Results 1  10
of
30
Formal Verification of the AAMP5 Microprocessor  A Case Study in the . . .
, 1995
"... This paper describes the experiences of Collins Commercial Avionics and SRI International in formally specifying and verifying the microcode for the AAMP5 microprocessor with the PVS verification system. This project was conducted to determine if an industrial microprocessor designed for use in real ..."
Abstract

Cited by 63 (1 self)
 Add to MetaCart
This paper describes the experiences of Collins Commercial Avionics and SRI International in formally specifying and verifying the microcode for the AAMP5 microprocessor with the PVS verification system. This project was conducted to determine if an industrial microprocessor designed for use in realtime embedded systems could be formally specified at the instruction set and register transfer levels and if formal proofs could be used to prove the microcode correct. The paper provides a brief technical overview, but its emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal methods in an industrial setting. Keywords: Formal Methods, Formal Specification, Formal Verification, Microprocessor Verification, Microcode Verification, Hardware Verification, High Integrity Systems, Safety Critical Systems, PVS #### Software and digital hardware are increasingly being used in situations where failure could be life threatening, such as a...
Vacuity Detection in Temporal Model Checking
, 1999
"... One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelcheckin ..."
Abstract

Cited by 62 (15 self)
 Add to MetaCart
One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelchecking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Architecture Validation for Processors
, 1995
"... Modern, high performance microprocessors are extremely complex machines which require substantial validation effort to ensure functional correctness prior to tapeout. Generating the corner cases to test these designs is a mostly manual process, where completion is hard to judge. Experience shows tha ..."
Abstract

Cited by 60 (0 self)
 Add to MetaCart
Modern, high performance microprocessors are extremely complex machines which require substantial validation effort to ensure functional correctness prior to tapeout. Generating the corner cases to test these designs is a mostly manual process, where completion is hard to judge. Experience shows that the errors that are caught late in the design, many postsilicon, are interactions between different components in very improbable corner case situations. In this paper we present a technique that targets such errorcausing interactions by automatically generating test vectors that will cause the processor to exercise all transitions of the control logic in simulation. We use techniques from formal verification to derive transition tours of a fully enumerated state graph of the control logic of the processor. Our system works from a Verilog description of the original machine and is currently being used to validate an embedded dualissue processor in the node controller of the Stanford FLA...
Efficient Detection of Vacuity in ACTL Formulas
 FMSD
, 1997
"... Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We ca ..."
Abstract

Cited by 41 (4 self)
 Add to MetaCart
Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We call this a vacuous pass, and extend the definition of vacuity to cover other kinds of trivial passes in temporal logic. We define wACTL, a subset of CTL and show by construction that for every wACTL formula \phi there is a formula w(\phi), such that: both \phi and w(\phi) are true in some model M iff \phi passes vacuously. A useful sideeffect of w(\phi) is that if false, any counterexample is also a nontrivial witness of the original formula \phi.
Coverage metrics for temporal logic model checking
 in Lecture Notes in Computer Science
, 2001
"... Abstract. In formal verification, we verify that a system is correct with respect to a specification. Even when the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study cov ..."
Abstract

Cited by 27 (12 self)
 Add to MetaCart
Abstract. In formal verification, we verify that a system is correct with respect to a specification. Even when the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We introduce two principles that we believe should be part of any coverage metric for model checking: a distinction between statebased and logicbased coverage, and a distinction between the system and its environment. We suggest several coverage metrics that apply these principles, and we describe two algorithms for finding the uncovered parts of the system under these definitions. The first algorithm is a symbolic implementation of a naive algorithm that model checks many variants of the original system. The second algorithm improves the naive algorithm by exploiting overlaps in the variants. We also suggest a few helpful outputs to the user, once the uncovered parts are found. 1
Enhanced Vacuity Detection in Linear Temporal Logic
, 2003
"... One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to a correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelche ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to a correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelchecking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in cases where model checking succeeds.
A practical approach to coverage in model checking
 In Computer Aided Verification, Proc. 13th International Conference
, 2001
"... Abstract. In formal verification, we verify that a system is correct with respect to a specification. When verification succeeds and the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In th ..."
Abstract

