The Notion of Proof in Hardware Verification
1989
: Recent advances in the field of hardware verification have raised some fresh (and some familiar) issues to do with the scope and limitations of formal proof. In this note, some of these are considered in the context of the Viper verification project. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott and J. Kershaw, of the Royal Signals and Radar Establishment of the U.K. Ministry of Defense, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally verified; they presented Viper's more abstract specifications in a language suitable for formal reasoning, and they placed the design in the public domain. Viper microprocessors are currently being marketed as verified chips. The formal proof aspects of the verification work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract ...
Experiences Formally Verifying A Network Component
In Proceedings of the 9th Annual IEEE Conference on Computer Assurance, 1994
Introduction. Communication networks are rapidly becoming all-pervasive. Systems are increasingly being networked in the local area, with applications using non-local services. In the wide area, telecommunications companies are turning to digital networks. As networks become all-pervasive, the consequences of errors in the design or implementation of network components become increasingly important. This is especially so if networks are used in safety-critical applications where communication problems could cause loss of life. For example, a telephone network problem can contribute to loss of life if the emergency services cannot be contacted. Errors could cause the network to deadlock, particular links to crash, the service to be degraded to an unacceptable level, or even the whole network to crash. Network problems affect a wide range of users and applications and can cause whole systems or companies to grind to a halt [16, 17]. Asynchronous Transfer Mode (ATM) is a relatively
Behavioral Verification of an ATM Switch Fabric using Implicit Abstract State Enumeration
1996
We investigate the equivalence checking of the RTL hardware implementation of the Cambridge Fairisle Asynchronous Transfer Mode (ATM) 4 by 4 switch fabric against a high-level behavioral specification which has no restrictions with respect to the frame size, cell length or word width. The verification is based on the reachability analysis of the product machine of the implementation and the specification, both modeled as Abstract State Machines (ASM). Multiway Decision Graphs (MDG) are used to encode both the output and transition relations of ASMs and the set of reachable abstract states, allowing implicit abstract state enumeration. Since MDGs avoid model explosion induce...
Using Synchronized Transitions for Simulation and Timing Verification
Workshop on Designing Correct Circuits, 1991
Synchronized Transitions is a formal notation for hardware specification, verification, and simulation. This paper describes the use of Synchronized Transitions in the design of a chip for high bandwidth interprocessor communication. The chip uses a hybrid of synchronous and self-timed circuit techniques; a proof is presented that all timing requirements are satisfied. The Synchronized Transitions notation is presented, and it is shown how programs can be translated into logic predicates, providing a basis for formal verification. The use of Synchronized Transitions in the simulation of the chip is described, and the design choices of using both simulation and formal proofs are discussed.

