| Warren A. Hunt Jr. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, 1989. |
....space. To minimize the probability of this happening, designers employ various techniques to improve the quality of verification, including co-simulation [4], coverage analysis [4], random test generation [5] and model-driven test generation [6]. A recent development called formal verification [7] works to increase test-space coverage by using formal methods to prove that a design is correct. Due to the large number of states that can be tested with a single proof, the approach can be much more efficient than simulation-based testing. In some cases it is even possible to completely verify ....
W. Hunt, "Microprocessor design verification," Journal of Automated Reasoning, vol. 5, pp. 429-460, Dec. 1989.
....specification of the microarchitecture is given in the appendix. 2 Related Work Several verifications of complete processors were undertaken during the 1980s and early 1990s. Examples include Tamarack [24], SECD [3, 15], the partial verification of Viper [7, 8, 9], Hunt's FM8501 and FM9001 [21, 22, 23], and Windley [36, 38]. All these processors were simple uniprocessor fetch-decode-execute engines specifically designed for formal verification. Following this work, Miller and Srivas verified the implementation of some of the instructions of a simple real processor called AAMP5 [27, 28]. A ....
....of most significance are the memory and the program counter because these determine the state of the pipeline during initialisation. The rewriting is, therefore, structured around evaluating these components. [Figure residue: decode flowchart relating instruction class (swp, mrs/msr, data-processing, branch, swi, undefined, ldr/str) and whether Rd = PC to the number of cycles; layout not recoverable as text] ....
Warren A. Hunt, Jr. Microprocessor design verification. Journal of Automated Reasoning, 5:429--460, 1989.
....consequently good candidates. We propose to use the ACL2 theorem prover [1] as a tool allowing a designer to reach a correct formal functional model of a specification. Our use of the prover is slightly different from the previous successful applications like the verification of microprocessors [2], pipeline machines [3] and floating-point arithmetic [4, 5]. Mainly, in these articles, the authors prove that two different models affect a memory in the same way. In this paper, we show the formalization of the specification [6] of a widely used communication architecture into the ACL2 logic, and ....
Hunt W. A.: Microprocessor Design Verification. Journal of Automated Reasoning, Vol. 5, No. 4, 1989, pp. 429-460.
....cases which must be accounted for. Sometimes, significant bugs are found after a processor is commercially released, which is both embarrassing and costly. Formal verification techniques have been steadily improving over the last decade, and several simple microprocessors have been verified [3, 6, 8]. The methods used in these verification efforts are based on theorem provers, which require a great deal of expert guidance. In addition, some automatic techniques used on simple processors (i.e. [9]) are not applicable to pipelined processors. And even though some pipelined processors have been ....
W. Hunt, Jr., "Microprocessor Design Verification", Journal of Automated Reasoning 5: pp. 429--460, 1989.
....space. To minimize the probability of this happening, designers employ various techniques to improve the quality of verification, including co-simulation [6], coverage analysis [6], random test generation [1] and model-driven test generation [13]. A recent development called formal verification [15] works to increase test-space coverage by using formal methods to prove that a design is correct. Due to the large number of states that can be tested with a single proof, the approach can be much more efficient than simulation-based testing. In some cases it is even possible to completely verify ....
W. Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, Dec. 1989.
....its specification, we cannot do the same for a parameterized n-bit adder. There are similar problems in verifying temporal properties of a circuit that should hold over all instants of time. Typically such circuits are verified interactively, or semi-automatically using mathematical induction [1, 2, 7, 10, 12, 13, 15]; that is, a time-dependent property P(n) is shown to hold for all instants n by induction over n. There is an alternative approach to such problems, however: find and analyze a finite characterization of the infinite state space. For example, an n-bit adder may be constructed by chaining ....
Warren Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, 1989.
....circuits and systems is concerned. One class of approaches is based on describing both the circuit and the specification in a formal logic and verifying the circuit by proving theorems using the axioms and the rules of inference in the formal system. These are the theorem-proving-based approaches [22, 23, 31, 30]. These techniques are very powerful in handling abstractions and hierarchical designs but require a high degree of expertise and are not completely automated. State-based approaches like symbolic model checking [6] and its variations [33] and language containment [16, 25] are highly automated and ....
W. Hunt. Microprocessor design verification. Journal of Automated Reasoning, vol.5(4), pages 429--460, 1989.
....design complexity. Most automatic methods based on state-space exploration handle it either by considering smaller designs [2, 3] or by abstracting out the datapath to verify the pipelined control [6, 19, 20]. Formal verification attempts based on theorem-proving systems have also been successful [9, 17, 23], but require significant manual effort. At the simulation end of the spectrum, several efforts have focused on generation of effective function test vectors. The targets include architectural test sets [7], pipeline hazards [18] and property-specific architectural test sets [21]. 4 Test Set ....
