and a bit-vector is defined as ..... repeating the most significant bit of the given bit vector: ..... Tutorial on Formal. Specification and. Verification. Using PVS. NASA.
NASA
Technical Memorandum
A Bitvectors
Library
110274
For PVS
Ricky W. Butler Paul S. Miner Langley
Research
Center,
Mandayam K. Srivas SRI International, Memlo Dave
Hampton,
Park,
California
A. Greve
Steven Rockwell
P. Miller Collins,
Cedar Rapids,
August
1996
National
Aeronautics
and
Space Administration Langley Research Center Hampton, Virginia 23681-0001
Virginia
Iowa
Contents 1
Introduction
3
2
Fundamental
3
Natural
4
Bitwise
5
Bitvector
Concatenation
6
6
Extraction
Operator
7
7
Shift
8
Bitvector
Rotation
9
Zero
Sign-Extend
Definition Number
Operations
Operations
10 Theorems 11 2's
Interpretations
Logical
and
on
of a Bitvector on
4
Bitvectors
5
Bitvectors
8
Operators Concatenation
Interpretations
9 and
Extraction
of a Bitvector
12
Definition
of Arithmetic
12.2
Arithmetic
Properties
12.3
Theorems
about
13 Overflow
10 11
Arithmetic
12.1
14 Library
3
8
Involving
Complement
12 Bitvector
of a Bitvector
Operators of Shifting
2's Complement
....................... ........................ Arithmetic
12 13
..................
14 15
Organization
15
1
Introduction
The
method
any
hardware
bits.
The
circuit
used for specifying verification.
ordered
design
integers,
set of bits
automatically
characters,
for these
interpretations. to bv in order
The mind:
bitvectors
functions
that
is simple
library
particular
should
provide
object,
that
for PVS
interpret
library
without
new axioms.
a complete
implementation
should
imposing
be accessible • The
without
library
should
Similar
libraries
have
theorem
prover
[7] and
The
be
set
used.
bitvectors
organized
a heavy being facilitate
constructed
the
Cambridge is available
called
reader
of a
2's complement explicitly
account
say bv2nat,
bv2nat
must
be
goals
in
(bv).
[1, 2, 3, 4, 5, 6] with
on bitvectors
In this way the
of operators Thus,
form same.
In other
exposed the
must
to
usually
a human
a function, i.e.
l's,
numbers,
model
operate
several
should
that
connection
be defined
via the
World
that
(e.g.,
the type
a list form),
a variety parts
hide
bitvector
the
of hardware,
of the
library
design
tools.
should
definitions.
other
Order
will be consistent
of the
form
specific
to different
for many Higher
definition
supports
words,
to extraneous
library
on bit-vectors
if the
to another
in a manner
overhead.
been
library
and
is fundamental
reusable.
were change from its current functional interface to the user would remain the The
a formal
number,
developed
and
Although as natural
if bv is a bitvector,
it to a natural
not introduce
bitvector
bitvectors
device
set of O's and
to as a bitvector.
encoded
has been
common
lines of a hardware
of an ordered
these
For example,
The library should if PVS is consistent. The
other
data
consist
is referred
to convert
library
in a manner
parallel
lines
"interprets"
or some
applied
All of the
the
These
hardware
systems
Logic Wide
including
(HOL) Web
system
the
Boyer-Moore
[8].
at
http://atb-www.larc.nasa.gov/ftp/larc/PVS-library/ in the
2
file bitvectors.chap.
Fundamental
There
are
several
candidates
Definition
methods
one
could
use
of a Bitvector to define
are:
• a list of bits • a finite • a function
sequence from
of bits {0,1,2,
..,N- 1} into
{0,1 }.
3
a bitvector
in PVS.
Three
reasonable
The
third
method
has been
used
in this library.
