| Curzon, P.: The Formal Verification of the Fairisle ATM Switching Element; Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994. |
....Address FIFO) from 168 to 5. However, in some cases a property could not be verified because of this reduction and a detailed gate level model was needed for certain blocks to pinpoint the source of the error. In general, however, the adopted data abstraction method was not quite adequate. Curzon [8] verified the 4 by 4 fabric of the Fairisle switch fabric using the HOL theorem prover [13] (More details about the Fairisle ATM switch will be presented in Section 4 since the verification of the same fabric is investigated in the current paper). He hierarchically verified each of the modules ....
....succeeding in the equivalence checking at a certain level of the design hierarchy and full model checking, the VIS tool failed in verifying the whole switch fabric using equivalence checking due to the state space explosion of even the most reduced model with a 4 bit datapath. Although Curzon [8] showed the effectiveness of HOL theorem proving for verifying an ATM switch, the use of HOL is interactive and requires much expertise to guide the verification process [14]. The work at Fujitsu Ltd. [5] used the ROBDD based SMV model checker which is automatic and the authors succeed in checking ....
P. Curzon, "The Formal Verification of the Fairisle ATM Switching Element," Technical Reports 328 & 329, University of Cambridge, Computer Laboratory, March 1994.
....8 bits to 1 bit, and the number of addresses in a Write Address first in first out (FIFO) from 168 to five. However, in some cases a property could not be verified because of this reduction and a detailed gate level model was needed for certain blocks to pinpoint the source of the error. Curzon [13] verified the 4 by 4 fabric of the Fairisle switch fabric using the HOL theorem prover [18] (More details about the Fairisle ATM switch will be presented in Section IV since the verification of the same fabric is investigated in the current paper). He hierarchically verified each of the modules used ....
....correctness for the whole switch fabric. They will, therefore, not be investigated further in this paper. Rather, a comparison of our approach with the work done by Curzon, Lu, and Chen will be elaborated in the following as these address the verification of the complete fabric. Although Curzon [13] showed the effectiveness of HOL theorem proving for verifying an ATM switch, the use of HOL is interactive and requires much expertise to guide the verification process [19]. In contrast, the ATM verification performed by Lu et al. [22] using VIS was automatic. While succeeding with model ....
P. Curzon, "The formal verification of the fairisle ATM switching element," Univ. Cambridge, Comput. Lab., Tech. Reps. 328 and 329, Mar. 1994.
....such as theorem proving and model checking would be tedious and inefficient. We employ a pragmatic combination of theorem proving and model checking [RSS95] in conjunction with small scale conventional simulation. There have been other efforts in ATM switch verification earlier [TZS 96, Cur94]. However, a major drawback with earlier efforts is that with any change of switch design requirements such as the clock ratio and the number of input/output ports, one needs to repeatedly iterate through the high level modeling, validation, and synthesis cycle until the design satisfies the design ....
....any change of switch design requirements such as the clock ratio and the number of input/output ports, one needs to repeatedly iterate through the high level modeling, validation, and synthesis cycle until the design satisfies the design objectives. Furthermore, earlier efforts [CYF94, TZS 96, Cur94] do not introduce formal validation early in the design cycle, rather describe application of formal verification on a completed design post facto. In order to cut down the modeling/validation/synthesis iteration cycle, the solution we propose in this paper is the development of a validated ....
Paul Curzon. The formal verification of the fairisle ATM switching element. Technical Report 328 and 329, Computer Laboratory, University of Cambridge, Cambridge, UK, March 1994.
....and [34] and on URL http://www.cl.cam.ac.uk/Research/SRG/fairisle.html. Related work in formal verification about the Switching Element: The Automated Reasoning Group in Cambridge have used the 4 by 4 Switching Fabric as a formal verification case study. This work has been done by Paul Curzon [18] [17] using the HOL theorem prover. Several other works on this circuit have been performed, in particular the work of Sofiène Tahar et al. [48] using MDG (Multiway Decision Graphs) which proposes an automated decision graph approach of the switching element. Then, Paul Curzon and Sofiène Tahar ....
Paul Curzon. The Formal Verification of the Fairisle ATM Switching Element: an Overview. Technical Report 328, University of Cambridge, March 1994.
....in PVS. Its aim is to verify a synchronous fault tolerant circuit. More recently, Cachera [2] has shown how to use PVS to verify arithmetic circuits described in Haskell. The ATM Switch Fabric has been (and still is) widely used as a benchmark in the hardware community. Let us cite Curzon [7] [6] who has specified and proved this circuit in HOL. His study has been a helpful starting point for our investigations although his approach is completely different in the sense that he specifies the structures as relations that are recursive on a time parameter and he represents the behaviours ....
