The formal verification of generic interpreters

Verification holds great promise for increasing the trustworthiness of computer systems. Before this promise is realized, however, verification must become an engineering activity instead of a research activity. An engineering approach provides a methodology for specification and verification. This dissertation contains results that provide a methodological approach to microprocessor verification. We present a hierarchical decomposition strategy for specifying microprocessors. The decomposition follows the traditional abstraction levels used by microprocessor designers. We show how the explicit representation of these abstraction levels in the specification can lead to an order of magnitude reduction in the number of long, difficult cases in a microprocessor verification. The dissertation also develops a theory of interpreters that can be used to model microprocessor behavior. The generic interpreter theory abstracts away the details of instruction functionality, leaving a general model of what an interpreter does. The interpreter theory has been formalized using generic theories in a verification system called HOL, for use in specifying and verifying microprocessors. The use of generic theories for formalizing the model plays an important role in our methodological approach to microprocessor specification and verification. The generic interpreter theory formally defines an interpreter and proves a correctness theorem for the generic model stating what it means, in general, for an interpreter to be correctly implemented. The generic interpreter theory thus provides a methodology for verifying microprocessors: (1) it states exactly which definitions must be made to specify a microprocessor, and (2) it states exactly which lemmas must be proven to verify that the specification is correctly implemented. The dissertation provides a detailed example, the verification of correctness for a microprocessor called AVM-1. The architecture of AVM-1 provides a RISC-like instruction set operating on a register file with 32 registers. The implementation is microcoded. The example is used to illustrate the utility of hierarchical decomposition and the generic interpreter theory.
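The shape of the proof obligation described above, as an added, executable toy model (not the dissertation's HOL development and not AVM-1): a macro-level instruction interpreter, a microcoded implementation with extra latch state, a state abstraction between the two levels, and one per-instruction lemma whose conjunction establishes correctness. The 4-bit register file, the three-phase microcode and the exhaustive check standing in for a proof are all assumptions of this illustration.

```python
from itertools import product

MASK = 0xF                   # 4-bit registers keep the exhaustive check cheap
OPS = ("add", "sub", "mov")  # the macro-level instruction set of the toy
ALU = {"add": lambda x, y: x + y, "sub": lambda x, y: x - y, "mov": lambda x, y: y}

# Macro level: one step executes one whole instruction on (pc, regs).
def macro_step(state, instr):
    pc, regs = state
    op, a, b, d = instr
    new = list(regs)
    new[d] = ALU[op](regs[a], regs[b]) & MASK
    return pc + 1, tuple(new)

# Micro level: fetch -> alu -> writeback; micro state adds micro pc, latches, ALU result.
def micro_cycle(mstate, instr):
    pc, regs, upc, la, lb, acc = mstate
    op, a, b, d = instr
    if upc == 0:                                   # fetch operands into latches
        return pc, regs, 1, regs[a], regs[b], acc
    if upc == 1:                                   # execute in the ALU
        return pc, regs, 2, la, lb, ALU[op](la, lb) & MASK
    new = list(regs)                               # writeback and advance pc
    new[d] = acc
    return pc + 1, tuple(new), 0, la, lb, acc

def run_instruction(mstate, instr, cycle=micro_cycle):
    """Temporal abstraction: run micro cycles until the micro pc is back at 0."""
    mstate = cycle(mstate, instr)
    while mstate[2] != 0:
        mstate = cycle(mstate, instr)
    return mstate

def abstract(mstate):
    """State abstraction: the macro level sees only pc and the register file."""
    return mstate[0], mstate[1]

def instruction_lemma(op, cycle=micro_cycle, nregs=2):
    """Obligation for one instruction: abstraction commutes with execution (checked exhaustively)."""
    for regs in product(range(MASK + 1), repeat=nregs):
        for a, b, d in product(range(nregs), repeat=3):
            instr = (op, a, b, d)
            m0 = (0, regs, 0, 0, 0, 0)
            if abstract(run_instruction(m0, instr, cycle)) != macro_step(abstract(m0), instr):
                return False
    return True

def verify_interpreter(cycle=micro_cycle):
    # The generic theorem's shape: one lemma per instruction implies correctness.
    return all(instruction_lemma(op, cycle) for op in OPS)
```

Passing a different `cycle` function to `verify_interpreter` shows how the per-instruction lemma localises an implementation fault to the instructions it affects.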
