From An Invitation to Formal Methods, a collection of short papers edited by Hossein. Lessons from Hardware Design



Similar documents
Proving the Correctness of Pipelined Micro-Architectures

Model Checking based Software Verification

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

T Reactive Systems: Introduction and Finite State Automata

To appear in the Conference on Computer-Aided Verification, June 21-23, Automatic Verication of. Pipelined Microprocessor Control

Model Checking of Software

Formal Methods at Intel An Overview

Formal Specification and Verification

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

The Course.

Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software

OUTILS DE DÉMONSTRATION

Software Verification/Validation Methods and Tools... or Practical Formal Methods

Automated Theorem Proving - summary of lecture 1

Automatic Verification by Abstract Interpretation


Architecture bits. (Chromosome) (Evolved chromosome) Downloading. Downloading PLD. GA operation Architecture bits

AC : A PROCESSOR DESIGN PROJECT FOR A FIRST COURSE IN COMPUTER ORGANIZATION

Checking. E. M. Clarke O. Grumberg K. L. McMillan X. Zhao

Formal Methods in Security Protocols Analysis

Virtual Instrument and Object Oriented Programming Modules to Enhance Computer Networking Course

Verication Techniques for LOTOS [ISO:8807] was a collaborative project, from 1989 to 1993, funded by the UK SERC/IED research program.

Properties of Stabilizing Computations

The BBP Algorithm for Pi

Randal E. Bryant. Education. Employment

CS Master Level Courses and Areas COURSE DESCRIPTIONS. CSCI 521 Real-Time Systems. CSCI 522 High Performance Computing

Static Program Transformations for Efficient Software Model Checking

Design and Development of Virtual Instrument (VI) Modules for an Introductory Digital Logic Course

University of St. Thomas ENGR Digital Design 4 Credit Course Monday, Wednesday, Friday from 1:35 p.m. to 2:40 p.m. Lecture: Room OWS LL54

Software development process

Model Checking: An Introduction

COMPUTER ENGINEERING DEGREE FOCUS AREAS GUIDE

Rover. ats gotorock getrock gotos. same time compatibility. Rock. withrover 8-39 TIME

A Logic Approach for LTL System Modification

COMPUTER SCIENCE TRIPOS

MATHEMATICS: CONCEPTS, AND FOUNDATIONS Vol. III - Logic and Computer Science - Phokion G. Kolaitis

Technology WHITE PAPER

Formal Verification and Linear-time Model Checking

A Systematic Approach. to Parallel Program Verication. Tadao TAKAOKA. Department of Computer Science. Ibaraki University. Hitachi, Ibaraki 316, JAPAN

Method for Multiplier Verication Employing Boolean Equivalence Checking and Arithmetic Bit Level Description

Chapter 2 Logic Gates and Introduction to Computer Architecture

International Summer School on Embedded Systems

EE361: Digital Computer Organization Course Syllabus

focus Despite more than 30 years effort to improve software quality, guest editors introduction Inspection s Role in Software Quality Assurance

Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

Reasons for need for Computer Engineering program From Computer Engineering Program proposal

Introduction to Automata Theory. Reading: Chapter 1

Protocol for Byzantine Fault Tolerant Clock. Synchronization. Reprint from J. Vytopil, editor: Formal Techniques in Real-Time and Fault-

Building SMT-based Software Model Checkers: an Experience Report

Internet Protocol Address

Best Practices for Verification, Validation, and Test in Model- Based Design

PORT CONTROLLERS FABRIC

Software Verification: Infinite-State Model Checking and Static Program

Jieh Hsiang Department of Computer Science State University of New York Stony brook, NY 11794

High-Mix Low-Volume Flow Shop Manufacturing System Scheduling

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

A Contribution to Expert Decision-based Virtual Product Development

Regular Expressions and Automata using Haskell

35 th Design Automation Conference Copyright 1998 ACM

Oracle Turing machines faced with the verification problem

Software Engineering Transfer Degree

Extending Semantic Resolution via Automated Model Building: applications

The WIMP51: A Simple Processor and Visualization Tool to Introduce Undergraduates to Computer Organization

7 Gaussian Elimination and LU Factorization

TECH. Requirements. Why are requirements important? The Requirements Process REQUIREMENTS ELICITATION AND ANALYSIS. Requirements vs.

