Integrating Model Checking and Theorem Proving in a Reflective Functional Language
Abstract
Forte is a formal verification system developed by Intel’s Strategic CAD Labs for applications in hardware design and verification. Forte integrates model checking and theorem proving within a functional programming language, which both serves as an extensible specification language and allows the system to be scripted and customized. The latest version of this language, called reFLect, has quotation and antiquotation constructs that build and decompose expressions in the language itself. This provides a combination of pattern-matching and reflection features tailored especially for the Forte approach to verification. This short paper is an abstract of an invited presentation given at the International Conference on Integrated Formal Methods in 2004, in which the philosophy and architecture of the Forte system are described and an account is given of the role of reFLect in the system.

1 The Forte Verification Environment

Forte [17] is a formal verification environment that has been very effective on large-scale, industrial hardware verification problems at Intel [10,11,12,15]. The Forte system combines several model checking and decision algorithms with lightweight theorem proving in higher-order logic. These reasoning tools are tightly integrated within a strongly-typed, higher-order functional programming language called FL. This allows the Forte environment to be customised and large proof efforts to be organized and scripted effectively. FL also serves as an expressive language for specifying hardware behaviour. Model checking using symbolic trajectory evaluation (‘STE’) lies at the core of the Forte environment. STE [16] can be viewed as a hybrid between a symbolic simulator and a symbolic model checker. As a simulator, STE can compute symbolic expressions giving outputs as a function of arbitrary inputs.
As a model checker, it can automatically check the validity of a simple temporal logic formula, computing an exact characterization of the region of disagreement if the formula is not unconditionally satisfied. These features provide a seamless connection between simulation and verification as well as excellent feedback on failed proof attempts, two key elements of an effective usage methodology for large-scale formal verification [10,17].

E. Boiten, J. Derrick, G. Smith (Eds.): IFM 2004, LNCS 2999, pp. 36–39, 2004. © Springer-Verlag Berlin Heidelberg 2004

STE is a particularly efficient model checking algorithm, in part because it has a very restricted temporal logic. But STE, like any model checker, still has very limited capacity. Forte therefore complements STE with a higher-order logic theorem prover of similar design to the HOL system [6]. Theorem proving bridges the gap between big, practically-important verification tasks and tractable model checking problems. The Forte philosophy is to have as thin a layer of theorem proving as possible, since using this technology is still difficult. But case studies have shown that a surprising amount of added value can be gained from even very simple (mathematically ‘shallow’) theorem proving.

The Forte approach is to tightly integrate model checking and theorem proving within the single framework of a functional programming language and its runtime system. A highly engineered implementation of STE is built into the core of the language, with many entry points provided as user-visible functions. Two key aspects of this architecture are that it is a ‘white-box’ integration of model checking and theorem proving and that functional programming plays a central role in scripting verification efforts.

2 The reFLect Functional Language

The successor to FL for future generations of Forte is a new functional language called reFLect [7].
The reFLect language is strongly typed and similar to ML [8], but has quotation and antiquotation constructs like those in LISP, in a typed setting. This provides a combination of pattern-matching and reflection tailored especially for the Forte approach to verification. In what follows, a brief sketch is given of the motivation for the design of these features.

In higher-order logic theorem provers like HOL, the logical ‘object language’ in which reasoning is done is embedded as a data-type in the (functional) meta-language used to control the reasoning. This makes the various term analysis and transformation functions required by a theorem prover straightforward to implement. But separating the object-language and meta-language also causes duplication and inefficiency. Many theorem provers, for example, need to include special code for efficient execution of object-language expressions [2,3].

In reFLect, the data-structure used by the underlying language implementation to represent syntax trees is made available as a data-type within the language itself. Functions on that data-structure, such as evaluation, are also made available. This approach retains all the term inspection and manipulation abilities of a conventional theorem prover while borrowing an efficient execution mechanism from the meta-language implementation. It also builds reflection [9] into the logic of the theorem prover.

In systems like HOL, higher order logic is constructed along the lines of Church’s formulation of simple type theory [5], in which the logic is defined on top of the λ-calculus. Defining a logic on top of reFLect in the same way gives a higher-order logic that includes the reFLect reduction rules as well as certain reflection inference rules. These reflection capabilities allow Forte to make a logically principled connection between theorems in higher order logic and the results of invoking a model
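The following Python sketch is an added illustration of the architecture described in sections 1 and 2; it is constructed for this page and is not code from Forte, reFLect or the paper. It models the three ingredients the text names: object-language syntax trees exposed as an ordinary data type of the host language (with antiquotation modelled as filling named holes in a quoted template), evaluation of those trees as an ordinary host function, and a checker that returns the exact set of inputs on which an implementation and a specification disagree, whose empty result is turned into a theorem by a reflection-style inference rule. All names, the `^hole` convention for antiquotation, and the use of exhaustive enumeration in place of STE's symbolic (BDD-based) computation are assumptions of the example; the temporal aspect of STE is not modelled.

```python
# Illustrative model (constructed here, not Forte/reFLect code) of the
# architecture sketched above: syntax trees as a host data type, evaluation
# as a host function, a checker returning the exact disagreement region,
# and a reflection inference rule as the only way to build a Theorem.
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Not:
    arg: "Term"

@dataclass(frozen=True)
class BinOp:
    op: str  # "and", "or" or "iff"
    left: "Term"
    right: "Term"

Term = Union[Var, Not, BinOp]

def free_vars(t: Term) -> FrozenSet[str]:
    """Decompose a term by matching on its constructors."""
    if isinstance(t, Var):
        return frozenset([t.name])
    if isinstance(t, Not):
        return free_vars(t.arg)
    return free_vars(t.left) | free_vars(t.right)

def evaluate(t: Term, env: Dict[str, bool]) -> bool:
    """Execute an object-language term with host-language Booleans."""
    if isinstance(t, Var):
        return env[t.name]
    if isinstance(t, Not):
        return not evaluate(t.arg, env)
    left, right = evaluate(t.left, env), evaluate(t.right, env)
    return {"and": left and right, "or": left or right, "iff": left == right}[t.op]

def splice(template: Term, holes: Dict[str, Term]) -> Term:
    """Antiquotation: fill '^name' holes of a quoted template with terms
    computed at the meta level (the '^' naming convention is an assumption)."""
    if isinstance(template, Var):
        return holes.get(template.name, template)
    if isinstance(template, Not):
        return Not(splice(template.arg, holes))
    return BinOp(template.op, splice(template.left, holes), splice(template.right, holes))

def disagreement(impl: Term, spec: Term) -> List[Tuple[Tuple[str, bool], ...]]:
    """Checker stand-in: every input assignment on which impl and spec differ.
    Exhaustive enumeration replaces STE's symbolic computation; an empty list
    means the check passed, otherwise the list is the failure feedback."""
    names = sorted(free_vars(impl) | free_vars(spec))
    region = []
    for values in product([False, True], repeat=len(names)):
        env = dict(zip(names, values))
        if evaluate(impl, env) != evaluate(spec, env):
            region.append(tuple(env.items()))
    return region

@dataclass(frozen=True)
class Theorem:
    statement: Term  # built only by the inference rule below

def by_checking(impl: Term, spec: Term) -> Theorem:
    """Reflection rule for checker results: an empty disagreement region
    justifies the theorem |- impl <-> spec for all inputs."""
    region = disagreement(impl, spec)
    if region:
        raise ValueError(f"counterexamples: {region}")
    return Theorem(BinOp("iff", impl, spec))

def mux_example():
    """Verify a 2:1 multiplexer against a spec built by antiquotation and
    report the disagreement region for a broken variant of it."""
    s, a, b = Var("s"), Var("a"), Var("b")
    # Quoted template (~sel \/ hi) /\ (sel \/ lo) with holes for the signals.
    template = BinOp("and", BinOp("or", Not(Var("^sel")), Var("^hi")),
                     BinOp("or", Var("^sel"), Var("^lo")))
    spec = splice(template, {"^sel": s, "^hi": a, "^lo": b})
    good = BinOp("or", BinOp("and", s, a), BinOp("and", Not(s), b))
    buggy = BinOp("or", BinOp("and", s, a), BinOp("and", s, b))  # lost Not(s)
    return by_checking(good, spec), disagreement(buggy, spec)
```

Calling `mux_example()` yields a `Theorem` stating that the correct multiplexer is equivalent to its specification, and, for the broken variant, the three assignments on which it disagrees (all of them have `b` true and not both `s` and `a` true, i.e. the region `b /\ ~(s /\ a)`). A symbolic engine such as STE would return that region as an expression over the inputs rather than as a list; the point the model preserves is that the checker's verdict, the term it was asked about, and the theorem derived from it are all values of the same host language, so no separate object-language evaluator is needed.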
Similar references
A short introduction to two approaches in formal verification of security protocols: model checking and theorem proving
In this paper, we briefly review two formal approaches to the verification of security protocols: model checking and theorem proving. Model checking is based on studying the behavior of protocols by generating all the different behaviors of a protocol and checking whether the desired goals are satisfied in all instances or not. We investigate Scyther operational semantics as an example of this...
Integrating Model Checking and Theorem Proving for Relational Reasoning
We present Prioni, a tool that integrates model checking and theorem proving for relational reasoning. Prioni takes as input formulas written in Alloy, a declarative language based on relations. Prioni uses the Alloy Analyzer to check the validity of Alloy formulas for a given scope that bounds the universe of discourse. The Alloy Analyzer can refute a formula if a counterexample exists within ...
Integrating LTL Model Checking with Automated Theorem Proving
Theorem proving is a general-purpose verification technique that typically needs to be guided by human insight, whereas model checking works in the more constrained domain of essentially finite-state systems but is largely automatic. There are several advantages to integrating the two techniques, since theorem proving can be used to compose proofs where individual steps or lemmas have been verified u...
Integrating Automated and Interactive Theorem Proving in Type Theory
We introduce an approach of integrating automated theorem proving techniques into the interactive theorem prover Agda. Our approach is generic and flexible, and can be combined with dependently typed programming. We have implemented the special cases of SAT solving and CTL model checking. The tool has been used for verifying the correctness of railway interlocking systems.
A Methodology for Large-Scale Hardware Verification
We present a formal verification methodology for datapath-dominated hardware. This provides a systematic but flexible framework within which to organize the activities undertaken in large-scale verification efforts and to structure the associated code and proof-script artifacts. The methodology deploys a combination of model checking and lightweight theorem proving in higher-order logic, tightly...
Publication date: 2004