Results 1  10
of
66
An Industrial Strength Theorem Prover for a Logic Based on Common Lisp
 IEEE Transactions on Software Engineering
, 1997
"... ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language  namely, a large a ..."
Abstract

Cited by 129 (6 self)
 Add to MetaCart
(Show Context)
ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language  namely, a large applicative subset of Common Lisp  while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K 86 microprocessor by Advanced Micro Devices, Inc.
Formal verification in hardware design: A survey
, 1997
"... In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods ..."
Abstract

Cited by 113 (0 self)
 Add to MetaCart
In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods in a design process: The formal framework used to specify desired properties of a design, and the verification techniques and tools used to reason about the relationship between a specification and a corresponding implementation. We survey a variety of frameworks and techniques which have been proposed in the literature and applied to actual designs. The specification frameworks we describe include temporal logics, predicate logic, abstraction and refinement, as well as containment between!regular languages. The verification techniques presented include model checking, automatatheoretic techniques, automated theorem proving, and approaches that integrate the above methods.
ACL2 Theorems about Commercial Microprocessors
, 1996
"... ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of stateoftheart ..."
Abstract

Cited by 71 (16 self)
 Add to MetaCart
(Show Context)
ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of stateoftheart commercial microprocessors prior to fabrication. In the first project, Motorola, Inc., and CLI collaborated to specify Motorola's complex arithmetic processor (CAP), a singlechip, digital signal processor (DSP) optimized for communications signal processing. Using the specification, we proved the correctness of several CAP microcode programs. The second industrial collaboration involving ACL2 was between Advanced Micro Devices, Inc. (AMD) and CLI. In this work we proved the correctness of the kernel of the floatingpoint division operation on AMD's first Pentiumclass microprocessor, the AMD5K 86. In this paper, we discuss ACL2 and these industrial applications, with particular attention ...
The Security of Static Typing with Dynamic Linking
 In Fourth ACM Conference on Computer and Communications Security
, 1997
"... Dynamic linking is a requirement for portable executable content. Executable content cannot know, ahead of time, where it is going to be executed, nor know the proper operating system interface. This imposes a requirement for dynamic linking. At the same time, we would like languages supporting exec ..."
Abstract

Cited by 61 (1 self)
 Add to MetaCart
Dynamic linking is a requirement for portable executable content. Executable content cannot know, ahead of time, where it is going to be executed, nor know the proper operating system interface. This imposes a requirement for dynamic linking. At the same time, we would like languages supporting executable content to be statically typable, for increased efficiency and security. Static typing and dynamic linking interact in a securityrelevant way. This interaction is the subject of this paper. One solution is modeled in PVS, and formally proven to be safe.
Effective Theorem Proving for Hardware Verification
, 1994
"... . The attractiveness of using theorem provers for system design verification lies in their generality. The major practical challenge confronting theorem proving technology is in combining this generality with an acceptable degree of automation. We describe an approach for enhancing the effectiveness ..."
Abstract

Cited by 40 (6 self)
 Add to MetaCart
. The attractiveness of using theorem provers for system design verification lies in their generality. The major practical challenge confronting theorem proving technology is in combining this generality with an acceptable degree of automation. We describe an approach for enhancing the effectiveness of theorem provers for hardware verification through the use of efficient automatic procedures for rewriting, arithmetic and equality reasoning, and an offtheshelf BDDbased propositional simplifier. These automatic procedures can be combined into generalpurpose proof strategies that can efficiently automate a number of proofs including those of hardware correctness. The inference procedures and proof strategies have been implemented in the PVS verification system. They are applied to several examples including an Nbit adder, the Saxe pipelined processor, and the benchmark Tamarack microprocessor design. These examples illustrate the basic design philosophy underlying PVS where powerful...
Combining Theorem Proving and Trajectory Evaluation in an Industrial Environment
 in Proc. DAC
, 1998
"... We describe the verification of the IM: a large, complex (12,000 gates and 1100 latches) circuit that detects and marks the boundaries between Intel architecture (IA32) instructions. We verified a gatelevel model of the IM against an implementationindependent specification of IA32 instruction le ..."
Abstract

