Lecture Notes in Computer Science 1522
Edited by G. Goos, J. Hartmanis and J. van Leeuwen

Ganesh Gopalakrishnan, Phillip Windley (Eds.)

Formal Methods in Computer-Aided Design
Second International Conference, FMCAD '98
Palo Alto, CA, USA, November 4-6, 1998
Proceedings

Springer, Berlin Heidelberg New York

Series Editors
Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornell University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editors
Ganesh Gopalakrishnan, University of Utah, Department of Computer Science, 50 S Central Campus, Salt Lake City, UT 84112-9205, USA
Phillip Windley, Brigham Young University, Department of Computer Science, 3361 TMCB, Provo, UT 84602-6576, USA

Lecture Notes in Computer Science, Vol. 1522. Springer, Berlin Heidelberg New York, 1998.
CR Subject Classification (1998): B.1.2, B.1.4, B.2.2-3, B.6.2-3, B.7.2-3, F.3.1, F.4.1, I.2.3, D.2.4, J.6
ISSN 0302-9743
ISBN 3-540-65191-8 Springer-Verlag Berlin Heidelberg New York
(c) Springer-Verlag Berlin Heidelberg 1998

Preface

This volume contains the proceedings of the Second International Conference on Formal Methods in Computer-Aided Design (FMCAD'98), organized November 4-6, in Palo Alto, California, USA. The first event of this series was organized by Mandayam Srivas and Albert Camilleri in 1996 in Palo Alto. FMCAD, which evolved from the series Theorem Provers in Circuit Design (TPCD), strives to be a premier forum for disseminating research in Formal Verification (FV) methods for digital circuits and systems, including processors, custom VLSI circuits, microcode, and reactive software. In addition to significant case-studies and verification approaches, FMCAD also endeavors to represent advances in the driving technologies for verification, including binary decision diagrams, model checking, symbolic reasoning (theorem proving), symbolic simulation, and abstraction methods.

The conference included four invited lectures. The invited lectures were given by Kenneth McMillan (Cadence Berkeley Labs) on Minimalist proof assistants: interactions of technology and methodology in formal system level verification, by Carl-Johan Seger on Formal methods in CAD from an industrial perspective, by Randal E. Bryant and Bwolen Yang on A performance study of BDD-based model checking, and by Amir Pnueli on Verification of data-insensitive circuits: an in-order-retirement case study.

Of the 55 regular paper submissions received, 27 were selected by the technical program committee for presentation at the conference. All four tools papers received were also selected.

We gratefully acknowledge the services of the technical program committee of FMCAD'98, which consisted of Adnan Aziz (Univ. of Texas at Austin, USA), Alan Hu (Univ. of British Columbia, Canada), Albert Camilleri (Hewlett-Packard, USA), Carl Pixley (Motorola, USA), Carlos Delgado Kloos (Univ. Carlos III de Madrid, Spain), Ching-Tsun Chou (Intel, USA), Eduard Cerny (Univ. of Montreal, Canada), Francisco Corella (Hewlett-Packard, USA), Jens (Stanford University, USA), Jerry Burch (Cadence Labs, USA), John van Tassel (Texas Instruments, USA), Limor Fix (Intel, Israel), Mandayam Srivas (SRI International, USA), Mark Aagaard (Intel, USA), Mary Sheeran (Chalmers University, Sweden), Masahiro Fujita (Fujitsu, USA), Ramin Hojati (HDAC, and UC Berkeley, USA), Randy Bryant (Carnegie-Mellon, USA), Ranga Vemuri (Univ. of Cincinnati, USA), Shiu-kai Chin (Syracuse Univ., USA), Steven German (IBM, USA), Steven Johnson (Indiana Univ., USA), Thomas Kropf (Univ. Karlsruhe, Germany), Tim Leonard (Compaq, USA), Tom Henzinger (UC Berkeley, USA), Tom Melham (Univ. of Glasgow, UK), Tom Shiple (Synopsys, USA), and Warren Hunt (IBM, USA).

