孟昕,沈海斌,严晓浪

DOI: https://doi.org/10.3785/j.issn.1008-973X.2010.06.005

2010-01-01

Abstract:Configurable parameterized System-On-a-Chip (SoC) design using industry standard Hardware Description Language (HDL) is complicate and hard to maintain. A Domain-specific Language (DSL) named MetaHDL was presented for synthesizable functional description of configurable digital Very Large Scale Integrated (VLSI) circuits, ranging from logic oriented low-level module design to Intellectual Property (IP) based SoC integration. MetaHDL uses inference and parameter tracing technologies and has specific optimizations for circuit's structure and functional descriptions, so as to improve language expressiveness, code readability and maintainability, and achieved over 65% code reduction. MetaHDL provides a two-level code configuration system consisting comprehensive preprocessor and parameter tracing mechanism to ease the reuse-oriented module design and IP integration. MetaHDL has been used in the Unified Threat Management (UTM) chip development project, addressed various design challenges of complex reuse scenarios, and improved the project efficiency and quality.

Rajdeep Mukherjee,Saurabh Joshi,John O'Leary,Daniel Kroening,Tom Melham

DOI: https://doi.org/10.48550/arXiv.2001.01324

2020-01-06

Abstract:Conventional tools for formal hardware/software co-verification use bounded model checking techniques to construct a single monolithic propositional formula. Formulas generated in this way are extremely complex and contain a great deal of irrelevant logic, hence are difficult to solve even by the state-of-the-art Satis ability (SAT) solvers. In a typical hardware/software co-design the firmware only exercises a fraction of the hardware state-space, and we can use this observation to generate simpler and more concise formulas. In this paper, we present a novel verification algorithm for hardware/software co-designs that identify partitions of the firmware and the hardware logic pertaining to the feasible execution paths by means of path-based symbolic simulation with custom path-pruning, property-guided slicing and incremental SAT solving. We have implemented this approach in our tool COVERIF. We have experimentally compared COVERIF with HW-CBMC, a monolithic BMC based co-verification tool, and observed an average speed-up of 5X over HW-CBMC for proving safety properties as well as detecting critical co-design bugs in an open-source Universal Asynchronous Receiver Transmitter design and a large SoC design.

Formal Languages and Automata Theory,Logic in Computer Science

Shengchao Qin,Wei-Ngan Chin,Jifeng He,Zongyan Qiu

DOI: https://doi.org/10.1007/s11334-005-0020-2

2006-01-01

Innovations in Systems and Software Engineering

Abstract:Hardware/software co-specification is a critical phase in co-design. Our co-specification process starts with a high level graphical description in Statecharts and ends with an equivalent parallel composition of hardware and software descriptions in Verilog. In this paper, we first investigate the Statecharts formalism by providing it a formal syntax and a compositional operational semantics. Based on that, a semantics-preserving linking function is designed to compile specifications written in Statecharts into Verilog. The obtained Verilog specifications are then passed to a partitioning process to generate hardware and software subspecifications, where the correctness is guaranteed by algebraic laws of Verilog.

Thomas Braibant

DOI: https://doi.org/10.48550/arXiv.1108.4253

2011-08-22

Abstract:We propose a new library to model and verify hardware circuits in the Coq proof assistant. This library allows one to easily build circuits by following the usual pen-and-paper diagrams. We define a deep-embedding: we use a (dependently typed) data-type that models the architecture of circuits, and a meaning function. We propose tactics that ease the reasoning about the behavior of the circuits, and we demonstrate that our approach is practicable by proving the correctness of various circuits: a text-book divide and conquer adder of parametric size, some higher-order combinators of circuits, and some sequential circuits: a buffer, and a register.

Logic in Computer Science

Adriana Nicolae,Paul Irofti,Ioana Leustean

2023-11-07

Abstract:The seL4 microkernel is currently the only kernel that has been fully formally verified. In general, the increased interest in ensuring the security of a kernel's code results from its important role in the entire operating system. One of the basic features of an operating system is that it abstracts the handling of devices. This abstraction is represented by device drivers - the software that manages the hardware. A proper verification of the software component could ensure that the device would work properly unless there is a hardware <a class="link-external link-http" href="http://failure.In" rel="external noopener nofollow">this http URL</a> this paper, we choose to model the behavior of a device driver and build the proof that the code implementation matches the expected behavior. The proof was written in Isabelle/HOL, the code translation from C to Isabelle was done automatically by the use of the C-to-Isabelle Parser and AutoCorres tools. We choose Isabelle theorem prover because its efficiency was already shown through the verification of seL4 microkernel.

