Verifying an interactive consistency circuit: A case study in the reuse of a verification technology by Srivas, Mandayam & Bickford, Mark
N91-17570 '
Verifying an Interactive Consistency Circuit:
A Case Study in the Reuse of a Verification Technology
Mark Bickford
Mandayam Srivas
Odyssey Research Associates, Inc.
301A Harris B. Dates Drive
Ithaca, NY 14850.
This talk presented the work done at ORA for NASA-LRC in the design
and formal verification of a hardware implementation of a scheme for
attaining interactive consistency (byzantine agreement) among four
microprocessors. The microprocessors used in the design are an
updated version of a formally verified 32-bit, instruction-pipelined,
RISC processor, MiniCayuga. The 4-processor system, which is designed
under the assumption that the clocks of all the processors are
synchronized, provides ''software control'' over the interactive
consistency operation. Interactive consistency computation is
supported as an explicit instruction on each of the microprocessors.
An identical user program executing on each of the processors decides
when and on what data interactive consistency must be performed.
This exercise also served as a case study to investigate the
effectiveness of reusing the technology which had been developed
during the MiniCayuga effort for verifying synchronous hardware
designs. MiniCayuga was verified using the verification system Clio
which was also developed at ORA. To assist in reusing this technology
a computer-aided specification and verification tool was developed.
This tool specializes Clio to synchronous hardware designs and
significantly reduces the tedium involved in verifying such designs.
The talk presented the tool and described how it was used to specify
and verify the interactive consistency circuit.
i
i
https://ntrs.nasa.gov/search.jsp?R=19910008257 2020-03-19T19:40:15+00:00Z
Summary
Achievements
1. Formalization of abstract Byzantine agreement algorithm.
2. Use of this algorithm to specify a hardware device.
3. A mechanically checked proof that the device design is correct.
4. The implementation of the device form the low-level design.
l_imitations
I. Assumes synchronized behavior of the processes.
1| A_wt 1990
Verifying an Interactive Consistency
Circuit:
A Case Study in the Reuse of
a Verification Technology
Mark Bickford
Mandayam Srivas
Odyssey Research Associates, Inc.
301A Harris B. Dates Drive
ithaca, NY 14850.
Objectives of the Work
Design an
tion for a
efficient hardware implementa-
4-processor architecture
• Use verified MiniCayuga's in the design
• Verify the design
• Reuse MiniCayuga verification technology
A method of
ware designs
tem
modeling synchronous hard-
in the Clio verification sys-
Formalizing a class of properties most
commonly encountered in verifying de-
signs
-- A "standard" proof strategy
2
Q I____ "Fh__
Presentation Outline
• IC circuit design
The
tool
computer-aided hardware verification
• How we verified it
• General observations about the effort
The Hardware Design: Overview
prvt St
[1131 ID
ICVEC
Cayuga-FTl
prvt St
[ii]I ID
ICVEC
Cayuga-FT4
4
Ici
_O1
_,__.__ N I
NI
El
F, I
II
OI
------_ N 1
S!
prvt St
c--]l ID
ICVEC
Cayuga-FT2
prvt St
ICVEC
Cayuga-FT3
4
Two new instructions:
ICOP KEG
MOVE SREG REG
- initiates and co-orinates
IC computation
- moves special REG to
general KEG
II check if voter is free
Notfree MOVE STATUS KEG1
JIF KEG1Notfree
ICOP KEG2
II check if IC computation is
Notready MOVE STATUS REG1
I I move the
complete
JIF REGI
results
MOVE SREGO
MOVE SREGI
MOVE SREG2
Notready
of IC to
REG3
REG4
REG5
general registers
5
The Hardware Design: Overview
Fault Region 1
Cayuga-FT1 'i _
L12, 3 I ', _-j,,ffff i _ o
I voterl I, : 5 °
2 EI __ ___
____t-t___..... , T
[
I
ICayuga-FT4 I i
ii ti
Voter4
1
Fault Region 4
Fault Region2
ICayuga-FT2 I
ii t i'
voter2 i]
ICayuga-FT3 i
I,_i_ t _'
,. Voter3 il
Fault Region 3
• voter separate from processor: modularity
• point-to-point connection: electrical iso-
lation
• serialize data transfers: number of pins
Vs. time
• Fault region: processor, voter, and the
connections they feed
no absolute indexing scheme
sors/voters
-relative indexing scheme
s_cc 3
IC vectors will be stored
sors in the order of their
in the proces-
successors
Underlying assumption
chronized with at most
clocks are syn-
a bounded skew
hold sender's signal stable for one
longer than needed
phase
7
[C System Design Behavior
< ( _m2
]
• Initiate: draw the attention of voter (1)
• Load: transfer private values (2)
• Exchange: exchange received values (6)
• Compute" compute and store IC vector (3)
8
oII
t
r
o
,I
II
c
g
MTCI I
Dalapath
w_
f,
('lmt[oilcr .";talc M_hinc
f L
MiniCayuga Processor: Summary
• Inspired by Cayuga (Cornell University)
• 32-bit RISC processor
• Design characteristics
-- 32 general purpose registers
- small and simple instruction set
3-stage instruction
pute, writeback
pipeline: fetch, com-
delayed jump,
forwarding
pipeline stalling, internal
-interrupt
10
What do we prove ?
