- PDF Free Download

Transcription

1 GateLevelDescriptionofSynchronous ThesisfortheDegreeofDoctorofPhilosophy AutomaticVericationBasedon Hardware TheoremProving and PerBjesse ChalmersUniversityofTechnologyandGoteborgUniversity DepartmentofComputingScience SE-41296Goteborg,Sweden Goteborg,May2001

2 GateLevelDescriptionofSynchronousHardwareand ISBN AutomaticVericationBasedonTheoremProving Nyserienr1702 DoktorsavhandlingarvidChalmersTekniskaHogskola, ISSN x cperbjesse,2001 ComputingScience ChalmersUniversityofTechnologyandGoteborgUniversity SE-41296Goteborg,Sweden PrintedatChalmers,Goteborg,2001

3 PerBjesse ComputingScience ChalmersUniversityofTechnologyandGoteborgUniversity AutomaticVericationBasedonTheoremProving GateLevelDescriptionofSynchronousHardwareand Today'shardwaredevelopmentindustryfacesenormousproblems.Theprimaryreason forthisisthatthecomplexityofstate-of-the-arthardwaredevicesisgrowingfaster thanthecapacityofthetoolsthatareusedtocheckthattheyarecorrect.this Abstract productsarecorrect. developmenttimeasshortaspossible.asaconsequence,componentsunderdesign problematicsituationisfurtheraggravatedbyanincreasingpressuretomakethe Inthisthesis,wecontributetoimprovedhardwaredesignmethodsintwoways. aremorelikelytocontainerrors,whilelesstimecanbespentmakingsurethatnished dedinthefunctionallanguagehaskell.lavausesthecapabilitiesofthehostlanguage toexpresssynchronouscircuitsinamathematicallypreciseway,andallowseasyconnectiontoexternalvericationtools.lavaalsousesthecapabilitiesofhaskellto First,wepresentLava,ahardwaredescriptionandvericationplatformthatisembed- allowthedesignertodeviseinterconnectionpatterns,andtowriteparametrisedcircuitdescriptions.weillustratethepoweroflavabydescribingandverifyinghardware Second,wepresentanumberoftechniquesandcasestudiesthatdemonstratehowautomatictheoremprovingcanbeusedtoprovecorrectnessandndbugsinsynchronous hardware.weshowhowvericationcanbedonebothatthelevelofcomplexarith- componentsforcomputingthefastfouriertransform(fft). logictheoremprovers.theresultingconvertedmethodsareshowntogiveorderof metic,andatthebooleanlevel.inthecaseofthevericationatthearithmeticlevel, magnitudespeedupscomparedtocurrentstate-of-theartvericationtechniques. orderlogictheoremprover.inthecaseofthevericationatthebooleanlevel,we convertanumberofstandardnitestatevericationmethodstousepropositional weuselavatoconstructspecialpurposeproofstrategiesthatinterfacewitharst Keywords:hardwaredescription,hardwareverication,modelchecking,reachabilityanalysis,symbolictrajectoryevaluation,theoremproving,satisability,induction, signalprocessing,functionallanguages.

4

5 Thisthesiscollectstogethervearticlesthatarepublishedoracceptedfor publication,whichappearaschapters2,3,5,6,and7: Lava:HardwareDesigninHaskell,writtentogetherwithKoenClaessen, AutomaticVericationofCombinationalandPipelinedFFTCircuits,publishedin1999[25] MarySheeranandSatnamSingh,publishedin1998[11] SymbolicReachabilityAnalysisBasedonSAT-Solvers,writtentogether SAT-basedVericationwithoutStateSpaceTraversal,writtentogether withkoenclaessen,publishedin2000[10] withparoshazizabdullaandniklaseen,publishedin2000[2] FindingBugsinanAlphaMicroprocessorUsingSatisabilitySolvers, Thethesisalsocontainsatechnicalreport,Chapter4,andajournalpaper writtentogetherwithtimleonardandabdelmokkedem,acceptedfor submittedforpublication,chapter8: publicationin2001[12] SAT-basedModelChecking:ATutorialandOverview,writtenduring2000 SymbolicModelCheckingwithSetsofStatesRepresentedasFormulas, publishedin1999[9] togetherwithmarysheeranandgunnarstalmarck[13] 5

