Ramayya Kumar

Structuring and automating hardware proofs in a higher-order theorem-proving environment

In this article we present a structured approach to formal hardware verification by modeling circuits at the register-transfer level using a restricted form of higher-order logic. This restricted form of higher-order logic is sufficient for obtaining succinct descriptions of hierarchically designed register-transfer circuits. By exploiting the structure of the underlying hardware proofs and limiting the form of descriptions used, we have attained nearly complete automation in proving the equivalences of the specifications and implementations. A hardware-specific tool called MEPHISTO converts the original goal into a set of simpler subgoals, which are then automatically solved by a general-purpose, first-order prover called FAUST. Furthermore, the complete verification framework is being integrated within a commercial VLSI CAD framework.

Integrating A First-order Automatic prover In The HOL Environment

The HOL system is a powerful tool for proving higherorder formulae. However, proofs have to be performed interactively and only little automation using tactics is possible. Even though interaction is desirable to guide major and creative backward proof steps of complex proofs, a deluge of simple sub-goals may evolve which all have to be proven manually in order to accomplish the proof. Although these sub-goals are often simple formulae, their proof has not yet been automated in HOL. In this paper it is shown how it is possible to automate these tasks by integrating a first-order automated theorem proving tool, called FAUST, into HOL. It is based on an efficient variant of the well-known sequent calculus. In order to maintain the high confdence in HOL-generated proofs, FAUST is able to generate HOL tactics which may be used to post-justifr the theorem derived by FAUST in HOL. The underlying calculus of FAUST, the tactic generation, as well as experimental results are presented.

Formal Synthesis in Circuit Design - A Classification and Survey

This article gives a survey on different methods of formal synthesis. We define what we mean by the term formal synthesis and delimit it from the other formal methods that can also be used to guarantee the correctness of an implementation. A possible classification scheme for formal synthesis methods is then introduced, based on which some significant research activities are classified and summarized. We also briefly introduce our own approach towards the formal synthesis of hardware. Finally, we compare these approaches from different points of view.

Implementing a Methodology for Formally Verifying RISC Processors in HOL

In this paper a methodology for verifying RISC cores is presented. This methodology is based on a hierarchical model of interpreters. This model allows us to define formal specifications at each level of abstraction and successively prove the correctness between the neighbouring abstraction levels, so that the overall specification is correct with respect to its hardware implementation. The correctness proofs have been split into two steps so that the parallelism in the execution due to the pipelining of instructions, is accounted for. The first step shows that the instructions are correctly processed by the pipeline and the second step shows that the semantic of each instruction is correct. We have implemented the specification of the entire model and performed parts of the proofs in HOL.

A Practical Methodology for the Formal Verification of RISC Processors

In this paper a practical methodology for formally verifying RISC cores is presented. Using a hierarchical model which reflects the abstraction levels used by designers of real RISC processors, proofs between neighboring levels are performed for simplifying the verification process. The proofs are performed by showing that each instruction is executed correctly by the pipelined machine with respect to the semantics of the instruction set architecture. During this proof, temporal abstractions are used to find correspondences between the various levels of abstractions. Additionally, lower level implementational details such as, multiphased clocks and gate level descriptions of the final implementation, are accounted for. The overall correctness proof is managed in two complementary steps, namely, pipeline data and pipeline control correctness. In the former, we show that the cumulative effect of pipeline suboperations yields the data semantics of architecture instructions. While in the latter, we are concerned with interferences (conflicts) between the different instructions and suboperations in the pipeline. We have developed a set of parametrized proof scripts which highly automate the different proof tasks. In addition, the pipeline control proof is constructive, in the sense that the conditions under which the pipeline conflicts occur are automatically generated and explicitly stated thus aiding the user in its removal. All developed specifications and proof scripts are kept general, so that the methodology could be applied for a wide range of RISC cores (e.g., those used in embedded systems). In this paper, the described formalization and proof strategies are illustrated via the DLX RISC processor.

Towards a methodology for the formal hierarchical verification of RISC processors

A general methodology, based on a hierarchical model of interpreters, is presented for formally verifying RISC cores. The abstraction levels used by a designer in the implementation of RISC cores, namely the instruction set level, the pipeline stage level, the phase level and the hardware implementation, are mirrored by this hierarchical model. The use of this model allows us to successively prove the correctness between two neighboring levels of abstractions, so that the verification process is simplified. The parallelism in the execution of the instructions, resulting from the pipelined architecture of RISCs is handled by splitting the proof into simplified steps. The first step shows that, under certain assumptions, no conflicts can occur between simultaneously executed instructions, and the second step shows that each instruction is implemented correctly by the sequential execution of its pipeline steps.<<ETX>>

Implementation Issues About the Embedding of Existing High Level Synthesis Algorithms in HOL

This article describes the embedding of high level synthesis algorithms in HOL. For given standard synthesis steps, we describe, how its data can be mapped to terms in HOL and the synthesis process be expressed by means of a logical derivation. In contrast to post-synthesis verification techniques our approach is constructive in a sense that the proof is derived during synthesis rather than “guessed” afterwards. Therefore one does not get into the hardship of NP-completeness or undecidability. Our approach ensures correctness based on the HOL system and is also performed fully automatically.

Verification of synthesized circuits at register transfer level with flow graphs

Presents a new approach to the verification of automatically synthesized register transfer structures. Horizontal verification is performed on the flow graph which is largely a syntax independent representation of behavior. After extracting a flow graph from the register transfer structure by symbolic simulation, the extracted and the specified flow graphs are normalized into a normal form. A comparison of the normalized flow graphs gives the proof of correctness. The various synthesis steps have been classified into five classes and the normalization procedures have been evaluated.<<ETX>>

Control path oriented verification of sequential generic circuits with control and data path

Usually, digital circuits are split up into control and data path as there are specific synthesis methods for controllers and operation units. However, all known approaches to hardware verification which make use of this fact, model the operation unit also as a finite-state machine. This leads to enormous space requirements which limit the applicability of these approaches. In order to avoid this, abstraction mechanisms can be used to map Boolean tuples onto more complex data types. However, approaches to the verification of generic n-bit circuits have considered so far only circuits with simple controllers, such that the verification of only combinational circuits or special cases of sequential circuits is possible. In this paper, we present a new approach to hardware verification which allows the verification of generic circuits with non-trivial controllers.<<ETX>>

Alternative Proof Procedures for Finite-State Machines in Higher-Order Logic

Verification of digital circuits in higher-order logic often requires the proof of temporal propositional logic formulae. The implementation of decision procedures for this logic or finite-state machines is however not very easy within the HOL system, since it requires the proof of certain fixpoint theorems and a creation of a new theory based on it. The main contribution of this paper is to give some alternative proof procedures so that proof tactics can be developed for directly solving these goals. These proof procedures can be classified into two categories. Firstly, a set of easily implementable proof methods which do not use knowledge of fixpoint theorems are given. Since these methods are incomplete, the second category exploits an external program for computing fixpoint lemmata which can then be easily proved in HOL.