Formal Speciication and Veriication of a Dataaow Processor Array

We describe the formal speci cation and veri cation of the VGI parallel DSP chip [1], which contains 64 compute processors with 30K gates in each processor. Our e ort coincided in time with the \informal" veri cation stage of the chip. By interacting with the designers, we produced an abstract but executable speci cation of the design which embodies the programmer's view of the system. Given the size of the design, an automatic check that even one of the 64 processors satis es its speci cation is well beyond the scope of current veri cation tools. However, the check can be decomposed using assume-guarantee reasoning. For VGI, the implementation and speci cation operate at di erent time scales: several steps of the implementation correspond to a single step in the speci cation. We generalized both the assumeguarantee method and our model checker Mocha to allow compositional veri cation for such applications. We used our proof rule to decompose the veri cation problem of the VGI chip into smaller proof obligations that were discharged automatically byMocha. Using our formal approach, we uncovered and xed subtle bugs that were unknown to the designers.