ABSTRACT INTRODUCTION MATERIALS AND METHODS

NP-Completeness and Cook s Theorem

Servos. Backup channel. Wing Sweep. Servos. Primary channel. Auxiliary Control Surfaces. Servos

Programming Risk Assessment Models for Online Security Evaluation Systems

Notes on Complexity Theory Last updated: August, Lecture 1

IMPROVING RESOURCE LEVELING IN AGILE SOFTWARE DEVELOPMENT PROJECTS THROUGH AGENT-BASED APPROACH

EE482: Advanced Computer Organization Lecture #11 Processor Architecture Stanford University Wednesday, 31 May ILP Execution

Prot Maximization and Cost Minimization

Design Cycle for Microprocessors

Verifying Semantic of System Composition for an Aspect-Oriented Approach

programming languages, programming language standards and compiler validation

Chapter 1: Key Concepts of Programming and Software Engineering

Describe the process of parallelization as it relates to problem solving.

DIABLO VALLEY COLLEGE CATALOG

Regular Languages and Finite Automata

COMPUTER SCIENCE. FACULTY: Jennifer Bowen, Chair Denise Byrnes, Associate Chair Sofia Visa

Research Design and Research Methods

Computer Organization

MICROPROCESSOR AND MICROCOMPUTER BASICS

Computer Science. General Education Students must complete the requirements shown in the General Education Requirements section of this catalog.

INFOBRIEF SRS. Instructional developers have been working for four SCHOOL MATHEMATICS AND SCIENCE PROGRAMS BENEFIT FROM INSTRUCTIONAL TECHNOLOGY

GameTime: A Toolkit for Timing Analysis of Software

Finite Automata. Reading: Chapter 2

KS3 Computing Group 1 Programme of Study hours per week

Assessment Plan for CS and CIS Degree Programs Computer Science Dept. Texas A&M University - Commerce

SYSTEMS, CONTROL AND MECHATRONICS

Instruction Set Design

Software Verification and System Assurance

Computing Concepts with Java Essentials

ADVANCED SCHOOL OF SYSTEMS AND DATA STUDIES (ASSDAS) PROGRAM: CTech in Computer Science

Computation Beyond Turing Machines

The Binomial Distribution

Domains and Competencies

Transcription:

From An Invitation to Formal Methods, a collection of short papers edited by Hossein Saiedian, IEEE Computer, April 1996, Vol. 29, No. 4, pp. 16{30. Acceptance of Formal Methods: Lessons from Hardware Design David L. Dill John Rushby Computer Science Department Computer Science Laboratory Stanford University SRI International Stanford CA 94305 Menlo Park CA 94025 Dill@cs.stanford.edu Rushby@csl.sri.com Despite years of research, the overall impact of formal methods on mainstream software design has been disappointing. By contrast, formal methods are beginning to make real inroads in commercial hardware design. This penetration is the result of sustained progress in automated hardware verication methods, an increasing accumulation of success stories from using formal techniques, and a growing consensus among hardware designers that traditional validation techniques are not keeping up with the increasing complexity of designs. For example, validation of a new microprocessor design typically requires as much manpower as the design itself, and the size of validation teams continues to grow. This manpower is employed in writing test cases for simulations that run for months on acres of high-powered workstations. In particular, the notorious FDIV bug in the Intel Pentium processor [13], has galvanized verication eorts, not because it was the rst or most serious bug in a processor design, but because it was easily repeatable and because the cost was quantied (at over $400 million). Hence, hardware design companies are increasingly looking to new techniques, including formal verication, to supplement and sometimes replace conventional validation methods. Indeed, many companies, including industry leaders such asat&t, Cadence, Hewlett-Packard, IBM, Intel, LSI Logic, Motorola, Rockwell, Texas Instruments, and Silicon Graphics have created formal verication groups to help with ongoing designs. 1 In many cases, these groups began by demonstrating the eectiveness of formal verication by nding subtle design errors that were overlooked by months of simulation. This work was partially sponsored by DARPA through NASA Ames Research Center Contract NASA-NAG-2-891. 1 See the attendance list for FMCAD [15] at http://www.csl.sri.com/fmcad96/attend.html: there were 190 attendees, with more than half coming from industry. 1

