Correct Hardware Design and Verification Methods

We survey two synchronous languages for circuit design. Esterel is dedicated to controllers implemented either in software or in hardware. Esterel programs are imperative, concurrent, and preemption based. Programs are translated into circuits that are optimized using specific sequential optimization algorithms. A verification system restricted to the pure control part of programs is available. Esterel is currently used by several CAD vendors and circuit design companies.Jazz is a newer language designed for fancy arithmetic circuits. Jazz resembles ML but has a richer type-system that supports inheritance. The current environment comprises a compiler, simulators, and code generators for the Pamette Xilinx-based board. Both languages are not only formal but based on real mathematics. We discuss why this is essential for good language design.

The number of Embedded Control Units (ECUs) in the car is permanently increasing. Also complexity and interconnection is increased. Conventional design processes can not cope with this complexity. In the first part of this paper we show the current development-process at BMW, the second part deals with our results of using model checking to verify Statemate-models.

The Completion Functions Approach was proposed in [9] as a systematic way to decompose the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. However, its applicability depends on the fact that the implementation “commits” the unfinished instructions in the pipeline in program order. In this paper, we extend the completion functions approach when this is not true and demonstrate it on an implementation of Tomasulo’s algorithm without a reorder buffer. The approach leads to an elegant decomposition of the proof of the correctness criterion, does not involve the construction of an explicit intermediate abstraction, makes heavy use of an automatic case-analysis strategy based on decision procedures and rewriting, and addresses both safety and liveness issues.

The trend in microprocessor design is to extend instruction-set architectures with features—such as parallelism annotations, predication, speculative memory access,or multimedia instructions—that allow the compiler or programmer to express more instruction-level parallelism than the microarchitecture is willing to derive. In this paper we show how these instruction-set extensions can be put to use when formally verifying the correctness of a microarchitectural model. Inspired by Intel’s IA-64, we develop an explicitly parallel instruction-set architecture and a clustered microarchitectural model. We then describe how to formally verify that the model implements the instruction set. The contribution of this paper is a specification and verification method that facilitates the decomposition of microarchitectural correctness proofs using instruction-set extensions.

We present a collection of ideas that allows the pipeline verification method pioneered by Burch and Dill [5] to scale very efficiently to dual-issue super- scalar processors. We achieve a significant speedup in the verification of such processors, compared to the result by Burch [6], while using an entirely automatic tool. Instrumental to our success are exploiting the properties of positive equality [3][4] and the simplification capabilities of BDDs.

TLA+ is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA+ specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA+ specifications and their TLC models, how TLC works, and our experience using it.

Timing diagrams are widely used in industrial practice to express precedence and timing relationships amongst a collection of signals. This graphical notation is often more convenient than the use of temporal logic or automata. We introduce a class of timing diagrams called Regular Timing Diagrams (RTD’s). RTD’s have a precise syntax, and a formal semantics that is simple and corresponds to common usage. Moreover, RTD’s have an inherent compositional structure, which is exploited to construct an efficient algorithm for model checking a RTD with respect to a system description. The algorithm has time complexity that is linear in the system size and a small polynomial in the representation of the diagram. The algorithm can be easily used with symbolic (BDDbased) model checkers. We illustrate the workings of our algorithm with the verification of a simple master-slave system.

One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications.For example, verifying a system with respect to the specification ϕ = AG(req → AFgrant) (“every request is eventually followed by a grant”), we say that ϕ is satisfied vacuously in systems in which requests are never sent. An interesting witness for the satisfaction of ϕ is then a computation that satisfies ϕ and contains a request. Beer et al. considered only specifications of a limited fragment of ACTL, and with a restricted interpretation of vacuity. In this paper we present a general method for detection of vacuity and generation of interesting witnesses for specifications in CTL✶. Our definition of vacuity is stronger, in the sense that we check whether all the subformulas of the specification affect its truth value in the system. In addition, we study the advantages and disadvantages of alternative definitions of vacuity, study the problem of generating linear witnesses and counterexamples for branching temporal logic specifications, and analyze the complexity of the problem. Supported in part by the NSF grants CCR-9628400 and CCR-9700061, and by a grant from the Intel Corporation.

Stålmarck’s proof procedure is a method of tautology checking that has been used to verify railway interlocking software.Recently,it has been proposed [13] that the method has potential to increase the capacity of formal verification tools for hardware.In this paper,we examine this potential in light of an experiment in the opposite direction: the application of symbolic model checking to railway interlocking software previously verified with Stålmarck’s method.We show that these railway systems share important characteristics which distinguish them from most hardware designs,and that these differences raise some doubts about the applicability of Stålmarck’s method to hardware verification.

