K. McMillan. A compositional rule for hardware design refinement. In International Conference on Computer-Aided Verification, Lecture Notes in Computer Science, pages 24--35. Springer-Verlag, 1997.
....of a module as part of its interface; this framework was designed to support separate development of components. Proof rules govern when a composition of modules is valid according to the assumptions, and dictate when safety properties hold of a composition of modules. Pnueli [26], McMillan [21], and others have developed proof rules for compositional model checking; these frameworks capture module constraints through temporal logic formulas. These works, however, are really about decompositional verification, in which the whole system is available at the same time, but is verified ....
K. McMillan. A compositional rule for hardware design refinement. In International Conference on Computer-Aided Verification, Lecture Notes in Computer Science, pages 24-- 35. Springer-Verlag, 1997.
....structure like a pipeline, a matrix, etc. These techniques rely on the concept of invariant [6] or the so-called behavioral fixed point [17] to reason about the behavior of systems with any number of components. Formal frameworks that support assume-guarantee reasoning with abstractions [11] often rely on: a preorder relation and a composition operator ∥ for processes, and a logic to specify properties. The preorder on X and X′ denotes that the abstraction X′ captures more behaviors than X, i.e. X refines or implements X′. Since we verify safety properties, the only condition we have to enforce for ....
....in less than an hour of CPU time. The verification succeeds and also provides back annotation indicating a set of sufficient timing relations between events that guarantee the correctness of the implementation. These relations [Figure 1, panels a) to f): firing times of the signals Vint, Z, Y, CLKE, VALID and ACK, with intervals such as Vint [0,2], Z [0,2], Y [1,2], CLKE [3,4], ACK [8,11], VALID [5,Inf) and VALID [15,Inf); remaining figure text not recoverable] ....
[Article contains additional citation context not shown here]
K. L. McMillan. A compositional rule for hardware design refinement. In LNCS: Computer-Aided Verification, volume 1254, pages 24--35. Springer-Verlag, 1997.
....If both are coherent with each other the property is checked on the abstracted system. This abstracted system is usually considerably smaller than the original one, so that in numerous practical cases this two-phase approach proves to be globally more efficient than direct model checking [McMill97]. Except for the following discussion in section 3.3.6, we don't enter into the details of the refinement technique in this report for space reasons. A good introduction to it can be found in [McM99b]. This technique is particularly well suited to hardware design, because most low level circuit ....
KENNETH L. MCMILLAN, A compositional rule for hardware design refinement, Computer Aided Verification (CAV97), O. Grumberg Ed., Haifa Israel, June 1997, pp. 24-35.
.... in which each component is verified separately using a specification of the other components [MC81, Jon83a]. Several researchers have presented assume-guarantee proof rules (see Section 2) and some verification tools that support assume-guarantee reasoning on hardware have recently appeared [McM97, AHM+98]. However, tools for assume-guarantee reasoning on realistic software systems do not exist. In this paper, we describe the design and implementation of a static checker for multithreaded programs, based on an assume-guarantee decomposition. This checker is targeted to the verification ....
....shared variables cannot be viewed as components in their framework, their work is not directly applicable to our problem. Collette and Knapp [CK95] extended the rule of Abadi and Lamport to the more operational setting of Unity [CM88] specifications. Alur and Henzinger [AH96] and McMillan [McM97] present assume-guarantee proof rules for hardware components. A number of other compositional proof rules not based on assume-guarantee reasoning have also been proposed, such as [BKP84, CM88, MP95]. Yahav [Yah01] describes a method to model check multithreaded programs using a 3-valued logic ....
K.L. McMillan. A compositional rule for hardware design refinement. In O. Grumberg, editor, CAV 97: Computer Aided Verification, Lecture Notes in Computer Science 1254, pages 24--35. Springer-Verlag, 1997.
....necessary for reasoning about compositional proof systems. Proofs of the completeness of compositional reasoning systems for safety properties are found in [ZdRvE84, Pan88, PJ91, dRdBH+99]. Other assume-guarantee rules for safety properties are proposed in [Sta85, Pnu85, Kur87, AH96, McM97]. More general rules that apply to both safety and liveness properties are proposed in [Pnu85, Jos87, CLM89, GL94, AL95, McM99]. We have concentrated on the completeness question for general rules that apply to both safety and liveness properties. As shown in Section 3, the circular rules in ....
K.L. McMillan. A compositional rule for hardware design refinement. In CAV, volume 1254 of LNCS, 1997.
....structure like a pipeline, a matrix, etc. These techniques rely on the concept of invariant [6] or the so-called behavioral fixed point [17] to reason about the behavior of systems with any number of components. Formal frameworks that support assume-guarantee reasoning with abstractions [11] often rely on: a preorder relation and a composition operator ∥ for processes, and a logic to specify properties. The preorder on X and X′ denotes that the abstraction X′ captures more behaviors than X, i.e. X refines or implements X′. Since we verify safety properties, the only condition we have to ....
....in less than an hour of CPU time. The verification succeeds and also provides back annotation indicating a set of sufficient timing relations between events that guarantee the correctness of the implementation. These relations [Figure, panels a) to f): firing times of the signals Vint, Z, Y, CLKE, VALID and ACK, with intervals such as Vint [0,2], Z [0,2], Y [1,2], CLKE [3,4], ACK [8,11], VALID [5,Inf) and VALID [15,Inf); remaining figure text not recoverable] ....
[Article contains additional citation context not shown here]
K. L. McMillan. A compositional rule for hardware design refinement. In LNCS: Computer-Aided Verification, volume 1254, pages 24--35. Springer-Verlag, 1997.
....[Figure 3: Configuration for verifying bus properties] ...dle multiple masters and targets on a single bus and avoid the state explosion problem, we used some techniques including abstraction, assume-guarantee reasoning, symmetry and case analysis. We developed a single bus model in CBL SMV [10] with 5 masters and 5 targets. In this model, there is symmetry within the masters, as well as the targets. For a bus driving property, we perform a case analysis on the actual master and the target that are active on the bus, then use symmetry to reduce the number of proof obligations. In order ....
K.L. McMillan. "A compositional rule for hardware design refinement ", Computer Aided Verification, pp 24-35, June 1997.
....in refinement proofs. In Section 4, we apply the methodology to verify a processor pipeline against an instruction set architecture. We are aware of two model checkers that provide explicit tool support for refinement checking using assume-guarantee reasoning: Mocha [AHM+98] and SMV [McM97, McM98, McM99]. Assume-guarantee refinement checking has been used successfully for verifying the correctness of algorithms, such as Tomasulo's algorithm [McM98]. It has also been used successfully for verifying real world hardware designs against abstract specifications. Two such examples are ....
.... rules whose soundness relies on induction over time can be traced back to [MC81]. A strong decomposition rule for asynchronous systems was given in [AL93, AL95] and for synchronous reactive systems, in [AH95, AH96]. Proof methodologies for applying strong decomposition rules were developed in [McM97] and [HQR98]. The strong decomposition rules and proof methodologies were recently generalized in many ways, for example, to accommodate multiple constraints on a single output port [McM98], branching time refinement [HQRT98], different implementation and specification time scales [HQR99], and ....
K.L. McMillan. A compositional rule for hardware design refinement. In O. Grumberg, editor, CAV 97: Computer-aided Verification, Lecture Notes in Computer Science 1254, pages 24--35. Springer-Verlag, 1997.
....from the code and the specification model S is extracted from the RFC document. We wish to verify that I S holds, where the notion of refinement is based on language inclusion. A recent promising approach to automated refinement checking combines assume-guarantee reasoning with search algorithms [19, 14, 4], and has been successfully applied to synchronous hardware designs such as pipelined processors [20] and a VGI chip [13]. To establish the refinement, we employ the following three-step methodology (advocated, for instance, in [4]). First, the refinement obligation is used to generate simpler ....
.... hardware designs such as pipelined processors [20] and a VGI chip [13]. To establish the refinement, we employ the following three-step methodology (advocated, for instance, in [4]). First, the refinement obligation is used to generate simpler subgoals by applying assume-guarantee reasoning [23, 2, 5, 12, 19]. This reduces the verification of a composition of implementation components to individual components, but verifies an individual component only in the context of the specifications of the other components. The second step concerns verification of a subgoal I S, when S has private variables. The ....
[Article contains additional citation context not shown here]
K. McMillan. A compositional rule for hardware design refinement. In CAV 97: Computer-Aided Verification, LNCS 1254, pages 24--35, 1997.
....Since VGI is a very big design, model checking cannot be applied directly. Previously, assume-guarantee methods have been developed for decomposing a refinement verification task into smaller proof obligations that can be discharged automatically with a model checker. In assume-guarantee reasoning [3, 7, 8, 9, 10], the different components of the implementation are verified in isolation by making appropriate assumptions about their environments. The environment assumptions are then discharged separately. In order to keep the sizes of the individual proof obligations within the capacity limits of model ....
.... to keep the sizes of the individual proof obligations within the capacity limits of model checking, it is essential to specify the environment assumptions for implementation components abstractly in terms of specification signals, using abstraction modules [10] (also called refinement maps [9]). In the case of VGI, the specification describes the behavior of the implementation only at the sampling instants. Consequently, the abstraction modules specify the values of implementation signals only at those instants. But the correct behavior of implementation components may depend on ....
K. McMillan, "A compositional rule for hardware design refinement," in CAV 97: Computer Aided Verification, LNCS 1254, pp. 24--35, Springer, 1997.
....that behaves like P2, and similarly, P2 may refine Q2 only when constrained by an environment that behaves like P1. Under certain modeling assumptions (namely, nonblocking and finite nondeterminism) the compositional principle can be strengthened to an assume-guarantee principle [Sta85,CLM89,GL94,AL95,AH96,McM97]: in order to check that P refines Q, it suffices to check both that P1 ∥ Q2 refines Q1 and that Q1 ∥ P2 refines Q2. Three observations about this proof rule are important. First, the rule addresses the issue that the environment of P1 may have to be suitably constrained in order to implement Q1, and similarly for P2. ....
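The circular rule quoted in the passage above, carried through on a constructed two-component system, as an added example; none of this code comes from the cited papers or from any of the tools they describe. Modules are modelled as synchronous Moore machines (outputs depend on the state only, so each component's guarantee at one step can only depend on the other's output at the previous step, which is the one-step delay the induction over time behind the rule needs), refinement is finite-trace inclusion over the specification's signals, and the checker decides it by explicit-state search with a subset construction on specification states. The system itself (two saturating counters x and y, specifications Q1 and Q2, implementations P1 and P2) and every name used (Module, compose, refines, spec1, spec2, impl1, impl2, N, DOMAIN, assume_guarantee_check) are assumptions made for this illustration. The passage's nonblocking proviso matters here: a specification in this toy model may have no successor once its input violates its assumption, and the checker then reads that as the specification rejecting the trace, so the example runs the monolithic check alongside the two circular subgoals rather than relying on the rule alone.

```python
"""Toy assume-guarantee refinement checker (added example, not code from the cited papers).
Modules are synchronous Moore machines: outputs depend on the state only; the next state is
chosen (possibly nondeterministically) from the state and the current input values."""
from collections import deque
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, Dict, Iterable, Optional, Tuple

Env = Dict[str, Any]


@dataclass(frozen=True)
class Module:
    name: str
    inputs: Tuple[str, ...]                     # signals read from the environment
    outputs: Tuple[str, ...]                    # signals this module owns
    init: Tuple[Any, ...]                       # initial states
    out: Callable[[Any], Env]                   # state -> valuation of owned signals
    step: Callable[[Any, Env], Iterable[Any]]   # (state, inputs) -> successor states


def compose(a: Module, b: Module) -> Module:
    """a || b: both modules step in lockstep, each reading the other's current outputs."""
    assert not set(a.outputs) & set(b.outputs), "modules must own disjoint signals"
    outputs = a.outputs + b.outputs
    inputs = tuple(s for s in dict.fromkeys(a.inputs + b.inputs) if s not in outputs)

    def out(state: Tuple[Any, Any]) -> Env:
        return {**a.out(state[0]), **b.out(state[1])}

    def step(state: Tuple[Any, Any], env: Env):
        full = {**env, **out(state)}
        succ_a = list(a.step(state[0], {s: full[s] for s in a.inputs}))
        succ_b = list(b.step(state[1], {s: full[s] for s in b.inputs}))
        return [(sa, sb) for sa in succ_a for sb in succ_b]

    return Module(f"({a.name} || {b.name})", inputs, outputs, tuple(product(a.init, b.init)), out, step)


def refines(impl: Module, spec: Module, domain: Dict[str, Tuple[Any, ...]]) -> Optional[list]:
    """Decide impl <= spec: every trace of impl, projected to spec's signals, is a trace of spec.
    impl's free inputs range over `domain` (a fully unconstrained environment). Returns None on
    success, else a counterexample trace. A spec state with no successor rejects any continuation."""
    assert set(spec.outputs) <= set(impl.outputs)
    assert set(spec.inputs) <= set(impl.inputs) | set(impl.outputs)
    envs = [dict(zip(impl.inputs, vals)) for vals in product(*(domain[s] for s in impl.inputs))]

    def consistent(states, p):  # spec states whose outputs agree with impl state p
        o = impl.out(p)
        return frozenset(q for q in states if all(spec.out(q)[s] == o[s] for s in spec.outputs))

    parent: Dict[Any, Any] = {}
    queue = deque()
    for p in impl.init:
        node = (p, consistent(spec.init, p))
        if node not in parent:
            parent[node] = None
            queue.append(node)
    while queue:
        p, qs = queue.popleft()
        if not qs:                        # no run of spec matches the trace that led here
            trace, node = [impl.out(p)], (p, qs)
            while parent[node] is not None:
                node, env = parent[node]
                trace.append({**impl.out(node[0]), **env})
            return trace[::-1]
        for env in envs:
            full = {**env, **impl.out(p)}
            spec_succ = {q2 for q in qs for q2 in spec.step(q, {s: full[s] for s in spec.inputs})}
            for p2 in impl.step(p, env):
                node = (p2, consistent(spec_succ, p2))
                if node not in parent:
                    parent[node] = ((p, qs), env)
                    queue.append(node)
    return None


# Constructed system: counters x (component 1) and y (component 2) saturating at N. Each spec
# constrains its own counter only relative to the other's current value, so each implementation
# is correct only in an environment that itself behaves like the other spec.
N = 3


def spec1(x, env):   # Q1: x holds or advances by one, and never runs more than one ahead of y
    return [x2 for x2 in (x, min(x + 1, N)) if x2 <= env["y"] + 1]


def spec2(y, env):   # Q2: y holds or advances by one, and never overtakes x
    return [y2 for y2 in (y, min(y + 1, N)) if y2 <= env["x"]]


def impl1(x, env):   # P1: advance while not ahead of y (deterministic)
    return [min(x + 1, N) if x <= env["y"] else x]


def impl2(y, env):   # P2: advance while strictly behind x (deterministic)
    return [min(y + 1, N) if y < env["x"] else y]


Q1 = Module("Q1", ("y",), ("x",), (0,), lambda x: {"x": x}, spec1)
Q2 = Module("Q2", ("x",), ("y",), (0,), lambda y: {"y": y}, spec2)
P1 = Module("P1", ("y",), ("x",), (0,), lambda x: {"x": x}, impl1)
P2 = Module("P2", ("x",), ("y",), (0,), lambda y: {"y": y}, impl2)
DOMAIN = {"x": tuple(range(N + 1)), "y": tuple(range(N + 1))}


def assume_guarantee_check() -> Dict[str, bool]:
    """Monolithic goal, the two naive subgoals, and the two circular assume-guarantee subgoals."""
    return {
        "P1||P2 <= Q1||Q2": refines(compose(P1, P2), compose(Q1, Q2), DOMAIN) is None,
        "P1 <= Q1 (unconstrained env)": refines(P1, Q1, DOMAIN) is None,
        "P2 <= Q2 (unconstrained env)": refines(P2, Q2, DOMAIN) is None,
        "P1||Q2 <= Q1": refines(compose(P1, Q2), Q1, DOMAIN) is None,
        "Q1||P2 <= Q2": refines(compose(Q1, P2), Q2, DOMAIN) is None,
    }
```

Calling `assume_guarantee_check()` reports that the monolithic check and both circular subgoals hold, while each naive subgoal fails: `refines(P1, Q1, DOMAIN)` returns a trace in which the free input y climbs to 1 and then drops back to 0, leaving x two ahead of y, which no run of Q1 can reproduce. That is exactly the environment behaviour Q2 rules out, and constraining P1 by Q2 (rather than by the concrete P2) is what makes the subgoal small enough to check yet strong enough to discharge.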
K.L. McMillan. A compositional rule for hardware design refinement. In CAV 97: Computer-Aided Verification, Lecture Notes in Computer Science 1254, pages 24--35. Springer-Verlag, 1997.
....approach on an RTL synthesizable Verilog model. The abstract specification modules are also kept at the same RT level as the actual implementation. The verification is hence performed without the need of intermediate abstraction layers between specification and implementation as in [9]. Given the simplicity of our abstraction approach, it is possible to systematically extract these abstract modules from the original design documents. The framework we described in this paper also has some limitations. For instance, the verification using nondeterministic machines is CPU time and ....
K. L. McMillan. Compositional rule for hardware design refinement. In Proc. Computer Aided Verification (CAV'97), pages 24--35, Haifa Israel, June 1997.
....While the specific functionality of the system is distributed in the cores, the wrappers can be automatically generated around them. Furthermore, the validation of the system now can be efficiently decomposed based on assume-guarantee reasoning and compositional model checking [32, 33, 34, 35]: each wrapper is verified assuming a given protocol, and the protocol is verified separately. With regard to the design of digital integrated circuits, the theory of latency insensitive design can be used as the formal basis for defining the latency insensitive design methodology that ....
K. L. McMillan, "A Compositional Rule for Hardware Design Refinement," in Proc. of the 9th Intl. Conf. on Computer-Aided Verification, Haifa, Israel, 1997.
....checked. We illustrate these advantages by examples, including a proof of safety and liveness of a version of the N-process bakery mutual exclusion algorithm [Lam74]. Our technique has been integrated into the SMV proof assistant, a proof system based on a first order temporal logic [McM97,McM98,McM99]. Both the system to be verified and the specification are expressed in temporal logic, though with a great deal of syntactic sugar. Inductive proofs are reduced to finite state subgoals in the following way. To prove a predicate ∀n.φ(n) inductively, we need to prove φ(n−1) ⇒ φ(n) ....
K. L. McMillan. A compositional rule for hardware design refinement. In O. Grumberg, editor, Computer Aided Verification (CAV'97), volume 1254 of LNCS, pages 24--35. Springer-Verlag, 1997.
No context found.
K. McMillan. A compositional rule for hardware design refinement. In International Conference on Computer-Aided Verification, Lecture Notes in Computer Science, pages 24--35. Springer-Verlag, 1997.
No context found.
K. L. McMillan. A compositional rule for hardware design refinement. In LNCS: Computer-Aided Verification, volume 1254, pages 24--35. Springer-Verlag, 1997.
No context found.
K.L. McMillan. A compositional rule for hardware design refinement. In Computer-aided Verification, LNCS 1254, pp. 24--35. Springer-Verlag, 1997.
No context found.
K.L. McMillan. Compositional rule for hardware design refinement. In CAV, 1997.
No context found.
McMillan, K. L.: 1997, `A Compositional Rule for Hardware Design Refinement '. In: Proceedings of CAV, Vol. 1254. pp. 24--35.
No context found.
K. L. McMillan, "A compositional rule for hardware design refinement," CAV'97.
No context found.
K.L. McMillan. A compositional rule for hardware design refinement. In Computer-Aided Verification, volume 1254 of Lect. Notes in Comp. Sci., pages 24-- 35. Springer-Verlag, 1997.
No context found.
K. L. McMillan. A compositional rule for hardware design refinement. In Proc. of CAV, volume 1254. Springer LNCS, 1997.
No context found.
K.L. McMillan. "A compositional rule for hardware design refinement", Computer Aided Verification, pp 24-35, June 1997.
No context found.
K.L. McMillan. A compositional rule for hardware design refinement. In Computer-aided Verification, LNCS 1254, pp. 24--35, Springer-Verlag, 1997.
No context found.
K. L. McMillan, "A Compositional Rule for Hardware Design Refinement," Proc. 9th International Conference on Computer Aided Verification, June 1997, pp. 24-35.