Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL

Tutorial ??
Formal Methods for
Hardware Veriﬁcation:
Overview and Application to VHDL
Carlos Delgado Kloos, Peter T. Breuer
Universidad Polit´ecnica de Madrid
<{cdk,ptb}@dit.upm.es>
VDHL-Forum for CAD in Europe – Nantes, 24 April 1995 1

Introduction Outline ??
⋆ Formal Hardware Veriﬁcation Approaches
⋆ Theorem Proving
⋆ Model Checking
⋆ Formal Reasoning with VHDL
⋆ Semantics
⋆ Logic
⋆ Algebra

Motivation Citation ??
“If you are faced by
a diﬃculty or a controversy in science,
an ounce of algebra is worth a ton of verbal argument.”
J.B.S. Haldane

Motivation Bryants comparison ??
simulate exhaustively a 256 bit RAM
⇒ 1080 possible combinations of input and state
⋆ use all matter in galaxy to build computers (1017 kg)
⋆ let each computer have the size of an electron (10−30 kg)
⋆ let each computer simulate 1012 cases per second
⋆ start simulation at the time of Big Bang (1010 years ago)
by now, we would have simulated 0, 05% of all cases

Motivation Pentium ??
The top ten reasons to buy a PENTIUM Machine:
10. Your current computer is too accurate.
9. You want to get into the Guiness book as
“Owner of Most Expensive Paperweight”.
8. Math errors add zest to life.
7. You need an alibi for the I.R.S.
6. You want to see what all the fuss is about.
5. You’ve always wondered what it would be like to be a plaintiﬀ.
4. The “Intel Inside” logo matches your decor perfectly.
3. You no longer have to worry about CPU overheating.
2. You got a great deal from JPL.
1. It’ll probably work.

Motivation Trends ??
⋆ systems are growing larger
⋆ systems are growing more complex
⋆ design teams are growing larger
⋆ time to market is getting more critical

Theorem proving Classiﬁcation ??
Systems that manipulate an object language
⋆ Term rewrite systems
⋆ Transformational systems
⋆ Theorem provers
There is a convergence of these kinds of systems

Theorem proving Theorem provers ??
Systems that help to prove theorems
⋆ Proof checkers
a posteriori check (eg. MIZAR)
⋆ Proof assistants
user guided proof, strategies can be deﬁned, forward and back-
ward proof
(eg. LCF, HOL, Isabelle, Veritas+)
⋆ Automatic theorem provers
(eg. Nqthm)

Theorem proving Comparison ??
⋆ Degree of interaction
⋆ Object language: underlying logic
⋆ Meta language: command language
⋆ Kinds of proofs
⋆ Proof management

Theorem proving Nqthm ??
The Boyer-Moore Theorem Prover
⋆ Quantifier-free first-order classical logic with equality
(free variables are implicitly universally quantified)
⋆
⋆
⋆

Theorem proving The LCF family ??
LCF = Logic for Computable Functions
⋆ Stanford LCF: proof checker with fixed commands (Scott 71–72)
⋆ Edinburgh LCF: meta-language: ML, object-language: PPλ (Mil-
ner 75–79)
⋆ Cambridge LCF: meta-lenguage: Standard ML, object-language:
PPλ (improved) (Paulson 84)
⋆ Göteborg LCF: supports Martin-Löf’s type theory (Petersson 82)
⋆ Cambridge HOL: meta-lenguage: ML, object-language: Higher-
Order Logic (Gordon 80–)

Theorem proving LCF-related provers ??
⋆ Veritas: meta-language: Miranda, object-language: Higher-Order
Intuitionistic Logic (Hanna, Daeche 85–)
⋆ Isabelle: meta-language: ML, object-language: parametrizable
(Paulson 86–)
⋆ Lambda: meta-language: Poly-ML, object-language: Higher-Order
Polymorphic Predicate Calculus of Partial Terms, interfaced to CAD-
system

Theorem proving Theory ??
A formal logic consists of
⋆ a notation (a set of well-formed formulas)
⋆ a ﬁnite set of axioms
⋆ a ﬁnite set of inference rules
A formal proof is a sequence of well-formed formulas f1, f2, ..., fn,
such that for all i
⋆ fi is an axiom, or
⋆ fi can be derived from {f1, f2, ..., fn} using an inference rule

