The AAMP5/AAMP-FV Project
N96-10027

Steven P. Miller
Collins Commercial Avionics
Rockwell International
Cedar Rapids, IA 52498 USA
spmiller@pobox.cca.rockwell.com

Mandayam Srivas
Computer Science Laboratory
SRI International
Menlo Park, CA 94025 USA
srivas@csl.sri.com
Software and digital hardware are increasingly being used in situations where failure could be life threatening,
such as aircraft, nuclear power plants, weapon systems, and medical instrumentation. Several authors have
demonstrated the infeasibility of showing that such systems meet ultra-high reliability requirements through
testing alone [1,2]. Formal methods are a promising approach for increasing our confidence in digital systems, but
many questions remain on how they can be used effectively in an industrial setting.
This presentation describes a project, formal verification of the microcode in the AAMP5 microprocessor,
conducted to explore how formal techniques for specification and verification could be introduced into an industrial
process. Sponsored by the Systems Validation Branch of NASA Langley and by Collins Commercial Avionics,
a division of Rockwell International, it was conducted by Collins and the SRI International Computer Science
Laboratory. The project consisted of specifying in the PVS language developed by SRI [3] a portion of a Rockwell
proprietary microprocessor, the AAMP5, at both the instruction set and register-transfer levels and using the PVS
theorem prover to prove the microcode correct for a representative subset of instructions.
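As an added illustration of the two-level approach described above (this is not code from the AAMP5 project, which specified a proprietary instruction set in PVS): a toy stack machine is specified at the instruction-set level and at the register-transfer (micro-operation) level, an abstraction map relates the two, and the microcode for each instruction is checked against the instruction-set semantics by the commuting-diagram property. Exhaustive enumeration over a small state space stands in here for the mechanical proof, and a seeded operand-order error in the SUB microcode shows how such a check exposes the kind of error the proofs uncovered; the instruction names, micro-operations and the seeded bug are all constructed for this example.

```python
from dataclasses import dataclass
from functools import reduce
from itertools import product

WORD = 0xFF  # 8-bit words keep the state space small enough to enumerate

def exec_isa(s, instr):
    """ISA-level semantics (the specification): s = (pc, stack), top of stack last."""
    pc, st = s[0], list(s[1])
    if instr in ("ADD", "SUB"):
        b, a = st.pop(), st.pop()
        st.append((a + b if instr == "ADD" else a - b) & WORD)
    elif instr == "DUP":
        st.append(st[-1])
    return (pc + 1, tuple(st))

@dataclass(frozen=True)
class MicroState:   # register-transfer level: top of stack cached in a register
    pc: int
    stack: tuple    # stack elements below the TOS register
    tos: int
    tmp: int = 0    # scratch register, invisible at the ISA level

def micro_step(m, uop):
    """One constructed micro-operation on the register-transfer state (the implementation)."""
    pc, st, tos, tmp = m.pc, m.stack, m.tos, m.tmp
    if uop == "POP_TMP":     return MicroState(pc, st[:-1], st[-1], tos)
    if uop == "ALU_ADD":     return MicroState(pc, st, (tos + tmp) & WORD, tmp)
    if uop == "ALU_SUB":     return MicroState(pc, st, (tos - tmp) & WORD, tmp)
    if uop == "ALU_SUB_BUG": return MicroState(pc, st, (tmp - tos) & WORD, tmp)  # seeded: operands swapped
    if uop == "PUSH_TOS":    return MicroState(pc, st + (tos,), tos, tmp)
    if uop == "INC_PC":      return MicroState(pc + 1, st, tos, tmp)
    raise ValueError(uop)

MICROCODE = {"ADD": ["POP_TMP", "ALU_ADD", "INC_PC"], "SUB": ["POP_TMP", "ALU_SUB", "INC_PC"],
             "DUP": ["PUSH_TOS", "INC_PC"]}
SEEDED = dict(MICROCODE, SUB=["POP_TMP", "ALU_SUB_BUG", "INC_PC"])  # copy with a seeded error

def abstract(m):  # abstraction map from register-transfer state to ISA state
    return (m.pc, m.stack + (m.tos,))

def verify(microcode, values=range(4)):
    """Commuting-diagram check abstract(run(m)) == exec_isa(abstract(m)) for every
    instruction over every 2-deep stack of small values; returns the counterexamples."""
    bad = []
    for instr, (x, y) in product(microcode, product(values, repeat=2)):
        m = MicroState(pc=0, stack=(x,), tos=y)
        if abstract(reduce(micro_step, microcode[instr], m)) != exec_isa(abstract(m), instr):
            bad.append((instr, x, y))
    return bad
```

verify(MICROCODE) returns no counterexamples, while verify(SEEDED) returns every SUB state whose two operands differ, because the swapped ALU operands change the result only when a != b.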
While this presentation includes a brief technical overview (see [4,5] for a full technical discussion), its
emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal
methods in an industrial setting. The central result of this project was to demonstrate the feasibility of formally
specifying a commercial microprocessor and the use of mechanical proofs of correctness to verify microcode. This
is particularly significant since the AAMP5 was not designed for formal verification, but to provide a more than
threefold performance improvement, by pipelining instruction execution, while remaining object-code compatible
with the earlier AAMP2. As a consequence, the AAMP5 is one of the most complex microprocessors to which
formal methods have been applied.
Another key result was the discovery of both actual and seeded errors. Two actual microcode errors were
discovered and corrected during development of the formal specification, illustrating the value of simply creating
a precise specification. Two seeded errors were systematically uncovered while doing correctness proofs. One of
these was an actual error that had been discovered after first fabrication but left in the microcode provided to SRI.
The other error was designed to be unlikely to be detected by walkthroughs, testing, or simulation.
Several other results emerged during the project, including the ease with which practicing engineers became
comfortable with PVS, the need for libraries of general purpose theories, the usefulness of formal specification in
revealing errors, the natural fit between formal specification and inspections, the difficulty of selecting the best style
of specification for a new problem domain, the high level of assurance provided by proofs of correctness, and the
need to engineer proof strategies for reuse.
Many of the costs of the AAMP5 project can be attributed to the overhead of applying an experimental method
for the first time. To determine how much these costs can be reduced through reuse of the AAMP5 expertise,
Collins, SRI, and NASA are conducting a follow-on project to verify the microcode in the AAMP-FV, a smaller
microprocessor design similar to those actually used in autoland systems. A report on the status of this project is
also presented.
[1] Butler, R. and G. Finelli, The Infeasibility of Experimental Quantification of Life-Critical Software Reliability, Software Engineering Notes, Vol. 16, No. 5, pg. 66-76, December 1991.
[2] Littlewood, B. and L. Strigini, Validation of Ultra-High Dependability for Software-based Systems, Communications of the ACM, Vol. 36, No. 11, pg. 69-80, November 1993.
[3] Owre, S., J. Rushby, and N. Shankar, PVS: A Prototype Verification System, In Deepak Kapur, Editor, 11th International Conference on Automated Deduction (CADE), pg. 748-752, Saratoga, NY, June 1992, Vol. 607 of Lecture Notes in Artificial Intelligence, Springer-Verlag.
[4] Srivas, M. and S. Miller, Formal Verification of the AAMP5: A Case Study in the Verification of a Commercial Microprocessor, to appear in Applications of Formal Methods, Michael G. Hinchey and Jonathan P. Bowen, Editors, Prentice-Hall International Series in Computer Science.
[5] Srivas, M. and S. Miller, Formal Verification of an Avionics Microprocessor, to be submitted as a NASA Contractor Report.
https://ntrs.nasa.gov/search.jsp?R=19960000027