J. Joyce, G. Birtwistle, and M. Gordon. Proving a computer correct in higher order logic. Technical Report 100, University of Cambridge, Computer Laboratory, December 1986.
....cases which must be accounted for. Sometimes, significant bugs are found after a processor is commercially released, which is both embarrassing and costly. Formal verification techniques have been steadily improving over the last decade, and several simple microprocessors have been verified [3, 6, 8]. The methods used in these verification efforts are based on theorem provers, which require a great deal of expert guidance. In addition, some automatic techniques used on simple processors (i.e. [9]) are not applicable to pipelined processors. And even though some pipelined processors have been ....
J. Joyce, G. Birtwistle, and M. Gordon, "Proving a Computer Correct in Higher Order Logic", Technical Report 100, Computer Lab., University of Cambridge, 1986.
....aspects of the design that are most susceptible to errors, be relatively fast and require little labor, and provide information to help pinpoint design errors. The best known examples of formally verified processors have been extremely simple processor designs, which were generally unpipelined [7, 8, 15, 16]. The verification methods used rely on theorem provers that require a great deal of very skilled human guidance (the practical unit for measuring labor in these studies seems to be the person month). Furthermore, the processor implementations that were verified were so simple that they were ....
J. Joyce, G. Birtwistle, and M. Gordon. Proving a computer correct in higher order logic. Technical Report 100, Computer Lab., University of Cambridge, 1986.
....algorithm. 10.1.2. Hardware verification In (Cantu Ortiz, 1997) Cantu describes an application of proof planning to the verification of clocked synchronous electronics. Cantu successfully automated the verification of the Gordon computer, which had previously been verified manually in HOL (Joyce et al. 1986). The proof plans were the largest ever created, and although some modification was required to Clam in order to cope with the much larger proofs (for example by employing memoisation) this effort provides evidence that proof planning can scale up. 10.1.3. Verification of communicating systems ....
Joyce, J., Birtwistle, G., Gordon, M. (1986). Proving a computer correct in higher order logic. Technical Report 100, University of Cambridge Computer Laboratory.
....of complete benchmark microprocessors [4, 6, 7], language containment methods [10] have also been effectively applied to significant examples. At the other end of the spectrum, the Boyer Moore theorem prover and the HOL theorem prover have been successfully used to verify simple microprocessors [11, 12]. Most recently, PVS [16], a higher order, general purpose theorem prover being developed at SRI, has verified a large part of the AAMP5, a half million transistor, commercial pipelined microcoded microprocessor developed at Rockwell Collins [14]. As hardware verification techniques become ....
J. Joyce, G. Birtwistle, and M. Gordon. Proving a computer correct in higher order logic. Technical Report 100, Computer Laboratory, University of Cambridge, 1986.
....of a simple microprocessor called Tamarack using the updated generic interpreter theory. We do this as a means of assuring the model is useful as well as providing a tutorial on its use. Because of its simplicity, Tamarack makes an excellent example, and thus has been verified many times [Gor83, Joy86, Joy89]. Our work closely follows that of Joyce in [Joy89]. The results of the verification presented here, that Tamarack is correct, are not new; the purpose of the proof and this paper are to serve as a tutorial on using the generic interpreter theory in microprocessor verification and demonstrate ....
J. Joyce, G. Birtwistle and M. Gordon. Proving a Computer Correct in Higher Order Logic. Report No. 100, Computer Laboratory, Cambridge University, 1986.
....correctly implement the (user level) instruction. He cannot describe this process within his system, so that his proof is not as neat as the one described below. 1.2.4 Gordon's microprocessor Mike Gordon formally specified a simple micro computer which has been given various implementations [JBG86, Joy87, Bar84]. One of these has even been implemented in silicon. The computer is simple, yet it is interesting to verify because of its features, such as a bus, ROM, RAM and microcoded control. Implementations have been proved correct using LCF_LSM [Gor] and HOL, which is a descendant ....
