Proceedings of the

# Third HOL Users Meeting

Aarhus University, 1–2 October 1990

 $\begin{array}{c} {\rm DAIMI~PB-340} \\ {\rm December~1990} \end{array}$ 





# Foreword

This is a collection of papers, notes and copies of transparencies representing the talks and discussions of the Third HOL Users Meeting held at The Computer Science Department, Aarhus University 1 - 2 October 1990.

Glynn Winskel

# Contents

- Programme.
- Abstracts of talks.
- Copies of transparencies and relevant papers.

# THIRD INTERNATIONAL HOL USERS MEETING Aarhus University, Denmark

# PROGRAMME

# DAY 1 (Tuesday, October 1)

|             |                                                                                                      | page      |
|-------------|------------------------------------------------------------------------------------------------------|-----------|
| 09.00-10.00 | REGISTRATION                                                                                         |           |
| 10.00-10.15 | Welcome: Glynn Winskel, Aarhus University, DK.                                                       |           |
| 10.15-10.45 | Mike Gordon, Cambridge University, UK.<br>Current Research using HOL at Cambridge.                   | 1 – 6     |
| 10.45-11.15 | Tom Melham, Cambridge University, UK. A short overview of Version 1.12 of the system.                | 7 – 20    |
| 11.15-11.30 | BREAK                                                                                                |           |
| 11.30-12.00 | Konrad Slind, University of Calgary, Canada.<br>Details of a new HOL implementation in SML.          | 21 – 34   |
| 12.00-12.30 | R.D. Arthan, ICL, UK.<br>A High-Assurance Implementation of HOL.                                     | 35 – 46   |
| 12.30-14.00 | LUNCH BREAK                                                                                          |           |
| 14.00-15.00 | Elsa Gunter, AT & T Bell Labs, USA. The Implementation and Use of Abstract Theories in HOL.          | 47 – 64   |
| 15.00-15.30 | Myla M. Archer, University of California, USA.<br>A Tree-editor Interface to HOL.                    | 65 – 98   |
| 15.30-16.00 | BREAK                                                                                                |           |
| 16.00-16.30 | Aarhus students.<br>A Mutually Recursive Types Package in HOL.                                       | 99 – 114  |
| 16.30-17.00 | Malcolm Newey, The Australian National University,<br>Australia.<br>Another Iteration in Arithmetic. | 115 – 122 |
| 17.00       | Discussion on future developments of HOL.                                                            |           |
| 19.00       | CONFERENCE DINNER (Jacob's Barbeque)                                                                 |           |
|             |                                                                                                      |           |

# DAY 2 (Tuesday, October 2)

|             |                                                                                                                                   | page      |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------|-----------|
| 09.30-10.30 | Tom Melham, Cambridge University, UK.<br>A Mechanized Theory of the Pi-calculus in HOL.                                           | 123 – 150 |
| 10.30-11.00 | BREAK                                                                                                                             |           |
| 11.00-11.30 | Flemming Andersen, TFL (A Telecomms Research<br>Laboratory), DK<br>A Definitional Theory of UNITY in HOL.                         | 151 – 162 |
| 11.30-12.00 | Kim Dam Petersen, TFL (A Telecomms Research<br>Laboratory), DK.<br>Construction of the P(omega) lambda calculus model<br>in HOL.  | 163 – 174 |
| 12.00-12.30 | Wim Ploegaerts, IMEC, Belgium.<br>HOL theory for finite word length arithmetic.                                                   | 175 – 188 |
| 12.30-14.00 | LUNCH BREAK                                                                                                                       |           |
| 14.00-15.00 | Jeff Joyce, University of British Columbia, Canada.<br>More Reasons Why Higher-Order Logic is a Good<br>Formalism for Specifying. | 189 – 232 |
| 15.00-15.30 | Aarhus students.<br>A low-level circuit model in HOL.                                                                             | 233 – 252 |
| 15.30-16.00 | BREAK                                                                                                                             |           |
| 16.00-16.30 | Catia Marcondes Angelo, IMEC, Belgium. The Verification of a Parameterized Mead and Conway Alu Core in HOL.                       | 253 – 282 |
| 16.30-17.00 | Richard J. Boulton, Cambridge University, UK.<br>The HOL Verification of ELLA Designs.                                            | 283 –296  |
| 17.00-17.30 | Ton Kalker, Philips Research Laboratories, The<br>Netherlands.<br>HOL Semantics of SILAGE.                                        | 297 - 314 |

AUTHOR: M.J.C. Gordon

TITLE: Current Research using HOL at Cambridge

# SHORT ABSTRACT:

Discussion of some activities with HOL since the last meeting.

AUTHOR: Tom Melham

TITLE: A short overview of Version 1.12 of the system.

AUTHOR: Konrad Slind

TITLE: Details of a new HOL implementation in SML.

AUTHOR: R.D. Arthan

TITLE: A High-Assurance Implementation of HOL

# SHORT ABSTRACT:

ICL are engaged in an IED sponsored project to develop af highly assured version of HOL for use in industrial applications. The paper will report on this work.

AUTHOR: Elsa L. Gunter

TITLE: The Implementation and Use of Abstract Theories in HOL

# SHORT ABSTRACT:

At the last HOL meeting, I proposed that a notion of abstract theories be added to HOL. This year, I will discuss an implementation of that proposal which was implemented mostly on top of the existing notion of theories in HOL. We will discuss what modification were made to the underlying system, why they were made, why it is sound to have made them, and in what sense are they upwards-compatible. We will discuss how abstract theories are used in a variety of setting. Finally, time allowing we will discuss some of

the ways in which this implementation falls short of giving the user the full functionality that one might expect from abstract theories and what it would take to overcome these shortcomings.

AUTHOR: Myla M. Archer

TITLE: A Tree-editor Interface to HOL

# SHORT ABSTRACT:

We have developed a tree-editor interface (PM) to HOL, based on an Emacs-based programmable tree editor (Treemacs) developed at the Univ. of Illinois. PM ("proofmanager") permits convenient access to subgoals and convenient proof display, and maintains proof soundness. There are additional useful features, and plans for extending the tool.

AUTHOR: Malcolm Newey

TITLE: Another Iteration in Arithmetic.

# SHORT ABSTRACT:

I have used Tom Melham's axiomatisation of natural numbers (the one appearing in HOL88 1.11) but have changed the theory so much that I will (no doubt) incur the wrath of many HOL users when I suggest we make a change to this important standard fragment of the Basic HOL System. Nevertheless, I do intend to argue that the benefits of a major change in this area, even at this late stage, are worth the inconvenience that will be caused to users with a substantial investment in proofs using the current package.

**AUTHOR:** Tom Melham

TITLE: A Mechanized Theory of the pi-calculus in HOL.

# SHORT ABSTRACT:

This talk will describe work in progress on the construction of a mechanized formal theory in HOL of the pi-calculus, a process algebra developed by Milner and others for modelling communicating systems in which processes can have changing structure. The aim is to support reasoning in the pi-calculus about applications as well as proofs about the pi-calculus itself.

AUTHOR: Flemming Andersen

TITLE: A Definitional Theory of UNITY in HOL

# SHORT ABSTRACT:

Higher Order Logic is powerful enough to model the axiomatic definition of the UNITY logic as defined in [Chandy, Misra: Parallel Program Design, A Foundation. Addison Wesley 1988].

A method for defining relations in HOL using fixpoint equations is presented. It is shown that the UNITY relation 'leadsto', which models the graph of a transitive and disjunctive closure of binary relations, is a special case of these relations.

AUTHOR: Kim Dam Petersen

TITLE: Construction of the P  $\omega$  lambda calculus model in HOL

# SHORT ABSTRACT:

The P omega model may be constructed in Higher Order Logic, using the description given in [Barendregt: The Lambda Calculus, North-Holland 1984].

The construction of the model in HOL is presented, and an outline of solving selected reflexive domain equations using the model is given.

The final goal is to make a type package that is able to solve general reflexive domain equations.

AUTHOR: Wim Ploegaerts

TITLE: "HOL theory for finite word length arithmetic"

# SHORT ABSTRACT:

The ultimate goal of the ongoing research in our group is the verification of a silicon compiler for DSP (Digital Signal Processing) applications. As a first step, it has been tried to built the libraries that are required for the definition of the behavior of hardware components (such as adders, multipliers, ...) in terms of integer numbers. The work includes e.g. an extgention of the library "zet" (definition of integer division and remainder, a normalization conversion for integer expressions and some related tactics) and the

definition of the denotation and representation functions for both signed and unsigned arithmetic.

AUTHOR: Jeff Joyce

TITLE: More Reasons Why Higher-Order Logic is a Good Formalism

for Specifying and Verifying Hardware

# SHORT ABSTRACT:

The HOL community is often challenged to justify the choice of higher-order logic as a specification language over conventional description languages such as VHDL or less expressive formalisms such as first-order logic. The question, "why higher-order logic?" was partly answered by Gordon's 1985 paper, "Why Higher-Order Logic is a Good Formalism for Specifying and Verifying Hardware". Our (proposed) presentation will discuss why higher-order logic, in particular (as opposed to less expressive formalisms such as first-order logic), is a very good formalism for specifying and verifying hardware. We focus on two main reasons: (1) the ability to support generic specifications of hardware, (2) the ability to embed special-purpose formalisms such as temporal logic.

**AUTHOR:** Catia Marcondes Angelo

TITLE: "The Verification of a Parameterized Mead & Conway

Alu Core in HOL"

# SHORT ABSTRACT:

This work is concerned with the formal verification of the parameterized Mead & Conway Alu module core implemented in the Cathedral II Silicon Compiler using the Proof Assistant HOL from Cambridge University. The correctness proof is divided in two parts: the structural and the behavioral reasoning. The structural verification consists of a formal alu decomposition reflecting the basic design process knowledge to prove the hardware implementation behaves like an ideal alu. The behavioral reasoning formally verifies the ideal alu meets the specification.

AUTHOR: Richard J. Boulton

TITLE: The HOL Verification of ELLA Designs

# SHORT ABSTRACT:

ELLA is a hardware design language developed at the Royal Signals and Radar Establishment (RSRE) and marketed by Praxis. It supports simulation models at a variety of different abstraction levels.

A preliminary methodology for reasoning about ELLA designs using HOL is described. Our approach is to semantically embed a subset of the ELLA language in higher order logic, and then to make this embedding convenient to use with parsers and pretty-printers. There are a number of semantic issues that may impact on the ease of verification. We discuss some of these briefly. We also give a simple example to illustrate the methodology.

AUTHOR: Ton Kalker

TITLE: HOL Semantics of SILAGE

# SHORT ABSTRACT:

SILAGE is the input language for a prototype silicon compiler for DSP applications. An exercise to endow SILAGE with a formal semantics in HOL logic revealed several weak points of SILAGE. In the presentation I will argue that designing a language like SILAGE will benefit from using mathematical methods.

Overview of Current Activities

Hardware Verification Group

University of Cambridge

October 1990



Aarhus90

# Developments of HOL

- HOL88.1.12 to be released in November (details in talk by Tom Melham)
- New edition of documentation in progress
  - REFERENCE to be completed
  - DESCRIPTION and TUTORIAL revised and extended
  - Quick reference cards in preparation
  - Compatible with Calgary ног
  - Slides for HOL courses to be distributed with the system
- X-windows based demo tool (John Van Tassel) and theorem retrieval system (Richard Boulton) available



Aarhus90 (1)

# Kinds of Project

- Small projects
  - Typically a PhD student or individual researcher
  - Not supported by an external grant
- Large Projects
  - Several researchers, at least one full-time
  - Some external support

# Small Projects

- Protocol verification
- Architecture specification
- $\pi$ —calculus
- Compositional proof systems
- Formalisation of real-time systems
- VHDL semantics



University of Cambricomputer Laborator

Aarhus90 (3)

# Large Projects

- I/O hardware verification
- Viper UART & VISTA translator verification
- · Proof analysis and accounts
- Verified proof-checker
- SAFEMOS
- Processor verification
- · CHEOPS
- · HOL verification of ELLA designs



Aarhusso (4

# Protocol Verification

### · Research Goal:

Verification of code implementing protocols

## · Research Methods:

Specifications and real—time programs are modelled in HOL

### · Status:

In progress for 2 years with a preliminary case study available as part of the HOL documentation

#### · Researcher:

Rachel Cardell–Oliver — PhD Student at Cambridge, Cadet in Australian DSTO



ANTHERO (5)

# Computer Architecture Specification

## Research Goal:

Augment informal architecture specs with formal ones to reduce problems of ambiguous spec meaning, and to allow the use of theorem provers for testing those meanings

# Research Methods:

To formalise industrial-style specs, express them in HOL, and prove properties of them

# Status:

Going for 1.5 years with some simple examples completed Annotated bibliography on architecture specification has been produced

Researcher: Tim Leonard — PhD student,
 VAX architect with DEC



Aarhus90 (6

# $\pi$ -Calculus in HOL

# · Research Goals:

Provide proof support for the  $\pi$ -calculus (higher-order successor to Milner's CCs) in HOL, check proofs of existing meta-theorems, and investigate the calculus for modelling systems

## · Research Methods:

Define the calculus syntax as a recursive concrete type and specify its semantics via structured operational semantics. Existing informal proofs will then be replicated in HOL

- Status: Just started (syntax defined in HOL, some simple lemmas proved)
- Researchers:

Tom Melham and Mike Gordon



Aerhuu90 (7

# Compositional Proof Systems

#### Research Goals:

To build tools to support inductive definitions of compositional proof systems and automatic generation of induction tactics