Theorem proving HOL expressions ??
The expressions in HOL can be:
⋆ constants 1: num, +: num->num->num
⋆ variables x: num, x: num->bool
⋆ abstractions λx.(λy.x+y)
⋆ applications (λx.(λy.x+y)1)2

Theorem proving HOL types ??
The types in HOL can be:
⋆ atomic types bool, num
⋆ compound types num*bool, num->num->num
⋆ polymorphic types ’a->’b, (’a->bool)->bool

Theorem proving HOL ??
The Object Language HOL comprises
⋆ Typed λ-Calculus (functions, including higher-order)
⋆ Polymorphic objects (parametric polymorphism)
⋆ Higher-order Logic (quantiﬁers over values, predicates, etc.)
It can be manipulated from the Metalanguage ML (which is quite
similar).

Theorem proving Axioms ??
There are only 5 axioms in HOL: 4 for the theory of bool
⋆ ⊢ ∀t. (t=T) ∨ (t=F)
⋆ ⊢ ∀t1 t2. (t1⇒t2)⇒(t2⇒t1)⇒(t1=t2)
⋆ ⊢ ∀t. (λx. t x)=t
⋆ ⊢ ∀P x. P x ⇒P(ǫ P)
and one for the theory of ind
⋆ ⊢ ∃f. ONE ONE f ∧ ¬ ONTO f

Theorem proving Inference rules ??
There are only 8 primitive inference rules:
{t} ⊢ t ⊢ t=t ⊢ (λx.t1)t2 = t1[t2/x]
Γ1 ⊢ t1 ⇒ t2 Γ2 ⊢ t1
Γ1 ∪ Γ2 ⊢ t2
Γ ⊢ t1=t2
Γ ⊢ (λx.t1)=(λx.t2)
Γ ⊢ t2
Γ − {t1} ⊢ t1 ⇒ t2
Γ1 ⊢ t1=t2 Γ2 ⊢ t[t1]
Γ1 ∪ Γ2 ⊢ t[t2]
Γ ⊢ t
Γ ⊢ t[s1, ... sn/’a, ... ’n]

Theorem proving Theories ??
All information (types, constants, axioms, theorems, etc.)
is hierarchically structured in theories:
⋆ pairs
⋆ natural numbers
⋆ lists
⋆ primitive recursion
⋆ arithmetic
⋆ trees
⋆ etc.

Theorem proving Proof styles ??
There are essentially two ways to proceed:
⋆ Forward proof:
(Primitive or derived) inference rules are applied to (axioms or)
theorems until the desried theorem is proved
⋆ Backward proof:
A goal (a sequent to be proved into a theorem) is successively
decomposed into subgoals, until there are already proved theo-
rems

Theorem proving Example (J. Joyce) ??
i1
i2
x o2
⋆ specify behavioural models for NAND and NOT
⋆ specify intended behaviour of AND
⋆ specify implementation of AND in terms of NAND and NOT
⋆ prove that implementation satisﬁes intended behaviour for AND

Theorem proving Example (Specs) ??
Behaviours:
⊢def NAND(i1,i2,o1) ≡ o1 = ¬(i1∧i2)
⊢def NOT(i1,o1) ≡ o1 = ¬ i1
⊢def ANDspec(i1,i2,o1) ≡ o1 = i1∧i2
Structure:
⊢def ANDimpl(i1,i2,o1) ≡ ∃x. NAND(i1,i2,x) ∧ NOT(x,o1)

Theorem proving Example (Correctness) ??
⋆ Strong correctness
ANDimpl(i1,i2,o1) ≡ ANDspec(i1,i2,o1)
⋆ Weaker correctness
ANDimpl(i1,i2,o1) ⇒ ANDspec(i1,i2,o1)

Theorem proving Example (Proof) ??
1) ANDimpl(i1,i2,o1) {initial formula}
2) ∃x. NAND(i1,i2,x) ∧ NOT(x,o1) {def ANDimp}
3) NAND(i1,i2,x) ∧ NOT(x,o1) {strip oﬀ ∃x}
4) NAND(i1,i2,x) {left conjunt of 3)}
5) x=¬(i1∧i2) {def NAND}
6) NOT(x,o1) {right conjunt of 3)}
7) o1=¬x {def NOT}
8) o1=¬(¬(i1∧i2)) {subst. 5) in 7)}
9) o1=(i1∧i2) {simplify ¬¬t=t}
10) AND(i1,i2,o1) {def AND}
11) ANDimpl(i1,i2,o1) ⇒ AND(i1,i2,o1) {discharge assumption 1)}

