ISSN 1292-862

TIMA Lab. Research Reports

TIMA Laboratory, 46 avenue Félix Viallet, 38000 Grenoble France

FORMALIZATION AND VERIFICATION OF THE AMBA AHBCOMMUNICATION ARCHITECTURE USING THE ACL2

THEOREM PROVER

Julien Schmaltz Dominique BorrioneTIMA-VDS TIMA - VDS

46, av Felix Viallet38031 Grenoble Cedex

Phone: (+33) 04 76 57 49 91Fax: (+33) 4 76 57 49 81

46, av Felix Viallet38031 Grenoble Cedex

Phone: (+33) 4 76 57 49 82Fax: (+33) 4 76 57 49 81

Julien.Schmaltz@imag.fr Dominique.Borrione@imag.fr

Abstract. In this paper, we apply a method, based on an automatic theoremprover, to reach correct formal descriptions of communication systems. Thisallows the verification of the correctness of systems at the first step of theirdesign. Moreover, the prover has reasoning capabilities that do not requirefixed size systems, and large parameterized architectures, like IPs or SoCs canbe modeled and proved correct through this approach. We illustrate theapproach to an industrial on-chip bus, the AMBA AHB.

1 Introduction

Systems on Chip (SoC) design is performed through the integration of pre-designedcomponents, called Intellectual Properties (IP). A challenge is to verify that thiscomposition of different functionalities behaves as the designer expects. The critical designstep is now the interconnections, i.e. the communication structure. Numeric simulation isno longer an effective method to verify complex circuits like SoCs, so formal methods arereceiving great attention. The formal tools currently used in the industry are suitable forfixed structures described at the Register Transfer Level (RTL). Due to their growingcomplexity, SoCs are described at a higher level (behavioral or system level) and aregeneric, i.e. unbounded. New techniques and methods are needed.

Theorem proving techniques have reasoning capabilities that do not require fixed sizesystems, and are consequently good candidates. We propose to use the ACL2 theoremprover [1] as a tool allowing a designer to reach a correct formal functional model of aspecification. Our use of the prover is slightly different from the previous successfulapplications like the verification of microprocessors [2], pipeline machines [3], floatingpoint arithmetic [4, 5]. Mainly, in these articles, the authors prove that two different modelsaffect a memory in the same way. In this paper, we show the formalization of thespecification [6] of a widely used communication architecture into the ACL2 logic, and weprove some critical properties on this formal model. So, we deal with high level

descriptions at the very first step of a system design and we show how it is possible toobtain correct formal models of complex architectures.

Section 2 presents an overview of the modeling and proof method. Sections 3 and 4present the ACL2 system and the AMBA architecture. Section 5 gives the formalizationand the verification of the two central components of the protocol: the address decoder andthe bus arbiter. Section 6 shows the formalization and the proof of the communication.Finally, section 7 concludes the paper.

2 Overview of the modeling and proof method

Fig. 1 shows how we proceed to model and verify bus architectures. The specificationdocument [6] is written with the traditional mixture of English sentences, drawings andtiming diagrams. We first manually construct a formal model for each generic componentand prove each one correct. Then we model their interconnections and prove thecommunications function correct. Finally, we obtain a correct formal model of the AMBAAHB architecture.

Figure 1: Modeling and proof method

Decoder Arbiter

Slaveinterface

Masterinterface

AMBA SpecificationRev 2.0

Decoder Arbiter

Slaveinterface

Masterinterface

Starting with the busspecification …

Modeling and verifying eachcomponent …

Modeling the interconnectionsand proving thecommunications correct …

Correct formal modelof the bus

We obtain a formal andunambiguous model of the bus.

3 The ACL2 theorem prover

ACL2 stands for “A Computational Logic for an Applicative Common Lisp” and denotes aprogramming language, a mathematical logic and a mechanized theorem prover. The inputlanguage is a side-effect free subset of Common Lisp [7]. The logic and the prover are anevolution of the Boyer-Moore theorem prover: Nqthm [8]. This section briefly presents thelogic and the general organization of the theorem prover. More details can be found in[1, 9].

