Abstract. We give an overview of a proof-producing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler and its mechanical verification are implemented in the same logic framework.

Abstract not found

(authors listed in alphabetical order) Abstract. Higher order logic (HOL) is a modelling language suitable for specifying behaviour at many levels of abstraction. We describe a compiler from a ‘synthesisable subset ’ of HOL function definitions to correctby-construction clocked synchronous hardware. The compiler works by theorem proving in the HOL4 system and goes through several phases, each deductively refining the specification to a more concrete form, until a representation that corresponds to hardware is deduced. It also produces a proof that the generated hardware implements the HOL functions constituting the specification. Synthesised designs can be translated to Verilog HDL, simulated and then input to standard design automation tools. Users can modify the theorem proving scripts that perform compilation. A simple example is adding rewrites for peephole optimisation, but all the theorem-proving infrastructure in HOL4 is available for tuning the compilation. Users can also extend the synthesisable subset. For example, the core system can only compile tail-recursions, but a ‘third-party ’ tool linRec is being developed to automatically generate tail recursive definitions to implement linear recursions, thereby extending the synthesisable subset of HOL to include linear recursion. 1

Abstract. The hol-4 proof system has been used to formally verify the correctness of the ARM6 micro-architecture. This paper describes the specification and verification of the multiply instructions. The processor’s implementation is based on the modified Booth’s algorithm. Correctness is defined using data and temporal abstraction maps. The ARM6 is a commercial RISC microprocessor that has been used extensively in embedded systems – it has a 3-stage pipeline with a multi-cycled execute stage. This paper describes the approach used in the formal verification and presents some key lemmas. 1

The hol-4 proof system has been used to formally verify the correctness of the ARM6 micro-architecture. This paper describes the specification and verification of one instructions class, block data transfers; these are a form of load-store instruction in which a set of up to sixteen registers can be transferred atomically. The ARM6 is a commercial RISC microprocessor that has been used extensively in embedded systems – it has a 3-stage pipeline with a multi-cycled execute stage. A list based programmer’s model specification of the block data transfers is compared with the ARM6’s implementation which uses a 16-bit mask. The models are far removed and reasonably complex, and this poses a verification challenge. This paper describes the approach and some key lemmas used in verifying correctness, which is defined using data and temporal abstraction maps. 1

Abstract not found

Abstract. We discuss a proof-producing compiler for a subset of higher order logic. The translation validation is automatic, and is based on Hoare rules derived from a compositional semantics for sequences of instructions for an ARM-like machine. Partial and total correctness are dealt with. The main focus is on issues in the intermediate level and back-end of the compiler. 1

Theorem proving and model checking have complementary strengths. Theorem proving can be applied to complex systems like complete processors, but it requires skilled manual guidance to verify most properties of practical interest. Model checking is automatic, but can only be applied to relatively small problems (e.g. fragments of processors, bus protocols); however, it provides counter-examples of great use in debugging. The research summarised here aimed to explore new ways to coherently combine the complementary strengths of each method. Two approaches that have been tried in the past are: (i) invoke a checker as an external black box from a prover [20], and (ii) define the checker entirely inside a prover [18]. The project described here explored a method that is between (i) and (ii). A model checker, holcheck, is defined in a theorem prover (HOL4 [12]) using efficient data manipulations provided by an external BDD engine [17, 11] as additional inference rules. Model checking is fully-expansive: it consists of a sequence of simple inference steps using a fixed set of rules, but it is efficient because the performance-critical steps are computed using state-of-the-art algorithms implemented in an external engine. In addition to implementing holcheck, several threads of theorem proving research were also followed. These are motivated and described in the next section. 2 Key Advances and Supporting Methodology An overview of the main scientific results of the project are listed below. • Implementation and public release of a fully expansive model checker for the µ-calculus and CTL using a BDD oracle linked to the HOL4 theorem prover. (Amjad [3, 1]) • Implementation in HOL4 of a fully automatic counterexample-guided abstraction refinement framework, using an external SAT oracle (Amjad [2]). • Case study using the model checker to verify properties of the AMBA bus (Amjad [5]). • Implementation of ‘boolification ’ proof strategies to translate high level data-types to vectors of booleans suitable for model checking (Hurd in collaboration with Prof. Slind of the