unsatisfiable, and this can be used to perform ACL2 proofs using GL [12] or by otherwise appealing to that assumption. Similarly, SMTLINK [9] provides a trusted clause processor which encodes ACL2 formulas as SMT problems and calls the Z3 SMT solver to prove them, also statelessly. ...

We describe an effort to soundly use off-the-shelf incremental SAT solvers within ACL2 by modeling the behavior of a SAT solver library as an abstract stobj. The interface allows ACL2 programs to use incremental SAT solvers, and the abstract stobj model allows us to reason about the behavior of an incremental SAT library so as to show that algorithms implemented using it are correct, as long as the library is bug-free.

... Some examples of application programs verified using the model are a population count program, a word-count program, and a data-copy program. All of these programs except population count were verified by using the lemma libraries that are included in the x86isa library; the population count program was verified completely automatically using the GL library [26,27]. The 64-bit model is also compatible with the Codewalker library [2]; Codewalker has been used to reason about small application programs like the x86 machine-code routine to compute the factorial of a number. ...

The ACL2 model of the x86 Instruction Set Architecture was built for the 64-bit mode of operation of the processor. This paper reports on our work to extend the model with support for 32-bit mode, recounting the salient aspects of this activity and identifying the ones that required the most work.

... This is achieved by translating SVEX expressions into And-Inverter-Graphs (AIGs) and then translating AIGs to either to Conjunctive Normal Forms (CNFs) or BDDs. Translation and the AIG and BDD 'bit-blasting' are done with ACL2 functions that have been proven correct (some of the translations can be found in [41,44,45]; also see :DOC aig and :DOC gl). The CNF mode requires a SAT solver. ...

The ACL2 theorem prover has seen sustained industrial use since the mid-1990s. Companies that have used ACL2 regularly include AMD, Centaur Technology, IBM, Intel, Kestrel Institute, Motorola/Freescale, Oracle and Rockwell Collins. This paper introduces ACL2 and focuses on how and why ACL2 is used in industry. ACL2 is well-suited to its industrial application to numerous software and hardware systems, because it is an integrated programming/proof environment supporting a subset of the ANSI standard Common Lisp programming language. As a programming language ACL2 permits the coding of efficient and robust programs; as a prover ACL2 can be fully automatic but provides many features permitting domain-specific human-supplied guidance at various levels of abstraction. ACL2 specifications and models often serve as efficient execution engines for the modelled artefacts while permitting formal analysis and proof of properties. Crucially, ACL2 also provides support for the development and verification of other formal analysis tools. However, ACL2 did not find its way into industrial use merely because of its technical features. The core ACL2 user/development community has a shared vision of making mechanized verification routine when appropriate and has been committed to this vision for the quarter century since the Computational Logic, Inc., Verified Stack. The community has focused on demonstrating the viability of the tool by taking on industrial projects (often at the expense of not being able to publish much).
This article is part of the themed issue ‘Verified trustworthy software systems’.

... The GL framework for bit-level symbolic execution [8,9] is an important tool for hardware verification efforts at Centaur Technology [2]. To prove a theorem, GL attempts to symbolically interpret the conclusion and render it into a Boolean formula which can be proved via a satisfiability check. ...

ACL2 has long supported user-defined simplifiers, so-called metafunctions and clause processors, which are installed when corresponding rules of class :meta or :clause-processor are proved. Historically, such simplifiers could access the logical world at execution time and could call certain built-in proof tools, but one could not assume the soundness of the proof tools or the truth of any facts extracted from the world or context when proving a simplifier correct. Starting with ACL2 Version 6.0, released in December 2012, an additional capability was added which allows the correctness proofs of simplifiers to assume the correctness of some such proof tools and extracted facts. In this paper we explain this capability and give examples that demonstrate its utility.

... GL is an ACL2 framework for proving theorems using bit-level methods, namely BDD reasoning or SAT solving [6,5]. It works by computing bit-level symbolic representations of terms, which we also describe as symbolically executing them. ...

