Formal specification and verification of a dataflow processor array

We describe the formal specification and verification of the VGI parallel DSP chip (V. Srini et al., 1998), which contains 64 compute processors of about 30K gates each. Our effort coincided with the "informal" verification stage of the chip. By interacting with the designers, we produced an abstract but executable specification of the design that embodies the programmer's view of the system. Given the size of the design, an automatic check that even one of the 64 processors satisfies its specification is well beyond the reach of current verification tools. The check can, however, be decomposed using assume-guarantee reasoning. For VGI, the implementation and the specification operate at different time scales: several steps of the implementation correspond to a single step of the specification. We generalized both the assume-guarantee method and our model checker MOCHA to support compositional verification for such applications. Using our proof rule, we decomposed the verification problem of the VGI chip into smaller proof obligations that were discharged automatically by MOCHA. In the course of this formal effort we uncovered and fixed subtle bugs that were unknown to the designers.
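The time-scale mismatch described above can be made concrete with a small refinement check. The following is an added example, not code from the paper or from MOCHA: it models a hypothetical three-cycle multiply-accumulate unit (an assumed stand-in for one VGI datapath, with made-up word width, coefficient and input alphabet), its one-step specification, and an explicit-state check that every three implementation cycles realise exactly one specification step while the intermediate cycles stutter with respect to the refinement map. A second, deliberately broken pipeline shows the kind of bug such a check catches: the multiplier reads the live input bus instead of the latched operand, so its result depends on data that the specification never samples.

```python
"""Refinement between a one-step specification and a multi-cycle implementation.

Toy model (an assumption for illustration, not the VGI design): a
multiply-accumulate (MAC) unit whose programmer's view is a single step
acc := acc + COEFF * x, implemented as a three-phase pipeline.  The check
samples the implementation once per PERIOD cycles and compares the sampled
behaviour with the specification, the way a refinement proof across
different time scales relates several implementation steps to one spec step.
"""
from itertools import product

MOD = 16            # word width: arithmetic mod 16 keeps the state space finite
COEFF = 3           # fixed filter coefficient (assumed)
INPUTS = range(4)   # input alphabet, sampled once per specification step
PERIOD = 3          # implementation cycles per specification step


def spec_step(acc, x):
    """Programmer's view: one step reads x and accumulates COEFF * x."""
    return (acc + COEFF * x) % MOD


def impl_step(state, x):
    """Pipeline state is (phase, latched_input, product, acc).
    phase 0 latches the input, phase 1 multiplies, phase 2 accumulates."""
    phase, latched, prod, acc = state
    if phase == 0:
        return (1, x, prod, acc)
    if phase == 1:
        return (2, latched, (COEFF * latched) % MOD, acc)
    return (0, latched, prod, (acc + prod) % MOD)


def buggy_step(state, x):
    """Same pipeline, but the multiplier reads the live input bus (x) in
    phase 1 instead of the latched operand, so the result depends on data
    the specification never observes."""
    phase, latched, prod, acc = state
    if phase == 0:
        return (1, x, prod, acc)
    if phase == 1:
        return (2, latched, (COEFF * x) % MOD, acc)
    return (0, latched, prod, (acc + prod) % MOD)


def alpha(state):
    """Refinement map: the specification state an implementation state denotes."""
    return state[3]


def at_boundary(state):
    """Macro-step boundary: the cycle at which the spec samples input and output."""
    return state[0] == 0


def check_refinement(step, init):
    """Explore every reachable boundary state.  From each, drive one spec
    input x at the boundary and arbitrary 'don't care' inputs on the other
    PERIOD-1 cycles.  Intermediate states must stutter (same alpha) and the
    state after PERIOD cycles must be a boundary state with
    alpha == spec_step(alpha(s), x).
    Returns (ok, counterexample, boundary_states_explored); the
    counterexample is (s, x, fill_inputs, offending_state)."""
    seen, frontier = {init}, [init]
    while frontier:
        s = frontier.pop()
        assert at_boundary(s)
        for x in INPUTS:
            for fill in product(INPUTS, repeat=PERIOD - 1):
                t = step(s, x)                    # cycle 1 consumes the spec input
                for y in fill:                    # cycles 2..PERIOD: unsampled inputs
                    if alpha(t) != alpha(s):      # intermediate state must stutter
                        return False, (s, x, fill, t), len(seen)
                    t = step(t, y)
                if not at_boundary(t) or alpha(t) != spec_step(alpha(s), x):
                    return False, (s, x, fill, t), len(seen)
                if t not in seen:
                    seen.add(t)
                    frontier.append(t)
    return True, None, len(seen)


if __name__ == "__main__":
    init = (0, 0, 0, 0)
    ok, cex, n = check_refinement(impl_step, init)
    print("correct pipeline refines spec:", ok, "over", n, "boundary states")
    ok, cex, n = check_refinement(buggy_step, init)
    print("buggy pipeline refines spec:", ok, "counterexample:", cex)
```

The counterexample for the buggy pipeline is a boundary state, the sampled input, the sequence of unsampled inputs that exposes the dependence, and the offending state, which is the shape of evidence a designer needs. The exhaustive enumeration over fill inputs is what the paper's compositional rule avoids for a 30K-gate processor; here the state space is tiny, so brute force is enough to show what the obligation is.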

[1] Jan M. Rabaey et al. Parallel DSP with memory and I/O processors. Optics & Photonics, 1998.

[2] Thomas A. Henzinger et al. Symbolic Exploration of Transition Hierarchies. TACAS, 1998.

[3] Jan M. Rabaey et al. Architecture for web-based image processing. Optics & Photonics, 1997.

[4] Robert P. Kurshan et al. Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach. 2014.

[5] Martín Abadi et al. The Existence of Refinement Mappings. Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS), 1988.

[6] Thomas A. Henzinger et al. You Assume, We Guarantee: Methodology and Case Studies. CAV, 1998.

[7] Randal E. Bryant et al. Automatic Clock Abstraction from Sequential Circuits. 32nd Design Automation Conference, 1995.

[8] Martín Abadi et al. Conjoining Specifications. ACM Transactions on Programming Languages and Systems (TOPLAS), 1995.

[9] Kenneth L. McMillan et al. Verification of an Implementation of Tomasulo's Algorithm by Compositional Model Checking. CAV, 1998.

[10] Edmund M. Clarke et al. Compositional Model Checking. Proceedings of the Fourth Annual Symposium on Logic in Computer Science (LICS), 1989.

[11] Orna Grumberg et al. Model Checking and Modular Verification. ACM Transactions on Programming Languages and Systems (TOPLAS), 1994.

[12] Ásgeir Th. Eiríksson. The Formal Design of 1M-gate ASICs. Formal Methods in System Design, 2000.

[13] Kenneth L. McMillan et al. A Compositional Rule for Hardware Design Refinement. CAV, 1997.

[14] Nancy A. Lynch et al. Distributed Algorithms. Lecture Notes in Computer Science, 1992.

[15] Thomas A. Henzinger et al. Reactive Modules. Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science (LICS), 1996.

[16] Thomas A. Henzinger et al. Reactive Modules. Formal Methods in System Design, 1999.

[17] Thomas A. Henzinger et al. Assume-Guarantee Refinement Between Different Time Scales. CAV, 1999.

[18] Tiziano Villa et al. VIS: A System for Verification and Synthesis. CAV, 1996.

[19] Arvind Srinivasan et al. Verity: A Formal Verification Program for Custom CMOS Circuits. IBM Journal of Research and Development, 1995.

[20] Eugene W. Stark et al. A Proof Technique for Rely/Guarantee Properties. FSTTCS, 1985.

[21] Thomas A. Henzinger et al. MOCHA: Modularity in Model Checking. CAV, 1998.

[22] David L. Dill et al. Automatic Verification of Pipelined Microprocessor Control. CAV, 1994.