W. A. Hunt, Jr. Microprocessor design verification. J. Automated Reasoning, 5(4):429--460, 1989.
....schema, was initiated by Gordon [11], who first verified a simple processor using LCF_LSM. This experience has been succeeded by two main significative case studies: the VIPER processor was partly verified with the HOL proof system [8] and the FM8501 processor with the Boyer-Moore proof system [13]. These two large examples raise the need for a general methodology of processor verification. In fact, these proofs were specific to a particular processor, and the proof of another processor has to be built from scratch. To fill this gap, a general functional model has first been ....
W. A. Hunt Jr. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, Dec. 1989.
Warren Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, 1989.
....and Cullyer [1987], which discuss its partial verification in HOL. Viper has been further considered in Arora et al. [1993]; see also Harman [1989]. Landin's SECD machine (Landin [1963]) has been considered in Graham [1992], Graham and Birtwistle [1990] and Birtwistle and Graham [1990]. Hunt [1986], Hunt [1989], Hunt [1992] and Hunt [1994] discuss a PDP-11-based processor, the FM8501, and its considerably more advanced successor, the FM9001. The FM9001 is also considered in Bose and Johnson [1993]. Barrett and Shepard [1992] and Roscoe [1992] discuss parts of the Inmos T800 and T9000 Transputers, ....
Hunt [1989] W A Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429 -- 460, 1989.
.... in (Joyce [1987], Stavridou [1993], Harman and Tucker [1994]); Viper (Cohn [1987], Cullyer [1987b] and Cullyer [1987a]), further considered in Arora et al. [1993]; Landin's SECD machine (Landin [1963]), considered in Graham [1992], Graham and Birtwistle [1990] and Birtwistle and Graham [1990]; Hunt [1986], Hunt [1989], Hunt [1992] and Hunt [1994] discuss a PDP-11-based processor, the FM8501, and its more advanced successor, FM9001 (see also Bose and Johnson [1993]). The algebraic tools in this paper and others, and work at Swansea on modeling hardware and parallel systems in general, is part of the work of ....
Hunt [1989] W A Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429 -- 460, 1989.
....describes the verification, and discusses the effect of pipelining on the correctness model. 1 Introduction Much has been written over the years regarding the formal specification and verification of microprocessors. Most of these efforts have been directed at non-pipelined microprocessors [Gor83, Bow87, Hun87, CCLO88, Coh88, Joy88, Hun89, Win90, Her92, SWL93, Win94b]. The verification of pipelined microprocessors presents unique challenges. The correctness model is somewhat different than the standard correctness models used previously (see Section 7.1). Besides the correctness model, the concurrent operations inherent in a pipeline lead to hazards which ....
Warren A. Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5:429--460, 1989.
....described in first- or higher-order predicate logic and verified through the use of interactive theorem provers such as Nqthm [24], RRL [25], HOL [26] or PVS [27]. These theorem provers have already been employed by various research groups (for instance for the verification of processors [28, 29, 30, 31]). Even though complete automation is not achievable in this area, at least partial automation can be reached by suitably structuring the proof goals [32]. In embedded systems, however, verification tasks from both problem classes frequently arise ....
W.A. Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, 1989.
.... Tucker [1997]; Viper (Cohn [1987] and Cullyer [1987]), further considered in Arora et al. [1993]; Landin's SECD machine (Landin [1963]), considered in Graham [1992] and Birtwistle and Graham [1990]. A PDP-11-based processor, the FM8501, and its more advanced successor, FM9001, are discussed in Hunt [1989], Hunt [1992] and Hunt [1994]; see also Bose and Johnson [1993]. The structure of this paper is as follows. In Section 2 we introduce the basic iterated map model of a microprocessor. In Section 3 we consider how we may express the correctness of one model of a (non-superscalar) microprocessor with respect ....
Hunt [1989] W A Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429 -- 460, 1989.
....FM8501 microprocessor [Hun87] and Avra Cohn's VIPER microprocessor [Coh88]. Tamarack is a simple microprocessor with only 8 instructions. FM8501 is larger (roughly the size of a PDP-11) but has not been implemented (a 32-bit version is currently being verified and implemented by Hunt et al. [Hun89]). Perhaps the most interesting of these is VIPER since, even though VIPER is significantly simpler than today's general-purpose microprocessors, its verification provides a benchmark on the state of the art in microprocessor verification. VIPER was designed by Britain's Royal Signals and Radar ....
Warren A. Hunt. Microprocessor design verification. Journal of Automated Reasoning, Vol 5, pages 429--460, 1989.
....to the immersion of Sect. 3.4. Interesting earlier work on microprocessors includes the following. Gordon's Computer [15], a significant example since considered by others in [24, 35, 19]; Viper [7], which was partially verified in HOL. Landin's SECD machine [25] has been considered in [17, 3]. [23, 21, 22, 4] discuss a PDP-11-based processor and a more advanced successor. [1, 33] discuss parts of the Inmos T800 and T9000 Transputers, using an Occam-based transformation system. 3 Algebraic Formalisms Computer systems are modelled in an algebraic framework using primitive recursive functions. We omit ....
