| J. Sawada and W. A. Hunt Jr., "Trace Table Based Approach for Pipelined Microprocessor Verification," Computer Aided Verification, CAV-97, pp. 364-375, June 1997. |
....architecture specified in an Architecture Description Language (ADL). Several approaches for formal or semi-formal verification of pipelined processors have been developed in the past. Theorem proving techniques, for example, have been successfully adapted to verify pipelined processors [5] [13] [15]. Burch and Dill presented a technique for formally verifying pipelined processor control circuitry [4]. The technique has been extended to handle more complex pipelined architectures by several researchers [11] [14]. Ho et al. [6] extract controlled token nets from a logic design to ....
J. Sawada et al. Trace table based approach for pipelined microprocessor verification. CAV, 1997.
....a case study in Section 6. Section 7 concludes the paper. 2 Related Work Several approaches for formal or semi-formal verification of pipelined processors have been developed in the past. Theorem proving techniques, for example, have been successfully adapted to verify pipelined processors [3] [16] [18]. However, these approaches require a great deal of user intervention, especially for verifying control intensive designs. Burch and Dill presented a technique for formally verifying pipelined processor control circuitry [2]. Their technique verifies the correctness of the implementation ....
J. Sawada and J. W.A. Hunt. Trace table based approach for pipelined microprocessor verification. In CAV, 1997.
.... 6 Conclusions Some of the early work on pipelined machine verification was based on skewed abstraction functions [25, 5, 26]. The Burch and Dill notion of correctness, based on flushing and commuting diagrams, was introduced later [4]. Theorem proving approaches include the work by Sawada and Hunt [23, 24, 21, 22]. They use an intermediate abstraction called MAETT to verify some very complicated machines. There are other theorem proving approaches as well [9, 8, 27]. Model checking approaches include the use of symmetry reductions and compositional model checking [17] and the use of assume-guarantee ....
J. Sawada and W. A. Hunt, Jr. Trace table based approach for pipelined microprocessor verification. In Computer Aided Verification (CAV '97), volume 1254 of LNCS, pages 364-375. Springer-Verlag, 1997.
....implementation and its specification. It verifies the correctness of a theorem using axioms and rules of inference in the formal system. Such approaches have been successful in verifying several simple circuits, notably the FM8501 microprocessor in Boyer-Moore logic [55], on superscalar processors [76, 77], and AMD floating point division [20]. Though these techniques can be very powerful in handling complex designs, they require a high degree of expertise in the particular formal logic and experience with a theorem prover. As such, the approach is not practical enough to be widely embraced in the ....
J. Sawada and W. A. Hunt. Trace Table Based Approach for Pipelined Microprocessor Verification. In Proc. of the Computer Aided Verification Conf., June 1997.
....358. Email: jus@cs.stanford.edu. Phone: (650) 725 9046. Fax: (650) 725 6949. 1 Introduction Formal verification has been applied successfully to high level models of processors against their Instruction Set Architectures (ISAs) [29, 28, 33, 12] and selected parts thereof, such as pipelines [9, 23] and memory protocols [20, 19, 10, 17]. This is a cost effective approach to applying formal methods, since it may reveal errors in the specifications, early in the design process. Unfortunately, these approaches do not fit well with today's mainstream circuit design practices. First, high level ....
J. Sawada and W. A. Hunt. Trace table based approach for pipelined microprocessor verification. In Orna Grumberg, editor, Computer-Aided Verification, CAV '97, volume 1254 of Lecture Notes in Computer Science, pages 364--375, Haifa, Israel, June 1997. Springer-Verlag.
....methods cannot handle the entire design of today's processors with advanced microarchitectural features. To reduce complexity, these methods focus on part of the design by targeting one mechanism at a time. Although there has been progress in verification of pipelined processor control [3, 4], a formal description of the design has to be manually generated, for example, into a description using uninterpreted functions and predicates. This manual modeling process is laborious and slow, especially when the RTL design is modified frequently. Moreover, the formal representation is not ....
