Papers by Phillip Windley
ACAD: A Hierarchical Approach to CMOS Design Analysis
A prototype system to aid analog design engineers in the synthesis and analysis of CMOS analog circuits has been developed. ACAD (Analog Computer Aided Design) differs from other tools by its extensive use of hierarchy and two-port network theory to subdivide the process of solving the small signal network functions. This allows larger circuits to be analyzed.
Proceedings of the 8th International Workshop on Higher Order Logic Theorem Proving and Its Applications
Formal methods in computer-aided design : second international conference, FMCAD '98, Palo Alto, CA, USA, November 4-6, 1998 : proceedings
Formal Methods in Computer-Aided Design, 1998
... Ganesh Gopalakrishnan; Phillip Windley (ed.). Berlin; Heidelberg; New York; Barcelona; Budapest; Hong Kong; London; Milan; Paris; Singapore; Tokyo ... Canada), Chuck Yount, Marten van Hulst, and John Mark Bouler (Intel), Koichiro Takayama and Vamsi Boppana (Fujitsu ...

Melham discusses the use of abstraction in hardware verification in general; we will concentrate on the application of abstraction to modeling and verifying microprocessors. We ask the questions: 1. Are there particular forms of behavioral and structural abstraction that are more efficacious in the verification of microprocessors than others? 2. Can we formalize a general model that incorporates the behavioral, data, and temporal abstractions used in microprocessor verification so that they can be easily reused? As we will see in the chapters that follow, we believe that the answer to both of these questions is yes, and we will describe a hierarchical decomposition strategy and a generic interpreter model that make the verification of large microprocessors practical. 1.2 Main Ideas. This section introduces the main ideas in this paper. These concepts will be discussed in detail in later chapters. This theme is extended in Chapter 4, where we show how the mathematical definition can be formalized in the HOL verification system. We present two different models: a synchronous interpreter model and an asynchronous model. Chapter 5 contains an example of the use of the generic interpreter theory in specifying and verifying a microprocessor, AVM-1. AVM-1 is designed to serve as a testbed for the concepts in this dissertation. The architecture and organization of AVM-1 are described, the formal specification is presented, and the verification is discussed. Appendix A provides a description of the ML package developed for using generic theories in HOL. Appendix B presents the technical details of the AVM-1 proof. The theory hierarchies are discussed and the run times for the proof scripts of the various theories constituting the verification of AVM-1 are presented.

IEEE Transactions on Computers, 1995
Formal verification has long been promised as a means of reducing the amount of testing required to ensure correct VLSI devices. Verification requires at least two mathematical models: one that describes the structure of a computer system and another that models its intended behavior. These models are called specifications. Verification is a mathematical analysis showing that the behavior follows from the structure. Formal verification of microprocessor designs has been quite successful. Indeed, several verified microprocessors have been presented in the literature, and one microprocessor where formal modeling has been applied is commercially available. These efforts were virtuoso performances, largely academic exercises carried out by experts in logic and specification. This paper presents a methodology for microprocessor verification that significantly reduces the learning curve for performing verification. The methodology is formalized in the HOL theorem-proving system. The paper includes a description of a large case study performed to evaluate the methodology. The novel aspects of this research include the use of abstract theories to formalize hardware models. Because our model is described using abstract theories, it provides a framework for both the specification and the verification. This framework reduces the number of ad hoc modeling decisions that must be made to complete the verification. Another unique aspect of our research is the use of hierarchical abstractions to reduce the number of difficult lemmas in completing the verification. Our formalism frees the user from directly reasoning about the difficult aspects of modeling the hierarchy, namely the temporal and data abstractions.
We believe that our formalism, coupled with case studies and tools, allows microprocessor verification to be done by engineers with relatively little experience in microprocessor specification or logic. We are currently testing that hypothesis by using the methodology to teach graduate students formal microprocessor modeling. I. INTRODUCTION. Computers are being used with increasing frequency in areas in which the correct implementation of the computer hardware is critical. Testing has traditionally been used to exclude faults in computers; however, the effectiveness of testing is limited by the combinatorial explosion inherent in any testing technique. The limitations of testing, coupled with the ever-increasing size of VLSI devices, have led to a search for alternatives to testing, such as mathematical modeling and analysis.
Abstract Theories in HOL
Abstract theories are widely used in mathematics because they provide a convenient way to reason about classes of structures. Abstract theories provide proofs about abstract structures which can then be used to reason about specific instances of those structures. Abstract theories are useful for specifying and verifying computer systems because they provide structure and guidance in the specification and verification processes and provide a convenient method of theorem reuse. This report describes and documents a package for using abstract theories in the HOL theorem proving system.
Springer eBooks, 1998
Alexandria is an implementation of the hierarchical verification methodology for the Higher-Order Logic (HOL) theorem prover. The main contribution of Alexandria is the reduction of effort required by the user to create and use hierarchical hardware proofs in HOL. We discuss the implementation and use of Alexandria with an example and outline our future work.
ACAD: A hierarchical approach to CMOS design analysis
A prototype system to aid analog design engineers in the synthesis and analysis of CMOS analog circuits has been developed. ACAD (analog computer-aided design) differs from other tools by its extensive use of hierarchy and two-port network theory to subdivide the process of solving the small signal network functions. This allows larger circuits to be analyzed. ACAD solved and simplified all of the two-port network equations for an operational amplifier containing 29 MOS transistors, 2 resistors, and 3 capacitors by analyzing, simplifying, and combining four subcircuits. ACAD produced the correct results for the model being evaluated. These results show that computer-aided hierarchical small signal model analysis of analog circuits is possible.
An HOL Theory For Logic States with Indeterminate Strengths
A signal value representation including both unknown state and a degree of strength indeterminacy has been shown to provide greater modeling accuracy to the lattice theoretic approach. The lattice approach facilitates the development of higher-order logic functions that can be used to reason about VLSI circuits. Such signal value functions are required for the integration of verification environments, such as
Hardware verification is a technique for reducing the number of design faults in a device. Even though much research has been done in the area, verification is still not used by circuit designers. This paper examines an engineering methodology for verifying microprocessors, describes two case studies using this methodology, and discusses research aimed at integrating verification with VLSI CAD tools. We believe that these steps are necessary if verification is to be used by engineers.
Verifying pipelined microprocessors
Recently there has been much research in verifying pipelined microprocessors. Even so, there has been little consensus on what form the correctness statement should take. Put another way, what should we be verifying about pipelined microprocessors? We believe that the correctness statement should show that the parallel machine represented by the pipeline behaves in the same manner as the sequential machine represented by the instruction set semantics. In this paper, we present such a model and examine four pipeline verifications to see how they compare.

