The following people have been involved with the work:
Each system has distinct advantages and disadvantages. The specification
styles used are totally different: timing diagrams versus state transition
diagrams. Which is preferred is perhaps a matter of taste. The MDG style of
specification could potentially be used in the HOL approach, though not vice
versa. The MDG verification was faster, involving weeks rather than a few months
of effort. Much of the slow down is actually due to the modular approach adopted
with HOL. With MDG the whole design is specified and verified in one go. With
HOL each module is specified and verified separately. This is more time
consuming as each module must be individually understood, specified and
verified. However, it pays off for the verification of subsequent related
designs which then take only days. Furthermore, because of this comprehensive
inspection of all modules, design changes can be suggested that improve or
simplify the design. It also means that the HOL approach is potentially scalable
to larger designs whereas the MDG approach is not. MDG provides a relatively
straightforward way to check specific properties of a design. It also provides
counter-examples when errors are encountered. With HOL, the problem of finding
the cause of errors is eased because of the thorough understanding of the design
that is obtained. This does not occur with MDG because of its black-box
approach. A final advantage of the HOL approach is the extra confidence its
results are afforded because of its LCF-style design.
For more information see:
A Comparison of HOL and MDG
In conjunction with the MDG group based at
Montreal University, we have compared the HOL and MDG systems. MDG is based on a
decision graph approach extended with a new technique called abstract implicit
enumeration in which decision graphs are used to represent sets of states as
well as the transition and output relations.
Publications