J. Sawada and W. A. Hunt. Trace Table Based Approach for Pipelined Microprocessor Verification. In Proc. of the Computer Aided Verification Conf., June 1997.
....there are various conditions, often separated into safety and liveness conditions, that need to be checked, or that as new features are added, new notions of correctness are used. We explored the situation in detail for the BD (Burch and Dill [4]) variant of correctness used by Hunt and Sawada in [24, 25, 22, 23] because of the availability of proof scripts and because of the ubiquity of the BD approach to pipelined machine verification. We found that trivial machines satisfy this notion of correctness; a mechanical proof establishing this is described near the beginning of Section 3.2. We must point out ....
....functions is outlined in [26, 5, 27]. There are approaches based on model checking, e.g. in [17], compositional model checking and symmetry reductions are used and in [6] assume-guarantee reasoning at different time scales is discussed. There are theorem-proving-based approaches, e.g. in [24, 25, 22, 23], an intermediate abstraction called MAETT is used to verify some very complicated machines. Another theorem proving approach is presented in [8, 9, 7] where completion functions are used to decompose the abstraction function. In [28] a related notion of correctness based on state and temporal ....
J. Sawada and W. A. Hunt, Jr. Trace table based approach for pipelined microprocessor verification. In Computer Aided Verification (CAV '97), volume 1254 of LNCS, pages 364-375. Springer-Verlag, 1997.
.... and Hunt have verified the correctness of an out of order execution processor model with a reorder buffer, a store buffer, speculative execution and exceptions [45,47]. They construct an explicit intermediate abstraction in the form of a table called MAETT (Micro Architectural Execution Trace Table [46]) that represents the trace of all executed instructions up to the present time. They formulate several invariant properties over this intermediate abstraction and prove the final correctness from these invariant properties. Our approach avoids the construction of an explicit intermediate ....
Sawada, J., and Hunt, Jr., W. A. Trace table based approach for pipelined microprocessor verification. In Computer-Aided Verification, CAV '97 (Haifa, Israel, June 1997), O. Grumberg, Ed., vol. 1254 of Lecture Notes in Computer Science, Springer-Verlag, pp. 364-375.
....the proof of the commutative diagram one stage at a time in a fashion that is closer to the user's intuition about the design. Park and Dill have used aggregation functions [12], which are conceptually similar to completion functions, for distributed cache coherence protocol verification. In [13], Sawada and Hunt used an incremental verification technique to verify a processor with out of order execution which we have reverified using our approach. We describe the differences in section 4.5. 2 Correctness Criteria for Processor Verification The completion functions approach aims to ....
....verification technique to verify a processor with out of order execution which we have reverified using our approach. We describe the differences in section 4.5. 2 Correctness Criteria for Processor Verification The completion functions approach aims to realize the correctness criterion (used in [13, 3]) expressed in Figure 1(a) in a manner that proofs based on it are modular and layered as pointed out earlier. Figure 1(a) requires that every sequence of n implementation transitions which start and end with flushed states (i.e. no partially executed instructions) corresponds to a sequence of m ....
J. Sawada and W. A. Hunt, Jr. Trace table based approach for pipelined microprocessor verification. In Orna Grumberg, editor, Computer-Aided Verification, CAV '97, volume 1254 of Lecture Notes in Computer Science, pages 364--375, Haifa, Israel, June 1997. Springer-Verlag.
....Finally, we prove correctness on the simplest configuration. The approach is illustrated with a simple example of an out of order execution core. 1 Introduction Several techniques for formally verifying out of order microprocessor designs using theorem proving have recently been suggested [4, 10-12]. These techniques all use some form of intermediate abstraction to bridge the gap in abstraction level between the implementation and the specification, as defined by an instruction-set architecture (ISA). Creating such intermediate abstractions manually and then showing the correspondence between ....
