
UCAM-CL-TR-601
Technical Report
ISSN 1476-2986
Number 601

Computer Laboratory

Combining model checking and theorem proving

Hasan Amjad

September 2004

15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom
phone +44 1223 763500
http://www.cl.cam.ac.uk/

© 2004 Hasan Amjad

This technical report is based on a dissertation submitted March 2004 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Trinity College.

Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/TechReports/

ISSN 1476-2986

Abstract

We implement a model checker for the modal mu-calculus as a derived rule in a fully expansive mechanical theorem prover, without causing an unacceptable performance penalty. We use a restricted form of a higher order logic representation calculus for binary decision diagrams (BDDs) to interface the model checker to a high-performance BDD engine. This is used with a formalised theory of the modal mu-calculus (which we also develop) for model checking in which all steps of the algorithm are justified by fully expansive proof. This provides a fine-grained integration of model checking and theorem proving using a mathematically rigorous interface. The generality of our theories allows us to perform much of the proof offline, in contrast with earlier work. This substantially reduces the inevitable performance penalty of doing model checking by proof. To demonstrate the feasibility of our approach, optimisations to the model checking algorithm are added. We add naive caching and also perform advanced caching for nested non-alternating fixed-point computations. Finally, the usefulness of the work is demonstrated. We leverage our theory by proving translations to simpler logics that are in more widespread use. We then implement an executable theory for counterexample-guided abstraction refinement that also uses a SAT solver.
We verify properties of a bus architecture in use in industry as well as a pedagogical arithmetic and logic unit. The benchmarks show an acceptable performance penalty, and the results are correct by construction.

Contents

1 Introduction 11
1.1 Motivating Formal Verification 11
1.2 An Overview of Formal Verification 12
1.3 Model Checking 13
1.4 Theorem Proving 15
1.5 A Hybrid Approach 16
1.6 Our Contribution 17
1.7 The Thesis 19
1.7.1 Prerequisites 19
1.7.2 Structure 19
1.8 Terminology and Notation 19
2 An embedded model checker 21
2.1 Introduction 21
2.2 Representing BDDs in a Theorem Prover 22
2.3 Model Checking 24
2.4 Model Checking Formalised 27
2.4.1 Formalising the Theory 28
2.4.2 Formalising the Model Checker 32
2.5 Related Work 35
2.6 Concluding Remarks 36
3 Optimisations 37
3.1 Introduction 37
3.2 Naive Caching 38
3.2.1 Implementation Issues 39
3.3 The Alternation Depth Optimization 40
3.3.1 Implementation Issues 42
3.4 Concluding Remarks 43
4 Extension I: A temporal logic 45
4.1 Introduction 45
4.2 CTL 45
4.3 The Translation 49
4.4 CTL Model Checking 50
4.4.1 Totalising the Transition Relation 51
4.5 Concluding Remarks 52
5 Extension II: An abstraction framework 53
5.1 Introduction 53
5.2 Abstraction Refinement in HOL 54
5.2.1 Generating the Initial Abstraction 56
5.2.2 Counterexample Generation 56
5.2.3 Concrete Counterexample Detection 57
5.2.4 Refining the Abstraction 58
5.3 Implementation Issues 59
5.3.1 Constructing Equivalence Classes 59
5.4 Related Work 61
5.5 Conclusion 61
6 Case study I: A bus architecture 63
6.1 AMBA Overview 63
6.2 AMBA APB 64
6.2.1 Specification 64
6.2.2 Implementation 65
6.2.3 Verification 67
6.3 AMBA AHB 70
6.3.1 Specification 70
6.3.2 Implementation 74
6.3.3 Verification 80
6.4 Verifying AMBA 84
6.5 Related Work 85
6.6 Conclusion 86
7 Case study II: An ALU 87
7.1 The Test System 87
7.2 Benchmarks 89
7.3 Concluding Remarks 91
8 Related work 92
8.1 Overview 92
8.1.1 Model Checkers as Oracles 92
8.1.2 Theorem Provers as Organizers 93
8.1.3 Verifying the Model Checker 94
8.1.4 High-level Integration 94
8.2 HOL-Voss, VossProver and ThmTac 95
8.3 Model Checking in PVS 96
8.4 The Symbolic Model Prover 98
8.5 Conclusion 99
9 Summary 101
9.1 Work Done 101
9.2 Limitations 102
9.2.1 Theoretical Issues 102
9.2.2 Practical Shortcomings 103
9.3 Future Directions 103
A The HOL theorem prover 105
B Formalised version of theorem 4.10 107
C Usage example 111

List of Tables

2.1 Primitive Operations for Representation Judgements 23
2.2 Satisfiability theorems for model checking based on Defn 2.13 31
6.1 AMBA APB Signals 65
6.2 AMBA AHB Master Signals 71
6.3 AMBA AHB Slave Signals 72
6.4 AMBA AHB System, Arbiter and Decoder Signals 72

List of Figures

2.1 High-level Architecture 22
5.1 Overview of Abstraction Refinement Framework 55
5.2 Counterexample Detection Example 57
5.3 Abstraction Refinement Example 58
5.4 Overview of Implementation in HOL 59
6.1 Typical AMBA-based Microcontroller 64
7.1 Simple Pipelined ALU 88
7.2 Relative benchmarks 90
8.1 Approaches to Integration 99
C.1 Concrete and abstracted model 112

Acknowledgements

I would like to thank...

Mike Gordon. I could not have wished for a better supervisor than Mike. He suggested the initial idea for the thesis, encouraged my better ideas and steered me away from countless dead-ends. He was always available and always gave excellent advice, deep insights and useful references.

Michael Norrish and Konrad Slind for help with HOL above and beyond the call of duty.

Anthony Fox and Joe Hurd for myriad helpful suggestions about everything under the sun.

Myra van Inwegen and Mick Compton for tea time.

The Computer Laboratory for providing a great working environment and for contributing towards participation in conferences.

Trinity College for awarding me an External Research Studentship which financed my studies and living from October 2000 to September 2003. I would also like to thank the Rouse Ball and Eddington Grant trustees for their financial contribution towards my participation in conferences.
Mama, Baba, and Sajjad, who, even from thousands of miles away, have been a never-ending source of support and encouragement.

Sadia, for love, happiness, and making it all worthwhile.

Chapter 1

Introduction

This dissertation addresses the verification problem in computer science. The broad area of research is known as formal verification. Formal verification provides a mathematical justification that a given system of artificial design and construction does what it was designed to do: it exhibits all the desired properties and no undesirable ones.

1.1 Motivating Formal Verification

On 4 June 1996, the Ariane 5 space launcher broke up 40 seconds into its maiden flight. The cost of this failure was estimated at about half a billion US dollars. The inquiry board set up to investigate this disaster traced the fault to a small error in the flight control software [115]. The inquiry board concluded:

    This loss of information was due to specification and design errors in the software of the inertial reference system. ... The extensive reviews and tests carried out during the Ariane 5 Development Programme did not include adequate analysis and testing of the inertial reference system or of the complete flight control system, which could have detected the potential failure. ... This means that critical software – in the sense that failure of the software puts the mission at risk – must be identified at a very detailed level, that exceptional behaviour must be confined, and that a reasonable back-up policy must take software failures into account.

The pervasive presence of computers in our lives means that we rely on the correct functioning of computer software and hardware systems for countless tasks, some of them critical. They are the engines that run modern information economies, and mistakes in hardware and software design can have serious economic and commercial repercussions [96, 187]. Flaws in such systems have caused