GL is a verified tool for proving ACL2 theorems using Boolean methods such as BDD reasoning and satisfiability checking. In its typical operation, GL recursively traverses a term, computing a symbolic object representing the value of each subterm. In older versions of GL, such a symbolic object could use Boolean functions to compactly represent many possible values for integer and Boolean subfields, but otherwise needed to reflect the concrete structure of all possiblealues that its term might take. When a term has many possible values that can't share such a representation, this can easily cause blowups because GL must then case-split. To address this problem, we have added several features to GL that allow it to reason about term-like symbolic objects using various forms of rewriting. These features allow GL to be programmed with rules much like the ACL2 rewriter, so that users may choose a better normal form for terms for which the default, value-like representation would otherwise cause case explosions. In this paper we describe these new features; as a motivating example, we show how to program the rewriter to reason effectively about the theory of records.

... Using the x86isa books, one can choose to verify the first program completely automaticallywithout using any rules provided by the x86isa books -by using the bit-blasting capabilities of GL [15,16] but at the expense of a general theorem of correctness. That is, one may need to constrain the initial x86 state by assigning concrete values instead of symbolic ones to certain components in order to reduce the complexity of the AIGs generated by GL, thereby making the problem tractable for bit-blasting. ...

The x86isa library, incorporated in the ACL2 community books project, provides a formal model of the x86 instruction-set architecture and supports reasoning about x86 machine-code programs. However, analyzing x86 programs can be daunting -- even for those familiar with program verification, in part due to the complexity of the x86 ISA. Furthermore, the x86isa library is a large framework, and using and/or contributing to it may not seem straightforward. We present some typical ways of working with the x86isa library, and describe some of its salient features that can make the analysis of x86 machine-code programs less arduous. We also discuss some capabilities that are currently missing from these books -- we hope that this will encourage the community to get involved in this project.

... This problem also applies to symbolic evaluation with the GL system [18]. GL is used in hardware verification at Centaur and elsewhere; it evaluates ACL2 functions on bit-level symbolic inputs, producing bit-level symbolic results, allowing the use of SAT or BDD reasoning to prove ACL2 theorems. ...

When using existing ACL2 datatype frameworks, many theorems require type
hypotheses. These hypotheses slow down the theorem prover, are tedious to
write, and are easy to forget. We describe a principled approach to types that
provides strong type safety and execution efficiency while avoiding type
hypotheses, and we present a library that automates this approach. Using this
approach, types help you catch programming errors and then get out of the way
of theorem proving.

... This paper presents Smtlink, a clause processor for using satisfiability modulo theory (SMT) solvers to discharge proof goals in ACL2. Prior work has [21,23] incorporated SAT solving into ACL2, and Manolios and Srinivasan [16,22] described an extension of ACL2 with the Yices SMT solver. Our work explores the use of SMT solvers for their decision procedures for linear and non-linear arithmetic which, to the best of our knowledge, has not been addressed in prior work. ...

We present our extension of ACL2 with Satisfiability Modulo Theories (SMT)
solvers using ACL2's trusted clause processor mechanism. We are particularly
interested in the verification of physical systems including Analog and
Mixed-Signal (AMS) designs. ACL2 offers strong induction abilities for
reasoning about sequences and SMT complements deduction methods like ACL2 with
fast nonlinear arithmetic solving procedures. While SAT solvers have been
integrated into ACL2 in previous work, SMT methods raise new issues because of
their support for a broader range of domains including real numbers and
uninterpreted functions. This paper presents Smtlink, our clause processor for
integrating SMT solvers into ACL2. We describe key design and implementation
issues and describe our experience with its use.

... It contains over 600 lemmas pertaining to bit vectors and logical operations, floating-point representations and arithmetic, and special-purpose techniques relevant to the implementation of elementary arithmetic operations. The latest version of the library includes a book that provides a connection with Centaur Technology's GL tool [8], which allows intermediate results that are susceptible to symbolic simulation to be proved automatically. The library belongs to the standard ACL2 release, residing in the Community Books directory "books/rtl/rel9/lib/", and is documented in an on-line reference manual [6]. ...

We describe the formal language MASC, based on a subset of SystemC and
intended for modeling algorithms to be implemented in hardware. By means of a
special-purpose parser, an algorithm coded in SystemC is converted to a MASC
model for the purpose of documentation, which in turn is translated to ACL2 for
formal verification. The parser also generates a SystemC variant that is
suitable as input to a high-level synthesis tool. As an illustration of this
methodology, we describe a proof of correctness of a simple 32-bit radix-4
multiplier.

