A Mechanically Verified Language Implementation
Journal of Automated Reasoning, 1989
Abstract

Cited by 52 (2 self)
The views contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of Computational Logic, Inc., the Defense Advanced Research Projects Agency or the U.S. Government. This paper briefly describes a programming language, its implementation on a microprocessor via a compiler and link-assembler, and the mechanically checked proof of the correctness of the implementation. The programming language, called Piton, is a high-level assembly language designed for verified applications and as the target language for high-level language compilers. It provides execute-only programs, recursive subroutine call and return, stack-based parameter passing, local variables, global variables and arrays, a user-visible stack for intermediate results, and seven abstract data types including integers, data addresses, program addresses and subroutine names. Piton is formally specified by an interpreter written for it in the computational logic of Boyer and Moore. Piton has been implemented on the FM8502, a general-purpose microprocessor whose gate-level design has been mechanically proved to implement its machine code interpreter. The FM8502 implementation of Piton is via a function in the Boyer-Moore logic which maps a Piton initial state into an FM8502 binary core image. The compiler and link-assembler are all defined as functions in the logic. The implementation requires approximately 36K bytes and 1,400 lines of pretty-printed source code in the Pure Lisp-like syntax of the logic. The implementation has been mechanically proved correct. In particular, if a Piton state can be run to completion without error, then the final values of all the global data structures can be ascertained from an inspection of an FM8502 core image obtained by running the core image produced by the compiler and link-assembler. Thus, verified Piton programs running on FM8502 can be thought of as having been verified down to the gate level.
Effective Theorem Proving for Hardware Verification
1994
Abstract

Cited by 38 (6 self)
The attractiveness of using theorem provers for system design verification lies in their generality. The major practical challenge confronting theorem proving technology is in combining this generality with an acceptable degree of automation. We describe an approach for enhancing the effectiveness of theorem provers for hardware verification through the use of efficient automatic procedures for rewriting, arithmetic and equality reasoning, and an off-the-shelf BDD-based propositional simplifier. These automatic procedures can be combined into general-purpose proof strategies that can efficiently automate a number of proofs including those of hardware correctness. The inference procedures and proof strategies have been implemented in the PVS verification system. They are applied to several examples including an N-bit adder, the Saxe pipelined processor, and the benchmark Tamarack microprocessor design. These examples illustrate the basic design philosophy underlying PVS where powerful...
A Correctness Model for Pipelined Microprocessors
Abstract

Cited by 18 (1 self)
What does it mean for an instruction pipeline to be correct? We recently completed the specification and verification of a pipelined microprocessor called Uinta. Our proof makes no simplifying assumptions about data and control hazards. This paper presents the specification, describes the verification, and discusses the effect of pipelining on the correctness model. 1 Introduction Much has been written over the years regarding the formal specification and verification of microprocessors. Most of these efforts have been directed at non-pipelined microprocessors [Gor83, Bow87, Hun87, CCLO88, Coh88, Joy88, Hun89, Win90, Her92, SWL93, Win94b]. The verification of pipelined microprocessors presents unique challenges. The correctness model is somewhat different from the standard correctness models used previously (see Section 7.1). Besides the correctness model, the concurrent operations inherent in a pipeline lead to hazards which must be considered in the proof. There are three typ...
Hardware Description with Recursion Equations
In Proceedings of the IFIP 8th International Symposium on Computer Hardware Description Languages and their Applications, 1987
Abstract

Cited by 13 (4 self)
This paper develops such a scheme, called "hardware description with recursion equations" (abbreviated HDRE and pronounced as hydra). A designer using HDRE may describe a circuit using a simple set of primitive functions written in an underlying general-purpose programming language, and the description itself is just a function written in that language. Executing a circuit description function provides its meaning, that is, its semantic content.
A Behavioral Model for Codesign
FM'99 - Formal Methods, Lecture Notes in Computer Science, 1999
Abstract

Cited by 12 (2 self)
There is an increasing awareness of the need for behavioural models suited for specifying and reasoning about both programs and digital devices. This report presents a specification language based on Interval Temporal Logic for mixed hardware/software systems. The language is equipped with a novel parallel operator in support of the integration of systems evolving at various time rates. Its mixed interval structure enables us to model both discrete-time and continuous-time systems. The framework provides a unifying means for presenting the main features of event-based hardware description languages and state-based programming languages. The paper gives a number of tests, known as healthiness conditions, which can be applied to specifications and intermediate designs to maintain their feasibility during the development process. We also provide an observation-oriented semantics to the core of the VERILOG Hardware Description Language, and formalise the temporal language TEMPURA in this...
Report on the Formal Specification and Partial Verification of the VIPER Microprocessor
1990
Specifying Instruction-Set Architectures in HOL: A Primer
1994
Abstract

Cited by 5 (0 self)
This paper presents techniques for specifying microprocessor instruction set syntax and semantics in the HOL theorem proving system. The paper describes the use of abstract representations for operators and data, gives techniques for specifying instruction set syntax, outlines the use of records in specifying semantic domains, presents the creation of parameterized semantic frameworks, and shows how all of these can be used to create a semantics for a microprocessor instruction set. The verified microprocessor Uinta provides examples for each of these. 1 Introduction Much has been written over the years regarding the formal specification and verification of microprocessors [CCLO88, Bow87, Hun87, Coh88b, Coh88a, Gor83, Joy88, Hun89, Joy89, SB90, Her92, SWL93, TK93]. These efforts use many different proof systems and styles. We have verified a number of microprocessors in the HOL theorem proving system [Win90a, Win90b, Win94, WC94] and have developed techniques which clarify t...
The formalization of a simple hardware description language
Applied Formal Methods For Correct VLSI Design, 1989
A Formalization of a Hierarchical Model for RISC Processors
1993
Abstract

Cited by 2 (1 self)
Since microprocessors are used in many areas of real-time control, the use of formal methods provides an alternative approach for achieving high reliability. In this paper, a methodology based on a hierarchical model of interpreters is presented for formalizing RISCs in general. The abstraction levels used by a designer in the implementation of RISCs, namely the instruction set level, the pipeline stage level, the phase level and the hardware implementation, are mirrored by this hierarchical model. Hence the informal specifications given by the user, at each level of abstraction, can be easily converted into a formal specification in higher order logic. Such a model is of great use in formal verification and also in synthesis using transformational reasoning. 1 Introduction As computer systems are becoming increasingly complex, the trustworthiness of their design is questionable. Conventional approaches such as simulation and testing have a very high cost-to-confidence-gain ratio and ...