Formal Specification and Verification of ARM6

The use of theorem proving for processor verification started to be investigated in the 1980s and has continued since then. Early work done by groups at Cambridge [3], Calgary [18, 14] and Austin [16] established feasibility on simple academic designs. Following this first phase, two threads of research emerged: continued study of academic designs with increasingly sophisticated execution engines [23, 21, 2], and the application of theorem proving to fragments of real processors [20, 17]. At the start of our project it was thus established that complete academic processors and parts of commercial processors could be formally verified by automated theorem proving. Our goal was to investigate whether it was feasible to completely verify a real-world commercial processor, and if so to calibrate the effort needed. After discussions with ARM Ltd we chose ARM610 [1] as our target. This processor is similar to the still widely used ARM7, but embodies less sensitive IP and so is appropriate for public domain research (all our formal models are available on the web). ARM6 has a 3-stage pipelined Von Neumann Architecture. The differences between it and ARM7 are that the latter has (i) a hardware debug capability, (ii) the ‘Thumb’ instruction architecture to support both 16-bit and 32-bit instruction formats and (iii) an enhanced multiplier. In parallel to the automated theorem proving research described above, a group lead by Tucker and Harman at the University of Wales Swansea were evolving a method of structuring processor specifications using algebraic concepts [4]. They also developed pencil-and-paper proof methods and, with a PhD student Anthony Fox, applied these to verify by hand superscalar implementations of Hennessey and Patterson’s widely used pedagogical DLX RISC processor [5, 13]. When the current project was funded, we recruited Fox as our postdoctoral research assistant, and it was thus natural to see if the Tucker/Harman approach was suitable for mechanisation. It turned out to work very well indeed, and this is the approach we ended up using to specify and verify ARM6. The project was a collaboration with Professor Graham Birtwistle’s group at the University of Leeds, who produced accurate functional simulation models of the ARM6 architecture in Standard ML. Dominic Pajak produced a specification of the ARM programmers view and Daniel Schostak produced a model of the micro-architecture [22] (a three-stage pipeline implementation). Both these models were validated by extensive testing. Pajak and Schostak spent