P. Curzon. The Formal Verification of the Fairisle ATM Switching Element: an Overview. Technical Report 328, University of Cambridge, Mar. 1994.
P. Curzon. The Formal Verification of the Fairisle ATM Switching Element. Technical Report 329, University of Cambridge, Mar. 1994.
....checking procedure which is also applicable to machine equivalence checking. Property checking is used to verify that the design satisfies certain requirements. As a case study [7] we verified several useful safety properties of the Fairisle ATM switch fabric used in the Cambridge ATM network [5]. For the equivalence checking of two machines at the same time scale, we make a product machine for two circuits by putting them together and feeding same inputs, then we perform reachability analysis for the product machine and check an invariant stating the equivalence of the corresponding ....
P. Curzon. The Formal Verification of the Fairisle ATM Switching Element. Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994.
....and reserved slots for which no reserved traffic arrives are allocated on the strictly round robin basis described above. Finally, as part of an ongoing SERC funded research project to apply formal techniques to networking problems, the fabric elements and the fabric itself have been formally verified [Curzon94] using the HOL system. 2.2 The Port Controller Each Fairisle Port Controller provides an input port and the corresponding output port for the switching fabric. The port controller also interfaces to the transmission system. A detailed description of the hardware may be found in [Orange93]. ....
Paul Curzon. The Formal Verification of the Fairisle ATM Switching Element. Technical Report, University of Cambridge Computer Laboratory, 1994. Awaiting confirmation of acceptance to conference.
....the different verifications we accomplished using the models. Experimental results are presented in Section 7 and Section 8 finally concludes the paper. 2. Related works There exist in the literature only few works which address the formal verification of ATM related circuits. P. Curzon [4] formally verified the 4 by 4 fabric of the Fairisle switch using the HOL theorem prover [6]. He verified each of the modules used in the design of the switching element separately by describing the behavioral and structural specifications down to the gate level, and then proving the related ....
....the property could not be checked because of this reduction. In these cases, a more detailed datapath model was built to pinpoint the source of the error. If the error was not identified in that block, then the more abstract model was used for the remaining verification. The approach of P. Curzon [4] provided a successful case study of applying the HOL theorem prover to the verification of an ATM switch. However, the use of HOL is interactive and requires lots of expertise to guide the verification process. The work done at Fujitsu Ltd. showed the application of SMV for checking some important ....
Curzon, P.: The Formal Verification of the Fairisle ATM Switching Element; Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994.
....Work Although the principles of ATM are viewed as the base technology for the next generation of global communications, there exist few published results addressing formal verification of ATM related circuits. To our best knowledge, there are only two such cases in the open literature. P. Curzon [4] formally verified the 4 by 4 fabric of the Fairisle switch using the HOL theorem prover [8]. He hierarchically verified each of the modules used in the hardware design of the switching element, by describing the behavioral and structural specifications down to the gate level, and then proving the ....
....MDG's abstract representation and graph sharing, which results in an acceptable number of nodes. This supports the conclusion that the verification would be impossible if ROBDD representation in the reachability analysis were used. Our verification confirms the results done by P. Curzon using HOL [4], that no errors were discovered in the implementation of the switching element. In fact, the fabric has been in service for some time before it was verified by formal methods. To test the effectiveness of our approach, we experimented with three erroneous implementations: 1) we exchanged the ....
Curzon, P.: The Formal Verification of the Fairisle ATM Switching Element; Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994.
....Transfer Mode) switch fabric [13]. The Fairisle switch fabric is a real switch fabric designed and used at the University of Cambridge for multimedia applications. It switches cells of data from 4 input ports to 4 output ports as requested by information in header bytes in each cell. Curzon [6] formally verified this ATM switching element hierarchically using the pure HOL system. However, this verification was very time consuming. Verifying the fabric can be done hierarchically following exactly the same structure as the original design using our hybrid tool. However, with the tool, ....
....Table 1 shows the hierarchical verification statistics, including CPU time in seconds. Obviously, using our hybrid tool, the verification of the preprocessor is faster than proving in HOL that the implementation implies the high level specification. Given the formal specifications, Curzon [6] originally took several days to do the proofs of these blocks using interactive proof whereas the verification is done in minutes using our tool. Verification is also faster than using MDG alone: splitting the decoder block enabled verifying it within less than 1 minute using our hybrid tool ....
P. Curzon. The Formal Verification of the Fairisle ATM Switching Element. Technical Report 329, Computer Laboratory, University of Cambridge, U.K., 1994.
