16 citations found.
David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Srivas and Camilleri [SC96], pages 172--186.

This paper is cited in the following contexts:
Formal Synthesis for Pipeline Design - Hinrichsen, Eveking, Ritter (1999)   (Correct)

....no transformations are executed because in the case of flushing only one instruction has to be terminated. In the next iteration transformations are applied also in step 7 because the segment L 2 describes the flushing of two instructions. 3. 2 A simple Example of a Pipeline with three Stages In [Cyr96] a simple example of a pipeline with three stages is given and its correctness concerning the specification is shown: L0 : IR MEM[BITINT(PC) PC INC(PC) IF IR[0] 0B1 THEN (WBREG RF[BITINT(IR[6:10] RF[BITINT(IR[1:5] WBREG) ENDIF; L0; After the first iteration of the algorithm ....

....ENDIF) L2; The synthesis tool produces the result in 18 steps. It takes about 2 seconds to compute the result (300 MHz, SUN Ultra2) As a consequence of the transformation process the description encloses the filling as well as the flushing of the pipeline. Therefore abstraction mappings used by [Cyr96] to verify the pipeline are not required to get a correctness proof by an equivalence prover. 4 Advanced Strategies for Pipelining 4.1 Possible Constraints The transformations are applied to hardware descriptions. Therefore the available resources restrict the application of them. If, for ....

[Article contains additional citation context not shown here]

D. Cyrluk, "Inverting the abstraction mapping: a methodology for hardware verification", Proc. FMCAD'96, Springer LNCS 1166,


Formally Correct Construction of Pipelined Processors - Eveking, Hinrichsen, Ritter (1998)   (Correct)

....synthesis and verification tools. An LLS description represents a closed, synchronously parallel transition system. A description consists of several segments of the form 4 label : segmentbody Fig. 2, for example, shows four segments. The description is a serial version of an example used in [6] to discuss the verification of pipelined systems. If the description starts at label L0 then an instruction is fetched from memory mem addressed by the program counter pc (bitint transforms a bit vector into an integer) and is stored in the instruction register ir. pc is incremented in parallel. ....

....of Fig. 6 can be viewed as segments, i.e. terminating computations, the prover of (2. is employed for this case, too. As pointed out above, the flushing of the pipeline is constructed automatically by the synthesis tool. Hence, no abstraction function has to be provided 15 manually as in [5, 6] which is extremely important for a fully mechanized verification procedure. The induction hypothesis, i.e. a proof of situations where the pipeline is not yet completely filled has also to be provided, and is performed automatically by our verification tool, too. 7 Implementation and Results ....

[Article contains additional citation context not shown here]

D. Cyrluk. Inverting the abstraction mapping: a methodology for hardware verification. In Proc. FMCAD '96. Springer LNCS 1166, 1996.


Gate Level Description of Synchronous Hardware and Automatic.. - Bjesse (2001)   (2 citations)  (Correct)

....Hanna has long argued for the use of a functional language with dependent types in hardware description and verification [49] Hanna's work inspired much research on using Higher Order Logic for hardware verification. The PVS theorem prover, which is increasingly used in hardware verification [28], is also based on a functional language with dependent types. We do not know of work in which circuit descriptions written in this language are used for anything other than proof in PVS. HML is a hardware description language based on ML, developed by Leeser and her group [62] The language ....

D. Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Proc. 1st Int. Conf. on Formal Methods in Computer-Aided Design, volume 1166 of Lecture Notes in Computer Science. Springer-Verlag, 1996.


Verifying a Simple Pipelined Microprocessor Using Maude - Harman (2000)   (3 citations)  (Correct)

.... of moderate complexity, and its verification in HOL [12] and [2] on a part of DLX [16] A refinement of the approach in [2] more applicable to out of order systems and long pipelines is [19, 20] In addition, work has been undertaken on the complex timing models of superscalar processors [30, 1, 5]: 18] additionally considers exception processing in such an environment. The work in [21, 4] uses Hawk, a variant of the functional language Haskell. Generally, the intuitive models seen are conceptually similar to our own [14, 15, 8] though significant differences exist in the approach to time. ....

....in the manually directed proof. Combining the manual and automatic approaches, by defining sets of constants to identify groups of sub cases, and automatically verifying all subcases within a group. To adopt techniques seen in the literature to reduce verification complexity (for example, [5]) Note that because our principal aim is building coherent theoretical models of systems, and their correctness and verification, rather than performing verifications per se, it will be necessary for us to integrate such efficiency increasing techniques into our theoretical model first. One of the ....

D Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In A Camilleri M Srivas, editor, Formal Methods in Computer-Aided Design, pages 172 -- 186. Lecture Notes in Computer Science 1166, Springer-Verlag, 1996.


Correctness and Verification of Hardware Systems Using Maude - Harman (2000)   (1 citation)  (Correct)

.... a fragment of the DLX architecture [16] A refinement of this approach, more applicable to out of order systems and long pipelines is [19, 20] In addition, superscalar processors have been addressed: in particular, the increased complexity of verification in the face of complex timing behaviour [31, 1, 5, 25]. 21, 4] use a variant of Haskell called Hawk, and Isabelle for proofs; and [18] additionally considers exception processing in such an environment. The intuitive models in [25, 26, 32] are conceptually similar to our own [14, 15, 8] However, there are differences, particularly in the approach ....

