Results 1 - 10 of 36
DDD-FM9001: Derivation of a Verified Microprocessor, 1994
Cited by 21 (6 self)
Derivation and verification represent alternate approaches to design. Derivation aims at deriving a "correct by construction" design, while verification aims at constructing a post factum "proof of correctness" for a design. However, as researchers and engineers gain design experience in a formal framework, both approaches are emerging as interdependent facets of design. The thesis of this work is that alternate forms of formal reasoning must be integrated if formal methods are to support the natural analytical and generative reasoning that takes place in engineering practice. As a vehicle for this research, the DDD digital design derivation system was implemented to study formal hardware design in an algebraic framework. DDD is a first-order transformation system which mechanizes a basic design algebra for synthesizing digital circuit descriptions from high-level functional specifications. The system is a collection of correctness preserving transformations that promote a top-down desig...
A Reflective Functional Language for Hardware Design and Theorem Proving - Journal of Functional Programming, 2003
Cited by 19 (3 self)
ch we can both execute functions efficiently and express algorithms over the syntactic structure of their definitions. Our presentation at DCC 2004 will describe reFL [4], a new language designed to meet these and other theorem proving and hardware design requirements. reFL is strongly typed and similar to ML [5], but has quotation and antiquotation constructs that can be used to construct and decompose expressions in the reFL language itself. This provides a form of reflection like that in LISP, but in a strongly typed language. The reFL language is fully implemented and replaces FL in future versions of the Forte system. The target applications of theorem proving and hardware design give intensional analysis a primary role in reFL. Our language therefore differs from other 'meta-programming' languages, such as MetaML [14] and Template Haskell [12], that are aimed more at program generation and optimization of evaluation. Our presentation will describe these differences and the
A verifying core for a cryptographic language compiler - In Manolios, P., Wilding, M., eds.: 6th ACL2 Workshop (2006)
Cited by 12 (2 self)
A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. We report the use of ACL2 in building a verifying compiler for µCryptol, a stream-based language for encryption algorithm specification that targets Rockwell Collins' AAMP7 microprocessor (and is designed to compile efficiently to hardware, too). This paper reports on our success in verifying the "core" transformations of the compiler, that is, those transformations over the sub-language of µCryptol that begin after "higher-order" aspects of the language are compiled away, and finish just before hardware or software specific transformations are exercised. The core transformations are responsible for aggressive optimizations. We have written an ACL2 macro that automatically generates both the correspondence theorems and their proofs. The compiler also supplies measure functions that ACL2 uses to automatically prove termination of µCryptol programs, including programs with mutually-recursive cliques of streams. Our verifying compiler has proved the correctness of its core transformations for multiple algorithms, including TEA, RC6, and AES. Finally, we describe an ACL2 book of primitive operations for the general specification and verification of encryption algorithms.
Categories and Subject Descriptors: D.2.4 [Software Engineering]: Software/Program Verification - correctness proofs, formal methods, reliability; D.3.4
* The ACL2 books associated with this paper can be retrieved at
Matrix Algebra and Applicative Programming - Functional Programming Languages and Computer Architecture (Proceedings), 1987
Cited by 12 (1 self)
General Term: Algorithms. The broad problem of matrix algebra is taken up from the perspective of functional programming. A key question is how arrays should be represented in order to admit good implementations of well-known efficient algorithms, and whether functional architecture sheds any new light on these or other solutions. It relates directly to disarming the "aggregate update" problem. The major thesis is that 2^d-ary trees should be used to represent d-dimensional arrays; examples are matrix operations (d = 2), and a particularly interesting vector (d = 1) algorithm. Sparse and dense matrices are represented homogeneously, but at some overhead that appears tolerable; encouraging results are reviewed and extended. A Pivot Step algorithm is described which offers optimal stability at no extra cost for searching. The new results include proposed sparseness measures for matrices, improved performance of stable matrix inversion through repeated pivoting while deep within a matrix-tree (extendible to solving linear systems), and a clean matrix derivation of the vector algorithm for the fast Fourier transform. Running code is offered in the appendices.