6 morethanoneauthor: Thefollowingoutlinesmyparticipationonthearticlesinthisthesisthathave Lava:HardwareDesigninHaskell,writtentogetherwithClaessen,Sheeran, SymbolicReachabilityAnalysisBasedonSAT-Solvers,writtentogetherwith andsingh:iparticipatedindiscussions,didthefftmodellingandverication,andwrotesection4ofthepaper. AbdullaandEen:Iparticipatedindiscussions,didsomeoftheexperimentalwork,andwroteSections1-3and6-8ofthepaper. SAT-basedVericationwithoutStateSpaceTraversal,writtentogetherwith FindingBugsinanAlphaMicroprocessorUsingSatisabilitySolvers,writtentogetherwithLeonardandMokkedem:Iparticipatedindiscussions, Claessen:Iparticipatedindiscussions,implementedthecorealgorithms, andwrotehalfthepaper. SAT-basedModelChecking:ATutorialandOverview,writtentogetherwith implementedthesat-basedvericationalgorithms,andwrotethewhole exceptionofsection3andsection4.3. Sheeran:Iparticipatedindiscussionsandwrotethewholepaperwiththe paper.

7 Contents 1Introduction 1.1TheHardwareDevelopmentCrisis FormalMethods ABriefHistoryofFormalMethods FormalMethods Whatarethey? AimoftheThesis FormalHardwareVericationMethods Lava:HardwareDesigninHaskell 1.4Synopsis Introduction OverviewoftheSystem Monads TypeClasses Interpretations Combinators PrimitiveDataTypes UsingaSymbolicCircuit SymbolicInterpretation StandardInterpretation AnExample:FFT OtherInterpretations Verication ComplexNumbers...24 i

8 2.4.2DiscreteFourierTransform TwoFFTCircuits Components TheCircuitDescriptionsinLava RelatedWork RunningInterpretations Conclusions RelatedWorkonFFTDescriptionandVerication AutomaticVericationofCombinationalandPipelinedFFT Circuits 2.7FutureWork Introduction TheLavaHardwareDevelopmentPlatform VericationofComponents FFTLow-levelDescriptions TheFastFourierTransforms CombinationalFFTVerication TheoreticalBasisoftheVerications LessonsLearned ManualPreparation PipelinedFFTVerication RelatedWork Conclusions FutureWork SymbolicModelCheckingwithSetsofStatesRepresentedas 3.10Appendix...50 Formulas TheRadix-2FFTdescription Introduction Overview CTLModelChecking Conventions...54 ii

9 4.5RequirementsonaRepresentationforSetsofStates ComputingModelsofCTLFormulas SyntaxandSemantics EncodingsSetsofStatesinPropositionalLogic ModelCheckingusingStalmarck'sMethod FormulaRepresentation EquivalenceChecking FormulaMinimisation Discussion BooleanQuanticationformAX,mEX TheConnectiveOperatorsm#,m: OtherLogics ASimpleUseofFirstOrderLogic QuantiedBooleanFormulas SymbolicReachabilityAnalysisBasedonSAT-Solvers 4.9Conclusions AndMore Introduction Preliminaries Quantication ReachabilityAnalysis Satisability RepresentationofFormulas SAT-basedVericationwithoutStateSpaceTraversal 5.8ConclusionsandFutureWork ExperimentalResults Introduction VanEijk'sMethod Stalmarck'sMethodInsteadofBDDs Induction StrongerInductioninvanEijk'sMethod...96 iii

10 6.6Approximations ConclusionsandFutureWork RelatedWork ExperimentalResults FindingBugsinanAlphaMicroprocessorUsingSatisability Solvers 7.1Introduction Preliminaries TheMergeBuer SymbolicTrajectoryEvaluation BoundedModelChecking Verication AnalysisCycle BDD-basedSymbolicModelChecking AProposalforaMethodology SAT-basedSymbolicTrajectoryEvaluation BoundedModelChecking SAT-basedModelChecking:ATutorialandOverview 7.9Conclusions Introduction Preliminaries UsingSAT-solverstoVerifyReachableStateInvariants ModellingSystemsinPropositionalLogic ExpressingPropertiesofSystemsinPropositionalLogic ReachabilityAnalysis ImplementingtheAnalyses Induction BoundedModelChecking Analysis FormulaRepresentation ComparisonBetweentheSAT-basedMethods QBFTranslation iv