Cryptography and Security,Logic in Computer Science,Operating Systems

Adam Procter,William L. Harrison,Ian Graves,Michela Becchi,Gerard Allwein

DOI: https://doi.org/10.1145/2808704.2754970

2015-07-22

ACM SIGPLAN Notices

Abstract:There is no such thing as high assurance without high assurance hardware. High assurance hardware is essential, because any and all high assurance systems ultimately depend on hardware that conforms to, and does not undermine, critical system properties and invariants. And yet, high assurance hardware development is stymied by the conceptual gap between formal methods and hardware description languages used by engineers. This paper presents ReWire, a functional programming language providing a suitable foundation for formal verification of hardware designs, and a compiler for that language that translates high-level, semantics-driven designs directly into working hardware. ReWire's design and implementation are presented, along with a case study in the design of a secure multicore processor, demonstrating both ReWire's expressiveness as a programming language and its power as a framework for formal, high-level reasoning about hardware systems.

R.K. Gupta,N.C. Claudionor,G. De Micheli

DOI: https://doi.org/10.1109/2.248880

1994-01-01

Computer

Abstract:Recent advances in the design and synthesis of integrated circuits have prompted system architects to investigate computer aided design methods for systems that contain both application-specific and predesigned reprogrammable components. For the most part, we can apply high level synthesis techniques to synthesis of systems containing processors by treating the latter as a generalized resource. However, the problem is more complex, since the software on the processor implements system functionality in an instruction-driven manner with a statically allocated memory space, whereas ASICs operate as data driven reactive elements. Due to these differences in computational models and primitive operations in hardware and software, a new formulation of the problem of cosynthesis is needed. The authors present their cosynthesis approach. They specify system behavior using HardwareC, a hardware description language (HDL) that has a C-like syntax and supports timing and resource constraints. It also supports specification of unbounded and unknown delay operations that can arise from data-dependent decisions and external synchronization operations. The particular choice of a HDL to specify system functionality is immaterial for the cosynthesis formulation here, and other HDLs such as Verilog could be used.&lt;&gt;

computer science, software engineering, hardware & architecture

Andrew Dobis,Tjark Petersen,Kasper Juul Hesse Rasmussen,Enrico Tolotto,Hans Jakob Damsgaard,Simon Thye Andersen,Richard Lin,Martin Schoeberl

DOI: https://doi.org/10.48550/arXiv.2102.13460

2021-02-26

Abstract:Performance increase with general-purpose processors has come to a halt. We can no longer depend on Moore's Law to increase computing performance. The only way to achieve higher performance or lower energy consumption is by building domain-specific hardware accelerators. To efficiently design and verify those domain-specific accelerators, we need agile hardware development. One of the main obstacles when proposing such a modern method is the lack of modern tools to attack it. To be able to verify a design in such a time-constrained development method, one needs to have efficient tools both for design and verification. This paper thus proposes ChiselVerify, an open-source tool for verifying circuits described in any Hardware Description Language. It builds on top of the Chisel hardware construction language and uses Scala to drive the verification using a testing strategy inspired by the Universal Verification Methodology (UVM) and adapted for designs described in Chisel. ChiselVerify is created based on three key ideas. First, our solution highly increases the productivity of the verification engineer, by allowing hardware testing to be done in a modern high-level programming environment. Second, the framework functions with any hardware description language thanks to the flexibility of Chisel blackboxes. Finally, the solution is well integrated into the existing Chisel universe, making it an extension of currently existing testing libraries. We implement ChiselVerify in a way inspired by the functionalities found in SystemVerilog. This allows one to use functional coverage, constrained-random verification, bus functional models, transaction-level modeling and much more during the verification process of a design in a contemporary high-level programming ecosystem.