A bit is defined
as:
bit : TYPE = {n: nat I n bit]
the
specified
is defined
type using
below(i):
bvec the
is a function type
below
from
which
TYPE = {s: nat
below(N)
is predefined
into
the
basic
theory
in the
The PVS
domain
prelude
of the
function
is
as:
I s < i}
The symbol N is a constant natural number imported
to bit.
using
PVS's
representing the length of the bitvector. It is theory
parameterization
capability:
by [N : nal;]: THEORY BEGIN bit
: TYPE = {n: nat
bvec END by
I n bit]
This definition concatenation A bitvector
allows the use of empty bitvectors, operators defined in a subsequent of length N is defined as follows:
which section.
is primarily
useful
when
using
the
bv: VAR bvec[N] and the ith bit can be retrieved in two ways: bv(i) or bv'i. advantage
that
it is implementation
^(by: bvec, (i: below(N))):
3
Natural
Number
A bitvector is interpreted This function is defined
independent.
The
A operator
The lattermethod is defined
has the
as follows:
bit = by(i)
Interpretations
as a natural as follows:
number
bv_nat [N: nail : THEORY BEGIN IMPORTING bv[N], exp2
4
through
of a Bitvector use
of a function
named
bv2nat.
bv2nat_rec(n: upto(N), IF n = 0 THEN 0 ELSE exp2(n-1) ENDIF MEASURE
exp2
* bv*(n-l)
is the power
bv2nat
nat
+ bv2naZ_rec(n
: below(exp2(N))
=
- 1, bv)
function
contained
in the
function
bv2nat__rec.
posnat
returns
type
= bv2nat_rec(N,
by)
of 2 function defined in the exp2
exp2(n: na_c): RECURSIVE MEASURE n The
KECURSIVE
n
bv2nat (bv:bvec)
where
bv:bvec):
= IF n = 0 THEN
a natural
of the
function
The
function
number
a. The
that
bv2nat
bv2nat__rec
theory:
I ELSE
is less
2 * exp2(n
than
2 N.
function
is defined
is equivalent
to
- I) ENDIF
Note
that
in terms
this
fact
is
of a recursive
n--1
bv)
bv2nat_rec(n,
Note bit
that
this
is the
most
The
bv2nat
bv2nat_bij and
Thus,
function
0th
is bijective
: THEOREM
that
the
bitwise
: THEOREM
logical
bit
is the
(i.e.
is a one-to-one
least
significant
bit
and
the
N-1
exists:
: bvec
= inverse(bv2nat)
bv2nat(nat2bv(val))=
Logical operations
correspondence):
bijective?(bv2na_)
:below(exp2(N)))
Bitwise
_ Tbv^i i=0
bit.
the following relationship exists between
bv2nat_inv
The
designates
significant
thus an inverse function nat2bv
na_2bv(val
4
definition
=
these functions: val
Operations on
bitvectors
are
(val)
on defined
Bitvectors in the
bv
bitwise
theory
as follows:
1The PVS system provides a powerful type theory that is heavily exploited in this library. We have deliberately packed as much information as possible into the types of the functions. This provides two major benefits: (1) The information is automatically available in proofs, and (2) many theorems can be stated concisely, without explicit contraints.
i: VAR
below(N)
OR(bvl,bv2:
bvec[N])
: bvec
=
(LAMBDA
i: bvl(i)
OR bv2(i));
AND(bvl,bv2:
bvec[N]):
bvec
= (LAMBDA
i: bvl(i)
AND bv2(i))
;
IFF(bvl,bv2:
bvec[N]):
bvec
= (LAMBDA
i: bvl(i)
IFF bv2(i))
;
: bvec
=
(LAMBDA
i: NOT
bvec
=
(LAMBDA
i: XOR(bvl(i),bv2(i)))
NOT(by:
bvec[N])
XOR(bvl,bv2:
bvec[N]):
bv(i))
;
;
Ifthe user wishes to avoid the use of the underlying bitvector implementation, the following lemmas can be used rather than expanding these functions: by, bvl,
by2:
VAR bvec[N]
by_OR
: LEMMA
(bvl OR bv2)'i
by_AND
: LEMMA
(by1
AND
bv2)^i
=
(bvl'i
AND
bv2"i)
bv_IFF
: LEMMA
(bvl
IFF bv2)^i
=
(bvl"i
IFF
bv2Ai)
bv_XOR
: LEMMA
XOR(bvl,bv2)^i
by_NOT
: LEMMA
(NOT bv)^i
5
Bitvector
The
(bvl'i
OR bv2-i)
= XOR(bvlAi,bv2-i)
= NOT(by'i)
Concatenation
concatenation bv_concat
=
operator In:nat,
o on bitvectors
is defined
in the
bv_concat
theory
as follows:
re:nat ]: THEORY
BEGIN
o(bvn:
bvec[n], (LAMBDA
bvm:
bvec[m]):
(nm: below(n÷m)):
bvec[n+m] IF nm< ELSE
= m THEN
bvn(nm
bvm(nm)
- m)
ENDIF)
The
result
bitvector which
of concatenating of length
establish
bv_concat_lems.