3.1 The logic

The kernel logic is composed of a Common Lisp syntax, a set of axioms and a set ofinference rules [9]. The logic is a first order, quantifier free logic with equality. Fig. 2shows the axiomatization of some Common Lisp primitives (nil denotes false, and t denotestrue).

Figure 2: Some of the ACL2 axioms

The rules of inference are those of propositional calculus with equality, instantiation, aninduction principle and extension principles allowing the addition of new total andrecursive functions, new constants and new packages. The logic supported by the ACL2system is richer than the kernel one, and is obtained by use of the extension principles,which ensure the consistency of the logic. For example, recursive functions must be provedto terminate in order to be added to the logic.

3.2 The ACL2 system

To get the best efficiency, ACL2 should be considered a proof checker rather than a fullyautomatic system. ACL2 helps a user fill in the gaps in the formal – or often informal –proof he has sketched.

The ACL2 environment is composed of three entities: the user, the prover and the“logical world” (see Fig. 3, taken from chapter two of [1]). This logical world consists inthe rules and strategies previously developed by the user. The user submits a formula toACL2, which tries to derive a proof from the rules of the logical world. If ACL2 succeeds,a new rule, derived from the theorem just proved, is added to the logical world. There areover a dozen kinds of rules: type-prescription, rewrite, ...

tyxequalyx =⇒= )(nilyxequalyx =⇒≠ )(zzyxifnilx =⇒= )(yzyxifnilx =⇒≠ )(

Figure 3: Organization of ACL2

The main objects manipulated in an ACL2 model are functions, predicates, lists andtheorems. Functions are added to the logic by the command defun. Predicates are functionsthat return t or nil, and they are often used to define new types. For readability, and byconvention, predicate identifiers end with letter “p”. For instance, the following predicatereturns t if x is an integer greater than or equal to 0, i.e. it recognizes naturals.

To submit a theorem, one uses the command defthm. The following “event” asks ACL2to prove that if a and b are two naturals then a+b is a natural:

Lists are essential in building composite objects. The base functions cons, car and cdr,respectively build a new ordered pair, return its first element and return the pair without itsfirst element. Lists are inductively built from nil (the empty list), by application of cons.They are recognized by the predicate consp.

Functions, predicates and theorems can be assembled into files, called “books”. Theuser can include these books into the logical world. This will make all the rules contained inthese books available for the prover. Books provide a convenient way to take advantage ofprevious works and to structure projects.

4 The AMBA AHB architecture

Arm processors are widely used in SoCs and embedded systems, so is the AdvancedMicrocontroller Bus Architecture (AMBA) and particularly the Advanced High-performance Bus (AHB). Its global structure is drawn on Fig. 4.

The AHB on chip bus allows the interconnection of n masters (typically: processingunits) with m slaves (typically: memory units), where n and m are parameters. There arethree different buses: HRDATA for data to be read, HWDATA for data to be written, andHADDR for the addresses. The communication involves four components:

User

TheoremProver

LogicalWorld

rules

theoremsProofs andproofattempts

Definitions andadvices

(defun naturalp (x)(and (integerp x)

(<= 0 x)))

(defthm nat_+_nat_=_nat(implies (and (naturalp a)

(naturalp b))(naturalp (+ a b))))

- a decoder: it receives an address and activates the corresponding slave- an arbiter: it receives requests and grants the bus to a unique master- master interfaces: initiate transfers- slave interfaces: answer to master requests

Figure 4: Organization of the AMBA AHB architecture

The decoder (Fig. 5) is used to select the slave that owns the required data. Addressdecoding depends on memory organization, and details about it are given in section 5. Thedecoder activates a slave x by setting the x’th bit of the HSEL signal to 1 and the others to0.

The role of the arbiter (Fig. 5) is to grant bus access to one master requesting it. Thearbiter is unique in an architecture and uses a priority scheme to select a master. Thisalgorithm is not specified in [6] but must obey some rules. The most important is topreserve the mutual exclusion of bus accesses. The AHB architecture is not a tri-states bus,so a default master is granted when no master requests the bus. We select master number 0.

