# Getting Started with Uclid5 Alpha release, version 0.8

Pramod Subramanyan and Sanjit A. Seshia  $\{spramod, sseshia\}$  @eecs.berkeley.edu

January 2018

## **Contents**

| 1. | Introduction 5 |                                                |    |  |  |  |
|----|----------------|------------------------------------------------|----|--|--|--|
|    | 1.1.           | Getting Started: A Simple UCLID5 Model         | 5  |  |  |  |
|    | 1.2.           | Installing UCLID5                              | 7  |  |  |  |
|    |                | 1.2.1. Prerequisites                           | 7  |  |  |  |
|    |                | 1.2.2. Detailed Installation Instructions      | 8  |  |  |  |
|    |                | 1.2.3. Running UCLID5                          | 8  |  |  |  |
|    | 1.3.           | Looking Forward                                | 9  |  |  |  |
| 2. | Basi           | ics: Types and Statements                      | 10 |  |  |  |
|    | 2.1.           | Types in UCLID5                                | 10 |  |  |  |
|    | 2.2.           | Statements in UCLID5                           | 10 |  |  |  |
|    |                | 2.2.1. For Loops                               | 12 |  |  |  |
|    |                | 2.2.2. If and Case Statements                  | 12 |  |  |  |
|    |                | 2.2.3. Expressions                             | 12 |  |  |  |
|    | 2.3.           |                                                | 12 |  |  |  |
|    |                | 2.3.1. Initialization                          | 12 |  |  |  |
|    |                | 2.3.2. Next State Computation                  | 12 |  |  |  |
|    |                | 2.3.3. Verification                            | 13 |  |  |  |
|    |                | 2.3.4. Running UCLID5                          | 13 |  |  |  |
| 3. | Veri           | ification Techniques                           | 14 |  |  |  |
|    | 3.1.           | Inductive Proofs                               | 14 |  |  |  |
|    |                | 3.1.1. Debugging Counterexamples               | 14 |  |  |  |
|    |                | 3.1.2. Inductive Proof for the Fibonacci Model | 16 |  |  |  |
|    | 3.2.           |                                                | 17 |  |  |  |
|    |                | 3.2.1. Embedded assume and assert statements   | 17 |  |  |  |
|    |                | 3.2.2. Running UCLID5                          | 18 |  |  |  |
|    | 3.3.           | Future Directions                              | 19 |  |  |  |
| 4. | Com            | npositional Modeling and Abstraction           | 20 |  |  |  |
|    |                | •                                              | 20 |  |  |  |
|    | 4.2.           |                                                | 20 |  |  |  |
|    |                | 1                                              | 22 |  |  |  |
|    |                | , r                                            | 22 |  |  |  |
|    | 4.3.           |                                                |    |  |  |  |
|    |                |                                                | 24 |  |  |  |

## Contents

|    | 4.4. | Module Instantiation and Scheduling           | 24 |
|----|------|-----------------------------------------------|----|
|    |      | 4.4.1. Accessing Instance Variables           | 24 |
|    | 4.5. | Running UCLID5                                | 24 |
|    |      | 4.5.1. Exercise: Inductive Proof of CPU model | 24 |
| Α. | Арр  | endix: Uclid5 Grammar                         | 26 |
|    | A.1. | Grammar of Modules and Declarations           | 26 |
|    | A.2. | Statement Grammar                             | 28 |
|    | A.3. | Expression Grammar                            | 29 |
|    | A.4. | Types                                         | 30 |
|    | A.5. | Control Block                                 | 31 |
|    | A.6. | Miscellaneous Nonterminals                    | 31 |

## List of Uclid5 Examples

| 1.1. | A UCLID5 model that computes the Fibonacci sequence        | 6  |
|------|------------------------------------------------------------|----|
| 2.1. | Model of a simple ALU                                      | 11 |
| 3.1. | UCLID5 Fibonacci model using induction in the proof script | 14 |
| 3.2. | UCLID5 Fibonacci model with induction and print_cex        | 15 |
| 3.3. | Inductive proof for the Fibonacci model                    | 17 |
| 3.4. | Revisiting the Fibonacci model from Example 1.1            | 18 |
| 4.1. | Module common of the CPU model                             | 20 |
| 4.2. | Variable and Procedure Declarations of the cpu module      | 21 |
| 4.3. | init and next blocks of the cpu module                     | 22 |
| 4.4. | Module main in the CPU model                               | 23 |

## 1. Introduction

UCLID5 is a software toolkit for the formal modeling, specification, verification, and synthesis of computational systems. The UCLID5 toolchain aims to:

- 1. Enable compositional (modular) modeling of finite and infinite state transition systems across a range of concurrency models and background logical theories;
- 2. Verification of a range of properties, including assertions, invariants, and temporal properties, and
- 3. Integrate modeling and verification with algorithmic and inductive synthesis.

UCLID5 draws inspiration from the earlier UCLID system for modeling and verification of systems [2, 1], in particular the idea of modeling concurrent systems in first-order logic with a range of background theories, and the use of proof scripts within the model. However, the UCLID5 modeling language and verification capabilities go beyond the original modeling language, and the planned integration with synthesis is novel.

This document serves as introduction to the UCLID5 modeling language and toolchain. With the UCLID5 system under active development, we expect this document to undergo several changes as the system and its applications evolve.

## 1.1. Getting Started: A Simple Uclid5 Model

A simple UCLID5 module that computes the Fibonacci sequence is shown in Example 1.1. We will now walk through each line in this model to understand the basics of UCLID5.

The top-level syntactic structure in UCLID5 is a module. All modeling, verification and synthesis code in UCLID5 is contained within modules. In Example 1.1, we have defined one module named main. This module starts on line 1 and ends on line 18. The module can be conceptually split into three parts: a system model, a specification and proof script.

In the example, these three conceptual parts are also kept separate in the code.<sup>1</sup> The following subsections will describe each of these sections of the module.

