VIPER Project N91-17573
John Kershaw
Royal Signals Radar Establishment
Malvern, England
The VIPER project has so far produced a formal specification of a 32-bit
RISC microprocessor, an implementation of that chip in radiation-hard SOS
technology, a partial proof of correctness of the implementation which is
still being extended, and a large body of supporting software. The time
has now come to consider what has been achieved and what directions should
be pursued in future.
The most obvious lesson from the VIPER project has been the time and effort
needed to use formal methods properly. Most of the problems arose in the
interfaces between different formalisms, e.g. between the (informal) English
description and the HOL spec, between the block-level spec in HOL and the
equivalent in ELLA needed by the low-level CAD tools. These interfaces
need to be made rigorous or (better) eliminated.
VIPER 1A (the latest chip) is designed to operate in pairs, to give
protection against breakdowns in service as well as design faults. We have
come to regard redundancy and formal design methods as complementary, the
one to guard against normal component failures and the other to provide
insurance against the risk of the common-cause failures which bedevil
reliability predictions.
Any future VIPER chips will certainly need improved performance to keep up
with increasingly demanding applications. We have a prototype design (not
yet specified formally) which includes 32- and 64-bit multiply, instruction
pre-fetch, more efficient interface timing, and a new instruction to allow
a quick response to peripheral requests. Work is under way to specify this
device in MIRANDA, and then to refine the spec into a block-level design by
top-down transformations. When the refinement is complete, a relatively
simple proof checker should be able to demonstrate its correctness.
https://ntrs.nasa.gov/search.jsp?R=19910008260
Example of NODEN output
The NODEN analysis suite provides automatic comparison between the
specification and design of moderately complex blocks of logic. The
following example is taken from the VIPER design. MINOR is the simplest
block in the chip, essentially consisting of a three bit counter. Following
this paragraph is its specification in NODEN-HDL, whilst on the following
pages are a correct and incorrect implementation. The final page shows
the output of the comparison program when presented with the erroneous
circuit.
\ ** MINOR STATE LOGIC in NODEN ** \
FN INCWORD3 = (word3: minor) -> word3:
  IF (VAL3 minor) = 7
  THEN WORD3 0
  ELSE WORD3((VAL3 minor)+1)
  FI.
BLOCK MINOR = (bool: nextmainbar advance reset intresetbar)
           -> ('word3: minor):
  IF reset OR (NOT intresetbar) OR
     (advance AND (NOT nextmainbar))
  THEN WORD3 0
  ELIF advance
  THEN INCWORD3 minor
  ELSE minor
  FI.
\ **** 'Library' of primitive gate functions **** \
FN INV   = (bool: a      ) -> bool: NOT a.
FN NAND2 = (bool: a b    ) -> bool: NAND(a,b).
FN EXNOR = (bool: a b    ) -> bool: a = b.
FN ORNAND= (bool: a b c d) -> bool: NAND(a OR b, c OR d).
\ NB. NAND3 & NAND4 are built-in functions \
\ **** Correct gate level implementation **** \
BLOCK MINOR = (bool: nextmnbar advance reset intrstbar)
           -> ('word3: minor):
BEGIN
  LET qbar_1 := NOT (minor[1]),
      qbar_2 := NOT (minor[2]),
      qbar_3 := NOT (minor[3]).
  LET gb2  := INV(advance).
  LET gb4  := INV(reset).
  LET gb1  := NAND4(nextmnbar, advance, gb4, intrstbar).
  LET gb3  := NAND3(gb2, gb4, intrstbar).
  LET gb7  := INV(qbar_1).
  LET gb8  := EXNOR(qbar_1, qbar_2).
  LET gb11 := INV(qbar_2).
  LET gb12 := NAND2(gb7, gb11).
  LET gb13 := EXNOR(gb12, qbar_3).
  OUTPUT (ORNAND(gb7,  gb1, gb3, qbar_1),
          ORNAND(gb8,  gb1, gb3, qbar_2),
          ORNAND(gb13, gb1, gb3, qbar_3)
         )
END.
\ **** Wrong gate level implementation **** \
BLOCK M_ERR = (bool: nextmnbar advance reset intrstbar)
           -> ('word3: minor):
BEGIN
  LET qbar_1 := NOT (minor[1]),
      qbar_2 := NOT (minor[2]),
      qbar_3 := NOT (minor[3]).
  LET gb2  := INV(advance).
  LET gb4  := INV(reset).
  LET gb1  := NAND4(nextmnbar, advance, gb4, intrstbar).
  LET gb3  := NAND3(gb2, gb4, intrstbar).
  LET gb7  := INV(qbar_1).
  \ ** Inverted qbar_2 ** \
  LET gb8  := EXNOR(qbar_1, NOT qbar_2).
  LET gb11 := INV(qbar_2).
  \ ** Missing NAND with gb7 ** \
  LET gb12 := gb11.
  LET gb13 := EXNOR(gb12, qbar_3).
  \ ** Inverted first output ** \
  OUTPUT (NOT(ORNAND(gb7, gb1, gb3, qbar_1)),
          ORNAND(gb8,  gb1, gb3, qbar_2),
          ORNAND(gb13, gb1, gb3, qbar_3)
         )
END.
Specification: 'MINOR'    Implementation: 'M_ERR'
COMPARISON ERROR: Implementation output 'minor[1]'
is always incompatible with the specification of
'minor[1]' - output inverted?
COMPARISON ERROR: Implementation output 'minor[2]'
is incompatible with the specification of 'minor[2]'
under the following circumstances:-
  nextmainbar = t
  advance     = t
  reset       = f
  intresetbar = t
For specification output 'minor[3]' - implementation
output 'minor[3]' :-
WARNING: Specification depends on minor[1] and
implementation doesn't
COMPARISON ERROR: Implementation output 'minor[3]'
is incompatible with the specification of 'minor[3]'
under the following circumstances:-
  nextmainbar = t
  advance     = t
  reset       = f
  intresetbar = t
  minor[2]    = f
*** Comparison fails, invalid implementation ***
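The comparison above can be reproduced by brute force, since MINOR has only four control inputs and eight states. The following Python model is an added example, not code from the paper or from the NODEN suite: it transcribes the NODEN-HDL specification, the correct gate-level block and the faulty M_ERR into functions, compares specification and implementation over every input pattern and state, and reports which output bits disagree and under which circumstances, much as the NODEN output does. The function names are mine, and the assumption that minor[1] is the least significant bit of the counter (which is what makes the gate-level MINOR agree with its specification) is also mine.

```python
# Added example: Python model of the NODEN MINOR block, its correct gate-level
# implementation and the faulty M_ERR, plus an exhaustive spec-vs-implementation
# comparison. Not the paper's or NODEN's code. Assumes minor[1] is the LSB.
from itertools import product

INPUTS = ("nextmainbar", "advance", "reset", "intresetbar")


def spec_minor(nextmainbar, advance, reset, intresetbar, minor):
    """BLOCK MINOR from the NODEN-HDL specification; minor is an int 0..7."""
    if reset or not intresetbar or (advance and not nextmainbar):
        return 0
    if advance:
        return (minor + 1) % 8  # INCWORD3: wraps from 7 back to 0
    return minor


# 'Library' of primitive gate functions, as in the NODEN text.
def inv(a): return not a
def nand2(a, b): return not (a and b)
def nand3(a, b, c): return not (a and b and c)
def nand4(a, b, c, d): return not (a and b and c and d)
def exnor(a, b): return a == b
def ornand(a, b, c, d): return nand2(a or b, c or d)


def bits(w):
    """word3 -> (minor[1], minor[2], minor[3]); minor[1] is the LSB (assumption)."""
    return tuple(bool((w >> i) & 1) for i in range(3))


def word(b):
    return sum(int(v) << i for i, v in enumerate(b))


def _control(nextmnbar, advance, reset, intrstbar):
    """Control gates shared by both implementations:
    gb1 is low exactly when the counter should increment,
    gb3 is low exactly when it should hold its value."""
    gb2 = inv(advance)
    gb4 = inv(reset)
    gb1 = nand4(nextmnbar, advance, gb4, intrstbar)
    gb3 = nand3(gb2, gb4, intrstbar)
    return gb1, gb3


def impl_minor(nextmnbar, advance, reset, intrstbar, minor):
    """Correct gate-level implementation (BLOCK MINOR)."""
    qbar_1, qbar_2, qbar_3 = (not m for m in bits(minor))
    gb1, gb3 = _control(nextmnbar, advance, reset, intrstbar)
    gb7 = inv(qbar_1)
    gb8 = exnor(qbar_1, qbar_2)
    gb11 = inv(qbar_2)
    gb12 = nand2(gb7, gb11)
    gb13 = exnor(gb12, qbar_3)
    return word((ornand(gb7, gb1, gb3, qbar_1),
                 ornand(gb8, gb1, gb3, qbar_2),
                 ornand(gb13, gb1, gb3, qbar_3)))


def impl_m_err(nextmnbar, advance, reset, intrstbar, minor):
    """Faulty implementation (BLOCK M_ERR) with the three planted defects."""
    qbar_1, qbar_2, qbar_3 = (not m for m in bits(minor))
    gb1, gb3 = _control(nextmnbar, advance, reset, intrstbar)
    gb7 = inv(qbar_1)
    gb8 = exnor(qbar_1, not qbar_2)  # inverted qbar_2
    gb11 = inv(qbar_2)
    gb12 = gb11                      # missing NAND with gb7
    gb13 = exnor(gb12, qbar_3)
    return word((not ornand(gb7, gb1, gb3, qbar_1),  # inverted first output
                 ornand(gb8, gb1, gb3, qbar_2),
                 ornand(gb13, gb1, gb3, qbar_3)))


def compare(spec, impl):
    """Exhaustive comparison over all 16 input patterns x 8 states.
    Returns {output bit: [failing input assignments]}; all lists empty
    means the implementation is compatible with the specification."""
    errors = {1: [], 2: [], 3: []}
    for vals in product((False, True), repeat=4):
        for minor in range(8):
            s, i = bits(spec(*vals, minor)), bits(impl(*vals, minor))
            for k in range(3):
                if s[k] != i[k]:
                    errors[k + 1].append(dict(zip(INPUTS, vals), minor=minor))
    return errors


def depends_on(block, out_bit, state_bit):
    """Does output minor[out_bit] ever change when only minor[state_bit] is
    toggled? Reproduces NODEN's 'specification depends on ...' warning."""
    mask = 1 << (state_bit - 1)
    for v in product((False, True), repeat=4):
        for m in range(8):
            if bits(block(*v, m))[out_bit - 1] != bits(block(*v, m ^ mask))[out_bit - 1]:
                return True
    return False


if __name__ == "__main__":
    assert not any(compare(spec_minor, impl_minor).values())
    for bit, cases in compare(spec_minor, impl_m_err).items():
        print(f"minor[{bit}]: {len(cases)} mismatching cases")
    print("spec depends on minor[1] for minor[3]:", depends_on(spec_minor, 3, 1))
    print("M_ERR depends on minor[1] for minor[3]:", depends_on(impl_m_err, 3, 1))
```

Run as a script, the model confirms that the correct block agrees with the specification everywhere, that the inverted first output of M_ERR disagrees on every one of the 128 input/state combinations, that minor[2] disagrees only when the counter is incrementing (nextmainbar and advance and intresetbar true, reset false), and that minor[3] of M_ERR no longer depends on minor[1], which is exactly the WARNING the NODEN comparison prints.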
NODEN changes
• Negative integer subranges allowed
  E.g. TYPE i8 = INT[-128..127].
• Automatic casts between types
  E.g. (t,t,f) + bool3_val + i8_val
• 2's complement []bool to integer ops.
• Explicit legal value, !bool
• Compiler about four times faster.
• Analyser about twice as fast.
Old NODEN_HDL
FN INCWORD3 = (word3: minor) -> word3:
  IF (VAL3 minor) == 7
  THEN WORD3 0
  ELSE WORD3 ((VAL3 minor) + 1)
  FI.
New NODEN_HDL
FN INCWORD3 = (word3: minor) -> word3:
  IF minor == 7 THEN 0 ELSE minor + 1 FI.
Why VIPER2?
• Faster, 32 and 64 bit multiply
• Improved interface to outside world
• New design methods now available
Extra Speed by ..
• Instruction pre-fetch
• Dedicated adders for P and indexing
• Half-cycle overlaps rather than full cycle
Speed more than 3x at same clock frequency
On-board Multiply Instructions
Three separate instructions, F = 13, 14, 15
• Signed, 32 bit product, stop on OVF
• Unsigned, LS 32 bits of product
• Unsigned, MS 32 bits of product
Improved interface
• "Call on signal" instruction
• "Frame restart" input
• Longer setup and hold times on memory and I/O cycles
New design methods
Top-down synthesis by correctness-preserving transformations
• Starts from specification in MIRANDA
• Generates proof as part of design process
• May scale up better than post hoc proof
VIPER 1A perspective
The present chip falls in between the main application areas:
• Automotive and comms: too expensive,
  minimum system too big (5 memory chips)
• Avionics: not fast enough, no multiply
• Space: about right, tiny market
[Figure: two VIPER processors running in step, with their outputs compared
("Exactly equal?"): if not equal, STOP; if equal, OPERATE. Caption:
"Dependable Error Reporting".]
[Figure: VIPER 1A paired system. An Active VIPER and a Monitor VIPER share
the Clock, memory and a Timer; a comparator (A=B) drives the FAIL output.
The system connects to a Mil 1553/STANAG 3838 bus.]