Jerry R. Burch and David L. Dill, \Automatic veri cation of pipelined microprocessor control, Proc. International Conference on Computer Aided Veri cation, 1994.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....e s is a state of size ( 1 ; 2 ) that satis es formula (2) ut The Class htype 1 7 booli This is the class of systems which have boolean and other nite domain parameterized arrays. The algorithms belonging to this class are mux sem (mutual exclusion by semaphores) a 3 stages pipeline [BD94] McM98a] Steve German s cache [Ger00,PRZ01] and the Illinois Cache Algorithm [PP84,Del00] all studied in [PRZ01] In addition, it includes Szymanski s mutual exclusion algorithm [Szy88] and token ring algorithms. This class extends the class of systems considered in [PRZ01] which only ....

J. R. Burch and D. L. Dill. Automatic verication of pipelined microprocessor control. In CAV'94, LNCS 818, pp. 68-80, 1994.

....level. Our proofs contain no intermediate abstractions and are almost automatic, e.g. the veri cation of the base machine does not require any user supplied theorems. To motivate the need for a new notion of correctness we show that the variant of the Burch and Dill notion of correctness [4] used by Sawada can be satis ed by incorrect machines. 1 Introduction The speci cation used to prove a pipelined machine correct is an instruction set architecture (ISA) The ISA describes the interface between the hardware and software and contains the programmer visible components of the ....

....hardware and software and contains the programmer visible components of the machine. A pipelined machine is correct if it satis es a certain relationship with the ISA. There is no wide agreement on the right notion of correctness, but perhaps the most common approach is that of Burch and Dill [4]. One of the diculties with specifying correctness is that we want to account for non terminating behavior. If we were to restrict ourselves to terminating programs, we could say that a pipelined machine is correct if for any terminating program, both the pipelined machine and the ISA machine halt ....

[Article contains additional citation context not shown here]

J. R. Burch and D. L. Dill. Automatic verication of pipelined microprocessor control. In Computer-Aided Verication (CAV '94), volume 818 of LNCS, pages 68-80. Springer-Verlag, 1994.

....methods. In this regard, we have developed an experimental translator from Mur [77] to PVS, and have connected a BDD based decision procedure for the modal calculus to PVS, giving us similar capabilities to SMV [78] We are also exploring more ecient approaches to hardware veri cation [79], 80] and improved support for requirements speci cations in the tabular style advocated by Parnas and others [81] 82] Acknowledgments: The work reported here owes a very great deal to our collaborators at NASA Langley Research Center: Rick Butler, Jim Caldwell, Michael Holloway, Paul Miner, ....

J. R. Burch and D. L. Dill, \Automatic verication of pipelined microprocessor control", in Computer-Aided Verication, CAV '94, David Dill, Ed., Stanford, CA, June 1994, vol. 818 of Lecture Notes in Computer Science, pp. 68-80, Springer-Verlag.

....such as those for equality, propositional logic, arithmetic, arrays, and bit vectors occur naturally in many system speci cations, both for hardware and software. In addition, the use of uninterpreted function symbols has proven to be essential for signi cantly scaling up veri cation methods [Cyr93, BD94]. Decision procedures for the combination of theories are usually based on Nelson and Oppen s [NO79, TH96] or on Shostak s [Sho84] algorithm. There are e ective point solutions for each of the theories above. Binary decision diagrams, for example, are often used for deciding propositional ....

J. R. Burch and D. L. Dill. Automatic verication of pipelined microprocessor control. In David Dill, editor, Proceedings of CAV'94, volume 818 of Lecture Notes in Computer Science, pages 68-80, Stanford, CA, June 1994. Springer-Verlag.

....of Computer Sciences, University of Texas at Austin pete cs.utexas.edu http: www.cs.utexas.edu users pete Abstract. The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g. interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness We discuss the issue at length and show, by mechanical proof, that variants of the Burch ....

....reachable from a ushed state) to ISA states, or that there are various conditions, often separated into safety and liveness conditions, that need to be checked, or that as new features are added, new notions of correctness are used. We explored the situation in detail for the BD (Burch and Dill [4]) variant of correctness used by Hunt and Sawada in [24, 25, 22, 23] because of the availability of proof scripts and because of the ubiquity of the BD approach to pipelined machine veri cation. We found that trivial machines satisfy this notion of correctness; a mechanical proof establishing this ....

