
The notion of proof in hardware verification

Journal of Automated Reasoning

Abstract

Recent advances in the field of hardware verification have raised some fresh (and some familiar) issues concerning the scope and limitations of formal proof. In this article, we discuss in detail some of these issues. We focus particularly on which aspects of hardware and software one can verify, in contrast to the claims that are sometimes made in that regard. Since we consider verification to be one of the more important and promising applications of automated theorem proving — our research has been concerned with this application for a number of years — a precise understanding of verification must be addressed. Although the context for our discussion is the Viper verification project, our remarks apply generally. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott, and J. Kershaw of the Royal Signals and Radar Establishment of the U.K. Ministry of Defence, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally verified; they presented Viper's more abstract specifications in a language suitable for formal reasoning, and they placed the design in the public domain. Since Viper microprocessors are currently being marketed as verified chips, the need exists to identify precisely to what extent verification is possible. The formal proof aspects of the verification work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract functional specification, have been proved (by the author) using the HOL proof generating system. ‘Verified’ systems such as Viper seem likely to become commonplace in the near future. While proofs about the abstract models of such systems are obviously a vital contribution to our trust in them, it is also important (not least in safety-critical applications) that the limitations of the approach be understood.




Cohn, A. The notion of proof in hardware verification. J Autom Reasoning 5, 127–139 (1989). https://doi.org/10.1007/BF00243000
