Results 1-10 of 17
DDDFM9001: Derivation of a Verified Microprocessor
, 1994
Cited by 21 (6 self)
Abstract
Derivation and verification represent alternate approaches to design. Derivation aims at deriving a "correct by construction" design while verification aims at constructing a post factum "proof of correctness" for a design. However, as researchers and engineers gain design experience in a formal framework, both approaches are emerging as interdependent facets of design. The thesis of this work is that alternate forms of formal reasoning must be integrated if formal methods are to support the natural analytical and generative reasoning that takes place in engineering practice. As a vehicle for this research, the DDD digital design derivation system was implemented to study formal hardware design in an algebraic framework. DDD is a first-order transformation system which mechanizes a basic design algebra for synthesizing digital circuit descriptions from high-level functional specifications. The system is a collection of correctness-preserving transformations that promote a top-down desig...
A Correctness Model for Pipelined Microprocessors
Cited by 18 (1 self)
Abstract
What does it mean for an instruction pipeline to be correct? We recently completed the specification and verification of a pipelined microprocessor called Uinta. Our proof makes no simplifying assumptions about data and control hazards. This paper presents the specification, describes the verification, and discusses the effect of pipelining on the correctness model.
1 Introduction
Much has been written over the years regarding the formal specification and verification of microprocessors. Most of these efforts have been directed at non-pipelined microprocessors [Gor83, Bow87, Hun87, CCLO88, Coh88, Joy88, Hun89, Win90, Her92, SWL93, Win94b]. The verification of pipelined microprocessors presents unique challenges. The correctness model is somewhat different than the standard correctness models used previously (see Section 7.1). Besides the correctness model, the concurrent operations inherent in a pipeline lead to hazards which must be considered in the proof. There are three typ...
Implementing a Methodology for Formally Verifying RISC Processors in HOL
, 1994
Cited by 15 (7 self)
Abstract
In this paper a methodology for verifying RISC cores is presented. This methodology is based on a hierarchical model of interpreters. This model allows us to define formal specifications at each level of abstraction and successively prove the correctness between the neighbouring abstraction levels, so that the overall specification is correct with respect to its hardware implementation. The correctness proofs have been split into two steps so that the parallelism in the execution due to the pipelining of instructions is accounted for. The first step shows that the instructions are correctly processed by the pipeline and the second step shows that the semantics of each instruction is correct. We have implemented the specification of the entire model and performed parts of the proofs in HOL.
1 Introduction
Completely automating the verification of general complex systems is practically impossible. Hence appropriate heuristics for specific classes of circuits such as finite state machi...
A Theory of Generic Interpreters
, 1993
Cited by 13 (3 self)
Abstract
We present an abstract theory of interpreters. Interpreters are models of computation that are specifically designed for use as templates in computer system specification and verification. The generic interpreter theory contains an abstract representation which serves as an interface to the theory and as a guide to specification. A set of theory obligations ensures that the theory is being used correctly and provides a guide to system verification. The generic interpreter theory provides a methodology for deriving important definitions and lemmas that were previously obtained in a largely ad hoc fashion. Many of the complex data and temporal abstractions are done in the abstract theory and need not be redone when the theory is used.
A Practical Methodology for the Formal Verification of RISC Processors
, 1995
Cited by 9 (0 self)
Abstract
In this paper a practical methodology for formally verifying RISC cores is presented. This methodology is based on a hierarchical model of interpreters which reflects the abstraction levels used by a designer in the implementation of RISC cores, namely the architecture level, the pipeline stage level, the clock phase level and the hardware implementation. The use of this model allows us to successively prove the correctness between two neighbouring levels of abstraction, so that the verification process is simplified. The parallelism in the execution of the instructions, resulting from the pipelined architecture of RISCs, is handled by splitting the proof into two independent steps. The first step shows that each architectural instruction is implemented correctly by the sequential execution of its pipeline stages. The second step shows that the instructions are correctly processed by the pipeline, in that we prove that under certain constraints from the actual architecture, no conflic...
Specifying Instruction-Set Architectures in HOL: A Primer
, 1994
Cited by 5 (0 self)
Abstract
This paper presents techniques for specifying microprocessor instruction set syntax and semantics in the HOL theorem proving system. The paper describes the use of abstract representations for operators and data, gives techniques for specifying instruction set syntax, outlines the use of records in specifying semantic domains, presents the creation of parameterized semantic frameworks, and shows how all of these can be used to create a semantics for a microprocessor instruction set. The verified microprocessor Uinta provides examples for each of these.
1 Introduction
Much has been written over the years regarding the formal specification and verification of microprocessors [CCLO88, Bow87, Hun87, Coh88b, Coh88a, Gor83, Joy88, Hun89, Joy89, SB90, Her92, SWL93, TK93]. These efforts use many different proof systems and styles. We have verified a number of microprocessors in the HOL theorem proving system [Win90a, Win90b, Win94, WC94] and have developed techniques which clarify t...
Problems Encountered in the Machine-assisted Proof of Hardware
Higher Order Logic Theorem Proving and Its Applications, Lecture Notes in Computer Science 780
, 1994
Cited by 3 (0 self)
Abstract
We describe our experiences verifying real communications hardware using machine-assisted proof. In particular we reflect on the errors found, problems encountered and the bottlenecks that slowed the progress of the proofs. We also note techniques which would alleviate the problems. Most of the problems we discuss only become significant when large designs are verified.
1 Introduction
Descriptions of formal verification projects invariably focus on the successes. However, much can also be learned from the things that slow progress. In this paper we reflect on the problems encountered in the verification of real communications hardware: the Fairisle Asynchronous Transfer Mode (ATM) switching fabrics [7]. Fairisle is an existing network, designed by the Systems Research Group in Cambridge. It was designed as a platform for research into multimedia and management issues of ATM networks, and carries real user data. The switching fabrics that we considered contain both control and data p...
Incremental Design and Formal Verification of Microcoded Microprocessors
Theorem Provers in Circuit Design, Proceedings of the IFIP WG 10.2 International Working Conference
, 1992
Cited by 3 (0 self)
Abstract
A number of microprocessors have been specified and verified using machine-supported formal techniques [2], [1], [7], [8], [10]. Some of these were pre-existing designs, others were designed as part of the specification and verification project. Even in the case of new designs, the formal techniques used offered very little support for incremental design and verification. Support for incremental design and verification means that certain additions to the implementation and/or specification can be verified without re-verification of the previous parts. Here, we present techniques for incremental design and verification which, as well as providing more appropriate models, also make the formal verification more efficient. The formal framework to support these ideas has been implemented in the HOL system and has been used in the specification, design and verification of a microcoded microprocessor. The techniques deal with three different aspects of the microprocessor: specification of mac...
Implementational Issues for Verifying RISC-Pipeline Conflicts in HOL
, 1994
Cited by 3 (1 self)
Abstract
We outline a general methodology for the formal verification of instruction pipelines in RISC cores. The different kinds of conflicts, i.e. resource, data and control conflicts, that can occur due to the simultaneous execution of the instructions in the pipeline have been formally specified in HOL. Based on a hierarchical model for RISC processors, we have developed a constructive proof methodology, i.e. when conflicts at a specific abstraction level are detected, the conditions under which these occur are generated and explicitly output to the designer, thus easing their removal. All implemented specifications and tactics are kept general, so that the implementation could be used for a wide range of RISC cores. In this paper, the described formalization and proof strategies are illustrated via the DLX RISC processor.
1 Introduction
In this paper, we concentrate on the formalization and the correctness proofs of instruction pipelines in RISC cores. The previous work (from other re...