Steven M. German
IBM
Publication
Featured research published by Steven M. German.
Journal of the ACM | 1992
Steven M. German; A. Prasad Sistla
Methods are given for automatically verifying temporal properties of concurrent systems containing an arbitrary number of finite-state processes that communicate using CCS actions. Two models of systems are considered. Systems in the first model consist of a unique control process and an arbitrary number of user processes with identical definitions. For this model, a decision procedure to check whether all the executions of a process satisfy a given specification is presented. This algorithm runs in time double exponential in the sizes of the control and the user process definitions. It is also proven that it is decidable whether all the fair executions of a process satisfy a given specification. The second model is a special case of the first. In this model, all the processes have identical definitions. For this model, an efficient decision procedure is presented that checks if every execution of a process satisfies a given temporal logic specification. This algorithm runs in time polynomial in the size of the process definition. It is shown how to verify certain global properties such as mutual exclusion and absence of deadlocks. Finally, it is shown how these decision procedures can be used to reason about certain systems with a communication network.
ACM Transactions on Computational Logic | 2001
Randal E. Bryant; Steven M. German; Miroslav N. Velev
The logic of Equality with Uninterpreted Functions (EUF) provides a means of abstracting the manipulation of data by a processor when verifying the correctness of its control logic. By reducing formulas in this logic to propositional formulas, we can apply Boolean methods such as ordered Binary Decision Diagrams (BDDs) and Boolean satisfiability checkers to perform the verification. We can exploit characteristics of the formulas describing the verification conditions to greatly simplify the propositional formulas generated. We identify a class of terms we call "p-terms" for which equality comparisons can only be used in monotonically positive formulas. By applying suitable abstractions to the hardware model, we can express the functionality of data values and instruction addresses flowing through an instruction pipeline with p-terms. A decision procedure can exploit the restricted uses of p-terms by considering only "maximally diverse" interpretations of the associated function symbols, where every function application yields a different value except when constrained by functional consistency. We present two methods to translate formulas in EUF into propositional logic. The first interprets the formula over a domain of fixed-length bit vectors and uses vectors of propositional variables to encode domain variables. The second generates formulas encoding the conditions under which pairs of terms have equal valuations, introducing propositional variables to encode the equality relations between pairs of terms. Both of these approaches can exploit maximal diversity to greatly reduce the number of propositional variables that need to be introduced and to reduce the overall formula sizes. We present experimental results demonstrating the efficiency of this approach when verifying pipelined processors using the method proposed by Burch and Dill. Exploiting positive equality allows us to overcome the exponential blow-up experienced previously when verifying microprocessors with load, store, and branch instructions.
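The abstract's second translation, reducing an EUF formula to propositional logic by introducing one variable e_xy per pair of terms, can be seen end to end on a small formula. The block below is an added illustration written for this page, not code from Bryant, German and Velev: it applies Ackermann's reduction to replace function applications by fresh domain variables with functional-consistency constraints, introduces the e_xy variables with transitivity constraints, and decides validity by exhaustively enumerating e_xy assignments in place of a SAT solver. The tuple encoding of terms and formulas, the constructor names and the sample formulas are all assumptions of the example. It does not implement the paper's p-term restriction or maximal-diversity pruning; it shows the baseline encoding that pruning improves on, and reports how many e_xy variables that baseline needs.

```python
from itertools import combinations, product

# --- term and formula constructors (tuple encoding chosen for this example) ---
def var(name):            return ('var', name)
def app(fn, *args):       return ('app', fn, tuple(args))
def eq(a, b):             return ('eq', a, b)
def neg(p):               return ('not', p)
def conj(*ps):            return ('and',) + ps
def disj(*ps):            return ('or',) + ps
def implies(p, q):        return disj(neg(p), q)

def subterms(t, acc):
    """Collect t and all its subterms (outermost first, no duplicates)."""
    if t not in acc:
        acc.append(t)
    if t[0] == 'app':
        for a in t[2]:
            subterms(a, acc)
    return acc

def terms_in(f, acc):
    """Collect every term occurring in formula f."""
    if f[0] == 'eq':
        subterms(f[1], acc)
        subterms(f[2], acc)
    else:
        for g in f[1:]:
            terms_in(g, acc)
    return acc

def ackermannize(f):
    """Ackermann's reduction: replace each application fn(args) by a fresh
    domain variable and add functional consistency (equal arguments imply
    equal results). Returns the equality-logic formula and its variables."""
    terms = terms_in(f, [])
    apps = [t for t in terms if t[0] == 'app']
    name = {t: var('v%d_%s' % (i, t[1])) for i, t in enumerate(apps)}
    name.update({t: t for t in terms if t[0] == 'var'})

    def rewrite(g):
        if g[0] == 'eq':
            return eq(name[g[1]], name[g[2]])
        return (g[0],) + tuple(rewrite(h) for h in g[1:])

    consistency = []
    for a, b in combinations(apps, 2):
        if a[1] == b[1] and len(a[2]) == len(b[2]):
            args_equal = conj(*[eq(name[x], name[y]) for x, y in zip(a[2], b[2])])
            consistency.append(implies(args_equal, eq(name[a], name[b])))
    return conj(rewrite(f), *consistency), sorted(set(name.values()))

def holds(g, e):
    """Evaluate an equality-logic formula; e maps {x, y} pairs to e_xy bits."""
    k = g[0]
    if k == 'eq':
        return g[1] == g[2] or e[frozenset((g[1], g[2]))]
    if k == 'not':
        return not holds(g[1], e)
    if k == 'and':
        return all(holds(h, e) for h in g[1:])
    return any(holds(h, e) for h in g[1:])   # 'or'

def transitive(e, vs):
    """Reject e_xy assignments that violate transitivity of equality."""
    for a, b, c in combinations(vs, 3):
        ab, bc, ac = e[frozenset((a, b))], e[frozenset((b, c))], e[frozenset((a, c))]
        if sum((ab, bc, ac)) == 2:     # exactly two of the three equalities: impossible
            return False
    return True

def is_valid(f):
    """Decide validity of EUF formula f: search for an e_xy assignment that
    satisfies not-f together with functional consistency and transitivity.
    Returns (valid, number_of_e_variables, counterexample_or_None)."""
    g, vs = ackermannize(neg(f))
    pairs = [frozenset(p) for p in combinations(vs, 2)]
    for bits in product((False, True), repeat=len(pairs)):
        e = dict(zip(pairs, bits))
        if transitive(e, vs) and holds(g, e):
            witness = {tuple(sorted(n for _, n in p)): v for p, v in e.items() if v}
            return False, len(pairs), witness
    return True, len(pairs), None

# Sample formulas (constructed): x = y -> f(x) = f(y) is valid,
# its converse is not, and the implication survives nesting under g.
x, y = var('x'), var('y')
CONGRUENCE = implies(eq(x, y), eq(app('f', x), app('f', y)))
CONVERSE   = implies(eq(app('f', x), app('f', y)), eq(x, y))
NESTED     = implies(eq(x, y), eq(app('f', app('g', x)), app('f', app('g', y))))
```

With four terms the encoding needs six e_xy variables and the 64-way enumeration finishes instantly; the nested example already needs fifteen, which is the blow-up the abstract attributes to unrestricted equality encodings and which the maximal-diversity argument removes for p-terms.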
computer aided verification | 1996
Edmund M. Clarke; Steven M. German; Xudong Zhao
We verify the correctness of an SRT division circuit similar to the one in the Intel Pentium processor. The circuit and its correctness conditions are formalized as a set of algebraic relations on the real numbers. The main obstacle to applying theorem proving techniques for hardware verification is the need for detailed user guidance of proofs. We overcome the need for detailed proof guidance in this example by using a powerful theorem prover called Analytica. Analytica uses symbolic algebra techniques to carry out the proofs in this paper fully automatically.
formal methods | 2009
Anita Lungu; Pradip Bose; Daniel J. Sorin; Steven M. German; Geert Janssen
Dynamic power management (DPM) is important for multicore architectures. One important challenge for multicore DPM schemes is verifying that they are both safe (cannot lead to power or thermal catastrophes) and efficient (achieve as much performance as possible without exceeding power constraints). The verification difficulty varies among designs, depending, for example, on the particular power management mechanisms utilized and the algorithms used to adjust them. However, verification effort is often not considered in the early stages of DPM scheme design, leading to proposals that can be extremely difficult to verify. To address this problem, we propose using formal verification (with probabilistic model checking) of a high-level, early-stage model of the DPM scheme. Using the model checker, we estimate the required verification effort, providing insight on how certain design parameters impact this effort. Furthermore, we supplement the verifiability results with high-level estimates of power consumption and performance, which allow us to perform a trade-off analysis between power, performance, and verification. We show that this trade-off analysis uncovers design points that are better than those that consider only power and performance.
symposium on principles of programming languages | 1978
Steven M. German
The Runcheck Verifier is a working system for proving the absence of common runtime errors. The language accepted is Pascal without variant records, side effects in functions, shared variable parameters to procedures, or functional arguments. The errors checked are: 1) accessing a variable that has not been assigned a value, 2) array subscripting out of range, 3) subrange type error, 4) dereferencing a NIL pointer, 5) arithmetic overflow, and 6) division by zero.
formal methods | 2003
Steven M. German
We describe the formal design techniques currently used in IBM to develop cache protocol controllers for high-end servers. In our approach to formal design, formal specification and verification methods are incorporated into the hardware design process, starting from the earliest stages of a hardware project. We describe collaborations between a formal methods expert and hardware designers on two high performance server projects. Properties of the design are verified using both manual proof techniques and model checking. We discuss the modelling and model checking techniques we have developed and indicate future directions.
formal methods in computer aided design | 2000
Edmund M. Clarke; Steven M. German; Yuan Lu; Helmut Veith; Dong Wang
Hardware specifications in English are frequently ambiguous and often self-contradictory. We propose a new logic ESL which facilitates formal specification of hardware protocols. Our logic is closely related to LTL but can express all regular safety properties. We have developed a protocol synthesis methodology which generates Mealy machines from ESL specifications. The Mealy machines can be automatically translated into executable code either in Verilog or SMV. Our methodology exploits the observation that protocols are naturally composed of many semantically distinct components. This structure is reflected in the syntax of ESL specifications. We use a modified LTL tableau construction to build a Mealy machine for each component. The Mealy machines are connected together in a Verilog or SMV framework. In many cases this makes it possible to circumvent the state explosion problem during code generation and to identify conflicts between components during simulation or model checking. We have implemented a tool based on the logic and used it to specify and verify a significant part of the PCI bus protocol.
Information & Computation | 1989
Steven M. German; Edmund M. Clarke; Joseph Y. Halpern
We provide a sound and relatively complete axiom system for partial correctness assertions in an Algol-like language with procedures passed as parameters, but with no global variables (traditionally known as the language L4). The axiom system allows us to reason syntactically about programs and to construct proofs for assertions about complicated programs from proofs of assertions about their components. Such an axiom system for a language with these features had been sought by a number of researchers, but no previously published solution has been entirely satisfactory. Our axiom system extends the natural style of reasoning used in previous Hoare axiom systems to programs with procedures of higher type. The details of the proof that our axiom system is relatively complete in the sense of Cook may be of independent interest, because we introduce results about expressiveness for programs with higher types that are useful beyond the immediate problem of the language L4. We also prove a new incompleteness result that applies to our logic and to similar Hoare logics.
formal methods in computer-aided design | 2007
Xiaofang Chen; Steven M. German; Ganesh Gopalakrishnan
Modeling hardware through atomic guard/action transitions with interleaving semantics is popular, owing to the conceptual clarity of modeling and verifying the high level behavior of hardware. In mapping such specifications into hardware, designers often decompose each specification transition into sequences of implementation transitions taking one clock cycle each. Some implementation transitions realizing a specification transition overlap. The implementation transitions realizing different specification transitions can also overlap. We present a formal theory of refinement, showing how a collection of such implementation transitions can be shown to realize a specification. We present a modular refinement verification approach by developing abstraction and assume-guarantee principles that allow implementation transitions realizing a single specification transition to be situated in sufficiently general environments. Illustrated on a non-trivial VHDL cache coherence engine, our work may allow designers to design high performance controllers without being constrained by fixed automated synthesis scripts, and still conduct modular verification.
international workshop on model checking software | 2006
Ritwik Bhattacharya; Steven M. German; Ganesh Gopalakrishnan
Rule based specifications are popular for specifying protocols, such as cache coherence protocols specified in TLA+, Murphi, or the BlueSpec language. Specifications in these notations are a collection of unordered rules of the form guard → atomic_updates. There is no notion of a sequential process with local scope or specialized communication channels, and each rule tends to update multiple fields of the global state. It is believed that partial order (PO) reduction, a powerful state space reduction technique, is difficult to achieve in such a setting. Partial order reductions attempt to visit a smaller set of states by selectively exploring a subset of all enabled transitions at each state, based on the independence of transitions. In earlier work, we have reported a suitable algorithm for this purpose, where the independence relation is computed using symbolic analysis and SAT. In this paper, we expand on this algorithm and show how to exploit some commonly seen characteristics of rule based specifications. First, many of these systems have a transactional nature, such as the request/grant transactions of cache coherence protocols. We show how to use this information while picking subsets of transitions at each state. Second, many of these systems are parameterized, and also exhibit symmetry. We show that, for such systems, the SAT-based computation of the independence relation between rules can be performed once and for all in a manner that is accurate for all parameterized instances of the protocol. Third, we show that sharpening the SAT-based independence computation through local invariants can aid PO reduction. Here, we propose a way by which users may guess these invariants: we can check these invariants and the property of interest in one combined phase under PO reduction (we prove that there is no circularity in this process). Our results indicate that with the above measures, rule based systems can have efficient and effective PO reduction algorithms.
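Partial order reduction over guard/action rules, as the abstract describes it, is easier to follow on a toy rule set. The block below is an added example written for this page, not code from Bhattacharya, German and Gopalakrishnan: a constructed specification with N worker rules that each advance a private counter and one collector rule that reads them all, a safety invariant over the collector's output, and a depth-first search that visits the full state space and, alternatively, only an ample subset of enabled rules. The independence relation between rules is computed by enumerating the declared state space rather than with SAT, and the ample-set criterion used (a rule that is invisible to the property and independent of every other rule may be explored alone, with a cycle proviso that falls back to full expansion) is a deliberately simple sound special case chosen for the example, not the paper's transaction- or symmetry-aware algorithm. Rule names, state layout and the values of N and K are assumptions.

```python
from itertools import product

N, K = 3, 2   # constructed toy: N workers, each takes K local steps

# A state is (locals, result): locals is a tuple of N counters, result is
# None until the collector rule fires.
def all_states():
    """Every state permitted by the declared variable domains, reachable or not."""
    for locals_ in product(range(K + 1), repeat=N):
        for result in (None, N * K):
            yield (locals_, result)

# A rule is (name, guard, action, writes); 'writes' lists the state variables
# the action updates and feeds the invisibility check against the property.
def step_rule(i):
    def guard(s):
        return s[0][i] < K
    def action(s):
        loc = list(s[0])
        loc[i] += 1
        return (tuple(loc), s[1])
    return ('step%d' % i, guard, action, {'local%d' % i})

def collect_rule():
    def guard(s):
        return s[1] is None and all(v == K for v in s[0])
    def action(s):
        return (s[0], sum(s[0]))
    return ('collect', guard, action, {'result'})

RULES = [step_rule(i) for i in range(N)] + [collect_rule()]
PROPERTY_ATOMS = {'result'}
INIT = ((0,) * N, None)

def invariant(s):
    """Safety property: the collector only ever reports the full total."""
    return s[1] is None or s[1] == N * K

def independent(r1, r2):
    """Two rules are independent if, in every state where both are enabled,
    firing either one leaves the other enabled and both orders reach the same
    state. Checked by enumerating the declared state space; the paper obtains
    the relation symbolically with SAT, once for all parameter values."""
    _, g1, a1, _ = r1
    _, g2, a2, _ = r2
    for s in all_states():
        if g1(s) and g2(s):
            if not (g2(a1(s)) and g1(a2(s)) and a1(a2(s)) == a2(a1(s))):
                return False
    return True

def safe_rules(rules, atoms):
    """Rules whose singleton ample set is sound under this example's criterion:
    invisible to the property and independent of every other rule."""
    return {r[0] for r in rules
            if not (r[3] & atoms)
            and all(independent(r, q) for q in rules if q is not r)}

def explore(rules, init, prop, use_por):
    """DFS over reachable states; with use_por, expand only one safe rule per
    state. Returns (number of visited states, list of violating states)."""
    safe = safe_rules(rules, PROPERTY_ATOMS) if use_por else set()
    visited, stack, violations = set(), [], []

    def dfs(s):
        visited.add(s)
        stack.append(s)
        if not prop(s):
            violations.append(s)
        enabled = [r for r in rules if r[1](s)]
        ample = enabled
        cand = [r for r in enabled if r[0] in safe]
        # Cycle proviso: if the single ample successor is on the DFS stack,
        # fall back to full expansion so no transition is postponed forever.
        if cand and cand[0][2](s) not in stack:
            ample = [cand[0]]
        for r in ample:
            t = r[2](s)
            if t not in visited:
                dfs(t)
        stack.pop()

    dfs(init)
    return len(visited), violations
```

On this toy the full search visits 28 states and the reduced search 8, because the three step rules commute with each other and with the collector (which is never enabled at the same time as a step), so the interleavings of the counters collapse to one; the collector writes the property's atom and is therefore always explored in full.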