## Research Methodology:

Driven by the need to define structured operational semantics based on minimal relations. The  $\pi$ -calculus and other process algebras will be used as examples

#### Status:

Some examples already done interactively. Automatic tools about to be written

#### · Researchers:

Tom Melham and Juanito Camilleri



Aarhus90 (

# Formalisation Of Real-Time Systems

#### · Research Goals:

Define a small language containing explicit timing constructs as defined by a deterministic scheduler. This environment should be seen as implementing some of the ideas from the world of process algebras, but with explicit real—time characteristics

## · Research Methods:

Specify a scheduler in HOL and verify its safety and liveness properties. An evaluation of the constructs based on this approach will be done along with a final definition of the syntax and a formalisation of the semantics

- Status: Early days
- Researcher: Neil Viljoen PhD student



Aarhus90 (9)

# **VHDL** Semantics

# Research Goal:

To define a subset of VHDL tractable for formal methods, to specify its semantics in HOL and hence to develop a set of proof tools

# Research Methods:

Build on the results and lessons of the HOL-ELLA project with the understanding that VHDL is a much more complex language

## Status:

To start on 1 October 1990

# • Researcher:

John Van Tassel - PhD Student



Aarhue90 (10)

# I/O Hardware Verification

# · Research Goal:

To design and verify a UART whose initial target is the VIPER, and will serve as a prototype of Transputer link verification (SAFEMOS)

## · Research Methods:

Specification and verification to be as general as possible so that the proofs can hopefully be reused. Fabrication will take place with XILINX user—programmable gate arrays

# Status:

Design and verification complete; fabrication to be conducted as part of the HOL-ELLA project

## · Researcher:

John Herbert



Aarhus90 (11

# VISTA Translator Verification

# · Research Goal:

Define the semantics of VISTA in HOL. Define and verify a translator from VISTA to VIPER machine code written in the HOL logic

## Research Method:

Define the syntax and a direct denotational semantics of both source and target language in HOL with the translator as a primitive recursive function

- Funding
   MOD (RSRE)
- Researcher:
   Paul Curzon



Aarhus90 (12)

## Proof Certification

# Research Goal: '

Understand the structure and parameterisation of large proofs; develop and test a technology for producing 'proof deliverables' (idea proposed by Newey, Hanna)

# · Research Method:

- Modify HOL to produce proof texts
- Code a checker for them in a programming language supported by HOL
- Verify the checker
- Status: SERC/MOD funding promised. Target start date is 1.4.91
- · Researcher: Avra Cohn



Aarhus90 (14)

# **Proof Analysis**

## · Research Goal:

Better understanding of the relationship between proofs and tactics. Implementation of prototype tools to generate proof summaries from tactics

# · Research Methods:

Detailed study of "naturally occurring" proofs and replicating them in HOL. Experimental programs to generate proof narratives from tactics have be written

# Status:

Funded by SERC

# Researcher:

Avra Cohn



Aarhus90 (13)

# SAFEMOS I

# · Research Goal:

- Demonstrate the possibility of totally verified systems by creating a verified application program running on a verified processor by means of a verified compiler
- Develop a methodolgy for building verified real-time systems

## Research Method:

Example driven with a programming language based on a subset of OCCAM, and the processor based on the Transputer. The proof will build on existing work such as the CLINC stack (Austin, Texas) and Joyce's work on Tamarack (Cambridge)



Aarhus90 (15)

that the remaining afficience to the

## SAFEMOS II

#### · Partners:

INMOS, SRI International Cambridge Research Centre, Oxford Programming Research Group, Cambridge Computer Laboratory

# • Funding SERC/DTI (IED)

# • Status: Started 1.1.90

# · Researchers:

- INMOS: David Shepard + 2

- SRI: Roger Hale,  $\frac{1}{2}$  John Herbert

- PRG: Jonathan Bowen, Paritosh Pandya

- CL: Mike Gordon, Juanito Camilleri

University of Cambridge Computer Laboratory

Aarhus90 (16

# HOL-ÉLLA II

# · Funding:

Initially SERC/DTI project with Praxis. Now a pure SERC project

## · Status:

Running since 1.10.89, with a simple case study completed. Subset of ELLA chosen and HOL semantics defined and implemented

# · Researchers:

Richard Boulton (until 30.9.90), John Harrison (from 1.10.90),  $\frac{1}{2}$  John Herbert

#### University of Cambridge Computer Laboratory

Aarhus90 (18)

## HOL-ELLA I

#### · Research Goal:

- Specification of the formal semantics of a subset of the ELLA hardware description language in HOL with theorem-proving support for reasoning about ELLA designs
- Development of a methodology for adding formal methods to conventional CAD

# • Research Method:

Translate ELLA to HOL via explicit semantics and test the methodology by designing XILINX chips



Aarhus90 (17)

# Processor Verification

## · Research Goal:

To design and verify a processor for real-time control applications as part of the SAFEMOS and HOL-ELLA projects

# • Research Methods:

Develop standard techniques which will transfer to the verification of the main Transputer–like SAFEMOS processor

# Status:

Early days

# Researcher:

John Herbert



Aarhus90 (19)

# CHEOPS I

### · Research Goal:

- Interface HOL to CATHEDRAL for the verification of synthesis functions (IMEC)
- Improve the HOL environment through new libraries, and a better user interface (Cambridge)
- Research Methods at Cambridge:
   General—purpose parsers and pretty-printers
   driven from declarative inputs. Interface tools
   implemented in X—windows
- Partners:
   IMEC (Belgium), Philips ERL (Netherlands),
   Cambridge Computer Laboratory

Computer Laboratory

Aarhus90 (20)

## CHEOPS II

# Funding: Esprit BRA

# • Status:

Running since 1.8.89 with the syntax tools complete. X—windows interface started with a prototype developed in an enhanced GNU emacs

## · Researchers:

- IMEC: Luc Claesen, Wim Ploegaerts, Catia Angelo
- Philips: Ton Kalker
- Cambridge: John Van Tassel (until 30.9.90),
   Sara Kalvala, Andy Gordon (from 1.1.91)



Aarhus 90 (21)

# Summary

- HOL88 system is now stable
- New improved Standard ML implementations are almost ready (Viz HOL90 from Calgary and ICL HOL)
- Polished documentation (for both HOL88 and HOL90) coming soon
- Increased automation and improved interfaces are on the horizon
- Many projects announced at first HOL Users Meeting are now up and running
- Lots of new projects, many unrelated to hardware verification, are starting up



Aarhue90 (22)

# HOL88: Version 12 overview

- Summary of changes already made.
- Some proposed changes.

T F Melham, 28 September 1988

# Current state of version 12

- Summary of changes already made:
  - preterms, and user-definable typechecking
  - revised 'resolution' tools
  - paired beta-conversion
  - new tactics, rules, etc.
    - revision/optimization of some tactics, rules, etc.
    - natural number MOD and DIV theorems added
    - total rewrite of type definition package
    - revised set theory library
    - new 'contrib' directory
    - many internal ML functions deleted/hidden

# New ML type of raw terms

# • A new ML type of untyped terms:

# has been added, together with:

```
preterm_to_term : preterm -> term
```

which invokes the standard HOL typechecker.

# User-definable typechecking

• To enable user-defined typechecking:

```
set_flag('preterm',true);;
```

• To install user-defined typechecking:

• Note: this has not been used much yet.

# Revised 'resolution' tools

In version 11, RES\_CANON does:

```
~t \Rightarrow t ==> F (at outermost level)

t1 /\ t2 \Rightarrow t1,t2

(t1/\t2)==>t \Rightarrow t1==>(t2==>t)

(t1\/t2)==>t \Rightarrow t1==>t, t2==>t

t1 = t2 \Rightarrow t1=t2, t1==>t2, t2==>t1
```

In version 12, RES\_CANON also does:

!x. 
$$t1==>t2 \Rightarrow t1==>!x.t2$$
 (x not free in t1)

• For example:

$$|-!n m. m < n ==> (!p. n m < p)$$

# Effect of this change

# • Given the assumptions:

[a < b] and [b < c] the tactic:

IMP\_RES\_TAC |- !m n p. m < n /\ n < p ==> m

[ !p. b a b

# Consequence:

- more new consequences generated, so
- more assumptions to work with,
- e.g. RES\_TAC will solve the goal more often;
- BUT: your existing proofs may not work.

# Paired beta-conversion

• New function for paired beta-conversion:

PAIRED\_BETA\_CONV : conv

For example, given the term:

the new conversion proves that:

It also works on arbitrarily-nested tuples.

Related conversion
LET - com
- coming soon

# Natural number division

# • In version 11:

```
|-0 < n ==> (?r q. (k = (q * n) + r) /  r < n)

|-MOD k n = @r. ?q. (k = (q * n) + r) /  r < n

|-DIV k n = @q. (k = (q * n) + (k MOD n))
```

# • In version 12:

$$|-0 < n ==> (?r q. (k = (q * n) + r) / r < n)$$
  
 $|-0 < n ==> (k = ((k DIV n)*n)+(k MOD n)) / (k MOD n) < n)$ 

• Plus built-in theorems, for example:

```
|- !k. k MOD (SUC 0) = 0

|- !n. 0 < n ==> (!k. (k DIV n) <= k)

|- !n r. r < n ==> (!q. ((q * n) + r) DIV n = q)

|- !n k. k < n ==> (k MOD n = k)

|- !n. 0 < n ==> (!k. (k * n) MOD n = 0)

|- !n. 0 < n ==> (0 MOD n = 0)
```

• Other arithmetic theorems have also been added.

# Type definition package

- Has been totally rewritten.
- The code is now:
  - Cleaner and better organized,
  - faster (sometimes much faster),
  - much better documented.
- The main changes visible are:
  - modifications to low-level tools,
  - define\_type now has a proper parser,
  - different variable names/priming behaviour.
- Coming soon:
  - more general function definitions

# Revised set theory library

# • Reorganization:

| Old name | New name    | Description              |  |
|----------|-------------|--------------------------|--|
| sets     | finite_sets | finite sets              |  |
| all_sets | sets        | finite and infinite sets |  |
| set      | pred_sets   | predicates-as-sets       |  |

• The library sets now supports the syntax:

Proof support for this notation (for example):

# returns:

$$|-t in \{x \mid P[x]\} = P[t/x]$$

• The parser/prettyprinter support is general.

# The contrib directory

- Contents: user contributions
- Purpose:

for easy distribution of items such as code, theories, and documentation which are useful but not suitable for the library

- Current contents:
  - CPO: complete partial orders (jac1)
  - PNF: prenex normal form (cj)
  - batch-hol-tool: simulate interactive session (rjb)
  - franz-cl-th: translate theories to common lisp (jac)
  - knuth-bendix: equational reasoning (slind)
  - select: how to deal with epsilon (grahamb)
  - temporal: temporal logic in HOL (jasuja)
  - tooltool: suntools interface (des)
- Further contributions very welcome!

# Hiding/Deleting Internal Functions

• The goal is:



- Many identifiers already deleted/hidden.
- For example:

| Redundant   | Old versions     | Unused      |  |
|-------------|------------------|-------------|--|
| AND_CLAUSE1 | HOL_IMP_RES_THEN | form_class  |  |
| AND_CLAUSE2 | HOL_MATCH_MP     | form_frees  |  |
| AND_CLAUSE3 | HOL_PART_MATCH   | form_tyvars |  |
| AND_CLAUSE4 | HOL_RESOLVE_THEN | form_vars   |  |
| AND_CLAUSE5 | HOL_RES_THEN     | , 1         |  |
|             | OLD_RES_TAC      | (etc)       |  |
| (etc)       |                  |             |  |
|             | $(\mathit{etc})$ |             |  |

# Proposed changes/developments

- Future developments and proposed changes:
  - rationalize resolution
  - faster rewriting
  - automatic abstract type definitions
  - new type-definition primitive
  - library revision
  - new version of the manuals

An SML Implementation

06

ho188

Konrad Slind + Graham Birtwistle, Rajagopal Magarajan, Todd Simpson

Funded by: - NSERC Stratogic Grant 89-72 Verifying Handwere Designs

> - Equipment grants from NSERC and CMC

# ho188

- Lisp + ML + ML compiler
- HOL (logic) implemented using PPLAMBDA code. Requires "bending" of HOL objects.
- primitive routines for terms are intricately coded and deserve to be held to the light.
- comments: sparse, multilingual, 1º... and now for a tricky but 2
- Heavy files have obscure, Lisp-dependent syntax
- unclear as to how the system builds
- SML

# hol90

- "done" (v.1.11 \ contributed libraries)
- provides same interface
- ~ 15,000 lines of 5mh
- ~ 1.3 M. core
- Speed. Not emphasized.
  - faster in forward inference.
  - slower in parsing terms
  - very slow in reading from theory files.
  - in PolyML
  - Core Language only.

# Which SML?

- Oall-of-them
- Implementation requires features not in the Standard:
  - 1. Embedding HOL in SML:

    New top level with

    macro expension phase

typical top level:

let top level() =

( prompt();

print (eval (read ()));

top-level ());

New top level: fum top-level () = (prompt (); print (eval (read (read\_HOL())); top\_level()); let tm = "VNV" let +m = mk-conj (mk-van ("v', mb-type "bool"), mk-van ('v', mk-type "bool"

Poly ML allows the installation of user-defined top levels

ML-yacc

2. pretty printing terms, types, theorems.

Given "final" top level:

form top-level():

( prompt();

print+ (eval (read (read-HOL())));

top-level());

POLYML allows the extension of the pretty printer of SML.

