**Rockwell** Advanced Technology Center

# **Evaluatable, High-Assurance Microprocessors**

David Greve Matthew Wilding

{dagreve,mmwildin}@rockwellcollins.com

Rockwell Collins, Inc. Advanced Technology Center Cedar Rapids, Iowa

NSA HCSS research conference March 2002





- Advanced Communication and Aviation Equipment
  - Air Transport, Business, Regional, and Military Markets
  - \$2.5 Billion in Sales
- □ Headquartered in Cedar Rapids, IA
  - 17,000 Employees Worldwide







# **Advanced Technology Center**



# Advanced Technology Center

- □ The Advanced Technology Center (ATC) identifies, acquires, develops and transitions value-driven technologies to support the continued growth of Rockwell Collins.
- □ The Advanced Computing Systems department addresses emerging technologies for high assurance computing systems with particular emphasis on embedded systems.
- □ The Formal Methods Center of Excellence applies mathematical tools and reasoning to the problem of producing high assurance systems.



## **CAPS: Collins Adaptive Processing System**



CAPS is a processor family for critical applications

- □ RC processors have a 30+ yr history
- □ stack-based, Java bytecode-like
- □ microcoded, stack and instruction caches
- □ verified through extensive process of "walkthrus"
- □ microarchitecture simulator: 5K LOC
- □ Some CAPS family members used in ultra-critical applications



## Background: ACL2

- □ ACL2 is a system for modeling and mathematical reasoning.
  - One of a number of available "theorem provers"
  - ACL2 homepage at the University of Texas at Austin
- □ The logic of ACL2 is a subset of Common Lisp
  - basically, the *functional* (or *applicative*) part of standard Common Lisp
- □ ACL2 documented in 2 books and an extensive webpage
- **Some interesting applications outside Rockwell Collins:** 
  - communication protocol correctness
  - AMD K5 and Athlon floating-point operation implementation
    - numerical analysis
    - pipeline disentanglement
  - CLI "stack" (Nqthm)
  - A verified BDD package
  - proofs in mathematics



## Background: ACL2 (cont.)





## **Formal Informal Microprocessor Correctness**





#### **Formal Formal Microprocessor Correctness**



#### Rockwell Collins

## **Microarchitectural EFMs**

□ We build executable formal models (EFMs) of our machines.

Where some write imperative code

state.alu.z := 1;

state.alu.pc := state.alu.pc + 1

#### we write applicative code

(let ((st (update-nth (alu.z) 1 st)))

(let ((st (update-nth (alu.pc) (1+ (alu.pc st)) st)))

- □ Based on preexisting CAPS simulator
  - roughly 5K LOC, 337 elements integers and arrays in state
  - microcycle simulator let-expressions 300 x 4 = 1200 deep
  - No performance degradation vs. C no boxing!
- □ Imperative-speed execution now built into provers
  - initial RC EFMs used homegrown tools
  - STOBJs, starting with ACL2 2.4
  - PVS has added execution with destructive optimization

**Two papers about our EFM approach What, Why** *Efficient Simulation of Formal Processor Models* (FMSD, May 2001) **How** *High-Speed, Analyzable Simulators* (ACL2 Case Studies, July 2000, KAP)



## The READER

The reader is a Common Lisp/ACL2 macro that expands imperativelooking programs into EFMs.



The macro expansion has

□ single-threaded access to a list containing the state,

 $\hfill\square$  declarations so GCL compiles efficiently, and

□ state accessing using "update-nth" and "nth" functions.

#### Rockwell Collins

#### **CAPS Microarchitecture Model**

The ACL2 CAPS uarch model replaces the C model in the CAPS microcode simulator. The replacement is not observable to users.

CAPS ACL2 uarch model passes 3-hr standard CAPS regression test!

High-speed, formal models provide for evaluatability (looks like C, passes regression tests, integrated into dev process, proofs checked)