11 Bibliography 8.7InterestingFutureQuestions AComparisontoBDD-basedModelChecking v

12 vi

13 Chapter1 Introduction In1965,GordonMooregaveatalkwherehepredictedthatthecomplexity ofhardwaredeviceswoulddoubleevery18months.moore'spredictionhas 1.1 TheHardwareDevelopmentCrisis bythefactthattoday'sindustry-standardhardwaredescriptionlanguagesare ofhardwareisstaggering. Theresultingconstantlyincreasingpressureondesignersisfurtheraggravated turnedouttobeveryaccurate,andasaconsequence,thecurrentcomplexity meansthattheinterpretationofagivenlanguagedierssignicantlybetween verboseandcomplexlanguagesthatdonothaveawell-denedsemantics.this usabledesignswithalanguageisalsoverylong,andecientuseofalanguage resultinnonsenseafteranupgrade.thelearningtimetobeabletoproduce ferentversionsofthesametool;whatworkedtwoweeksagomayverywell reliesheavilyonintimateknowledgeofthequirksofaparticulartoolsuite. toolsfromdierentvendors.theinterpretationmightevendierbetweendif- Moreover,today'sdesignersmustnotonlycopewithverycomplexdesignsusing lessthanperfectlanguages;thedevelopmenttimeforagivendevicemustalso bekepttoanabsoluteminimumtoreducethetime-to-market.thishasled toaparadoxicalsituation,wherethefrequencyoferrorsconstantlygoesupas largerdesignshavetobeproducedinshortertime,whilelesstimecanbespent design,oramodelofit,onasetoftestvectors.thisisasimple,natural, onvalidation makingsurethatwhathasbeenbuiltindeedcorrespondstothe wayofmakingsurethatthecorrectdesignhasbeenbuilt.unfortunatelythis Thestandardwayofmakingsurethathardwareiscorrectistorunanished intendeddesign. validationmethodhasamajordrawback:onlyextremelysimpledesignscan realisethis,considerthatasimplecombinationalgatewithninputshastobe besimulatedexhaustivelysothatthefullfunctionalityofthechipistested.to 1

14 morethanhalfamillionyearstotestthefullfunctionalityofthemultiplier. Exhaustivetestingofrealisticcombinationalcircuitsishenceintractable,and testedon2ninputpatterns.thismeansthatinordertocheckthataninteger thegeneralcaseoftestingsequentialcircuitsisharderbyfar. multipliercorrectlymultipliestwo32-bitwords,wehavetotestiton264input vectors.assumingthatwecantestamillionpatternsasecond,wewouldneed ahandfulofoatingpointnumbers.thecostofrecallingthefaultychipswas astrous,asillustratedbythefailureofintel'spentiumchiptocorrectlydivide Unfortunately,failingbehaviourevenonasmallnumberofvectorscanbedis- Today'shardwaredevelopmentindustryisthusinabothersomesituation,which 475milliondollars. needstobeaddressedinatleasttwoways.first,itisvitalthathardware descriptionlanguagesareimprovedsothattheydonothinderthedesigner. Themosturgentofthenecessaryimprovementsistoconstructlanguagesthat haveamathematicallyprecisemeaning.second,thesupportforverifyingthat whathasbeendesignediscorrectmustbeimprovedsignicantly.itisimportant engineeringtogetherwithsimulation.thequestionishowthiscanbedone. tondalternativewaysofincreasingthecondenceindesignsotherthancareful industry-standarddevelopmentmethods. Inthisthesis,wewillconsiderformalmethodsasacomplementtotoday's 1.2 FormalMethods Aformalmethodideallyconsistsofthreecomponents:(1)Aformallanguage; 1.2.1FormalMethods Whatarethey? bepresent. aboutstatementsintheformallanguage.inpractice,notalloftheseneedto thatis,alanguagewhereeverywell-formedstatementhasamathematically denedmeaning;(2)toolsthathelptheuserdescribesystemsandrequirements Thepurposeofthethreecomponentsoftheformalmethodareasfollows:The intheformallanguage;and(3)aproofsystemthatallowstheusertoreason modelofthesystem,andoptionallyalsoconstructaspecication.whenthis language,togetherwiththetools,shouldletthedesignerwriteortranslatea isdone,theproofsystemshouldbeusedtodoasystemanalysis.hopefully, thisprocesswillallowthedesignertopredictwhethertheunderlyingsystem hasunintendedpropertiesthatwillcostmoney,orputhumansatrisk. ciselanguagethatisusedtowritedownaspecicationforagivensystem.the Aspecicationorientedformalmethodprovidesarichandmathematicallypre- Therearetwomainapproachestoformalmethods:(1)specicationoriented, and(2)vericationoriented. 2

