Specifying circuit properties in PSL. (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

Similar documents
Specifying circuit properties in PSL

Sugar 2.0 An Introduction

IP Core Design. Lecture 11 Introduction to PSL

Property-based design with HORUS / SYNTHORUS

Part 6: VHDL simulation. Introduction to Modeling and Verification of Digital Systems. Elaboration and simulation. Elaboration and simulation

Property Specification Language. Reference Manual. Version 1.01

Hardware Design Verification: Simulation and Formal Method-Based Approaches William K Lam Prentice Hall Modern Semiconductor Design Series

Software Model Checking: Theory and Practice

Real life experiences of PSL. Magnus Björk Hardware Description and Verificatoin

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

PSL Assertion Checking with Temporally Extended High-Level Decision Diagrams

Formal Verification of Business Continuity Solutions

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

ON THE EFFECTIVENESS OF ASSERTION-BASED VERIFICATION

HARDWARE EMULATION OF SEQUENTIAL ATPG-BASED BOUNDED MODEL CHECKING GREGORY FICK FORD. Submitted in partial fulfilment of the requirements

Finite State Verification. CSCE Lecture 14-02/25/2016

Symbolic Trajectory Evaluation - A Survey

Formal Verification for UML/SysML models

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Monitoring Interfaces for Faults

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Binary Decision Diagrams and Symbolic Model Checking

Finite State Verification. CSCE Lecture 21-03/28/2017

Principles of Programming Languages

Formal Methods in Software Engineering. Lecture 07

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Optimized Temporal Logic Compilation

Track 2: (Logic, Semantics, Specification and Verification) Title: Truncating Regular Expressions. Authors: 1. Cindy Eisner (contact author)

EE382V: System-on-a-Chip (SoC) Design

A C-language binding for PSL

Cyber Physical System Verification with SAL

Hardware Verification 2IMF20

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

CS/ECE 5780/6780: Embedded System Design

Model checking Timber program. Paweł Pietrzak

Formalizing Timing Diagram Requirements:

The Esterel language

Introduction 2 The first synchronous language (early 80 s) Gérard Berry and his team (École des Mines de Paris / INRIA Sophia-Antipolis) Imperative, s

Tutorial on Model Checking Modelling and Verification in Computer Science

Model Checking: Back and Forth Between Hardware and Software

Syntactic Optimizations for PSL Verification

Automated Reasoning. Model Checking with SPIN (II)

Subset sum problem and dynamic programming

Programming Embedded Systems

Reasoning About Imperative Programs. COS 441 Slides 10

Combining Complementary Formal Verification Strategies to Improve Performance and Accuracy

Introduction to Software Testing Chapter 5.1 Syntax-based Testing

Model Checking VHDL with CV

Automated Reasoning Lecture 3: The NuSMV Model Checker

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

Constraint Satisfaction Problems (CSPs)

Introduction to CS 270 Math Foundations of CS

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Behaviour Driven Development for Hardware Design

Using Integer Equations for High Level Formal Verification Property Checking

Lecture 7: Requirements Modeling III. Formal Methods in RE

High-Level Information Interface

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Lecture 2: Symbolic Model Checking With SAT

Typed Lambda Calculus. Chapter 9 Benjamin Pierce Types and Programming Languages

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Acceleration of SAT-based Iterative Property Checking

Formal Specification and Verification

Formal Verification: Practical Exercise Model Checking with NuSMV

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Design and Analysis of Distributed Interacting Systems

A Novel Approach for Software Property Validation

Software Engineering using Formal Methods

Design for Verification of SystemC Transaction Level Models

CSC2108: Automated Verification Assignment 1 - Solutions

Distributed Systems Programming (F21DS1) Formal Verification

EECS150 - Digital Design Lecture 20 - Finite State Machines Revisited

An Introduction to Lustre

[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION

Programming with Lustre

Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Programming Languages

Operational Semantics. One-Slide Summary. Lecture Outline

On the Design and Verification Methodology of the Look-Aside Interface

Introduction to VHDL #3

Using Cadence SMV. to verify temporal properties of finite-state machines : Intro to Model Checking April 6, 2011.

