Smtlink 2.0 (slides). Yan Peng and Mark R. Greenstreet, Department of Computer Science, University of British Columbia. ACL2 Workshop 2018.


  1. Smtlink 2.0. Yan Peng and Mark R. Greenstreet, Department of Computer Science, University of British Columbia. November 6th 2018. Footer: Peng & Greenstreet (UBC), Smtlink 2.0, ACL2 Workshop 2018, 1 / 21.

  2. Outline: 1. Why Smtlink 2.0? 2. A Simple Ring Oscillator Example 3. The New Architecture 4. Exciting Future Work

  3. Smtlink 1.0. [Figure: block diagram of the digitally controlled PLL from the Smtlink 1.0 work: coarse frequency control with a DAC, bang-bang PFD (BBPFD) frequency control, linear PFD phase control, the DCO and a ÷N divider in the feedback path; control code range c_min, c_center, c_max and voltage range v_min, v_lo, v_c, v_hi, v_max.] 1. Achievement: Smtlink's support for linear and non-linear arithmetic over integers and rationals helped form the DPLL global convergence proof. 2. Limitation: Smtlink came to be thought of as only useful for problems involving non-linear arithmetic. 3. But Smtlink should be more than that.

  4. What's New in Smtlink 2.0. 1. An extensible architecture. [Figure: the new pipeline: the original clause G goes to the process-hint clause-processor, then through a chain of verified clause-processors driven by computed hints, and finally to the trusted clause-processor, which calls the SMT solver on G_SMT; the SMT precondition subgoals are returned to ACL2 as ordinary subgoals.]

  5. What's New in Smtlink 2.0. 1. An extensible architecture. 2. Richer support for datatypes: Booleans, Symbols, Integers, Reals (ACL2(r)), Rationals, and selected FTY types: Lists, Product types, Alists, Option types.

  6. What's New in Smtlink 2.0. 1. An extensible architecture. 2. Richer support for datatypes. 3. Better user interface: follows the define convention and the :hints convention:

      :hints (("Goal"
               :smtlink
               (:functions ((foo :formals ((x real/rationalp))
                                 :returns ((rx real/rationalp))
                                 :level 0))
                :hypotheses (((<= 1 (foo x))
                              :hints (:use ((:instance foo->=-1 (x x)))))))))

  7. What's New in Smtlink 2.0. 1. An extensible architecture. 2. Richer support for datatypes. 3. Better user interface: follows the define convention and the :hints convention. 4. Now supports both Python 2 and Python 3. [Cartoon: Python 3 versus Python 2, captioned "Calm down, Peace&Love, Smtlink has a solution".]

  8. Outline (section 2): 1. Why Smtlink 2.0? 2. A Simple Ring Oscillator Example 3. The New Architecture 4. Exciting Future Work

  9. The Simple Ring Oscillator Example. [Figure: three inverters inv1, inv2, inv3 in a ring with nodes n1, n2, n3; the output Q_Freq is tapped from the ring.] 1. A ring oscillator is an oscillator circuit consisting of an odd number of inverters in a ring. 2. A 3-stage ring oscillator consists of three inverters. 3. The one-safe property: Theorem (One-Safe). Starting from a state where there is exactly one inverter ready-to-fire, for all future states, the ring oscillator will stay in a state where there is only one inverter ready-to-fire.

  10. (Animation frame of slide 9) [Figure: the ring with node values L, H, L: exactly one inverter is ready-to-fire.]

  11. (Animation frame of slide 9) [Figure: the ring with node values H, H, L, after that inverter has fired: again exactly one inverter is ready-to-fire.]

  12. Modeling the Ring Oscillator. [Figure: a trace of states S1, S2, ..., Sn, each an alist such as ((n1 . T) (n2 . F) ...), with step(S1, S2) constraining each consecutive pair.] 1. We model circuits using trace recognizers (based on [Dil87]). 1.1. A state is an alist mapping signal paths to their state values. 1.2. A stepping function constrains the possible next state and allows nondeterministic behaviors. 1.3. A trace is a list of states.

  13. The Theorem.

      (defthm ringosc3-one-safe
        (implies (and (ringosc3-p r)
                      (any-trace-p tr)
                      (consp tr)
                      (ringosc3-valid r tr)
                      (ringosc3-one-safe-state r (car tr)))
                 (ringosc3-one-safe-trace r tr))
        :hints (("Goal"
                 :induct (ringosc3-one-safe-trace r tr)
                 :in-theory (e/d ...))
                ("Subgoal *1/1.1"
                 :use ((:instance ringosc3-one-safe-lemma (r r) (tr tr))))))

  1. ringosc3-one-safe-lemma is the inductive step, proved using Smtlink. 2. Smtlink expands out the definitions and Z3 is able to derive enough relationships between the terms to complete the proof. 3. Smtlink is very good at flattened formulas with a large amount of detail.

  14. Extend the Proof to an Arbitrary Number of Stages. [Figure: a k-stage ring inv1, inv2, inv3, ..., invk with nodes n1, n2, ..., nk and output Q_Freq.] 1. We've proven a theorem that states the one-safe property for a ring oscillator with an arbitrary number of stages. 2. Some statistics of the proof:

      FTY types   Functions   Total thms   Smtlink thms   LOC
      5           17          55           23             2375

  3. Smtlink is smarter than I thought it was. 4. There is still potential for improvement: 4.1. Much of the length of the proof comes from having to expand terms out far enough that Smtlink can handle the proof.
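Added example, not code from the slides or from the Smtlink book: a Python model of the k-stage ring oscillator in the trace-recognizer style of slides 12 to 14, together with a brute-force check of the inductive step that ringosc3-one-safe-lemma discharges via Smtlink. The concrete step relation (a ready inverter may fire or stutter, a non-ready one keeps its output), the use of dicts for the alists, the signal names n1..nk and all function names are this example's own assumptions; it generalizes the 3-stage case to any k.

```python
from itertools import product


def ring_state(bits):
    """Build a state from the tuple of inverter outputs: bits[i] is node n(i+1).
    A dict stands in for the alist of slide 12 (signal path -> value)."""
    return {f"n{i + 1}": bool(b) for i, b in enumerate(bits)}


def stages(state):
    return len(state)


def inverter_input(state, i):
    """Inverter i (1-based) is driven by the previous stage; stage 1 closes the ring from stage k."""
    k = stages(state)
    prev = k if i == 1 else i - 1
    return state[f"n{prev}"]


def ready_to_fire(state, i):
    """An inverter is ready-to-fire while its output still equals its input."""
    return state[f"n{i}"] == inverter_input(state, i)


def step(s1, s2):
    """Stepping relation (assumed form): an inverter that is not ready keeps its output;
    each ready inverter either fires (flips) or stutters, so any subset of the ready
    inverters may fire in one step.  This is the nondeterminism the slides mention."""
    if set(s1) != set(s2):
        return False
    return all(
        s1[f"n{i}"] == s2[f"n{i}"] or ready_to_fire(s1, i)
        for i in range(1, stages(s1) + 1)
    )


def successors(state):
    """Enumerate every state s2 with step(state, s2)."""
    ready = [i for i in range(1, stages(state) + 1) if ready_to_fire(state, i)]
    for fires in product((False, True), repeat=len(ready)):
        s2 = dict(state)
        for i, f in zip(ready, fires):
            if f:
                s2[f"n{i}"] = not state[f"n{i}"]
        yield s2


def valid_trace(trace):
    """Trace recognizer: a trace is a list of states, each a legal successor of the previous."""
    return all(step(a, b) for a, b in zip(trace, trace[1:]))


def one_safe_state(state):
    return sum(ready_to_fire(state, i) for i in range(1, stages(state) + 1)) == 1


def one_safe_trace(trace):
    return all(one_safe_state(s) for s in trace)


def one_safe_counterexample(k):
    """The inductive step of the one-safe theorem, checked by enumeration for a k-stage ring:
    from every one-safe state, every successor must again be one-safe.
    Returns the first offending (state, successor) pair, or None if the step holds."""
    for bits in product((False, True), repeat=k):
        s = ring_state(bits)
        if not one_safe_state(s):
            continue
        for s2 in successors(s):
            if not one_safe_state(s2):
                return s, s2
    return None


def run_oscillator(init, steps):
    """A concrete trace: at each step every ready inverter fires (exactly one in a one-safe state)."""
    trace = [init]
    for _ in range(steps):
        cur = trace[-1]
        nxt = dict(cur)
        for i in range(1, stages(cur) + 1):
            if ready_to_fire(cur, i):
                nxt[f"n{i}"] = not cur[f"n{i}"]
        trace.append(nxt)
    return trace


if __name__ == "__main__":
    s0 = ring_state((False, True, False))  # L, H, L as in the slide 10 frame: inv1 is ready
    tr = run_oscillator(s0, 6)
    print("valid:", valid_trace(tr), "one-safe:", one_safe_trace(tr))
    for k in (3, 5, 7):
        print(f"{k}-stage inductive step counterexample:", one_safe_counterexample(k))
```

The enumeration is the flattened, detail-heavy shape of reasoning the slides say Smtlink handles well: for 3 stages it is 8 states and at most two successors each. For even k no one-safe state exists at all (the number of ready inverters in a ring has the same parity as k), so the check is vacuous there, which is why the theorem is stated for rings of an odd number of inverters.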

  15. Outline (section 3): 1. Why Smtlink 2.0? 2. A Simple Ring Oscillator Example 3. The New Architecture 4. Exciting Future Work

  16. The Story for a New Architecture. 1. The old architecture is monolithic: one single trusted clause-processor. [Figure: the original clause C1 ∧ C2 ∧ ... ∧ Cn ⇒ G goes through the single clause processor straight to the SMT solver, which returns the clause.] 2. After the 2015 workshop, based on Jared's suggestions, Matt, Dave, Dmitry, Mark and I discussed the possibility of using computed hints. This led to the file books/hints/hint-wrapper.lisp. 3. The idea is to use a verified clause-processor that generates multiple clauses, and to put markers on the clauses that can be recognized by computed hints for further steps. 4. This further led to the new architecture.

  17. The Architecture. The new architecture is both extensible and has a more compelling argument for soundness. [Figure: the user's hints say to use Smtlink and provide an smtlink-hint; the Smtlink interface translates the smtlink-hint into an internal data structure and adds a hint that invokes the next transform step; a chain of verified clause-processors (add hypotheses, function expansion, type extraction, uninterpreted functions) each transform the goal and return subgoals to ACL2; the last step is the trusted clause-processor, which sends G_SMT to the SMT solver.] Verified clause-processors transform the ACL2 goal into SMT theories. Each verified clause-processor adds a hint indicating which step to take next.

  18. The Architecture - Cont'd. [Figure: the pipeline of slide 4, driven by the *smt-architecture* table, which maps each step tag to the next clause-processor:

      step tag              next clause-processor
      process-hint          add-hypo-cp
      add-hypo              expand-cp
      expand                type-extract-cp
      type-extract          uninterpreted-fn-cp
      uninterpreted         smt-trusted-cp
      uninterpreted-custom  smt-trusted-cp-custom

  The computed hint reads the tag left by the previous step and invokes the listed clause-processor; smt-trusted-cp (or its custom variant) is the trusted clause-processor that calls the SMT solver on G_SMT, and the SMT precondition subgoals come back to ACL2.] 1. Each step is a verified clause-processor that can be configured through a single table. 2. Only the last step uses a trusted clause-processor.

  19. The Trusted Clause Processor. [Figure: inside the trusted clause-processor, the ACL2 clause G_tcp plus the type information generated by the earlier steps is processed into an SMT clause G_SMT and then a Z3 (Python) clause G_py; Z3 is asked whether not(G_py) is satisfiable: unsat means proved, while sat (with a counterexample, CEX) or unknown means not proved; the SMT precondition subgoals are handed back to ACL2.] What's not verified? 1. The trusted clause-processor, the Z3py interface class, and Z3 itself. 2. SMT precondition subgoals: subgoals that have to be satisfied to ensure soundness.

  20. There are Always Exceptions - Precondition Example.

      (fty::deflist intlist :elt-type integerp :true-listp t)

      (defthm bogus
        (implies (intlist-p x)
                 (or (< (car x) 0)
                     (equal (car x) 0)
                     (> (car x) 0))))

  x = nil is a counterexample to this bogus theorem. Let x = nil: (or (< (car nil) 0) (equal (car nil) 0) (> (car nil) 0)). Since (car nil) = nil: (or (< nil 0) (equal nil 0) (> nil 0)). Each of these comparisons with the non-number nil evaluates to nil (in the ACL2 logic, < treats a non-number as 0, so (< nil 0) and (> nil 0) are both (< 0 0), and nil is not equal to 0): (or nil nil nil) = nil. This is the kind of case the SMT precondition subgoals of slide 19 exist to catch: treating (car x) as an integer on the SMT side is only sound if ACL2 can prove it is one, and for x = nil it cannot.
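Added example, not from the slides or the Smtlink book: a small Python emulation of why the bogus theorem needs an SMT precondition subgoal. The ACL2 facts it relies on (car of nil is nil; < treats a non-number as 0; nil is not equal to 0) are standard ACL2 semantics. The function names, the brute-force search over small lists, and the "naive SMT reading" are this example's own assumptions and are not Smtlink's actual translation.

```python
from itertools import product

NIL = None  # stands for ACL2's nil; a Python list of ints stands for an intlist-p value


def car(x):
    """ACL2's car: the first element of a non-empty list, nil on nil."""
    return x[0] if x else NIL


def integerp(v):
    return isinstance(v, int)


def fix(v):
    """ACL2's fix, restricted to the values that occur here: an integer is unchanged,
    nil becomes 0.  This is how < reads a non-numeric argument in the ACL2 logic."""
    return v if isinstance(v, int) else 0


def acl2_lt(a, b):
    return fix(a) < fix(b)


def acl2_equal(a, b):
    return a == b  # nil and 0 are distinct objects, so (equal nil 0) is nil


def bogus_conclusion(x):
    """(or (< (car x) 0) (equal (car x) 0) (> (car x) 0)) evaluated as ACL2 does,
    including the x = nil case where (car x) is nil."""
    c = car(x)
    return acl2_lt(c, 0) or acl2_equal(c, 0) or acl2_lt(0, c)


def naive_smt_reading(n):
    """What a flattened translation hands Z3 if (car x) is simply typed as an integer n:
    n < 0 or n = 0 or n > 0, a tautology over the integers, so not(G_py) is unsat."""
    return n < 0 or n == 0 or n > 0


def precondition_subgoal(x):
    """The obligation that must be returned to ACL2 before the integer typing of (car x)
    may be trusted: under (intlist-p x), (car x) is an integer.  (Assumed form.)"""
    return integerp(car(x))


def find_counterexample(max_len=2, values=(-1, 0, 1)):
    """Enumerate small intlists, nil included, and return the first x on which the ACL2
    evaluation of the theorem fails, paired with the precondition's verdict on that x."""
    for n in range(max_len + 1):
        for elems in product(values, repeat=n):
            x = list(elems)
            if not bogus_conclusion(x):
                return x, precondition_subgoal(x)
    return None


if __name__ == "__main__":
    print("Z3 sees a tautology:", all(naive_smt_reading(n) for n in range(-3, 4)))
    print("ACL2 counterexample and precondition verdict:", find_counterexample())
```

The search stops at x = [] (nil): the theorem's conclusion evaluates to false there while the integer reading is trivially true, and the precondition subgoal is exactly what fails on the same input, so the unsound step is rejected in ACL2 rather than silently accepted by the solver.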
