## Formally verifying data and control with weak reachability invariants (1998)

Venue: Formal Methods in Computer-Aided Design (FMCAD), 1998

Citations: 2 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Su98formallyverifying,
  author    = {Jeffrey Su and David L. Dill and Jens U. Skakkebæk},
  title     = {Formally verifying data and control with weak reachability invariants},
  booktitle = {Formal Methods in Computer-Aided Design},
  year      = {1998},
  publisher = {}
}
```


### Abstract

Existing formal verification methods do not handle systems that combine state machines and data paths very well. Model checking deals with finite-state machines efficiently, but model checking full designs is infeasible because of the large amount of state in the data path. Theorem-proving methods may be effective for verifying data path operations, but verifying the control requires finding and proving inductive invariants that characterize the reachable states of the system. We present a new approach to verification of systems that combine control FSMs and data path operations. Invariants are specified only for a small set of control states, called clean states, where the invariants are especially simple. We avoid the need to specify the invariants for the unclean states by symbolically simulating over all paths to find the possible next clean states. The set of all paths from one clean state to the next is represented by a regular expression, which is extracted from the control FSMs. The number of paths is infinite only if the regular expression contains stars. The method uses a heuristic to generalize the symbolic state to cover all of the paths of the starred expression. We have implemented a prototype tool for guiding an existing symbolic simulator and verification tool and used it successfully to prove properties of the Instruction Fetch Unit of TORCH, a superscalar microprocessor designed at Stanford. With much less effort, we were able to find all the bugs in the unit that were found earlier by manually strengthening the invariants.
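As an added illustration of the path-extraction step described above (this is not code from the paper or its prototype tool): the control FSM is cut at its clean states and standard state elimination yields, for each clean state, the regular expression of all paths to the next clean state. The fetch-controller FSM, its state names and its transition conditions are constructed for this example.

```python
import re
from collections import defaultdict

def _group(alts):
    # Render a list of alternatives as a single regex operand.
    return alts[0] if len(alts) == 1 else "(" + " + ".join(alts) + ")"

def _star(alts):
    # Kleene star of a state's self-loop; no self-loop contributes the empty word.
    if not alts:
        return ""
    body = _group(alts)
    if len(alts) == 1 and not re.fullmatch(r"\w+", body):
        body = "(" + body + ")"
    return body + "*"

def paths_between_clean_states(transitions, clean, start):
    """Map each clean state reachable next from `start` to the regex over
    transition conditions ('+' alternation, '.' concatenation, '*' star) of
    every path that reaches it through unclean states only; a star in the
    result means the number of such paths is infinite."""
    edges = defaultdict(list)
    for s, cond, t in transitions:
        # Split each clean state into an exit copy and an entry copy so that a
        # path may touch a clean state only at its two ends.
        src = ("out", s) if s in clean else s
        dst = ("in", t) if t in clean else t
        edges[(src, dst)].append(cond)
    for q in sorted({x for s, _, t in transitions for x in (s, t) if x not in clean}):
        loop = _star(edges.pop((q, q), []))
        ins = [(p, a) for (p, x), a in edges.items() if x == q]
        outs = [(r, a) for (x, r), a in edges.items() if x == q]
        for p, rin in ins:  # bypass q: in-edge, any self-loops, then out-edge
            for r, rout in outs:
                edges[(p, r)].append(".".join(
                    e for e in (_group(rin), loop, _group(rout)) if e))
        for k in [k for k in edges if q in k]:
            del edges[k]
    return {dst[1]: " + ".join(a) for (src, dst), a in edges.items()
            if src == ("out", start)}

# Constructed fetch-controller FSM (hypothetical): Idle and Squash are clean.
FSM = [("Idle", "no_req", "Idle"), ("Idle", "req", "Fetch"),
       ("Fetch", "hit", "Idle"), ("Fetch", "miss", "Wait"),
       ("Fetch", "squash", "Squash"), ("Squash", "always", "Idle"),
       ("Wait", "not_ready", "Wait"), ("Wait", "ready", "Idle")]
CLEAN = {"Idle", "Squash"}

if __name__ == "__main__":
    for c in sorted(CLEAN):
        print(c, "->", paths_between_clean_states(FSM, CLEAN, c))
```

The starred term for the Wait self-loop is exactly the case the paper's generalization heuristic has to handle; the unstarred terms are finitely many concrete paths that can be simulated one by one.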

### Citations

Works cited by this paper. Each entry gives the cited work, its own citation count, and the (truncated) passage of this paper in which it is cited.

- Graf, Saïdi (1997). Construction of abstract state graphs with PVS. [648 citations]
  Cited in: "...iants in these designs, through automation or methodology. 1 Although the problem of automatic invariant discovery has been studied over the years, there is not yet a complete solution to the problem [13, 11, 7, 3, 18, 2, 1]. In particular most of the work seems not to be applicable to register transfer level (RTL) hardware designs. Most current designs are described at RTL using a hardware description language (HDL) suc..."

- Floyd (1967). Assigning meaning to programs. [610 citations]
  Cited in: "...traction of the previous paragraph, there is little new about this approach. Indeed, it is very similar to very early work on program verification, especially the inductive assertions method of Floyd [9], which cuts all cycles in a program flow graph, then finds assertions that hold at the end of the cycle if they hold at the beginning. King specifically used symbolic simulation to derive invaria..."

- Nelson, Oppen (1979). Simplification by cooperating decision procedures. [418 citations]
  Cited in: "...VC (the Stanford Validity Checker) for checking. SVC is a decision procedure for quantifier-free first-order logic and uses an algorithm similar to the algorithms by Shostak [20, 19] and Nelson-Oppen [17]. The input Boolean formula to SVC can contain Boolean operators, uninterpreted functions and interpreted functions, and distinct constants such as the Boolean truth and bit constants. Symbolic Simula..."

- Burch, Clarke, et al. (1990). Sequential circuit verification using symbolic model checking. [183 citations]
  Cited in: "... by manually strengthening the invariants. 1 Introduction Existing formal verification methods do not handle systems that combine finite-state machines (FSMs) and data paths very well. Model checking [6, 5, 4] the full design is infeasible because of the large amount of state in the data path. Verifying the control FSMs in isolation is difficult, because specifying them independently is difficult -- the de..."

- Shostak (1984). Deciding combinations of theories. [168 citations]
  Cited in the same passage as Nelson and Oppen above.

- Kane (1989). MIPS RISC Architecture. [114 citations]
  Cited in: "...nford University from 1991-1992 and later optimized. It was constructed for research into microprocessor architectures and has not been fabricated. TORCH is an extension of the MIPS R2000/3000 design [12], which is a 32 bit instruction architecture with a five stage pipeline. It has been simulated (nonsymbolically) extensively, although not to the same degree as in an industrial setting where the reso..."

- Bensalem, Lakhnech, et al. (1998). Computing abstractions of infinite state systems compositionally and automatically. [100 citations]
  Cited in the same passage as Graf and Saïdi above.

- Bensalem, Lakhnech, et al. (1996). Powerful techniques for the automatic generation of invariants. [92 citations]
  Cited in the same passage as Graf and Saïdi above.

- Smith, Lam, et al. (1990). Boosting Beyond Static Scheduling in a Superscalar Processor. [85 citations]
  Cited in: "...ed, but it would need to be proved for the symbolic states yielded by simulating over all paths from C back to C. This method has been used to prove invariants for the Instruction Fetch Unit of TORCH [22, 21], a superscalar microprocessor designed at Stanford. The same bugs were found as in an earlier effort [23], but with a major reduction in effort. 2 The Verification Method Extracting regular expressio..."

- Smith, Horowitz, et al. (1992). Efficient superscalar performance through boosting. [80 citations]
  Cited in the same passage as Smith, Lam, et al. above.

- Tarjan (1981). A Unified Approach to Path Problems. [72 citations]
  Cited in: "...s between major states has also been applied to formal verification of microprograms [8, 15, 16]. The idea of using regular expressions to represent all possible execution paths comes directly from Tarjan [25], who suggested using regular algebra for program flow analysis. However, RTL hardware design is quite different from sequential program and microprogram verification. To a programmer, RTL designs wou..."

- Burch, Clarke, et al. (1991). Representing circuits more efficiently in symbolic model checking. [71 citations]
  Cited in the same passage as Burch, Clarke, et al. (1990) above.

- Shostak (1979). A practical decision procedure for arithmetic with function symbols. [69 citations]
  Cited in the same passage as Nelson and Oppen above.

- King (1971). A program verifier. [66 citations]
  Cited in: "...ich cuts all cycles in a program flow graph, then finds assertions that hold at the end of the cycle if they hold at the beginning. King specifically used symbolic simulation to derive invariants [14]. Symbolic simulation along paths between major states has also been applied to formal verification of microprograms [8, 15, 16]. The idea of using regular expressions to represent all possible execution p..."

- Bjørner, Browne, et al. (1997). Automatic generation of invariants and intermediate assertions. Theoretical Computer Science 173(1), Feb., 49-87; preliminary version appeared earlier. [51 citations]
  Citation context not given.

- Bryant, Beatty, et al. (1991). Formal hardware verification by symbolic ternary trajectory evaluation. [47 citations]
  Cited in the same passage as Burch, Clarke, et al. (1990) above.

- German, Wegbreit, et al. (1975). A Synthesizer of Inductive Assertions. [41 citations]
  Citation context not given.

- Beigel, Floyd (1994). The language of machines: an introduction to computability and formal languages (Computer Science [24 citations]
  Cited in: "... clean states except at the beginning and end. The regular expression of all input sequences accepted by this finite automaton can be computed by standard algorithms from finite automaton theory (see [10], for example). In the example of Figure 1, the desired regular expression is: new data + new data · ready · ready · True · True. In this case, the Boolean combinations are all sing..."

- Caplain (1975). Finding Invariant Assertions for Proving Programs. [13 citations]
  Citation context not given.

- Katz, Manna (1973). A Heuristic Approach to Program Verification. [11 citations]
  Citation context not given.

- Zhou, Song, et al. (1996). Verification of the island tunnel controller using Multiway Decision Graphs. [11 citations]
  Cited in: "...find a symbolic state that subsumes the symbolic states that would be computed by exactly simulating all possible numbers of iterations. This approach is similar to that used with MDGs by Zhou et al. [26]. The basic method is to repeatedly simulate the expression inside the loop, merging the result with the previous result until the symbolic state is identical to the result from the previous iteration..."

- Carter, Joyner, et al. (1979). Symbolic simulation for correct machine design. [8 citations]
  Cited in: "... the beginning. King specifically used symbolic simulation to derive invariants [14]. Symbolic simulation along paths between major states has also been applied to formal verification of microprograms [8, 15, 16]. The idea of using regular expressions to represent all possible execution paths comes directly from Tarjan [25], who suggested using regular algebra for program flow analysis. However, RTL hardware ..."

- Su, Dill, et al. (1996). Automatic generation of invariants in processor verification. [7 citations]
  Cited in: "...nvariants that relate the contents of consecutive latches which are clocked in different phases. The discovery and use of historyless invariants in RTL designs was explored in this conference in 1996 [24]. The discovery of historyless properties is also a component of the work cited above for finding invariants in software and protocol descriptions. This paper attacks the invariant problem in another,..."

- Mueller, Ruda (1986). Formal methods of microcode verification and synthesis. [2 citations]
  Cited in the same passage as Carter, Joyner, et al. above.

- Levy (1984). Microcode verification using SDVS - the method and a case study. [1 citation]
  Cited in the same passage as Carter, Joyner, et al. above.

- Su, Arditi, et al. (1998). Formal verification of the TORCH microprocessor RTL design. Unpublished. [1 citation]
  Cited in: "... C. This method has been used to prove invariants for the Instruction Fetch Unit of TORCH [22, 21], a superscalar microprocessor designed at Stanford. The same bugs were found as in an earlier effort [23], but with a major reduction in effort. 2 The Verification Method Extracting regular expressions for control paths Regular expressions are used because they make it easy to identify and handle cycles ..."