that
n+m. the
a bitvector The triple
of length
n with
bitvector
is the
zero-length (bvec,
o,
null_by)
a bitvector identity.
is a monoid,
of length The
are
m is a new
following proved
theorems,
in the
theory
null_by: bvec[O] _ zero-length bit-vector concaZ_iden_izy_r
: LEMMA
concaZ_idenZity_l
: LEMMA
(FORALL
(n: nat),
(bvn:bvec[n]):
bvn
o null_by
= bvn)
(FORALL
(n: nat),
null_by
concat_associative
: LEMMA
(FORALL
(bvn:bvec[n]):
o bvn
(m,n,p:
= bvn)
nat),
(bvm:bvec[m]),
(bvn:bvec[n]), (bvm o bvn) The
bv_concat_lems
theory
not_over_concat
:
(FORALL
shows
that
NOT distributes
the
result
of applying
bv2nat
bvn:
VAR
bvec[n]
bvm:
VAR
bvec[m]
nm:
VAR
over
the
(n: nat),
(a,b: bvec[n]):
(a o b))
o operator
to a concatenated
: THEOREM
Extraction
The operator tions.
"(i
,j)
bvec[N],
(LAMBDA
the
a bitvector For
and
a) o
a lemma
(NOT b))
bvconcat2nat
that
provides
bv2naZ [n+m] (bvn o bvm)
extracts
sp:[il:
definition
is the
by'(4,2)
=
below(N),
fragment
upto(il)]):
formidable,
N. The
bitvector
(v,w,x).
* exp2(m)
+ bv2nat[m]
by
second = of
(bvm)
between
two
given
posi-
bvec[proj_l(sp)-proj_2(sp)+l]
=
+ I)):
;
the behavior
argument
(t,u,v,w,x,y,z) length
of a bitvector
- proj_2(sp)
+ proj_2(sp)))
looks
suppose
by'(4,2)
a contiguous
(ii: below(proj_l(sp)
of length
example,
(bvn)
Operator
bv(ii
Although
= (NOT
o bvp))
bitvector:
= bv2nat[n]
"(by:
(bvn
below(n+m)
bvconcat2nat
6
o
not_over_concat
(NOT
that
= bvm
a lemma
also provides
LEMMA
o bvp
(bvp:bvec[p]):
3 that
is quite
designates with contains
the z the
as
simple. subfield
the bits
first
that
least 4,
The
is to be extracted.
significant
3 and
argument
2.
In
bit.
Then,
other
words,
is
7
Shift
The
left
Operations
and
shift
on
operations
right_shift(i: nat, IF i = 0 THEN by
on a bitvector bv:
bvec[N]):
ELSIF i < N THEN bvecO[i] ELSE bvecO[N] ENDIF
left_shift(i: nat, IF i = 0 THEN bv
bv:
right_shift
bvec[N]
bvec[N]):
operation
are defined
o bv'(N-1,
ELSIF i < N THEN bv'(N-i-l, ELSE bvecO[N] ENDIF
The
Bitvectors
shifts
as follows:
=
i)
bvec[N]
=
O) o bvecO[i]
a bit vector
by a given
filling O's in the shifted bits. The left_shift operation of positions to the left, filling O's in the shifted bits.