<sup>&</sup>lt;sup>1</sup>This is not required by UCLID5 syntax, as invariant declarations and assumptions can be interleaved with init, next, var declarations as well other types of declarations. However, keeping these conceptually different parts separate is good design practice. UCLID5 does require that if a control block is specified, then it is the very last element of a module.

```
1 module main {
    // Part 1: System description.
2
    var a, b : integer;
3
4
     init {
5
       a = 0;
6
       b = 1;
8
9
    next {
10
      a, b = b, a + b;
11
     // Part 2: System specification.
13
     invariant \ a\_le\_b\colon \ a <= \ b\,;
14
15
    // Part 3: Proof script.
16
     control {
17
       unroll (3);
18
       check;
19
20
       print_results;
21
22 }
```

Example 1.1.: A UCLID5 model that computes the Fibonacci sequence

## The System Model

This part of a UCLID5 module describes the functionality of the transition system that is being modeled: it tells us what the system does.

The first item of interest within the module main are *state variables*. These are declared using the var keyword. The module main declares two state variables: a and b on line 2. These are both of type integer, which corresponds to mathematical integers.<sup>2</sup>

The init block appears next and spans lines 4 to 7. It defines the initial values of the state variables in the module. We see that a is initialized to 0 while b is initialized to 1.

The next block appears after this and it defines the transition relation of the module. In the figure, the next statement spans from lines 8 to 10; a is assigned to the (old) value of b, while b is assigned to the value a + b.

## The System Specification

The specification answers the question: what is the system supposed to do?.

In our example, we have a single invariant that comprises that entire specification. Line 12 defines this invariant. It is named a\_le\_b and as the name suggests, it

 $<sup>^{2}</sup>$ Mathematical integer types, as opposed to the machine integer types present in languages like C/C++ and Java, do not have a fixed bit-width and do not overflow.

states that a must be less than or equal to b for every reachable state of the system.

#### The Proof Script

The third and final part of the UCLID5 module is a set of commands to the UCLID5 verification engine. These tell how we should go about proving<sup>3</sup> that the system satisfies its specification.

The proof script is contained within the control block. The commands here execute the system for 3 steps and check whether all of the systems properties (in this case, we only have one invariant: a\_le\_b) are satisfied for each of these steps.

The command unroll executes the system for 3 steps. This execution generates four proof obligations. These proof obligations ask whether the system satisfies the invariant a\_le\_b in the initial state and in each of the 3 states reached next. The check command checks whether these proof obligations are satisfied and the print\_results prints out the results of these checks.

## 1.2. Installing Uclid5

Public releases of the UCLID5 can be obtained at: https://github.com/uclid-org/uclid/releases. For the impatient, the short version of the installation instructions is: download the archive with the latest release, unzip the archive and add the 'bin/' subdirectory to your PATH.

More detailed instructions for installation are as follows.

## 1.2.1. Prerequisites

UCLID5 has two prerequisites.

- 1. UCLID5 requires that the Java<sup>TM</sup> Runtime Environment be installed on your machine. You can download the latest Java Runtime Environment for your platform from https://www.java.com.com.
- 2. UCLID5 uses the Z3 SMT solver. You can install Z3 from: https://github.com/Z3Prover/z3/releases. Make sure the 'z3' or 'z3.exe' binary is in your path after Z3 installed. Also make sure, the shared libraries for libz3 and libz3java are in the dynamic library load path (LD\_LIBRARY\_PATH on Unix-like systems).

UCLID5 has been tested with Java<sup>TM</sup> SE Runtime Environment version 1.8.0 and Z3 versions 4.5.1 and 4.6.0.

<sup>&</sup>lt;sup>3</sup>We are using a broad definition of the word "prove" here to refer to any systematic method that gives us assurance that the specification is satisfied.

#### 1.2.2. Detailed Installation Instructions

First, down the platform independent package from https://github.com/uclid-org/uclid/releases.

Next, follow these instructions which are provided for the bash shell running on a Unix-like platform. Operations for Micosoft Windows, or a different shell should be similar.

• Unzip the archive.

```
$ unzip uclid-0.8.zip.
```

- Add the uclid binary to your path.
  - \$ export PATH=\$PATH:\$PWD/uclid-0.8/bin/
- Check that the uclid works.
  - \$ uclid

This should produce output similar to the following.

```
$ uclid

Usage: uclid [options] filename [filenames]
Options:
    -h/--help : This message.
    -m/--main : Set the main module.
    -d/--debug : Debug options.

Error : Unable to find main module.
```

## 1.2.3. Running Uclid5

Invoke UCLID5 on a model is easy. Just run the uclid binary and provide the file containing the model as a command-line argument. When invoked, UCLID5 looks for a module named main and executes the commands in its control block.<sup>4</sup> If no main module is found, UCLID5 will exit with an error, as we saw in the previous section when uclid was invoked without arguments.

Example 1.1 is part of the UCLID5 distribution in the examples/tutorial/ sub-directory. You can run UCLID5 on this model as:

```
$ uclid examples/tutorial/ex1.1-fib-model.ucl
```

This should produce the following output.

```
4 assertions passed.
0 assertions failed.
0 assertions indeterminate.
```

<sup>&</sup>lt;sup>4</sup>The --main command line argument can be used to specify a different name for the "main" module.

## 1. Introduction

## 1.3. Looking Forward

This chapter has provided an brief overview of UCLID5's features and toolchain. The rest of this tutorial will take a more detailed looked at more of UCLID5's features.

## 2. Basics: Types and Statements

This chapter will provide an overview of UCLID5's type system and modelling features. Let us start with Example 2.1, a model of a simple arithmetic logic unit (ALU).

## 2.1. Types in Uclid5

Types supported by UCLID5 are of the following kinds:

- 1. integer: the type of mathematical integers.
- 2. boolean: the Boolean type. This type has two values: true and false.
- 3. by W: The family of bit-vector types parameterized by their width (W).
- 4. enum: enumerated types.
- 5. Tuples and records.
- 6. Array types.
- 7. Uninterpreted types.

