Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.
Introduction
This technical report summarizes an evaluation of the Larch/VHDL hardware design verification tool environment. The tool evaluation is based upon the formal verification of the Multi-Technology Processor (MTP) design.
A Larch/VHDL tool environment has been developed by Odyssey Research
Associates (ORA) under contract with Rome Laboratory. The tool combines a specification language, Larch [2] , with a widely used hardware design language, VHSIC Hardware Description Language (VHDL) [14] . These two notations provide a highly 
Background
The Larch/VHDL verification environment is a combination of Larch, VHDL, and the Penelope theorem prover. Larch is a two-tiered specification language developed at the Massachusetts Institute of Technology (MIT). The first tier, the Larch Shared Language (LSL) [4] , is a first order predicate calculus used to build the traits, or theories, that define the sorts (VHDL types) used by the target language, i.e., bit, word, string, arrays, integer, function, etc. The second tier, called the interface language [2] , defines the communication mechanisms of the target language, Ada, C, C++ or in this case VHDL, in the Larch notation. LSL is used to mathematically model data objects and operations on those objects, while the interface language maps the VHDL model into the abstractions represented by the Larch expressions for the purpose of formal reasoning.
VHDL evolved in part from a subset of the general purpose programming language Ada, and has been extended with capabilities to describe complex timing situations in hardware designs [14] .
Larch/VHDL is an interactive environment that helps its user to develop and verify digital electronic hardware designs written in VHDL. Larch/VHDL is well suited to developing code in the goal-directed style advocated by Gries [3] and Dijkstra [1] . In this style the designer develops a VHDL model from a specification in a way that assures the VHDL model will meet the specification.
In order to verify a large design, we will want to decompose the design into manageable pieces (even if we do not want to, we will be forced to) that we can specify and verify separately. These pieces will need to be combined to form the full design and the way the pieces interact will have to be rigidly defined to enable us to reason about the combined system. To be useful, this decomposition process should be fully hierarchical so that the pieces can be further decomposed. To do this kind of decomposition in a disciplined way we will therefore need all the machinery that is provided by the entities, ports, component instantiations, port maps, etc. provided by a hardware description language like VHDL. To reason about how the state of the design evolves in time, we will want to reason about when individual pieces of data change and how long they have been stable, so we need the equivalents of the signals, events, stable, delayed, etc.
provided by VHDL. Typical mathematical structuring constructs such as parameterized
Larch traits or parameterized theories in PVS (a theorem prover generally used to verify consistency of requirements specifications) are not directly applicable to such needs.
In short, since all the machinery of an HDL is needed to verify a large design, it makes sense to use an existing well designed language like VHDL to organize the verification effort rather than reinvent such machinery inside a mathematical language.
Of course, we can use verified designs written in VHDL to communicate the design to other tools for simulation, synthesis, and layout. This is a beneficial feature of an HDL based verification system but it is not the main reason for choosing this approach. The main goal is specification and verification of designs independent of how they are described, but we claim that the structure provided by the HDL is essential to achieving this goal, so we might as well make use of the hardware description language for these other tasks as well.
The advantage of starting with a specification (in this case written in Larch) is that the specification is precise and compact. Also, in a hierarchical design process, the higher level designs may be refined to specifications of components. This allows for each refinement to be traced back to the original specification for compliance, i.e. verification.
The integration of Larch and VHDL provides a path from specification to implementation.
The Larch/VHDL environment includes a large body of traits that define the basic constructs of digital design such as bit, vector, gate, logic operations and so on. Traits define sorts (logical types, including functions) and state properties or assertions that must hold true. Traits also contain theorems which are statements that are deducible from assertions, previously deduced theorems, and/or the assertions or theorems of other traits that are included. The two-tiered Larch approach allows designers the capability to extend the library of traits in order to support user defined sorts in their models. Once implemented, the traits are available as library components for reuse in other applications.
Traits are used to capture the concepts and relationships used in digital design, such as arithmetic, arrays, and lists. To support VHDL semantics there are traits defining signals, and signal delay, and other concepts needed to express the semantics of VHDL.
