Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL

Tutorial ??

Formal Methods for

Hardware Verification:

Overview and Application to VHDL

Carlos Delgado Kloos, Peter T. Breuer

Universidad Politecnica de Madrid

<{cdk,ptb}@dit.upm.es>

VDHL-Forum for CAD in Europe – Nantes, 24 April 1995 1

Introduction Outline ??

⋆ Formal Hardware Verification Approaches

⋆ Theorem Proving

⋆ Model Checking

⋆ Formal Reasoning with VHDL

⋆ Semantics

⋆ Logic

⋆ Algebra


Motivation Citation ??

“If you are faced by

a difficulty or a controversy in science,

an ounce of algebra is worth a ton of verbal argument.”

J.B.S. Haldane


Motivation Bryants comparison ??

simulate exhaustively a 256 bit RAM

⇒ 1080 possible combinations of input and state

⋆ use all matter in galaxy to build computers (1017 kg)

⋆ let each computer have the size of an electron (10−30 kg)

⋆ let each computer simulate 1012 cases per second

⋆ start simulation at the time of Big Bang (1010 years ago)

by now, we would have simulated 0,05% of all cases


Motivation Pentium ??

The top ten reasons to buy a PENTIUM Machine:

10. Your current computer is too accurate.

9. You want to get into the Guiness book as

“Owner of Most Expensive Paperweight”.

8. Math errors add zest to life.

7. You need an alibi for the I.R.S.

6. You want to see what all the fuss is about.

5. You’ve always wondered what it would be like to be a plaintiff.

4. The “Intel Inside” logo matches your decor perfectly.

3. You no longer have to worry about CPU overheating.

2. You got a great deal from JPL.

1. It’ll probably work.


Motivation Trends ??

⋆ systems are growing larger

⋆ systems are growing more complex

⋆ design teams are growing larger

⋆ time to market is getting more critical


Theorem proving Classification ??

Systems that manipulate an object language

⋆ Term rewrite systems

⋆ Transformational systems

⋆ Theorem provers

There is a convergence of these kinds of systems


Theorem proving Theorem provers ??

Systems that help to prove theorems

⋆ Proof checkers

a posteriori check (eg. MIZAR)

⋆ Proof assistants

user guided proof, strategies can be defined, forward and back-

ward proof

(eg. LCF, HOL, Isabelle, Veritas+)

⋆ Automatic theorem provers

(eg. Nqthm)


Theorem proving Comparison ??

⋆ Degree of interaction

⋆ Object language: underlying logic

⋆ Meta language: command language

⋆ Kinds of proofs

⋆ Proof management


Theorem proving Nqthm ??

The Boyer-Moore Theorem Prover

⋆ Quantifier-free first-order classical logic with equality

(free variables are implicitly universally quantified)

⋆

⋆

⋆


Theorem proving The LCF family ??

LCF = Logic for Computable Functions

⋆ Stanford LCF: proof checker with fixed commands (Scott 71–72)

⋆ Edinburgh LCF: meta-language: ML, object-language: PPλ (Mil-

ner 75–79)

⋆ Cambridge LCF: meta-lenguage: Standard ML, object-language:

PPλ (improved) (Paulson 84)

⋆ Goteborg LCF: supports Martin-Lof’s type theory (Petersson 82)

⋆ Cambridge HOL: meta-lenguage: ML, object-language: Higher-

Order Logic (Gordon 80–)


Theorem proving LCF-related provers ??

⋆ Veritas: meta-language: Miranda, object-language: Higher-Order

Intuitionistic Logic (Hanna, Daeche 85–)

⋆ Isabelle: meta-language: ML, object-language: parametrizable

(Paulson 86–)

⋆ Lambda: meta-language: Poly-ML, object-language: Higher-Order

Polymorphic Predicate Calculus of Partial Terms, interfaced to CAD-

system


Theorem proving Theory ??A formal logic consists of

⋆ a notation (a set of well-formed formulas)

⋆ a finite set of axioms

⋆ a finite set of inference rules

A formal proof is a sequence of well-formed formulas f1, f2, ..., fn,

such that for all i

⋆ fi is an axiom, or

⋆ fi can be derived from {f1, f2, ..., fn} using an inference rule


Theorem proving HOL expressions ??