Why have formal methods been more successful for hardware than for software? We believe that the overriding reason is that applications of formal methods to hardware have become cost-eective. The decision to use a new methodology is driven by economics: do the benets of the new method exceed the costs of converting to it and using it by a sucient margin to justify the risks of doing so? The benets may include an improved product (e.g., fewer errors), but those most keenly desired are reduced validation costs and reduced time-to-market (for the same product quality). The chief impediments to applying traditional formal methods are that the costs are thought to be high (e.g., large amounts of highly skilled labor) or even unacceptable (a potential increase in time-to-market), while the benets are uncertain (a possible increase in product quality). Formal hardware verication has become attractive because it has focussed on reducing the cost and time required for validation rather than pursuit of perfection. Of course, hardware has some intrinsic advantages over software as a target for formal methods. In general, hardware has no pointers, no potentially unbounded loops or recursion, and no dynamically created processes, so its verication problem is more tractable. Furthermore, hardware is based on a relatively small number of major design elements, so that investment in mastering the formal treatment of, say, pipelining or cache coherence can pay o over many applications. And the cost of fabricating hardware is much greater than software, so the nancial incentive to reduce design errors is much greater. However, we believe there are some lessons and principles from hardware verication that can be transferred to the software world. Some of these are listed below. Provide Powerful Tools Technology is the primary source of increased productivity in most areas, and especially this one. In particular, tools that use formal specications as the starting point for mechanized formal calculations are the primary source of cost-eective applications of formal methods. This is exactly analogous to the use of mathematical modeling and calculation in other engineering disciplines. Without tools to deliver tangible benets, formal specications are just documentation, and there is little incentive for engineers to construct them, or to keep them up to date as the design evolves. For hardware, a spectrum of tools has evolved to perform formal calculations at dierent levels of the design hierarchy and with dierent benets and costs. At the lowest level are tools that check Boolean equivalence of combinational circuits (this is useful for checking manual circuit optimizations). Techniques based on Ordered Binary Decision Diagrams (BDDs) are able to check large circuits quite eciently, 2

and are now incorporated in commercial CAD tools [3]. At a higher level, designs can often be represented as interacting nite state machines, and tools that systematically explore the combined state space can check that certain desired properties always hold, or that undesired circumstances never arise. Tools based on explicit state enumeration can explore many millions of states in a few hours; tools that represent the state space symbolically (using BDDs) can sometimes explore vast numbers of states (e.g., 10 100 ) in the same time, and can check richer properties (e.g., those that can be specied in a temporal logic, in which case the technique is called \temporal logic model checking") [10]. At the highest levels, or when very complex properties or very large (or innite) state spaces are involved, highly automated theorem proving methods can be used to compare implementations with specications. These theorem proving methods include decision procedures for propositional calculus, equality, and linear arithmetic, combined with rewriting, and induction [7, 8, 2]. In all cases, the tools concerned are highly engineered so that they can deal with very large formulas, and require little or no user interaction when applied in familiar domains. Use Verication to Find Bugs A tool that simply blesses a design at the end of a laborious process is not nearly as impressive to engineers as a tool that nds a bug. Finding bugs is computationally easier than proving correctness, and a potential cost can be attached to every bug that is found, making it easy to see the payo from formal verication. Traditional validation methods already are used primarily as bug-nders, so formal methods are very attractive if they nd dierent bugs from those traditional methods a much more achievable goal than trying to guarantee correctness. Shortcuts can be taken when formal verication is used for nding bugs rather than proving correctness. For example, a system can be \down-scaled" the number or sizes of components can be drastically reduced. For example, a directory-based cache-coherence protocol can be checked with just four processors, one cache line, and two data values such a down-scaled description will still have many millions of states, but will be within reach of state exploration and model checking methods. These methods can check the reduced system completely; in contrast, simulation checks the full system very incompletely. Both techniques nd some bugs and miss others, but the formal methods often detect bugs that simulation does not. For example, cache-coherence bugs have been found in the IEEE standard FutureBus+ [6] and Scalable Coherent Interface (SCI) protocols [17] in just this way. Some researchers are now applying these techniques to software. 3

