A Grand Challenge Proposal for Formal Methods: A Verified Stack
Cited by 30 (1 self)
We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of their choice. The point is not to have just one integrated formal method or just one verified application, but to encourage groups to develop the techniques and methodologies necessary for system-level verification.
Automatic Verification of Safety and Liveness for XScale-Like Processor Models Using WEB-Refinements
In Design Automation and Test in Europe, DATE'04, 2003
Cited by 23 (11 self)
We show how to automatically verify that a complex XScale-like pipelined machine model is a WEB-refinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEB-refinement proof obligation to a formula in the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). We use UCLID to transform the resulting CLU formula into a CNF formula, which is then checked with a SAT solver. We define several XScale-like models with out-of-order completion, including models with precise exceptions, branch prediction, and interrupts. We use two types of refinement maps. In one, flushing is used to map pipelined machine states to instruction set architecture states; in the other, we use the commitment approach, which is the dual of flushing, since partially completed instructions are invalidated. We present experimental results for all the machines modeled, including verification times. For our application, we found that the SAT solver Siege provides superior performance over Chaff and that the amount of time spent proving liveness when using the commitment approach is less than 1% of the overall verification time, whereas when flushing is employed, the liveness proof accounts for about 10% of the verification time.
A framework for microprocessor correctness statements
In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), 2001
Cited by 20 (3 self)
Most verifications of out-of-order microprocessors compare state-machine-based implementations and specifications, where the specification is based on the instruction-set architecture. The different efforts use a variety of correctness statements, implementations, and verification approaches. We present a framework for classifying correctness statements about safety that is independent of implementation representation and verification approach. We characterize the relationships between the different statements and illustrate how existing and classical approaches fit within this framework.
Refinement Maps for Efficient Verification of Processor Models
In Design Automation and Test in Europe, DATE'05, 2005
Cited by 16 (6 self)
While most of the effort in improving verification times for pipelined machine verification has focused on faster decision procedures, we show that the refinement maps used also have a drastic impact on verification times. We introduce a new class of refinement maps for pipelined machine verification, and using the state-of-the-art verification tools UCLID and Siege we show that one can attain several orders of magnitude improvements in verification times over the standard flushing-based refinement maps, even enabling the verification of machines that are too complex to otherwise automatically verify.
A compositional theory of refinement for branching time
12th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2003, volume 2860 of LNCS, 2003
Cited by 12 (7 self)
I develop a compositional theory of refinement for the branching time framework based on stuttering simulation and prove that if one system refines another, then a refinement map always exists. The existence of refinement maps in the linear time framework was studied in an influential paper by Abadi and Lamport. My interest in proving analogous results for the branching time framework arises from the observation that in the context of mechanical verification, branching time has some important advantages. By setting up the refinement problem in a way that differs from the Abadi and Lamport approach, I obtain a proof of the existence of refinement maps (in the branching time framework) that does not depend on any of the conditions found in the work of Abadi and Lamport, e.g., machine closure, finite invisible nondeterminism, internal continuity, the use of history and prophecy variables, etc. A direct consequence is that refinement maps always exist in the linear time framework, subject only to the use of prophecy-like variables.
Algorithms for ordinal arithmetic
In 19th International Conference on Automated Deduction (CADE), 2003
Cited by 11 (5 self)
Proofs of termination are essential for establishing the correct behavior of computing systems. There are various ways of establishing termination, but the most general involves the use of ordinals. An example of a theorem proving system in which ordinals are used to prove termination is ACL2. In ACL2, every function defined must be shown to terminate using the ordinals up to ε0. We use a compact notation for the ordinals up to ε0 (exponentially more succinct than the one used by ACL2) and define efficient algorithms for ordinal addition, subtraction, multiplication, and exponentiation. In this paper we describe our notation and algorithms, prove their correctness, and analyze their complexity.
A complete compositional reasoning framework for the efficient verification of pipelined machines
In ICCAD-2005, International Conference on Computer-Aided Design, 2005
Cited by 9 (7 self)
We present a compositional reasoning framework based on refinement for verifying that pipelined machines satisfy the same safety and liveness properties as their instruction set architectures. Our framework consists of a set of convenient, easily applicable, and complete compositional proof rules. We show that our framework greatly extends the applicability of decision procedures by verifying a complex, deeply pipelined machine that state-of-the-art tools cannot currently handle. We discuss how our framework can be added to the design cycle and highlight what arguably is the most important benefit of our approach over current methods: the counterexamples generated are much simpler, as bugs are isolated to a particular step in the composition proof.
A parameterized benchmark suite of hard pipelined-machine-verification problems
In Advanced Research Working Conference on Correct Hardware Design and Verification Methods, 2005
Verification of executable pipelined machines with bit-level interfaces
In ICCAD-2005, International Conference on Computer-Aided Design, 2005
Cited by 7 (4 self)
We show how to verify pipelined machine models with bit-level interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify pipelined machines, the models they handle abstract away the datapath, require the use of numerous abstractions, implement a small subset of the instruction set, and are far from executable. In contrast, we focus on verifying executable machines with bit-level interfaces. Such proofs have previously required substantial expert guidance and the use of deductive reasoning engines. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bit-level machine refines its instruction set architecture to a proof that a term-level abstraction of the bit-level machine refines the instruction set architecture, which is then handled automatically by UCLID. In this way, we exploit the strengths of ACL2 and UCLID to prove theorems that are not possible to even state using UCLID and that would require prohibitively more effort using just ACL2.
Fair Environment Assumptions in ACL2
Fourth International Workshop on ACL2 Theorem Prover and Its Applications, 2003
Cited by 6 (3 self)
Liveness (or progress) proofs about reactive systems generally require assumptions ensuring the fair selection of particular components of the input to the reactive systems. We document our approach to defining these fair environments and their use in liveness proofs in the theorem prover ACL2.