Kevin D. Jones

Mural: A Formal Development Support System

1General introduction.- 1.1 Formal methods.- 1.2 VDM development.- 1.3 The IPSE 2.5 project.- 1.4 Proof assistant requirements.- 2 Introduction to mural.- 2.1 General introduction.- 2.2 The proof assistant.- 2.3 The VDM support tool.- 2.4 Reasoning about developments.- 3 Instantiation.- 3.1 Symbolic logic in mural.- 3.2 Classical first order predicate calculus.- 3.3 Some common data types.- 3.4 More complicated formulations.- 3.5 The theory of VDM.- 3.6 Some other logics.- 4 Foundation.- 4.1 Preamble.- 4.2 Syntax.- 4.3 Natural Deduction rules.- 4.4 Rule Schemas and instantiation.- 4.5 The mural store.- 4.6 Syntactic contexts and well-formedness.- 4.7 Proofs.- 4.8 Morphisms.- 4.9 Pattern matching.- 4.10 Reading the full specification.- 4.11 Limitations of the mural approach.- 5 The tactic language.- 5.1 Mechanising proof in mural.- 5.2 The language.- 5.3 The implementation of tactics.- 5.4 Examples.- 6 Implementing the mural proof assistant.- 6.1 The process of implementation.- 6.2 The implementation.- 6.3 Lessons learnt and advice to the young.- 6.4 The future.- 6.5 The final word.- 7 Supporting formal software development.- 7.1 Abstract specification.- 7.2 Relating specifications.- 7.3 Support for reasoning about formal developments.- 8 The mural VDM Support Tool.- 8.1 Specifying VDM developments in VDM.- 8.2 Theories from specifications.- 8.3 Scope for growth.- 9 Foundations of specification animation.- 9.1 Approaches to animation.- 9.2 Denotational semantics of symbolic execution.- 9.3 Operational semantics of symbolic execution.- 9.4 Theories to support symbolic execution.- 9.5 Conclusions.- 10 Case Studies.- 10.1 Specifications in VDM.- 10.2 Transformation of VDM into mural -theories.- 10.3 A watchdog for a reactor system.- 10.4 An algorithm for topological sorting.- 10.5 Theories for VDM in mural.- 11 Conclusions.- 11.1 Experimental use of mural.- 11.2 Detailed observations.- 11.3 Further developments.- 11.4 Summary.- Appendices.- A Summary of VDM Notation.- B Glossary of terms.- C The Specification of the Proof Assistant.- C.1 The Raw Syntax.- C.2 Subterm Access and Editing.- C.3 Sequents and Rules.- C.4 Instantiation and Pattern-matching.- C.5 Signatures.- C.6 Theories.- C.7 Morphisms and Theory Morphisms.- C.8 Proofs.- C.9 The Store.- D The specification of the animation tool.- D.1 Data structure and some auxiliary functions.- D.2 Operations.- E The Theorem Provers House.

Fast, non-Monte-Carlo estimation of transient performance variation due to device mismatch

This paper describes a noise-based method of estimating the effects of device random mismatch on circuits transient response, such as delay and frequency. The proposed method models DC mismatch as equivalent AC pseudo-noise and exploits the fast periodic noise analysis (PNOISE) available in RF circuit simulators to compute the resulting variation in the circuit response. While the method relies on Gaussian mismatch distributions and linear perturbation model, it can model and analyze correlations as well as identify the most sensitive design parameter to mismatches with no additional simulation cost. Three benchmarks measuring the variations in the input offset voltage of a comparator, the delay of a logic path, and the frequency of an oscillator demonstrate the speed improvement of 100-1000x compared to a 1000-point Monte-Carlo method.

Analog property checkers: a DDR2 case study

The formal specification component of verification can be exported to simulation through the idea of property checkers. The essence of this approach is the automatic construction of an observer from the specification in the form of a program that can be interfaced with a simulator and alert the user if the property is violated by a simulation trace. Although not complete, this lighter approach to formal verification has been effectively used in software and digital hardware to detect errors. Recently, the idea of property checkers has been extended to analog and mixed-signal systems.In this paper, we apply the property-based checking methodology to an industrial and realistic example of a DDR2 memory interface. The properties describing the DDR2 analog behavior are expressed in the formal specification language stl/psl in form of assertions. The simulation traces generated from an actual DDR2 interface design are checked with respect to the stl/psl assertions using the amt tool. The focus of this paper is on the translation of the official (informal and descriptive) specification of two non-trivial DDR2 properties into stl/psl assertions. We study both the benefits and the current limits of such approach.

The automatic generation of functional test vectors for Rambus designs

We present a method for the automatic generation of test vectors for functional verification, giving the advantages of random and directed testing. We show the use of a formal specification as input to a test generator. We present techniques for the efficient implementation of the generator. We discuss our experience with this method applied to commercial designs. We show how our approach is a stepping stone towards practical formal verification.

Variable domain transformation for linear PAC analysis of mixed-signal systems

This paper describes a method to perform linear AC analysis on mixed-signal systems which appear strongly nonlinear in the voltage domain but are linear in other variable domains. Common circuits like phase/delay-locked loops and duty-cycle correctors fall into this category, since they are designed to be linear with respect to phases, delays, and duty-cycles of the input and output clocks, respectively. The method uses variable domain translators to change the variables to which the AC perturbation is applied and from which the AC response is measured. By utilizing the efficient periodic AC (PAC) analysis available in commercial RF simulators, the circuits linear transfer function in the desired variable domain can be characterized without relying on extensive transient simulations. Furthermore, the variable domain translators enable the circuits to be macromodeled as weakly-nonlinear systems in the chosen domain and then converted to voltage-domain models, instead of being modeled as strongly-nonlinear systems directly.

Support Environments for VDM

This paper discusses the experiences and issues of building two different levels of system to support the use of VDM.

A Formal Semantics for a DataFlow Machine - Using VDM

This paper presents a formal description of a non-conventional machine architecture (The Manchester DataFlow Machine) in the denotational style, using an extension of the traditional VDM methods.

Verifying inevitability of phase-locking in a charge pump phase lock loop using sum of squares programming

Phase-locking in a charge pump (CP) phase lock loop (PLL) is said to be inevitable if all possible states of the CP PLL eventually converge to the equilibrium where the input and output phases are in lock. We verify this property for a CP PLL using a mixed deductive and bounded verification methodology. This involves a positivity check of polynomial inequalities (which is an NP-Hard problem) so we use the sound but incomplete Sum of Squares (SOS) relaxation algorithm to provide a numerical solution.

Verifying robust frequency domain properties of non linear oscillators using SMT

We present a novel mixed time and frequency domain approach to the formal verification of oscillators properties which are specified in the frequency domain. We use robust periodogram specification to specify the oscillator behaviour in the close vicinity of the limit cycle. Using SAT modulo ODE (SMO) for Bounded Model Checking (BMC) of the non-linear hybrid automata, we show that the oscillator hybrid timed traces satisfy frequency domain specifications.

Verifying Inevitability of Oscillation in Ring Oscillators Using the Deductive SOS-QE Approach

This article presents a deductive numeric-symbolic approach, using sum of squares (SOS) programming and quantifier elimination (QE). The authors take ring oscillator as an example to verify that it can start oscillating from all possible initial voltages.