## A Career in Research: Mike Gordon and Hardware Verification

Lawrence C Paulson

Automated Reasoning Workshop 2018

# The world of computing in 1975

### 16MB a *colossal* amount of memory



minicomputers, e.g. 16KB memory





mainframe disk, about 5MB

# The world of theory, 1975–80

C. A. R. Hoare. An axiomatic basis for computer programming *Communications of the ACM* **12** (10), Oct. 1969

Dana Scott. Outline of a mathematical theory of computation. Technical Report PRG-2, University of Oxford, Nov. 1970.

*operational semantics* just emerging *denotational semantics* and fixed-point theory

R. Milner. A Calculus of Communicating Systems. Springer, 1980.

*type theory* emerging

process algebras

# Edinburgh LCF (1975–1979)

M. J. C. Gordon, R. Milner, and C. P. Wadsworth. Edinburgh LCF: A Mechanised Logic of Computation. LNCS 78. Springer, 1979.

The first real proof assistant (for computation theory)

Introducing ML (the first *polymorphic* functional language)

# With so many nascent fields, what did Mike decide to do?

Software is being solved, so let's verify hardware.

He talked to the hardware experts at Edinburgh

and sketched out some theory

... and designed his own computer!

A model of register transfer systems with applications to microcode and VLSI correctness.

Technical Report CSR-82-81, University of Edinburgh, Mar. 1981. University of Edinburgh



#### **Department of Computer Science**

A Model of Register Transfer Systems with Applications to Microcode and VLSI correctness

> by Mike Gordon

| Internal Report                                                                        | CSR- 82-81  |  |
|----------------------------------------------------------------------------------------|-------------|--|
| James Clerk Maxwell Building,<br>The King's Buildings,<br>Mayfield Boad,<br>Edinburgh, | March, 1981 |  |
| EH9 3JZ.                                                                               |             |  |

#### the circuitry



Fig. XIV: The host machine for implementing the computer

#### a microprogram

| ROM     | Microinstruction          | Conments                                      |
|---------|---------------------------|-----------------------------------------------|
| address |                           |                                               |
| 0       | ready, idle; button + 1,0 | branch to 1 if button pressed, otherwise loop |
| 1       | ; knoh+1                  | decode knob position                          |
| 2       | rew, wpc ; 0              | switches + PC                                 |
| 3       | rew,wacc ; 0              | switches + ACC                                |
| 4       | rpc, wmar ; 7             | PC + MAR                                      |
| 5       | ready ; button +0,6       | begin fetch-decode-execute cycle              |
| 6       | rpo,wmar ; 8              | PC + MAR                                      |
| 7       | racc, write; 0            | ACC + MEM(MAR) , fetch                        |
| 8       | read, wir ; 9             | MEM(MAR) + IR                                 |
| 9       | ; opcode+10               | decode                                        |
| 10      | ; 0                       | halt                                          |
| 11      | rir,wpc ; 5               | JMP; IR + PC                                  |
| 12      | ; acc=0 + 11,17           | JZRO:                                         |
| 13      | rdoc,warg ; 19            | ADD:ACC + ARG                                 |
| 14      | race,warg ; 22            | SUB: ACC + ARG                                |
| 15      | rir,wmar ; 24             | LD:IR ~ MAR                                   |
| 16      | rir,umar ; 85             | ST: IR → MAR                                  |
| 17      | rpe,ine ; 18              | PC+1 + BUF                                    |
| 18      | rbuf, wpc ; 5             | BUF + FC increment program counter            |
| 19      | rir,wmar ; 20             | IR + MAR                                      |
| 20      | read,add ; 21             | ARG + MEM(MAR) + BUF                          |
| 21      | rbuf, wace; 17            | $BUF \rightarrow ACC$                         |
| 22      | rír,wmar ; 23             | IR + MAR                                      |
| 23      | read, sub ; 21            | ARG-MEM(ARG) + BUF                            |
| 24      | read,wace ; 17            | $MEM(MAR) \rightarrow ACC$                    |
| 26      | racc, write; 17           | ACC + MEN(MAR)                                |