Figure 5: (simplified) Schemes of the decoder and the arbiter

Slaveapplication k

Slaveinterface k

Slaveapplication l

Slaveinterface l

Masterinterface i

Masterapplication i

Masterinterface j

Masterapplication j

…

…

AddressDecoder

Busarbiter

Address busRead busWrite bus

HADDR

HADDR

HRDATA HWDATA

HRDATAHWDATA

HADDRHRDATA

HWDATA

HADDRHRDATA

HWDATA

HADDR

HADDR

HSEL(k) HSEL(l)

HGRANT(i) HGRANT(j)

HREQ(i) HREQ(j)

AHBDecoderHADDR HSEL

AHBArbiterHADDR

HCLOCK

HRESET

HBUSREQ

HGRANT

The slave interface (Fig. 6) uses the HSELx signal to determine if it is active or not. IfHSELx is high, the slave answers the master read or write request in one cycle, or it splitsthe transfer. The master interface (Fig. 6) produces all the signals needed for a transfer.

Figure 6: (simplified) Schemes of the slave and master interfaces

5 Formalization and verification of the two main components

In this section, we formalize the two main components of the bus protocol (the addressdecoder and the bus arbiter) and we prove them correct with respect to [6]. As we want afunctional model, reset and clock signals are ignored in our formal representation.

5.1 Address decoding

Let Card_S be the number of slaves, a generic parameter of the decoder of type natural. Theaddress decoding corresponds to the selection of an element of a set. The decoder functionassociates a set of addresses to a slave. As we abstract an address to a natural, the inputdomain of the decoder function is the set of naturals. The output domain is the interval[0, Card_S – 1]. Si denotes the slave number i, i ∈ [0, Card_S – 1].

The system memory is shared by all slaves. Each slave has a finite arbitrary numberMEM_SIZE of addresses, and the global memory is the product Card(S)*MEM_SIZE.During transfers, the master puts the global address, which ranges from 0 toCard(S)*MEM_SIZE – 1, on the HADDR bus, and the slave reads or writes the data to itslocal address UNADDR. A data has consequently two addresses:

- the global address: HADDR- the local address: UNADDR

To get a clear model, the local and the global addresses are related by Equation (1).

SIZEMEMHADDRUNADDR _mod= (1)

AHBMaster

Interface

HGRANTx

HCLOCK

HRESET

HRDATA HWDATA

HADDR

HWRITE

HBUSREQx

AHBSlave

Interface

HSELx

HCLOCK

HRESET

HWDATA

HRDATAHWRITE

HADDR

And the slave possessing the data with the HADDR address is Si, where i is computedby Equation (2):

SIZEMEMHADDRi

_= (2)

The decoder is modeled by two functions: decoder(Card_S, Sel) andAHB_decoder(Card_S, MEM_SIZE, HADDR). The former builds a list with at most one 1at the position Sel, and the other elements are 0. The latter computes Sel according toequation (2). The ACL2 functions are the following:

Function decoder is recursive over Card_S, the number of list elements. It returns theempty list if Card_S is not a natural integer. Otherwise, it concatenates 1 (if sel = 0) or 0 (ifsel ≠ 0) to the list resulting from the recursive call of decoder over (Card_S – 1) and (sel –1). Thus decoder constructs a list of Card_S elements, all equal to 0 except the sel’th one,provided 0≤sel< nb.

In function AHB_decoder, floor computes the integer division if its second operand is anon zero integer; otherwise it prints an error message.

The main property to prove on these functions, is that they select only one slavepossessing the right data. Clearly, once the proof is made on decoder, the proof forAHB_DECODER is straightforward due to equation (2). So, we prove the followingtheorems:

Theorem 1. (Selection of the right slave). (defthm Selection_of_the_right_slave

(implies (and (integerp i) (integerp Card_S)(>= i 0) (> Card_S i))

(equal (nth i (decoder Card_S i)) 1))))

Theorem 1 states that if Card_S and i are two integers such that i≥0 and Card_S>i thenthe i’th bit of decoder(Card_S, i) is 1. Function nth(i, L) returns the i’th element of a list Lcounting up left to right from 0.Proof. We first prove a lemma stating that the property is true if i=0. Then, ALC2 provesautomatically the selection of the right slave by induction over i and Card_S. ¨