Theorem proving Pros ??
⋆ generality
⋆ ﬂexibility
⋆ expresiveness
⋆ exploitation of regularity, hierarchy and abstraction
⋆ proof security
⋆ user extensibility

Theorem proving Cons ??
⋆ long learning curve
⋆ large expertise needed
⋆ requires deep knowledge of mathematics and logic
⋆ tedious proofs

Theorem proving Achievements ??
Several microprocessors have been veriﬁed
⋆ FM8501 (Nqthm, Warren Hunt, Univ. Texas, 1986)
⋆ Viper (HOL, Avra Cohn, Univ. Cambridge, 1988)
⋆ Tamarack-3 (HOL, Jeﬀ Joyce, Univ. Cambridge, 1989)
⋆ AVM–1 (HOL, Phil Windley, Univ. California, Davis, 1990)

Theorem proving The future ??
⋆ higher temporal complexity (pipelines, asynch. systems, real-time)
⋆ higher data complexity (IEEE floating point std, ...)
⋆ higher-level specifications (hardware/software verification, ...)
⋆ verification of classes of designs (microproc. families, ...)
⋆ verification of an ATM network (Fairisle)
⋆ TkHolWorkbench (a GUI for HOL)
⋆ BDDs in HOL
⋆ HOL 2000 initiative
⋆ several logic embeddings (CCS, TLA, Unity, Noden, ...)

Theorem proving More info about Nqthm ??
⋆ Computational Logic Inc.
1717 W. 6th St., Suite 290
Austin, TX 78703-4776, USA
⋆ <Software-Request@cli.com>
http://www.cli.com/
⋆ R.S. Boyer, J.S. Moore: A Computational Logic Handbook,
Academic Press 1988

Theorem proving More info about HOL ??
⋆ Cambridge Univ. Computer Laboratory
Pembroke Street, GB–Cambridge CB2 3QG, England (UK)
⋆ Sara Kalvala <sk@cl.cam.ac.uk>
http://www.comlab.ox.ac.uk/archive/formal-methods/hol.html (info)
http://lal.cs.byu.edu/lal/getting-hol.html (tool)
⋆ M. Gordon, T. Melham (eds.): Intr. to HOL: A Theorem Proving
Environment for Higher Order Logic, Cambridge Univ. Press 93
⋆ 8th International Workshop on Higher Order Logic Theorem Prov-
ing and its Applications, Utah September 11–14, 1995

Theorem proving More info about LAMBDA ??
⋆ LAMBDA: Logic and Mathematics Behind Design Automation
⋆ Abstract Hardware Ltd.
The Howell Building, Brunel University Science Park
GB–Uxbridge UB8 3PH, England (UK)
⋆ <lambda@ahl.co.uk>

Model checking Model of Computation ??
⋆ Finite state systems are modeled by labelled state-transition graphs
(Kripke structures)
⋆ Given an initial state, the structure can be unwound to an in-
finite tree (computation tree), whose paths represent possible
behaviours
⋆ A temporal logic is used to express properties of behaviours
⋆ Verification is carried out by exhaustive search of the state space
⋆ To speed up verification, efficient representation techniques are
used based on binary decision diagrams.

Model checking Temporal Logics ??
⋆ In a linear temporal logic, the operators describe events along a
single computation path
⋆ In a branching temporal logic, the operators describe events along
several computation paths
⋆ path quantiﬁers:
A (for every path), E: there exists a path
⋆ linear time operators:
Xf (f holds next time)
Ff (f holds sometime in the future)
Gf (f holds globally in the future)
fUg (f holds until g holds)

Model checking CTL: theory ??
Every atomic formula is a CTL formula.
If f and g are CTL formulae, then so are
¬f (not f)
f ∧ g (f and g)
AXf (for all paths, f holds in the next state)
EXf (for some path, in which f holds in the next state)
AFf (for all paths, f holds eventually)
EFf (for some path, in which f holds eventually)
AGf (for all paths, f holds in every state)
EGf (for some path, in which f holds in every state)
A(fUg) (for all paths, f holds until g holds)
E(fUg) (for some path, f holds until g holds)

Model checking CTL: some operators ??
M, s AF x M, s EF x M, s EG x

Model checking CTL: examples ??
⋆ AG(EF greenNS): always it is possible to get to the greenNS
state (at a traﬃc light) [liveness property]
⋆ AG(¬(greenNS∧greenEW )): never both greenNS and greenEW
hold (both lights are green)[safety property]
⋆ AG(req ⇒ AF ack): if a request occurs, it will be eventually
acknowledged
⋆ EF(started∧¬ready): it is possible to get to a state where started
holds, but ready does not hold.

