Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Slides:



Advertisements
Similar presentations
Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.
1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.
Compositional Methods and Symbolic Model Checking
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Lecture 12 Reduce Miss Penalty and Hit Time
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Using Formal Specifications to Monitor and Guide Simulation: Verifying the Cache Coherence Engine of the Alpha Microprocessor Serdar Tasiran Systems.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Synthesis and Granularity Model-Based Programming and Verification.
Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
ISBN Chapter 3 Describing Syntax and Semantics.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
© Janice Regan Problem-Solving Process 1. State the Problem (Problem Specification) 2. Analyze the problem: outline solution requirements and design.
A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ.
Verification of Hierarchical Cache Coherence Protocols for Future Processors Student: Xiaofang Chen Advisor: Ganesh Gopalakrishnan.
Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000.
Microarchitecture Verification by Compositional Model Checking Ken McMillan Ranjit Jhala Cadence Berkeley Labs / UC Berkeley.
Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach Ravi Hosabettu (Univ. of Utah) Mandayam Srivas (SRI International)
Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000.
4/17/2017 Section 3.6 Program Correctness ch3.6.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Describing Syntax and Semantics
Counterexample Guided Invariant Discovery for Parameterized Cache Coherence Verification Sudhindra Pandav Konrad Slind Ganesh Gopalakrishnan.
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 0.
1 Reducing Verification Complexity of a Multicore Coherence Protocol Using Assume/Guarantee Xiaofang Chen 1, Yu Yang 1, Ganesh Gopalakrishnan 1, Ching-Tsun.
Router modeling using Ptolemy Xuanming Dong and Amit Mahajan May 15, 2002 EE290N.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
Verifying a Commercial Microprocessor Design at the RTL level Ken McMillan Cadence Berkeley Labs
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Transactional Coherence and Consistency Presenters: Muhammad Mohsin Butt. (g ) Coe-502 paper presentation 2.
1/32 This Lecture Substitution model An example using the substitution model Designing recursive procedures Designing iterative procedures Proving that.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
“Towards Self Stabilizing Wait Free Shared Memory Objects” By:  Hopeman  Tsigas  Paptriantafilou Presented By: Sumit Sukhramani Kent State University.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
“Distributed Algorithms” by Nancy A. Lynch SHARED MEMORY vs NETWORKS Presented By: Sumit Sukhramani Kent State University.
1 Lecture 8: Snooping and Directory Protocols Topics: 4/5-state snooping protocols, split-transaction implementation details, directory implementations.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic Adam Chlipala Harvard University PLDI 2011.
Computer Organization
Formal Methods: Model Checkers and Theorem Provers
Processor (I).
Yogesh Mahajan, Sharad Malik Princeton University
CSCI1600: Embedded and Real Time Software
Logical architecture refinement
ABNF in ACL2 Alessandro Coglio Kestrel Institute Workshop 2017.
Introduction to verification
Programming with Shared Memory Specifying parallelism
CSCI1600: Embedded and Real Time Software
Presentation transcript:

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan

Verification approaches Informal verification (testing) –risk of escapes Partial formal verification –prove, for example, no arithmetic overflow –can use very coarse abstractions Formal functional verification –verify against functional spec

Outline Formal functional verification for hardware –combined theorem proving/ model checking –proof decomposition strategies that allow coarse abstractions Prospects of application to embedded systems –how are embedded systems different p.o.v. formal verification? –how might we apply formal hardware verification methods to embedded systems?

Mixed approach Model checking –automated verification of finite state systems –limited in scale by state explosion problem Theorem provers –in principle can scale up –in practice require substantial manual guidance Mixed approach –use theorem prover to break large problems into small, model-checkable problems

Proof decomposition: reduction to decidable/tractable problems do it in as few (and as simple) steps as possible Proof goal Undecidable/ intractable sub Decidable/ tractable...but how? proof assistant

Structural decompositions intermediate assertions must be temporal q captures everything M 2 must know about M 1 intermediate assertions can be quite complex {p} M 1 {q} {q} M 2 {r} {p} M 1 M 2 {r}

Functional decompositions Divide by units of work and not by syntax –instructions –packets –etc. Much simpler intermediate assertions –interaction between units of work is simpler than between system components Abstraction to finite state –if each unit of work uses finite resources –temporal assertions become model-checkable

Example : packet router Unit of work is a packet Packets dont interact Each packet uses finite resources –specializing the property allows a much coarser abstraction Switch fabric input buffersoutput buffers

Refinement framework Reference model System Refinement relations –Specify intermediate results with respect to reference model –Each intermediate result uses finite operations storage locations –Thus, can reduce local verification problems to finite state –Use circular proof! refinement relations

Circular proofs Reference model 1 up to t -1 implies 2 up to t 2 up to t -1 implies 1 up to t always 1 and 2 or, in temporal logic... ( 2 U 1 ) ( 1 U 2 ) G( 1 2 ) O.K., but how do we break into units of work?