Overview of Hydra: A concurrent language for synchronous digital circuit design - In Proceedings of the 16th International Parallel and Distributed Processing Symposium. IEEE Computer, 2002
Cited by 11 (0 self)
www.dcs.gla.ac.uk/~jtod/
Hydra is a computer hardware description language that integrates several kinds of software tool (simulation, netlist generation and timing analysis) within a single circuit specification. The design language is inherently concurrent, and it offers black box abstraction and general design patterns that simplify the design of circuits with regular structure. Hydra specifications are concise, allowing the complete design of a computer system as a digital circuit within a few pages. This paper discusses the motivations behind Hydra, and illustrates the system with a significant portion of the design of a basic RISC processor.
Formal Synthesis in Circuit Design - A Classification and Survey, 1996
Cited by 11 (2 self)
This article gives a survey on different methods of formal synthesis. We define what we mean by the term formal synthesis and delimit it from the other formal methods that can also be used to guarantee the correctness of an implementation. A possible classification scheme for formal synthesis methods is then introduced, based on which some significant research activities are classified and summarized. We also briefly introduce our own approach towards the formal synthesis of hardware. Finally, we compare these approaches from different points of view.
1 Introduction
In everyday use, synthesis means putting together parts or elements so as to make up a complex whole. However, in the circuit design domain, synthesis stands for a stepwise refinement of circuit descriptions from higher levels of abstraction (specifications) to lower ones (implementations), including optimizations within one abstraction level. Synthesis can be performed by hand for small circuits. Nowadays mor...
Verification of IEEE Compliant Subtractive Division Algorithms - FORMAL METHODS IN COMPUTER-AIDED DESIGN (FMCAD '96), 1996
Cited by 11 (1 self)
A parameterized definition of subtractive floating point division algorithms is presented and verified using PVS. The general algorithm is proven to satisfy a formal definition of an IEEE standard for floating point arithmetic. The utility of the general specification is illustrated using a number of different instances of the general algorithm.
An Example of Interactive Hardware Transformation, 1993
Cited by 10 (1 self)
This article presents an example of correct circuit design through interactive transformation. Interactive transformation differs from traditional hardware design transformation frameworks in that it focuses on the issue of finding suitable hardware architecture for the specified system and the issue of architecture correctness. The transformation framework divides every transformation in designs into two steps. The first step is to find a proper architecture implementation. Although the framework does not guarantee existence of such an implementation, nor its discovery, it does provide a characterization of architectural implementation so that the question "is this a correct implementation?" can be answered by equational rewriting. The framework allows a correct architecture implementation to be automatically incorporated with control descriptions to obtain a new system description. The significance of this transformation framework lies in the fact that it requires simpler mechanism o...
Implementation Issues about the Embedding of Existing High Level Synthesis Algorithms in HOL, 1996
Cited by 8 (6 self)
This article describes the embedding of high level synthesis algorithms in HOL. For given standard synthesis steps, we describe how their data can be mapped to terms in HOL and how the synthesis process can be expressed by means of a logical derivation. In contrast to post-synthesis verification techniques, our approach is constructive in the sense that the proof is derived during synthesis rather than "guessed" afterwards. Therefore, one does not get into the hardship of NP-completeness or undecidability.
Hardware Description with Recursion Equations - In Proceedings of the IFIP 8th International Symposium on Computer Hardware Description Languages and their Applications, 1987
Cited by 8 (3 self)
this paper develops such a scheme, called "hardware description with recursion equations" (abbreviated HDRE and pronounced as hydra). A designer using HDRE may describe a circuit using a simple set of primitive functions written in an underlying general purpose programming language, and the description itself is just a function written in that language. Executing a circuit description function provides its meaning, that is, its semantic content.