# Why no structures:

- had used them up to a point in time, but
  - 1. gc costs, core size
  - 2. Signature maintenance
  - 3. Flakiest part of implementation
  - We plan to add them before releasing HOL90

A tour of the implementation - divides neatly between - ML/Lip - doc'ed / undoc'ed ML Libraries ( Sats, groups, processes, ...) More powerful definitional mechanism (Recursive types Basic theories (N, sum, one, ...) Backwards proof interface ( goal stack) Conversions, tacticals, tactics Derived rules of inference : them ADT (primitive rules of inference, a kions basic definitional mechanism theory interface

Theory interface

passing Hol (quotation, antiquotation, top level)

type inference, pretty printing

Symbol table

terms

types 27

## Archaeological Results

· hol88 uses variable sharing

· conversion nots for fast rewriting

. "bootstrapping"

. we actually have an ADT of thm

. only primes when it has to

· entiquote suppresses type inference:

let v = "v: bool"

" \ \ ( v=1)" passes

but

"(v:bool) ~ (v=1)"

ADT then shouldn't use quotation,

REFL +m = mb.+hm([], "Atm = Atm")

for the correctness of them depends on correctness of read. HOL.

· aconv is "dynamic de Bruijn".

a conv " $\lambda_{x.}(x:bool)$ " " $\lambda_{x.}(x:*)$ " => true! can we get inconsistency?

- holdb uses property lists, we have a symbol table some of holds term handling routines are handwired in, e.g. who conjuntated from LCF
- · some cleanup, for example theory of pairs we can do tackwards proof of some theorems there, instead of using mk. Hhm.
  - . theory file interface cleaned up. Parson info not held as theorems.
    - . theory cache.

-

# Speed Revisited

# Completing the group

5un 3 1731 4hms 218 5. hol88
31 5. hol89 PolyML
16 5. hol90/ NJSML
10 5. sun f/NJSML.

### To do

- make parsors identical
- speed up panser,
  - . Heary file interface
  - · conversion nets for rewriting
- move to modules system
- attempt to move to NISML
- better DS/A for rewriting
- redesign theory interface
- hooks for UI work

ML -> SML



let x = ... in let y = ... in

let val x = ...

val y = ...

end

letrec or functional let -> fun

let x = e -> val x = e

· [a; b; c] -> [a, b, c]

 $[a,b] = [(a,b)] \longrightarrow [a,b] - bewere$ 

. Cambridge allows leaving the else arm off conditional. Not SML

taken as end

of comment!

# Cooperation Anyone?

- many interesting aspects of this work.
- If you want to dive in and add to the system, we would be happy.

A High Assurance Implementation of HOL

Rob Arthan ICL Secure Systems

1



#### The FST Project

(DTI Supported Project IED/1563)

#### Cambridge University

• foundational research

#### ICL Secure Systems

- lead partner
- · HOL technology and applications

#### Kent University

• VERITAS+

Program Validation Limited.

SPARK



#### Background

- Business is high-assurance secure systems.
- HOL used in applications for about 4 years
- Proof deliverables produced on several real secure system developments
- Piecemeal work to tailor the system to our needs:
  - Tied off loop-holes (e.g. mk\_thm)
  - Metalanguage and theory support
     (Z, hardware DA links, methods support)



#### **Directions**

Want to improve capability to produce formal proofs of critical properties in real applications.

HOL offers a tried and trusted basis. We would like:

- Greater integrity (possibility of accidental or malicious proof of F)
- Better support for the languages our customers want (Z, Ada)
- Improved ease of use (proof work is currently very costly)



#### High Assurance HOL

Basic idea (i.e. long term goal):

- (a) formally specify logic
- (b) formally specify critical properties of the proof development system in terms of (a)
- (c) verify implementation (or at least design against (b).

Result is a proof development system with assurance level analogous to that of a US A1+ (= UK level 6) secure system.

Want to take sensible and useful steps towards this.



#### State of Play

- · Have formal specifications of
  - language and inference rules
  - theory hierarchy
  - semantics
  - (= chapters 9&10 of the manual)
- Have a prototype system in Standard ML
  - Logical primitives based on formal spec
  - Theorem proving superstructure based on Cambridge documentation and implementation
  - Basis for experiments with proof automation etc.



#### Current Work

- designing a system to be implemented to product standards
- rationalising logic spec and planning out integrity proof
- modest steps in proof automation
- support for Z
- user interface issues (e.g. subgoal package improvements)
- compatibility and interchange



#### Logic Specification

- Specified HOL as a deductive system.
  - language
  - rules of inference
  - theories with theorems defined via derivability
  - PDS as a machine with a theory hierarchy in its state, making "derivable" transitions on the theories in it
- Treatment is quite long (30 pages of theory listing without consistency proofs)
- Now looking at incorporating semantics and reorganising to ease proof task



#### TOP LEVEL SPEC OF THE PDS

```
Parent : string→string→bool
theory : string→THEORY

(antisymmetric(ancestral parent)) ∧
(rooted parent) ∧

(∀init·root parent init ⇒ theory init = INIT)
(order_preserving theory parent extends)
```

```
HOL_SYSTEM ≅ (*INPUT × HOL_STATE) →

(HOL_STATE × *OUTPUT)
```

```
safe : (*INPUT, *OUTPUT) HOL\_SYSTEM \rightarrow bool
```

Similarly for conservative extensions etc.

9



#### **Proof Automation**

- · Many useful modest steps to be made
- Incorporate useful techniques from research on other theorem provers
- Have prototyped:
  - Several tautology proving algorithms
  - Divide-and-conquer techniques for finding normal forms (e.g. polynomials over a commutative ring)
  - Tools for justifying various forms of definition
  - Future work
    - Decision procedures etc.
    - Improved support for recursive types

# ICL

#### User Interface

- Main concerns are "deep" interface issues rather than "surface" ones
- Want a consistent and comprehensive collection of tools within HOL.
- · Have made some small experiments
  - Subgoal package using a theorem to represent the state (gives automatic validation of tactics safely, and other useful features).
  - Term surgery-style tools
  - Cross-referencing tools
- Future work
  - User interfaces for other languages (e.g. Z)
    - Better support for programming tactics and conversions

The Implementation and Use of Abstract Theories in HOL.

Elsa Gunter Bell Labs

# What do we want from a bstract theories?

Abstract theory should create a context of assumed information, and give that information scope.

Within an abstract theory, attempts to prove theorems have access to that information.

Outside abstract theory, access to that information is removed. Theorems proved using it have had it abstracted out.

To use a theorem from within an abstract theory outside, must supply abstracted information.

. ,

What will having abstract theories do for us?

Allow for the development of general mathematical theories.

Allow for modularity and cleaner organization of proofs in "theorem proving in the large".

Could be used in organizing verification proofs to make the implementation-specification layers clear.

More Specifically, what do we want from abstract theories?

An abstract theory should take a signature consisting of

- · list of type variables
- · list of term variables
- · list of assumptions

and create ascoped context in which, when proving theorems, the type variables and term variables are treated as type and term constants, and assumptions are treated as axioms.

F Desimitional Theory

of

UNITY

in

Higher Order Legie

#### Overview

- Programs as statetransitions and their properties
- Defining program properties in Higher Order Logic
  - The transitive & disjunctive dosure of progress
  - Introducing bounds on progress properties
  - Looking for a generalised dosme definition
  - How UNITY is derived
- Conclusion

#### Programs as statetransitions



Program Properties



Safety, Rs Liveness (progress), RT Direct, inferred properties Defining program properties i Higher Order Lagic

Safety

PRsq =

Vs, st & Prog: Rsafe (p,q,st,s)
(satisfied for all possible states)

Chandy , Misra !

punlass q = Vs, ste Prog: (ps 1 qs) ⇒
p(sts) vq (sts)

Liveness (pragress)

PRT q = Vs: Iste Prog: Rtmas (p,q,st,s) (express the existence of a state transition)

Chardy, Mista:

pensures q =
punless q 1

Vs: Jst∈P...., 517qs ⇒ q (sts)

The transitive and disjunctive closure of progress



What properties are wanted:

An axiomatic definition:

A Definition in Higher Order Lagic

Proving the definition satisfies the axioms:

Prove that

- 1) pRTq => pRcq
- y prernrag = preq
- 3) PIRCQ 1 PZRCQ = PLVPZRCQ

Trivially from the definition of Rc

But more properties may be wanted in the logic.

RelClose O RT P9 = PRT9 1

RelClose nH RT P9 =

(3r: RelClose n RT PT 1

RelClose n RT T9)

RelClose n p2 g. 1
RelClose n p2 g. 1

PRcq = In: Rel. Close n RT pq

Again, prove that the three axioms and varied theorems actually are satisfied.



we now need to generalise disjunction, since the proof of the above theorems assumed (Im: M=m)

Hence, the disjunction theorem (axion) becomes:

# Generalising the definition of Rc

PRCQ =

PRTQ V

(
$$\exists r: pRcr \wedge rRcq$$
) V

( $\exists P: (p = \exists is Pi) \wedge (\forall i: (Pi) Rcq.)$ )

Can we find a primitive recursive definition of

InfRedClose O RT pg = pRT 7 1
InfRedClose not RT pg =

(3P: (p= 3i:Pi) 1. (VishRelClose n Pr(Pi))

Mo, since we can't prove (Vi: (Pi) RC q)=> (Ji, Pi) Rcq

8

A pure relational approach to Re

GenRel Close R =

 $(\forall P, \uparrow: PRT \uparrow \Rightarrow PR \uparrow) \uparrow$   $(\forall P, \uparrow: (\exists r: PRT \land rR \uparrow) \Rightarrow PR \uparrow) \uparrow$   $(\forall P, \uparrow: (\exists r: PRT \land rR \uparrow) \Rightarrow PR \uparrow) \uparrow$  $(\forall P, \uparrow: (\exists r: PRT \land rR \uparrow) \Rightarrow PR \uparrow$ 

PRCq = VR: GoRel Close R = PRq

This definition actually satisfies the tree axioms, but infortunately we cannot prove

PRC false

However we do have: GenRal Class Rc.

and pRcq = PRTq V (3r: pRcr1rRcq)

V(3P! (p=3i:Pi)1

(Vi: (Pi)Rcq))

- 1) Take unless, ensures as defined before
- 2) Specialise the function which models the transitive and disjunctive clasure of single progress relations (RT) by the ensures relation.
- 3) Prove all the missing theorems valid for UNITY
- 4) Make (define) the appropriate representation of UNITY-pregrams as state-transitions
- 5) thats it !

# Condusion

- A complete UNITY-system except for the shown induction theorem and with only finite disjunction has been only finite disjunction has been implemented using the primitive recursive implemented using the primitive recursive function Rel Close for modelling leads to
- It is an open grussian (to me) whether infinite disjunction and hunce the propress induction discover is actually sound
- The was discovered that the substitution rule is only valid if the logic primitive unless, ensures and leadsto are restricted to the states reachable by the program. This means that HOL-UNITY doesn't have their rule!

# Solving Reflexive Domain Equations in HOL

Kim Dam Petersen

TFL

kimdom @ tfl.dk



### Contents

- Reflexive Domain Equations
- Methods for solving reflexive domain equations
- $D_{\infty}$
- ullet Type free  $\lambda$  calculus
- $\bullet$   $P^{\omega}$
- What has been done
- What needs to be done.

### Reflexive Domain Equations

- Reflexive domain equations has the form:  $D = \mathcal{E}(D)$ , where  $\mathcal{E}$  is composed from basic domains Bottom, Boolean and Number by Point, Pair, Union and Function contructions
- A solution of a domain equation is a domain D, which is isomorphic to  $\mathcal{E}(D)$
- Example:  $C = * \rightarrow C \rightarrow **$

# Method for solving reflexive domain equations

- ullet Use the  $D_{\infty}$  domain constructions [Schmidt]
- ullet Construct type free  $\lambda$  calculus [Barendregt]
- Construct  $P^{\omega}$  [Barendregt]

## $D_{\infty}$ construction [Schmidt]

- A domain is a (pointed) cpo
- ullet All domains are contained in a universe  ${\mathcal D}$  of domains
- A valid Domain Scheme  $\mathcal{E}:\mathcal{D}\to\mathcal{D}$  maps pointed cpos to pointed cpos
- Construct a sequence of domains  $D_n$  by:  $D_0 = \{\bot\}$  and  $D_{n+1} = \mathcal{E}(D_n), n \ge 0$
- A limit  $D_{\infty}$  of the domain sequence exists
- A pair of continuous functions  $(\Phi, \Psi) : D_{\infty} \leftrightarrow \mathcal{E}(D_{\infty})$  exists, such that:  $\Psi \circ \Phi = Id_{D_{\infty}}$  and  $\Phi \circ \Psi = Id_{\mathcal{E}(D_{\infty})}$
- Hence  $D_{\infty}$  is isomorphic to  $\mathcal{E}(D_{\infty})$

### HOL implementation problems

- Constructing an object *Domain* that represents the universe of all domains
- *Domain* should contain the basic domains Bottom, Number and Boolean
- *Domain* should be closed wrt. domain constructions Point, Pair, Union and (continuous) Function

## Type free $\lambda$ calculus

- Numbers, Booleans and Bottom are representable as closed  $\lambda$  expressions.
- Pairs, Unions and Functions may be represented as closed  $\lambda$  expression, if their components are
- Hence Domain may be represented as subsets of closed (type free)  $\lambda$  expressions

## Constructing type free $\lambda$ calculus [Barendregt]

- ullet A reflexive cpo may be used to construct a model of type free  $\lambda$  calculus
- A cpo  $(D, \sqsubseteq)$  is reflexive if there exists two functions  $f: D \to [D \to D]$  and  $g: [D \to D] \to D$  such that:  $f \circ g = \mathrm{id}_{[D \to D]}$