A£suming
• every Cayuga-FT is about to
ICOP,
execute an
• every Voter is ready to vote, and
• there is at most one faulty region,
then, 12 cycles later the system
isfy the following conditions:
state will sat-
The IC vectors in the processors are iden-
tical "up to rotation."
The ]C vectors are correct w.r.t, to the
processor private values 12 cycles earlier.
12
A Computer-Aided Verification Tool
• Specializes Clio to the domain of
state controller systems
finite
• Design specification generation
• Verification condition formulation
• Automatic proof support
13
1
C
O-
n
t 1 S
r
0 fall
-I
I
U
o 'L,/vm
',_la,l_ _
Q_ l The Voter Circuit j
I '__,D,
L
J/,
Conuoilcr State Machine
Finite State Controller Systems (FSCS)
• Central Controller -!- Data Path compo-
nents
• Component behavior is specified as a set
of actions
Controller
schedules
nents.
is specified as an FSM which
a set of actions on the com po-
Timing Model
- Every transition corresponds to a clock
cycle (with multiple phases)
An action may have
(phases) of delay
zero or more units
Actions are synchronized with state tran-
sitions
14
Specification technology reused
@ a method of formalizing the intended op-
erational model of an FSCS in Caliban/Clio
designspecgen ::
data-path-structure ->
controller-structure ->
controller-schedule ->
actions-behavior -> design-spec
Execute :: STATE -> STATE
"single clock cycle behavior of design"
15
Proof technology shared
Form of the most commonly
ditions
- Invariant conditions
proved con-
-- Advance conditions
A_ I_ _ _
• Proof strategy: "=ontrolled
uation (rewriting) with
symbolic eval-
selective case-splits"
16
Tile Specification Hierarchy
b_z_
II,_m_nm_u_nD 4
\
Rationale for the hierarchy
• Decompose proofs into manageable units
• Need for the black level
--introduce "error" actions
type of Execute
of act ion
is different from that
• Implication of intermediate levels
--pro: proof can take "bigger" steps
con: must come up with
abstract specification
intermediate
18
Top Level Specification
I I IcNetState : "~ <<(INDEX -> FTCstate),
II (INDEX -> Voterstate), Interrupts>>
IcNetStep <<ftc,vtr, int:rest>> =
<<newftc,newvtr ,rest>>
where newftc index
= fault_ftc_step index ftc (ftcinput index)
newvtr index
= fault_vtr_step index vtr (vtrinput index)
ftcinput index
= make_ftc_in
vtrinput index
= Voterinput
(select_int index int)
(fault_to_proc index ftc vtr)
index ftc vtr
(ftcinput index )
fault_ftc_step index s in =
FtCayugaStep (s index) in ,
byzCayugaStep (s index) in
"(faulty index)
fault_vtr_step index s =
voterstep (s index)
byzstep (s index)
, - (faulty index)
19
Formal Statement of Correctness
MainTheorem :=
Preconditions 's c => ResultConsistent (s'
ResultConsistent 'sO .'=
Consistent 'icvec s (Iterate #12 IcNetStep s) c
Consistent 'array' "=
'faulty indexC=CFalse ' =>
IndexConsistent 'array c 'index'
IndexConsistent 'array' 'index c "=
('faulty (succ index)'='False'=>
'(array index).succC='array (succ index) C)
& ('faulty (succ2 index)'='FalseC=>
'(array index).succ2C='array (succ2 index) ')
('faulty (succ3 index) C=CFalse'=>
'(array index).succSC='array (succ3 index)')
