4
rsta.royalsocietypublishing.org Phil.Trans.R.Soc.A375:20150399
.........................................................
CLI similarly tested the FM9001 microprocessor model against the fabricated gate array and
tested the MC68020 model against a Sun 3 workstation. Since all of these models were moderately
large Lisp systems, execution efficiency was very important. To quote again from [5,p.9]:
Note that the post-fabrication testing of verified devices changes the role of model
execution. Heretofore execution was merely an efficient way to avoid ‘premature’
proof attempts. ... But the post-fabrication testing of a verified device is not a purely
mathematical question. On the one hand one has a physical object. On the other one
has a mathematical expression. The question is whether the behavior of the object is
accurately predicted by the mathematical expression. The behavior of the object can only
be manifested by giving it concrete data and observing its concrete output. Thus, one is
forced to give concrete data to the mathematical expression and derive its concrete output.
... Often, at least for devices for which verification is needed, the required computations
are so large and the test cases so numerous that we expect the efficiency with which the
model can be executed becomes an important issue.
The performance challenges raised by the use of Nqthm in the CLI Stack and MC68020
projects prompted Boyer, Moore and (soon thereafter) Kaufmann to begin creating ACL2 in the
late 1980s. Performance was a key driver in our attempts to connect this work to commercial
efforts, and it was a tremendous asset to define ACL2 as a superset of a substantial subset of the
widely supported Common Lisp language. This design decision enables all ACL2 functions to
be compiled by off-the-shelf Common Lisp compilers, so that ACL2 programs can be run with
commercial-class speed and capacity.
This speed and capacity has been a tremendous advantage for our work on commercial-size
models. A key development was the ‘deep embedding’ of our hardware description language
(HDL) into the logic of NQTHM and later, ACL2, which we first used in the NQTHM-based
verification of the FM9001 [6] gate-level design. Our HDL was sufficiently similar to commercial
HDLs (e.g. LSI Logic’s NDL and Verilog) to permit automatic translation of (subsets of)
commercial HDLs into our ACL2-based HDL. The resulting ACL2-based representation enabled
not only efficient simulation of the design (as is done with commercial simulators), but also
reasoning about the design using the ACL2 prover. Today, Centaur and Oracle represent designs
of interest by translating them from vendor-specific implementation formats into an ACL2-based
HDL, and then use ACL2 to specify and prove properties about their designs.
The process just described is used by companies to analyse very large systems. For instance,
at Centaur Technology the Verilog specification of one of their products is more than 700 000 lines
in length; this design can be translated (by our ACL2-based Verilog-to-ACL2 translator) into our
ACL2-specified HDL in just a few minutes. Once translated, Centaur runs thousands of proof
scripts daily to check tens of thousands of properties of Centaur’s evolving design. Later (in §6)
we elaborate on the use of this approach by engineers at Centaur.
3. Initial industrial demonstrations
By 1993, CLI was ready to try ACL2 on industrial verification projects. Finding suitable projects
was primarily the responsibility of Warren Hunt, CLI’s Vice President for Hardware Engineering.
The first project was the modelling and verification of a Motorola digital signal processor, the
Motorola Complex Arithmetic Processor (CAP) DSP. CLI’s involvement in the project started in
late 1993, with Bishop Brock relocating from CLI’s home in Austin, TX, to Phoenix, AZ, to work
with the Motorola Government Systems’ DSP design team. The formal methods project lasted 31
months. In the end, ACL2 was used to model the processor and its microcode and to verify that
the microcode semantics was correctly implemented. The most significant contribution was the
identification of over 50 ‘pipeline hazards’, the coding of a Lisp (ACL2) function for recognizing
those hazards, and the proof that the absence of those recognized hazards implied accurate
execution of the microcode. The compiled hazard detection predicate was used to identify hazards
Downloaded from https://royalsocietypublishing.org/ on 23 August 2021