....scheduling of execution resources. We have discharged the proof obligations for the simple example using the Stanford Validity Checker (SVC). 2 Related Work Sawada and Hunt's theorem proving approach uses a table of history variables, called a micro architectural execution trace table (MAETT) [10, 11]. The MAETT is an intermediate abstraction that contains selected parts of the implementation as well as extra history variables and variables holding abstracted values. It includes the ISA state and the ISA transition function. A predicate relating the implementation and MAETT is found by manual ....
J. Sawada and W. A. Hunt. Trace table based approach for pipelined microprocessor verification. In Orna Grumberg, editor, Computer-Aided Verification, CAV '97, volume 1254 of Lecture Notes in Computer Science, pages 364--375, Haifa, Israel, June 1997. Springer-Verlag.
....stalling situations and all of these are instruction independent. On the other hand, Cobra Lite has much more complex stalling situations that are dependent on the instructions (or at least the instruction formats). Researchers have used the ACL2 theorem prover to verify pipelined processors [56][57]. ACL2 stands for A Computational Logic for Applicative Common Lisp. ACL2 is both a mathematical logic and a set of tools which can be used to construct proofs in the logic [36] [39]. The logic is a quantifier-free first-order logic of total recursive functions. Brock and others used the ....
....was performed on only hazard free code. It should, however, be acknowledged that depending on the verification strategy, compiler assumptions can be more difficult to handle than pipeline interlocks. Sawada and Hunt used the ACL2 theorem prover to verify an out of order pipelined processor [57]. They designed their own processor. The processor includes out of order execution and speculative instruction fetch. In order to avoid pipeline hazards, the issuing logic suspends the issue of any instruction which may cause a hazard. Once an instruction is issued, it is guaranteed that no hazard ....
J. Sawada and W. A. Hunt Jr., "Trace Table Based Approach for Pipelined Microprocessor Verification," To appear in Computer-Aided Verification, CAV-97, June 1997.
....By verifying at the bit level, we avoid the need to construct an abstracted model of the circuit. We can verify the actual hardware design, given a logic gate level or register transfer level description. An extensive body of research has been spawned by Burch and Dill's method. Sawada and Hunt [16] have combined it with theorem proving, assuming the availability of a set of invariants that completely specifies the properties of the pipelined processor in correct operation. Burch [7] has extended it to superscalar processor verification by proposing a new flushing mechanism (notice that the ....
J. Sawada, and W.A. Hunt, Jr., "Trace Table Based Approach for Pipelined Microprocessor Verification," CAV '97, O. Grumberg, ed., LNCS 1254, Springer-Verlag, June 1997, pp. 364-375.
....it using the Stanford Validity Checker (SVC) [1]. In particular, we have verified its correctness for any (reasonable) scheduling algorithm. 2 Related Work Sawada and Hunt's theorem proving approach uses a table of history variables, called a micro architectural execution trace table (MAETT) [14, 13]. The MAETT is an intermediate abstraction that contains selected parts of the implementation as well as extra history variables and variables holding abstracted values. It includes the ISA state and the ISA transition function. A predicate relating the implementation and MAETT is found by manual ....
J. Sawada and W. A. Hunt. Trace table based approach for pipelined microprocessor verification. In Orna Grumberg, editor, CAV '97, volume 1254 of LNCS, pages 364--375, Haifa, Israel, June 1997. Springer-Verlag.
....process. Hence, the memory state in our case reflects the relative history of memory operations, rather than the sequence of writes. This difference will become clear as we present our algorithms. An extensive body of research has been spawned by Burch and Dill's method. Sawada and Hunt [11] have combined it with theorem proving, assuming the availability of a set of invariants that completely specifies the properties of the pipelined processor in correct operation. Burch [5] has extended it to superscalar processor verification by proposing a new flushing mechanism and by ....
J. Sawada, and W. A. Hunt, Jr., "Trace Table Based Approach for Pipelined Microprocessor Verification," CAV '97, O. Grumberg, ed., LNCS 1254, Springer-Verlag, June 1997, pp. 364-375.