#### internal specifications



= (w = 0 + ((b + 1,0) , 1, m No , w<sub>1</sub>, w<sub>2</sub>, w<sub>3</sub>, wy , ω5 ), w = 1+( w1 w 5 0 20 , W2 , W3 772 . ), wo w 5 W = 2 + 1 0 , 8W<0:18>, Wa m ), w5 0 wo  $\omega = 3 + ($ ), ws 2 w, W = 4+( w. 2, w 5 w = 5+1 b + 0,8) wo 1, w5 · w2 , w<sub>3</sub> 8 101 w = 6 + (ω, ), ws , wa w = 7+( 0 ,m[w\_/w\_], wo , w2 w1 win , . . ), w 5 , w, , m(w,), w, , 9 wo w, w = 8 + ( m ١, w5 wo  $\omega = 9 \rightarrow (\omega_2 < 13: 15 > + 10 \ ,$ 12 , w2 m , 1, w 5 w = 10 + ( 0 wo wi , w2 , w3 m , . ), w<sub>o</sub> , W3 (0:12>, W2 , w3 105 w=11+( 5 , w<sub>u</sub> , m . w1 3  $w = 12 + ((w_0 = 0 + 11, 17),$ w 5 ), wy , w<sub>o</sub> m , , 22 . ), NS wo w , 202 , wa w = 13 + (19 m , . ), , w2 , wa , w2 , Ws 22 w = 14 + ( m w<sub>o</sub> w . . ,w3<0:18>, 1, , w<sub>3</sub> w = 15 + ( 24 , m w , W2 WE wu , ,w<sub>3</sub><0:12>, , wy , 1, w = 16 + (25 m 3 , w2 , w3 WE ... , w3 , w4 , w1 <0:12>+1), , w2 w = 17 + ( 18 171 101 <sup>₩</sup>0 . , wa ,ws<0:12>, w, , w<sub>11</sub> , ), w = 18 + (5 т wo. ,w,<0:18>, ), w2 w = 19 + ( 20 ₩. ws m . , wa , wu ,  $w_3$  ,  $w_4$  ,  $w_4 + m(w_0)$  ), , w2 w = 20 + (21 w . 30 wo ١, w = 21 + ( 17 , w3 , w ...  $w_5$ w , w5 177 ,w3<0:12>, w = 22 + (1, 23 101 , w2 , w3 ws 171 , wu . ,  $w_2$  ,  $w_3$  ,  $w_4$  ,  $w_4 - m(w_0)$  ), w = 23 + 1 21 wo Nt m W = 24 + 612 , m(wo), w3 , w4 , w 1, WS 171 . )) W = 25 + ( 17 , m[w\_/w\_1, w<sub>o</sub> w1 , w<sub>2</sub> , w<sub>3</sub> , w<sub>4</sub> , w 5 .

#### even the industrial design!



- Mike wrote 21 pages on the computer alone
- 75 pages on a theory of hardware verification, from gates to computers
- Already many key insights by 1981, e.g. to treat combinational (stateless) devices like sequential ones.

### Three ideas for modelling devices

- \* 1981: recursive domain equations (too complicated)
- 1983: Logic for Sequential Machines, or LSM: Mike's hardware formalism, loosely based on CCS (*too ad-hoc*)
- 1985: higher-order logic! And all devices as relations.

A concerted effort to *minimise* reliance on theory!

