writing, verifying and exploiting formal specifications for hardware designs chapter 3: verifying...
DESCRIPTION
What they have ‘Spell check’ a specification Check for correctness properties Automatically generate test sequences Proof it can be implemented –With no explicit state machineTRANSCRIPT
![Page 1: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/1.jpg)
Writing, Verifying and Exploiting Formal Specifications for Hardware DesignsChapter 3: Verifying a Specification
Presenter: Scott Crosby
![Page 2: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/2.jpg)
The problem
• Specifications have problems– Incorrect– Buggy– No hardware to compare
![Page 3: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/3.jpg)
What they have
• ‘Spell check’ a specification• Check for correctness properties• Automatically generate test sequences• Proof it can be implemented
– With no explicit state machine
![Page 4: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/4.jpg)
Reminders
• Specification:– No explicit state machine– Monitor
• Judge• Deterministic
![Page 5: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/5.jpg)
Mealy Machine
![Page 6: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/6.jpg)
Properties of Properties
• List of properties– Grouped by the agent
• Correcti = agent i is correct
– ANTECEDENT CONSEQUENT• Consequent
– Λ,V,¬, prev()
• Antecedent– Λ,V,¬, prev()
– prev(trdy Λ stop) stop
![Page 7: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/7.jpg)
Temporal or Causal
• Cause Effect– prev(trdy) ¬prev(stop) V stop
• Past Conditions Current State– prev(trdy Λ stop) stop
![Page 8: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/8.jpg)
Property Representation
• Restricted linear time– prev(ANTECEDENT) CONSEQUENT
• Consequent– Λ,V,¬, and this agents outputs variables
• Antecedent– Λ,V,¬, prev(), any agents output variables
![Page 9: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/9.jpg)
Properties of Properties
• Separable– Only describes outputs of one agent– Eg, mutual exclusion not explicit
• No nondeterminism• Implementable• Correctness only function of own outputs
![Page 10: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/10.jpg)
Correctness of Specifications
• Problems– Too strict– Too loose
• What we want– No implementation– No state machines– Avoid state explosion– Easy to verify
![Page 11: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/11.jpg)
Past Solutions
• Model checking– Huge state explosion– What to check?
• Abstract representation– How abstract?
![Page 12: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/12.jpg)
What this offers
• Checking specifications for correctness• Generating sample outputs• Proof of implementability
![Page 13: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/13.jpg)
Checking Specifications
• Specification– Restricted LTL
• Model checker– CTL
• Three ‘Spell Checks’• Human written characteristics
![Page 14: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/14.jpg)
CTL
• Branching time logic• Logic operators
– Λ,V,¬• Temporal
– EX, EG, E[a U b]• Derived
– AX, EF, A[a U b], AF
![Page 15: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/15.jpg)
‘Spell Check’ of a specification
• Dead state
![Page 16: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/16.jpg)
‘Spell Check’ of a specification
• Dead state
address_phase=true
irdy=false
trdy=true
stop=false
![Page 17: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/17.jpg)
‘Spell Check’ of a specification
• Under-restriction
![Page 18: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/18.jpg)
‘Spell Check’ of a specification
• Vacuous property– Every property is used
![Page 19: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/19.jpg)
Characteristic Check
• Characteristics– User written properties– CTL formula– Human designed
• Requires debugging– Reusable
![Page 20: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/20.jpg)
Results
• Will see details next friday• Bugs found in PCI• Bugs found in Itanium bus protocol
![Page 21: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/21.jpg)
Generator
• Constraint solver• Traces
![Page 22: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/22.jpg)
Sample output
![Page 23: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/23.jpg)
Generator
• Find missing properties• Found bug
– Eg, signal must remain constant– Wasn’t discovered
• Nobody thought to check
![Page 24: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/24.jpg)
Receptiveness Proof
• What is receptiveness?• Implementability
– Can the spec be implemented?• Receptiveness
– Can the whole spec be implemented?– Every choice?
![Page 25: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/25.jpg)
A note
• Spec with dead states is implementable
![Page 26: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/26.jpg)
Property Representation
• Seperability– prev(ANTECEDENT) CONSEQUENT
• Consequent– Λ,V,¬, and this agents outputs variables
• Antecedent– Λ,V,¬, prev(), any agents output variables
![Page 27: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/27.jpg)
Theorem
• Any specification with– Separability– No dead states
• Is receptive– Whole thing is implementable– Behaves correctly, regardless of environment
![Page 28: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/28.jpg)
Setup of proof
• Mealy machine• You vs Environment
![Page 29: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/29.jpg)
You vs Environment
![Page 30: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/30.jpg)
Separability
Other agents
My choice
![Page 31: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/31.jpg)
No dead states
Other agents
![Page 32: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/32.jpg)
This Means:
• My correctness doesn’t depend on other’s behavior at the current time step.
• I always have a choice where I will be correct.
![Page 33: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/33.jpg)
Corollary 1: Implementability
• If – No dead states for anyone– Separability
• Exists a set of machines that implement the specification.
![Page 34: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/34.jpg)
Corollary 2: Receptiveness
• If – No dead states for anyone– Separability
• Exists a set of agent implementations that will go to every reachable state in system.
![Page 35: Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a…](https://reader036.vdocuments.net/reader036/viewer/2022062601/5a4d1c017f8b9ab0599efc62/html5/thumbnails/35.jpg)
Conclusion
• Debug a specification• Generate a sample run• Prove that it is implementable