Michael Katelman

Redesign of the LMST Wireless Sensor Protocol through Formal Modeling and Statistical Model Checking

The local minimum spanning tree (LMST) topology control protocol tries to maintain connectivity in an ad-hoc wireless sensor network while minimizing power consumption and maximizing data bandwidth. Our formal, statistical model checking analysis of LMST under realistic deployment conditions shows that the invariant of maintaining network connectivity is easily lost. We then propose a formally-based system redesign methodology in which quantitative temporal logic formulas and further statistical model checking can be used to identify the causes of bugs, and to reach a correct system redesign. We show this methodology effective in the redesign of a version of LMST that ensures network connectivity under realistic deployment conditions.

A formal executable semantics of Verilog

This paper describes a formal executable semantics for the Verilog hardware description language. The goal of our formalization is to provide a concise and mathematically rigorous reference augmenting the prose of the official language standard, and ultimately to aid developers of Verilog-based tools; e.g., simulators, test generators, and verification tools. Our semantics applies equally well to both synthesizeable and behavioral designs and is given in a familiar, operational-style within a logic providing important additional benefits above and beyond static formalization. In particular, it is executable and searchable so that one can ask questions about how a, possibly nondeterministic, Verilog program can legally behave under the formalization. The formalization should not be seen as the final word on Verilog, but rather as a starting point and basis for community discussions on the Verilog semantics.

Getting Formal Verification into Design Flow

The ultimate goal of formal methods is to provide assurances about the quality, performance, security, etc. of systems. While formal tools have advanced greatly over the past two decades, widespread proliferation has not yet occurred, and the full impact of formal methods is still to be realized. This paper presents some ideas on how to catalyze the growth of formal techniques in day-to-day engineering practice. We draw on our experience as hardware engineers that want to use, and have tried to use, formal methods in our own designs. The points we make have probably been made before. However we illustrate each one with concrete designs. Our examples support three major themes: (1) correctness depends highly on the application and even a collection of formal methods cannot handle the whole problem; (2) high-level design languages can facilitate the interaction between design and formal methods; and (3) formal method tools should be presented as integrated debugging aids as opposed to one requiring mastering a foreign language or esoteric concepts.

A Rewriting Semantics for ABEL with Applications to Hardware/Software Co-Design and Analysis

We present a rewriting logic semantics in Maude of the ABEL hardware description language. Based on this semantics, and on Maudes underlying LTL model checker, we propose a scalable formal analysis framework and tool for hardware/software co-design. The analysis method is based on trace checking of finite system behaviors against LTL temporal logic formulas. The formal properties of the hardware, the embedded software, and the interactions between both can all be analyzed this way. We present two case studies illustrating our method and tool.

Concurrent rewriting semantics and analysis of asynchronous digital circuits

Modern asynchronous digital circuits are highly concurrent systems composed largely of customized gates, and can be elegantly modeled using the language of production rules (PRs). One of the present limitations of the state of the art in asynchronous circuit design is that no formal executable semantics of asynchronous circuits has yet been given at the PR level. The primary contribution of this paper is to define, using rewriting logic and Maude, an executable formal semantics of asynchronous circuits at the PR level under three common timing assumptions. Our semantics provides a circuit designer with a PR-level circuit interpreter and with a decision procedure for checking key circuit properties, including hazard-freedom and deadlock-freedom. We describe several reductions and optimizations that can be used to reduce the state space of circuits in our formal semantics and investigate the impact of these reductions experimentally. The analysis scales up to circuits of over 100 PRs in spite of the high levels of concurrency involved.

vlogsl: a strategy language for simulation-based verification of hardware

Languages such as SystemVerilog and e play an important role in contemporary hardware verification methodology. Through direct, language-level support for notions like constrained randoms, functional coverage, assertions, and so forth, they help verification engineers adopt useful paradigms. This paper demonstrates the usefulness of a new strategy-based paradigm for hardware test generation which is not directly supported by any language we are aware of. A strategy is formed by coordinating multiple simulations toward achieving a high-level goal, such as the generation of a targeted stimulus driving the device through a specific behavior. Strategies are made possible at the language level through constructs exerting meta-level control over simulation, making simulation traces first-class data objects that can be stored, queried, and otherwise manipulated programmatically. These ideas are embodied in a language and tool, called vlogsl. vlogsl is a domain-specific embedded language in Haskell, providing a sophisticated set of strategy language features, including first-order symbolic simulation and integration with an SMT solver. We motivate strategies, describe vlogsl, present several pedagogical examples using vlogsl, and finally a larger example involving an open-source I2C bus master.

