Using automata to characterise fixed point temporal logics
This work examines propositional fixed point temporal and modal logics called mu-calculi and their relationship to automata on infinite strings and trees. We use correspondences between formulae and automata to explore definability in mu-calculi and their fragments, to provide normal forms for formulae, and to prove completeness of axiomatisations. The study of such methods for describing infinitary languages is of fundamental importance to the areas of computer science dealing with non-terminating computations, in particular to the specification and verification of concurrent and reactive systems.
To emphasise the close relationship between formulae of mu-calculi and alternating automata, we introduce a new first recurrence acceptance condition for automata, checking intuitively whether the first infinitely often occurring state in a run is accepting. Alternating first recurrence automata can be identified with mu-calculus formulae, and ordinary, non-alternating first recurrence automata with formulae in a particular normal form, the strongly aconjunctive form. Automata with more traditional Büchi and Rabin acceptance conditions can be easily unwound to first recurrence automata, i.e. to mu-calculus formulae.
In the other direction, we describe a powerset operation for automata that corresponds to fixpoints, allowing us to translate formulae inductively to ordinary Büchi and Rabin automata. These translations give easy proofs of the facts that Rabin automata, the full mu-calculus, its strongly aconjunctive fragment and the monadic second-order calculus of n successors SnS are all equiexpressive; that Büchi automata, the fixpoint alternation class Pi_2 and the strongly aconjunctive fragment of Pi_2 are similarly related; and that weak SnS and the fixpoint-alternation-free fragment of the mu-calculus also coincide. As corollaries we obtain Rabin's complementation lemma and the powerful decidability result for SnS.
We then describe a direct tableau decision method for modal and linear-time mu-calculi, based on the notion of definition trees. The tableaux can be interpreted as first recurrence automata, so the construction can also be viewed as a transformation to the strongly aconjunctive normal form.
Finally, we present solutions to two open axiomatisation problems, for the linear-time mu-calculus and its extension with path quantifiers. Both completeness proofs are based on transforming formulae to normal forms inspired by automata. In extending the completeness result of the linear-time mu-calculus to the version with path quantifiers, the essential problem is capturing the limit closure property of paths in an axiomatisation. To this end, we introduce a new \exists\nu-induction inference rule
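The first recurrence acceptance condition sketched above is easiest to see next to the Büchi condition on a concrete run. The following is an added example, not code from the thesis: it decides whether a small nondeterministic automaton accepts an ultimately periodic word u v^omega under each condition, by searching the finite product of the automaton with the lasso-shaped word. The reading of first recurrence used here (states carry a total order, and a run is accepting iff the lowest-ranked state among those visited infinitely often is accepting) is an interpretation of the abstract's one-line intuition, not the thesis's formal definition; the `Automaton` class, the `compare` helper and the transition table are likewise constructed for this example.

```python
"""Acceptance of ultimately periodic words under Büchi and 'first recurrence' conditions.

Added example, not code from the thesis. First recurrence is read here as: states
carry a total order (rank), and a run is accepting iff the lowest-ranked state among
those visited infinitely often is accepting. That reading is an assumption.
"""
from collections import deque


class Automaton:
    """Nondeterministic automaton on infinite words over a finite alphabet."""

    def __init__(self, initial, transitions, accepting, rank):
        self.initial = initial
        self.trans = transitions        # (state, letter) -> set of successor states
        self.accepting = set(accepting)
        self.rank = rank                # state -> position in the state order (0 = first)

    def successors(self, state, letter):
        return self.trans.get((state, letter), set())


def product_graph(aut, prefix, loop):
    """Finite graph of (state, position) nodes reachable while reading prefix.loop^omega.

    Position i < len(prefix) reads prefix[i]; later positions read the loop and wrap
    back to len(prefix), so every cycle of this graph lies inside the periodic part.
    """
    assert loop, "the periodic part must be non-empty"
    word = prefix + loop
    n, m = len(prefix), len(loop)

    def nxt(i):
        return n if i + 1 == n + m else i + 1

    start = (aut.initial, 0)
    edges, seen, queue = {}, {start}, deque([start])
    while queue:
        state, i = queue.popleft()
        succ = {(s, nxt(i)) for s in aut.successors(state, word[i])}
        edges[(state, i)] = succ
        for node in succ:
            if node not in seen:
                seen.add(node)
                queue.append(node)
    return edges


def on_cycle(edges, node, allowed):
    """True iff `node` reaches itself by a non-empty path whose nodes all lie in `allowed`."""
    stack = [s for s in edges.get(node, ()) if s in allowed]
    visited = set()
    while stack:
        cur = stack.pop()
        if cur == node:
            return True
        if cur in visited:
            continue
        visited.add(cur)
        stack.extend(s for s in edges.get(cur, ()) if s in allowed)
    return False


def buchi_accepts(aut, prefix, loop):
    """Some run visits an accepting state infinitely often."""
    edges = product_graph(aut, prefix, loop)
    return any(node[0] in aut.accepting and on_cycle(edges, node, edges.keys())
               for node in edges)


def first_recurrence_accepts(aut, prefix, loop):
    """Some run's lowest-ranked infinitely-often state is accepting.

    Such a run exists iff a reachable node (q, i) with q accepting lies on a cycle
    passing only through states ranked at or after q: looping there forever makes
    q the first recurring state. Conversely the infinitely-often nodes of any
    accepting run form such a cycle through its lowest-ranked state.
    """
    edges = product_graph(aut, prefix, loop)
    for node in edges:
        q = node[0]
        if q not in aut.accepting:
            continue
        allowed = {n for n in edges if aut.rank[n[0]] >= aut.rank[q]}
        if on_cycle(edges, node, allowed):
            return True
    return False


# Constructed automaton over {a, b}: p is initial, q the only accepting state.
# Reading a in p may stay in p or move to q (a nondeterministic choice).
TRANSITIONS = {
    ("p", "a"): {"p", "q"},
    ("p", "b"): {"p"},
    ("q", "a"): {"q"},
    ("q", "b"): {"p"},
}

AUT_P_FIRST = Automaton("p", TRANSITIONS, {"q"}, {"p": 0, "q": 1})  # order p < q
AUT_Q_FIRST = Automaton("p", TRANSITIONS, {"q"}, {"q": 0, "p": 1})  # order q < p


def compare(aut, prefix, loop):
    """Return (buchi, first_recurrence) verdicts for the word prefix.loop^omega."""
    return buchi_accepts(aut, prefix, loop), first_recurrence_accepts(aut, prefix, loop)


if __name__ == "__main__":
    for prefix, loop in [("", "a"), ("", "ab"), ("", "b"), ("b", "a")]:
        print(f"{prefix!r}.{loop!r}^w  p<q: {compare(AUT_P_FIRST, prefix, loop)}"
              f"  q<p: {compare(AUT_Q_FIRST, prefix, loop)}")
```

The word (ab)^omega separates the two conditions: the only run that visits q alternates p and q, so Büchi accepts, but with the order p < q the first recurring state is the rejecting p and first recurrence rejects; swapping the order makes it accept again. The same graph search serves both conditions, which is the point of the abstract's remark that Büchi (and Rabin) automata unwind into first recurrence ones.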
Formal Verification of an Iterative Low-Power x86 Floating-Point Multiplier with Redundant Feedback
We present the formal verification of a low-power x86 floating-point multiplier. The multiplier operates iteratively and feeds back intermediate results in redundant representation. It supports x87 and SSE instructions in various precisions and can block the issuing of new instructions. The design has been optimized for low-power operation and has not been constrained by the formal verification effort. Additional improvements for the implementation were identified through formal verification. The formal verification of the design also incorporates the implementation of clock-gating and control logic. The core of the verification effort was based on ACL2 theorem proving. Additionally, model checking has been used to verify some properties of the floating-point scheduler that are relevant for the correct operation of the unit.
Comment: In Proceedings ACL2 2011, arXiv:1110.447
Formal Verification of Iterative Algorithms in Microprocessors
Contemporary microprocessors implement many iterative algorithms. For example, the front-end of a microprocessor repeatedly fetches and decodes instructions while updating internal state such as the program counter; floating-point circuits perform divide and square root computations iteratively. Iterative algorithms often have complex implementations because of performance optimizations like result speculation, re-timing and circuit redundancies. Verifying these iterative circuits against high-level specifications requires two steps: reasoning about the algorithm itself and verifying the implementation against the algorithm. In this paper we discuss the verification of four iterative circuits from Intel microprocessor designs. These verifications were performed using Forte, a custom-built verification system; we discuss the Forte features necessary for our approach. Finally, we discuss how we maintained these proofs in the face of evolving design implementations.