33 citations found.
D. Cyrluk. Microprocessor Verification in PVS: A Methodology and Simple Example. Technical Report SRI-CSL-93-12, Menlo Park, CA, 1993.


This paper is cited in the following contexts:


An Algebraic Framework for Modelling and Verifying Microprocessors.. - Fox (2001)   (1 citation)

.... on microprocessor verification has focused on pipelined and superscalar designs, for example: Tahar and Kumar [28] using HOL, Burch and Dill [3, 2] using model checking; Skakkebæk, Jones and Dill [26] using the Stanford Validity Checker (SVC) Hosabettu, Srivas and Gopalakrishnan [17] and Cyrluk [6] using PVS; and Sawada and Hunt [25] using ACL2 [20] Particular attention has been paid to managing the complexities associated with such designs, for example, out of order issue and interrupts. Topics addressed include, decomposing verifications, developing conducive data system abstractions, ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, 1993.


Architecture Description Language driven Functional Test.. - Mishra, Dutt

....pipelined architecture specified in an Architecture Description Language (ADL) Several approaches for formal or semi formal verification of pipelined processors have been developed in the past. Theorem proving techniques, for example, have been successfully adapted to verify pipelined processors ([5] [13] [15]) Burch and Dill presented a technique for formally verifying pipelined processor control circuitry [4] The technique has been extended to handle more complex pipelined architectures by several researchers ([11] [14]) Ho et al. [6] extract controlled token nets from a logic design to ....

D. Cyrluk. Microprocessor verification in pvs: A methodology and simple example. Technical report, SRI-CSL-93-12, 1993.


Automatic Verification of In-Order Execution in.. - Fragmented Pipelines And (2002)

....by a case study in Section 6. Section 7 concludes the paper. 2 Related Work Several approaches for formal or semi formal verification of pipelined processors has been developed in the past. Theorem proving techniques, for example, have been successfully adapted to verify pipelined processors ([3], [16] [18]) However, these approaches require a great deal of user intervention, especially for verifying control intensive designs. Burch and Dill presented a technique for formally verifying pipelined processor control circuitry [2] Their technique verifies the correctness of the ....

D. Cyrluk. Microprocessor verification in pvs: A methodology and simple example. Technical report, SRI-CSL-93-12, 1993.


Automatic Generation of Invariants in Processor Verification - Su, Dill, Barrett (1996)   (2 citations)

....these verification efforts are based on theorem provers, which require a great deal of expert guidance. In addition, some automatic techniques used on simple processors (i.e. 9] are not applicable to pipelined processors. And even though some pipelined processors have been successfully verified [4, 14, 15, 17], they are either very simple or require a great deal of work to verify. Burch and Dill [1] proposed a new method for verifying the control of microprocessors. The verification method compares two behavioral descriptions of the processor: a pipelined implementation and a simpler, unpipelined ....

D. Cyrluk, "Microprocessor Verification in PVS: A Methodology and Simple Example", Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993.


Automatic Verification of Pipelined Microprocessor Control - Burch, Dill (1994)   (97 citations)

....of pipelining, etc. Formal verification requires proving that the specification and implementation are in a proper relationship, but that relationship is not necessarily easy to define. Recently, there have been successful efforts to verify pipelined processors using human guided theorem provers [11, 19, 20, 22]. However, in all of these cases, either the processor was extremely simple or a large amount of labor was required. Although the examples we have attacked are still much simpler than current high performance commercial processors, they are significantly beyond the capabilities of automatic ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993.


Processor Verification with Precise Exceptions and.. - Sawada, Hunt, Jr.   (24 citations)

....our correctness criterion using the ACL2 theorem prover. 1 Introduction We have studied the verification of a pipelined microprocessor whose implementation contains speculative execution, external interrupts and precise exceptions. The verification of pipelined microprocessors has been studied[1, 12, 6, 13], but complicated features, such as exception mechanisms, are often simplified away from the implementation model. Several verified microprocessor designs contain exception mechanisms[4, 11] however, they contain only one kind of exception and require only a few cycles before exception handling ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example, Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993.


Formal Verification of the TORCH Microprocessor RTL Design - Su, Arditi, Das.. (1998)

....stored in 32 bit words in memory. The unpacking is of course turned off when TORCH runs in MIPS mode and only 8 words are loaded from memory during a cache miss. 3 Verification Approach We used an inductive verification approach that has previously been applied in high level design verification [11, 9]. Given an implementation and a specification, the approach (illustrated in Figure 3) requires that we define an abstraction relation that relates states in the implementation with states of the specification. The proof obligation is to show that for every implementation 5 state that is reachable ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, December 1993.


