511-33 N96-10037

/

## Formal Development of a Clock Synchronization Circuit

Paul S. Miner

This talk presents the latest stage in a formal development of a fault-tolerant clock synchronization circuit. The development spans from a high level specification of the required properties to a circuit realizing the core function of the system.

An abstract description of an algorithm has been verified to satisfy the high-level properties using the mechanical verification system EHDM [2]. This abstract description is recast as a behavioral specification input to the Digital Design Derivation system (DDD) developed at Indiana University [1]. DDD provides a formal design algebra for developing correct digital hardware. Using DDD as the principle design environment, a core circuit implementing the clock synchronization algorithm was developed [3]. The design process consisted of standard DDD transformations augmented with an ad hoc refinement justified using the Prototype Verification System (PVS) from SRI International [4].

Subsequent to the above development, Wilfredo Torres-Pomales discovered an area-efficient realization of the same function [5]. Establishing correctness of this optimization requires reasoning in arithmetic, so a general verification is outside the domain of both DDD transformations and model-checking techniques.

DDD represents digital hardware by systems of mutually recursive stream equations. A collection of PVS theories was developed to aid in reasoning about DDD-style streams. These theories include a combinator for defining streams that satisfy stream equations, and a means for proving stream equivalence by exhibiting a stream bisimulation.

DDD was used to isolate the sub-system involved in Torres-Pomales' optimization. The equivalence between the original design and the optimized verified was verified in PVS by exhibiting a suitable bisimulation. The verification depended upon type constraints on the input streams and made extensive use of the PVS type system. The dependent types in PVS provided a useful mechanism for defining an appropriate bisimulation.

### References

- Bhaskar Bose. DDD A Transformation System for Digital Design Derivation. Technical Report 331, Computer Science Dept. Indiana University, May 1991.
- [2] Paul S. Miner. Verification of fault-tolerant clock synchronization systems. Technical Paper 3349, NASA, Langley Research Center, Hampton, VA, November 1993.
- [3] Paul S. Miner, Shyamsundar Pullela, and Steven D. Johnson. Interaction of formal design systems in the development of a fault-tolerant clock synchronization circuit. In *Proceedings 13th Symposium on Reliable Distributed Systems*, pages 128-137, Dana Point, CA, October 1994.
- [4] Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal verification for faulttolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107-125, February 1995.
- [5] Wilfredo Torres-Pomales. An optimized implementation of a fault-tolerant clock synchronization circuit. Technical Memorandum 109176, NASA, Langley Research Center, Hampton, VA, February 1995.

## Outline

# Formal Development of a Fault-Tolerant Clock Synchronization Circuit

Paul S. Miner May 12, 1995

- Summary of Prior work
- Description of Torres-Pomales' Optimization
- Verification of Optimization
- Definition of Streams in PVS

  - Proof by Co-Induction

## **Prior Verification**

- Developed verified design of clock synchronization circuit using a combination of formal techniques.
- Mechanized Proof System (EHDM, PVS)
  - Digital Design Derivation
- OBDD-based tautology checking

Design Hierarchy-Old



| Informal Description of Algorithm | <ul> <li>Welch &amp; Lynch Algorithm</li> <li>System of N clocks designed to tolerate F arbitrary faults</li> <li>Completely connected network</li> <li>Each Clock periodically</li> <li>Each Clock periodically</li> <li>Gathers estimates of readings of all other clocks in the system</li> <li>Discards the F largest and F smallest readings</li> <li>Discards the F largest and F mallest readings</li> <li>Sets self to mid-point of the range of the remaining readings</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | ه<br>Intermediate Stage                        | <ul> <li>Circuit implements core function of algorithm <ul> <li>Network interconnect in different partition of design</li> <li>Independent of number of clocks in the system</li> <li>Independent of number of clocks in the system</li> </ul> </li> <li>This stage was reached via a combination of standard DDD transformations and an <i>ad hoc</i> refinement verified using PVS</li> </ul> |
|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Design HierarchyNew               | Anoreitation Projection         Outeral Epincontration Projection         Outeral Epincontration Projection         Outeral Epincontration Projection         Anoreitation         Oto Epincinication         Outeral Epincontration Projection         Outeral Epincontration Projection         Anoreitation         Outeral Epincontration         Outeral Epincontration <tr< td=""><td>s<br/>Intermediate Stage of Previous Derivation</td><td></td></tr<> | s<br>Intermediate Stage of Previous Derivation |                                                                                                                                                                                                                                                                                                                                                                                                 |



Ξ

Streams in **PVS** 

AXIOMS

Stream\_eq: AXIOM  $X = Y \leq FORALL n: nth(X, n) = nth(Y, n)$ Stream\_cs\_eta: AXIOM cs(hd(S), tl(S)) = S Stream\_tl\_cs: AXIOM tl(cs(a, S)) = S Stream\_hd\_cs: AXIOM hd(cs(a, S)) = Stream\_inclusive: AXIOM cs?(S) END Stream\_adt

**Proof by Co-Induction** 

2

Stream\_coinduct[alpha: TYPE]: THEORY BEGIN

IMPORTING Stream\_adt

X, Y: VAR Stream[alpha]

R: VAR PRED[[Stream[alpha], Stream[alpha]]]

{R | FORALL X, Y: R(X, Y) = hd(X) = hd(Y) & R(tl(X), tl(Y))} Bisimulation: TYPE =

co\_induct: THEOREM (EXISTS (R: Bisimulation): R(X, Y)) => X = Y

END Stream\_coinduct

2

**Defining Streams** 

Stream\_corec[alpha, beta: TYPE]: THEORY IMPORTING Stream\_adt[beta] BEGIN

f: VAR [alpha -> beta] g: VAR [alpha -> alpha] a: VAR alpha corec(f, g, a): Stream[beta]

corec\_def: AXIOM corec(f, g, a) = cs(f(a), corec(f, g, g(a)))

[...]