# A counter using domains (1981)



### A counter in LSM (1983)



When the counter is clocked, the new value of the state variable n becomes n+1 (i.e. the old value plus one) if *false* is being input on line *switch*, otherwise it becomes the value input on line *in*. We can express this by:

```
CLOCK(n) \rightarrow CLOCK(switch \rightarrow in | n+1)
```

In LSM the behaviour of the counter would be specified by the formula

 $COUNT(n) == dev\{switch, in, out\}, \{out=n\}; COUNT(switch -> in | n+1)$ 

cin

a

a

b

# A CMOS full adder in HOL (1985)

Pwr Gnd p0 This circuit can be represented in logic by defining:  $^{\mathbf{p}}\mathbf{Add1\_Imp}(a^{3}, b, cin, sum, cout) \equiv^{\mathbf{p}^{7}}$  $a \rightarrow \exists p_0 \ p_1 \ p_2 \ p_3 \ p_4^{p_1} p_5 \ p_6 \ p_7 \ p_8^{in} p_9 \ p_{10} \ p_{11}. \ b$  $\mathsf{Ptran}(p_1, p_0, p_2) \land \mathsf{Ptran}(cin(cin(p_1, p_0, p_3)) \land \mathsf{Ptran}(b, p_2, p_3) \land \mathsf{Ptran}(a, p_2, p_4) \land$  $\mathsf{Ptran}(p_1,p_3,p_4) \land \mathsf{Ntram}(a,p_4,p_5) \land \mathsf{Ntran}(p_1,p_4,p_6) \land \mathsf{Ntran}(b,p_5,p_6) \land \mathsf{Ntran}(b,p_6)$ a - $\operatorname{Ntran}(p_1, p_5, p_{11}) \land \operatorname{Ntran}(cin, p_6, p_{11}) \land \operatorname{Ptran}(a, p_0, p_7) \land \operatorname{Ptran}(b, p_0, p_7) \land$  $\mathsf{Ptran}(a, p_0, p_8) \land \mathsf{Ptran}(ein, p_7, p_1) \land \mathsf{Ptran}(b, p_8, p_1) \land \mathsf{Ntran}(cin, p_1, p_9) \land \mathsf{Ntran}(cin, p_9) \land \mathsf{Ntra$ p1- $\frac{\mathsf{Ntran}(b, p_1, p_{10}) \land \mathsf{Ntran}(a, p_9, p_{11}) \land \mathsf{Ntran}(b, p_9, p_{11}) \land \mathsf{Ntran}(a, p_{10}, p_{11}) \land}{\mathsf{Ntran}(a, p_{10}, p_{11}) \land \mathsf{Ntran}(a, p_{10}, p_{11}) \land}$  $\mathsf{Pwr}(p_0) \wedge \mathsf{Ptran}(p_4, p_0, sum) \wedge \mathsf{Ntran}(p_4, sum, p_{11}) \wedge$  $Gnd(p_{11}) \wedge Ptran(p_1, p_0, cout) \wedge Ntran(p_1, cout, p_{11})$ 

This circuit can be represented in logic by defining:

#### **5.3** Verification<sup>in, sum, cout</sup>) =

 $\exists p_0 \ p_1 \ p_2 \ p_3 \ p_4 \ p_5 \ p_6 \ p_7 \ p_8 \ p_9 \ p_{10} \ p_{11}.$ 

lines a, b and p, then D1 constrains these values so that  $D_1(a, b, p)$  h constraint imposed by the whole device D we just conjoin (*i.e.*  $\wedge$ -te **Representing circuit structure with predicates** in formation of the structure with predicates in the structure is the combined constraint of thus: nsider the following structure (called D):

 $\mathsf{D}_1(a, b, p) \land \mathsf{D}_2(p, d, c) \land \mathsf{D}_3(q, b, d)$ is expression constrains the values  $\overline{g}_{\overline{p}}$  both the external lines **a**, **b**, **c** internal lines p and q. If we regard D as a 'black box' with the in isible, then we are really only interested in what constraints are im ernal lines. The variables a, b, c and d will denote possible values at es a, b, c and d if and only if the conjunction above holds for some We can therefore define a predicate D representing the behaviour of is device is built by connecting together three component devices D1, D2 and D3. e externa Dinas of  $\mathcal{D}_{q}$ ,  $\mathcal{D}_{q}$ ,  $\mathcal{D}_{q}$  of  $\mathcal{D}_{q}$ . The lines be appled a resulting a band around  $\mathcal{D}_{3}(q, b, d)$ nected to the 'outside world'. (External lines might correspond to the pins of an nus we see that the behaviour corresponding to a circuit is got by: uppose the behaviours of D1. D2 and D3 are specified by predicates D1. D2 and

### HO Logic was a radical choice!

"Unlike first-order logic and some of its less baroque extensions, second and higher-order logic have no coherent well-established theory; the existent material consisting merely of scattered remarks quite diverse with respect to character and origin." (Van Benthem and Kees Doets, 1983.)