An enumerated type is used in line 4 of Example 2.1. This declares a *type synonym*: cmd\_t is an alias for the enumerated type consisting of three values: add, sub and mov\_imm. The input cmd is then declared to be of type cmd\_t in line 9.

The input valid is of type boolean. Register indices r1 and r2 are bit-vectors of width 3 (bv3), while immed, result, r1val and r2val are bit-vectors of width 8 (bv8).

Line 7 declares a type synonym for a record. It declares result\_t as being a record consisting of two fields: a Boolean field valid and a bit-vector field value. The output result is declared to be of type result t on Line 13.

The final point of interest, type-wise, is line 15. The state variable regs is declared to be of type array: indices to the array are of type bv3 and elements of the array are of type bv8. This is used to model an 8-entry register file, where each register is a bit-vector of width 8.

## 2.2. Statements in Uclid5

Example 2.1 also provides examples of the most commonly used statements in UCLID5.

```
1 module main
2 {
     type \ cmd_t = enum \ \{ add, sub, mov_imm \};
3
     type result_t = record { valid : boolean, value : bv8 };
4
5
                         : boolean;
     input valid
6
     input cmd
                         : cmd_t;
     input r1, r2
                         : bv3;
8
9
     input immed
                         : bv8;
10
     output result
                         : result_t;
11
                         : [bv3]bv8;
     var regs
     var r1val, r2val : bv8;
13
     var cnt
                         : bv8;
14
15
     init {
16
       for i in range(0bv3, 7bv3) {
17
        regs[i] = 1bv8;
18
19
       cnt = 1bv8;
20
       result.value = 1bv8;
21
22
23
24
     next {
       if (valid) { // Do we have a valid command?
25
         r1val = regs[r1];
26
         r2val = regs[r2];
27
         {\it case} // {\it Case-split} on the operation to be performed.
28
                             : \{ \operatorname{regs}[r1] = r1val + r2val; \}
            (cmd = add)
29
            (cmd = sub)
                                : \{ regs[r1] = r1val - r2val; \}
30
            (cmd = mov_imm) : \{ regs[r1] = immed; \}
31
32
         _{\rm esac}
33
         result.valid = true;
         result.value = regs[r1];
34
       } else {
35
         result.valid = false;
36
37
       // This code is only for testing this module.
38
       \mathrm{cnt} \, = \, \mathrm{cnt} \, + \, \mathrm{cnt} \, ;
39
     }
40
41
     // Specification.
42
                                    (r1 = 0bv3 \&\& r2 = 0bv3);
     assume regindex_zero:
43
     assume cmd_is_add:
                                    (cmd = add);
     assume cmd_is_valid:
                                    (valid);
45
     invariant result_eq_cnd: (cnt == result.value);
46
47
     // Proof script.
48
     control {
49
       f = unroll (5);
50
       check;
51
       print_results;
52
53
    }
54 }
```

Example 2.1.: Model of a simple ALU

#### 2.2.1. For Loops

The init block uses a for loop to initialize each value in the array regs to the bit-vector value 1. The loop iterates over the values between 0 and 7 (both-inclusive).

The range over which a for loop iterates must be defined by two numeric literals.

#### 2.2.2. If and Case Statements

Also worth pointing out are the if statement that appears on line 34, and the case statement that appears on line 38. Syntax for if statements should be familiar.

case statements are delimited by case and esac and contain within them a list of boolean expressions and associated statement blocks. These expressions are evaluated in the order in which appear, and if any of them evaluate to true, the corresponding block is executed. If none of the case-expressions evaluate to true, nothing is executed. The keyword default can be used as a "catch-all" case like in C/C++.

#### 2.2.3. Expressions

The syntax for expressions in UCLID5 is similar to languages like C/C++/Java. Index i of array regs is accessed using the syntax regs[i]. Field value in the record result is accessed as result.value.

## 2.3. Computation/Verification Model

This section briefly describes the execution semantics of Example 2.1.

#### 2.3.1. Initialization

Execution of the model in Example 2.1 starts with the init block. This block assigns initial values to regs, cnt and result.value. The other variables (e.g. r1val and r2val) are not assigned to in the init block and will be initialized non-deterministically.

## 2.3.2. Next State Computation

The next state of each state variable in the model is computed according to the next block. Any variables not assigned to in the next block retain their "old" values.

The input variables of the model are assigned (possibly different) non-deterministic values for each step of the transition system. These values can be controlled by using assumptions. Indeed, the model uses the three assumptions on lines 54, 55 and 56 to constrain the input to the ALU to always be an add operation, where both operands refer to register index 0.

<sup>&</sup>lt;sup>1</sup>1bv8 here refers to the bit-vector value 1 of width 8.

## 2.3.3. Verification

As in Example 1.1, the verification script in Example 2.1 unrolls the transition system for 5 steps and checks if the invariant on line 57 is violated in any of these steps.

## 2.3.4. Running Uclid5

Running UCLID5 on Example 2.1 produces the following output.

```
$ uclid examples/tutorial/ex2.1-alu.ucl
6 assertions passed.
0 assertions failed.
0 assertions indeterminate.
```

UCLID5 is able to prove that the invariant on line 57 holds for all states reachable within 5 steps of the initial state, under the assumptions specified in lines 54-56.

In the examples covered thus far, we have only used UCLID5 for bounded model checking of invariants. UCLID5 can also be used to do unbounded inductive proofs and also provides support for debugging counterexamples. This chapter will describe these features of UCLID5. Further features are being implemented and will be described in a future version of this document.

