David Dill | Stanford University
Papers by David Dill
Parallel architecture becomes more and more attractive as the demand for performance increases. One of the most important classes of parallel machines is that of shared memory architectures, which are perceived as easier to program than other parallel architectures. In a shared memory multiprocessor architecture, a memory model describes the behavior of the memory system as observed at the user level.
In verification by explicit state enumeration, for each reachable state of the protocol being verified the full state descriptor is stored in a state table. Two probabilistic methods -- bitstate hashing and hash compaction -- have been proposed in the literature that store much fewer bits for each state but come at the price of some probability that not all reachable states will be explored during the search, and that the verifier may thus produce false positives.
This paper presents initial results in model checking multi-threaded Java programs. Java programs are translated into the SAL (Symbolic Analysis Laboratory) intermediate language, which supports dynamic constructs such as object instantiations and thread call stacks. The SAL model checker then exhaustively checks the program description for deadlocks and assertion failures, using traditional model checking optimizations to curb the state explosion problem.
To verify cache coherence protocols for distributed multiprocessor architectures, we compare a state graph of the implementation with a specification which is a state graph representing the simplified behavior. The steps in the specification correspond to atomic transactions, which are not atomic in the implementation. The method relies on an abstraction function which aggregates the implementation steps of each transaction into a single atomic transaction in the specification.
Previously (Proc. 11th Symp. on Computer Hardware Description Languages and their Application, April 1993), we proposed a reduction technique based on symmetries to alleviate the state explosion problem in automatic verification of concurrent systems. This paper describes the results of testing the technique on a wide range of algorithms and protocols, including realistic multiprocessor synchronization algorithms and cache coherence protocols.
Many system errors do not emerge unless some intricate sequence of events occurs. In practice, this means that most systems have errors that only trigger after days or weeks of execution. Model checking [4] is an effective way to find such subtle errors. It takes a simplified description of the code and exhaustively tests it on all inputs, using techniques to explore vast state spaces efficiently. Unfortunately, while model checking systems code would be wonderful, it is almost never done in practice: building models is just too hard.
The temporal logic model checking algorithm of Clarke, Emerson, and Sistla (1986) is modified to represent state graphs using binary decision diagrams (BDDs) and partitioned transition relations. Because this representation captures some of the regularity in the state space of circuits with data path logic, we are able to verify circuits with an extremely large number of states. We demonstrate this new technique on a synchronous pipelined design with approximately 5 × 10^120 states.
We present a unified technique for timing verification and performance analysis of complex asynchronous circuits designed with implicit timing assumptions. We model interacting asynchronous controllers and datapath elements using timing constraint graphs. Performance metrics and circuit timing constraints to be checked are formulated as time separations between appropriate events. Time separations between all pairs of events are then efficiently computed in a single pass.
Consider the problem of determining whether a quantifier-free formula φ is satisfiable in some first-order theory T. Shostak's algorithm decides this problem for a certain class of theories with both interpreted and uninterpreted function symbols. We present two new algorithms based on Shostak's method. The first is a simple subset of Shostak's algorithm for the same class of theories but without uninterpreted function symbols.
A fundamental difficulty in automatic formal verification of finite-state systems is the state explosion problem -- even relatively simple systems can produce very large state spaces, causing great difficulties for methods that rely on explicit state enumeration. We address the problem by exploiting structural symmetries in the description of the system to be verified.
Model-checking is a method of verifying concurrent systems in which a state-graph model of the system behavior is compared with a temporal logic formula. This paper extends model-checking to stochastic real-time systems, whose behavior depends on probabilistic choice and quantitative time. The specification language is TCTL, a branching-time temporal logic for expressing real-time properties. We interpret the formulas of the logic over generalized semi-Markov processes.
The winners of an election are usually satisfied with the outcome, but it is often more challenging to persuade the losers (and their supporters) that they lost. To that end, it is not sufficient that election results be accurate. The public must also know the results are accurate, which can only be achieved if conduct of the election is sufficiently transparent that candidates, the press, and the general public can satisfy themselves that no errors or cheating have occurred.
A completion-detection method is proposed for efficiently implementing Boolean functions as self-timed logic structures. Current-sensing completion detection (CSCD) allows self-timed circuits to be designed using single-rail variable encoding (one signal wire per logic variable) and implemented in about the same silicon area as an equivalent synchronous implementation. Compared to dual-rail encoding methods, CSCD can reduce the number of signal wires and transistors used by approximately 50%.
A synthesis procedure for designing asynchronous controllers from burst-mode specifications, a class of specifications allowing multiple-input-change fundamental mode operation, is described. This implementation of burst-mode state machines uses standard combinational logic, generates low-latency outputs and guarantees freedom from hazards at the gate level. It requires no locally synthesized clock and no storage elements. In addition, primary outputs as well as additional state variables are used as feedback variables.
Complex systems have errors that involve mishandled corner cases in intricate sequences of events. Conventional testing techniques usually miss these errors. In recent years, formal verification techniques such as [5] have gained popularity in checking a property in all possible behaviors of a system. However, such techniques involve generating an abstract model of the system. Such an abstraction process is unreliable, difficult and misses a lot of implementation errors.
We present a new approach for using a theorem-prover to verify the correctness of protocols and distributed algorithms. The method compares a state graph of the implementation with a specification which is a state graph representing the desired abstract behavior. The steps in the specification correspond to atomic transactions, which are not atomic in the implementation.
This paper describes representations of biological processes based on Rewriting Logic and Petri net formalisms and mappings between these representations used in the Pathway Logic Assistant. The mappings are shown to preserve properties of interest. In addition, a relevant subnet transformation is defined that specializes a Petri net model to a specific query to reduce the number of transitions that must be considered when answering the query.
Partitioned BDD-based algorithms have been proposed in the literature to solve the memory explosion problem in BDD-based verification. A naive parallelization of such algorithms is often ineffective as they have less parallelism. In this paper we present a novel parallel reachability approach that leads to a significantly faster verification on a Symmetric Multi-Processing architecture over the existing one-thread, one-CPU approaches. We identify the issues and bottlenecks in parallelizing BDD-based reachability algorithms.
The MYC oncogene has been implicated in the regulation of up to thousands of genes involved in many cellular programs including proliferation, growth, differentiation, self-renewal, and apoptosis. MYC is thought to induce cancer through an exaggerated effect on these physiologic programs. Which of these genes are responsible for the ability of MYC to initiate and/or maintain tumorigenesis is not clear. Previously, we have shown that upon brief MYC inactivation, some tumors undergo sustained regression.