....(INST-stg i_{2,0}) = latch2. The stage of completed instructions is defined as retire, so (INST-stg i_{3,0}) = retire. Using this instruction representation, we define the intermediate abstraction state. We call this intermediate abstraction a Microarchitecture Execution Trace Table (MAETT) [Sawada and Hunt, 1997]. It is defined using the ACL2 structure: (defstructure MAETT (init-ISA (:assert (ISA-state-p init-ISA) :rewrite)) (trace (:assert (INST-listp trace) :rewrite)) (:options (:conc-name MT-))) The trace field stores the list of completed and in-flight instructions. Let MT_t be the MAETT for ....
Sawada, J. and Hunt, Jr., W. A. (1997). Trace table based approach for pipelined microprocessor verification. In Computer Aided Verification (CAV '97), volume 1254 of LNCS, pages 364-375. Springer Verlag.
....instructions out of order. This machine has been specified at the instruction set architecture level and micro architecture level. We discuss the machine specification in Sect. 2. Previously, we used a correctness criterion for verifying a pipelined microprocessor which did not contain exceptions [10]. In Sect. 3, we have extended this correctness criterion to permit the verification of a design containing speculative execution and external interrupts. We have modeled the behavior of our processor using an intermediate model, called a MAETT, which records all executed instructions. This ....
....involves pipeline flushing [2]. Although this criterion with flushing has been extended to cover superscalar processors [3, 14], it does not address speculative execution and external exceptions. We previously used the correctness criterion shown as diagram (a) in Fig. 2 to verify a pipelined design [10]. This diagram compares two paths. The lower path runs the MA design for an arbitrary number of clock cycles from a flushed pipeline state MA_0 to another flushed state MA_n, which causes m ISA instructions to be executed. By stripping off states not visible to the programmer, we can project MA_n ....
J. Sawada, W. Hunt, Jr. Trace Table Based Approach for Pipelined Microprocessor Verification, Computer Aided Verification, Lecture Notes in Computer Science 1254, Springer Verlag, pages 364-375, 1997.
....the next section, we explain this by examining the definition and verification of invariant MT-inst-invariants. 4 Decomposition of Invariant Verification Most of the invariant conditions discussed in the previous section are defined as predicates that take an MA state and its corresponding MAETT [10]. The MAETT is an abstract representation of an MA state. A MAETT records various information about the current MA state and, most importantly, the history of completed and in-flight instructions. The data structure of a MAETT is abstractly depicted in Fig. 2. The list pointed to from MAETT field ....
....for our pipelined machine design. Our correctness criterion implies that the MA model executes each instruction correctly with respect to the ISA model. However, there are some properties that have not been verified. For instance, liveness properties are not yet verified as we have done previously [10]. We verified that external interrupts are processed correctly, but we have not verified how long it takes for an interrupt signal to be processed. The verification cost is always a serious practical concern. Since our verification was carried out solely by the ACL2 theorem prover, we had to ....
J. Sawada and W. Hunt, Jr. Trace Table Based Approach for Pipelined Microprocessor Verification. Computer Aided Verification, CAV'97, LNCS 1254, pages 364-375, Springer Verlag, 1997.
No context found.
J. Sawada and W. A. Hunt Jr., "Trace Table Based Approach for Pipelined Microprocessor Verification," Computer Aided Verification, CAV-97, pp. 364-375, June 1997.
No context found.
J. Sawada and W. A. Hunt, Jr. Trace table based approach for pipelined microprocessor verification. In Orna Grumberg, editor, Computer-Aided Verification, CAV '97, volume 1254 of Lecture Notes in Computer Science, pages 364--375, Haifa, Israel, June 1997. Springer-Verlag.
No context found.
J. Sawada and W.A. Hunt, Jr. Trace table based approach for pipelined microprocessor verification. In CAV, 1997.
No context found.
J. Sawada and W. Hunt, Jr., "Trace Table Based Approach for Pipelined Microprocessor Verification," Proc. Computer-Aided Verification, CAV '97, Lecture Notes in Computer Science 1254, Springer Verlag, 1997, pp. 364-375.