
Microprocessing and Microprogramming 31 (1991) 43-46 43 North-Holland

MIXED STATIC AND DYNAMIC REASONING IN A FORMAL SYSTEM

Mats Larsson

Department of Computer and Information Science, Linköping University, S-58183 Linköping, Sweden. email: [email protected], phone: +46 13 281844

A new method that will provide for more flexible hardware analysis is introduced. The idea is to use the formal language, axioms and inference rules normally used for verification for doing simulation. This results in a tool where many levels of symbolic computation can be integrated. We show that a verification tool based on rewriting can be generalized into such a tool.

1. INTRODUCTION

The need for correct circuits, especially in safety-critical applications, and the attempts to shorten the design cycle have led to a growing interest in formal methods. A formal method is defined as an abstract, symbolic notation and a set of transformations defining how expressions in the notation can be manipulated. Both the notation and the transformations must have a precise and rigorously defined formal semantics.

In hardware design and analysis, formal methods provide abstract notations for documenting system behaviour and structure. Furthermore, the transformations provide a means of reasoning about properties of the specified hardware. Such reasoning is often referred to as verification, or verification by proof, since properties can be proved mathematically. Examples of formal methods that have been used for verification are first-order logic [1], higher-order logic [4], [6] and [7] and process algebras [8].

However, verification has some shortcomings. First, tools that support verification are hard to use. Second, a proof is no better than the specification used, but it is difficult to write correct specifications. Third, it is not easily integrated with the analysis tools commonly used today, where simulation is the method for validating system behaviour. These are serious shortcomings, since hardware designers in general have no experience of proof techniques and are rather unwilling to spend time adopting new methods.

The traditional analysis tool is simulation. It models dynamic properties, i.e. a device's response to a given input pattern. Unfortunately simulation suffers from the inherent inability to simulate all possible input patterns of a complex device. Thus, correct circuits cannot be guaranteed. To avoid the complexity caused by the large number of possible input patterns that might be applied to a device, symbolic simulation is used [2]. A symbolic simulator resembles a conventional simulator, except that the input patterns can contain variables (symbols) as well as constant values. The worst-case behaviour is no better than exhaustive simulation by a conventional simulator.

All three analysis methods mentioned above are useful. The problem is that none of them can in itself provide us with a complete analysis tool. Several attempts to solve this problem have been made. Camilleri [3] provided a translator of descriptions in higher-order logic into an executable form, Milne [8] presented a flexible analysis environment covering both simulation and verification, and Tang [9] proposed a method to mix simulation and verification of specifications written in temporal logic.

We propose to generalize a verification tool to handle dynamic reasoning such as simulation. By using the notation and manipulation rules of a formal system to perform simulation we can deduce new observations from a set of given observations. We call this formal simulation, since the deduced conclusions inherit a formal meaning from the formal system. This type of tool should be more easily accepted by hardware designers and could facilitate the acceptance of formal methods. The main feature would be the flexibility it offers to the designer, since it would allow him to specify, validate and verify his design in one environment using one notation, and thus should reduce the risk of design errors.


2. AN ALGEBRAIC APPROACH

A generalized reasoning process including both proofs and simulation is presented here. The general strategy used for manipulating expressions is based on rewriting, i.e. replacement of equals for equals. We use rule sets for specialization, simplification and canonization of different parts of an expression.

2.1 Specification Language

We model a hardware system as a set of modules. Each module communicates with its environment via a set of information channels called ports. Functional and temporal aspects of a hardware module are described as a set of relations between its ports or as a set of lower level modules and their couplings. The first is called a behavioural description and the latter structural.

Expressions are implicitly always valid, i.e. true for all time points, so we do not have to write ∀t or □. The temporal reference operator, denoted by ?, refers to the value of an expression at a specified relative time point. Thus the temporal expression ?(e,i) refers to the value of the expression e, i time units prior to the reference time, measured in some user-defined time unit. This time unit may refer to an abstract ordering delay, an explicit time unit such as nanoseconds, or to clock cycles. An example:

x = ?(y,d)

Informally this means that the value of x is equivalent to the value of y at the instant d time units prior to the observation time instant. A behavioural description of a nand-gate is defined as:

nand2(in1, in2, out) = out = ¬(?(in1,1) ∧ ?(in2,1))

A structural description of a halfadder is defined as:

halfadder(a, b, s, c) = xor-gate(a, b, s) ∧

2.2 Static reasoning

When performing verification of a design, some static property is to be proved, i.e. a property that holds for all time points and for all variable bindings. Given an expression e denoting a theorem to be proven, typically of the type e1 = e2 or e1 ⇒ e2 (where e1 denotes a structural implementation and e2 a behavioural specification), we try to find a deduction, i.e. a sequence of rewrite rule applications where the rules are either axioms or derived theorems of the theory and where the final application yields T, i.e. the symbol denoting the truth value.

An important technique in algebraic verification methods is specialization. By using knowledge about the real system or doing case analysis the deduction can be simplified. Specialization rules for each expression type, such as boolean, arithmetic and relational, are used. For example, the previously defined nand-gate with one input bound to T can be specialized using the ∧-identity rule:

nand2(in1, T, out)
out = ¬(?(in1,1) ∧ ?(T,1))
out = ¬(?(in1,1))

This results in a simplified expression that can then be used for further symbol manipulation. Examples and more details on algebraic verification methods can be found in Larsson [7].

2.3 Dynamic reasoning

To achieve dynamic reasoning we need to be able to reason about absolute time points. For now we do that by explicitly indexing the streams of values denoted by ports. For example, x(1) denotes the value of the stream x at time point 1. We call such value bindings at absolute time points observations.

When we express stimuli and results in this way it is easy to see that our formal system used for static reasoning can also handle dynamic reasoning. Expressions are specialized as in the static case. The difference is that the observation time point is fixed to an absolute value and the evaluation is done relative to that absolute time value, i.e. a temporally local evaluation. Given an expression e describing the device to be analyzed and a set of given observations o_giv, new observations o_new can be deduced:

e ∧ o_giv ⇒ o_new, where o_new ⊄ o_giv


To exemplify this we return to the nand-gate, but now the input is bound at an absolute time point:

nand2(in1, in2, out) ∧ (in2(0) = T)
out(1) = ¬(?(in1,1))
out(1) = ¬in1(0)

We call this formal simulation. It is a very general reasoning mechanism. It says nothing about the direction in which reasoning should be done, i.e. should it be forwards or backwards in time, from input or from output ports, or perhaps both? Neither does it say anything about what should be considered as a new observation, or what should be assumed about values on non-observed variables or on observed variables at non-observed absolute time points. In this general framework different simulation types can be modelled by constraining the above properties.
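As an added illustration of Sections 2.2 and 2.3 (this is not code from the paper), the following Python sketch encodes the paper's expression forms (¬, ∧ and the temporal reference ?(e,d)) and applies the ∧-identity specialization and the temporally local evaluation to the nand-gate. The tuple encoding, function names and rule set are my own assumptions; the sketch also handles nested ? operators and mixed numeric/symbolic stimuli, which the paper's examples do not show.

```python
T, F = ("const", True), ("const", False)          # truth values
def var(name):  return ("var", name)              # a port (an abstract stream of values)
def ref(e, d):  return ("ref", e, d)              # ?(e,d): value of e, d time units earlier
def neg(e):     return ("not", e)
def conj(a, b): return ("and", a, b)

def nand2(in1, in2):
    """Behavioural nand-gate of the paper: out = ¬(?(in1,1) ∧ ?(in2,1))."""
    return neg(conj(ref(in1, 1), ref(in2, 1)))

def simplify(e):
    """Specialization: ∧-identity/annihilator, ¬ on constants, double
    negation, and ?(c,d) = c since constants are time-invariant."""
    tag = e[0]
    if tag in ("var", "const", "obs"):
        return e
    if tag == "ref":
        inner = simplify(e[1])
        return inner if inner[0] == "const" else ("ref", inner, e[2])
    if tag == "not":
        inner = simplify(e[1])
        if inner[0] == "const": return ("const", not inner[1])
        if inner[0] == "not":   return inner[1]
        return ("not", inner)
    a, b = simplify(e[1]), simplify(e[2])          # tag == "and"
    if a == T: return b                            # ∧-identity
    if b == T: return a
    if a == F or b == F: return F                  # ∧-annihilator
    return ("and", a, b)

def at_time(e, t):
    """Temporally local evaluation at absolute time t: port x becomes x(t)."""
    tag = e[0]
    if tag == "var":   return ("obs", e[1], t)
    if tag == "const": return e
    if tag == "ref":   return at_time(e[1], t - e[2])   # nested ?s add up
    if tag == "not":   return ("not", at_time(e[1], t))
    return ("and", at_time(e[1], t), at_time(e[2], t))

def substitute(e, obs):
    """Replace observed x(t) by its given value (constant or symbol); others stay."""
    tag = e[0]
    if tag == "obs": return obs.get((e[1], e[2]), e)
    if tag == "not": return ("not", substitute(e[1], obs))
    if tag == "and": return ("and", substitute(e[1], obs), substitute(e[2], obs))
    return e

def formal_simulate(e, t, obs):
    """Deduce the new observation e(t) from e and obs = {(port, time): value}."""
    return simplify(substitute(at_time(e, t), obs))

if __name__ == "__main__":
    gate = nand2(var("in1"), var("in2"))
    # Section 2.2, static specialization: nand2(in1, T, out) gives out = ¬?(in1,1)
    print(simplify(nand2(var("in1"), T)))
    # Section 2.3, formal simulation: given in2(0) = T, deduce out(1) = ¬in1(0)
    print(formal_simulate(gate, 1, {("in2", 0): T}))
    # Mixed stimuli (constructed): in1(0) is the symbol x and in2(0) = F, so out(1) = T
    print(formal_simulate(gate, 1, {("in1", 0): var("x"), ("in2", 0): F}))
```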

3. IMPLEMENTATION ISSUES

To implement this system we need a separate driving mechanism for handling observation data and an efficient representation of such data.

[Figure 1 is a block diagram, not reproduced here; its recoverable labels are Static Manipulation, Dynamic Manipulation, Verification Tactics & Algorithms, Transformation Rules and Observation (data).]

Figure 1: Proposed System Architecture

In figure 1 we have tried to sketch a somewhat idealized system architecture. The system can be constructed from a set of well-defined building blocks. First, a set of transformation rules consisting of basic algebraic rules such as the boolean ring axioms and rewrite rules describing the actual hardware system under consideration. Second, verification tactics and algorithms for applying a sequence of rules for a particular purpose, e.g. canonizing an expression. Third, a simulation engine whose task is explained below, and fourth, a set of observation data. Thanks to this it is easily extendible with e.g. alternative simulation engines, and the blocks are reusable. It is for example possible to have one common rule set for manipulating expressions for both simulation and verification.

3.1 Data Representation

Since we no longer want to view ports only as symbols denoting an abstract stream of values, but also explicitly manipulate discrete values of these streams, we must find an efficient representation of them. This becomes even more important because of the considerable size of observation data normally associated with simulations. For this purpose we introduce the concept of event traces. We define an event trace as a sequence of discrete event observations of a stream of values. In order to improve the efficiency of the algebraic manipulation of these expressions, we add a new theory describing the concept of event traces and how they can be manipulated. The complete theory will be presented in a forthcoming paper.

3.2 The Simulation Engine

The task of the simulation engine will be to control the reading, application and updating of observation data in the form of event traces. To perform this task we can choose between two strategies. The first is a traditional event-based style where observation data is read, evaluated and updated in time sequence. It must then keep track of the state of the computation and the flow of time. The second approach is to apply event traces to each other directly by symbolic manipulation. In that way the event-queue handling could be avoided. Since this is the most expensive operation in event-based simulators, this approach shows a lot of potential and thus it will be our first choice. A paper describing the symbolic manipulation of event traces is under preparation.

4. CONCLUSIONS

We have shown that static and dynamic reasoning about hardware devices can be performed in a formal system using one design representation and one rule set. To do this we have used algebraic methods based on rewriting. The principal power of our approach comes from the fact that we support mixed verification and simulation (numerical and symbolic) on a single representation, thus allowing the methods to be combined instead of used separately.

This work can be motivated in many ways. First, the mere fact that simulation takes place in a formal system is interesting, as it can contribute to providing a formal meaning to simulations. Second, using the manipulations of a formal system to deduce observations gives possibilities of doing other types of dynamic reasoning than in traditional simulators, e.g. more general symbolic reasoning or backwards reasoning. Third, a formal system giving possibilities to work in a more conventional way as well as with proof methods will be more easily accepted by hardware designers and can work as an introduction to formal methods. Fourth, we believe it can be interesting to mix proof methods and simulation when validating hardware systems, since proof methods sometimes are hard or even impossible to use, and perhaps only parts of a system need to be verified by proof. Fifth, it is economical to have as few design representations as possible, since errors are easily introduced in mapping between different representations. Sixth, simulation is necessary for debugging specifications.

The cost of this flexibility is a somewhat slower simulation. This is due to the fact that representations and algorithms as efficient as those used in traditional simulators can in general not be used. This is however not fatal. Since the use of formal methods demands hierarchical multi-level descriptions, the effort to simulate each description will be reduced compared to the large flattened descriptions often used today.

Our next step will be to implement a prototype system to test the ideas presented in this paper. Another task is to investigate further the true relation between simulation and proofs, hopefully leading to a notion of proof by simulation. Since our approach allows for the analysis methods to be combined, this is perhaps the most promising future development.

Acknowledgement

The framework for this work has been developed in close association with Tony Larsson.

References

[1] Barrow H., VERIFY: A Program for Proving Correctness of Digital Hardware Designs, Artificial Intelligence 24, (1984), pp. 437-491.

[2] Bryant R.E., Symbolic Verification of MOS Circuits, in 1985 Chapel Hill Conference on VLSI, ed. Fuchs H., Computer Science Press, (1985).

[3] Camilleri A., Simulation as an Aid to Verification using the HOL Theorem Prover, in IFIP Workshop on Design Methodologies for VLSI and Computer Architecture, Pisa, Italy, (1988).

[4] Cohn A., A Proof of Correctness of the VIPER Microprocessor, in VLSI Specification, Verification and Synthesis, ed. Birtwistle G. and Subrahmanyam P., Kluwer Academic Publishers, Boston, (1988).

[5] Gordon M., Why Higher-Order Logic is a Good Formalism for Specifying and Verifying Hardware, in Formal Aspects of VLSI Design, ed. Milne G. and Subrahmanyam P.A., Elsevier North-Holland, (1986).

[6] Joyce J., Formal Verification and Implementation of a Microprocessor, in VLSI Specification, Verification and Synthesis, ed. Birtwistle G. and Subrahmanyam P.A., Kluwer Academic Publishers, (1988).

[7] Larsson T., A Formal Hardware Description and Verification Method, PhD Dissertation no. 214, Dept. of Comp. Science, Linköping University, Sweden, (1989).

[8] Milne G., Simulation and Verification: Related Techniques for Hardware Analysis, in Computer Hardware Languages and their Applications, ed. Koomen C. and Moto-oka T., North-Holland, (1985).

[9] Tang T.G., A Temporal Language for Hardware Simulation, Specification and Verification, Technical Report No. 88-194, Computer Science Department, Carnegie-Mellon University, USA, (1988).