An Overview of Formal Mathematical Reasoning with applications to Digital System Verification - PowerPoint PPT Presentation

1
An Overview of Formal Mathematical Reasoning with
applications to Digital System Verification
  • Ganesh C. Gopalakrishnan
  • Computer Science, Univ of Utah,
  • Salt Lake City, UT 84112
  • www.cs.utah.edu/formal_verification
  • Supported by NSF Grant CCR-9800928
  • and a generous grant from Intel Corporation

2
Overview
  • Digital systems
  • Mostly computers
  • Often Finite State Machines or other special
    purpose memories or I/O peripherals
  • Play various roles
  • Need to specify what's desired of them
  • Need to implement them economically
  • Get them to work!

3
Overview
  • How to unambiguously express what's desired?
  • How to describe the implementation likewise?
  • What does "works correctly according to spec"
    mean?
  • How much does it cost to establish correctness?
  • Is it worth it?
  • Do users understand or notice the effect of
    correct operation? Do they react favorably?
  • Do manufacturers believe in doing it right at any
    cost?
  • Do lessons get reflected back into the design
    process?

4
Views of correctness
  • It often exhibits flashes of plausibility!
  • It boots NT
  • It runs w/o crashing for 2 weeks
  • It often does what the documentation says
  • It is a gold-standard of predictable behavior
    (but timing vagaries are annoying)
  • Its time-response is reasonably predictable
  • With legal vectors it's fine, but it is
    anybody's guess what they are
  • It's so reliable that we don't even notice it!

5
Various precise lingo
  • Precision is in the eye of the beholder
  • Precision according to needs
  • Don't just say it: be able to do something with
    what you say (machine readable)
  • Be able to trace all consequences of what you say
    (what-if queries)
  • Precise can be too verbose (the list of all I/O
    vectors is a precise description but useless for
    human reasoning)
  • Be able to avoid saying the irrelevant
  • Be able to generalize and round what you say
  • What's the sweet spot of precision and reasoning
    convenience?

6
Logic versus Physics
  • A computer does as much logic as a falling
    apple does Newtonian mechanics
  • A computer is a mindless bit basher
  • A computer is an oscillator on steroids
  • A computer is a CMOS oven
  • Yet it curiously is the case that one can make
    sense of many things computers do using
    mathematical logic

7
Logic versus Physics
  • Barwise: "Logic is in some sense more fundamental
    than physics because logic is what rational
    inquiry is all about. There is an overwhelming
    intuition that the laws of logic are somehow more
    fundamental, less subject to repeal, than the
    laws of the land, or even the laws of physics."
  • We've of course come a long way since we declared
    that Socrates was mortal since he was a man and
    all men are mortal. According to Manna, logic now
    plays a role similar to that played by calculus
    in engineering.

8
About this course
  • I hope to take you through a segment of
    mathematical logic I know well
  • I hope to drive a few examples home so that you
    have something concrete to reflect on
  • I hope to set the stage for the (much more fun)
    course on tool usage to follow
  • I hope to learn a lot from teaching you!

9
Course Outline
  • Boolean Reasoning
  • Propositional logic
  • Being able to pump out only true sentences
  • Being able to pump out sentences to corroborate
    all truths
  • Is there an algorithm to do the above?
  • What's its run-time like?
  • To truth through proofs
  • Well, that's the classical way; other (more
    practical) ways include being able to produce
    truths via computations
  • Boolean algebras
  • One of many meanings
  • Other meanings: decision diagrams

10
Propositional logic
  • Gives a formal notation to write down truths
  • The language consists of propositional variables
    that range over True and False
  • The language provides connectives (and, written
    "."; or, written "+"; and not, written "!") that
    allow one to compose propositions
  • Every sentence in the language has a meaning
  • Usually the meanings are in terms of Boolean
    algebras (value domains plus functions)
  • One can also build data structures (e.g. BDDs)
    representing these truths

11
Soundness and Completeness
  • One likes to have algorithmic means of proving
    all true assertions (completeness)
  • One likes to have only sound proof systems (never
    be able to prove false)
  • These attributes (soundness and completeness) are
    shared by many other formal mechanisms not just
    logics.
  • For example, given the context-free grammar
  • S -> 0 S 1 | 1 S 0 | S S | epsilon
  • and the claim that the grammar generates all
    sentences with equal numbers of 0s and 1s, one
    can define
  • Soundness: no string with unequal numbers of 0s
    and 1s is generated
  • Completeness: all strings with equal numbers of
    0s and 1s are generated
  • Puzzle: how do we prove this for this CFG?
  • Hint: soundness is easy; completeness goes
    through induction.
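A bounded check of the soundness and completeness claims for this grammar, added here as an example (it is not part of the slides); it computes the language up to a length bound by iterating the productions to a fixed point, which loses nothing because no production shortens a string:

```python
from itertools import product

# Added example (not from the slides): a bounded check of the soundness and
# completeness claims for S -> 0 S 1 | 1 S 0 | S S | epsilon. The language is
# computed up to a length bound by iterating the productions to a fixed point.

def language_up_to(max_len):
    """All strings of length <= max_len derivable from S."""
    lang = {''}                      # S -> epsilon
    while True:
        new = set(lang)
        for s in lang:
            new.add('0' + s + '1')   # S -> 0 S 1
            new.add('1' + s + '0')   # S -> 1 S 0
        for a in lang:
            for b in lang:
                new.add(a + b)       # S -> S S
        new = {s for s in new if len(s) <= max_len}
        if new == lang:              # fixed point reached
            return lang
        lang = new

def balanced(s):
    return s.count('0') == s.count('1')

def sound_up_to(max_len):
    """Soundness: nothing generated has unequal numbers of 0s and 1s."""
    return all(balanced(s) for s in language_up_to(max_len))

def complete_up_to(max_len):
    """Completeness: every balanced string up to the bound is generated."""
    lang = language_up_to(max_len)
    candidates = (''.join(bits) for n in range(max_len + 1)
                  for bits in product('01', repeat=n))
    return all(s in lang for s in candidates if balanced(s))
```

A bounded check is evidence, not the inductive proof the hint asks for.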

12
Complexity Results
  • Various notions in propositional logic
  • Attributes of sentences
  • Valid: true under all variable-settings
    (interpretations)
  • Satisfiable: there is a variable-setting that
    makes the sentence true
  • The complexity of determining satisfiability is
    unknown (the best known algorithms take O(2^n)).
    This is related to the famous 3-SAT problem,
    which is NP-complete
  • Basic property of the SAT problem
  • There is a non-deterministic algorithm to check
    satisfiability in polynomial time (guess a
    satisfying assignment and check it in polynomial
    time)
  • If a computer algorithm can perform Boolean
    satisfiability checking in polynomial time, then
    several problems for which only exponential exact
    algorithms are known can be solved by simulating
    them on top of a SAT solver, with only an added
    polynomial simulation cost.

13
Hilbert-style Axiomatizations
  • One axiomatization of propositional logic
  • Axiom schemes:
  • p > (q > p)
  • (s > (p > q)) > ((s > p) > (s > q))
  • (!q > !p) > (p > q)
  • Rules of inference:
  • only one, Modus Ponens
  • a,  a > b
  • -------------
  • b

14
Proofs via primitive inferences vs. proofs via
semantic reasoning
  • Proof of p > p from the axiom schemes
  • p > (q > p)
  • (s > (p > q)) > ((s > p) > (s > q))
  • (!q > !p) > (p > q)
  • and Modus Ponens:
  • p > ((p > p) > p)   (axiom scheme 1)
  • (p > ((p > p) > p)) > ((p > (p > p)) >
    (p > p))   (axiom scheme 2)
  • MP gives (p > (p > p)) > (p > p)
  • (p > (p > p)) is an axiom (scheme 1)
  • MP gives (p > p)
  • Modern thought: don't do the primitive inferences
    if you can help it; instead, build a BDD and blow
    it away: if you get all paths going to the 1
    leaf, the formula is a tautology.
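The five-step proof above, checked mechanically, beside the "modern" semantic route of evaluating every assignment; this is an added example, not code from the slides, and the tuple encoding of formulas and the function names are its own choices:

```python
from itertools import product
# Added example (not from the slides): a tiny checker for the Hilbert-style
# system above. A formula is a variable name (str), ('!', a) or ('>', a, b).
A1 = ('>', 'p', ('>', 'q', 'p'))
A2 = ('>', ('>', 's', ('>', 'p', 'q')), ('>', ('>', 's', 'p'), ('>', 's', 'q')))
A3 = ('>', ('>', ('!', 'q'), ('!', 'p')), ('>', 'p', 'q'))
AXIOM_SCHEMES = [A1, A2, A3]

def instantiate(scheme, env):
    """Replace each scheme variable by the formula chosen for it in env."""
    if isinstance(scheme, str):
        return env[scheme]
    return (scheme[0],) + tuple(instantiate(x, env) for x in scheme[1:])

def check_proof(steps):
    """Steps are ('ax', i, env) or ('mp', j, k), where step j proved a and step k
    proved a > b. Returns the proved formulas; raises if MP does not apply."""
    proved = []
    for n, step in enumerate(steps):
        if step[0] == 'ax':
            proved.append(instantiate(AXIOM_SCHEMES[step[1]], step[2]))
            continue
        a, ab = proved[step[1]], proved[step[2]]
        if ab[0] != '>' or ab[1] != a:
            raise ValueError(f"step {n}: modus ponens does not apply")
        proved.append(ab[2])
    return proved

# The five-step proof of p > p from the slide, as primitive inferences.
p, pp = 'p', ('>', 'p', 'p')
PROOF_OF_P_IMPLIES_P = [
    ('ax', 0, {'p': p, 'q': pp}),          # p > ((p>p) > p)
    ('ax', 1, {'s': p, 'p': pp, 'q': p}),  # (p > ((p>p) > p)) > ((p > (p>p)) > (p>p))
    ('mp', 0, 1),                          # (p > (p>p)) > (p>p)
    ('ax', 0, {'p': p, 'q': p}),           # p > (p>p)
    ('mp', 3, 2),                          # p > p
]
# The "modern" route: evaluate under every assignment instead of proving.
def evaluate(f, env):
    if isinstance(f, str): return env[f]
    if f[0] == '!': return not evaluate(f[1], env)
    return (not evaluate(f[1], env)) or evaluate(f[2], env)

def variables(f):
    return {f} if isinstance(f, str) else set().union(*map(variables, f[1:]))

def is_tautology(f):
    names = sorted(variables(f))
    return all(evaluate(f, dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))
```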

15
Illustration of quantification and modular design
principles
  • Propositional logic is surprisingly versatile for
    modeling
  • Illustrated on a simple CMOS ckt design theory
    (Hoare)
  • Illustrates the notion of refinement preorders
  • Illustrates the construction of non-trivial
    equivalences
  • Illustrates the notion of invariants
  • Illustrates monotonicity
  • Illustrates the notion of safe substitutability
  • Concrete modeling of the above illustrated using
    the PVS theorem-prover

16
Existential Quantification is iterated
disjunction, and models information hiding
  • Advanced Boolean reasoning
  • Expressing information hiding
  • R(u,v,x,z) = Exists w . (w = u.v) . (z = x ⊕ w)
  • To calculate the new relation R(u,v,x,z), simply
    do the summation
  • (0 = u.v) . (z = x ⊕ 0)
  • + (1 = u.v) . (z = x ⊕ 1)
  • i.e.
  • z = (u.v) ⊕ x, equivalently z = u.v.!x + x.(!u + !v)
  • Existential quantification is basically an
    iterated disjunction (over all the values of the
    domain)

17
Universal Quantification is the Dual of
Existential, is also iterated conjunction, and is used
to model correctness for all inputs
  • The dual of Existential: Universal
  • Exists x. P(x) = not(Forall x. not(P(x)))
  • One use of Forall
  • Forall inputs. Spec(inputs) = Imp(inputs)
  • Example: the incorrect assertion
  • Forall A, B. And(A,B) = Or(A,B)
  • This can be reduced to
  • And(0,0) = Or(0,0)
  • . And(0,1) = Or(0,1)
  • . And(1,0) = Or(1,0)
  • . And(1,1) = Or(1,1)
  • which evaluates to T . F . F . T = F
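Both quantifiers computed literally as iterated disjunction and conjunction over the Boolean domain, applied to the relation R of the previous slide and to the incorrect And = Or claim above; this is an added example, not code from the slides, and the function names are its own:

```python
from itertools import product

# Added example (not from the slides): quantifiers over the Boolean domain
# computed literally as iterated disjunction (Exists) and conjunction (Forall).

def exists(pred):
    """Exists w. pred(w) over {0, 1}: an OR of the two instances."""
    return any(pred(w) for w in (0, 1))

def forall(pred):
    """Forall w. pred(w) over {0, 1}: an AND of the two instances."""
    return all(pred(w) for w in (0, 1))

def R(u, v, x, z):
    """R(u,v,x,z) = Exists w . (w = u.v) . (z = x xor w); w is hidden."""
    return exists(lambda w: w == (u & v) and z == (x ^ w))

def R_summed_out(u, v, x, z):
    """The result of doing the summation by hand: z = (u.v) xor x."""
    return z == ((u & v) ^ x)

def summation_matches():
    """Compare R with its summed-out form on all 16 assignments of u,v,x,z."""
    return all(R(*bits) == R_summed_out(*bits) for bits in product((0, 1), repeat=4))

def universal_conjuncts(spec, imp, arity):
    """Forall inputs. Spec = Imp, unfolded into one conjunct per input vector."""
    return [spec(*bits) == imp(*bits) for bits in product((0, 1), repeat=arity)]

def spec_equals_imp(spec, imp, arity):
    return all(universal_conjuncts(spec, imp, arity))

def counterexamples(spec, imp, arity):
    """The inputs on which the universal claim fails (empty iff it holds)."""
    return [bits for bits in product((0, 1), repeat=arity) if spec(*bits) != imp(*bits)]

AND = lambda a, b: a & b
OR = lambda a, b: a | b
```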
18
A simple theory of CMOS combinational ckt design
(Hoare, 88)
How does one model a CMOS transistor? "Nothing
models a transistor like a transistor" (Lance
Glasser). Nevertheless we will create simplistic
models just for the sake of illustration.
N-transistor: g > (s = d)
P-transistor: !g > (s = d)
But these are poor models: they don't convey the
notion of drive (good 0, good 1, etc.)
19
Hoare's idea: use three attributes
  • Consistency (C), Drive (D) and Need for drive (N),
    written as the triple (C, D, N)
  • N-transistor with gate (g,dg), source (s,ds) and
    drain (d,dd):
  • C: g > (s = d)
  • D: g . dg . (!s + !d) > (ds = dd)
  • N: dg + (s = d)
  • P-transistor with gate (g,dg), source (s,ds) and
    drain (d,dd):
  • C: !g > (s = d)
  • D: !g . dg . (s + d) > (ds = dd)
  • N: dg + (s = d)
20
Now, let's build an inverter
[diagram: p-transistor from supply 1 to the output (o, do),
n-transistor from the output to ground 0, gate input (i, di)]
inv((i,di),(o,do)) = ntrans((i,di),(0,1),(o,do))
  ∧ ptrans((i,di),(1,1),(o,do)) where
ntrans((g,dg),(s,ds),(d,dd)) =
  ( g > (s = d),
    g . dg . (!s + !d) > (ds = dd),
    dg + (s = d) )
ptrans((g,dg),(s,ds),(d,dd)) =
  ( !g > (s = d),
    !g . dg . (s + d) > (ds = dd),
    dg + (s = d) )
and
(C1,D1,N1) ∧ (C2,D2,N2) = (C1/\C2, D1/\D2, N1/\N2)
This gives
( i > (o = 0) /\ !i > (o = 1),  i.di > do /\
  !i.di > do,  (di + o).(di + !o) )
= ( o = !i,  di > do,  di )
21
Now, let's build a bad buffer
buf((i,di),(o,do)) = ntrans((i,di),(1,1),(o,do))
  ∧ ptrans((i,di),(0,1),(o,do))
Its drive attribute is i.di.!o > do /\ !i.di.o > do,
i.e. when di is asserted, do follows only when
(o = !i), which consistency (o = i) rules out, so we
can never prove do.
[diagram: n-transistor from supply 1 to the output (o, do),
p-transistor from the output to ground 0, gate input (i, di)]
22
Circuit Equivalence from a practical perspective
(C1,D1,N1) ≡ (C2,D2,N2) exactly when 1), 2) and 3)
hold:
1) C1 = C2
2) C1.D1 = C2.D2
   -- drives match only in the legal operating zone;
   -- C1 and C2 sort of are like invariants
3) C1.D1.N1 = C2.D2.N2
   -- need for drive only in states where the ckt is
   -- consistent and produces drive (so some of its
   -- drive need might be satisfied by the ckt)
A canonical representation for (C,D,N) under the
above equivalence is (C, C.D, C.D > N)
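The transistor models of the preceding slides, the inverter, the bad buffer and the equivalence test just defined, as an added example (not Hoare's or the slides' own code); representing a circuit as a function from a wire assignment to a (C, D, N) triple is this example's choice:

```python
from itertools import product
# Added example (not Hoare's or the slides' code): the (C, D, N) transistor
# models of the preceding slides, composition as pointwise conjunction, and
# the equivalence test via the canonical form (C, C.D, C.D > N).
# A circuit is a function env -> (C, D, N); env maps wire names to bits,
# with "dX" the drive bit of wire X.
def imp(a, b):
    return (not a) or b

def ntrans(g, dg, s, ds, d, dd):
    """N-type: conducts on g = 1; transfers drive when passing a 0."""
    return (imp(g, s == d),
            imp(g and dg and ((not s) or (not d)), ds == dd),
            dg or (s == d))

def ptrans(g, dg, s, ds, d, dd):
    """P-type: conducts on g = 0; transfers drive when passing a 1."""
    return (imp(not g, s == d),
            imp((not g) and dg and (s or d), ds == dd),
            dg or (s == d))

def compose(ckt1, ckt2):
    """(C1,D1,N1) ^ (C2,D2,N2) = (C1.C2, D1.D2, N1.N2)."""
    return lambda e: tuple(a and b for a, b in zip(ckt1(e), ckt2(e)))

# Inverter: n-transistor to a driven 0, p-transistor to a driven 1.
inverter = compose(lambda e: ntrans(e['i'], e['di'], 0, 1, e['o'], e['do']),
                   lambda e: ptrans(e['i'], e['di'], 1, 1, e['o'], e['do']))
# The simplified triple the slide arrives at: (o = !i, di > do, di).
inverter_simplified = lambda e: (e['o'] == (not e['i']), imp(e['di'], e['do']), e['di'])
# Bad buffer: the same transistors with the supply connections swapped.
bad_buffer = compose(lambda e: ntrans(e['i'], e['di'], 1, 1, e['o'], e['do']),
                     lambda e: ptrans(e['i'], e['di'], 0, 1, e['o'], e['do']))
WIRES = ['i', 'di', 'o', 'do']

def envs(wires=WIRES):
    return [dict(zip(wires, bits)) for bits in product((False, True), repeat=len(wires))]

def canonical(ckt, e):
    """(C, C.D, C.D > N) is canonical under the equivalence of this slide."""
    c, d, n = ckt(e)
    return (c, c and d, imp(c and d, n))

def equivalent(ckt1, ckt2):
    return all(canonical(ckt1, e) == canonical(ckt2, e) for e in envs())

def drive_propagates(ckt):
    """With the input driven (di), does C.D let us prove do? Not for the bad buffer."""
    return all(e['do'] for e in envs() if all(canonical(ckt, e)[:2]) and e['di'])
```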
23
Circuit betterness
(C1,D1,N1) ≤ (C2,D2,N2) reads "ckt 2 is better than
ckt 1" and means:
C1 = C2          -- same logic function
C2.D2 > D1       -- ckt2 provides more drive than ckt1
                 -- whenever C2 is operating consistently
C1.D1.N1 > N2    -- ckt2 needs less drive than ckt1
                 -- whenever ckt1 is operating consistently
                 -- and is obeying its role of providing drives
24
Circuit betterness
  • If ckt1 ≤ ckt2 and ckt2 ≤ ckt1, we have
    ckt1 ≡ ckt2, where ≡ is as defined before.
  • ≤ is a preorder
  • reflexive
  • transitive
  • It is NOT anti-symmetric. Preorders are
    nice because they allow us to establish
    equivalences that are accommodative.
    (The conjunction of a partial order and its
    inverse forces the identity equivalence relation,
    which is too constraining.)

25
Monotonicity: ability to substitute and preserve
goodness
If ckt1 ≤ ckt2 then we desire that ckt1 ∧ ckt ≤
ckt2 ∧ ckt. This is indeed true of the Hoare
ckt calculus. Monotonicity is an important
design principle, truly capturing modularity and
substitutivity without surprises. If we
substitute a better component for an existing
component, the whole system ends up no
worse than the original.
26
Hiding
If we want to hide a wire w from a ckt C,
we generally do Exists w. C. However, in terms
of our (C,D,N) attributes, we do the
following. Let Hw.C denote "hide w from C".
Hw.(C,D,N) =
  ( Exists w . C,           -- willing to settle for w = 0 or
                            -- w = 1 in terms of consistency
    Exists w,dw . C.D,      -- can only provide the weakest
                            -- compromise drive over all w,dw
    Forall w,dw . C.D > N ) -- the strongest need for drive
                            -- (over all w,dw) must be met.
27
Discussion Problems
  • Prove that a transmission-gate is better than
    (according to ≤) an N-type pass transistor.
N-type pass transistor between wires i and o:
(C1,D1,N1) = ( g > (i = o),  g.dg.(!i + !o) > (di = do),
               dg + (i = o) )
Transmission gate:
(C2,D2,N2) = ( g > (i = o),  g.dg > (di = do),
               dg + (i = o) )
Let R = D1 and R' = D2. R is of the form P > Q, and
R' of the form P' > Q, where P > P'. Thus R' > R.
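The betterness preorder, its monotonicity under composition, hiding and the transmission-gate problem above, each checked by enumerating every assignment; this is an added example, not code from the slides. `npass` and `tgate` transcribe the two triples of the discussion problem, and the load context is constructed for illustration:

```python
from itertools import product
# Added example (not from the slides): the betterness preorder, its
# monotonicity under composition, hiding and the transmission-gate problem,
# all checked by enumerating every assignment. A circuit is a function
# env -> (C, D, N) of Booleans; env maps wire names to bits.
def imp(a, b):
    return (not a) or b

def envs(wires):
    return [dict(zip(wires, bits)) for bits in product((False, True), repeat=len(wires))]

def better(ckt1, ckt2, wires):
    """ckt1 <= ckt2 (ckt2 is better): C1 = C2, C2.D2 > D1 and C1.D1.N1 > N2."""
    for e in envs(wires):
        (c1, d1, n1), (c2, d2, n2) = ckt1(e), ckt2(e)
        if not (c1 == c2 and imp(c2 and d2, d1) and imp(c1 and d1 and n1, n2)):
            return False
    return True

def compose(ckt1, ckt2):
    """Composition is pointwise conjunction of the three attributes."""
    return lambda e: tuple(a and b for a, b in zip(ckt1(e), ckt2(e)))

def hide(ckt, w, dw):
    """Hw.(C,D,N) = (Exists w. C, Exists w,dw. C.D, Forall w,dw. C.D > N).
    C never mentions dw here, so quantifying dw in the C component is harmless."""
    def hidden(e):
        ts = [ckt(dict(e, **{w: a, dw: b})) for a in (False, True) for b in (False, True)]
        return (any(c for c, _, _ in ts), any(c and d for c, d, _ in ts),
                all(imp(c and d, n) for c, d, n in ts))
    return hidden

# The discussion problem: N-type pass transistor vs transmission gate (wires i, o).
PASS_WIRES = ['g', 'dg', 'i', 'di', 'o', 'do']

def npass(e):
    g, dg, i, di, o, do = (e[k] for k in PASS_WIRES)
    return (imp(g, i == o), imp(g and dg and ((not i) or (not o)), di == do), dg or (i == o))

def tgate(e):
    g, dg, i, di, o, do = (e[k] for k in PASS_WIRES)
    return (imp(g, i == o), imp(g and dg, di == do), dg or (i == o))

def tgate_strictly_better():
    """tgate beats npass, and not the other way round (a preorder, not symmetric)."""
    return better(npass, tgate, PASS_WIRES) and not better(tgate, npass, PASS_WIRES)

def monotone_for(context):
    """npass <= tgate still holds after composing both with the same context."""
    return better(compose(npass, context), compose(tgate, context), PASS_WIRES)

# A constructed context: a load that obliges the input wire to be driven.
driven_input_load = lambda e: (True, e['di'], True)
```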
28
Summary of Module 1
  • It all began with Boole in the 1850s; people
    didn't pay attention even after Claude Shannon
    showed its merit
  • It took several tries before Boolean reasoning
    caught on
  • Need to tackle the complexity.
  • Surprisingly versatile:
  • we saw a design calculus that has
    structural operators such as ∧ and hiding,
    the notion of improvement,
    that improvements are preorders, and
    that the improvement relation is
    monotonic (preserved in contexts).