Traits also describe the relationship between bit level operations and their arithmetic interpretation, in twos-complement or unsigned bit-level representations.
The Penelope theorem prover was originally developed for proving the correctness of Ada procedures. It is the purpose of the Penelope theorem prover to assist the user in proving theorems from the supplied axioms and included traits by applying logic reduction rules according to user directions and indicates to the user what, if anything, still has to be proved after each step. Penelope includes a simple proof editor/checker for predicate calculus that provides a number of proof rules for performing simplification and proofs.
ORA would like Penelope to automatically simplify the logic conditions that it computes, and to automatically prove the verification conditions if possible.
Unfortunately, all but the most trivial simplification and proofs in Penelope require the guidance and control of the user. This interaction is necessary because of the wellknown fact that simplification and theorem proving are in general undecidable; even so called automatic theorem provers usually require a good deal of guidance from human beings.
The motivation for developing this type of verification tool environment is that it is infeasible to exhaustively simulate all possible combinations of inputs to hardware designs because the design complexity and data path widths have increased. Our goal was to develop a formal verification tool that complements the current (simulationbased) hardware design process.
The Larch/VHDL verification process augments the design process in four ways: 
Combining Specifications and Proofs
We turn now to the process of verifying VHDL designs. Figure 2 
Figure 2 The Larch/VHDL verification process

Applications
The focus of most of the activity in evaluating the Larch/VHDL tool is the MTP design. It has been modeled at two levels, one level fairly abstract (behavior level) and the other more concrete (register transfer level). Details on these two levels are given below following the section "Terminology and Example Design" below.
Verification at Multiple Levels
Motivation for proving design correctness at multiple levels derives from the complexity of even a simple device design. This complexity is dealt with first by describing the device's architecture from the perspective of someone programming the device with assembly language, a perspective somewhat removed from the details of ALU operation and data paths. The assembly language view verification of correctness is performed within this model and is intended to find conceptual errors early in the design process. A more detailed view at a lower level is provided from the hardware designer's perspective. At this level errors which can affect the operation of a smaller part of the design can be found.
Terminology and Example Design
The following discussion is focused on digital logic, whether considered as an expression of a device's purpose or as a collection of logic gates, "the design", while a VHDL description of a design is known as a "model".
Properties of a model of a digital logic hardware design can be expressed at more than one level of detail: Instruction Set Architecture (ISA), behavioral, or Register Transfer Level (RTL). "Behavioral" design properties are those that are typically generated from the requirements of the intended user of the system. Behavioral properties generally are informal, and state functional requirements in natural language. The requirements are then translated into the language of some formal specification system. The process from here forward is one of trying to match a requirements property with one or more properties of the model to determine if the requirement is met within the model. The process has often been described as checking to see if the implementation (model) meets (implies) the specification (requirements).
Applying the Penelope Theorem Prover
12
In the context of a VHDL design, the original proof obligation is the Verification Condition (VC) (Figure 2 ), which is generated automatically by the Larch/VHDL tool.
During the proof process the original proof property (VC) considered as an obligation is converted by each proof step into another proof obligation. A proof is complete when there is no remaining proof obligation. The proof ends with "BY synthesis of TRUE" or "BY analysis of FALSE".
In most sequences of proof steps assumptions are involved, and they are designated "hypotheses". The "conclusion" (symbolically, "hypotheses" -> "conclusion") based on these hypotheses is a proof obligation. Formally, the conjunction ("anding" together) of the hypotheses implies the conclusion.
A property could be an axiom, a basic assumption, usually about some physical situation, where following the keyword "asserts" are axioms about writing and reading memories, plus an axiom particular to the register file of a design described below.
A VHDL entity defines the input and output signals for a design, and exists as a file apart from the VHDL architecture that contains design implementation details. The physical separation of entity and architecture allows association of multiple architectures to a single entity. Specifications relate to VHDL directly at the entity declaration by referencing variables listed in the entity interface file. In this view creating the entity is the beginning of the formal design process, in that both the Larch-like specification and the VHDL architecture follow from it. Just such a chronology is followed with graphical assistance to the process of creating files and constructing proofs, as described below. The word "specification" is used often throughout this report in the context of the MTP example, and refers to the formal logic descriptions of the MTP as developed from the informal descriptions in English text, written in the Larch specification language.