### The $P^{\omega}$ model of $\lambda$ calculus [Barendregt]

- $P^{\omega} = (\{x | x \subseteq \mathbb{N}_0\}, \subseteq)$
- $[n,m] \leftrightarrow \frac{1}{2}(n+m)(n+m+1)+m$ 
  - $\bullet \ \{k_0, ..., k_{m-1}\} \leftrightarrow \sum_{i < m} 2^{k_i}$
  - $graph(f) = \{[n, m] | m \in f(e_n)\}$
  - $graph: [P^{\omega} \to P^{\omega}] \to P^{\omega}$  is continuous
  - $fun(u)(x) = \{m | \exists e_n \subseteq x, [n, m] \in u\}$
  - $fun: P^{\omega} \to [P^{\omega} \to P^{\omega}]$  is continuous
  - fun(graph(f)) = f for any continuous function f
  - Hence  $P^{\omega}$  is a reflexive cpo
  - Hence  $P^{\omega}$  may be used to construct Domain
  - Hence  $P^{\omega}$  may be used to solve reflexive domain equations

### What needs to be done

- ullet Completion of the  $\lambda$  model
- Mapping basic domain values (Bottom, Booleans and Numbers) into  $\lambda$  expressions
- Mapping constructed domain values (Pairs, Unions and Functions) into  $\lambda$  expressions
- ullet Solve reflexive domain equations using  $\lambda$  expressions
- Make a type package for reflexive domains

## What has been done in HOL

- Theories for: cpo, topology etc. has been defined
- Properties concerning  $P^{\omega}$ , fun and graph has been proved
- A  $\lambda$  model based on  $P^{\omega}$  is being constructed

# Towards a HOL theory for

# Finite Wordlength Arithmetic ...

# Wim Ploegaerts<sup>†</sup>

Imec v.z.w. Kapeldreef 75 3000 Leuven - Belgium - \*Research Assistent with the Belgian National Fund for Scientiffe Research

Work partly sponsored by the CHEOPS-BRA

# 0. Introduction

1. Linking HOL to CATHEDRAL

The Missing Link ...

Some list theory ...

Integers: "zet" and more

The link ... ر. ک

Conclusions . و

Linking hardware behavior to its integer equivalent useful extensions of the library "zet"

which are available and documented



# 1. Linking HOL to CATHEDRAL..

# CATHEDRAL...

Synthesis Environment for the design

of ASIC's for DSP applications

- -> DSP = audio (CD), video, ...
- -> Optimizing results by limiting the application domain
- -> Cathedral 1,2,3,...

"From an idea to layout in 1 day..."

# HOL...

# The CHEOPS Project:

Setting up a Verication Environment for the CATHEDRAL results

# Therefore

- -> Realistic Complexity ...
- -> Automatic versus Soundness...
- A "designer" does not want to be confronted with HOL
  - General methodology instead of single proof



WP-2-10-90







# Prerequisites ...

- powerful library on integer numbers,
- -> importance of "2"
- a tactic to prove that integer expressions are equal
- list-theory (variable length)
- the link from bitstrings to integers

# What is available in HOL...

- list ...
- "zet" (T.Kalker)

# What is needed ...

# Implementation of

Semantics of Digital Systems" (R.T.Boute) "Representational and Denotational

- theory of number representations
- "detailed" transformational reasoning style
- functional formalism closely related to HOL



ds: (:bool)string -> (:zet)

(ds [] = 0)  $\land$  (ds (APPEND x [s]) = (du x) - s' 2

rs: (:zet) -> (:bool)string

$$(rs 0 = [F]) \land (rs -1 = [T]) \land$$

 $(ru\ 0 = []) \land (ru\ x = (CONS\ (x\ mod\ 2)\ (ru\ (x\ div\ 2))))$ 

 $(du [] = 0) \land (du (CONS \ a \ x)) = a' + 2 * (du \ x)$ 

ru: (:num) -> (:bool) string

du : (:bool)string -> (:num)

182

(rs m = (CONS (m mod 2) (rs (m div 2)))

WP-2-10-90

TL

LAST H

183

!1y. LAST (APPEND! [y]) = y

!1y. HL (APPEND! [y]) = 1

-!x f. ?!fa.

$$(fa[]=x) \land$$

$$(!ht.fa(APPENDt[h]) = f(fat)ht)$$

- Definitions

- induction tactic
- relation with constructs of "list "

Use: du, ds

"zet" (T.Kalker)

- formalization of integers
- -> zero (0), een (1)
- -> addition, subtraction, multiplication, less, leq
- -> SIGMA  $(\Sigma)$ , PI  $(\pi)$

184

- -> maximum and minimum of a subset
- recursive definitions in zet
- induction on integers
- several useful theorems, but ...

# extensions of "zet"

- absolute value and sign of an integer
- positive power of an integer
- integer division and remainder

|- ! m n .

$$\sim$$
 (  $n = 0$  ) ==>

$$(m = ((m \text{ div } n) * n) + (m \text{ mod } n)) \land$$

$$( \mid u \mid > ( n \text{ mod } n ) ) \land ( ( n \text{ mod } n ) \ge 0 )$$

$$-4 \text{ div } 3 = -2$$

 $-4 \mod 3 = 2$ 

- concept of even and odd integers

- div2, mod2, pow2

$$!n.(0 < n) ==>(?!k.(2 \le n) \land (n < 2))$$

- pos\_log : that "k" for which ....

185

- log2 : related to div2

in. (log2 0 = 0) 
$$\land$$
 (log2 -1 = 0)  $\land$ 

$$(\sim (n=0) \land \sim (n=-1) ==>$$

$$(\log_2 n = SUC(\log_2 (\dim_2 n)))$$

# INDUCTION TACTIC

(im. Qm ==> 
$$Q(2m)$$
)  $\land$ 

$$(!m. Qm ==> Q(2m+1)))$$

$$==>(!n.Qn)$$

Related to bitstrings:

WP-2-10-90

# expression integer

expression integer

$$(a+b)*(d+e) - db = eb + ad + ae$$

186

" 
$$m + n = k + l$$
"

$$[ "m - k = l - n "]$$

$$["a - b \le c - 1"]$$

# NORMAL\_FORM\_CONV

# Make normalized sum of products

$$\exp = p1 + (p2 + (p3 + ...))$$

ai = not an addition, subtraction or multiplication

# make syntactical normal form

use of "<<" and bubble sorting

to order

- subterms of pi (ai)
- ordered subterms of exp

du : (:bool)string -> (:zet)

 $(du [] = 0) \land (! a x . du (CONS a x)) = a' + 2 * (du x)$ 

ru: (:zet) -> (:bool) string

! n. (0 ≤ n) ==>

 $(\text{ru }0 = []) \wedge (\text{ru }n = (\text{CONS (n mod2) (ru (n div2))}))$ 

ds: (:bool)string -> (:zet)

(ds [] = 0)  $\wedge$  (! s x . ds (APPEND x [s]) = (du x) - s' 2

rs: (:zet) -> (:bool)string

 $(rs 0 = [F]) \land (rs -1 = [T]) \land$ 

(! m. ~( m = 0 )  $\land$  ~( m = -1 ) ==> (rs m = (CONS (m mod 2) (rs (m div 2)))

HOL Users Meeting

The following theories are available en documented:

- (documentation of "zet" and some tactics and conversions of general purpose extensions of the library "zet": div, mod, pow "auxiliary" included)
- a normalization conversion to prove integer expressions equal extensions of "zet" for the special case "2": div2, mod2, pow2, log2

The theory on the denotation and representation functions is available but not yet documented.

These theories are needed for the characterization of finite worldlength arithmetic.

**HOL Users Meeting** 

# More Reasons Why Higher-Order Logic is a Good Formalism for Specifying and Verifying Hardware

Jeff Joyce University of British Columbia

October 1990

"Why higher-order logic?"

Mike Gordon (September 1985) ...

"Why Higher-Order Logic is a Good Formalism for Specifying and Verifying Hardware"

(Cambridge Tech. Report No. 77)

... the opening paragraph reads:

The purpose of this paper is to show, via examples, that:

- 1. Many kinds of digital systems can be formally specified using the notation of formal logic; specialized hardware descriptions are not needed.
- 2. The inference rules of logic provide a practical means of proving systems correct; specialized deductive systems are not needed.

# Two Reasons "Why Higher-Order Logic?"

In this talk, I propose two reasons why higher-order logic is a good formalism for specifying and verifying hardware:

- 1. generic specification
- 2. embedded formalisms

# Outline of this Talk ...

- 1. Uses of Higher-Order Functions
  - some common uses
  - some more sophisticated uses
- 2. Alternatives to h.o.l.
- 3. Arguments against h.o.l.
- 4. Generic Specification
  - simple example
  - microprocessor specification
- 5. Embedding Other Formalisms
  - temporal logic
- 6. Conclusions

# Some Common Uses of Higher-Order Functions ...

- ... when specifying hardware with predicates,
  - 1. signals as functions of time



AndGate (a,b,out)

 $a,b,out : time \rightarrow bool$ 

## 2. signals as functions of position



RippleCarry n (a,b,cin,sumcout)

a,b,sum : postion →bool

cin,cout : bool

# More Sophisticated Uses of Higher-Order Functions...



... defining parameterized timing relationships,

... and deriving generalized theorems,

For example, ...

the generalized theorem,

|- 
$$\forall g$$
 r.  
( $\exists t. g$  t)  $\land$  ( $\forall t. g$  t  $\Longrightarrow$   $\exists m. Next g$  (t,t+m)  $\land$  r (t,t+m))  $\Longrightarrow$   
 $\forall u. r$  (TimeOf g u,TimeOf g (u+1))

can be used to reduce the problem of proving,

to a pair of simpler problems:

$$\exists t. g t ' \setminus \forall t. g t \Longrightarrow \exists m. Next g (t,t+m) \land r (t,t+m)$$

This generalized result provides the basis for a HOL tactic:

# Alternatives to Higher-Order Logic, $\dots$

- ··· as a hardware specification language:
- Conventional HDL's
  - generally oriented to simulation
  - limited ability to express behaviour
  - may lack underlying formal semantics
- Special Purpose Formalisms
  - fixed ideas about hardware
- First-Order Logic
  - sometimes expressibility is compromised further
    - e.g. disallowed "\(\exists\)" to make specifications execu
- may have extra constructs reminiscent of h.o.l.
  - e.g. parameterized specifications in OBJ



- - dependent types, but undecidable

#### Arguments Against the Higher-Order Approach ...

- notation is difficult
- undecidability concerns
- proofs are much harder
- expressibility not needed
- specifications not executable
- the "straw man" attack

To give you an idea of their flavour ...

...with respect to higher-order programming, one author writes:

"Unfortunately, the logic of higher-order functions is difficult, and in particular, higher order unification is undecidable. Moreover (and closely related), higher order expressions are notoriously difficult for humans to read and write correctly."

... and then, the same author goes on to say:

"Although higher-order logic cannot always be avoided in specification and verification, it should be avoided whenever possible, for the same reasons as in programming."

#### Quotations from:

Joseph Goguen, "Higher Order Functions Considered Unnecessary for Higher Order Programming", 1988 April 20.

#### Generic Specification

In 1989, under contract to NASA, CLI sub-contracted the task of writing a review of the HOL system to David Musser of Rensselaer Polytechnic.

In his report, Musser wrote:

"The major weakness of HOL appears to be the lack of effective support for constructing specifications and proofs at a high level of abstraction, ..."

and more specifically,

"HOL is also lacking in packaging features that would help in structuring large specifications, such as those of VIPER or more complex microprocessors"

#### Musser compared HOL to SRI's EHDM system which,

"... provides a parameterized module capability that permits structuring specifications as modules that can be instantiated in many different ways (similarly to Ada generic packages and subprograms)."

In this part of my talk, I will argue that:

- 1. generic specification does indeed offer many benefits
- 2. HOL logic can directly express genericity
  - ... without additional constructs!

## Advantages of Generic Specification ...

In addition to modularity, abstraction and re-usability, generic description can be used to filter out non-essential detail in the context of formal proof.

Filtering out non-essential details, ...

- sharpens the distinction between what has and what has not been formally considered in a correctness proof.
- supports a truely hierarchical approach to the formal verification of digital circuits where each level in a hierarchical specification is isolated from details only relevant to other levels.
- reduces the amount of special-purpose infrastructure needed to reason about particular application areas, e.g., hardware-oriented data types.

For example, ...

