D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-independent Circuits. The MIT Press, 1989.
....in the process algebra to illustrate the type of reasoning provided by our study. We also show that small perturbations of a process result in a nearby process. 7.1 A process algebra The process algebra describes probabilistically determinate processes. The processes are input-enabled [LT89, Dil88, Jos92] in a weak sense ( 8p 2 P ) 8a 2 A) a (p; P ) 0) and communication is via CSP style broadcast. The process combinators that we consider are parallel composition, prefixing and probabilistic choice. We do not consider hiding since this paper focuses on strong probabilistic ....
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....SM interface compatibility checking, as well as the derivation of call assumptions for the composite interface, are graph problems that can be solved in quadratic time. If state is involved, checking optimistic compatibility between two interfaces A and B requires the solution of a two player game [9, 6, 7]. Player 1 represents both A and B, and player 2 represents the environment. If player 2 has a strategy of satisfying the call and availability assumptions of both A and B, then the two interfaces are compatible (because there is a helpful environment) otherwise they are incompatible. Note that ....
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-independent Circuits. MIT Press, 1989.
....The transitions are labelled with input or output signals; the latter are thought to be controlled by the circuit, the former by its environment. In such a setting, I/O automata [Lyn96] require that in each state each input can occur, and the same holds for the language theoretic framework of [Dil88]; in STGs though, the occurrence of an input signal in some state might not be specified, which formulates the assumption on the environment not to produce this signal. Being Petri nets, STGs allow a causality based specification style, and they give a compact representation of the desired ....
....where the environment behaves as specified by the original STG N , i.e. the composition of the components might specify additional inputs, but we ignore these and any subsequent behaviour since they cannot occur if the implementation runs in an appropriate environment. The same is done e.g. in [Dil88, Ebe92] so both these features are not new but new in the context of STG decomposition. We achieve both these features with a bisimulation-like correctness definition. Since we restrict ourselves in this paper to the case that N and the C i are deterministic, bisimilarity actually coincides ....
[Article contains additional citation context not shown here]
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent circuits. MIT Press, Cambridge, 1988.
....overall in its definitions, result statements, and proofs than the earlier HIOA model of [53,54]. Another simplification in the new framework appears in the definitions and results involving receptiveness. In the original HIOA model of [53,54] and in other work that dealt with receptiveness [21,1,74] for discrete systems, receptiveness was defined in terms of two-player games between the system and its environment. In such a game, the goal of the system is to construct an infinite, non-Zeno execution, and the goal of the environment is to prevent this from happening. The simplification in ....
....accommodate any inputs from the environment. The automaton cannot simply stop at some point and refuse to allow time to elapse; it must allow time to pass to infinity if the environment does so. Second, receptiveness is closed under composition. Previous studies of receptiveness properties include [21,1,74,54]. If HIOA A implements HIOA B and if A is receptive, then besides preservation of may properties (any trace of A is also a trace of B) we also have preservation of must properties. For instance, if in B an input action a always must be followed by an output b within 10 time units, then this ....
[Article contains additional citation context not shown here]
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
.... on these two approaches for property verification using PNs although for verification of certain properties they can be complemented by the stubborn sets [54] and partial order techniques [16]. Other approaches for asynchronous circuits verification using PNs or similar formalisms can be found in [11, 1, 49, 61]. After the circuit is synthesized, the implementation verification is required for checking if the implementation (the circuit) conforms to the specification (block V 2 in Figure 1) [11, 49]. In a PN framework, this problem can be viewed as a comparison of two PNs: a PN describing the speci ....
.... approaches for asynchronous circuits verification using PNs or similar formalisms can be found in [11, 1, 49, 61]. After the circuit is synthesized, the implementation verification is required for checking if the implementation (the circuit) conforms to the specification (block V 2 in Figure 1) [11, 49]. In a PN framework, this problem can be viewed as a comparison of two PNs: a PN describing the specification and a circuit PN corresponding to the implementation. The implementation verification is used for hand-crafted designs, for automatically synthesized circuits if the synthesis method is ....
[Article contains additional citation context not shown here]
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. The MIT Press, Cambridge, Mass., 1988.