## 3.1. Inductive Proofs

Let us revisit the model from Example 1.1. This is now shown again in Example 3.1, but with a different proof script. Instead of using the unroll command for bounded model checking, we are using the induction command to attempt an inductive proof.

```
1 module main {
    // Part 1: System description.
    var a, b : integer;
    init {
      a = 0;
6
      b = 1;
9
    next {
10
     a, b = b, a + b;
11
    // Part 2: System specification.
13
    invariant a_le_b: a <= b;</pre>
14
15
    // Part 3: Proof script.
16
    control {
17
      induction;
18
19
      check;
       print_results;
22 }
```

Example 3.1.: UCLID5 Fibonacci model using induction in the proof script

## 3.1.1. Debugging Counterexamples

Let us try running UCLID5 on Example 3.1 with the new proof script.

```
$ uclid examples/tutorial/ex3.1-fib-induction.ucl
1 assertions passed.
1 assertions failed.
0 assertions indeterminate.
FAILED -> induction (step) [Step #1] property
a_le_b @ examples/tutorial/ex3-fib-induction.ucl, line 14
```

Uh oh, we seem to have a problem! UCLID5 is telling us that the inductive proof failed. We can try to examine why the proof failed by using the print\_cex command to examine the counterexample to the proof.

```
1 module main {
    // Part 1: System description.
     var a, b : integer;
4
     init {
5
      a = 0;
6
7
       b = 1;
8
9
    next {
10
     a, b = b, a + b;
11
12
     // Part 2: System specification.
13
     invariant a_le_b: a <= b;</pre>
14
    // Part 3: Proof script.
16
17
     control {
       vobj = induction;
18
19
       check;
20
       print_results;
21
       vobj \rightarrow print_cex(a, b);
22
    }
23 }
```

Example 3.2.: UCLID5 Fibonacci model with induction and print\_cex

The only changes between Example 3.1 and Example 3.2 are on lines 18 and 21. vobj on line 18 is a reference to the verification conditions generated by the induction command. On line 21, we pass this reference to the print\_cex command which prints out the values of a and b for the counterexample.

Running UCLID5 on Example 3.2 produces the following.

```
1 assertions passed.
1 assertions failed.
O assertions indeterminate.
 FAILED -> vobj [Step #1] property
 a_le_b @ examples/tutorial/ex3.2-fib-induction-cex.ucl,
 line 14
CEX for vobj [Step #1] property
a_le_b @ examples/tutorial/ex3.2-fib-induction-cex.ucl,
line 14
Step #0
 a : -1
 b : 0
Step #1
 a : 0
 b : -1
```

To understand the counterexample, it is helpful to review how the inductive proof engine works. When inductively proving the invariant a\_le\_b, UCLID5 considers some arbitrary state that satisfies this property, executes the next block, and checks whether a le b holds on the resultant state.

The counterexample shows us that we do start in a state where  $a \le b$  with a = -1 and b = 0. We execute the next block and now a gets the value of b, becoming 0 and b gets the value a + b, becoming -1. This new state does not satisfy the invariant!

What is the real problem here? Taking a closer look at Example 3.2, we see that this specific counterexample can never occur in our model because a and b are always  $\geq 0$ . But UCLID5 does not know this when attempting the inductive proof. Therefore, we have to strengthen the inductive argument with this information in order to help UCLID5's proof.

### 3.1.2. Inductive Proof for the Fibonacci Model

Example 3.3 shows the same model as Example 3.2, but with a stronger induction hypothesis. UCLID5's inductive engine will now start in an arbitrary state that assumes that both invariants a\_le\_b and a\_b\_ge\_0 hold and attempt to prove that both of these still hold after the next block is executed.

Let us now run UCLID5 on this new model.

```
1 module main {
    // Part 1: System description.
2
     var a, b : integer;
3
     init {
5
       a = 0;
6
       b = 1;
8
9
    next {
10
      a, b = b, a + b;
11
     // Part 2: System specification.
13
     invariant \ a\_le\_b\colon \ a <= \ b\,;
14
    invariant a_b_{ge_0}: (a >= 0 && b >= 0);
15
16
    // Part 3: Proof script.
17
     control {
18
       vobj = induction;
19
       check;
20
       print_results;
21
       vobj \rightarrow print_cex(a, b);
23
24 }
```

Example 3.3.: Inductive proof for the Fibonacci model

```
$ uclid examples/tutorial/ex3.3-fib-induction-proof.ucl
4 assertions passed.
0 assertions failed.
0 assertions indeterminate.
```

Success! We have shown that our system model satisfies its specification.

## 3.2. Bounded Model Checking

Let us return to the model of Example 1.1 which is reproduced as Example 3.2 with a few changes. We used the unroll command for verification. This command performs bounded model checking and takes a single argument – the number of steps to unroll the model for. In Example 3.2, we are unrolling the model for 3 steps.

#### 3.2.1. Embedded assume and assert statements

A second difference with between Example 1.1 and Example 3.2 is on lines 7 and 13. Instead of using a module-level assumption declarations as in Example 1.1, we have an embedded assumption in the init block on line 7, and an embedded assertion in the

```
1 module main {
    // System description.
    var a, b : integer;
3
    init {
5
      // embedded assumptions.
6
      assume (a \le b);
      assume (a >= 0 && b >= 0);
8
9
10
    next {
      a, b = b, a + b;
11
      // embedded assertion.
13
      assert (a \le b);
14
    // Proof script.
16
    control {
17
       unroll (3);
18
      check;
19
       print_results;
20
21
22 }
```

Example 3.4.: Revisiting the Fibonacci model from Example 1.1.

next block on line 13. A module-level assumption is assumed to hold by the solver at every step of execution, while an embedded assumption is assumed "instantaneously." In particular, the assumption on line 7 tells the solver to assume that  $a \le b$  at the end of the init block. Notice that we are not assigning specific values to a and b, instead we are asking UCLID5 to consider all values of a and b where  $a \le b$ ,  $a \ge 0$  and  $b \ge 0$ .

Similarly the assertion on line 13 is evaluated at that specific location in the code (the end of the next block), whereas a module-level assertion would be evaluated after the init block and after the next block is evaluated at each step.

