28 citations found.
R. B. Jones and D. L. Dill. Efficient validity checking for processor verification. In IEEE International Conference on Computer-Aided Design (ICCAD), pages 2--6, 1995.


This paper is cited in the following contexts:


Formal Verification of the Island Tunnel.. - Zhou, Song..   (1 citation)  (Correct)

....algorithm based on abstract implicit enumeration. The reachability algorithm verifies whether an invariant holds in all reachable states of an abstract state machine [9] One application of the algorithm is the verification of observational equivalence of synchronous circuits. Burch and Dill [5, 13] proposed a validity checking algorithm for processor verification which is also based on the use of abstract sorts and uninterpreted function symbols. A logic expression representing the correctness statement is generated using symbolic simulation. The algorithm is then used to check its ....

....the correctness statement is generated using symbolic simulation. The algorithm is then used to check its validity. With carefully chosen heuristics for avoiding exponential case splitting, the authors verified a subset of a RISC pipeline processor DLX [5] and a protocol processor (PP) [13]. Cyrluk and Narendran [11] defined a first order temporal logic Ground Temporal Logic (GTL) which also uses uninterpreted function symbols. Using a decidable fragment of GTL, they can automate the verification in the PVS theorem prover. These methods, however, are not applicable to ....

R. B. Jones and D. L. Dill. Efficient validity checking for processor verification. In Proc. IEEE International Conference on Computer-Aided Design (ICCAD'95). San Jose, California, USA, November 1995.


Sequential Equivalence Checking by Symbolic Simulation - Ritter   (Correct)

.... reduction [16] but either do not provide a general solution for fast automatic traversal of large circuits or their area of application is restricted (e.g. [3]). Techniques generating a single formula for the verification problem which is verified afterwards with a formula checker like SVC [4, 5, 17] have been successfully applied to verification problems described by the dotted line in Fig. 1. They do not distinguish explicitly the different intermediate symbolic values of the registers: an assignment is considered by using the symbolic term assigned whenever the register is used in the ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In ICCAD'95, 1995.


Formal Verification of Descriptions with Distinct Order .. - Ritter, Hinrichsen..   (Correct)

....This is for example the case when a data memory is addressed by an ALU and writes to the register file. Note that the ALU has to be represented by a memory model. Therefore, the processor they verified in [14] contains neither a data memory nor branching. SVC (the Stanford Validity Checker) [1, 2, 10] is a proof tool for automatic verification of formulas which can contain the two array operations read and write to model memory operations. Verification of control logic is possible using SVC if the verification task can be reduced to a formula which is sufficient to demonstrate the verification ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In ICCAD'95, 1995.


Formally Correct Construction of Pipelined Processors - Eveking, Hinrichsen, Ritter (1998)   (Correct)

.... correct transformations of DFG s were investigated in [24] A formally correct derivation of a non pipelined processor was presented in [4] The systematic, but non mechanized derivation of a pipelined DLX processor is given in [3] The formal verification of pipelined processors was pioneered by [5, 17]. Transformational techniques of unpipeling are used in [19, 20] for verification. The synthesis of pipelined processors involves some intricate problems including the scheduling of loops and complex branching logic. This paper makes the following contributions: • a transformational method ....

.... terminating computations and since particular properties of functions are not employed during forwarding and pipeling, the equivalence of segments is shown by means of a prover for ground equational logic and uninterpreted functions [26, 22] The prover developed by us is based on the ideas of [5, 17, 1], and works very efficiently for LLS segments. 14 3. since the introduction of new labels or the correct substitution of a segment body for its label affects only two segments, the bisimulation relation as required in Sect. 3 is easily established employing the prover of 2. for checking the ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In Proc. ICCAD '94, 1995.


