## A unified approach for combining different formalisms for hardware verification (1996)

Venue: PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON FORMAL METHODS IN COMPUTER-AIDED DESIGN, VOLUME 1166 OF LECTURE NOTES IN COMPUTER SCIENCE

Citations: 4 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Schneider96aunified,
  author    = {Klaus Schneider and Thomas Kropf},
  title     = {A unified approach for combining different formalisms for hardware verification},
  booktitle = {PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON FORMAL METHODS IN COMPUTER-AIDED DESIGN, VOLUME 1166 OF LECTURE NOTES IN COMPUTER SCIENCE},
  year      = {1996},
  pages     = {202--217},
  publisher = {Springer Verlag}
}
```


### Abstract

Model checking, the predominant technique for automatically verifying circuits, suffers from the well-known state explosion problem. This hinders the verification of circuits that contain non-trivial data paths. Recently, it has been shown that for such circuits it may be useful to separate the control and data parts prior to verification. This paper is also based on this idea and presents an approach for combining various proof approaches, such as model checking and theorem proving, in a unifying framework. In contrast to other approaches, special proof procedures are available to verify circuits with data-sensitive controllers, where a bidirectional signal flow between controller and data path can be found. Generic circuits can be verified by induction or by model checking finite instantiations. By giving the system 'proof hints', the verification effort for model checking based proofs can also be considerably reduced in many cases. The paper presents an introduction to the different proof strategies as well as an algorithm for their combination. The underlying C@S system also allows the efficiency of different approaches to verifying the same circuits to be evaluated. This is shown in different case studies, demonstrating the tradeoff between interaction and verifiable circuit size.

### Citations

2921 | Graph-based algorithms for boolean function manipulation
- Bryant
- 1986

Citation Context: ... Although more powerful than traditional simulation, a breakthrough in industrial use has been achieved only after the introduction of binary decision diagrams and symbolic state traversal algorithms [1, 2], leading to powerful techniques like symbolic model checking [3]. Using these approaches, a fully automated verification of significantly large circuits has become possible. However, as only finite s...

2403 | Model Checking
- Clarke, Grumberg, et al.
- 1999

Citation Context: ...cation by incorporating automated reasoning procedures [5, 6] or by adding abstraction and compositional verification techniques to allow larger systems to be verified than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to verification [10, 11, 12, 13, 14]. Proceeding this way, fin...

1359 | An Axiomatic Basis for Computer Programming
- Hoare
- 1969

1294 | Symbolic Model Checking
- McMillan
- 1993

Citation Context: ...rification goals are split up interactively into subgoals until they can be finally proved by decision procedures. C@S has been implemented on top of the HOL [15] system and has interfaces to the SMV [16] system and RRL [17]. As a result, C@S currently enriches HOL by the following decision procedures and proof methods: -- linear temporal logic theorem proving and model checking -- CTL model checking ...

1108 | Temporal and Modal Logic
- Emerson
- 1990

Citation Context: ...nd expressiveness, linear temporal logic is in most cases the best choice for specifying the temporal behavior of a system. For this reason, temporal properties are usually specified using this logic [20] in C@S. Especially for the specification of event-oriented properties, the W operator has proved to be convenient. [x W b] expresses the fact that x must hold when the event signal b becomes 1 for t...

622 | Model checking and abstraction
- Clarke, Grumberg, et al.
- 1994

Citation Context: ...cation by incorporating automated reasoning procedures [5, 6] or by adding abstraction and compositional verification techniques to allow larger systems to be verified than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to verification [10, 11, 12, 13, 14]. Proceeding this way, fin...

500 | Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge
- Melham
- 1993

Citation Context: ...mizable proof goals are detected. Other verification goals are split up interactively into subgoals until they can be finally proved by decision procedures. C@S has been implemented on top of the HOL [15] system and has interfaces to the SMV [16] system and RRL [17]. As a result, C@S currently enriches HOL by the following decision procedures and proof methods: -- linear temporal logic theorem proving...

395 | A Computational Logic Handbook
- Boyer, Moore
- 1988

Citation Context: ...cursively defined circuits by applying induction rules. The induction principle follows directly the structure of the circuit, which is assumed to be well-defined as in the Boyer-Moore theorem prover [28]. According to the induction hypotheses, the implementation descriptions in the induction step(s) are immediately replaced by the specifications and the thereby obtained goals are also fed into Verify...

177 | Sequential circuit verification using symbolic model checking
- Burch, Clarke, et al.
- 1990

Citation Context: ... [Fig. 1: Implementation of a sequential adder] ... (BDDs) [30] is used as a decision procedure. It is well-known that the size of the BDDs is important for the efficiency of the verification and depends crucially on the variable ordering. For the verification of...

