A Comparative Study of Coq and HOL

This paper illustrates the differences between the style of theory mechanisation of Coq and of HOL. This comparative study is based on the mechanisation of fragments of the theory of computation in these systems. Examples from these implementations are given to support some of the arguments discussed in this paper. The mechanisms for specifying definitions and for theorem proving are discussed separately, building in parallel two pictures of the different approaches of mechanisation given by these systems

Doctor of Philosophy

dissertationEmbedded systems are often deployed in a variety of mission-critical fields, such as car control systems, the artificial pace maker, and the Mars rover. There is usually significant monetary value or human safety associated with such systems. It is thus desirable to prove that they work as intended or at least do not behave in a harmful way. There has been considerable effort to prove the correctness of embedded systems. However, most of this effort is based on the assumption that embedded systems do not have any peripheral devices and interrupt handling. This is too idealistic because embedded systems typically depend on some peripheral devices to provide their functionality, and in most cases these peripheral devices interact with the processor core through interrupts so that the system can support multiple devices in a real time fashion. My research, which focuses on constrained embedded systems, provides a framework for verifying realistic device driver software at the machine code level. The research has two parts. In the first part of my research, I created an abstract device model that can be plugged into an existing formal semantics for an instruction set architecture. Then I instantiated the abstract model with a model for the serial port for a real embedded processor, and plugged it into the ARM6 instruction set architecture (ISA) model from the University of Cambridge, and verified full correctness of a polling-based open source driver for the serial port. In the second part, I expanded the abstract device model and the serial port model to support interrupts, modified the latest ARMv7 model from the University of Cambridge to be compatible with the abstract device model, and extended the Hoare logic from the University of Cambridge to support hardware interrupt handling. Using this extended tool chain, I verified full correctness of an interrupt-driven open source driver for the serial port. To the best of my knowledge, this is the first full correctness verification of an interrupt-driven device driver. It is also the first time a device driver with inherent timing constraints has been fully verified. Besides the proof of full correctness for realistic serial port drivers, this research produced an abstract device model, a formal specification of the circular bu er at assembly level, a formal specification for the serial port, a formal ARM system-on-chip (SoC) model which can be extended by plugging in device models, and the inference rules to reason about interrupt-driven programs

A Proof Planning Framework For Isabelle

Centre for Intelligent Systems and their ApplicationsProof planning is a paradigm for the automation of proof that focuses on encoding intelligence to guide the proof process. The idea is to capture common patterns of reasoning which can be used to derive abstract descriptions of proofs known as proof plans. These can then be executed to provide fully formal proofs. This thesis concerns the development and analysis of a novel approach to proof planning that focuses on an explicit representation of choices during search. We embody our approach as a proof planner for the generic proof assistant Isabelle and use the Isar language, which is human-readable and machine-checkable, to represent proof plans. Within this framework we develop an inductive theorem prover as a case study of our approach to proof planning. Our prover uses the difference reduction heuristic known as rippling to automate the step cases of the inductive proofs. The development of a flexible approach to rippling that supports its various modifications and extensions is the second major focus of this thesis. Here, our inductive theorem prover provides a context in which to evaluate rippling experimentally. This work results in an efficient and powerful inductive theorem prover for Isabelle as well as proposals for further improving the efficiency of rippling. We also draw observations in order to direct further work on proof planning. Overall, we aim to make it easier for mathematical techniques, and those specific to mechanical theorem proving, to be encoded and applied to problems

Using Proof-Planning to Investigate the Structure of Proof in Non-Standard Analysis

