9 citations found.
J. X. Su, D. L. Dill, and C. Barrett. Automatic generation of invariants in processor verification. In FMCAD '96, volume 1166 of LNCS, 1996.


This paper is cited in the following contexts:
Abstraction as the Key for Invariant Verification - Bensalem, Graf, Lakhnech

....even the decidability of implications is lost. Our examples will often be taken from the group of those where decidability of implication is given, but reaching of fixpoints cannot be guaranteed. Notice that generic techniques for generating and strengthening invariants (cf. [MP95a, BBM97, BLS96, SDB96, BL99]) seem to give limited results, except when the property to be proven invariant is in some sense almost an invariant or when the system is relatively simple. To summarize, the deductive method has three drawbacks: 1. it is often hard to find suitable auxiliary invariants, 2. when a ....

J. X. Su, D. L. Dill, and C. Barrett. Automatic generation of invariants in processor verification. In FMCAD '96, volume 1166 of LNCS, 1996.


Systematic Verification Of Pipelined Microprocessors - Hosabettu (2000)   (8 citations)

....some of the invariant properties is obvious in our approach (like the exclusiveness and exhaustiveness of instruction phases) the discovery of many other invariant properties is a manual, time consuming process. Combining the recent advances in the automatic discovery of invariant properties ([4, 52]) to discover some of the invariant properties needed in our approach (especially those pertaining to the control logic) with our method of proof decomposition has the potential to significantly enhance the automation provided Table 7.1. Examples verified and the effort needed. Example verified Effort ....

Su, J., Dill, D., and Barrett, C. Automatic generation of invariants in processor verification. In Srivas and Camilleri [51], pp. 377-388.


Algebraic Models Of Superscalar Microprocessor Implementations: .. - Fox, Harman (1997)   (4 citations)

....models. Also of interest is Melham [1993] which again has a somewhat similar model of time. More recently, superscalar processors have been addressed: in particular, the increased complexity of verification in the face of complex timing behaviour (Windley and Burch [1996] Burch [1996] Su et al. [1996], Cyrluk [1996] We consider this question further in 5 and 9.1. Other, earlier, work on microprocessors includes the following. Gordon's Computer (Gordon [1983] since considered, in various forms, by others: for example, Joyce [1987] Stavridou [1993] and Harman and Tucker [1997] Viper ....

.... # and # must satisfy) The same simplification has also been observed, within the framework of their own formalisms, by others working on microprocessor verification; for example, Windley and Coe [1994] Miller and Srivas [1995b] Miller and Srivas [1995a] Windley and Burch [1996] Burch [1996] Su et al. [1996], Cyrluk [1996] There are several difficulties in the case of superscalar microprocessors. 1. The size of the state space makes establishing that State PM (1,#( # state) #(State AC (#( # state) 1) # state) difficult, simply because of the number of cases to consider. A large proportion ....

[Article contains additional citation context not shown here]

Su et al. [1996] J Su, D Dill, and C Barrett. Automatic generation of invariants in processor verification. In A Camilleri M Srivas, editor, Formal Methods in Computer-Aided Design, pages 377 -- 388. Lecture Notes in Computer Science 1166, Springer-Verlag, 1996.


Algebraic Models of Temporal Abstraction for Initialised Iterated.. - al. (1998)

.... in HOL [16] 29, 30] on AAMP5, a more complex processor, and its verification in PVS [32] and [6] on a fragment of the DLX architecture [20] More recently, superscalar processors have been addressed: in particular, the increased complexity of verification in the face of complex timing behaviour [41, 5, 38, 8, 29]. The intuitive models used by others in modelling and verifying [pipelined] microprocessors are conceptually similar to our own [18, 19, 12] However, there are substantial differences, particularly in the approach to time, and timing abstraction. The main focus of related, formal work on ....

J Su, D Dill, and C Barrett. Automatic generation of invariants in processor verification. In A Camilleri M Srivas, editor, Formal Methods in Computer-Aided Design, pages 377 -- 388. Lecture Notes in Computer Science 1166, Springer-Verlag, 1996.


Automatic Generation of State Invariants from Requirements.. - Jeffords, Heitmeyer (1998)   (13 citations)

....system. They also consider additional techniques, such as reaffirmed invariants with cycles, outside the scope of our generation process. In recent years, there has been a resurgence of interest in the automatic generation of invariants in conjunction with advances in automated proof techniques [5, 7, 13, 27, 34]. These methods may be classified as bottom up or top down [7] Bottom up methods, which generate local program invariants and our mode invariants, derive the invariants automatically from the state machine specification. Top down methods start with a candidate invariant and use this to ....