The following researchers also helped in the evaluation of the submissions, and we are grateful for their efforts: Abdel Mokkedem, Mike Jones, and Rajnish Ghughal (University of Utah), Rob Shaw (Hewlett-Packard), Armin Biere, Bwolen Yang, and Yirng-An Chen (CMU), Andres Marin Lopez, Franz Josef Stewing, and Peter T. Breuer (Univ. Carlos III, Madrid), Abdelkader Dekdouk, E. Mostapha Aboulhamid, and Otmane Ait Mohamed (Univ. of Montreal, Canada), Chuck Yount, Marten van Hulst, and John Mark Bouler (Intel), Koichiro Takayama and Vamsi Boppana (Fujitsu), Orna Kupferman, Luca de Alfaro, Sriram K. Rajamani, and Shaz Qadeer (Berkeley), Jun Sawada (U. of Texas), Howard Wong-Toi (Cadence), Supratik Chakraborty, Clark Barrett, and Jeffrey Su (Stanford), Michaela Huhn, Ralf Reetz, Klaus Schneider, and Jürgen Ruf (Karlsruhe), Justin Chien and Jun Yuan (Compaq), Nazanin Mansouri, Naren Narasimhan, Elena Teica, and Rajesh Radhakrishnan (Univ. of Cincinnati). We also thank Ratan Nalumasu, PhD student at the Department of Computer Science, University of Utah, for helping us with the tool demo session in his capacity as the Tools Chair of FMCAD'98.

We thank Judith Burgess of SRI International, Menlo Park, CA, for her help and advice in organizing FMCAD'98. We gratefully acknowledge the services of Conferences and Institutes, University of Utah, notably of Jacqueline Brakey, Cathy Cunningham, and Linda Williams, for their work on registration, publicity, and conference facilities. We also gratefully acknowledge the services of the Springer-Verlag LNCS department, especially Alfred Hofmann and Anna Kramer, for their prompt help and communication. We thank the IFIP Working Group 10.5 for granting us the in co-operation status.

Last, but not least, FMCAD'98 has received financial support from Hewlett-Packard Company, Intel, Synopsys Inc., and Cadence Berkeley Labs. We thank all sponsors for their generosity.

Salt Lake City, UT    Ganesh C. Gopalakrishnan
Provo, UT             Phillip J. Windley
August 1998

Table of Contents

Minimalist Proof Assistants: Interactions of Technology and Methodology in Formal System Level Verification
    Kenneth L. McMillan ... 1

Reducing Manual Abstraction in Formal Verification of Out-of-Order Execution
    Robert B. Jones, Jens U. Skakkebæk, and David L. Dill ... 2

Bit-Level Abstraction in the Verification of Pipelined Microprocessors by Correspondence Checking
    Miroslav N. Velev and Randal E. Bryant ... 18

Solving Bit-Vector Equations
    M. Oliver Möller and Harald Rueß ... 36

The Formal Design of 1M-Gate ASICs
    Ásgeir Þór Eiríksson ... 49

Design of Experiments for Evaluation of BDD Packages Using Controlled Circuit Mutations
    Justin E. Harlow III and Franc Brglez ... 64

A Tutorial on Stålmarck's Proof Procedure for Propositional Logic
    Mary Sheeran and Gunnar Stålmarck ... 82

Almana: A BDD Minimization Tool Integrating Heuristic and Rewriting Methods
    Macha Nikolskaïa, Antoine Rauzy, and David James Sherman ... 100

Bisimulation Minimization in an Automata-Theoretic Verification Framework
    Kathi Fisler and Moshe Y. Vardi ... 115

Automatic Verification of Mixed-Level Logic Circuits
    Keith Hanna ... 133

A Timed Automaton-Based Method for Accurate Computation of Circuit Delay in the Presence of Cross-Talk
    S. Taşıran, S.P. Khatri, S. Yovine, R.K. Brayton, and A. Sangiovanni-Vincentelli ... 149

Maximum Time Separation of Events in Cyclic Systems with Linear and Latest Timing Constraints
    Fen Jin, Henrik Hulgaard, and Eduard Cerny ... 167

Using MTBDDs for Composition and Model Checking of Real-Time Systems
    Jürgen Ruf and Thomas Kropf ... 185

Formal Methods in CAD from an Industrial Perspective
    Carl-Johan H. Seger ... 203

A Methodology for Automatic Verification of Synthesized RTL Designs and Its Integration with a High-Level Synthesis Tool
    Nazanin Mansouri and Ranga Vemuri ... 204

Combined Formal Post- and Presynthesis Verification in High Level Synthesis
    Thomas Lock, Michael Mendler, and Matthias Mutz ... 222

Formalization and Proof of a Solution to the PCI 2.1 Bus Transaction Ordering Problem
    Abdel Mokkedem, Ravi Hosabettu, and Ganesh Gopalakrishnan ... 237

A Performance Study of BDD-Based Model Checking
    Bwolen Yang, Randal E. Bryant, David R. O'Hallaron, Armin Biere, Olivier Coudert, Geert Janssen, Rajeev K. Ranjan, and Fabio Somenzi ... 255

