R. Kumar, K. Schneider and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. Formal Methods in System Design, 2:165--223, 1993.
....the system reproves the Gandalf theorems within HOL rather than just accepting the results. The Gandalf proof script is imported into the HOL system and used to develop a fast proof within HOL. The tool is thus used to discover proofs, rather than directly to prove theorems. The MEPHISTO system [12] was developed to manage the higher levels of a verification, producing first order subgoals to be proved by the FAUST first order prover. The goals of MEPHISTO are similar to ours: managing the subgoaling of a verification to produce goals that can be proved by another system. The difference is ....
R. Kumar, K. Schneider and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. Formal Methods in System Design, 2:165--223, 1993.
.... verification systems are linked, such as the Voss ThmTac System [2] and the SMV-HOL linkage [10], and systems where external proof packages are tightly integrated as decision procedures for some subset of the logic by an interactive system [9]. One focus of work is on proof management tools [1][8] used to break down and recombine subgoals in the interactive prover to give to the hybrid tool. Such tools have not previously provided direct support for hierarchical proof. In this paper we discuss how a hybrid tool linking HOL [5], a higher order logic theorem prover, and MDG [4], a decision ....
R. Kumar, K. Schneider and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. Formal Methods in System Design, 2:165-223, 1993.
....or HOL [GM93] provide expressiveness and safety. They are expressive in that not only finite state machines or Boolean functions can be expressed in such systems, but actually most of mathematics. From the viewpoint of verification, this helps notably in expressing modular properties of circuits [KSK93]. As a toy example, consider a processor with an adder A and a memory subsystem M connected in such a way that the adder takes its inputs in memory through M and writes the results to memory through M again. It is much easier to prove that this does the expected thing by showing that, first, A ....
Ramayya Kumar, Klaus Schneider, and Thomas Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal System Design, pages 165--230, 1993.
.... programs in GDT are written in the L programming language [12]. Our HOL2L compiler translates HOL design descriptions to cell generator programs in GDT [10]. While we used GDT and HOL specifically, other reasoning and VLSI CAD tools can be used, as reported by Kumar, Schneider, and Kropf [9]. Once the instruction set descriptions are verified against gate level descriptions, these gate level descriptions can be used with gate-to-gate verification tools like Chrysalis [5] to verify modified or optimized gate-level descriptions. This methodology is being integrated into the National ....
R. Kumar, K. Schneider, T. Kropf, "Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment," Formal Methods in System Design, 2, pp. 165--223, 1993.
.... already used by various research groups (for instance for the verification of processors [28, 29, 30, 31]). Even though complete automation cannot be achieved in this area, a suitable structuring of the proof goals at least allows partial automation [32]. In embedded systems, however, verification tasks from both problem classes frequently occur. For this reason our verification tool C S was not designed as a monolithic system for one particular verification method, but allows a flexible integration of existing ....
R. Kumar, K. Schneider and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. International Journal of Formal Methods in System Design, pp. 165--230, 1993.
....logic) Implementation: sequential, C on Commodore Amiga (Sun OS in preparation) Availability: source code, binaries and documentation available Contact Address: S. Gerberding email: gerberding@inferenzsysteme.informatik.th-darmstadt.de 5 FAUST: There are three versions of the FAUST Prover [25, 40, 41]: the first one is based on a Sequent Calculus which is extended by a special form of unification in order to compute instances of Gamma rules. The second version of FAUST is based on structures called tableau graphs which resemble matrices of connection calculi. The third version of FAUST will be ....
R. Kumar, K. Schneider, and Th. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. Journal of Formal Methods in System Design, 2(2):165--230, 1993.
....in the core strategy being applicable for large examples. The tactic in [1] is also designed to process predicative style of hardware specifications, whereas ours is suited for functional style. Kumar, Schneider, and Kropf have developed a system MEPHISTO and a sequent calculus prover FAUST [19] which jointly can automatically verify a class of bit level hardware circuits specified in a relational style popularized by Michael Gordon. Their system cannot automate proofs of complex circuits, such as microprocessors, that use data types since they do not have rewriting and arithmetic ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Formal Methods in System Design, 2(2):165--223, 1993.
....features to control the desired level of automation in a proof. The proof of the microprocessor property shown below follows a certain general pattern that works successfully for most hardware proofs. This general proof pattern, variants of which have been used in other verification exercises [1, 18], consists of the following sequence of general proof tasks. Quantifier elimination: Since the decision procedures work on ground formulas, the user must eliminate the relevant universal quantifiers by skolemization or selecting variables on which to induct and existential quantifiers by suitable ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Formal Methods in System Design, 2(2):165--223, 1993.
....or a hierarchical shared memory subsystem [24] directly at the register transfer level (RTL) without having to expand the description down to the logic level. Although the user of the theorem prover has to assist in the proof, some parts can be automated for restricted verification problems, as in [3, 19, 25, 26]. Methods based on special calculi, such as [1, 2] were also proposed to automate the verification for a restricted class of circuit behaviors described above the logic level. Automated state enumeration techniques provide automation for behavioral comparison or model checking, without imposing ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Formal Methods in System Design, 2(2):165--223, 1993.
.... expressive, in that they can address a vast amount of rich mathematical theory (not just finite state machines or Boolean functions) The expressiveness provided by such systems makes them eminently suitable for diverse verification tasks, such as expressing modular properties of hardware circuits [22]. Proof assistants are also safe, in that they rest on firm logical foundations, for which consistency proofs are known. While implementations of proof assistants might of course be faulty, some design principles help limit this to an absolute minimum. In HOL, the main design principle, inherited ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal System Design, 1993.
....rule based approaches are mostly based on higher order logic. Therefore, rule based approaches have a much more expressive specification language. In contrast to model based approaches, they allow the use of abstraction mechanisms [2] for structure, data and time by using hierarchical descriptions [3], complex data types [4] and special temporal operators [5]. Especially the abstraction from concrete bitwidths is useful for the verification of circuits with large data paths [6] ....
(Footnote 1: This work has been partly financed by a German national grant, project Automated System Design, SFB No. 358.)
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--223, 1993.
....(footnote: ... System Design, SFB No. 358.) ....logic is used as the underlying formalism [4]. Unfortunately, these approaches require a considerable amount of manual interaction. Thus various approaches have been presented to partially automate the verification by incorporating automated reasoning procedures [5, 6] or by adding abstraction and compositional verification techniques to allow larger systems to be verified than by finite state approaches [7, 8, 9]. Many circuits are composed of a controller and a data path. Recently it has been shown that it is useful to separate these parts prior to ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. International Journal of Formal System Design, pages 165--230, 1993.
....but correspond to a scheme for describing regular hardware structures. Concrete circuits can be derived from abstract circuits by type instantiation and variable substitution. In this paper, only the formalization of circuits is described. PML can be viewed as a more abstract layer for MEPHISTO [KuSK93, ScKK93c]. The verification of descriptions using PML is achieved by converting them into formulae which can be handled by MEPHISTO. After having given a description of PML in section 2, concrete and abstract circuits are formalized in section 3 and 4, respectively. Finally, we briefly discuss the use of ....
....evaluation and induction. For concrete circuits and some classes of abstract circuits, a more direct approach for verification is used. The PML terms can be converted into certain formulae, called hardware formulae [ScKK93c], which can be automatically verified within the MEPHISTO system [KuSK93] (see figure 12). Thus PML descriptions can also be used as a front end specification language within this verification framework.

    fun fulladder (cin, a, b) =
      let val w1 = xor(a, b) in
      let val w2 = and(b, a) in
      let val sum = xor(cin, w1) in
      let val w3 = and(cin, w1) in
      let val cout = or(w3, w2) in ....
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--223, 1993.
....this logic are therefore based on interactive theorem proving systems like HOL [6], where most proof steps have to be triggered manually. However, it has been shown recently that more automation is possible by integrating first order automated theorem proving techniques within such an environment [7]. Moreover, in the context of hardware verification, the related proofs are in many cases structured in a similar manner, so that much automation is possible here also [7]. Higher order logic is well suited for hierarchically describing circuits at different levels of abstraction [8]. Since, in ....
.... that more automation is possible by integrating first order automated theorem proving techniques within such an environment [7]. Moreover, in the context of hardware verification, the related proofs are in many cases structured in a similar manner, so that much automation is possible here also [7]. Higher order logic is well suited for hierarchically describing circuits at different levels of abstraction [8]. Since, in contrast to FSM based techniques, there are no size restrictions, this formalism is usable to describe and verify designs of realistic sizes, e.g. significant parts of the ....
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal System Design, 2(2):165--230, 1993.
....(footnote: ... by a German national grant, project Automated System Design, SFB No. 358.) ....is no complete automated proof procedure for this logic, the underlying proof systems are all interactive by nature. For this reason, we have integrated automated verification procedures in the higher order environment HOL [6, 7, 8], such that complete automation has been obtained for concrete circuits, similar to model based approaches. Furthermore, higher order logic offers the possibility to verify abstract forms of circuits. For example, abstract circuits allow abstracting away from concrete bitwidths, similar to ....
....of the WHEN operator which can all be used as formal definitions in higher order logic. Each of these characterisations indicates connections to further formalisms, which can thus be embedded in our framework. The first characterisation of the WHEN operator is the definition by hardware formulae [6], which are normally used as normal forms of implementation descriptions. Hardware formulae have been considered in previous work (see [6] for a formal definition) and proof tactics have been implemented for them which allow a complete automation of correctness proofs for concrete circuits [12, 8] ....
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--223, 1993.
....to the one done by Windley in proving the correctness of microprogrammed processors [20]. Each obtained theorem is then instantiated for each instruction at the instruction level. We have implemented tactics in the HOL theorem prover [6] using the hardware verification environment MEPHISTO [12], which automates the entire process, given the formal definitions of the specifications and implementations at each abstraction level [16]. 3.2 Pipeline Correctness: The pipeline correctness can be proved by showing that all possible combinations of n_s instructions are executed correctly. This ....
Kumar, R.; Schneider, K.; Kropf, Th.: Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment; Journal of Formal Methods in System Design, Vol. 2, No. 2, 1993, pp. 165-230.
....for converting netlists automatically into logical formulas, performs an expansion of the abbreviations used for the modules, simplifies the resultant formula by removing all possible internal lines and finally calls the first order prover based on C SG. The details of MEPHISTO can be found in [KuSK93]. The example used is called a delta circuit whose informal specification can be stated as c a b. This informal specification is then converted automatically into a formal specification (as shown below) which uses predefined and prevalidated n-bit operators as described in ....
.... 0 a b lessOut = LESS_N_SPEC 0 a b lessOut. The base case can be solved by first expanding the definitions of the specification and the implementations, i.e. LESS_N_IMP, LESS_1_IMP and the library components INV, AND and OR2, and then finally rewriting the internal lines away by their definitions [KuSK93].

    e (PURE_ASM_REWRITE_TAC defs THEN SIMPLIFY_TAC)
    OK.
    Goal proved.
    ∀ a b lessOut.
      (∃ l1 l2 l3 l4 l5.
         (l1 = ¬(a 0)) ∧ (l2 = l1 ∧ (b 0)) ∧ (l3 = l1 ∧ F) ∧
         (l5 = F ∧ (b 0)) ∧ (l4 = l2 ∨ l3) ∧ (lessOut = l4 ∨ l5))
      = (lessOut = ¬(a 0) ∧ b 0)
    Goal proved.
    ∀ a b lessOut. LESS_N_IMP 0 a b ....
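The two mechanical steps that the PML full adder fragment and the HOL session above rely on, rewriting the internal lines of an implementation away by their definitions and then deciding the resulting ground formula, can be shown on a concrete (bit-level) circuit in a few lines. The following is an added example, not code from the cited paper or from MEPHISTO: it substitutes internal lines away and then decides implementation-vs-specification equivalence by exhaustive evaluation, which is a complete decision procedure for a concrete circuit with a fixed number of inputs. The netlist format, gate names and the deliberately broken adder are my own constructions; the full adder follows the PML fragment and the 1-bit "less" base case follows the transcript.

```python
"""Added example: automatic verification of a concrete (bit-level) circuit.

Not code from the cited paper or the MEPHISTO system.  It mimics the two steps
the citing text describes: (1) rewrite the internal lines of an implementation
away by their definitions, so every output becomes a function of the primary
inputs only, and (2) decide the resulting ground formula, here by exhaustive
evaluation.  Netlist format, gate names and the broken variant are my own.
"""
from itertools import product

# A netlist is a list of (output_line, gate, input_lines); 'T'/'F' are constants.
GATES = {
    "INV": lambda x: not x,
    "AND": lambda x, y: x and y,
    "OR2": lambda x, y: x or y,
    "XOR": lambda x, y: x != y,
}


def eliminate_internal_lines(netlist, inputs, outputs):
    """Return {output: function of an input assignment} with every internal
    line substituted by its defining gate.  Rejects combinational loops and
    undefined lines, which would otherwise make the 'proof' meaningless."""
    defs = {out: (gate, ins) for out, gate, ins in netlist}
    consts = {"T": True, "F": False}

    def eval_line(line, assignment, stack=()):
        if line in consts:
            return consts[line]
        if line in assignment:
            return assignment[line]
        if line in stack:
            raise ValueError(f"combinational loop through {line}")
        if line not in defs:
            raise ValueError(f"undefined line {line}")
        gate, ins = defs[line]
        return GATES[gate](*(eval_line(i, assignment, stack + (line,)) for i in ins))

    return {o: (lambda a, o=o: eval_line(o, a)) for o in outputs}


def verify(netlist, inputs, outputs, spec):
    """Exhaustively compare implementation with spec over all input vectors.
    Returns the list of counterexamples (empty list means proved)."""
    impl = eliminate_internal_lines(netlist, inputs, outputs)
    counterexamples = []
    for bits in product([False, True], repeat=len(inputs)):
        assignment = dict(zip(inputs, bits))
        expected = spec(**assignment)
        got = {o: impl[o](assignment) for o in outputs}
        if got != expected:
            counterexamples.append((assignment, got, expected))
    return counterexamples


# Full adder, transcribed from the PML fragment on this page.
FULLADDER = [
    ("w1", "XOR", ("a", "b")),
    ("w2", "AND", ("b", "a")),
    ("sum", "XOR", ("cin", "w1")),
    ("w3", "AND", ("cin", "w1")),
    ("cout", "OR2", ("w3", "w2")),
]


def fulladder_spec(cin, a, b):
    s = int(cin) + int(a) + int(b)
    return {"sum": bool(s % 2), "cout": s >= 2}


# Base case of the 1-bit "less" circuit from the HOL transcript (lessOut = a0 < b0).
LESS_0 = [
    ("l1", "INV", ("a0",)),
    ("l2", "AND", ("l1", "b0")),
    ("l3", "AND", ("l1", "F")),
    ("l5", "AND", ("F", "b0")),
    ("l4", "OR2", ("l2", "l3")),
    ("lessOut", "OR2", ("l4", "l5")),
]


def less_spec(a0, b0):
    return {"lessOut": (not a0) and b0}


# Constructed faulty variant: the sum gate is an OR instead of an XOR.
BROKEN_ADDER = [(o, ("OR2" if o == "sum" else g), i) for o, g, i in FULLADDER]


def verify_fulladder():
    return verify(FULLADDER, ["cin", "a", "b"], ["sum", "cout"], fulladder_spec)


def verify_less0():
    return verify(LESS_0, ["a0", "b0"], ["lessOut"], less_spec)


def verify_broken():
    return verify(BROKEN_ADDER, ["cin", "a", "b"], ["sum", "cout"], fulladder_spec)


if __name__ == "__main__":
    print("fulladder counterexamples:", verify_fulladder())
    print("less_0 counterexamples:", verify_less0())
    print("broken adder counterexamples:", verify_broken())
```

Exhaustive evaluation is exponential in the number of primary inputs, which is exactly why the cited work reserves it for concrete circuits and hands abstract (n-bit, hierarchical) circuits to induction and higher order techniques; the loop and undefined-line checks matter because a netlist with a cycle or a dangling line is not a definition and must not be reported as verified.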
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--230, 1993.
....at the instruction level. We have implemented tactics in the HOL theorem prover [4] using the hardware verification environment MEPHISTO [9], which automates the entire process, given the formal definitions of the specifications and implementations at each abstraction level [15]. [Figure residue: pipeline diagram, instructions I_1 .. I_{n_s} passing through the stages IF, ID, EX, MEM, WB over successive clock cycles.] 3.2 Pipeline Correctness: Step (1) can be proved by showing that all possible combinations of n_s instructions are executed correctly. This implies that the ....
Kumar, R.; Schneider, K.; Kropf, Th.: Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment; Journal of Formal Methods in System Design, Vol. 2, No. 2, 1993, pp. 165-230.
....other formalisms such that the combined verification of complex temporal behaviour with abstract data types has been achieved. Hence, H3V is the first verification system that allows the verification of circuits with abstract data types and nontrivial temporal behaviour. The MEPHISTO system [8] is a direct predecessor of H3V. MEPHISTO was solely based on HOL, and did not contain the powerful decision procedures of H3V. The contribution of this paper is to show by using small examples how different proof procedures can be invoked in the H3V system in order to verify ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. International Journal of Formal System Design, pages 165--230, 1993.
....a class of higher order formulas, which is well-suited for describing hardware structure and behaviour at different levels of abstraction. Proofs may be performed in HOL if they are simple or require higher order techniques like induction. In contrast to previous approaches presented by the authors [KuSK93], proof goals of this formula class may be equally well proved using standard model checking techniques. This is especially useful if correctness proofs are achievable by state enumeration techniques. In contrast to most model checking approaches, the presented methodology is also well suited for ....
R. Kumar, K. Schneider, and T. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--223, 1993.
....for getting verification tools usable by VLSI designers. However, in the limited context of hardware verification, first results have been achieved to automate parts of hardware proofs in higher order logic by using a definite sequence of transformation steps and first order proving techniques [ScKK91a, KuSK93]. The work presented in this paper establishes a set of efficient algorithms aimed at a further automation of hardware correctness proofs in higher order logic. To our knowledge, for the first time, decision procedures for a certain class of higher order formulae are presented. This class is ....
....consideration that digital circuits are complex finite state systems, and hence corresponding notions such as output and state transition functions are found. The concept of this description goes back to Hanna and Daeche [HaDa86], and a detailed description of these formulae can also be found in [KuSK93]. In contrast to simple finite state machines, these formulae can contain an additional subformula for handling hierarchy and complex data types. If we neglect this subformula, i.e. if we assume it to be T, then the obtained subclass is as powerful as finite state machines. If the formulae are ....
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--223, 1993.
....processor. The objective of our endeavour is the development of a generic methodology (comparable to that of Windley [Wind90]) for the formal verification of a large number of realistic RISC processor cores. Furthermore, we plan to integrate this methodology into a general verification framework [KuSK93]. In our previous work, we have developed and formalized a general hierarchical model for RISC cores and sketched the formal verification aspects using this model [TaKu93a, TaKu93b]. The aim of this paper is to show the practicability of our methodology by implementing it in HOL. This work has ....
.... [Figure residue: datapath schematic with signals ext, trap, rw, alu op, a mux, b mux, smdr mux, lmdr mux and the Reg.File.] Our approach is embedded within the MEPHISTO verification framework and the formal description of the circuit is obtained automatically from an EDIF output of a schematic representation, entered within a CAD tool [KuSK93]. The sub blocks of the hierarchical design are broken into elementary library cells whose formal specifications are contained in a HOL library. 5 Formal Verification: Potentially, a RISC processor executes n_s instructions in parallel, in n_s different pipeline stages (where n_s is the pipeline ....
Kumar, R., Schneider, K., Kropf, Th.: Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment; Journal of Formal Methods in System Design, Vol. 2, pp. 165-230, 1993.
....on the threshold of industrial use. On the other hand, verification at higher levels of abstraction requires higher order logic, which cannot be automated sufficiently. However, parts of digital circuits can nevertheless be verified very elegantly by finite state machine approaches. Moreover, in [KuSK93] first proof paradigms for the verification of circuits at register transfer level have been formulated, and in [ScKK93c] these paradigms have been extended to decision procedures. The transformations which have been used in [ScKK93c] yield subgoals which resemble classical finite state machine ....
.... more atoms than the α_j's, and not all α_j's have to occur in Υ) ⋀_{j=1}^{n} (α_j j) Υ(α_1; …; α_n) holds iff Υ(1; …; n) holds.
(Footnote 4: This methodology resembles the approach that we have taken for integrating automated first order provers in HOL [KuSK93]. First, the external prover is used to compute a proof with a list of instantiations which are then used to validate the proof in HOL.)
(Footnote 5: It has not been stated that [⋀_{j=1}^{n} (α_j j)] ⊢ Υ(α_1; …; α_n) ≡ Υ(1; …; n) is a theorem. This is not the ....)
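The integration pattern described in footnote 4 above (and in the first citation context on this page, where Gandalf's proof script is imported and reproved inside HOL) is, from a security engineer's point of view, a trusted-computing-base argument: the external prover is an untrusted oracle that only has to find the proof, and a small checker inside the interactive system re-establishes every step, so a buggy or malicious prover cannot smuggle in a non-theorem. The following is an added example, not code from the cited paper, HOL or any external prover: a naive propositional resolution search plays the untrusted prover and emits a proof log, and a separate small checker validates each resolution step before accepting the refutation. The clause set, the log format and the forged and tampered proofs are my own constructions.

```python
"""Added example: validate an externally found proof instead of trusting the prover.

Not code from the cited paper or from HOL.  It shows the pattern of the citing
text: an untrusted search procedure finds a refutation and records it as a
proof log; a small trusted checker replays the log and accepts the result only
if every step is a genuine resolution step.  Literals are nonzero ints (negation
is sign flip), a clause is a frozenset of literals, and an empty clause is the
contradiction.  Clause set, log format and attacks below are constructed.
"""
from itertools import combinations


def resolve(c1, c2):
    """All resolvents of c1 and c2, one per complementary pair, with the pivot
    literal (taken from c1) that was resolved on."""
    return [((c1 - {lit}) | (c2 - {-lit}), lit) for lit in c1 if -lit in c2]


def untrusted_prover(clauses, limit=10_000):
    """Naive saturation search.  Returns a proof log
    [(parent1_index, parent2_index, pivot, resolvent), ...] ending in the empty
    clause, or None.  Its output is treated as data, never as a proof."""
    known = list(clauses)
    index = {c: i for i, c in enumerate(known)}
    log = []
    changed = True
    while changed and len(known) < limit:
        changed = False
        for i, j in combinations(range(len(known)), 2):
            for res, pivot in resolve(known[i], known[j]):
                if res in index:
                    continue
                index[res] = len(known)
                known.append(res)
                log.append((i, j, pivot, res))
                changed = True
                if not res:  # empty clause: refutation found
                    return log
    return None


def check_proof(axioms, log):
    """Trusted checker (the only code that has to be correct).  Every step must
    cite two already-established clauses, resolve them on the stated pivot, and
    claim exactly the resulting clause; the final clause must be empty."""
    established = list(axioms)
    for k, (i, j, pivot, res) in enumerate(log):
        if not (0 <= i < len(established) and 0 <= j < len(established)):
            return False, f"step {k}: parent index out of range"
        c1, c2 = established[i], established[j]
        if pivot not in c1 or -pivot not in c2:
            return False, f"step {k}: pivot {pivot} is not complementary in the parents"
        if res != (c1 - {pivot}) | (c2 - {-pivot}):
            return False, f"step {k}: claimed resolvent does not match the parents"
        established.append(res)
    if not established or established[-1]:
        return False, "proof does not end in the empty clause"
    return True, "ok"


# Constructed clause set: p -> q, q -> r, p, not r (1 = p, 2 = q, 3 = r).
AXIOMS = [frozenset(s) for s in ({-1, 2}, {-2, 3}, {1}, {-3})]


def prove_and_check(axioms=AXIOMS):
    """Untrusted search followed by trusted validation."""
    log = untrusted_prover(axioms)
    return log is not None and check_proof(axioms, log)[0]


def forged_proof_rejected(axioms=AXIOMS):
    """A 'prover' that simply asserts the empty clause from {p} and {not r}."""
    forged = [(2, 3, 1, frozenset())]
    return not check_proof(axioms, forged)[0]


def tampered_proof_rejected(axioms=AXIOMS):
    """A valid log whose first step claims a stronger clause than it derives."""
    log = untrusted_prover(axioms)
    i, j, pivot, _ = log[0]
    tampered = [(i, j, pivot, frozenset({-1}))] + log[1:]
    return not check_proof(axioms, tampered)[0]


if __name__ == "__main__":
    print("genuine proof accepted:", prove_and_check())
    print("forged proof rejected:", forged_proof_rejected())
    print("tampered proof rejected:", tampered_proof_rejected())
```

The checker is deliberately far smaller and simpler than the search, which is the whole point: soundness of the combined system rests on `check_proof` alone, exactly as HOL's soundness rests on its kernel rather than on Gandalf, FAUST or any other external prover whose output it reproves.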
R. Kumar, K. Schneider, and Th. Kropf. Structuring and automating hardware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165--223, 1993.
....to the one used by Windley in proving the correctness of microprogrammed processors [13]. Later, these proofs are instantiated for each instruction at the instruction level. We have implemented proof scripts in the HOL theorem prover [3] using the hardware verification environment MEPHISTO [8], which automates the entire process, given the formal definitions of the specifications and implementations at each abstraction level. 3.2 Pipeline Correctness: The correctness of step (1) consists in the proof that all possible combinations of n_s instructions are executed correctly. This is ....
Kumar, R.; Schneider, K.; Kropf, Th.: Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment; Journal of Formal Methods in System Design, Vol. 2, No. 2, 1993, pp. 165-230.
No context found.
KuSK93 Kumar, R., Schneider, K., Kropf, Th.: Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment; Journal of Formal Methods in System Design, Vol. 2, pp. 165-230, 1993.