15 thathasaformallydenedmeaning,itispossibletoreasonaboutthespecication.thepurposeofthisistovalidatethespecication tomakesurethe precisedescription.furthermore,asthespecicationiswritteninalanguage itforcesthespeciertothinkthroughthesystemcarefullyinordertomakea specicationmatchestheintentionofthedesigner.thiscanforexamplebe donebysimulatingthespecication,byprovingthatthespecicationiscon- processofwritingdownformalspecicationscanbringbenetstoaproject,as animplementationconformstosomespecication.inordertodothis,the theirreasonableness. Avericationorientedmethod,incontrast,hasthegoalofmakingsurethat sistent,orbyderivingconsequencesofthespecicationthatcanbecheckedfor atalowerlevelofabstraction.vericationtoolsarethenusedtotrytoestablish designerwritesaspecicationofthesystem,andamodelofanimplementation conformance.thiscanbedoneinanumberofways,afewofwhichwewill considerinsection1.2.3.ifnecessary,theprocesscanthenbereiteratedby writinganewspecicationatanevenlowerlevelandestablishingconformance ispost-hoc,meaningthatthesystemalreadyhasbeenbuilt,thegoalistoreach notbeenbuiltyet,thelowestlevelofspecicationcanbeusedasatemplate betweentheoldimplementation-levelandthenewlowerlevel.iftheverication theleveloftheexistingsystemmodel.ontheotherhand,ifthesystemhas systems.theanalysistoolscanonlybeappliedtothesemodels,nottothe realsystemsthemselves.thismeans,forexample,thataproofthatthemodel Itisimportanttorealisethatformalmethodsareconcernedwithmodelsof forautomaticormanualimplementation. specicationthatisdierentfromourintendedspecication,thentheproofis conformstothespecicationimpliespreciselythis,andnothingelse.ifthe modeldoesnotadequatelydescribetherealsystem,orifwehavewrittena worthless.ifwemodelacircuitatthelevelofbooleangates,wecanclearlynot 1.2.2ABriefHistoryofFormalMethods accountforerrorsatthetransistorlevel. Formalmethodsareintimatelyconnectedwithlogic,aslogicsareparticular recordedthoughtsaboutlogicdatebacktoaristotle'stime.aristotlemodelled situationsasacollectionofinformalstatements,andappliedwhatisknownas syllogisticreasoningtoanalysetheproblemathand. formallanguagesthatareusedtomodelandreasonaboutproblems.therst dreamtofconstructingalanguagerichenoughtomodelanykindofphenomena: TherstmodernproponentofformalmethodswasLeibnitz( ),who thecharacteristicauniversalis.anykindofquestionthatahumancouldenquire aboutshouldbepossibletoformulateinthislanguage.agivenquestionshould thenbedecidedusingadeviceleibnitzcalledthecalculusratiocinator.in thiswayeverydayquestionswouldbedecidedinascienticmannerbythe applicationofalgorithmictechniques.3