Java Software Solutions for AP Computer Science 3rd Edition, Lewis et al. 2011

Runtime Checking and Test Case Generation for Python

Programming Language Concepts, cs2104 Lecture 04 ( )

Functional Programming in Hardware Design

EEL 4783: HDL in Digital System Design

Program Verification. Aarti Gupta

A Frame Study for Post-Processing Analysis on System Behavior: A Case Study of Deadline Miss Detection

The Spin Model Checker : Part I/II

Global Optimization. Lecture Outline. Global flow analysis. Global constant propagation. Liveness analysis. Local Optimization. Global Optimization

Introduction to SystemC

Simulation semantics (a.k.a. event semantics)

Assertion Checker Synthesis for FPGA Emulation

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

FORMAL SPECIFICATION, SYSTEM VERILOG ASSERTIONS & COVERAGE. By Calderón-Rico, Rodrigo & Tapia Sanchez, Israel G.

Transcription:

Specifying circuit properties in PSL (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

Background: Model Checking property G(p -> F q) yes MC algorithm q p p q no finite-state model counterexample (Ken McMillan)

Two main types of temporal logic Linear-time Temporal Logic (LTL) must properties, safety and liveness Pnueli, 1977 Computation Tree Logic (CTL) branching time, may properties, safety and liveness Clarke and Emerson, Queille and Sifakis, 1981 Linear time conceptually simpler (words vs trees) Branching time computationally more efficient We will return to this in a later lecture

But temporal logics hard to read and write!

Computation Tree Logic A sequence beginning with the assertion of signal strt, and containing two not necessarily consecutive assertions of signal get, during which signal kill is not asserted, must be followed by a sequence containing two assertions of signal put before signal end can be asserted AG~(strt & EX E[~get & ~kill U get & ~kill & EX E[~get & ~kill U get & ~kill & E[~put U end] or E[~put & ~end U (put & ~end & EX E[~put U end])]]])

PSL version always({strt; {get[=2]}&&{kill[=0]}} => {{put[=2]}&&{end[=0]}})

Grew out of CTL Basis of PSL was Sugar (IBM, Haifa) Added lots of syntactic sugar Engineer friendly, used in many projects Used in the industrial strength MC RuleBase Standardisation led to further changes

Assertion Based Verification (ABV) can be done in two ways During simulation (dynamic, at runtime, called semi-formal verification, checks only those runs, restricted to a subset of the property language) As a static check (formal verification, covers all possible runs, more comprehensive, harder to do) (Note: this duality has been important for PSL s practical success, but it also complicates the semantics!)

Safety Properties always (p) Nothing bad will ever happen Most common type of property checked in practice Easy to check (more later) Disproved by a finite run of the system always (not (gr1 and gr2))

Observer (alternative to property language) Observer written in same language as circuit Safety properties only Used in verification of control programs such as Lustre programs that control safety critical features in the airbus (and in Lava later) F Prop ok

Observer (alternative to property language) Observer written in same language as circuit Safety properties only Used in verification of control programs such as Lustre programs that control safety critical features in the airbus (and in Lava later) F Prop ok Property languagebased tools often use observers intenrally

Back to PSL Layers Boolean Temporal Verification Modelling (we use VHDL flavour and the simplest choice of what the clock in properties is) (temporal operators, SEREs) (group properties, specify whether to verify or assume etc.) (subset of chosen HDL)

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); property bounded is always (o < bound); property validtransitions is ; } assert bounded; assert validtransitions;

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); property bounded is always (o < bound); property validtransitions is ; Defines a complete verification job (verification layer) } assert bounded; assert validtransitions;

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); property bounded is always (o < bound); property validtransitions is Prop_name (entity (architecture)) ; } assert bounded; assert validtransitions;

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); } property bounded is always (o < bound); property validtransitions is ; assert bounded; assert validtransitions; Defines clock to be used by all properties and sequences in the vunit (can also clock properties and sequences individually)

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); property bounded is always (o < bound); } property validtransitions is ; assert bounded; assert validtransitions; property declaration (can also declare sequences)

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); property bounded is always (o < bound); } property validtransitions is ; assert bounded; assert validtransitions; property with temporal operator always (the most usual one) Others include next and until

Concrete example vunit counter_properties(counter(behavioral)) { default clock is (rising_edge(clk)); property bounded is always (o < bound); } property validtransitions is ; assert bounded; assert validtransitions; verification directive assert <property> (others include assume, restrict, cover)

Temporal layer Our main concern how to define properties and sequences use both temporal operators (related to LTL) and sequences to build properties We are in the so-called Foundation Language (FL), used for both simulation and FV (in sim. prop. can be checked in a single run) There is an optional branching extension (OBE, related to CTL), used only for FV

Temporal operators always (= never not...) Most PSL properties start with this!