....The first to construct the Maude module representing the subcases, and the second to perform the verification. In principle, the actual verification should be equivalent to the [highly efficient] manual process. Finally, we can choose to integrate techniques found in the literature (for example [5]) to improve the efficiency of proof strategies. Note however, since our principal aim is building theoretical models (the techniques described here are direct implementations of the theoretical model) such efficiency improving techniques must be integrated into the theory first. The key advantages ....

D Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In A Camilleri M Srivas, editor, Formal Methods in Computer-Aided Design, pages 172 -- 186. Lecture Notes in Computer Science 1166, Springer-Verlag, 1996.


Algebraic Models Of Superscalar Microprocessor Implementations: .. - Fox, Harman (1997)   (4 citations)  (Correct)

....Also of interest is Melham [1993] which again has a somewhat similar model of time. More recently, superscalar processors have been addressed: in particular, the increased complexity of verification in the face of complex timing behaviour (Windley and Burch [1996] Burch [1996] Su et al. 1996] Cyrluk [1996]) We consider this question further in 5 and 9.1. Other, earlier, work on microprocessors includes the following. Gordon's Computer (Gordon [1983] since considered, in various forms, by others: for example, Joyce [1987] Stavridou [1993] and Harman and Tucker [1997] Viper (Cohn [1987] ....

.... The same simplification has also been observed, within the framework of their own formalisms, by others working on microprocessor verification; for example, Windley and Coe [1994] Miller and Srivas [1995b] Miller and Srivas [1995a] Windley and Burch [1996] Burch [1996] Su et al. 1996] Cyrluk [1996]. There are several difficulties in the case of superscalar microprocessors. 1. The size of the state space makes establishing that State PM (1,#( # state) #(State AC (#( # state) 1) # state) difficult, simply because of the number of cases to consider. A large proportion of the ....

Cyrluk [1996] D Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In A Camilleri M Srivas, editor, Formal Methods in Computer-Aided Design, pages 172 -- 186. Lecture Notes in Computer Science 1166, Springer-Verlag, 1996.


Algebraic Models of Temporal Abstraction for Initialised Iterated.. - al. (1998)   (Correct)

.... in HOL [16] 29, 30] on AAMP5, a more complex processor, and its verification in PVS [32] and [6] on a fragment of the DLX architecture [20] More recently, superscalar processors have been addressed: in particular, the increased complexity of verification in the face of complex timing behaviour [41, 5, 38, 8, 29]. The intuitive models used by others in modelling and verifying [pipelined] microprocessors are conceptually similar to our own [18, 19, 12] However, there are substantial differences, particularly in the approach to time, and timing abstraction. The main focus of related, formal work on ....

D Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In A Camilleri M Srivas, editor, Formal Methods in Computer-Aided Design, pages 172 -- 186. Lecture Notes in Computer Science 1166, Springer-Verlag, 1996.


A Methodology for Hardware Verification Using Compositional.. - McMillan (1999)   (3 citations)  (Correct)

....very restricted case; for most problems of practical interest, the procedure is not sound, and can only be used as a heuristic to find counterexamples. Finally, a number of authors report the use of general purpose proof assistants, without model checking, in processor verification (for example [Cyr96, VB98b, WAH94, SWAH98] To conclude, the methods presented here are novel in several aspects: first the particular methods of circular compositional proof, symmetry reduction, and data type reduction and the method of handling uninterpreted functions are novel in and of themselves. Second, the ....

D. Cyrluk. Inverting the abstraction mapping: a methodology for hardware verification. In M. Srivas and A. Camilleri, editors, Formal Methods in Computer-Aided Design (FMCAD '96), volume 1166 of LNCS. Springer-Verlag, 1996.


An Overview of Deductive Verification Technology - Shankar (1997)   (Correct)

....M has property P , use • induction, • open up definitions in P and M , and • apply known lemmas (as rewrite rules) Ripple carry adder proof is quite typical. Same methodology applies to invariance simulation proofs demonstrating cache consistency [PD96] and microcode or pipeline correctness [Cyr96, SM96]. 13 Deductive Verification Technology Ground decision procedures: For the combination of quantifier free theories of • Equality with uninterpreted functions • Linear arithmetic equalities and inequalities • Arrays with update and selection Simplification: Using decision ....

....of a particular data path and look up table 22 Processor Microcode Verification Theorem provers (Nqthm, HOL, PVS) have been used for microcode verification. Correspondence proofs involve symbolic execution (rewriting with decision procedures) Verified examples include: • Cyrluk [Cyr96]: DLX and superscalar DLX. • Srivas Miller [SM96] Rockwell Collins AAMP5 and AAMP FV. 23 A Pipelined Microprocessor [Burch, Clarke, Dill, McMillan] stall REGFILE opcode U L A CONTROL dsntdd dstnd stalld stalldd wbreg opreg2 opreg1 dstn opcoded src2 src1 Presented as a ....