16 betherstcharacterisationofageneralpurposeformallanguagerichenough Leibnitz'dreamwasneverappreciatedbyhiscontemporaries;itwouldtake todeviseatheoryofsetsandelementaryarithmetic[37].thatfregewas ForemostoftheseearlypioneerswasGottlobFrege,whomadewhatwould ofthe19thcentury,manylogiciansstartedtothinkalongthelinesofleibnitz. almosttwohundredyearsbeforesimilarideasresurfaced.however,attheend interestedinthiswasnotverysurprising;hisoverallgoalwastoshowthat KurtGodeldeliveredacrushingblowtothishopebyprovingthatnonite allmathematicalreasoningcouldbereducedtologic.unfortunately,in1931 systemofaxiomsandinferencerulescouldbedevisedthatwouldgenerateall Godel'sresultsparkedalotofresearchintothelimitsofautomatedprocedures thetheoremsofelementaryarithmetic,andnonon-theorems[39]. non-trivial(inaprecise,technicalsense)propertyofprogramsisimpossibleto decidebyautomatedanalyses[80].muchofthecomputation-orientedresearch procedureswasseverelyrestricted.forexample,in1953riceprovedthatevery sequenceofsimilarresultsshowedthatthepowerofcompletelyautomated fordecidingwhetherformallanguagestatementsweretheoremsornot.awhole results",andfewresearcherswereinterestedinpursuingleibnitz'dream. duringthe1950sand1960swashencecenteredaroundderiving\impossibility Itwasnotuntilthelate1960sandearly1970sthatresearchersonceagaingot newupsurgeofinterestinrigour;manyresearchlanguagesweregivenmathematicallydenedsemantics,andthisallowedproofsaboutthelanguages,and aboutindividualprograms. seriouslyinterestedinapplyingformaltechniquestoreasoningandtheresearch comeinterestingtoindustry,andmanyresearcherswereinvolvedincreating tooko.itwasaboutthistimethatprogrammablecomputersstartedtobe- dierentkindsofformallanguages:programminglanguages.withthiscamea andhardwaresystems,andthedomainofcomputeraidedreasoningaboutthe models. methodswerelaid,bothinthedomainofmathematicalmodelsofsoftware Thenewfoundinterestinrigourledtotheestablishmentofmanynewresearch elds,anditwasduringthistimethefoundationsformuchoftoday'sformal byfloyd,hoare,anddijkstra[36,52,31].theseresearcherswereinterestedin Someoftherstattemptstoreasonformallyaboutprogramswereundertaken ofaprogramfragmentguaranteedtheassertedstateaftertheexecution. informalreasoninginrstorderlogictoprovethatthestatebeforetheexecution programannotationswithassertionsabouttheprogramstate.theythenused correctnessproofsforimperativeprograms,anddevelopedmethodsbasedon andchandy,whoinventedtheunitylogic[71];andlamport,whoinvented ThetechniquesforimperativeprogramvericationwereextendedbyOwicki thetemporallogicofactions[61].4 andgriestothemoregeneralcaseofparallelprograms[73].totallydierent calculiforspecifyingandreasoningaboutconcurrentprocesses[53,70];misra approachesweretakenbyhoareandmilner,whodevelopedspecialpurpose

17 velopingpowerfulspecicationmethodslikez,vdm,andlarch[91,58,44]. Whilesomeresearcherswerefocusingonprogramverication,otherswerede- Theeortsonprogramspecicationandvericationalsoinspiredresearchinto programminglanguagealgol60[19]. softwaresystems.earlysuccessstoriesincludeibm'suseofvdmtodenethe Thesemethodswereusedsuccessfullytospecifyandperformanalysisonlarge themodellingandvericationofhardware.someresearchersattemptedtouse extensionsofthetechniquesdevisedforprogramverication[30,88],whileothersdevelopednewformalismsaimedspecicallyathardwareandhardware-like vericationtechniqueswerestartingtobeappliedtosystemsofindustrialrelevanceandsize.examplesincludeshunt'smodellingandvericationofthefm 8501microprocessor[55]andCohns'correspondenceproofbetweendierent circuits[98],andmilne'sworkoncircal[69].inthemid-eighties,hardware workonveritas[49],wagner'sworkontransformationalcorrectnessproofsfor workonfp[83],johnson'sworkoncircuitderivation[57],daecheandhanna's system.earlyattemptstomodelandreasonaboutcircuitsincludesheeran's levelsofdescriptionsofthevipermicroprocessor[23]. tomaticmethods. Today'shardwarevericationmethodscanbedividedintointeractive,andau FormalHardwareVericationMethods Ininteractivemethods,theuserguidesthevericationprocess.Oftenthespecicationlanguageisrichenoughtobeundecidable;fullyautomaticverication provinginhigherorderlogic[40].inthisapproach,themodelofthecircuit,and isthereforenotevenattainableintheory. Aprimeexampleofaninteractivemethodishardwarevericationbytheorem bystartingfromaxiomsofthelogic,andapplyinginferencerulestogenerate theprocessistoestablishthatthecompoundstatementthatexpressesthatthe modelimplementsthespecicationisalogicaltruthinthesystem.thisisdone thespecicationisexpressedasstatementsinaverypowerfullogic.thegoalof new,logicallytrue,statements.thenatureoftheinferencerulesguaranteesthat ifthecorrectnessstatementisderivablebyanitechainofapplicationsofrules, startingfromaxiomsonly,thenthemodelmustimplementthespecication. Evenbetweendierentinteractivemethods,thelevelofinteractivenesscanvary substantially.forexample,certainhigherorderlogictheoremprovers,such aspvs[29],containsautomaticdecisionproceduresthatcanbeappliedto statementsofparticularforms.suchautomateddecisionproceduresexistfor onlyaxiomsareusedasstartingpointsforproofs. exampleforpresburgerarithmetic[76](arithmeticstatementsusingaddition butnotmultiplication).otherinteractivetheoremprovers,suchasisabelle[75], bymakingsurethateveryapplicationofaninferenceruleisvalid,andthat providemuchlessautomation;theymainlyhelptheuserwiththebookkeeping 5