Su, J. X., Dill, D. L., and Barrett, C. W. Automatic generation of invariants in processor verification. In Proc. Int'l Conf. on Formal Methods in Computer-Aided Design (FMCAD'96) (Palo Alto, CA, Nov. 1996).


Model Checking Complete Requirements Specifications Using.. - Bharadwaj, Heitmeyer (1997)   (25 citations)

....models analyzed by model checkers are often incorrect. For example, when Dill et al. analyzed the errors detected by their model checker Murphi, they found that valid design errors were very rare, whereas human errors in translating the original design to the model analyzed by Murphi were frequent [38]. Hence, a serious problem is that reduced models generated informally and by hand may not be true abstractions of the original design. In contrast, our approach derives the abstract models systematically from the requirements specification and the formula to be analyzed. Users of our methods need ....

J. X. Su, D. L. Dill, and C. W. Barrett. Automatic generation of invariants in processor verification. In Proc. FMCAD'96, Int'l Conference on Formal Methods in Computer-Aided Design, November 1996.


Strengthening Invariants by Symbolic Consistency Testing - Abu-Haimed, Berezin, Dill   Self-citation (Dill)

....the basic method of proving invariants to span several cycles as well, so invariant resulting from consistency testing is proved using k step induction, where k is some constant that depends on the design. Many techniques have been developed in the literature for finding invariants automatically [9, 14, 16, 2, 1, 11]. In spite of the sophistication of these techniques, the process of finding invariants is still mostly manual. Symbolic simulation has been used as a tool to reduce the manual effort in constructing the invariants [14, 15, 17] Manna and Pnueli [9] showed methods based on bottom up techniques for ....

....developed in the literature for finding invariants automatically [9, 14, 16, 2, 1, 11] In spite of the sophistication of these techniques, the process of finding invariants is still mostly manual. Symbolic simulation has been used as a tool to reduce the manual effort in constructing the invariants [14, 15, 17]. Manna and Pnueli [9] showed methods based on bottom up techniques for verifying temporal properties of reactive systems, which are then used to extract assertions implied by the transition relation. These assertions are used to strengthen the invariant. Su et al. [14] presented some heuristics ....

[Article contains additional citation context not shown here]

Jeffrey X. Su, David L. Dill, and Clark W. Barrett. Automatic generation of invariants in processor verification. In FMCAD, 1996.


Formal Verification of the TORCH Microprocessor RTL Design - Su, Arditi, Das.. (1998)   Self-citation (Su Dill)

....first order logic and uses an algorithm similar to the algorithms by Shostak [25, 24] and Nelson Oppen [18] It is implemented in C and care has been taken to make it efficient. It has previously been used to verify a part of the memory system interaction of the FLASH Protocol Processor [30]. SVC can decide proof obligations as a logical formula written using: • the usual Boolean connectives. These are used to model the bitwise Boolean operators; • equality on terms, which is used to show equality between the symbolically simulated implementation and specification states; • ....

Jeffrey X. Su, David L. Dill, and Clark W. Barrett. Automatic generation of invariants in processor verification. In M. Srivas and A. Camilleri, editors, Formal Methods in Computer Aided Design (FMCAD), number 1166 in Lecture Notes in Computer Science, pages 197--201. Springer-Verlag, November 1996.


Formally Verifying Data and Control with Weak Reachability.. - Su, Dill, Skakkebæk (1998)   Self-citation (Su Dill)

....of registers are clocked on different phases of a single clock) tend to lead to historyless invariants that relate the contents of consecutive latches which are clocked in different phases. The discovery and use of historyless invariants in RTL designs was explored in this conference in 1996 [24]. The discovery of historyless properties is also a component of the work cited above for finding invariants in software and protocol descriptions. This paper attacks the invariant problem in another, complementary, way, by trying to simplify the problem. Examination of a number of designs has ....

....is also apparent from the HDL, or could be computed by extracting the next state function. There is also a simple invariant that says that the internal reset is low when the input reset is low. Four of these were simple historyless invariants and were found by manually applying an existing method [24]. Here is a typical one: (¬MemStallS1 ⇒ FSMS1 = FSMS2) This invariant says that whenever MemStallS1 is false, the phase two variable (FSMS2) has been overwritten by the phase one variable (FSMS1) Four of the conjuncts (see Figure 9) had to be found by trial and error. Some of these may be ....

Jeffrey X. Su, David L. Dill, and Clark W. Barrett. Automatic generation of invariants in processor verification. In M. Srivas and A. Camilleri, editors, Formal Methods in Computer Aided Design (FMCAD), volume 1166 of Lecture Notes in Computer Science, pages 197--


CiteSeer.IST - Copyright Penn State and NEC