• Summary
• Related Documents
  • Active Bibliography
  • Co-citation
• Version History

Abstract:

Abstract. The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are awed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Brie y, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable innite paths, up to stuttering. This implies that the two machines satisfy the same CTL nX properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify several variants of the simple pipelined machine described by Sawada in [22, 23]. Our variants extend the basic machine by adding exceptions (to deal with over ows), interrupts, and eshed-out 128-bit ALUs (one of which is described in a netlist language). In all cases, we prove the same nal theorem. We develop a methodology with mechanical support that we used to verify Sawada's machine. The resulting proof is substantially shorter than the original and does not require any intermediate abstractions; in fact, given the denitions and some general-purpose books (collections of theorems), the proof is automatic. A practical and noteworthy feature of WEBs is their compositionality. This allows us to prove the correctness of the more elaborate machines in manageable stages. 1

Citations