Applying formal verification to a commercial microprocessor

Formal verification using interactive proof-checkers has been used successfully to verify a wide variety of moderate-sized hardware designs. The industry is beginning to look at formal verification as an alternative to simulation for obtaining higher assurance than is currently possible. However, many questions remain regarding its use in practice: Can these techniques scale up to industrial systems, where are they likely to be useful, and how should industry go about incorporating them into practice? This paper describes a project recently undertaken by SRI International and Collins Commercial Avionics, a division of Rockwell International to explore some of these questions. The project formally specified in SRI´s PVS language a Rockwell proprietary pipelined microprocessor (the AAMP5, built using almost half a million transistors) at both the instruction-set and register-transfer levels and used the PVS theorem prover to show the microcode correctly implemented the instruction-level specification for a representative subset of instructions. The key results of the project were the development of a practical methodology for microprocessor verification in industrial settings and the discovery of both actual and seeded errors