Towards a Formal Verification of a Floating Point Coprocessor and its Composition with a Central Processing Unit

PREFACE Current hardware verific&tion efforts have only begun to address the problem of composing asyn-chronousiy communicating units. This report presents work underway to formally specify and verify s floating-point coprocessor based on the MC68881. Our work uses the HOL verification system developed at Cambridge University. The coprocessor consists of two independent units: the bus interface unit to communicate with the CPU and the arithmetic processing unit to perform the actual calculation. We illustrate how the spec.iflcstion and verification process can be organised and simplified by a generalised hierarchical decomposition methodology that supports reasoning about horisontsl intera_-tion between processes. Techniques of composing processes having independent time scales are formalised. Reasoning about the interaction and synchronisation among processes using ]_gher-order logic is demonstrated. The CPU instructions and the floating-point instructions are xIIowed to execute concurrently to hn-prove performance. However, the coprocessor interface is designed to maintain a strictly sequential execution model to reflect the assembly language programmer's view of the system. We discuss the combination of the CPU and the coprocessor to form a computer system, and explore techniques to map from the underlying concurrent implementation to the programmer's view of sequential execution of instructions. INTRODUCTION Formal hardware verification involves using mechamzed theorem-proving techniques to verify that the design of a system satisfies its specification. Because exhaustive simulation is often too time consuming, and because simulation that is non-exhaustive might miss cases that are incorrect, there is increasing interest in using a formal approach to reason about hardware designs. This report describes work in progress on verifying a floating-point coprocessor based on the MC68881 ((ref. i), (ref. 2)) I. The coprocessor consists of a bus interface unit (BIU) which communicates with the CPU, and an arithmetic processing unit (APU). There has been significant interest in formal verification in recent years ((ref. Formal proofs of complex systems are not trivial, requiring significant machine time and human effort. Perhaps the best known verification effort is that of the VIPER microprocessor ((ref. 3), (ref. 4)). VIPER is the first microprocessor intended for commercial distribution where a formal verification has been attempted. Recent work ((ref. II), (ref. 12)) has shown that the verification of microprocessors can be simplified through insertion of intermediate levels of abstraction between the instruction set and the electronic block model (EBM); the EBM is, generally, the lowest level in the hierarchy and, logically, represents the object being verified. Through these appropriate intermediate …