306 research outputs found
STRICT: a language and tool set for the design of very large scale integrated circuits
PhD ThesisAn essential requirement for the design of large VLSI circuits is a design methodology
which would allow the designer to overcome the complexity and correctness issues associated
with the building of such circuits.
We propose that many of the problems of the design of large circuits can be solved by using
a formal design notation based upon the functional programming paradigm, that embodies
design concepts that have been used extensively as the framework for software construction.
The design notation should permit parallel, sequential, and recursive decompositions
of a design into smaller components, and it should allow large circuits to be constructed
from simpler circuits that can be embedded in a design in a modular fashion. Consistency
checking should be provided as early as possible in a design. Such a methodology would
structure the design of a circuit in much the same way that procedures, classes, and control
structures may be used to structure large software systems.
However, such a design notation must be supported by tools which automatically check the
consistency of the design, if the methodology is to be practical. In principle, the methodology
should impose constraints upon circuit design to reduce errors and provide' correctness
by construction' . It should be possible to generate efficient and correct circuits, by providing
a route to a large variety of design tools commonly found in design systems: simulators,
automatic placement and routing tools, module generators, schematic capture tools, and
formal verification and synthesis tools
Verified AIG Algorithms in ACL2
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions
(like circuits). AIG simplification algorithms can dramatically reduce an AIG,
and play an important role in modern hardware verification tools like
equivalence checkers. In practice, these tricky algorithms are implemented with
optimized C or C++ routines with no guarantee of correctness. Meanwhile, many
interactive theorem provers can now employ SAT or SMT solvers to automatically
solve finite goals, but no theorem prover makes use of these advanced,
AIG-based approaches.
We have developed two ways to represent AIGs within the ACL2 theorem prover.
One representation, Hons-AIGs, is especially convenient to use and reason
about. The other, Aignet, is the opposite; it is styled after modern AIG
packages and allows for efficient algorithms. We have implemented functions for
converting between these representations, random vector simulation, conversion
to CNF, etc., and developed reasoning strategies for verifying these
algorithms.
Aside from these contributions towards verifying AIG algorithms, this work
has an immediate, practical benefit for ACL2 users who are using GL to
bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf
SAT solver to carry out the proof, instead of using the built-in BDD package.
Looking to the future, it is a first step toward implementing verified AIG
simplification algorithms that might further improve GL performance.Comment: In Proceedings ACL2 2013, arXiv:1304.712
From LCF to Isabelle/HOL
Interactive theorem provers have developed dramatically over the past four
decades, from primitive beginnings to today's powerful systems. Here, we focus
on Isabelle/HOL and its distinctive strengths. They include automatic proof
search, borrowing techniques from the world of first order theorem proving, but
also the automatic search for counterexamples. They include a highly readable
structured language of proofs and a unique interactive development environment
for editing live proof documents. Everything rests on the foundation conceived
by Robin Milner for Edinburgh LCF: a proof kernel, using abstract types to
ensure soundness and eliminate the need to store proofs. Compared with the
research prototypes of the 1970s, Isabelle is a practical and versatile tool.
It is used by system designers, mathematicians and many others
NASA Formal Methods Workshop, 1990
The workshop brought together researchers involved in the NASA formal methods research effort for detailed technical interchange and provided a mechanism for interaction with representatives from the FAA and the aerospace industry. The workshop also included speakers from industry to debrief the formal methods researchers on the current state of practice in flight critical system design, verification, and certification. The goals were: define and characterize the verification problem for ultra-reliable life critical flight control systems and the current state of practice in industry today; determine the proper role of formal methods in addressing these problems, and assess the state of the art and recent progress toward applying formal methods to this area
Doctor of Philosophy
dissertationTrusted computing base (TCB) of a computer system comprises components that must be trusted in order to support its security policy. Research communities have identified the well-known minimal TCB principle, namely, the TCB of a system should be as small as possible, so that it can be thoroughly examined and verified. This dissertation is an experiment showing how small the TCB for an isolation service is based on software fault isolation (SFI) for small multitasking embedded systems. The TCB achieved by this dissertation includes just the formal definitions of isolation properties, instruction semantics, program logic, and a proof assistant, besides hardware. There is not a compiler, an assembler, a verifier, a rewriter, or an operating system in the TCB. To the best of my knowledge, this is the smallest TCB that has ever been shown for guaranteeing nontrivial properties of real binary programs on real hardware. This is accomplished by combining SFI techniques and high-confidence formal verification. An SFI implementation inserts dynamic checks before dangerous operations, and these checks provide necessary invariants needed