Formal Hardware Specification Languages for Protocol Compliance Verification
Total Page:16
File Type:pdf, Size:1020Kb
Formal Hardware Specification Languages for Protocol Compliance Verification ANNETTE BUNKER and GANESH GOPALAKRISHNAN University of Utah and SALLY A. MCKEE Cornell University The advent of the system-on-chip and intellectual property hardware design paradigms makes pro- tocol compliance verification increasingly important to the success of a project. One of the central tools in any verification project is the modeling language, and we survey the field of candidate languages for protocol compliance verification, limiting our discussion to languages originally in- tended for hardware and software design and verification activities. We frame our comparison by first constructing a taxonomy of these languages, and then by discussing the applicability of each approach to the compliance verification problem. Each discussion includes a summary of the devel- opment of the language, an evaluation of the language’s utility for our problem domain, and, where feasible, an example of how the language might be used to specify hardware protocols. Finally, we make some general observations regarding the languages considered. Categories and Subject Descriptors: B.4.3 [Input/Output and Data Communications]: Inter- connections (Subsystems)—Interfaces; B.4.5 [Input/Output and Data Communications]: Reli- ability, Testing, and Fault-Tolerance—Hardware reliability; B.7.2 [Integrated Circuits]: Design aids—Verification; C.2.2 [Computer-Communication Networks]: Network Protocols—Protocol verification; D.3.3 [Programming Languages]: Language Constructs and Features—Data types and structures General Terms: Languages, Verification Additional Key Words and Phrases: e, Esterel, Heterogeneous Hardware Logic, hardware monitors, Hierarchical Annotated Action Diagrams, Java, Lava, Live Sequence Charts, Message Sequence Charts, Objective VHDL, OpenVera, Property Specification Language, SpecC, Specification and De- scription Language, SystemC, SystemVerilog, Statecharts, timing diagrams, The Unified Modeling Language A preliminary version of this paper appeared as “An overview of formal hardware specification languages” in the Grace Hopper Celebration of Women in Computing, October 2002. This work was supported by National Science Foundation Grants CCR-9987516 and CCR-0219805. Authors’ addresses: A. Bunker and G. Gopalakrishnan, School of Computing, University of Utah, 50 S. Central Campus Drive, Room 3190, Salt Lake City, UT 84112; email: [email protected]; [email protected]; S. A. McKee, School of Electrical and Computing Engineering, Cornell Uni- versity, 324 Phillips Hall, Ithaca, NY 14853; email: [email protected]. Permission to make digital/hard copy of part or all of this work for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication, and its date appear, and notice is given that copying is by permission of ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permision and/or a fee. C 2004 ACM 1084-4309/04/0100-0001 $5.00 ACM Transactions on Design Automation of Electronic Systems, Vol. 9, No. 1, January 2004, Pages 1–32. 2 • Bunker et al. 1. INTRODUCTION The emergence of the system-on-chip (SoC) development paradigm presents designers with new challenges in all aspects of the design process. Predictably, verifying a design consisting of intellectual property (IP) from several orga- nizations is monumental among these challenges. Our research addresses this issue by investigating the possibilities of formally verifying that an in- terface complies with a published standard, and by investigating methods for performing such a verification. In this paper, we survey several formal specification languages that are candidates for interface standard compliance verification. As in any engineering effort, the tools chosen for a verification project can greatly affect its success or failure. One of the most important tools of a for- mal verification engineer is the language used to specify the design. Having a broad view of the specification languages available allows the practitioner to refine the candidate set to further investigate only those most appropriate for the problem to be solved. To that end, we present a taxonomy of the specifi- cation language space, and we use this taxonomy to structure our discussion of the similarities, differences, and relative merits of each approach. We clas- sify specification languages first according to their form, that is, textual versus graphical or visual. We make finer classifications according to origins: hard- ware description languages (HDLs) versus traditional software programming languages versus temporal logic languages, in the textual case, and software engineering versus hardware engineering versus system engineering, in the visual case. Since we focus on tools for formal protocol compliance verification, we re- strict our survey to languages that explicitly support concurrent interactions occurring at component interfaces. As this is not a sharp selection criterion, we supplement it with two secondary criteria. First, where we consider a lan- guage that emphasizes multiple features that enable protocol specification, we facilitate comparison by also including other languages emphasizing similar features. Second, we focus our discussion on recent developments in this field, avoiding, for instance, discussion of Scheme-based hardware description and many older logic languages. We include Objective VHDL for its emphasis on message passing and its descent from a traditional hardware description language. Likewise, hardware monitor approaches and SystemVerilog grow directly from traditional simula- tion and emphasize protocol compliance verification. We include SpecC, Sys- temC, and Java because of their similarity to C, which should make them easy for most engineers to learn, and for their interface specification facilities. In- dustrial interest in verification applications of all sorts in e, OpenVera, and Esterel merits their inclusion. Lava takes a radically different approach by us- ing multiple interpretations of the same specification for various design and verification activities. Property Specification Language’s foundations in formal temporal logics deserve inclusion. We consider Message Sequence Charts for their message passing model, and Statecharts for their expressive state ma- chine notation. The Unified Modeling Language incorporates both of these, ACM Transactions on Design Automation of Electronic Systems, Vol. 9, No. 1, January 2004. Formal Hardware Specification Languages • 3 along with other diagrammatic notations. In addition, engineers find it useful in embedded and real-time systems. Explicit communication provided by a state machine model makes Specification and Description Language of interest to our survey. We include timing diagrams, Hierarchical Annotated Action Diagrams, and the Heterogeneous Hardware Logic for their formal foundations and for their hardware-specific specification capabilities. Finally, we include Live Se- quence Charts for their strengths in specifying message passing and for other features that aid in formalizing specifications. No single language is likely to match our application exactly, but we prefer to adapt an existing language rather than to develop a new language. The ideal language for our purposes has four characteristics that we use to evaluate the candidate languages: —Precise semantics. Our application requires a language with a complete for- malization. Because the specification provides a baseline for many imple- mentations developed by different organizations, a precise semantics must be available. —Short learning curve. The language must be easy to learn and understand, even by those not highly trained in formal verification techniques. A well- established, formal compliance verification system is likely to be used by engineers of all specialties, not just formal verification engineers. —Connections with automatic verification techniques. Because the same ver- ification may be performed by both the IP designer and the IP integrator, the verification effort must be significantly less than the total design effort. Because the organizations involved may be contractually bound, the verifica- tion must also state definitively whether or not the IP block complies with the standard. Furthermore, the results of the verification must be reproducible. Languages that lend themselves to automatic verification techniques are more likely to satisfy these requirements. —Integration with existing design practice. The transfer of formal methods technologies to industrial practice depends on their ability to fit into exist- ing or emerging design practices. The recent explosion of new design and reuse methods offers many opportunities for integrating formal compliance verification methods with accepted design practices. The discussion of each language follows a simple outline. First, we summa- rize the syntax of the language and offer some basic background on its develop- ment. Next, where feasible, we present and discuss an example specified in the language. To facilitate comparison, we confine our examples to a single data- handshake protocol. In this protocol, an initiator process drives data on a data bus, then asserts a flag telling the target process that the data is ready. Upon receiving the validation signal, the target reads the data off the bus and asserts an acknowledgment signal, allowing the initiator to proceed with subsequent