Symbolic Model Checking Visualization
    Gila Kamhi, Limor Fix, and Ziv Binyamini ... 290

Input Elimination and Abstraction in Model-Checking
    Sela Mador-Haim and Limor Fix ... 304

Symbolic Simulation of the JEM1 Microprocessor
    David A. Greve ... 321

Symbolic Simulation: An ACL2 Approach
    J. Strother Moore ... 334

Verification of Data-Insensitive Circuits: An In-Order-Retirement Case Study
    Amir Pnueli and T. Arons ... 351

Combining Symbolic Model Checking with Uninterpreted Functions for Out-of-Order Processor Verification
    Sergey Berezin, Armin Biere, Edmund Clarke, and Yunshan Zhu ... 369

Formally Verifying Data and Control with Weak Reachability Invariants
    Jeffrey Su, David L. Dill, and Jens U. Skakkebæk ... 387

Generalized Reversible Rules
    C. Norris Ip ... 403

An Assume-Guarantee Rule for Checking Simulation
    Thomas A. Henzinger, Shaz Qadeer, Sriram K. Rajamani, and Serdar Taşıran ... 421

Three Approaches to Hardware Verification: HOL, MDG, and VIS Compared
    Sofiène Tahar, Paul Curzon, and Jianping Lu ... 433

An Instruction Set Process Calculus
    Shiu-Kai Chin and Jang Dae Kim ... 451

Techniques for Implicit State Enumeration of EFSMs
    James H. Kukula, Tom R. Shiple, and Adnan Aziz ... 469

Model Checking on Product Structures
    Klaus Schneider ... 483

BDDNOW: A Parallel BDD Package
    Kim Milvang-Jensen and Alan J. Hu ... 501

Model-Checking VHDL with CV
    David Déharbe, Subash Shankar, and Edmund M. Clarke ... 508

Alexandria: A Tool for Hierarchical Verification
    Annette Bunker, Trent N. Larson, Michael D. Jones, and Phillip J. Windley ... 515

PV: An Explicit Enumeration Model-Checker
    Ratan Nalumasu and Ganesh Gopalakrishnan ... 523

Author Index ... 529

Minimalist Proof Assistants: Interactions of Technology and Methodology in Formal System Level Verification

Kenneth L. McMillan
Cadence Berkeley Labs, 2001 Addison St., 3rd floor, Berkeley, CA 94704-1103

Abstract. The complexity of systems implemented in hardware continues to grow, and with it the need for formal, automated, system level verification. Unfortunately, though automatic formal verification technologies continue to improve incrementally in terms of the size and complexity of systems they can handle, there is a widening gap between real designs and designs that can be verified automatically.

I will argue that proofs and proof assistants in some form, in combination with automated methods, are necessary to close this gap. However, the considerations that drive the design of a proof assistant for hardware verification are not necessarily those that have shaped existing general-purpose proof assistants. In particular, for a hardware proof assistant, the requirements in terms of logical expressiveness and the power of its deductive machinery are minimal. For example, the ability to reason about higher-order objects like sets and functions is probably superfluous in the hardware domain.

Rather, the primary consideration in constructing proofs of complex systems is that proofs be concise and maintainable. This means that a proof system must take maximum advantage of the strengths of model checking and automated decision procedures in order to minimize the need for manual decomposition of proofs. It is thus important to consider how inference rules and decision procedures (e.g., model checking) interact to allow concise proof decompositions in a particular domain of application. As an example, I will show how model checking combined with a few simple but domain-tailored inference rules allows surprisingly concise proofs about out-of-order instruction processors. This is chiefly because basing the proof on model checking eliminates the need to state and prove global invariants.

Along the way, I will also discuss some practical considerations for the design of large, formally verified, hardware systems. In particular, the most concise proof decompositions for hardware systems are often non-hierarchical. Rather, proofs often decompose most naturally according to the paths followed by data and control through the system under various conditions, rather than according to structural hierarchy. Further, design for compositional verification differs strongly from the paradigm of design-by-debugging that is currently prevalent. The debugging approach leads to complex (and often unknown) interactions between design components, whereas the formal approach favors the design of "bullet-proof" components, that implement a given abstract model without any assumptions about environment behavior.

G. Gopalakrishnan, P. Windley (Eds.): FMCAD'98, LNCS 1522, pp. 1, 1998. (c) Springer-Verlag Berlin Heidelberg 1998