Extending ACL2 with SMT solvers
Yan Peng & Mark Greenstreet, University of British Columbia, October 2nd, 2015
Smtlink handles tedious details of proofs so you can focus on the interesting parts.
(Outline: Motivation; Integration architecture; Customizing Smtlink; Summary and Future work)
1 / 24

Contents

1. Motivation: AMS verification; Examples; Motivation
2. Integration architecture: Architecture; Interesting issues; Soundness
3. Customizing Smtlink: Customization interface; Our digital PLL proof example
4. Summary and Future work
The digital Phase-Locked Loop example [CNA10]

[Figure: block diagram of the digital PLL: a coarse frequency control path (code 0:23, Σ accumulator, DAC, bits 0:14 discarded), a bang-bang frequency control path (BBPFD, code 0:7), a linear PFD for phase control (up/dn, Φ_ref vs Φ_DCO), the DCO with inputs v and c, and a ÷N divider feeding Φ_DCO/N back for comparison with F_ref.]

A PLL is a feedback control system that, given an input reference clock f_ref, outputs a clock at a frequency f_DCO that is N times the input clock frequency and aligned in phase with the reference. Analog/Mixed-Signal (AMS) designs are composed of both analog and digital circuits.
Modelling the digital PLL

The digital PLL is naturally modelled using non-linear recurrences that update the state variables on each rising edge of φ_ref:

$c(i+1) = \mathrm{next}_c(c(i), v(i), \phi(i))$
$v(i+1) = \mathrm{next}_v(c(i), v(i), \phi(i))$
$\phi(i+1) = \mathrm{next}_\phi(c(i), v(i), \phi(i))$

Three state variables: capacitance setting c (digital), supply voltage v (linear), phase correction φ (time difference of digital transitions).
In more detail:

$c(i+1) = \mathrm{saturate}(c(i) + g_c\,\mathrm{sgn}(\phi(i)),\ c_{\min},\ c_{\max})$
$v(i+1) = \mathrm{saturate}(v(i) + g_v\,(c_{\mathrm{center}} - c(i)),\ v_{\min},\ v_{\max})$
$\phi(i+1) = \mathrm{wrap}(\phi(i) + (f_{\mathrm{dco}}(c(i), v(i)) - f_{\mathrm{ref}}) - g_\phi\,\phi(i))$

where

$f_{\mathrm{dco}}(c, v) = \dfrac{1 + \alpha v}{1 + \beta c}\, f_0$
$\mathrm{saturate}(x, lo, hi) = \min(\max(x, lo), hi)$
$\mathrm{wrap}(\phi) = \mathrm{wrap}(\phi + 1)$ if $\phi \le -1$; $\ \mathrm{wrap}(\phi) = \phi$ if $-1 < \phi < 1$; $\ \mathrm{wrap}(\phi) = \mathrm{wrap}(\phi - 1)$ if $1 \le \phi$.

This turns out to be a relatively large system of non-linear arithmetic formulas.
Convergence

[Figure: trajectory in the (c, φ) plane, with c (quantized) on the horizontal axis from −5 to 10 and φ (continuous) on the vertical axis from −0.015 to 0.01, spiralling in toward the origin.]

Requires reasoning about sequences of states. We want to show that each crossing of φ = 0 is closer to the origin than the previous one.
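As an added example (not from the slides or their ACL2 sources), the PLL recurrence above written out in Python over exact rationals, with a helper that collects c at each sign change of φ, which is the sequence the convergence argument reasons about. The gains, limits, α, β, f_0 and f_ref values are constructed; sgn is the ordinary sign function.

```python
# Added example, not from the slides' ACL2 sources: the digital PLL recurrence
# in Python. The gains, limits and alpha/beta/f0/f_ref values are constructed.
from fractions import Fraction as Q   # exact rationals, like ACL2's rationalp

P = dict(g_c=1, g_v=Q(1, 100), g_phi=Q(1, 10), c_min=-16, c_max=15, c_center=0,
         v_min=Q(-1), v_max=Q(1), alpha=Q(1, 10), beta=Q(1, 100), f0=Q(1), f_ref=Q(1))

def sgn(x):
    return (x > 0) - (x < 0)

def saturate(x, lo, hi):
    return min(max(x, lo), hi)

def wrap(phi):
    """Fold the phase into (-1, 1): one unit is one reference period."""
    while phi <= -1:
        phi += 1
    while phi >= 1:
        phi -= 1
    return phi

def f_dco(c, v, p=P):
    return (1 + p["alpha"] * v) / (1 + p["beta"] * c) * p["f0"]

def step(c, v, phi, p=P):
    """One rising edge of phi_ref: (c(i), v(i), phi(i)) -> (c(i+1), v(i+1), phi(i+1))."""
    c1 = saturate(c + p["g_c"] * sgn(phi), p["c_min"], p["c_max"])
    v1 = saturate(v + p["g_v"] * (p["c_center"] - c), p["v_min"], p["v_max"])
    phi1 = wrap(phi + (f_dco(c, v, p) - p["f_ref"]) - p["g_phi"] * phi)
    return c1, v1, phi1

def zero_crossings(c, v, phi, n, p=P):
    """c at each sign change of phi along an n-step trajectory: the sequence the
    convergence argument wants to see moving toward the origin."""
    out = []
    for _ in range(n):
        c1, v1, phi1 = step(c, v, phi, p)
        if sgn(phi) * sgn(phi1) < 0:
            out.append(c1)
        c, v, phi = c1, v1, phi1
    return out
```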
Example: polynomial inequalities

Do you sometimes find it frustrating to prove a theorem like this?

[Figure: the hypotheses' region and the conclusion's boundary plotted in the (x, y) plane, with a zoom on x ∈ [1, 1.15].]

```lisp
(defthm poly-ineq-example-a
  (implies (and (rationalp x) (rationalp y)
                (<= (+ (* 4/5 x x) (* y y)) 1)
                (<= (- (* x x) (* y y)) 1))
           (<= y (- (* 3 (- x 17/8) (- x 17/8)) 3))))
```
Example: higher order polynomial inequalities

Maybe this? With a higher order term?

[Figure: the hypotheses' region and the conclusion's boundary plotted in the (x, y) plane, with a zoom on x ∈ [1, 1.25].]

```lisp
(defthm poly-ineq-example-b
  (implies (and (rationalp x) (rationalp y)
                (<= (+ (* 2/3 x x) (* y y)) 1)
                (<= (- (* x x) (* y y)) 1))
           (<= y (+ 2 (- (* 4/9 x)) (- (* x x x x))
                    (* 5 1/4 x x x x x x)))))
```
Example: exponential functions

Or even this one with exponential functions?

[Figure: surface plots of the function over x, y ∈ [−1, 1], for z = 0.5, n = 3, m = 2 (left) and z = 0.5, n = 20, m = 15 (right).]

```lisp
(defun ||x^2+y^2||^2 (x y)
  (+ (* x x) (* y y)))

(defthm poly-of-expt-example
  (implies (and (rationalp x) (rationalp y) (rationalp z)
                (integerp m) (integerp n)
                (< 0 z) (< z 1) (< 0 m) (< m n))
           (<= (* 2 (expt z n) x y)
               (* (expt z m) (||x^2+y^2||^2 x y)))))
```
Motivation

1. Motivation: provide better proof capabilities for AMS and other physical systems.
2. ACL2 provides extensive support for induction proofs and for structuring large, complicated proofs.
3. Z3 has automatic procedures for solving arithmetic formulas, but no direct support for induction. We need to avoid "too much information": it is important to give Z3 only the relevant facts to keep the problems tractable.
Starting with a clause processor

[Figure: the original clause G enters the clause processor, which passes G to the SMT solver and returns the clause $C_1 \wedge C_2 \wedge \dots \wedge C_n \Rightarrow G$ to ACL2.]

ACL2 offers verified clause processors and trusted clause processors. We use a trusted clause processor for the integration. We use the clauses $C_1, C_2, \dots, C_n$ to get ACL2 to check many of the steps of our translation.
Two-step translation architecture

[Figure: data flow of the two translation steps. Step 1 (ACL2, lisp): the original clause G is expanded and simplified into an expanded clause G′ together with auxiliary clauses $A_1, A_2, \dots, A_m$. Step 2 (python, smt-py): the expanded clause is translated into an SMT clause, acl2SMT asserts Not(clause), and Z3 returns sat, unsat or unknown. If the answer is unsat, the expanded clause is proven and the clause processor returns $A_1 \wedge A_2 \wedge \dots \wedge A_m \wedge (G' \Rightarrow G)$ for ACL2 to check; otherwise it returns false.]

First translation step: clause transformation. Second translation step: transliteration.
Extract type predicates

[Figure: the clause processor splits the original clause G into the type hypotheses T and the remaining goal $G_T$; $G_T$ goes to the SMT solver and the clause $C_1$ is returned to ACL2.]

$C_1 = (T \vee G) \wedge ((T \Rightarrow G_T) \Rightarrow G)$

ACL2 is untyped while Z3 is typed. It is common for users to include type recognizers in the hypotheses. We currently translate rationalp in ACL2 into reals in Z3.

For the expt example, G is

```lisp
(implies (and (rationalp x) (rationalp y) (rationalp z)
              (integerp m) (integerp n)
              (< 0 z) (< z 1) (< 0 m) (< m n))
         (<= (* 2 (expt z n) x y)
             (* (expt z m) (||x^2+y^2||^2 x y))))
```

the extracted type predicate T is

```lisp
(and (rationalp x) (rationalp y) (rationalp z)
     (integerp m) (integerp n))
```

and the remaining goal $G_T$ is

```lisp
(implies (and (< 0 z) (< z 1) (< 0 m) (< m n))
         (<= (* 2 (expt z n) x y)
             (* (expt z m) (||x^2+y^2||^2 x y))))
```
Expand functions

[Figure: after extracting type predicates, the clause processor expands the functions in $G_T$ into $G_F$, sends $G_F$ to the SMT solver, and returns $C_1 \wedge C_2$ to ACL2.]

$C_2 = (T_{func} \vee G) \wedge (G_F \Rightarrow G)$

Functions are expanded into primitive functions. Recursive functions are expanded to a user-specified level and then replaced with a variable of the appropriate type. Uninterpreted functions stay the same.

For the expt example, the function type clause $T_{func}$ is `(rationalp (||x^2+y^2||^2 x y))`, and the function expansion rewrites `(||x^2+y^2||^2 x y)` into `((lambda (VAR1 VAR2) (+ (* VAR1 VAR1) (* VAR2 VAR2))) x y)`.
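As an added example (not Smtlink's own code), a toy Python model of the two transformations on these slides, extract type predicates and expand functions, run over the expt theorem as an s-expression. The tiny reader, the DEFUNS definition table and the VAR1/VAR2 renaming are my assumptions about how the clauses are represented.

```python
# Added example, not Smtlink's code: a toy model of the two clause transformations above.
import re

TYPE_RECOGNIZERS = {"rationalp", "integerp"}   # the recognizers the slides mention
# Constructed definition table holding the slides' one user-defined function.
DEFUNS = {"||x^2+y^2||^2": (["x", "y"], ["+", ["*", "x", "x"], ["*", "y", "y"]])}

def parse(src):  # minimal s-expression reader: symbols -> str, forms -> list
    tokens = re.findall(r"[()]|[^\s()]+", src)
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        out, i = [], i + 1
        while tokens[i] != ")":
            item, i = read(i)
            out.append(item)
        return out, i + 1
    return read(0)[0]

def unparse(e):
    return e if isinstance(e, str) else "(" + " ".join(map(unparse, e)) + ")"

def extract_type_predicates(goal):
    """G = (implies (and hyps...) concl) -> T, G_T and C1 = (T or G) and ((T => G_T) => G)."""
    hyps, concl = goal[1][1:], goal[2]
    t = ["and"] + [h for h in hyps if h[0] in TYPE_RECOGNIZERS]
    g_t = ["implies", ["and"] + [h for h in hyps if h[0] not in TYPE_RECOGNIZERS], concl]
    return t, g_t, ["and", ["or", t, goal], ["implies", ["implies", t, g_t], goal]]

def user_call(e):
    return isinstance(e, list) and isinstance(e[0], str) and e[0] in DEFUNS

def expand_functions(e):
    """Each DEFUNS call -> lambda application with formals renamed VAR1, VAR2, ... (one level)."""
    if not user_call(e):
        return e if isinstance(e, str) else [expand_functions(x) for x in e]
    params, body = DEFUNS[e[0]]
    fresh = {p: "VAR%d" % (i + 1) for i, p in enumerate(params)}
    def rename(x):
        return fresh.get(x, x) if isinstance(x, str) else [rename(y) for y in x]
    return [["lambda", list(fresh.values()), rename(body)]] + [expand_functions(a) for a in e[1:]]

def function_type_clauses(e, acc=None):  # T_func: one (rationalp (f ...)) per user call
    acc = [] if acc is None else acc
    if isinstance(e, list):
        if user_call(e):
            acc.append(["rationalp", e])
        for x in e:
            function_type_clauses(x, acc)
    return acc
```

Calling extract_type_predicates(parse(...)) on the expt theorem reproduces the T and G_T shown above, function_type_clauses yields T_func, and expand_functions yields the lambda application.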
Revisit the expt proof

Let's take a look at the expt theorem again:

```lisp
(defun ||x^2+y^2||^2 (x y)
  (+ (* x x) (* y y)))

(defthm poly-of-expt-example
  (implies (and (rationalp x) (rationalp y) (rationalp z)
                (integerp m) (integerp n)
                (< 0 z) (< z 1) (< 0 m) (< m n))
           (<= (* 2 (expt z n) x y)
               (* (expt z m) (||x^2+y^2||^2 x y)))))
```

The reason this is a theorem is:

$0 < z < 1$ and $0 < m < n \Rightarrow 0 < z^n < z^m$
$2xy \le x^2 + y^2$