MDGThesis.pdf


  • 8/14/2019 MDGThesis.pdf

    1/171

The Verification of MDG Algorithms in the HOL Theorem Prover

Sa'ed Rasmi H. Abed

A Thesis in The Department of Electrical and Computer Engineering

Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at Concordia University, Montreal, Quebec, Canada

June 2008

Sa'ed Rasmi H. Abed, 2008


Library and Archives Canada, Published Heritage Branch, 395 Wellington Street, Ottawa ON K1A 0N4, Canada

Your file / Votre référence ISBN: 978-0-494-42548-0
Our file / Notre référence ISBN: 978-0-494-42548-0

NOTICE: The author has granted a non-exclusive license allowing Library and Archives Canada to reproduce, publish, archive, preserve, conserve, communicate to the public by telecommunication or on the Internet, loan, distribute and sell theses worldwide, for commercial or non-commercial purposes, in microform, paper, electronic and/or any other formats.

The author retains copyright ownership and moral rights in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.

In compliance with the Canadian Privacy Act some supporting forms may have been removed from this thesis. While these forms may be included in the document page count, their removal does not represent any loss of content from the thesis.


ABSTRACT

The Verification of MDG Algorithms in the HOL Theorem Prover

Sa'ed Rasmi H. Abed, Ph.D.
Concordia University, 2008

Formal verification of digital systems is achieved, today, using one of two main approaches: state exploration (mainly model checking and equivalence checking) or deductive reasoning (theorem proving). Indeed, the combination of the two approaches, state exploration and deductive reasoning, promises to overcome the limitations and to enhance the capabilities of each. Our research is motivated by this goal. In this thesis, we provide the entire necessary infrastructure (data structure + algorithms) to define high level state exploration in the HOL theorem prover, named the MDG-HOL platform. While related work has tackled the same problem by representing primitive Binary Decision Diagram (BDD) operations as inference rules added to the core of the theorem prover, we have based our approach on Multiway Decision Graphs (MDGs). MDGs generalize ROBDDs to represent and manipulate a subset of first-order logic formulae. With MDGs, a data value is represented by a single variable of an abstract type and operations on data are represented in terms of uninterpreted functions. Considering MDGs instead of BDDs raises the abstraction level of what can be verified using state exploration within a theorem prover. The MDG embedding is based on the logical formulation of an MDG as a Directed Formula (DF). The DF syntax is defined as HOL built-in data types. We formalize the basic MDG operations using this syntax within HOL following a deep embedding approach. Such an approach ensures the consistency of our embedding. Then, we derive the correctness proof for each MDG basic operator.

Based on this platform, the MDG reachability analysis is defined in HOL as a conversion that uses the MDG theory within HOL. Then, we demonstrate the effectiveness of our platform by considering four case studies. Our obtained results show that this verification framework offers a considerable gain in terms of automation without sacrificing CPU time and memory usage compared to automatic model checker tools.

Finally, we propose a reduction technique to improve MDG model checking based on the MDG-HOL platform. The idea is to prune the transition relation of the circuits using pre-proved theorems and lemmas from the specification given at system level. We also use the consistency of the specifications to verify whether the reduced model is faithful to the original one. We provide two case studies: the first one is the reduction using SAT-MDG of an Island Tunnel Controller and the second one is the MDG-HOL assume-guarantee reduction of the Look-Aside Interface. The obtained results of our approach offer a considerable gain in terms of heuristics and reduction techniques correctness compared to commercial model checking; however, a small penalty is paid in terms of CPU time and memory usage.


    To My Family


ACKNOWLEDGEMENTS

I would like to express my gratitude to my supervisor, Dr. Otmane Ait Mohamed, whose expertise, understanding, and patience added considerably to my graduate experience. I am deeply grateful for his support and encouragement throughout my Ph.D. studies.

I would like to thank the other members of my committee, Dr. Sofiene Tahar, Dr. Rachida Dssouli, and Dr. Asim J. Al-Khalili, for the assistance they provided at all levels of the research project. Finally, I would like to thank Dr. El-Mostapha Aboulhamid from Montreal University for taking time out from his busy schedule to serve as my external examiner.

Very special thanks go out to my colleagues in the Hardware Verification Group (HVG); without their help, motivation and encouragement I would not have reached this point in my research. I have spent three years and a half in the HVG labs and will never forget the great moments and achievements we had together during these years. Also, I would like to thank Dr. Ghiath Al Sammane, a post-doctoral fellow in our (HVG) group, for many discussions and helpful suggestions, which are invaluable to this thesis.

Last but not least, I would like to reserve my deepest thanks for my parents, sisters and brother, for their support and encouragement. My wife, who has been with me in every moment of my PhD tenure, is my source of strength, and without her support this thesis would never have started, much less finished. I would like to mention my children, Bara', Baha and Lina, for bringing joy and fun into my life and for their sacrifices and patience. I can never thank them enough.


TABLE OF CONTENTS

LIST OF TABLES                                                        xi
LIST OF FIGURES                                                      xii
LIST OF ACRONYMS                                                     xiv

1 Introduction                                                         1
  1.1 Formal Verification Techniques                                   4
    1.1.1 Theorem Proving                                              5
    1.1.2 Model Checking                                               7
      Binary Decision Diagrams                                         9
      SAT Based Methods                                               10
  1.2 Related Work                                                    11
    1.2.1 Hybrid Approach                                             11
    1.2.2 Deep Embedding Approach                                     15
      Embedding of Model Checking Algorithms in Theorem Provers       16
      Correctness Proof of Model Checking Algorithms                  18
  1.3 Proposed Methodology                                            21
  1.4 Thesis Contributions                                            24
  1.5 Thesis Organization                                             25

2 Preliminaries                                                       27
  2.1 The HOL Theorem Prover                                          27
  2.2 Multiway Decision Graphs                                        31
    2.2.1 Formal Logic                                                31
    2.2.2 Abstract State Machines                                     33
    2.2.3 Structure                                                   34
    2.2.4 The MDG-Tool                                                36
    2.2.5 MDGs Model Checking                                         37

3 Formalization of MDG Syntax                                         39
  3.1 Transition Relation: Graph or Formula                           39
  3.2 Embedding Directed Formulae in HOL                              41
  3.3 Well-formedness Conditions                                      47
  3.4 MIN-MAX Example                                                 51

4 Formalization of MDG Operations                                     55
  4.1 The Conjunction Operation                                       55
    4.1.1 The Conjunction Constraints                                 56
    4.1.2 The Conjunction Embedding                                   58
  4.2 The Relational Product (RelP) Operation                         63
    4.2.1 The RelP Constraints                                        64
    4.2.2 The RelP Embedding                                          65
  4.3 The Disjunction Operation                                       66
    4.3.1 The Disjunction Constraints                                 67
    4.3.2 The Disjunction Embedding                                   68
  4.4 The Pruning by Subsumption (PbyS) Operation                     71
    4.4.1 The PbyS Constraints                                        72
    4.4.2 The PbyS Embedding                                          72
    4.4.3 The PbyS Performance                                        75
  4.5 The Correctness Proof                                           76
  4.6 Embedding and Proof Discussion                                  79

5 Formalization of MDG Reachability Analysis                          81
  5.1 Reachability Analysis Algorithm                                 81
  5.2 Formalization of Reachability Analysis                          83
  5.3 Example: The MIN-MAX revisited                                  86
  5.4 The MDG-HOL Platform                                            87

6 Applications and Case Studies                                       91
  6.1 Model Reduction Techniques                                      93
  6.2 SAT-MDG Reduction Verification                                  95
    6.2.1 Boolean Satisfiability                                      95
    6.2.2 Combining SAT and MDG Methodology                           97
    6.2.3 Abstracting CNF from DF                                     97
    6.2.4 Extracting Variables from Properties                        99
    6.2.5 Island Tunnel Controller (ITC)                             100
      System Description                                             100
      Verification                                                   102
  6.3 The Assume-Guarantee Reduction Verification in MDG-HOL         103
    6.3.1 The Assume-Guarantee Reduction Methodology                 103
    6.3.2 Generation of Directed Formulae                            105
      From High Level Language                                       105
      From the Properties                                            108
    6.3.3 Verification of the Reduction Soundness                    108
      The Reduction-Soundness Algorithm                              110
      Correctness of the Algorithm                                   111
      The False Negative                                             112
      The RAM Example                                                113
    6.3.4 Case Studies                                               114
      Look-Aside Interface (LA-1)                                    114
      Island Tunnel Controller (ITC)                                 119

7 Conclusions and Future Work                                        122
  7.1 Summary                                                        122
  7.2 Future Research Directions                                     124

Bibliography                                                         127

A The MDG-HOL Platform                                               139
  A.1 The MDG Syntax                                                 139
  A.2 The Conjunction Operation                                      142
  A.3 The RelP Operation                                             145
  A.4 The Disjunction Operation                                      146
  A.5 The PbyS Operation                                             147
  A.6 The Reachability Analysis                                      149


LIST OF TABLES

1.1 Deductive theorem proving vs. state exploration method                                                  3
1.2 Raising the Abstraction Level                                                                          10
2.1 Terms of the HOL Logic                                                                                 29
3.1 Well-Formedness (WF) Inference Rules                                                                   49
4.1 The PbyS Performance                                                                                   76
5.1 MDG-HOL Benchmarks                                                                                     88
5.2 FormalCheck Benchmarks                                                                                 88
6.1 Comparing the Original MDGs Model Checking Results with the Reduced MC and Soundness Verification Results   103
6.2 Comparing the Original MDGs Model Checking Results with the Reduced MC and Soundness Verification Results   119
6.3 Comparing the Original MDGs Model Checking Results with the Reduced MC and Soundness Verification Results   120


LIST OF FIGURES

1.1 Theorem Proving and Model Checking Interface               12
1.2 Embedding Model Checking inside Theorem Proving Tool       15
1.3 Overview of the Embedding Methodology in HOL               22
2.1 Example of Multiway Decision Graphs Structure              35
2.2 The Structure of the MDGs-tool                             36
3.1 MIN-MAX State Machine                                      51
4.1 The conjunction operation                                  56
4.2 MDG1 and MDG2                                              63
4.3 MDG1 CONJ MDG2                                             64
4.4 MDG1 RelP MDG2                                             66
4.5 The disjunction operation                                  66
4.6 MDG1 and MDG2                                              70
4.7 MDG1 DISJ MDG2                                             70
4.8 The PbyS operation                                         71
4.9 The PbyS Performance                                       77
4.10 Correctness Methodology                                   78
5.1 MDG-HOL and FormalCheck Small Benchmarks                   89
5.2 MDG-HOL and FormalCheck Big Benchmarks                     89
6.1 Overview of the Methodology                                98
6.2 The Island Controller                                     101
6.3 Island Tunnel Controller Structure                        101
6.4 Overview of the Reduction Methodology                     104
6.5 Overview of the Soundness-Verification Methodology        108
6.6 Look-Aside Interface                                      116
6.7 Look-Aside Interface Design                               117


LIST OF ACRONYMS

CAD    Computer Aided Design
ASM    Abstract State Machine
BDD    Binary Decision Diagram
ROBDD  Reduced Ordered Binary Decision Diagram
SAT    Satisfiability Checking
DF     Directed Formulae
DAG    Directed Acyclic Graph
FSM    Finite State Machine
HDL    Hardware Description Language
MDG    Multiway Decision Graph
MC     Model Checking
BMC    Bounded Model Checking
STE    Symbolic Trajectory Evaluation
LTL    Linear time Temporal Logic
CTL    Computational Tree Logic
HOL    Higher-Order Logic
ATP    Automatic Theorem Prover
LCF    Logic of Computable Function
ML     Meta Language
FL     Functional Language
CNF    Conjunctive Normal Form
QFB    Quantified Boolean Formulae
RTL    Register Transfer Level
LHS    Left Hand Side
RHS    Right Hand Side
VLSI   Very Large Scale Integration
ITC    Island Tunnel Controller
LA-1   Look-Aside Interface
RelP   Relational Product
PbyS   Pruning by Subsumption


Chapter 1

Introduction

With the increasing complexity of the design of digital systems and the size of the circuits in VLSI technology, the role of design verification has gained a lot of importance. Serious design errors and bugs take a lot of time and effort to be detected and corrected, especially when they are discovered late in the verification process. This will increase the total cost of the chip. In order to overcome these limitations, formal verification techniques arose as a complement to simulation for detecting errors as early as possible, thus ensuring the correctness of the design.

Formal techniques are the application of applied mathematics in order to prove that the design implementation satisfies its specifications, and entail reasoning in some formal logic. In general, formal verification of digital systems is achieved, today, using one of two main approaches: state exploration [49] (mainly model checking and equivalence checking) or deductive reasoning (theorem proving). It is accepted that both approaches have complementary strengths and weaknesses.

State exploration approaches use state space traversal algorithms on finite-state models to check if the implementation satisfies its specification. They are focused mostly on automatic decision procedures for solving the verification problem. In case the verification fails, the user can track, with the counter-example produced, why it failed.

Model checking is an automatic approach for verifying finite-state systems and is mainly used in hardware and protocol verification. The circuit is described as a state machine with a transition relation to describe the circuit behavior. The specifications are described as properties that the machine should satisfy. Furthermore, model checkers can produce a counterexample when the property does not hold, which can be very important for correcting the corresponding error in the implementation under verification or in the specification itself. Traditionally, model checkers used explicit representations of the state transition graph, for all but the smallest state machines. However, model checking suffers from the state explosion problem [19]: the number of the explored states grows exponentially in the size of the system description.

Equivalence checking is used to prove functional equivalence of two design representations modeled at the same or different levels of abstraction. It can be divided into combinational equivalence checking and sequential equivalence checking. Combinational equivalence checking is based on the canonical representations of Boolean functions, or Binary Decision Diagrams (BDDs). Equivalence checking verifies for all input sequences that an implementation has the same outputs as the specification, both modeled as Finite State Machines (FSMs). Sequential equivalence checking is used to verify the equivalence between two sequential designs at each state. Sequential equivalence checking considers only the behavior of the two designs while ignoring their implementation details such as register mapping. It can verify the equivalence between Register Transfer Level (RTL) and netlist, or RTL and the behavioral model, which is very important in design verification. The disadvantage of sequential equivalence checking is that it cannot handle large designs, because it enumerates the state space and runs into the state explosion problem very fast.

In the deductive reasoning approach, the correctness of a design is formulated as a theorem in a mathematical logic and the proof is checked using a general-purpose theorem prover. Based on first-order and higher-order logic, these theorem provers are known for their ability to express relationships over unbounded data structures. Therefore, theorem proving tools are not sensitive to the state explosion problem when used to reason formally about such data and relationships. Unfortunately, if the property fails to hold, deductive methods do not give a counterexample. Furthermore, this frequent situation requires skilled manual guidance for verification and human insight for debugging. Theorem provers today do provide feedback, but only an expert user can track the proof trace and determine whether the fault lies within the system, the property being verified, or within the failed proof tactic.

There has been a great deal of work over the past decade to combine the two approaches to gain the strengths of both and alleviate the weaknesses. Successful combinations of this kind have been achieved in [2, 44, 46, 48, 57, 75, 78]. The strengths and weaknesses of model checking and deductive theorem proving, as discussed above, are summarized in Table 1.1.

Table 1.1: Deductive theorem proving vs. state exploration method

Method                    Automation            Domain size                 Debugging
State exploration method  completely automatic  finite system (large)       generates counter-example
Deductive method          interactive           infinite system (complex)   expert based
Hybrid method             semi-automatic        finite system (very large)  rarely generates counter-example

The combination of the two approaches can be performed either by adding a layer of deduction theorems and rules on top of the model checking tool (hybrid approach) or by embedding model checking algorithms inside theorem provers (deep embedding approach). Our research is motivated by using the deep embedding approach to blend the best of model checker and theorem prover.

The structure of the rest of this chapter is as follows: in Section 1.1, we briefly introduce the formal verification techniques. Section 1.2 surveys the literature and presents the related work. An overview of the research and the contributions of this thesis is given in Sections 1.3 and 1.4, respectively. Finally, the outline of the thesis is presented in Section 1.5.

1.1 Formal Verification Techniques

The formal verification problem consists of mathematically establishing that an implementation behaves according to a given set of requirements or specification. To classify the various approaches, we first look at the three main aspects of the verification process: the system under investigation (implementation), the set of requirements to obey (specification) and the formal verification tool to verify the process (the relationship between implementation and specification).

The implementation refers to the description of the design that is to be verified. It can be described at different levels of abstraction, which results in different verification methods. Another important issue with the implementation is the class of the system or circuit to be verified, i.e., whether it is combinational/sequential, synchronous/asynchronous, pipelined or parameterized hardware. These variations may require different approaches. The specification refers to the property with respect to which the correctness is to be determined. In practice, one needs to model both the implementation and the specification in the tool, and then use one of the formal verification algorithms of the tool to check the correctness of the system or, in some cases, give a trace of the error (counter-example).

Formal techniques have long been developed within the computing research community as they provide a sound mathematical foundation for the specification, implementation and verification of computer systems. Thus, formal verification is proposed as a method to help certify hardware and software, and consequently, to increase confidence in new designs. A correctness proof cannot guarantee that the real device will never malfunction; the design of the device may be proved correct, but the hardware actually built can still behave in a way unintended by the designer. A wrong specification can play a major role in this, because it has been verified that the system will function as specified, but it has not been verified that it will work correctly. Defects in physical fabrication can cause this problem too. In formal verification a model of the design is verified, not the real physical implementation. Therefore, a fault in the modeling process can give false negatives (errors in the design which do not exist), although sometimes the fault covers some real errors.

Formal verification approaches can generally be divided into two main categories: theorem proving methods and state exploration methods such as model checkers, as described in the following subsections.

1.1.1 Theorem Proving

Theorem proving is an approach where the specification and the implementation are usually expressed in first-order or higher-order logic. Their relationship is formed as a theorem to be proved within the logic system. This logic is a set of axioms and a set of inference rules. Steps in the proof appeal to the axioms and rules, and possibly derived definitions and intermediate lemmas. The axioms are usually "elementary" in the sense that they capture the basic properties of the logic's operators [32].

Theorem proving utilizes the proof inference technique. The problem itself is transformed into a sequent, a working representation for the theorem proving problem. Then a sequent holds if the formula f holds in any model:

A proof system is a collection of inference rules of the form:

$$(\text{name}) \quad \frac{P_1 \ \cdots \ P_n}{C}$$

where C is a conclusion sequent, and the $P_i$'s are premise sequents. The meaning of an inference rule is: if all the premises are derivable, then the conclusion is guaranteed to hold. Some inference rules may have no premises, in which case their conclusion automatically holds. Such rules are also called axioms, and they are the only means to complete the proof derivation.

Traditionally, the logic used in theorem proving is classical First- or Higher-Order logic (FOL and HOL respectively). Some other kinds of logics are also used, but since all of them can be expressed in higher-order logic, the latter is used much more often as a general property language.

Theorem proving methods have been in use in hardware and software verification for a number of years in various research projects. Some of the well-known theorem provers are HOL (Higher-Order Logic), ISABELLE, PVS (Prototype Verification System), Coq and ACL2 [23, 36, 42, 47, 66]. These systems are distinguished by, among other aspects, the underlying mathematical logic, the way automatic decision procedures are integrated into the system, and the user interface. Even though they are powerful, they require expertise in using a theorem prover. The user is expected to know the whole design, leading to a white box verification approach. It is not fully automated and requires a large amount of time to verify the system. Another shortcoming is the inability to produce counter-examples in the event of a failed proof, because the user does not know whether the required property is not derivable or whether the person conducting the derivation is not ingenious enough. The advantage of the deductive verification approach is that it can handle very complex systems, because the logics of theorem provers are more expressive. In the next chapter, we will overview the HOL theorem proving system, which we intend to use in this thesis.

1.1.2 Model Checking

Model checking is a state exploration based verification technique developed in the 1980s by Clarke and Emerson [19] and independently by Quielle and Sifakis [68]. In model checking, a state of the system under consideration is a snapshot of the system at a certain time, given by the values of the variables of that system at that time. The system is then modeled as a set of states together with a set of transitions between states that describe how the system moves from one state to another in response to internal or external stimulus. Model checking tools are then used to verify that desired properties (expressed in some temporal logic) hold in the system.

Model checkers have two important advantages. First, once the correct design of the system and the required properties have been fed in, the verification process is fully automatic. Second, in the event of a property not holding, the verification process is able to produce a counter-example (i.e. an instance of the behavior of the system that violates the property), which is extremely useful in helping the human designers pinpoint and fix the flaw. On the other hand, model checkers are unable to handle very large designs due to the state space explosion problem [19]. Another drawback is the problematic description of specifications as properties; this description sometimes may not give full system coverage.

Model checkers such as SPIN [40], COSPAN [51], SMV [54], and MDG [88] take as input, essentially, a finite-state system and a temporal property in some variety or subset of Computation Tree Logic (CTL*), and automatically check that the system satisfies the property. Moreover, the model is often restricted to a finite-state transition system, for which finite-state model checking is known to be decidable. The design or model is formalized in terms of a state machine (transition system), or a Kripke structure:

$$M = (P, S, I, R, L)$$

where M is a state machine (model) with a transition relation to describe the circuit behavior, P is a set of atomic propositions, S is a finite set of states, $I \subseteq S$ is a set of initial states, $R \subseteq S \times S$ is a transition relation that must be total (i.e. for every $s \in S$ there exists $s' \in S$ such that $(s, s') \in R$), and $L : S \to 2^P$ maps each state to the set of atomic propositions true in that state. The property is formalized as a logical formula that the machine should satisfy. The verification problem is stated as checking the formula $\phi$ in the model M:

$$M \models \phi$$

If the model M is represented explicitly as a transition relation, then the size of the model is limited to the number of states that can be stored in the computer memory, which is a few million states with the current technology. To increase the size of the model, more efficient state representations can be used to manipulate these formulae using BDDs or SAT solving techniques.
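The following is an added example, not code from the thesis or the MDG-HOL platform: an explicit-state model checker for a Kripke structure M = (P, S, I, R, L) exactly as defined above. It checks that R is total, decides an invariant property AG p by breadth-first exploration of the reachable states, and, when the property fails, returns the shortest path from an initial state to the violating state, which is the counter-example a model checker produces. The two-process mutual-exclusion model (states are pairs of program counters n/t/c) and the name "mutex" are constructed for the illustration; the unguarded variant is the deliberately wrong design whose counter-example the checker finds.

```python
"""Explicit-state model checking of a Kripke structure M = (P, S, I, R, L).

Added example (not from the thesis). The structure follows the definition
in Section 1.1.2; the mutual-exclusion model below is constructed.
"""
from collections import deque


class Kripke:
    """M = (P, S, I, R, L); R is required to be total for model checking."""

    def __init__(self, P, S, I, R, L):
        self.P = frozenset(P)          # atomic propositions
        self.S = frozenset(S)          # finite set of states
        self.I = frozenset(I)          # initial states, I subset of S
        self.R = frozenset(R)          # transition relation, R subset of S x S
        self.L = L                     # labelling L : S -> 2^P
        if not self.I <= self.S or any(s not in self.S or t not in self.S for s, t in self.R):
            raise ValueError("I and R must range over S")
        # Adjacency lists, sorted so that exploration order is deterministic.
        self.succ = {s: [] for s in self.S}
        for s, t in sorted(self.R):
            self.succ[s].append(t)

    def is_total(self):
        """R is total iff every state has at least one successor."""
        return all(self.succ[s] for s in self.S)

    def check_invariant(self, p):
        """Decide M |= AG p, i.e. p labels every state reachable from I.

        Returns (True, None) when the invariant holds, otherwise (False, trace)
        where trace is a shortest path from an initial state to a state that
        violates p: the counter-example handed back to the designer.
        """
        parent = {s: None for s in self.I}      # BFS tree, also marks visited states
        queue = deque(sorted(self.I))
        while queue:
            s = queue.popleft()
            if p not in self.L(s):              # violation found: rebuild the path
                trace = []
                while s is not None:
                    trace.append(s)
                    s = parent[s]
                return False, trace[::-1]
            for t in self.succ[s]:
                if t not in parent:
                    parent[t] = s
                    queue.append(t)
        return True, None


def mutex_model(guarded):
    """Two processes with program counters n (non-critical), t (trying), c (critical).

    Constructed model. With guarded=True a process enters c only while the other
    is not in c; with guarded=False it enters unconditionally, which breaks the
    invariant "mutex" (never both in c) and yields a counter-example.
    """
    PC = ("n", "t", "c")
    S = [(a, b) for a in PC for b in PC]

    def step(pc, other):
        if pc == "n":
            return "t"
        if pc == "t":
            return "c" if (not guarded or other != "c") else "t"   # "t" -> self-loop keeps R total
        return "n"

    R = set()
    for a, b in S:
        R.add(((a, b), (step(a, b), b)))   # process 0 moves
        R.add(((a, b), (a, step(b, a))))   # process 1 moves
    I = {("n", "n")}

    def L(s):
        return frozenset({"mutex"}) if not (s[0] == "c" and s[1] == "c") else frozenset()

    return Kripke({"mutex"}, S, I, R, L)


if __name__ == "__main__":
    for guarded in (True, False):
        m = mutex_model(guarded)
        ok, trace = m.check_invariant("mutex")
        print("guarded" if guarded else "unguarded", "| R total:", m.is_total(),
              "| M |= AG mutex:", ok, "| counter-example:", trace)
```

The explicit representation is the one the paragraph above warns about: `parent` holds every reachable state, so memory grows with the state count, which is exactly the limitation that motivates BDD- and SAT-based state representations.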


Binary Decision Diagrams

Binary Decision Diagrams (BDDs) [13] are data structures used as a compact representation for Boolean functions, which improves the capacity of the model checker. BDDs have several useful properties. Many common functions have small BDDs, in addition to the fact that BDDs are easy to manipulate. Also, a function can be evaluated in time linear in the number of variables, and (Boolean) variables can be existentially or universally quantified in time quadratic in the size of the BDD. Moreover, the order in which the variables appear can be fixed, and hence the BDD is a canonical representation for the Boolean function.

BDDs are used to overcome the capacity limitation of model checkers: different representations of ROBDDs (Reduced Ordered Binary Decision Diagrams) [14] are used to manipulate the state transition relations as diagrams, and this allows model checkers to verify larger systems. Still, most model checkers face the state space explosion problem [19] even using symbolic model checking. To be able to apply model checking to larger designs, state reduction techniques are used that exploit some features of the model, the properties, or the problem domain to reduce the state space to a tractable size. Examples include partitioned transition relations, dynamic variable reordering, cone of influence reduction, abstraction, and problem-specific techniques, e.g. when the original design is rewritten in a simpler way, omitting the irrelevant details but preserving the important behavior for the property being verified.
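As an added illustration of the BDD properties listed above (this is example code written for this page, not the thesis's or any BDD library's implementation), the following small ROBDD package keeps a unique table so that the two reduction rules (drop a redundant test, share isomorphic subgraphs) are applied at node creation, builds functions with a Shannon-expansion `apply`, evaluates a function in time linear in the number of variables, and counts satisfying assignments in time linear in the diagram size. Under a fixed variable order the representation is canonical, so `(a & b) | (~a & b)` reduces to the identical node as `b`. The variable names and the formulae in `canonicity_demo` are constructed for the example.

```python
"""A minimal Reduced Ordered BDD (ROBDD) with hash-consed nodes.

Added example, not the thesis's code. Terminals are the node ids 0 and 1;
every other node is (var, low, high) stored once in a unique table.
"""
import operator


class ROBDD:
    def __init__(self, order):
        self.order = {v: i for i, v in enumerate(order)}   # fixed variable order
        self.n = len(order)
        self.nodes = {0: None, 1: None}   # id -> (var, low, high); 0 and 1 are terminals
        self.unique = {}                  # (var, low, high) -> id (hash-consing)
        self.apply_memo = {}

    def mk(self, var, low, high):
        """Create a node, applying the ROBDD reduction rules."""
        if low == high:                   # rule 1: a redundant test is dropped
            return low
        key = (var, low, high)
        if key not in self.unique:        # rule 2: isomorphic subgraphs are shared
            nid = len(self.nodes)
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def _index(self, u):
        """Position in the order; terminals sit below every variable."""
        return self.n if u in (0, 1) else self.order[self.nodes[u][0]]

    def apply(self, op, u, v):
        """Combine two diagrams with a binary Boolean operator (Shannon expansion on the top variable)."""
        key = (op, u, v)
        if key in self.apply_memo:
            return self.apply_memo[key]
        if u in (0, 1) and v in (0, 1):
            r = int(bool(op(u, v)))
        else:
            i = min(self._index(u), self._index(v))
            top = self.nodes[u][0] if self._index(u) == i else self.nodes[v][0]
            ul, uh = self.nodes[u][1:] if self._index(u) == i else (u, u)
            vl, vh = self.nodes[v][1:] if self._index(v) == i else (v, v)
            r = self.mk(top, self.apply(op, ul, vl), self.apply(op, uh, vh))
        self.apply_memo[key] = r
        return r

    def and_(self, u, v): return self.apply(operator.and_, u, v)
    def or_(self, u, v):  return self.apply(operator.or_, u, v)
    def xor(self, u, v):  return self.apply(operator.xor, u, v)
    def not_(self, u):    return self.xor(u, 1)

    def evaluate(self, u, assignment):
        """Linear in the number of variables: follow a single path to a terminal."""
        while u not in (0, 1):
            var, low, high = self.nodes[u]
            u = high if assignment[var] else low
        return u

    def sat_count(self, u):
        """Number of satisfying assignments over all variables, linear in the diagram size."""
        memo = {0: 0, 1: 1}

        def count(w):
            if w not in memo:
                _, low, high = self.nodes[w]
                memo[w] = (2 ** (self._index(low) - self._index(w) - 1) * count(low)
                           + 2 ** (self._index(high) - self._index(w) - 1) * count(high))
            return memo[w]

        return 2 ** self._index(u) * count(u)


def canonicity_demo():
    """Constructed check: (a & b) | (~a & b) must be the very same node as b."""
    bdd = ROBDD(["a", "b", "c"])
    a, b = bdd.var("a"), bdd.var("b")
    f = bdd.or_(bdd.and_(a, b), bdd.and_(bdd.not_(a), b))
    return bdd, f == b, bdd.sat_count(f), bdd.sat_count(bdd.and_(a, b))


if __name__ == "__main__":
    bdd, same, count_f, count_ab = canonicity_demo()
    print("same node as b:", same, "| #sat(f):", count_f, "| #sat(a&b):", count_ab,
          "| nodes allocated:", len(bdd.nodes) - 2)
```

Equivalence of two functions is therefore a pointer comparison once both are built over the same `ROBDD` instance, which is the property the SAT-based methods below lack and have to recover with extra work.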

In this thesis, we intend to use Multiway Decision Graphs (MDGs), a new class of decision graph. MDGs were proposed as a solution to the state space explosion problem [21]. In the MDG based model checking approach, data signals are denoted by abstract variables, and data operators are represented by uninterpreted function symbols. As a result, a verification based on abstract implicit state enumeration can be carried out independently of datapath width, substantially lessening the state explosion problem. Table 1.2 shows the abstraction level of MDGs corresponding to traditional methods.

Table 1.2: Raising the Abstraction Level

Conventional Method             Multiway Decision Graphs
ROBDD [14]                      MDGs [21]
Finite State Machine (FSM)      Abstract State Machine (ASM)
Implicit state enumeration      Abstract state implicit enumeration of ASM
CTL based model-checking        Based on first-order abstract CTL*

SAT Based Methods

An alternative to decision graphs is to represent the transition relation in CNF and use Satisfiability Checking (SAT) [26, 81], which has several properties that make it attractive compared to BDDs. SAT solvers can decide satisfiability of very large Boolean formulae in reasonable time, but they are not canonical and require additional effort to check for equivalence of formulas. As a result, various researchers have developed routines for performing Bounded Model Checking (BMC) [3, 11, 30] using SAT. The common theme is to convert the problem of interest into a SAT problem, by devising the appropriate propositional Boolean formula, and to utilize other non-canonical representations of state sets. However, they all exploit the known ability of SAT solvers to find a single satisfying solution when it exists. Moreover, SAT solver technology has improved significantly in recent years, with a number of sophisticated packages now available. Well known state-of-the-art SAT solvers include CHAFF [59], GRASP [52] and SATO [89]. Since state sets can be represented as Boolean formulae, and since most model checking techniques manipulate state sets, SAT solvers have enormously boosted their speed and applicability.

1.2 Related Work

Model checking is automatic while theorem proving is not. On the other hand, theorem proving can handle complex systems while model checking cannot. Today, there exist a number of tools integrating theorem proving and model checking. The motivation is to achieve the benefits of both tools and to make the verification simpler and more effective. In this section, we explore two approaches to linking proof systems to external automated verification tools. The approaches can be divided into two kinds:

1. Hybrid approach: adding a layer of deduction theorems and rules on top of a decision diagram tool, i.e. combining theorem provers with another powerful model checking tool.

2. Deep embedding approach: adding decision diagram algorithms to theorem provers.

We first review the work most related to each approach and then contrast them according to their efficiency, complexity and feasibility.

1.2.1 Hybrid Approach

The hybrid approach implements a tool linking model checking and theorem proving. During the verification procedure, the user deals mainly with the theorem proving tool. Verification using the hybrid approach proceeds as shown in Figure 1.1. The user starts by providing the theorem prover with the design (specification or implementation), the property and the goal to be proven. If the goal fits the required pattern, the theorem proving tool generates the required model checking files (sub-goals). The latter are sent to the model checking tool for verification. If the property holds, a theorem is created (Make-Theorem). Otherwise, the proof is performed interactively.

[Figure 1.1 (diagram): the theorem prover passes sub-goals and the property through an interface to the model checker; a True result is turned into a theorem (Make-Theorem), otherwise a counterexample is returned.]

Figure 1.1: Theorem Proving and Model Checking Interface

The linkage between both tools is carried out using scripting languages (translators), so that small subgoals generated by the theorem prover from a large system can be verified automatically. The disadvantage of this approach lies in achieving an efficient and correct translation from the theorem prover logic to the model checker and back from the model checker to the theorem prover (importing the result or returning a counterexample). Successful combinations of this kind have been achieved in [46, 48, 57, 75, 78].

Rajan et al. [74, 75] described an approach where a BDD-based model checker for the propositional μ-calculus has been used as a decision procedure within the framework of PVS. An extension of the μ-calculus, which consists of Quantified Boolean Formulae (QBF), is defined using PVS higher-order logic. The temporal operators are then defined using the μ-calculus. These temporal operators apply to arbitrary state spaces. In the case where the state type is constructed in a hereditarily finite manner, μ-calculus expressions are translated into input acceptable by a μ-calculus model checker. This model checker can then be used as a decision procedure to prove certain subgoals. The model checker accepts the translated input from the μ-calculus expression. The generated subgoals are verified by the model checker and the results are used in the proof process of PVS.

Schneider et al. [46] used higher order hardware formulae to express safety and liveness properties hierarchically. They proposed an approach of invoking model checking within HOL where properties are translated from HOL to temporal logic. A new class of higher-order formulae was presented, which allows a unified description of hardware structure and behavior at different levels of abstraction. Datapath oriented verification goals involving abstract data types can be expressed by these formulae, as well as control dominated verification goals with irregular structure. To ease the proofs of the goals in HOL, a translation procedure was presented which converts the goals into several Computation Tree Logic (CTL) model checking problems, which are then solved outside HOL.

Schneider and Hoffmann [78] linked the SMV model checker to HOL using PROSPER. It provides an open proof architecture for the integration of different verification tools in a uniform higher-order logic environment. They embedded linear time temporal logic (LTL) in HOL and translated LTL formulae into ω-automata, a form that can be reasoned about within SMV. The translation is completely implemented by means of HOL rules. HOL terms are exported to SMV through the PROSPER plug-in interface. On successful model checking, the results are returned to HOL and turned into theorems. This integration tool allows SMV to be used as a HOL decision procedure. The deep embedding of the SMV specification language in HOL allows LTL specifications to be manipulated in HOL.

In [67], Pisini and Tahar proposed a hybrid approach for formal hardware verification which uses the strengths of the HOL theorem prover and the advantages of the automated tool MDG, which supports equivalence and model checking. They developed a linkage tool between HOL and MDG which uses the specification and implementation of a circuit written in HOL to automatically generate all required MDG files. The implementation of the methodology is achieved by building a linkage tool in Moscow ML to translate from HOL to MDG. It then calls the MDG equivalence checking procedure and reports the MDG verification results back to HOL.

The MDG-HOL system [48] is a hybrid system which links the HOL interactive proof system and the MDG automated hardware verification system. It supports a hierarchical verification approach and fits the use of MDG verification naturally within the HOL framework for compositional hierarchical verification. The HOL system is used to manage the proof. The MDG system is called to verify the submodules of a design. When the MDG-HOL system is used to verify a design, the design is modeled as a hierarchy with modules divided into submodules.

An extension of the above work was presented in [57] to link HOL and the MDG model checker. They described a hybrid tool that links the HOL theorem prover and the MDG model checker. For this purpose, they developed an interface which reads a HOL goal, generates the required MDG files, calls the MDG model checker, and generates the HOL theorem on successful verification. The interface between the two tools is implemented in ML.

1.2.2 Deep Embedding Approach

In this approach, the emphasis is on establishing a secure platform for new verification algorithms. The performance penalty is compensated by the secure infrastructure. The approach implements model checking inside a theorem proving tool. As shown in Figure 1.2, the design and the property are fed to the model checker to check whether the property holds and, if so, to create a theorem. Otherwise, the proof cannot be performed.

    Figure 1.2: Embedding Model Checking inside Theorem Proving Tool

The result of the model checker is correct by construction, since both the theory and the implementation are proved correct in the theorem prover. Thus a high assurance of soundness is guaranteed, because more of the work is backed up by mechanized fully-expansive proof. The price for the extra proof and flexibility is increased development effort. This approach differs from the hybrid approach in the way the verification is performed. In fact, we do not use an external checking tool; instead we deeply embed the model checker algorithms inside the theorem prover. Thus the criteria of correctness by construction, efficiency, flexibility and expressiveness can be met. Successful works have been achieved in [7, 34, 35, 37, 44, 56].

The "deep embedding" approach [69] introduces the model checker syntax as a new higher order logic type and then defines the operations and algorithms based on this syntax within the theorem prover. This contrasts with a "shallow embedding", where the syntax is not formally represented in the logic, only in the meta-language. In general, a deep embedding allows one to reason about the language itself rather than just about the semantics of programs in the language.

We consider two categories of related work: the first regarding the embedding of model checking algorithms in theorem provers, the second regarding correctness proofs of model checker algorithms.

Embedding of Model Checking Algorithms in Theorem Provers

Model checkers [54] are usually built on top of BDDs [13], or some other set of efficiently implemented algorithms for representing and manipulating Boolean formulae. The closest work in approach to our own is that of Joyce and Seger [79], Gordon [34, 35] and later Amjad [7].

The Voss system [79], an implementation of Symbolic Trajectory Evaluation (STE), was written in a lazy functional language (FL). In [44] Voss was interfaced to HOL and verification using a combination of deduction and STE was demonstrated. The HOL-Voss system integrates HOL88 deduction with BDD computations. The BDD tools are programmed in FL as a built-in data type. The assertion language of Voss was formalized in HOL, and a HOL tactic, which can make external calls to the Voss system, checks whether an assertion is true. The proved assertion was then returned as a HOL theorem. The early experiments with HOL-Voss suggested that a lighter theorem prover component was sufficient, since all that was needed was a way to combine results obtained from STE. A system based on this idea, called Voss-ThmTac, was later developed by Aagaard et al. [2]; it combines the ThmTac theorem prover with the Voss system. The development of HOL-Voss then evolved into a new system called Forte [1]. More recently, with industrial take-up at Intel, Forte [55] has become one of the most mature formal verification environments based on tool integration.

Gordon integrated the BDD-based verification system BuDDy (a BDD package implemented in C) into HOL by implementing BDD-based verification algorithms inside HOL; the embedding is built on top of the provided primitives. The aim of using BuDDy is to get near the performance of a C-based model checker, whilst remaining fully expansive, though with a radically extended set of inference rules [35].

In [37], Harrison implemented BDDs inside the HOL system without making use of an external oracle. The BDD algorithms were used by a tautology checker. However, the performance was about a thousand times slower than with a BDD engine implemented in C. Harrison argued that by re-implementing some of HOL's primitive rules, the performance could be improved by around ten times.

Amjad [7] demonstrated how BDD-based symbolic model checking algorithms for the propositional μ-calculus (Lμ) can be embedded in the HOL theorem prover. This approach allows results returned from the model checker to be treated as theorems in HOL. By representing primitive BDD operations as inference rules added to the core of the theorem prover, the execution of a model checker for a given property is modeled as a formal derivation tree rooted at the required property. These inference rules are hooked to a high performance BDD engine [35] which is external to the theorem prover. Thus, the HOL logic is extended with these extra primitives. Empirical evidence suggests that the efficiency loss in this approach is within reasonable bounds. The approach still leaves results reliant on the soundness of the underlying BDD tools. A high assurance of soundness is obtained at the expense of some efficiency. Thus the security of the theorem prover is compromised only to the extent that the BDD engine or the BDD inference rules may be unsound.

Our work deals with embedding MDGs [21] rather than BDDs. In fact, while BDDs are widely used in state-exploration methods, they can only represent Boolean formulae. By contrast, MDGs represent a subset of first-order terms, allowing the abstract representation of data and hence raising the level of abstraction. Another major difference is that the work above implements the related inference rules for BDD operators in the core of HOL as plugged-in code, whereas we implement the MDG operations inside HOL itself.

Mhamdi and Tahar [56] follow a similar approach to the BuDDy work [35]. The work builds on the MDG-HOL [48] project, but uses a tightly integrated system with the MDG primitives written in ML rather than two tools communicating as in the MDG-HOL system. In their work, the syntax is partially embedded and the conditions for well-formedness must be respected by the user. By contrast, we provide a complete embedding of the MDG syntax, and the conditions can be checked automatically in HOL.

Correctness Proof of Model Checking Algorithms

Verification of BDD algorithms has been a subject of active research using different proof assistants such as HOL, PVS, Coq, and ACL2 [23, 36, 42, 47]. A common goal of these papers is to extend the prover with a certified BDD package to enhance the BDD performance while still inside a formal proof system. Moreover, there is a general consensus in the formal verification community that correctness proofs should be checked, partly or wholly, by computers. Some efforts have been made to verify model checkers and theorem provers.

In [71], the authors successfully carried out the verification task of the RAVEN model checker. RAVEN is a real-time model checker which uses time-extended finite state machines (interval structures) to represent the system and a timed version of CTL (CCTL) to describe its properties. The specification and the correctness proof were carried out using the interactive specification and verification system KIV.

In [62], the author showed how a certifying model checker can be constructed. The idea is that a model checker can produce a deductive proof on either success or failure. The proof acts as a certificate of the result, since it can be checked independently. A certifying model checker thus provides a bridge from the model-theoretic to the proof-theoretic approach to verification. The author developed a deductive proof system for verifying branching time properties expressed in the μ-calculus, and showed it to be sound and relatively complete. Then, proof generation in this system from a model checking run is presented. This is done by storing and analyzing the sets of states that are generated by the fixpoint computations performed during model checking.

Krstic and Matthews [50] provided a technique for proving the correctness of high performance BDD packages. In their work, they adopted an abstraction method called monadic interpretation for verifying an abstraction of the BDD programs with the primitives specified axiomatically. The method is suitable for higher order logic theorem provers such as Isabelle/HOL. The monadic interpreter translates source programs of input type A and output type B into functions of type A => M B in the target functional language, where the type constructor M is a suitable monad that encapsulates the notion of computation used by the source language to describe BDD programs. At this level, they modeled the BDD programs as functions in higher order logic in the style of monadic interpreters. Then the correctness proof was carried out on the BDD abstract model.

Wright [86] described an embedding of higher order proof theory within the logic of the HOL theorem proving system. Types, terms and inferences were represented as new types in the logic of the HOL system, and notions of proof and provability were defined. Using this formalization, it was possible to reason about the correctness of derived inference rules and about the relations between different notions of proofs: a Boolean term is provable if and only if there exists a proof for it. The formalization is also intended to make it possible to reason about programs that handle proofs as their data (e.g., a proof checker).

Harrison [38] answered a question concerning the correctness of the theorem prover itself. The author verified formally that the abstract HOL logic is correct and that the OCaml code does correctly implement this logic. The verification is conducted with respect to a set-theoretic semantics within HOL Light itself.

The authors in [85] implemented and proved the correctness of BDD algorithms using Coq. One of their goals was to extract a certified algorithm manipulating BDDs in Caml (the implementation language of Coq). BDDs were represented as DAGs, and maps were used to model the state of the memory in which all the BDDs are stored. The authors used reflection to prove a given property P applied to some term t, where the program is described and proved in Coq. This means writing a program π that takes t as input and returns true exactly when P(t) holds. Then, to show that π is correct with respect to P, they needed to be sure that whenever π(t) returns true, P(t) holds, and this is done inside the Coq proof assistant itself (i.e. the proof of P has been replaced by the computation of π, and the system reflects this by accepting meta-level computation as an actual proof).

Another approach to proving program correctness uses Hoare logic, as described by Ortner and Schirmer [64]. The principle of this logic is to annotate the program with pre- and post-conditions and to observe the changes made by each statement of the program. Ortner and Schirmer modeled the graph structure of the BDD as a kind of heap and presented the verification of BDD normalization. They follow the original algorithm presented by Bryant in [13]: transforming an ordered BDD into a reduced, ordered and shared BDD. The work is based on Schirmer's research on the Verification Condition Generator (VCG) to generate the proof obligations for Hoare logic. The proofs are carried out in the theorem prover Isabelle/HOL.

Haiyan et al. [87] formally verified the linkage between a simplified version of the MDG tool and the HOL theorem prover. The verification is based on importing MDG results as HOL theorems. Then, they combined translator correctness theorems with the linkage theorems in order to allow low level MDG verification results to be imported into HOL in terms of the semantics of MDG-HDL. The work was concerned with ways of increasing trust in the linked systems.

Our work follows the verification of a Boolean manipulation package, but using MDGs instead. We provide a complete mechanized formalization of the MDG logic and its well-formedness conditions as DFs in HOL. Based on this infrastructure we formalize the basic MDG operations in HOL following a deep embedding approach and prove their correctness. Our work focuses more on how one can raise the level of assurance by embedding those operators and formally proving their correctness in HOL, so as to use them as an infrastructure for an MDG model checker.

1.3 Proposed Methodology

The intention of our research is to provide a secure platform that combines an automatic high level MDG model checking tool with the HOL theorem prover. While related work has tackled the same problem by representing primitive Binary Decision Diagram (BDD) operations [13] as inference rules added to the core of the theorem prover [35], we have based our approach on Multiway Decision Graphs (MDGs) [21]. MDGs generalize ROBDDs to represent and manipulate a subset of first-order logic formulae, which is more suitable for defining model checking inside a theorem prover. With MDGs, a data value is represented by a single variable of an abstract type and operations on data are represented in terms of uninterpreted functions. Considering MDGs instead of BDDs raises the abstraction level of what can be verified using state exploration within a theorem prover. Furthermore, an MDG structure in HOL allows better proof automation for systems with larger datapaths.

In this thesis, we provide the entire necessary infrastructure (data structure + algorithms) to define a high level state exploration in the HOL theorem prover, named the MDG-HOL platform.

[Figure 1.3 (diagram): MDG -> The MDG Syntax: Directed Formulae & Well-formedness Conditions -> MDG Operations: Conjunction, RelP, Disjunction, PbyS -> Correctness Proof for each operation -> MDG Reachability Analysis]

Figure 1.3: Overview of the Embedding Methodology in HOL

Firstly, as shown in Figure 1.3, we define the MDG structure inside the HOL theorem prover to be able to construct and manipulate MDGs as formulae in HOL. This step implies a formal logic representation for the MDG syntax. This representation is based on Directed Formulae (DF): an alternative view of MDGs in terms of logic and set theory [6]. Secondly, a HOL tactic is defined to check that any directed formula satisfies the well-formedness conditions. This step is important to guarantee the canonical representation of the MDG as a DF. Then, each MDG operation is defined and a correctness proof is derived within HOL.

Based on this platform, the MDG reachability analysis is defined in HOL as a conversion that uses the MDG theory within HOL. Then, we demonstrate the effectiveness of our platform by considering four case studies. Our results show that this verification framework offers a considerable gain in terms of automation without sacrificing CPU time and memory usage compared to automatic model checking tools.

Finally, we propose a reduction technique to improve MDG model checking based on the MDG-HOL platform. The idea is to prune the transition relation of the circuits using pre-proved theorems and lemmas from the specification given at system level. We also use the consistency of the specifications to verify whether the reduced model is faithful to the original one. We provide two case studies: the first is the reduction using SAT-MDG of an Island Tunnel Controller, and the second is the MDG-HOL assume-guarantee reduction of the Look-Aside Interface. The performance penalty in the case of SAT-MDG reduction verification is acceptable compared with commercial model checking tools. In the case of assume-guarantee in MDG-HOL, the reduction strategy results are still satisfactory in terms of heuristics and the correctness of the reduction techniques; however, a small penalty is paid in terms of time and memory.


1.4 Thesis Contributions

The objective of our research is to explore a way of increasing the degree of trust in the MDG system by embedding the MDG system in HOL. In light of the above related work review, proposed methodology, and discussions, we believe the contributions of the thesis can be specified as follows:

We have provided a secure platform (data structure + algorithms) of the MDG system in HOL. This step consists of the following phases:

1. Embedding of the MDG formal logic underlying the abstract state machines in HOL.

2. Defining the notion of well-formed HOL terms. These terms can be represented canonically by MDGs.

3. Embedding the MDG algorithms (conjunction, relational product (RelP), disjunction, and pruning by subsumption (PbyS)) following the deep embedding approach. We also have two kinds of theorems: one regarding the correctness proof of each MDG operation, and the other for the preservation of well-formedness by the operation results.

The MDG-based reachability analysis is then defined in HOL as a conversion that uses the MDG-HOL platform, and a fixpoint theorem is then proven for some particular circuits.

We have evaluated the performance of the MDG-HOL platform using a set of benchmarks to ensure the applicability of our approach.

We have proposed a reduction methodology to improve MDG model checking as well as to verify the soundness of model checking reduction techniques.

We have provided two case studies: the first is the reduction using the SAT-MDG technique of the Island Tunnel Controller (ITC), and the second is the MDG-HOL assume-guarantee reduction technique of the Look-Aside Interface (LA-1).

In summary, we have created a new formal theory for MDGs (data structure + operations) inside the HOL theorem prover, which provides us with several theoretical advantages without too high a performance penalty. We used this theory, or platform, to verify the soundness of model checking reduction techniques. We thus hope that this work will be of interest to the research community and also be of use to industrial practitioners.

1.5 Thesis Organization

The rest of the thesis is organized as follows:

In Chapter 2, we review the basics of the HOL theorem prover. We also introduce the basic concepts of Multiway Decision Graphs (MDGs).

Chapter 3 presents the formal logic underlying MDGs as well as the well-formedness conditions and their embedding inside HOL.

In Chapter 4, we formalize the basic MDG operations and prove the correctness of each operation.

In Chapter 5, we show the formalization of the MDG reachability analysis and the proposed conversion for proving a fixpoint. We also consider four case studies to measure the performance of the MDG-HOL platform.

Chapter 6 considers the applications and case studies for the proposed reduction techniques.

Chapter 7 concludes the thesis and indicates future work.

Chapter 2

Preliminaries

In this chapter, we give a brief description of the HOL theorem prover as well as of the Multiway Decision Graphs (MDGs) system. The intent is to familiarize the reader with the main concepts and notations that are used in the rest of the thesis. Section 2.1 starts with a basic description of higher-order logic concepts. Then, we describe the syntax and semantics of the particular logical system supported by HOL notation, as well as the proof methods supported by the HOL theorem prover.

Section 2.2 describes the underlying formal logic of MDGs, the MDG structure, the Abstract State Machine (ASM), the MDG tool and the MDG model checker.

2.1 The HOL Theorem Prover

The HOL system is an LCF [33] (Logic of Computable Functions) style proof system. Originally intended for hardware verification, HOL uses higher-order logic to model and verify a variety of applications in different areas, serving as a general purpose proof system. We cite for example: reasoning about security, verification of fault-tolerant computers, compiler verification, program refinement calculus, software and algorithm verification, modeling, and automata theory.

HOL provides a wide range of proof commands, including rewriting tools and decision procedures. The system is user-programmable, which allows proof tools to be developed for specific applications without compromising reliability [36].

The set of types, type operators, constants, and axioms available in HOL are organized in the form of theories. Many theories, arranged in a hierarchy, have been added to axiomatize lists, products, sums, numbers, primitive recursion, and arithmetic. On top of these, users are allowed to introduce application-dependent theories by adding relevant types, constants, axioms, and definitions.

The HOL system supports higher order logic with three main features: variables can range over functions and predicates; the logic is typed; and there is no separate syntactic category of formulae.

The HOL syntax contains syntactic categories of types and terms whose elements are intended to denote, respectively, certain sets and elements of sets. The types of the HOL logic are expressions that denote sets (in the universe U). There are four kinds of types in the HOL logic. Type variables stand for arbitrary sets in the universe; they are part of the meta-language and are used to range over object language types. Atomic types denote fixed sets in the universe. For example, the standard atomic type bool denotes the distinguished two-element set 2. Compound types have the form (

The terms of the HOL logic are expressions that denote elements of the sets denoted by types. There are four kinds of terms in the HOL logic. Variables are sequences of letters or digits beginning with a letter. Constants have the same syntax as variables, but stand for fixed values. Function applications or combinations have the general form t1(t2), where t1 is called the operator and t2 the operand. The result of such a function application can itself be a function. Lambda terms (λ-terms) or abstractions denote functions. Such a term has the form λx.t (where t is a term) and denotes the function f defined by f(x) = t. The syntax and semantics of the particular logical system supported by HOL notation used in this thesis is summarized in Table 2.1. Note that the cons infix operator (::) is used to represent an enumerated list (hd :: tl) and the antiquotation ^t is used to instantiate the value of the term t, as shown at the bottom of the table.

Table 2.1: Terms of the HOL Logic

Kind of term      | HOL notation          | Standard notation | Description
------------------|-----------------------|-------------------|-----------------------------
Truth             | T                     | ⊤                 | true
Falsity           | F                     | ⊥                 | false
Negation          | ~t                    | ¬t                | not t
Disjunction       | t1 \/ t2              | t1 ∨ t2           | t1 or t2
Conjunction       | t1 /\ t2              | t1 ∧ t2           | t1 and t2
Implication       | t1 ==> t2             | t1 ⇒ t2           | t1 implies t2
Equality          | t1 = t2               | t1 = t2           | t1 equal t2
∀-quantification  | !x.t                  | ∀x.t              | for all x: t
∃-quantification  | ?x.t                  | ∃x.t              | for some x: t
ε-term            | @x.t                  | εx.t              | an x such that: t
Conditional       | if t then t1 else t2  | (t → t1, t2)      | if t then t1 else t2
List type         | h::t                  | [h;t]             | [hd;tl]
Antiquotation     | ^t                    | t                 | evaluates to the ML value of t


    The basic interface to the system is a Standard Meta Language (SML) interpreter. SML [65] is both the implementation language of the system and the meta-language in which proofs are written. The HOL system supports two main proof methods: forward and backward proof, in a natural-deduction style calculus.

    In forward proof, the steps of a proof are carried out by applying inference rules chosen by the user, and HOL checks that each step is safe. All derived inference rules are built on top of a small number of primitive inference rules. This approach has some limitations, since it is hard to know where to start the proof and, for large proofs, to determine which sequence of rules to apply. The results are strong, however, and the user can have great confidence in them, since only the primitive rules are ultimately used to prove a theorem.

    In backward proof, the user sets the desired theorem as a goal. Small SML programs called tactics and tacticals are applied to break the goal into a list of subgoals. Tactics and tacticals are applied repeatedly to the subgoals until they can be discharged. In practice, forward proof is often used within backward proof to convert each goal's assumptions into a suitable form.

    Theorems in the HOL system are represented by values of the ML abstract type thm. There is no way to construct a theorem except by carrying out a proof based on the primitive inference rules and axioms. The HOL system has many built-in inference rules, but ultimately all theorems are proved in terms of the axioms and the basic inferences of the calculus. Once a theorem is proved, it can be used in further proofs without recomputing its own proof. In this way, the ML type system protects the HOL logic from arbitrary construction of theorems, so that every computed value of the type representing theorems is in fact a theorem. The user can therefore have a great deal of confidence in the results of the system.
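    The LCF discipline described above, as an added example that is not part of the thesis or of the HOL system: a miniature kernel for implicational propositional logic in Python. SML enforces the abstract type thm statically; Python has no abstract types, so this example emulates the guard with a private capability token that only the primitive rules ASSUME, DISCH and MP hold, and builds the derived rules IMP_REFL and IMP_TRANS on top of them as forward proofs. The toy object logic, the token mechanism and all function names are the example's own choices.

```python
"""Added example (not from the thesis or HOL): an LCF-style kernel in Python.

HOL's guarantee is that a value of type `thm` can only be produced by the
primitive inference rules.  SML's abstract types enforce that statically;
here the same discipline is emulated dynamically with a private token that
only the kernel functions hold.  The object logic is a toy: propositional
variables and implication only.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple, Union

# Terms: a proposition name, or an implication ('==>', antecedent, consequent).
Term = Union[str, Tuple[str, "Term", "Term"]]


def imp(a: Term, b: Term) -> Term:
    return ("==>", a, b)


def show(t: Term) -> str:
    return t if isinstance(t, str) else f"({show(t[1])} ==> {show(t[2])})"


_KERNEL = object()  # capability token: held only by the primitive rules below


@dataclass(frozen=True)
class Thm:
    """A sequent  hyps |- concl.  Only the primitive rules may construct one."""
    hyps: FrozenSet[Term]
    concl: Term
    _token: object = field(default=None, repr=False, compare=False)

    def __post_init__(self) -> None:
        if self._token is not _KERNEL:
            raise PermissionError("theorems can only be built by inference rules")

    def __str__(self) -> str:
        hyps = ", ".join(sorted(map(show, self.hyps)))
        return f"{{{hyps}}} |- {show(self.concl)}"


# --- primitive rules (the trusted kernel) ---------------------------------

def ASSUME(t: Term) -> Thm:
    """t |- t"""
    return Thm(frozenset([t]), t, _KERNEL)


def DISCH(t: Term, th: Thm) -> Thm:
    """From  G |- c  infer  G - {t} |- t ==> c."""
    return Thm(th.hyps - {t}, imp(t, th.concl), _KERNEL)


def MP(th_imp: Thm, th_ant: Thm) -> Thm:
    """From  G1 |- a ==> b  and  G2 |- a  infer  G1 u G2 |- b."""
    c = th_imp.concl
    if not (isinstance(c, tuple) and c[0] == "==>" and c[1] == th_ant.concl):
        raise ValueError("MP: antecedent does not match")
    return Thm(th_imp.hyps | th_ant.hyps, c[2], _KERNEL)


# --- derived rules: forward proofs built only from the primitives ----------

def IMP_REFL(a: Term) -> Thm:
    """|- a ==> a"""
    return DISCH(a, ASSUME(a))


def IMP_TRANS(th1: Thm, th2: Thm) -> Thm:
    """From  G1 |- a ==> b  and  G2 |- b ==> c  infer  G1 u G2 |- a ==> c."""
    if not (isinstance(th1.concl, tuple) and th1.concl[0] == "==>"):
        raise ValueError("IMP_TRANS: first theorem is not an implication")
    a = th1.concl[1]
    step = MP(th2, MP(th1, ASSUME(a)))  # G1 u G2 u {a} |- c
    return DISCH(a, step)               # G1 u G2 |- a ==> c


def forging_rejected() -> bool:
    """Constructing |- p directly, bypassing the rules, must fail."""
    try:
        Thm(frozenset(), "p", None)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(IMP_REFL("p"))
    print(IMP_TRANS(ASSUME(imp("p", "q")), ASSUME(imp("q", "r"))))
    print("forgery rejected:", forging_rejected())
```

    The point to take from the block is the one the thesis makes about thm: every derived rule, however convenient, bottoms out in the three primitives, so the trusted part of the system is only the kernel and the guard on Thm. IMP_TRANS is a forward proof in exactly this sense, and the attempted direct construction in forging_rejected is what the type system rules out in SML.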


    Applications of the HOL system can be found in hardware verification, reasoning about security, verification of fault-tolerant computers, and reasoning about real-time systems. It is also used in compiler verification, program refinement calculi, software and algorithm verification, modeling, and automata theory.

    HOL also has a rudimentary library facility which enables theories to be shared. This provides a file structure and documentation format for self-contained HOL developments. Many basic reasoners are provided as libraries, such as mesonLib, bossLib, and simpLib. These libraries integrate rewriting, conversions and decision procedures to free the user from performing low-level proof.

    2.2 Multiway Decision Graphs

    2.2.1 Formal Logic

    The formal logic underlying MDGs is many-sorted First Order Logic (FOL). The vocabulary consists of sorts, constants, variables, and function symbols (or operators). Constants and variables have sorts. An n-ary function symbol (n > 0) has a type $\alpha_1 \times \alpha_2 \times \cdots \times \alpha_n \to \alpha_{n+1}$, where $\alpha_1, \ldots, \alpha_{n+1}$ are sorts. Two kinds of sorts are distinguished, concrete and abstract:

    Concrete sort: is equipped with a finite enumeration, a list of individual constants. Concrete sorts are used to represent control signals.

    Abstract sort: has no enumeration available. A signal of an abstract sort represents a data signal.

    The enumeration of a concrete sort α is a set of distinct constants of sort α. We refer to constants occurring in enumerations as individual constants, and to other constants as generic constants. An individual constant can appear in the enumeration of more than one sort α, and is said to be of sort α for each of them. Variables and generic constants, on the other hand, have unique sorts.

    The terms and their types (sorts) are defined inductively as follows: a constant or a variable of sort α is a term of type α; and if f is a function symbol of type $\alpha_1 \times \cdots \times \alpha_n \to \alpha_{n+1}$, where $n \ge 1$, and $A_1, \ldots, A_n$ are terms of types $\alpha_1, \ldots, \alpha_n$, then $f(A_1, \ldots, A_n)$ is a term of type $\alpha_{n+1}$. A term consisting of a single occurrence of an individual constant has multiple types (the sorts of the constant), but every other term has a unique type.

    We say that a term, variable or constant is concrete (resp. abstract) to indicate that it is of concrete (resp. abstract) sort. A term is concretely reduced iff it is one of: (i) an individual constant; (ii) an abstract generic constant; (iii) an abstract variable; or (iv) a term of the form $f(A_1, \ldots, A_n)$ where f is an abstract function symbol and $A_1, \ldots, A_n$ are concretely reduced terms. Thus, the concretely reduced terms are those that have no concrete subterms other than individual constants. A term of the form $f(A_1, \ldots, A_n)$ where f is a cross-operator (a function symbol whose result sort is concrete while at least one argument sort is abstract) and $A_1, \ldots, A_n$ are concretely reduced terms is called a cross-term. An equation is an expression $A_1 = A_2$ where $A_1$ and $A_2$ are terms of the same type α. Atomic formulae are the equations, plus T (truth) and F (falsity). Formulae are built from the atomic formulae in the usual way using logical connectives and quantifiers.

    An interpretation is a mapping ψ that assigns a denotation to each sort, constant and function symbol such that:

    1. The denotation ψ(α) of an abstract sort α is a non-empty set.

    2. If α is a concrete sort with enumeration $a_1, a_2, \ldots, a_n$ then $\psi(\alpha) = \{\psi(a_1), \psi(a_2), \ldots, \psi(a_n)\}$ and $\psi(a_i) \ne \psi(a_j)$ for $1 \le i < j \le n$.

    3. If c is a generic constant of sort α, then $\psi(c) \in \psi(\alpha)$. If f is a function symbol of type $\alpha_1 \times \alpha_2 \times \cdots \times \alpha_n \to \alpha_{n+1}$ then ψ(f) is a function from the cartesian product $\psi(\alpha_1) \times \cdots \times \psi(\alpha_n)$ into the set $\psi(\alpha_{n+1})$.

    Let X be a set of variables. A variable assignment with domain X compatible with an interpretation ψ is a function


    2.2.3 Structure

    MDGs are a graph representation of a class of quantifier-free and negation-free many-sorted first-order formulae. This class subsumes Bryant's ROBDDs [13] while accommodating abstract data and uninterpreted function symbols. An MDG can be seen as a Directed Acyclic Graph (DAG) with one root, whose leaves are labeled by the formula T (true) [21], such that:

    1. Every leaf node is labeled by the formula T, except if the graph G has a single node, which may be labeled T or F.

    2. The internal nodes are labeled by terms, and the edges issuing from an internal node v are labeled by terms of the same sort as the label of v.

    A graph G can then be viewed as representing a formula defined inductively as follows: (i) if G consists of a single leaf node labeled by a formula P, then G represents P; (ii) if G has a root node labeled A with edges labeled $B_1, \ldots, B_n$ leading to subgraphs $G_1, \ldots, G_n$, and if each $G_i$ represents a formula $P_i$, then G represents the formula $\bigvee_{1 \le i \le n} \big((A = B_i) \wedge P_i\big)$.


    Figure 2.1: Example of Multiway Decision Graphs Structure

    MDGs represent and manipulate a certain subset of first-order formulae, which we call Directed Formulae (DFs). DFs can represent the transition and output relations of a state machine, as well as the set of possible initial states and the sets of states that arise during reachability analysis.

    The MDG operations and verification procedures are packaged as a tool and implemented in Prolog [20]. The basic MDG operations are the following:

    Conjunction Operation: performs the conjunction of two DFs that have no abstract variables in common.

    Relational Product Operation (RelP): performs conjunction followed by existential quantification on two DFs. It is used for image computation.

    Disjunction Operation: performs the disjunction of two DFs having the same set of abstract primary variables.

    Pruning by Subsumption Operation (PbyS): approximates the logical difference between two sets represented as DFs, by removing from one DF the paths that are subsumed by the other.


    2.2.4 The MDG Tool

    The MDG tool [90] provides facilities for invariant checking, verification of combinational circuits, sequential verification, equivalence checking of two state machines, and model checking.

    The input language of the MDG tool is a Prolog-style hardware description language called MDG-HDL [21], which supports structural specification, behavioral specification, or a mixture of both. A structural specification is usually a netlist of components connected by signals, and a behavioral specification is given by a tabular representation of the transition/output relations or by a truth table.

    [Figure 2.2 (block diagram): the inputs Property Specification, Algebraic Specification, Variables Order, Behavioral Model and Structural Model feed MDG Construction, which drives Model Checking, Equivalence Checking and Invariant Checking; the output is Yes/No (Counterexample).]

    Figure 2.2: The Structure of the MDG Tool

    As shown in Figure 2.2, in order to verify a design with the tool, we first need to specify it in MDG-HDL (design specification and design implementation). Moreover, an algebraic specification is to be given to declare the sorts, function types, and generic constants that are used in the MDG-HDL description. Rewrite rules needed to interpret function symbols should be provided here as well. As for ROBDDs, a symbol order according to which the MDG is built can be provided by the user. This symbol order can critically affect the size of the generated MDG. Otherwise, MDG can use an automatic dynamic ordering.

    2.2.5 MDGs Model Checking

    MDGs model checking is based on abstract implicit state enumeration. The circuit to be verified is expressed as an Abstract State Machine (ASM) and the properties to be verified are expressed by formulae in CMDG [88]. The ASM describes the digital system under verification at a higher level of abstraction.

    CMDG atomic formulae are the Boolean constants (True and False), or equations of the form (t1 = t2), where t1 is an ASM variable (input, output or state variable) and t2 is either an ASM system variable, an individual constant, an ordinary variable, or a function of ordinary variables. Ordinary variables are defined to memorize the values of the system variables in the current state. The basic formulas (called Next_let-formulas), in which only the temporal operator X (next time) is used, are defined as follows [6]:

    Each atomic formula is a Next_let-formula; if p, q are Next_let-formulas, then so are: !p (not p), p & q (p and q), p | q (p or q), p -> q (p implies q), Xp (next-time p) and LET (v = t) IN p, where t is a system variable and v an ordinary variable.

    Using the temporal operators AG (always), AF (eventually) and AU (until), the supported CMDG properties are defined by the following BNF grammar:

    Property ::= A(Next_let-formula)
               | AG(Next_let-formula)
               | AF(Next_let-formula)
               | A((Next_let-formula) U (Next_let-formula))
               | AG((Next_let-formula) => F(Next_let-formula))
               | AG((Next_let-formula) => ((Next_let-formula) U (Next_let-formula)))

    Model checking in the MDGs system is carried out by automatically building an additional circuit that represents the Next_let-formulas appearing in the property to be verified, composing it with the original circuit, and then checking a simpler property on the composite machine [88].


    Chapter 3

    Formalization of MDG Syntax

    In this chapter, we describe the way we represent the transition relation, moving from the graph representation to Directed Formulae (DF). Then, we justify the embedding of DFs and of the well-formedness conditions in HOL. Finally, we provide an example to illustrate our embedding.

    3.1 Transition Relation: Graph or Formula

    Different approaches have been used to formalize transition relations, either as terms and formulae or as Directed Acyclic Graphs (DAGs). The former is a formal logic representation using data type definitions [7, 35], while the latter is a graphical representation using trees and graphs [64, 85].

    In the graphical approach, the graph is represented as a data structure in the theorem prover. This representation should reflect the abstract properties of graphs and should be flexible enough to suit different domains and the many applications that model complex designs. Several examples can be cited: modeling communication networks (a railway track network [8]); also, in the transport industry, the problems of finding the most economical route for delivering goods and of maximizing network capacity can be solved using graphs.

    Chou [15] gradually formalized a considerable amount of graph theory in the HOL theorem prover. The theory of undirected graphs is formalized in HOL with notions such as the empty graph, single-node graphs, finite graphs, subgraphs, paths, reachability, acyclicity, trees, subtrees, and the merging of disjoint subgraphs of a graph. Based on this formalization, the correctness of distributed algorithms is verified in HOL [16].

    Ridge [72] mechanized some results concerning graphs and trees. His formalization is very close to that found in [15]. The edges are sets of vertices in the case of Ridge, while [15] takes edges as atomic objects and uses an incidence relation to describe when an edge connects two vertices. The main objective of the work is to be able to handle infinite graphs and trees.

    Modeling a decision diagram as a decision tree or graph is motivated by reducing the memory space and computation time needed to build a BDD, by eliminating redundancy from the canonical representation as described in [64, 85]. The main difficulties are caused by data structure sharing and by the side-effects that result from the computation. The algorithms usually mark the processed nodes or store the results calculated for a subtree or subgraph in a hash table to avoid recalculation. The definition of such a mechanism is quite complex for automatic reasoning. The advantage, of course, is that there is little work in this area, and so probably much scope for research.

    On the other hand, modeling transition relations as terms and formulae is smoother for proofs, especially those based on induction. Also, in applications like model checking, one deals with several terms, and any efficient implementation must define sharing. The work presented in [7, 35, 37, 44] is an example of the logical approach.

    The choice between the two approaches depends on the objectives. If we want to reason about the implementation itself and its correctness, then it is better to define transition relations as graphs and to share common subtrees. Clearly this makes the development and the proofs complex. On the other hand, if we are only interested in a high-level view of the algorithms, then a logical representation is preferred. This is why we choose the logical representation in terms of Directed Formulae (DF) to model the MDG syntax in HOL.

    3.2 Embedding Directed Formulae in HOL

    Let F be a set of function symbols and V a set of variables. We denote the set of terms freely generated from F and V by T(F, V). The syntax of a Directed Formula is given by the grammar below [88]. An underline (written here as a trailing underscore, e.g. S_) is used to differentiate the concrete symbols from the abstract ones.


    Sort                S    ::= Sabs | S_
    Abstract Sort       Sabs ::= a | b | ...
    Concrete Sort       S_   ::= a_ | b_ | ...
    Generic Constant    C    ::= c | d | ...
    Concrete Constant   C_   ::= c_ | d_ | ...
    Variable            X    ::= V | V_
    Abstract Variable   V    ::= x | y | ...
    Concrete Variable   V_   ::= x_ | y_ | ...
    Directed Formula    DF   ::= Disj | T | F
    Disj                     ::= Conj | Conj ∨ Disj
    Conj                     ::= Eq | Eq ∧ Conj
    Eq                       ::= A = C_    (A ∈ T(F, V))
                               | V = A     (A ∈ T(F, X))

    The vocabulary consists of generic constants, concrete constants (individuals), abstract variables, concrete variables and function symbols. DFs are always disjunctions of conjunctions of equations, or T (true), or F (false). A conjunction Conj is defined to be either a single equation Eq or a conjunction of at least two equations. Atomic formulae are the equations, generated by the clause Eq. An equation can be an equality of a concrete term and an individual constant, an equality of a concrete variable and an individual constant, or an equality of an abstract variable and an abstract term.

    DFs are used for two purposes: to represent sets (viz. sets of states as well as sets of input vectors and output vectors) and to represent relations (viz. the transition and output relations).

    In order to illustrate the MDG, we consider the following example DF of type {u1, u2} → {v1, v2}, where u1 and v1 are variables of a concrete sort bool with enumeration {0, 1}, u2 and v2 are variables of an abstract sort α, g is an abstract function symbol of type α → α, and f is a cross-operator of type α → bool. The figure below shows the MDG representing this example as well as its corresponding DF formula.

    [Figure: the MDG for the example DF, rooted at the cross-term f(u2) with edges 0 and 1.]

    $((f(u_2) = 0) \wedge (v_2 = u_2)) \;\vee\; ((f(u_2) = 1) \wedge (u_1 = 0) \wedge (v_1 = 0) \wedge (v_2 = g(u_2))) \;\vee\; ((f(u_2) = 1) \wedge (u_1 = 1) \wedge (v_1 = 1) \wedge (v_2 = g(u_2)))$
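    The inductive reading of an MDG as a formula from Section 2.2.3, applied to the example above, as an added Python example that is not part of the thesis or of the MDG tool. A node is encoded as (label, [(edge label, child), ...]) and the leaf as the string "T"; mdg_to_df enumerates the paths of the graph into a disjunction of conjunctions, and well_structured checks condition 2 (every edge leaving a node carries a term of the sort of the node's label) against a sort table. The encoding, the function names and the SORT_OF table are this example's own assumptions; the graph itself is the thesis's example, with the two v2 = g(u2) subgraphs shared as they would be in a DAG.

```python
"""Added example (not from the thesis or the MDG tool): the DF represented by
an MDG, computed by the inductive definition of Section 2.2.3.  A node is
encoded as (label, [(edge_label, child), ...]) and a leaf as the string "T";
the encoding, the function names and the SORT_OF table are this example's own."""
from typing import Dict, List, Tuple, Union

Eq = Tuple[str, str]            # (lhs, rhs) as term strings
Conj = List[Eq]
DF = List[Conj]                 # disjunction of conjunctions (one conjunct per path)
Node = Union[str, Tuple[str, List[Tuple[str, "Node"]]]]

LEAF_T, LEAF_F = "T", "F"


def mdg_to_df(g: Node) -> DF:
    """Formula represented by g:
    (i)  a single leaf labelled P represents P;
    (ii) a root A with edges B_1..B_n to G_1..G_n represents OR_i ((A = B_i) AND P_i)."""
    if isinstance(g, str):
        return [[]] if g == LEAF_T else []   # T = empty conjunction, F = empty disjunction
    label, edges = g
    return [[(label, b)] + conj for b, child in edges for conj in mdg_to_df(child)]


def well_structured(g: Node, sort_of: Dict[str, str]) -> bool:
    """Conditions 1 and 2 of Section 2.2.3: every leaf is T (a lone F is only
    allowed as the whole graph) and every edge leaving a node carries a term of
    the same sort as the node's label."""
    if g == LEAF_F:
        return True

    def ok(n: Node) -> bool:
        if isinstance(n, str):
            return n == LEAF_T
        label, edges = n
        return bool(edges) and all(sort_of[label] == sort_of[b] and ok(c) for b, c in edges)

    return ok(g)


def fmt(df: DF) -> str:
    """Print a DNF in the thesis's notation."""
    if not df:
        return "F"
    return " \\/ ".join(
        "(" + " /\\ ".join(f"({l} = {r})" for l, r in conj) + ")" if conj else "T"
        for conj in df)


# The thesis example: u1, v1 of concrete sort bool; u2, v2 of abstract sort alpha;
# g an abstract function alpha -> alpha; f a cross-operator alpha -> bool.
SORT_OF = {"u1": "bool", "v1": "bool", "0": "bool", "1": "bool",
           "u2": "alpha", "v2": "alpha", "g(u2)": "alpha", "f(u2)": "bool"}
V2_G = ("v2", [("g(u2)", LEAF_T)])            # shared subgraph, as in a DAG
EXAMPLE_MDG: Node = ("f(u2)", [
    ("0", ("v2", [("u2", LEAF_T)])),
    ("1", ("u1", [("0", ("v1", [("0", V2_G)])),
                  ("1", ("v1", [("1", V2_G)]))])),
])

if __name__ == "__main__":
    print("well structured:", well_structured(EXAMPLE_MDG, SORT_OF))
    print(fmt(mdg_to_df(EXAMPLE_MDG)))
```

    Running the block prints the three-disjunct formula shown above; each disjunct is one root-to-leaf path, which is exactly the correspondence the DF grammar of Section 3.2 relies on.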

    Using a HOL recursive data type, the MDG sorts are embedded using two constructors called Abst_Sort and Conc_Sort. This is declared in HOL as follows:

        Sort ::= Abst_Sort of 'alpha | Conc_Sort of string -> string list

    Abst_Sort takes as argument an abstract sort name of type 'alpha (which means that the sort is actually abstract and hence can represent any HOL type). For example, if wordn is an abstract sort, then it is defined in HOL as:

        ⊢def wordn = Abst_Sort "wordn"

    Conc_Sort takes a concrete sort name and its enumeration, of type string list, as input arguments. For example, if bool is a concrete sort with ["0";"1"] as enumeration, then it is defined in HOL as:

        ⊢def bool = Conc_Sort "bool" ["0";"1"]

    To determine whether a sort is concrete or abstract, we define predicates over the constructors called Is_Abst_Sort and Is_Conc_Sort.


    We have defined a data type D_F. A DF can be True or False or a disjunction of conjunctions of equations. Equations are defined as an equality of a Left Hand Side (LHS) and a Right Hand Side (RHS) based on the DF grammar given earlier, and fall into one of the following cases:

    LHS is a concrete variable = RHS is an individual constant

    LHS is an abstract variable = RHS is an abstract function, an abstract variable or a generic constant

    LHS is a cross-function = RHS is an individual constant

    We then define the type of a directed formula:

        D_F      ::= DF1 of 'alpha DF | TRUE | FALSE
        DF       ::= DISJ of 'alpha MDG_Conj -> 'alpha DF | CONJ1 of 'alpha MDG_Conj
        MDG_Conj ::= Eqn of 'alpha Eqn | CONJ of 'alpha Eqn -> 'alpha MDG_Conj
        Eqn      ::= EQUAL1 of 'alpha Conc_Var -> 'alpha Ind_Cons
                   | EQUAL2 of 'alpha Abst_Var -> 'alpha Abst_Fun
                   | EQUAL3 of 'alpha Cross_Fun -> ('alpha Abst_Var) list -> 'alpha Ind_Cons
                   | EQUAL4 of 'alpha Abst_Var -> 'alpha Abst_Var
                   | EQUAL5 of 'alpha Abst_Var -> 'alpha Gen_Cons

    DF1, DISJ, CONJ1, Eqn, and CONJ are distinct constructors, and the constructors EQUAL1, EQUAL2, EQUAL3, EQUAL4, and EQUAL5 are used to define an atomic equation. The type definition package returns a theorem which characterizes the type D_F and allows reasoning about this type. Note that the type is polymorphic, in the sense that a variable could be represented by a string, an integer, or any user-defined type; in our case we have used the string type.

    Internally, the DF is implemented as a list to simplify the checking of the well-formedness conditions and the embedding of the MDG operations. However, this representation is completely transparent to the user of the embedded MDG operations later on. It is then sufficient


    to input the DF as a formula, and the transformations (proved correct) are done automatically. The DF representation as a list has the following format:

        [ [[lhs11; rhs11]; ...; [lhs1n; rhs1n]]  ;  ...  ;  [[lhsm1; rhsm1]; ...; [lhsmn; rhsmn]] ]
          \____________ disjunct 1 ____________/             \____________ disjunct m ____________/

    where a DF is given as:

    $DF = (eq_{11} \wedge eq_{12} \wedge \cdots \wedge eq_{1n}) \vee (eq_{21} \wedge eq_{22} \wedge \cdots \wedge eq_{2n}) \vee \cdots \vee (eq_{m1} \wedge eq_{m2} \wedge \cdots \wedge eq_{mn})$

    and each $eq_{ij}$ is the equation $lhs_{ij} = rhs_{ij}$. We extract the list from the DF using the STRIP_DF_list function:

        ⊢def (STRIP_DF_list (DF1 (CONJ1 (CONJ E M))) =
                 [(both_side_eq E)] :: STRIP_DF_list (DF1 (CONJ1 M))) ∧
             (STRIP_DF_list (DF1 (DISJ (Eqn E) D)) =
                 [(both_side_eq E)] :: STRIP_DF_list (DF1 D)) ∧
             (STRIP_DF_list TRUE = [[["TRUE"]]]) ∧
             (STRIP_DF_list FALSE = [[["FALSE"]]]) ∧
             (STRIP_DF_list (DF1 a) = STRIP_DISJ_list a)

    The STRIP_DISJ_list function is used to extract each disjunct and store it in a list, while the STRIP_CONJ_list function extracts both sides of each equation and stores them in the inner sublist. Similarly, the STRIP_Fun function extracts the arguments of abstract and cross functions and stores them in a list. The HOL definitions of the mapping functions and of the well-formedness conditions are included in Appendix A. This mapping simplifies our implementation and enables us to automate the MDG operations by using the infrastructure of the predefined List theory in HOL, inheriting all of its definitions and theorems.

    Conversely, we defined a STRIP_INV_DF function (Appendix A) to map lists back to DF format. We proved that our mapping from any well-formed DF to the list format and from lists back to DFs is correct, as shown by the following theorem:


    Theorem 3.2.1 (DF Mapping Correctness)

    ⊢ ∀df. Is_Well_Formed_DF df ⟹ (STRIP_INV_DF (STRIP_DF_list df) = df)

    PROOF: The proof is conducted by structural induction on df. □

    3.3 Well-formedness Conditions

    MDGs provide an efficient representation for a class of well-formed first-order formulas defined over well-typed equations. A well-typed equation is an expression $A_1 = A_2$, where $A_1$ and $A_2$ are terms of the same sort. Given two disjoint sets of variables U and V, a Directed Formula of type U → V is a formula in Disjunctive Normal Form (DNF). Just as an ROBDD must be reduced and ordered, a DF must obey the set of well-formedness conditions given in [21], namely:

    1. Each disjunct is a conjunction of equations of the form:
       A = a, where A is a term of concrete sort α containing no variables other than elements of U, and a is an individual constant in the enumeration of α, or
       u = a, where u ∈ (U ∪ V) is a variable of concrete sort α and a is an individual constant in the enumeration of α, or
       v = A, where v ∈ V is a variable of abstract sort α and A is a term of type α containing no variables other than elements of U;

    2. In each disjunct, the LHSs of the equations are pairwise distinct; and

    3. Every abstract variable v ∈ V appears as the LHS of an equation v = A in each of the disjuncts. (Note that there is no need for an equation v = a for every concrete variable v ∈ V.)
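    The list encoding of Section 3.2, the STRIP_DF_list / STRIP_INV_DF mapping of Theorem 3.2.1, and the three conditions above, as an added Python example that is not the thesis's HOL code. The D_F datatype is flattened to TRUE | FALSE | DF1(tuple of disjuncts), each disjunct being a tuple of Eqn records; terms are kept as strings whose variables are recovered with a regular expression, and the sort of each variable and term is supplied in a dictionary rather than carried by the datatype. These simplifications and the names strip_df_list, strip_inv_df and is_well_formed_df are the example's own choices. The round trip is checked on the thesis's {u1, u2} → {v1, v2} example, and the checker is exercised on a violation of each condition.

```python
"""Added example (not the thesis's HOL code): the list encoding of a DF, the
STRIP_DF_list / STRIP_INV_DF mapping of Theorem 3.2.1 and the well-formedness
conditions of Section 3.3, in Python.  Simplifications that are this example's
own: D_F is TRUE | FALSE | DF1(disjuncts), a disjunct is a tuple of Eqn records,
terms are plain strings, and the sort of each variable and term is supplied in
a dictionary instead of being carried by the datatype."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Eqn:
    lhs: str  # variable, or a cross-term such as "f(u2)"
    rhs: str  # individual constant, or an abstract term such as "g(u2)"


@dataclass(frozen=True)
class DF1:
    disjuncts: Tuple[Tuple[Eqn, ...], ...]  # each disjunct is a non-empty conjunction


TRUE, FALSE = "TRUE", "FALSE"
DF = Union[str, DF1]
DFList = List[List[List[str]]]  # [[[lhs, rhs], ...], ...], one inner list per disjunct


def strip_df_list(df: DF) -> DFList:
    """STRIP_DF_list: DF -> list format; TRUE and FALSE become marker lists."""
    if df == TRUE or df == FALSE:
        return [[[df]]]
    return [[[e.lhs, e.rhs] for e in conj] for conj in df.disjuncts]


def strip_inv_df(lst: DFList) -> DF:
    """STRIP_INV_DF: list format -> DF (inverse of strip_df_list)."""
    if lst == [[[TRUE]]] or lst == [[[FALSE]]]:
        return lst[0][0][0]
    return DF1(tuple(tuple(Eqn(l, r) for l, r in conj) for conj in lst))


IDENT = re.compile(r"[A-Za-z_]\w*")


def variables_in(term: str, all_vars: Set[str]) -> Set[str]:
    """Variables occurring in a term given as a string (function names drop out)."""
    return {tok for tok in IDENT.findall(term) if tok in all_vars}


def is_well_formed_df(df: DF, U: Set[str], V: Set[str],
                      sort_of: Dict[str, str], enum: Dict[str, Set[str]]) -> bool:
    """Conditions 1-3 of Section 3.3 for a DF of type U -> V.

    sort_of maps every variable and term to a sort name; enum maps each
    concrete sort to its individual constants (abstract sorts have no entry)."""
    if df == TRUE or df == FALSE:
        return True
    if not U.isdisjoint(V) or not df.disjuncts:
        return False
    all_vars = U | V
    abstract_V = {v for v in V if sort_of[v] not in enum}
    for conj in df.disjuncts:
        lhss = [e.lhs for e in conj]
        if not lhss or len(set(lhss)) != len(lhss):      # condition 2: distinct LHSs
            return False
        if not abstract_V <= set(lhss):                   # condition 3: every abstract v in V
            return False
        for e in conj:                                    # condition 1: the three equation shapes
            s = sort_of.get(e.lhs)
            if s is None:
                return False
            if e.lhs in all_vars and s in enum:                    # u = a
                ok = e.rhs in enum[s]
            elif e.lhs in V and s not in enum:                     # v = A
                ok = sort_of.get(e.rhs) == s and variables_in(e.rhs, all_vars) <= U
            elif e.lhs not in all_vars and s in enum:              # A = a  (A is a cross-term)
                ok = variables_in(e.lhs, all_vars) <= U and e.rhs in enum[s]
            else:
                ok = False
            if not ok:
                return False
    return True


# The thesis example of type {u1, u2} -> {v1, v2}
U, V = {"u1", "u2"}, {"v1", "v2"}
SORT_OF = {"u1": "bool", "v1": "bool", "u2": "alpha", "v2": "alpha",
           "f(u2)": "bool", "g(u2)": "alpha"}
ENUM = {"bool": {"0", "1"}}
EXAMPLE = DF1((
    (Eqn("f(u2)", "0"), Eqn("v2", "u2")),
    (Eqn("f(u2)", "1"), Eqn("u1", "0"), Eqn("v1", "0"), Eqn("v2", "g(u2)")),
    (Eqn("f(u2)", "1"), Eqn("u1", "1"), Eqn("v1", "1"), Eqn("v2", "g(u2)")),
))

if __name__ == "__main__":
    print(strip_df_list(EXAMPLE))
    print("well formed:", is_well_formed_df(EXAMPLE, U, V, SORT_OF, ENUM))
    print("round trip ok:", strip_inv_df(strip_df_list(EXAMPLE)) == EXAMPLE)
```

    The round-trip equality is the executable counterpart of Theorem 3.2.1 for this one DF; the HOL theorem covers every well-formed DF by structural induction, which no finite set of test cases can replace.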


    Intuitively, in a DF of type U → V, the U variables play the role of independent variables (secondary variables), the V variables play the role of dependent variables (primary variables), and the disjuncts enumerate the possible cases. In each disjunct, the equations of the form u = a and A = a specify a case in terms of the U variables, while the other equations specify the values of (some of the) V variables in that case. The cases need not be mutually exclu