Formal Verification of the AAMP5 Microprocessor

Contents (partial): 2.1 AAMP Family of Microprocessors; 2.2 PVS; 2.3 Historical Perspective/Scale of the Challenge; 2.4 Overview of the Technical Approach

This paper describes the experiences of Collins Commercial Avionics and SRI International in formally specifying and verifying the microcode for the AAMP5 microprocessor with the PVS verification system. The project was conducted to determine whether an industrial microprocessor designed for use in real-time embedded systems could be formally specified at the instruction set and register transfer levels, and whether formal proofs could be used to show the microcode correct. The paper provides a brief technical overview, but its emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal methods in an industrial setting.

Software and digital hardware are increasingly being used in situations where failure could be life threatening, such as aircraft, nuclear power plants, weapon systems, and medical instrumentation. Several authors have demonstrated the infeasibility of showing that such systems meet ultra-high reliability requirements through testing alone [9,19]. Formal methods are a promising approach for increasing our confidence in digital systems, but many questions remain on how they can be used effectively in an industrial setting. This paper describes a project, the formal verification of the microcode in the AAMP5 microprocessor, conducted to explore how formal techniques for specification and verification could be introduced into an industrial process. The project consisted of specifying, in the PVS language developed by SRI [22], a portion of a Rockwell proprietary microprocessor, the AAMP5, at both the instruction set and register-transfer levels, and using the PVS theorem prover to show that the microcode correctly implemented the specified behavior for a representative subset of instructions.
While this paper includes a brief technical overview (see [28,29] for a detailed technical discussion), its emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal methods in an industrial setting. The central result of this project was to demonstrate the feasibility of formally specifying a commercial microprocessor and of using mechanical proofs of correctness to verify its microcode. This is particularly significant because the AAMP5 was not designed for formal verification; it was designed to provide a more than threefold performance improvement, by pipelining instruction execution, while remaining object code compatible with the earlier AAMP2. As a consequence, the AAMP5 is one of the most complex microprocessors to which formal methods have been applied. Another key result was the discovery of both actual and seeded errors. Two actual microcode errors …
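The verification obligation the project describes, an instruction-set specification, a register-transfer implementation driven by microcode, and a proof that each microcode sequence implements its instruction, can be made concrete on a toy machine. The Python model below is an added example written for this page; it is not code from the paper, from Collins, or from SRI, and it is not the AAMP5. The four-instruction accumulator machine, its datapath registers (MAR, MDR, IR, a micro-program counter), the microcode ROM, and the sample program are all constructed here for illustration. PVS proved the refinement symbolically for all states; the model instead enumerates every architectural state of the toy and checks the commuting diagram abstract(run_instruction(concretize(s))) == isa_step(s), and it also shows what a seeded microcode error looks like to that check. Pipelining, the paper's central complication, is not modeled.

```python
"""Toy two-level microprocessor model (constructed example, not the AAMP5):
an instruction-set specification, a microcoded register-transfer implementation,
and an exhaustive refinement check between them."""
from itertools import product

WORD_MASK = 0xF      # 4-bit data words (assumption; keeps the state space small)
DMEM_WORDS = 2       # two data words, so every architectural state can be enumerated

# Constructed sample program: decoded (opcode, operand) pairs, jump target in range.
PROGRAM = (("LOAD", 0), ("ADD", 1), ("STORE", 0), ("JZ", 1))

# ---- Instruction-set level: the specification -----------------------------
def isa_step(state, prog=PROGRAM):
    """One architectural step. state = (pc, acc, dmem) with dmem a tuple."""
    pc, acc, dmem = state
    op, arg = prog[pc]
    mem = list(dmem)
    if op == "LOAD":
        acc = mem[arg]
    elif op == "ADD":
        acc = (acc + mem[arg]) & WORD_MASK
    elif op == "STORE":
        mem[arg] = acc
    elif op == "JZ":
        return (arg if acc == 0 else pc + 1, acc, dmem)
    else:
        raise ValueError(op)
    return (pc + 1, acc, tuple(mem))

# ---- Register-transfer level: datapath registers plus a microcode ROM ------
MICROCODE = {
    "LOAD":  ("MAR<-ARG", "MDR<-MEM[MAR]", "ACC<-MDR",     "PC<-PC+1"),
    "ADD":   ("MAR<-ARG", "MDR<-MEM[MAR]", "ACC<-ACC+MDR", "PC<-PC+1"),
    "STORE": ("MAR<-ARG", "MEM[MAR]<-ACC", "PC<-PC+1"),
    "JZ":    ("PC<-ARG IF ZERO",),
}

# Seeded fault (constructed): ADD's ALU micro-op replaced by a plain register move.
SEEDED_MICROCODE = dict(
    MICROCODE, ADD=("MAR<-ARG", "MDR<-MEM[MAR]", "ACC<-MDR", "PC<-PC+1"))

def micro_step(rt, prog, rom):
    """One register-transfer cycle; rt is a dict of datapath registers."""
    if rt["upc"] == 0:                       # instruction boundary: fetch and decode
        rt["ir"] = prog[rt["pc"]]
    op, arg = rt["ir"]
    uop = rom[op][rt["upc"]]
    if uop == "MAR<-ARG":
        rt["mar"] = arg
    elif uop == "MDR<-MEM[MAR]":
        rt["mdr"] = rt["dmem"][rt["mar"]]
    elif uop == "ACC<-MDR":
        rt["acc"] = rt["mdr"]
    elif uop == "ACC<-ACC+MDR":
        rt["acc"] = (rt["acc"] + rt["mdr"]) & WORD_MASK
    elif uop == "MEM[MAR]<-ACC":
        rt["dmem"][rt["mar"]] = rt["acc"]
    elif uop == "PC<-PC+1":
        rt["pc"] += 1
    elif uop == "PC<-ARG IF ZERO":
        rt["pc"] = arg if rt["acc"] == 0 else rt["pc"] + 1
    else:
        raise ValueError(uop)
    rt["upc"] = (rt["upc"] + 1) % len(rom[op])   # wraps to 0 after the last micro-op

def run_instruction(rt, prog, rom):
    """Run micro-steps from one instruction boundary to the next."""
    micro_step(rt, prog, rom)
    while rt["upc"] != 0:
        micro_step(rt, prog, rom)
    return rt

def concretize(state):
    """Embed an architectural state into the datapath (hidden registers cleared)."""
    pc, acc, dmem = state
    return {"pc": pc, "acc": acc, "dmem": list(dmem),
            "mar": 0, "mdr": 0, "ir": None, "upc": 0}

def abstract(rt):
    """Abstraction function: project the architecturally visible registers."""
    return (rt["pc"], rt["acc"], tuple(rt["dmem"]))

def check_refinement(prog=PROGRAM, rom=MICROCODE):
    """Commuting-diagram check over every architectural state of the toy.
    Returns the counterexamples; an empty list means the ROM refines the spec."""
    failures = []
    for pc, acc, dmem in product(range(len(prog)), range(WORD_MASK + 1),
                                 product(range(WORD_MASK + 1), repeat=DMEM_WORDS)):
        s = (pc, acc, dmem)
        expected = isa_step(s, prog)
        actual = abstract(run_instruction(concretize(s), prog, rom))
        if actual != expected:
            failures.append((s, expected, actual))
    return failures

if __name__ == "__main__":
    print("correct ROM, counterexamples:", len(check_refinement()))
    bad = check_refinement(rom=SEEDED_MICROCODE)
    print("seeded ROM, counterexamples:", len(bad), "first:", bad[0])
```

Because the datapath is not pipelined, the abstraction function is a plain projection taken at instruction boundaries (upc == 0), and the check is a finite enumeration rather than a proof. A pipelined implementation has partially executed instructions in flight at every cycle, so the projection is no longer well defined on its own; the abstraction must first retire or flush them (the approach of [15]), and the refinement argument must be carried out symbolically over all states, which is what the theorem-prover approach in the paper provides.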

References

[1] Alexander Birman et al., Some Techniques for Microprogram Validation, 1974, IFIP Congress.
[2] Robert S. Boyer et al., A Computational Logic Handbook, 1979, Perspectives in Computing.
[3] Geoff Barrett et al., Formal Methods Applied to a Floating-Point Number System, 1989, IEEE Trans. Software Eng.
[4] Mark Bickford et al., Formal Verification of a Pipelined Microprocessor, 1990, IEEE Software.
[5] Karl N. Levitt et al., Formal Proof of the AVM-1 Microprocessor Using the Concept of Generic Interpreters, 1991.
[6] R. W. Butler, NASA Langley's Research Program in Formal Methods, 1991, COMPASS '91, Proceedings of the Sixth Annual Conference on Computer Assurance.
[7] Mark Bickford et al., Verification of the FtCayuga Fault-Tolerant Microprocessor System. Volume 1: A Case Study in Theorem Prover-Based Verification, 1991.
[8] Ricky W. Butler et al., The Infeasibility of Experimental Quantification of Life-Critical Software Reliability, 1991.
[9] W. Hunt et al., A Formal HDL and Its Use in the FM9001 Verification, 1992, Philosophical Transactions of the Royal Society of London, Series A: Physical and Engineering Sciences.
[10] Stephen J. Garland et al., Using Transformations and Verification in Circuit Design, 1992, Formal Methods Syst. Des.
[11] Natarajan Shankar et al., PVS: A Prototype Verification System, 1992, CADE.
[12] Geoff Barrett et al., Designing Chips That Work, 1992, Philosophical Transactions of the Royal Society of London, Series A: Physical and Engineering Sciences.
[13] Bev Littlewood et al., Validation of Ultrahigh Dependability for Software-Based Systems, 1993, CACM.
[14] M. Gordon et al., Introduction to HOL: A Theorem Proving Environment for Higher Order Logic, 1993.
[15] David L. Dill et al., Automatic Verification of Pipelined Microprocessor Control, 1994, CAV.
[16] Warren A. Hunt, FM8501: A Verified Microprocessor, 1994, Lecture Notes in Computer Science.
[17] Randal E. Bryant et al., Formally Verifying a Microprocessor Using a Simulation Methodology, 1994, 31st Design Automation Conference.
[18] Victoria Stavridou et al., Gordon's Computer: A Hardware Verification Case Study in OBJ3, 1994, Formal Methods Syst. Des.
[19] Natarajan Shankar et al., Effective Theorem Proving for Hardware Verification, 1994, TPCD.
[20] Natarajan Shankar et al., Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS, 1995, IEEE Trans. Software Eng.
[21] Mandayam K. Srivas et al., Formal Verification of an Avionics Microprocessor, 1995.
[22] Robert S. Boyer et al., Automated Proofs of Object Code for a Widely Used Microprocessor, 1996, JACM.
[23] James L. Caldwell et al., High Level Design Proof of a Reliable Computing Platform, 2003.