The expressions in HOL can be:

⋆ constants 1: num, +: num->num->num

⋆ variables x: num, x: num->bool

⋆ abstractions λx.(λy.x+y)

⋆ applications (λx.(λy.x+y)1)2


Theorem proving HOL types ??

The types in HOL can be:

⋆ atomic types bool, num

⋆ compound types num*bool, num->num->num

⋆ polymorphic types ’a->’b, (’a->bool)->bool


Theorem proving HOL ??

The Object Language HOL comprises

⋆ Typed λ-Calculus (functions, including higher-order)

⋆ Polymorphic objects (parametric polymorphism)

⋆ Higher-order Logic (quantifiers over values, predicates, etc.)

It can be manipulated from the Metalanguage ML (which is quite

similar).


Theorem proving Axioms ??

There are only 5 axioms in HOL: 4 for the theory of bool

⋆ ⊢ ∀t. (t=T) ∨ (t=F)

⋆ ⊢ ∀t1 t2. (t1⇒t2)⇒(t2⇒t1)⇒(t1=t2)

⋆ ⊢ ∀t. (λx. t x)=t

⋆ ⊢ ∀P x. P x ⇒P(ǫ P)

and one for the theory of ind

⋆ ⊢ ∃f. ONE ONE f ∧ ¬ ONTO f


Theorem proving Inference rules ??

There are only 8 primitive inference rules:

{t} ⊢ t ⊢ t=t ⊢ (λx.t1)t2 = t1[t2/x]

Γ1 ⊢ t1 ⇒ t2 Γ2 ⊢ t1

Γ1 ∪ Γ2 ⊢ t2

Γ ⊢ t1=t2

Γ ⊢ (λx.t1)=(λx.t2)

Γ ⊢ t2

Γ− {t1} ⊢ t1 ⇒ t2

Γ1 ⊢ t1=t2 Γ2 ⊢ t[t1]

Γ1 ∪ Γ2 ⊢ t[t2]

Γ ⊢ t

Γ ⊢ t[s1, ... sn/’a, ... ’n]


Theorem proving Theories ??All information (types, constants, axioms, theorems, etc.)

is hierarchically structured in theories:

⋆ pairs

⋆ natural numbers

⋆ lists

⋆ primitive recursion

⋆ arithmetic

⋆ trees

⋆ etc.


Theorem proving Proof styles ??

There are essentially two ways to proceed:

⋆ Forward proof:

(Primitive or derived) inference rules are applied to (axioms or)

theorems until the desried theorem is proved

⋆ Backward proof:

A goal (a sequent to be proved into a theorem) is successively

decomposed into subgoals, until there are already proved theo-

rems


Theorem proving Example (J. Joyce) ??

i1

i2x o2

⋆ specify behavioural models for NAND and NOT

⋆ specify intended behaviour of AND

⋆ specify implementation of AND in terms of NAND and NOT

⋆ prove that implementation satisfies intended behaviour for AND


Theorem proving Example (Specs) ??

Behaviours:

⊢def NAND(i1,i2,o1) ≡ o1 = ¬(i1∧i2)

⊢def NOT(i1,o1) ≡ o1 = ¬ i1

⊢def ANDspec(i1,i2,o1) ≡ o1 = i1∧i2

Structure:

⊢def ANDimpl(i1,i2,o1) ≡ ∃x. NAND(i1,i2,x) ∧ NOT(x,o1)


Theorem proving Example (Correctness) ??

⋆ Strong correctness

ANDimpl(i1,i2,o1) ≡ ANDspec(i1,i2,o1)

⋆ Weaker correctness

ANDimpl(i1,i2,o1) ⇒ ANDspec(i1,i2,o1)


Theorem proving Example (Proof) ??

1) ANDimpl(i1,i2,o1) {initial formula}

2) ∃x. NAND(i1,i2,x) ∧ NOT(x,o1) {def ANDimp}

3) NAND(i1,i2,x) ∧ NOT(x,o1) {strip off ∃x}

4) NAND(i1,i2,x) {left conjunt of 3)}

5) x=¬(i1∧i2) {def NAND}

6) NOT(x,o1) {right conjunt of 3)}

7) o1=¬x {def NOT}

8) o1=¬(¬(i1∧i2)) {subst. 5) in 7)}

9) o1=(i1∧i2) {simplify ¬¬t=t}

10) AND(i1,i2,o1) {def AND}

11) ANDimpl(i1,i2,o1) ⇒ AND(i1,i2,o1) {discharge assumption 1)}


Theorem proving Pros ??