....for the STG representation in the Figure 1. EXPERIMENTAL RESULTS We have implemented our synthesis algorithm on the Sparc workstation using C language. Also, we verified the correctness of our synthesis results successfully using the automatic verifier for speed-independent circuits of Dill [7]. Because Beerel's algorithm yields more efficient circuits than Varshavsky's one, we compared our algorithm with Beerel's one in terms of the CPU time, the circuit area, and the circuit delay as shown in Table 1. In Table 1, S, N, and M denote the number of signals in the STG representation, the ....
D. Dill, "Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits", Ph.D. Thesis, Carnegie Mellon University, 1988.
....overall in its definitions, result statements, and proofs than the earlier HIOA model of [50, 51]. Another simplification in the new framework appears in the definitions and results involving receptiveness. In the original HIOA model of [50, 51] and in other work that dealt with receptiveness [19, 1, 70] for discrete systems, receptiveness was defined in terms of two-player games between the system and its environment. In such a game, the goal of the system is to construct an infinite, non-Zeno execution, and the goal of the environment is to prevent this from happening. The simplification in ....
....accommodate any inputs from the environment. The automaton cannot simply stop at some point and refuse to allow time to elapse; it must allow time to pass to infinity if the environment does so. Second, receptiveness is closed under composition. Previous studies of receptiveness properties include [19, 1, 70, 51]. We define receptiveness by first defining what it means for an HIOA to be progressive. A progressive HIOA never generates infinitely many locally controlled actions in finite time. Thus, in all of its execution fragments, it allows time to pass to infinity provided that its environment also does ....
[Article contains additional citation context not shown here]
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....overall in its definitions, result statements, and proofs than the earlier HIOA model of [49, 50]. Another simplification in the new framework appears in the definitions and results involving receptiveness. In the original HIOA model of [49, 50] and in other work that dealt with receptiveness [18, 1, 68] for discrete systems, receptiveness was defined in terms of two-player games between the system and its environment. In such a game, the goal of the system is to construct an infinite, non-Zeno execution, and the goal of the environment is to prevent this from happening. The simplification in ....
....accommodate any inputs from the environment. The automaton cannot simply stop at some point and refuse to allow time to elapse; it must allow time to pass to infinity if the environment does so. Second, receptiveness is closed under composition. Previous studies of receptiveness properties include [18, 1, 68, 50]. We define receptiveness by first defining what it means for an HIOA to be progressive. A progressive HIOA never generates infinitely many locally controlled actions in finite time. Thus, in all of its execution fragments, it allows time to pass to infinity provided that its environment also ....
[Article contains additional citation context not shown here]
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....behavior for TEL structures is defined using timed trace theory [83]. This section provides a brief overview of timed trace theory which provides the necessary mathematics for the proofs in the later chapters. Trace theory was first applied to the verification of speed-independent circuits by Dill [35]. Later, timing was added so that trace theory can be applied to the verification of timed circuits [25, 83]. A timed trace, x, for a circuit is a finite or infinite sequence of timed events (i.e. $x = e_0 e_1 \ldots$). Each timed event is of the form $e_i = (w_i, t_i)$ where w is a wire name in ....
....a failure in the environment, T does not cause one. The next lemma shows that if T conforms to T 0 , this conformance is maintained in any environment. Lemma 2.4.2 If T T 0 and T 00 is any trace structure, then T k T 00 T 0 k T 00 . Proofs of these lemmas can be found in [35]. The following example is a C-element to illustrate how the trace structure models a circuit behavior. A C-element is very useful in asynchronous designs. It is typically used to signal the completion of several concurrent computations. The output value of a C-element remains constant until all ....
Dill, D. L. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
....general, correctness is defined by two different approaches. One approach is model checking [29]. This approach explores the state space exhaustively and checks if the specified properties are satisfied in every state. Another one is to check the conformance of the implementation to a specification [34]. Verification needs to show that the implementation exceeds the minimum requirements stated in the specification. These approaches raise another issue which is what properties need to be modeled and verified. Traditionally, there are two important properties to be modeled: safety properties and ....
....timing constraints for timed circuits, and so on. The meaningfulness of these properties depends on the interpretation of the formal model being used and on the application. Reachability analysis cannot handle arbitrary liveness properties, because it does not consider infinite behavior. In [34], Dill describes a hierarchical verification approach based on conformance checking using trace theory. In this approach, the circuit behavior is specified at different levels of abstraction. Specifications at one level of abstraction are treated as the descriptions of implementations at the higher ....