Our approach is to describe and reason about the design at the level of integer arithmetic, which is more intuitive to the user. Integer arithmetic is supported by twos-complement arithmetic properties (subtraction implemented as addition), and to using bit-string ("bit- 
Instruction Set Architecture Property Proofs
One "behavioral" view of the design is that of an Instruction Set Architecture (ISA).
The ISA views the design's function in terms of the assembly language instructions which execute on the hardware. This is a level high enough that capabilities identified in the requirements for the design can be distinguished (one instruction for each capability), but still primitive enough that each instruction could be implemented in a small microcode function. The inspiration for proving properties of the design at the ISA level came from a Syracuse University project [16] The declarative style of this specification is evident in the appearance of both current and updated values in the "exe" function. , ev)) elsez)))))))))))) flag_op_c: up_c_flags(i, srl, sr2, dr, dbusin, rf, c) 
Listing 1 Specification of the ISA model
The style of the statements is declarative. This means that properties of a model are expressed as equations of logic functions with Boolean parameters. These logic functions express properties of a model when used in equations where the individual variable name parameters are substituted with Boolean expressions of logic variables. As an example (see Table 1 below), if the updated register file is denoted by "nrf", the original state of the register file (before execution of a given instruction "i") by "rf", and the output data by a function named "alu", where its parameters are instruct ion "i", ALU inputs from register file locations "srl" and "sr2", and register file destination (offset into the register file as an array) "dr" of the ALU output, then the relation as expressed by an equation is "nrf = rf[dr=>alu(i,srl,sr2,dr,rf)]". The symbol "=>" assigns ALU output at offset "dr" into the register file "rf". Proofs of properties at the ISA level generally involve searching through "tables" 
Register Level Property Proofs
Register level properties proved in this activity were generated from a VHDL With VHDL, properties to be proved can be expressed more precisely than with specifications alone. As a related benefit in an environment involving VHDL, more of the process of deriving properties to be proved (some properties described as verification conditions, or VC's) can be automated. In contrast to higher level specifications, where there is a much wider variety of syntax available for describing concepts not necessarily confined to hardware description, the majority of VHDL syntax supports very regular and repeatable constructs, such as gates, registers, and interactions among them. User supplied properties ("the specification") are also referred to as "guarantees". See Figure   5 . It is a more detailed version of Figure 2 in that it emphasizes the dynamics of proof process iteration, as opposed to Figure 2 , which featured inputs to this process. Much of the process is aided by organizational tools, such as a graphical user interface (GUI).
Within a GUI environment the Larch/VHDL use r makes choices from an associated menu to create a graph whose nodes are files used for constructing VC's. This is accomplished as follows. The user supplies file names and directory pathnames for four files: a VHDL entity, a VHDL architecture, proof node, and a Larch-like specification. The entity node is constructed first, and the pull-down menu at the already-constructed entity node allows even more automated construction of the associated specification node, VHDL architecture node, and proof node. Pull-down menus at the entity node, specification node, and VHDL architecture node allow an editor (e.g., emacs, vi) to create/open these files directly from their respective nodes on the graph. The specification contains the "guarantee", or property, to be proved about the VHDL architecture. See Figure 6 and Figure 1 above. The pull-down menu at the proof node allows the user to open the interactive proof editor (Penelope) and automatically construct and load the proof.
Note that depending on how much the user has interacted with the proof process already, the proof file loaded may be the file representing progress ranging anywhere from a beginning situation just after the VC's have been generated (no proof steps have been made yet), to a completed proof. These capabilities require then that the user has first constructed a VHDL entity file, a specification file, and a VHDL architecture file.
Finally the proof editor is opened and loaded automatically with the VC's and other properties (the "guarantees") recognizable from the specification file. At this point the user is ready to start proving the correctness of the VC's by using the proof editor interactively. Examples of related sets of entities, specifications, and architectures are given in Appendix E.