18 Automaticmethods,incontrast,attempttoseparatetheuserfromtheindividualvericationsteps.Thismeansthatdesigners,whoseareaofexpertiseisthe workstouseit.however,tocontinuetheanalogywithcircuitsynthesis,the usermuststillknowsomethingaboutthetooltogetsucientlygoodresults. constructionofthecircuitsthemselves,candotheirownvericationwithout muchlikedesignersdonotneedtofullyunderstandhowahardwaresynthesiser spendingalongperiodoftimelearningaboutthetheoryunderlyingthemethod, relativelyweakproperties.forexample,fullhigherorderlogicwillprobably Inordertoachievefullautomation,itisnecessarytorestrictthecheckingto neverbeusedsuccessfullyasaspecicationlanguageaimedatautomaticproofs, thatcanbeachieved.forexample,duetorice'stheorem,ifthemodellingand asitistoocomplex.thereexistsacleartradeobetweenthecomplexityofthe modellinglanguageandthepropertiestocheck,andthedegreeofautomation Oneofthemostwidelyusedautomaticmethodsofverifyinghardwareismodel programs,thentherearemanyquestionsthatcannotbedecidedautomatically. checking[21,79].theaimofthisvericationmethodistotakeadescriptionofa specicationlanguageisstrongenoughtomodelprogramsandpropertiesof expressedinaweaklogicholdbyexhaustivelysearchingthroughthestatespace hardwarecomponentasanitestatemachine,andestablishwhetherproperties beexpressedarestillsolimitedthatthelogicitselfcanbedecided(thereexists propertiesofsystemsthatchangeovertime.however,thepropertiesthatcan oftime".thespecicationlanguageiscalledatemporallogic,asitcanexpress xistrue",\ifsignalxistrue,thensignalymustbefalseaftersomeniteperiod ofthemodel.examplesofpropertiesthatcanbecheckedare\atalltimes,signal aprocedurethatalwaysisabletotellwhetherastatementisalogicaltruthor not). isimportanttorealisethatthisalsoistrueonthedesignsideofhardwaredevelopment.whenindividualcomponentsaredesignedfromtransistors,idealised technology,asthemathematicsthatisinvolvedistoocomplicated.however,it entlevels.thelevelofelectronowisbeyondthereachoftoday'sverication Independentofthevericationmethoditself,circuitscanbemodelledatdier- modelsareusedforthetransistorsinordertofacilitatespeedyanalysis. accordingtoa\truthtable",withoutconsideringanyotherpossibilities.vericationatthislevelmayconsistinestablishingthatsimpletemporalproperties Thelowestlevelofmodellingthatisroutinelyprocessedtodayistransistorlevel transistorsasdevicesthatpropagateeitherofthevalues0,1,orx(unknown) hold. descriptions.modelsatthislevelarestilloftensimpliedbydescribingthe individualbuildingblocksarelogicalgatessuchasand-gatesandor-gates.at thislevel,vericationmayconsistofestablishingthatatransistorlevelimplementationimplementsagatenetwork,orcheckingthatatemporalspecication holds. Thenextlevelupinthehierarchyisthelevelofgateleveldesigns.Herethe 6