Low-level systems code often needs to interact with data, such as page table entries or network packet headers, in which multiple pieces of information are packaged together as bitfield components of a single machine integer and accessed via bitfield manipulations (e.g., shifts and masking). Most existing approaches to verifying such code employ SMT solvers, instantiated with theories for bit vector reasoning: these provide a powerful hammer, but also significantly increase the trusted computing base of the verification toolchain.
In this work, we propose an alternative approach to the verification of bitfield-manipulating systems code, which we call BFF. Building on the RefinedC framework, BFF is not only highly automated (as SMT-based approaches are) but also foundational---i.e., it produces a machine-checked proof of program correctness against a formal semantics for C programs, fully mechanized in Coq. Unlike SMT-based approaches, we do not try to solve the general problem of arbitrary bit vector reasoning, but rather observe that real systems code typically accesses bitfields using simple, well-understood programming patterns: the layout of a bit vector is known up front, and its bitfields are accessed in predictable ways through a handful of bitwise operations involving bit masks. Correspondingly, we center our approach around the concept of a structured bit vector---i.e., a bit vector with a known bitfield layout---which we use to drive simple and predictable automation. We validate the BFF approach by verifying a range of bitfield-manipulating C functions drawn from real systems code, including page table manipulation code from the Linux kernel and the pKVM hypervisor.

We present a tool that primarily supports the ability to check bounded properties starting from a sequence of states in a run. The target design is compiled into an AIGNET which is then selectively and iteratively translated into an incremental SAT instance in which clauses are added for new terms and simplified by the assignment of existing literals. Additional applications of the tool can be derived by the user providing alternative attachments of constrained functions which guide the iterations and SAT checks performed. Some Verilog RTL examples are included for reference.

Construction of a formal model of a computing system is a necessary practice in formal verification. The results of formal analysis can only be valued to the same degree as the model itself. Model development is error-prone, not only due to the complexity of the system being modeled, but also because it involves addressing disparate requirements. For example, a formal model should be defined using simple constructs to enable efficient reasoning but it should also be optimized to offer fast concrete simulations. Models of large computing systems are themselves large software systems and must be subject to rigorous validation. We describe our formal, executable model of the x86 instruction-set architecture; we use our model to reason about x86 machine-code programs. Validation of our x86 ISA model is done by co-simulating it regularly against a physical x86 machine. We present design decisions made during model development to optimize both validation and verification, i.e., efficiency of both simulation and reasoning. Our engineering process provides insight into the development of a software verification and model animation framework from the points of view of accuracy, efficiency, scalability, maintainability, and usability.

Analysis of binary programs is important to ensure correct execution of corresponding higher-level programs, especially because it accounts for bugs introduced by compilers. Moreover, source code may not always be available for correctness analysis. Proving correctness of binaries often involves significant user expertise and time-consuming manual effort. We describe an approach to automatically verify some X86 binary programs using symbolic execution on an executable formal model of the X86 instruction set architecture. Our approach can reduce the time and effort involved in the proof development process for complex programs.

We describe the formal methodology we are using to verify components of a commercial 64-bit, x86-compatible microprocessor design at Centaur Technology. This methodology is based on the ACL2 theorem prover. In this methodology, we mechanically translate the RTL design into a formal HDL for which we have an interpreter in ACL2. We use AIG-and BDD-based symbolic simulation and theorem proving techniques to show that the hardware models satisfy their specifications, which are ACL2 functions. Completed verifications yield theorems admitted by ACL2, ensuring that the verification is based on sound reasoning. We have used this methodology to verify instructions such as SIMD floating-point addition and subtraction, integer and floating-point multiplication, comparisons, bit-wise logical operations, and integer/float conversions. We discuss our floating-point addition verification as a case study.

In recent years, leading microprocessor companies have made huge investments to improve the reliability of their products. Besides expanding their validation and CAD tools teams, they have incorporated formal verification methods into their design flows. Formal verification (FV) engineers require extensive training, and FV tools from CAD vendors are expensive. At first glance, it may seem that FV teams are not affordable by smaller companies. We have not found this to be true. This paper describes the formal verification framework we have built on top of publicly-available tools. This framework gives us the flexibility to work on myriad different problems that occur in microprocessor design.