## 3.2.2. Running Uclid5

Running UCLID5 on Example 3.2 shows that the embedded assertion does indeed hold for all states reachable within 3 steps of the initial state.

```
$ uclid examples/tutorial/ex3.4-fib-model-revisted.ucl
3 assertions passed.
0 assertions failed.
0 assertions indeterminate.
```

## 3.3. Future Directions

Future versions of UCLID5 will have support for the verification of properties specified in linear temporal logic (LTL), as well as support for synthesizing invariants using Syntax-Guided Synthesis (SyGuS).

## 4. Compositional Modeling and Abstraction

This chapter describes UCLID5's features for compositional and modular verification, and the use of abstraction.

We will use a running example of a CPU model constructed in the UCLID5 and use bounded model checking to prove that the execution of this CPU is deterministic: i.e. we show that given two identical instruction memories, the state updates performed by this CPU will be identical.

## 4.1. Common Type Definitions Across Modules

Example 4.1 shows a module that defines only type synonyms. Such a module can be used to share type definitions across other modules. The types declared in Example 4.1 are *imported* in lines 3-7 of module cpu declared in Example 4.2.

```
// This module declares types that are used in the rest of the model.

module common {

// addresses are uninterpreted types.

type addr_t = bv8;

type word_t = bv8;

// memory

type mem_t = [addr_t]word_t;

// CPU operation.

type op_t = enum { op_mov, op_add, op_sub, op_load, op_store };

type op_t = enum { op_mov, op_add, op_sub, op_load, op_store };
```

Example 4.1.: Module common of the CPU model

Isolating commonly used types into a single module in this manner allows the construction of large models parameterized by this types. These common types can be changed and the ramifications of these changes on the model's behavior can be studied easily.

## 4.2. Uninterpreted Functions and Types

A convenient mechanism for abstraction in UCLID5 is through the use of uninterpreted functions and types. This is one of the novel modeling aspects for transition systems introduced by the original UCLID system [2].

```
1 module cpu {
     // Import type aliases from common.
     \label{eq:type} \begin{array}{ll} \textbf{type} & addr\_t \, = \, common \; :: \; addr\_t \, ; \end{array}
     type mem_t = common :: mem_t;
4
     type word_t = common :: word_t;
5
     type op_t = common :: op_t;
6
     // type of register file.
9
     type regindex_t;
10
     type regs_t = [regindex_t]word_t;
     // imem is the program memory; an input to the module.
13
     input imem : mem_t;
14
     var dmem : mem_t;
15
     var regs : regs_t;
16
     var pc : addr_t;
17
18
     // These are uninterpreted functions.
19
     function inst2op (i : word_t) : op_t;
20
     function inst2reg0 (i : word_t) : regindex_t;
21
     function inst2reg1 (i : word_t) : regindex_t;
     function inst2imm (i : word_t) : word_t;
24
     function inst2addr (i : word_t) : addr_t;
25
                 : word_t;
26
     var inst
     \begin{array}{lll} \textbf{var} & \texttt{result} & : & \texttt{word\_t} \, ; \end{array}
27
28
     procedure exec_inst(inst : word_t, pc : addr_t)
29
       returns (result : word_t, pc_next : addr_t)
30
       modifies regs;
31
32
33
       var op
                    : op_t;
       var r0ind : regindex_t;
34
                   : regindex_t;
35
       var rlind
                    : word_t;
       var r0
36
                    : word_t;
       var r1
37
38
       op = inst2op(inst);
39
       r0ind = inst2reg0(inst);
40
       rlind = inst2reg1(inst);
41
       r0 = regs[r0ind];
42
       r1 = regs[r1ind];
       case
                               : \{ result = inst2imm(inst); \}
         (op = op_mov)
45
                              : \{ result = r0 + r1; \}
46
         (op = op_add)
         (op = op\_sub)
                              : \{ result = r0 - r1; \}
47
         (op = op_load)
                              : { result = dmem[inst2addr(inst)]; }
48
         (op = op_store)
                               : \{ result = r0; \}
49
50
       pc_next = pc + 1bv8;
51
       regs[r0ind] = result;
52
53
     // continued in Example 4.3.
```

Example 4.2.: Variable and Procedure Declarations of the cpu module

```
// continued from Example 4.2.
2
    // Define initial state for the modules.
3
    init {
4
     assume (forall (r : regindex_t) :: regs[r] = 0bv8);
5
     6
     pc = 0bv8;
     inst = 0bv8;
8
9
10
11
     // get the next instruction.
13
     inst = imem[pc];
     // execute it
14
     call (result , pc) = exec_inst(inst , pc);
15
   }
16
17 }
```

Example 4.3.: init and next blocks of the cpu module

## 4.2.1. Uninterpreted Types

Example 4.2 shows the use of the uninterpreted type: regindex\_t on line 9. The index type to the register is an abstract type, as opposed to a specific type (e.g. bv3). This allows us to reason about an abstract register file that has an undefined (and unbounded) number of entries, as opposed to proving facts about some specific register file implementation, potentially enabling more general proofs about system behavior.

#### 4.2.2. Uninterpreted Functions

Values belonging to an uninterpreted type can be created using uninterpreted functions. The functions inst2op, inst2reg0, inst2reg1, inst2imm and inst2addr on lines 20-24 of Example 4.2 are all examples of uninterpreted functions. An uninterpreted function f is a function about which we know nothing, except that it is a function; i.e.  $\forall x_1, x_2. \ x_1 = x_2 \implies f(x_1) = f(x_2).$ 

Uninterpreted functions allow us to reason about an abstract CPU model without considering specific instruction encodings or decoder models. This could potentially lead to more general proofs as well as more scalable automated proofs.