Model checking Model Checking Problem ??
⋆ Let M be the Kripke structure representing the behaviour of a
system,
⋆ let f be a temporal logic formula representing a property to check,
⋆ the objective is to ﬁnd all states s of M that satisfy the formula
f: M, s f
⋆ in fact, there exist very eﬃcient algorithms for the logic CTL
(Clarke, Emerson and Sistla, ACM TOPLAS 8:2, 1986)
⋆ complexity linear in size of M and f

Model checking Model Checking Algorithm ??
M, s0 EGa ∧ AFb?

Model checking OBDDs ??
DAG-representation of Boolean functions

The importance of the variable ordering

⋆ S. Akers: Binary Decision Diagrams, IEEE Trans. Computers C–
27:6, June 78
⋆ R. Bryant: Graph-Based Algorithms for Boolean Function Ma-
nipulation, IEEE Trans. Computers C–35:8, August 86

Model checking Symbolic Model Checking ??
⋆ Representing state-transition graphs with OBDDs
⋆ The transition relation can be seen as a boolean formula
⋆ T(v1, ..., vn, v′
1, ..., v′
n), where (v1, ..., vn) represents the current state
and (v′
1, ..., v′
n) the next state
⋆ T is represented by a OBDD.

Model checking Pros ??
⋆ decision procedure completely automated: no proofs!
⋆ fast
⋆ counter-examples
⋆ symbolic techniques allow to handle a big number of states

Model checking Cons ??
⋆ speciﬁcation is enumeration of desired properties
⋆ completeness problem
⋆ state explosion problem
⋆ large data paths can introduce many states
⋆ no taking advantage of parametrization
⋆ temporal formulas can be diﬃcult to understand

Model checking Achievements ??
⋆ Formal veriﬁcation of the IEEE Futurebus+ cache consistency
protocol
(precise model deﬁned, bugs found) Clarke et al. 93
⋆
⋆
⋆

Model checking Some references ??
⋆ J. Burch, E. Clarke, et al.: Symbolic Model Checking: 1020 States
and Beyond, Conf. Logic in Computer Science 1990.
⋆ O. Coudert, J.C. Madre, C. Berthet: Verifying Teporal Properties
of Sequential Machines without Building their State Diagram,
DIMACS Worksh. Computer-Aided Veriﬁcation, June 1990
⋆ Th. Filkorn: A Method for Symbolic Veriﬁcation of Synchronous
Circuits, CHDL’91, April 1991

Conclusion Other approaches ??
⋆ Symbolic trajectory evaluation
similar to conventional simulation
considers symbols rather than actual values
VOSS, COSMOS
⋆ Automata-based Systems
COSPAN
⋆ Tautology checkers
Checking of combinational circuits
TACHE

Conclusion Combining approaches ??
⋆ HOL with a model checker
⋆ HOL with COSMOS [Bryant, Seger]
⋆ HOL with VOSS [Joyce, Seger]
⋆ embedding VHDL in HOL [van Tassel, Kropf]
⋆ a VDHL simulator in Acl2 [Boyer, Hunt]
⋆ interfacing HOL to GENESIL (silicon compiler) [Rushby]
⋆ Prevail calling Nqthm or Tache [Borrione, Pierre]

Conclusion Conclusions ??
⋆ the ﬁeld of formal methods is old
⋆ ﬁrst breakthroughs obtained recently
⋆ still primarily academic work
⋆ increasing interest of industry (Siemens, Bull, some CAD vendors)
⋆ still a long way to go

Conclusion Citation ??
“It is now a well-established phenomenon
that what is highly abstract
for a generation of mathematicians
is just commonplace for the next one.”
J. Dieudonn´e

Semantics Classical VHDL simulations ??
A VHDL signal is associated with a driver.
0 1 2 3 4 . . . future time →
Signal
VHDL signal assignments write to the driver.
VHDL wait statements read the driver and suspend execution of the
process until a time determined by the evolving condition of the driver.