| – FACADE – uSim                                                                                                                                     |                                                                                            | FACADE – Console                                            |         |
|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|-------------------------------------------------------------|---------|
| uLoad Reset clkCyc micCyc mapCyc                                                                                                                    | backstep Refresh                                                                           | File Edit Options Window Setup usim                         | Help    |
| Current         Previous         uControl           S4:S5         0000         7009         S4:S5         000         7009         uADR         05a | Status         uInstruction Decode           ZERO         0         CONT         uADR: 05a | AAMP: Halted Bus: Halted T5sim: USIM Instr / Sec 20.0 MH:   | z       |
| S2:S3 0000 0915 S2:S3 0000 0915 UPC 05a                                                                                                             | SIGN 1 ZERO                                                                                | Go Halt Reset Run Previous IIp lines 0                      | Ilser 2 |
| R3 0000 0000 R3 0000 0000 CONST 000                                                                                                                 | V16 0 R<-A                                                                                 | IStep IStep Ov BackTrace History Next Down User 1           | User 3  |
| R2 0000 0022 R2 0000 0022 NIBL 0                                                                                                                    | V32 1 S<-0                                                                                 | No Source File                                              |         |
| R1 0000 0010 R1 0000 0010 026b 0 i                                                                                                                  | SXV 0 FK-S or R                                                                            |                                                             |         |
| Q 0000 7061 Q 0000 7061 010a 0 m                                                                                                                    | INTR 0 AK-STK2                                                                             | [diag]-> patch MACH.ROM<br>  diag]-> set 900 32             |         |
| PAGE 0000 449e PAGE 0000 449e 0203 0 j                                                                                                              | SKMT 0 B<-STK1                                                                             | **** BREAKPOINT OCCURRED ****                               |         |
| LENV 0000 7068 LENV 0000 7068 010c 0 j                                                                                                              | MODE 0 NOB LNKO                                                                            | LSUHPE key pressed                                          |         |
| PC 0000 049c PC 0000 049c 010a 0 m                                                                                                                  | LOCK 0 EXCLUDE uCycle                                                                      | 0 E.000249=5160 [00] 200 ns (4t)                            |         |
| Bout beef 01c9 Bout beef 01c9 0006 0 t                                                                                                              | OVR 0<br>7 4 OPC 0a OCC 4                                                                  | Executed 1 microcycle                                       |         |
| Sin 0000 0000 Sin 0000 0000 0058 0 j                                                                                                                | CC 0 Int Ctl Flt Mon                                                                       | 0 E 007009-0000 R E001 300 pp (6t)                          |         |
| Rin 01c9 0000 Rin 01c9 0000 0059 0                                                                                                                  | INT× 00 CAP 00 FM 10                                                                       | Executed 1 microcycle                                       |         |
| Fout 01c9 0000 Fout 01c9 0000 005a 0                                                                                                                | MASK ff IN 0 CNT 0                                                                         | 0 E.00024A=0A60 [00] 200 ns (4t)                            |         |
| Control Word Bus                                                                                                                                    |                                                                                            | Executed 1 microcycle                                       |         |
| 0000 0000 301f 3880 BUS:0 XRQ:0 XAK:0 IR:150a IH                                                                                                    | Hi:00 OP:0a DR:01c9 DBW:01c9                                                               |                                                             |         |
| show listing DEN:0 DIF:0 CEF:0 CEN:1 uCyc:                                                                                                          | :1 map:0 WD:0000 RD:150a                                                                   | 0 E.00090]=01C9 R [00] 300 ns (6t)<br>Executed 1 microcycle |         |
|                                                                                                                                                     |                                                                                            | 0 E.00024B=0915 [00] 200 ns (4t)                            |         |
|                                                                                                                                                     |                                                                                            | Executed 1 microcycle                                       |         |
| intfc::cycle = 0                                                                                                                                    |                                                                                            | 0 E.00024E=0900 [00] 200 ns (4t)                            |         |
| fcp_ext::set_reset(1)                                                                                                                               |                                                                                            |                                                             |         |
| useq::useq_do_reset()                                                                                                                               | Filter                                                                                     | 0 E.00024D=0000 E00] 200 ns (4t)<br>Executed 1 microcycle   |         |
| stub::FCP2K_CSTORE_LOAD_CS                                                                                                                          | ACL/fcp2k2/sim/*.sod                                                                       | 0 E 00074E-1500 E007 - 200 - 200 - 200                      |         |
| STUD::FUP2K_PPROM_LUAD                                                                                                                              |                                                                                            | Executed 1 microcycle                                       |         |
| stub::FCP2K_UENG_RESET                                                                                                                              | Directories Files                                                                          | Executed 1 microcycle                                       |         |
| useq::useq_do_reset()                                                                                                                               | /sim/ Dist.sod                                                                             | Executed 1 microcycle                                       |         |
| stub::FCP2K UENG RESET                                                                                                                              | /sim/dbg clean.sod                                                                         | 0 E.007061=BEEF W [00] 500 ns (10t)                         |         |
| useq::useq_do_reset()                                                                                                                               | /sim/gui cputest.sod                                                                       | Executed 1 microcycle                                       |         |
| fcp_ext::set_reset(1)<br>  stub::ECP2K_UENG_RESET                                                                                                   | /sim/prsdiag_um.sod                                                                        | Executed I withoughte                                       |         |
| useq::useq_do_reset()                                                                                                                               | /sim/sym f.sod                                                                             |                                                             |         |
| stub::FCP2K_CSTORE_LOAD_CS                                                                                                                          | sim/tests fixrs,sod                                                                        |                                                             |         |
| fcp_ext::set_reset(0)                                                                                                                               |                                                                                            | Command: I                                                  |         |
| intfc::cycle = 0                                                                                                                                    | Select command file to execute:                                                            |                                                             |         |
| cycle = 0<br>cycle = 1000                                                                                                                           | /fcp2k2/sim/diag.sod                                                                       |                                                             |         |
| cycle = 2000                                                                                                                                        |                                                                                            |                                                             |         |
| inttc::cycle = 10000                                                                                                                                | OK Filter Cancel                                                                           |                                                             |         |
| - cycle = 4000                                                                                                                                      |                                                                                            |                                                             |         |
|                                                                                                                                                     |                                                                                            | News for Nerds. Stuff that matters.                         |         |

#### Rockwell Collins

#### **CAPS** Correctness Theorem



Page 12























#### **Proving the CAPS Correctness Theorem**



Page 18

NSA HCSS March 2002



#### MAXOF2

We illustrate this proof architecture with a simple CAPS instruction. maxof2 pops 2 stack values and pushes the greater.

