: Recent advances in the field of hardware verification have raised some fresh (and some familiar) issues to do with the scope and limitations of formal proof. In this note, some of these are considered in the context of the Viper verification project. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott and J. Kershaw, of the Royal Signals and Radar Establishment of the U.K. Ministry of Defense, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally verified; they presented Viper's more abstract specifications in a language suitable for formal reasoning, and they placed the design in the public domain. Viper microprocessors are currently being marketed as verified chips. The formal proof aspects of the verification work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract ...

this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of Computational Logic, Inc., NASA, the Defense Advanced Research Projects Agency or the U.S. Government. The Formal Specification and Partial Verification of VIPER Technical Report #46

This research report describes the formal verification of an arithmetic logic unit of the VIPER microprocessor. VIPER is one of the first processors designed using formal methods. A formal model in HOL has been created which models the ALU at two levels: on the higher level, the ALU is specified as a function taking two 32bit operands and returning a result; on the lower level, the ALU is implemented by a number of 4-bit slices which should takes the same operands and returns the same result. The ALU is capable of performing thirteen different operations. A formal proof of functional equivalence of these two levels has been completed successfully. The complete HOL text of the ALU formal model and details of the proof procedures are included in this report. It has demonstrated that the HOL system is powerful and efficient enough to perform formal verification of realistic hardware design. 4 ALU Verification 1 Introduction This report describes the verification of the Arithmetic Logi...

We present a summary of [59] that develops the theoretical and practical tools necessary to provide a weak, second-order algebraic approach to stream processing. This research is in contrast to existing techniques in the literature that are typically based on full secondorder semantic models. In particular, we compare our approach with existing methods to demonstrate its advantages from the perspective of an analysis of computability issues and automated verification, and hence show that it provides the basis of an alternative general theory of stream processing. Finally, we discuss the development of the language ASTRAL based on this theory. 1 INTRODUCTION 2 1 Introduction 1.1 Definitions and Notation This paper is a companion to [60] that presents a detailed survey of the stream processing literature. As such we assume complete familiarity with [60] to which the reader is directed for all definitions and notation. 1.2 Motivation Our research into stream processing has bee...

This paper describes an experiment to evaluate the applicability of the VIPER (Verifiable Integrated Processor for Enhanced Reliability) microprocessor to real-time control. The VIPER microprocessor was invented by the Royal Signals and Radar Establishment (RSRE), U.K., and is an example of the use of formal mathematical methods for developing digital electronic systems with a high degree of assurance on the system design and implementation correctness. The design of the VIPER microprocessor was guided by several criteria and restricted by engineering and verification methods including: ffl Developing a microprocessor for use in safety-critical applications [4]