Correctness of Pipelined Machines
Formal Methods in Computer-Aided Design – FMCAD 2000, volume 1954 of LNCS
Cited by 26 (13 self)
Abstract
The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are flawed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briefly, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable infinite paths, up to stuttering. This implies that the two machines satisfy the same CTL*\X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...
Correcting Deadlocking Service Choreographies Using a Simulation-Based Graph Edit Distance
Cited by 16 (7 self)
Abstract
Much work has been conducted to analyze service choreographies in order to assert manifold correctness criteria. While errors can be detected automatically, the correction of defective services is usually done manually. This paper introduces a graph-based approach to calculate the minimal edit distance between a given defective service and synthesized correct services. This edit distance helps to automatically fix found errors while keeping the rest of the service untouched. A prototypic implementation shows that the approach is applicable to real-life services. Key words: Choreographies, graph correction, correction of services, verification of services, service automata, operating guidelines, BPEL
Normed Simulations
In Proceedings CAV'98, 1998
Cited by 13 (1 self)
Abstract
In existing simulation proof techniques, a single step in a low-level system may be simulated by an extended execution fragment in a high-level system. As a result, it is undecidable whether a given relation is a simulation, even if tautology checking is decidable for the underlying specification logic. This paper introduces various types of normed simulations. In a normed simulation, each step in a low-level system can be simulated by at most one step in the high-level system, for any related pair of states. We show that it is decidable whether a given relation is a normed simulation relation, given that tautology checking is decidable. We also prove that, at the semantic level, normed simulations form a complete proof method for establishing behavior inclusion, provided that the high-level system has finite invisible nondeterminism. As an illustration of our method we discuss the verification in PVS of a leader election algorithm that is used within the IEEE 1394 protocol.
Linking Theorem Proving and Model-Checking with Well-Founded Bisimulation
1999
Cited by 13 (6 self)
Abstract
We present an approach to verification that combines the strengths of model-checking and theorem proving. We use theorem proving to show a bisimulation up to stuttering on a potentially infinite-state system. Our characterization of stuttering bisimulation allows us to do such proofs by reasoning only about single steps of the system. We present an on-the-fly method that extracts the reachable quotient structure induced by the bisimulation, if the structure is finite. If our specification is a temporal logic formula, we model-check the quotient structure. If our specification is a simpler system, we use an equivalence checker to show that the quotient structure is stuttering bisimilar to the simpler system. The results obtained on the quotient structure lift to the original system, because the quotient, by construction, is refined by the original system. We demonstrate our methodology by verifying the alternating bit protocol. This protocol cannot be directly model-ch...
Proof-Checking Protocols using Bisimulations
In Proc. CONCUR'99, LNCS 1664, 1999
Cited by 11 (2 self)
Abstract
We report on our experience in using the Isabelle/HOL theorem prover to mechanize proofs of observation equivalence for systems with infinitely many states, and for parameterized systems. We follow the direct approach: An infinite relation containing the pair of systems to be shown equivalent is defined, and then proved to be a weak bisimulation. The weak bisimilarity proof is split into many cases, corresponding to the derivatives of the pairs in the relation. Isabelle/HOL automatically proves simple cases, and guarantees that no case is forgotten. The strengths and weaknesses of the approach are discussed.
A compositional theory of refinement for branching time
12th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2003, volume 2860 of LNCS, 2003
Cited by 10 (6 self)
Abstract
I develop a compositional theory of refinement for the branching time framework based on stuttering simulation and prove that if one system refines another, then a refinement map always exists. The existence of refinement maps in the linear time framework was studied in an influential paper by Abadi and Lamport. My interest in proving analogous results for the branching time framework arises from the observation that in the context of mechanical verification, branching time has some important advantages. By setting up the refinement problem in a way that differs from the Abadi and Lamport approach, I obtain a proof of the existence of refinement maps (in the branching time framework) that does not depend on any of the conditions found in the work of Abadi and Lamport, e.g., machine closure, finite invisible nondeterminism, internal continuity, the use of history and prophecy variables, etc. A direct consequence is that refinement maps always exist in the linear time framework, subject only to the use of prophecy-like variables.
A categorical approach to simulations
Lecture Notes in Computer Science, 2005
Cited by 8 (3 self)
Abstract
Simulations are a very natural way of relating concurrent systems, which are mathematically modeled by Kripke structures. The range of available notions of simulations makes it very natural to adopt a categorical viewpoint in which Kripke structures become the objects of several categories while the morphisms are obtained from the corresponding notion of simulation. Here we define in detail several of those categories, collect them together in various institutions, and study their most interesting properties.
A complete compositional reasoning framework for the efficient verification of pipelined machines
In ICCAD-2005, International Conference on Computer-Aided Design, 2005
Cited by 7 (5 self)
Abstract
We present a compositional reasoning framework based on refinement for verifying that pipelined machines satisfy the same safety and liveness properties as their instruction set architectures. Our framework consists of a set of convenient, easily applicable, and complete compositional proof rules. We show that our framework greatly extends the applicability of decision procedures by verifying a complex, deeply pipelined machine that state-of-the-art tools cannot currently handle. We discuss how our framework can be added to the design cycle and highlight what arguably is the most important benefit of our approach over current methods: the counterexamples generated are much simpler, as bugs are isolated to a particular step in the composition proof.
A computationally efficient method based on commitment refinement maps for verifying pipelined machine models
In ACM-IEEE International Conference on Formal Methods and Models for Codesign, 2005
Cited by 4 (4 self)
Abstract
We introduce a new method of automating the verification of term-level pipelined machine models that is based on commitment refinement maps. Our method is much simpler to implement than current alternatives. More importantly, as our extensive experiments show, our method leads to more than a 30-fold improvement in verification times over the standard approaches to pipelined machine verification, which use refinement maps based on flushing and commitment. In addition, we can verify machines that are too complex to directly verify using flushing-based refinement maps.
A Framework for Verifying Bit-Level Pipelined Machines Based on Automated Deduction and Decision Procedures
Journal of Automated Reasoning, 2006
Cited by 3 (0 self)
Abstract
We describe an approach to verifying bit-level pipelined machine models using a combination of deductive reasoning and decision procedures. While theorem proving systems such as ACL2 have been used to verify bit-level designs, they typically require extensive expert user support. Decision procedures such as those implemented in UCLID can be used to automatically and efficiently verify term-level pipelined machine models, but these models use numerous abstractions, implement a subset of the instruction set, and are far from executable. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bit-level machine refines its instruction set architecture to a proof that a term-level abstraction of the bit-level machine refines the instruction set architecture, which is then handled automatically by UCLID. We demonstrate the efficiency of our approach by applying it to verify a complex seven-stage bit-level interface pipelined machine model that implements 593 instructions and has features such as branch prediction, exceptions, and predicated instruction execution. Such a proof is not possible using UCLID alone and would require prohibitively more effort using just ACL2.