[Article contains additional citation context not shown here]
Dill, D. L. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1989.
....is currently selected for execution. 3 Examples In this section, we look at the performance of the SMV symbolic model checker for two hardware examples: a synchronous fair bus arbiter, and an asynchronous distributed mutual exclusion ring circuit (the one studied by David Dill in his thesis [Dil89] and designed by Alain Martin [Mar85]). 3.1 Synchronous arbiter The synchronous arbiter circuit is an example of a synchronous finite state machine. It is composed of a daisy chain of arbiter cells depicted in Figure 2. Under normal operation, the arbiter grants the bus on each clock cycle to ....
D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
....in the process algebra to illustrate the type of reasoning provided by our study. We also show that small perturbations of a process result in a nearby process. 7.1 A process algebra The process algebra describes probabilistically determinate processes. The processes are input-enabled [LT89, Dil88, Jos92] in a weak sense ( 8s 2 P ) 8a 2 A) a (s; P ) 0) and communication is via CSP style broadcast. The process combinators that we consider are parallel composition, prefixing and probabilistic choice. We do not consider hiding since this paper focuses on strong probabilistic ....
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....the above property holds or not. We then discuss alternative effective algorithms for conformance checking of bounded delay asynchronous circuits. I. Introduction Conformance of an implementation with respect to a specification was defined as a correctness criterion for reactive systems in Dill [1]. In contrast to other verification methods like temporal logic model checking [2] in the conformance checking approach both specification and implementation are given graphically, e.g. as signal transition graphs or one-safe Petri nets. Since such formalisms are familiar in engineering and ....
....conforms to the specification if the composition of implementation and the mirror of the specification is failure-free. We call this property mirror property. Clearly, the notion of conformance and the mirror property depend on what we regard as a failure. For untimed systems, safety failure [1] is well understood. In timed systems, additional failures may arise by wrong timing. However, it is much less clear what an intuitive and generally acceptable definition of timing failure could be. In this paper, we define and discuss several alternatives. In conformance checking for real time ....
[Article contains additional citation context not shown here]
David L. Dill, Trace theory for automatic hierarchical verification of speed-independent circuits, MIT press, 1988.
.... hand, deep compositionality relates not only the syntax, but also the semantics: not only can we combine P and Q into P‖Q, but the semantics [P‖Q] of P‖Q can be obtained by combining [P] and [Q]. A simple model with deep compositionality is that of transition systems with trace semantics [Dil89,Lam93,Lyn96,AH99]. In the variable-based version of this model, a state is an assignment of values to a set of variables, a trace is a sequence of states, and the semantics [P] of a component P consists of the set of all traces that correspond to behaviors of P . If the variables written by P ....
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-independent Circuits. The MIT Press, 1989.
....execution can be extended to an admissible execution, no matter what the environment does. A strategy for an HIOA A is an HIOA A 0 that differs from A only in that D 0 D and T 0 T . A strategy A 0 for an HIOA A can be viewed as a nondeterministic memoryless strategy in the sense of [5, 20] that chooses some of the evolutions that are possible from each of the states of A. The fact that the states of A and A 0 are the same ensures that A 0 chooses evolutions for every state x of A. We say that an HIOA is receptive if it has a non locally Zeno strategy. Theorem 6. A receptive ....
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....we transform a specification into a system that is guaranteed to satisfy the specification. Early work on synthesis considers closed systems. There, a system that meets the specification can be extracted from a constructive proof that the specification is satisfiable [MW80, EC82]. As argued in [ALW89, Dil89, PR89a], such synthesis paradigms are not of much interest when applied to open systems, which interact with an environment. While synthesis that is based on satisfiability assumes no environment or a cooperative one, synthesis of open systems should assume a hostile environment, and should generate a ....
D.L. Dill. Trace theory for automatic hierarchical verification of speed-independent circuits. MIT Press, 1989.