Theorem 2. (Unicity of the selection). (defthm Unicity_of_the_selection

(implies (and (integerp p) (integerp Card_S)(<= 0 p) (< p Card_S) (not (equal p i)))

(equal (nth p (decoder Card_S i)) 0)) :hints (("GOAL" :induct (function_hint_th2_decoder p Card_S i))))

Theorem 2 states that if Card_S, p and i are integers such that 0≤p and p<Card_S, thenthe p’th element of decoder(Card_S, i) is 0 for p≠i.

(defun decoder (Card_S sel) (cond ((not (integerp Card_S)) nil)

((<= Card_S 0) nil)((equal sel 0) (cons 1 (decoder (1- Card_S) (1- sel))))

(t (cons 0 (decoder (1- Card_S) (1- sel))))))

(defun AHB_DECODER (MEM_SIZE Card_S HADDR) (decoder Card_S (floor HADDR MEM_SIZE)))

Proof. As for theorem 1, we prove a lemma stating that the first element of decoder is 0when i≠0. We prove another lemma to tell the prover that decoder returns a cons-pair. Theinduction scheme suggested by decoder is over Card_S and i. Here, we need an inductionover Card_S, i and p. We define a recursive function called “function_hint_th2_decoder”that suggests the needed induction scheme and tells ACL2, through the “:hints” clause, touse it. Then ACL2 performs the proof automatically. ¨

1.2 Bus arbitration

The priority scheme is a key feature of the bus protocol. It determines which master shouldbe granted bus access. The scheme is modeled by a priority matrix, as shown on Fig. 7. Thenumber P of lines sets the number of priority levels and the number N of columns is thenumber of masters having the same priority. Lines and columns are numbered from 0. Thematrix elements correspond to a single master, and the master number is computed fromline l and column c by: master_num = l*N + c. Master number 0, the default master, has thehighest priority.

Figure 7: The matrix modeling the priority scheme

In ACL2, the matrix is represented as a list of lists. For instance, if N=3, P=2 and themaster 1 is the only one requesting the bus, the ACL2 model of the matrix is((0 1 0) (0 0 0)).

The input domain of the arbiter function is the set of NxP bit matrices MREQrepresenting the master requests. The output domain is the set of bit vectors of length NxPwhere only one bit is 1. The function uses the following algorithm to select the master thatshould be granted bus access:

- determine the first line containing at least one request- extract this line out of the matrix MREQ- determine the highest priority master of the line- compute the number of this master master_num from the line number- build the output list where bit number master_num is 1.

In order to model these functions we need to define some predicates. The predicateno_requestp_matrix(MREQ) recognizes a matrix containing no requests, i.e. all its elementsare 0. The predicate no_requestp(L) recognizes a line with no requests. So, the first linecontaining at least one request is the first element of the priority matrix MREQ such thatno_requestp(car MREQ) does not hold. The number of this stage is computed by thefunction stage_P(MREQ) below:

NMaster number 0Default masterHighest priority

P

Master number P*N – 1Least priority

(defun stage_P (L) (cond ((endp L) 0) ((no_requestp_matrix L) 0) ((not (no_requestp (car L))) 0) (t (+ 1 (stage_P (cdr L))))))

We consider the function correct if prior stages to the returned one contain no request,and if the returned stage is non-empty. So, we prove the following theorems:

Theorem 3. (Respect of the Priority Scheme).(defthm Respect_of_the_Priority_Scheme(implies (and (equal (stage_P MREQ) i)

(< j i) (<= 0 j)) (no_requestp (nth j MREQ))))

Theorem 3 states that if i is the number of the line returned by Stage_P, then for allnatural j<i, line number j has no request.

Proof. The proof is made by induction over j and MREQ. The proof is fully automatic andACL2 uses type-prescriptions rules of the functions no_requestp, no_requestp_matrix andstage_P. ¨

Theorem 4. (Chosen stage is not empty, provided there is at least one request). (defthm Chosen_stage_is_not_empty

(implies (and (equal (stage_P MREQ) i)(not (no_requestp_matrix MREQ)))

(not (no_requestp (nth i MREQ)))))

Theorem 4 states that if i is the number of the line returned by Stage_P, and the matrixhas at least one request, then line i has at least one request.