Semantics Example 1 ??
Initial driver.
0 1 2 3 4 ...
Signal
future time
X <= transport 1.0 after 3 ns
Driver is altered.
0 1 2 3 4 ...
Signal
future time

Initial driver.
0 1 2 3 4 ...
Signal
future time
wait until X=1
Final driver:
0 1 2 3 4 ...
Signal
future time
Driver is essentially unaltered, but time has moved on.

Semantics Semantics of VHDL ??
VHDL statements relate:
1. an old driver set to a new driver set;
2. an old current timepoint to a new current timepoint;
3. a previous history to an extended history.
H × DS × T ↔ H × DS × T
The combination of history plus driver set is called a ‘world line’.
WL × T ↔ WL × T

X=0
X=0
X=0
X=0
X=1
T=1
T=2
T=3
X=0X=0 T=0
X=0X=0 T=-1
X <= transport 1.0 after 2 ns
X=1
Time
Initial WL Final WL
⋆ A transport assignment re-
lates two worldlines and two
current timepoints.
⋆ The timepoint has to be the
same either side, because the
statement takes no physical
time to execute.

X=0X=0
X=1
T=1
T=2
T=3
X=0X=0 T=0
X=0X=0 T=-1
X=1
Time
Initial WL Final WL
wait until X=1
X=1
X=1
⋆ A wait statement relates two
worldlines with the same sig-
nal values – for the signals of
the controlling process.
⋆ Other signals may diﬀer in any
way possible.
⋆ But time moves on.

X=0
X=1
X=0
X=0
X=1
Final WL
wait until X=1
X=0 T=1
T=2
T=3
X=0 T=0
X=0 T=-1
X=1
X=1
X=0 T=1
T=2
T=3
X=0 T=0
X=0 T=-1
Time
Initial WL Intermediate WL
X=0
X=0
X<=1 after 2 ns;
⋆ Two statements in se-
quence compose via re-
lational composition.

Semantics Process semantics ??
A process relates:
⋆ An initial worldline to a final worldline.
Note that:
⋆ The initial timepoint is zero. The final timepoint is ∞
⋆ The body of the process repeats ad infinitum.

Semantics A simple oscillator circuit ??
?
?
X <=not X after 2 ns
wait on X
begin
X <= transport not X after 2 ns
wait on X
end

X=0
X=1
X=0
X=0
X=1
Final WL
X=0 T=1
T=2
T=3
X=0 T=0
X=0 T=-1
X=1
X=1
X=0 T=1
T=2
T=3
X=0 T=0
X=0 T=-1
Time
X=0
X=0
X<=not X after 2 ns; wait on X

X=0
X=1
X=0
X=0
X=1
X=0 T=1
T=2
T=3
X=0 T=0
X=0 T=-1
X=1
X=1
X=0 T=1
T=2
T=3
X=0 T=0
X=0 T=-1
Time
Initial WL
X=0
X=0
X=0
Final WL
X=0
Initial WL
X=1
X<=¬ X after 2 ns;
X <=¬ X after 2 ns;
X=1
X=1
X=1
X=0
X=0
X=0
X=0
X=1
X=1
process
begin X <= transport ¬ X after 2 ns ; wait on X ; end
wait on X
wait on X
T=1
T=2
T=3
T=4
T=5 T=5
T=4
T=3
T=2
T=1

Semantics Time and processes ??
A process relates the initial world line with T=0 and the ultimate
world line with T=∞, but we are interested in what happens before
then.
A logical treatment will require two kinds of logic:
⋆ execution until termination;
⋆ execution until suspension.
Suspension corresponds to looking at intermediate worldlines.
Pressing ‘Ctrl-Z’.

Semantics Process semantics ??
. . .
. . . .
. . . . . . ..
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
.
.
.
.
. . ..
.
.
.
.
. . ..
.
.
.
.
. . . . . ..
.
.
.
.
WL0
WL1
WL2
T=3
T=2
T=1
T=0
T=1
T=2
T=3
X=1
X=1
X=0
X=0
X=0
X=1
X=1
X=0
X=1
X=1
X=0
X=0
X=1
X=1
A process relates developing worldlines to each other

Semantics Processes and parallelism ??
⋆ Processes in parallel have the semantics of the intersection of
relations.
⋆ They have to agree on how world lines change and how long the
change takes.
⋆ Knowledge of the driver set, history, and time are all shared ‘in-
stantaneously’ between processes.

