Figure 7 - uploaded by Jin Yang
Monitor Scaling with k. The graph shows the monitor size for different example instances as we scale k. FIFO n denotes an n stage FIFO, and Mem n denotes a memory with n-bit addresses.  

Source publication
Conference Paper
Full-text available
Formal and dynamic (simulation, emulation, etc.) verification techniques are both needed to deal with the overall challenge of verification. Ideally, the same specification/testbench would work with both formal and dynamic techniques, with the same semantics in both. Unfortunately, this is typically not the case. In particular, generalized symbolic...

Similar publications

Article
Full-text available
This work presents a security analysis of the QUIC handshake protocol based on symbolic model checking. As a newly proposed secure transport protocol, the purpose of QUIC is to improve the transport performance of HTTPS traffic and enable rapid deployment and evolution of transport mechanisms. QUIC is currently in the IETF standardization process a...
Conference Paper
Full-text available
Power management is important for multicore architectures. One important challenge for multicore DPM schemes is verifying that they are both safe (cannot lead to power or thermal catastrophes) and efficient (achieve as much performance as possible without exceeding power constraints). The verification difficulty varies among designs, depending, f...
Conference Paper
Full-text available
The growing popularity of SystemC has attracted research aimed at the formal verification of SystemC designs. In this paper we present Kratos, a software model checker for SystemC. Kratos verifies safety properties, in the form of program assertions, by allowing users to explore two directions in the verification. First, by relying on the translati...
Chapter
Full-text available
We report our experience in the formal verification of the deposit smart contract, whose correctness is critical for the security of Ethereum 2.0, a new Proof-of-Stake protocol for the Ethereum blockchain. The deposit contract implements an incremental Merkle tree algorithm whose correctness is highly nontrivial, and had not been proved before. We...
Conference Paper
Full-text available
Separation logic is a subset of the quantifier-free first order logic. It has been successfully used in the automated verification of systems that have large (or unbounded) integer-valued state variables, such as pipelined processor designs and timed systems. In this paper, we present a fast decision procedure for separation logic, which combines...

Citations

... Their goal was to investigate alternative semantic definitions to the trace semantics, as a way to correct problems with the early versions of PSL; if and how this was useful to guide an implementation of property checkers has not been published. The PSL language reference contains a set of restrictions to help create properties that are more suitable for simulation and dynamic verification, akin to the simulation–friendly restrictions proposed for the generalized symbolic trajectory evaluation (GSTE) monitors in [15]. In the checkers developed for GSTE assertion graphs, certain constructs are avoided or restricted in scope, for hardware implementation reasons. ...
Article
Full-text available
Modern assertion languages such as property specification language (PSL) and SystemVerilog assertions include many language constructs. By far, the most economical way to process the full languages in automated tools is to rewrite the majority of operators to a small set of base cases, which are then processed in an efficient way. Since recent rewrite attempts in the literature have shown that the rules could be quite involved, sometimes counterintuitive, and that they can make a significant difference in the complexity of interpreting assertions, ensuring that the rewrite rules are correct is a major contribution toward ensuring that the tools are correct, and even that the semantics of the assertion languages are well founded. This paper outlines the methodology for computer-assisted proofs of several publicly known rewrite rules for PSL properties. We first present the ways to express the PSL syntax and semantics in the prototype verification system (PVS) theorem prover, and then prove or disprove the correctness of over 50 rewrite rules published without proofs in various sources in the literature. In doing so, we also demonstrate how to circumvent known issues with PSL semantics regarding the never and eventually! operators, and offer our proposals on assertion language semantics.
... Other work includes compiling LTL or other formal assertions into dynamic checkers (e.g. [14]). These assertions involve RTL signals so no RM is necessary. ...
Conference Paper
Full-text available
This paper discusses a methodology used on an industrial hardware development project to validate various cache-coherence protocol components. The idea is to use a high level model (HLM) written in Murphi for model checking purposes, and then to use the HLM as a checker during dynamic (i.e. simulation based-) validation of the RTL. Such a checker requires a formal notion of what it means for the RTL to implement the HLM. Due to RTL pipelining, concurrency, and different RTL/HLM semantics, an appropriate notion is non-obvious. We employ a notion we call behavioral refinement, and describe a methodology for creating refinement checkers. A novel aspect of our methodology is that all "ingredients" are specified using System Verilog (SV): even the Murphi model itself is compiled into SV. Thus any off-the-shelf SV simulation engine can be used. We report the successful use of our refinement checkers to catch bugs in a real project at Intel and give an example illustrating our methodology.
... During each step of the simulation, it indicates whether the system has obeyed the formal specification thus far. In [4, 7] methods for automatic construction of monitor circuits for GSTE assertion graphs are described. The method in [4] requires the use of a symbolic simulator if the assertion graph contains symbolic constants. ...
... The method in [4] requires the use of a symbolic simulator if the assertion graph contains symbolic constants. In [7] it is explained how, for the class of so-called simulation friendly assertion graphs, the method of [4] can be extended to deal with symbolic constants even in conventional non-symbolic simulation. The papers explain how monitor circuits can be used to make a bridge between GSTE model checking and conventional simulation. ...
... There exist several extensions of the GSTE algorithm that considerably improve the algorithm's proving power. Examples of such extensions are precise nodes [18, 15] and knots [7]. We would like to give semantic characterisations of these extensions. ...
Article
Generalised Symbolic Trajectory Evaluation (GSTE) is a high-capacity formal verification technique for hardware. GSTE uses abstraction, meaning that details of the circuit behaviour are removed from the circuit model. A semantics for GSTE can be used to predict and understand why certain circuit properties can or cannot be proven by GSTE. Several semantics have been described for GSTE. These semantics, however, are not faithful to the proving power of GSTE-algorithms, that is, the GSTE-algorithms are incomplete with respect to the semantics. The abstraction used in GSTE makes it hard to understand why a specific property can, or cannot, be proven by GSTE. The semantics mentioned above cannot help the user in doing so. The contribution of this paper is a faithful semantics for GSTE. That is, we give a simple formal theory that deems a property to be true if-and-only-if the property can be proven by a GSTE-model checker. We prove that the GSTE algorithm is sound and complete with respect to this semantics.
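The citation contexts above describe monitor circuits that, at each simulation step, indicate whether the system has obeyed the GSTE assertion graph so far, and that for simulation-friendly graphs the symbolic constants can be handled in a conventional, non-symbolic simulation. The following is an added illustration of that idea, written for this page and not taken from any of the cited papers or their tools: a software monitor for a small assertion graph in which each edge carries an antecedent and a consequent, tokens carry the bindings of symbolic constants picked up from the trace, and a verdict is reported after every cycle. The 2-stage FIFO model, the property "if in == D now then out == D two cycles later", the signal names `in`/`out`, and the traces (including the injected bug) are all constructed here for the example.

```python
# Added illustration for this page, not code from the cited papers: a monitor
# that, after each simulated cycle, reports whether the trace has obeyed a small
# GSTE-style assertion graph so far. Symbolic constants are bound from values
# seen on the trace, so it runs in an ordinary non-symbolic simulator. The FIFO
# model, the property and the traces are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Sample = Dict[str, int]     # signal values for one cycle
Bindings = Dict[str, int]   # symbolic constant name -> value bound on this path
Antecedent = Callable[[Sample, Bindings], Optional[Bindings]]  # None: not satisfied
Consequent = Callable[[Sample, Bindings], bool]

def bind(const: str, signal: str) -> Antecedent:
    """Antecedent 'signal == CONST': bind CONST on first use, compare afterwards."""
    def ant(sample: Sample, b: Bindings) -> Optional[Bindings]:
        v = sample[signal]
        if const in b:
            return dict(b) if b[const] == v else None
        return {**b, const: v}
    return ant

def equals(const: str, signal: str) -> Consequent:
    """Consequent 'signal == CONST' against the bindings the token carries."""
    return lambda sample, b: sample[signal] == b[const]

always: Antecedent = lambda sample, b: dict(b)   # antecedent 'true'
no_check: Consequent = lambda sample, b: True    # consequent 'true'

@dataclass
class Edge:
    src: int
    dst: int
    ant: Antecedent
    cons: Consequent

@dataclass
class Monitor:
    edges: List[Edge]
    init: int = 0
    tokens: List[Tuple[int, Bindings]] = field(default_factory=list)
    violations: List[Tuple[int, int, Bindings]] = field(default_factory=list)  # (cycle, vertex, bindings)
    cycle: int = 0

    def step(self, sample: Sample) -> bool:
        """Advance one cycle; return True iff no consequent has failed so far."""
        # A fresh token enters the initial vertex every cycle, so the property is
        # checked from every starting point of the trace.
        nxt: List[Tuple[int, Bindings]] = []
        for vertex, b in self.tokens + [(self.init, {})]:
            for e in self.edges:
                if e.src != vertex:
                    continue
                nb = e.ant(sample, b)
                if nb is None:
                    continue                  # antecedent fails: path is vacuous here
                if not e.cons(sample, nb):
                    self.violations.append((self.cycle, e.src, nb))
                nxt.append((e.dst, nb))       # tokens at a sink vertex simply die
        self.tokens = nxt
        self.cycle += 1
        return not self.violations

def fifo2_graph() -> List[Edge]:
    """Property for a 2-stage FIFO that shifts every cycle:
    'if in == D now, then out == D two cycles later', D a symbolic constant."""
    return [Edge(0, 1, bind("D", "in"), no_check),
            Edge(1, 2, always, no_check),
            Edge(2, 3, always, equals("D", "out"))]

def shift_register_trace(inputs: List[int], stages: int = 2,
                         drop_at: Optional[int] = None) -> List[Sample]:
    """Constructed DUT: an always-shifting register chain, sampled each cycle.
    drop_at injects a bug that loses the value pushed in that cycle."""
    regs = [0] * stages
    trace: List[Sample] = []
    for t, x in enumerate(inputs):
        trace.append({"in": x, "out": regs[-1]})
        regs = [x] + regs[:-1]
        if drop_at is not None and t == drop_at:
            regs[0] = 0
    return trace

def run_monitor(trace: List[Sample], edges: List[Edge]):
    """Return (obeyed-so-far flag per cycle, list of violations)."""
    m = Monitor(edges)
    return [m.step(s) for s in trace], m.violations

if __name__ == "__main__":
    inputs = [5, 7, 9, 11, 13, 15]
    print(run_monitor(shift_register_trace(inputs), fifo2_graph()))
    print(run_monitor(shift_register_trace(inputs, drop_at=1), fifo2_graph()))
```

On the correct trace every cycle reports "obeyed so far"; with the value pushed in cycle 1 dropped, the token that bound D = 7 reaches the checking edge in cycle 3, sees out = 0, and the monitor's verdict stays false from that cycle on. Re-entering the initial vertex every cycle is what makes the check cover every starting point of the trace, which is also why the number of live tokens (and, in a hardware monitor, its size) grows with the depth of the graph.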
... Yet, the method is generic and applicable also to rewrite rules intended for static property checking. PSL defines a set of restrictions to the language to help create properties that are more suitable for simulation and dynamic verification, akin to the simulation–friendly restrictions proposed for the Generalized Symbolic Trajectory Evaluation (GSTE) monitors in [7]. In the checkers developed for GSTE assertion graphs, certain constructs are avoided or restricted in scope, for hardware implementation reasons. ...
Conference Paper
Full-text available
Modern assertion languages, such as PSL and SVA, include many constructs that are best handled by rewriting to a small set of base cases. Since previous rewrite attempts have shown that the rules could be quite involved, sometimes counterintuitive, and that they can make a significant difference in the complexity of interpreting assertions, workable procedures for proving the correctness of these rules must be established. In this paper, we outline the methodology for computer-assisted proofs of a set of previously published rewrite rules for PSL properties. We show how to express PSL's syntax and semantics in the PVS theorem prover, and proceed to prove the correctness of a set of thirty rewrite rules. In doing so, we also demonstrate how to circumvent issues with PSL semantics regarding the never and eventually! operators.
... This distinction arises because of the nature of simulatable PSL. Nuances between formal and simulatable verification were also observed in [9], wherein a new simulation–friendly Generalized Symbolic Trajectory Evaluation (GSTE) specification is introduced. Unless the operator at a node forces a specific mode on its children nodes, this mode applies by default to the subtree of expressions rooted at the node. ...
Conference Paper
Full-text available
Assertion-based verification (ABV) is emerging as a paramount technique for industrial-strength hardware verification, especially through the emerging Property Specification Language (PSL). Since PSL introduces significant overhead to simulators, in this paper we present the infrastructure for hardware emulation capable of supporting ABV. We develop a tool that generates hardware assertion checkers for inclusion into efficient circuit emulation. The MBAC checker generator is outlined, together with the algorithms for optimized assertion-circuit generation. Experiments show that MBAC outperforms the best known checker-generator.
... This can be overcome via manual specification of variable quantification points to avoid name conflicts. These points are called knots [NHY04] in GSTE terminology, because they conceptually permit the tying together of an infinite line of case-splits into a loop. ...
Chapter
Symbolic trajectory evaluation is an industrial-strength formal hardware verification method, based on symbolic simulation, which has been highly successful in data-path verification, especially for microprocessor execution units. It is a ‘model-checking’ method in the basic sense that properties, expressed in a simple temporal logic, are verified by (symbolic) exploration of formal models of sequential circuits. Its defining characteristic is that it operates by symbolic simulation over abstractions of sets of states that only partially delineate the circuit states in the set. These abstract state sets are ordered in a lattice by information content, based on a three-valued domain for values on circuit nodes (true, false, and don’t know). The algorithm operates over families of these abstractions encoded by Boolean formulas, providing a flexible, specification-driven mechanism for partitioned data abstraction. We provide a basic introduction to symbolic trajectory evaluation and its extensions, and some details of how it is deployed in industrial practice. The aim is to get across the essence and value of the method in clear and accessible terms.
Conference Paper
This short paper is the result of the invited talk I gave at the 2007 Haifa Verification Conference. Its purpose is to briefly summarize the main points of my talk and to provide background references. The original talk abstract was, “Dynamic verification (simulation, emulation) and formal verification often live in separate worlds, with minimal interaction between the two camps, yet both have unique strengths that could complement the other. In this talk, I’ll briefly enumerate what I believe are the best aspects of each verification style, and then explore some possibilities for drawing on the strengths of both camps.”