Not available Computer Sciences

The floating-point division bug in Intel's Pentium processor and the overflow flag erratum of the FIST instruction in Intel's Pentium Pro and Pentium II processor have demonstrated the importance and the difficulty of verifying floating-point arithmetic circuits. In this paper, we present a "black box" version of verification of FP adders. In our approach, FP adders are verified by an extended word-level SMV using reusable specifications without knowing the circuit implementation. Word-level SMV is improved by using Multiplicative Power HDDs (*PHDDs), and by incorporating conditional symbolic simulation as well as a short-circuiting technique. Based on a case analysis, the adder specification is divided into several hundred implementation-independent sub-specifications. We applied our system and these specifications to verify the IEEE double precision FP adder in the Aurora III Chip from the University of Michigan. Our system found several design errors in this FP adder. Each specifica...

We have created an experimental extension to ACL2 that provides a means to symbolically evaluate ACL2 expres-sions. This modified implementation can be used to compute the 'general' application of an ACL2 function to generalized data. In particular, we use uBDDs to represent functions from Boolean variables to finite sets of ACL2 objects, and for guard-checked ACL2 functions we can automatically cre-ate corresponding generalized functions to operate on such generalized data. The DEFTHM hint mechanism has been extended to permit the direct application of symbolic simulation as a part of a proof attempt. This extension made it possible to di-rectly verify the Legato Challenge using only symbolic sim-ulation; this challenge involves proving the correctness of a 6502 assembly-language program that performs an 8-bit by 8-bit multiplication through repeated addition. We need only provide the initial symbolic data, i.e., two 8-bit, sym-bolic numbers, and we symbolically simulate the assembly-language program by symbolically simulating an ISA-level 6502-program interpreter that produces a symbolic result that we compare to its specification.

We have verified floating-point addition/subtraction instructions for the media unit from Centaur’s 64-bit, X86-compatible microprocessor. This unit implements over one hundred instructions, with the most complex being floating-point addition/subtraction. This media unit can add/subtract four pairs of floating-point numbers every clock cycle with an industry-leading two-cycle latency.
Using the ACL2 theorem proving system, we model the media unit by translating its Verilog design into an HDL that we have deeply embedded in the ACL2 logic. We specify the addition/subtraction instructions as integer-based ACL2 functions. Using a combination of AIG- and BDD-based symbolic simulation, case splitting, and theorem proving, we produce a mechanically checked theorem in ACL2 for each instruction examined stating that the hardware model yields the same result as the instruction specification.
In pursuit of these verifications, we implemented a formal HDL and symbolic simulation framework, including formally verified BDD and AIG operators, within the ACL2 theorem proving system. The HDL includes an extensible interpreter capable of performing concrete and symbolic simulations as well as non-functional analyses. We know of no other symbolic simulation-based floating-point verification that is performed within a single formal system and produces a theorem in that system without relying on unverified external tools.

We introduce the logical story behind file input in ACL2 and discuss the types of theorems that can be proven about file-reading operations. We develop a low level library for reasoning about the primitive input routines. We then develop a representation for Unicode text, and implement efficient functions to translate our representation to and from the UTF-8 encoding scheme. We introduce an efficient function to read UTF-8-encoded files, and prove that when files are well formed, the function produces valid Unicode text which corresponds to the contents of the file.We find exhaustive testing to be a useful technique for proving many theorems in this work. We show how ACL2 can be directed to prove a theorem by exhaustive testing.

We have developed an extension of ACL2 that includes the implementation of hash-based association lists and func- tion memoization; this makes some algorithms execute more quickly. This extension, enabled partially by the imple- mentation of Hash-CONS, represents ACL2 data objects in a canonical way, thus the comparison of any two such objects can be determined without the cost of descending through their CONS structures. A restricted set of ACL2 user- defined functions may be memoized; the underlying imple- mentation may conditionally retain the values of such func- tion calls so that if a repeated function application is re- quested, a previously computed value may instead be re- turned. We have defined a fast association list access and update functions using hash tables. We provide a file reader that identifies and eliminates duplicate representations of re- peated objects, and a file printer that produces output with no duplicate subexpressions.