8
Bitvector
The rotation
IF
on a bitvector
upto(N),
(k = O) 0R
ELSE
bv'(k-l,0)
bv:
The
bv'(N-k-l,
following
lemmas
rotate_right_lem
o bv^(N-l,
a bit vector
to the
by a given
right,
number
: LEMMA
bvec[N]
theory
as follows:
=
k) ENDIF
bvec[N]): by
the fields
: LEMMA
in the by_rotate
by
O) o bv^(N-I,N-k)
relate
defined
bvec[N]):
bvec[N]
=
ENDIF
of the
rotated
bitvector
rotate_right(k,bv)^i IF
rotate_left_lem
are
(k = N) THEN
rotate_left(k: upto(N), bv: IF (k=O) OR (k = N) THEN ELSE
shifts
of positions
Rotation
operations
rotate_right(k:
number
the
original
bitvector:
=
i+k < N THEN
bv-(i+k)
rotate_left(k,bv)-i IF i-k
with
ELSE
bv'(i+k-N)
ENDIF
=
>= 0 THEN
bv'(i-k)
ELSE
bv^(N+i-k)
ENDIF
The l-bitrotation functions are defined in terms of these as follows: ro:_rl(bv:
rot_ll
bvec [N] ) : bvec [N] = rotate_right
(by : bvec [N] ) : bvec [N] = rotate_left
The rotate_right (I ,by) and rotate_left of rot_rl and roZ_ll as follows:
(I ,by)
(1,bv)
(I ,bv) functions can also be expressed
in terms
iterate_rot_rl
: LEMMA iterate(rot_rl,k)(bv)
= rotate_right(k,bv)
iterate_rot_t1
: LEMMA
= rotate_left(k,bv)
where
is defined
iterate
iterate(rot_ll,k)(bv)
in the
function_iterate[T:
PVS
prelude
as follows:
TYPE] : THEORY
BEGIN f: VAR m, n: x:
[T -> T] VAR
nat
VAR T
iterate(f,
n)(x):
IF n = 0 THEN MEASURE
END
9 the
and
bits
Sign-Extend
operator with
zero_extend(k: (LAMBDA
repeating
the most
sign_extend(k: (LAMBDA
expands
above(N)): bv:
sign_extend_lem
These The
higher-order
of length
N into
a bitvector
of length
k filling
[bvec[N]
-> bvec[k]]
=
o by)
interpretation reinaJns the same:
: THEOREM
operator
bv2nat [k] (zero_extend(k)
returns
a function
(by)) = bv2nat(bv)
that extends
a bit vector
to length
significant bit of the given bit vector: above(N)) by:
: [bvec[N]
IF by(N-l) ELSE
2's complement
Operators a bit-vector
bvec0[k-N]
the natural number
sign_extend
The
ENDIF
zeros:
zero_extend_lem
The
n-1)(f(x))
n
zero_extend upper
Thus,
T =
iterate(f,
function_iterate
Zero
The
RECURSIVE x ELSE
=
i THEN
bvec0[k-N]
bv2int
bvecl[k-N]
o bv
the same:
[k] (sign_extend(k)
functions are defined in the theory
following useful theorem
=
o by ENDIF)
interpretation remains
: THEOREM
-> bvec[k]]
has been
proved
(by))
= bv2int
(by)
bv_extend.
about
the sign_extend
function:
k
by
.
sign_to_zero
: THEOREM
sign_ex%end(k)(bv) IF bv(N-1)
=
= i THEN
NOT(zero_ex%end(k)(NOT(bv)))
ELSE zero_extend(k)(bv) ENDIF
A function
is also defined
zero_ex%endlsend
vector to length k by padding interpretation of the argument zero_extend_isend(k: (LAMBDA
bv:
zero_extend_Isend:
O's at the least significant increases by :2(k-N).
above(N)) bv
to return
: [bvec[N]
function,
lsb_extend,
k by repeating
the
significant
The
lemmas
10
The
above(N)): by:
about
the
Theorems tion following
properties
bvn:
VAI{ bvec
In]
bvm:
VAR bvec
[m]
returns bit
[bvec[N] = 0 THEN
o bvecl[k-N]
functions
bv
are
Involving
of " and
bv2nat
a bit vector significant
=
ENDIF)
proved
in the
theory
bv_extend_lems.
