Mark Greenstreet - Academia.edu
Papers by Mark Greenstreet
Lecture Notes in Computer Science, 1999
We present a deductive verification framework that combines deductive reasoning, general-purpose decision procedures, and domain-specific reasoning. We address the integration of formal as well as informal domain-specific reasoning, which is encapsulated in the form of user-defined inference rules. To demonstrate our approach, we describe the verification of an SRT divider where a transistor-level implementation with timing is shown to be a refinement of its high-level specification.
International Journal on Software Tools for Technology Transfer, Aug 1, 2001
We present a deductive verification framework that combines deductive reasoning, general-purpose decision procedures, and domain-specific reasoning. We address the integration of formal as well as informal domain-specific reasoning, which is encapsulated in the form of user-defined inference rules. To demonstrate our approach, we describe the verification of an SRT divider where a transistor-level implementation with timing is shown to be a refinement of its high-level specification.
Meeting of the Association for Computational Linguistics, 2018
This paper shows that self-timed meshes can achieve linear speed-up. The per-processor performance of a mesh is the average number of operations per processor per unit time. For synchronous processors, it has been shown that the per-processor performance of a mesh goes to zero as the size of the mesh goes to infinity. This paper shows that for self-timed meshes, the per-processor performance can be bounded below by a positive constant. Thus, self-timed meshes are asymptotically faster than synchronous ones. Furthermore, simulation and analytic results are used to show that analysis based solely on average-case times can be optimistic and lead to poor design decisions.
Inc., is a commercially marketed product based on CVE, which includes Verilog support as well. RuleBase [Beer et al. 1996], developed at IBM, is an industry-oriented model checking tool built on SMV which provides a graphical user interface, a temporal logic defined on top of CTL, support for VHDL and Verilog, and debugging support. VIS [Brayton et al. 1996] integrates model checking with other verification techniques such as combinational and sequential equivalence checking. VIS accepts design descriptions in a synthesizable subset of Verilog, and supports CTL model checking. Interaction with the SIS synthesis tool [Sentovich et al. 1992] is provided through a common intermediate format.
Springer eBooks, 2002
Memo to. Per my voice message telephone conversation this morning, I'm requesting the following changes be made on a final report submitted to DTIC receiving the following AD number: ADA361 329. Changes to be made on the Standard Form 298: Change Block 5 to read DAAG55-98-1-0259. Change Block 10 to read ARO 38745.1-MA-CF. If you have any questions to this request please call me at DSN 832-4220.
Lecture Notes in Computer Science, 2023
Pre-designed and pre-verified hardware and software blocks can be combined on chips for many different applications; they promise large productivity gains.
A merge element combines two concurrent handshake streams. For every request received from a client, a merge element may send a request to its parent, and for each acknowledgement received from its parent, the merge element may send an acknowledgement to a client. We show that a merge element can provide bounded-time response if its parent also has bounded-time response. We present two new implementations of a merge: one that uses an arbiter, and one that uses Schmitt triggers but no arbiters. Based on these designs, we explore a class of concurrent computations that can be performed in guaranteed bounded time, and we raise some new questions about what is possible in asynchronous design.
Design, Automation, and Test in Europe, Apr 16, 2007
System-on-Chip designs often have a large number of timing domains. Communication between these domains requires synchronization, and the failure probabilities of these synchronizers must be characterized accurately to ensure the robustness of the complete system. We present a novel approach for determining the failure probabilities of synchronizer circuits. We use numerical integration to perform large-signal analysis that accounts for the non-linear behaviour of real synchronizer circuits. We complement this with small-signal techniques to characterize behaviours near the metastable equilibrium. This combination overcomes the limitations of traditional techniques: the large-signal analysis accounts for the transfer of metastable behaviour between synchronizer stages; and the small-signal techniques overcome the limitations of numerical accuracy inherent in pure simulation approaches. Our approach is fully automated, is suitable for integration into circuit simulation tools such as SPICE, and enables accurate characterization of extremely small failure probabilities.
Bisection with restarts [1] provides a way to quantify the failure probabilities of real-world synchronizer circuits. More recently, [2] showed how time-varying, linear dynamics can be derived for non-linear synchronizer circuits, building upon the bisection-with-restarts method. Here, we show that this linear model can be decomposed into component-wise contributions to synchronizer performance. This enables automatic optimization of device sizing to minimize the probability of failure. Furthermore, we can compare existing designs, optimizing each circuit to provide a fair comparison. The component-wise analysis explains the differences between designs by showing how each device contributes to metastability resolution over the time allotted for synchronization.
Proceedings, 2007
Circuits such as flip-flops, sense amplifiers and synchronizers can exhibit metastability failures that are undetectable given the numerical accuracy limitations of simulators such as HSPICE. We present a novel simulation technique that allows us to generate accurate waveforms for the metastability failures and similar events. We apply our method to two latches and a self-resetting circuit for clock-phase generation.
The complementary strengths of interactive theorem proving and SMT solvers have motivated several efforts at integration, including Sledgehammer for Isabelle/HOL and CoqSMT. The goal of these efforts is to combine the generality of interactive theorem provers, especially support for inductive proofs, with the automation of SMT solvers for discharging tedious subgoals. In practice, such efforts have been hindered by the gaps between the logic of the theorem prover and the SMT solver. Typically, goals in the theorem prover are expressed in an untyped logic, often making extensive use of recursive functions and quantifiers. In contrast, the logic of SMT solvers is first-order, many-sorted, and lacks recursive functions. In practice, the effort to transform proof goals into formulations that are amenable to SMT techniques can dominate the proof effort. This tutorial describes Smtlink, our integration of Z3 into ACL2, and presents examples demonstrating the effectiveness of the approach. Smtlink makes extensive use of reflection. By inspecting proof goals and extracting already proven facts, Smtlink automates much of the translation of goals from the untyped logic of ACL2 to the many-sorted logic of Z3. From the user's perspective, Smtlink can discharge goals that include user-defined data types and recursive functions, and whose proofs build on previously established theorems. We present several examples from analog and mixed-signal circuits. We also present a simple proof of the Cauchy-Schwarz inequality. In our experience, these proofs were surprisingly straightforward: we identified the obvious inductive lemmas, and these lemmas were discharged without further effort by the user. As we will show with these examples, the SMT integration makes the theorem proving process productive and fun. This tutorial is based on joint work with Carl Kwan and Yan Peng.
In 2007, Yang and Greenstreet presented an algorithm that enables the computation of synchronizer failure probabilities, even when these probabilities are extremely small. Their approach gives a single probability number for the synchronizer but does not explain how the circuit details within the synchronizer contribute to the final result. We present an extension of their algorithm that connects the time-to-voltage gain of a synchronizer to the propagation of metastability through the circuit. This allows the designer to see what circuit features are helpful or not for synchronizer performance. There exists abundant folklore about what helps or hinders multistage synchronizer performance. We use our analysis to examine and explain two examples of such synchronizer folklore.
This paper describes three techniques for reachability analysis for systems modeled by ordinary differential equations (ODEs). First, linear models with regions modeled by convex polyhedra are considered, and an exact algorithm is presented. Next, non-convex polyhedra are considered, and techniques are presented for representing a polyhedron by its projection onto two-dimensional subspaces. This approach yields a compact representation, and allows efficient algorithms from computational geometry to be employed. Within this context, an approximation technique for reducing non-linear ODE models to linear nonhomogeneous models is presented. This reduction provides a sound basis for applying methods for linear systems analysis to non-linear systems.