The formal specification of the 32-bit Viper major-state machine made extensive use of special-purpose data types and constants:

e.g., :word4, :word32, VAL4, WORD32

Consequently, these correctness results:

- were not as general as possiblee.g. what about a 64-bit version?
- needed clarification about what aspects of the computational model were formally considered:

"There was no computation of values at the major state level - that is, additions, comparisons, shifts, and so on - so the essential correctness of Viper was not really addressed; the proof did not require any analysis of the function representing the arithmetic-logic unit, at either level".

 could not be easily re-produced in other verification systems lacking special support for reasoning about hardware External View of the Resettable Counter,



Internal View of the Resettable Counter,



## A First Attempt, ...

 $\vdash_{thm}$  COUNT\_IMP (reset,out)  $\Longrightarrow$  COUNT (reset,out)

# The More Detailed, The Better?

```
| How the proof of the p
```

 $\vdash_{thm}$  COUNT\_IMP (n) (reset,out)  $\Longrightarrow$  COUNT (n) (reset,out)



Parameterizing with Function Variables, ...

```
| How the following that the following following the following fo
```

 $\vdash_{thm}$  COUNT\_IMP (inc) (reset,out)  $\Longrightarrow$  COUNT (inc) (reset,out)

Parameterizing with Type Variables, ...

```
Hef MUX (inc,zefo) (reset,i,out) = ∀t. out t = (reset t ⇒ zero | (i t))

Hef REG (inc,zero) (i,out) = ∀t. out (t+1) = i t

Hef INC (inc,zero) (i,out) = ∀t. out t = inc (i t)

Hef COUNT_IMP (inc,zero) (reset,out) =

Hef (inc,zero) (reset,p1,p2) ∧

REG (inc,zero) (p2,out) ∧

INC (inc,zero) (out,p1)

Hef COUNT (inc,zero) (reset,out) =

Vt. out (t+1) = (reset t ⇒ zero | (inc (out t)))
```

 $\vdash_{thm}$  COUNT\_IMP (inc,zero) (reset,out)  $\Longrightarrow$  COUNT (inc,zero) (reset,out)



#### Using "Representation Variables", ...

```
| Hoberton | Hoberton
```

```
rep: ((*word→*word) × *word)

(inc rep) - "the increment operation"
(zero rep) - "the representation of zero"

⊢thm COUNT_IMP (rep) (reset,out) ⇒ COUNT (rep) (reset,out)
```

This correctness theorem is fully generic:

 $\vdash_{thm}$  COUNT\_IMP (rep) (reset,out)  $\Longrightarrow$  COUNT (rep) (reset,out)

Recall Musser's remark that SRI's EHDM system,

"... provides a parameterized module capability that permits structuring specifications as modules that can be instantiated in many different ways."

This is quite straightforward with representation variables,

...here are two simple examples,

#### Example 1: Idealized Counter

Here again is the idealized counter:

REP\_num =  $(\lambda x. x + 1, 0)$   $\vdash_{thm}$  COUNT\_IMP (REP\_num) (reset,out)  $\Longrightarrow$  COUNT (REP\_num) (reset,out)

...which can be expanded to:  $\vdash_{thm}$  COUNT\_IMP (REP\_num) (reset,out)  $\Longrightarrow$   $\forall t. out (t+1) = (reset t \Rightarrow 0 | ((out t) + 1))$ 

#### Example 2: 8-bit Counter

Another instance could be an 8-bit version based on built-in HOL types:

```
REP8 = (\lambda x \ \text{WORD8} ((VAL8 x) + 1), \text{WORD8 0})

\[
\begin{align*}
\begin{alig
```

### Generic Specification of a Simple Microprocessor ...



datain - data from memory wmem - read/write select
dack - data acknowledge dataout - data to memory
idle - extended cycle mode dreq - data request
ireq - interrupt request addr - address to memory

iack

- interrupt acknowledge

| Instruction | Opcode Value |                       |
|-------------|--------------|-----------------------|
| JZR ·       | 0            | jump if zero          |
| JMP         | 1            | jump                  |
| ADD         | 2            | add accumulator       |
| SUB         | . 3          | subtract accumulator  |
| LDA         | 4            | load accumulator      |
| STA         | 5            | store accumulator     |
| RFI         | 6            | return from interrupt |
| NOP         | 7            | no operation          |

JZR - jump if zero

 $pc \leftarrow if iszero acc then inst else inc pc$ 

JMP - jump

 $pc \leftarrow inst$ 

ADD - add accumulator

acc ← add (acc, operand)

 $pc \leftarrow inc pc$ 

SUB - subtract accumulator

acc ← sub (acc, operand)

pc ← inc pc

LDA - load accumulator

acc ← operand pc ← inc pc

STA - store accumulator

 $mem \leftarrow store (mem, address inst, acc)$ 

pc ← inc pc

RFI - return from interrupt

 $pc \leftarrow rtn$  $iack \leftarrow F$ 

NOP - no operation

 $pc \leftarrow inc pc$ 

Interrupt

if iack = F then  $pc \leftarrow 0$   $rtn \leftarrow pc$   $iack \leftarrow T$ 



#### Data Types:

```
:bool - Boolean values {T,F}
:num - natural numbers {0,1,2,...}
:*wordn - full-size machine words
:*word3 - instruction opcodes
:*word4 - 4-bit words
:*address - memory addresses
:*memory - memory states
```

#### Generic Functions:

```
- "test if zero"
(iszero rep)
                 - "increment"
(inc rep)
                  - "addition"
(add rep)
                  - "subtraction"
(sub rep)
                  - "full-size word representation of a number"
(wordn rep)
                  - "value of a full-size word"
(valn rep)

    "extract opcode field"

(opcode rep)
                  - "value of an opcode"
(val3 rep)
                  - "extract address field"
(address rep)
                  - "read memory"
 (fetch rep)
                  - "write memory"
 (store rep)
                   - "value of a 4-bit word"
 (word4 rep)
                   - "4-bit word representation of a number"
 (val4 rep)
```

```
rep_ty =
  :(*wordn→bool)×
                                              % iszero %
   (*wordn→*wordn)×
                                              % inc %
   (*wordn×*wordn→*wordn)×
                                              % add %
   (*wordn×*wordn→*wordn)×
                                              % sub %
                                              % wordn %
   (num→*wordn) ×
   (*wordn→num) ×
                                              % valn %
   (*wordn→*word3)×
                                              % opcode %
   (*word3→num)×
                                              % val3 %
   (*wordn→*address)×
                                              % address %
   (*memory \times *address \rightarrow *wordn) \times
                                             % fetch %
   (*memory \times *address \times *wordn \rightarrow *memory) \times
                                             % store %
   (num→*word4)×
                                              % word4 %
   (*word4→num)
                                             % val4 %
```

```
Hdef TamarackImp (rep:rep_ty)
    (datain, dack, idle, ireq, mpc, mar, pc,
     acc,ir,rtn,arg,buf,iack,dataout,wmem,dreq,addr) =
    Exeroflag opc cnt/s.
      CntlUnit rep (dack,idle,ireq,iack,zeroflag,opc,mpc,cntls) A
      DataPath ( p)
         cntls, datain, mar, pc, acc, ir, rtn, iack,
         arg, buf, dataout, wmem, dreq, addr, zeroflag, opc)
Hdef DataPath (rep:rep_ty)
     (cntls, datail, mar, pc, acc, ir, rtn, iack,
      arg, buf, databut, wmem, dreq, addr, zeroflag, opc) =
    Bbus busokay alu pwr gnd rmem wmar wpc rpc
      wacc racc wir rir wrtn rrtn warg alu0 alui rbuf.
       DecodeCntls
         cntls.
         wmem, rmem, wmar, wpc, rpc, wacc, racc,
         wir, rir, wrth, rrtn, warg, alu0, alu1, rbuf) A
       BusOkay (rmem, rpc, racc, rir, rrtn, rbuf, busokay) A
       Interface rep (busokay, wmem, rmem, bus, datain, dataout) A
       OR (wmem, rmem, dreq) A
       Register (bhsokay, wmar, gnd, bus, bus, mar) A
       AddrField mep (mar, addr) A
       Register (busokay, wpc, rpc, bus, bus, pc) A
       Register (busokay, wacc, racc, bus, bus, acc) A
       TestZero rep (acc, zeroflag) A
       Register /(busokay,wir,rir,bus,bus,ir) A
       OpcField/rep (ir,opc) A
       Register (busokay, wrtn, rrtn, bus, bus, rtn) A
       JKFF (wrtn, rrtn, iack) A
       Register (busokay, warg, gnd, bus, bus, arg) A
       ALU rep (alu0, alu1, arg, bus, alu) A
       Register (busokay, pwr, rbuf, alu, bus, buf) A
       PWR pwr
       GND gnd
Hall (rep:rep)ty) (f0,f1,inp1,inp2,out) =
           out t = (((f0 t,f1 t) = (T,T)) \rightarrow ((inc rep) (inp2 t)) |
                     ((f0 t,f1 t) = (T,F)) \rightarrow ((add rep) (inp1 t,inp2 t)) |
                     ((f0 t,f1 t) = (F,T)) \rightarrow ((sub rep) (inp1 t,inp2 t)) |
                                                 ((wordn rep) 0))
```

```
HarackBeh (rep) rep_ty) (ireq,mem,pc,acc,rtn,iack) =
         (mem (u+1),pc (u+1),acc (u+1),rtn (u+1),iack (u+1)) =
       Vu:time.
         NextState rep (ireq u,mem u,pc u,acc u,rtn u,iack u)
Hef NextState (fep rep_ty) (ireq,mem,pc,acc,rtn,iack) =
        let opcval = OpcVal rep (mem,pc) in
         ((ireq ∧ ¬iack) . ⇒ IRQ_SEM rep (mem,pc,acc,rtn,iack) |
         (opcval = JZR_OPC) ⇒ JZR_SEM rep (mem,pc,acc,rtn,iack) |
          (opcval = JMP_OPC) = JMP_SEM rep (mem,pc,acc,rtn,iack) |
          (opcval = ADD_OPC) ⇒ ADD_SEM rep (mem,pc,acc,rtn,iack) |
          (opcval = SUB_OPC) \Rightarrow SUB_SEM rep (mem,pc,acc,rtn,iack) |
           (opcval = LDA_OPC) \Rightarrow LDA_SEM rep (mem,pc,acc,rtn,iack) |
           (opcval = STA_OPC) ⇒ STA_SEM rep (mem,pc,acc,rtn,iack) |
           (opcval = RFI_OPC) ⇒ RFI_SEM rep (mem,pc,acc,rtn,iack) |
                                NOP_SEM rep (mem,pc,acc,rtn,iack))
  Hdef JZR_SEM (rep)rep_ty)
         (mem: *memory,pc: *wordn,acc: *wordn,rtn: *wordn,iack: bool) =
         let inst = (fetch rep) (mem, (address rep) pc) in
         let nextpc = ((iszero rep) acc) \Rightarrow inst | ((inc rep) pc) in
            (mem, nextpc, acc, rtn, iack)
  Hdef JMP_SEM (rep:rep_ty)
          (mem:*memory,pc:*wordn,acc:*wordn,rtn:*wordn,iack:bool) =
          let inst =/(fetch rep) (mem,(address rep) pc) in
            (mem, inst, acc, rtn, iack)
   Hdef ADD_SEM (rep:rep_ty)
           (mem: *memory, pc: *wordn, acc: *wordn, rtn: *wordn, iack: bool) =
          let inst = (fetch rep) (mem, (address rep) pc) in
           let operand = (fetch rep) (mem,(address rep) inst) in
             (mem,(inc rep) pc,(add rep) (acc,operand),rtn,iack)
```

#### Re-usable Correctness Results, ...

```
|- Vdatain pwr dataout wmem dreq addr.
| Val3_CASES_ASM (rep:rep_ty) \( \)
| Val4Word4_ASM rep \( \)
| TamarackImp rep (
| datain,pwr,pwr,ireq,mpc,mar,pc,
| acc,ir,rtn,arg,buf,iack,dataout,wmem,dreq,addr) \( \)
| SynMemory rep (wmem,addr,dataout,mem,datain) \( \)
| PWR pwr \( \)
| (((val4 rep) o mpc) 0 = 0)
| \implies \)
| let f = TimeOfCycle rep (ireq,mem,pc,acc,rtn,iack) in
| TamarackBeh rep (ireq o f,mem o f,pc o f,acc o f,rtn o f,iack o f)
```

- independent of any fixed word size.
- independent of elaborate proof infrastructure
- could be linked into a verified stack

```
Define ("ISZER016 w = ((VAL16 w) = 0)");;
Define ("INC16 w = WORD16 ((VAL16 w) + 1)");;
Define ("ADD16 (w1,w2) = WORD16 ((VAL16 w1) + (VAL16 w2))");;
Define ("SUB16 (w1,w2) = WORD16 ((VAL16 w1) - (VAL16 w2))");;
Define ("OPCODE w = WORD3 (V (SEG (0,2) (BITS16 w)))");;
Define ("ADDRESS w = WORD13 (V (SEG (3,15). (BITS16 w)))");;
Define (
  "REP16 =
    ISZER016.
                                            % iszero %
  INC16,
                                            % inc %
    ADD16,
                                            % add %
    SUB16.
                                            % sub %
    WORD16,
                                            % wordn %
    VAL16,
                                            % valn %
    OPCODE,
                                            % opcode %
    VAL3,
                                            % val3 %
    ADDRESS,
                                            % address %
    (\lambda(x,y)). FETCH13 x y),
                                            % fetch %
    (\lambda(x,y,z)). STORE13 y z x),
                                            % store %
   WORD4,
                                            % word4 %
    VAL4");;
                                            % val4 %
```

... which is just "plugged into" the generic correctness theorem:

```
|- Vdatain pwr dataout wmem dreq addr.

Val3_CASES_ASM REP_16 \( \)

Val4Word4_ASM REP_16 \( \)

TamarackImp REP_16 \( \)

datain,pwr,pwr,ireq,mpc,mar,pc,
    acc,ir,rtn,arg,buf,iack,dataout,wmem,dreq,addr) \( \)

SynMemory REP_16 \( \)

wmem,addr,dataout,mem,datain \( \)

PWR pwr \( \)

\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
\( \)
```

# Fully generic description of hardware in VHDL,

```
package TYPES is

subtype word_3 is bit_vector (2 downto 0);
subtype word_4 is bit_vector (3 downto 0);
subtype word_n is bit_vector (15 downto 0);
subtype num is natural;
subtype bool is boolean;
end TYPES;
```

```
library tamarack;
use tamarack.types.all;

package TAM3 is

function iszero (inp:word_n) return bool;
function inc (inp:word_n) return word_n;
function add (inp1,inp2:word_n) return word_n;
function sub (inp1,inp2:word_n) return word_n;
function wordn (inp:num) return word_n;
function valn (inp:word_n) return num;
function opcode (inp:word_n) return word_3;
function val3 (inp:word_3) return num;
function word4 (inp:num) return word_4;
function val4 (inp:word_4) return num;
end TAM3;
```

```
function iszero (inp:word_n) return bool is
  variable result :bool := TRUE;
begin
  for i in inp'low to inp'high loop
    if inp(i) = '1' then
        result := FALSE;
    end if;
end loop;
return(result);
end iszero;
```

UBC HOL Course, 4-8 June 1990, © Cardell-Oliver, Herbert, Joyce

4

A typical formalism involves a set of operators,

e.g., the temporal logic operators

- □ "henceforth"
- ♦ "eventually"
- O "next"
- U "until"

... and a set of transformation rules:

e.g., 
$$\frac{P \text{ and (not Q)} \longrightarrow \bigcirc P}{P \longrightarrow (P \cup Q)}$$

To embed a formalism in HOL:

1. definitions are given for the operators based on a semantic theory for the formalism;

$$\square$$
 P =  $\lambda$ t.  $\forall$ n. P (t+n)

2. standard transformation rules are derived from operator definitions as theorems of higher-order logic

$$\forall P \ Q. \ VALID((P \land (\neg Q)) \longrightarrow (\bigcirc P)) \Longrightarrow VALID(P \longrightarrow (P \cup Q))$$

## Contrast with 'Syntax-Based' Approaches

This approach differs fundamentally from 'syntax-based' approaches of developing support tools for formalisms:

for instance, tools such as the Cornell Synthesizer Generator (CSG) have been used to develop support tools for the protocol specification language LOTOS.