by the formal verification to prove theorems about the isolation properties of ARM binary programs. The high-confidence assurance of the formal verification comes from two facts. First, the verification is based on an existing realistic semantics of the ARM ISA that is independently developed by Cambridge researchers. Second, the verification is conducted in a higher-order proof assistant-the HOL theorem prover, which mechanically checks every verification step by rigorous logic. In addition, the entire verification process, including both specification generation and verification, is automatic. To support proof automation, a novel program logic has been designed, and an automatic reasoning framework for verifying shallow safety properties has been developed. The program logic integrates Hoare-style reasoning and Floyd's inductive assertion reasoning together in a small set of definitions, which overcomes shortcomings of Hoare logic and facilitates proof automation. All inference rules of the logic are proven based on the instruction semantics and the logic definitions. The framework leverages abstract interpretation to automatically find function specifications required by the program logic. The results of the abstract interpretation are used to construct the function specifications automatically, and the specifications are proven without human interaction by utilizing intermediate theorems generated during the abstract interpretation. All these work in concert to create the very small TCB
The formal verification of generic interpreters
The task assignment 3 of the design and validation of digital flight control systems suitable for fly-by-wire applications is studied. Task 3 is associated with formal verification of embedded systems. In particular, results are presented that provide a methodological approach to microprocessor verification. A hierarchical decomposition strategy for specifying microprocessors is also presented. A theory of generic interpreters is presented that can be used to model microprocessor behavior. The generic interpreter theory abstracts away the details of instruction functionality, leaving a general model of what an interpreter does
Doctor of Philosophy
dissertationEmbedded systems are often deployed in a variety of mission-critical fields, such as car control systems, the artificial pace maker, and the Mars rover. There is usually significant monetary value or human safety associated with such systems. It is thus desirable to prove that they work as intended or at least do not behave in a harmful way. There has been considerable effort to prove the correctness of embedded systems. However, most of this effort is based on the assumption that embedded systems do not have any peripheral devices and interrupt handling. This is too idealistic because embedded systems typically depend on some peripheral devices to provide their functionality, and in most cases these peripheral devices interact with the processor core through interrupts so that the system can support multiple devices in a real time fashion. My research, which focuses on constrained embedded systems, provides a framework for verifying realistic device driver software at the machine code level. The research has two parts. In the first part of my research, I created an abstract device model that can be plugged into an existing formal semantics for an instruction set architecture. Then I instantiated the abstract model with a model for the serial port for a real embedded processor, and plugged it into the ARM6 instruction set architecture (ISA) model from the University of Cambridge, and verified full correctness of a polling-based open source driver for the serial port. In the second part, I expanded the abstract device model and the serial port model to support interrupts, modified the latest ARMv7 model from the University of Cambridge to be compatible with the abstract device model, and extended the Hoare logic from the University of Cambridge to support hardware interrupt handling. Using this extended tool chain, I verified full correctness of an interrupt-driven open source driver for the serial port. To the best of my knowledge, this is the first full correctness verification of an interrupt-driven device driver. It is also the first time a device driver with inherent timing constraints has been fully verified. Besides the proof of full correctness for realistic serial port drivers, this research produced an abstract device model, a formal specification of the circular bu er at assembly level, a formal specification for the serial port, a formal ARM system-on-chip (SoC) model which can be extended by plugging in device models, and the inference rules to reason about interrupt-driven programs
Formal Proofs for Nonlinear Optimization
We present a formally verified global optimization framework. Given a
semialgebraic or transcendental function and a compact semialgebraic domain
, we use the nonlinear maxplus template approximation algorithm to provide a
certified lower bound of over . This method allows to bound in a modular
way some of the constituents of by suprema of quadratic forms with a well
chosen curvature. Thus, we reduce the initial goal to a hierarchy of
semialgebraic optimization problems, solved by sums of squares relaxations. Our
implementation tool interleaves semialgebraic approximations with sums of
squares witnesses to form certificates. It is interfaced with Coq and thus
benefits from the trusted arithmetic available inside the proof assistant. This
feature is used to produce, from the certificates, both valid underestimators
and lower bounds for each approximated constituent. The application range for
such a tool is widespread; for instance Hales' proof of Kepler's conjecture
yields thousands of multivariate transcendental inequalities. We illustrate the
performance of our formal framework on some of these inequalities as well as on
examples from the global optimization literature.Comment: 24 pages, 2 figures, 3 table
- …