We describe the application of model checking using FormalCheck to an industrial RTL design. It was used as a complement to classical simulation on portions of the chip that involved complex interactions and were difficult to verify by simulation. We also identify certain circuit structures that for a certain type of queries lend themselves to manual model reductions which were not detected by the automatic reduction algorithm. These reductions were instrumental in allowing us to complete the formal verification of the design and to detect two design errors that would have been hard to detect by simulation. We also provide a technique to estimate the length of a random simulation needed to detect a particular design error with a given probability; this length can be used as a measure of its difficulty.

In this paper we argue that the semantic issues of discrete vs. dense time should be separated as much as possible from the pragmatics of state-space representation. Contrary to some misconceptions, the discrete semantics is not inherently bound to use state-explosive techniques any more than the dense one. In fact, discrete timed automata can be analyzed using any representation scheme (such as DBM) used for dense time, and in addition can benefit from enumerative and symbolic techniques (such as BDDs) which are not naturally applicable to dense time. DBMs, on the other hand, can still be used more efficiently by taking into account the activity of clocks, to eliminate redundancy. To support these claims we report experimental results obtained using an extension of Kronos with BDDs and variable-dimension DBMs where we verified the asynchronous chip STARI, a FIFO buffer which provides for skew-tolerant communication between two synchronous systems. Using discrete time and BDDs we were able to prove correctness of a STARI implementation with 18 stages (55 clocks), better than what has been achieved using other techniques. The verification results carry over to the dense semantics.Using variable-dimension DBMs we have managed to verify STARI for up to 8 stages (27 clocks). In fact, our analysis shows that at most one third of the clocks are active at any reachable state, and about one fourth of the clocks are active in 90% of the reachable states.

It is often the case that systems are “nearly symmetric”; they exhibit symmetry in a part of their description but are, nevertheless, globally asymmetric. We formalize several notions of near symmetry and show how to obtain the benefits of symmetry reduction when applied to asymmetric systems which are nearly symmetric. We show that for some nearly symmetric systems it is possible to perform symmetry reduction and obtain a bisimilar (up to permutation) symmetry reduced system.Using a more general notion of “sub-symmetry” we show how to generate a reduced structure that is simulated (up to permutation) by the original asymmetric program.In the symbolic model checking paradigm, representing the symmetry reduced quotient structure entails representing the BDD for the orbit relation. Unfortunately, for many important symmetry groups, including the full symmetry group, this BDD is provably always intractably large, of size exponential in the number of bits in the state space. In contrast, under the assumption of full symmetry, we show that it is possible to reduce a textual program description of a symmetric system to a textual program description of the symmetry reduced system. This obviates the need for building the BDD representation of the orbit relation on the program states under the symmetry group. We establish that the BDD representing the reduced program is provably small, essentially polynomial in the number of bits in the state space of the original program.

Boolean equivalence checking has turned out to be a powerful method for verifying combinatorial circuits and has been widely accepted both in academia and industry. In this paper, we present a method for localizing and correcting errors in combinatorial circuits for which equivalence checking has failed. Our approach is general and does not assume any error model. Thus, it allows the detection of arbitrary design errors. Since our method is not structure-based, the pro]duced results are independent of any structural similarities between the implementation circuit and its specification. It can even be applied if the specification is given, e.g., as a propositional formula, a BDD, or in form of a truth table.Furthermore, we discuss two kinds of circuit abstractions and prove compatibility with our rectification method. In combination with abstractions, we show that our method can be used to rectify large circuits.We have implemented our approach in the AC/3 equivalence checker and circuit rectifier and evaluated it with the Berkeley benchmark circuits [6] and the ISCAS85 benchmarks [7] to show its practical strength.

We propose a new methodology for exploiting abstraction in the context of model-checking. Our new technique uses abstract BDDs as its underlying data structure. We show that this technique builds a more refined model than traditional compiler-based methods proposed by Clarke, Grumberg and Long. We also provide experimental results to demonstrate the usefulness of our method. We have verified a pipelined carry-save multiplier and a simple version of the PCI local bus protocol. Our verification of the PCI bus revealed a subtle inconsistency in the PCI standard. We believe this is an interesting result by itself.

In our terminology, the term “formal synthesis” stands for a synthesis process where the implementation is derived from the specification by applying elementary mathematical rules within a theorem prover. As a result the implementation is guaranteed to be correct. In this paper we introduce a new methodology to formally derive register-transfer structures from descriptions at the algorithmic level via program transformations. Some experimental results at the end of the paper show how the run-time complexity of the synthesis process in our approach could be.

This paper describes a semantic connection between the symbolic trajectory evaluation model-checking algorithm and relational verification in higher-order logic. We prove a theorem that translates correctness results from trajectory evaluation over a four-valued lattice into a shallow embedding of temporal operators over Boolean streams. This translation connects the specialized world of trajectory evaluation to a general-purpose logic and provides the semantic basis for connecting additional decision procedures and model checkers.

