Eli Singerman

The ForSpec Temporal Logic: A New Temporal Property-Specification Language

In this paper we describe the ForSpec Temporal Logic (FTL), the new temporal property-specification logic of ForSpec, Intels new formal specification language. The key features of FTL are as follows: it is a linear temporal logic, based on Pnuelis LTL, it is based on a rich set of logical and arithmetical operations on bit vectors to describe state properties, it enables the user to define temporal connectives over time windows, it enables the user to define regular events, which are regular sequences of Boolean events, and then relate such events via special connectives, it enables the user to express properties about the past, and it includes constructs that enable the user to model multiple clock and reset signals, which is useful in the verification of hardware design.

Formal verification of backward compatibility of microcode

Microcode is used to facilitate new technologies in Intel CPU designs. A critical requirement is that new designs be backwardly compatible with legacy code when new functionalities are disabled. Several features distinguish microcode from other software systems, such as: interaction with the external environment, sensitivity to exceptions, and the complexity of instructions. This work describes the ideas behind MICROFORMAL,, a technology for fully automated formal verification of functional backward compatibility of microcode.

On Proving Safety Properties by Integrating Static Analysis, Theorem Proving and Abstraction

We present a new approach for proving safety properties of reactive systems, based on tight interaction between static analysis, theorem proving and abstraction techniques. The method incrementally constructs a proof or finds a counterexample. Every step consists of applying one of the techniques and makes constructive use of information obtained from failures in previous steps. The amount of user intervention is limited and is highly guided by the system at each step. We demonstrate the method on three simple examples, and show that by using it one can prove more properties than by using each component as a stand-alone.

GSTE Is Partitioned Model Checking

Verifying whether an ω-regular property is satisfied by a finite-state system is a core problem in model checking. Standard techniques build an automaton with the complementary language, compute its product with the system, and then check for emptiness. Generalized symbolic trajectory evaluation (GSTE) has been recently proposed as an alternative approach, extending the computationally efficient symbolic trajectory evaluation (STE) to general ω-regular properties. In this paper, we show that the GSTE algorithms are essentially a partitioned version of standard symbolic model-checking (SMC) algorithms, where the partitioning is driven by the property under verification. We export this technique of property-driven partitioning to SMC and show that it typically does speed up SMC algorithms.

Transaction based pre-to-post silicon validation

Intels move towards the SoC paradigm comes with a compelling requirement for shorter time-to-market. To address that, we need to make both pre and post silicon validation more efficient. In this paper we focus on post-si functional validation, which consumes an increasing share of the overall product development timeline. We present a coherent Pre-to-Post workflow that aims to improve productivity of post-si validation and debug by proper investment in design for debug / validation (DFx) and in test development during pre-si stages. In this workflow, a central transactions and events definition repository serves as the backbone across pre-Si and post-Si activities. The transaction spec guides DFx work in pre-Si as well as test suite preparation in order to make the post-Si validation work productive. Usage of micro-architectural events and transactions raises the level of abstraction, and can help in getting better productivy, manageability, reusability, and less error prone Post-Si validation work.

Fair Synchronous Transition Systems and Their Liveness Proofs

We present a compositional semantics of synchronous systems that captures both safety and progress properties of such systems. The fair synchronous transitions systems (Fsts) model we introduce in this paper extends the basic αSts model [KP96] by introducing operations for parallel composition, for the restriction of variables, and by addressing fairness. We introduce a weak fairness (justice) condition which ensures that any communication deadlock in a system can only occur through the need for external synchronization. We present an extended version of linear time temporal logic (Eltl) for expressing and proving safety and liveness properties of synchronous specifications, and provide a sound and compositional proof system for it.

Efficient symbolic simulation of low level software

Symbolic execution has long been a staple technique for formal hardware verification. Its application to software requires methods for dealing with software specific complexities. In this paper we elaborate methods for the efficient symbolic simulation of embedded software; some methods are new, others are improvements of existing methods. Using these techniques we have been able to symbolically execute real life microcode of thousands of lines, allowing formal methods to become an integral part of microcode validation in Intel Corporation.

Validation of SoC Firmware-Hardware Flows: Challenges and Solution Directions

In SoC, key infrastructure/backbone flows are distributed across many IPs and involve tight firmware and hardware interaction. Examples include resets, power management, security, and more. Traditional hardware validation techniques are no-longer adequate for such flows, due to the short time-to-market requirements, in particular, for mobile devices. In this paper, we articulate the challenges and discuss a few solution directions that are being pursued in this space at Intel.

Case study: Integrating FV and DV in the Verification of the Intel® Core^{TM} 2 Duo Microprocessor

The ever-growing complexity of Intel® CPUs, together with shortened time-to-market requirements, poses significant challenges for pre-silicon logic verification. To address the increasing verification gap, major improvements to verification practices are required. In Merom, the Intel® Core^{TM} 2 Duo microprocessor, we integrated Formal Verification (FV) with Dynamic Verification (DV) such that FV was also practiced by non-FV experts and replaced some traditional, simulation-based verification activities. This led to both higher productivity and better quality compared to previous projects. In this paper we report on the integration we used, including two examples, results, and future directions.

Embedded Software Validation: Applying Formal Techniques for Coverage and Test Generation

The validation of embedded software in VLSI designs is becoming increasingly important with their growing prevalence and complexity. In this paper we present a new, hybrid, automated, validation methodology combining formal techniques and simulation. We introduce compositional approach to generate a formal model of the design, and show how the list of its feasible paths can be extracted. This list is then used for coverage metrics, and for test generation. This method has been successfully applied to complex microcode of a state-of-the-art microprocessor, and it is applicable to other classes of embedded software. Its effectiveness and scalability was demonstrated on a set of complex IA32 instructions, where unknown bugs have been detected and validation convergence time was reduced from weeks in a previous project to a matter of days.