Decomposing Refinement Proofs using Assume-Guarantee Reasoning Tom Henzinger (UC Berkeley) Shaz Qadeer (Compaq Research) Sriram Rajamani (Microsoft Research) ICCAD 2000



Decomposing Refinement Proofs using Assume-Guarantee Reasoning
Tom Henzinger (UC Berkeley)
Shaz Qadeer (Compaq Research)
Sriram Rajamani (Microsoft Research)
ICCAD 2000
Outline
1 Informal Introduction
2 Formal Definitions
Reactive Systems
Witnessed Refinement Proofs
Slicing Reactive Systems
Decomposing Refinement Proofs
3 Formal Example: Three-Stage Pipeline
4 Informal Example: Dataflow Processor Array
[Outline slide repeated: section 1, Informal Introduction]
Refinement Proof
Implementation (e.g. processor) < Specification (e.g. ISA)
< reads as “conforms with”, “refines”, “implements”.
Every I/O behavior of impl. is an I/O behavior of spec.
Decomposed Refinement Proof
[diagram: the refinement obligation split into one < per component]
Unsuccessful Proof Decomposition
[diagram: each component checked separately, with its inputs left unconstrained]
Unsuccessful Proof Decomposition
component x (input y unconstrained): x(0)=0, x(t+1)=y(t) < x(t)=0
component y (input x unconstrained): y(0)=0, y(t+1)=x(t) < y(t)=0
Circular Proof Decomposition
[diagram: each component's input is constrained by the specification of the other component's output]
Legal Circular Proof Decomposition
component x (x(0)=0, x(t+1)=y(t)) with input y constrained by S(y) < S(x)
component y (y(0)=0, y(t+1)=x(t)) with input x constrained by S(x) < S(y)
S(z): z(t)=0 (“I will not launch.”)
Illegal Circular Proof Decomposition 1
component x (x(0)=0, x(t+1)=y(t)) with input y constrained by L(y) < L(x)
component y (y(0)=0, y(t+1)=x(t)) with input x constrained by L(x) < L(y)
L(z): exists k s.t. z(t) = { 0 if t<k; 1 else } (“I will disarm.”)
Illegal Circular Proof Decomposition 2
component x (x(t)=y(t)) with input y constrained by y(t)=~x(t) < x(t)=0
component y (y(t)=1) with input x constrained by x(t)=0 < y(t)=~x(t)
[diagram repeated with the signal values 0/1 annotated on the ports]
Circular Assume-Guarantee Reasoning
For program verification: Chandy & Misra [1981]; Abadi & Lamport [1993]
For model checking: Alur & Henzinger [1995] (Mocha); McMillan [1997] (SMV)
Large applications: Eiriksson [1998]: 1M-gate ASICs (SMV); Liu, Qadeer, Rajamani [1999]: 64-processor array (Mocha)
[Outline slide repeated: section 2, Formal Definitions: Reactive Systems]
System S[P;Q]
input ports P={1,2,3}; input signals x1, x2, x3 : Nat -> Bool
output ports Q={4,5}; output signals y4, y5 : Nat -> Bool
input behavior x = (x1,x2,x3); output behavior y = (y4,y5)
I/O function: S(x) = y
Moore System S[P;Q;init;next]
y(0) = init
y(t+1) = next[ y(t), x(t+1) ]
init in Vals(Q); next: Vals(Q) x Vals(P) -> Vals(Q)
Inductive definition: given input behavior x, unique output behavior y.
Reactive System S[P;Q;init;next]
y(0) = init
y4(t+1) = next4[ y(t), x(t+1) ]
y5(t+1) = next5[ y(t), y4(t+1), x(t+1) ]
Port dependencies: 4 >> 1, 2, 3; 5 >> 1, 2, 3, 4
No combinational loop: given input behavior x, unique output behavior y.
Mealy System S[P;Q;init;next]
y4(t) = y5(t)
y5(t) = ~y4(t)
Port dependencies: 4 >> 5; 5 >> 4
Combinational loop: no output behavior y.
Mealy System S[P;Q;init;next]
y4(t) = y5(t)
y5(t) = y4(t)
Port dependencies: 4 >> 5; 5 >> 4
Combinational loop: no output behavior y, or multiple output behaviors y.
[Outline slide repeated: section 2, Formal Definitions: Witnessed Refinement Proofs]
Refinement
[diagram: S with ports 1, 2, 4, 5, 6 < S’ with ports 1, 3, 4, 5, 7]
For every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’.
Refinement
S[P;Q;init;next] < S’[P’;Q’;init’;next’] ?
Time complexity: O( 2^( |P| + |Q| + |P’| + 2^|Q’| ) )
If P’ u Q’ subset of P u Q (“Witnessed” Refinement): O( 2^( |P| + |Q| ) )
Witnessed Refinement
Every specification port is an implementation port.
[diagram sequence: S with ports 1, 2, 4, 5, 6 < S’ with ports 1, 3, 4, 5, 7]
Initially: for every I/O behavior (x1,x2,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’.
Add the specification input port 3 to S: for every I/O behavior (x1,x2,x3,x4,x5,x6) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’.
Construct a witness for 3 (3 becomes an output port of S).
Copy the specification of 7 into S: for every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, there is an I/O behavior (x1,x3,x4,x5,x7) of S’.
Now every specification port is an implementation port, and refinement becomes: for every I/O behavior (x1,x2,x3,x4,x5,x6,x7) of S, the projection (x1,x3,x4,x5,x7) is an I/O behavior of S’.
Checking Witnessed Refinement:
S[P;Q;init;next] < S’[P’;Q’;init’;next’] ?
Synchronized Search
1 Find the reachable states of the implementation S.
2 For each reachable state s, check that next( s[P;Q] )|Q’ = next’( s[P’;Q’] ).
This requires only a small extension of any reachability engine.
See, for example, www.eecs.berkeley.edu/~mocha .
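The synchronized search above, as an added example (not code from the talk or from Mocha): Boolean Moore systems, the talk's x/y implementation checked against the specification x(t)=0, y(t)=0, and a constructed variant with an extra input port r that violates it. The `Moore` class, `witnessed_refines` and the port name `r` are assumptions of this example; a state is the output valuation, and the slide's s[P;Q] is that state together with the current input valuation.

```python
from itertools import product

class Moore:
    """Moore system S[P;Q;init;next] over Boolean-valued ports."""
    def __init__(self, inputs, outputs, init, next_fn):
        self.P = tuple(inputs)    # input ports
        self.Q = tuple(outputs)   # output ports
        self.init = dict(init)    # init in Vals(Q)
        self.next = next_fn       # next: Vals(Q) x Vals(P) -> Vals(Q)

def project(val, ports):
    return {p: val[p] for p in ports}

def witnessed_refines(impl, spec):
    """Synchronized search: enumerate the reachable states s of impl and,
    for every input valuation x, require next(s,x)|Q' == next'(s[P';Q']).
    Returns (True, None) or (False, counterexample)."""
    if not set(spec.P) | set(spec.Q) <= set(impl.P) | set(impl.Q):
        raise ValueError("not witnessed: a specification port is missing in impl")
    if project(impl.init, spec.Q) != spec.init:
        return False, ("init", impl.init, spec.init)
    frontier, seen = [impl.init], {frozenset(impl.init.items())}
    while frontier:
        s = frontier.pop()
        for bits in product((0, 1), repeat=len(impl.P)):  # all input valuations
            x = dict(zip(impl.P, bits))
            s_next = impl.next(s, x)
            env = {**s, **x}  # s[P;Q]: current outputs plus the new inputs
            spec_next = spec.next(project(env, spec.Q), project(env, spec.P))
            if project(s_next, spec.Q) != spec_next:
                return False, (s, x, project(s_next, spec.Q), spec_next)
            key = frozenset(s_next.items())
            if key not in seen:
                seen.add(key)
                frontier.append(s_next)
    return True, None

# The talk's example: x(0)=0, x(t+1)=y(t) || y(0)=0, y(t+1)=x(t)
IMPL = Moore((), ("x", "y"), {"x": 0, "y": 0},
             lambda s, x: {"x": s["y"], "y": s["x"]})
# Specification x(t)=0 || y(t)=0, as a constant Moore system
SPEC = Moore((), ("x", "y"), {"x": 0, "y": 0}, lambda s, x: {"x": 0, "y": 0})
# Constructed variant (not from the talk): an input port r can force x to 1
IMPL_BAD = Moore(("r",), ("x", "y"), {"x": 0, "y": 0},
                 lambda s, x: {"x": s["y"] | x["r"], "y": s["x"]})

def check_example():
    return witnessed_refines(IMPL, SPEC)      # (True, None)
def check_bad_example():
    return witnessed_refines(IMPL_BAD, SPEC)  # (False, (state, {'r': 1}, impl next, spec next))
```

The failing case returns the reachable state, the input valuation and the two disagreeing next-state valuations, which is exactly the information a reachability engine extended in this way can report.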
[Outline slide repeated: section 2, Formal Definitions: Slicing Reactive Systems]
Composition S1[P1;Q1] || S2[P2;Q2]
Well-formed if: 1. Q1 and Q2 disjoint; 2. <<1 u <<2 acyclic
Result: (S1||S2) [(P1 u P2)\(Q1 u Q2); Q1 u Q2]
[diagram: S1 and S2 over ports 1..7, and the composed system S1||S2 whose inputs are the ports neither system outputs]
Q’-Slice of S[P;Q]
Q’ subset of Q, e.g. Q’ = {3,4}
(S|Q’) [P u (Q\Q’); Q’]
[diagram: S over ports 1..6; the outputs of S not in Q’ become inputs of the slice S|Q’]
[Outline slide repeated: section 2, Formal Definitions: Decomposing Refinement Proofs]
Weak Decomposition Rule
One subproof for each specification output port.
For specification output port 3: any slice of impl. < 3-slice of spec.
[diagram sequence: implementation over ports 1..6 < specification over ports 1, 3, 4, 5, split into one subproof per specification output port]
Strong (Assume-Guarantee) Decomposition Rule
One subproof for each specification output port.
For specification output port 3: any slice of impl., with its inputs constrained by the assumption (any ~3-slice of spec.), < 3-slice of spec.
[diagram sequence: implementation over ports 1..6 < specification over ports 1, 3, 4, 5, with the specification's other slices supplied as assumptions]
Example
Implementation: x(0)=0, x(t+1)=y(t) || y(0)=0, y(t+1)=x(t)
Specification: x(t)=0 || y(t)=0
Subproof for x: x(0)=0, x(t+1)=y(t) with assumption y(t)=0 < x(t)=0
Subproof for y: y(0)=0, y(t+1)=x(t) with assumption x(t)=0 < y(t)=0
The Need for Abstractions
One subproof for each specification output port.
The implementation (ports 1..6) has an output port 6 that the specification (ports 1, 3, 4, 5) lacks: construct an abstraction for 6, so that there is one subproof for each specification output port, including abstractions.
If the abstraction for 6 involves a new port 7, copy the witness for 7 into the implementation; the subproof for the copied port 7 is trivially true.
[diagram sequence: implementation over ports 1..7 < specification over ports 1, 3, 4, 5, 6, 7 with the added abstractions]
[Outline slide repeated: section 3, Formal Example: Three-Stage Pipeline]
[Outline slide repeated: section 4, Informal Example: Dataflow Processor Array]