Complementary use of runtime validation and model checking

The increasing gap between design complexity and compute power for verification necessitates radically new solutions to meet the verification challenges for future generations of hardware designs. Increasingly it will not be possible to completely validate hardware prior to fabrication. We will need to reconcile ourselves to the fact that hardware, like software, will be shipped with bugs. However, this can be acceptable with appropriate mechanisms for runtime validation that detect bugs and recover from them when needed. This paper takes a significant step in examining runtime validation as part of the verification methodology. It examines the strengths and weaknesses of runtime validation and how it may be used to complement model checking in a hybrid methodology. We consider the use of on-chip hardware for detecting bugs using hardware assertions. These assertions may be used for validating abstractions and assumptions for use in offline model checking. Hardware based assertions monitor properties at runtime and do not suffer from the state explosion problem. Offline model checking is used to validate globally distributed properties where runtime error detection has limitations in monitoring and responding to signals separated by many clock cycles. In this case the hardware based runtime validated abstractions and assumptions help in reducing the state space for model checking. Our ideas are demonstrated on a highly concurrent, yet simple to understand token sharing protocol, as well as a fairly complex cache coherence system.