Despite years of research, the overall impact of formal methods on mainstream software design has been disappointing. By contrast, formal methods are beginning to make real inroads in commercial hardware design. This penetration is the result of sustained progress in automated hardware verification methods, an increasing accumulation of success stories from using formal techniques, and a growing consensus among hardware designers that traditional validation techniques are not keeping up with the increasing complexity of designs. For example, validation of a new microprocessor design typically requires as much manpower as the design itself, and the size of validation teams continues to grow. This manpower is employed in writing test cases for simulations that run for months on acres of high-powered workstations. In particular, the notorious FDIV bug in the Intel Pentium processor [13], has galvanized verification efforts, not because it was the first or most serious bug in a processor design, but because it was easily repeatable and because the cost was quantified (at over $400 million). Hence, hardware design companies are increasingly looking to new techniques, including formal verification, to supplement and sometimes replace conventional validation methods. Indeed, many companies, including industry leaders such as AT&T, Cadence, Hewlett-Packard, IBM, Intel, LSI Logic, Motorola, Rockwell, Texas Instruments, and Silicon Graphics have created formal verification groups to help with ongoing designs. In many cases, these groups began by demonstrating the effectiveness of formal verification by finding subtle design errors that were overlooked by months of simulation.

. We describe a formal specification and mechanized verification in PVS of the general theory of SRT division along with a specific hardware realization of the algorithm. The specification demonstrates how attributes of the PVS language (in particular, predicate subtypes) allow the general theory to be developed in a readable manner that is similar to textbook presentations, while the PVS table construct allows direct specification of the implementation's quotient lookup table. Verification of the derivations in the SRT theory and for the data path and lookup table of the implementation are highly automated and performed for arbitrary, but finite precision; in addition, the theory is verified for general radix, while the implementation is specialized to radix 4. The effectiveness of the automation stems from the tight integration in PVS of rewriting with decision procedures for equality, linear arithmetic over integers and rationals, and propositional logic. This example demonstrates t...

We report on the formal verification of the floating point unit used in the VAMP processor. The FPU is fully IEEE compliant, and supports denormals and exceptions in hardware. The supported operations are addition, subtraction, multiplication, division, comparison, and conversions. The hardware is verified on the gate level against a formal description of the IEEE standard by means of the theorem prover PVS.

. The most powerful tools for analysis of formal specifications are general-purpose theorem provers and model checkers, but these tools provide scant methodological support. Conversely, those approaches that do provide a well-developed method generally have less powerful automation. It is natural, therefore, to try to combine the better-developed methods with the more powerful general-purpose tools. An obstacle is that the methods and the tools often employ very different logics. We argue that methods are separable from their logics and are largely concerned with the structure and organization of specifications. We propose a technique called structural embedding that allows the structural elements of a method to be supported by a general-purpose tool, while substituting the logic of the tool for that of the method. We have found this technique quite effective and we provide some examples of its application. We also suggest how general-purpose systems could be restructured ...

. In the decade of the 1990s, formal methods have progressed from an academic curiosity at best, and a target of ridicule at worst, to a point where the leading manufacturer of microprocessors has indicated that its next design will be formally verified. In this short paper, I sketch a plausible history of the developments that led to this transformation, present a snapshot of the current state of the practice, and indicate some promising directions for the future. Mindful of the title of this conference, I suggest how formal methods might have an impact on software similar to that which they have had on hardware. 1 The Past In their early days (the 1970s---though continuing to the present in some places), formal methods were associated with proofs of program correctness. This is not only a very costly and difficult exercise---it requires formalizing the semantics of real programming languages, and dealing with the scale and characteristics of real imperative programs---but i...

We provide sufficient conditions that formally guarantee that the floating-point computation of a polynomial evaluation is faithful. To this end, we develop a formalization of floatingpoint numbers and rounding modes in the Program Verification System (PVS). Our work is based on a well-known formalization of floating-point arithmetic in the proof assistant Coq, where polynomial evaluation has been already studied. However, thanks to the powerful proof automation provided by PVS, the sufficient conditions proposed in our work are more general than the original ones.

It is shown how to use the PVS specification language and proof checker to present a hierarchical formalization of a two-dimensional, highspeed integer multiplier on the gate level. We first give an informal description of iterative array multiplier circuits together with a natural refinement into vertical and horizontal stages, and then show how the various features of PVS can be used to obtain a readable, high-level specification. The verification exploits the tight integration between rewriting, arithmetic decision procedures, and equality that is present in PVS. Altogether, this case study demonstrates that the resources of an expressive specification language and of a general-purpose theorem prover permit highly automated verification in this domain, and can contribute to clarity, generality, and reuse. 1 Introduction Verifying functional correctness results about arithmetic circuits poses some serious challenges to current hardware verification techniques. Almost all automated a...

m, P is a temporal formula. (M can also be expressed as a formula.) ffl Functional Programming: M is a function, and P (x; M(x)) holds. 3 ' & $ % Automated Deductive Verification Deductive verification proofs can be large. For a system with 10 transitions, proof of an invariant with 5 conjuncts, 50 cases in the proof. Automation is needed to ffl Manage the proof construction process (bookkeeping). ffl Automatically simplify the trivial cases. ffl Focus verifier's attention on the difficult or problematic cases. An automated deductive verification environment consists of: ffl Formal specification language ffl Syntax and typechecking tools ffl Proof development tools (theorem prover) 4 ' & $ % Example:

A design structure is presented to assist in the design of IEEE compliant floating point hardware. The basis of the process is an abstraction of the bitwise operations found in hardware to reals and integers. This simplifies the definition of functionality prior to going to hardware. The final design structure will include a set of general algorithms defined for floating point operations (add, sub, multiply, division, square root) which are verified with respect to the IEEE standard. The designer then instantiates the general algorithms to complete the algorithmic specification. The algorithms are then mapped to hardware, maintaining the abstraction. The result is a verified functional description of the hardware which can then be realized by conventional techniques or by refining the description to bitwise operations. This paper is a work in progress which describes the design process to get a functional description of the hardware. Current work has focused on subtractive division and...