Cited by 23 (8 self)
 Add to MetaCart
Abstract. In formal verification, we verify that a system is correct with respect to a specification. When verification succeeds and the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking from a practical point of view. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We suggest several definitions of coverage, suitable for specifications given in linear temporal logic or by automata on infinite words. We describe two algorithms for computing the parts of the system that are not covered by the specification. The first algorithm is built on top of automatabased modelchecking algorithms. The second algorithm reduces the coverage problem to the modelchecking problem. Both algorithms can be implemented on top of existing model checking tools. 1
Efficient Detection of Vacuity in Temporal Model Checking
 Formal Methods in System Design
, 2001
"... Abstract. The ability to generate a counterexample is an important feature of model checking tools, because a counterexample provides information to the user in the case that the formula being checked is found to be nonvalid. In this paper, we turn our attention to providing similar feedback to t ..."
Abstract

Cited by 23 (5 self)
 Add to MetaCart
Abstract. The ability to generate a counterexample is an important feature of model checking tools, because a counterexample provides information to the user in the case that the formula being checked is found to be nonvalid. In this paper, we turn our attention to providing similar feedback to the user in the case that the formula is found to be valid, because valid formulas can hide real problems in the model. For instance, propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is trivially valid because the precondition of the implication is not satisfiable. We call this vacuity, and extend the definition to cover other kinds of trivial validity. For nonvacuously valid formulas, we define an interesting witness as a nontrivial example of the validity of the formula. We formalize the notions of vacuity and interesting witness, and show how to detect vacuity and generate interesting witnesses in temporal model checking. Finally, we provide a practical solution for a useful subset of ACTL formulas.
Search vs. symbolic techniques in satisfiability solving
 in Proceedings 7th International Conference on Theory and Applications of Satisfiability Testing
, 2004
"... Abstract. Recent work has shown how to use OBDDs for satisfiability solving. The idea of this approach, which we call symbolic quantifier elimination, is to view an instance of propositional satisfiability as an existentially quantified propositional formula. Satisfiability solving then amounts to q ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
Abstract. Recent work has shown how to use OBDDs for satisfiability solving. The idea of this approach, which we call symbolic quantifier elimination, is to view an instance of propositional satisfiability as an existentially quantified propositional formula. Satisfiability solving then amounts to quantifier elimination; once all quantifiers have been eliminated we are left with either 1 or 0. Our goal in this work is to study the effectiveness of symbolic quantifier elimination as an approach to satisfiability solving. To that end, we conduct a direct comparison with the DPLLbased ZChaff, as well as evaluate a variety of optimization techniques for the symbolic approach. In comparing the symbolic approach to ZChaff, we evaluate scalability across a variety of classes of formulas. We find that no approach dominates across all classes. While ZChaff dominates for many classes of formulas, the symbolic approach is superior for other classes of formulas. Once we have demonstrated the viability of the symbolic approach, we focus on optimization techniques for this approach. We study techniques from constraint satisfaction for finding a good plan for performing the symbolic operations of conjunction and of existential quantification. We also study various variableordering heuristics, finding that while no heuristic seems to dominate across all classes of formulas, the maximumcardinality search heuristic seems to offer the best overall performance. 1
How vacuous is vacuous
 In Proc. 10th TACAS, LNCS 2988
, 2004
"... Abstract. Modelchecking gained wide popularity for analyzing software and hardware systems. However, even when the desired property holds, the property or the model may still require fixing. For example, a property ϕ: “on all paths, a request is followed by an acknowledgment”, may hold because no r ..."
Abstract

Cited by 19 (8 self)
 Add to MetaCart
Abstract. Modelchecking gained wide popularity for analyzing software and hardware systems. However, even when the desired property holds, the property or the model may still require fixing. For example, a property ϕ: “on all paths, a request is followed by an acknowledgment”, may hold because no requests have been generated. Vacuity detection has been proposed to address the above problem. This technique is able to determine that the above property ϕ is satisfied vacuously in systems where requests are never sent. Recent work in this area enabled the computation of interesting witnesses for the satisfaction of properties (in our case, those that satisfy ϕ and contain a request) and vacuity detection with respect to subformulas with single and multiple subformula occurrences. Often, the answer “vacuous ” or “not vacuous”, provided by existing techniques, is insufficient. Instead, we want to identify all subformulas of a given CTL formula that cause its vacuity, or better, identify all maximal such subformulas. Further, these subformulas may be mutually vacuous. In this paper, we propose a framework for identifying a variety of degrees of vacuity, including mutual vacuity between different subformulas. We also cast vacuity detection as a multivalued modelchecking problem. 1