A method of verification in design: an operating system case study

This paper reports a study of verification in the high-level design phase of operating system development in which both a rigorous and formal verification are used, where the rigorous argument is used to determine a manageable formal proof to be carried out. A 2-sorted first order temporal language is used to express several possible high-level designs and the required properties of an operating system store manager. The case of large system limits is reduced to a case of small system limits by use of a rigorous argument. Corresponding proportional temporal logic (PTL) formulae are then verified using a PTL theorem prover

Towards a verification technique for large synchronous circuits

Journal ArticleWe present a symbolic simulation based verification approach which can be applied to large synchronous circuits. A new technique to encode the state and input constraints as parametric Boolean expressions over the state and input variables is used to make our symbolic simulation based verification approach efficient. The constraints which are encoded through parametric Boolean expressions can involve the Boolean connectives (-, + , ->), the relational operators (, >, =), and logical connectives (A, V). This technique of using parametric Boolean expressions vastly reduces the number of symbolic simulation vectors and the time for verification, thus making our verification approach applicable to large synchronous circuits. Our verification approach can also be applied for efficient modular verification of large designs; the technique used is to verify each constituent sub-module separately, however in the context of the overall design. Since regular arrays are part of many large designs, we have developed an approach for the verification of regular arrays which combines formal verification at the high level and symbolic simulation at the low level(e.g., switch-level). We show the verification of a circuit called Minmax, a pipelined cache memory system, and an LRU array implementation of the least recently used block replacement policy, to illustrate our verification approach. The experimental results are obtained using the COSMOS symbolic simulator

Cryogenic propellant management: Integration of design, performance and operational requirements

The integration of the design features of the Shuttle elements into a cryogenic propellant management system is described. The implementation and verification of the design/operational changes resulting from design deficiencies and/or element incompatibilities encountered subsequent to the critical design reviews are emphasized. Major topics include: subsystem designs to provide liquid oxygen (LO2) tank pressure stabilization, LO2 facility vent for ice prevention, liquid hydrogen (LH2) feedline high point bleed, pogo suppression on the Space Shuttle Main Engine (SSME), LO2 low level cutoff, Orbiter/engine propellant dump, and LO2 main feedline helium injection for geyser prevention

Functional verification framework of an AES encryption module

Over the time, the development of the digital design has increased dramatically and nowadays many different circuits and systems are designed for multiple purposes in short time lapses. However, this development has not been based only in the enhancement of the design tools, but also in the improvement of the verification tools, due to the outstanding role of the verification process that certifies the adequate performance and the fulfillment of the requirements. In the verification industry, robust methodologies such as the Universal Verification Methodology (UVM) are used, an example of this is [1], but they have not been implemented yet in countries such as Peru and they seem inconvenient for educational purposes. This research propose an alternative methodology for the verification process of designs at the industry scale with a modular structure that contributes to the development of more complex and elaborated designs in countries with little or none verification background and limited verification tools. This methodology is a functional verification methodology described in SystemVerilog and its effectiveness is evaluated in the verification of an AES (Advance Encryption Standard) encryption module obtained from [2]. The verification framework is based on a verification plan (developed in this research as well) with high quality standards as it is defined in the industry. This verification plan evaluates synchronization, data validity, signal stability, signal timing and behavior consistency using Assertions, functional coverage and code coverage. An analysis of the outcomes obtained shows that the AES encryption module was completely verified obtaining 100% of the Assertions evaluation, 100% of functional verification and over 95% of code coverage in all approaches (fsm, block, expression, toggle). Besides, the modular structure defines the intercommunication with the Design only in the bottom most level, which facilitates the reuse of the verification framework with different bus interfaces. Nonetheless, this unit level verification framework can be easily instantiated by a system level verification facilitating the scalability. Finally, the documentation, tutorials and verification plan templates were generated successfully and are aimed to the development of future projects in the GuE PUCP (Research group in Microelectronics). In conclusion, the methodology proposed for the verification framework of the AES encryption module is in fact capable of verifying designs at the industry scale with high level of reliability, defining a very detailed and standardized verification plan and containing a suitable structure for reuse and scalability.Tesi

Providing a formal linkage between MDG and HOL based on a verified MDG system.

Formal verification techniques can be classified into two categories: deductive theorem proving and symbolic state enumeration. Each method has complementary advantages and disadvantages. In general, theorem provers are high reliability systems. They can be applied to the expressive formalisms that are capable of modelling complex designs such as processors. However, theorem provers use a glass-box approach. To complete a verification, it is necessary to understand the internal structure in detail. The learning curve is very steep and modeling and verifying a system is very time-consuming. In contrast, symbolic state enumeration tools use a black-box approach. When verifying a design, the user does not need to understand its internal structure. Their advantages are their speed and ease of use. But they can only be used to prove relatively simple designs and the system security is much lower than the theorem proving system. Many hybrid tools have been developed to reap the benefits of both theorem proving Systems and symbolic state enumeration Systems. Normally, the verification results from one system are translated to another system. In other words, there is a linkage between the two Systems. However, how can we ensure that this linkage can be trusted? How can we ensure the verification system itself is correct? The contribution of this thesis is that we have produced a methodology which can provide a formal linkage between a symbolic state enumeration system and a theorem proving system based on a verified symbolic state enumeration system. The methodology has been partly realized in two simplified versions of the MDG system (a symbolic state enumeration system) and the HOL system (a theorem proving system) which involves the following three steps. First, we have verified aspects of correctness of two simplified versions of the MDG system. We have made certain that the semantics of a program is preserved in those of its translated form. Secondly, we have provided a formal linkage between the MDG system and the HOL system based on importing theorems. The MDG verification results can be formally imported into HOL to form the HOL theorems. Thirdly, we have combined the translator correctness theorems with the importing theorems. This combination allows the low level MDG verification results to be imported into HOL in terms of the semantics of a high level language (MDG-HDL). We have also summarized a general method which is used to prove the existential theorem for the specification and implementation of the design. The feasibility of this approach has been demonstrated in a case study: the verification of the correctness and usability theorems of a vending machine