A Framework for Multi-Notation, Model-Oriented Requirements Analysis - Day   (Correct)

....can be used as a rewrite rule to eliminate the COND function. We call the following Rule #1. COND a b c j (a b) a c) A method for lifting the COND operator outside of equality operations is described in the work on integrating BDD based simplification into PVS [Raj95] Jones et al. [JDB95] also describe if lifting of expressions as a heuristic for their validity checking algorithm. They present two rewrite rules 2 : COND a b c) EQ COND a d e) j COND a (b EQ d) c EQ e) COND a b c) EQ d) j COND a (b EQ d) c EQ d) This process is called if lifting because the function ....

....using deduction in higher order logic. A toolkit of re usable techniques helps bridge the gap between the general purpose formalism and automated techniques, allowing for the easy integration of new analysis techniques. For example, the decision procedure of the Stanford Validity Checker [BD94, JDB95, BDL96] for a quantifier free logic of equality with uninterpreted functions could be integrated into the framework. An abstraction technique other than Boolean abstraction would be needed since their decision procedure is applicable to more than just ....

Robert B. Jones, David L. Dill, and Jerry R. Burch. Efficient validity checking for processor verification. In Proceedings of the


Toward Formalizing a Validation Methodology Using.. - Gupta, Malik, Ashar (1997)   (8 citations)  (Correct)

....verification, the application of formal verification techniques has been limited by the high design complexity. Most automatic methods based on state space exploration handle it either by considering smaller designs [2, 3] or by abstracting out the datapath to verify the pipelined control [6, 19, 20]. Formal verification attempts based on theorem proving systems have also been successful [9, 17, 23] but require significant manual effort. At the simulation end of the spectrum, several efforts have focused on generation of effective function test vectors. The targets include architectural test ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In Proc. IEEE Int. Conf. on Comput.-Aided Design, pages 2--6, Nov. 1995.


Verification of RTL Generated from Scheduled.. - Ashar.. (1998)   (1 citation)  (Correct)

....datapaths for implementing a given DFG. The reader might also wish to 1 The state transition graph(STG) for the schedule is typically explicitly specified by the designer or generated by the scheduling algorithm. explore the similarities and differences between our approach and the approaches in [10, 11]. The algorithm starts with equivalence relationships between input variables. It then propagates equivalence relationships forward through the structure graphs until the outputs are reached, and checks for unconditional equivalence between the output signals of the RSG and SSG i . We apply the ....

R. Jones, D. Dill, and J. Burch, "Efficient Validity Checking for Processor Verification," in Proc. ICCAD, Nov. 1994.


Formal Verification of Pipelined Machines with Out-of-order.. - Sawada   (Correct)

....lengthened. Because the pipeline correctness diagram involves flushing which takes many machine cycles, slight increase in complexity of the pipeline causes an explosion in the number of examined cases. We can improve the efficiency of the verification process using heuristics and other techniques[12], but it does not solve the problem of case explosion. It is our belief that a naive application of the symbolic execution method cannot verify a pipelined machine with complex pipeline control logic with an acceptable computational cost. The second problem is that the diagram is not valid for ....

R. B. Jones, D. L. Dill, J. R. Burch, Efficient Validity Checking for Processor Verification, 1995 IEEE/ACM International Conference on Computer-Aided Design, pages 2-6.


Verification of Infinite State Systems by Compositional Model.. - McMillan (1999)   (17 citations)  (Correct)

....from previous applications. The basic reason for using uninterpreted functions is the same to abstract away from the actual functions computed on data in order to reason separately about arithmetic and data flow. However, existing techniques using uninterpreted functions, such as [BD94,JDB95,HB95,SJD98,VB98,BBCZ98] are based essentially on symbolic simulation. In these methodologies, one attempts to prove a commutative diagram. In the simplest case, one shows that, from any state, applying an abstraction function and then a step of the specification model is equivalent to applying a ....

....change, the processor can be verified without modifying one line of the proof This is because our three lemmas (for operands, results and noninterference) are not affected by the design change. This highlights an important difference between the present methodology and techniques such as [BD94,JDB95,HB95,SJD98,VB98,BBCZ98] which are based on symbolic simulation. Because we are using model checking it is not necessary to write inductive invariants of the design. Instead, we rely on model checking to compute the strongest invariant of an abstracted model. Thus, our proof only specifies the ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In IEEE/ACM Int. Conf. on Computer Aided Design (ICCAD '95), 1995.


