The Notion of Proof in Hardware Veriication

Recent advances in the eld of hardware veriication have raised some fresh (and some familiar) issues to do with the scope and limitations of formal proof. In this note, some of these are considered in the context of the Viper veriication project. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott and J. Kershaw, of the Royal Signals and Radar Establishment of the U.K. Ministry of Defense, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally veriied; they presented Viper's more abstract spec-iications in a language suitable for formal reasoning, and they placed the design in the public domain. Viper microprocessors are currently being marketed as veriied chips. The formal proof aspects of the veriication work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract functional speciication, have been proved (by the author) using the HOL proof generating system. `Veriied' systems such as Viper seem likely to become commonplace in the near future. Whilst proofs about the abstract models of such systems are obviously a vital contribution to our trust in them, it is also important (not least in safety-critical applications) that the limitations of the approach be understood. Some of the material in this note appears in 7].