103 | Verification of sequential machines using boolean functional vectors
- Coudert, Berthet, et al.
- 1989

Citation Context: ... Although more powerful than traditional simulation, a breakthrough in industrial use has been achieved only after the introduction of binary decision diagrams and symbolic state traversal algorithms [1, 2], leading to powerful techniques like symbolic model checking [3]. Using these approaches, a fully automated verification of significantly large circuits has become possible. However, as only finite s...

101 | An Introduction to the General Theory of Algorithms
- Machtey, Young
- 1978

Citation Context: ... directly related to timing diagrams and hence allow a graphical visualization. The proofs usually proceed manually by using induction and decision procedures such as Presburger or Skolem arithmetic [27]. 3.3 Strategies for Verifying Abstract Data Types In this section, different strategies for handling the data expressions in verification goals are discussed. Strategy Θ_B This strategy transfor...

93 | Formal Hardware Verification Methods: A Survey. Formal Methods
- Gupta
- 1992

Citation Context: ...ve been developed, e.g. equivalence checking of finite state machines, symbolic simulation, language containment, model checking, fixpoint calculi, and theorem proving with first or higher order logic [1]. These approaches can be roughly classified into decidable and undecidable methods. Decidable methods usually represent the circuit as a finite state machine and allow completely automated verificati...

88 | Why higher-order logic is a good formalism for specifying and verifying hardware
- Gordon
- 1985

Citation Context: ...not hold for theorem prover based approaches, where mostly higher-order logic is used as the underlying formalism [4]. Unfortunately, these approaches require a considerable amount of manual interaction. Thus various approaches have been presented to partially automate the verification by incorporating automated rea... (Footnote in the original: This work has been financed by the DFG project Automated System Design, SFB No. 358.)

83 | Model Checking, Abstraction, and Compositional Verification
- Long
- 1993

Citation Context: ...cation by incorporating automated reasoning procedures [5, 6] or by adding abstraction and compositional verification techniques to allow larger systems to be verified than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to verification [10, 11, 12, 13, 14]. Proceeding this way, fin...

81 | A Temporal Fixpoint Calculus
- Vardi
- 1988

Citation Context: ...roofs usually proceed manually by using induction and decision procedures such as Presburger or Skolem arithmetic [15]. 3.2.4 Strategy Φ Temporal Logic also has relations to fixed point calculi [16, 17], as temporal operators can be defined as greatest or least fixed points of functions. For example, the WHEN operator can be defined as [x WHEN b] = max{y | y = (b ⇒ x | ◯ y)} 3.3 Strategies for Abstra...

80 | Proofs by induction in equational theories with constructors. J. of Computer and System Sciences 25, 239--266
- Huet, Hullot
- 1982

Citation Context: ...ant to be a specification for the controller. There are well-known proof procedures for temporal logic (see [20] for an overview) and for proving the consistency of equations with abstract data types [21, 22, 23]. However, it is difficult to combine both classes of proof procedures. In order to combine these approaches, a class of higher-order formulae called hardware formulae has been developed in [18]. Har...

40 | A strong restriction of the inductive completion procedure
- Fribourg
- 1986

Citation Context: ...ant to be a specification for the controller. There are well-known proof procedures for temporal logic (see [20] for an overview) and for proving the consistency of equations with abstract data types [21, 22, 23]. However, it is difficult to combine both classes of proof procedures. In order to combine these approaches, a class of higher-order formulae called hardware formulae has been developed in [18]. Har...

38 | RRL: A Rewrite Rule Laboratory
- Kapur, Zhang

Citation Context: ... split up interactively into subgoals until they can be finally proved by decision procedures. C@S has been implemented on top of the HOL [15] system and has interfaces to the SMV [16] system and RRL [17]. As a result, C@S currently enriches HOL by the following decision procedures and proof methods: -- linear temporal logic theorem proving and model checking -- CTL model checking as implemented in SM...

38 | Abstraction Mechanisms for Hardware Verification
- Melham
- 1987

34 | Automatic proofs by induction in equational theories without constructors
- Jouannaud, Kounalis
- 1989

Citation Context: ...ant to be a specification for the controller. There are well-known proof procedures for temporal logic (see [20] for an overview) and for proving the consistency of equations with abstract data types [21, 22, 23]. However, it is difficult to combine both classes of proof procedures. In order to combine these approaches, a class of higher-order formulae called hardware formulae has been developed in [18]. Har...

