Automated proofs of microprogram correctness

This paper presents a method for verifying microprograms with computer aid, and examples of its application to actual systems. The specifications for an architecture and those for the computer on which it is to be implemented are both described formally, with the microcode supplied as data to the low level description. A correspondence between the two descriptions is then formalized, and a system of programs is used to prove mathematically that the correspondence holds. This interactive, goal-directed system not only provides a proof that microcode performs as specified, but more often aids in detecting and correcting microprogram errors. Several errors in actual implementations, some of which were difficult to detect using test cases, have been discovered in this way.