Carl-Johan H. Seger
Intel
Publication
Featured research published by Carl-Johan H. Seger.
formal methods | 1995
Carl-Johan H. Seger; Randal E. Bryant
Symbolic trajectory evaluation provides a means to formally verify properties of a sequential system by a modified form of symbolic simulation. The desired system properties are expressed in a notation combining Boolean expressions and the temporal logic "next-time" operator. In its simplest form, each property is expressed as an assertion [A⇒C], where the antecedent A expresses some assumed conditions on the system state over a bounded time period, and the consequent C expresses conditions that should result. A generalization allows simple invariants to be established and proven automatically.

The verifier operates on system models in which the state space is ordered by "information content". By suitable restrictions to the specification notation, we guarantee that for every trajectory formula there is a unique weakest state trajectory that satisfies it. Therefore, we can verify an assertion [A⇒C] by simulating the system over the weakest trajectory for A and testing adherence to C. Establishing invariants likewise corresponds to simple fixed-point calculations.

This paper presents the general theory underlying symbolic trajectory evaluation. It also illustrates the application of the theory to the task of verifying switch-level circuits as well as more abstract implementations.
design automation conference | 1991
Randal E. Bryant; Carl-Johan H. Seger; Derek L. Beatty
Symbolic trajectory evaluation is a new approach to formal hardware verification combining the circuit modeling capabilities of symbolic logic simulation with some of the analytic methods found in temporal logic model checkers. We have created such an evaluator by extending the symbolic switch-level simulator COSMOS. This program gains added efficiency by exploiting the ability of COSMOS to evaluate circuit operation over a ternary logic model, where the third value X represents an unknown logic value. This program can formally verify systems containing complex features such as switch-level models, detailed timing, and pipelining.
Archive | 1994
Jeffrey J. Joyce; Carl-Johan H. Seger
Contents:
Program verification using HOL-UNITY
Graph model of LAMBDA in higher order logic
Mechanizing a programming logic for the concurrent programming language microSR in HOL
Reasoning with the formal definition of standard ML in HOL
HOL-ML
Structure and behaviour in hardware verification
Degrees of formality in shallow embedding hardware description languages in HOL
A functional approach for formalizing regular hardware structures
A proof development system for the HOL theorem prover
A HOL package for reasoning about relations defined by mutual induction
A broader class of trees for recursive type definitions for HOL
Some theorems we should prove
Using PVS to prove some theorems of David Parnas
Extending the HOL theorem prover with a computer algebra system to reason about the reals
The HOL-Voss system: Model-checking inside a general-purpose theorem-prover
Linking Higher Order Logic to a VLSI CAD system
Alternative proof procedures for finite-state machines in higher-order logic
A formalization of abstraction in LAMBDA
Report on the UCD microcoded Viper verification project
Verification of the Tamarack-3 microprocessor in a hybrid verification environment
Abstraction techniques for modeling real-world interface chips
Implementing a methodology for formally verifying RISC processors in HOL
Domain theory in HOL
Predicates, temporal logic, and simulations
Formalization of variables access constraints to support compositionality of liveness properties
The semantics of statecharts in HOL
Value-passing CCS in HOL
TPS: An interactive and automatic tool for proving theorems of type theory
Modelling bit vectors in HOL: The word library
Eliminating higher-order quantifiers to obtain decision procedures for hardware verification
Toward a super duper hardware tactic
A mechanisation of name-carrying syntax up to alpha-conversion
A HOL decision procedure for elementary real algebra
AC unification in HOL90
Server-process restrictiveness in HOL
Safety in railway signalling data: A behavioural analysis
On the style of mechanical proving
From abstract data types to shift registers:
Verification in higher order logic of mutual exclusion algorithm
Using Isabelle to prove simple theorems
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems | 2005
Carl-Johan H. Seger; Robert B. Jones; John W. O'Leary; Tom Melham; Mark Aagaard; Clark Barrett; Don Syme
The Forte formal verification environment for datapath-dominated hardware is described. Forte has proven effective in large-scale industrial trials and combines an efficient linear-time-logic model-checking algorithm, symbolic trajectory evaluation (STE), with lightweight theorem proving in higher-order logic. These are tightly integrated in a general-purpose functional programming language, which both allows the system to be easily customized and at the same time serves as a specification language. The design philosophy behind Forte is presented, and the elements of the verification methodology that make it effective in practice are also described.
design automation conference | 1993
Jeffrey J. Joyce; Carl-Johan H. Seger
A novel approach to formal hardware verification results from the combination of symbolic trajectory evaluation and interactive theorem-proving. From symbolic trajectory evaluation we inherit a high degree of automation and accurate models of circuit behaviour and timing. From interactive theorem-proving we gain access to powerful mathematical tools such as induction and abstraction. We have prototyped a hybrid tool and used this tool to obtain verification results that could not be easily obtained with previously published techniques.
computer aided verification | 1990
Randal E. Bryant; Carl-Johan H. Seger
Ternary system modeling involves extending the traditional set of binary values {0, 1} with a third value X indicating an unknown or indeterminate condition. By making this extension, we can model a wider range of circuit phenomena. We can also efficiently verify sequential circuits in which the effect of a given operation depends on only a subset of the total system state.
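The three STE abstracts above (the 1995 theory paper, the 1991 DAC evaluator and the 1990 ternary-modeling paper) describe one mechanism: node values ordered by information content, a unique weakest trajectory satisfying the antecedent, and a consequent checked against that trajectory. The Python below is an added example written for this page; it is not code from those papers nor from COSMOS, Voss or Forte. It implements the scalar (non-symbolic) case: the enabled-register circuit, its node names `en`, `d`, `q`, and the encoding of ternary values as sets of Booleans are assumptions made for illustration. The papers' symbolic version would carry BDD-encoded functions of Boolean variables at each node instead of single ternary constants, which is equivalent to running this scalar check for every assignment of those variables.

```python
"""Scalar symbolic trajectory evaluation (STE) over the ternary lattice.

Added example for this page; not code from the listed papers nor from
COSMOS, Voss or Forte. A node value is the set of Booleans the node may
carry (an encoding chosen for this example):
    X = {0, 1}  unknown (least information)     0 = {0}     1 = {1}
    T = {}      over-constrained (most information)
The information order is reverse inclusion (a <= b iff b is a subset of a)
and the least upper bound of two values is their intersection.
"""
from itertools import product

X, ZERO, ONE, TOP = frozenset({0, 1}), frozenset({0}), frozenset({1}), frozenset()

def leq(a, b):
    """a is below b: b carries at least as much information as a."""
    return b <= a

def lub(a, b):
    """Least upper bound: combine two constraints on the same node."""
    return a & b

# Ternary gates, lifted pointwise from the Boolean ones. Each is monotone in
# the information order and exact on definite inputs. Note t_and(X, ZERO)
# == ZERO: a 0 input decides the output regardless of the unknown one.
def t_not(a):
    return frozenset(1 - x for x in a)

def t_and(a, b):
    return frozenset(x & y for x, y in product(a, b))

def t_mux(sel, a, b):
    """sel ? a : b. Definite when a == b even if sel is X."""
    return frozenset((x if s else y) for s, x, y in product(sel, a, b))

# Constructed circuit (an assumption for the example): an enabled register
# with input nodes en, d and state node q. Unit-delay next-state function
# Y: q' = en ? d : q. Inputs revert to X unless the antecedent constrains them.
NODES = ("en", "d", "q")

def next_state(s):
    return {"en": X, "d": X, "q": t_mux(s["en"], s["d"], s["q"])}

def weakest_trajectory(antecedent, depth):
    """Defining sequence tau_t = lub(A_t, Y(tau_{t-1})), starting from all-X.

    antecedent: list of (time, node, value) constraints.
    """
    state = {n: X for n in NODES}
    traj = []
    for t in range(depth + 1):
        if t > 0:
            state = next_state(state)          # fresh dict each step
        for when, node, val in antecedent:
            if when == t:
                state[node] = lub(state[node], val)
        traj.append(state)
    return traj

def check(antecedent, consequent):
    """Verify [A => C]: run the weakest trajectory for A and test C on it.

    Returns (holds, trajectory, failures); each failure is
    (time, node, required value, value actually obtained).
    """
    depth = max([t for t, _, _ in antecedent + consequent] + [0])
    traj = weakest_trajectory(antecedent, depth)
    if any(v == TOP for s in traj for v in s.values()):
        return True, traj, []        # A is unsatisfiable: holds vacuously
    failures = [(t, n, v, traj[t][n]) for t, n, v in consequent
                if not leq(v, traj[t][n])]
    return not failures, traj, failures

def show(val):
    return {X: "X", ZERO: "0", ONE: "1", TOP: "T"}[val]

if __name__ == "__main__":
    cases = {
        "d=1, en unconstrained": ([(0, "d", ONE)], [(1, "q", ONE)]),
        "d=1, en=1":             ([(0, "d", ONE), (0, "en", ONE)], [(1, "q", ONE)]),
        "hold for a cycle":      ([(0, "d", ONE), (0, "en", ONE), (1, "en", ZERO)],
                                  [(2, "q", ONE)]),
    }
    for name, (a, c) in cases.items():
        holds, traj, fails = check(a, c)
        print(f"{name}: {'holds' if holds else 'FAILS'}")
        for t, s in enumerate(traj):
            print("  t=%d " % t + " ".join(f"{n}={show(s[n])}" for n in NODES))
        for t, n, want, got in fails:
            print(f"  consequent {n}={show(want)} at t={t}, weakest trajectory gives {show(got)}")
```

Running the block prints the weakest trajectory for each assertion. The first assertion fails because `en` is unconstrained (X) at time 0, so the register's next value is X and does not satisfy the consequent; constraining `en` to 1 makes it pass. The third assertion holds with `d` left at X at time 1: the ternary model lets the checker ignore the part of the state the operation does not depend on, which is the point made in the 1990 abstract. An antecedent that constrains a node to both 0 and 1 drives it to T, and the assertion then holds vacuously; a practitioner should report that case rather than count it as a verified property.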
Formal Hardware Verification - Methods and Systems in Comparison | 1997
Scott Hazelhurst; Carl-Johan H. Seger
data types can be declared in FL. This means that data can be represented and manipulated at a high level. This is important for making specifications understandable, and critical for overcoming the limitations of BDDs. FL provides built-in functions that are the interface to the STE engine. The use of a fully programmable script language is a key factor in implementing our verification methodology. It means that our tool can be simple, but through the use of a flexible interface a user can verify a wide range of problems. On top of Voss's facilities, we have implemented a simple theorem prover to implement the compositional theory presented in Section 5.3; we call this augmented system VossProver. We have actually implemented a number of such tools, experimenting with style and functionality. The description presented here is a general description of one of the latest versions.
international conference on computer aided design | 1995
Mark D. Aagaard; Carl-Johan H. Seger
Floating-point circuits are notoriously difficult to design and verify. For verification, simulation barely offers adequate coverage, conventional model-checking techniques are infeasible, and theorem-proving based verification is not sufficiently mature. In this paper we present the formal verification of a radix-eight, pipelined, IEEE double-precision floating-point multiplier. The verification was carried out using a mixture of model-checking and theorem-proving techniques in the Voss hardware verification system. By combining model-checking and theorem-proving we were able to build on the strengths of both areas and achieve significant results with a reasonable amount of effort.
design automation conference | 1998
Mark D. Aagaard; Robert B. Jones; Carl-Johan H. Seger
We describe the verification of the IM: a large, complex (12000 gates and 1100 latches) circuit that detects and marks the boundaries between Intel architecture (IA-32) instructions. We verified a gate-level model of the IM against an implementation-independent specification of IA-32 instruction lengths. We used theorem proving to derive 56 model-checking runs and to verify that the model-checking runs imply that the IM meets the specification for all possible sequences of IA-32 instructions. Our verification discovered eight previously unknown bugs.
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems | 1995
Scott Hazelhurst; Carl-Johan H. Seger
Formal hardware verification based on symbolic trajectory evaluation shows considerable promise in verifying medium to large scale VLSI designs with a high degree of automation. However, in order to verify today's designs, a method for composing partial verification results is needed. This paper presents a theory of composition for symbolic trajectory evaluation and shows how implementing this theory using a specialized theorem prover is very attractive. Symbolic trajectory evaluation is used to prove low-level properties of a circuit, and these properties are combined using the prover. Providing a powerful and flexible interface to a coherent system (with automatic assistance in parts) reduces the load on the human verifier. This hybrid approach, coupled with a powerful and simple data representation, increases the range of circuits that can be verified using trajectory evaluation. The paper concludes with two examples. One example is the complete verification of a 64-bit multiplier, which takes approximately 15 minutes on a SPARC 10 machine.