Formal Techniques Must Be Targeted In hardware, experience shows that control-dominated circuits are much harder to debug than data paths. So eort has gone into developing formal verication techniques for protocols and controllers rather than for data paths. Targeting maximizes the potential payo of formal methods by solving problems that are not handled by other means. Notice that the targeted problems often concern the hardest challenges in design: cache coherence, pipeline (and now superscalar) correctness, and oating point arithmetic. For software, correspondingly dicult and worthwhile challenges include those where local design decisions have complex global consequences, such as the fault-tolerance and real-time properties of concurrent distributed systems. Researchers Should Apply Their Work To Real Problems Our research priorities are completely dierent from what they would have been, had we not exercised our ideas on realistic problems. Such eorts have frequently raised interesting new theoretical problems, as well as highlighting the need for improvements in tools. Of course, applying verication strategies to real problems is also crucial for building credibility. There is now a long string of success stories from academia and industry where nite-state verication techniques have been applied to hardware and protocols. A few documented examples include the protocol bugs mentioned above in FutureBus+ (found using symbolic model checking with a version of CMU's SMV system [10]) and SCI (found using explicit state enumeration with Stanford's Murphi verier [9]), and formal verication of the microarchitecture and microcode of the Collins AAMP5 [16] and AAMP-FV avionics processors (using theorem proving with SRI's PVS system [12]). Several groups have also demonstrated the ability to detect bugs in the quotient-prediction tables of SRT division algorithms (similar to the Pentium FDIV bug), and some have been able to verify specic SRT circuits and tables [5, 14, 4, 11]. There have also been many unpublicized examples of problems found by industrial formal verication groups, which have helped them build credibility among designers and managers in their companies. Conclusion We attribute the growing acceptance of formal methods in commercial hardware design to the power and eectiveness of the tools that have been developed, to the pragmatic character of the ways in which those tools have been applied, and to the overall cost-eectiveness and utility that has been demonstrated. We believe that formal methods can achieve similar success in selected software applications by following the same principles. 4

References [1] Rajeev Alur and Thomas A. Henzinger, editors. Computer-Aided Verication, CAV '96, volume 1102 of Lecture Notes in Computer Science, New Brunswick, NJ, July/August 1996. Springer-Verlag. [2] Clark Barrett, David Dill, and Jeremy Levitt. Validity checking for combinations of theories with equality. In Srivas and Camilleri [15], pages 187{201. [3] Randal E. Bryant. Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293{318, September 1992. [4] Randal E. Bryant. Bit-level analysis of an SRT divider circuit. In Proceedings of the 33rd Design Automation Conference, pages 661{665, Las Vegas, NV, June 1996. [5] E. M. Clarke, S. M. German, and X. Zhao. Verifying the SRT division algorithm using theorem proving techniques. In Alur and Henzinger [1], pages 111{122. [6] Edmund M. Clarke, Orna Grumberg, Hiromi Haraishi, Somesh Jha, David E. Long, Kenneth L. McMillan, and Linda A. Ness. Verication of the Futurebus+ cache coherence protocol. Formal Methods in System Design, 6(2):217{232, March 1995. [7] D. Cyrluk, S. Rajan, N. Shankar, and M. K. Srivas. Eective theorem proving for hardware verication. In Ramayya Kumar and Thomas Kropf, editors, Theorem Provers in Circuit Design (TPCD '94),volume 910 of Lecture Notes in Computer Science, pages 203{222, Bad Herrenalb, Germany, September 1994. Springer-Verlag. [8] David Cyrluk, Patrick Lincoln, and N. Shankar. On Shostak's decision procedure for combinations of theories. In M. A. McRobbie and J. K. Slaney, editors, Automated Deduction CADE-13, volume 1104 of Lecture Notes in Articial Intelligence, pages 463{477, New Brunswick, NJ, July/August 1996. Springer- Verlag. [9] David L. Dill. The Mur verication system. In Alur and Henzinger [1], pages 390{393. [10] Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, Boston, MA, 1993. [11] Paul S. Miner and James F. Leathrum, Jr. Verication of IEEE compliant subtractive division algorithms. In Srivas and Camilleri [15], pages 64{78. 5

[12] Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal verication for fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107{125, February 1995. [13] Vaughan Pratt. Anatomy of the Pentium bug. In TAPSOFT '95: Theory and Practice of Software Development, volume 915 of Lecture Notes in Computer Science, pages 97{107, Aarhus, Denmark, May 1995. Springer-Verlag. [14] H. Rue, N. Shankar, and M. K. Srivas. Modular verication of SRT division. In Alur and Henzinger [1], pages 123{134. [15] Mandayam Srivas and Albert Camilleri, editors. Formal Methods in Computer- Aided Design (FMCAD '96), volume 1166 of Lecture Notes in Computer Science, Palo Alto, CA, November 1996. Springer-Verlag. [16] Mandayam K. Srivas and Steven P. Miller. Formal verication of the AAMP5 microprocessor. In Michael G. Hinchey and Jonathan P. Bowen, editors, Applications of Formal Methods, Prentice Hall International Series in Computer Science, chapter 7, pages 125{180. Prentice Hall, Hemel Hempstead, UK, 1995. [17] Ulrich Stern and David L. Dill. Automatic verication of the SCI cache coherence protocol. In Advanced Research Working Conference on Correct Hardware Design and Verication Methods, pages 21{34. IFIP WG10.5, 1995. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information