Programming Languages,Hardware Architecture

Jiangyi Liu,Charlie Murphy,Anvay Grover,Keith J.C. Johnson,Thomas Reps,Loris D'Antoni

2024-08-30

Abstract:Program verification and synthesis frameworks that allow one to customize the language in which one is interested typically require the user to provide a formally defined semantics for the language. Because writing a formal semantics can be a daunting and error-prone task, this requirement stands in the way of such frameworks being adopted by non-expert users. We present an algorithm that can automatically synthesize inductively defined syntax-directed semantics when given (i) a grammar describing the syntax of a language and (ii) an executable (closed-box) interpreter for computing the semantics of programs in the language of the grammar. Our algorithm synthesizes the semantics in the form of Constrained-Horn Clauses (CHCs), a natural, extensible, and formal logical framework for specifying inductively defined relations that has recently received widespread adoption in program verification and synthesis. The key innovation of our synthesis algorithm is a Counterexample-Guided Synthesis (CEGIS) approach that breaks the hard problem of synthesizing a set of constrained Horn clauses into small, tractable expression-synthesis problems that can be dispatched to existing SyGuS synthesizers. Our tool Synantic synthesized inductively-defined formal semantics from 14 interpreters for languages used in program-synthesis applications. When synthesizing formal semantics for one of our benchmarks, Synantic unveiled an inconsistency in the semantics computed by the interpreter for a language of regular expressions; fixing the inconsistency resulted in a more efficient semantics and, for some cases, in a 1.2x speedup for a synthesizer solving synthesis problems over such a language.

Programming Languages

Andy Ray,Benjamin Devlin,Fu Yong Quah,Rahul Yesantharao

DOI: https://doi.org/10.48550/arXiv.2312.15035

2023-12-22

Programming Languages

Abstract:This paper introduces Hardcaml, an embedded hardware design domain specific language (DSL) implemented in the OCaml programming language. Unlike high level synthesis (HLS), Hardcaml allows for low level control of the underlying hardware for maximum productivity, while abstracting away many of the tedious aspects of traditional hardware definition languages (HDLs) such as Verilog or VHDL. The richness of OCaml's type system combined with Hardcaml's fast circuit elaboration checks reduces the chance of user-introduced bugs and erroneous connections with features like custom type defining, type-safe parameterized modules and elaboration-time bit-width inference and validation. Hardcaml tooling emphasizes fast feedback through simulation, testing, and verification. It includes both a native OCaml cycle-accurate and an event-driven simulator. Unit tests can live in the source code and include digital ASCII waveforms representing the simulator's output. Hardcaml also provides tools for SAT proving and formal verification. Hardcaml is industrially proven, and has been used at Jane Street internally for many large FPGA designs. As a case study we highlight several aspects of our recent Hardcaml submission to the 2022 ZPrize cryptography competition which won 1st place in the FPGA track.

Bryan Olmos,Daniel Gerl,Aman Kumar,Djones Lettnin

2024-10-24

Abstract:The design of Systems on Chips (SoCs) is becoming more and more complex due to technological advancements. Missed bugs can cause drastic failures in safety-critical environments leading to the endangerment of lives. To overcome these drastic failures, formal property verification (FPV) has been applied in the industry. However, there exist multiple hardware designs where the results of FPV are not conclusive even for long runtimes of model-checking tools. For this reason, the use of High-level Equivalence Checking (HLEC) tools has been proposed in the last few years. However, the procedure for how to use it inside an industrial toolchain has not been defined. For this reason, we proposed an automated methodology based on metamodeling techniques which consist of two main steps. First, an untimed algorithmic description written in C++ is verified in an early stage using generated assertions; the advantage of this step is that the assertions at the software level run in seconds and we can start our analysis with conclusive results about our algorithm before starting to write the RTL (Register Transfer Level) design. Second, this algorithmic description is verified against its sequential design using HLEC and the respective metamodel parameters. The results show that the presented methodology can find bugs early related to the algorithmic description and prepare the setup for the HLEC verification. This helps to reduce the verification efforts to set up the tool and write the properties manually which is always error-prone. The proposed framework can help teams working on datapaths to verify and make decisions in an early stage of the verification flow.

Hardware Architecture,Artificial Intelligence

Aruna Jayasena,Prabhat Mishra

DOI: https://doi.org/10.1109/TCAD.2024.3383961

2024-04-17

Abstract:Hardware-firmware co-verification is critical to design trustworthy systems. While formal methods can provide verification guarantees, due to the complexity of firmware and hardware, it can lead to state space explosion. There are promising avenues to reduce the state space during firmware verification through manual abstraction of hardware or manual generation of hints. Manual development of abstraction or hints requires domain expertise and can be time-consuming and error-prone, leading to incorrect proofs or inaccurate results. In this paper, we effectively combine the scalability of simulation-based validation and the completeness of formal verification. Our proposed approach is applicable to actual firmware and hardware implementations without requiring any manual intervention during formal model generation or hint extraction. To reduce the state space complexity, we utilize both static module-level analysis and dynamic execution of verification scenarios to automatically generate system-level hints. These hints guide the underlying solver to perform scalable equivalence checking using proofs. The extracted hints are validated against the implementation before using them in the proofs. Experimental evaluation on RISC-V based systems demonstrates that our proposed framework is scalable due to scenario-based decomposition and automated hint extraction. Moreover, our fully automated framework can identify complex bugs in actual firmware-hardware implementations.