A method of compositional verification is presented that uses the combination of temporal case splitting and data type reductions to reduce types of infinite or unbounded range to small finite types, and arrays of infinite or unbounded size to small fixed-size arrays. This supports the verification by model checking of systems with unbounded resources and uninterpreted functions. The method is illustrated by application to an implementation of Tomasulo’s algorithm, for arbitrary or infinite word size, register file size, number of reservation stations and number of execution units.

A new approach for the automatic equivalence checking of behavioral or structural descriptions of designs with complex control is presented. The verification tool combines symbolic simulation with a hierarchy of equivalence checking methods, including decision-diagram based techniques, with increasing accuracy in order to optimize overall verification time without giving false negatives. The equivalence checker is able to cope with different numbers of control steps and different implementational details in the two descriptions to be compared.

Symbolic model checking is an increasingly popular debugging tool based on Binary Decision Diagrams (BDDs). The size of the diagrams, however, often prevents its application to large designs. The lack of flexibility of the conventional breadth-first approach to state search is often responsible for the excessive growth of the BDDs. In this paper we show that the use of hints to guide the exploration of the state space may result in orders-of-magnitude reductions in time and space requirements. We apply hints to invariant checking. The hints address the problems posed by difficult image computations, and are effective in both proving and refuting invariants. We show that good hints can often be found with the help of simple heuristics by someone who understands the circuit well enough to devise simulation stimuli or verification properties for it. We present an algorithm for guided traversal and discuss its efficient implementation.

In this paper we present a new modeling formalism that is well suited for modeling real-time systems in different application areas and on various levels of abstraction. These I/O-interval structures extend interval structures by a new communication method, where input sensitive transitions are introduced. The transitions can be labeled time intervals as well as with communication variables. For interval structures, efficient model checking techniques based on MTBDDs exist. Thus, after composing networks of I/O-interval structures, efficient model checking of interval structures is applicable. The usefulness of the new approach is demonstrated by various real-world case studies, including experimental result.

This work presents a novel approach for evaluatingthe quality of the model checkingpro cess. Given a model of a design (or implementation) and a temporal logic formula that describes a specification, model checkingde termines whether the model satisfies the specification. Assume that all specification formulas were successfully checked for the implementation. Are we sure that the implementation is correct? If the specification is incomplete, we may fail to find an error in the implementation. On the other hand, if the specification is complete, then the model checkingpro cess can be stopped without adding more specification formulas. Thus, knowingwh ether the specification is complete may both avoid missed implementation errors and save precious verification time.The completeness of a specification with respect to a given implementation is determined as follows. The specification formula is first transformed into a tableau. The simulation preorder is then used to compare the implementation model and the tableau model. We suggest four comparison criteria, each revealinga certain dissimilarity between the implementation and the specification. If all comparison criteria are empty, we conclude that the tableau is bisimilar to the implementation model and that the specification fully describes the implementation. We also conclude that there are no redundant states in the implementation. The method is exemplified on a small hardware example. We implemented our method symbolically as an extension to SMV. The implementation involves efficient OBDD manipulations that reduce the number of OBDD variables from 4n to 2n.

Hardware description languages (HDLs) are used today to describe circuits at all levels. In large HDL programs, there is a need for source code reduction techniques to address a myriad of problems in formal verification, design, simulation, and testing. Program slicing is a static program analysis technique that allows an analyst to automatically extract portions of programs relevant to the aspects being analyzed. We extend program slicing to HDLs, thus allowing for automatic program reduction to allow the user to focus on relevant code portions. We have implemented a VHDL slicing tool composed of a general inter-procedural slicer and a front-end that captures VHDL execution semantics. This paper provides an overview of program slicing, a discussion of how to slice VHDL programs, a description of the resulting tool, and a brief overview of some applications and experimental results.

Using a theorem prover, we have verified a microprocessor design, FM9801. We define our correctness criterion for processors with speculative execution and interrupts. Our verification approach defines an invariant on an intermediate abstraction that records the history of instructions. We verified the invariant first, and then proved the correctness criterion. We found several bugs during the verification process.

We describe two approaches to use the model checking tool COSPAN to check the hazard freedom in speed—independent circuits. First, we propose a straight forward approach to implement a speed—independent circuit in S/R. Second, we propose a reduction technique over the first approach by restricting the original system with certain constraints. This reduction is implemented on the top of COSPAN which also applies its own reductions, including symbolic representation (BDD).

A subset of LTL is presented that can be translated to ω automata with only a linear number of states. The translation is completely based on closures under temporal and boolean operators. Moreover, it is shown how this enhancement can be combined with traditional translations so that all LTL formulas can be translated. Exponential savings are possible in terms of reachable states, as well as in terms of runtime and memory requirements for model checking.