Semantics A simple follower circuit ??
?
?
Y <= X after 1 ns
wait on X
wait on X;
Y <= transport X after 1 ns;
process begin
end

Semantics Oscillator and follower in parallel ??
?
?
?
?
wait on X
Y <= X after 1 ns
wait on X
process
begin
X <= not X after 2 ns;
end
process
begin
Y <= X after 1 ns;
wait on X;
end
wait on X;
X <= not X after 2 ns

X=0
X=1
X=0
X=1
Final WL
X=0 T=1
T=2
T=3
X=0 T=0
T=-1
X=1
X=1
X=0 T=1
T=2
T=3
X=0 T=0
T=-1
Time
wait on XY<= X after 1 ns;
X<= ¬X after 2 lns; wait on X
X=1
X=1
X=1
X=1 X=1
Y=1
Y=1 Y=1
Y=1
Y=0
Y=0
Y=0
Y=1
Y=1
Y=1
Y=1
Y=1
Y=0
Y=0
Y=0

Semantics A useful theorem ??
⋆ Take the ultimate world line and feed it back in again to a process
as its initial world line, then the same world line comes out again.
⋆ So, look for invariant world lines.
⋆ Especially helpful when calculating for parallel processes.
⋆ A world line developed by process 1 can be used as a background
against which process 2 is evaluated.

Logic Plan ??
⋆ Insert predicative assertions and timing information in the gaps
between VHDL statements.
⋆ Predicates contain temporal modalities: “it will rain tomorrow”.
⋆ ⊙(x = 1) means “x = 1 will hold in the next instant”. This is the
same as ⊙x = 1.
⋆ x = ⊙x means “x will change in the next instant”.
⋆ Timed pre- and post- assertions {p, t1} s {q, t2} across statements
s are connected via a formal programming logic of triples.

Logic Meaning ??
The Hoare triple
Sρ : {P, T1} a {Q, T2}
means
if a begins to execute at time T1 and condition P holds then,
then, if it ﬁnishes at time T2, Q will hold then.
This is the logic of termination, denoted by S.

Logic Example 9 ??
Look at the oscillator process using the logic of termination.
{X= ⊙X,T}
X <= transport (not X) after 2 ns ;
{X= ⊙X= ⊙2X= ⊙3X,T}
wait on X ;
{⊙−2X= ⊙−1X=X= ⊙X,T+2}
The final condition (X has been stable and now will be stable with
a different value) has been forced by the initial condition (X is mo-
mentarily stable).
Note that the initial condition is re-established as the second part of
the final condition.

Logic Meaning ??
The Hoare triple
S′ρ : {P, T1} a {Q, T2}
means
if a begins to execute at time T1 and condition P holds then,
then, if it is suspended at time T2, Q will hold then.
This is the logic of suspension, denoted by S′.

Logic Example 10 ??
Now look using the logic of suspension. Suspension can only happen
in a blocked wait statement; everything else takes zero time.
Start with the condition established under the logic of termination.,
{⊙−2X= ⊙−1X=X= ⊙X,T}
X <= transport (not X) after 2 ns ;
{⊙−2X= ⊙−1X=X= ⊙X= ⊙2X= ⊙3X,T}
wait on X ;
{⊙−2X= ⊙−1X=X= ⊙X,T} ∨
{⊙−2X= ⊙−1X=X= ⊙X,T+1}
The ﬁnal condition is that X either has just changed or is just about
to change.

Logic Process logic ??
A process never terminates; it can only be suspended.
Suspension occurs within the process body, after some non-negative
number of executions of the body to termination.

Logic Example 11 ??
Each oscillator cycle takes 2ns. At this time, termination establishes
and thereafter re-establishes the condition:
{⊙−2X= ⊙−1X=X= ⊙X,T}
and then suspension sets up
{⊙−2X= ⊙−1X=X= ⊙X,T} ∨ {⊙−2X= ⊙−1X=X= ⊙X,T+1}

Logic The use of a useful theorem ??
{⊙−2X= ⊙−1X=X= ⊙X ∧ even(T)} ∨ {⊙−2X= ⊙−1X=X= ⊙X ∧ odd(T)}
is an invariant of the oscillator process body under the termination
and suspension semantics.