Correctness of Transformations in High Level Synthesis: Formal.. - Rajan (1995)   (7 citations)

....is done by comparing the specified properties of the entities. For example, one can compare if a register transfer level implementation of hardware satisfies the properties expressed by its high level specification. PVS has been used for reasoning in many domains, such as in hardware verification [Cyr 93, CRS 94] protocol verification, and algorithm verification [LOR 93] We have specified and verified transformations such as copy propagation, constant propagation, common subexpression insertion, commutativity, associativity, ....

D. Cyrluk, Microprocessor Verification in PVS: A methodology and simple example, SRI-CSL-93-12, Technical Report, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


Specifications of the ATM Switch Fabric in Coq - Jakubiec (1997)

....studies quite new systems such as PVS [46] Isabelle [42] Nuprl [12] and Coq [5] All of the systems quoted below implement a higher order logic. • PVS (Prototype Verification System) is a proof checker based on sequent calculus in a classical logic. It includes numerous decision procedures. [19] and [38] give some examples of its use in hardware. • Isabelle is sometimes said to belong to a new category of theorem provers since it is generic in the sense that it allows to encode any logic one wants to consider. It is possible to declare theories using the Isabelle metalogic. Some works ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory SRI International, Menlo Park, CA, December 1993.


Applying Formal Verification to a Commercial Microprocessor - Srivas, Miller (1995)   (8 citations)

....in developing a general framework for microprocessor correctness. In [16] Windley developed such a framework using the notion of generic interpreters, but it is not applicable to pipelined processors. We derived the AAMP5 correctness criterion using the general framework developed by David Cyrluk [5] for proving correspondence between state machines in PVS which has been shown to be applicable to pipelined processors. [Fig. 1. Pipelined Microprocessor Correctness (commuting property diagram)] Formal microprocessor verification typically ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


From VHDL to Efficient and First-Time-Right Designs: A Formal.. - Middelhoek (1995)   (5 citations)

....is done by comparing the specified properties of the entities. For example, one can compare if a register transfer level implementation of hardware satisfies the properties expressed by its high level specification. PVS has been used for reasoning in many domains, such as in hardware verification [Cyr93, CRS94, RSS95] protocol verification, and algorithm verification [LOR93] We have specified and verified transformations such as copy propagation, constant propagation, common subexpression insertion, commutativity, associativity, distributivity, and strength reduction described by Engelen and ....

D. Cyrluk, Microprocessor Verification in PVS: A methodology and simple example, SRI-CSL-93-12, Technical Report, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


Formal Verification of Pipelined Machines with Out-of-order.. - Sawada

....which adopt radical performance optimizations, including superscalar super pipelining, out of order execution, and speculative execution [5, 7, 11] Pipelining is a key feature of today's microprocessor designs. There have been several earlier successes to formally verify pipelined machines [6, 14, 15, 16]; however, these machines have a short and simple pipeline structure. The lack of complex control logic, which is one of the hardest parts to verify, is something our approach addresses. In our project, we have been studying and developing techniques to verify the correctness of pipelined ....

....different levels of behavioral description. However, a simple time abstraction cannot relate sequential and pipelined machines, as we typically do not have a pipelined machine state that we can directly compare to the sequential specification state. Some earlier pipeline verification research[6, 15] used abstraction mappings combining different machine components at different times. For instance, an abstraction mapping of a pipelined machine may combine the program counter at time t and the register file and the memory at time t 2 to form the corresponding specification state. Sometimes ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example, Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993


Trace Table Based Approach for Pipelined Microprocessor.. - Sawada, Hunt, Jr. (1997)   (18 citations)

....of today's processors with modern performance optimizations, including superscalar super pipelining, out of order execution, and speculative execution. 2 Background There have been a number of earlier efforts to verify pipelined microprocessor designs with interactive theorem provers[5, 10, 11, 13]. Typically in these projects, they show the equivalence of an instruction set architecture (ISA) and a corresponding micro architectural design. An ISA is a non pipelined abstract machine which specifies the effects of individual instructions, while a micro architectural design exposes the ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example, Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993


Design Verification of Advanced Pipelined Machines - Sawada

....designs. Since the instruction set specification runs instructions one by one, we call it the sequential specification as opposed to the pipeline implementation, in order to make clear the difference in styles of execution. There are several earlier pipelined processor verification efforts[4][11][12][13] in which they proved commutative diagrams like Figure 2 using a peculiar abstraction mapping. In many of them[4][12][13] they combine the states of different components at different times to produce a corresponding sequential specification state. For instance, the program counter at ....