The top-down design of VLSI-systems typically features a step-wise refinement of intermediate solutions. Even though these refinements do usually not preserve time-scales, current formal verification approaches are largely based on the assumption that both specification and implementation utilize the same scales of time. In this paper, a symbolic methodology is presented to verify the step-wise refinement of finite state machines, allowing for possible differences in timing-granularity.

Recent advances in fabrication technology have pushed the digital designers’ perspective towards higher levels of abstraction. Previous work has shown that attribute grammars, used in traditional compiler construction, can also be effectively adopted to describe in a formal and uniform way high-level hardware compilation heuristics, their main advantages being modularity and declarative notation. In this paper, a more abstract form of attribute grammars, relational attribute grammars, are further applied as a framework over which formal hardware verification is performed along with synthesis. The overall hardware design methodology proposed is a novel idea that supports provable correct designs.

A transformation method based on incrementalization and value caching, generalizes a broad family of loop refinement techniques. This method and CACHET, an interactive tool supporting it, are presented. Though highly structured and automatable, better results are obtained with intelligent interaction, which provides insight and proofs involving term equality. Significant performance improvements are obtained in many representative program classes, including iterative schemes that characterize Today’s hardware specifications. Incrementalization is illustrated by the derivation of a hardware-efficient nonrestoring square-root algorithm.

State space minimization techniques are crucial for combating state explosion. A variety of verification tools use bisimulation minimization to check equivalence between systems, to minimize components before composition, or to reduce a state space prior to model checking. This paper explores the third use in the context of verifying invariant properties. We consider three bisimulation minimization algorithms. From each, we produce an on-the-fly model checker for invariant properties and compare this model checker to a conventional one based on backwards reachability. Our comparisons, both theoretical and experimental, lead us to conclude that bisimulation minimization does not appear to be viable in the context of invariance verification because performing the minimization requires as many, if not more, computational resources as model checking the unminimized system through backwards reachability.

Compositional proofs about systems of many components often involve apparently circular arguments. That is, correctness of component A must be assumed when verifying component B, and vice versa. The apparent circularity of such arguments can be resolved by induction over time. However, previous methods for such circular compositional proofs apply only to safety properties. This paper presents a method of circular compositional reasoning that applies to liveness properties as well. It is based on a new circular compositional rule implemented in the SMV proof assistant. The method is illustrated using Tomasulo’s algorithm for out-of-order instruction execution. An implementation is proved live for arbitrary resources using compositional model checking.

We present a technique for doing symbolic simulation of microprocessor models in the functional programming language Haskell.We use polymorphism and the type class system, a unique feature of Haskell, to write models that work over both concrete and symbolic data.We offer this approach as an alternative to using uninterpreted constants. When the full generality of rewriting is not needed, the performance of symbolic simulation by evaluation is much faster than previously reported symbolic simulation efforts in theorem provers.

There has been much interest recently in combining the strengths of formal verification techniques and simulation for functional validation of large designs [6].Typically, a formal test model is first obtained from the design. Then, test sequences which satisfy certain coverage criteria are generated from the test model, which are simulated on the design for functional validation. In this paper, we focus on automatic abstractions for obtaining the test model from the design for simulation vector generation under the transition tour coverage model. Since most efforts using guided simulation have concentrated only on state/transition coverage, without relating these to error coverage of the original design, there is hardly any notion of preserving correctness, which has made it hard to use abstraction effectively.

In this paper we present the notion of an input fault model for embedded systems and outline how to obtain minimal complete test suites for a fault model. The system software is expected to be embedded and specified as a finite state machine.

Reusability and evolutivity are important advantages to introduce objectoriented modeling and design also for embedded systems [12]. For this domain, one of the most important issues is to validate the interactions of a set of object with concurrent methods. We apply model checking (see [3] for a survey) for the systematic debugging of concurrent designs to detect errors in the behavior and interactions of the object community. As we assume a fixed finite maximal number of objects and also finite data types, we can only show the correctness for finite instances and detect only errors that appear in such a finite setting. Nevertheless, the approach is useful for embedded systems, where the system’s size is limited by strong hardware constraints. Moreover, we claim that most errors in the concurrent behavior already occur with a small number of components. To handle larger designs, we emphasize that it is often obvious that several attributes of an object do not affect the property of interest. Thus, there is no need to model the objects completely. This obvious abstraction leads to significantly better results because the resulting models are smaller. More sophisticated abstractions can be found e.g. in [45]. In the next section, we briefly explain how to derive in general a finite state system from an object-oriented concurrent design. Then, we illustrate the method by a case study taken from [6].