Journal of Automated Reasoning, Volume 5, Issue 2, pp 127–139

The notion of proof in hardware verification

  • Avra Cohn

Abstract

Recent advances in the field of hardware verification have raised some fresh (and some familiar) issues concerning the scope and limitations of formal proof. In this article, we discuss in detail some of these issues. We focus particularly on which aspects of hardware and software one can verify, in contrast to the claims that are sometimes made in that regard. Since we consider verification to be one of the more important and promising applications of automated theorem proving — our research has been concerned with this application for a number of years — a precise understanding of verification must be addressed. Although the context for our discussion is the Viper verification project, our remarks apply generally. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott, and J. Kershaw of the Royal Signals and Radar Establishment of the U.K. Ministry of Defence, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally verified; they presented Viper's more abstract specifications in a language suitable for formal reasoning, and they placed the design in the public domain. Since Viper microprocessors are currently being marketed as verified chips, the need exists to identify precisely to what extent verification is possible. The formal proof aspects of the verification work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract functional specification, have been proved (by the author) using the HOL proof generating system. ‘Verified’ systems such as Viper seem likely to become commonplace in the near future. While proofs about the abstract models of such systems are obviously a vital contribution to our trust in them, it is also important (not least in safety-critical applications) that the limitations of the approach be understood.

Key words

Hardware verification, formal proof, Viper, automated theorem proving

Copyright information

© Kluwer Academic Publishers 1989

Authors and Affiliations

  • Avra Cohn, Computer Laboratory, University of Cambridge, Cambridge, England