⋆ generality

⋆ flexibility

⋆ expresiveness

⋆ exploitation of regularity, hierarchy and abstraction

⋆ proof security

⋆ user extensibility


Theorem proving Cons ??

⋆ long learning curve

⋆ large expertise needed

⋆ requires deep knowledge of mathematics and logic

⋆ tedious proofs


Theorem proving Achievements ??

Several microprocessors have been verified

⋆ FM8501 (Nqthm, Warren Hunt, Univ. Texas, 1986)

⋆ Viper (HOL, Avra Cohn, Univ. Cambridge, 1988)

⋆ Tamarack-3 (HOL, Jeff Joyce, Univ. Cambridge, 1989)

⋆ AVM–1 (HOL, Phil Windley, Univ. California, Davis, 1990)


Theorem proving The future ??⋆ higher temporal complexity (pipelines, asynch. systems, real-time)

⋆ higher data complexity (IEEE floating point std, ...)

⋆ higher-level specifications (hardware/software verification, ...)

⋆ verification of classes of designs (microproc. families, ...)

⋆ verification of an ATM network (Fairisle)

⋆ TkHolWorkbench (a GUI for HOL)

⋆ BDDs in HOL

⋆ HOL 2000 initiative

⋆ several logic embeddings (CCS, TLA, Unity, Noden, ...)


Theorem proving More info about Nqthm ??

⋆ Computational Logic Inc.

1717 W. 6th St., Suite 290

Austin, TX 78703-4776, USA

⋆ <[email protected]>

http://www.cli.com/

⋆ R.S. Boyer, J.S. Moore: A Computational Logic Handbook,

Academic Press 1988


Theorem proving More info about HOL ??

⋆ Cambridge Univ. Computer Laboratory

Pembroke Street, GB–Cambridge CB2 3QG, England (UK)

⋆ Sara Kalvala <[email protected]>

http://www.comlab.ox.ac.uk/archive/formal-methods/hol.html (info)

http://lal.cs.byu.edu/lal/getting-hol.html (tool)

⋆ M. Gordon, T. Melham (eds.): Intr. to HOL: A Theorem Proving

Environment for Higher Order Logic, Cambridge Univ. Press 93

⋆ 8th International Workshop on Higher Order Logic Theorem Prov-

ing and its Applications, Utah September 11–14, 1995


Theorem proving More info about LAMBDA ??

⋆ LAMBDA: Logic and Mathematics Behind Design Automation

⋆ Abstract Hardware Ltd.

The Howell Building, Brunel University Science Park

GB–Uxbridge UB8 3PH, England (UK)

⋆ <[email protected]>


Model checking Model of Computation ??

⋆ Finite state systems are modeled by labelled state-transition graphs

(Kripke structures)

⋆ Given an initial state, the structure can be unwound to an in-

finite tree (computation tree), whose paths represent possible

behaviours

⋆ A temporal logic is used to express properties of behaviours

⋆ Verification is carried out by exhaustive search of the state space

⋆ To speed up verification, efficient representation techniques are

used based on binary decision diagrams.


Model checking Temporal Logics ??⋆ In a linear temporal logic, the operators describe events along a

single computation path

⋆ In a branching temporal logic, the operators describe events along

several computation paths

⋆ path quantifiers:

A (for every path), E: there exists a path

⋆ linear time operators:

Xf (f holds next time)

Ff (f holds sometime in the future)

Gf (f holds globally in the future)

fUg (f holds until g holds)


Model checking CTL: theory ??

Every atomic formula is a CTL formula.

If f and g are CTL formulae, then so are

¬f (not f)

f ∧ g (f and g)

AXf (for all paths, f holds in the next state)

EXf (for some path, in which f holds in the next state)

AFf (for all paths, f holds eventually)

EFf (for some path, in which f holds eventually)

AGf (for all paths, f holds in every state)

EGf (for some path, in which f holds in every state)

A(fUg) (for all paths, f holds until g holds)

E(fUg) (for some path, f holds until g holds)


Model checking CTL: some operators ??M, s � AF x M, s � EF x M, s � EG x


Model checking CTL: examples ??