This paper describes a new proof tool for deciding bit-vector problems in HOL4. The approach is based on “bit-blasting”, wherein
word expressions are mapped into propositional formulas, which are then handed to a SAT solver. Significantly, the implementation
uses the LCF approach, which means that the soundness of the tool is guaranteed by the soundness of HOL4’s logical kernel.

We present the mechanical verification of an algorithm for building a BDD from an AND/INVERTER graph (AIG). The algorithm
uses two methods to simplify an input AIG using BDDs of limited size; it repeatedly applies these methods while varying the
BDD size limit. One method is similar to dynamic weakening in that it replaces oversized BDDs by a conservative approximation;
the other method introduces fresh variables to represent oversized BDDs. This algorithm is written in the executable logic
of the ACL2 theorem prover. The primary contribution is the verification of our conversion algorithm. We state its correctness
theorem and outline the major steps needed to prove it.

Boolean Satisfiability (SAT) solvers are now routinely used in the verification of large industrial problems. However, their
application in safety-critical domains such as the railways, avionics, and automotive industries requires some form of assurance
for the results, as the solvers can (and sometimes do) have bugs. Unfortunately, the complexity of modern and highly optimized
SAT solvers renders impractical the development of direct formal proofs of their correctness. This paper presents an alternative
approach where an untrusted, industrial-strength, SAT solver is plugged into a trusted, formally verified, SAT proof checker
to provide industrial-strength certified SAT solving. The key characteristics of our approach are (i) that the checker is
not tied to a specific SAT solver but certifies any solver respecting the agreed format for satisfiability and unsatisfiability
claims, (ii) that the checker is automatically extracted from the formal development, and (iii) that the combined system can
be used as a standalone executable program independent of any supporting theorem prover. The core of the system is a checker
for unsatisfiability claims that is formally designed and verified in Coq. We present its formal design and outline the correctness
criteria. The actual standalone checker is automatically extracted from the the Coq development. An evaluation of the checker
on a representative set of industrial benchmarks from the SAT Race Competition shows that, albeit it is slower than uncertified
SAT checkers, it is significantly faster than certified checkers implemented on top of an interactive theorem prover.

We define the Subclass of Unrollable List Formulas in ACL2 (SULFA). SULFA is a subclass of ACL2 formulas based on list structures
that is sufficiently expressive to include invariants of finite state machines (FSMs). We have extended the ACL2 theorem prover
to include a new proof mechanism, which can recognize SULFA formulas and automatically verify them with a SAT-based decision
procedure. When this decision procedure is successful, a theorem is added to the ACL2 system database as a lemma for use in
future proof attempts. When unsuccessful, a counter-example to the SULFA property is presented.
We are using SULFA and its SAT-based decision procedure as part of a larger system to verify components of the TRIPS processor.
Our verification system translates Verilog designs automatically into ACL2 models. These models are written such that their
invariants are SULFA properties, which can be verified by our SAT-based decision procedure, traditional theorem proving, or
a mixture of the two.

We describe an approach to verifying bit-level pipelined machine models using a combination of deductive reasoning and decision
procedures. While theorem-proving systems such as ACL2 have been used to verify bit-level designs, they typically require
extensive expert user support. Decision procedures such as those implemented in UCLID can be used to automatically and efficiently
verify term-level pipelined machine models, but these models use numerous abstractions, implement a subset of the instruction set, and are
far from executable. We show that by integrating UCLID with the ACL2 theorem-proving system, we can use ACL2 to reduce the
proof that an executable, bit-level machine refines its instruction set architecture to a proof that a term-level abstraction
of the bit-level machine refines the instruction set architecture, which is then handled automatically by UCLID. We demonstrate
the efficiency of our approach by applying it to verify a complex, seven-stage, bit-level interface pipelined machine model
that implements 593 instructions and has features such as branch prediction, exceptions, and predicated instruction execution.
Such a proof is not possible using UCLID and would require prohibitively more effort using just ACL2.