Software Engineering

Gus Henry Smith

2024-08-28

Abstract:Compilers convert between representations -- usually, from higher-level, human writable code to lower-level, machine-readable code. A compiler backend is the portion of the compiler containing optimizations and code generation routines for a specific hardware target. In this dissertation, I advocate for a specific way of building compiler backends: namely, by automatically generating them from explicit, formal models of hardware using automated reasoning algorithms. I describe how automatically generating compilers from formal models of hardware leads to increased optimization ability, stronger correctness guarantees, and reduced development time for compiler backends. As evidence, I present two case studies: first, Glenside, which uses equality saturation to increase the 3LA compiler's ability to offload operations to machine learning accelerators, and second, Lakeroad, a technology mapper for FPGAs which uses program synthesis and semantics extracted from Verilog to map hardware designs to complex, programmable hardware primitives.

Programming Languages,Hardware Architecture

Zhihao Xu,Shikai Guo,Guilin Zhao,Peiyu Zou,Xiaochen Li,He Jiang

2024-07-01

Abstract:Field Programmable Gate Array (FPGA) logic synthesis compilers (e.g., Vivado, Iverilog, Yosys, and Quartus) are widely applied in Electronic Design Automation (EDA), such as the development of FPGA programs.However, defects (i.e., incorrect synthesis) in logic synthesis compilers may lead to unexpected behaviors in target applications, posing security risks. Therefore, it is crucial to thoroughly test logic synthesis compilers to eliminate such defects.Despite several Hardware Design Language (HDL) code generators (e.g., Verismith) have been proposed to find defects in logic synthesis compilers, the effectiveness of these generators is still limited by the simple code generation strategy and the monogeneity of the generated HDL code.This paper proposes LegoHDL, a novel method to generate syntax valid HDL code for comprehensively testing FPGA logic synthesis compilers.LegoHDL can generate more complex and diverse defect-trigger HDL code (e.g., Verilog, VHDL, and SystemVerilog) by leveraging the guidance of abstract syntax tree and the extensive function block libraries of cyber-physical systems. Extensive experiments show that the diversity and defect-trigger capability of HDL code generated by LegoHDL are significantly better than the state-of-the-art method (i.e., Verismith).In three months, LegoHDL has reported 20 new defects--many of which are deep and important; 16 of them have been confirmed.

Hardware Architecture,Software Engineering

Stephen A. Edwards

DOI: https://doi.org/10.48550/arXiv.0710.4683

2007-10-25

Abstract:MANY TECHNIQUES for synthesizing digital hardware from C-like languages have been proposed, but none have emerged as successful as Verilog or VHDL for register-transfer-level design. This paper looks at two of the fundamental challenges: concurrency and timing control.

Programming Languages

Thomas Bourgeat,Clément Pit-Claudel,Adam Chlipala,Arvind

DOI: https://doi.org/10.1145/3385412.3385965

2020-06-06

Abstract:The Bluespec hardware-description language presents a significantly higher-level view than hardware engineers are used to, exposing a simpler concurrency model that promotes formal proof, without compromising on performance of compiled circuits. Unfortunately, the cost model of Bluespec has been unclear, with performance details depending on a mix of user hints and opaque static analysis of potential concurrency conflicts within a design. In this paper we present Koika, a derivative of Bluespec that preserves its desirable properties and yet gives direct control over the scheduling decisions that determine performance. Koika has a novel and deterministic operational semantics that uses dynamic analysis to avoid concurrency anomalies. Our implementation includes Coq definitions of syntax, semantics, key metatheorems, and a verified compiler to circuits. We argue that most of the extra circuitry required for dynamic analysis can be eliminated by compile-time BSV-style static analysis.