Centre for Intelligent Systems and their Applicationsaward number 99303126This thesis presents an investigation into the structure of proof in non-standard analysis using proof-planning. The theory of non-standard analysis, developed by Robinson in the 1960s, offers a more algebraic way of looking at proof in analysis. Proof-planning is a technique for reasoning about proof at the meta-level. In this thesis, we use it to encapsulate the patterns of reasoning that occur in non-standard analysis proofs. We first introduce in detail the mathematical theory and the proof-planning architecture. We then present our research methodology, describe the formal framework, which includes an axiomatisation, and develop suitable evaluation criteria. We then present our development of proof-plans for theorems involving limits, continuity and differentiation. We then explain how proof-planning applies to theorems which combine induction and non-standard analysis. Finally we give a detailed evaluation of the results obtained by combining the two attractive approaches of proof-planning and non-standard analysis, and draw conclusions from the work

On the simulation and design of manycore CMPs

The progression of Moore’s Law has resulted in both embedded and performance computing systems which use an ever increasing number of processing cores integrated in a single chip. Commercial systems are now available which provide hundreds of cores, and academics have proposed architectures for up to 1024 cores. Embedded multicores are increasingly popular as it is easier to guarantee hard-realtime constraints using individual cores dedicated for tasks, than to use traditional time-multiplexed processing. However, finding the optimal hardware configuration to meet these requirements at minimum cost requires extensive trial and error approaches to investigate the design space. This thesis tackles the problems encountered in the design of these large scale multicore systems by first addressing the problem of fast, detailed micro-architectural simulation. Initially addressing embedded systems, this work exploits the lack of hardware cache-coherence support in many deeply embedded systems to increase the available parallelism in the simulation. Then, through partitioning the NoC and using packet counting and cycle skipping reduces the amount of computation required to accurately model the NoC interconnect. In combination, this enables simulation speeds significantly higher than the state of the art, while maintaining less error, when compared to real hardware, than any similar simulator. Simulation speeds reach up to 370MIPS (Million (target) Instructions Per Second), or 110MHz, which is better than typical FPGA prototypes, and approaching final ASIC production speeds. This is achieved while maintaining an error of only 2.1%, significantly lower than other similar simulators. The thesis continues by scaling the simulator past large embedded systems up to 64-1024 core processors, adding support for coherent architectures using the same packet counting techniques along with low overhead context switching to enable the simulation of such large systems with stricter synchronisation requirements. The new interconnect model was partitioned to enable parallel simulation to further improve simulation speeds in a manner which did not sacrifice any accuracy. These innovations were leveraged to investigate significant novel energy saving optimisations to the coherency protocol, processor ISA, and processor micro-architecture. By introducing a new instruction, with the name wait-on-address, the energy spent during spin-wait style synchronisation events can be significantly reduced. This functions by putting the core into a low-power idle state while the cache line of the indicated address is monitored for coherency action. Upon an update or invalidation (or traditional timer or external interrupts) the core will resume execution, but the active energy of running the core pipeline and repeatedly accessing the data and instruction caches is effectively reduced to static idle power. The thesis also shows that existing combined software-hardware schemes to track data regions which do not require coherency can adequately address the directory-associativity problem, and introduces a new coherency sharer encoding which reduces the energy consumed by sharer invalidations when sharers are grouped closely together, such as would be the case with a system running many tasks with a small degree of parallelism in each. The research concludes by using the extremely fast simulation speeds developed to produce a large set of training data, collecting various runtime and energy statistics for a wide range of embedded applications on a huge diverse range of potential MPSoC designs. This data was used to train a series of machine learning based models which were then evaluated on their capacity to predict performance characteristics of unseen workload combinations across the explored MPSoC design space, using only two sample simulations, with promising results from some of the machine learning techniques. The models were then used to produce a ranking of predicted performance across the design space, and on average Random Forest was able to predict the best design within 89% of the runtime performance of the actual best tested design, and better than 93% of the alternative design space. When predicting for a weighted metric of energy, delay and area, Random Forest on average produced results within 93% of the optimum result. In summary this thesis improves upon the state of the art for cycle accurate multicore simulation, introduces novel energy saving changes the the ISA and microarchitecture of future multicore processors, and demonstrates the viability of machine learning techniques to significantly accelerate the design space exploration required to bring a new manycore design to market