Results 1  10
of
51
Effective Use of Boolean Satisfiability Procedures in the Formal Verification of Superscalar and VLIW Microprocessors
 Journal of Symbolic Computation
, 2001
"... We compare SATcheckers and decision diagrams on the evaluation of Boolean formulas produced in the formal verification of both correct and buggy versions of superscalar and VLIW microprocessors. We identify one SATchecker that significantly outperforms the rest. We evaluate ways to enhance its per ..."
Abstract

Cited by 101 (17 self)
 Add to MetaCart
(Show Context)
We compare SATcheckers and decision diagrams on the evaluation of Boolean formulas produced in the formal verification of both correct and buggy versions of superscalar and VLIW microprocessors. We identify one SATchecker that significantly outperforms the rest. We evaluate ways to enhance its performance by variations in the generation of the Boolean correctness formulas. We reassess optimizations previously used to speed up the formal verification and probe future challenges.
Modeling and Verification of OutofOrder Microprocessors in UCLID
, 2002
"... In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda express ..."
Abstract

Cited by 54 (14 self)
 Add to MetaCart
(Show Context)
In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda expressions, and counter arithmetic. UCLID is a tool for specifying and verifying systems expressed in this logic. The paper makes two main contributions. First, we show that the logic is expressive enough to model components found in most modern microprocessors, independent of their actual sizes. Second, we demonstrate UCLID's verification capabilities, ranging from full automation for bounded property checking to a high degree of automation in proving restricted classes of invariants. These techniques, coupled with a counterexample generation facility, are useful in establishing correctness of processor designs. We demonstrate UCLID's methods using a case study of a synthetic model of an outoforder processor where all the invariants were proved automatically.
Microarchitecture Verification by Compositional Model Checking
, 2001
"... Abstract. Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor, including branch prediction, speculative execution, outoforder execution and a loadstore buffer supporting reordering and load forwarding. We observe ..."
Abstract

Cited by 34 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor, including branch prediction, speculative execution, outoforder execution and a loadstore buffer supporting reordering and load forwarding. We observe that the proof methodology scales well, in that the incremental proof cost of each feature is low. The proof is also quite concise with respect to proofs of similar microarchitecture models using other methods. 1
Automatic Verification of Safety and Liveness for XScaleLike Processor Models Using WEBRefinements
 In Design Automation and Test in Europe, DATE’04
, 2003
"... We show how to automatically verify that a complex XScalelike pipelined machine model is a WEBrefinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEBrefinement proof obligation ..."
Abstract

Cited by 25 (10 self)
 Add to MetaCart
(Show Context)
We show how to automatically verify that a complex XScalelike pipelined machine model is a WEBrefinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEBrefinement proof obligation to a formula in the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). We use UCLID to transform the resulting CLU formula into a CNF formula, which is then checked with a SAT solver. We define several XScalelike models with out of order completion, including models with precise exceptions, branch prediction, and interrupts. We use two types of refinement maps. In one, flushing is used to map pipelined machine states to instruction set architecture states; in the other, we use the commitment approach, which is the dual of flushing, since partially completed instructions are invalidated. We present experimental results for all the machines modeled, including verification times. For our application, we found that the SAT solver Siege provides superior performance over Chaff and that the amount of time spent proving liveness when using the commitment approach is less than 1% of the overall verification time, whereas when flushing is employed, the liveness proof accounts for about 10% of the verification time.
Formal Verification of VLIW Microprocessors with Speculative Execution
, 2000
"... . This is a study of the formal verification of a VLIW microprocessor that imitates the Intel Itanium [9][12][17] in features such as predicated execution, register remapping, advanced and speculative loads, and branch prediction. The formal verification is done with the Burch and Dill flushing t ..."
Abstract