#### 4.3. Procedure Definition

Besides modules, another way of managing model complexity in UCLID5 is through the use of *procedures*. Example 4.2 defines the procedure exec\_inst on line 29. The procedure takes two arguments: inst and pc and returns two values: result and pc\_next.

```
1 module main {
2
     // Import types
3
     \label{eq:type_addr_t} \mbox{type addr\_t} \quad = \mbox{common} \; :: \; \mbox{addr\_t} \, ;
4
     type mem_t
                        = common :: mem_t;
5
     type word_t
                        = common :: word_t;
6
     type op t
                       = common :: op_t;
     type regindex_t = cpu :: regindex_t;
     // instruction memory is the same for both CPUs.
10
     var imem : mem_t;
11
12
     // Create two instances of the CPU module.
13
     instance cpu_i_1 : cpu(imem : (imem));
14
     instance cpu_i_2 : cpu(imem : (imem));
15
16
     init {
17
     }
18
19
20
     next {
      // Invoke CPU 1 and CPU 2.
21
       next (cpu_i_1);
22
       next (cpu_i_2);
23
     }
24
25
     // These are our properties.
26
27
     invariant eq_regs : (forall (ri : regindex_t) ::
                                cpu\_i\_1-\!\!>\!\!regs\left[\;ri\;\right]\;=\!\!=\;cpu\_i\_2-\!\!>\!\!regs\left[\;ri\;\right])\;;
28
                          : (forall (a : addr_t) :: cpu_i_1->dmem[a] == cpu_i_2->dmem[a]);
29
     invariant eq_mem
30
     invariant eq_pc : (cpu_i_1->pc == cpu_i_2->pc);
31
     invariant eq_inst : (cpu_i_1->inst == cpu_i_2->inst);
32
33
     // Proof script.
34
     control {
35
       unroll(3);
36
       check;
37
       print_results;
38
39
40 }
```

Example 4.4.: Module main in the CPU model

#### 4. Compositional Modeling and Abstraction

Note that all module-level state modified by the procedure must be declared using a modifies clause; this is shown on line 31.

#### 4.3.1. Procedure Invocation

Procedures are invoked using the call keyword. In Example 4.3, procedure exec\_-inst is called on line 15 of Example 4.3. The actual arguments to the procedure are inst and pc, and the return values of the procedure will be stored in the variables result and pc.

## 4.4. Module Instantiation and Scheduling

Modules are instantiated using the instance keyword. Lines 14 and 15 of Example 4.4 show two instantiations of the module cpu. For each instance, the module input imem is mapped to the state variable imem of module main.

Scheduling of instantiated modules is explicit and synchronous. The two next statements on lines 22 and 23 of Example 4.4 invoke the next state transitions of the two instances of the cpu module.

## 4.4.1. Accessing Instance Variables

The state variables of an instantiated module are accessed using the -> operator. The four invariants on lines 27-32 of Example 4.4, refer to the registers, memory, pc and instruction variables of the two instantiated modules. These invariants state that both instances must have identical values for these state variables.

## 4.5. Running Uclid5

Executing UCLID5 on the complete CPU model shows that CPU is in fact deterministic.

```
$ uclid examples/tutorial/ex4.1-cpu.ucl
16 assertions passed.
0 assertions failed.
0 assertions indeterminate.
```

#### 4.5.1. Exercise: Inductive Proof of CPU model

Prove determinism of the CPU model using induction rather than bounded model checking. You will need to add strengthening inductive invariants relating the two CPU instances.

## **Bibliography**

- [1] UCLID Verification System. Available at http://uclid.eecs.berkeley.edu.
- [2] Randal E. Bryant, Shuvendu K. Lahiri, and Sanjit A. Seshia. Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In E. Brinksma and K. G. Larsen, editors, *Proc. Computer-Aided Verification (CAV'02)*, LNCS 2404, pages 78–92, July 2002.

## A. Appendix: Uclid5 Grammar

This appendix describes UCLID5's grammar.

## A.1. Grammar of Modules and Declarations

**A model** consist of a list of modules. Each module consists of a list of declarations followed by an optional control block.

```
 \langle Model \rangle & ::= \langle Module \rangle^* \\ \langle Module \rangle & ::= module \langle Id \rangle \quad `` \{' \ \langle Decl \rangle^* \ \langle ControlBlock \rangle? \ `` \}'
```

**Declarations** can be of the following types.

```
 \langle Decl \rangle & ::= \langle TypeDecl \rangle \\ & | \langle InputsDecl \rangle \\ & | \langle OutputsDecl \rangle \\ & | \langle VarsDecl \rangle \\ & | \langle ConstsDecl \rangle \\ & | \langle Shared VarsDecl \rangle \\ & | \langle FuncDecl \rangle \\ & | \langle FuncDecl \rangle \\ & | \langle InstanceDecl \rangle \\ & | \langle InitDecl \rangle \\ & | \langle NextDecl \rangle \\ & | \langle SpecDecl \rangle \\ \end{aligned}
```

**Type declarations** declare either a type synonym or an uninterpreted type.

```
 \langle \mathit{TypeDecl} \rangle \qquad \qquad ::= \ \mathsf{type} \ \langle \mathit{Id} \rangle \ \text{`='} \ \langle \mathit{Type} \rangle \ \text{`;'} \\ | \ \mathsf{type} \ \langle \mathit{Id} \rangle \ \text{`;'}
```

Variable declarations can refer to inputs, outputs, state variables or shared variables.

```
\langle InputsDecl \rangle ::= input \langle IdList \rangle ':' \langle Type \rangle ';' \langle OutputsDecl \rangle ::= output \langle IdList \rangle ':' \langle Type \rangle ';' \langle VarsDecl \rangle ::= var \langle IdList \rangle ':' \langle Type \rangle ';'
```

## A. Appendix: UCLID5 Grammar

```
\langle ConstsDecl \rangle ::= const \langle IdList \rangle ':' \langle Type \rangle ';' \langle SharedVarsDecl \rangle ::= sharedvar \langle IdList \rangle ':' \langle Type \rangle ';'
```

**Function declarations** refer to uninterpreted functions.

```
\langle FuncDecl \rangle ::= function \langle Id \rangle '(' \langle IdTypeList \rangle ')' ':' \langle Type \rangle ';'
```