END Stream\_corec

Ξ

**Stream Equations for Original Sub-Circuit** 

THETA-NF = cs(i, MUX(NF, RD, THETA-NF))THETA-F1 + THETA-NF| THETA-F1 = cs(i, MUX(F1, RD, THETA-F1))2 CFN =9



| <b>PVS Definitions for Circuit Verification</b> | A, B, C, R: VAR Stream[bool]<br>a, b, c, r: VAR bool<br>I, J, K: VAR Stream[int]<br>i, j, k: VAR int      | THETA( $A, I, i$ ): Stream[int] %defined using corec | <pre>CFN(A, B, I, i, j): Stream[int] = DIV2(THETA(A, I, i) + THETA(B, I, j))</pre> | HOLD $(A, a)$ : Stream[bool] %defined using corec | CIN(A, B): Stream[bool] = A AND NOT B | OPT(A, C, I, i): Stream[int] %defined using corec | 8 | Type Declarations for Assumptions on Input<br>Signals | $S(R): \text{ TYPE} = $ $\{A \mid \text{Invariant(IF } R $ $\text{THEN NOT tl(A)} $ $\text{ELSE } A \Rightarrow \text{tl(A)} $ $\text{ENDIF} \}$                              | C(R): TYPE =<br>{I   Invariant(NOT $R \Rightarrow Eq(tl(I), INC(I))$ } |
|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------|------------------------------------------------------------------------------------|---------------------------------------------------|---------------------------------------|---------------------------------------------------|---|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| Stream Equations for Optimized Sub-Circuit      | HOLD = $cs(false, F1 \& \neg HOLD)$<br>$cin = HOLD \& \neg NF$<br>OPT = cs(i, WUX(F1, RD, INC(OPT, CIN))) | FI CIN                                               |                                                                                    |                                                   |                                       | -                                                 | 5 | Recursive Stream Definitions                          | THETA(A, I, i) = $cs(i, MUX(A, I, THETA(A, I, i)))$<br>HOLD(A, a) = $cs(a, A \not k \rightarrow HOLD(A, a))$<br>OPT(A, C, I, i) = $cs(i, MUX(A, I, INC(OPT(A, C, I, i), C)))$ |                                                                        |

| <b>Proof of</b> Optimize_correct by co-induction | Define Bisimulation B as:<br>$\{(X, Y) \\ \exists R, (RD) : C(R)), (F1 : S(R)), (NF : \{A : S(R) A \Rightarrow F1\}), (i : int) \\ (j : int hd(F1) \land \neg (hd(NF)) \Rightarrow hd(RD) = j + 1), \\ (j : int hd(F1) \land \neg (hd(NF)) \Rightarrow b = odd?(i + j)) : \\ (b : bool hd(F1) \land \neg (hd(NF)) \Rightarrow b = odd?(i + j)) : \\ X = CFN(F1, NF, RD, i, j) \& \\ Y = OPT(F1, CIN(HOLD(F1, b), NF), RD, \lfloor(i + j)/2\rfloor)\}$ | 2  | Concluding Remarks        | <ul> <li>Proof by co-induction effective technique for verifiying circuit refinements.</li> <li>Possible to exploit circuit context to complete proof</li> <li>Developed general Stream library for PVS 2</li> <li>Torres-Pomales' optimization verified in PVS using proof by co-induction</li> <li>PVS dependent type mechanism useful</li> <li>Posign implemented in VLSI (hand layout)</li> </ul>                                                                                          |
|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Correctness Theorem                              | <pre>Optimize_correct: THEOREM <math display="block">\forall R, (RD : C(R)), (F1 : S(R)  \neg hd(F1)), (i : int): (NF : S(R) Invariant(NF <math>\Rightarrow</math> F1)), (i : int): CFN(F1,NF,RD,i,i) = OPT(F1,CIN(HOLD(F1,false),NF),RD,i)</math></pre>                                                                                                                                                                                              | 12 | Proof—B is a Bisimulation | Heads: For any $(X, Y) \in B$ , $hd(X) = hd(Y) = [(i+j)/2]$ .<br>Tails: For any $(X, Y) \in B$ , show $(tl(X), tl(Y)) \in B$ .<br>tl(CFN(F1, NF, RD, i, j))<br>= CFN(tl(F1), tl(NF), tl(RD),<br>IF hd(F1), THEN i ELSE hd(RD) ENDIF,<br>tl(OPT(F1, CIN(HOLD(F1, b), NF), RD, [(i + j)/2])))<br>$tl(OPT(F1, CIN(HOLD(tl(F1), (hd(F1) \land b))), tl(NF)),$<br>tl(RD),<br>tl(RD),<br>tl(RD),<br>IF hd(F1) THEN $([(i + j)/2])))tl(NF)),tl(RD),tl(RD),tl(RD),tl(RD),tl(RD),tl(RD),tl(RD),tl(NF))$ |