Concatenation
o are
proved
in the
± < m IMPLIES
caret_concat_top
: THEOREM
i
>= m AND j (bvn
to length
end.
o bvecO[k-N]
: THEOREM
: THEOREM
extends
at its least
-> bvec[k]]
IF bv'O by
that
bit vector
caret_concat_boZ
caret_concat_all
is, the
* exp2(k-N)
a function
of the
ELSE
extend
That
a bit
bv2nat(zero_ex%end_isend(k)(bv))
A higher-order
(LAMBDA
of bvec.
extends
-> bvec [k]] =
= bv2nat(bv)
isb_exZend(k:
end
that
o bvecO[k-N])
THEOREM
least
a function
theory
(bvn
j
by_manipulations:
o bvm)'(i,j)
= bvm'(i,j))
= bvn'(i-m,
j-m))
< m IMPLIES
(bvn o bvm)'(i,j) bv_decomposition
: THEOREM
bvn'(n-l,k+l)
concat_bottom
: THEDP_EM
(bvn o bvm)^((m-1),
concat_top
: THEOREM
(bvn
= bvn^(i-m,O)
o bvn'(k,O)
o bvm)^((n+m-l),
I0
Extrac-
>= m IMPLIES
o bvm)'(i,j)
i >= m AND
and
= bvn
0) = bvm
m) = bvn
o bvm'(m-l,j)
)
The
first
part
to be extracted
two
theorems
caret_concat_zll
moves
similar
to
11
2's
The
the
first
from
defined
in the
The
except
bv
constants
to
one within
the
±nt
theory.
are
defined
in_
= -exp2(N-l)
maxint:
inz
=
the
parts
involves
of a bitvector -
1.
The
basic
to represent
exp2(N-1)
in_rng_2s_comp(i:
int):
= i: int
TYPE
Ts complement
of length for
minimum
and
bool
=
(minint
] mininz
bv2int
) over
smaller
bitvectors
from
constants " and
operations
sign extend
o on bitvectors
bit-wise
logical
operations
operations
extend
operations
interpretation to top
bitvectors
" that
bitvector
about
bvec
" operator
logical
zero
+ -
concerning
bit-wise
type
number
(i.e.
about
lemmas
defines
of the
definition
bvec
of a bitvector
bits
chain
is shown
in figure
Rushby,
J.M.:
The
1.
References [1] Owre,
S.;
Shankar,
Release).
[2] Owre,
[3] Shankar,
[4] Owre,
N.;
N.; Owre,
Sam;
S.; and
Rushby,
John;
on Software Natarajan;
Laboratory,
SRI
Owre,
Sam;
International,
Using
Ricky PVS.
W.: NASA
An
Menlo
Elementary
Technical
Menlo
Guide
for
Proof
Natarajan;
and
Park,
John: CA,
yon
to the
Feb.
Memorandum
on Formal 108991,
16
1993.
Sept.
Also
1993.
and
Manual CA,
Feb.
Formal
of PVS.
IEEE
107-125. Computer appears
Methods,
Specification
Park,
Friedrich:
Design pp.
1993.
International,
A Reference
Tutorial.
Formal
(Beta
Feb.
Specification
Menlo
1995,
CA,
SRI
Henke,
PVS
Industrial-Strength
Tutorial
PVS
Checker:
Prolegomena
Rushby,
the
SRI International,
Language
Park,
Laboratory,
vol. 21, no. 2, Feb.
and '93:
Specification
Science
The PVS
Architectures: Engineering,
Notes, Formal Methods Europe Odense, Denmark, April 1993. [6] Butler,
J. M.:
Laboratory,
; Shankar,
for Fault-Tolerant
User
Computer
Science
PVS
SRI International, J. M.:
Rushby,
Computer
Rushby,
Transactions [5] Shankar,
and
Laboratory,
System (Beta Release). CA, Feb. 1993.
Release).
Verification
and
Science
S.; Shankar,
Verification Menlo Park,
(Beta 1993.
N.;
Computer
in Tutorial
pages
and
Science 357-406,
Verification
larger
I
I bv_bi_ise
I
[
I
bv_extractors
[
J
by_f tact
[ bv_mt
by_shift
by exu'actors_lems
bv_rotate
]
I
I I
bv_arithmetic
,11
I I bv-bitwiseJems I
I bv-°vem°w Figure
[7] Hunt, Austin, [8] Wong,
Jr.,
Warren
Technical W.:
and
1: Importing
A.: report,
Modeling
! by_extend lemsJ
I
FM8501: 1985.