David Young,Ziyi Yang,Ilya Sergey,Alex Potanin

2024-07-15

Abstract:Synthetic Separation Logic (SSL) is a formalism that powers SuSLik, the state-of-the-art approach for the deductive synthesis of provably-correct programs in C-like languages that manipulate Heap-based linked data structures. Despite its expressivity, SSL suffers from two shortcomings that hinder its utility. First, its main specification component, inductive predicates, only admits first-order definitions of data structure shapes, which leads to the proliferation of ''boiler-plate'' predicates for specifying common patterns. Second, SSL requires concrete definitions of data structures to synthesise programs that manipulate them, which results in the need to change a specification for a synthesis task every time changes are introduced into the layout of the involved structures. We propose to significantly lift the level of abstraction used in writing Separation Logic specifications for synthesis -- both simplifying the approach and making the specifications more usable and easy to read and follow. We avoid the need to repetitively re-state low-level representation details throughout the specifications -- allowing the reuse of different implementations of the same data structure by abstracting away the details of a specific layout used in memory. Our novel high-level front-end language called Pika significantly improves the expressiveness of SuSLik. We implemented a layout-agnostic synthesiser from Pika to SuSLik enabling push-button synthesis of C programs with in-place memory updates, along with the accompanying full proofs that they meet Separation Logic-style specifications, from high-level specifications that resemble ordinary functional programs. Our experiments show that our tool can produce C code that is comparable in its performance characteristics and is sometimes faster than Haskell.

Programming Languages

M. A. Hafiz,L. Besnard,Jianwei Niu,Noor Khan,J. Talpin,Kai Hu

DOI: https://doi.org/10.1109/SKG49510.2019.00034

2019-09-01

Abstract:The SIGNAL is a high-level synchronous data-flowlanguage for the design and implementation of safety-criticalembedded systems. It provides a unified framework forspecification, modeling, formal analysis, and automatic codegeneration for different general-purpose languages like Java, C, and C++. However, fully implemented and verified open sourcetool for code generation from SIGNAL to Hardware DescriptionLanguage (HDL) is not available. This paper describes theformal verification of the generated Verilog code from theSIGNAL language. Proving the correctness of generated code isvery important when it is for safety-critical embedded systems. We use the translation validation technique for verifying thecorrectness of the generated code. In this approach, thePolychrony Toolset builds the models of source SIGNALprograms with its associated model checker SIGALI. The opensource tool Yosys generates models for target Verilog programsin the SMT-LIB standard format. We transform the modelgenerated by Yosys to the model accepted by the SIGALI modelchecker. Finally, we use the SIGALI model checker to validatethe translation by symbolic simulation between both source andtarget program models. The target program may have fewerbehaviors than the source program therefore if the model of thetarget program implies the model of the source program, itmeans the target program preserves the semantics of the sourceprogram, and the translation is correct.

Computer Science,Engineering

Prasita Mukherjee,Benjamin Delaware

2024-10-19

Abstract:We present \synver{}, a novel synthesis and verification framework for C programs, that deploys a Large Language Model (LLM) to search for a candidate program that satisfies the given specification. Our key idea is to impose syntactic and semantic biases on programs generated by LLMs, such that the synthesized program is more amenable to automated verification. Based on this idea, we propose a novel specification-verification tool, built on top of Verified Software Toolchain, that help automate the process. Our experiments on a diverse set of benchmarks drawn from the deductive program synthesis community, shows that this approach is scalable and extensible. The benchmarks constitute of specifications comprising of basic coding examples, Separation Logic based assertions, and API specifications.

Programming Languages

Yashdeep Godhal,Krishnendu Chatterjee,Thomas A. Henzinger

DOI: https://doi.org/10.1007/s10009-011-0207-9

2011-07-10

International Journal on Software Tools for Technology Transfer

Abstract:The standard hardware design flow involves: (a) design of an integrated circuit using a hardware description language, (b) extensive functional and formal verification, and (c) logical synthesis. However, the above-mentioned processes consume significant effort and time. An alternative approach is to use a formal specification language as a high-level hardware description language and synthesize hardware from formal specifications. Our work is a case study of the synthesis of the widely and industrially used AMBA AHB protocol from formal specifications. Bloem et al. presented the first formal specifications for the AMBA AHB Arbiter and synthesized the AHB Arbiter circuit. However, in the first formal specification some important assumptions were missing. Our contributions are as follows: (a) We present detailed formal specifications for the AHB Arbiter incorporating the missing details, and obtain significant improvements in the synthesis results (both with respect to the number of gates in the synthesized circuit and with respect to the time taken to synthesize the circuit), and (b) we present formal specifications to generate compact circuits for the remaining two main components of AMBA AHB, namely, AHB Master and AHB Slave. Thus with systematic description we are able to automatically and completely synthesize an important and widely used industrial protocol.

computer science, software engineering