.... the microcode time scale (more concrete) to the instruction set time scale (more abstract):

$\mathit{abs}\ p\ 0\ t = p\ t \land \forall t'.\ t' < t \Rightarrow \neg p(t')$

$\mathit{abs}\ p\ (n+1)\ t = p\ t \land \exists t'.\ t' < t \land \mathit{abs}\ p\ n\ t' \land \forall t''.\ t' < t'' \land t'' < t \Rightarrow \neg p(t'')$

This function has variously been called abs in [JBG86], istimeof in [Mel87] and nexttime in [Coh87]. All instruction set time signals were now defined in terms of the microcode time scale signals using abs. The signal ready was used as the synchronisation condition: $\forall n.\ \mathit{sig\_abs}\ n\ t = \mathit{signal}(\mathit{abs}\ \mathit{ready}\ n\ t)$. This means that the abstract (instruction ....
Jeff Joyce, Graham Birtwistle, and Mike Gordon. Proving a computer correct in higher order logic. Technical Report 100, University of Cambridge Computer Laboratory, December 1986. HOL version of Technical Report 42.
....version of a pipelined processor. Sekar and Srivas verified a simplified version of Wirth's Lilith. Tamarack Mike Gordon illustrated his early ideas on hardware verification using a simple computer which has been verified, usually using higher order logic, several times, by Jeff Joyce and others [117, 11, 10, 144, 146, 150, 81, 158]. Elaborated versions of this design are known as Tamarack. Windley later improved upon the structure of the proofs [245, 244]. Viper The Viper microprocessor has received publicity as the first verified microprocessor. It was not entirely verified ....
Jeff Joyce, Graham Birtwistle, and Mike Gordon. Proving a computer correct in higher order logic. Technical report 100. University of Cambridge Computer Laboratory, December 1986.
....the behaviours associated with an HDL program are also invalid. While this has always been clearly understood in areas such as device modelling, where simulation programs have been used extensively [71], and system level modelling, this was not always so obvious in formal hardware verification [48, 20]. A separate development addressed the need to document and design systems at higher levels of abstraction. Behavioural notations such as ISP [81], closer to conventional programming languages, were defined for this purpose. By definition, this type of description does not relate to any particular ....
Jeff Joyce, Graham Birtwistle, and Mike Gordon. Proving a computer correct in higher order logic. Technical Report 100, University of Cambridge Computer Laboratory, December 1986. HOL version of Technical Report 42.
....All models are abstract and hence cannot be used to draw meaningful conclusions concerning features from which they abstract. A description of a design is therefore not just verified; it is verified with respect to a specification using a particular model. For example, Joyce et al. reveal in [106] that a gate level model used in the verification of a microprocessor included unrealistic power up assumptions. Using a more accurate switch level model an error in the design was discovered. The subsequent correct functioning of the implementation underlines the fact that the more detailed model ....
Jeff Joyce, Graham Birtwistle, and Mike Gordon. Proving a computer correct in higher order logic. Technical Report 100, University of Cambridge Computer Laboratory, December 1986. HOL version of Technical Report 42.
....is used to generate subgoals that are typically proved by means of the decision procedures. We present the proof strategy and demonstrate its utility on a number of examples including an N bit ripple carry adder circuit, Saxe's pipelined microprocessor [24] and the Tamarack processor [18]. The point of these examples is to illustrate efficiency and generality that can be derived from the inference capabilities present in PVS. This work is still at a preliminary stage and we feel that there is plenty of scope for obtaining even greater generality, efficiency, and automation by ....
....register bypass logic. Note that this strategy, while not identical to the basic hardware strategy described earlier, has the same core strategy, namely the (do-rewrite, lift-if, bddsimp, assert) cycle. We have also applied the same strategy to the Tamarack microprocessor first verified by Joyce [18]. This microprocessor is microcoded but not pipelined. Only the first restricted form of rewriting is necessary to finish the Tamarack's proof of correctness. This is because the case splitting generated by the num cycles function is sufficient to generate all the relevant cases and to direct the ....
J. Joyce, G. Birtwistle, and M. Gordon. Proving a computer correct in higher order logic. Technical Report 100, Computer Lab., University of Cambridge, 1986.