⋆ AG(EF greenNS): always it is possible to get to the greenNS

state (at a traffic light) [liveness property]

⋆ AG(¬(greenNS∧greenEW )): never both greenNS and greenEW

hold (both lights are green)[safety property]

⋆ AG(req ⇒ AF ack): if a request occurs, it will be eventually

acknowledged

⋆ EF(started∧¬ready): it is possible to get to a state where started

holds, but ready does not hold.


Model checking Model Checking Problem ??

⋆ Let M be the Kripke structure representing the behaviour of a

system,

⋆ let f be a temporal logic formula representing a property to check,

⋆ the objective is to find all states s of M that satisfy the formula

f : M, s�f

⋆ in fact, there exist very efficient algorithms for the logic CTL

(Clarke, Emerson and Sistla, ACM TOPLAS 8:2, 1986)

⋆ complexity linear in size of M and f


Model checking Model Checking Algorithm ??M, s0 � EGa ∧AFb?


Model checking OBDDs ??DAG-representation of Boolean functions


Model checking OBDDs ??The importance of the variable ordering


Model checking OBDDs ??

⋆ S. Akers: Binary Decision Diagrams, IEEE Trans. Computers C–

27:6, June 78

⋆ R. Bryant: Graph-Based Algorithms for Boolean Function Ma-

nipulation, IEEE Trans. Computers C–35:8, August 86


Model checking Symbolic Model Checking ??

⋆ Representing state-transition graphs with OBDDs

⋆ The transition relation can be seen as a boolean formula

⋆ T (v1, ..., vn, v′1, ..., v

′n), where (v1, ..., vn) represents the current state

and (v′1, ..., v′n) the next state

⋆ T is represented by a OBDD.


Model checking Pros ??

⋆ decision procedure completely automated: no proofs!

⋆ fast

⋆ counter-examples

⋆ symbolic techniques allow to handle a big number of states


Model checking Cons ??

⋆ specification is enumeration of desired properties

⋆ completeness problem

⋆ state explosion problem

⋆ large data paths can introduce many states

⋆ no taking advantage of parametrization

⋆ temporal formulas can be difficult to understand


Model checking Achievements ??

⋆ Formal verification of the IEEE Futurebus+ cache consistency

protocol

(precise model defined, bugs found) Clarke et al. 93

⋆

⋆

⋆


Model checking Some references ??

⋆ J. Burch, E. Clarke, et al.: Symbolic Model Checking: 1020 States

and Beyond, Conf. Logic in Computer Science 1990.

⋆ O. Coudert, J.C. Madre, C. Berthet: Verifying Teporal Properties

of Sequential Machines without Building their State Diagram,

DIMACS Worksh. Computer-Aided Verification, June 1990

⋆ Th. Filkorn: A Method for Symbolic Verification of Synchronous

Circuits, CHDL’91, April 1991


Conclusion Other approaches ??

⋆ Symbolic trajectory evaluation

similar to conventional simulation

considers symbols rather than actual values

VOSS, COSMOS

⋆ Automata-based Systems

COSPAN

⋆ Tautology checkers

Checking of combinational circuits

TACHE


Conclusion Combining approaches ??

⋆ HOL with a model checker

⋆ HOL with COSMOS [Bryant, Seger]

⋆ HOL with VOSS [Joyce, Seger]

⋆ embedding VHDL in HOL [van Tassel, Kropf]

⋆ a VDHL simulator in Acl2 [Boyer, Hunt]

⋆ interfacing HOL to GENESIL (silicon compiler) [Rushby]

⋆ Prevail calling Nqthm or Tache [Borrione, Pierre]


Conclusion Conclusions ??

⋆ the field of formal methods is old

⋆ first breakthroughs obtained recently

⋆ still primarily academic work

⋆ increasing interest of industry (Siemens, Bull, some CAD vendors)

⋆ still a long way to go


Conclusion Citation ??

“It is now a well-established phenomenon

that what is highly abstract

for a generation of mathematicians

is just commonplace for the next one.”

J. Dieudonne


Semantics Classical VHDL simulations ??

A VHDL signal is associated with a driver.

0 1 2 3 4 . . . future time →

Signal

VHDL signal assignments write to the driver.

