An Exercise in Integrating Veri cation with Formal Derivation

The DDD-FM9001 is a 32-bit general purpose microprocessor formally derived directly from Hunt's mechanically veri ed Nqthm FM9001 microprocessor speci cation. The exercise was part of a project to construct an implementation of the FM9001 by applying the DDD design derivation system to the Nqthm FM9001 speci cation. The main thesis of this work maintains that derivation and veri cation represent interdependent facets of design and must be integrated if formal methods are to support the natural analytical and generative reasoning that takes place in engineering practice. In this paper we describe the continuation of previous work in which the DDD system was applied to Hunt's FM8501 speci cation. This paper describes the derivation of the DDD-FM9001 and compares the derived architecture and hardware realization with that of the FM9001 in an e ort to better understand the interplay between derivation and veri cation.