By Brian T. Graham

This is a milestone in machine-assisted microprocessor verification. Gordon [20] and Hunt [32] led the best way with their verifications of sim­ ple designs, Cohn [12, thirteen] this with the verification of elements of the VIPER microprocessor. This paintings illustrates how a lot those, and different, pioneers completed in constructing tractable versions, scalable instruments, and a strong technique. A condensed overview of prior re­ seek, emphasising the behavioural version underlying this kind of verification is by means of a cautious, and remarkably readable, ac­ count number of the SECD structure, its formalisation, and a record at the organization and execution of the automatic correctness facts in HOL. This monograph stories on Graham's MSc undertaking, demonstrat­ ing that - within the correct palms - the instruments and method for formal verification can (and for that reason should?) now be utilized through a person with little prior services in formal tools, to ensure a non-trivial microprocessor in a restricted timescale. this isn't to belittle Graham's success; the construction of this facts, paintings­ ing as Graham did from the former literature, is going well past a customary MSc venture. The success is that, with this exposition handy, an engineer tackling the verification of comparable microprocessor designs may have a transparent view of the milestones that has to be handed at the means, and of the the right way to be utilized to accomplish them.

DU M creates the environment with the installed n placeholder. The RAP instruction is similar to the AP instruction, except that in creating the environment in which the function is executed, the parameters are installed by using the rplaca operation on an environment whose car is the pending value n. e). The list of parameters must consist of only function objects, and they will all contain the same environment component, so the single destructive operation creates a circular context for all the mutually recursi ve defini tions.

The interface to the external memory gives rise to the possibility of undesirable power dissipation. This can occur if both memory and SEeD devices drive external lines simultaneously for some overlapping interval, which is possible given capacitance induced delays of signal switching. A more considered interface than the "memory as a register" view used until now is needed. 30 ne could devise a scenario where the rpB signal overlaps the start of the pulse, and thus random write signals may be generated.

Implementing the controller as a finite state machine requires buffering between current and next states. This is achieved by the use of a two-phase non-overlapping clocking scheme and paired master/slave registers, along the design style described in [42]. The state register in the control unit is the mpe register, but in a more general sense, the values on the 4-deep microcode subroutine stack are also part of the state. In the following discussion, references to the mpe register can be applied similarly to the stack registers.