VHDL wait statements read the driver and suspend execution of the

process until a time determined by the evolving condition of the driver.


Semantics Example 1 ??

Initial driver.

0 1 2 3 4 ...

Signal

future time

X <= transport 1.0 after 3 ns

Driver is altered.

0 1 2 3 4 ...

Signal

future time



Initial driver.

0 1 2 3 4 ...

Signal

future time

wait until X=1

Final driver:

0 1 2 3 4 ...

Signal

future time

Driver is essentially unaltered, but time has moved on.


Semantics Semantics of VHDL ??

VHDL statements relate:

1. an old driver set to a new driver set;

2. an old current timepoint to a new current timepoint;

3. a previous history to an extended history.

H ×DS × T ↔ H ×DS × T

The combination of history plus driver set is called a ‘world line’.

WL× T ↔ WL× T



X=0

X=0

X=0

X=0

X=1

T=1

T=2

T=3

X=0X=0 T=0

X=0X=0 T=-1

X <= transport 1.0 after 2 ns

X=1

Time

Initial WL Final WL

⋆ A transport assignment re-

lates two worldlines and two

current timepoints.

⋆ The timepoint has to be the

same either side, because the

statement takes no physical

time to execute.



X=0X=0

X=1

T=1

T=2

T=3

X=0X=0 T=0

X=0X=0 T=-1

X=1

Time

Initial WL Final WL

wait until X=1

X=1

X=1

⋆ A wait statement relates two

worldlines with the same sig-

nal values – for the signals of

the controlling process.

⋆ Other signals may differ in any

way possible.

⋆ But time moves on.



X=0

X=1

X=0

X=0

X=1

Final WL

wait until X=1

X=0 T=1

T=2

T=3

X=0 T=0

X=0 T=-1

X=1

X=1

X=0 T=1

T=2

T=3

X=0 T=0

X=0 T=-1

Time

Initial WL Intermediate WL

X=0

X=0

X<=1 after 2 ns;

⋆ Two statements in se-

quence compose via re-

lational composition.


Semantics Process semantics ??

A process relates:

⋆ An initial worldline to a final worldline.

Note that:

⋆ The initial timepoint is zero. The final timepoint is ∞

⋆ The body of the process repeats ad infinitum.


Semantics A simple oscillator circuit ??

?

?

X <=not X after 2 ns

wait on X

begin

X <= transport not X after 2 nswait on X

end



X=0

X=1

X=0

X=0

X=1

Final WL

X=0 T=1

T=2

T=3

X=0 T=0

X=0 T=-1

X=1

X=1

X=0 T=1

T=2

T=3

X=0 T=0

X=0 T=-1

Time


X=0

X=0

X<=not X after 2 ns; wait on X



X=0

X=1

X=0

X=0

X=1

X=0 T=1

T=2

T=3

X=0 T=0

X=0 T=-1

X=1

X=1

X=0 T=1

T=2

T=3

X=0 T=0

X=0 T=-1

Time

Initial WL

X=0

X=0

X=0

Final WL

X=0

Initial WL

X=1

X<=¬ X after 2 ns;

X <=¬ X after 2 ns;

X=1

X=1

X=1

X=0

X=0

X=0

X=0

X=1

X=1

process

begin X <= transport ¬ X after 2 ns ; wait on X ; end

wait on X

wait on X

T=1

T=2

T=3

T=4

T=5 T=5

T=4

T=3

T=2

T=1


Semantics Time and processes ??A process relates the initial world line with T=0 and the ultimate

world line with T=∞, but we are interested in what happens before

then.

A logical treatment will require two kinds of logic:

⋆ execution until termination;

⋆ execution until suspension.

Suspension corresponds to looking at intermediate worldlines.

Pressing ‘Ctrl-Z’.


Semantics Process semantics ??

. . .

. . . .

. . . . . . ......

. . ......

. . ......

. . .....

. . ......

. . ......

. . ......

. . ......

. . ......

. . ......

....

. . ......

. . ......

. . . . . ......

WL0

WL1

WL2

T=3

T=2

T=1

T=0T=1

T=2

T=3

X=1

X=1

X=0

X=0

X=0

X=1

X=1

X=0

X=1

X=1

X=0

X=0

X=1

X=1

A process relates developing worldlines to each other


Semantics Processes and parallelism ??