**Procedure declarations** consist of a formal parameter list, a list of return values and types, followed by optional pre-/post-conditions and the list of state variables modified by procedure.

```
 \langle ProcedureDecl \rangle & ::= \operatorname{procedure} \langle Id \rangle \text{ ('} \langle IdTypeList \rangle \text{ ')'} \langle ProcReturnArg \rangle ? \\ & \langle RequireExprs \rangle \langle EnsureExprs \rangle \langle ModifiesExprs \rangle \\ & \text{ `{'}} \langle VarsDecls \rangle^* \langle Statement \rangle^* \text{ `{'}} \rangle ; \\ & \langle ProcReturnArg \rangle & ::= \operatorname{returns} \text{ ('} \langle IdTypeList \rangle \text{ ')'} \\ & \langle RequireExprs \rangle & ::= (\operatorname{requires} \langle Expr \rangle \text{ ';'})^* \\ & \langle EnsureExprs \rangle & ::= (\operatorname{ensures} \langle Expr \rangle \text{ ';'})^* \\ & \langle ModifiesExprs \rangle & ::= (\operatorname{modifies} \langle IdList \rangle \text{ ';'})^* \end{aligned}
```

**Instance declarations** allow the instantiation (duh!) of other modules. They consist of the instance name, the name of the module being instantiated and the list of mappings for the instances' inputs, output and shared variables.

```
 \langle InstanceDecl \rangle & ::= instance \langle Id \rangle \text{ `:' } \langle Id \rangle \langle ArgMapList \rangle \text{ `;'} 
 \langle ArgMapList \rangle & ::= \text{ `(' ')'} 
 | \text{ `(' } \langle ArgMap \rangle \text{ `,' } \langle ArgMap \rangle \text{ ')'} 
 \langle ArgMap \rangle & ::= \langle Id \rangle \text{ `:' } \text{ `(' ')'} 
 | \langle Id \rangle \text{ `:' } \text{ `(' } \langle Expr \rangle \text{ ')'}
```

**Axioms** refer to assumptions while a **specification declaration** refers to design invariants. Note axiom and assume are synonyms, as are property and invariant.

```
 \langle AxiomDecl\rangle & ::= \langle AxiomKW\rangle \langle Id\rangle `:` \langle Expr\rangle `;` \\ | \langle AxiomKW\rangle \langle Expr\rangle `;` \\ \langle AxiomKW\rangle & ::= axiom | assume \\ \langle SpecDecl\rangle & ::= \langle PropertyKW\rangle \langle Id\rangle `:` \langle Expr\rangle `;` \\ | \langle PropertyKW\rangle \langle Expr\rangle `;` \\ \langle PropertyKW\rangle & ::= property | invariant \\ | Init and next blocks consist of lists of statements. \\ | \langle InitDecl\rangle & ::= init `\{` \langle Statement\rangle ^* `\}` \\ | \langle NextDecl\rangle & ::= next `\{` \langle Statement\rangle ^* `\}`
```

## A.2. Statement Grammar

**Statements** are the following types, most of which should be familiar. Note the support for simultaneous assignment à la Python. The keyword next allows for synchronous scheduling of instantiated modules.

```
 \langle Statement \rangle & ::= \text{skip ';'} \\ & | \text{assert } \langle Expr \rangle \text{ ';'} \\ & | \text{assume } \langle Expr \rangle \text{ ';'} \\ & | \text{havoc } \langle Id \rangle \text{ ';'} \\ & | \langle LhsList \rangle \text{ '='} \langle ExprList \rangle \text{ ';'} \\ & | \text{call '('} \langle LhsList \rangle \text{ ')' '='} \langle Id \rangle \langle ExprList \rangle \text{ ';'} \\ & | \text{next '('} \langle Id \rangle \text{ ')' ';'} \\ & | \langle IfStmt \rangle \\ & | \langle CaseStmt \rangle \\ & | \langle ForLoop \rangle
```

**Assignments** and **call** statements refer to the nonterminal  $\langle LhsList \rangle$ . As the name suggests, this is a list of syntactic forms that can appear on the left hand side of an assignment.  $\langle Lhs \rangle$  are of four types: (i) identifiers, bitvector slices within identifiers, (iii) array indices, and (iv) fields within records.

```
\langle LhsList \rangle \qquad ::= \langle Lhs \rangle \ (`,` \langle Lhs \rangle)^* 
\langle Lhs \rangle \qquad ::= \langle Id \rangle 
| \langle Id \rangle \ `[` \langle Expr \rangle \ `:` \langle Expr \rangle \ `]` 
| \langle Id \rangle \ `[` \langle ExprList \rangle \ `]` 
| \langle Id \rangle \ (`.` \langle Id \rangle) +
```

If statements are as per usual. "Braceless" if statements are not permitted.

```
\langle \mathit{IfStmt} \rangle \qquad ::= \text{ if '('} \langle \mathit{IfExpr} \rangle \text{ ')' ' ' ' } \langle \mathit{Statement} \rangle \text{* '} \text{'} \\ = \text{ lse ' {'}} \langle \mathit{Statement} \rangle \text{* '} \text{'} \\ | \text{ if '('} \langle \mathit{IfExpr} \rangle \text{')' ' {'}} \langle \mathit{Statement} \rangle \text{* '} \text{'} \\ \langle \mathit{IfExpr} \rangle \qquad ::= \langle \mathit{Expr} \rangle \mid \text{*}
```

**Case** statements are as follows.

**For loops** allow iteration over a statically defined range of values.

```
\langle ForLoop \rangle ::= for \langle Id \rangle in range '(' \langle Number \rangle ',' \langle Number \rangle ')' 
 `{' \langle Statement \rangle* '}'
```

## A.3. Expression Grammar

Let us turn to **expressions**, which may be quantified.

$$\langle Expr \rangle$$
 ::=  $\langle E1 \rangle$ 

The usual logical and bitwise operators are allowed.