Temporal case splitting p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... Idea: parameterize on most recent writer w at time t. : I'm O.K. at time t. Rule can be used to decompose large arrays i: p i G((w=i) ) ( i p i ) G

Combine with circular reasoning p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. To prove case w=i at time t, assume general case up to t-1: still have unbounded cases to prove... i: p i ((w=i) ) ( i p i ) G

Freeing processes p1p1 p2p2 p3p3 p4p4 p5p5 v1v1... : I'm O.K. at time t. i: p i ((w=i) ) ( i p i ) G

Abstract interpretation Problem: variables range over unbounded set U Solution: reduce U to finite set Û by a parameterized abstraction, e.g., where U\i represents all the values in U except i. Need a sound abstract interpretation, s.t.: if is valid in the abstraction, then, for all parameter valuations, is valid in the original. Û = {{i}, U\i}

= {i} U\i {i} 1 0 U\i 0 Data type abstractions in SMV Abstract values represent sets of concrete values For sound abstraction of operator f, we need: Examples: –Equality Û = {{i}, U\i} f( x) fx)

–Arrays and function symbols –Other operators... boolean operators temporal operators quantifiers arithmetic/inequalities x {i} U\i f(x) f(i) Abstraction, continued... Unbounded array reduced to one fixed element!

Illustration: Tomasulos algorithm Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

EU Functional decomposition Unit of work is the instruction OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE OP,DST opraoprb

EU Functional decomposition Break instruction into operand fetch and op OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE OP,DST opraoprb

EU Intermediate assertion All previous instructions produce correct res OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE OP,DST opraoprb

Points about this proof Three simple intermediate assertions –operands of instruction are correct –results of instruction are correct –one non-interference property No invariants about control state No syntactic decomposition –Abstract interpretation reduces model to finite Much simpler than proof by invariant is there a useful structural decomposition?

A more complex example Unit of work = instruction OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS RETIRED RESULTS INSTRUCTIONS VAL/TAG REG FILE BUF RES PM PC branch predictor decdec LSQ DM branch results pc

Scaling problem Must consider up to three instructions: –instruction we want to verify –up to two previous instructions Soln: break instruction up into parts –write intermediate assertions ==> too much state for model checker

Memory operation Abstract out unneeded components OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS RETIRED RESULTS INSTRUCTIONS VAL/TAG REG FILE BUF RES PM PC branch predictor decdec LSQ DM branch results specify LSQ data

Points about this proof No interface specifications –specify internal data structures of units No invariants on control state First decomposition is functional –then abstract out structural components Compared to similar proof using invariants... –invariant proof approx. 2MB (!) –this proof approx. 20 KB

FLASH cache protocol Distributed protocol Maintains consistency of N processor caches PCPC PCPC PCPC PCPC PCPC home dir mem Reference model is programmers model of memory Unit of work = read/write

Proof decomposition Unit of work = read/write Non-interference lemmas –No two exclusive copies in network –No unexpected invalidate acks PCPC PCPC PCPC home reader writer get fwd put ack Abstracted nodes interference

Lamport's Bakery algorithm... p 1 (t 1 )p 2 (t 2 )p 3 (t 3 )p 4 (t 4 ) non-critical section read all tickets choose one larger wait for all processes with smaller ticket critical section

Unit of work = ticket number –Split cases on process p j that process p i is waiting for... –Assume by induction that j terminates if t j <t i. Note, p j must get higher ticket than p i on next iteration* –By induction on j, process p i exits wait loop Liveness proof (Qadeer and Saxe)... p j (t j )p i (t i )... Note: reduction to finite number of processes model checking gets property * automatically

Points about this proof No invariants used Two liveness lemmas: –one for termination of each loop –these reference specific code lines, but... No syntactic decomposition used

Overview of approach Specify by temporal refinement relations –circular temporal argument Specialize properties by restricting to a single unit of work –temporal case splitting Abstract to finite-state –specialization allows a coarser abstract interpretation This approach is supported by a special purpose proof assistant, built on the SMV model checker

Application to embedded systems Generic software issues Issues specific to embedded systems

Why is HW easier than SW? Finite-state is not the issue –Proofs above did not depend on bounded state Bad aspects of software –global store (hardware term: bottleneck) any component can interfere with any other we can expect an explosion of non-interference lemmas pointers are a chief culprit –inductive data structures requires complex invariants for recursive functions –arithmetic? –real time?

Can we make SW more HW-like? More structured communication –allows coarser abstractions for verification without introducing interference –good examples: Esterel, Polis, etc. Increase grain of atomicity –analog of clock cycle Separate timing from functionality –as in synchronous hardware Trends are in these directions, although languages are problematic (esp. C++)

Embedded systems issues How do embedded systems differ from other systems, from an FV point of view? –hardware differences processors tend to be simpler (good) many and heterogeneous processors –hard real time (see above) –greater software/hardware interaction more precisely: interaction at less abstract level

Abstracting hardware arch. Use FV to construct abstract reference models of custom hardware HW reference model hardware implementation refinement relation software model

Abstracting HW/SW comps Next layer up is provided by driver HW reference model refinement relation software driver driver reference model software

Platform based design Build an abstract layer using synthesis tools Formal framework for integrating models syntax intf refinement relations constraint compilation/ synthesis

Conclusions Functional approach to proof decomposition –divide problem into units of work –allows coarse abstractions for model checking –proof effort appears to scale well with system size –supported by special-purpose proof assistant Issues for application to embedded systems –Needs more structured communication –Needs separation of timing and function –Can provide reference models to abstract hardware/software interface –Can support platform-based design

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.