A Methodology for Hardware Verification Using Compositional.. - McMillan (1999)   (3 citations)  (Correct)

....change, the processor can be verified without modifying one line of the proof This is because our three lemmas (for operands, results and noninterference) are not affected by the design change. This highlights an important difference between the present methodology and techniques such as [BD94, JDB95, HB95, SJD98, VB98a, BBCZ98] which are based on symbolic simulation. Because we are using model checking it is not necessary to write inductive invariants of the design. Instead, we rely on model checking to compute the strongest invariant of an abstracted model. Thus, our proof only specifies ....

....from previous applications. The basic reason for using uninterpreted functions is the same to abstract away from the actual functions computed on data in order to reason separately about arithmetic and data flow. However, existing techniques using uninterpreted functions, such as [BD94, JDB95, HB95, SJD98, VB98a, BBCZ98] are based essentially on symbolic simulation. In these methodologies, one attempts to prove a commutative diagram. In the simplest case, one shows that, from any state, applying an abstraction function and then a step of the specification model is equivalent to ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In IEEE/ACM Int. Conf. on Computer Aided Design (ICCAD '95), 1995.


Trace Table Based Approach for Pipelined Microprocessor.. - Sawada, Hunt, Jr. (1997)   (18 citations)  (Correct)

.... this goal, we designed an example microprocessor which features out of order instruction completion, speculative instruction fetch, and dynamic resolution of read after write (RAW) dependencies (also called true dependencies) and write after write (WAW) dependencies (also called antidependencies) [6, 8]. Our method employs a technique we call a Micro Architectural Execution Trace Table (MAETT) With the help of the MAETT, we define various properties of our pipelined implementation, and incrementally prove that each of them holds for all the reachable pipeline states. The correctness for our ....

....treats the data path symbolically and only verifies the control. However, the procedure can fail for large and complex processor designs, because the number of examined cases explodes as the control part becomes complicated. Various studies have been done to improve the capability of the technique [8, 14]. Especially, [14] decomposed Diagram (a) to simpler diagrams, which were used in superscalar verification in [4] However, it is still difficult to see how we can apply ....

R. B. Jones, D. L. Dill, J. R. Burch, Efficient Validity Checking for Processor Verification, 1995 IEEE/ACM International Conference on Computer-Aided Design, pages 2-6.


Design Verification of Advanced Pipelined Machines - Sawada   (Correct)

....out of order register writeback, and speculative execution of instructions. We know of no other earlier work which has verified a pipelined design with out of order completion. Our methodology has not suffered the severe case explosion that prevented automatic verification techniques [2][9] from being applied to a bigger example. We plan to enhance our verification techniques for pipelined machine designs with advanced features in the following ways: 1. Verification of a larger example with advanced features, 2. Verification of exception handling mechanisms in pipelined machines, ....

....the datapath symbolically, and verifies only the control logic of the pipeline. However, the cost of verification increases dramatically as the control logic becomes complex and the number of cases to be examined explodes. It is possible to use heuristics to improve the speed of the verification[9], but it still does not solve the case explosion problem. 3 Method of Pipeline Verification and its Examples We concluded that Burch and Dill s pipeline correctness diagram is a strong and succinct way to represent the correctness of the pipelined machines. We have developed new techniques to ....

R. B. Jones, D. L. Dill, J. R. Burch, Efficient Validity Checking for Processor Verification, 1995 IEEE/ACM International Conference on Computer-Aided Design, pages 2-6.


Herbrand Automata for Hardware Verification - Damm, Pnueli, Ruah (1998)   (2 citations)  (Correct)

....was supported in part by a gift from Intel, a grant from the Minerva foundation, and an Infrastructure grant from the Israeli Ministry of Science and the Arts. to be combined in verification environments. In particular, proof methods based on decision procedures for first order logic [3] [9] have gained high attention due to their ability to naturally cope with abstractions from data computations when analyzing complex control circuitry while allowing full automation of the proof (in contrast to approaches relying on interactive theorem proving such as [6, 13, 15] In this paper we ....

R.B. Jones, D.L. Dill, and J.R. Burch. Efficient validity checking for processor verification. In Intl. Conf. on Computer-Aided Design. IEEE, 1995.


Decomposing the Proof of Correctness of Pipelined.. - Hosabettu, Srivas..   (14 citations)  (Correct)

....under NASA Contract NAS1-20334 and ARPA Contract A721 NAG 2-891. effect of flushing the pipeline, for example by pumping a sequence of NOPs, can be used to automatically compute a suitable abstraction function. Burch and Dill used this flushing approach along with a validity checker [9, 1] to automate effectively the verification of pipelined implementations of several processors. The pure flushing approach has the drawback of making the size of the abstraction function generated and the number of examined cases impractically large for deep and complex superscalar pipelines. To ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In International Conference on Computer Aided Design, ICCAD '95, 1995.


Formal Hardware Verification By Symbolic Trajectory Evaluation - Jain (1997)   (9 citations)  (Correct)

....our implementation mapping allows the user to map an abstract input or output at the specification level into a protocol on multiple signals at the implementation level. Burch and Dill have used their automated technique to verify a pipelined implementation of a subset of the DLX architecture[46][51]. The DLX architecture was designed by Hennessy and Patterson to teach the basic concepts used in the MIPS 2000 and other RISC processors of that generation[61] The pipelined implementation was verified against its instruction set architecture. Their implementation had a 5 stage pipeline with a ....

R. B. Jones, D. L. Dill, and J. R. Burch, "Efficient Validity Checking for Processor Verification, " International Conference on Computer-Aided Design, November 1995.


Verifying Out-of-Order Executions - Damm, Pnueli (1997)   (18 citations)  (Correct)

....applications (c.f. e.g. CCH 96, BM97] coping with the complexity of industrial designs remains a key challenge, requiring complementary proof methods to be combined in verification environments. In particular, proof methods based on decision procedures for first order logic [BD94] JDJ95] have gained high attention due to their ability to naturally cope with abstractions from data computations when analyzing This research was supported in part by a gift from Intel, a grant from the Minerva foundation, and an Infrastructure grant from the Israeli Ministry of Science and the ....

R.B. Jones, D.L. Dill, and J.R. Burch. Efficient validity checking for processor verification. In Intl. Conf. on Computer-Aided Design. IEEE, 1995.


Specification and Verification of Pipelining in the ARM2.. - Huggins, Van Campenhout (1998)   (6 citations)  (Correct)

....model is obtained. In each iteration, the equivalence between the old pipeline and the new pipeline is proved. As in our work, the proof is by induction on the number of execution cycles. The induction hypothesis is derived automatically and is checked automatically with a validity checker [12]. Once a proper description of the pipelined and sequential model in terms of uninterpreted functions has been written, the method is highly automatic. Borger and Mazzanti [2] applied the ASM methodology for the first time to microprocessor verification. They proved the correctness of a pipelined ....

Jones, R., Dill, D., and Burch, J. Efficient validity checking for processor verification. In IEEE International Conference on Computer Aided Design (Nov. 1995), pp. 2--6.


Automatic Generation of Invariants in Processor Verification - Su, Dill, Barrett (1996)   (2 citations)  Self-citation (Dill)   (Correct)

....are checked for universal truth by a validity checker. For an incorrect implementation, this validity checker can produce a specific example where the implementation of the processor contradicts its specification. Significant effort has gone into making this validity checker fast and efficient [7, 18]. For all but the simplest descriptions, the proofs require invariants: a logical formula characterizing a superset of the states reachable from the initial state of the processor. Currently, finding appropriate invariants is the single most labor intensive part of the verification method. The ....

R. Jones, D. Dill and J. Burch, "Efficient Validity Checking for Processor Verification", IEEE/ACM International Conference on Computer Aided Design, 1995.


Validation Tools for Complex Digital Designs - Ho (1996)   (2 citations)  Self-citation (Dill)   (Correct)

....can experience a BDD blow up. This can make the usefulness of BDDs limited unless their use is carefully crafted to preclude this. 2.2. 2 Equivalence Checking with Logic Another formal approach, one that does not attempt to use properties of the state space of a design is the work of [BuD94] and [JDB95]. These attempt to prove the equivalence of two models of a design, one written with implementation details such as pipelines, and one without. Fundamentally, this is a formalization of the co simulation method of validation, which also compares two models for equivalence. The difference is that ....

Robert B. Jones, David L. Dill, Jerry R. Burch, "Efficient Validity Checking for Processor Verification", In Proceedings of the International Conference on Computer Aided Design, November 1995.


Reducing Manual Abstraction in Formal Verification of.. - Jones, Skakkebaek, Dill   (10 citations)  Self-citation (Jones Dill)   (Correct)

....and maintain the program order of instructions. Burch and Dill have devised an approach for pipelined microarchitectures that automatically generates the abstraction function by flushing the implementation state [3] The technique has been extended to dual issue and super scalar architectures [2, 8, 13]. However, these techniques do not work for out of order architectures in practice because the number of cycles required to empty the buffer completely is so large. The logical formulas are too complex to manipulate in proofs and often too complex even to construct. We have previously proposed ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In Proceedings: IEEE International Conference on Computer-Aided Design (ICCAD), November 1995.


Formal Verification of Out-of-Order Execution Using.. - Skakkebaek, Jones, Dill (1998)   (5 citations)  Self-citation (Jones Dill)   (Correct)

....function manually for pipelined designs is tedious and time consuming. In response, Burch and Dill devised an approach that automatically generates the abstraction function by flushing the implementation state [3] The technique has been extended to dual issue and super scalar architectures [7, 2, 15]. While formal verification techniques exist for pipelined and super scalar architectures, experience verifying out of order architectures is minimal. The distinct features of out of order architectures challenge existing verification approaches. First, the extended instruction parallelism in ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In ICCAD'95, November 1995.


A Decision Procedure for Bit-Vector Arithmetic - Barrett, Dill, Levitt (1998)   (17 citations)  Self-citation (Dill)   (Correct)

....times, and protect designers from economic losses due to undiscovered bugs. Formal methods for verification are especially attractive because they have the potential to cover most or all of the behaviors in a design without having to exhaustively simulate it. The Stanford Validity Checker (SVC) [2, 9] is an automatic verification tool which has been in development for several years at Stanford University. The input to SVC is a Boolean formula in a quantifier free subset of first order logic. It may also contain Boolean operators, uninterpreted functions, and various interpreted functions such ....

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient Validity Checking for Processor Verification. In IEEE International Conference on Computer-Aided Design, pages 2--6, San Jose, CA (USA), November 1995. IEEE Computer Society Press.


Microarchitecture Modeling for Design-Space Exploration.. - Vachharajani (2004)   (1 citation)  (Correct)

No context found.

R. B. Jones and D. L. Dill. Efficient validity checking for processor verification. In IEEE International Conference on Computer-Aided Design (ICCAD), pages 2--6, 1995.


Decomposing the Proof of Correctness of Pipelined.. - Ravi Hosabettu Mandayam (1998)   (14 citations)  (Correct)

No context found.

R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In International Conference on Computer Aided Design, ICCAD '95, 1995.


Project Goal and Overview - Our Goal In   (Correct)

No context found.

R. B. Jones, D. L. Dill, J. R. Burch, Efficient Validity Checking for Processor Verification, 1995 IEEE/ACM International Conference on Computer-Aided Design, pages 2-6.


CiteSeer.IST - Copyright Penn State and NEC