Logic Logical Rules ??
We reason by deriving one Hoare triple of the programming logic from
earlier derived Hoare triples.
The rules of reasoning take the form of
top
bottom
[condition]
in which the bottom is allowed to be derived from the top when
condition holds. Several hypotheses may appear:
top1 top2 top3 . . .
bottom
[condition]
or none
bottom
[condition]
in which case the rule represents an axiom.

Logic The S-logic for termination - seq ??
[∀T ∈ [T1, T2]]
Sρ : {P, T1} a {QAT, T} Sρ : {QBT, T} b {R, T2}
Sρ : {P, T1} a ; b {R, T2}
[QA → QB] (1)
If a sequence a;b runs to termination between times T1 and T2, then
it does so by running a from T1 to termination at some intermediate
time T, then running b to termination at T2.

Logic Example 12 ??
Take two consecutive signal assignments, each delayed by 1ns.
After the second, it will be the case that x is planned to be equal to
2 next.
Sx : {true, 3} x <= 1 after 1ns {⊙x = 1, 3} Sx : {true, 3} x <= 2 after 1ns {⊙x = 2, 3}
Sx : {true, 3} x <= 1 after 1ns ; x <= 2 after 1ns {⊙x = 2, 3}
The precondition for the second assignment is true, so it does not
matter what condition the ﬁrst statement sets up.

Logic Example 13 ??
Waiting for 1ns makes the things that are promised to happen next,
happen.
Sx : {⊙x = 1, 3} null {⊙x = 1, 3}
Sx : {⊙x = 1, 3} wait for 1 {x = 1, 4}
Waiting for 2ns is waiting for 1ns twice.
Sx : {⊙x = 1, 3} wait for 1 ; wait for 1 {⊙−1x = 1, 5}
Sx : {⊙x = 1, 3} wait for 2 {⊙−1x = 1, 5}

Logic The S-logic for termination - wait for ??
Sρ : {⊙P, T1} null {⊙Q, T2 − 1}
Sρ : {P, T1} wait for 1 {Q, T2}
Sρ : {P, T1} wait for 1 ; wait for n {Q, T2}
Sρ : {P, T1} wait for n + 1 {Q, T2}
(2)
A wait for 1ns will terminate (in 1ns). The (local) conditions that
hold then are those that are promised to hold now.
Longer waits are sequences of shorter ones.

Logic The S-logic for termination - wait on ??
A wait on can be viewed as a loop:
wait on x = do wait for 1ns while x = ⊙−1x
Sρ : {P∧x=⊙x, T1} wait for 1; wait on x {Q, T2} Sρ : {P∧x=⊙x, T1} wait for 1 {Q, T2}
Sρ : {P, T1} wait on x {Q, T2}
(3)
To run a wait to termination between times T1 and T2 either the
waited on variable has to be about to change, in which case we do
a wait for 1ns and terminate at T2=T1+1, or it isn’t, in which case we
have to wait for 1ns and then wait longer.

Logic The S-logic for termination - if ??
This logic requires us to be able to get to a desired postcondition
along either path down an if. In each branch we can assume the
appropriate extra precondition.
Sρ : {P ∧ c, T1} b1 {Q, T2} Sρ : {P ∧ ¬c, T1} b0 {Q, T2}
Sρ : {P, T1}if c then b1 else b0{Q, T2}
(4)
Example:
Sxy : {true ∧ x = 0, 4} y <= 1 after 1ns {y = 0, 4}
Sxy : {true ∧ x = 0, 4} y <= 2 after 1ns {y = 0, 4}
Sxy : {true, 4}if x = 0 then y <= 1 after 1ns else y <= 2 after 1ns{y = 0, 4}

Logic The S-logic for termination - while ??
While loops can be read as sequences of if branches.
while c do b = if c then b; while c do b else null
Sρ : {P ∧ c, T1} b; while x do b {Q, T2} Sρ : {P ∧ ¬c, T1} null {Q, T2}
Sρ : {P, T1}while c do b{Q, T2}
(5)
Example:
Sx : {true ∧ x = 0, 4} wait on x; while x = 0 do wait on x {x = 0, 5}
Sx : {true ∧ x = 0, 4} null {x = 0, 5}
Sx : {true, 4}while x = 0 do wait on x{x = 0, 5}

