Tamarah Arons

Formalizing UML Models and OCL Constraints in PVS

The Object Constraint Language (OCL) is the established language for the specification of properties of objects and object structures in UML models. One reason that it is not yet widely adopted in industry is the lack of proper and integrated tool support for OCL. Therefore, we present a prototype tool, which analyzes the syntax and semantics of OCL constraints together with a UML model and translates them into the language of the theorem prover PVS. This defines a formal semantics for both UML and OCL, and enables the formal verification of systems modeled in UML. We handle the problematic fact that OCL is based on a three-valued logic, whereas PVS is only based on a two valued one.

Formal verification of backward compatibility of microcode

Microcode is used to facilitate new technologies in Intel CPU designs. A critical requirement is that new designs be backwardly compatible with legacy code when new functionalities are disabled. Several features distinguish microcode from other software systems, such as: interaction with the external environment, sensitivity to exceptions, and the complexity of instructions. This work describes the ideas behind MICROFORMAL,, a technology for fully automated formal verification of functional backward compatibility of microcode.

tlpvs: A pvs-Based ltl Verification System

In this paper we present our pvs implementation of a linear temporal logic verification system. The system includes a set of theories defining a temporal logic, a number of proof rules for proving soundness and response properties, and strategies which aid in conducting the proofs. In addition to implementing a framework for existing rules, we have also derived new methods which are particularly useful in a deductive ltl system. A distributed rank rule for the verification of response properties in parameterized systems is presented, and a methodology is detailed for reducing compassion requirements to justice requirements (strong fairness to weak fairness). Special attention has been paid to the verification of unbounded systems — systems in which the number of processes is unbounded — and our verification rules are appropriate to such systems.

Verifying Tomasulo's algorithm by refinement

In this paper Tomasulos algorithm for out-of-order execution is shown to be a refinement of the sequential instruction execution algorithm. Correctness of Tomasulos algorithm is established by proving that the register files of Tomasulos algorithm and the sequential algorithm agree once all instructions have been completed.

A Comparison of Two Verification Methods for Speculative Instruction Execution

In this paper we describe and compare two methodologies for verifying the correctness of a speculative out-of-order execution system with interrupts. Both methods are deductive (we use PVS) and are based on refinement. The first proof is by direct refinement to a sequential system; the second proof combines refinement with induction over the number of retirement buffer slots.

Deductive Verification of UML Models in TLPVS

In recent years, UML has been applied to the development of reactive safety-critical systems, in which the quality of the developed software is a key factor. In this paper we present an approach for the deductive verification of such systems using the PVS interactive theorem prover. Using a PVS specification of a UML kernel language semantics, we generate a formal representation of the UML model. This representation is then verified using tlpvs, our PVS-based implementation of linear temporal logic and some of its proof rules. We apply our method by verifying two examples, demonstrating the feasibility of our approach on models with unbounded event queues, object creation, and variables of unbounded domain. We define a notion of fairness for UML systems, allowing us to verify both safety and liveness properties.

Efficient symbolic simulation of low level software

Symbolic execution has long been a staple technique for formal hardware verification. Its application to software requires methods for dealing with software specific complexities. In this paper we elaborate methods for the efficient symbolic simulation of embedded software; some methods are new, others are improvements of existing methods. Using these techniques we have been able to symbolically execute real life microcode of thousands of lines, allowing formal methods to become an integral part of microcode validation in Intel Corporation.

Verification of Data-Insensitive CIrcuits: An In-Order-Retirement Case Study

There is a large class of circuits (including pipeline and out-of-order execution components) which can be formally verified while completely ignoring the precise characteristics (e.g. word-size) of the data manipulated by the circuits. In the literature, this is often described as the use of uninterpreted functions, implying that the concrete operations applied to the data are abstracted into unknown and featureless functions. In this paper, we briefly introduce an abstract unifying model for such data-insensitive circuits, and claim that the development of such models, perhaps even a theory of circuit schemas, can significantly contribute to the development of efficient and comprehensive verification algorithms combining deductive as well as enumerative methods.As a case study, we present in this paper an algorithm for out-of-order execution with in-order retirement and show it to be a refinement of the sequential instruction execution algorithm. Refinement is established by deductively proving (using pvs) that the register files of the out-of-order algorithm and the sequential algorithm agree at all times if the two systems are synchronized at instruction retirement time.

Verification of an advanced MIPS-type out-of-order execution algorithm

In this paper we propose a method for the deductive verification of out-of-order scheduling algorithms. We use tlpvs, our pvs model of linear temporal logic (ltl), to deductively verify the correctness of a model based on the Mips R10000 design. Our proofs use the predicted values method to verify a system including arithmetic and memory operations and speculation. In addition to the abstraction refinement traditionally used to verify safety properties, we also use fairness constraints to prove progress, allowing us to detect errors which may otherwise be overlooked.

Embedded Software Validation: Applying Formal Techniques for Coverage and Test Generation

The validation of embedded software in VLSI designs is becoming increasingly important with their growing prevalence and complexity. In this paper we present a new, hybrid, automated, validation methodology combining formal techniques and simulation. We introduce compositional approach to generate a formal model of the design, and show how the list of its feasible paths can be extracted. This list is then used for coverage metrics, and for test generation. This method has been successfully applied to complex microcode of a state-of-the-art microprocessor, and it is applicable to other classes of embedded software. Its effectiveness and scalability was demonstrated on a set of complex IA32 instructions, where unknown bugs have been detected and validation convergence time was reduced from weeks in a previous project to a matter of days.