$$\langle E2 \rangle$$
 ::=  $\langle E3 \rangle$  '<==>'  $\langle E2 \rangle$  |  $\langle E3 \rangle$ 

$$\langle E3 \rangle$$
 ::=  $\langle E4 \rangle$  '==>'  $\langle E3 \rangle \mid \langle E4 \rangle$ 

As are relational operators, bitvector concatentation (++) and arithmetic.

$$\langle E5 \rangle$$
 ::=  $\langle E6 \rangle$   $\langle RelOp \rangle$   $\langle E6 \rangle$ 

$$\langle RelOp \rangle$$
 ::= '>' | '<' | '=' | '!=' | '>=' | '<='

$$\langle E6 \rangle$$
 ::=  $\langle E7 \rangle$  '++'  $\langle E6 \rangle$ 

$$\langle E7 \rangle$$
 ::=  $\langle E8 \rangle$  '+'  $\langle E7 \rangle$ 

$$\langle E8 \rangle$$
 ::=  $\langle E9 \rangle$  '-'  $\langle E9 \rangle$ 

$$\langle E9 \rangle$$
 ::=  $\langle E10 \rangle$  '\*'  $\langle E10 \rangle$ 

The unary operators are arithmetic negation (unary minus), logical negation and bitwise negation of bitvectors.

$$\langle E10 \rangle = \langle UnOp \rangle \langle E11 \rangle | \langle E11 \rangle$$

$$\langle UnOp \rangle$$
 ::= '-' | '!' | '~'

Array select, update and bitvector select operators are defined à la Boogie.

$$\langle E11 \rangle \qquad ::= \langle E12 \rangle \text{ `['} \langle Expr \rangle \text{ (','} \langle Expr \rangle) * \text{`]'} \\ | \langle E12 \rangle \text{ `['} \langle Expr \rangle \text{ (','} \langle Expr \rangle) * = \langle Expr \rangle \text{ `]'} \\ | \langle E12 \rangle \text{ `['} \langle Expr \rangle \text{ `:'} \langle Expr \rangle \text{ `]'} \\ | \langle E12 \rangle \end{cases}$$

Function invocation, record selection, and access to variables in instantiated modules is as follows.

## A. Appendix: UCLID5 Grammar

$$\langle E12 \rangle \qquad ::= \langle E13 \rangle \text{ (',' } \langle ExprList \rangle \text{ ')'}$$

$$| \langle E13 \rangle \text{ (', ',' } \langle Id \rangle) +$$

$$| \langle E13 \rangle \text{ (', ->' } \langle Id \rangle) +$$

And finally, we have the terminal symbols, identifiers, tuples and the if-then-else operator.

```
\langle E12 \rangle \qquad ::= \text{false} \mid \text{true} \mid \langle Number \rangle \\ \mid \langle Id \rangle \mid \langle Id \rangle \text{ `: '} \langle Id \rangle \\ \mid \text{`` {'}} \langle Expr \rangle \text{ (`, '} \langle Expr \rangle)* \text{ `} \text{'}} \\ \mid \text{ite `('} \langle Expr \rangle \text{ ', '} \langle Expr \rangle \text{ ', '} \langle Expr \rangle \text{ ', '}} \langle Expr \rangle \text{ ', '} \langle Expr \rangle \text{ ', '}}
```

## A.4. Types

```
\langle \mathit{Type} \rangle \qquad ::= \langle \mathit{PrimitiveType} \rangle \\ | \langle \mathit{EnumType} \rangle \\ | \langle \mathit{TupleType} \rangle | \langle \mathit{RecordType} \rangle \\ | \langle \mathit{ArrayType} \rangle \\ | \langle \mathit{SynonymType} \rangle \\ | \langle \mathit{ExternalType} \rangle
```

Supported primitive types are Booleans, integers and bit-vectors. Bit-vector types are defined according the regular expression 'bv[0-9]+' and the number following 'bv' is the width of the bit-vector.

```
\langle PrimitiveType \rangle ::= boolean | integer | \langle BitVectorType \rangle
```

Enumerated types are defined using the enum keyword.

```
\langle EnumType \rangle ::= enum '{' \langle IdList \rangle '}'
```

Tuple types are declared using curly brace notation.

$$\langle Tuple Type \rangle ::= `\{` \langle Type \rangle (`, ` \langle Type \rangle) * `\}`$$

Record types use the keyword record.

```
\langle Record type \rangle ::= record '{' \langle IdTypeList \rangle '}'
```

Array types are defined using square brackets. The list of types within square brackets defined the array's index type.

$$\langle Array Type \rangle$$
 ::= '['  $\langle Type \rangle$  (', '  $\langle Type \rangle$ )\* ']'  $\langle Type \rangle$ 

Type synonyms are just identifiers, while external types refer to synonym types defined in a different module.

```
\langle \mathit{SynonymType} \rangle \hspace{1cm} ::= \langle \mathit{Id} \rangle
```

$$\langle ExternalType \rangle ::= \langle Id \rangle `:: ` \langle Id \rangle$$

## A.5. Control Block

**The control block** consists of a list of commands. A command can have an optional result object, an optional argument object, an optional list of command parameters and finally an optional list of argument expressions.

## A.6. Miscellaneous Nonterminals

 $\langle IdList \rangle$ ,  $\langle IdTypeList \rangle$  and  $\langle ExprList \rangle$  are non-empty, comma-separated list of identifiers, identifier/type tuples and expressions respectively.

$$\langle IdList \rangle \qquad ::= \langle Id \rangle \\ | \langle Id \rangle \text{ ', '} \langle IdList \rangle$$

$$\langle IdTypeList \rangle \qquad ::= \langle Id \rangle \text{ ': '} \langle Type \rangle \\ | \langle Id \rangle \text{ ': '} \langle Type \rangle \text{ ', '} \langle IdTypeList \rangle$$

$$\langle ExprList \rangle \qquad ::= \langle Expr \rangle \\ | \langle Expr \rangle \text{ ', '} \langle ExprList \rangle$$