2O
nditions 's' "=Preco " , ,
Proper_icnet 's' _ Sync 'LDPI' s
All_go's
Sync 'cs' ,<<ftc,vtr,inlist>>' :=
('faulty ONE' = 'False' =>
'control (vtr ONE) '='cs')
a ('faulty TWO' = 'False' =>
Ccontrol (vtr TWO)'='cs')
('faulty THREE' = 'False' =>
'control (vtr THREE) '='cs')
a ('faulty FOUR' = 'False' =>
'control (vtr FOUR) '='cs')
All_go 's' :=
('faulty ONE '='False' =>
('go_of (vtr s ONE) '='False
a ('faulty TWO '='False' =>
('go_of (vtr s TWO) '='False' _
(
('faulty THR EE'='False =>
(ego_of (vtr s THREE) '='False
a ('faulty FOU R'='False' =>
('go_of (vtr s FOUR)''
, & 'go_signal s ONE '='G
'go_signal s TWO '='G
'go_signal s THREI
'False' _ 'go_signal s FOUR':
21
Preconditions 'sO "=
Proper_icnet 'sO Sync 'LDPI' 'sO All_go 's'
Sync Ccs' '<<ftc,vtr,inlist>>' :=
('faulty 0NE' = 'False c =>
'control (vtr ONE)'=Ccs')
& ('faulty TWO' = 'False' =>
'control (vtr TW0)'='cs')
a ('faulty THREE' = 'False c =>
'control (vtr THKEE)'=Ccs')
& ('faulty FOUR' = 'False' =>
'control (vtr FOUR) C='cs ')
All_go 's' :=
(tfaulty ONEC=CFalse' =>
('go_of (vtr s 0NE) C='False ' & 'go_signal s 0NE'='GO'))
& ('faulty TW0C='False' =>
('go_of (vtr s TW0)'='False' & 'go_signal s TWO'='G0'))
('faulty THREEC=CFalse ' =>
('go_of (vtr s THREE)'=CFalse'
'go_signal s THREE'=' GO' ) )
& ('faulty FOURC=CFalse' =>
(ego_of (vtr s FOUR) C=CFalse'
& 'go_signal s FOURC=CGO'))
21
The proof strategy
"controlled symbolic
reused
execution of design"
• lnstantiate the states of components and
inputs with appropriate symbolic constants.
o Add all the conditions on the constants
implied by the preconditions of the theo-
rem as hypothesis.
3. Symbolically evaluate design.
m Try case-splitting on all the
automatically.
conditionals
. If either of the previous two steps seem to
take too long, then case-spilt on the con-
troller states and inputs before symbolic
evaluation (step 3).
22
New technology needed
• Modeling faulty behavior
• Specification
- determining the right hierarchy
-- writing intermediate "abstract" spec
-- defining abstraction function (ABS)
Proof: "design
"abstract level
level properness"
properness"
implies
23
General Observations
O An engineering-oriented verification
rience
Lilith _ MiniCayuga -_ IC circuit
expe-
• Methodology: top-down 4- bottom-up
• Level of effort: 1 man year
-- building the tool
-- developing designs
- verification
24
Verification Effort Milestones
• formulated a top level
ment
correctness state-
• designed and verified a simple voter circuit
• specified voter and processor for a contin-
uous voting scheme
• designed and verified second voter design
25
discovered continuous
"hard to synchronize"
voting scheme was
respecified voter and
on-demand scheme
processor for a voting-
• redesign and reverify voter
• verified overall system
• verified processor
26
To integrate theorem proving based verifi-
cation technology into the design process
we need"
-- more machine assistance
-- domain specialization
• The next step ?
A useful way of reporting failed proof
attempts
Interaction
engineering
with motivated and patient
design teams and proJects
27
