Flemming Andersen | Texas A&M University
Papers by Flemming Andersen
Proceedings, Nov 1, 2006
This paper presents the development of a hierarchical methodology for speeding up a symbolic trajectory evaluation (STE) based verification flow, using "program slicing" techniques. An overview of the proposed methodology is described, along with the details ...
Lecture Notes in Computer Science, 1994
A graphical tool for proving leadsto progress properties of UNITY programs is described. The tool allows a user to draw Directed Acyclic Graphs (DAGs) that outline the proof of UNITY leadsto progress properties. From these DAGs the tool generates proof scripts that contain proofs of the leadsto properties. Edges in the DAGs are annotated with information that can direct a ...
Lecture Notes in Computer Science, 1994
... Flemming Andersen and Kim Dam Petersen and Jimmi S. Pettersson ... The types representing the lift variable names, and their values are: var = floor | up | move | stop | open | req and val = Bool bool | Num num | Bits (num -> bool), from which the state dependent variables floor, up ...
The HOL system supports mechanized verification of specifications in polymorphic Higher Order Logic. HOL has facilities for defining primitive recursive functions, but no support for defining non-primitive recursive functions. This paper presents a package for defining recursive boolean functions in HOL as the minimal or maximal fixed point of a boolean function transformer. The implementation of the package is based on the results on fixed points in complete lattices by Tarski. Two examples on ...
Springer eBooks, 2000
A c-slow netlist N is one which may be retimed to another netlist N′, where the number of latches along each wire of N′ is a multiple of c. Leiserson and Saxe [1, page 54] have shown that by increasing c (a process termed slowdown) and retiming, any design may be made systolic, thereby dramatically decreasing its cycle time. In this paper we develop a new fully-automated abstraction algorithm applicable to the verification of generalized c-slow flip-flop based netlists; the more generalized topology accepted by our approach allows applicability to a fairly large class of pipelined netlists. This abstraction reduces the number of state variables and divides the diameter of the model by c; intuitively, it folds the state space of the design modulo c. We study the reachable state space of both the original and reduced netlists, and establish a c-slow bisimulation relation between the two. We demonstrate how CTL* model checking may be preserved through the abstraction for a useful fragment of CTL* formulae. Experiments with two components of IBM's Gigahertz Processor demonstrate the effectiveness of this abstraction algorithm.
This paper discusses a methodology used on an industrial hardware development project to validate various cache-coherence protocol components. The idea is to use a high level model (HLM) written in Murphi for model checking purposes, and then to use the HLM as a checker during dynamic (i.e. simulation-based) validation of the RTL. Such a checker requires a formal notion of what it means for the RTL to implement the HLM. Due to RTL pipelining, concurrency, and different RTL/HLM semantics, an appropriate notion is non-obvious. We employ a notion we call behavioral refinement, and describe a methodology for creating refinement checkers. A novel aspect of our methodology is that all “ingredients” are specified using System Verilog (SV): even the Murphi model itself is compiled into SV. Thus any off-the-shelf SV simulation engine can be used. We report the successful use of our refinement checkers to catch bugs in a real project at Intel and give an example illustrating our met...
We describe a graphical tool for proving leadsto progress properties of UNITY programs. The tool allows a user to draw Directed Acyclic Graphs (DAGs), to check that DAGs are proof lattices, similar to the idea of Owicki and Lamport. From each proof lattice the desired progress property is deduced. Edges in proof lattices are annotated with information describing how to prove the property that they represent. The tool transforms a DAG to a natural deduction-like proof, similar to the style used by Chandy and Misra. This proof is then, by a compiler, translated into a proof script which is checked by a theorem prover. With this graphical tool it is possible, modulo the strength of the theorem prover, to automatically prove that a program satisfies a leadsto property on the basis of a proof lattice that outlines the proof structure. 1 Introduction. The work presented here is part of a project on building a software verification tool for the telecommunication industry; a tool which can be u...
... By applying the results from Chapter 2 it is thus possible to derive induction principles that are valid for the defined activity property ... which are not formalised in [CM88] turn out to be special cases of the extended implication theorem that was revealed in Chapter ...
