| R. Hosabettu, M. Srivas, and G. Gopalakrishnan, "Decomposing the proof of correctness of pipelined microprocessors, " in Computer Aided Verification (CAV'98), Lecture Notes in Computer Science, Vol. 1427, Springer-Verlag, Berlin, June 1998, pp. 122--134. |
.... Work Recent work on microprocessor verification has focused on pipelined and superscalar designs, for example: Tahar and Kumar [28] using HOL; Burch and Dill [3, 2] using model checking; Skakkebæk, Jones and Dill [26] using the Stanford Validity Checker (SVC); Hosabettu, Srivas and Gopalakrishnan [17], and Cyrluk [6] using PVS; and Sawada and Hunt [25] using ACL2 [20]. Particular attention has been paid to managing the complexities associated with such designs, for example, out-of-order issue and interrupts. Topics addressed include decomposing verifications, developing conducive data system ....
Ravi Hosabettu, Mandayam Srivas, and Ganesh Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In Hu and Vardi [18], pages 122--134.
.... The goal of formally verifying pipelined microprocessor designs [1, 14] is to show that pipelined implementations operate exactly as specified by their nonpipelined specification [2]. In this paper we discuss our approach of reducing the verification problem into a number of simpler pieces [3, 9, 6, 12, 15] by introducing various invariant conditions that characterize the valid behavior of a pipeline. Using our approach, we have verified the correctness of a microprocessor model, whose features include: speculative execution, Tomasulo's algorithm [4, 8] and precise exception handling [13] ....
Ravi Hosabettu, Mandayam Srivas and Ganesh Gopalakrishnan. Decomposing the Proof of Correctness of Pipelined Microprocessors. Computer Aided Verification, CAV'98, LNCS 1427, pages 122-134, Springer Verlag, 1998.
....Their method involves the manual construction of a very specialized circuit that has only a distant relation to the original design. Not only has the Burch and Dill flushing technique not been applied to processors with multicycle functional units, but Hosabettu, Srivas and Gopalakrishnan [15] have claimed that it has the drawback that it is hard to use for pipelines with indeterminate latency, which can arise if the control involves data-dependent loops or if some part of the processor, such as a memory cache interface, is abstracted away for managing the complexity of the system. In ....
....manually identifying case-splitting expressions. Again, SVC 1.0 could not complete the evaluation within 24 hours. As a side note, the application of the completion functions theorem-proving approach on a comparable dual-issue DLX required a month of manual work and around 30 minutes of CPU time [15][17]. Another work which has distinguished positive and negative equations in a logic of equality with uninterpreted functions is that by Pnueli et al. [24]. They do a more careful analysis of the set of equations and propose an encoding for the g-terms which requires fewer BDD variables than the ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan, "Decomposing the Proof of Correctness of Pipelined Microprocessors," Computer-Aided Verification (CAV'98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998, pp. 122-134.
....their control circuitry, is a challenging task [6, 7]. Formal verification techniques, emerging as a viable approach to validation [10], are still inadequate in verification of large systems like processors. Recently many new techniques have been proposed specifically for processor verification [1, 7, 6, 9, 11]. These techniques verify that the given implementation is equivalent to a simpler sequential model of execution, as described by the instruction set architecture. But in these approaches, the implementation is at Partial support for this work came from the Indo-US Project titled Programming ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the Proof of Correctness of Pipelined Microprocessors. In Proc. CAV'98, LNCS 1427. Springer Verlag, June/July 1998.
....and branch prediction, all of them found in the Intel Itanium [9, 12, 17], to be fabricated in the summer of 2000. The focus of this work is on efficient and automatic scaling that is clearly impossible with theorem-proving approaches, as demonstrated by Sawada and Hunt [16] and Hosabettu et al. [11]. The former approach was applied to a superscalar processor and required the proofs of around 4,000 lemmas that could be defined only after months, if not a year, of manual work by an expert. The latter work examined the formal verification of a single-issue pipelined and a dual-issue superscalar ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan, "Decomposing the Proof of Correctness of Pipelined Microprocessors," Computer-Aided Verification (CAV`98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998, pp. 122-134.
....examples within software tools, where an important theme has been efficient verification strategies. Interesting work on pipelined microprocessor verification includes [25] on AAMP5, a non-trivial, industrial example, and its verification in PVS [26] (recent accounts are [6, 27]; see also [17]); [31] on UINTA, a processor of moderate complexity, and its verification in HOL [12]; and [2] on a part of DLX [16]. A refinement of the approach in [2], more applicable to out-of-order systems and long pipelines, is [19, 20]. In addition, work has been undertaken on the complex timing models of ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In A. J. Hu and M. Y. Vardi, editors, Computer Aided Verification: 10th International Conference, pages 122--134. Springer-Verlag, Lecture Notes in Computer Science 1427, 1998.