Conclusions about Verification at Multiple Levels
The Larch/VHDL tool supports the verification of components at different levels of the design hierarchy: ISA, behavioral and RTL, and the verification of the composition User involvement in the proof process extends to more than just the ability to select proof steps and arrange the order of applying them. The user has the option of reaching proof completion by applying domain knowledge to decrease the number of proof steps.
This is a more active approach than responding passively to a proof obligation that remains after applying the most recent proof step. Domain knowledge is applied to the proof by making a claim which splits the remaining proof obligation into two parts, a new proof obligation to prove correct the statement of the claim itself with the hypotheses prior to the claim's existence, and a second part which repeats the original proof obligation and hypotheses augmented by the claim as a new hypothesis. Therefore, the claim has to be proved correct, and then it can be used as an additional hypothesis with the original proof obligation. The syntax of the claim is a statement about logic variables which appear in the original proof obligation. There is a tradeoff between the opportunity for shorter proofs and the amount of domain knowledge required of the user in order to state a claim effective at shortening the proof.
The user also needs to determine optimal substitutions when instantiating theorems 
Conclusions
Adopting a formal specification and proof of correctness methodology has produced several benefits over traditional simulation based design environments.
Formulating high level Larch specifications in itself uncovered design omissions and errors in the early stages of this project, particularly with regard to behavioral definitions of integer arithmetic. Specific behavioral descriptions related to shifting operations and arithmetic overflow were clarified when discrepancies were identified in the process of writing formal specifications from ordinary English descriptions of behavior. The operative difference is that although one could precede traditional simulation with a formal specification, the formal specifications used in connection with theorem proving are linked to the theorem proving activity by the "guarantees" statements referenced earlier in this report. The specification process, while as thorough as possible for capturing a designer's intentions, when followed by standalone simulation allows another source of error to be injected via misinterpretation between specification and simulation.
There are a number of reasons why theorem proving compares favorably with simulation.
As stated briefly before, proof of each theorem about a design covers correctness of multiple design input configurations otherwise treated separately under simulation. The typical argument in favor of theorem proving versus simulation for data paths is that for any combination of O's and l's on a bus, with the data path width as the exponent and two as a base, there are two to that exponent possible combinations of data path values.
All of these combinations must be simulated separately in lieu of proving a single theorem characterizing the setting and reading (interpreting) of the entire bit field
representing those values. Such theorems would generally describe the effect of a change in one bit of data in this data field on any subdesign which uses the data path as input. Beyond this initial concern over combinatorial explosion (complexity exponential in the data path width), the data path paradigm is treated much more generally by theorem proving, as many proof environments allow the user to parameterize all theorems and proofs on the width of the data path without specifying width explicitly.
Alternatively, a change in data path width requires that a simulation based check for correctness would have to be repeated from the beginning.
The repetitious nature of simulation makes human interaction less effective (monotony and propensity for errors in human review of massive displays of very similar patterns) and makes no use of the hierarchy of design possible with theorem proving.
Although no claim is made that portions of that hierarchy handled best by theorem proving techniques are a total replacement for simulation, the structure of such a hierarchy is made more apparent to the user of a theorem proving environment. Subtle design flaws masked by poorly chosen hierarchical structure would be harder to detect with simulation. A secondary benefit of obvious theorem prover support for hierarchy in design is that the entire design can be more easily comprehended. Since hierarchy also ensures more modularity, parts of a given design can be more easily isolated within a theorem proving environment, for later reuse in another design. In contrast, although a simulation environment allows separating parts of design for independent simulation, the combinatorial explosion problem referenced earlier is made worse when data paths are disconnected to isolate modules in a more detailed phase of a design. The number of input and output port data paths (at the boundaries of the newly created modules) is increased, thereby increasing at least linearly the total number of unique input and output combinations to be verified. The number of input and output combinations to be checked doubles for every disconnection. Table 2 
MISSION OF ROME LABORATORY
Mission. The mission of Rome Laboratory is to advance the science and technologies of command, control, communications and intelligence and to transition them into systems to meet customer needs. To achieve this, Rome Lab: 
