Graham Birtwistle - Böcker

This report describes the partially completed correctness proof of the Viper 'block model'. Viper [7,8,9,11,23] is a microprocessor designed by W. J. Cullyer, C. Pygott and J. Kershaw at the Royal Signals and Radar Establishment in Malvern, England, (henceforth 'RSRE') for use in safety-critical applications such as civil aviation and nuclear power plant control. It is currently finding uses in areas such as the de­ ployment of weapons from tactical aircraft. To support safety-critical applications, Viper has a particulary simple design about which it is relatively easy to reason using current techniques and models. The designers, who deserve much credit for the promotion of formal methods, intended from the start that Viper be formally verified. Their idea was to model Viper in a sequence of decreasingly abstract levels, each of which concentrated on some aspect ofthe design, such as the flow ofcontrol, the processingofinstructions, and so on. That is, each model would be a specification of the next (less abstract) model, and an implementation of the previous model (if any). The verification effort would then be simplified by being structured according to the sequence of abstraction levels. These models (or levels) of description were characterized by the design team. The first two levels, and part of the third, were written by them in a logical language amenable to reasoning and proof.

VLSI Specification, Verification and Synthesis Proceedings of a workshop held in Calgary from 12-16 January 1987. The collection of papers in this book represents some of the discussions and presentations at a workshop on hardware verification held in Calgary, January 12-16 1987. The thrust of the workshop was to give the floor to a few leading researchers involved in the use of formal approaches to VLSI design, and provide them ample time to develop not only their latest ideas but also the evolution of these ideas. In contrast to simulation, where the objective is to assist in detecting errors in system behavior in the case of some selected inputs, the intent of hardware verification is to formally prove that a chip design meets a specification of its intended behavior (for all acceptable inputs). There are several important applications where formal verification of designs may be argued to be cost-effective. Examples include hardware components used in "safety critical" applications such as flight control, industrial plants, and medical life-support systems (such as pacemakers). The problems are of such magnitude in certain defense applications that the UK Ministry of Defense feels it cannot rely on commercial chips and has embarked on a program of producing formally verified chips to its own specification. Hospital, civil aviation, and transport boards in the UK will also use these chips. A second application domain for verification is afforded by industry where specific chips may be used in high volume or be remotely placed.

This volume contains the papers presented at a workshop held at Banff, Canada, 10-14 September 1990, which gathered together researchers interested in applying higher order techniques to: reasoning about concurrency; specifying and reasoning about synchronous circuits (specifically butterfly circuits); reasoning about delay insensitive circuits; categorical concepts for programming languages and; support for automated reasoning. In the 1960s and 1970s, Landin, Burge and others demonstrated the application of higher order techniques and laid practical foundations for modern functional programming. The advantage of higher order techniques is that they provide succinct and clear specifications that are easy to reason with. Over the past few years, higher order techniques have been applied successfully to a wide range of applications in software, hardware, and communications. While the papers present recent research results, they have been written so as to be accessible to non hardliners. This volume should be of interest to readers who wish to gain a broad view of the subject, as well as to specialists in specific subtopics.

As the costs of power and timing become increasingly difficult to manage in traditional synchronous systems, designers are being forced to look at asynchronous alternatives. Based on reworked and expanded papers from the 7th Banff Higher Order Workshop, this volume examines asynchronous methods which have been used in large circuit design, ranging from initial formal specification to more standard finite state machine based control models. Written by leading practitioners in the area, the papers cover many aspects of current practice including practical design, silicon compilation, and applications of formal specification. It also includes a state-of-the-art survey of asynchronous hardware design. The resulting volume will be beneficial to anyone interested in designing correct asynchronous circuits which exhibit high performance or low power operation.