Online social networks are formed when web applications allow users to contribute to an online community. The explosive growth of these social networks taxes the management capacity of human administrators. The continued health of an online social network depends upon the identification and utilization of users who make positive contributions to the community, but finding these individuals can be difficult. In addition, these contributing users must be explicitly granted authority to help maintain and grow these networks. Automated reputation calculations based on user contributions and behavior can be used as an effective substitute for explicit authorization, giving online social networks greater flexibility and scalability. In this paper, we examine the underlying principles of online reputation, introduce Pythia, a flexible reputation system framework, and demonstrate the use of reputation calculations to augment explicit authorization in a web application.
Mechanically checking a lemma used in an automatic verification tool
Springer eBooks, 1996
Automatic formal verification methods sometimes depend on lemmas for decomposing proofs into parts. The decomposition simplifies the verification task for automatic tools, such as model checkers. Typically the lemmas are proven by hand, and apply to all instances where the automatic tool is applied. Mechanically verifying these lemmas using a theorem prover provides greater assurance that the decomposition is correct.
We present a state property called congruence and show how it can be used to demonstrate commutativity of instructions in a modern load/store architecture. Our analysis is particularly important in pipelined microprocessors where instructions are frequently reordered to avoid costly delays in execution caused by hazards. Our work has significant implications for safety and security critical applications, since reordering can easily change the meaning of an instruction sequence and current techniques are largely ad hoc. Our work is done in a mechanical theorem prover and results in a set of trustworthy rules for instruction reordering. The mechanization makes it practical to analyze the entire instruction set.
Verification of VLSI designs
In this paper we explore the specification and verification of VLSI designs. The paper focuses on abstract specification and verification of functionality using mathematical logic as opposed to low-level boolean equivalence verification such as that done using BDDs and Model Checking. Specification and verification, sometimes called formal methods, is one tool for increasing computer dependability in the face of an exponentially increasing testing effort.
Formal specification of a high speed CMOS correlator
The formal specification of a high speed CMOS correlator is presented. The specification gives the high-level behavior of the correlator and provides a clear, unambiguous description of the high-level architecture of the device.

Springer eBooks, 1998
The VLSI CAD flow encompasses an abundance of critical NP-complete and PSPACE-complete problems. Instead of developing a dedicated algorithm for each, the trend during the last decade has been to encode them in formal languages, such as Boolean satisfiability (SAT) and quantified Boolean formulas (QBFs), and focus academic resources on improving SAT and QBF solvers. The significant progress of these solvers has validated this strategy. This dissertation contributes to the further advancement of formal techniques in CAD. Today, the verification and debugging of increasingly complex RTL designs can consume up to 70% of the VLSI design cycle. In particular, RTL debug is a manual, resource-intensive task in the industry. The first contribution of this thesis is an in-depth examination of the factors affecting the theoretical computational complexity of debugging. It is established that most variations of the debugging problem are NP-complete. Automated debugging tools return all potential error sources in the RTL, called solutions, that can explain a given failing error trace. Finding each solution requires a separate call to a formal engine, which is computationally expensive. The second contribution of this dissertation comprises techniques for reducing the number of such iterations, by leveraging dominance relationships between RTL blocks to imply solutions. Extensive experiments on industrial designs show a threefold reduction in the number of formal engine calls due to solution implications, resulting in a 1.64x overall speed-up. The third contribution aims to advance the state-of-the-art of QBF solvers, whose progress has not been as impressive as that of SAT solvers. We present a framework for using complete dominators to preprocess and reduce QBFs with an inherent circuit structure, which is com
This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 10. Task 10 is concerned with the formal specification and verification of a processor interface unit. This report describes the formal specification of the design and partial requirements for a processor interface unit using the HOL theorem-proving system. The HOL listings of the formal specification are documented in NASA CR-191465. The processor interface unit is a single-chip subsystem within a fault-tolerant embedded system under development at the Boeing Defense & Space Group. It provides the opportunity to investigate the specification and verification of a real-world subsystem within a commercially-developed fault-tolerant computer.
This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 3. Task 3 is associated with formal verification of embedded systems. In particular, this document contains the HOL code that formally proves the AVM-1 microprocessor using the theory of generic interpreters.