Directed-Logical Testing for Functional Verification of Microprocessors

The length of the microprocessor development cycle is largely determined by functional verification, where contemporary practice relies primarily on constraint-based random stimulus generation to drive a simulation-based methodology. However, formal methods are, in particular, gaining wider adoption and are seen as having potential to bridge large gaps left by current techniques. And many gaps still remain. In this paper we propose directed- logical testing: a new method of stimulus generation based on purely logical techniques (i.e. formal methods). As far as we know, our methodology represents the first end-to-end mathematical formalization of the stimulus generation problem. Therefore, a major contribution of this paper is the definition of a class of logical propositions that relate the actual microprocessor implementation, the assembly program stimulus, and a coverage goal. These propositions are given in rewriting logic, and use the idea of rewriting semantics to automatically formalize within a common logical framework the microprocessor implementation and assembly programs. To solve these propositions, we demonstrate how narrowing and user-defined narrowing strategies can be used as a scalable logical framework. In addition, we describe two classes of effective strategies that can be used for many microprocessors and common coverage goals. Finally, we describe a prototype tool implementation and present empirical data to demonstrate the feasibility of our methodology. Since narrowing and user-defined narrowing strategies within rewriting logic do not yet have tool support, our prototype tool uses standard rewriting and user-defined rewriting strategies to simulate narrowing.

Rewriting semantics of production rule sets

This paper is about the semantics of production rule sets, a language used to model asynchronous digital circuits. Two formal semantics are developed and proved equivalent: a set-theoretic semantics that improves upon an earlier effort of ours, and an executable semantics in rewriting logic. The set-theoretic semantics is especially suited to meta-level proofs about production rule sets, whereas the executable semantics can be used with existing tools to establish, automatically, desirable properties of individual circuits. Experiments involving several small circuits are detailed wherein the executable semantics and the rewriting logic tool Maude are used to automatically check two important properties: hazard and deadlock freedom. In doing so, we derive several useful optimizations that make automatic checking of these properties more tractable.

Staging static analyses for program generation

Program generators are most naturally specified using a quote/antiquote facility; the programmer writes programs with holes which are filled in, at program generation time, by other program fragments. If the programs are generated at compile-time, analysis and compilation follow generation, and no changes in the compiler are needed. However, if program generation is done at run time, compilation and analysis need to be optimized so that they will not overwhelm overall execution time. In this paper, we give a compositional framework for defining program analyses which leads directly to a method of staging these analyses. The staging allows the analysis of incomplete programs to be started at compile time; the residual work to be done at run time may be much less costly than the full analysis. We give frameworks for forward and backward analyses, present several examples of specific analyses, and give timing results showing significant speed-ups for the run-time portion of the analysis relative to the full analysis.

Using the PALS Architecture to Verify a Distributed Topology Control Protocol for Wireless Multi-Hop Networks in the Presence of Node Failures

The PALS architecture reduces distributed, real-time asynchronous system design to the design of a synchronous system under reasonable requirements. Assuming logical synchrony leads to fewer system behaviors and provides a conceptually simpler paradigm for engineering purposes. One of the current limitations of the framework is that from a set of independent “synchronous machines”, one must compose the entire synchronous system by hand, which is tedious and error-prone. We use Maude’s meta-level to automatically generate a synchronous composition from user-provided component machines and a description of how the machines communicate with each other. We then use the new capabilities to verify the correctness of a distributed topology control protocol for wireless networks in the presence of nodes that may fail.