29 | Temporal logic with fixed points
- Banieqbal, Barringer
- 1987

Citation Context: ...roofs usually proceed manually by using induction and decision procedures such as Presburger or Skolem arithmetic [15]. 3.2.4 Strategy Φ Temporal Logic also has relations to fixed point calculi [16, 17], as temporal operators can be defined as greatest or least fixed points of functions. For example, the WHEN operator can be defined as [x WHEN b] = max{y | y = (b ⇒ x | ◯ y)} 3.3 Strategies for Abstra...

28 | Automatic Datapath Abstraction of Hardware Systems
- Hojati, Brayton
- 1995

Citation Context: ...fied than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to verification [10, 11, 12, 13, 14]. Proceeding this way, finite state approaches may be used for the controller part 'guiding' the verification of the data path, whereas the latter often requires theorem proving techniques. However, t...

20 | Structuring and automating hardware proofs in a higher-order theorem-proving environment
- Kumar, Schneider, et al.
- 1993

Citation Context: ...hese approaches require a considerable amount of manual interaction. Thus various approaches have been presented to partially automate the verification by incorporating automated reasoning procedures [5, 6] or by adding abstraction and compositional verification techniques to allow larger systems to be verified than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a d...

15 | A Tutorial Using PVS For Hardware Verification
- Owre, Rushby, et al.
- 1994

Citation Context: ...hese approaches require a considerable amount of manual interaction. Thus various approaches have been presented to partially automate the verification by incorporating automated reasoning procedures [5, 6] or by adding abstraction and compositional verification techniques to allow larger systems to be verified than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a d...

9 | What if model checking must be truly symbolic
- Hungar, Grumberg, et al.
- 1995

Citation Context: ...fied than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to verification [10, 11, 12, 13, 14]. Proceeding this way, finite state approaches may be used for the controller part 'guiding' the verification of the data path, whereas the latter often requires theorem proving techniques. However, t...

8 | An Extended OBDD Representation for Extended FSMs
- Langevin, Černý
- 1994

Citation Context: ...fied than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to verification [10, 11, 12, 13, 14]. Proceeding this way, finite state approaches may be used for the controller part 'guiding' the verification of the data path, whereas the latter often requires theorem proving techniques. However, t...

4 | Ein einheitlicher Ansatz zur Unterstützung von Abstraktionsmechanismen der Hardwareverifikation, volume 116
- Schneider
- 1996

Citation Context: ...he adaption of proof goals to different proof approaches, a class of higher-order formulas called hardware formulas has been defined as a uniform representation for specifications and implementations [18]. In hardware formulas, time and data are represented separately. Once a proof goal has been transformed into hardware formulas, it may be converted according to the proof method to be used. We have prov...

4 | Translating LTL Model Checking to CTL Model Checking
- Schneider
- 1996

Citation Context: ...utomata, which are related to the Staiger/Wagner class [24] of ω-regular languages. Hence, these hardware formulae are decidable and symbolic traversal techniques can be used directly for their proof [18, 25]. On the other hand, hardware formulae can be interpreted as rewrite systems if only the safety properties are considered. Hence, a translation of the temporal logic part Φ(φ_1, …, φ_n) of a ...

4 | Tracking design changes with formal verification
- Curzon
- 1994

Citation Context: ...ation. The first case study, a generic arbiter from [16], shows that small and medium-sized circuits can often be automatically verified. The second case study, a switching element for an ATM network [29], shows that the design hierarchy of a circuit can be exploited to reduce the costs of verification. The third case study, an n-bit adder, shows how circuits with abstract data types can be verified a...

3 | Control-path oriented verification of sequential generic circuits with control and data path
- Schneider, Kropf, et al.
- 1994

3 | Automatentheoretische Charakterisierungen topologischer Klassen regulärer Folgenmengen
- Staiger, Wagner
- 1974

Citation Context: ...r be generic) and a finite set of safety, liveness and fairness properties. In the non-generic form, hardware formulae correspond directly to ω-automata, which are related to the Staiger/Wagner class [24] of ω-regular languages. Hence, these hardware formulae are decidable and symbolic traversal techniques can be used directly for their proof [18, 25]. On the other hand, hardware formulae can be inter...

1 | Word level symbolic model checking
- Clarke, Zhao
- 1995

1 | On the use of the Boyer-Moore theorem prover for
- Verkest, Claesen, et al.
- 1990

Citation Context: ... handle regularly defined hardware structures and specifications with abstract data types. Similar to VHDL's generic statement, 'abstract' n-bit circuits allow abstracting away from concrete bitwidths [3]. Therefore, there is no combinatorial explosion in the proof due to the bitwidth of the considered circuits. Especially higher order logic has proved to be a convenient specification formalism [4]. ...