[Article contains additional citation context not shown here]

J. R. Burch and D. L. Dill. Automatic verication of pipelined microprocessor control. In Computer-Aided Verication (CAV '94), volume 818 of LNCS, pages 68-80. Springer-Verlag, 1994.

....leads to a very simple new implementation of the delayed branch mechanism. We then prove the correctness of a pipelined machine with delayed PC. INTRODUCTION Machine veri ed correctness proofs for (almost) entire processors have been produced for sequential machines [1] for pipelined machines [2, 3, 4, 5, 6] and for machines with out of order execution [7, 6, 8, 9] In all non sequential designs cited above either a branch not taken strategy is applied or the following actions are performed in a single cycle: i) the evaluation of the condition of branch instructions ii) the next PC computation iii) ....

.... 0 1 Add(32) 0 1 0 1 Add(32) PC 0 DPC reset 4 bjtaken jumpR 0 1 imm Figure 2 PC environment of the DLX design 584 NextPC 4 RS1 Add(32) 0 1 0 1 reset 0 1 Add(32) IF reset PC 4 bjtaken 0 dpc IM ID jumpR 0 1 imm Figure 3 PC environment of the DLX design T reset ue[0] ue[1] ue[2] ue[3] ue[4] 0 1 1 0 0 0 0 1 0 1 1 0 0 0 2 0 1 1 1 0 0 3 0 1 1 1 1 0 4 0 1 1 1 1 1 0 1 1 1 1 1 Table 1 The activation of the update enable signals ue[4 : 0] after reset. For all i, signal ue[i] enables the update of registers and RAMs in out(i) Theorem 3. Let I (k; T 0 ) i and let R be an ....

[Article contains additional citation context not shown here]

Jerry R. Burch and David L. Dill, \Automatic verication of pipelined microprocessor control, Proc. International Conference on Computer Aided Verication, 1994.

....this level of success is usually reserved for in order issue pipelines or simple out of order pipelines with small window sizes. Complete formal veri cation of complex modern microprocessors with out of order issue, speculation, and large instruction windows is currently an intractable problem [8, 9]. Electrical Veri cation Functional veri cation only veri es the correctness of a processor s function at the logic level, it cannot verify the correctness of the logic implementation in silicon. This task is performed during electrical veri cation. Electrical veri cation occurs at design time ....

....the core design. In addition to these attributes, we are currently investigating formal veri cation of the DIVA checker. The DIVA checker resembles a simple in order processor with little microarchitectural state and few inter instruction dependencies properties that simplify formal veri cation [8, 9]. We believe the DIVA checker will also lend itself to formal veri cation, making it possible to formally verify large complex microarchitectures by only verifying the correctness of the DIVA checker. 3. Experimental Evaluation In this section, we examine the impact of dynamic veri cation on ....

J. Burch and D. Dill, \Automatic verication of pipelined microprocessors control," Computer Aided Verication, pp. 68-80, 1994. 24 DIVA: A Dynamic Approach to Microprocessor Verification

....Thus for the case of comparison sort there are essentially no interesting choices for h relating the integer and boolean cases. 5 The Stanford Validity Checker The Stanford Validity Checker (SVC) is an implementation of a decision procedure for a quanti er free, rst order logic with equality [2, 7, 11]. It has been used extensively for microprocessor validation and veri cation [7, 11, 12, 22] and recently for requirements validation [18] The logic allows models to include uninterpreted functions, which can be used to represent datapath operations in a pipelined architecture. SVC returns a ....

....h relating the integer and boolean cases. 5 The Stanford Validity Checker The Stanford Validity Checker (SVC) is an implementation of a decision procedure for a quanti er free, rst order logic with equality [2, 7, 11] It has been used extensively for microprocessor validation and veri cation [7, 11, 12, 22] and recently for requirements validation [18] The logic allows models to include uninterpreted functions, which can be used to represent datapath operations in a pipelined architecture. SVC returns a counterexample if the formula is not valid. formula : ite (formula, formula, formula) j ....

[Article contains additional citation context not shown here]

J. R. Burch and D. L. Dill. Automatic verication of pipelined microprocessor control. In CAV, volume 818 of LNCS, pages 68-79. Springer-Verlag, 1994.

