Results 1 
6 of
6
Modeling and Verification of OutofOrder Microprocessors in UCLID
, 2002
"... In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda express ..."
Abstract

Cited by 47 (15 self)
 Add to MetaCart
In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda expressions, and counter arithmetic. UCLID is a tool for specifying and verifying systems expressed in this logic. The paper makes two main contributions. First, we show that the logic is expressive enough to model components found in most modern microprocessors, independent of their actual sizes. Second, we demonstrate UCLID's verification capabilities, ranging from full automation for bounded property checking to a high degree of automation in proving restricted classes of invariants. These techniques, coupled with a counterexample generation facility, are useful in establishing correctness of processor designs. We demonstrate UCLID's methods using a case study of a synthetic model of an outoforder processor where all the invariants were proved automatically.
A Grand Challenge Proposal for Formal Methods: A Verified Stack
"... We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of ..."
Abstract

Cited by 30 (1 self)
 Add to MetaCart
We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of their choice. The point is not to have just one integrated formal method or just one verified application, but to encourage groups to develop the techniques and methodologies necessary for systemlevel verification.
Correctness of Pipelined Machines
 Formal Methods in ComputerAided Designâ€“FMCAD 2000, volume 1954 of LNCS
"... The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness ..."
Abstract

Cited by 27 (14 self)
 Add to MetaCart
(Show Context)
The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are awed. We propose a notion of correctness based on WEBs (Wellfounded Equivalence Bisimulations) [16, 19]. Briey, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (MicroArchitecture) machines have the same observable in nite paths, up to stuttering. This implies that the two machines satisfy the same CTL* X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...
Deductive verification of advanced outoforder microprocessors
 IN COMPUTERAIDED VERIFICATION (CAV â€™03), LNCS 2725
, 2003
"... ..."
Verification Of A Simple Pipelined Machine Model
"... The difficulty of pipelined machine verification derives from the fact that there is a complex timeabstraction between the pipelined implementation and its specification that executes instructions sequentially. To study this problem, we de ne a simple threestage pipelined machine in ACL2. We prove ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
The difficulty of pipelined machine verification derives from the fact that there is a complex timeabstraction between the pipelined implementation and its specification that executes instructions sequentially. To study this problem, we de ne a simple threestage pipelined machine in ACL2. We prove that this pipelined machine returns the same result as its specification machine. In order to ease the proof, we define an intermediate abstraction called MAETT. This abstraction models the behavior of instructions in the pipelined architecture, and it allows us to define directly and verify invariant conditions about executed instructions. The author used a similar approach to verify a more realistic pipelined machine. This section serves as an introduction to the verification of pipelined machines.
Verification of Pipelined Machines in ACL2
, 2000
"... We describe the ACL2 techniques used in a new approach to the verification of pipelined machines. Our notion of correctness is based on WEBs (Wellfounded Equivalence Bisimulations) [16, 18] and implies that the pipelined machine and the machine defined by the instruction set architecture have the s ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
We describe the ACL2 techniques used in a new approach to the verification of pipelined machines. Our notion of correctness is based on WEBs (Wellfounded Equivalence Bisimulations) [16, 18] and implies that the pipelined machine and the machine defined by the instruction set architecture have the same computations up to finite stuttering. We verify various variants of Sawada's simple machine [22, 21], including machines with exceptions, interrupts, nondeterminism, and ALUs described in part at the netlist level. Our proofs contain no intermediate abstractions and are almost automatic, e.g., the verification of the base machine does not require any user supplied theorems. To motivate the need for a new notion of correctness we show that the variant of the Burch and Dill notion of correctness [4] used by Sawada can be satisfied by incorrect machines.