ACM SIGMOD Record, 1986
Recently, extensions for relational database management systems (DBMS) have been proposed to support also hierarchical structures (complex objects). These extensions have been mainly implemented on top of an existing DBMS. Such an approach leads to many disadvantages, not only from the conceptual point of view but also from performance aspects. This paper reports on a 3-year effort to design and prototype a DBMS to support a generalized relational data model, called the extended NF² (Non First Normal Form) data model, which treats flat relations, lists, and hierarchical structures in a uniform way. The logical data model, a language for this model, and alternatives for storage structures to implement generalized relations are presented and discussed. Proc. ACM-SIGMOD Conf.
2009 Formal Methods in Computer-Aided Design, 2009
This paper discusses a methodology used on an industrial hardware development project to validate various cache-coherence protocol components. The idea is to use a high level model (HLM) written in Murphi for model checking purposes, and then to use the HLM as a checker during dynamic (i.e. simulation-based) validation of the RTL. Such a checker requires a formal notion of what it means for the RTL to implement the HLM. Due to RTL pipelining, concurrency, and different RTL/HLM semantics, an appropriate notion is non-obvious. We employ a notion we call behavioral refinement, and describe a methodology for creating refinement checkers. A novel aspect of our methodology is that all "ingredients" are specified using System Verilog (SV): even the Murphi model itself is compiled into SV. Thus any off-the-shelf SV simulation engine can be used. We report the successful use of our refinement checkers to catch bugs in a real project at Intel and give an example illustrating our methodology.
Lecture Notes in Computer Science, 1995
The HOL-UNITY verification system consists of a collection of tools for specifying and verifying UNITY programs and their properties. All the tools interface the theorem prover HOL for proving the properties of UNITY programs. In this way HOL-UNITY supports mechanised proving of correctness for parallel programs.
Lecture Notes in Computer Science, 2000
A c-slow netlist N is one which may be retimed to another netlist N′, where the number of latches along each wire of N′ is a multiple of c. Leiserson and Saxe [1, page 54] have shown that by increasing c (a process termed slowdown) and retiming, any design may be made systolic, thereby dramatically decreasing its cycle time. In this paper we develop a new fully-automated abstraction algorithm applicable to the verification of generalized c-slow flip-flop based netlists; the more generalized topology accepted by our approach allows applicability to a fairly large class of pipelined netlists. This abstraction reduces the number of state variables and divides the diameter of the model by c; intuitively, it folds the state space of the design modulo c. We study the reachable state space of both the original and reduced netlists, and establish a c-slow bisimulation relation between the two. We demonstrate how CTL* model checking may be preserved through the abstraction for a useful fragment of CTL* formulae. Experiments with two components of IBM's Gigahertz Processor demonstrate the effectiveness of this abstraction algorithm.
2006 IEEE International High Level Design Validation and Test Workshop, 2006
This paper presents the development of a hierarchical methodology for speeding up a symbolic trajectory evaluation (STE) based verification flow, using "program slicing" techniques. An overview of the proposed methodology is described, along with the details ...
Lecture Notes in Computer Science, 1994
We describe a graphical tool for proving leadsto progress properties of UNITY programs. The tool allows a user to draw Directed Acyclic Graphs (DAGs), to check that DAGs are proof lattices, similar to the idea of Owicki and Lamport. From each proof lattice the desired progress property is deduced. Edges in proof lattices are annotated with information describing how to prove the property that they represent. The tool transforms a DAG to a natural deduction-like proof, similar to the style used by Chandy and Misra. This proof is then, by a compiler, translated into a proof script which is checked by a theorem prover. With this graphical tool it is possible, modulo the strength of the theorem prover, to automatically prove that a program satisfies a leadsto property on the basis of a proof lattice that outlines the proof structure.
Lecture Notes in Computer Science, 1994
HOL-UNITY is an implementation of Chandy and Misra's UNITY theory in the HOL88 and HOL90 theorem provers. This paper shows how to verify safety and progress properties of concurrent programs using HOL-UNITY. As an example it is proved that a lift-control program satisfies a given progress property. The proof is compositional and partly automated. The progress property is decomposed into basic safety and progress properties, which are proved automatically by a developed tactic based on a combination of Gentzen-like proof methods and Presburger decision procedures. The proof of the decomposition, which includes induction, is done mechanically using the inference rules of the UNITY logic implemented as theorems in HOL. The paper also contains some empirical results of running the developed tactic in HOL88 and HOL90, respectively. It turns out that HOL90 is on average about 9 times faster than HOL88. Finally, we discuss various ways of improving the tactic.