Verification of Pipelined Microprocessors Using Invariants
Related papers
Verification of Pipelined Microprocessors using Maude LTL Model Checker
This paper presents an approach for the verification of a pipelined microprocessor using Rewriting Logic. To express many machine-relevant properties, we have modeled the stream of instructions with the Maude system, which is based on Rewriting Logic. It is used to run and debug the pipelined machine specification. The Maude LTL model checker is also used to verify the pipelined machine properties and eventually to verify a complete pipelined machine design, whose correctness is defined using the idea of pipeline flushing.
Verifying pipelined microprocessors
Proceedings of ASP-DAC'95/CHDL'95/VLSI'95 with EDA Technofair
Recently there has been much research in verifying pipelined microprocessors. Even so, there has been little consensus on what form the correctness statement should take. Put another way, what should we be verifying about pipelined microprocessors? We believe that the correctness statement should show that the parallel machine represented by the pipeline behaves in the same manner as the sequential machine represented by the instruction set semantics. In this paper, we present such a model and examine four pipeline verifications to see how they compare.
Proceedings of the 36th ACM/IEEE conference on Design automation conference - DAC '99, 1999
We study the applicability of the logic of Positive Equality with Uninterpreted Functions (PEUF) [2][3] to the verification of pipelined microprocessors with very large Instruction Set Architectures (ISAs). Abstraction of memory arrays and functional units is employed, while the control logic of the processors is kept intact from the original gate-level designs. PEUF is an extension of the logic of Equality with Uninterpreted Functions, introduced by Burch and Dill [4], that allows us to use distinct constants for the data operands and instruction addresses needed in the symbolic expression for the correctness criterion. We present several techniques that make PEUF scale very efficiently for the verification of pipelined microprocessors with large ISAs. These techniques are based on allowing a limited form of non-consistency in the uninterpreted functions representing initial memory state and ALU behaviors. Our tool required less than 30 seconds of CPU time and 5 MB of memory to verify a 5-stage MIPS-like pipelined processor that implements 191 instructions of various classes. The verification was done by correspondence checking, a formal method where a pipelined microprocessor is compared against a non-pipelined specification.
Formal verification of microprocessors
Proceedings of the Fourth Annual Conference on Computer Assurance, 'Systems Integrity, Software Safety and Process Security, 1989
We present a general method for formally verifying the correctness of microprocessor designs. The abstract-level specification of the processor defines the effect of every instruction in terms of a suitably chosen programmer's model of the processor. The concrete-level specification gives a description of the design of the processor at a synchronous level by defining the behavior over a single microcycle. We develop a general criterion of correctness to relate the two levels of behavior of the processor. We illustrate the application of our method to a simple processor, Simple, and a larger realistic processor, MiniCayuga, which uses instruction pipelining. Both designs have been completely verified using Clio, an applicative-language-based verification system.
Integrating formal verification and high-level processor pipeline synthesis
2011 IEEE 9th Symposium on Application Specific Processors (SASP), 2011
When a processor implementation is synthesized from a specification using an automatic framework, this implementation still should be verified against its specification to ensure the automatic framework introduced no error. This paper presents our effort in integrating fully automated formal verification with a high-level processor pipeline synthesis framework. As an integral part of the pipeline synthesis, our framework also emits SMV models for checking the functional equivalence between the output pipelined processor implementation and its input non-pipelined specification. Well known compositional model checking techniques are automatically applied to curtail state explosion during model checking. The paper reports case studies of applying this integrated framework to synthesize and formally verify pipelined RISC and CISC processors.
Efficient formal verification of pipelined processors with instruction queues
Proceedings of the 14th ACM Great Lakes symposium on VLSI, 2004
Presented is a method for formal verification of pipelined processors with long instruction queues. The execution engine and the fetch engine (where the instruction queue is) are formally verified separately, after abstracting the other engine with a nondeterministic FSM derived from the high-level specification of that engine. Without the presented method, the monolithic formal verification of 9-stage, 9-wide VLIW processors, implementing many realistic and speculative features inspired by the Intel Itanium, scaled for models with 5 instruction-queue entries, but ran out of memory if the instruction queue was longer. The presented method resulted in 2 orders of magnitude speedup for the processor with 5 instruction-queue entries, and enabled scaling for designs with 64 instruction-queue entries.
Automatic Formal Proof of Liveness for Pipelined Microprocessors
The paper presents an indirect method to automatically prove liveness for pipelined microprocessors. This is done by first proving safety—correctness for one step, starting from an arbitrary initial state that is possibly restricted by invariant constraints. By induction, the implementation will be correct for any number of steps; we need to prove that for some fixed number of steps, n, the implementation will fetch at least one instruction that will be completed. This was proved efficiently by using the property of Positive Equality. Modeling restrictions made the method applicable to designs with exceptions and branch prediction. The indirect method and the modeling restrictions resulted in 4 orders of magnitude speedup, enabling the automatic liveness proof for dual-issue superscalar and VLIW designs.
Formal Verification of a DSP Chip Using an Iterative Approach
2002
In this paper we describe a methodology for the formal verification of a DSP chip using the HOL theorem prover. We used an iterative method to specify both the behavioral and structural descriptions of the processor. Our methodology consists of first simplifying the representations of the DSP units. We then prove for each unit that its hardware description implies its behavioral specification. Using the simplified (abstracted) description of the units, we have been able to greatly reduce the cost of deducing the behavior of the processor instruction set from the hardware implementation of the processor units. The proposed methodology creates a new representation of the processor at each iteration such that its complexity can be handled by the theorem prover. This allowed us to complete a proof of the full instruction set of this processor.
A correctness model for pipelined microprocessors
Lecture Notes in Computer Science, 1995
What does it mean for an instruction pipeline to be correct? We recently completed the specification and verification of a pipelined microprocessor called UINTA. Our proof makes no simplifying assumptions about data and control hazards. This paper presents the specification, describes the verification, and discusses the effect of pipelining on the correctness model. The most significant effect on the pipeline is that data and temporal abstractions in the correctness model are not orthogonal as they are in non-pipelined implementations.