#### **Limitations of the Method**

- Formal proof can't guarantee actual chips will work:
  - design models are not always accurate
  - there may be fabrication defects
- Specifications may not capture requirements:
  - large specifications may be unreadable
  - some input conditions may be ignored

# **Modelling Hardware in Higher Order Logic**

Original slides by Tom Melham and Michael Norrish (edited by Mike Gordon)

Modelling Hardware: TFM/MN/MJCG - p.1/32


#### Why Formal Specification?

Consider this device (J. Herbert's example):



This can be specified informally by

The input line *datain* accepts a stream of bits, and the output line *dataout* emits the same stream delayed by four cycles. The bus *out* is four bits wide. If the input *sample* is false then the 4-bit word at *out* is the last four bits input at *datain*. Otherwise, the output word is all zeros.

#### **Hardware Verification Method**

- Classical method of hardware verification:
  1. write a specification of intended behaviour, Spec
  2. write specifications of the design components $Part\text{-}1, \dots, Part\text{-}n$
  3. define a formal model of the design: $\vdash \mathsf{Design} = Part\text{-}1 + \cdots + Part\text{-}n$
  4. formulate and prove correctness: $\vdash \mathsf{Design}$ satisfies $\mathsf{Spec}$
- This general verification approach
  - underlies various specific formal methods
  - requires mechanized support for large designs
  - is usually applied hierarchically


## **Specification Examples**

• Simple combinational behaviour:



$$\vdash \mathsf{Xor}(i_1, i_2, o) = (o = \neg(i_1 = i_2))$$

• Bidirectional wires:



$$\vdash \mathsf{Ntran}(g,s,d) = (g \Rightarrow (d=s))$$


## Why Formal Specification?

The informal specification is

- vague: does 'the last four bits input' include the current bit?
- incomplete: what is the value at *dataout* during the first three cycles?
- unusable: a natural language specification can't be simulated or compiled!


## **Specification Examples**

Sequential (time-dependent) behaviour:



$$\vdash \mathsf{Dtype}(ck, d, q) = \forall t.\ q(t+1) = (\mathsf{if}\ \mathsf{Rise}\ ck\ t\ \mathsf{then}\ d\ t\ \mathsf{else}\ q\ t)$$

$$\vdash \mathsf{Rise}\ ck\ t = \neg ck(t) \land ck(t+1)$$

## **Formal Specification in HOL**

• Consider the following device:



This is specified by a boolean term S[a, b, c, d] with free variables a, b, c, and d.

- The idea is that
  - a, b, c, d model externally-observable values

•
$$S[a,b,c,d] = \left\{ \begin{array}{ll} \mathsf{T} & \mbox{if } a, b, c \mbox{ and } d \mbox{ could occur} \\ & \mbox{simultaneously on the} \\ & \mbox{corresponding external wires of the} \\ & \mbox{device Dev} \\ \mathsf{F} & \mbox{otherwise} \end{array} \right.$$



#### **Composing Behaviours**

• Consider the following two devices:



• Logical conjunction (∧) models the effect of connecting components together: if $S_1[a,x]$ specifies the first device and $S_2[x,b]$ the second, with $x$ the wire joining them, the connected pair is specified by

$$S_1[a,x] \land S_2[x,b]$$


#### **Hiding Internal Structure**

• Consider the composite device



• Existential quantification (∃) models the effect of making wires internal to the design; the composite has external wires $a$ and $b$ only:

$$\exists x.\ S_1[a,x] \land S_2[x,b]$$

• Existential quantification is called a *hiding* operator—it 'hides' internal wires.



## **Specification of the Sampler**

• We can specify the sampler formally by

$$\begin{array}{l}
\forall t : \mathsf{time}.\\
\quad (dataout(t) = datain(t-4))\ \land\\
\quad (out(t) = \mathsf{if}\ sample(t)\ \mathsf{then}\ [\mathsf{F};\ \mathsf{F};\ \mathsf{F};\ \mathsf{F}]\\
\qquad\qquad\ \mathsf{else}\ [datain(t-4);\ datain(t-3);\ datain(t-2);\ datain(t-1)])
\end{array}$$

- The formal specification is
  - precise: 'last four bits input' doesn't include the current bit
  - complete: the value of *dataout* during the first three cycles can be inferred; since subtraction on num is cut-off ($t - 4 = 0$ when $t < 4$) it equals *datain*(0)
  - usable: logic notation can be processed by machine

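The 'usable' point made concrete, as an added example that is not part of the slides: the sampler specification above is written as a Python predicate over finite traces, with HOL's cut-off subtraction on num spelled out, and a constructed 4-stage shift-register implementation is checked against it. The traces, the implementation and the `init` reset value are assumptions made here for illustration; they are not from the slides. The check shows that the specification pins down the first cycles: a register file reset to *datain*(0) satisfies it, one reset to F does not.

```python
"""The sampler specification executed on finite traces, and a candidate
implementation checked against it.  Added example; not from the slides."""
T, F = True, False

def cut_sub(t, k):
    """Subtraction on HOL's type num is cut-off: t - k = 0 whenever k > t.
    This is what determines dataout and out during the first cycles."""
    return t - k if t >= k else 0

def sampler_spec_failures(datain, sample, dataout, out):
    """Times t at which the conjunction in the formal specification fails on
    these traces (lists indexed by time t); [] means the traces satisfy it."""
    fails = []
    for t in range(len(datain)):
        want_dataout = datain[cut_sub(t, 4)]
        want_out = ([F, F, F, F] if sample[t]
                    else [datain[cut_sub(t, k)] for k in (4, 3, 2, 1)])
        if dataout[t] != want_dataout or out[t] != want_out:
            fails.append(t)
    return fails

def shift_register(datain, sample, init):
    """Constructed implementation: a 4-stage shift register, every stage
    holding `init` at reset.  Returns the (dataout, out) traces."""
    r = [init] * 4                  # r[k] holds datain(t-1-k)
    dataout, out = [], []
    for t in range(len(datain)):
        dataout.append(r[3])
        out.append([F] * 4 if sample[t] else [r[3], r[2], r[1], r[0]])
        r = [datain[t]] + r[:3]     # shift the current bit in
    return dataout, out

# Constructed sample traces (not from the slides).
DATAIN = [T, F, T, T, F, F, T, F]
SAMPLE = [F, F, T, F, F, T, F, F]

def check(init):
    """Failures of the shift register, reset to `init`, against the spec."""
    return sampler_spec_failures(DATAIN, SAMPLE,
                                 *shift_register(DATAIN, SAMPLE, init))

if __name__ == "__main__":
    print("reset to datain(0):", check(DATAIN[0]))   # satisfies the spec
    print("reset to F:        ", check(F))           # fails at t = 0..3
```

With `init = DATAIN[0]` the failure list is empty; with `init = F` the specification is violated at t = 0, 1, 2, 3, exactly the cycles the informal specification left open. At t = 6 the output word is [datain(2); datain(3); datain(4); datain(5)], confirming that the current bit is not included.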

#### **Hierarchical Verification**

The hierarchical verification method:




## **Hierarchical Design—Advantages**

- Each type of module verified only once
  - the statement of its correctness will be reused many times
- Controls complexity through abstraction
  - each verification is done at the appropriate level of complexity

#### **Shallow embedding of Verilog**

• Some typical structural Verilog

```
module COMP (p1, ..., pm);
  wire w1, ..., wn;

  COMP1 M1 (...);
  COMP2 M2 (...);
endmodule
```

- Assume formulas for COMP1, COMP2 already defined
- Logical representation:

$$COMP(p1, ..., pm) = \exists w1 ... wn. COMP1(...) \land COMP2(...)$$


#### **Formulating Correctness**

- A key part of formal hardware verification is formalizing what 'correctness' *means*.
- The strongest formulation is *equivalence*:

$$\vdash \forall v_1 \ldots v_n. \ \mathbf{M}[v_1, \ldots, v_n] = \mathbf{S}[v_1, \ldots, v_n]$$

• For partial specifications, use implication (with the caveat that an inconsistent model, one that is never true, satisfies every specification this way, so the model must separately be shown to admit outputs):

$$\vdash \forall v_1 \ldots v_n. \ \mathbf{M}[v_1, \ldots, v_n] \Rightarrow \mathbf{S}[v_1, \ldots, v_n]$$

• In general, the satisfaction relationship

$$\vdash \mathbf{M}[v_1, \dots, v_n] \quad \mathbf{sat}_{abs} \quad \mathbf{S}[abs(v_1), \dots, abs(v_n)]$$

must be one of *abstraction*. The specification will be an abstraction of the design model. Various kinds of abstractions on signals (*abs*) will be discussed later.



#### **Design Model and Correctness**

• We define the design model using composition and hiding, as follows:

$$\vdash \mathsf{Inv}(i,o) = \ \exists g \ p. \ \mathsf{Pwr} \ p \land \mathsf{Gnd} \ g \land \ \mathsf{Ntran}(i,g,o) \land \mathsf{Ptran}(i,p,o)$$



• Correctness is formulated by the equivalence:

$$\vdash \forall i \ o. \ \mathsf{Inv}(i, o) = (o = \neg i)$$

This follows by purely logical inference...


#### **The Correctness Proof**

Definition of Inv:

$$\vdash \mathsf{Inv}(i, o) = \\ \exists g \ p. \ \mathsf{Pwr} \ p \land \mathsf{Gnd} \ g \land \\ \mathsf{Ntran}(i, g, o) \land \mathsf{Ptran}(i, p, o)$$

• Expanding with definitions:

$$\vdash \mathsf{Inv}(i, o) = \\ \exists g \ p. \ (p = \mathsf{T}) \land (g = \mathsf{F}) \land \\ (i \Rightarrow (o = g)) \land (\neg i \Rightarrow (o = p))$$

• By simple logical reasoning:

$$\vdash \mathsf{Inv}(i, o) = (i \Rightarrow (o = \mathsf{F})) \land (\neg i \Rightarrow (o = \mathsf{T}))$$


## **A Simple Correctness Proof**

- Here is the design of a CMOS inverter:
- Suppose we wish to verify that  $o = \neg i$ .
- There are three steps:
  - define a model of the circuit in logic
  - formulate the correctness of the circuit
  - prove the correctness of the circuit




#### **CMOS Primitives**

• Formal specifications of primitives:

p-transistor (gate $g$, source $s$, drain $d$):

$$\vdash \mathsf{Ptran}(g,s,d) = (\neg g \Rightarrow (d=s))$$

n-transistor:

$$\vdash \mathsf{Ntran}(g,s,d) = (g \Rightarrow (d=s))$$

ground and power:

$$\vdash \mathsf{Gnd} \ g = (g=\mathsf{F})$$

$$\vdash \mathsf{Pwr} \ p = (p=\mathsf{T})$$

• This is the so-called *switch model* of CMOS. It is an idealisation: a transistor that is switched off constrains nothing, wires are bidirectional, and drive strength, threshold drops and timing are not modelled.
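The switch-model primitives, the design model `Inv` and the equivalence formulation of correctness, as an added example that is not part of the slides (Python rather than HOL; the HOL proof above is the real thing, this is the finite check a practitioner runs first). Devices are Python predicates on their external wires, composition is `and`, and hiding is an `exists` that enumerates the internal wires. `Inv_miswired` is a constructed mistake, not a circuit from the slides, included to show the check producing counterexamples; `admitted` exposes the caveat that a relation admitting no assignments satisfies any specification under the implication formulation.

```python
"""Switch-model devices as predicates, composed with 'and' and hidden with
an enumerated 'exists'.  Added example; not from the slides."""
from itertools import product

T, F = True, False
BOOLS = (F, T)

# --- Primitives, exactly the switch-model definitions from the slides -------
def Pwr(p):
    return p == T                      # |- Pwr p = (p = T)

def Gnd(g):
    return g == F                      # |- Gnd g = (g = F)

def Ntran(g, s, d):
    return (not g) or (d == s)         # |- Ntran(g,s,d) = (g ==> (d = s))

def Ptran(g, s, d):
    return g or (d == s)               # |- Ptran(g,s,d) = (~g ==> (d = s))

# --- Structure: conjunction composes, existential quantification hides -----
def exists(nwires, body):
    """(?w1 ... wn. body w1 ... wn) over boolean wires, by enumeration."""
    return any(body(*ws) for ws in product(BOOLS, repeat=nwires))

def Inv(i, o):
    """|- Inv(i,o) = ?g p. Pwr p /\ Gnd g /\ Ntran(i,g,o) /\ Ptran(i,p,o)"""
    return exists(2, lambda g, p: Pwr(p) and Gnd(g)
                                  and Ntran(i, g, o) and Ptran(i, p, o))

def Inv_miswired(i, o):
    """Same parts with the transistors swapped: nMOS to power, pMOS to
    ground.  Constructed mistake for illustration, not from the slides."""
    return exists(2, lambda g, p: Pwr(p) and Gnd(g)
                                  and Ntran(i, p, o) and Ptran(i, g, o))

def InvSpec(i, o):
    return o == (not i)                # the intended behaviour, o = ~i

# --- Correctness as a finite check of |- !v1..vn. M[v..] = S[v..] -----------
def counterexamples(model, spec, nwires):
    """External-wire assignments on which model and spec disagree; an empty
    result is the equivalence formulation of correctness."""
    return [vs for vs in product(BOOLS, repeat=nwires) if model(*vs) != spec(*vs)]

def implication_failures(model, spec, nwires):
    """Assignments admitted by the model but ruled out by the spec (M ==> S)."""
    return [vs for vs in product(BOOLS, repeat=nwires) if model(*vs) and not spec(*vs)]

def admitted(model, nwires):
    """Every assignment the relation admits.  If this is empty the model is
    inconsistent and M ==> S holds vacuously for every S."""
    return [vs for vs in product(BOOLS, repeat=nwires) if model(*vs)]

if __name__ == "__main__":
    print("Inv vs spec, counterexamples:     ", counterexamples(Inv, InvSpec, 2))
    print("miswired vs spec, counterexamples:", counterexamples(Inv_miswired, InvSpec, 2))
    print("Ntran with gate off admits:       ", admitted(lambda s, d: Ntran(F, s, d), 2))
```

Two points the HOL proof does not make visible: `Ntran` with its gate low admits all four (s, d) pairs, which is what makes the model bidirectional and the relational (rather than functional) view necessary; and the miswired circuit is not merely incorrect but is exactly a buffer, so `admitted(Inv_miswired, 2)` returns the two assignments with o = i.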

## **Another Example**

• An (n+1)-bit ripple-carry adder:



• We wish to prove that:

$$(2^{n+1} \times cout) + s = a + b + cin$$

- There are, as usual, three steps:
  - define a model of the circuit in logic
  - formulate the correctness of the circuit
  - prove the correctness of the circuit


## **Defining the Model: types**

- Specification uses numbers, i.e. values of type num
- Implementation uses word values, of type word
  - $n^{\text{th}}$  bit of w denoted by w[n]
  - w[m:n] denotes bits m to n of w
  - Bv(b) is the number represented by bit b
  - V(w) is the natural number represented by word w
- Abstraction from words to numbers (data abstraction):

$$\begin{array}{lll} \vdash \mathsf{Bv} \ b & = \mathsf{if} \ b \ \mathsf{then} \ 1 \ \mathsf{else} \ 0 \\ \vdash \mathsf{V} \ w[0:0] & = \mathsf{Bv} \ w[0] \\ \vdash \mathsf{V} \ w[n+1:0] & = \ 2^{n+1}(\mathsf{Bv} \ w[n+1]) \ + \ \mathsf{V} \ w[n:0] \end{array}$$


#### The Correctness Proof continued

• Simplifying gives:

$$\vdash \mathsf{Inv}(i, o) = (i \Rightarrow \neg o) \land (\neg i \Rightarrow o)$$

• By the law of the contrapositive:

$$\vdash \mathsf{Inv}(i, o) = (o \Rightarrow \neg i) \land (\neg i \Rightarrow o)$$

• By the definition of boolean equality:

$$\vdash \mathsf{Inv}(i, o) = (o = \neg i)$$

• Generalizing the free variables gives:

$$\vdash \forall i \ o. \ \mathsf{Inv}(i, o) = (o = \neg i)$$


#### **Scope of the Method**

- The inverter example is, of course, trivial!
- But the same method has been applied to
  - a commercial CMOS cell library
  - several complete microprocessors (e.g. ARM)
  - floating point algorithms and hardware
- Features of the approach:
  - the specification language is just logic
    - logic can mimic HDL constructs
  - the rules of reasoning are also pure logic
    - special-purpose derived rules are possible
  - big formal proofs require machine assistance


#### **Defining the Model**

• Recursive view of an n+1-bit adder:



• Primitive recursive definition in logic:

$$\vdash \mathsf{AdderImp}\ 0\ (a,b,cin,s,cout) = \mathsf{Add1}(a[0],b[0],cin,s[0],cout)$$

$$\begin{aligned} \vdash\ &\mathsf{AdderImp}\ (n+1)\ (a,b,cin,s,cout) = \\ &\exists c.\ \mathsf{Add1}(a[n+1],b[n+1],c,s[n+1],cout)\ \land\ \mathsf{AdderImp}\ n\ (a[n:0],b[n:0],cin,s[n:0],c) \end{aligned}$$

(the carry $c$ from the low $n+1$ bits into the top full adder is an internal wire, hence hidden by $\exists$)


#### **Formulation of Correctness**

• Logical formulation of correctness:

$$\vdash \mathsf{Spec}\ n\ (a, b, cin, s, cout) = ((2^{n+1} \times cout) + s = a + b + cin)$$

$$\vdash \forall n\ a\ b\ cin\ s\ cout.\ \mathsf{AdderImp}\ n\ (a,b,cin,s,cout) \Rightarrow \mathsf{Spec}\ n\ (\mathsf{V}\ a[n:0],\ \mathsf{V}\ b[n:0],\ \mathsf{Bv}\ cin,\ \mathsf{V}\ s[n:0],\ \mathsf{Bv}\ cout)$$

- Note the data abstraction (abs in an earlier slide)
- This is easy to prove (done later in the course)

#### **Defining the Model: recursive definition**

• If n > 0 an (n+1)-bit adder is built from an n-bit adder




#### **Defining the Model:** Add1

• Diagram of a 1-bit full adder:



- Lines a, b, cin, sum and cout carry boolean values
- Specification (note data abstraction from *bool* to *num*):

$$\begin{array}{ll} \mathsf{Add1}(\mathtt{a},\mathtt{b},\mathtt{cin},\mathtt{sum},\mathtt{cout}) &= \\ (2 \times \mathsf{Bv}(\mathtt{cout}) + \mathsf{Bv}(\mathtt{sum}) &= \mathsf{Bv}(\mathtt{a}) + \mathsf{Bv}(\mathtt{b}) + \mathsf{Bv}(\mathtt{cin})) \end{array}$$

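The adder as a whole (data abstraction, the recursive structural model with its hidden carry, and the implication form of correctness), as an added example that is not part of the slides and not the HOL proof the course does later. Words are Python tuples of bools with bit 0 first, so `a[:n]` plays the role of `a[n-1:0]`; the exhaustive check over all (n+1)-bit words for small n is this example's stand-in for the proof by induction on n. `outputs` is the consistency check that the implication formulation needs alongside it.

```python
"""The (n+1)-bit ripple-carry adder: structural model, data abstraction and
correctness statement, checked exhaustively for small n.  Added example;
not from the slides.  Words are tuples of bools, bit 0 first."""
from itertools import product

T, F = True, False

# --- Data abstraction from words to numbers (definitions from the slides) ---
def Bv(b):
    return 1 if b else 0            # |- Bv b = if b then 1 else 0

def V(w):
    """|- V w[0:0] = Bv w[0];  V w[n+1:0] = 2^(n+1) * Bv w[n+1] + V w[n:0]"""
    if len(w) == 1:
        return Bv(w[0])
    return 2 ** (len(w) - 1) * Bv(w[-1]) + V(w[:-1])

# --- Full adder spec and the recursive structural model ---------------------
def Add1(a, b, cin, s, cout):
    return 2 * Bv(cout) + Bv(s) == Bv(a) + Bv(b) + Bv(cin)

def AdderImp(n, a, b, cin, s, cout):
    """AdderImp n, an (n+1)-bit adder: Add1 on bit n joined to an n-bit adder
    on bits n-1:0, with the carry c between them hidden (?c = any over F, T)."""
    if n == 0:
        return Add1(a[0], b[0], cin, s[0], cout)
    return any(Add1(a[n], b[n], c, s[n], cout)
               and AdderImp(n - 1, a[:n], b[:n], cin, s[:n], c)
               for c in (F, T))

def Spec(n, a, b, cin, s, cout):
    """Spec n over numbers: (2^(n+1) * cout) + s = a + b + cin"""
    return 2 ** (n + 1) * cout + s == a + b + cin

# --- Correctness: AdderImp n (...) ==> Spec n (V a, V b, Bv cin, V s, Bv cout)
def words(n):
    """All (n+1)-bit words."""
    return list(product((F, T), repeat=n + 1))

def correctness_failures(n):
    """Tuples admitted by the model that violate the abstracted spec."""
    bad = []
    for a, b, s in product(words(n), words(n), words(n)):
        for cin, cout in product((F, T), (F, T)):
            if AdderImp(n, a, b, cin, s, cout) and \
               not Spec(n, V(a), V(b), Bv(cin), V(s), Bv(cout)):
                bad.append((a, b, cin, s, cout))
    return bad

def outputs(n, a, b, cin):
    """The (s, cout) pairs the model admits for given inputs.  Exactly one
    per input shows the relation is consistent and deterministic; an empty
    list would make the implication above hold vacuously."""
    return [(s, cout) for s in words(n) for cout in (F, T)
            if AdderImp(n, a, b, cin, s, cout)]

def deterministic(n):
    return all(len(outputs(n, a, b, cin)) == 1
               for a in words(n) for b in words(n) for cin in (F, T))

if __name__ == "__main__":
    for n in range(3):
        print(f"{n + 1}-bit adder: failures={correctness_failures(n)} "
              f"deterministic={deterministic(n)}")
```

Because `Add1` is given by its behavioural specification rather than by gates, this is the hierarchical method in miniature: the full adder is trusted once and reused in every instance of `AdderImp`. For the 3-bit case the check enumerates 2048 (a, b, cin, s, cout) tuples, which is fine here and hopeless for the 32-bit case, which is why the course proves the general statement by induction instead.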

## **Formulating Correctness**

• Then correctness is stated by:

$$\vdash \forall ck.\ \mathsf{Inf}(\mathsf{Rise}\ ck) \Rightarrow \forall d\ q.\ \mathsf{Dtype}(ck,d,q) \Rightarrow \mathsf{Del}(d\ \mathsf{when}\ (\mathsf{Rise}\ ck),\ q\ \mathsf{when}\ (\mathsf{Rise}\ ck))$$

• Note the formal *validity condition*:

$$\vdash \mathsf{Inf}\ P = \forall t.\ \exists\ t'.\ t' > t\ \land\ P\ t'$$

Inf(Rise ck) says the clock rises infinitely often; it guarantees that Timeof (Rise ck) n exists for every n, so that both abstracted signals are well defined.


#### **Industry use of theorem proving**

- Intel
  - floating point algorithms (uses HOL Light system)
  - hardware (uses internal tools Forte/reFLect)
- AMD
  - floating point (uses ACL2 prover)
- Sun
  - high level architecture verification (PVS)
- Rockwell Collins
  - low level code verification (ACL2)


- Use of model checking widespread
  - discussed in latter part of the course


#### **Temporal Abstraction**

• Example—abstracting to unit delay:



- Notions of time involved:
  - coarse grain of time—unit time = 1 clock cycle
  - fine grain of time—unit time  $\approx 1$  gate delay


#### **Formulating Correctness**

• A mapping between time-scales:



• Define the temporal abstraction functions:

$$\vdash \mathsf{Timeof}\ P\ n = \text{the time } t \text{ at which } P\ t \text{ holds for the } n\text{th time}$$

$$\vdash sig\ \mathsf{when}\ P = sig \circ (\mathsf{Timeof}\ P)$$

where $(f \circ g)\ x = f\ (g\ x)$ ($\circ$ is function composition)

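Temporal abstraction end to end, as an added example that is not part of the slides: a D-type is simulated at the fine time scale from its definition, `Timeof` and `when` map its input and output to the coarse scale, and the result is checked to be a unit delay. Assumptions made here, not stated on the page: `Del(i, o)` is taken to mean ∀n. o(n+1) = i n; `Timeof P 0` is the first time P holds; q(0), which the Dtype definition leaves unconstrained, is set to F; the clock and data traces are constructed. The stuck clock shows what the validity condition Inf(Rise ck) guards against.

```python
"""Temporal abstraction: a D-type simulated at the fine (gate-delay) time
scale, sampled at clock rises and checked to be a unit delay at the coarse
(clock-cycle) scale.  Added example; not from the slides."""
T, F = True, False

def Rise(ck, t):
    return (not ck(t)) and ck(t + 1)           # |- Rise ck t = ~ck(t) /\ ck(t+1)

def dtype_trace(ck, d, horizon, q0=F):
    """Fine-grain run of |- Dtype(ck,d,q) = !t. q(t+1) = if Rise ck t then d t else q t.
    q(0) is unconstrained by the definition; q0 is the value assumed here."""
    q = [q0]
    for t in range(horizon):
        q.append(d(t) if Rise(ck, t) else q[-1])
    return q

def Timeof(P, horizon):
    """Timeof P n for every n realised within [0, horizon): entry n is the
    fine-grain time at which P holds for the (n+1)-th time (n from 0)."""
    return [t for t in range(horizon) if P(t)]

def when(sig, P, horizon):
    """|- sig when P = sig o (Timeof P): the coarse-grain signal."""
    return [sig(t) for t in Timeof(P, horizon)]

def Del_holds(i, o):
    """Unit delay at the coarse scale, !n. o(n+1) = i n, on finite lists.
    (Del is used but not defined on this page; this is the assumed meaning.)"""
    return all(o[n + 1] == i[n] for n in range(min(len(i), len(o)) - 1))

def check_dtype_is_delay(ck, d, horizon):
    """Instance of  Dtype(ck,d,q) ==> Del(d when Rise ck, q when Rise ck)."""
    q = dtype_trace(ck, d, horizon)
    rise = lambda t: Rise(ck, t)
    d_abs = when(d, rise, horizon)
    q_abs = when(lambda t: q[t], rise, horizon)
    return Del_holds(d_abs, q_abs), d_abs, q_abs

def rise_count(ck, horizon):
    """Finite stand-in for the validity condition Inf(Rise ck): the number
    of rises before the horizon.  A clock that stops rising leaves Timeof
    undefined beyond its last rise, and Del_holds becomes vacuous."""
    return len(Timeof(lambda t: Rise(ck, t), horizon))

# Constructed traces (not from the slides): a period-4 clock, a d input
# that changes at the fine scale, and a clock that rises once then sticks.
CK = lambda t: t % 4 >= 2
D_BITS = [T, F, T, T, F, T, F, F, T, T, F, F, T, F, T, T, F, T, F, F]
D = lambda t: D_BITS[t]
STUCK_CK = lambda t: t >= 3

if __name__ == "__main__":
    ok, d_abs, q_abs = check_dtype_is_delay(CK, D, len(D_BITS))
    print("Del holds:", ok, "d when Rise:", d_abs, "q when Rise:", q_abs)
    print("rises, good clock:", rise_count(CK, 20), "stuck clock:", rise_count(STUCK_CK, 20))
```

With the period-4 clock the rises are at t = 1, 5, 9, 13, 17, so `d when (Rise CK)` is [F, T, T, F, T] and `q when (Rise CK)` is [F, F, T, T, F]: the same sequence shifted by one coarse cycle, with the unconstrained q(0) in front. Everything d does between rises is invisible at the coarse scale, which is what the abstraction is for. The stuck clock rises once, so `when` yields a single sample and `Del_holds` is true only vacuously; this is the degenerate case that Inf(Rise ck) in the correctness statement rules out.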



## **Summary**

- Specifying behaviour:
  - predicates—S[a, b, c, d]
- Specifying structure:
  - composition— $S_1[a, x] \wedge S_2[x, b]$
  - hiding— $\exists x. \mathbf{S}_1[a,x] \wedge \mathbf{S}_2[x,b]$
- Formulating correctness:
  - $\vdash \forall v_1 \ldots v_n. \ \mathbf{M}[v_1, \ldots, v_n] = \mathbf{S}[v_1, \ldots, v_n]$
  - $\vdash \forall v_1 \ldots v_n. \ \mathbf{M}[v_1, \ldots, v_n] \Rightarrow \mathbf{S}[v_1, \ldots, v_n]$
  - $\vdash \forall v_1 \ldots v_n. \ \mathbf{M}[v_1, \ldots, v_n] \Rightarrow \mathbf{S}[abs \ v_1, \ldots, abs \ v_n]$
- Abstraction
  - data:  $w \mapsto V(w)$
  - temporal:  $sig \mapsto sig$  when (Rise clk)