....complex transition system as the implementation. In [20] the specification is actually a non pipelined microprocessor. In [21] the specification is a transition system corresponding to the instruction set architecture. In both [21, 20] the implementation is a pipelined microprocessor. Early work [12, 13] used the instruction set architecture as the specification and a non pipelined machine as the implementation. The microprocessor verification problem is to show that the traces induced by the implementation transition system are a subset of the traces induced by the specification transition ....
J. Joyce, G. Birtwistle, and M. Gordon. Proving a computer correct in higher order logic. Technical Report 100, Computer Lab., University of Cambridge, 1986.
....the required lemmas. Example: the Gordon computer This is a 16 bit microprocessor, with 8 programming instructions, no interrupts, and a synchronous communication interface with memory, designed by Mike Gordon and his group at Cambridge University and verified interactively using the HOL system [12]. The specification is given in terms of the semantics of the 8 programming instructions. Each instruction consists of the set of operations that determines a new computer state, where a state is determined by the contents of the memory, the program counter, the accumulator and the idle running ....
....access the bus, and the input of manual information through the switches and the knob, are not considered. However, Tamarack 3 includes an option for asynchronous communication with memory. 5.3 HOL The Gordon computer was originally designed and verified using HOL by Mike Gordon and his group [12] and later implemented and verified as the Tamarack microprocessor by Jeffrey Joyce [13]. The verification took about 5 weeks of proof development effort and required the derivation of at least 200 lemmas including general lemmas for arithmetic reasoning and temporal logic operators which are now ....
Jeff Joyce, Graham Birtwistle, and M. Gordon. Proving a Computer Correct in Higher-order Logic. Tech. Report 100, U. of Cambridge Computer Lab., 1986.
....techniques have been proposed to overcome the well-known theoretical and practical limits of such conventional techniques and have been applied to the analysis of a certain number of (usually rather simple and unpipelined) microprocessors. Some typical examples standing for many others are [JBG86], [Bow87], [C88], [C89], [Hunt89], [LC91], [Her92], [Be93], [Win94] and [Ta95], which includes an excellent detailed survey. We develop a practical method which reduces the labor required to do formally supported design and verification of microprocessors by orders of magnitude. The method allows one to ....
J.Joyce, G.Birtwistle, and M.Gordon. Proving a computer correct in higher order logic. TR 100, Computer Lab., University of Cambridge, 1986.
....is available from current state of practice techniques. The development and use of formal techniques in hardware design is spreading [5, 13, 16, 19, 20, 25, 28, 36, 45]. This approach to circuit validation is known generally as hardware verification. Circuits with the complexity of microprocessors [5, 30, 35, 46] have been given mathematical specifications, and their designs have been proved to implement their specifications. Yet, the transfer of hardware verification techniques to commercial engineering practice has been hampered by such factors as the use of non standard notations, inaccessibility of ....
Graham Birtwistle, Jeffrey Joyce, and Mike Gordon. Proving a Computer Correct in Higher Order Logic. Technical report, University of Calgary, Department of Computer Science, August 1985.
....techniques have been proposed to overcome the well known theoretical and practical limits of such conventional techniques and have been applied to the analysis of a certain number of (usually rather simple and unpipelined) microprocessors. Some typical examples standing for many others are [JBG86], [Bow87], [C88], [C89], [Hunt89], [LC91], [Her92], [Be93], [Win94]. See [Ta95] for an excellent detailed survey. We develop here a method which reduces the labor required to do formally supported design and verification of microprocessors by orders of magnitude. The method exploits the power of ....
J.Joyce, G.Birtwistle, and M.Gordon. Proving a computer correct in higher order logic. Technical Report 100, Computer Lab. University of Cambridge, 1986.
J. Joyce, G. Birtwistle, and M. Gordon. Proving a computer correct in higher order logic. Technical Report 100, University of Cambridge, Computer Laboratory, December 1986.
CiteSeer.IST - Copyright Penn State and NEC