19 Fromthegatelevelup,thereexistsamultitudeoflevelsthatcircuitscanbe modelledat.forexample,atthelevelofarithmetic,anadditionoftwonumbers fromaninnitedomainisamonolithicoperation.justasgodel'stheorem predicts,thisisthelevelwhereautomationstartstobecometroublesome,and usersoftenturntomethodssuchasinteractivetheoremproving. Inthisthesis,wecontributetobettermethodsfordesigninghardwareintwo ways. 1.3 AimoftheThesis thatfunctionallanguagesoeracleanwayofdescribingsynchronoushardware, precisedescriptionsofsynchronoushardware,andallowstheusertointerfaceto vericationtoolsthroughaprogrammableinterface.thethesisofthisworkis First,wepresentahardwaredescriptionandvericationplatform,Lava,embeddedinthefunctionallanguageHaskell.Thisplatformsupportsmathematically andthatmodernprogramminglanguagefeaturesareusefultoolsalsoforhardwaredesigners.wealsoshowhowusefulitisthatlavaisaprogrammablevericationplatform,whichallowsustodevisespecialpurposevericationstrategies forparticularfamiliesofhardwarecomponents. hardware.weillustratethisbypresentingcasestudiesandnewtechniques canbeusedasanecientvehicleforprovingcorrectnessandndingbugsin Themajorthesisofthispartoftheworkisthatautomatictheoremproving forthevericationofsequentialhardwareatdierentlevelsonabstraction. Second,wefocusonhowautomatictheoremprovingcanbeusedasatool vericationmethods. thatgiveorderofmagnitudespeedupscomparedtostate-of-the-artautomatic 1.4 PaperASynopsis ThepapercontainsanoverviewoftheLavahardwaredescriptionandveri- 1998,andisjointworkwithKoenClaessen,MarySheeran,andSatnamSingh. paperappearedintheinternationalconferenceonfunctionalprogramming Therstpaperinthisthesisiscalled\Lava:HardwaredesigninHaskell".The cationplatform,whichisspeciallydesignedfordescribing,andanalysingsyn- chronoushardwareatthegatelevel. allowsthedesignertoeasilyconstructparametrisedcircuits,anddeneinterateanewcircuitbypluggingthebuildingblockstogether.acrucialfeatureof KeyelementsoftheLavaapproachisacleanwayofdescribingcircuitsthat connectionpatterns meta-circuitsthatgivenanumberofothercircuitsgener- 7

20 besentotoexternaltheoremprovers. andveriedbyinterpretingitinanotherwaythatproducesformulasthatcan example,thesamedescriptioncanbesimulatedbyinterpretingitinoneway, Lavaisthepossibilitytointerprethardwaredescriptionsinmultipleways.For (FFT).TheFFTisaparticularweightedsumofcomplexnumbersthatfor Thepresentationincludesacasestudy:Thespecicationandvericationofa frequencyinformationfromsampledsignals.thefactthatthecircuitoperates parametrisedcombinationalcircuitforperformingthefastfouriertransform instancecanbeusedtodoquickmultiplicationofpolynomials,andtoextract Lavacouldbeusedtomodelandverifythekindsofcomponentstheywere ThecasestudyisjointworkwithEricssonCadlab,whowantedtostudyhow some,asmanystandardtechniquesareunabletocopewitharithmetic. onthelevelofcomplexnumbersmeansthatautomaticvericationistrouble- interestedin InthispaperwecontinuetheworkondescribingandverifyingFFTcircuitry, anditappearedintheinternationalconferenceoncomputeraidedverication PaperBiscalled\AutomaticVericationofCombinationalandPipelinedFFTs", Inordertoverifythepipelinedimplementation,wedeviseaspecialpurpose FFTweprovedcorrectinpaperA. byusinglavatoimplementasequential,pipelined,versionofthecombinational simulationandinduction,inadditiontothetheoremprovingtechniqueswe apipelinedcircuitimplementation.thisprooftechniquereliesonsymbolic appliedinordertoverifythecombinationalfftcomponent. prooftechniqueforestablishingcorrespondencebetweenacombinationaland analyses,andimplementtheprooftechniqueasananalysisparametrisedbya WetakeadvantageoftheeasewithwhichLavacanbeextendedwithcustom sequentialandacombinationalcircuit. PaperCiscalled\SymbolicModelCheckingwithSetsofStatesRepresented asformulas".thispaperisarevisedversionoftechnicalreportcs99903, ChalmersUniversityofTechnology. Here,inspiredbytheworkwedidonverifyingsequentialcircuitsbytheorem ingcanbeconvertedtousepropositionallogictheoremprovingratherthanthe provinginpaperb,wepresentanideaforhowstandardsymbolicmodelcheck- morestandardchoiceofbinarydecisiondiagrams(bdds). 8