....on feasibility for the study of receptiveness. As a consequence, in contrast with [25] which studies general liveness properties, our definitions are simpler than those of [25]. A strategy for an HIOA A is an HIOA A 0 that differs from A only in that D 0 D and T 0 T . Traditionally [7, 25] a strategy describes how a system reacts to its environment so that the outcome of the interaction between the system and its environment satisfies a target liveness requirement. A strategy A 0 for an HIOA A can be viewed as a nondeterministic memoryless strategy in the sense of [7, 25] that ....
....[7, 25] a strategy describes how a system reacts to its environment so that the outcome of the interaction between the system and its environment satisfies a target liveness requirement. A strategy A 0 for an HIOA A can be viewed as a nondeterministic memoryless strategy in the sense of [7, 25] that chooses some of the evolutions that are possible from each of the states of A. The fact that the states of A and A 0 are the same ensures that A 0 chooses evolutions for each state x of A. An HIOA is receptive if it has a non locally Zeno strategy. Theorem 6. A receptive HIOA is I O ....
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....after a product is shipped to market. This suggests a need for formal methods in modern VLSI design that is further evidenced by the introduction of formal method tools into commercial CAD suites. Trace theoretic verification is a formal method that can be effectively applied to circuit verification [7]. Trace theoretic verification uses a conformance relation for trace structures that formalizes the notion of an implementation satisfying a specification. A circuit is said to conform to a specification when a circuit may have a failure in an arbitrary environment iff the specification allows a ....
....This is done by framing the circuit in an underlying representation that captures essential behaviors necessary for the correctness definition. Even though the underlying representation has a subset of behaviors of the circuit, the number of behaviors present is staggering. The initial algorithm in [7] on finite automata establishes conformance in time linear to the number of reachable states in the system; and the number of reachable states in the system is exponential in the number of signals. Thus, the reachable state space of a circuit representation is often immense for circuits even of ....
[Article contains additional citation context not shown here]
D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1989.
....use of controllability in automatic verification is relatively new (see, e.g. [KV96,AHK97,AdAHM99]). The work closest to ours is [ASSSV94] where transition systems for components are minimized by taking into account if a state satisfies or violates a given CTL property under all environments. In [Dil88] autofailure captures the concept that no environment can prevent failure and is used to compare the equivalence of asynchronous circuits. 2 Preliminaries Given a set V of typed variables, a state s over V is an assignment for V that assigns to each x ∈ V a value s[x]. We indicate with ....
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1988.
....as valid implementations of any specification since, clearly, they will have no physical realization. Therefore we only accept receptive HAs as implementations, i.e. HAs in which time can advance to infinity independently of the input provided by the environment. Inspired by earlier work of [14, 1, 42] on (timed) discrete event systems, we define receptivity in terms of a game between system and environment in which the goal of the system is to construct an infinite, non-Zeno execution, and the goal of the environment is to prevent this. It is interesting to compare our games with the games of ....
....input and does not rely on any specific behavior of its environment to let time advance forever. This informal explanation is not entirely correct though since, for example, there is no way to accept all input and let time advance to infinity if the environment provides input in a Zeno manner. In [14, 1, 42], various notions of receptivity have been defined formally in terms of games. Below, we extend these ideas to the setting of hybrid systems. The interaction between a system and its environment is represented as a two-player game in which the goal of the system is to construct an admissible ....
[Article contains additional citation context not shown here]
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
....so strong that assume-guarantee reasoning is not required. One does not have to assume that the rest of the agents are correct; a particular agent is guaranteed to be correct irrespective of the correctness of the other agents. Receptiveness A monitor specification is defined to be receptive [Dil89] if for every correctly reachable state in the monitor, there exist agent implementations, when connected to each other and to the monitor, can cause the monitor to reach that state. Receptiveness ensures that there is no illusory freedom in the specification. The following is an example of ....
David L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-independent Circuits, 1989.
No context found.
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-independent Circuits. The MIT Press, 1989.
No context found.
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1988.
No context found.
D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1988.
No context found.
D. L. Dill. Trace theory for automatic hierarchical verification of speed-independent circuits. PhD thesis, Carnegie Mellon University, 1988. Technical report no. CMU-CS-88-119.
No context found.
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
No context found.
D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT press, 1988.
No context found.
D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1988.
CiteSeer.IST - Copyright Penn State and NEC