In the 'syntax-based' approach, transformation rules are simply 'programmed' (prehaps inconsistently!) into the system.

#### ...but in a HOL approach,

Transformation rules are be formally dervied as logical consequences of the semantic theory (i.e. definitions of primitive operators).

While the HOL system is principally concerned the semantic aspects of representing an embedding formalism, it is often possible to also represent syntactic aspects of the formalism.



#### An Example

Here's an example of when an embedded notations makes a big difference!





Synchronizing Data Transfer with Handshaking Signals

7

UBC HOL Course, 4-8 June 1990, © Cardell-Oliver, Herbert, Joyce

The timing diagram is the standard way to describe constraints on the relative order of events in a handshaking sequence.

Some of these constraints, along with additional constraints, are expressed below in natual language.

"whenever the request signal becomes true, it must remain true until it is acknowledged"

"every request must eventually be acknowledged"

"whenever the acknowledgement signal becomes true, it must remain true until the request signal returns to false"

> "the request signal will eventually return to false after the request is acknowledged"

"whenever the request signal is false, it will remain false until the acknowledgement signal is also false"

"the acknowledgement signal will eventually return to false after the request signal returns to false"

"once false, the acknowledgement signal will remain false until there is a request"

> "whenever the acknowledgement signal is false, there will eventually be a request"

For handshaking to work correctly, these constraints must hold.



The natural language descriptions are the previous page could be translated into the following set of eight assertions:

$$\forall t. \ req \ t \Longrightarrow (\forall n. \ (\forall m. \ m < n \Longrightarrow \ ack(t+m)) \Longrightarrow req(t+n))$$
 
$$\forall t. \ req \ t \Longrightarrow (\exists n. \ ack(t+n))$$

$$\forall t. \ ack \ t \Longrightarrow (\forall n. \ (\forall m. \ m < n \Longrightarrow \ req(t+m)) \Longrightarrow ack(t+n))$$

$$\forall t. \ ack \ t \implies (\exists n. \ "req(t + n))$$

$$\forall t. \text{ req } t \Longrightarrow (\forall n. (\forall m. m < n \Longrightarrow ack(t+m)) \Longrightarrow req(t+n))$$

$$\forall t. \text{ "req } t \Longrightarrow (\exists n. \text{ "ack}(t + n))$$

$$\forall t. \ \ ack \ t \Longrightarrow (\forall n. \ (\forall m. \ m < n \Longrightarrow \ req(t+m)) \Longrightarrow \ \ ack(t+n))$$

$$\forall t. \text{ "ack } t \implies (\exists n. \text{ req}(t + n))$$

But this is not very easy to read!

UBC HOL Course, 4-8 June 1990, © Cardell-Oliver, Herbert, Joyce

9

For instance, the assertion,

$$\forall t. \text{ req } t \Longrightarrow (\forall n. (\forall m. m < n \Longrightarrow ack(t + m)) \Longrightarrow req(t + n))$$
 ... is supposed to say:

"whenever the request signal becomes true, it must remain true until it is acknowledged"

... but it is difficult to translate between this natural language description and the above description in higher-order logic.

#### A Better Idea!

A much easier notation for expressing constraints of this form is the notation of temporal logic:  $\lambda - m \lambda \lambda$ 

$$(req \longrightarrow (req \cup ack))$$

"whenever the request signal becomes true, it must remain true until it is acknowledged"

... where 'U' can informally be understood to mean "until".

Similarly, instead of,

$$\forall t. \text{ req } t \Longrightarrow (\exists n. \text{ ack}(t + n))$$

... we can use the notation of temporal logic to express this same condition,

$$(req \longrightarrow (\Diamond ack))$$

← ATAIL

"every request must eventually be acknowledged"

 $\dots$  where ' $\diamondsuit$ ' means "eventually".

(Note: there are no explicit time variables t in the temporal logic specifications.)

Here is the complete translations into temporal logic notation:

$$(req \longrightarrow (req \cup ack))$$

"whenever the request signal becomes true, it must remain true until it is acknowledged"

$$(req \longrightarrow (\Diamond ack))$$

"every request must eventually be acknowledged"

$$(ack \longrightarrow (ack \cup (\neg req)))$$

"whenever the acknowledgement signal becomes true, it must remain true until the request signal returns to false"

$$(ack \longrightarrow (\Diamond(\neg req)))$$

"the request signal will eventually return to false after the request is acknowledged"

$$((\neg req) \longrightarrow ((\neg req) \cup (\neg ack)))$$

"whenever the request signal is false, it will remain false until the acknowledgement signal is also false"



12

UBC HOL Course, 4-8 June 1990, © Cardell-Oliver, Herbert, Joyce

$$((\neg req) \longrightarrow (\Diamond(\neg ack)))$$

"the acknowledgement signal will eventually return to false after the request signal returns to false"

$$((\neg ack) \longrightarrow ((\neg ack) \cup req))$$

"once false, the acknowledgement signal will remain false until there is a request"

$$((\neg ack) \longrightarrow (\Diamond req))$$

"whenever the acknowledgement signal is false, there will eventually be a request" To take advantage of this concise notation, the notation of temporal can be embedded in higher-order logic:

We first define the primitive operators,

$$\vdash_{def} \Box P = \lambda t. \ \forall n. \ P \ (t+n)$$

$$\vdash_{def} \diamondsuit P = \lambda t. \ \exists n. \ P \ (t+n)$$

$$\vdash_{def} \bigcirc P = \lambda t. \ ((P \ (t+1)):bool)$$

$$\vdash_{def} P \cup Q = \lambda t. \ \forall n. \ (\forall m. \ m < n \implies \neg (Q \ (t+m))) \implies P \ (t+n)$$

$$\vdash_{def} \neg P = \lambda t. \ \neg (P \ t)$$

$$\vdash_{def} P \longrightarrow Q = \lambda t. \ P \ t \implies Q \ t$$

$$\vdash_{def} P \land Q = \lambda t. \ P \ t \land Q \ t$$

$$\vdash_{def} VALID P = \forall t. \ P \ t$$

... and derive rules of temporal logic as theorems of higher-order logic:

$$\forall P \ Q. \ VALID((P \land (\neg Q)) \longrightarrow (\bigcirc P)) \Longrightarrow VALID(P \longrightarrow (P \cup Q))$$

which corresponds to:

$$\frac{P \text{ and (not Q)} \longrightarrow \bigcirc P}{P \longrightarrow (P \cup Q)}$$

#### **Exercises:**

- 1. Create a theory for the above temporal logic operators (based on the definitions given). You will have to use some machine-readable symbols instead of  $\square$ ,  $\diamondsuit$ ,  $\cup$ , etc.
- 2. Derive some rules of temporal logic, namely:

$$\forall P \ Q \ S. \ VALID \ (P \longrightarrow Q) \ \land \ VALID \ (Q \longrightarrow S) \Longrightarrow VALID \ (P \longrightarrow S)$$

```
expandf (PURE_REWRITE_TAC [ ... ] THEN
    BETA_TAC THEN
    REPEAT STRIP_TAC THEN
    RES_TAC THEN
    RES_TAC);;
```

$$\forall P \ Q \ S.$$
 $VALID \ (P \longrightarrow (\diamondsuit \ Q)) \land VALID \ (Q \longrightarrow S) \Longrightarrow VALID \ (P \longrightarrow (\diamondsuit \ S))$ 

```
expandf (PURE_REWRITE_TAC [ ... ] THEN

BETA_TAC THEN

REPEAT STRIP_TAC THEN

RES_THEN (X_CHOOSE_TAC "n:num") THEN

EXISTS_TAC "n:num" THEN

RES_TAC);;
```

# A low-level circuit model in HOL

by

Brian Andersen and Carsten Rickers

### Outline of our talk

- Introduction
- -Presentation of the model
- -Implementation
- -Performing proofs
- -Future developments

### Introduction

### We need a model that:

- -introduce new voltage values
- -captures some of the informal arguments used by designers
- -introduce resistances and capacitances
- -deduce the flow of signals rather than imposing a flow
- -is compositional

### What is a circuit?



sort:

the set of connection points

Composition:

c1 o c2

Hiding:

 $c \setminus \alpha$ 

### The voltage values:

### The strength order:

### Attributes describing a circuit.



V:  $\Lambda \rightarrow V$  (the value function)

I:  $\Lambda \rightarrow V$  (the internal value function)

S:  $\Lambda \rightarrow S$  (the strength function)

 $\rightarrow$ :  $\Lambda \rightarrow \Lambda \rightarrow$  bool (the flow relation)

### A static configuration.

### **Definition:**

A static configuration of sort  $\Lambda$  is a structure

### which satisfy

$$\begin{split} S(\alpha) &= 0 \Leftrightarrow V(\alpha) = Z \\ I(\alpha) &\leq V(\alpha) \\ \alpha &\to \beta \Rightarrow S(\alpha) \geq S(\beta) \\ \alpha &\to \beta \Rightarrow I(\alpha) \leq i(\beta) \land V(\alpha) \leq V(\beta) \\ \alpha &\to \beta \land S(\beta) \in K \cup \{0\} \to S(\alpha) = S(\beta) \\ \alpha &\to \beta \land S(\alpha) = S(\beta) \Rightarrow \beta \to \alpha \end{split}$$

### Composition of two circuits.

 $\sigma 0 = (S0, V0, I0, \rightarrow 0)$  and  $\sigma 1 = (S1, V1, I1, \rightarrow 1)$  are static configurations of sort  $\Lambda 0$  and  $\Lambda 1$  respectively.

$$\sigma 0 \circ \sigma 1 = (S, V, I, \rightarrow)$$

if S0  $\Gamma \Lambda 1$  = S1  $\Gamma \Lambda 0$  and V0  $\Gamma \Lambda 1$  = V1  $\Gamma \Lambda 0$  and undefined otherwise

$$\begin{split} S &= S0 \cup S1 \text{ and } V = V0 \cup V1 \text{ and } \rightarrow = (\rightarrow 0 \cup \rightarrow 1)^* \text{ and} \\ I(\alpha) &= \Sigma \{I0(\beta) \mid \beta \in \Lambda 0 \text{ and } \beta \rightarrow \alpha\} + \\ &\qquad \Sigma \{I1(\beta) \mid \beta \in \Lambda 1 \text{ and } \beta \rightarrow \alpha\} \end{split}$$

for any  $\alpha \in \Lambda 0 \cup \Lambda 1$ .

### Hiding a point in a circuit.

 $\sigma = (S, V, I, \rightarrow)$  is a static configuration of sort  $\Lambda$ .

$$\sigma \setminus \alpha = (S \setminus \alpha, V \setminus \alpha, I \setminus \alpha, \rightarrow \setminus \alpha)$$

if  $\alpha \notin \Lambda$  or  $V(\alpha) = I(\alpha) + \Sigma \{V(\beta) \mid \beta \in \Lambda \setminus \alpha \text{ and } \beta \to \alpha\}$ , and to be undefined otherwise.