....which to derive confidence of correct behavior. An ATM network design is thus a timely application for verification research. There have been several projects on the verification of ATM switches. For instance, the formal verification of the Cambridge Fairisle switch fabric had been done by Curzon [3] using the HOL theorem prover. Tahar et al. [13] verified the same switch in an automatic fashion using the MDG (Multiway Decision Graphs) tools by property checking and equivalence checking. Lu et al. [10] also formally verified this same ATM switch fabric using VIS. Chen et al. [2] at Fujitsu ....
....of an arbitration unit, an acknowledgment unit and a dataswitch unit. The arbitration unit is composed of a Timing unit, a Decoder, a Priority Filter and a set of Arbiters. We do not describe the functionality of each module in this section. For more details about the implementation refer to [3]. To reflect the modifications suggested in [5], minor changes were made to the Timing unit, Arbiters, control path between the Arbitration and Dataswitch units and datapath to the Dataswitch unit of the original implementation. The modified Timing module ensures that the header and frame start ....
P. Curzon, "The Formal Verification of the Fairisle ATM Switching Element", Technical Reports 328 & 329, University of Cambridge, Computer Laboratory, March 1994.
....at the University of Cambridge. The component we considered is the Fairisle 4 by 4 switching fabric which performs the actual switching of data cells and forms the heart of the ATM Fairisle communication network [7]. The Cambridge Fairisle switch fabric verification had been done by Curzon [2] using the HOL theorem prover. Tahar et al. [9] verified the same fabric in an automatic fashion using the MDG (Multiway Decision Graphs) tools. While verifying the original description of the switch fabric which we refer to as the Original switch fabric, Curzon et al. [4] noted the factors that ....
....6 shows a block diagram of the switch fabric implementation. It consists of an arbitration unit, an acknowledgment unit and a dataswitch unit. The arbitration unit is composed of a Timing unit, a Decoder, a Priority Filter and a set of Arbiters. For more details about the implementation refer to [2]. To reflect the modifications suggested in [4], minor changes were made to the Timing unit, Arbiters, control path between the Arbitration and Dataswitch units and datapath to the Dataswitch unit of the original implementation. The modified Timing module ensures that the header and frame start ....
P. Curzon, "The Formal Verification of the Fairisle ATM Switching Element", Technical Reports 328 & 329, University of Cambridge, Computer Lab., March 1994.
....with the overall functionality of designs with complex datapaths. Designs that combine control hardware and datapaths can be verified. HOL scales better than MDG as illustrated by the fact that a 16 by 16 switch fabric constructed from elements similar to the 4 by 4 fabric has been verified in HOL [3] [4]. This is beyond the capabilities of MDG on its own. To complete a verification, however, a very deep understanding of the internal structure of the design is required, as it is a white box approach. This enables the designer to gain greater insight into the system and thus achieve better ....
P. Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge, Computer Laboratory, March 1994.
....was required. The behavioural specifications were largely deduced by examining the implementations. The full details of the specifications of the first element verified are given in a literate document [4] derived from the HOL source files using the HOL mweb tool. An overview is given separately [5]. 2 The Fairisle Switch The Fairisle switch consists of three types of component: input port controllers, output port controllers and a switching fabric. Each port controller is connected to either an input or output transmission line of the switch, and to the switching fabric. The port ....
Paul Curzon. The formal verification of the Fairisle ATM switching element: an overview. Technical Report 328, University of Cambridge Computer Laboratory, March 1994.
....of the implementations had been produced. A significant amount of reverse engineering was required. The behavioural specifications were largely deduced by examining the implementations. The full details of the specifications of the first element verified are given in a literate document [4] derived from the HOL source files using the HOL mweb tool. An overview is given separately [5]. 2 The Fairisle Switch The Fairisle switch consists of three types of component: input port controllers, output port controllers and a switching fabric. Each port controller is connected to either an ....
Paul Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge Computer Laboratory, March 1994.
....inputs of different types in HOL, we need to extend our formalization to accommodate a list of inputs (the first argument of the table definition) with different types. As an example we present the formalization of the state transition diagram of the timing block of the Fairisle ATM switch fabric [6] in terms of an MDG table in HOL. Fig. 2 shows the finite state machine of the behavior of this timing block, which consists of three symbolic states (Run, Wait, Route) and has two inputs (frameStart and anyActive) and one output routeEnable. [Fig. 2: state transition diagram of the timing block; states RUN, WAIT, ROUTE; transition labels on frameStart and routeEnable] ....
P. Curzon. The Formal Verification of the Fairisle ATM Switching Element: an Overview. Technical Report no. 328, University of Cambridge, Computer Laboratory, March 1994.
Paul Curzon. The formal verification of the Fairisle ATM switching element: an overview. Technical Report 328, University of Cambridge Computer Laboratory, March 1994.
