PVS : Combining Speci cation , Proof Checking , and Model Checking ? To appear in CAV ' 96

PVS (Prototype Veriication System) is an environment for constructing clear and precise speciications and for developing readable proofs that have been mechanically veriied. It is designed to exploit the synergies between language and deduction, automation and interaction, and theorem proving and model checking. For example, the type system of PVS requires the use of theorem proving to establish type correctness, and conversely, type information is used extensively during a proof. Similarly, decision procedures are heavily used in order to simplify the tedious and obvious steps in a proof leaving the user to interactively supply the high-level steps in a veriication. Model checking is one such decision procedure that is used to discharge temporal properties of speciic nite-state systems. A variety of examples from functional programming, fault tolerance, and real time computing have been veriied using PVS 8]. The most substantial use of PVS has been in the veriication of the microcode for selected instructions of a commercial-scale microprocessor called AAMP5 designed by Rockwell-Collins and containing about 500,000 transistors 6]. Most recently, PVS has been applied to the veriication of the design of an SRT divider 10]. The key elements of the PVS design are described below in greater detail below. The PVS speciication language is based on classical, simply typed higher-order logic, but the type system has been augmented with subtypes and dependent types. Though typechecking is undecidable for the PVS type system, the PVS typechecker automatically checks for simple type correctness and generates proof obligations corresponding to predicate subtypes. These proof obligations can be discharged through the use of the PVS proof checker. PVS also has parametric theories so that it is possible to capture, say, the notion of sorting with respect to arbitrary sizes, types, and ordering relations. By exploiting subtyping, dependent typing, and parametric theories, researchers at NASA Langley Research Center and SRI have developed a very general bit-vector library. Paul Miner at NASA ?