The formal verification used for the AAMP5 and AAMP-FV by Srivas, Mandayam
N96- 10031
It is becoming increasingly evident within the VLSI design industry that the complexity of many current hardware designs is outstripping the capability of traditional simulation-based tools to adequately verify them. This situation was well-illustrated by the recent floating point bug discovered in Intel's Pentium processor. The industry is beginning to look at formal verification as a technological alternative to simulation for obtaining higher assurance than is currently possible.
Recently, SRI International and Collins Commercial Avionics, a division of Rockwell International, undertook a project to explore how formal techniques for specification and verification could be introduced into an industrial process. The project, sponsored by the Systems Validation Branch of NASA Langley and Collins Commercial Avionics, consisted of specifying in the PVS language a portion of a Rockwell proprietary microprocessor, the AAMP5, at both the instruction set and register-transfer levels and using the PVS interactive proof-checker to show that the microcode correctly implemented the specified behavior for a representative subset of instructions.
The main goal of the project was two-fold: First, to investigate the feasibility of formally specifying and
verifying a complex commercial microprocessor that was not expressly designed for formal verification.
Second, to explore effective ways to transfer the technology to an industrial setting. The choice of the
AAMP5 satisfied the first goal since the AAMP5 was not designed for formal verification, but to provide
a more than threefold performance improvement while remaining object-code-compatible with the earlier
AAMP2, which is used in numerous avionics applications, including the Boeing 737, 747, 757, and 767.
To satisfy the technology transfer objective, we had to develop a suitable verification methodology and a
formal infrastructure to make the technology usable by practicing engineers. This infrastructure includes
techniques for decomposing the microprocessor verification problem into a set of verification conditions
that the engineers can formulate and strategies to automate the proof of the verification conditions. The
development of the infrastructure was one of the key accomplishments of the project. Most of the infrastructure and general methodology are expected to be reused for other microprocessors, certainly in the verification of another member of the AAMP family. This methodology was used to formally specify the entire microarchitecture and more than half of the instruction set and to verify a core set of eleven AAMP5 instructions representative of several instruction classes. However, the methodology and the formal machinery developed are adequate to cover most of the remaining AAMP5 instructions. Although PVS was the vehicle of the experiment, the methodology is applicable to other sufficiently powerful theorem provers.
Another key result of the project was the discovery of both actual and seeded errors. Two actual microcode errors were discovered during development of the formal specification, illustrating the value of simply creating a precise specification. Both were specific to the AAMP5 and were corrected before first fabrication. Two additional errors seeded by Collins in the microcode were systematically uncovered by SRI, who knew that bugs had been seeded, but not their location or identity, while doing correctness proofs. One of these was an actual error that had been discovered by Collins after first fabrication but left in the microcode provided to SRI. The other error was designed to be unlikely to be detected by walk-throughs, testing, or simulation.
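The verification-condition decomposition described above (one condition per instruction, relating the instruction-set spec to the register-transfer model) and the way a proof attempt exposes a seeded microcode error are illustrated by the following added example. It is not code from the AAMP5 project and is not PVS: the toy stack machine, its micro-ops and its microcode ROM are all assumptions, and the condition is checked by exhaustive enumeration over 4-bit words rather than by theorem proving.

```python
from itertools import product

def isa_step(op, stack):
    """Instruction-set level spec (assumed): visible effect of one macro instruction."""
    if op == "DUP":  return stack + [stack[-1]]
    if op == "ADD":  return stack[:-2] + [(stack[-2] + stack[-1]) % 16]
    if op == "SWAP": return stack[:-2] + [stack[-1], stack[-2]]
    raise ValueError(op)

def micro_step(uop, a, b, mem):
    """Register-transfer level (assumed): one micro-op on (A = top of stack, B = scratch, mem)."""
    if uop == "PUSH_A":  return a, b, mem + [a]
    if uop == "POP_B":   return a, mem[-1], mem[:-1]
    if uop == "ADD_AB":  return (a + b) % 16, b, mem
    if uop == "MOV_B_A": return b, b, mem
    raise ValueError(uop)

# Assumed microcode ROM: each macro instruction expands to a micro-op sequence.
MICROCODE = {
    "DUP":  ["PUSH_A"],
    "ADD":  ["POP_B", "ADD_AB"],
    "SWAP": ["POP_B", "PUSH_A", "MOV_B_A"],
}

def run_microcode(rom, op, a, b, mem):
    for uop in rom[op]:
        a, b, mem = micro_step(uop, a, b, mem)
    return a, b, mem

def abstract(a, b, mem):
    return mem + [a]  # abstraction map from micro state to ISA state; B is hidden

def check_microcode(rom, depth=2):
    """Commuting-diagram verification condition, one per instruction: abstract(micro run)
    == isa_step(abstract(start)). Returns None per op, or the first counterexample."""
    result = {}
    for op in rom:
        result[op] = None
        for n in range(1, depth + 1):          # number of stack words below the top
            for a, b, *mem in product(range(16), repeat=n + 2):
                expected = isa_step(op, abstract(a, b, mem))
                actual = abstract(*run_microcode(rom, op, a, b, mem))
                if expected != actual:
                    result[op] = (a, b, mem, expected, actual)
                    break
            if result[op]:
                break
    return result

if __name__ == "__main__":
    print(check_microcode(MICROCODE))                         # every entry is None
    print(check_microcode(dict(MICROCODE, ADD=["ADD_AB"])))  # seeded bug: no pop, stale B
```

The seeded ADD variant reuses whatever is in the scratch register and leaves the stack one word too deep; the check reports the first start state where the two levels disagree, which is the same information a failed proof obligation gives the engineer.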
Steve Miller's talk earlier in the workshop gave an overview of the AAMP5 project, emphasizing the technology transfer process with its administrative and managerial aspects. This talk describes the technical approach used in verifying the AAMP5. Please refer to Steve Miller's slides for the AAMP5 design figures.
https://ntrs.nasa.gov/search.jsp?R=19960000031 2020-06-16T07:06:07+00:00Z