Daniel Geist

Efficient Model Checking by Automated Ordering of Transition Relation Partitions

In symbolic model checking, the behavior of a model to be verified is captured by the transition relation of the state space implied by the model. Unfortunately, the size of the transition relation grows rapidly with the number of states even for small models, rendering them impossible to verify. A recent work

Have I written enough Properties? - A Method of Comparison between Specification and Implementation

This work presents a novel approach for evaluatingthe quality of the model checkingpro cess. Given a model of a design (or implementation) and a temporal logic formula that describes a specification, model checkingde termines whether the model satisfies the specification. Assume that all specification formulas were successfully checked for the implementation. Are we sure that the implementation is correct? If the specification is incomplete, we may fail to find an error in the implementation. On the other hand, if the specification is complete, then the model checkingpro cess can be stopped without adding more specification formulas. Thus, knowingwh ether the specification is complete may both avoid missed implementation errors and save precious verification time. The completeness of a specification with respect to a given implementation is determined as follows. The specification formula is first transformed into a tableau. The simulation preorder is then used to compare the implementation model and the tableau model. We suggest four comparison criteria, each revealinga certain dissimilarity between the implementation and the specification. If all comparison criteria are empty, we conclude that the tableau is bisimilar to the implementation model and that the specification fully describes the implementation. We also conclude that there are no redundant states in the implementation. The method is exemplified on a small hardware example. We implemented our method symbolically as an extension to SMV. The implementation involves efficient OBDD manipulations that reduce the number of OBDD variables from 4n to 2n.

AVPGEN-A test generator for architecture verification

This paper describes a system (AVPGEN) for generating tests (called architecture verification programs or AVPs) to check the conformance of processor designs to the specified architecture. To generate effective tests, AVPGEN uses novel concepts like symbolic execution and constraint solving, along with various biasing techniques. Unlike many earlier systems that make biased random choices, AVPGEN often chooses intermediate or final values and then solves for initial values that can lead to the desired values. A language called SIGL (symbolic instruction graph language) is provided in AVPGEN for the user to specify templates with symbolic constraints. The combination of user-specified constraints and the biasing functions is used to focus the tests on conditions that are interesting in that they are likely to activate various kinds of bugs. The system has been used successfully to debug many S/390 processors and is an integral part of the design process for these processors. >

Coverage-Directed Test Generation Using Symbolic Techniques

In this paper, we present a verification methodology that integrates formal verification techniques with verification by simulation, thereby providing means for generating simulation test suites that ensure coverage. We derive the test suites by means of BDD-based symbolic techniques for describing and traversing the implementation state space. In our approach, we provide a high-level of control over the generated test suites; a powerful abstraction mechanism directs the generation procedure to specific areas, that are the focus for verification, thereby withstanding the state explosion problem. The abstraction is achieved by partitioning the implementation state variables into categories of interest. We also depart from the traditional graph-algorithmic model for conformance testing; instead, using temporal logic assertions, we can generate a test suite where the set of state sequences (paths) satisfies some temporal properties as well as guaranteeing transition coverage. Our methodology has been successfully applied to the generation of test suites for IBM PowerPC and AS/400 systems.

Methodology and System for Practical Formal Verification of Reactive Hardware

Making formal verification a practicality in industrial environments is still difficult. The capacity of most verification tools is too small, their integration in a design process is difficult and the methodology that should guide their usage is unclear.

RuleBase: Model Checking at IBM

RuleBase is a symbolic model checking tool, developed by the IBM Haifa Research Laboratory. It is the result of four years of experience in practical formal verification of hardware which, we believe, has been a key factor in bringing the tool to its current level of maturity. Our experience shows that after a short training period, designers can operate the tool independently and achieve impressive results. We present the tool and summarize our development and usage experience, focusing on some work done during 1996.

Achieving Scalability in Parallel Reachability Analysis of Very Large Circuits

This paper presents a scalable method for parallel symbolic reachability analysis on a distributed-memory environment of workstations. Our method makes use of an adaptive partitioning algorithm which achieves high reduction of space requirements. The memory balance is maintained by dynamically repartitioning the state space throughout the computation. A compact BDD representation allows coordination by shipping BDDs from one machine to another, where different variable orders are allowed. The algorithm uses a distributed termination protocol with none of the memory modules preserving a complete image of the set of reachable states. No external storage is used on the disk; rather, we make use of the network which is much faster.

Model Checking at IBM

Over the past nine years, the Formal Methods Group at the IBM Haifa Research Laboratory has made steady progress in developing tools and techniques that make the power of model checking accessible to the community of hardware designers and verification engineers, to the point where it has become an integral part of the design cycle of many teams. We discuss our approach to the problem of integrating formal methods into an industrial design cycle, and point out those techniques which we have found to be especially effective in an industrial setting.

A Scalable Parallel Algorithm for Reachability Analysis of Very Large Circuits

This paper presents a scalable method for parallelizing symbolic reachability analysis on a distributed-memory environment of workstations. We have developed an adaptive partitioning algorithm that significantly reduces space requirements. The memory balance is maintained by dynamically repartitioning the state space throughout the computation. A compact BDD representation allows coordination by shipping BDDs from one machine to another. This representation allows for different variable orders in the sending and receiving processes. The algorithm uses a distributed termination protocol, with none of the memory modules preserving a complete image of the set of reachable states. No external storage is used on the disk. Rather, we make use of the network, which is much faster.We implemented our method on a standard, loosely-connected environment of workstations, using a high-performance model checker. Initial performance evaluation of several large circuits shows that our method can handle models too large to fit in the memory of a single node. The partitioning algorithm achieves reduction in space, which is linear in the number of workstations employed. A corresponding decrease in space requirements is measured throughout the reachability analysis. Our results show that the relatively slow network does not become a bottleneck, and that computation time is kept reasonably small.

Symbolic Localization Reduction with Reconstruction Layering and Backtracking

Localization reduction is an abstraction-refinement scheme for model checking which was introduced by Kurshan [12] as a means for tackling state explosion. It is completely automatic, but despite the work that has been done related to this scheme, it still suffers from computational complexity. In this paper we present algorithmic improvements to localization reduction that enabled us to overcome some of these problems. Namely, we present a new symbolic algorithm for path reconstruction including incremental refinement and backtracking. We have implemented these improvements and compared them to previous work on a large number of our industrial examples. In some cases the improvement was dramatic. Using these improvements we were able to verify circuits that we were not previously able to address.