Proof. The proof is made by induction over MREQ. The proof is fully automatic and ACL2uses type-prescriptions rules (the same as for theorem 3) and a lemma stating that(nth (1+ N) (cons A L)) = (nth N L) if N is a natural. ¨

The next important step is the computation of the next master of the returned stage. Ona given line, masters have the same priority, and the access policy is “round robin”. Acircular traversal of the stage is performed from the last granted position to the nextrequested position (see Fig.8).

We split a stage after the last granted position; if the end part contains at least onerequest, the circular traversal starts with the first element of this part. Otherwise, we beginthe traversal with the first element of the stage. The “start” part is obtained with thefunction firstn(n L) that returns the first n elements (without the n’th) of L ; the “end” partis obtained with the function lastn(n L) that returns the last n elements (with the n’th) of L.We define the function find_next_1(L) that returns the position (starting from 0 and countedfrom the first element of L) of the first 1 met in L. The computation of the next master isdone by the function arbiter(L Last_granted) below:

(defun arbiter (HREQ Last_Granted) (cond ((no_requestp HREQ) 0) ((no_requestp (lastn (1+ Last_Granted) HREQ))

(find_next_1 (firstn (1+ Last_Granted) HREQ)))(t(+ (1+ Last_Granted) (find_next_1 (lastn (1+ Last_Granted)

HREQ))))))

Figure 8: Computation of the next master that should be granted bus access

The main property that should hold is that there is effectively a round robin. Inparticular, assume the master (number k) which was last granted access to the bus stillrequests access the next time the line is selected, and one or more other requests are alsopresent on that line, then the next bus access is not granted to master number k. This isexpressed by the following theorem:

Theorem 5. (No deadlock). (defthm No_Deadlock(implies (and (integerp i) (<= 0 i) (equal (nth k HREQ) 1)

(list_of_1_and_0 HREQ) (not (equal k i))) (implies (equal (nth i HREQ) 1))

(not (equal (arbiter HREQ k) k)))) :hints (("GOAL" :use (:instance lemma1_no_deadlock) :in-theory (disable lemma1_no_deadlock firstn)))))

This theorem is composed of several parts. The first “implies” clause gives generalhypotheses about objects used in the conclusion. The predicate list_of_1_and_0 tells theprover that the elements of the list HREQ are 0 or 1. The “equal” statement expresses thefact that the last granted master still requests access. The second “implies” clause is theproperty we want to prove. The hypothesis expresses the fact that one or more masters arerequesting bus access. The conclusion means that the next bus access is not given to the lastgranted master. The “:hints” clause forces the prover to use the lemma“lemma1_no_deadlock”. During the proof, the application of a rule R can make the proveruse “lemma1_no_deadlock”. But, as this lemma has already been applied, R will be appliedagain and the prover will loop. The “:in-theory” disables the rule derived from the lemmaduring the proof of the theorem and prevent ACL2 from looping.Proof. As arbiter is not recursive, the proof is not performed by induction, but by caseanalysis. The definition of arbiter (a cond with three alternatives) suggests three cases. Thehypothesis “(equal (nth i HREQ) 1))” is in contradiction with the first case. The third case isobvious. The remaining case is the second condition of the “cond” clause in the definitionof arbiter, which tests whether the end of HREQ contains a request. The lemma used in thehints proves the property if i is lower than (1+ Last_Granted), and proved this last case. ¨

Now, let E be the stage number, N its length, and New the position in the stage of thenew owner. The master Mi should be granted the bus access, where i is computed byEquation (3):

Last granted position

Stqrt End

L*E New i += (3)

This is done by the function arbiter_rr(L N Last_Granted):

(defun arbiter_rr (L N Last_Granted) (+ (* (stage_P L) N) (arbiter (choose_stage HREQ (stage_P L)) Last_Granted)))

