Abstract
Viper [7,8,9,11,23] is a microprocessor designed by W. J. Cullyer, C. Pygott and J. Kershaw at the Royal Signals and Radar Establishment in Malvern, England (RSRE), and is now commercially available. Viper was intended for use in safety-critical applications such as civil aviation and nuclear power plant control. It is currently being evaluated (as part of the “VENOM” project [10]) for use as an input-output controller in the deployment of weapons from tactical aircraft. To satisfy requirements of safety-criticality, Viper has a particularly simple design about which it is relatively easy to reason using current techniques and models. The designers at RSRE, who deserve much credit for the promotion of formal methods, intended from the start that Viper be formally verified. The verification project has been carried out at the University of Cambridge. The University was and is not involved with any of the applications of Viper, civil or otherwise, and the whole verification project is and has been fully in the public domain. This report describes the partially completed correctness proof, in the HOL system, of the Viper ‘block model’ with respect to Viper’s top level functional specification. The (fully completed) correctness proof of the Viper ‘major state’ model has already been reported in [5]. This paper describes the analysis of the block model in some detail (in Sections 6 to 9), so is necessarily rather long. Section 2 is a discussion of the scope and limits of the word ‘verification’, and cautions against careless use of the term. The paper includes a very brief introduction to HOL (Section 4), but does not attempt a description or rationalization of Viper’s design.The possible uses of the paper are as follows:
• It includes enough detail to support an attempt to repeat the proof in HOL, or possibly in other theorem-proving systems;
• It serves as a guide for future analyses of Viper;
• It complements the existing Viper documentation;
• It covers some general issues in hardware verification;
• It illustrates some problems in managing large HOL proofs.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
H. G. Barrow, VERIFY: A Program for Proving Correctness of Digital Hard¬ware Designs, Artificial Intelligence Vol. 24, 1984
A. Camilieri, M. Gordon and T. Melham, Hardware Verification using Higher- Order Logic, Proceedings of the IFIP WG 10.2 Working Conference: From H.D.L. Descriptions to Guaranteed Correct Circuit Designs, Grenoble, September 1986, ed. D. Borrione, North-Holland, Amsterdam, 1987
A. Church, A Formulation of the Simple Theory of Types, Journal of Symbolic Logic 5, 1940
A. Cohn and M. Gordon, A Mechanized Proof of Correctness of a Simple Counter, University of Cambridge, Computer Laboratory, Tech. Report No. 94, 1986
A. Cohn, A Proof of Correctness of the Viper Microprocessor: the First Level, VLSI Specification, Verification and Synthesis, eds. G. Birtwistle and P.A. Subrahmanyam, Kluwer, 1987; Also University of Cambridge, Computer Laboratory, Tech. Report No. 104
W. J. Cullyer and C. H. Pygott, Hardware Proofs using LCFXSM and ELLA, RSRE Memo. 3832, Sept. 1985
W. J. Cullyer, Viper Microprocessor: Formal Specification, RSRE Report 85013, Oct. 1985
W. J. Cullyer, Viper — Correspondence between the Specification and the “Major State Machine”, RSRE report No. 86004, Jan. 1986
W. J. Cullyer, Implementing Safety-Critical Systems: The Viper Microproces¬sor, VLSI Specification, Verification and Synthesis, eds. G. Birtwistle and P.A. Subrahmanyam, Kluwer, 1987
C. Gane (Computing Devices Company Ltd.), Computing Devices, Hastings’ VIPER-VENOM Project: VIPER in Weapons Stores Management, SafetyNet: Viper Microprocessors in High Integrity Systems, Enq. No. 021, Issue 2, July- August-September 1988, Viper Technologies Ltd., Worcester
J. Cullyer et. al., forthcoming book
M. Gordon, R. Milner and C. P. Wadsworth, Edinburgh LCF, Lecture Notes in Computer Science No. 78, Springer-Verlag, 1979
M. Gordon, Proving a Computer Correct, University of Cambridge, Computer Laboratory, Tech. Report , 1983
M. Gordon, HOL: A Machine Oriented Formulation of Higher-Order Logic, University of Cambridge, Computer Laboratory, Tech. Report No. 68, 1985
M. Gordon: A Proof Generating System for Higher-Order Logic, Univer¬sity of Cambridge, Computer Laboratory, Tech. Report No. 103, 1987; Revised version in VLSI Specification, Verification and Synthesis, eds. G. Birtwistle and P.A. Subrahmanyam, Kluwer, 1987
M. P. Halbert (Cambridge Consultants Ltd.), Selfchecking Computer Module Based on the ViperlA Microprocessor, SafetyNet: Viper Microprocessors in High Integrity Systems, Enq. No. 017, Issue 2, July-August-September 1988, Viper Technologies Ltd., Worcester
W. A. Hunt Jr., FM8501: A Verified Microprocessor, University of Texas, Austin, Tech. Report 47, 1985
J.J. Joyce, Formal Verification and Implementation of a Microprocessor, VLSI Specification, Verification and Synthesis, eds. G. Birtwistle and P.A. Subrah¬manyam, Kluwer, 1987
J. J. Joyce, private communication
J. Kershaw, Viper: A Microprocessor for Safety-Critical Applications, RSRE Memo. No. 3754, Dec. 1985
T. Melham, private communication
L. Paulson, Interactive Theorem Proving with Cambridge LCF, Cambridge University Press, 1987
C. H. Pygott, Viper: The Electronic Block Model, RSRE Report. No. 86006, July 1986
Viper Microprocessor: Verifiable Integrated Processor for Enhanced Reliabil¬ity: Development Tools, Charter Technologies Ltd., Publication No. VDT1, Issue 1, Dec. 1987
Application for Admission and Registration Form, Second VIPER Symposium, RSRE, Malvern, 6-7 September, 1988
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 1989 Springer-Verlag New York Inc.
About this chapter
Cite this chapter
Cohn, A. (1989). Correctness Properties of the Viper Block Model: The Second Level. In: Birtwistle, G., Subrahmanyam, P.A. (eds) Current Trends in Hardware Verification and Automated Theorem Proving. Springer, New York, NY. https://doi.org/10.1007/978-1-4612-3658-0_1
Download citation
DOI: https://doi.org/10.1007/978-1-4612-3658-0_1
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4612-8195-5
Online ISBN: 978-1-4612-3658-0
eBook Packages: Springer Book Archive