A Methodology for Hardware Verification Using Compositional Model Checking
1999
Cited by 63 (1 self)
A methodology for system-level hardware verification based on compositional model checking is described. This methodology relies on a simple set of proof techniques, and a domain-specific strategy for applying them. The goal of this strategy is to reduce the verification of a large system to finite-state subgoals that are tractable in both size and number. These subgoals are then discharged by model checking. The proof strategy uses proof techniques for design refinement, temporal case splitting, data type reduction and the exploitation of symmetry. Uninterpreted functions can be used to abstract operations on data. A proof system supporting this approach generates verification subgoals to be discharged by the SMV symbolic model checker. Application of the methodology is illustrated using an implementation of Tomasulo's algorithm, a packet buffering device and a cache coherence protocol as examples. © 1999 Cadence Berkeley Labs, Cadence Design Systems.
A simple method for parameterized verification of cache coherence protocols
In Formal Methods in Computer Aided Design, 2004
Cited by 33 (2 self)
We present a simple method for verifying the safety properties of cache coherence protocols with arbitrarily many nodes. Our presentation begins with two examples. The first example describes in intuitive terms how the German protocol with arbitrarily many nodes can be verified using a combination of Murphi model checking and apparently circular reasoning. The second example outlines a similar proof of the FLASH protocol. These are followed by a simple theory based on the classical notion of simulation proofs that justifies the apparently circular reasoning. We conclude the paper by discussing what remains to be done and by comparing our method with other approaches to the parameterized verification of cache coherence protocols, such as compositional model checking, machine-assisted theorem proving, predicate abstraction, invisible invariants, and cutoff theorems.
On the completeness of compositional reasoning
In Computer Aided Verification, 12th International Conference, CAV 2000
Modular Certification
2002
Cited by 29 (3 self)
Airplanes are certified as a whole: there is no established basis for separately certifying some components, particularly software-intensive ones, independently of their specific application in a given airplane. The absence of separate certification inhibits the development of modular components that could be largely "pre-certified" and used in several different contexts within a single airplane, or across many different airplanes.
An Overview of Formal Verification for the Time-Triggered Architecture
2002
Cited by 25 (3 self)
We describe formal verification of some of the key algorithms in the Time-Triggered Architecture (TTA) for real-time safety-critical control applications.
Proving That Non-Blocking Algorithms Don't Block
Cited by 22 (7 self)
A concurrent data-structure implementation is considered non-blocking if it meets one of the three following liveness criteria: wait-freedom, lock-freedom, or obstruction-freedom. Developers of non-blocking algorithms aim to meet these criteria. However, to date their proofs for non-trivial algorithms have been only manual pencil-and-paper semi-formal proofs. This paper proposes the first fully automatic tool that allows developers to ensure that their algorithms are indeed non-blocking. Our tool uses rely-guarantee reasoning while overcoming the technical challenge of sound reasoning in the presence of interdependent liveness properties.
Assume-Guarantee Based Compositional Reasoning for Synchronous Timing Diagrams
Cited by 15 (5 self)
The explosion in the number of states due to several interacting components limits the application of model checking in practice. Compositional reasoning ameliorates this problem by reducing reasoning about the entire system to reasoning about individual components. Such reasoning is often carried out in the assume-guarantee paradigm: each component guarantees certain properties based on assumptions about the other components. Naïve applications of this reasoning can be circular and, therefore, unsound. We present a new rule for assume-guarantee reasoning, which is sound and complete. We show how to apply it, in a fully automated manner, to properties specified as synchronous timing diagrams. We show that timing diagram properties have a natural decomposition into assume-guarantee pairs, and liveness restrictions that result in simple subgoals which can be checked efficiently. We have implemented our method in a timing diagram analysis tool, which carries out the compositional proof in a fully automated manner. Initial applications of this method have yielded promising results, showing substantial reductions in the space requirements for model checking.
LTL types FRP: Linear-time temporal logic propositions as types, proofs as functional reactive programs
In Proc. ACM Workshop Programming Languages meets Program Verification, 2012
Cited by 14 (3 self)
Functional Reactive Programming (FRP) is a form of reactive programming whose model is pure functions over signals. FRP is often expressed in terms of arrows with loops, which is the type class for a Freyd category (that is a premonoidal category with a cartesian centre) equipped with a premonoidal trace. This type system suffices to define the dataflow structure of a reactive program, but does not express its temporal properties. In this paper, we show that Linear-time Temporal Logic (LTL) is a natural extension of the type system for FRP, which constrains the temporal behaviour of reactive programs. We show that a constructive LTL can be defined in a dependently typed functional language, and that reactive programs form proofs of constructive LTL properties. In particular, implication in LTL gives rise to stateless functions on streams, and the "constrains" modality gives rise to causal functions. We show that reactive programs form a partially traced monoidal category, and hence can be given as a form of arrows with loops, where the type system enforces that only decoupled functions can be looped.
Automatic Analysis of Scratchpad Memory Code for Heterogeneous Multicore Processors
Cited by 13 (10 self)
Modern multicore processors, such as the Cell Broadband Engine, achieve high performance by equipping accelerator cores with small, "scratchpad" memories. The price for increased performance is programming complexity: the programmer must manually orchestrate data movement using direct memory access (DMA) operations. Programming using asynchronous DMAs is error-prone, and DMA races can lead to nondeterministic bugs which are hard to reproduce and fix. We present a method for DMA race analysis which works by instrumenting a program with assertions modelling the semantics of a memory flow controller. To enable automatic verification of instrumented programs, we present a new formulation of k-induction geared towards software, as a proof rule operating on loops. We present a tool, SCRATCH, which we apply to a large set of programs supplied with the IBM Cell SDK, in which we discover a previously unknown bug. Our experimental results indicate that our k-induction method performs extremely well on this problem class. To our knowledge, this marks both the first application of k-induction to software verification, and the first example of software model checking for heterogeneous multicore processors.