Doctor of Philosophy

dissertationFormal verification of hardware designs has become an essential component of the overall system design flow. The designs are generally modeled as finite state machines, on which property and equivalence checking problems are solved for verification. Reachability analysis forms the core of these techniques. However, increasing size and complexity of the circuits causes the state explosion problem. Abstraction is the key to tackling the scalability challenges. This dissertation presents new techniques for word-level abstraction with applications in sequential design verification. By bundling together k bit-level state-variables into one word-level constraint expression, the state-space is construed as solutions (variety) to a set of polynomial constraints (ideal), modeled over the finite (Galois) field of 2^k elements. Subsequently, techniques from algebraic geometry -- notably, Groebner basis theory and technology -- are researched to perform reachability analysis and verification of sequential circuits. This approach adds a "word-level dimension" to state-space abstraction and verification to make the process more efficient. While algebraic geometry provides powerful abstraction and reasoning capabilities, the algorithms exhibit high computational complexity. In the dissertation, we show that by analyzing the constraints, it is possible to obtain more insights about the polynomial ideals, which can be exploited to overcome the complexity. Using our algorithm design and implementations, we demonstrate how to perform reachability analysis of finite-state machines purely at the word level. Using this concept, we perform scalable verification of sequential arithmetic circuits. As contemporary approaches make use of resolution proofs and unsatisfiable cores for state-space abstraction, we introduce the algebraic geometry analog of unsatisfiable cores, and present algorithms to extract and refine unsatisfiable cores of polynomial ideals. Experiments are performed to demonstrate the efficacy of our approaches

Compositional Model Checking of Concurrent Systems

This paper presents a compositional framework to address the state explosion problem in model checking of concurrent systems. This framework takes as input a system model described as a network of communicating components in a high-level description language, finds the local state transition models for each individual component where local properties can be verified, and then iteratively reduces and composes the component state transition models to form a reduced global model for the entire system where global safety properties can be verified. The state space reductions used in this framework result in a reduced model that contains the exact same set of observably equivalent executions as in the original model, therefore, no false counter-examples result from the verification of the reduced model. This approach allows designs that cannot be handled monolithically or with partial-order reduction to be verified without difficulty. The experimental results show significant scale-up of this compositional verification framework on a number of non-trivial concurrent system models

Safety Contracts for Timed ReactiveComponents in SysML

International audienceA variety of system design and architecture description languages, such as SysML, UML or AADL, allows the decomposition of complex system designs into communicating timed components. In this paper we consider the contract-based specification of such components. A contract is a pair formed of an assumption, which is an abstraction of the component’s environment, and a guarantee, which is an abstraction of the component’s behavior given that the environment behaves according to the assumption. Thus, a contract concentrates on a specific aspect of the component’s functionality and on a subset of its interface, which makes it relatively simpler to specify. Contracts may be used as an aid for hierarchical decomposition during design or for verification of properties of composites. This paper defines contracts for components formalized as a variant of timed input/output automata, introduces compositional results allowing to reason with contracts and shows how contracts can be used in a high-level modeling language (SysML) for specification and verification, based on an example extracted from a real-life system

Co-Emulation of Scan-Chain Based Designs Utilizing SCE-MI Infrastructure

Simulation times of complex System-on-Chips (SoC) have grown exponentially as designs reach the multi-million ASIC gate range. Verification teams have adopted emulation as a prominent methodology, incorporating high-level testbenches and FPGA/ASIC hardware for system-level testing (SLT). In addition to SLT, emulation enables software teams to incorporate software applications with cycle-accurate hardware early on in the design cycle. The Standard for Co-Emulation Modeling Interface (SCE-MI) developed by the Accelera Initiative, is a widely used communication protocol for emulation which has been accepted by major electronic design automation (EDA) companies. Scan-chain is a design-for-test (DFT) methodology used for testing digital circuits. To allow more controllability and observability of the system, design registers are transformed into scan registers, allowing verification teams to shift in test vectors and observe the behavior of combinatorial logic. As SoC complexity increases, thousands of registers can be used in a design, which makes it difficult to implement full-scan testing. More so, as the complexity of the scan algorithm is dependent on the number of design registers, large SoC scan designs can no longer be verified in RTL simulation unless portioned into smaller sub-blocks. To complete a full scan cycle in RTL simulation for large system-level designs, it may take hours, days, or even weeks depending on the complexity of the circuit. This thesis proposes a methodology to decrease scan-chain verification time utilizing SCE-MI protocol and an FPGA-based emulation platform. A high-level (SystemC) testbench and FPGA synthesizable hardware transactor models are developed for the ISCAS89 S400 benchmark circuit for high-speed communication between the CPU workstation and FPGA emulator. The emulation results are compared to other verification methodologies, and found to be 82% faster than regular RTL simulation. In addition, the emulation runs in the MHz speed range, allowing the incorporation of software applications, drivers, and operating systems, as opposed to the Hz range in RTL simulation