An Overview of the Formal Specification and Verification of the FM9001 Microprocessor

The use of mathematical logic for modeling and reasoning about hardware designs promises assurance of circuit correctness beyond what is available from current state-of-practice techniques. The development and use of formal techniques for circuit validation is known generally as hardware verification. Circuits with the complexity of microprocessors [5, 30, 35, 46] have been given mathematical specifications, and their designs have been proved to implement their specifications. Yet the transfer of hardware verification techniques to commercial engineering practice has been hampered by such factors as the use of non-standard notations, the inaccessibility of the tools, and the significant mathematical sophistication required to use these approaches. In addition, formal techniques have been directed at only selected aspects of the design process. Important hardware characteristics such as testability and I/O behavior have been largely neglected by the formal hardware modeling and verification community. We have attempted to address some of these issues by considering the formal specification, verification, and physical implementation of the FM9001 microprocessor. The FM9001 is a general-purpose 32-bit microprocessor whose gate-level netlist design was developed using a theorem-proving environment in conjunction with a traditional CAD system. The behavioral specification for the FM9001, the definition of the hardware description language (HDL) used to represent the design of the FM9001, the simulator for that HDL, and the verification of the FM9001 were all carried out using the Boyer-Moore theorem-proving system Nqthm [9]. The FM9001 netlist was mechanically translated to LSI Logic's Netlist Description Language and implemented by LSI Logic, Inc., as a CMOS gate-array. Rigorous testing has not uncovered any situation in which the manufactured device fails to meet its specification.
The FM9001 also serves as the target for the verified assembler, Piton [42], which in turn serves as the target of the verified Gypsy compiler [49]. This document presents the details of the FM9001 development, its specification, and its verification.
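As an added illustration of the workflow the abstract describes (a behavioral specification, a netlist written in a formally defined HDL, a simulator for that HDL, and a check that the netlist implements the specification), the Python below defines a toy gate-level netlist language and a hypothetical 4-bit ripple-carry adder. It is example code written for this page, not the FM9001's HDL, its simulator, or anything from Nqthm, and the adder is not FM9001 logic. The exhaustive enumeration in implements_spec stands in for the theorem-prover proof and is only possible because the module is tiny; a prover establishes the statement for every width at once. The BROKEN_ADDER variant, which leaves the carry-in out of the sum term, shows the check returning a concrete counterexample, and simulate refuses a netlist that reads a wire before it is driven rather than guessing a value, which is the kind of semantic question a formally defined HDL has to settle.

```python
"""Toy gate-level netlist HDL with a simulator and an exhaustive spec check.

Added illustration only: this is not the FM9001's HDL, its simulator or Nqthm,
and the module below is a hypothetical 4-bit ripple-carry adder, not FM9001 logic.
"""
from itertools import product

WIDTH = 4  # hypothetical datapath width; the FM9001 itself is 32 bits wide

# Primitive gate semantics: the meaning of every netlist is fixed by this table.
PRIMITIVES = {
    "and": lambda a, b: a & b,
    "or": lambda a, b: a | b,
    "xor": lambda a, b: a ^ b,
    "not": lambda a: 1 - a,
}


def full_adder_gates(i, sum_with_carry=True):
    """Gate instances (type, output wire, input wires) for bit position i.

    sum_with_carry=False deliberately omits the carry-in from the sum term,
    a plausible wiring mistake used below to show the check catching a bug.
    """
    a, b, c, x = f"a{i}", f"b{i}", f"c{i}", f"x{i}"
    return [
        ("xor", x, [a, b]),
        ("xor", f"s{i}", [x, c] if sum_with_carry else [a, b]),
        ("and", f"g{i}", [a, b]),  # generate
        ("and", f"p{i}", [x, c]),  # propagate
        ("or", f"c{i + 1}", [f"g{i}", f"p{i}"]),
    ]


def adder_module(width=WIDTH, sum_with_carry=True):
    """A netlist: declared inputs, declared outputs, gates in evaluation order."""
    return {
        "inputs": [f"a{i}" for i in range(width)]
        + [f"b{i}" for i in range(width)]
        + ["c0"],
        "outputs": [f"s{i}" for i in range(width)] + [f"c{width}"],
        "gates": [g for i in range(width) for g in full_adder_gates(i, sum_with_carry)],
    }


ADDER = adder_module()
BROKEN_ADDER = adder_module(sum_with_carry=False)


def simulate(module, env):
    """Evaluate gates in netlist order and return the values on the output wires.

    Reading a wire before it is driven is an error, not a silent 0: a formally
    defined HDL must give such ill-formed netlists a definite meaning.
    """
    values = dict(env)
    for gate, out, ins in module["gates"]:
        try:
            args = [values[w] for w in ins]
        except KeyError as missing:
            raise ValueError(f"wire {missing} read before it is driven") from None
        values[out] = PRIMITIVES[gate](*args)
    return {w: values[w] for w in module["outputs"]}


def int_to_bits(n, width):
    """Little-endian bit list: element i is bit i of n."""
    return [(n >> i) & 1 for i in range(width)]


def bits_to_int(bits):
    return sum(bit << i for i, bit in enumerate(bits))


def adder_spec(a, b, cin, width=WIDTH):
    """Behavioral specification: unsigned addition modulo 2**width plus carry-out."""
    total = a + b + cin
    return total % (1 << width), total >> width


def add_via_netlist(a, b, cin, module=ADDER, width=WIDTH):
    """Drive the netlist with integer operands and decode its outputs."""
    env = {f"a{i}": bit for i, bit in enumerate(int_to_bits(a, width))}
    env.update({f"b{i}": bit for i, bit in enumerate(int_to_bits(b, width))})
    env["c0"] = cin
    out = simulate(module, env)
    return bits_to_int([out[f"s{i}"] for i in range(width)]), out[f"c{width}"]


def implements_spec(module=ADDER, width=WIDTH):
    """Exhaustive equivalence check of the netlist against the specification.

    Enumeration is a stand-in for a proof: it settles the question only for
    this finite module, whereas a theorem prover establishes the parametric
    statement once for every width. Returns (True, None) or (False, witness).
    """
    for a, b, cin in product(range(1 << width), range(1 << width), (0, 1)):
        if add_via_netlist(a, b, cin, module, width) != adder_spec(a, b, cin, width):
            return False, (a, b, cin)
    return True, None


if __name__ == "__main__":
    print("correct adder:", implements_spec(ADDER))
    print("broken adder: ", implements_spec(BROKEN_ADDER))
```

The gate list doubles as the HDL: gates are evaluated in the order written, so a module whose carry wire is consumed before the gate that drives it is rejected by simulate instead of being evaluated against an unspecified value. Scaling this from enumeration to a real proof is exactly the step the FM9001 work takes with Nqthm, where the adder, the ALU and ultimately the whole processor are reasoned about for all inputs symbolically.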

[1]  Robert S. Boyer,et al.  A computational logic handbook , 1979, Perspectives in computing.

[2]  Laurence Pierre,et al.  PREVAIL: a proof environment for VHDL descriptions , 1992 .

[3]  Robert S. Boyer,et al.  Computational Logic , 1990, ESPRIT Basic Research Series.

[4]  Steven M. German,et al.  Zeus: A Language for Expressing Algorithms in Hardware , 1985, Computer.

[5]  Miriam Leeser,et al.  From Programs to Transistors: Verifying Hardware Synthesis Tools , 1989, Hardware Specification, Verification and Synthesis.

[6]  W. Hunt,et al.  A formal HDL and its use in the FM9001 verification , 1992, Philosophical Transactions of the Royal Society of London. Series A: Physical and Engineering Sciences.

[7]  Edmund M. Clarke,et al.  Automatic verification of asynchronous circuits using temporal logic , 1986 .

[8]  M. Gordon,et al.  PROVING A COMPUTER CORRECT IN HIGHER ORDER LOGIC , 1986 .

[9]  Jeffrey S. Moore Piton: a verified assembly level language , 1988 .

[10]  W. J. Cullyer Implementing Safety-Critical Systems: The VIPER Microprocessor , 1988 .

[11]  Edmund M. Clarke,et al.  Automatic Verification of Sequential Circuits Using Temporal Logic , 1986, IEEE Transactions on Computers.

[12]  Mark Bickford,et al.  Formal verification of a pipelined microprocessor , 1990, IEEE Software.

[13]  Steven D. Johnson Manipulating Logical Organization with System Factorizations , 1989, Hardware Specification, Verification and Synthesis.

[14]  Bishop Brock,et al.  Introduction to a Formally Defined Hardware Description Language , 1992, TPCD.

[15]  Robert S. Boyer,et al.  A verified operating system kernel , 1987 .

[16]  Matt Kaufmann,et al.  AN INTEGER LIBRARY FOR NQTHM , 1990 .

[17]  Edmund M. Clarke,et al.  SML-a high level language for the design and verification of finite state machines , 1985 .

[18]  J Strother Moore  Mechanically Verified Hardware Implementing an 8-Bit Parallel IO Byzantine Agreement Processor , 1992 .

[19]  M. Gordon HOL: A Proof Generating System for Higher-Order Logic , 1988 .

[20]  Michael J. C. Gordon,et al.  Why higher-order logic is a good formalism for specifying and verifying hardware , 1985 .

[21]  Edmund M. Clarke,et al.  A language for compositional specification and verification of finite state hardware controllers , 1991 .

[22]  Guy L. Steele,et al.  Common Lisp the Language , 1984 .

[23]  Avra Cohn,et al.  A Proof of Correctness of the Viper Microprocessor: The First Level , 1988 .

[24]  M. Gordon,et al.  The HOL Verification of ELLA Designs , 1991 .