Cited by 35 (6 self)
 Add to MetaCart
(Show Context)
We describe the verification of the IM: a large, complex (12,000 gates and 1100 latches) circuit that detects and marks the boundaries between Intel architecture (IA32) instructions. We verified a gatelevel model of the IM against an implementationindependent specification of IA32 instruction lengths. We used theorem proving to to derive 56 modelchecking runs and to verify that the modelchecking runs imply that the IM meets the specification for all possible sequences of IA32 instructions. Our verification discovered eight previously unknown bugs. 1 Introduction The Intel architecture (IA32) instruction set has several hundred opcodes. The opcode length is variable, as are the lengths of operand and address displacement data. The architecture also includes the notion of prefix bytes, which change the semantics of the subsequent instruction. Two of the prefixes (h66, h67) can affect the length of the instruction. A single instruction may have multiple prefix bytes, but overall ...
Formal Requirements Analysis of an Avionics Control System
 IEEE Transactions on Software Engineering
, 1997
"... We report on a formal requirements analysis experiment involving an avionics control system. We describe a method for specifying and verifying realtime systems with PVS. The experiment involves the formalization of the functional and safety requirements of the avionics system as well as its multile ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
(Show Context)
We report on a formal requirements analysis experiment involving an avionics control system. We describe a method for specifying and verifying realtime systems with PVS. The experiment involves the formalization of the functional and safety requirements of the avionics system as well as its multilevel verification. First level verification demonstrates the consistency of the specifications whilst the second level shows that certain system safety properties are satisfied by the specification. We critically analyze methodological issues of large scale verification and propose some practical ways of structuring verification activities for optimising the benefits. KeywordsFormal specification, formal verification, safety critical systems, requirements analysis, avionics systems. I. Introduction T HIS paper reports on an experiment in the use of formal methods for producing and analyzing software requirements for a safetyrelated system. This work was conducted as part of the SafeFM ...
Mechanized Formal Reasoning about Programs and Computing Machines
, 1996
"... ly every instruction will have an opcode and two arguments, a and b. (defun opcode (ins) (nth 0 ins)) (defun a (ins) (nth 1 ins)) (defun b (ins) (nth 2 ins)) Because nth, like put, extends its list argument with nils, we can write instructions in three formats: (op), (op a), and (op a b) and omitte ..."
Abstract

Cited by 28 (11 self)
 Add to MetaCart
ly every instruction will have an opcode and two arguments, a and b. (defun opcode (ins) (nth 0 ins)) (defun a (ins) (nth 1 ins)) (defun b (ins) (nth 2 ins)) Because nth, like put, extends its list argument with nils, we can write instructions in three formats: (op), (op a), and (op a b) and omitted arguments default to nil. For example, the constant (times (movi 2 0) ; 0 mem[2] / 0 (jumpz 0 5) ; 1 if mem[0]=0, go to 5 (add 2 1) ; 2 mem[2] / mem[1] + mem[2] (subi 0 1) ; 3 mem[0] / mem[0]  1 (jump 1) ; 4 go to 1 (ret))) ; 5 return to caller defines one program in our language. The constant is a list of seven elements. The first, times, is the name of the program and the other six elements are the 8 Chapter 4 instructions. For example, the first instruction is (movi 2 0), which has an opcode of movi, an a argument of 2 and a b argument of 0; the last instruction is (ret), which has an opcode of ret and a and b arguments of nil. A typical code memory will contain many such ...
An Efficient Decision Procedure for the Theory of FixedSized BitVectors (Extended Abstract)
 In: ComputerAided Verification (CAV ’97
, 1997
"... , Submitted) David Cyrluk ? , Oliver Moller ?? , Harald Rueß ?? ? Computer Science Laboratory ?? Fakultat fur Informatik SRI International Universitat Ulm Menlo Park, CA 94025, USA D89069 Ulm, Germany cyrluk@csl.sri.com fmoeller,ruessg@ki.informatik.uniulm.de Abstract. In this paper we de ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
(Show Context)
, Submitted) David Cyrluk ? , Oliver Moller ?? , Harald Rueß ?? ? Computer Science Laboratory ?? Fakultat fur Informatik SRI International Universitat Ulm Menlo Park, CA 94025, USA D89069 Ulm, Germany cyrluk@csl.sri.com fmoeller,ruessg@ki.informatik.uniulm.de Abstract. In this paper we describe a decision procedure for the core theory of fixedsized bitvectors with extraction and composition than can readily be integrated into Shostak's procedure for deciding combinations of theories. Inputs to the solver are unquantified bitvector equations t = u and the algorithm returns true if t = u is valid in the bitvector theory, false if t = u is unsatisfiable, and a system of solved equations otherwise. The time complexity of the solver is O(j t j \Delta log n + n 2 ), where t is the length of the bitvector term t and n denotes the number of bits on either side of the equation. Then, the solver for the core bitvector theory is extended to handle other bitvector operations li...
Elements of Mathematical Analysis in PVS
 Ninth international Conference on Theorem Proving in Higher Order Logics TPHOL
, 1996
"... . This paper presents the formalization of some elements of mathematical analysis using the PVS verification system. Our main motivation was to extend the existing PVS libraries and provide means of modelling and reasoning about hybrid systems. The paper focuses on several important aspects of PVS i ..."
Abstract

Cited by 20 (0 self)
 Add to MetaCart
(Show Context)
. This paper presents the formalization of some elements of mathematical analysis using the PVS verification system. Our main motivation was to extend the existing PVS libraries and provide means of modelling and reasoning about hybrid systems. The paper focuses on several important aspects of PVS including recent extensions of the type system and discusses their merits and effectiveness. We conclude by a brief comparison with similar developments using other theorem provers. 1 Introduction PVS is a specification and verification system whose ambition is to make formal proofs practical and applicable to large and complex problems. The system is based on a variant of higher order logic which includes complex typing mechanisms such as predicate subtypes or dependent types. It offers an expressive specification language coupled with a theorem prover designed for efficient interactive proof construction. In previous work we have applied PVS to the requirements analysis of a substantially ...