On Proving Correctness of Microprograms

This paper describes the results of an investigation in proving the correctness of microprograms. The vehicle used is the Smachine, which is a very simple “paper” computer. The approach to the proof of correctness is based on formally defining the machineinstruction level and the microprogramming level of the given machine, and then showing that these “interfaces” are equivalent through the use of a concept called algebraic simulation. Introduction This paper presents the results of an investigation [ 1 1 into proving the correctness of microprograms. The vehicle chosen for this investigation is the S-machine, a variation on a computer described by Gear [ 2 ] for which a simulation package is available [3]. This very simple computer is being used for teaching microprogramming in the Education Department at IBM Poughkeepsie. The question of whether a microprogram is correct leads to another question: “What is the microprogram supposed to do?” In trying to answer the latter question we realize that the functions of a microprogram are related to the operation of other parts of the computer: control store, registers, etc. Therefore the microprogram together with other parts of the computer constitute an “interface” or a “level” of the system. The concept of interface is an old and natural one. When designing a computer we start by specifying the machine at the highest interface. As more decisions are made on how to implement this level, a new and more detailed interface is drawn up. For example, the documentation for the Smachine consists of 1. a description of the machine-instruction level, the 2. a description of the microinstruction level, or the so-called “principles of operation” manual, and “microprogramming manual.” The language used in descriptions of this kind is informal; the English language description is complemented by graphic illustrations. When considering the problem of correctness, however, we have to formalize our definition in a way that will enable us to prove whatever we 250 claim to be correct. If we want to describe an interface of a given system together with all the data structures and processes related to this interface, the formal counterpart of the usual English-language description can be an abstract machine. The concept of an abstract machine was first formulated in the field of programming language semantics [4-91. An abstract machine which interprets a program in a given language is considered as one way of specifying the semantics of that language. Ouruse of the concept of abstract machine is similar to that of Lee [ lo] . Work in formalization of system definitions can also be found in Falkoff [ 111, Bell and Newel1 [ 121, and others. A language that has been used in defining abstract machines is the Vienna Definition Language (VDL) [7-9, 13-15]. In order to have a useful definition language for machine interfaces we had to supplement the VDL with basic operators and predicates. Since we are dealing with objects like registers, flip-flop circuits, memories, etc., which are represented by binary vectors and arrays, we selected as basic operators a small number of APL operators. Using this VDL/APL language we define two abstract machines: abstract machine S, which relates to the machine instruction interface, and abstract machine pS, for the microinstruction level (The abstract machine S is not to be confused with the “S-machine” which is the name of our computer.). The microprogram itself is part of pS. The abstract machine pS is in some sense equivalent to S. This kind of equivalence is found in the concept called “algebraic simulation of one program by another,” described by Milner [ 161 ; abstract machines are themselves programs or, more precisely, “abstract programs.” A. BIRMAN IBM J. RES. DEVELOP. The essence of the idea of simulation can be informally described as follows. A simulation of P by P’ implies that anything computed by P can be computed by P’. The simulation should have certain properties: 1 ) For any program P there should exist a simulation of P by P , and 2 ) if there exists a simulation of P by P , and also a simulation of P I by P, , then there should exist a simulation of P by P,. We display such a concept and prove that it has these properties. In this paper we develop an approach to proving the correctness of microprograms and we apply it to the Smachine. The proof of correctness for the S-machine implementation consists of the following steps: 1. Definition of abstract machine S corresponding to the 2. Definition of abstract machine pS for the microin3. Determining the desired simulation relation R . 4. Proving that pS simulates S with respect to R . machine-instruction level.