




A formal program verification is a (mathematical) proof that a program executed according to its
intended model meets some specification. This proves that the algorithm defined by the program is
correct in the precise technical sense of being consistent with a particular specification. A program
correct in this sense is free from a large and important class of errors, even though its behavior may
still produce unintended results---either because the implementation of the programming language
itself does not match the model of execution, or because the specification does not correctly express
the user's intentions.
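The two caveats in this paragraph, a mismatch between the language's execution model and its implementation, and a specification that does not say what the user meant, can be seen concretely with a small contract checker. This is an added example, not code from the Penelope system or from Larch/Ada: a "specification" here is a `requires`/`ensures` pair of Python predicates, the execution-model mismatch is modeled by a hypothetical `wrap32` that applies 32-bit two's-complement wraparound to a result that Penelope's mathematical-integer model would keep exact, and `check` exercises a finite constructed domain (a bounded test, not the proof a verifier would produce).

```python
# Added example, not from the Penelope/Larch/Ada paper. Names (Contract, check,
# wrap32, abs_*) and the constructed input domain are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, List

INT_MIN = -(1 << 31)
INT_MAX = (1 << 31) - 1


def wrap32(x: int) -> int:
    """Reduce a mathematical integer to 32-bit two's complement, as a machine
    implementation without range checks would (Ada's model would instead raise
    Constraint_Error; this models an implementation that silently wraps)."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


@dataclass
class Contract:
    """A Larch-style interface specification: precondition over the input and
    postcondition relating input to result."""
    requires: Callable[[int], bool]
    ensures: Callable[[int, int], bool]


def check(impl: Callable[[int], int], spec: Contract, domain: List[int]) -> List[int]:
    """Return every input in `domain` that satisfies `requires` but for which the
    implementation's result violates `ensures`. An empty list means the
    implementation met the spec on this (finite) domain only; it is not a proof."""
    return [x for x in domain if spec.requires(x) and not spec.ensures(x, impl(x))]


# The intended specification of absolute value: result is non-negative and
# equals x or -x.
ABS_SPEC = Contract(
    requires=lambda x: True,
    ensures=lambda x, r: r >= 0 and (r == x or r == -x),
)


def abs_math(x: int) -> int:
    """The algorithm under the mathematical-integer execution model."""
    return -x if x < 0 else x


def abs_machine(x: int) -> int:
    """The same algorithm run by an implementation whose integers wrap at 32 bits:
    the execution model the proof assumed no longer holds."""
    return wrap32(-x) if x < 0 else x


# The remedy a spec writer would apply once the real execution model is known:
# exclude the one input the implementation cannot handle via the precondition.
ABS_SPEC_GUARDED = Contract(
    requires=lambda x: x > INT_MIN,
    ensures=ABS_SPEC.ensures,
)

# Second caveat: a specification that does not capture the user's intent.
# "result >= 0" is satisfied by an implementation that is obviously not abs.
WEAK_SPEC = Contract(requires=lambda x: True, ensures=lambda x, r: r >= 0)


def abs_wrong(x: int) -> int:
    return 0


# Constructed domain: small values plus the 32-bit boundary cases.
DOMAIN = list(range(-1000, 1001)) + [INT_MIN, INT_MIN + 1, INT_MAX]

if __name__ == "__main__":
    print("abs_math vs ABS_SPEC:          ", check(abs_math, ABS_SPEC, DOMAIN))
    print("abs_machine vs ABS_SPEC:       ", check(abs_machine, ABS_SPEC, DOMAIN))
    print("abs_machine vs guarded spec:   ", check(abs_machine, ABS_SPEC_GUARDED, DOMAIN))
    print("abs_wrong vs WEAK_SPEC:        ", check(abs_wrong, WEAK_SPEC, DOMAIN))
    print("abs_wrong vs ABS_SPEC (count): ", len(check(abs_wrong, ABS_SPEC, DOMAIN)))
```

`abs_math` meets `ABS_SPEC` everywhere in the domain, while `abs_machine` fails only at `INT_MIN`, where negation overflows: the algorithm is unchanged, the execution model is not. `abs_wrong` passes `WEAK_SPEC` on every input, which is exactly the case where a program is "correct" with respect to a specification that fails to express the intention.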
Penelope is a prototype system for interactively developing and verifying programs that are written
in a rich subset of sequential Ada. Penelope can be used to develop a program and its correctness
proof incrementally, and in concert with one another. Incrementality is used in a number of ways to
help make verification more tractable and more productive. For example, if an already-verified program
is modified, one can attempt to prove the modified version by replaying and modifying the
original verification.
Penelope's specification language, Larch/Ada, belongs to the family of Larch interface languages.
Larch/Ada scales up properly, in the sense that it is demonstrably sound to decompose a system
hierarchically and reason locally about the implementation of each piece.
Penelope has been applied in various demonstration projects---for specification (guidance control,
distributed operating system), verification (of off-the-shelf code), and formal development (by non-expert
as well as expert users). Some features of Penelope have been embodied in AdaWise, a lint-









130







































































































Session 6: Hardware Systems
Paul Miner, Chair
• The Formal Verification Technology Used on AAMP5, by Mandayam Srivas, SRI International
• Specification and Verification of VHDL Designs, by Damir Jamsek, Odyssey Research Associates
• Derivational Reasoning System, by Bhaskar Bose, Derivation Systems Inc.
139
