Formal verification of microprocessors

Formal modeling and verification of microprocessors

IEEE Transactions on Computers, 1995

Formal verification has long been promised as a means of reducing the amount of testing required to ensure correct VLSI devices. Verification requires at least two mathematical models: one that describes the structure of a computer system and another that models its intended behavior. These models are called specifications. Verification is a mathematical analysis showing that the behavior follows from the structure. Formal verification of microprocessor designs has been quite successful. Indeed, several verified microprocessors have been presented in the literature, and one microprocessor where formal modeling has been applied is commercially available. These efforts were virtuoso performances, largely academic exercises carried out by experts in logic and specification. This paper presents a methodology for microprocessor verification that significantly reduces the learning curve for performing verification. The methodology is formalized in the HOL theorem-proving system. The paper includes a description of a large case study performed to evaluate the methodology. The novel aspects of this research include the use of abstract theories to formalize hardware models. Because our model is described using abstract theories, it provides a framework for both the specification and the verification. This framework reduces the number of ad hoc modeling decisions that must be made to complete the verification. Another unique aspect of our research is the use of hierarchical abstractions to reduce the number of difficult lemmas in completing the verification. Our formalism frees the user from directly reasoning about the difficult aspects of modeling the hierarchy, namely the temporal and data abstractions. We believe that our formalism, coupled with case studies and tools, allows microprocessor verification to be done by engineers with relatively little experience in microprocessor specification or logic. We are currently testing that hypothesis by using the methodology to teach graduate students formal microprocessor modeling.

I. INTRODUCTION

Computers are being used with increasing frequency in areas in which the correct implementation of the computer hardware is critical. Testing has traditionally been used to exclude faults in computers; however, the effectiveness of testing is limited by the combinatorial explosion inherent in any testing technique. The limitations of testing, coupled with the ever-increasing size of VLSI devices, have led to a search for alternatives to testing, such as mathematical modeling and analysis.

A methodology for processor implementation verification

Lecture Notes in Computer Science, 1996

We address the problem of verification of implementations of complex processors using architectural level automatic test program generators. A number of automatic test program generators exist, and are widely used for verification of the compliance of complex processors with their architectures. We define a four stage verification process: (1) describing the processor implementation control as a Finite State Machine; (2) deriving transition coverage on the FSM using methods from formal verification; (3) translation of the covering tours to constraints on test programs; (4) generation of test programs for each set of constraints. This process combines a high quality and well defined theoretical method along with tools used in industrial practice. There are a number of advantages of our method: (a) the last three stages are automated; (b) implementing the FSM model involves relatively little expert designers' time; (c) the method is feasible for modern superscalar processors and was studied on an enhanced PowerPC processor. We describe a formal framework for the new process, identify the obstacles that are encountered in the modeling phase, and show how to overcome them.

Exploiting positive equality and partial non-consistency in the formal verification of pipelined microprocessors

Proceedings of the 36th ACM/IEEE conference on Design automation conference - DAC '99, 1999

We study the applicability of the logic of Positive Equality with Uninterpreted Functions (PEUF) [2][3] to the verification of pipelined microprocessors with very large Instruction Set Architectures (ISAs). Abstraction of memory arrays and functional units is employed, while the control logic of the processors is kept intact from the original gate-level designs. PEUF is an extension of the logic of Equality with Uninterpreted Functions, introduced by Burch and Dill [4], that allows us to use distinct constants for the data operands and instruction addresses needed in the symbolic expression for the correctness criterion. We present several techniques that make PEUF scale very efficiently for the verification of pipelined microprocessors with large ISAs. These techniques are based on allowing a limited form of non-consistency in the uninterpreted functions, representing initial memory state and ALU behaviors. Our tool required less than 30 seconds of CPU time and 5 MB of memory to verify a 5-stage MIPS-like pipelined processor that implements 191 instructions of various classes. The verification was done by correspondence checking, a formal method where a pipelined microprocessor is compared against a non-pipelined specification.

Comparative study of strategies for formal verification of high-level processors

IEEE International Conference on Computer Design: VLSI in Computers and Processors, 2004. ICCD 2004. Proceedings.

