Compositional Model Checking, 1999.
Cited by 3229 (69 self)
Abstract
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 1992.
Cited by 1027 (13 self)
Abstract
Ordered Binary-Decision Diagrams (OBDDs) represent Boolean functions as directed acyclic graphs. They form a canonical representation, making testing of functional properties such as satisfiability and equivalence straightforward. A number of operations on Boolean functions can be implemented as graph algorithms on OBDD
Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 1994.
Cited by 270 (12 self)
Abstract
The temporal logic model checking algorithm of Clarke, Emerson, and Sistla [17] is modified to represent state graphs using binary decision diagrams (BDDs) [7] and partitioned transition relations [10], [11]. Because this representation captures some of the regularity in the state space of circuits with data path logic, we are able to verify circuits with an extremely large number of states. We demonstrate this new technique on a synchronous pipelined design with approximately 5 x 10^120 states. Our model checking algorithm handles full CTL with fairness constraints. Consequently, we are able to express a number of important liveness and fairness properties, which would otherwise not be expressible in CTL. We give empirical results on the performance of the algorithm applied to both synchronous and asynchronous circuits with data path logic.
Formal Verification by Symbolic Evaluation of Partially-Ordered Trajectories. Formal Methods in System Design, 1993.
Cited by 104 (24 self)
Abstract
Symbolic trajectory evaluation provides a means to formally verify properties of a sequential system by a modified form of symbolic simulation. The desired system properties are expressed in a notation combining Boolean expressions and the temporal logic "next-time" operator. In its simplest form, each property is expressed as an assertion [A ⇒ C], where the antecedent A expresses some assumed conditions on the system state over a bounded time period, and the consequent C expresses conditions that should result. A generalization allows simple invariants to be established and proven automatically. The verifier operates on system models in which the state space is ordered by "information content". By suitable restrictions to the specification notation, we guarantee that for every trajectory formula, there is a unique weakest state trajectory that satisfies it. Therefore, we can verify an assertion [A ⇒ C] by simulating the system over the weakest trajectory for A and testing...
Formal Verification of Digital Circuits Using Symbolic Ternary System Models
Cited by 26 (5 self)
Abstract
Ternary system modeling involves extending the traditional set of binary values {0, 1} with a third value X indicating an unknown or indeterminate condition. By making this extension, we can model a wider range of circuit phenomena. We can also efficiently verify sequential circuits in which the effect of a given operation depends on only a subset of the total system state.
A framework for microprocessor correctness statements. In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), 2001.
Cited by 23 (3 self)
Abstract
Most verifications of out-of-order microprocessors compare state-machine-based implementations and specifications, where the specification is based on the instruction-set architecture. The different efforts use a variety of correctness statements, implementations, and verification approaches. We present a framework for classifying correctness statements about safety that is independent of implementation representation and verification approach. We characterize the relationships between the different statements and illustrate how existing and classical approaches fit within this framework.
Automatic verification of pipelined microprocessors. In Proc. DAC, 1994.
Cited by 16 (0 self)
Abstract
We address the problem of automatically verifying large digital designs at the logic level, against high-level specifications. In this paper, we present a methodology which allows for the verification of a specific class of synchronous machines, namely pipelined microprocessors. The specification is the instruction set of the microprocessor with respect to which the correctness property is to be verified. A relation, namely the β-relation, is established between the input/output behavior of the implementation and specification. The relation corresponds to changes in the input/output behavior that result from pipelining, and takes into account data hazards and control transfer instructions that modify pipelined execution. The correctness requirement is that the β-relation hold between the implementation and specification. We use symbolic simulation of the specification and implementation to verify their functional equivalence. We characterize the pipelined and unpipelined microprocessors as definite machines (i.e. a machine in which for some constant k, the output of the machine depends only on the last k inputs) for verification purposes. We show that only a small number of cycles, rather than exhaustive state transition graph traversal and state enumeration, have to be simulated for each machine to verify whether the implementation is in β-relation with the specification. Experimental results are presented.
Symbolic Simulation: Techniques and Applications. In DAC, 1990.
Cited by 13 (2 self)
Abstract
Symbolic simulation involves evaluating circuit behavior using special symbolic values to encode a range of circuit operating conditions. In one simulation run, a symbolic simulator can compute what would require many runs of a traditional simulator. Symbolic simulation has applications in both logic and timing verification, as well as sequential test generation.
A Practical Methodology for the Formal Verification of RISC Processors, 1995.
Cited by 9 (0 self)
Abstract
In this paper a practical methodology for formally verifying RISC cores is presented. This methodology is based on a hierarchical model of interpreters which reflects the abstraction levels used by a designer in the implementation of RISC cores, namely the architecture level, the pipeline stage level, the clock phase level and the hardware implementation. The use of this model allows us to successively prove the correctness between two neighbouring levels of abstraction, so that the verification process is simplified. The parallelism in the execution of the instructions, resulting from the pipelined architecture of RISCs, is handled by splitting the proof into two independent steps. The first step shows that each architectural instruction is implemented correctly by the sequential execution of its pipeline stages. The second step shows that the instructions are correctly processed by the pipeline in that we prove that under certain constraints from the actual architecture, no conflic...