Cited by 20 (12 self)
 Add to MetaCart
. This is a study of the formal verification of a VLIW microprocessor that imitates the Intel Itanium [9][12][17] in features such as predicated execution, register remapping, advanced and speculative loads, and branch prediction. The formal verification is done with the Burch and Dill flushing technique [5] by exploiting the properties of Positive Equality [3][4]. The contributions include an extensive use of conservative approximations in abstracting portions of the processor and a framework for decomposition of the Boolean evaluation of the correctness formula. The conservative approximations are applied automatically when abstracting a memory whose forwarding logic is not affected by stalling conditions that preserve the correctness of the memory semantics for the same memory. These techniques allow a reduction of more than a factor of 4 in the CPU time for the formal verification of the most complex processor model examined relative to the monolithic evaluation of the ...
Automated Pipeline Design
 38TH DESIGN AUTOMATION CONFERENCE (DAC ’01), JUNE, LAS VEGAS
, 2001
"... The interlock and forwarding logic is considered the tricky part of a fullyfeatured pipelined microprocessor and especially debugging these parts delays the hardware design process considerably. It is therefore desirable to automate the design of both interlock and forwarding logic. The hardware de ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
(Show Context)
The interlock and forwarding logic is considered the tricky part of a fullyfeatured pipelined microprocessor and especially debugging these parts delays the hardware design process considerably. It is therefore desirable to automate the design of both interlock and forwarding logic. The hardware design engineer begins with a sequential implementation without any interlock and forwarding logic. A tool then adds the forwarding and interlock logic required for pipelining. This paper describes the algorithm for such a tool and the correctness is formally verified. We use a standard DLX RISC processor as an example.
Collection of HighLevel Microprocessor Bugs from Formal Verification of Pipelined and Superscalar Designs
, 2003
"... The paper presents a collection of 93 different bugs, detected in formal verification of 65 student designs that include: 1) singleissue pipelined DLX processors; 2) extensions with exceptions and branch prediction; and 3) dualissue superscalar implementations. The processors were described in a hi ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
The paper presents a collection of 93 different bugs, detected in formal verification of 65 student designs that include: 1) singleissue pipelined DLX processors; 2) extensions with exceptions and branch prediction; and 3) dualissue superscalar implementations. The processors were described in a highlevel HDL, and were formally verified with an automatic tool flow. The bugs are analyzed and classified, and can be used in research on microprocessor testing.
EVC: A Validity Checker for the Logic of Equality with Uninterpreted Functions and Memories, Exploiting Positive Equality, and Conservative Transformations
 AND CONSERVATIVE TRANSFORMATIONS,” 3 COMPUTERAIDED VERIFICATION (CAV ’01
, 2001
"... The property of Positive Equality [2] dramatically speeds up validity checking of formulas in the logic of Equality with Uninterpreted Functions and Memories (EUFM) [4]. The logic expresses correctness of highlevel microprocessors. We present ..."
Abstract

Cited by 17 (12 self)
 Add to MetaCart
The property of Positive Equality [2] dramatically speeds up validity checking of formulas in the logic of Equality with Uninterpreted Functions and Memories (EUFM) [4]. The logic expresses correctness of highlevel microprocessors. We present
Automatic Abstraction of Memories in the Formal Verification of Superscalar Microprocessors
 Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems
, 2001
"... A system of conservative transformation rules is presented for abstracting memories whose forwarding logic interacts with stalling conditions for preserving the memory semantics in microprocessors with inorder execution. Microprocessor correctness is expressed in the logic of Equality with Uninterp ..."
Abstract

Cited by 17 (12 self)
 Add to MetaCart
A system of conservative transformation rules is presented for abstracting memories whose forwarding logic interacts with stalling conditions for preserving the memory semantics in microprocessors with inorder execution. Microprocessor correctness is expressed in the logic of Equality with Uninterpreted Functions and Memories (EUFM) [6]. Memory reads and writes are abstracted as arbitrary uninterpreted functions in such a way that the forwarding property of the memory semanticsthat a read returns the data most recently written to an equal write addressis satisfied completely only when exactly the same pair of one read and one write address is compared for equality in the stalling logic. These transformations are applied entirely automatically by a tool for formal verification of microprocessors, based on EUFM, the Burch and Dill flushing technique [6], and the properties of Positive Equality [3]. An order of magnitude reduction is achieved in the number of e ij Boolean variables [9] that encode the equality comparisons of register identifiers in the correctness formulas for singleissue pipelined and dualissue superscalar microprocessors with multicycle functional units, exceptions, and branch prediction. That results in up to 40 reduction in the CPU time for the formal verification of the dualissue superscalar microprocessors.
Exploiting Signal Unobservability for Efficient Translation to CNF in Formal Verification of Microprocessors
, 2004
"... The paper presents a method for translating Boolean circuits to CNF by identifying trees of ITE operators, where each ITE has fanout count of 1, and representing every such tree with a single set of equivalent CNF clauses without intermediate variables for ITE outputs, except for the tree output. Th ..."
Abstract

Cited by 15 (5 self)
 Add to MetaCart
The paper presents a method for translating Boolean circuits to CNF by identifying trees of ITE operators, where each ITE has fanout count of 1, and representing every such tree with a single set of equivalent CNF clauses without intermediate variables for ITE outputs, except for the tree output. This not only eliminates intermediate variables, but also reduces the number of clauses, compared to conventional translation to CNF, where each ITE is assigned an output variable and is represented with a separate set of clauses. Other gates with fanout count of 1 are similarly merged with their fanout gate to generate a single set of equivalent clauses. This translation to CNF was implemented in a decision procedure for the logic of Equality with Uninterpreted Functions and Memories (EUFM), and was applied to formulas from formal verification of microprocessors. To increase the number of ITEtrees in the Boolean formulas, the decision procedure was optimized to preserve the ITEtree structure of arguments to equality comparisons. In conventional translation to CNF with the unoptimized decision procedure, the benchmark formulas require up to hundreds of thousands of CNF variables and millions of clauses. The best translation strategy reduced the CNF variables by up to 8×; the clauses by up to 17×; the SATsolver decisions by up to 79×; the SATsolver conflicts by up to 96×; and accelerated the SAT solving by up to 420 ×.