Proving
B.C.,
vol. 780 of Lecture
of Bitvectors
Verified
in HOL:
its Applications: Notes
A Technical
Bit Vectors
orem
Structure
Microprocessor.
Report the
word
6th International
in Computer
Science,
17
Library
University
of Texas
at
ICSCA-CMP-47. Library.
In Higher
Order
Workshop
(HUG'93),
pp. 371-381.
Springer
Logic
The-
Vancouver, Verlag,
1994.
I
REPORT
DOCUMENTATION
PAGE
Fo,_ Approved OMB No. 0704-0188
Public re!_:ltting burOe_ for this ¢ollectto_ o1=ntormat,_n Is est,'llateo to average 1 hour per response, inclt_lm.g the lime Ior rewew,"_g ,'lstruct=ons. searcfting existing data sources. gathenng anti maintaining 1he data nee_e(:l, and ¢oml_eting an(:lrewewing the collection of inlormalion. Send comments regarding this I::)utOe_est_mate or any other aspe¢'l ol _is ¢ollecbon of information, inctu0ing su_)est,_s for reducing this buraen, to Washington Hea0Quarters Serv_.es. Directorate for Information Operat=ons and Reports. 1215 Jefferson Daws H_ghway. Suwte 1204. Arlington. VA 22202-4302. and to the Office ot Management an= Buclget. Paperwork Re(:lucllon Protect (0704-0188). washington. DC 20503. 1. AGENCY
USE
ONLY
(Lure
b/ank)
2. REPORT
DATE
3.
August 1996 4. TITLE
AND
REPORT
TYPE
AND
DATES
COVERED
Technical Memorandum
SUBTITLE
5.
A Bitvectors Library For PVS
FUNDING
NUMBERS
WU 505-64-10-13
6. AUTHOR(S)
Ricky W. Butler, Paul S. Miner, Mandayam Steven P. Miller
K. Srivas, Dave A. Greve, and
7. PERFORMINGORGANIZATIONNAME(S)AND ADDRESS(ES) National
Aeronautics
Langley
Research
Hampton,
VA
and Space
8.
Administration
PERFORMING ORGANIZATION REPORT NUMBER
Center
23681-0001
9. SPONSORING/MONITORING AGENCY NAME(S)AND ADDRESS(ES)
10.
SPONSORING/MONITORING AGENCY
National
Aeronautics
Washington,
11.
D.C.
SUPPLEMENTARY
and Space
Administration
DISTRIBUTION
NUMBER
NASA TM-110274
20546-0001
NOTES
Butler: Langley Research Center; Miner: Collins; and Miller: Rockwell Collins. 12a.
REPORT
I AVAILABILITY
Langley Research Center; Srivas:
STATEMENT
SRI International; Greve:
12b.
DISTRIBUTION
Rockwell
CODE
Unclassified-Unlimited Subject Category 62
13.
ABSTRACT
(Maxz_num
200 words)
This paper describes a bitvectors library that has been developed for PVS. The library defines a bitvector as a function from a subrange of the integers into {0,1 }. The library provides functions that interpret a bitvector as a natural number, as a 2's complement number, as a vector of logical values and as a 2's complement fraction. The library provides a concatenation operator and an extractor. Shift, extend and rotate operations are also, defined. Fundamental properties of each of these operations have been proved in PVS.
14.
SUBJECT
TERMS
15.
Hardware Verification, Formal Verification.
Bitvectors,
Formal Methods, and
NUMBER
OF
PAGES
18 16.
PRICE
CODE
A03 17.
SECU_IIY OF
CLASSIFICATION
REPORT
Unclassified NSN
7540-01-280-5500
18.
SECURITY CLASSIFICATION OF THIS PAGE
19.
SECURITY
CLASSIFICATION
20.
UMITATION
OF ABSTRACT
OF ABSTRACT
Unclassified
Stondlrd Form 298 (Rev. 2-89) Prescnoeo by ANSI SIo Z39-lB 296102
