Abstract
Formal specification combined with mechanical verification is a promising approach for achieving the extremely high levels of assurance required of safety-critical digital systems. However, many questions remain regarding the use of these techniques in practice: Can they scale up to industrial systems, where are they likely to be useful, and how should industry go about incorporating them into practice? This paper discusses a project undertaken to answer some of these questions: the formal verification of the microcode in the AAMP5 microprocessor. The project consisted of formally specifying, in the PVS language, a Rockwell proprietary microprocessor at both the instruction-set and register-transfer levels, and then using the PVS theorem prover to show that the microcode correctly implements the instruction-level specification for a representative subset of instructions. Notable aspects of this project include the use of a formal specification language by practicing hardware and software engineers, the integration of traditional inspections with formal specifications, and the use of a mechanical theorem prover to verify a portion of a commercial, pipelined microprocessor that was not explicitly designed for formal verification.
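The abstract describes the shape of the verification obligation without showing it: a machine specified at two levels, and a proof that every instruction-set step is matched by the microcode steps that implement it. The following is an added illustration, not code or a specification from the paper, and it is not a model of the AAMP5. It uses a constructed four-instruction stack machine, a constructed register-transfer-level model that splits each instruction into fetch, execute and (for stores) write-back microcycles, an abstraction function defined at instruction boundaries, and the commutation obligation `abstract(microcycles(m)) == isa_step(abstract(m))`. Where the paper discharges that obligation by theorem proving in PVS, this example discharges it by enumerating a small finite state space, which is enough to see what the obligation states and what a counterexample looks like. A deliberately inserted branch-target defect (`buggy=True`) shows the check failing. The program `PROG`, the word size, and the enumerated value set are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from itertools import product

WORD = 0xFF  # 8-bit data words; a constructed simplification, not the AAMP5 word size


@dataclass(frozen=True)
class Isa:
    """Instruction-set-level state: the top of stack is the last tuple element."""
    pc: int
    stack: tuple
    mem: tuple


def isa_step(prog, s):
    """Instruction-level semantics: one whole instruction per step."""
    op, arg = prog[s.pc]
    if op == "PUSH":
        return Isa(s.pc + 1, s.stack + (arg & WORD,), s.mem)
    if op == "ADD":
        a, b = s.stack[-2], s.stack[-1]
        return Isa(s.pc + 1, s.stack[:-2] + ((a + b) & WORD,), s.mem)
    if op == "STORE":
        mem = list(s.mem)
        mem[arg] = s.stack[-1]
        return Isa(s.pc + 1, s.stack[:-1], tuple(mem))
    if op == "JMPZ":
        return Isa(arg if s.stack[-1] == 0 else s.pc + 1, s.stack[:-1], s.mem)
    raise ValueError(op)


@dataclass(frozen=True)
class Micro:
    """Register-transfer-level state: adds the latched instruction and data registers."""
    pc: int
    stack: tuple
    mem: tuple
    ir: tuple = None   # latched instruction; None exactly at an instruction boundary
    mdr: int = None    # data latched for a pending write-back cycle


def micro_step(prog, m, buggy=False):
    """One microcycle. `buggy` enables a constructed microcode defect for illustration."""
    if m.ir is None:                      # FETCH cycle: latch the instruction, increment pc
        return Micro(m.pc + 1, m.stack, m.mem, prog[m.pc], None)
    op, arg = m.ir
    if m.mdr is not None:                 # WRITE-BACK cycle (STORE only): commit to memory
        mem = list(m.mem)
        mem[arg] = m.mdr
        return Micro(m.pc, m.stack, tuple(mem), None, None)
    if op == "PUSH":
        return Micro(m.pc, m.stack + (arg & WORD,), m.mem, None, None)
    if op == "ADD":
        a, b = m.stack[-2], m.stack[-1]
        return Micro(m.pc, m.stack[:-2] + ((a + b) & WORD,), m.mem, None, None)
    if op == "STORE":                     # EXECUTE cycle: pop into mdr, memory written next cycle
        return Micro(m.pc, m.stack[:-1], m.mem, m.ir, m.stack[-1])
    if op == "JMPZ":
        # Constructed defect: branch target formed from the already incremented pc,
        # so a taken branch lands one instruction past where the ISA says it should.
        target = arg + 1 if buggy else arg
        return Micro(target if m.stack[-1] == 0 else m.pc, m.stack[:-1], m.mem, None, None)
    raise ValueError(op)


def abstract(m):
    """Abstraction function from RTL state to ISA state, defined only at instruction boundaries."""
    assert m.ir is None, "abstraction is only meaningful between instructions"
    return Isa(m.pc, m.stack, m.mem)


def run_to_boundary(prog, m, buggy=False):
    """Advance the RTL machine through all microcycles of the current instruction."""
    m = micro_step(prog, m, buggy)
    while m.ir is not None:
        m = micro_step(prog, m, buggy)
    return m


def boundary_states(prog, values=(0, 1, 200, 255), depth=2, mem_words=2):
    """Enumerate boundary states for every pc; depth 2 satisfies each instruction's stack precondition."""
    return [Micro(pc, stack, mem)
            for pc in range(len(prog))
            for stack in product(values, repeat=depth)
            for mem in product(values, repeat=mem_words)]


def check_refinement(prog, states, buggy=False):
    """The proof obligation, discharged here by enumeration rather than by a theorem prover:
    abstract(run_to_boundary(m)) == isa_step(abstract(m)) for every boundary state m.
    Returns None when it holds, else (state, expected_isa, observed_isa)."""
    for m in states:
        expected = isa_step(prog, abstract(m))
        observed = abstract(run_to_boundary(prog, m, buggy))
        if expected != observed:
            return (m, expected, observed)
    return None


# Constructed sample program: memory has two words, branch targets index PROG.
PROG = (("PUSH", 0), ("JMPZ", 3), ("PUSH", 7), ("ADD", None), ("STORE", 1), ("JMPZ", 0))

if __name__ == "__main__":
    print("correct microcode:", check_refinement(PROG, boundary_states(PROG)))
    print("defective microcode:", check_refinement(PROG, boundary_states(PROG), buggy=True))
```

The point the example makes is that the obligation is stated per instruction at instruction boundaries, which is why a pipelined implementation needs an abstraction function that says when the register-transfer state "means" an instruction-set state. Enumeration only covers the values it is given; the paper's approach proves the same commutation for all values and all reachable states, which is what a theorem prover adds over simulation.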
References
D. Best, C. Kress, N. Mykris, J. Russel, and W. Smith, “An advanced-architecture CMOS/SOS microprocessor,” IEEE Micro, pp. 11–26, August 1982.
R.S. Boyer and J.S. Moore, A Computational Logic, Academic Press, New York, NY, 1979.
S. Brock and C. George, The RAISE Method Manual, Computer Resources International A/S, 1990.
J.R. Burch and D.L. Dill, “Automatic verification of pipelined microprocessor control,” in David Dill (Ed.), Computer-Aided Verification, CAV'94, Vol. 818 of Lecture Notes in Computer Science, pp. 68–80, Stanford, CA, June 1994, Springer-Verlag.
A. Burns, J. McDermid, and J. Dobson, “On the meaning of safety and security,” Computer Journal, Vol. 35, No. 1, pp. 3–15, 1992.
Ricky W. Butler, “NASA Langley's research program in formal methods,” in COMPASS'91, Proceedings of the Sixth Annual Conference on Computer Assurance, Gaithersburg, MD, June 1991, pp. 157–162, IEEE Washington Section.
D. Cyrluk and P. Narendran, “Ground temporal logic: a logic for hardware verification,” in David Dill (Ed.), Computer-Aided Verification, CAV'94, Vol. 818 of Lecture Notes in Computer Science, pp. 247–259, Stanford, CA, June 1994, Springer-Verlag.
D. Cyrluk, S. Rajan, N. Shankar, and M.K. Srivas, “Effective theorem proving for hardware verification,” in Kumar and Kropf [18], pp. 203–222.
D. Cyrluk, “Microprocessor verification in PVS: A methodology and simple example,” Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.
Ben L. Di Vito, Ricky W. Butler, and James L. Caldwell, “Formal design and verification of a reliable computing platform for real-time control,” NASA Technical Memorandum 102716, NASA Langley Research Center, Hampton, VA, October 1990.
M. Fagan, “Advances in software inspections,” IEEE Transactions on Software Engineering, Vol. SE-12, No. 7, pp. 744–751, 1986.
S. Gerhart, M. Bouler, K. Greene, D. Jamsek, T. Ralston, and D. Russinoff, “Formal methods transition study final report,” Technical Report STP-FT-322–91, Microelectronics and Computer Technology Corporation, Austin, Texas, August 1991.
James Glanz, “Mathematical logic flushes out the bugs in chip designs,” Science, Vol. 267, pp. 332–333, 1995.
M. Gordon, “Why higher-order logic is a good formalism for specifying and verifying hardware,” Technical Report 77, University of Cambridge Computer Laboratory, September 1985.
M.J.C. Gordon and T.F. Melham (Eds.), Introduction to HOL: A Theorem Proving Environment for Higher-Order Logic, Cambridge University Press, Cambridge, UK, 1993.
Warren A. Hunt, Jr., FM8501: A Verified Microprocessor, Vol. 795 of Lecture Notes in Artificial Intelligence, Springer-Verlag, Berlin, 1994.
Cliff B. Jones, Systematic Software Development Using VDM, Prentice Hall International Series in Computer Science, Prentice Hall, Hemel Hempstead, UK, second edition, 1990.
Ramayya Kumar and Thomas Kropf (Eds.), Theorem Provers in Circuit Design (TPCD'94), Vol. 910 of Lecture Notes in Computer Science, Bad Herrenalb, Germany, September 1994, Springer-Verlag.
Mandayam Srivas et al., “Hardware verification using PVS: A tutorial,” Technical Report SRI-CSL-95-13, Computer Science Laboratory, SRI International, Menlo Park, CA, 1995 (forthcoming).
Steven P. Miller and Mandayam Srivas, “Formal verification of the AAMP5 microprocessor: A case study in the industrial use of formal methods,” in WIFT'95: Workshop on Industrial-Strength Formal Specification Techniques, Boca Raton, FL, 1995, pp. 2–16, IEEE Computer Society.
S. Owre, N. Shankar, and J.M. Rushby, The PVS Specification Language, Computer Science Laboratory, SRI International, Menlo Park, CA, February 1993 (A new edition for PVS Version 2 is expected in early 1995).
S. Rajan, N. Shankar, and M.K. Srivas, “An integration of model-checking with automated proof checking,” in Pierre Wolper (Ed.), Computer-Aided Verification, CAV'95, Vol. 939 of Lecture Notes in Computer Science, pp. 84–97, Liege, Belgium, June 1995, Springer-Verlag.
AAMP2 Advanced Architecture Microprocessor II Reference Manual, Rockwell International, Collins Commercial Avionics, Rockwell International Corporation, Cedar Rapids, Iowa 52498, February 1990.
AAMP5 Microarchitecture (Unreleased Document), Rockwell International Processor and Software Technology Department, Advanced Technology and Engineering, Collins Commercial Avionics, Rockwell International Corporation, Cedar Rapids, Iowa 52498, February 1993.
James B. Saxe, Stephen J. Garland, John V. Guttag, and James J. Horning, “Using transformations and verification in circuit design,” Formal Methods in System Design, Vol. 4, No. 1, pp. 181–210, 1994.
N. Shankar, S. Owre, and J.M. Rushby, The PVS Proof Checker: A Reference Manual, Computer Science Laboratory, SRI International, Menlo Park, CA, February 1993 (A new edition for PVS Version 2 is expected in early 1995).
Mandayam Srivas and Mark Bickford, “Formal verification of a pipelined microprocessor,” IEEE Software, Vol. 7, No. 5, pp. 52–64, 1990.
Mandayam Srivas and Steven P. Miller, “Formal verification of a commercial microprocessor,” Technical Report SRI-CSL-95-4, Computer Science Laboratory, SRI International, Menlo Park, CA, February 1995.
S. Tahar and R. Kumar, “Implementing a methodology for formally verifying RISC processors in HOL,” in Jeffrey J. Joyce and Carl-Johan H. Seger (Eds.), Higher Order Logic Theorem Proving and its Applications (6th International Workshop, HUG'93), Number 780 in Lecture Notes in Computer Science, pp. 281–294, Vancouver, Canada, August 1993, Springer-Verlag.
Phillip J. Windley and Michael L. Coe, “A correctness model for pipelined microprocessors,” in Kumar and Kropf [18], pp. 33–51.
P.J. Windley, “Formal modeling and verification of microprocessors,” IEEE Transactions on Computers, Vol. 44, No. 1, 1995.
Additional information
This work was supported by NASA Langley Research Center under contract NAS1-20334 and NAS1-19704.
Cite this article
Srivas, M.K., Miller, S.P. Applying formal verification to the AAMP5 microprocessor: A case study in the industrial use of formal methods. Form Method Syst Des 8, 153–188 (1996). https://doi.org/10.1007/BF00122419