McMillan, K.L.: The SMV system DRAFT. CarnegieMellon University. URL http://www2. cs.cmu.edu/~modelcheck/smv/smvmanual.ps, 2000.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....define possible paths through the training case. Furthermore, we use the temporal logic CTL [2] to describe necessary properties of those paths. For example, CTL allows to specify that the end page must be located on every possible path in the training case. We use the model checking tool SMV [9], which is able to read the CTL specifications together with Kripke representations of the navigation structure. We implemented a tool that transforms our training case representation into an SMV readable format (Transformer in Figure 2) and runs the model checker for a verification process. ....

McMillan, K.L.: The SMV system DRAFT. CarnegieMellon University. URL http://www2. cs.cmu.edu/~modelcheck/smv/smvmanual.ps, 2000.

.... (e.g. 13, 12, 8] Additionally, the methodology involves a scheme for coverage model specification so as to withstand state space explosion problems and focus on the most important targets for verification.To support the methodology, a transition coverage generator was implemented, based on SMV [17]. The tool was used on two different real systems. It is used now for all system testing in our laboratory. Currently we are working on extending on the application of this work in two directions: We are working on extending the model in example 2 to include a model for a level 2 cache (an extra ....

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....generating architectural test programs from these tasks. This paper shows the first implementation of the methodology developed in [18] to a superscalar state of the art PowerPC implementation[17] 16] The experiment, which is described in detail, includes modeling of parts of that processor in SMV[10], generating abstract tests from the model using CFSM [7] converting the abstract tests into restric tions on architectural tests, converting the restrictions into directive for a test generation tool, generating the tests using Genesys [4] executing the tests on the real implementation and ....

....tests were also run on the simulator, and their coverage was compared with the coverage of the tests generated using CFSM. 5. 0 The debugging testing process The hardest, and the only manuel stage of this experiment is the one in which a state machine model of the implementation is written (in smv[10]) This model has to be debugged and then tested. As this process is different from debugging and testing for software or hardware we will elaborate on it. We debugged the model using rulebase[14] by writing temporal rules and checking that the model behaves correctly. We test the smv model by ....

K.L McMillan "The SMV System DRAFT", Carnegie Mellon University, Pittsburgh PA 1992

.... or ) Atomic formulas are constructed from expressions and relation symbols (e.g. or ) The set of all atomic formulas are called Atoms(M) The Support of an atomic formula f is the set of state variable that explicitly appear in f (e.g. A model can be defined by a program written in SMV [15] and translated into a Kripke structure Where , is a set of states, is a set of Initial states , is a transition relation and : is a labeling of the states in S given by = s f . Based on the Kripke structure of , formulas of the ACTL temporal logic can be constructed and evaluated (i.e. model ....

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....( 3= idle ) 1= CPU sa state ) if(var sa= 1) print CPU to PCI address tenure ends ; 5. Experience The motivation of this work came from experience in formal verification and simulation based verification. The symbolic simulation engine used was the one implemented in SMV [20]. We enhanced the SMV user control as follows: 1. Two input files that contained the list of Coverage variables and the list of Ignore variables were added. 2. Three keywords, TEST, TRANSITION and INIT ST, were added to the SMV language in order to allow test generation assertion. For example, ....

....to be a bottleneck. Additionally, the methodology involves a scheme for coverage model specification so as to withstand state space explosion problems and focus on the most important targets for verification. To support the methodology, a transition coverage generator was implemented, based on SMV [20]. The tool was used on two different real systems. Currently we are working on extending on the application of this work in two directions: First, we are investigating application of this methodology to verification of processor pipelines [18] Additionally, we are working on applying this ....

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....set is called a backward simulation step. Thus, a forward (or backward) simulation step is done from one set of states to another set of states. Additionally, the simulation is exhaustive, i.e. all possible states of the next step are generated. The model checker that this work relates to is SMV [9, 11]. SMV uses OBDDs to represent sets of states. Assume that the model to be verified has n binary state variables. Let M f0; 1g n be its state space, and let V = fv 1 ; v ng be its set of state variables. A state q 2 M of the model is an assignment of binary values to v i . Given a set S ....

....we ran. Six runs were executed for each example: Two runs without using partitioning, two runs using partitioningwith some arbitrary order and two runs where the partitions were ordered. The runs were done twice for the following reason: Once without proving any SPECs (temporal propositions [9]) measuring only the time to create the transition relation and another run with some SPECs evaluated. The difference in the run times is the time it took to evaluate SPECs. The transition relation was built incrementally in each run. The second column in the table is the number of model state ....