....for the verification. This was also unsurprising since documentation of the design and its implementation was sparse. The full details of the specifications are given in a 100 page literate document [3] derived from the HOL source files using the HOL mweb tool. An overview is given separately [4]. 2 The Fairisle Switching Fabric The Fairisle switch consists of three types of component: input port controllers, output port controllers and a switching fabric. The port controllers process incoming or outgoing cells of data. They manage the routeing tables, setting up and breaking down ....
Paul Curzon. The formal verification of the Fairisle ATM switching element: an overview. Technical Report 328, University of Cambridge Computer Laboratory, 1994.
....were found, however, and many errors were discovered in the formal specifications written for the verification. This was also unsurprising since documentation of the design and its implementation was sparse. The full details of the specifications are given in a 100 page literate document [3] derived from the HOL source files using the HOL mweb tool. An overview is given separately [4]. 2 The Fairisle Switching Fabric The Fairisle switch consists of three types of component: input port controllers, output port controllers and a switching fabric. The port controllers process incoming ....
....descriptions of a multiplexor component of the dataswitch DMUX4T2. We first give the Qudos HDL definition.

    DEF DMUX4T2(d[0..3], x : IN; dOut[0..1] : IO)
        xBar : IO;
    BEGIN
        Clb:  XiCLBMAP5i2o(d[0..1], x, d[2..3], dOut[0..1]);
        InvX: XiINV(x, xBar);
        B[0]: AO(d[0], xBar, d[1], x, dOut[0]);
        B[1]: AO(d[2], xBar, d[3], x, dOut[1]);
    END;

The description starts with declarations. The first line states that we are defining the module DMUX4T2 and that it has two inputs: d which is 4 bits long (with bit positions numbered from 0 to 3) and x which is one bit. It has one two bit output, dOut. The second line declares ....
Paul Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge Computer Laboratory, 1994.
....timing and functional behaviour of the module, usually in the form of interval temporal style operators. Assumptions give the conditions on the environment (i.e. inputs) under which the module will satisfy the specification. Details of the specifications and correctness theorems are given elsewhere [2]. Once the separate modules have been verified, their correctness theorems are combined to give a correctness theorem for the whole device. 5 Duration of the Proof Effort The original 4 by 4 fabric was formally specified and verified in approximately 4 person months [1]. Of this time, over half ....
Paul Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge Computer Laboratory, March 1994.
....Formal Verification of the Fairisle Switch: The 4x4 Switching Fabric Paul Curzon 8th March 1994 1 Introduction We describe work in progress to formally verify the Fairisle switch. To date we have formally verified the Fairisle 4x4 switching fabric using the HOL90 theorem prover [2, 1]. We formalised both the implementation and its behaviour. We then used formal logic to rigorously prove that the behaviour suggested by the description of the implementation satisfies the specified behaviour. In contrast to validation using inexhaustive testing, the results hold for all valid ....
Paul Curzon. The formal verification of the Fairisle ATM switching element: an overview. Technical Report 328, University of Cambridge Computer Laboratory, 1994.
Paul Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge Computer Laboratory, 1994.
....by considering very simple pieces of hardware. In Sections 6, 7 and 8, we outline the formal behavioural and structural specifications of the switching element and their verification. Complete details of the specifications used and the correctness theorems proved can be found in a companion report [5]. In Section 9 we discuss the time taken to perform the formal specification and verification work. This was comparable to the time originally spent designing, implementing and informally testing the fabric. Finally, in Section 10, we discuss the errors discovered. None were found in the ....
Paul Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge Computer Laboratory, March 1994.
Curzon, P.: The Formal Verification of the Fairisle ATM Switching Element; Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994.
Curzon, P.: The Formal Verification of the Fairisle ATM Switching Element; Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994.
P. Curzon. The Formal Verification of the Fairisle ATM Switching Element. Technical Report 329, Computer Laboratory, University of Cambridge, U.K., March 1994.
P. Curzon, "The Formal Verification of the Fairisle ATM Switching Element," Technical Report 329, University of Cambridge, Computer Laboratory, March 1994.
Curzon, P.: The Formal Verification of the Fairisle ATM Switching Element; Technical Reports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994.
P. Curzon, "The Formal Verification of the Fairisle ATM Switching Element", University of Cambridge, Computer Laboratory, Technical Report 329, 1994. (http://www.cl.cam.ac.uk/users/pc/el2tr94.html)
P. Curzon, "The Formal Verification of the Fairisle ATM Switching Element: an Overview", University of Cambridge, Computer Laboratory, Technical Report 328, 1994. (http://www.cl.cam.ac.uk/users/pc/el1tr94.html)