....and hence a key underlying theme of other work has been the need for efficient verification strategies. Key work on pipelined microprocessor verification includes [25, 26] on AAMP5, a processor of some complexity, and its verification in PVS [27] (recent accounts of this work are [6, 28]; see also [17]); [32] on UINTA, a processor of moderate complexity, and its verification in HOL [12]; and [2] on a simple three-stage ALU pipeline and a fragment of the DLX architecture [16]. A refinement of this approach, more applicable to out-of-order systems and long pipelines, is [19, 20]. In addition, ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In A. J. Hu and M. Y. Vardi, editors, Computer Aided Verification: 10th International Conference, pages 122--134. Springer-Verlag, Lecture Notes in Computer Science 1427, 1998.
....for the processor. Both of these theorem-proving methods require months of manual work for complex designs, i.e. they are not automatic. Not only has the Burch and Dill flushing technique not been applied to processors with multicycle functional units, but Hosabettu, Srivas and Gopalakrishnan [12] have claimed that it has the drawback of being hard to use for pipelines with indeterminate latency, particularly where an ALU computation might have a data-dependent duration or a memory hierarchy of multiple levels might have a non-deterministic delay. In this work we extend Burch and Dill's ....
....depends on the values of the input operands or on arbitrary environment factors, e.g. a memory system with cache coherence mechanisms [11] where a data value might be locked in order to be modified by another processor. It is such functional units and memory systems that other researchers [12] have found to make hard the application of the Burch and Dill method to real processors. We resolve this problem by using a technique that we call accelerated flushing. Namely, during the one cycle of regular symbolic simulation of the Implementation, we model the indeterminate outcome of ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan, "Decomposing the Proof of Correctness of Pipelined Microprocessors," Computer-Aided Verification (CAV`98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998, pp. 122-134.
....manual proof by induction that the intermediate abstraction satisfies the ISA. We automate the proof obligations with incremental flushing. Hosabettu et al. use a technique for decomposing the abstraction function and have applied it to the example of Sawada and Hunt with out-of-order retirement [7]. Although this aids in finding an appropriate abstraction function, manual intervention is needed in its construction. Henzinger et al. use Tomasulo's algorithm to illustrate a method for manually decomposing the proof of correctness [6]. They manually provide abstract modules for parts of the ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In A. J. Hu and M. Y. Vardi, editors, Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science, pages 122--134, Vancouver, Canada, June-July 1998. Springer-Verlag.
....and raises a question of soundness of the translations. Examples include proving a simulation relation, showing the relation between a concrete design and its version with uninterpreted functions, the reference file [BBCZ98], the incremental flushing technique [SJD98], the completion function method [HSG98], etc. A new language that puts together all these techniques will allow the user to concentrate on high-level ideas, and not on the tricks and tweaks of the implementation in a tool that was never designed for that type of verification. Most of the recently developed techniques share the same ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In CAV'98 [CAV98], pages 122--134. To appear.
.... [133-139], real-time [140-153], reactive [154], and hybrid systems [155-157]; to distributed systems [158-164] and communications protocols [165-167]; to program development [168], software development steps [169-172], and refinement [173-175]; to compilers [176-179]; to hardware design [180-203] and synthesis [204-209]; to memory models and cache coherence protocols [210-213]; to multimedia collaborations [214]; to testing program visualization tools [215]; to validating fault-tolerant systems [216]; and to self-stabilization [217]. PVS has also been used to support other specification ....
Ravi Hosabettu, Mandayam Srivas, and Ganesh Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In Alan J. Hu and Moshe Y. Vardi, editors, Computer-Aided Verification, CAV '98, volume 1427 of Lecture Notes in Computer Science, pages 122--134, Vancouver, Canada, June 1998. Springer-Verlag.
....because data and control flow are tightly coupled. A formal model has to capture all of the data dependencies. As a result, the state space may become enormous. Straightforward model checking techniques [5, 6] cannot handle this complexity because of the state explosion problem. Theorem proving [8, 12, 19] alone usually involves significant manual effort. Moreover, the proofs are too tedious to be easily manageable. Symbolic execution using uninterpreted function symbols [4] is based on extensive term rewriting and simple proof-theoretic reasoning. This research is sponsored by the ....