The last step is to build the vector HGRANT that selects the right master. This is doneusing the function decoder defined for the decoder, so the main function of the arbiter isAHB_arbiter(N P HREQ Last_granted):

(defun AHB_Arbiter (N P HREQ Last_Granted) (decoder (* N P) (arbiter_rr HREQ N Last_Granted)))

We now sketch how we reach a correct formal model of the bus arbiter and the addressdecoder. We model a generic slave interface and a generic master interface. That gives thetwo following functions:

- Slave_interf (HSEL HWRITE HADDR HWDATA DATA_R MEM_SIZE)- Master_interf (ADDR DATA HRDATA OP HGRANT).

DATA_R is the data given by the slave application. MEM_SIZE is the size of theslave memory. The slave interface returns the following list of signals:

(LIST (HRDATA) (LIST HWRITE UNADDR HWDATA))

HRDATA is the read bus, and the second list represents the signals that are connectedto the slave application.

The master interface returns the following list of signals:(LIST (HRDATA) (LIST HADDR HWRITE HWDATA))

The read bus is connected to the master application. The second list represent thesignals sent to the decoder, the arbiter and the slave interfaces.

For each interface, we prove that for a given operation (e.g. read or write) the outputsignals produced by the interface are correct with respect to [6]. The theorem proved foreach output SIGNALi of the interfaces has the following template:

(defthm M/S_interf_SIGNALi (implies (hypotheses on the inputs identifying the operation to

be performed)(equal SIGNALi VALUE1)))

2 Proof of transfers

Now, we want a formal model of the communications, and we want to prove them correct.We have proved two important facts: the decoder selects the unique slave possessing thedata needed by a correctly granted master (because we know our arbiter is correct).Moreover, a transfer can only be performed between two components: a master and a slave.Consequently, if we prove that a master and a slave arbitrarily taken in the set of mastersand slaves communicate correctly, then all communications behave correctly. Moreover,we consider the bus as an IP component, so we model and prove it correct withoutconsidering the master and slave applications using the bus. We define two functions, one

1 VALUE can be a numeric or a symbolic expression.

for transfers from the slave to the master, and one for the other way. For instance, thefunction modeling a transfer from the master to the slave is defined as the result of the slavefunction applied on the result of the master function. That gives the following ACL2function:

This function shows how we link the different elements together. For instance, theHADDR signal of the master is linked to the corresponding input of the slave on lines 11 to13. Lines 6, 7, 9, 10, 12, 13, 15 and 16 express the hypothesis that the master involved inthe transfer is the one that has been granted bus access.

On this function, we prove that for each value of OP the signals produced by the slaveinterface are correct with respect to [6] for all the values of the other parameters. Thescheme of the theorems we have proved is:

(defthm M_to_S_SOUPUTi(implies (and (equal OP operation)

(some hypotheses on the parameters)) (equal SOUTPUTi VALUE2)))

3 Results and analysis

Table 1 shows the size of each ACL2 file and the time spent by a SUN bi-processor400Mhz with 1.7 Gb memory to prove all the theorems and lemmas in it. Our model,although not complete, is quite large and fully parameterized. The time needed to prove thetotal system is very short. But the time spent to write the model and to drive the prover is

2 VALUE can be a numeric or a symbolic expression.

(1)(defun AHB_trans_M_to_S (ADDR DATA OP N Card_S P Last_Granted HREQSlave_Number DATA_R MEM_SIZE)

(2)(slave_interf(3) (nth Slave_Number(4) (AHB_decoder MEM_SIZE Card_S(5) (nth 0 (nth 1 (Master_interf ADDR DATA DATA_R OP(6) (nth (arbiter_rr HREQ N Last_Granted)(7) (AHB_Arbiter N P HREQ Last_Granted)))))))

(8) (cadr (nth 1 (Master_interf ADDR DATA DATA_R OP(9) (nth (arbiter_rr HREQ N Last_Granted)(10) (AHB_Arbiter N P HREQ Last_Granted)))))

(11) (nth 0 (nth 1 (Master_interf ADDR DATA DATA_R OP(12) (nth (arbiter_rr HREQ N Last_Granted)(13) (AHB_Arbiter N P HREQ Last_Granted)))))

(14) (caddr (nth 1 (Master_interf ADDR DATA DATA_R OP(15) (nth (arbiter_rr HREQ N Last_Granted)(16) (AHB_Arbiter N P HREQ Last_Granted)))))

(17) DATA_R MEM_SIZE))

around one-man month. Nevertheless, we have verified a structure that is out of reach ofthe current formal tools, even for the state of the art model checkers.