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....small models for large designs with exact timing for pipeline execution. The difference is that their FSM variables are selected by designers, and the model extraction, as the authors admit, took 3 man months. Another difference is they use the counter example mechanism from the model checker SMV [9] and the test generator Genesys to translate abstract tests into system level tests. One way of measuring the effectiveness of simulation sequences is to develop a coverage measure for them. Coverage, in general, can be divided into two types: programbased and functional. Most coverage tools in ....

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....are generated such that each reaches a new microarchitectural state. The difference is that their FSM variables are selected by designers, and the model extraction, as the authors admit, took 3 man months. Another difference is they use the counter example mechanism from the model checker SMV [24] to generate the abstract tests and the tool Genesys [25] to translate abstract tests into system level tests. Our approach is also different from those in [20, 2, 21, 11, 23, 22] These control behavior coverage metrics concentrate on state and transition coverage. Our proposed technique uses ....

.... control( fetch3: always (posedge clk) begin begin if ( IR[27:25] 3 b101) b = 0) d = 2 b11 ; if (reset) else if ( IR[27:25] 3 b100) b = 1) d = 2 b11 ; begin else d = 2 b00 ; state = start; state = exec ; int stop = 0; end IR = 32 h0000000; exec: end begin else if ( IR[24] = 1) IR[23] 0) k b= 0) k (IR[24:20] 5 b00110) k case ( state ) IR[24:20] 5 b00100)k( IR[24:20] 5 b01100) IR[28] 1) start: b = alu b ; begin if (IR[24] state = fetch1 ; int stop = 0 ; else state = fetch1 ; begin end if (IR[27:25] 3 b111) state = wr mem ; ....

[Article contains additional citation context not shown here]

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....with 20 states. The tableau presented in [3] would have a state space of 2 15 states for this formula. It is interesting to note that in this example not all the implementation variables are observable. We implemented our method symbolically as an extension to the symbolic model checker SMV [7]. Given a model with n state variables, a straightforward implementation of this method can create intermediate results that consists of 4n OBDD variables. However, our implementation reduces the required number of OBDD variables from 4n to 2n. The main contributions of our paper can be ....

....ReachSIM j Gamma1 ReachSIM : ReachSIM j 5.2 Efficient OBDD Implementation We now turn our attention to improving the performance of the algorithms described in the previous section. We assume that an implementation of such an algorithm will be done within a symbolic model checker such as SMV [7]. Since formal analysis always suffers from state explosion it is necessary to find methods to efficiently utilize computer memory. When working with OBDDs one possible way to do so is to try to minimize the number of OBDD variables that any OBDD created during the computation will have. We can ....

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

....methods attempt to establish that the RTL design synthesized from the behavioral specification is mathematically correct. Theorem proving and model checking are two popular formal verification approaches. Our approach was to first model the behavior, by hand, in the Symbolic Model Verifier (SMV) [4] notation and use this model to develop interesting properties of the model that should hold both at the behavior and register transfer levels. We would verify these properties of the behavioral SMV model. Later, after the RTL design is synthesized, we would translate that from VHDL into the SMV ....

K.L. McMillan. "The SMV system DRAFT", February 1992.

....than 10 120 [BCL91] 3.2.1 Timing and Scheduling Analysis of Tasks Symbolic Model Checking can also be used to verify the timing constraints of a set of tasks scheduled with a fixed priority algorithm. For the analysis to be described here, we used the Symbolic Model Verification (SMV) tool [McM92] which can check finite state systems against their specifications expressed in the Computational Tree Logic (CTL) CCM96] To test task schedulability, we create a Finite State Machine (FSM) model of a preemptive task, transform the FSM model into a SMV module for each task, and test the timing ....

....BDD Nodes (sec min) Mbytes) 1 20 50 245 1 670 1566 8.8sec 1.13 2 40 100 490 1 670 1841 1.36min 1.56 3 60 150 735 1 670 2028 6min 1.94 4 80 200 980 1 670 2096 21.6min 2.31 5 100 250 1225 1 670 2318 45.78min 2. 44 Table 2: Empirical Results for Three Independent Tasks In the SMV manual [McM92] the overall time complexity of an SMV program is derived from three factors: an increase in the transition relation BDD nodes, an increase in the state set BDD nodes and an increase in the number of iterations. From Figure 7, we can see that the overall empirical time complexity required to ....

K.L. McMillan. The SMV system - DRAFT. Carnegie-Mellon University, February 1992.

....the intervals give the abstracted sizes of the data path elements. The abstraction methodology is embedded in a tool, called the Automatic Data path Abstraction Tool (ADAbT) The tool takes a register transfer level description of a design expressed in a subset of VHDL as input, and produces SMV [12](the symbolic model checker from Carnegie Mellon University) models of the original and abstracted design as output. These models are then subjected to verification, and their verification time and memory requirements compared to determine the effectiveness of the abstraction procedure. ....