W A Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429 -- 460, 1989.
....and shows how all of these can be used to create a semantics for a microprocessor instruction set. The verified microprocessor Uinta provides examples for each of these. 1 Introduction Much has been written over the years regarding the formal specification and verification of microprocessors [CCLO88, Bow87, Hun87, Coh88b, Coh88a, Gor83, Joy88, Hun89, Joy89, SB90, Her92, SWL93, TK93]. These efforts use many different proof systems and styles. We have verified a number of microprocessors in the HOL theorem proving system [Win90a, Win90b, Win94, WC94] and have developed techniques which clarify the specification and ease the verification effort. Some of this has been codified ....
Warren A. Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5:429--460, 1989.
....designed at the then Royal Signals and Radar Establishment of the UK's Ministry of Defence specifically for use in safety-critical systems. However, the MoD withdrew its support for the chip when doubts were cast as to the correctness and completeness of the proofs [Cohn 1989, Matthews 1991]. [Hunt 1989] reports on the verification of the FM8502 microprocessor using the Boyer-Moore theorem prover [Boyer 1988] as part of a larger project [Bevier 1989] to verify a short stack of system components consisting of a compiler, an assembler, an operating system kernel and the FM8502 itself. ....
Hunt, Warren A., J., 1989: Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460.
....purposes and none have included any kind of analysis of their instruction sets regarding code reordering. Only one formally verified general-purpose microprocessor has been fabricated and it has so few features as to be impractical for real use. Descriptions of these efforts can be found in [Coh88, Joy89a, Joy88, Hun89]. It is important to note that none of these projects involved verification of a pipelined processor. In [SB90] Srivas et al. describe the formal verification of a pipelined microprocessor called Mini-Cayuga, comparable in complexity of design to that of Hunt's FM8501. However, the structure and ....
Warren A. Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5:429--460, 1989.
....of boolean functions as BDDs (Binary Decision Diagrams) [8]. However, at the architecture level, the situation is more open for processor verification. Several methods based on distinct formalisms and logical proof tools have been proposed to formally verify processors, among which we can mention [10, 16, 18, 17, 5, 4, 22, 14]. In our opinion, one drawback of using general theorem provers such as HOL [13, 2] or Nqthm [6] is that the verification must be performed by a user familiar with general logic tools. The functional approach presented in [5] does not need any logical knowledge, but does not use the computer ....
....a single bus. General and base registers and interruption vectors are in an internal memory. The communication between the processor and the external memory is realized by two buses and two wires. We decided to verify this processor because it has interesting features that do not appear in FM8501 [17], Viper [10] and Gordon's processor [12, 18]: complex addressing modes, register files, external memory communication protocol. 5.2 Specification of the MTI We will now follow the methodology we gave in Section 2 to specify the MTI. 5.2.1 Structure specification Using the component toolbox, we ....
W.A. Hunt: "Microprocessor design verification", Journal of Automated Reasoning, 5(4): 429--460, 1989.
....proof systems to carry out the transitions and verify the commutation of the diagram. 1.3 Aims of the Paper and Related Works Several interesting approaches have been proposed to realize formal verification of processors along the lines of the previous general schema, see for instance [7, 11, 18, 21, 22]. However, in our sense, these works display two kinds of shortcomings: they are specific to a particular processor. This means that the specification of a new processor must be built from scratch. As a consequence, they do not provide any user-friendly interface to describe processors and ....
W. A. Hunt Jr. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, Dec. 1989.
....to systems verification, and summarize the application of our approach to several system components. These components consist of a code generator for a simple high-level language [16], an assembler and linking loader [14], a simple operating system kernel [2, 1] and a microprocessor design [11]. Each of these is formally specified by an abstract finite state machine, and each is proved correct by showing that a lower-level machine implements the abstract machine. In the case of the compiler and the assembler, a translation function is verified to correctly map an arbitrary legal ....
.... the correctness of a simple Micro-Gypsy program. These proofs were all constructed by the Boyer-Moore theorem prover. Complete descriptions of the relevant machines, implementations, MapUp functions, correctness theorems, and proofs are given in the accompanying papers in this collection [11, 14, 16]. We have proved the additional results necessary to let us stack the three correctness results. For example, a legal Micro-Gypsy program that executes without high-level errors is compiled into a legal Piton program that executes without Piton-level errors, etc. We thus obtain a theorem that ....
W.A. Hunt. Microprocessor Design Verification. To appear in The Journal of Automated Reasoning.
Warren A. Hunt Jr. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429--460, 1989.
Warren A. Hunt. Microprocessor Design Verification. Journal of Automated Reasoning, 5(4):429--460, 1989.
CiteSeer.IST - Copyright Penn State and NEC