David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Srivas and Camilleri [SC96], pages 172--186.


Machine-Assisted Verification Using Theorem Proving and Model.. - Shankar (1997)   (2 citations)  (Correct)

....symbolic model checking, and conditional rewriting and simplification. The ideas and implementation underlying PVS are still undergoing development but the system has already been used in some substantial verification projects. These projects include the verification of hardware processors [14, 25], floating point hardware [26, 31] real time, distributed, and fault tolerant algorithms [18,22,23,32] and in the construction of background libraries for use in verification. This paper is a tutorial on the use of PVS for mechanized verification. Verification, even when restricted to ....

David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Srivas and Camilleri [33], pages 172--186.


Decomposing the Proof of Correctness of Pipelined.. - Hosabettu, Srivas..   (14 citations)  (Correct)

....functions are defined based on the specification. Their method has the disadvantage that the implementation is verified against itself in the initial steps and that their transformations can get complex for superscalar processors and processors with out of order execution. Cyrluk's technique in [6], which has also been applied to a superscalar processor, tackles the term size and case explosion problem by lazily inverting the abstraction mapping to replace big implementation terms with smaller specification terms and using the conditions in the specification terms to guide the proof. Our ....

David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Srivas and Camilleri [14], pages 172--186.


Formal Hardware Verification By Symbolic Trajectory Evaluation - Jain (1997)   (9 citations)  (Correct)

....They used case analysis to deal with pipeline stalls and were able to limit the proof to one stall case split by using a lemma to show that the pipeline cannot stall twice in a row. Researchers have used the Prototype Verification System to verify a number of pipelined processors [47] 52][55]. The Prototype Verification System (PVS) is an environment for specification and verification that has been developed at SRI[38] PVS combines a highly expressive specification language based on higher order logic, with a very effective interactive theorem prover in which most of the low level ....

....a highly expressive specification language based on higher order logic, with a very effective interactive theorem prover in which most of the low level proof steps are automated. 18 Cyrluk and others used PVS to verify the Saxe pipelined processor[47] and Burch and Dill's pipelined DLX processor[55]. The specification and implementation were specified as state transition systems. The correctness criteria related traces at both levels by using an abstraction function provided by the user. The limitation is that the user has to provide the number of cycles that it takes the implementation to ....

D. Cyrluk, "Inverting the Abstraction Mapping: A Methodology for Hardware Verification," Lecture Notes in Computer Science, Formal Methods in Computer-Aided Design, pp. 172-186, November 1996.


Lava: Hardware Design in Haskell - Bjesse, Claessen, Sheeran (1998)   (33 citations)  (Correct)

....Hanna has long argued for the use of a functional language with dependent types in hardware description and verification [HD92] Hanna's work inspired much research on using Higher Order Logic for hardware verification. The PVS theorem prover, which is increasingly used in hardware verification [Cyr96], is also based on a functional language with dependent types. We do not know of work in which circuit descriptions written in this language are used for anything other than proof in PVS. HML is a hardware description language based on ML, developed by Leeser and her group [LL95] The language ....

David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Formal Methods for Computer Aided Design of Electronic Circuits (FMCAD), number 1166 in Lecture Notes In Computer Science. Springer-Verlag, 1996.


PVS Bibliography - Rushby (1998)   (2 citations)  (Correct)

.... [133 139] real time [140 153] reactive [154] and hybrid systems [155 157] to distributed systems [158 164] and communications protocols [165 167] to program development [168] software development steps [169 172] and refinement [173 175] to compilers [176 179] to hardware design [180 203] and synthesis [204 209] to memory models and cache coherence protocols [210 213] to multimedia collaborations [214] to testing program visualization tools [215] to validating fault tolerant systems [216] and to self stabilization [217] PVS has also been used to support other specification ....

David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Mandayam Srivas and Albert Camilleri, editors, Formal Methods in Computer-Aided Design (FMCAD '96), volume 1166 of Lecture Notes in Computer Science, pages 172--186, Palo Alto, CA, November 1996. Springer-Verlag.


Systematic Formal Verification of Interpreters - Cyrluk, Rushby, Srivas (1997)   (3 citations)  Self-citation (Cyrluk)   (Correct)

....zero, in which case the machine stutters. The visible state approach does not allow numabs steps to return zero, instead it iterates the implementation next state function enough times so that at least one specification step is taken. Verification of a simple superscalar machine is described in [7]. An alternative approach that seeks to provide greater automation was introduced by Burch and Dill [4] Their method can be seen as a modification of the stuttering approach that avoids use of explicit time by modifying the commutes condition to take stuttering into account. Commutes normal: ....

D. Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Srivas and Camilleri [20], pages 172--186.


Decomposing the Proof of Correctness of Pipelined.. - Ravi Hosabettu Mandayam (1998)   (14 citations)  (Correct)

No context found.

David Cyrluk. Inverting the abstraction mapping: A methodology for hardware verification. In Srivas and Camilleri [SC96], pages 172--186.
