The Future of Formal Methods and GALS Design

AbstractThe System-on-Chip era has arrived, and it arrived quickly. Modular composition of components through a shared interconnect is now becoming the standard, rather than the exotic. Asynchronous interconnect fabrics and globally asynchronous locally synchronous (GALS) design has been shown to be potentially advantageous. However, the arduous road to developing asynchronous on-chip communication and interfaces to clocked cores is still nascent. This road of converting to asynchronous networks, and potentially the core intellectual property block as well, will be rocky. Asynchronous circuit design has been employed since the 1950's. However, it is doubtful that its present form will be what we will see 10 years hence. This treatise is intended to provoke debate as it projects what technologies will look like in the future, and discusses, among other aspects, the role of formal verification, education, the CAD industry, and the ever present tradeoff between greed and fear

An Alloy Verification Model for Consensus-Based Auction Protocols

Max Consensus-based Auction (MCA) protocols are an elegant approach to establish conflict-free distributed allocations in a wide range of network utility maximization problems. A set of agents independently bid on a set of items, and exchange their bids with their first hop-neighbors for a distributed (max-consensus) winner determination. The use of MCA protocols was proposed, $e.g.$, to solve the task allocation problem for a fleet of unmanned aerial vehicles, in smart grids, or in distributed virtual network management applications. Misconfigured or malicious agents participating in a MCA, or an incorrect instantiation of policies can lead to oscillations of the protocol, causing, $e.g.$, Service Level Agreement (SLA) violations. In this paper, we propose a formal, machine-readable, Max-Consensus Auction model, encoded in the Alloy lightweight modeling language. The model consists of a network of agents applying the MCA mechanisms, instantiated with potentially different policies, and a set of predicates to analyze its convergence properties. We were able to verify that MCA is not resilient against rebidding attacks, and that the protocol fails (to achieve a conflict-free resource allocation) for some specific combinations of policies. Our model can be used to verify, with a "push-button" analysis, the convergence of the MCA mechanism to a conflict-free allocation of a wide range of policy instantiations

Fast and Compact Distributed Verification and Self-Stabilization of a DFS Tree

We present algorithms for distributed verification and silent-stabilization of a DFS(Depth First Search) spanning tree of a connected network. Computing and maintaining such a DFS tree is an important task, e.g., for constructing efficient routing schemes. Our algorithm improves upon previous work in various ways. Comparable previous work has space and time complexities of $O(n\log \Delta)$ bits per node and $O(nD)$ respectively, where $\Delta$ is the highest degree of a node, $n$ is the number of nodes and $D$ is the diameter of the network. In contrast, our algorithm has a space complexity of $O(\log n)$ bits per node, which is optimal for silent-stabilizing spanning trees and runs in $O(n)$ time. In addition, our solution is modular since it utilizes the distributed verification algorithm as an independent subtask of the overall solution. It is possible to use the verification algorithm as a stand alone task or as a subtask in another algorithm. To demonstrate the simplicity of constructing efficient DFS algorithms using the modular approach, We also present a (non-sielnt) self-stabilizing DFS token circulation algorithm for general networks based on our silent-stabilizing DFS tree. The complexities of this token circulation algorithm are comparable to the known ones

A new look at the conditions for the synthesis of speed-independent circuits

This paper presents a set of sufficient conditions for the gate-level synthesis of speed-independent circuits when constrained to a given class of gate library. Existing synthesis methodologies are restricted to architectures that use simple AND-gates, and do not exploit the advantages offered by the existence of complex gates. The use of complex gates increases the speed and reduces the area of the circuits. These improvements are achieved because of (1) the elimination of the distributivity, signal persistency and unique minimal state requirements imposed by other techniques; (2) the reduction in the number of internal signals necessary to guarantee the synthesis; and finally (3) the utilization of optimization techniques to reduce the fan-in of the involved gates and the number of required memory elements.Peer ReviewedPostprint (published version

Special Session on Industry 4.0

No abstract available

Specification and Verification of Distributed Embedded Systems: A Traffic Intersection Product Family

Distributed embedded systems (DESs) are no longer the exception; they are the rule in many application areas such as avionics, the automotive industry, traffic systems, sensor networks, and medical devices. Formal DES specification and verification is challenging due to state space explosion and the need to support real-time features. This paper reports on an extensive industry-based case study involving a DES product family for a pedestrian and car 4-way traffic intersection in which autonomous devices communicate by asynchronous message passing without a centralized controller. All the safety requirements and a liveness requirement informally specified in the requirements document have been formally verified using Real-Time Maude and its model checking features.Comment: In Proceedings RTRTS 2010, arXiv:1009.398

Using the PALS Architecture to Verify a Distributed Topology Control Protocol for Wireless Multi-Hop Networks in the Presence of Node Failures

The PALS architecture reduces distributed, real-time asynchronous system design to the design of a synchronous system under reasonable requirements. Assuming logical synchrony leads to fewer system behaviors and provides a conceptually simpler paradigm for engineering purposes. One of the current limitations of the framework is that from a set of independent "synchronous machines", one must compose the entire synchronous system by hand, which is tedious and error-prone. We use Maude's meta-level to automatically generate a synchronous composition from user-provided component machines and a description of how the machines communicate with each other. We then use the new capabilities to verify the correctness of a distributed topology control protocol for wireless networks in the presence of nodes that may fail.Comment: In Proceedings RTRTS 2010, arXiv:1009.398

Formal Model Engineering for Embedded Systems Using Real-Time Maude

This paper motivates why Real-Time Maude should be well suited to provide a formal semantics and formal analysis capabilities to modeling languages for embedded systems. One can then use the code generation facilities of the tools for the modeling languages to automatically synthesize Real-Time Maude verification models from design models, enabling a formal model engineering process that combines the convenience of modeling using an informal but intuitive modeling language with formal verification. We give a brief overview six fairly different modeling formalisms for which Real-Time Maude has provided the formal semantics and (possibly) formal analysis. These models include behavioral subsets of the avionics modeling standard AADL, Ptolemy II discrete-event models, two EMF-based timed model transformation systems, and a modeling language for handset software.Comment: In Proceedings AMMSE 2011, arXiv:1106.596