⋆ Processes in parallel have the semantics of the intersection of

relations.

⋆ They have to agree on how world lines change and how long the

change takes.

⋆ Knowledge of the driver set, history, and time are all shared ‘in-

stantaneously’ between processes.


Semantics A simple follower circuit ??

?

?

Y <= X after 1 ns

wait on X

wait on X;Y <= transport X after 1 ns;process begin

end


Semantics Oscillator and follower in parallel ??

?

?

?

?

wait on X

Y <= X after 1 ns

wait on X

processbeginX <= not X after 2 ns;

end

processbeginY <= X after 1 ns;wait on X;

endwait on X;

X <= not X after 2 ns



X=0

X=1

X=0

X=1

Final WL

X=0 T=1

T=2

T=3

X=0 T=0

T=-1

X=1

X=1

X=0 T=1

T=2

T=3

X=0 T=0

T=-1

Time


wait on XY<= X after 1 ns;

X<= ¬X after 2 lns; wait on X

X=1

X=1

X=1

X=1 X=1

Y=1

Y=1 Y=1

Y=1

Y=0

Y=0

Y=0

Y=1

Y=1

Y=1

Y=1

Y=1

Y=0

Y=0

Y=0


Semantics A useful theorem ??

⋆ Take the ultimate world line and feed it back in again to a process

as its initial world line, then the same world line comes out again.

⋆ So, look for invariant world lines.

⋆ Especially helpful when calculating for parallel processes.

⋆ A world line developed by process 1 can be used as a background

against which process 2 is evaluated.


Logic Plan ??

⋆ Insert predicative assertions and timing information in the gaps

between VHDL statements.

⋆ Predicates contain temporal modalities: “it will rain tomorrow”.

⋆ ⊙(x = 1) means “x = 1 will hold in the next instant”. This is the

same as ⊙x = 1.

⋆ x 6= ⊙x means “x will change in the next instant”.

⋆ Timed pre- and post- assertions {p, t1} s {q, t2} across statements

s are connected via a formal programming logic of triples.


Logic Meaning ??

The Hoare triple

Sρ : {P, T1} a {Q,T2}

means

if a begins to execute at time T1 and condition P holds then,

then, if it finishes at time T2, Q will hold then.

This is the logic of termination, denoted by S.


Logic Example 9 ??

Look at the oscillator process using the logic of termination.

{X= ⊙X,T}X <= transport (not X) after 2 ns ;

{X= ⊙X 6= ⊙2X= ⊙3X,T}wait on X ;

{⊙−2X= ⊙−1X 6=X= ⊙X,T+2}

The final condition (X has been stable and now will be stable with

a different value) has been forced by the initial condition (X is mo-

mentarily stable).

Note that the initial condition is re-established as the second part of

the final condition.


Logic Meaning ??

The Hoare triple

S ′ρ : {P, T1} a {Q,T2}

means

if a begins to execute at time T1 and condition P holds then,

then, if it is suspended at time T2, Q will hold then.

This is the logic of suspension, denoted by S ′.


Logic Example 10 ??

Now look using the logic of suspension. Suspension can only happen

in a blocked wait statement; everything else takes zero time.

Start with the condition established under the logic of termination.,

{⊙−2X= ⊙−1X 6=X= ⊙X,T}X <= transport (not X) after 2 ns ;

{⊙−2X= ⊙−1X 6=X= ⊙X 6= ⊙2X= ⊙3X,T}wait on X ;

{⊙−2X= ⊙−1X 6=X= ⊙X,T} ∨

{⊙−2X 6= ⊙−1X=X 6= ⊙X,T+1}

The final condition is that X either has just changed or is just about

to change.


Logic Process logic ??A process never terminates; it can only be suspended.

Suspension occurs within the process body, after some non-negative

number of executions of the body to termination.


Logic Example 11 ??Each oscillator cycle takes 2ns. At this time, termination establishes

and thereafter re-establishes the condition:

{⊙−2X= ⊙−1X 6=X= ⊙X,T}

and then suspension sets up

{⊙−2X= ⊙−1X 6=X= ⊙X,T} ∨ {⊙−2X 6= ⊙−1X=X 6= ⊙X,T+1}


Logic The use of a useful theorem ??{⊙−2X= ⊙−1X 6=X= ⊙X ∧ even(T)} ∨ {⊙−2X 6= ⊙−1X=X 6= ⊙X ∧ odd(T)}

is an invariant of the oscillator process body under the termination

and suspension semantics.