And we need a type of *n*-bit words, so we need dependent types, right?

WRONG.

# Verifying Mike's computer

#### In 1983, using LCF\_LSM

"The entire specification and verification described here took several months, but this includes some extending and debugging of LCF\_LSM ... it would take me two to four weeks to do another similar exercise now. The complete proof requires several hours CPU time on a 2 megabyte Vax 750."

In 1986, with Jeff Joyce, Graham Birtwistle, using HOL

And — under the name Tamarack — by many others!



#### It was even fabricated!

# Verifying a real computer: VIPER

- designed by a UK defence lab for military purposes
- specified by a series of abstract layers
  - equivalence of the top three proved by Avra Cohn
  - controversy due to exaggerated claims made by the chip's marketers

*Hardware verification* went from plan (1981) to realisation (1989) in eight years!

### Some papers from that era

Mike Gordon. Proving a computer correct with the LCF LSM hardware verification system (1983).

Avra Cohn. A proof of correctness of the VIPER microprocessor: The first level (1987).

Avra Cohn. Correctness properties of the Viper block model: The second level (1988).

> Brian T. Graham. *The SECD Microprocessor, A Verification Case Study*. Kluwer, 1992.

"Verification involves a pair of models that bear an uncheckable and possibly imperfect relation to the *intended design* and to the *actual device*."

*Avra Cohn, 1989* 

### So what next?

"a long term project on verifying combined hardware/software systems by mechanized formal proof"

Mike Gordon, "Mechanizing programming logics in higher order logic", 1989

- Mike *derived* Hoare logic in HOL from the operational semantics of a programming language
- supporting the illusion by pretty-printing
- the first shallow embedding of one formalism within another

### Whooshing to the year 2000...

Lots of PhDs on floating point arithmetic, process calculi, BDDs, etc., etc...

# Verifying the ARM6 processor

a "commercial off-the-shelf" design

- joint project with Graham Birtwistle at Leeds
- verification by Anthony Fox at Cambridge
- the ARM6 microarchitecture implements its ISA
- And we have a complete formal spec of this machine

# Verification and assembly language

(Magnus Myreen, working with Mike)

- Hoare-style logics for assembly languages
- decompilation of assembler to HOL (for 3 machines!)
- proof-producing translation from HOL to assembler

"verifying combined hardware/software systems"

# Culminating in CakeML

A dialect of Standard ML, with semantics formalised in HOL

The compiler backend can generate code for 5 different architectures

Source code can be written directly or translated from HOL

Bootstrapped via compilation within HOL4, yielding a *"verified binary that provably implements the compiler itself"* 

The work of Ramana Kumar, Magnus Myreen, Scott Owens, etc.

### How Mike accomplished so much

- he ignored "hot topics" to pursue an original plan
- ... and talked to "the enemy" across the Department
- \* ... to learn another subject *really well*
- while using his own knowledge of theory (denotational semantics and CCS)

# Learn your application thoroughly

#### E.g. *cryptographic protocols*: such a **simple** field

... so much flawed research

... leading to more bad research

Because people weren't learning from *security* experts!

# Rely on robust tools and theory

- LCF provided a good verification engine
- Higher-order logic was old, solid theory (1940!)
- Standard ML was emerging; Mike didn't use it!]

*Type theory* would take many years to settle down and would have been a distraction back in 1985.

### Where are we today?

- LCF architectures dominate the landscape
- using higher-order logic or its extensions
- hardware verification is done extensively in industry
- academic research continues to push forward

But modern processors are *still* too complex to verify in full!

### Mike Gordon

1948–2017