0 1 2 3 4 5 a b assert not (a and b)?

0 1 2 3 4 5 a b assert not (a and b) holds

0 1 2 3 4 5 a b Pure boolean assertion refers to FIRST cycle ONLY assert not (a and b) holds

0 1 2 3 4 5 a b assert always not (a and b)?

0 1 2 3 4 5 a b assert always not (a and b) does not hold assert never (a and b) is same

Temporal operators next next p holds in a cycle if p holds at the next cycle

Example Whenever signal a is asserted then in the next cycle signal b must be asserted

Boolean Logical implication But often used inside temporal ops p1 -> p2 is (not p1) or p2 if p1 then p2 else true

Boolean Logical implication But often used inside temporal ops p1 -> p2 is (not p1) or p2 if p1 then p2 else true is TRUE if p1 is false Beware!

next and implication a 0 1 2 3 4 5 6 7 8 9 10 b assert always (a -> next b)

next and implication a 0 1 2 3 4 5 6 7 8 9 10 b a does not hold assert always (a -> next b)

next and implication a 0 1 2 3 4 5 6 7 8 9 10 b a holds so check b in next cycle assert always (a -> next b)

next and implication a 0 1 2 3 4 5 6 7 8 9 10 b a does not hold assert always (a -> next b) Note overlap with previous pair

next and implication a 0 1 2 3 4 5 6 7 8 9 10 b a does not hold assert always (a -> next b)

next and implication a 0 1 2 3 4 5 6 7 8 9 10 b a holds so check b in next cycle assert always (a -> next b) and so on.

Slightly different trace a 0 1 2 3 4 5 6 7 8 9 10 b assert always (a -> next b)?

Slightly different trace a 0 1 2 3 4 5 6 7 8 9 10 b assert always (a -> next b)

next[n] p holds if p holds in nth cycle in future a 0 1 2 3 4 5 6 7 8 9 10 b next is next[1] assert always (a -> next[2] b)?

next[n] p holds if p holds in nth cycle in future a 0 1 2 3 4 5 6 7 8 9 10 b next is next[1] assert always (a -> next[2] b)

More variants Ranges next_a[3 to 7] all in range next_e [3 to 5] exists (= some) in range next_event(b) p p should hold at next cycle at which Boolean b holds (could be this cycle) Also comes in a and e versions for ranges

And yet more! weak vs strong Strong operator demands that the trace not end too soon indicated by!

example a 0 1 2 3 4 5 6 7 8 b weak operator is lenient assert always (a -> next b)

example a 0 1 2 3 4 5 6 7 8 b weak operator is lenient assert always (a -> next b)

example a 0 1 2 3 4 5 6 7 8 b strong operator is strict assert always (a -> next! b)

Temporal operators until p until q p holds in each cycle until (the one before) q holds p until_ q p holds in each cycle until (and including the one where) q holds

Example Whenever signal req is asserted then, starting from the next cycle, signal busy must be asserted until signal done is asserted.

assert always (req -> next (busy until done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done

assert always (req -> next (busy until done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done

assert always (req -> next (busy until done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done

assert always (req -> next (busy until done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done

assert always (req -> next (busy until done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done

assert always (req -> next (busy until_ done)) req 0 1 2 3 4 5 6 7 8 9 10 the other form of until busy done

assert always (req -> next (busy until_ done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done

Ex: assert always (req -> next (busy until_ done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done?

Ex: assert always (req -> next (busy until done)) 0 1 2 3 4 5 6 7 8 9 10 req busy done?

Temporal operators before p before q p must hold at least once strictly before q holds p before_ q p holds at least once before or at the same cycle as q holds

Pulsed request signal req Example Requirement: Before we can make a second request, the first must be acknowledged

assert always (req -> next (ack before req)) 0 1 2 3 4 5 6 7 8 9 10 req ack?

assert always (req -> next (ack before req)) 0 1 2 3 4 5 6 7 8 9 10 req ack

Allow ack simultaneously with next req 0 1 2 3 4 5 6 7 8 9 10 req ack assert always (req -> next (ack before_ req))

Questions 0 1 2 3 4 5 6 7 8 9 10 req ack 1) assert always (req -> next (ack before req))?

Questions 2) Would assert always (req -> (ack before req)) match the original English requirement? 3) What if we want to allow the ack to come not together with the next req but with the req that it is acknowledging?? Write a new property for this.

Next topic Sequential Extended Regular Expressions SEREs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback