| J. Sawada and W.A. Hunt, "Processor verification with precise exceptions and speculative execution," in Computer Aided Verification (CAV'98), Lecture Notes in Computer Science, Vol. 1427, Springer-Verlag, Berlin, June 1998. |
....and a pipelined implementation. The ideas have been further developed by Burch [5], Windley and Burch [37] and Skakkebaek et al. [33] for pipelined microprocessors. Further developments to an out of order processor core have been made by Damm and Pnueli [10] and McMillan [26]. Sawada and Hunt [31] give a formal proof of a pipeline with exceptions which requires invariants between successive pipeline stages. Aagaard and Leeser [2] developed the transaction technique (mirroring how an instruction is decoded and executed down the pipeline stages) method to cater for pipelines with hazards ....
J. Sawada and W. Hunt. Processor verification with precise exceptions and speculative execution. In Hu and Vardi [19].
....focused on pipelined and superscalar designs, for example: Tahar and Kumar [28] using HOL; Burch and Dill [3, 2] using model checking; Skakkebaek, Jones and Dill [26] using the Stanford Validity Checker (SVC); Hosabettu, Srivas and Gopalakrishnan [17] and Cyrluk [6] using PVS; and Sawada and Hunt [25] using ACL2 [20]. Particular attention has been paid to managing the complexities associated with such designs, for example, out of order issue and interrupts. Topics addressed include decomposing verifications, developing conducive data system abstractions, refinements and invariants. It is ....
Jun Sawada and Warren A. Hunt, Jr. Processor verification with precise exceptions and speculative execution. In Hu and Vardi [18], pages 135--146.
....Introduction Present day microprocessors are complex systems, incorporating features such as pipelining, speculative, out of order execution, register renaming, exceptions, and multi level caching. Several formal verification techniques, including symbolic model checking [4, 12], theorem proving [17, 2, 11], and approaches based on decision procedures for the logic of equality with uninterpreted functions [8, 6, 20], have been used to verify such microarchitectures. In previous work, Bryant et al. [5, 6] presented PEUF, a logic of positive equality with uninterpreted functions. PEUF has been shown to ....
....other symmetry reduction techniques, to manually decompose a generic out of order execution model to a finite model, which is verified using a model checker. The manual guidance involved in decomposing the model limits the applicability of this approach to small, simple designs. Sawada and Hunt [17] use a theorem proving methodology to verify the correctness of microarchitectures with out of order execution, load store instructions and speculation. They use a trace table based intermediate representation called MAETT to record both committed and in flight instructions. This method requires ....
J. Sawada and W. Hunt. Processor verification with precise exceptions and speculative execution. In A. J. Hu and M. Y. Vardi, editors, Computer-Aided Verification (CAV '98), LNCS 1427. Springer-Verlag, June 1998.
....based on the idea of refinement. Their model, however, assumes a restricted instruction set, without branches and memory instructions. The correctness criterion adopted in most processor verification papers is the commutative diagram condition of Burch and Dill [6] or some version thereof (cf. [4, 12, 14, 19]). Along with [18] we avoid dealing with explicit synchronization and abstraction functions that match the states of the verified processor with the states of the reference machine. Instead, our criterion requires that the two sequences of retired instructions arising from running the same ....
....our criterion requires that the two sequences of retired instructions arising from running the same program on the two machines are equivalent. Dealing with memory instructions combined with out of order execution has only recently come into the scope of processor verification efforts; cf. [4, 12, 19]. Our execution unit allows multiple refinements with arbitrarily sophisticated treatment of memory operations (load bypassing, for example). A remarkably detailed model, including a treatment of exceptions, is verified by Sawada and Hunt [19] using a methodology which has many similarities to our ....
J. Sawada and W. Hunt. Processor verification with precise exceptions and speculative execution. In [13], pages 135--146.
....flushing, since the only purpose of that logic is to compute an abstraction function. Having an improper abstraction function will not compromise the verification and can only result in a false negative. The same correctness criterion has been applied to out of order designs by Sawada and Hunt [26, 27, 28], by Jones et al. [21, 22] and by Hosabettu et al. [16, 18, 19]. However, all of these approaches are based on theorem proving and require extensive manual intervention. For example, in Sawada and Hunt's method, the user has to manually build an intermediate abstraction of the processor ....
J. Sawada, and W.A. Hunt, Jr., "Processor Verification with Precise Exceptions and Speculative Execution," Computer-Aided Verification (CAV`98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998, pp. 135-146.
....and speculative loads, and branch prediction, all of them found in the Intel Itanium [9, 12, 17] to be fabricated in the summer of 2000. The focus of this work is on efficient and automatic scaling that is clearly impossible with theorem proving approaches, as demonstrated by Sawada and Hunt [16] and Hosabettu et al. [11]. The former approach was applied to a superscalar processor and required the proofs of around 4,000 lemmas that could be defined only after months, if not a year, of manual work by an expert. The latter work examined the formal verification of a single issue pipelined ....
....of computations in parallel, exploiting different structural variations in the Boolean formulas in order to achieve a performance gain for the BDD variable reordering heuristic. (Section 9, Conclusions) A VLIW microprocessor was formally verified. Its Execution Engine imitates that of the Intel Itanium [9][16], while its Fetch Engine is simpler. The modeled features are comparable to, if not more complex than, those of the StarCore [10] microprocessor by Motorola and Lucent. Efficient formal verification was possible after an extensive use of conservative approximations, some of them applied ....
J. Sawada, and W.A. Hunt, Jr., "Processor Verification with Precise Exceptions and Speculative Execution," Computer-Aided Verification (CAV`98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998, pp. 135-146.
.... moderate complexity, and its verification in HOL [12] and [2] on a part of DLX [16]. A refinement of the approach in [2] more applicable to out of order systems and long pipelines is [19, 20]. In addition, work has been undertaken on the complex timing models of superscalar processors [30, 1, 5]. [18] additionally considers exception processing in such an environment. The work in [21, 4] uses Hawk, a variant of the functional language Haskell. Generally, the intuitive models seen are conceptually similar to our own [14, 15, 8], though significant differences exist in the approach to time. ....
J. Sawada and W. A. Hunt. Processor verification with precise exceptions and speculative execution. In A. J. Hu and M. Y. Vardi, editors, Computer Aided Verification: 10th International Conference, pages 135 -- 147. Springer-Verlag, Lecture Notes in Computer Science 1427, 1998.
.... out of order systems and long pipelines is [19, 20]. In addition, superscalar processors have been addressed: in particular, the increased complexity of verification in the face of complex timing behaviour [31, 1, 5, 25]. [21, 4] use a variant of Haskell called Hawk, and Isabelle for proofs; and [18] additionally considers exception processing in such an environment. The intuitive models in [25, 26, 32] are conceptually similar to our own [14, 15, 8]. However, there are differences, particularly in the approach to time, and timing abstraction. For example, in [32, 25, 26] state elements in ....
J. Sawada and W. A. Hunt. Processor verification with precise exceptions and speculative execution. In A. J. Hu and M. Y. Vardi, editors, Computer Aided Verification: 10th International Conference, pages 135 -- 147. Springer-Verlag, Lecture Notes in Computer Science 1427, 1998.
....function. Having an improper abstraction function will not compromise the verification and can only result in a false negative. The same correctness criterion has been adopted by the theorem proving community and applied to an out of order design with exceptions and interrupts by Sawada and Hunt [17] and to an out of order design with only arithmetic instructions by Hosabettu, Srivas and Gopalakrishnan [13]. (Footnote 1: This research was supported in part by the SRC under contract 99 DC 068.) However, the former approach requires the user to manually build an intermediate abstraction of the processor ....
J. Sawada, and W.A. Hunt, Jr., "Processor Verification with Precise Exceptions and Speculative Execution," Computer-Aided Verification (CAV`98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998, pp. 135-146.
....for most problems of practical interest, the procedure is not sound, and can only be used as a heuristic to find counterexamples. Finally, a number of authors report the use of general purpose proof assistants, without model checking, in processor verification (for example [Cyr96, VB98b, WAH94, SWAH98]). To conclude, the methods presented here are novel in several aspects: first, the particular methods of circular compositional proof, symmetry reduction, and data type reduction and the method of handling uninterpreted functions are novel in and of themselves. Second, the combination of these ....
J. Sawada and W. A. Hunt, Jr. Processor verification with precise exceptions and speculative execution. In A. J. Hu and M. Y. Vardi, editors, Conference on Computer-aided Verification (CAV '98), number 1427 in LNCS, pages 135--46. Springer-Verlag, 1998.
.... [6, 7] ACL2 has been used to study the problem of specifying advanced microprocessor architectures, in particular the interaction of such features as multi issue, speculative execution and exceptions, and has been used to prove that one such design correctly implements a sequential architecture [22]. ACL2 was used to model the Rockwell Collins JEM1, the world's first silicon Java Virtual Machine [9, 10, 11, 12]. The use of ACL2 to prove theorems about simple Java like byte code programs is reported in [17]. One of the main reasons ACL2 has found industrial application is that it is both a ....
J. Sawada and W. Hunt, Jr., Processor Verification with Precise Exceptions and Speculative Execution, in A. J. Hu and M. Y. Vardi (eds.) Computer Aided Verification: 10th International Conference, CAV '98, Springer-Verlag LNCS 1427, 1998.
....(cdr partitions) where partitions is the multiprocessor oracle after slicing it at each pid, and mstep and mrun are the multiprocessor single and iterated step transformations. The modeling methods sketched here can be extended to deal with much more complex systems. For example, Sawada [31] has constructed an ACL2 model of a pipelined microprocessor with multiple instruction issue and speculative execution. His model includes interrupts and exceptions. He uses ACL2 to prove that the modeled processor implements a sequential instruction set architecture. The combination of the ....
J. Sawada and W. Hunt. Processor verification with precise exceptions and speculative execution. In Computer Aided Verification: 10th International Conference, CAV '98, pages 135--146. Springer-Verlag LNCS 1427, 1998.
....suitable abstract modules and witness modules. However, the proof can be carried out for a fixed small configuration of the processor only. Finally, verification of a processor model implementing Tomasulo's algorithm with a reorder buffer, exceptions and speculative execution is carried out in [SH98]. Their approach relies on constructing an explicit intermediate abstraction (called MAETT) and expressing invariant properties over this. Our approach avoids the construction of an intermediate abstraction and hence requires significantly less manual effort. (Section 6, Conclusion) We have shown in this ....
J. Sawada and W. A. Hunt, Jr. Processor verification with precise exceptions and speculative execution. In Hu and Vardi [HV98], pages 135--146.
....scheduling of execution resources. We have discharged the proof obligations for the simple example using the Stanford Validity Checker (SVC). (Section 2, Related Work) Sawada and Hunt's theorem proving approach uses a table of history variables, called a micro architectural execution trace table (MAETT) [10, 11]. The MAETT is an intermediate abstraction that contains selected parts of the implementation as well as extra history variables and variables holding abstracted values. It includes the ISA state and the ISA transition function. A predicate relating the implementation and MAETT is found by manual ....
J. Sawada and W. A. Hunt. Processor verification with precise exceptions and speculative execution. In A. J. Hu and M. Y. Vardi, editors, Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science, pages 135--146, Vancouver, Canada, June-July 1998. Springer-Verlag.
....it using the Stanford Validity Checker (SVC) [1]. In particular, we have verified its correctness for any (reasonable) scheduling algorithm. (Section 2, Related Work) Sawada and Hunt's theorem proving approach uses a table of history variables, called a micro architectural execution trace table (MAETT) [14, 13]. The MAETT is an intermediate abstraction that contains selected parts of the implementation as well as extra history variables and variables holding abstracted values. It includes the ISA state and the ISA transition function. A predicate relating the implementation and MAETT is found by manual ....
J. Sawada and W. A. Hunt. Processor verification with precise exceptions and speculative execution. Appears in this volume.
....because data and control flow are tightly coupled. A formal model has to capture all of the data dependencies. As a result, the state space may become enormous. Straightforward model checking techniques [5, 6] cannot handle this complexity because of the state explosion problem. Theorem proving [8, 12, 19] alone usually involves significant manual effort. Moreover, the proofs are too tedious to be easily manageable. Symbolic execution using uninterpreted function symbols [4] is based on extensive term rewriting and simple proof theoretic reasoning. (Footnote) This research is sponsored by the ....
....available, and they are becoming widely used in industry. Because of the power of symbolic model checking techniques we decided to investigate whether they could be used in combination with uninterpreted function symbols to verify OOO designs. The advantage of model checking over theorem proving [8, 19] is that it is much more automatic. But even with the use of symbolic methods like BDDs there is a limit on the size of the models that can be handled. We will show that the direct application of symbolic model checking to the verification of OOO designs is infeasible. To reduce the size of the ....
J. Sawada and W. A. Hunt. Processor verification with precise exceptions and speculative execution. In Hu and Vardi [13], pages 135--146.
....not uncovered by this extensive test suite. ACL2 is being used to model microprocessors at several industrial sites. For example, at Rockwell Collins, Inc. ACL2 is being used experimentally to provide an executable model of JEM1, the world's first silicon Java Virtual Machine [2]. In addition, [9] describes an ACL2 model of a microprocessor with multiple, out of order instruction issue with a reorder buffer, speculative execution and exceptions. Proofs are being done to relate this model to a more conventional ISA model. While this work is not industrial scale, the microprocessor is more ....
J. Sawada, W. Hunt, Jr., Processor Verification with Precise Exceptions and Speculative Execution, Computer Aided Verification 1998, Lecture Notes in Computer Science, Springer Verlag, 1998 (to appear).