Table 1: Size of ACL2 files and their proof time.

ACL2 file Proof time

Decoder 100 lines 1,5 seconds

Arbiter 500 lines 7 seconds

Interfaces 300 lines 0,2 second

MiscellaneousBooks

300 lines 2,5 seconds

Bus 200 lines 1,5 seconds

Total 1000 lines 12,7 seconds

4 Conclusions and perspectives

In this paper, we have modeled a complex parameterized on-chip-bus in a functional style,and used the ACL2 theorem prover to show the correctness of master-slavecommunications using the bus. Thanks to the reasoning engine of ACL2 the proof waslargely automatic and extremely efficient once the bus description and the ACL2 logicalworld were complemented with a sufficient set of intermediate lemmas. The central resultis that the communication protocol of the bus has been proved correct for an arbitrarynumber of masters and slaves.

This work is part of a wider research on the systematic specification and verification ofcomplex components intended for use and reuse in the design of systems on chip. Most ofthe intermediate lemmas that were developed, in the process of proving the theorems whichconstitute the correctness statement for the AHB bus, are general in nature and will bereusable for other on chip network components. Indeed, we aim at proposing amethodology that would reuse the theorems on the component specification together with areuse of the component itself in a system on chip.

In consideration to the current status on theorem provers, ACL2 is one of the mostautomated systems. Yet, human expertise is needed to provide a provable initial model andguide the proof process with hints and lemmas. We are aware that the designer will needthe help of an expert verification engineer to follow our proposed methodology. Thisrepresents an added investment in human time to write trustful specifications before thefirst design step. We believe that this cost will be more than compensated by the positiveeffects of having quality specifications for components that will be used more than once:there is today no alternative technique except simulation.

Acknowledgments

We would like to thank N.E. Zergaïnoh for his help on the AHB bus, and manydiscussions.

References

[1] Kaufmann M., Manolios P. and J. Strother Moore: Computer-Aided Reasoning: An Approach. KluwerAcademic Press, 2000.

[2] Hunt W. A.: Microprocessor Design Verification. Journal of Automated Reasoning, Vol. 5, No. 4, 1989,pp. 429-460.

[3] Sawada J.: Formal Verification of an Advanced Pipelined Machine. PhD Thesis, University of Texas atAustin, 1999.

[4] Russinoff D.: A Mechanically Checked Proof of IEEE Compliance of a Register-Transfer-LevelSpecification of the AMD-K7 Floating-point Multiplication, Division and Square Root instructions.London Mathematical Society Journal of Computation and Mathematics, Vol. 1, 1998, pp. 148-200.

[5] Sawada J. and Gamboa R.: Mechanical Verification of a Square Root Algorithm using Taylor’sTheorem. In: Formal Methods in Computer-Aided Design (FMCAD ’02), 2002, pp. 274-292.

[6] AMBA Specification Rev 2.0 ARM IHI0011A, 2000

[7] Steele G.L. Jr.: Common Lisp The Language, Second Edition. Digital Press, 30 North Avenue,Burlington, MA 01803, 1990.

[8] Boyer S. R. and J Strother Moore: A Computational Logic Handbook. Perspective in Computing, 1988.

[9] Kaufmann M. and J Strother Moore: A Precise Description of the ACL2 Logic. Technical Report,University of Texas at Austin, Computer Science Department, Austin 1997.

[10]Brock B., Kaufmann M., and J Strother Moore: Theorems about Commercial Microprocessors. In:Proceedings of Formal Methods in Computer-Aided Design (FMCAD ’96), M. Srivas and A. Camilleri(eds.), Springer-Verlag, November, 1996, pp. 275-293