....as opposed to the pipeline implementation, in order to make clear the difference in styles of execution. There are several earlier pipelined processor verification efforts[4][11][12][13] in which they proved commutative diagrams like Figure 2 using a peculiar abstraction mapping. In many of them[4][12][13] they combine the states of different components at different times to produce a corresponding sequential specification state. For instance, the program counter at time and the register file and the memory at time are combined to form a corresponding sequential specification state. In ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example, Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993


Decomposing the Proof of Correctness of Pipelined.. - Hosabettu, Srivas..   (14 citations)

....paths in the commutative diagram which will then be tested for equivalence. An automatic way to perform this equivalence testing is to use ground decision procedures for equality with uninterpreted functions such as the ones in PVS. This strategy has been used to verify several processors in PVS [5, 4, 15]. Some of the approaches to pipelined processor verification rely on the user providing the definition for the abstraction function. Burch and Dill in [3] observed that the This work was done in part when Ravi Hosabettu was visiting SRI International in summer 1997. The work done by the ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


Fibre Channel Protocol: Formal Specification And Verification - Vijay Nagasamy (1995)   (1 citation)

....to derive other desired properties. The process of verification involves checking relationships that are supposed to hold among entities. The checking is done by comparing the specified properties of the entities. PVS has been used for reasoning in many domains, such as in hardware verification [6,7,8], protocol verification, and algorithm verification [9] We briefly give the features of the PVS specification language in Section 4.1 and the PVS verification features in Section 4.2. 4.1 PVS Specification Language The specification language features common programming language constructs such ....

....for model checking and Boolean reasoning. It also features a variety of general induction schemes to tackle large scale verification. Moreover, different verification schemes can be combined into general purpose strategies for similar classes of problems, such as verification of microprocessors [6,7]. A PVS specification is first parsed and type checked. More information on PVS and its use in mechanical verification can be obtained through World Wide Web: http: www.csl.sri.com sri csl fm.html . At this stage, the type of every term in the specification is unambiguously known. The ....

D. Cyrluk. "Microprocessor Verification in PVS: A methodology and simple example". Technical Report, SRI International, December 1993. Report CSL-93-12.


A Tutorial on Using PVS for Hardware Verification - Owre, Rushby, Shankar, Srivas (1995)   (10 citations)

....processor, Fischer's real time mutual exclusion protocol, and the Oral Messages protocol for Byzantine agreement. Examples of this scale can typically be completed within a day. More substantial examples include the correspondence between the programmer and RTL level of a simple hardware processor [11], the correctness of a real time railroad crossing controller [29] a variant of the Schroder Bernstein theorem, and the correctness of a distributed agreement protocol for a hybrid fault model consisting of Byzantine, symmetric, and crash faults [19] These harder examples can take from several ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


Theorem Proving: Not an Esoteric Diversion, but the Unifying.. - Cyrluk, Srivas (1995)   (3 citations)  Self-citation (Cyrluk)

....suited for thee types of activities. Finally, just as Hoare triples or Floyd inductive assertions provide a general framework for program verification, the verification of hardware can often be stated in a larger more general framework that can act as a guide for the larger verification effort [8]. 4 Industrial Verification Hardware verification in industry has several characteristics and needs that distinguish it from the type of verification done by researchers. In this section we enumerate these criteria and show how an interactive theorem prover can meet those needs. 1. Industrial ....

....is built in to the tool. In a higher order prover an appropriate framework can be specified for any given task. In this section we describe one approach for specifying the high level correctness of synchronous sequential circuits such as microprocessors. Other frameworks are discussed in [1, 8, 20]. [Figure 1: Pipelined Microprocessor Correctness (commuting property diagram)] Formal microprocessor verification involves specifying the processor as a machine that interprets the instructions in the instruction set at two levels macro and micro. The ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


Inverting the Abstraction Mapping: A Methodology for Hardware.. - Cyrluk (1996)   (15 citations)  Self-citation (Cyrluk)

....and has simplified their proofs. Finally, lessons learned from this methodology can help develop better heuristics employed by automatic methods. 1 Introduction The use of abstraction mappings [1] for the verification of microprocessors and other sequential hardware circuits is commonplace [3, 7, 11]. Both automated stand alone tools [3] and automated proof strategies for use in interactive theorem provers [6] have been developed based on the use of abstraction mappings. In [5] we developed a language GTL2 that is appropriate for specifying the correctness of sequential hardware circuits ....