Logic The S-logic for termination - null ??
The simplest things are the hardest!
A null command won’t execute over a non-zero time, so anything we
care to say about this (impossible) situation is valid.
Sρ : {P, T1} null {Q, T2}
[T1 = T2] (6)
Over a zero time interval, a null command does nothing, so getting
from precondition P to postcondition Q requires that P entails Q at
that time.
Sρ : {P, T} null {Q, T}
[⊙T(P → Q)] (7)

Logic The S′-logic for suspension - seq ??
[∀T ∈ [T1, T2]]
Sρ : {P, T1} a {QT, T} S′ρ : {QT, T} b {R, T2}
S′ρ : {P, T1} a {R, T2}
S′ρ : {P, T1} a ; b {R, T2}
(8)
If a sequence a;b runs to suspension between times T1 and T2, then
it does so by either
1. running a from T1 to suspension at T2, or
2. running a to completion at some intermediate time T, then running
b to suspension at T2.

Logic Other parts of the S′-logic for suspension ??
The sequence logic of suspension is the only part that refers back to
the termination logic.
In general, suspension logic is simpler than termination logic.
⋆ Many constructs cannot suspend at all, so have no rules for rea-
soning about suspensions!
NULL and signal assignment are examples of constructs that can-
not suspend. WHILE loops can only suspend in the body.
⋆ WAIT statements cannot exit under suspension logic. They have
to be suspended strictly before they exit.

Logic The S′-logic for suspension - wait for ??
S′ρ : {P, T} wait for 1 {Q, T}
[⊙T(P → Q)] (9)
Example:
S′x : {x = 1, 3} wait for 1 {x = 0, 3}
[⊙3(x = 1 → x = 0)]

Logic Summary ??
The logic used here is weak in the sense that if we prove
S′ : {P, T1}foo{Q, T2}
then we have not proved that statement foo will suspend at time T2.
We have proved that if it is suspended at time T2, then condition Q
will hold then.
(Ditto for termination).
But processes can be suspended at any time. So the logic is always
applicable.

Logic Conclusion ??
Logic is useful for reasoning about the properties of VHDL descrip-
tions.

Algebra Another approach ??
Another approach to VHDL is to construct a process algebra.
An algebra is a set of equations asserting behavioural equivalences
between diﬀerent code fragments.
For example:
x <= 2 after 3ns; x <= 1 after 2ns = x <= 1 after 2ns
The algebra can be used to prove or disprove equivalences between
diﬀerent formulations.

Algebra Synthesis ??
The algebra has a “pure” component that only refers to events and
processes, and a “code” component that contains only VHDL.
Generally, algebra expressions are mixed (impure).
A pure process algebra description can be represented as a state
transition diagram.
The diagram can be transformed slowly via the algebraic laws into
VHDL code.
What comes out is code that implements the state transition diagram.

Algebra State transition diagram for follower ??
'
T
c

©
PQ
RS
Y!0 X?0
Y!0 X?0
Y!1 X?1
Y!0 X?1 Y!1 X?0
Entry = Y!0 X?0 PQ PQ = Y!0 X?0 PQ
| Y!0 X?1 RS
RS = Y!1 X?1 RS
| Y!1 X?0 PQ

Algebra Code/diagram equivalence ??
-
??
?
?
C!0 C!0
C!1
C!1 C!0
[C!
0
0];a
=
[C!
0
1];a
=
[C!
0
0];a
=
a = C = not C after 1ns; wait on C; a

Algebra Summary ??
Algebras make reasoning about VHDL programs via equalities possi-
ble.
The transformation can go in both directions.
We are beginning to find that algebra/transition diagram specifica-
tions are useful starting points for the synthesis of VHDL code.
The VHDL code can be formally derived by a calculus of refinement
from the initial diagram.

Conclusion Conclusion ??
Formal methods allow VHDL to be handled in ways that correspond
to classical activities, but based on secure foundations.

Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (15)

En vedette

En vedette (15)

Similaire à Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL

Similaire à Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL (20)

Plus de Peter Breuer

Plus de Peter Breuer (10)

Dernier

Dernier (20)

Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL