BDDs & Theorem Proving: Binary Decision Diagrams

BDDs & Theorem Proving: Binary Decision Diagrams
Dr. Eng. Amr T. Abdel-Hamid, NETW 703 Winter 2012, Network Protocols
Lectures are based on slides by: K. Havelund & A. Groce, Reliable Software: Testing and Monitoring, CMU; E. Clarke, Formal Methods (to be updated by course name); S. Tahar, E. Cerny and X. Song, "Formal Verification of Systems".

Dr. Amr Talaat, Network Protocols

Binary Decision Diagrams
- Ordered binary decision diagrams (OBDDs) are a canonical form for Boolean formulas.
- OBDDs are often substantially more compact than traditional normal forms.
- Moreover, they can be manipulated very efficiently.
- Introduced in: R. E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.

Binary Decision Trees
- A binary decision tree is a rooted, directed tree with two types of vertices: terminal vertices and nonterminal vertices.
- Each nonterminal vertex v is labeled by a variable var(v) and has two successors: low(v), corresponding to the case where the variable is assigned 0, and high(v), corresponding to the case where the variable is assigned 1.
- Each terminal vertex v is labeled by value(v), which is either 0 or 1.

Example
- BDT for a two-bit comparator, f(a1,a2,b1,b2) = (a1 ↔ b1) ∧ (a2 ↔ b2) (figure on slide)

Binary Decision Diagram
- i.e. exactly like a decision TREE (figure on slide)

Reduced Ordered BDDs
- In practical applications, it is desirable to have a canonical representation for Boolean functions.
- This simplifies tasks like checking equivalence of two formulas and deciding if a given formula is satisfiable or not.
- Such a representation must guarantee that two Boolean functions are logically equivalent if and only if they have isomorphic representations.

Reduced Ordered BDD: Canonical Form Property
- A canonical representation for Boolean functions is desirable: two Boolean functions are logically equivalent iff they have isomorphic representations.
- This simplifies checking equivalence of two formulas and deciding if a formula is satisfiable.
- Two BDDs are isomorphic if there exists a bijection h between the graphs such that:
  - terminals are mapped to terminals and nonterminals are mapped to nonterminals;
  - for every terminal vertex v, value(v) = value(h(v)); and
  - for every nonterminal vertex v: var(v) = var(h(v)), h(low(v)) = low(h(v)), and h(high(v)) = high(h(v)).

Canonical Form Property
- Bryant (1986) showed that BDDs are a canonical representation for Boolean functions under two restrictions:
  - the variables appear in the same order along each path from the root to a terminal;
  - there are no isomorphic subtrees or redundant vertices.

Reduced Ordered Binary Decision Diagrams (ROBDDs): Creation
- Canonical Form Property
  - Requirement (1): impose a total order "<" on the variables in the formula: if vertex u has a nonterminal successor v, then var(u) < var(v).
  - Requirement (2): repeatedly apply three transformation rules (or apply them implicitly in operations such as disjunction or conjunction).

ROBDD Creation
1) Remove duplicate terminals: eliminate all but one terminal vertex with a given label and redirect all arcs to the eliminated vertices to the remaining one.

Comparator Example (figure on slide)

ROBDD Creation
2) Remove duplicate nonterminals: if nonterminals u and v have var(u) = var(v), low(u) = low(v) and high(u) = high(v), eliminate one of the two vertices and redirect all incoming arcs to the other vertex.

3) Remove redundant tests: if nonterminal vertex v has low(v) = high(v), eliminate v and redirect all incoming arcs to low(v).

ROBDD Example
- Creating the ROBDD for (x ⊕ y ⊕ z) (figure on slide)

Canonical Form Property (cont'd)
- A canonical form is obtained by applying the transformation rules until no further application is possible.
- Bryant showed how this can be done by a procedure called Reduce in linear time.
- Applications:
  - checking equivalence: verify isomorphism between ROBDDs;
  - non-satisfiability: verify if the ROBDD has only one terminal node, labeled by 0;
  - tautology: verify if the ROBDD has only one terminal node, labeled by 1.

Variable Ordering Problem (figure on slide)

Variable Ordering Problem
- The problem of finding the optimal variable order is NP-complete.
- Some Boolean functions have exponential-size ROBDDs for any order (e.g., multiplier).
- Heuristics for Variable Ordering
  - Heuristics developed for finding a good variable order (if it exists).
  - Intuition for these heuristics comes from the observation that ROBDDs tend to be smaller when related variables are close together in the order.
  - Variables appearing in a subcircuit are related (they determine the subcircuit's output) and should usually be close together in the order.
- Dynamic Variable Ordering
  - Useful if no obvious static ordering heuristic applies.
  - During verification operations (e.g., reachability analysis) functions change, hence the initial order is not good later on.
  - Good ROBDD packages periodically reorder variables internally to reduce ROBDD size.
  - Basic approach based on neighboring variable exchange.
  - Among a number of trials the best is taken, and the exchange is repeated.
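The reduction rules, the canonicity applications and the variable-ordering effect above, as one added example that is not part of the lecture: a small ROBDD manager (names and layout are this example's own) that Shannon-expands a Python predicate over a fixed variable order and applies the three rules through a unique table, then builds the slides' x ⊕ y ⊕ z and two-bit comparator functions.

```python
# Added example, not code from the lecture: an ROBDD manager that builds the
# reduced ordered BDD of a Boolean function by Shannon expansion over a fixed
# variable order, applying the three reduction rules from the slides on the
# fly through a "unique table" (hash-consing). Terminals are the node ids
# 0 and 1; every nonterminal is a (var, low, high) triple. Because the result
# is canonical, equivalence, tautology and unsatisfiability checks reduce to
# comparing root ids, and node counts show the effect of the variable order.

class ROBDD:
    def __init__(self, order):
        self.order = list(order)               # total order "<" on variables
        self.nodes = {0: None, 1: None}        # id -> (var, low, high); rule 1:
        self.unique = {}                       #   exactly one 0 and one 1 terminal
                                               # (var, low, high) -> id

    def mk(self, var, low, high):
        """Return the unique node for (var ? high : low), applying rules 2 and 3."""
        if low == high:                        # rule 3: redundant test
            return low
        key = (var, low, high)
        if key not in self.unique:             # rule 2: no duplicate nonterminals
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def build(self, fn, env=None, i=0):
        """Shannon-expand fn (a predicate over an assignment dict) along self.order.
        Enumerates all 2^n assignments, which is fine for these small examples."""
        env = {} if env is None else env
        if i == len(self.order):
            return 1 if fn(env) else 0         # leaf of the decision tree
        v = self.order[i]
        low = self.build(fn, {**env, v: 0}, i + 1)
        high = self.build(fn, {**env, v: 1}, i + 1)
        return self.mk(v, low, high)           # reduce while returning upward

    def size(self, root):
        """Number of nodes (terminals included) reachable from root."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if self.nodes[n] is not None:
                stack.extend(self.nodes[n][1:])
        return len(seen)

# Functions from the slides: 3-input parity and the two-bit comparator.
xor3 = lambda e: e['x'] ^ e['y'] ^ e['z']
iff3 = lambda e: (e['x'] == e['y']) == bool(e['z'])     # (x <-> y) <-> z
comparator = lambda e: e['a1'] == e['b1'] and e['a2'] == e['b2']

def xor3_size():
    m = ROBDD('xyz')
    return m.size(m.build(xor3))               # 5 nonterminals + 2 terminals

def xor3_equals_iff3():
    m = ROBDD('xyz')                           # same order, same manager:
    return m.build(xor3) == m.build(iff3)      # equivalent iff same root id

def comparator_sizes():
    """Node counts under the interleaved order a1<b1<a2<b2 vs a1<a2<b1<b2."""
    interleaved = ROBDD(['a1', 'b1', 'a2', 'b2'])
    grouped = ROBDD(['a1', 'a2', 'b1', 'b2'])
    return (interleaved.size(interleaved.build(comparator)),
            grouped.size(grouped.build(comparator)))

def tautology_and_unsat():
    """A tautology reduces to the single terminal 1, an unsatisfiable formula to 0."""
    m = ROBDD('x')
    return (m.build(lambda e: e['x'] or not e['x']),
            m.build(lambda e: e['x'] and not e['x']))
```

For the comparator the interleaved order gives 8 nodes and the grouped order 11, the small-n instance of the linear-versus-exponential gap the ordering heuristics try to avoid.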

Model Checking
- The Good: if it works, model checking (unlike theorem proving) is a push-button tool.
- The Bad: if the system is too large, model checking cannot be applied because of state explosion.
- & The Ugly: the system (and/or property) then needs to be suitably "abstracted" in order to use model checking.

Approximate Model Checking
- Representing exact state sets may involve large BDDs.
- Compute approximations to reachable states: potentially smaller representation.
- Over-approximation:
  - No bugs found: circuit verified correct.
  - Bugs found may be real or false.
- Under-approximation:
  - Bug found: real bug.
  - No bugs found: circuit may still contain bugs.
(figure on slide: reachable states vs. buggy states)

Theorem Proving
- Prove that an implementation satisfies a specification by mathematical reasoning.
- Implementation and specification expressed as formulas in a formal logic.
- Required relationship (logical equivalence / logical implication) described as a theorem to be proven within the context of a proof calculus.
- A proof system: a set of axioms and inference rules (simplification, rewriting, induction, etc.).

Theorem Proving Idea
- Properties specified in a logical language (SPEC).
- System behavior also in the same language (DES).
- Establish (DES ⇒ SPEC) as a theorem.
- A logical system:
  - a language defining constants, functions and predicates;
  - a number of axioms expressing properties of the constants, functions, types, etc.;
  - inference rules.
- A theorem 'follows' from the axioms by application of inference rules: it has a proof.

First-Order Logic
- Propositional logic: reasoning about complete sentences.
- First-order logic: also reasoning about individual objects and relationships between them.
- Syntax
  - Objects (in FOL) are denoted by expressions called terms:
    - constants a, b, c, ...; variables u, v, w, ...;
    - f(t1, t2, ..., tn) where t1, t2, ..., tn are terms and f a function symbol of n arguments.
  - Predicates:
    - true (T) and false (F);
    - p(t1, t2, ..., tn) where t1, t2, ..., tn are terms and p a predicate symbol of n arguments.

First-Order Logic (cont.)
- Formulas:
  - Predicates are formulas.
  - P and Q formulas, then ¬P, P ∧ Q, P ∨ Q, P ⇒ Q, P ⇔ Q are formulas.
  - x a variable, P a formula, then ∀x.P, ∃x.Q are formulas (x is not free in P, Q).

First-Order Logic (cont'd)
- The Validity Problem of FOL
  - To decide the validity of formulas of FOL, the truth table method does not work!
  - Reason: must deal with structures, not just truth assignments. Structures need not be finite...
- Semi-decidable (partially solvable): there is an algorithm which starts with an input, and
  1. if the input is valid then it terminates after a finite number of steps, and outputs the correct value (Yes or No);
  2. if the input is not valid then it reaches a reject halt or loops forever.
- Theorem (Church-Turing, 1936): the validity problem for formulas of FOL is undecidable, but semi-decidable.
- Some subsets of FOL are decidable.

Higher-Order Logic
- First-order logic: only domain variables can be quantified.
- Second-order logic: quantification over subsets of variables (i.e., over predicates).
- Higher-order logics: quantification over arbitrary predicates and functions.
- Higher-Order Logic:
  - variables can be functions and predicates;
  - functions and predicates can take functions as arguments and return functions as values;
  - quantification over functions and predicates.
- Since arguments and results of predicates and functions can themselves be predicates or functions, this imparts a first-class status to functions, and allows them to be manipulated just like ordinary values.

HOL
- Example 1 (mathematical induction): ∀P. [P(0) ∧ (∀n. P(n) ⇒ P(n+1))] ⇒ ∀n. P(n) (impossible to express in FOL)
- Example 2: the function Rise defined as Rise(c, t) = ¬c(t) ∧ c(t+1). Rise expresses the notion that a signal c rises at time t.

Higher-Order Logic
- Advantage: high expressive power!
- Disadvantages:
  - Incompleteness of a sound proof system for most higher-order logics.
    - Theorem (Gödel, 1931): "There is no complete deduction system for the second-order logic."
  - Inconsistencies can arise in higher-order systems if the semantics are not carefully defined.
    - "Russell Paradox": let P be defined by P(Q) = ¬Q(Q). Substituting P for Q leads to P(P) = ¬P(P).

Theorem Proving Systems
- Some theorem proving systems:
  - Boyer-Moore (first-order logic)
  - HOL (higher-order logic)
  - PVS (higher-order logic)
  - Lambda (higher-order logic)
- From the PVS website: "PVS is a large and complex system and it takes a long while to learn to use it effectively. You should be prepared to invest six months to become a moderately skilled user."

HOL
- HOL (Higher-Order Logic) was developed at the University of Cambridge.
- Interactive environment (in ML, Meta Language) for machine-assisted theorem proving in higher-order logic (a proof assistant).
- Steps of a proof are implemented by applying inference rules chosen by the user; HOL checks that the steps are safe.
- All inference rules are built on top of eight primitive inference rules.
- Mechanism to carry out backward proofs by applying built-in ML functions called tactics and tacticals.
- By building complex tactics, the user can customize proof strategies.
- Numerous applications in software and hardware verification.

HOL
- HOL provides considerable built-in theorem-proving infrastructure:
  - a powerful rewriting subsystem;
  - a library facility containing useful theories and tools for general use;
  - decision procedures for tautologies and a semi-decision procedure for linear arithmetic, provided as libraries.
- The approach to mechanizing formal proof used in HOL is due to Robin Milner.

Proof Styles in HOL (figure on slide)
- Forward proof style
- Goal-directed (or backward) proof style

Backward Proofs (figure on slide)

Example 1: Logic AND
- AND specification: AND_SPEC (i1,i2,out) := out = i1 ∧ i2
- NAND specification: NAND (i1,i2,out) := out = ¬(i1 ∧ i2)
- NOT specification: NOT (i, out) := out = ¬i
- AND implementation: AND_IMPL (i1,i2,out) := ∃x. NAND (i1,i2,x) ∧ NOT (x, out)

Example 1: Logic AND
- Proof goal: ∀ i1, i2, out. AND_IMPL(i1,i2,out) ⇒ AND_SPEC(i1,i2,out)
- Proof (forward):
  1. AND_IMPL(i1,i2,out) {from above circuit diagram}
  2. ∃x. NAND (i1,i2,x) ∧ NOT (x,out) {by def. of AND impl}
  3. NAND (i1,i2,x) ∧ NOT (x,out) {strip off "∃x."}
  4. NAND (i1,i2,x) {left conjunct of line 3}
  5. x = ¬(i1 ∧ i2) {by def. of NAND}
  6. NOT (x,out) {right conjunct of line 3}
  7. out = ¬x {by def. of NOT}
  8. out = ¬(¬(i1 ∧ i2)) {substitution, line 5 into 7}
  9. out = (i1 ∧ i2) {simplify, ¬¬t = t}
  10. AND_SPEC (i1,i2,out) {by def. of AND spec}
  11. AND_IMPL (i1,i2,out) ⇒ AND_SPEC (i1,i2,out) Q.E.D.
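The same forward proof replayed in a machine-checked proof assistant, as an added example that is not part of the lecture: Lean 4 (core tactics only, no Mathlib) instead of HOL, with the slide's definitions written as Props over Bool signals and each tactic mapped to the numbered proof lines above.

```lean
-- Added example (not from the lecture): Example 1 in Lean 4 rather than HOL.
-- Signals are Bool; each specification is a Prop relating inputs to output.
def AND_SPEC (i1 i2 out : Bool) : Prop := out = (i1 && i2)
def NAND     (i1 i2 out : Bool) : Prop := out = !(i1 && i2)
def NOT      (i out : Bool)     : Prop := out = !i
-- Implementation: a NAND feeding a NOT through the internal wire x (∃ x. ...)
def AND_IMPL (i1 i2 out : Bool) : Prop := ∃ x, NAND i1 i2 x ∧ NOT x out

-- Proof goal: ∀ i1 i2 out. AND_IMPL(i1,i2,out) ⇒ AND_SPEC(i1,i2,out)
theorem and_impl_correct :
    ∀ (i1 i2 out : Bool), AND_IMPL i1 i2 out → AND_SPEC i1 i2 out := by
  -- lines 1-3: assume the implementation, strip "∃ x." and split the conjunction
  intro i1 i2 out ⟨x, hnand, hnot⟩
  unfold NAND at hnand            -- line 5: hnand : x = !(i1 && i2)
  unfold NOT at hnot              -- line 7: hnot  : out = !x
  unfold AND_SPEC                 -- goal: out = (i1 && i2)
  subst hnand                     -- line 8: substitute line 5 into line 7
  subst hnot                      -- goal: !(!(i1 && i2)) = (i1 && i2)
  -- line 9: ¬¬t = t, discharged by case analysis on the two inputs
  cases i1 <;> cases i2 <;> decide
```

Unlike the HOL session the slides describe, Lean checks each step as it is typed, so a mis-stated definition (for example NOT (i, out) := out = i) makes the final `decide` fail rather than silently producing a wrong theorem.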

Inductive Proofs
- Inductive proofs must have:
  - Base case (value): where you prove it is true for the base case.
  - Inductive hypothesis (value): where you state what will be assumed in this proof.
  - Inductive step (value):
    - show: where you state what will be proven below;
    - proof: where you prove what is stated in the show portion; this proof must use the inductive hypothesis at some point.

Example 2
- Prove this statement: (formula on slide)
- Base case (n=1):
- Inductive hypothesis (n=p):
- Inductive step (n=p+1): Show:

Example 3: N-Bit Adder
- Verification of generic circuits
  - used in datapath design and verification;
  - idea: verify the n-bit circuit, then specialize the proof for a specific value of n (i.e., once proven for n, a simple instantiation of the theorem for any concrete value, e.g. 32, gets a proven theorem for that instance);
  - uses an induction proof.
- Specification: N-ADDER_SPEC (n,in1,in2,cin,sum,cout) := (in1 + in2 + cin = 2^(n+1) * cout + sum)

Example 3: N-Bit Adder
- Implementation (figure on slide)

Example 3: N-Bit Adder
- Recursive definition:
  N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) := ∃w. N-ADDER_IMP(n-1,in1[0..n-2],in2[0..n-2],cin,sum[0..n-2],w) ∧ N-ADDER_IMP(1,in1[n-1],in2[n-1],w,sum[n-1],cout)
- Notes:
  - N-ADDER_IMP(1,in1[i],in2[i],cin,sum[i],cout) = ADDER_IMP(in1[i],in2[i],cin,sum[i],cout)
  - Data abstraction function (vn: bitvec → nat) to relate bit vectors to natural numbers:
    - vn(x[0]) := bn(x[0])
    - vn(x[0,n]) := 2^n * bn(x[n]) + vn(x[0,n-1])

Example 3: N-Bit Adder
- Proof goal: ∀ n, in1, in2, cin, sum, cout. N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) ⇒ N-ADDER_SPEC(n, vn(in1[0..n-1]), vn(in2[0..n-1]), vn(cin), vn(sum[0..n-1]), vn(cout))
- As an example, it can be instantiated with n = 32: ∀ in1, in2, cin, sum, cout. N-ADDER_IMP(in1[0..31],in2[0..31],cin,sum[0..31],cout) ⇒ N-ADDER_SPEC(vn(in1[0..31]), vn(in2[0..31]), vn(cin), vn(sum[0..31]), vn(cout))

Example 3: N-Bit Adder
- Proof by induction over n:
  - Basis step: N-ADDER_IMP(1,in1[0],in2[0],cin,sum[0],cout) ⇒ N-ADDER_SPEC(1,vn(in1[0]),vn(in2[0]),vn(cin),vn(sum[0]),vn(cout))
  - Induction step: [N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) ⇒ N-ADDER_SPEC(n,vn(in1[0..n-1]),vn(in2[0..n-1]),vn(cin),vn(sum[0..n-1]),vn(cout))] ⇒ [N-ADDER_IMP(n+1,in1[0..n],in2[0..n],cin,sum[0..n],cout) ⇒ N-ADDER_SPEC(n+1,vn(in1[0..n]),vn(in2[0..n]),vn(cin),vn(sum[0..n]),vn(cout))]
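The recursive N-ADDER_IMP and the vn abstraction of Example 3 executed in Python, as an added example that is not part of the lecture: it checks one concrete n at a time by exhaustive simulation, which makes visible the 2^(2n+1) blow-up that the inductive proof over n sidesteps. Assumptions of this example: bit vectors are lists indexed x[0] (LSB) to x[n-1], and the carry-out is weighted 2^n for n-bit operands, the weight vn assigns a bit at position n.

```python
# Added example, not code from the lecture: the recursive N-ADDER_IMP and the
# data abstraction vn from the slides, run as Python functions. Bit vectors
# are lists x[0] (LSB) .. x[n-1]. check_instance(n) is an exhaustive check of
# a single concrete n (2^(2n+1) input combinations), the kind of instance the
# inductive proof covers for every n at once. Assumption: cout has weight 2^n
# for n-bit operands, i.e. the weight vn would give a bit at position n.
from itertools import product

def adder_imp(a, b, cin):
    """One-bit full adder: the n = 1 instance of N-ADDER_IMP."""
    s = a ^ b ^ cin
    cout = (a & b) | (cin & (a ^ b))
    return s, cout

def n_adder_imp(n, in1, in2, cin):
    """Recursive definition: an (n-1)-bit adder feeding a 1-bit adder via wire w."""
    if n == 1:
        s, cout = adder_imp(in1[0], in2[0], cin)
        return [s], cout
    low_sum, w = n_adder_imp(n - 1, in1[:n - 1], in2[:n - 1], cin)
    top, cout = adder_imp(in1[n - 1], in2[n - 1], w)
    return low_sum + [top], cout

def vn(x):
    """vn(x[0]) := bn(x[0]);  vn(x[0,n]) := 2^n * bn(x[n]) + vn(x[0,n-1])."""
    if len(x) == 1:
        return x[0]
    return 2 ** (len(x) - 1) * x[-1] + vn(x[:-1])

def n_adder_spec(n, in1, in2, cin, s, cout):
    """N-ADDER_SPEC over natural numbers (cout weighted 2^n, see assumption)."""
    return in1 + in2 + cin == 2 ** n * cout + s

def check_instance(n):
    """N-ADDER_IMP(n,...) ⇒ N-ADDER_SPEC(n, vn(...)) for every input of one fixed n."""
    for bits in product((0, 1), repeat=2 * n + 1):
        in1, in2, cin = list(bits[:n]), list(bits[n:2 * n]), bits[2 * n]
        s, cout = n_adder_imp(n, in1, in2, cin)
        if not n_adder_spec(n, vn(in1), vn(in2), cin, vn(s), cout):
            return False
    return True
```

check_instance(32) would need 2^65 simulations, which is why the slides instantiate the proven theorem at n = 32 instead of testing it.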

Conclusions
- Advantages of theorem proving:
  - high abstraction and expressive notation;
  - powerful logic and reasoning, e.g., induction;
  - can exploit hierarchy and regularity; puts the user in control;
  - can be customized with tactics (programs that build larger proof steps from basic ones);
  - useful for specifying and verifying parameterized (generic) datapath-dominated designs;
  - unrestricted applications (at least theoretically).
- Limitations of theorem proving:
  - interactive (under user guidance): uses many lemmas and large numbers of commands;
  - large human investment to prove small theorems;
  - usable only by experts: difficult to prove large / hard theorems;
  - requires deep understanding of both the design and HOL (white-box verification);
  - must develop proficiency in proving by working on simple but similar problems.

We are not alone (figure on slide: model checking, testing, theorem proving)

Hybrid Verification
- Formal verification using theorem proving + model checking (figure on slide)

Hybrid Verification
- |- Goal: Imp. ⇒ Spec.
- |- Goal: Imp.(x ∧ y ∧ ….) ⇒ Spec.((y=..) ∧ (…..))
- The goal is decomposed into sub-goals G1, G2, G3, …, Gn (and further into G1', …, Gn' and G1'', …, Gn''); use model checking to verify the sub-goals. (figure on slide)

Different Verification Methods (figure on slide)
- Testing (simulation/emulation)
- Theorem proving
- Model checking (automatic verification)

Semi-formal Verification (figure on slide: a conventional simulation driver, simulation engine and simulation monitor, extended with symbolic simulation, coverage analysis, diagnosis of unverified portions and guided vector generation)
- Devadas and Keutzer's proposal: a pragmatic suggestion for SOC verification.

Semi-formal Verification
- Smart simulation:
  - use properties to generate directed test vectors;
  - maximize the chances of detecting bugs at small cost.
- Coverage metrics crucial? Use metrics to determine:
  - unexercised parts of the design: guide vector generation;
  - adequacy of verification: when to stop?

Did you find the BUG yet?
- The verification and testing problem is an open question with multi-billion $ research per year.
- A great Masters research topic.

A Final Proof
- Software engineers want to be real engineers.
- Real engineers use mathematics.
- Formal methods are the mathematics of software engineering.
- Therefore, software engineers should use formal methods.
(Mike Holloway, NASA)

Scientists' Quotes
"Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life because it is so extremely rewarding."
"A formula is worth a thousand pictures."
Edsger Wybe Dijkstra (1930–2002)