Logic Logical Rules ??We reason by deriving one Hoare triple of the programming logic from

earlier derived Hoare triples.

The rules of reasoning take the form of

top

bottom[condition]

in which the bottom is allowed to be derived from the top when

condition holds. Several hypotheses may appear:

top1 top2 top3 . . .

bottom[condition]

or none

bottom[condition]

in which case the rule represents an axiom.


Logic The S-logic for termination - seq ??

[∀T ∈ [T1, T2]]Sρ : {P, T1} a {QAT, T} Sρ : {QBT, T} b {R, T2}

Sρ : {P, T1} a ; b {R, T2}[QA → QB] (1)

If a sequence a;b runs to termination between times T1 and T2, then

it does so by running a from T1 to termination at some intermediate

time T, then running b to termination at T2.


Logic Example 12 ??Take two consecutive signal assignments, each delayed by 1ns.

After the second, it will be the case that x is planned to be equal to

2 next.

Sx : {true, 3} x <= 1 after 1ns {⊙x = 1, 3} Sx : {true, 3} x <= 2 after 1ns {⊙x = 2, 3}

Sx : {true, 3} x <= 1 after 1ns ; x <= 2 after 1ns {⊙x = 2, 3}

The precondition for the second assignment is true, so it does not

matter what condition the first statement sets up.


Logic Example 13 ??

Waiting for 1ns makes the things that are promised to happen next,

happen.

Sx : {⊙x = 1, 3} null {⊙x = 1, 3}

Sx : {⊙x = 1, 3} wait for 1 {x = 1, 4}

Waiting for 2ns is waiting for 1ns twice.

Sx : {⊙x = 1, 3} wait for 1 ; wait for 1 {⊙−1x = 1, 5}

Sx : {⊙x = 1, 3} wait for 2 {⊙−1x = 1, 5}


Logic The S-logic for termination - wait for ??

Sρ : {⊙P, T1} null {⊙Q, T2− 1}

Sρ : {P, T1} wait for 1 {Q, T2}

Sρ : {P, T1} wait for 1 ; wait for n {Q, T2}

Sρ : {P, T1} wait for n+ 1 {Q, T2}(2)

A wait for 1ns will terminate (in 1ns). The (local) conditions that

hold then are those that are promised to hold now.

Longer waits are sequences of shorter ones.


Logic The S-logic for termination - wait on ??A wait on can be viewed as a loop:

wait on x = do wait for 1ns while x = ⊙−1x

Sρ : {P∧x=⊙x, T1} wait for 1; wait on x {Q, T2} Sρ : {P∧x 6=⊙x, T1} wait for 1 {Q, T2}

Sρ : {P, T1} wait on x {Q, T2}

(3)

To run a wait to termination between times T1 and T2 either the

waited on variable has to be about to change, in which case we do

a wait for 1ns and terminate at T2=T1+1, or it isn’t, in which case we

have to wait for 1ns and then wait longer.


Logic The S-logic for termination - if ??

This logic requires us to be able to get to a desired postcondition

along either path down an if. In each branch we can assume the

appropriate extra precondition.

Sρ : {P ∧ c, T1} b1 {Q, T2} Sρ : {P ∧ ¬c, T1} b0 {Q, T2}

Sρ : {P, T1}if c then b1 else b0{Q, T2}(4)

Example:

Sxy : {true ∧ x 6= 0, 4} y <= 1 after 1ns {y 6= 0, 4}

Sxy : {true ∧ x = 0, 4} y <= 2 after 1ns {y 6= 0, 4}

Sxy : {true, 4}if x 6= 0 then y <= 1 after 1ns else y <= 2 after 1ns{y 6= 0, 4}


Logic The S-logic for termination - while ??

While loops can be read as sequences of if branches.

while c do b = if c then b; while c do b else null

Sρ : {P ∧ c, T1} b; while x do b {Q, T2} Sρ : {P ∧ ¬c, T1} null {Q, T2}

Sρ : {P, T1}while c do b{Q, T2}(5)

Example:

Sx : {true ∧ x 6= 0, 4} wait on x; while x 6= 0 do wait on x {x = 0, 5}

Sx : {true ∧ x = 0, 4} null {x = 0, 5}

Sx : {true, 4}while x 6= 0 do wait on x{x = 0, 5}


Logic The S-logic for termination - null ??