....refinement relations to be proved. Although they do not need any flushing mechanism, there is no systematic method to generate the invariants and obligations needed and hence their mechanization is not as automatic as ours. And they do not address liveness issues needed to complete the proof. In [SH98], verification of a processor model with a reorder buffer, exceptions, and speculative execution is carried out. Their approach relies on constructing an explicit intermediate abstraction (called MAETT) and expressing invariant properties over this. Our approach avoids the construction of an ....
J. Sawada and W. A. Hunt, Jr. Processor verification with precise exceptions and speculative execution. In Hu and Vardi [HV98], pages 135--146.
....and control flow are tightly coupled. A formal model has to capture all of the data dependencies. As a result, the state space may become enormous. Straightforward model checking techniques [CE81, CES86] cannot handle this complexity because of the state explosion problem. Theorem proving [DP97, SH98] alone usually involves significant manual effort. Moreover, the proofs are too tedious to be easily manageable. Symbolic execution using uninterpreted function symbols [BD94] is based on extensive term rewriting and simple proof theoretic reasoning, and thus, can be easily automated. However, ....
....and they are becoming widely used in industry. Because of the power of symbolic model checking techniques we decided to investigate whether they could be used in combination with uninterpreted function symbols to verify OOO designs. The advantage of model checking over theorem proving [DP97, SH98] is that it is much more automatic. But even with the use of symbolic methods like BDDs there is a limit on the size of the models that can be handled. We will show that the direct application of symbolic model checking to the verification of OOO designs is infeasible. To reduce the size of the ....
J. Sawada and W. A. Hunt. Processor verification with precise exceptions and speculative execution. In CAV'98 [CAV98]. To appear.
....an intermediate model of the MA state that mimics the behavior of speculative execution, exceptions, and external interrupts. This abstraction, which is called a MAETT, records executed instructions, each of which is represented with a data structure holding the values related to the instruction [SH98]. Table 1 gives a list of properties we defined during our verification. Let $\Pi$ be the set of properties in the table. Additionally, we define predicate $\mathit{CMI}_p$ that holds iff the MA has committed any self modifying code. Then $\bigwedge_{P \in \Pi} P$ is an invariant under the constraint $\neg \mathit{CMI}_p$ [LL90] that ....
Jun Sawada and Warren A. Hunt, Jr. Processor verification with precise exceptions and speculative execution. In Alan J. Hu and Moshe Y. Vardi, editors, Computer Aided Verification (CAV '98), volume 1427 of LNCS, pages 135--146. Springer Verlag, 1998.
....simplified the verification of our intermediate data values invariant in Section 4. We finally present a breakdown of the total effort required to verify this design in Section 5, and then present our conclusions. (Section 2, Machine Model and Correctness Criterion) We designed a new microprocessor model [11] for the purpose of our research. The model contains several features which make the verification problem challenging. Some of the interesting features included are speculative execution, branch prediction, exceptions, and external interrupts. It contains four pipelined execution units that ....
....i ) strips off the implementation dependent components from $MA_i$, and returns the ISA state consisting of only the programmer visible components. Our verification goal is to show that the MA model correctly implements our ISA specification, by proving the following correctness criterion [11]. Definition 1. (Correctness Criterion) Suppose we run the MA model for n machine cycles from an initial flushed state $MA_0$ with a sequence of external signals $SIG_{MA}$. If the resulting state $MA_n = \mathit{MA\text{-}stepn}(MA_0, SIG_{MA}, n)$ is also flushed, there exists a corresponding ISA execution of ....
J. Sawada and W. Hunt, Jr. Processor Verification with Precise Exceptions and Speculative Execution. Computer Aided Verification, CAV'98, LNCS 1427, pages 135-146, Springer Verlag, 1998.
J. Sawada and W.A. Hunt, "Processor verification with precise exceptions and speculative execution," in Computer Aided Verification (CAV'98), Lecture Notes in Computer Science, Vol. 1427, Springer-Verlag, Berlin, June 1998.
J. Sawada and W. A. Hunt, Jr. Processor verification with precise exceptions and speculative execution. In A. J. Hu and M. Y. Vardi, editors, Computer-Aided Verification (CAV '98), LNCS 1427, pages 135--146, 1998.
J. Sawada and W. A. Hunt. Processor Verification with Precise Exceptions and Speculative Execution. In CAV, 1998.
J. Sawada and W. Hunt. Processor Verification with Precise Exceptions and Speculative Execution. In Proceedings of the 10th International Conference on Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 135-146. Springer Verlag, 1998.
J. Sawada and W. Hunt, Jr., "Processor Verification with Precise Exceptions and Speculative Execution," Proc. Computer-Aided Verification (CAV '98), Lecture Notes in Computer Science 1427, A.J. Hu and M.Y. Vardi, eds., Springer Verlag, 1998, pp. 135-146.