Goal theorem:

#### A relevant definition used in I:

```
(defun op-maxof2 (st)
(defthm maxof2-works
                                              (declare (xargs :stobjs (st)))
  (implies
                                              (CAPS *state->state*
                                                   (POP TS2)
   (and
                                                   (POP TS1)
    (caps_init_uinstp (uaddr::maxof2) st)
                                                   (TSr = (? (> (logext 16 TS1) (logext 16 TS2))
    (goodocc st)
                                                              TS1 TS2))
    (stk-adjusted (op::maxof2) st)
                                                   (PUSH TSr)
    (st-p st)
                                                   (pc = (\& (1+ (pc)) #xffffff))
    (normal-operation st)
                                                    st))
    (cache-loaded st))
   (equal (CAPS::map (m st (clock::maxof2 st)) CAPS::st)
     (CAPS::i (op::maxof2) (CAPS::map st CAPS::st)))))
```

Three or four 64-bit words of microcode are executed by the CAPS machine for maxof at locations 12F, 41C, 41D, and 41E.

#### Rockwell Collins

## **Specifying a Line of Microcode**

```
(defun line::x041c (st)
  (let ((st0 st))
  (^
        (V = (logext 16 (uC::V )))
        (VM1 = (logext 16 (uC::VM1)))
        (uadr = (uC::IF?=> (! (ext. mode)) (uaddr::ill_inst)))
        (skv = (> VM1 V))
        (st = (m-step st))
        (st = (m-step st))
        (st = (base-state st0 st))
        (st = (base-state st0 st))
        (st = (MACRO (misc-regs :sxv skv)))
        (st = (sequence uadr st))
        (return st))))
```

We only specify interesting parts of how a line of microcode changes the machine's state. Other parts are specified to work as defined by m.





#### **Theorems for a Line of Microcode**

#### (line::prove :uaddr #x041c)

generates many needed lemmas, such as:

#### (DEFTHM LINE::X041C-UINST-1

(DEFTHM LINE::X041C-EXECUTION

(IMPLIES (AND (CAPS\_INIT\_UINSTP 1052 ST) (ST-P ST) (NORMAL-OPERATION ST) (GOODOCC ST) (MAPPED-MICROCYCLE ST)) (EQUAL (M ST (CLOCK::X041C ST)) (LINE::X041C ST))))



#### Rockwell Collins

## **Proof of a Line of Microcode**

- Even after decomposing the proof, programming
   ACL2 to prove these kinds of theorems is a big job!
  - □ Super-IHS
    - We have proved hundreds of rules in our strategy for simplifying microprocessor operation expressions.
      - moving bits around easy
      - □ arithmetic easy
      - arithmetic and bit-vector hard
  - update-nth equality
  - thousands of rules get automatically generated and proved related to state updates and references
- □ ACL2 theorem prover itself enhanced to integrate efficient nth-update-nth reasoning into simplifier.

See J Moore's CAV'01 paper for nu-rewriter details





## Specifying a Block of Microcode



- **Defblock** generates what is needed to specify and verify a block of microcode, like **line::prove**.
- clock function
- □ spec function
- correctness theorems



## **Abstract Microcode Block Specification**

Abstract specs can be very helpful.

- Practically speaking, they are required for blocks containing loops in order to eliminate recursion over state.
- Like at the microcode-line level, these specs benefit from identifying interesting elements and specifying irrelevant elements using the lowerlevel model.

(MAXof2 is too simple to benefit from a more abstract spec for the execution of its microcode.)

Microcode block abstraction







#### MAXOF2 works!

We put the pieces together to prove the main theorem:

```
(defthm maxof2-works
  (implies
    (and
      (caps_init_uinstp (uaddr::maxof2) st)
      (goodocc st)
      (stk-adjusted (op::maxof2) st)
      (st-p st)
      (normal-operation st)
      (cache-loaded st))
  (equal (CAPS::map (m st (clock::maxof2 st)) CAPS::st)
            (CAPS::ii (op::maxof2) (CAPS::map st CAPS::st)))))
```





#### **New Stuff**

- □ Executable formal models (EFMs)
- □ A "reader" that greatly simplifies writing analyzable applicative code that runs with imperative speed.
- Proof decomposition
  - similar in some ways to other proof decomposition challenges
  - definition of level by using lower levels
- □ Nu-rewriter (JSM)
- Proof automation
  - Books of theorems that constitute a strategy (of course!)
  - Theorems generated from state description
  - Code that supports the proof decomposition process
    - Theorem-generating macros





#### Summary

#### At Rockwell Collins we are...

- □ writing software that is evaluatable and fast!
- □ modeling microprocessor microarchitectures,
- □ proving correctness using a theorem prover, and
- exploring how to use this in a certification context.