R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In Hu and Vardi [13], pages 122--134.
....for their love, support and encouragement. My wife, Sahana, for her patience, support and charm. The work presented in this dissertation is an extension and modification of the work reported in the following four papers: 1. Decomposing the Proof of Correctness of Pipelined Microprocessors [29]; 2. Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach [30]; 3. A Proof of Correctness of a Processor Implementing Tomasulo's Algorithm without a Reorder Buffer [27]; 4. Verifying Microarchitectures that Support Speculation and Exceptions [28] ....
Hosabettu, R., Srivas, M., and Gopalakrishnan, G. Decomposing the proof of correctness of pipelined microprocessors. In Hu and Vardi [31], pp. 122-134.
....Menlo Park, CA 94025, srivas@csl.sri.com. Abstract. In this paper, we discuss the verification of a microprocessor involving a reorder buffer, a store buffer, speculative execution and exceptions at the microarchitectural level. We extend the earlier proposed Completion Functions Approach [HSG98] in a uniform manner to handle the verification of such microarchitectures. The key extension to our previous work was in systematically extending the abstraction map to accommodate the possibility of all the pending instructions being squashed. An interesting detail that arises in doing so is ....
....store buffers are handled. We highlight a new type of invariant in this work, one which keeps correspondence between store buffer pointers and reorder buffer pointers. All these results, taken together with the features handled using the completion functions approach in our earlier published work [HSG98,HSG99,HGS99], demonstrate that the approach is uniformly applicable to a wide variety of pipelined designs. 1 Introduction. Formal verification of pipelined processor implementations against instruction set architecture (ISA) specifications is a problem of growing importance. A significant number of ....
Ravi Hosabettu, Mandayam Srivas, and Ganesh Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In Hu and Vardi [HV98], pages 122-134.
....1, and Mandayam Srivas 2. 1 Department of Computer Science, University of Utah, Salt Lake City, UT 84112, {hosabett,ganesh}@cs.utah.edu. 2 Computer Science Laboratory, SRI International, Menlo Park, CA 94025, srivas@csl.sri.com. Abstract. The Completion Functions Approach was proposed in [HSG98] as a systematic way to decompose the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. ....
....decomposing the overall proof and reducing the effort for an individual model checker run, a practical methodology for decision-procedure-centered verification must prescribe a systematic way to decompose the correctness assertion into smaller problems that the decision procedures can handle. In [HSG98], we proposed such a methodology for pipelined processor verification called the Completion Functions Approach. The central idea behind this approach is to define the abstraction function as a composition of a sequence of completion functions, one for every unfinished instruction, in their ....
Ravi Hosabettu, Mandayam Srivas, and Ganesh Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In Hu and Vardi [HV98], pages 122--134.
....2, and Ganesh Gopalakrishnan 1. 1 Department of Computer Science, University of Utah, Salt Lake City, UT 84112, {hosabett,ganesh}@cs.utah.edu. 2 Computer Science Laboratory, SRI International, Menlo Park, CA 94025, srivas@csl.sri.com. Abstract. The Completion Functions Approach was proposed in [HSG98] as a systematic way to decompose the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. In ....
....at SRI International was supported in part by NASA contract NAS1-20334 and ARPA contract NASA-NAG-2-891 (ARPA Order A721). procedure-centered verification must prescribe a systematic way to decompose the correctness assertion into smaller problems that the decision procedures can handle. In [HSG98], we proposed such a methodology for pipelined processor verification called the Completion Functions Approach. The central idea behind this approach is to define the abstraction function as a composition of a sequence of completion functions, one for every unfinished instruction, in their program ....
Ravi Hosabettu, Mandayam Srivas, and Ganesh Gopalakrishnan. Decomposing the proof of correctness of pipelined microprocessors. In Hu and Vardi [HV98], pages 122--134.
R. Hosabettu, M. Srivas, and G. Gopalakrishnan, "Decomposing the proof of correctness of pipelined microprocessors, " in Computer Aided Verification (CAV'98), Lecture Notes in Computer Science, Vol. 1427, Springer-Verlag, Berlin, June 1998, pp. 122--134.
R.M. Hosabettu, M. Srivas, and G. Gopalakrishnan, "Decomposing the Proof of Correctness of Pipelined Microprocessors," Tenth International Conference on Computer Aided Verification (CAV'98), A.J. Hu and M.Y. Vardi, eds., LNCS 1427, Springer-Verlag, June 1998.