21 gorithmstouseformulasasasymbolicrepresentationforthesystemthatis analysed.weremovebooleanquantiersthatariseduringstatespacetraversal byapplyinganaiveunfoldingrule.inordertomakesurethattherepresentationsdonotgrowtoomuch,wesuggestanalgorithmforminimisingformulas Thepaperpresentsaconversionofthestandardsymbolicmodelcheckingalformulas. Weconcludethepaperbydiscussinghowtheideatousepropositionalformulas thatusesstalmarck'smethodofpropositionalprooftodetectequivalentsub- asarepresentation,andtheoremprovingtoimplementoperationsontherepresentationcanbeextendedtostrongerlogics,andthepossiblebenetsthereof. Thispaperiscalled\SymbolicReachabilityAnalysisbasedonSAT-solvers".It PaperD appearedintheinternationalconferenceontoolsandalgorithmsfortheconstructionandanalysisofsystems2000,andisjointworkwithparoshabdullvertingstandardmodelcheckingalgorithmstouseformulasandpropositional logictheoremproving.here,werestrictthepresentationtothecaseofsymbolic InthispaperwepresentFIXIT,apracticalimplementationoftheideaofcon- andniklaseen. inpaperc),butourimplementationhandlesthefulllogic. reachabilityanalysis(asingleoperatorfromthetemporallogicthatwascovered Keyelementsofourapproacharetouseaspecialpurposerepresentationfor formulasthatdoessimplereductionsautomatically,andtousesomeextrarules inthequantiertranslatorinsteadofthesinglerulewesuggestedinpaperc. PaperE someexamplesthatareveryhardfortwomaturebdd-basedmodelcheckers. Weillustratethattheresulting,fairlynaive,modelcheckercanstillcopewith Thispaper,\SAT-basedVericationwithoutStateSpaceTraversal",isjoint workwithkoenclaessen.itappearedintheinternationalconferenceonformalmethodsincomputeraideddesign2000. Algorithmsthatavoidthebooleanquantication,butstillusepropositional algorithmswepresentedinpaperdworksverypoorlyforcertainexamples. Thetranslationofbooleanquantiersnecessaryforstatespacetraversalinthe logictheoremproving,arethereforeveryinteresting. sothatitcanndmoreinformation,andmakeitcomplete.furthermore,by Stalmarck'salgorithmratherthanBDDs.Wealsostrengthenthealgorithm fordoingsequentialequivalencecheckingwithoutstatespacetraversal,touse InthispaperweconvertVanEijk'salgorithm,apreviouslypresentedmethod 9

22 examiningtheconnectionbetweenthealgorithmandoverapproximativesymbolicreachabilityanalysis,wedeviseananalogousdualalgorithmandamutual compareresultswithtworelatedmethodsbasedonpropositionallogictheorem proving,andamaturebdd-basedmodelchecker. Weillustratethepoweroftheresultinganalysesonsomebenchmarks,and improvementalgorithm. PaperF,\FindingBugsinanAlphaMicroprocessorusingSatisabilitySolvers", isjointworkwithtimleonardandabdelmokkedem.itisacceptedforpublicationattheinternationalconferenceoncomputeraidedverication2001. Herewepresenttheresultsofusingacombinationoftwomodelcheckingtechniquesbasedonsatisabilitysolverstondbugsinthememorysubsystemof anext-generationmicroprocessor. Therstofthesetechniquesiscalledboundedmodelchecking.Wecompare theperformanceofboundedmodelcheckingtobdd-basedmodelchecking, anddemonstratethatitcanbeusedtoreducetheruntimenecessaryfornding Thisanalysisisaversionofmodelcheckingthatconsistsofablendofabstract certainbugsinrealdesignsfromdaystominutes. ThesecondtechniqueissymbolictrajectoryevaluationbasedonSAT-solving. developingspecications. ocomparedtoboundedmodelcheckingisthatwehavetospendmoretime ofthelengthofminimumfailuretraces,usingnegligibleruntimes.thetradebolictrajectoryevaluationcanbeusedtondverycomplexbugs,interms interpretationandsymbolicsimulation.wedemonstratethatsat-basedsym- Weconcludethepaperbypresentingsomeadviceonusingacombinationofthe twomodelcheckingtechniquesforindustrial-strengthverication. PaperG Thispaperiscalled\SymbolicModelCheckingbasedonSAT-solvers:An logictheoremprovingbypresentingthreedierentapproachesthathaveappearedintheliterature. overviewandtutorial".itisjointworkwithmarysheeranandgunnarstalmarck, Herewegiveanoverviewoftheeldofmodelcheckingbasedonpropositional andissubmittedforpublication. PaperD,andsomeconclusionswehavecometowhileworkingwiththethree toimplementtheanalysesintheresearchmodelcheckerfixitwepresentedin Ourpresentationisgiveninatutorialstyle,andweputemphasisondemonstratinghowthemethodsarerelated.Wepresentsometechniquesthatareused 10