The simplest things are the hardest!

A null command won’t execute over a non-zero time, so anything we

care to say about this (impossible) situation is valid.

Sρ : {P, T1} null {Q, T2}[T1 6= T2] (6)

Over a zero time interval, a null command does nothing, so getting

from precondition P to postcondition Q requires that P entails Q at

that time.

Sρ : {P, T} null {Q, T}[⊙T(P → Q)] (7)


Logic The S ′-logic for suspension - seq ??

[∀T ∈ [T1, T2]]

Sρ : {P, T1} a {QT, T} S ′ρ : {QT, T} b {R, T2}

S ′ρ : {P, T1} a {R, T2}

S ′ρ : {P, T1} a ; b {R, T2}(8)

If a sequence a;b runs to suspension between times T1 and T2, then

it does so by either

1. running a from T1 to suspension at T2, or

2. running a to completion at some intermediate time T, then running

b to suspension at T2.


Logic Other parts of the S ′-logic for suspension ??

The sequence logic of suspension is the only part that refers back to

the termination logic.

In general, suspension logic is simpler than termination logic.

⋆ Many constructs cannot suspend at all, so have no rules for rea-

soning about suspensions!

NULL and signal assignment are examples of constructs that can-

not suspend. WHILE loops can only suspend in the body.

⋆ WAIT statements cannot exit under suspension logic. They have

to be suspended strictly before they exit.


Logic The S ′-logic for suspension - wait for ??

S ′ρ : {P, T} wait for 1 {Q, T}[⊙T(P → Q)] (9)

Example:

S ′x : {x = 1, 3} wait for 1 {x 6= 0, 3}[⊙3(x = 1 → x 6= 0)]


Logic Summary ??

The logic used here is weak in the sense that if we prove

S ′ : {P, T1}foo{Q,T2}

then we have not proved that statement foo will suspend at time T2.

We have proved that if it is suspended at time T2, then condition Q

will hold then.

(Ditto for termination).

But processes can be suspended at any time. So the logic is always

applicable.


Logic Conclusion ??

Logic is useful for reasoning about the properties of VHDL descrip-

tions.


Algebra Another approach ??

Another approach to VHDL is to construct a process algebra.

An algebra is a set of equations asserting behavioural equivalences

between different code fragments.

For example:

x <= 2 after 3ns; x <= 1 after 2ns = x <= 1 after 2ns

The algebra can be used to prove or disprove equivalences between

different formulations.


Algebra Synthesis ??

The algebra has a “pure” component that only refers to events and

processes, and a “code” component that contains only VHDL.

Generally, algebra expressions are mixed (impure).

A pure process algebra description can be represented as a state

transition diagram.

The diagram can be transformed slowly via the algebraic laws into

VHDL code.

What comes out is code that implements the state transition diagram.


Algebra State transition diagram for follower ??

�

6?

�

PQ

RS

Y!0 X?0

Y!0 X?0

Y!1 X?1

Y!0 X?1 Y!1 X?0

Entry = Y!0 X?0 PQ PQ = Y!0 X?0 PQ

| Y!0 X?1 RS

RS = Y!1 X?1 RS

| Y!1 X?0 PQ


Algebra Code/diagram equivalence ??

-

�??

?

?

C!0 C!0

C!1

C!1 C!0[C!

0

0];a=

[C!

0

1];a

=

[C!

0

0];a

=

a = C <= not C after 1ns; wait on C; a


Algebra Summary ??

Algebras make reasoning about VHDL programs via equalities possi-

ble.

The transformation can go in both directions.

We are beginning to find that algebra/transition diagram specifica-

tions are useful starting points for the synthesis of VHDL code.

The VHDL code can be formally derived by a calculus of refinement

from the initial diagram.


Conclusion Conclusion ??

Formal methods allow VHDL to be handled in ways that correspond

to classical activities, but based on secure foundations.


Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL

Education

Transcript of Tutorial: Formal Methods for Hardware Verification - Overview and Application to VDHL