Formal Verification of an Avionics Microprocessor

Formal specification combined with mechanical verification is a promising approach to achieving the extremely high levels of assurance required of safety-critical digital systems. However, many questions remain about how these techniques are used in practice: can they scale up to industrial systems, where are they likely to be useful, and how should industry go about incorporating them? This report describes a project undertaken to answer some of these questions: the formal verification of the AAMP5 microprocessor. The project consisted of formally specifying, in the PVS language, a Rockwell proprietary microprocessor at both the instruction-set and register-transfer levels, and using the PVS theorem prover to show that the microcode correctly implements the instruction-level specification for a representative subset of instructions. Notable aspects of the project include the use of a formal specification language by practicing hardware and software engineers, the integration of traditional inspections with formal specifications, and the use of a mechanical theorem prover to verify a portion of a commercial, pipelined microprocessor that was not explicitly designed for formal verification.
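The proof obligation described above (microcode at the register-transfer level correctly implements the instruction-set specification) has a standard shape: an abstraction function maps implementation states at instruction boundaries to specification states, and one must show that executing a whole instruction's worth of micro-operations and then abstracting gives the same result as abstracting first and taking one specification step. The example below is added here to make that shape concrete; it is not code from the report, does not model the AAMP5, and uses an exhaustive check over a tiny constructed machine rather than the PVS theorem prover. The four-instruction accumulator architecture, its opcode encoding, the three-phase microcode, the sample program, and the injected defect in the `buggy` variant are all assumptions made for the illustration.

```python
"""Constructed toy: an instruction-set model and a microcode-level model of the
same (made-up) accumulator machine, related by an abstraction function. Not the
AAMP5 and not PVS; the exhaustive check stands in for a mechanical proof."""
from dataclasses import dataclass
from itertools import product

MEM_WORDS = 4                    # data memory size (assumed; tiny so the check is exhaustive)
WORD_MOD = 4                     # 2-bit data words (assumed)
LOAD, ADD, STORE, JZ = range(4)  # opcode encoding assumed for this example


@dataclass(frozen=True)
class IsaState:                  # specification-level state
    pc: int
    acc: int
    mem: tuple


@dataclass(frozen=True)
class MicroState:                # implementation-level state
    pc: int
    acc: int
    mem: tuple
    upc: int = 0                 # micro-pc; 0 means "at an instruction boundary"
    ir: tuple = (0, 0)           # instruction register: (opcode, operand address)
    mdr: int = 0                 # memory data register


def isa_step(prog, s):
    """Instruction-level specification: one whole instruction per step."""
    op, a = prog[s.pc]
    nxt = (s.pc + 1) % len(prog)
    if op == LOAD:
        return IsaState(nxt, s.mem[a], s.mem)
    if op == ADD:
        return IsaState(nxt, (s.acc + s.mem[a]) % WORD_MOD, s.mem)
    if op == STORE:
        mem = list(s.mem); mem[a] = s.acc
        return IsaState(nxt, s.acc, tuple(mem))
    if op == JZ:
        return IsaState(a if s.acc == 0 else nxt, s.acc, s.mem)
    raise ValueError(op)


def micro_step(prog, m, buggy=False):
    """Register-transfer-level model: one micro-operation per step.
    Phases: 0 fetch, 1 operand fetch, 2 execute (then back to a boundary)."""
    if m.upc == 0:   # fetch: latch the instruction, advance pc
        return MicroState((m.pc + 1) % len(prog), m.acc, m.mem, 1, prog[m.pc], m.mdr)
    if m.upc == 1:   # operand fetch: read the addressed data word into mdr
        return MicroState(m.pc, m.acc, m.mem, 2, m.ir, m.mem[m.ir[1]])
    op, a = m.ir     # execute
    if op == LOAD:
        return MicroState(m.pc, m.mdr, m.mem, 0, m.ir, m.mdr)
    if op == ADD:
        return MicroState(m.pc, (m.acc + m.mdr) % WORD_MOD, m.mem, 0, m.ir, m.mdr)
    if op == STORE:
        mem = list(m.mem); mem[a] = m.acc
        return MicroState(m.pc, m.acc, tuple(mem), 0, m.ir, m.mdr)
    if op == JZ:
        # Injected defect (assumed, for illustration): the buggy microcode tests the
        # fetched operand instead of the accumulator when deciding whether to jump.
        zero = (m.mdr == 0) if buggy else (m.acc == 0)
        return MicroState(a if zero else m.pc, m.acc, m.mem, 0, m.ir, m.mdr)
    raise ValueError(op)


def run_instruction(prog, m, buggy=False):
    """Run micro-operations from one instruction boundary to the next."""
    m = micro_step(prog, m, buggy)
    while m.upc != 0:
        m = micro_step(prog, m, buggy)
    return m


def abstract(m):
    """Abstraction function; only meaningful at an instruction boundary."""
    assert m.upc == 0
    return IsaState(m.pc, m.acc, m.mem)


def check_commutes(prog, buggy=False):
    """Exhaustively check abstract(run_instruction(m)) == isa_step(abstract(m))
    for every boundary state; returns the list of counterexamples (empty = OK)."""
    assert all(a < min(len(prog), MEM_WORDS) for _, a in prog)
    failures = []
    for pc, acc, mem in product(range(len(prog)), range(WORD_MOD),
                                product(range(WORD_MOD), repeat=MEM_WORDS)):
        m = MicroState(pc, acc, mem)
        got = abstract(run_instruction(prog, m, buggy))
        want = isa_step(prog, abstract(m))
        if got != want:
            failures.append((abstract(m), got, want))
    return failures


# Constructed sample program: addresses double as jump targets, all < 4.
PROG = ((LOAD, 1), (ADD, 2), (JZ, 0), (STORE, 3))

if __name__ == "__main__":
    print("correct microcode, counterexamples:", len(check_commutes(PROG)))
    print("buggy microcode, counterexamples:  ", len(check_commutes(PROG, buggy=True)))
```

Two caveats separate this toy from the work the report describes. First, enumerating 4096 boundary states is only possible because the machine is tiny; a theorem prover such as PVS discharges the same commuting-diagram obligation for unbounded word sizes and memories, at the cost of human-guided proof. Second, the abstraction function here is trivial because every instruction starts and ends at a clean boundary (`upc == 0`); for a pipelined implementation, where several instructions are in flight at once, defining which implementation states correspond to a specification state is the central difficulty the report alludes to.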