....of such models. Very early e orts to formally verify non pipelined microprocessors were carried out by Cohn [15] and later by Hunt [32] One of the earliest works on verifying pipelined processors was by Srivas and Bickford in the Mini Cayuga veri cation e ort [50] In 1994, Burch and Dill [13] introduced an automatic approach to verify pipelined processors and were successful in verifying many simple processor models. Several other researchers have extended their work to verify more involved models and some other new approaches have been proposed (described in a later section) but the ....

....veri cation was carried out by Srivas and Bickford [50] in the MiniCayuga veri cation e ort. Some of the other early veri cation e orts are described in [17,48,53,57] One of the widely followed approaches in pipelined processor veri cation is the ushing approach, introduced by Burch and Dill [13]. They observed that the e ect of ushing the pipeline can be used to compute a suitable abstraction function used in the correctness criterion. This can be achieved, automatically in many cases, by simulating the implementation machine without feeding a new instruction for a large enough number ....

[Article contains additional citation context not shown here]

Burch, J. R., and Dill, D. L. Automatic verication of pipelined microprocessor control. In Computer-Aided Verication, CAV '94 (Stanford, CA, June 1994), D. Dill, Ed., vol. 818 of Lecture Notes in Computer Science, Springer-Verlag, pp. 68-80.

....verication of processors was rst tackled using theorem proving techniques [22, 27, 17] Impressive proofs were performed [28, 32, 31] but in our opinion these proofs required to much user guidance from specialized experts. Some interesting results have been obtained using more automatic techniques [18, 13] but they do not verify operative parts of processors. Therefore they cannot perform functional verications of complex arithmetic circuits. Completely automatic methods [20, 12, 5] are lacking for abstraction mechanisms and so generally focus on proving low level descriptions. The problem of ....

....DP 32 processor has been specied from its original VHDL description [4] and then veried with SVP in 8 minutes [3] A real processor called MTI, designed by CNET in France, has been veried from the microprogram level to the assembly level. Several errors have been found in its implementation. 1 [13] proposes a slightly dioeerent diagram to verify pipelined processors 2.2 Verication of Loop Instructions The problem we specically address in this paper is the verication of microprograms that contain loops. That is, in the above diagram, trans 1 i 1 ffi : ffi trans n i 1 is not linear ....

J. Burch and D. Dill. Automatic verication of pipelined microprocessor control. In Computer-Aided Verication, volume 818 of LNCS, 1994.

....leads to a very simple new implementation of the delayed branch mechanism. We then prove the correctness of a pipelined machine with delayed PC. 1 Introduction Machine veri ed correctness proofs for (almost) entire processors have been produced for sequential machines [1] for pipelined machines [2, 3, 4, 5, 6] and for machines with out of order execution [7, 6, 8, 9] In all non sequential designs cited above either a branch not taken strategy is applied or the following actions are performed in a single cycle: i) the evaluation of the condition of branch instructions ii) the next PC computation iii) ....

....introduced in order to construct a sequential machine for a delayed branch semantics. ii) Following reset the stages are updated as indicated in table 1. The schedule for this machine is described by the following function I : I (k; T ) i T = k i: T reset ue[0] ue[1] ue[2] ue[3] ue[4] 0 1 1 0 0 0 0 1 0 1 1 0 0 0 2 0 1 1 1 0 0 3 0 1 1 1 1 0 4 0 1 1 1 1 1 0 1 1 1 1 1 Table 1: The activation of the update enable signals ue[4 : 0] after reset. For all i, signal ue i enables the update of registers and RAM cells in out(i) stage s I (s; T ) I (s; T 1) k 1 i k i i 1 ....

Jerry R. Burch and David L. Dill. Automatic veri- cation of pipelined microprocessor control. In Proc. International Conference on Computer Aided Veri- cation, 1994.

No context found.

J. Burch and D. Dill. Automatic veri cation of pipelined microprocessor control. In CAV 94: Computer Aided Veri cation, LNCS 818, pages 68-80, 1994.

No context found.

Jerry R. Burch and David L. Dill, \Automatic veri cation of pipelined microprocessor control, Proc. International Conference on Computer Aided Veri cation, 1994.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC