Formal Verification of the AAMP5 Microprocessor  A Case Study in the . . .
, 1995
Cited by 63 (1 self)
This paper describes the experiences of Collins Commercial Avionics and SRI International in formally specifying and verifying the microcode for the AAMP5 microprocessor with the PVS verification system. This project was conducted to determine if an industrial microprocessor designed for use in real-time embedded systems could be formally specified at the instruction set and register transfer levels and if formal proofs could be used to prove the microcode correct. The paper provides a brief technical overview, but its emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal methods in an industrial setting. Keywords: Formal Methods, Formal Specification, Formal Verification, Microprocessor Verification, Microcode Verification, Hardware Verification, High Integrity Systems, Safety Critical Systems, PVS

Software and digital hardware are increasingly being used in situations where failure could be life threatening, such as a...
Architecture Validation for Processors
, 1995
Cited by 61 (0 self)
Modern, high-performance microprocessors are extremely complex machines which require substantial validation effort to ensure functional correctness prior to tape-out. Generating the corner cases to test these designs is a mostly manual process, where completion is hard to judge. Experience shows that the errors that are caught late in the design, many post-silicon, are interactions between different components in very improbable corner-case situations. In this paper we present a technique that targets such error-causing interactions by automatically generating test vectors that will cause the processor to exercise all transitions of the control logic in simulation. We use techniques from formal verification to derive transition tours of a fully enumerated state graph of the control logic of the processor. Our system works from a Verilog description of the original machine and is currently being used to validate an embedded dual-issue processor in the node controller of the Stanford FLA...
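The abstract above describes deriving a transition tour of the enumerated control-logic state graph and turning it into simulation vectors. The following is an added illustration, not code from the paper or its tool: a greedy tour generator over a constructed toy arbiter FSM (states, inputs and next-state table are all made up here). From the reset state it repeatedly searches breadth-first for the nearest transition not yet exercised, drives the inputs to reach and take it, and stops when no unexercised transition is reachable; the leftover set is reported, since an unreachable control transition is itself a finding worth a look.

```python
"""Test-vector generation by transition tour over an enumerated control-logic
state graph.  Constructed example (toy arbiter FSM), not the paper's tool."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Trans = Tuple[str, str]      # (state, input symbol)
Delta = Dict[Trans, str]     # next-state function


def transition_tour(delta: Delta, reset: str) -> Tuple[List[str], Set[Trans]]:
    """Return (input sequence from reset, transitions that could not be reached).

    Greedy, not minimal: each round walks to the nearest uncovered edge and takes
    it, marking every edge on the way as exercised as well."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for (s, inp), nxt in delta.items():
        out.setdefault(s, []).append((inp, nxt))
        out.setdefault(nxt, [])
    uncovered: Set[Trans] = set(delta)
    vectors: List[str] = []
    cur = reset
    while True:
        # BFS from the current state for the nearest uncovered edge.
        parent: Dict[str, Optional[Tuple[str, str]]] = {cur: None}
        queue = deque([cur])
        goal: Optional[Trans] = None
        while queue and goal is None:
            s = queue.popleft()
            for inp, nxt in out[s]:
                if (s, inp) in uncovered:
                    goal = (s, inp)
                    break
                if nxt not in parent:
                    parent[nxt] = (s, inp)
                    queue.append(nxt)
        if goal is None:
            return vectors, uncovered
        # Rebuild the inputs leading from cur to goal's source state, then take goal.
        path: List[str] = []
        s = goal[0]
        while parent[s] is not None:
            prev, inp = parent[s]
            path.append(inp)
            s = prev
        for inp in path[::-1] + [goal[1]]:
            uncovered.discard((cur, inp))
            vectors.append(inp)
            cur = delta[(cur, inp)]


def replay(delta: Delta, reset: str, vectors: List[str]) -> Set[Trans]:
    """Simulate the vectors from reset and return the transitions they exercise."""
    cur, seen = reset, set()
    for inp in vectors:
        seen.add((cur, inp))
        cur = delta[(cur, inp)]
    return seen


# Constructed control FSM: a three-state arbiter plus a 'dead' state that no
# input sequence from reset can reach (it stands in for unreachable control logic).
DELTA: Delta = {
    ('idle', 'none'): 'idle',  ('idle', 'req'): 'busy',   ('idle', 'grant'): 'idle',
    ('busy', 'none'): 'busy',  ('busy', 'req'): 'stall',  ('busy', 'grant'): 'idle',
    ('stall', 'none'): 'stall', ('stall', 'req'): 'stall', ('stall', 'grant'): 'busy',
    ('dead', 'none'): 'dead',  ('dead', 'req'): 'dead',   ('dead', 'grant'): 'dead',
}

if __name__ == '__main__':
    vecs, left = transition_tour(DELTA, 'idle')
    print('vectors:', vecs)
    print('exercised:', len(replay(DELTA, 'idle', vecs)), 'of', len(DELTA))
    print('unreachable transitions:', sorted(left))
```

The replay function is the check a practitioner wants: the generated sequence is simulated independently of the generator and the set of transitions it actually drives is compared with the tour's own bookkeeping.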
Vacuity Detection in Temporal Model Checking
, 1999
Cited by 60 (14 self)
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case where model checking succeeds. The main justification for such suspicions is possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Efficient Detection of Vacuity in ACTL Formulas
 FMSD
, 1997
Cited by 42 (4 self)
Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We call this a vacuous pass, and extend the definition of vacuity to cover other kinds of trivial passes in temporal logic. We define wACTL, a subset of CTL, and show by construction that for every wACTL formula φ there is a formula w(φ) such that both φ and w(φ) are true in some model M iff φ passes vacuously. A useful side-effect of w(φ) is that if it is false, any counterexample is also a non-trivial witness of the original formula φ.
Coverage metrics for temporal logic model checking
 in Lecture Notes in Computer Science
, 2001
Cited by 27 (12 self)
In formal verification, we verify that a system is correct with respect to a specification. Even when the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We introduce two principles that we believe should be part of any coverage metric for model checking: a distinction between state-based and logic-based coverage, and a distinction between the system and its environment. We suggest several coverage metrics that apply these principles, and we describe two algorithms for finding the uncovered parts of the system under these definitions. The first algorithm is a symbolic implementation of a naive algorithm that model checks many variants of the original system. The second algorithm improves the naive algorithm by exploiting overlaps in the variants. We also suggest a few helpful outputs to the user, once the uncovered parts are found.
Enhanced Vacuity Detection in Linear Temporal Logic
, 2003
Cited by 24 (4 self)
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to a correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in cases where model checking succeeds.
A practical approach to coverage in model checking
 In Computer Aided Verification, Proc. 13th International Conference
, 2001
Cited by 23 (8 self)
In formal verification, we verify that a system is correct with respect to a specification. When verification succeeds and the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking from a practical point of view. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We suggest several definitions of coverage, suitable for specifications given in linear temporal logic or by automata on infinite words. We describe two algorithms for computing the parts of the system that are not covered by the specification. The first algorithm is built on top of automata-based model-checking algorithms. The second algorithm reduces the coverage problem to the model-checking problem. Both algorithms can be implemented on top of existing model checking tools.
Efficient Detection of Vacuity in Temporal Model Checking
 Formal Methods in System Design
, 2001
Cited by 22 (5 self)
The ability to generate a counterexample is an important feature of model checking tools, because a counterexample provides information to the user in the case that the formula being checked is found to be non-valid. In this paper, we turn our attention to providing similar feedback to the user in the case that the formula is found to be valid, because valid formulas can hide real problems in the model. For instance, propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is trivially valid because the precondition of the implication is not satisfiable. We call this vacuity, and extend the definition to cover other kinds of trivial validity. For non-vacuously valid formulas, we define an interesting witness as a non-trivial example of the validity of the formula. We formalize the notions of vacuity and interesting witness, and show how to detect vacuity and generate interesting witnesses in temporal model checking. Finally, we provide a practical solution for a useful subset of ACTL formulas.
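The vacuity papers above (the w(φ) construction and the antecedent-failure example) and the two coverage papers describe closely related checks on a passing verification: replace a subformula by a constant and see whether the specification still holds (vacuity), or mutate the system and see whether the specification still holds (coverage). The following added example, constructed for this page and not taken from any of the papers, shows both on one small explicit-state CTL checker. The Kripke structure, its labelling and the property AG(req → AF ack) are all made up here; `subst`, `vacuous`, `interesting_witness` and `uncovered` are this example's own names. Vacuity follows Beer et al.'s scheme of replacing a positive-polarity subformula with false; the interesting witness is a reachable state that refutes w(φ) = AG(req → false), that is, a state where the antecedent actually holds; coverage flips one atom in one state and re-checks.

```python
"""Explicit-state CTL model checking on a small Kripke structure, with
vacuity detection by subformula replacement and mutation-based state
coverage.  Constructed example, not code from the papers on this page."""
from typing import Dict, Set, Tuple

# A model is (initial state, successor map, labelling: atoms true in each state).
Model = Tuple[str, Dict[str, Set[str]], Dict[str, Set[str]]]
# Formulas are nested tuples: ('atom', 'p'), ('const', True), ('not', f),
# ('and', f, g), ('or', f, g), ('imp', f, g), ('EX'|'AX'|'EF'|'AF'|'EG'|'AG', f).


def sat(model: Model, f) -> Set[str]:
    """States satisfying f (the transition relation is assumed total)."""
    _, succ, labels = model
    states = set(succ)
    op = f[0]
    if op == 'const':
        return set(states) if f[1] else set()
    if op == 'atom':
        return {s for s in states if f[1] in labels[s]}
    if op == 'not':
        return states - sat(model, f[1])
    if op == 'and':
        return sat(model, f[1]) & sat(model, f[2])
    if op == 'or':
        return sat(model, f[1]) | sat(model, f[2])
    if op == 'imp':
        return (states - sat(model, f[1])) | sat(model, f[2])
    if op == 'EX':
        z = sat(model, f[1])
        return {s for s in states if succ[s] & z}
    if op == 'AX':
        z = sat(model, f[1])
        return {s for s in states if succ[s] <= z}
    if op == 'EF':  # least fixpoint of Z = sat(g) | pre(Z)
        z = sat(model, f[1])
        while True:
            nz = z | {s for s in states if succ[s] & z}
            if nz == z:
                return z
            z = nz
    if op == 'EG':  # greatest fixpoint of Z = sat(g) & pre(Z)
        z = sat(model, f[1])
        while True:
            nz = {s for s in z if succ[s] & z}
            if nz == z:
                return z
            z = nz
    if op == 'AG':
        return sat(model, ('not', ('EF', ('not', f[1]))))
    if op == 'AF':
        return sat(model, ('not', ('EG', ('not', f[1]))))
    raise ValueError(f"unknown operator {op}")


def holds(model: Model, f) -> bool:
    return model[0] in sat(model, f)


def reachable(model: Model) -> Set[str]:
    init, succ, _ = model
    seen, stack = {init}, [init]
    while stack:
        for t in succ[stack.pop()]:
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def subst(f, target, repl):
    """Replace every occurrence of subformula `target` in f by `repl`."""
    if f == target:
        return repl
    return (f[0],) + tuple(subst(x, target, repl) if isinstance(x, tuple) else x
                           for x in f[1:])


def vacuous(model: Model, phi, psi, positive: bool = True) -> bool:
    """phi passes vacuously in psi iff phi still holds with psi replaced by false
    (psi of positive polarity) or true (negative polarity): psi never mattered."""
    return holds(model, subst(phi, psi, ('const', not positive)))


def interesting_witness(model: Model, phi) -> Set[str]:
    """For phi = AG(a -> b): reachable states where the antecedent a holds.  Each
    refutes w(phi) = AG(a -> false), so it is a non-trivial witness for phi."""
    assert phi[0] == 'AG' and phi[1][0] == 'imp'
    return reachable(model) & sat(model, phi[1][1])


def uncovered(model: Model, phi, atom: str) -> Set[str]:
    """Mutation coverage: a reachable state is covered by phi for `atom` if flipping
    `atom` there falsifies phi.  Returns the states where the flip goes unnoticed."""
    init, succ, labels = model
    out = set()
    for s in reachable(model):
        mutated = {t: set(l) for t, l in labels.items()}
        mutated[s] ^= {atom}
        if holds((init, succ, mutated), phi):
            out.add(s)
    return out


# Constructed model: s0 -> {s1, s3}, s1 -> s2, s2 -> s0, s3 -> s3.
SUCC = {'s0': {'s1', 's3'}, 's1': {'s2'}, 's2': {'s0'}, 's3': {'s3'}}
M_OK: Model = ('s0', SUCC, {'s0': set(), 's1': {'req'}, 's2': {'ack'}, 's3': set()})
M_VAC: Model = ('s0', SUCC, {'s0': set(), 's1': set(), 's2': {'ack'}, 's3': set()})
PHI = ('AG', ('imp', ('atom', 'req'), ('AF', ('atom', 'ack'))))  # every request is acked

if __name__ == '__main__':
    for name, m in (('M_OK', M_OK), ('M_VAC', M_VAC)):
        print(name, 'holds:', holds(m, PHI),
              'vacuous in AF ack:', vacuous(m, PHI, ('AF', ('atom', 'ack'))),
              'witness:', sorted(interesting_witness(m, PHI)),
              'uncovered for ack:', sorted(uncovered(m, PHI, 'ack')))
```

Both models satisfy PHI. In M_VAC no reachable state ever raises req, so PHI also holds with AF ack replaced by false: a vacuous pass with no witness, and every state is uncovered for ack because the specification never looks at it. In M_OK the witness is s1, and s2 is the only state covered for ack: flipping ack anywhere else leaves PHI true, which tells the user that the specification says nothing about ack in those states.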
Search vs. symbolic techniques in satisfiability solving
 in Proceedings 7th International Conference on Theory and Applications of Satisfiability Testing
, 2004
Cited by 18 (3 self)
Recent work has shown how to use OBDDs for satisfiability solving. The idea of this approach, which we call symbolic quantifier elimination, is to view an instance of propositional satisfiability as an existentially quantified propositional formula. Satisfiability solving then amounts to quantifier elimination; once all quantifiers have been eliminated we are left with either 1 or 0. Our goal in this work is to study the effectiveness of symbolic quantifier elimination as an approach to satisfiability solving. To that end, we conduct a direct comparison with the DPLL-based ZChaff, as well as evaluate a variety of optimization techniques for the symbolic approach. In comparing the symbolic approach to ZChaff, we evaluate scalability across a variety of classes of formulas. We find that no approach dominates across all classes. While ZChaff dominates for many classes of formulas, the symbolic approach is superior for other classes of formulas. Once we have demonstrated the viability of the symbolic approach, we focus on optimization techniques for this approach. We study techniques from constraint satisfaction for finding a good plan for performing the symbolic operations of conjunction and of existential quantification. We also study various variable-ordering heuristics, finding that while no heuristic seems to dominate across all classes of formulas, the maximum-cardinality search heuristic seems to offer the best overall performance.
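The abstract above explains satisfiability as quantifier elimination: treat the CNF as ∃x1…∃xn φ and eliminate one variable at a time by conjoining the functions that mention it and projecting it out, until only the constant 1 or 0 remains. The following is an added example written for this page, not the paper's code. It uses explicit truth tables where the paper uses OBDDs, so it demonstrates the bucket-elimination plan and a maximum-cardinality-search variable order, not the OBDD data structure; the clause instances are constructed, and `clause_func`, `conjoin`, `exists`, `mcs_order` and `is_sat` are this example's own names. The convention of eliminating in reverse MCS visit order is this example's choice.

```python
"""SAT as symbolic quantifier elimination with explicit truth tables.
Constructed example, not the paper's implementation."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

# A Boolean function is (support, table): support is a sorted tuple of variable
# numbers, table the set of satisfying rows (tuples of bools aligned with support).
Func = Tuple[Tuple[int, ...], FrozenSet[Tuple[bool, ...]]]


def clause_func(clause: List[int]) -> Func:
    """DIMACS-style clause: positive int = variable, negative int = its negation."""
    support = tuple(sorted({abs(l) for l in clause}))
    rows = set()
    for bits in product((False, True), repeat=len(support)):
        env = dict(zip(support, bits))
        if any(env[abs(l)] == (l > 0) for l in clause):
            rows.add(bits)
    return support, frozenset(rows)


def conjoin(f: Func, g: Func) -> Func:
    fs, ft = f
    gs, gt = g
    support = tuple(sorted(set(fs) | set(gs)))
    fi = [support.index(v) for v in fs]   # column positions of f's variables
    gi = [support.index(v) for v in gs]
    rows = {bits for bits in product((False, True), repeat=len(support))
            if tuple(bits[i] for i in fi) in ft and tuple(bits[i] for i in gi) in gt}
    return support, frozenset(rows)


def exists(f: Func, var: int) -> Func:
    """Existential quantification: drop var's column and merge duplicate rows."""
    support, table = f
    if var not in support:
        return f
    i = support.index(var)
    return support[:i] + support[i + 1:], frozenset(r[:i] + r[i + 1:] for r in table)


def mcs_order(clauses: List[List[int]]) -> List[int]:
    """Maximum-cardinality search on the primal graph (variables adjacent when they
    share a clause): repeatedly visit the unvisited variable with the most visited
    neighbours, ties broken by smallest variable.  Elimination order is the
    reverse of the visit order (this example's convention)."""
    adj: Dict[int, Set[int]] = {}
    for c in clauses:
        vs = {abs(l) for l in c}
        for v in vs:
            adj.setdefault(v, set()).update(vs - {v})
    visited: List[int] = []
    while len(visited) < len(adj):
        seen = set(visited)
        v = max((v for v in adj if v not in seen),
                key=lambda v: (len(adj[v] & seen), -v))
        visited.append(v)
    return visited[::-1]


def is_sat(clauses: List[List[int]], order: List[int]) -> bool:
    """Bucket elimination: for each variable in order, conjoin every function whose
    support contains it and project it out.  Once every variable is gone, each
    remaining function is the constant true ({()}) or false (empty table)."""
    funcs = [clause_func(c) for c in clauses]
    for var in order:
        bucket = [f for f in funcs if var in f[0]]
        if not bucket:
            continue
        acc = bucket[0]
        for f in bucket[1:]:
            acc = conjoin(acc, f)
        funcs = [f for f in funcs if var not in f[0]] + [exists(acc, var)]
    return all(f[1] for f in funcs)


def brute_force(clauses: List[List[int]]) -> bool:
    """Reference answer by enumeration, to cross-check the elimination."""
    vs = sorted({abs(l) for c in clauses for l in c})
    return any(all(any((l > 0) == env[abs(l)] for l in c) for c in clauses)
               for bits in product((False, True), repeat=len(vs))
               for env in [dict(zip(vs, bits))])


# Constructed instances.
SAT_CLAUSES = [[1, 2], [-1, 3], [-2, -3], [3, 4]]
UNSAT_CLAUSES = [[1, 2], [-1, 2], [1, -2], [-1, -2]]

if __name__ == '__main__':
    for cls in (SAT_CLAUSES, UNSAT_CLAUSES):
        order = mcs_order(cls)
        print(cls, 'order', order, 'sat' if is_sat(cls, order) else 'unsat',
              '| brute force agrees:', is_sat(cls, order) == brute_force(cls))
```

The variable order is the whole game: the intermediate function produced by `conjoin` has support equal to the union of the bucket's supports, so a poor order builds wide tables (for OBDDs, wide supports and bad orders likewise blow up node counts), which is why the paper spends its optimisation effort on the elimination plan and ordering heuristics.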
A framework for microprocessor correctness statements
 In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME)
, 2001
Cited by 17 (2 self)
Most verifications of out-of-order microprocessors compare state-machine-based implementations and specifications, where the specification is based on the instruction-set architecture. The different efforts use a variety of correctness statements, implementations, and verification approaches. We present a framework for classifying correctness statements about safety that is independent of implementation representation and verification approach. We characterize the relationships between the different statements and illustrate how existing and classical approaches fit within this framework.