.... end while; return(SymbolT able) end; Figure 7: Procedure for performing interval computation for a module 12 a b c d e f [1, 3] 2, 5] 1, 8] 10, 15] 8, 3] g [ 2, 16] 15, 120] Initial Intervals: a : 1, 3] b : 2, 5] c : 1, 4] d : 10, 15] e : 8, 3] f : [9, 12] g : 2, 2] f : 10, 15] 1, 8] U [9, 12] 15, 120] U [9, 12] 15, 120] c : 1, 3] 2, 5] U [ 1, 4] 1, 8] g : 1, 8] 8, 3] U [ 2, 2] 2, 16] U [ 2, 2] 2, 16] New Intervals: Figure 8: Interval Evaluation Technique x op y. op is a logical, arithmetic or ....

[Article contains additional citation context not shown here]

K.L. McMillan. "The SMV system DRAFT", February 1992. 17

....The end points of the intervals give the abstracted sizes of the data path elements. The approach is embedded in a tool that carries out automatic data path abstraction. The tool takes a register transfer level description of a design expressed in a subset of VHDL as input, and produces SMV [3] models of the original and abstracted design as output. The major steps of the spatial abstraction methodology (Figure 1) are discussed in brief below: Design Partitioning: The first step is to partition the design description into a module call graph. A module call graph is a collection of ....

K.L. McMillan. "The SMV system DRAFT", February 1992.

....of registers in the data path cannot be verified by model checking due to state space explosion. Bradley and Vemuri [8] reported verification efforts for entire designs (data path and controller) using model checking. Table 1 shows excerpts from their results using the Symbolic Model Verifier [9]. These results show that, while the verification efforts for the two behavior level models were successful, verification of the register level models did not terminate even after 15 days on a dedicated Sun Sparcstation 2. State System States CPU Memory Test Case Model Variables Reachable Total ....

....introduce the CTL (Computation Tree Logic) formalism we have used to state our specifications. CTL is a branching time temporal logic developed by Clarke et al. 23] In addition to the usual boolean connectives : and j, the logic has four operators for expressing temporal relationships [9]: X, the next time operator indicates a condition that holds in the next state. G, the global operator denotes a property that holds globally in all states of all the computation path. F, the eventual operator denotes a property that holds in some future state in the computation path. ....

[Article contains additional citation context not shown here]

K.L. McMillan. "The SMV system DRAFT", February 1992.

....model. The counter example presented by the model checker will be a valid execution path on the model which contains the transition. The inputs that drive the model along this path, taken from the counter example, is actually a tour that covers the transition. By using a model checker such as SMV [13] and writing the appropriate assertions, it is possible to generate a tour that covers a specific transition. For example if and are states in the model, then the assertion declares that if the model is in state than the next state cannot be . In many cases there are additional conditions on the ....

K.L McMillan "The SMV System DRAFT", Carnegie Mellon University, Pittsburgh PA 1992

....UNIX processes implementing verification functions and a graphical interface to invoke them. ffl The TempEst package. TempEst [35] is a tool set for the formal verification of safety properties (expressed in Temporal Logic) of Esterel programs. ffl The model checker SMV (Symbolic Model Verifier) [38]. SMV supports algorithmic verification of finite state systems. We use a compiler for pure Esterel 4 that was developed at GMD, in St. Augustin, Germany. This compiler produces code in the SMV language. ffl Tools for creating Argos specification and verification, developed at GMD 5 . We are ....

K.L. McMillan. The SMV system draft. CarnegieMellon University, 1992.

..... Address of all authors: Institut fur Informatik, Humboldt Universitat zu Berlin, Unter den Linden 6, 10099 Berlin, Germany. 2 Mathias Block, Clemens Gropl, Harry Preu , Hans Jurgen Promel, Anand Srivastav improve variable orders dynamically, the state of the art model checking programs (SMV [19], VIS [5] Rulebase [2] provide variants of Rudell s [26] sifting algorithm. The big advantage of sifting is that it often produces very good orders, but for large circuits it is time expensive. Another obstacle in model checking has been the computation of the monolithic transition relation. ....

....to give algorithms which go beyond the greedy approach. In this paper we give new heuristics for finding good orders of variables and of transition relation partitions based on simulated annealing. We present a fast and efficient model checking program called VERIFY, which is based on SMV [19]. In section 3.1, a greedy algorithm and a simulated annealing algorithm for finding an interleaved start order for sequential circuits is proposed. It works on the communication graph (defined in section 2) and uses an OBDDindependent objective function. In section 3.2, we suggest a fast ....

K. L. McMillan; The SMV System DRAFT. Carnegie Mellon University, 1992.

No context found.

K. L. McMillan. The SMV System DRAFT. Carnegie Mellon University, Pittsburgh, PA, 1992.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC