The type descriptions that define_type is capable of handling are noticeably more limited than those allowed by SML. In particular, define_type requires of a type description it is given that the type being defined should not occur within any compound type. While this restriction is more severe than is necessary for there to be a solution in HOL to the description, we show that some restriction on the nature of the compound types within which the type being defined may occur is necessary. Not all descriptions allowable in SML will have a solution in HOL. Moreover, owing to the nature of the basic principle of type definition in HOL, no purely syntactic non-ad hoc test of a recursive type description will be sufficient to allow us to extend define_type to compound types involving “safe” type constructors such as list while at the same time barring all descriptions for which no solution is possible. Any general extension to the define_type package that allows the types being defined to occur within compound types in the type description will need to take as additional arguments theorems about the type constructors used in the compound type that justify their being so used. Finally, we show that an extension to the case where all the type constructors used in compound types involving the types being defined are essentially recursive type constructors themselves; the type constructors must satisfy an “initiality” theorem of the form returned by define_type, which must be supplied as an argument to this extension of define_type.

Simulation is an important aspect of microprocessor design. In a verified microprocessor design, simulation can be used to ensure that the functionality of instruction set is sufficient and that the microprocessor behaves as intended by the designer. This paper documents and demonstrates a tool written in the HOL theorem proving system for executing microprocessor specifications written in higher–order logic.

By encapsulating the primitive rules of inference as the constructors of the abstract type of theorems, LCF-style systems provide a successful answer to the problem of how to soundly add derived inference rules to a theorem prover. We suggest a supplementary method which uses formal proof of program equivalence to justify the dynamic addition of new primitive rules. The method does not increase the strength of the logic; rather, it is a means of increasing the computational strength of the implementation. The method can be used to enforce rigour in the process of iteratively improving the performance of a system. This work uses first class environments, a recent addition to the SML/NJ compiler.

In previous work (using HOL and other theorem provers) on the verification of microprocessors, the design is typically represented as a single level (e.g., an electronic block model) or as a linear hierarchy of interpreters (Joyce and Windley). There has been no attempt to verify designs that are in reality a central processor composed with various coprocessors, the typical organization of modern microprocessors. Our work is a step towards the verification (ultimately down to the microcode level) of a microprocessor that consists of a central processing unit that is the master of a floating point coprocessor; the design is drawn from the MC68881 floating point coprocessor slaved to the MC68000, but greatly simplified. The coprocessor in isolation will be verified with respect to a specification that captures the IEEE floating point standard. In our system, CPU and floating point instructions are allowed to execute concurrently, but the appearance to the programmer of the composed system is that of a sequentially executing instruction stream. The CPU and floating point coprocessor communicate through the four-phase handshaking protocol. The verification involves reasoning about a form of behavioral abstraction wherein concurrently executing instruction steams are mapped to a sequential stream.

Silage is an applicative language for describing multi-rate DSP algorithms. It has been used as the high level input language to the CATHEDRAL Silicon Compilers. Hardware implementations of specifications described in Silage are synthesized and inconsistencies in the synthesis trajectory must be avoided. To build the foundations of a verification environment, the formal semantics of Silage must be defined. Our main motivation to formally define the semantics of Silage is to build formal tools, in such a way that the interactivity between the user and the silicon compiler can be increased in a safe way. The designer could then interactively transform the specification, fully exploiting his expertise, but without the risks of introducing inconsistencies. Formally verified transformational design techniques could then be applied at the specification level of the Silicon Compilers. This paper describes the formal semantics definition of a substantial subset of Silage focusing on the multi-rate aspects of the language.

A formal derivation of an implementation at register transfer level of Gordon's computer is presented. The derivation illustrates a proof-driven hierarchical construction process, based on logical inference, which reveals some essential aspects of computer design.

Microprocessor verification to date has primarily focused on single microprocessors in isolation, yet families of microprocessors exist which share a common base instruction set. We propose a “machine abstraction” method for specifying the behaviour of a microprocessor in a manner which encourages portability of specifications to other microprocessors in the same family. Areas of an assembly language which are restricted by hardware constraints rather than language semantics are grouped within a “machine abstraction” and are supplied to a specification of the language as parameters. We hope such “machine abstraction” will simplify the verification of families of microprocessors. This paper extends earlier work on generic approaches by Joyce, Windley, and Herbert.

Boyer and Moore's heuristics for their first-order logic without quantifiers have been re-implemented in the HOL system. They have been adapted to behave as an automatic prover for the subset of higher-order logic that roughly corresponds to the Boyer-Moore logic. This paper describes the modifications required and presents some initial results and conclusions from the exercise.

The experiences of large case studies show that there is a definite need for far better efficiency of machine-supported proving. The integration of automatic special-purpose systems with interactive theorem provers promises better performance. By means of interactive proof systems problems at higher abstraction levels can be transformed into manageable - in terms of complexity and degree of abstraction - subtasks for fully-automatic tools.

The VHSIC Hardware Description Language (VHDL) has been gaining wide acceptance as a unifying HDL. It is, however, still a language in which the only way of validating a design is by careful simulation. With the aim of better understanding VHDL's particular simulation process and eventually reasoning about it, a formalisation of VHDL's simulation cycle has been developed for a subset of the language. It has also been possible to embed the semantics in the Cambridge Higher-Order Logic (HOL) system and derive interesting properties about specific VHDL programs.