This paper describes the integration of zCha and MiniSat, currently two leading SAT solvers, with Higher Order Logic (HOL) theorem provers. Both SAT solvers generate resolution-style proofs for (instances of) propositional tautologies. These proofs are verified by the theorem provers. The presented approach significantly improves the provers' performance on propositional problems, and exhibits coun- terexamples for unprovable conjectures. It is also shown that LCF-style theorem provers can serve as viable proof checkers even for large SAT problems. An ecient representation of the propositional problem in the theorem prover turns out to be crucial; several possible solutions are discussed.

Mechanized theorem proving is a promising means of formally establishing facts about complex systems. However, in applying theorem proving methodologies to industrial-scale hardware and software systems, a large amount of user interaction is required in order to prove useful properties. In practice, the human user tasked with such a verification must gain a deep understanding of the system to be verified, and prove numerous lemmas in order to allow the theorem proving program to approach a proof of the desired fact. Furthermore, proofs that fail during this process are a source of confusion: the proof may either fail because the conjecture was false, or because the prover required more help from the user in order to reach the desired conclusion. We have implemented a symbolic execution framework inside the ACL2 theorem prover in order to help address these issues on certain problem domains. Our framework introduces a proof strategy that applies bit-level symbolic execution using BDDs to finite-domain problems. This proof strategy is a fully verified decision procedure for such problems, and on many useful problem domains its capacity vastly exceeds that of exhaustive testing. Our framework also produces counterexamples for conjectures that it determines to be false. Our framework seeks to reduce the amount of necessary user interaction in proving theorems about industrial-scale hardware and software systems. By increasing the automation available in the prover, we allow the user to complete useful proofs while understanding less of the detailed implementation of the system. Furthermore, by producing counterexamples for falsified conjectures, our framework reduces the time spent by the user in trying to determine why a proof failed.

This memorandum is a continuation of Memo 8.

Functional verification is a critical problem facing the semiconductor industry: hardware designs are extremely complex and highly optimized, and even a single bug in deployed systems can cost more than $10 billion. We focus on the verification of pipelining, a key optimization that appears extensively in hardware systems such as microprocessors, multicore systems, and cache coherence protocols. Existing techniques for verifying pipelined machines either consume excessive amounts of time, effort, and resources, or are not applicable at the bit-level, the level of abstraction at which commercial systems are designed and functionally verified. We present a highly automated, efficient, compositional, and scalable refinement-based approach for the verification of bit-level pipelined machines. Our contributions include: (1) A complete compositional reasoning framework based on refinement. Our notion of refinement guarantees that pipelined machines satisfy the same safety and liveness properties as their instruction set architectures. In addition, our compositional framework can be used to decompose correctness proofs into smaller, more manageable pieces, leading to drastic reductions in verification times and a high-degree of scalability. (2) The development of ACL2-SMT, a verification system that integrates the popular ACL2 theorem prover (winner of the 2005 ACM Software System Award) with decision procedures. ACL2-SMT allows us to seamlessly take advantage of the two main approaches to hardware verification: theorem proving and decision procedures. (3) A proof methodology based on our compositional reasoning framework and ACL2-SMT that allows us to reduce the bit-level verification problem to a sequence of highly automated proof steps. (4) A collection of general-purpose refinement maps, functions that relate pipelined machine states to instruction set architecture states. These refinement maps provide more flexibility and lead to increased verification efficiency. The effectiveness of our approach is demonstrated by verifying various pipelined machine models, including a bit-level, Intel XScale inspired processor that implements 593 instructions and includes features such as branch prediction, precise exceptions, and predicated instruction execution. Ph.D. Committee Chair: Manolios, Panagiotis; Committee Member: Chatterjee, Abhijit; Committee Member: Gopalakrishnan, Ganesh; Committee Member: Lim, Sung-Kyu; Committee Member: Yalamanchili, Sudhakar

We describe the use of parametric representations of Boolean
predicates to encode data-space constraints and significantly extend the
capacity of formal verification. The constraints are used to decompose
verifications by sets of case splits and to restrict verifications by
validity conditions. Our technique is applicable to any symbolic
simulator. We illustrate our technique on state-of-the-art Intel(R)
designs, without removing latches or modifying the circuits in any way