Recent advances in the field of hardware verification have raised some fresh (and some familiar) issues concerning the scope and limitations of formal proof. In this article, we discuss in detail some of these issues. We focus particularly on which aspects of hardware and software one can verify, in contrast to the claims that are sometimes made in that regard. Since we consider verification to be one of the more important and promising applications of automated theorem proving — our research has been concerned with this application for a number of years — we consider it essential to establish a precise understanding of what verification does and does not achieve. Although the context for our discussion is the Viper verification project, our remarks apply generally. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott, and J. Kershaw of the Royal Signals and Radar Establishment of the U.K. Ministry of Defence, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally verified; they presented Viper's more abstract specifications in a language suitable for formal reasoning, and they placed the design in the public domain. Since Viper microprocessors are currently being marketed as verified chips, it is necessary to identify precisely to what extent verification is possible. The formal proof aspects of the verification work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract functional specification, have been proved (by the author) using the HOL proof-generating system. ‘Verified’ systems such as Viper seem likely to become commonplace in the near future. While proofs about the abstract models of such systems are obviously a vital contribution to our trust in them, it is also important (not least in safety-critical applications) that the limitations of the approach be understood.