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.


Systematic Formal Verification of Interpreters - Cyrluk, Rushby, Srivas (1997)   (3 citations)  Self-citation (Cyrluk)

....pipelined microprocessor. This example is due to Saxe, Garland, Guttag and Horning [18] who performed the original verification using the stuttering state and explicit time approach. The example, and its verification in PVS using both approaches, are described in detail in a technical report [6]. Figure 6 shows the non pipelined version of the microprocessor; this description is used as the specification machine; Figure 7 shows the pipelined implementation of the microprocessor. Corresponding registers in the two figures are labeled SXX for specification register XX and IXX for the ....

....whether IRA equals IWA1, IWA2, IWA3, or none of these) 7 4.2. Stuttering State Approach Rather than give all the details of the example verification using the stuttering state approach, we simply highlight where it differs from the visible state approach presented in the previous section (see [6, 18] for the details) To relate the two machine descriptions, we need to define when the specification machine stutters, and the abstraction mapping from the implementation machine to the specification machine. The specification machine stutters exactly when the implementation machine goes through ....

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, Computer Science Laboratory, SRI International, Menlo Park, CA, Dec. 1993.


Effective Theorem Proving for Hardware Verification - Cyrluk, Rajan, Shankar, Srivas (1994)   (29 citations)  Self-citation (Cyrluk)

....is to show that the traces induced by the implementation transition system are a subset of the traces induced by the specification transition system, where subset has to be carefully defined by use of an abstraction mapping. The details of this approach are beyond the scope of this paper (see [2, 11,24,27,29] 7 ) In this approach, the proof of correctness makes use of an abstraction function that maps an implementation state into a corresponding specification state. Correctness can then be reduced to showing that for any execution trace of the implementation machine there exists a corresponding ....

....corresponding specification state. Correctness can then be reduced to showing that for any execution trace of the implementation machine there exists a corresponding execution trace of the specification machine. The implementation machine may run at a different rate than the specification machine [11,27]. For example, in the case of the Saxe pipeline example [24] the specification machine takes one state transition to execute each instruction, but the implementation machine might take five cycles to execute branch instructions, but only one cycle for non branch instructions. In the following we ....

[Article contains additional citation context not shown here]

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, December 1993.


Ground Temporal Logic: A Logic for Hardware Verification - Cyrluk, Narendran (1994)   (8 citations)  Self-citation (Cyrluk)

....register file and for an arbitrary number of alu instructions. The cost we incur is that our fragment is much less temporally expressive than the decidable propositional temporal logics. Using theorem proving techniques we have in the past verified several microprocessors such as Saxe's pipeline [20, 10]. We are currently verifying a more realistic microprocessor a Verilog model of a much simplified MIPS R3000 processor. The correctness of these circuits is also expressible in our decidable fragment. In the future we can make use of this fragment by either implementing the fragment ....

....[Figure 2: A pipelined ALU] 6 Microprocessor Correctness In [20] microprocessor correctness is stated in a form similar to equation 1, where I and S are conditional equations with a universally quantified time variable. In [21, 10] the microprocessor correctness is stated in a form that does not mention time, but rather uses explicit next state relationships. We now summarize the approach to microprocessor correctness in [21, 10] and show that it can be encoded in a decidable fragment of GTL. Microprocessors can be ....

[Article contains additional citation context not shown here]

David Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, December 1993.


Formal Verification of Backward Compatibility of - Microcode Tamarah Arons

No context found.

D. Cyrluk. Microprocessor Verification in PVS: A Methodology and Simple Example. Technical Report SRI-CSL-93-12, Menlo Park, CA, 1993.


Architecture Description Language driven Validation of Dynamic - Behavior In Pipelined

No context found.

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example. Technical report, SRI-CSL-93-12, 1993.


Project Goal and Overview - Our Goal In

No context found.

D. Cyrluk. Microprocessor verification in PVS: A methodology and simple example, Technical Report SRI-CSL-93-12, SRI Computer Science Laboratory, Dec. 1993


CiteSeer.IST - Copyright Penn State and NEC