Compared are different methods for evaluation of formulas expressing microprocessor correctness in the logic of Equality with Uninterpreted Functions and Memories (EUFM) by translation to propositional logic, given recently developed efficient Boolean-to-CNF translations, in order to identify the best overall translation strategy from EUFM to CNF. The translation from EUFM to propositional logic is done by exploiting the property of Positive Equality, allowing us to treat most of the abstract word-level values as distinct constants while performing complete formal verification. For EUFM formulas from correct microprocessors, the best translation was by using the e_ij encoding of g-equations (dual-polarity equations), the nested-ITE scheme for elimination of uninterpreted predicates, preserving the ITE-tree structure of equation arguments, and Boolean-to-CNF translation by encoding the unobservability of logic blocks by merging them with adjacent gates on the only path to the primary output. For EUFM formulas from buggy microprocessors, the best translation was by using the e_ij encoding of g-equations, the Ackermann scheme for elimination of uninterpreted predicates, preserving the ITE-tree structure of equation arguments, and Boolean-to-CNF translation by applying optimizations to reduce the number of clauses: merging of ITE-trees with one level of their AND/OR leaves, and exploiting the polarity of gates and logic blocks to reduce the number of their clauses.

Formal Verification of VLIW Microprocessors with Speculative Execution

Lecture Notes in Computer Science, 2000

This is a study of the formal verification of a VLIW microprocessor that imitates the Intel Itanium [9][12][17] in features such as predicated execution, register remapping, advanced and speculative loads, and branch prediction. The formal verification is done with the Burch and Dill flushing technique [5] by exploiting the properties of Positive Equality [3][4]. The contributions include an extensive use of conservative approximations in abstracting portions of the processor and a framework for decomposition of the Boolean evaluation of the correctness formula. The conservative approximations are applied automatically when abstracting a memory whose forwarding logic is not affected by stalling conditions that preserve the correctness of the memory semantics for the same memory. These techniques allow a reduction of more than a factor of 4 in the CPU time for the formal verification of the most complex processor model examined relative to the monolithic evaluation of the correctness formula for a version of the same processor where conservative approximations are not applied.

Introduction to formal processor verification at logic level

Proceedings of the 2004 workshop on Computer architecture education held in conjunction with the 31st International Symposium on Computer Architecture - WCAE '04, 2004

This paper presents the case study proposed to third-year students in our department of computer science. It is a practical activity in the first "Computer Architecture" Unit of the curriculum. This practical activity has several aims: 1) understanding a subtle mechanism in processor architecture, 2) experimenting with the relations between logic level and RTL level descriptions and 3) practicing formal methods of verification. The main original point is the use of extraction (and minimization) of the full description of an automaton from the logic schema based on flip-flops and gates. In a certain way, this is the reverse of classic "automaton synthesis". Pipelining introduces a problem for conditional control transfer instructions.

Towards Formal Verification on the System Level

Due to increasing design complexity and intensive reuse of components, verifying the correctness of circuits and systems becomes a more and more important factor. In the meantime, in many projects up to 80% of the overall design costs are caused by verification and by this, checking the correct behavior becomes the dominating factor. Formal verification has been proposed as a promising alternative to simulation and has become a standard in many flows. In this paper, existing approaches are reviewed and recent trends for system level verification are outlined. To demonstrate the techniques SystemC is used as a system level description language. Beside the successful applications a list of challenging problems is provided. This gives a better understanding of current problems in hardware verification and shows directions for future research.

A property checking approach to microprocessor verification using symbolic simulation

2002

proposed to formally verify the implementation of a microprocessor by comparing the pipelined implementation with its Instruction-Set Architecture (ISA) specification model, or by deriving the ISA model from the implementation. We present a top-down validation approach using symbolic simulation. We define a set of properties and verify the correctness of the processor by verifying if the properties are met. We applied our methodology to verify several properties on a Memory Management Unit (MMU) of a microprocessor that is compliant with the PowerPC instruction-set architecture to demonstrate the usefulness of our approach.