### A language to describe circuits.

#### Syntax:

c ::= Pow(
$$\alpha$$
) | Gnd( $\alpha$ ) |
capkH( $\alpha$ ) | capkL( $\alpha$ ) |
pt( $\alpha$ ) | wre( $\alpha$ ) | resg( $\alpha$ , $\beta$ ) |
ntran( $\alpha$ , $\beta$ , $\gamma$ ) | ptran( $\alpha$ , $\beta$ , $\gamma$ ) |
c o c | c \  $\alpha$ 



#### **Semantics:**

$$\begin{split} [[\text{ntran}(\alpha,\beta,\gamma)]] &= \{ \ \sigma \in \ \text{Sta}(\alpha,\beta,\gamma) \ \big| \ I(\alpha) = Z \land I(\beta) = Z \land \\ I(\gamma) &= Z \land \gamma \big| \big| \ \alpha \land \gamma \big| \big| \ \beta \land (\alpha \big| \big| \ \beta \lor \alpha \leftrightarrow \beta) \land \\ (V(\gamma) &= H \Leftrightarrow \alpha \leftrightarrow \beta) \land (V(\gamma) = L \Leftrightarrow \alpha \big| \big| \ \beta) \} \end{split}$$

 $[[c \circ d]] = \{ \sigma \circ \rho \mid \sigma \in [[c]] \text{ and } \rho \in [[d]] \text{ and } \sigma \circ \rho \downarrow \}$ 

### An assertion language.

#### Syntax:

Value terms:  $t := H \mid L \mid Z \mid X \mid V(\pi) \mid I(\pi)$ 

Strength terms:  $e := s \mid S(\pi) \mid e \bullet e \mid e + e$ 

Assertions for static configurations:

$$\phi ::= \pi 0 = \pi 1 \mid \pi 0 \rightarrow \pi 1 \mid$$

$$t0 = t1 \mid t0 \le t1 \mid$$

$$e0 = e1 \mid e0 \le e1 \mid$$

$$T \mid F \mid \phi \land \phi \mid \phi \lor \phi \mid \neg \phi \mid$$

$$\exists x. \phi \mid \forall x. \phi$$

#### **Semantics:**

$$[[t0 = t1]] = \{ \sigma \in Sta \mid [[t0]]\sigma \downarrow \text{ and } [[t1]]\sigma \downarrow \text{ and } [[t0]]\sigma = [[t1]]\sigma \}$$

# A Proof System in HOL

We will concentrate on goals as:  $[c] \subseteq [A]$ 

compositional model:

Requirements to the implementation:

Basic Concepts
Static Configurations
Basic Circuits
Hide, Comp
Assertion Language
Tactics

# **Basic concepts**

points  $\rightarrow$  num in HOL voltage, strength  $\rightarrow$  new types with operations:

let strength = define\_new\_type ('strength',
 strength = Zero\_str | Cap num | Res num | Inf\_str");;

let vlt = new\_definition('vlt', "\$vlt x y =  $\sim$ (x = y)  $\wedge$  (x = Z)  $\vee$  (y = X)");;

assertion language → build-in operations in HOL + expressions over the new types

f.x.: (v in = H) ==> (i out = L)

### Static configurations

```
sort is described by a point function (indirect sort)
```

### **Basic circuits**

The basic circuits are defined as predicates:

cnsvir

### Composition

```
comp c1 c2 = \n s v i r.
?n1 s1 v1 i1 1r n2 s2 v2 i2 r2.
(c1 n1 s1 v1 i1 r1) ∧ (static n1 s1 v1 i1 r1) ∧
(c2 n2 s2 v2 i2 r2) ∧ (static n2 s2 v2 i2 r2) ∧
(static n1 s1 v1 i1 r1) ∧
(!k. n1 k \land n2 k ==> (s1 k = s2 k) \land (v1 k = v2 k)) \land
(!k. n k = n1 k \vee n2 k) \wedge
(!k. n k ==> (s k = (n1 k => s1 k | s2 k)) \land
(!k. n k ==> (v k = (n1 k => v1 k | v2 k)) \land
(!a b. n1 a \land n1 b \land r1 a b = n1 a \land n1 b \land r a b) \land
(!a b. n2 a \land n2 b \land r2 a b = n2 a \land n2 b \land r a b) \land
(!a b c. n1 a \land ~n2 a \land n1 b \land n2 b \land ~n1 c \land n2 c \land
                    r1 a b \land r2 b c = n1 a \land n2 c \land r a c) \land
(!a b c. n2 a \land ~n1 a \land n1 b \land n2 b \land ~n2 c \land n1 c \land
                    r2ab \land r1bc = n2a \land n1c \land rac) \land
(!k. n k ==> (i k = vjoinset (\z. ? j. n j \land r j k \land
                ((n1 \ j \land (z = i1 \ j) \lor (n2 \ j \land (z = i2 \ j)))))
```

### **Tactics**

### An example:

can be shown by the properties of inv (+ comp)

proving methodology:

Rewrite with the definition of comp Tranfer to the assumption list Add Facts to the assumption list until enough to show the goal

# A proving step



### **A Dynamic Model**

### Dynamic model as sequence of steady states

#### time parameter:

$$!t.(v t in = H) ==> (i t out = L)$$

### **Future developments**

We have implemented a hardware model in HOL that works reasonable

Still some work to do

Better transistor description can be obtained

Extensions to other types of proves as: [c1] = [c2]

Can easily be extended to a dynamic model

### THE VERIFICATION OF A

### PARAMETERIZED MEAD&CONWAY

alu core in hol

CATIA ANGELO
LUC CLAESEN
HUGO DE MAN



MAY 90

#### OUTLINE

- PRELIMINARY CONSIDERATIONS
- INTRODUCTION
- THE DESIGN PROCESS
  - 1- LOGICAL FUNCTIONS
  - 2- ARITHMETIC FUNCTIONS
- THE PROOF
  - 1- USING THE KNOWLEDGE OF THE DESIGN PROCESS
  - 2- STRATEGY AND PROOF FLEXIBILITY
  - 3- GOING FROM A IRREGULAR STRUCTURE
    TO A REGULAR STRUCTURE
  - CONCLUSIONS

### PRELIMINARY CONSIDERATIONS

#### 1- GLOBAL GOALS:

- LEARN HOL;
- DEVELOP A METHODOLOGY FOR HARDWARE VERIFICATION USING HOL;
- IDENTIFY THE BOTTLENECKS OF THE METHODOLOGY AND HOL;
- LIBRARY OF PRE-PROVEN MODULES;
- LIBRARY OF USEFUL STRATEGIES TO PROVE HARDWARE CORRECTNESS (TACTICS AND TACTICALS).
- 2- LOCAL GOAL: ALU VERIFICATION IN HOL

THE ALU CORE IS A GOOD EXAMPLE BECAUSE THE BEHAVIOR IS SPREAD ALL OVER THE DATA FLOW AND IT IS NOT COMPLETELY STRUCTURED IN SUB-BEHAVIORS.

#### PRELIMINARY CONSIDERATIONS

#### 1- GLOBAL GOAL:

- DEVELOP A METHODOLOGY FOR HARDWARE VERIFICATION
  USING HOL AND BOYER MOORE IN SUITABLE LEVELS
- IDENTIFY THE BOTTLENECKS OF:
  - THE METHODOLOGY
  - HOL
  - BOYER MOORE
- HOL:
  - LIBRARY OF PRE-PROVEN MODULES
  - LIBRARY OF USEFUL STRATEGIES TO PROVE HARDWARE CORRECTNESS (TACTICS AND TACTICALS)

2- LOCAL GOAL: ALU VERIFICATION IN HOL

THE ALU CORE IS A GOOD EXAMPLE BECAUSE THE BEHAVIOR
IS SPREAD ALL OVER THE DATA FLOW AND IT IS NOT

COMPLETELY STRUCTURED IN SUB-BEHAVIORS

#### INTRODUCTION

- THE GOAL IS TO PROVE THAT:

  ALU IMPLEMENTATION = ALU SPECIFICATION
- THE ALU IS PARAMETERIZED ON THE WORD SIZE N



- THE ALU SOULD PERFORM LOGICAL OR ARITHMETIC OPERATIONS ON THE VECTORS "A" AND "B" DEPENDING ON THE CONTROLS.

  THE SPECIFICATION IS MADE IN A PROGRAMMING LANGUAGE LIKE.
- THE VERIFICATION LEVELS:



#### 1- LOGICAL FUNCTIONS:



| DECIMAL CODE | BINA | RY          | COD | E   | OUT             |
|--------------|------|-------------|-----|-----|-----------------|
| DECIMAL CODE | СТ3  | C <b>T2</b> | CT1 | СТ0 |                 |
| 0            | 0    | 0           | 0   | 0   | 1               |
| 1            | 0    | 0           | 0   | 1   | (A ∧ B)'        |
| 2            | 0    | 0           | 1   | 0   | (A' ∨ B)        |
| 3            | 0    | 0           | 1   | 1   | A'              |
| 4            | 0    | 1           | 0   | 0   | (A ∨ B)         |
| 5            | 0    | 1           | 0   | 1   | (A 🔀 B )        |
| 6            | 0    | 1           | 1   | 0   | В               |
| 7            | 0    | 1           | 1   | 1   | (A' ∧ B)        |
| 8            | 1    | 0           | 0   | 0   | (A V B')        |
| 9            | 1    | 0           | 0   | 1   | В'              |
| 10           | 1    | 0           | 1   | 0   | (A <b>(B</b> )' |
| 11           | 1    | 0           | 1   | 1   | (A ∨ B)'        |
| 12           | 1    | 1           | 0   | 0   | A               |
| 13           | 1    | 1           | 0   | 1   | (A ∧ B')        |
| 14           | 1    | 1           | 1   | 0   | (A ∧ B)         |
|              | 1    | 1           | 1   | 1   | 0               |
| 15           | 1    | 1           | 1   | A   |                 |



THE GFB BAR



THE GFB BAR PERFORMS ALL LOGICAL OPERATIONS WITH TWO VECTORS A AND B.

#### 2- ARITHMETIC FUNCTIONS THEY ARE ALL A KIND OF ADDITION

| С | A | В | K | Р | SUM | CARRY |
|---|---|---|---|---|-----|-------|
| 0 | 0 | 0 | 0 | 0 | 0   | 0     |
| 0 | 0 | 1 | 0 | 1 | 1   | 0     |
| 0 | 1 | 0 | 1 | 1 | 1   | 0     |
| 0 | 1 | 1 | 1 | 0 | 0   | 1     |
| 1 | 0 | 0 | 0 | 0 | 1   | 0     |
| 1 | 0 | 1 | 0 | 1 | 0   | 1     |
| 1 | 1 | 0 | 1 | 1 | 0   | 1     |
| 1 | 1 | 1 | 1 | 0 | 1   | 1     |

$$K = A$$
 $P = EXOR (A,B)$ 
 $CARRY = (P \land C) \lor (P' \land K)$ 
 $SUM = EXOR(P,C)$ 

#### FOR N BITS:

#### IDEAL CARRY CHAIN



BUT...



# HOW TO CASCADE? POSSIBLE SOLUTIONS:

1)



**BAD SOLUTION!** 

WASTE OF TIME AND AREA!



IF INSTEAD OF Kj = Aj ONE GENERATES Kj = Aj' IN THE K GFB BAR:



SINCE BUFFERING CIN AND COUT IS DESIRED THE CHAIN IS SHIFTED



263

# 'GFBB' BEHAVES LIKE GFBB BUT IT HAS A DIFFERENT HARDWARE





| DECIMAL CODE                                                           | BINARY CODE CT3 CT2 CT1 CT0                                                                           | OUT                                                                                                    |
|------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
| 0<br>1<br>2<br>3<br>4<br>5<br>6<br>7<br>8<br>9<br>10<br>11<br>12<br>13 | 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 0 0 1 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 | 1 (A' ∨ B) (A ∧ B)'  A' (A ∨ B') (A ⊕ B)'  B' (A ∨ B)' (A ∨ B)  B (A ⊕ B)  (A ∨ B)  A (A ∧ B)  (A ∧ B) |
| 15                                                                     | 1 1 1 1                                                                                               | 0                                                                                                      |

### **GFBB CIRCUIT**



### GFB CIRCUIT



### THE CARRY CHAIN CELLS





ODD CELL

**EVEN CELL** 







- THE OPERATION IS PERFORMED IN THE P BAR
- CR IS SUCH THAT OUT; = Pj
- WHAT HAPPENS IN THE K BAR AND IN THE CARRY CHAIN DOES NOT MATTER
- THE DATA FLOW IS HORIZONTAL

### **ARITHMETIC OPERATIONS:**

- THEY CAN BE SEEN AS A KIND OF ADDITION
- THE DATA FLOW IS BOTH HORIZONTAL AND VERTICAL
- HORIZONTAL FLOW: PARALLEL
- VERTICAL FLOW: SERIAL (SPEED BOTTLENECK)



#### P = 1 MEANS: CARRY INFORMATION IS PROPAGATED

$$(Pi = 1) \land (Pi+1 = 1) \land (Pi+2 = 1) \land (Pi+3 = 1)$$
  
==> ci+3 = ci-1



E: EVEN CELL; O: ODD CELL; B: BYPASS CELL
E O E O B E O E O B E O E O B ...

REMARK: THE CHAIN COULD BE FASTER ELIMINATING THE OUTPUT INVERSION OF THE BYPASS CELL AND CHANGING ITS STRUCTURE TO:

E O E O B O E O E B E O E O B...



#### THE PROOF

- 1 USING THE KNOWLEDGE OF THE DESIGN PROCESS WE HAVE A HINT ABOUT WHAT TO PROVE OR CONSIDER LIKE:
  - THE GFB PERFORMS THE LOGICAL OPERATIONS
  - GFBB (CT, A, B) = GFB (CT, A, B')
  - CARRY CHAIN WITH BYPASS = CARRY CHAIN WITHOUT BYPASS CELLS
  - CARRY CHAIN + RESULT BAR PERFORM SOME IDEAL OPERATIONS
  - WHEN EXECUTING A LOGICAL FUNCTION: ALU BEHAVIOR = P BAR BEHAVIOR
  - THE ARITHMETIC OPERATIONS ARE A KIND OF ADDITION

#### 2- STRATEGY AND PROOF FLEXIBILITY



## CONSIDER IN THE ALU THAT:

- SOMEONE USES A BYPASS OF SIZE DIFFERENT OF FOUR AND/OR
- SOMEONE CHANGES THE START POSITION OF THE BYPASS CELL AND/OR
- SOMEONE OMITS THE OUTPUT INVERTER IN THE BYPASS CELL AND CHANGES THE STRUCTURE OF THE CARRY CHAIN

#### GOING FROM IMPLEMENTATION TO IMPLEMENTATION' WOULD

- REQUIRE AN ADDITIONAL STEP
   NOT REQUIRE REDOING ALL THE VERIFICATION
- 3- GOING FROM A IRREGULAR STRUCTURE TO A REGULAR STRUCTURE:
  - THE BYPASS CELL ELIMINATION
  - THE CARRY CHAIN AND THE RESULT BAR TRANSFORMATIONS
  - THE FOUR BAR TRANSFORMATIONS

#### **EOEO BLOCK**





### **BYPASS BLOCK**





### BYPASS CELL ELIMINATION

cin' = cin\_bet' ==>





### **CARRY CHAIN TRANSFORMATIONS**



### CARRY CHAIN AND RESULT BAR TRANSFORMATIONS



### IDEAL CELL









### **EAT NEGATION CELL**





**GFB** 

outi 1

**GFBB** 

OUTi+1

### **CELL TRANSFORMATIONS**



OUTi

### FOUR BAR TRANSFORMATION



#### **ALU SLICE**



### REGULAR ALU



IRREGULAR ALU = REGULAR ALU

REGULAR ALU = SPECIFICATION

IRREGULAR ALU = SPECIFICATION

REGULAR ALU = SPECIFICATION ==>

SLICE REASONING AND INDUCTION

### **CONCLUSIONS:**

- 1- THE REASONING USED IN THE HARDWARE DESIGN SHOULD BE USED IN THE VERIFICATION
- 2- REMOVING IRREGULARITIES FROM THE IMPLEMENTATION
  BEFORE GOING TO THE SPECIFICATION LEVEL IS A
  POWERFUL STRATEGY TO STRUCTURE THE CORRECTNESS
  PROOF

## The HOL Verification of ELLA Designs

Richard Boulton, Mike Gordon, John Herbert, John Van Tassel

University of Cambridge Computer Laboratory
New Museums Site
Pembroke Street
Cambridge CB2 3QG
England

rjb@cl.cam.ac.uk

Phone: +44 223 334729 Fax: +44 223 334678

## Motivation

Two methods used to specify hardware:

- Hardware description languages, e.g. ELLA, VHDL
- Formal systems, e.g. HOL, Boyer-Moore logic

There is currently a gap between these two methods.

## Our Aims

To build a bridge between the two methods for ELLA and the HOL proof assistant.

- Make formal specification and proof available within a conventional design process
- Provide access to the engineering tools in a theorem proving environment

## Our Approach

To semantically embed a subset of ELLA in higher order logic.

### Semantic Embedding

Each construct in the chosen subset of ELLA is represented by a logical constant.

The constants are defined to have the behaviour of the corresponding language construct.

The use of 'semantic constants' gives us:

- A simple translation from ELLA to HOL terms
- The ability to pretty-print the HOL terms as the original ELLA constructs

The semantic constants can be expanded and simplified to yield a more conventional logical specification of the hardware.

The behavioural specification can be given as highlevel ELLA or in pure logic.

## The System





### An Example

A simple circuit:



The ELLA for the circuit:

```
BEGIN

MAKE INV: out.

JOIN in -> out.

OUTPUT out

END
```

The HOL representation of the ELLA:

```
\varepsilon \text{OUTPUT.} \exists \text{out out\_fn.} \text{SERIES} [\text{MAKE}[[\text{MAKEITEM INV out\_fn}]]; \text{JOIN} [\text{JOINITEM in out out\_fn}(\lambda x'. \varepsilon f1'. \forall t'. f1' \ t' = x' \ t')]] \text{OUTPUT} \text{out}
```

## **Eliminating Semantic Constants**

### Expanding

```
\varepsilonOUTPUT.
    ∃out out_fn.
     SERIES
     [MAKE[[MAKEITEM INV out_fn]];
      [JOINITEM in out out_fn(\lambdax'. \varepsilonf1'. \forallt'. f1' t' = x' t')]]
     OUTPUT
     out
with the definitions
   MAKEITEM (dev:*) fun = (fun = dev)
   JOINITEM in (out:***) fun (g:*\rightarrow**) = ((fun (g in)) = out)
and simplifying the type-casting function, yields
   \varepsilonOUTPUT.
    ∃out out_fn.
      SERIES
      [MAKE[[out_fn = INV]];
      JOIN[(out_fn ((\lambda x'. x') in)) = out]]
      OUTPUT
      out
```

## **Eliminating Semantic Constants**

### Expanding

```
\varepsilonOUTPUT.
    ∃out out_fn.
     SERIES
      [MAKE[[out_fn = INV]];
       JOIN[(out_fn ((\lambda x'. x') in)) = out]]
     OUTPUT
     out
with the definitions
   MAKE 1 = (ITLIST \ (MAP (\lambdax. ITLIST \ x T) 1) T)
   JOIN 1 = (ITLIST \$ \land 1 T)
   (SERIES [] output (unit:*) = (output = unit)) \(\lambda\)
   (SERIES (CONS x 1) output unit =
    (x \land (SERIES 1 output unit)))
and simplifying, yields
   \varepsilonOUTPUT.
    ∃out out_fn.
      (out_fn = INV) \wedge
      (out_fn in = out) \land
      (OUTPUT = out)
```

## **Simplification**

```
EOUTPUT.

∃out out_fn.

(out_fn = INV) ∧

(out_fn in = out) ∧

(OUTPUT = out)

simplifies to

EOUTPUT.

∃out.

(INV in = out) ∧

(OUTPUT = out)

which simplifies to

EOUTPUT. OUTPUT = INV in

which simplifies to

INV in
```

## **ELLA** constants

ELLA constants are used in two ways:

- As initial values for devices with state
- As 'patterns' in the CASE statement

There is only one syntactic category for constants. A given constant may make sense in only one of the two roles above.

Context-free translation of constants.

Constants are modelled as predicates. This is consistent with their use as patterns.

For initial values, Hilbert's  $\varepsilon$ -operator is used.

There is a problem with the semantics of constants when used as patterns ...

# The ELLA unspecified value and constants

ELLA features an unspecified value denoted by ?.

- ? may be generated:
  - by arithmetic operations producing a result out of range
  - by CASE statements with choosers which are not exhaustive
  - explicitly
  - ? represents one of the possible values of the appropriate type, but it is not known which.

## The ELLA unspecified value and constants

An unknown value of some type can readily be represented in higher order logic.

However, there is one place in the semantics of ELLA where? behaves as an additional value of the type. This is not so readily represented in HOL.

For an ELLA type bit with the two possible values hi and lo

hi | lo

is a constant which 'matches' hi or lo, but not ?.

bit

is a constant which 'matches' hi or lo or ?.

### Lifting

We represent an additional value of an ELLA type by using a *lifted* HOL type.

The ELLA type bit is represented by the HOL type (bit)lifted.

The type constructor lifted is defined by the HOL type definition

```
define_type 'lifted_Axiom' 'lifted = UU | LIFT *'
```

So, the ELLA value hi is represented by "LIFT hi".

lo is represented by "LIFT lo".

The unspecified value of type bit is represented by "UU: (bit)lifted".

Uniform approach.

Lifted Boolean values are also used.

### Conclusions and Future Work

- A semantics has been given for a substantial subset of the ELLA language, and a translator produced for the subset.
- The translation is simple. There is a straightforward relationship between ELLA syntax and its semantics in HOL.
- Parser and pretty-printer support has been provided.
- Lifting causes difficulties. New version of semantics without lifting and not quite conforming to the semantics of ELLA?
- Subset chosen is large. Discard lightly used parts?
- Research is required to decide whether we have a useful subset.
- Tools for simplification. Could be improved.
- Design and verification case studies: UART, small microprocessor.
- Develop a methodology for using the combined HOL/ELLA system.

## **HOL Semantics of SILAGE**

Presentation at the Third HOL User Meeting

Ton Kalker
Philips Research Laboratories Eindhoven
P.O. Box 80000
5600 JA Eindhoven
The Netherlands

### Overview

- 1. Introduction to place in contest.
- 2. SILAGE : language
- 3. Semantics: basics
- 4. Semantics: types
- 5. Semantics: basic types
- 6. Semantics: array types
- 7. Semantics: proposals
- 8. Example
- 9. Simultaneous induction: "deficience" of HOL
- 10. Conclusions

- Silicon compiler  $\equiv$  (Program  $\rightarrow$  Silicon)
- SILAGE: input language for CATHEDRAL (PIRAMID) silicon compiler for DSP applications
- SILAGE program  $P \xrightarrow{compilation}$  architecture:
  - 1. EXU'S (ALU, RAM, ROM),
  - 2. busses connecting the EXU's and a
  - 3. controller

### Introduction

- SILAGE  $\equiv$  linear representation of finite set  $S = \{G_1, \dots, G_n\}$  of signal flow graphs
- SILAGE programs denote stream transformers
- stream  $\equiv$  infinite vector in time ( $\simeq \mathbb{N}$ )
- Compiler determines absolute time-scale
- behavior ≡ abstraction from absolute timescale

## • Wanted:

- method to reason about behavior (  $\equiv$  semantics)
- method to compare SILAGE programs with mathematical formulae

## • Solution:

- mathematics ← HOL-logic
- express semantics in HOL-logic

## • Spin-off:

- discovery of bad language design
- proposals for improvement of SILAGE

5

# Sample SILAGE program:

```
FUNC main (in:NUM<3,0>) out:NUM<3,0> =
   NUM<3,0> : tmp;

BEGIN
  out = help(tmp).out;

tmp = in@1;

END;

FUNC help (in:NUM<3,0>) out:NUM<3,0> =
  BEGIN
  out = in + in@1;

END;
```

Semantics: basics

• 
$$Time \equiv T \stackrel{\text{def}}{=} N$$

- Stream  $\equiv (\alpha)str \stackrel{\text{def}}{=} \mathbb{T} \rightarrow \alpha$
- Delay (0):  $\Delta:(\alpha)str \rightarrow (\alpha)str$

 $\forall n \ a \ t$ .

$$(t \ge n) \Rightarrow$$
  
 $\triangle n \, a \, t = a(t - n)$ 

 $\Delta na$  (semantically) initially undefined!!!!

Semantics: types

SILAGE type:
 basic type & array structure

 $\sim$ 

NUM<w,d> [m1] [m2] ... [mn]

Basic type: NUM<w,d>:

~

array of w booleans with d < w booleans after the decimal point.

HOL-logic lacks parametrized types

 $\Rightarrow$ 

SILAGE types  $\sim$  predicates on a fixed HOL-type

Semantics : basic types

# Possibility 1

a: NUM<w,d> is translated to

- ullet a term a of HOL type  $(\mathbf{B} \times (\mathbf{B}) list \times (\mathbf{B}) list) str$  accompanied by
- the predicate

$$orall t.let \, (s,i,f) = (a\,t) \, in$$
 
$$(LENGTH \,\, i = w-d-1) \,\, \wedge \ (LENGTH \,\, f = d)$$

Suited for shift and bitwise operations!!

9

Semantics: basic types

# Possibility 2

a:NUM<w,d> is translated to

- ullet a term a of HOL type  $(\mathbf{Q})str$  accompanied by
- the predicate

$$\forall t. let b = (a t) \times 2^{d+1} in$$

$$let c = (2^w) in$$

$$(-c \le b) \land (b < c)$$

Suited for arithmetic operations!!

Semantics : basic types

• if-then-else construct

IF b: NUM<1,0> -> e1 || e2 FI

NUM<1,0> serves as the type B!!

- THE SILAGE TYPE SYSTEM DOES
   NOT MAKE EXPLICIT THE
   DIFFERENCE BETWEEN LOGICALLY
   DISTINCT TYPES!!
- Recommendation: Introduction of a more complex type system in SILAGE.

11

Semantics: array types

## Array types

a:  $baty[N_1]$  is most easily interpreted

- ullet a term a of HOL type ((baty)list)str accompanied by
- the predicates

$$\forall t. LENGTH(at) = N_1$$

$$\forall t \, n. (n < N_1) \Rightarrow (P(EL \, n(a \, t)))$$

Semantics: array types

Evaluation scheme of array types in SILAGE conflicts with with evaluation scheme of list types in HOL

```
.
#define SYMB NUM<1>[8] % abbreviation %
.
SYMB[16] : tmp % declaration %
.
tmp[12] = .... % indexing %
.
```

Highest index allowed in tmp is 7!!

Semantics: proposals

- Initialization:
  - 1. compiler independence
  - 2. no default values available (types)

Semantics: proposals

- Basic types :
  - 1. BOOL  $\sim$  **B**
  - 2. NUM<w,d>  $\rightarrow$  Q+
  - 3. INT< $w,d> \sim \mathbb{Q}$
  - 4. COMPLEX<w,d>  $\sim$   $\mathbb{C}_{\mathbb{Q}}$
- Functions with empty parameter list.
  - 1. a CONST construct : streams constant in time
  - 2. the possibility of defining functions with empty parameter list

#### Simultaneous induction

```
tmp1 = tmp2 + tmp1@1
tmp2 = tmp1 + tmp2@1
.
```

### translates to

$$tmp1(n+1) = (tmp2(n+1)) + (tmp1n)$$
  
 $tmp2(n+1) = (tmp1(n+1)) + (tmp2n)$ 

HOL needs induction mechanism which:

- fails on this example and
- succeeds on acyclic induction schemes

17

- Language design can benefit from mathematical methods
- Extension SILAGE+ suited for compilation as well as verification
- Automatic translation of SILAGE+ into HOL-logic necessitates a better natural induction scheme