The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are awed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briey, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable in nite paths, up to stuttering. This implies that the two machines satisfy the same CTL* X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...

Abstract. We show that adding a total order to ACL2, via new axioms, allows for simpler and more elegant definitions of functions and libraries of theorems. We motivate the need for a total order with a simple example and explain how a total order can be used to simplify existing libraries of theorems (i.e., ACL2 books) on finite set theory and records. These ideas have been incorporated into ACL2 Version 2.6, which includes axioms positing a total order on the ACL2 universe. 1 Introduction ACL2 [7, 6, 8] is a logic of total functions. One particularly pleasant consequence is that many properties of functions can be stated as unconditional rewrite rules. For example, we can prove (equal ( * y ( * x z)) ( * x ( * y z))) without having to establish that x, y, and z are numbers. Such unconditional rewrite rules lead to simpler libraries of theorems, which in turn improve the ability of ACL2 to reduce large terms automatically and efficiently. Unfortunately, it is problematic to exploit fully the totality of functions in ACL2 Version 2.5. One is often forced to use rewrite rules with hypotheses because of the lack of a definable total order on the ACL2 universe.

ACL2 computed hints dynamically calculate advice to the ACL2 theorem prover during a mechanical proof. We wrote an ACL2 book that adds a number of useful functions and macros to ease the use of computed hints. The combination of these macros can specify a complex condition under which a certain hint is invoked. We will also review the usage of computed hints in the FM9801 project.

We describe the ACL2 techniques used in a new approach to the verification of pipelined machines. Our notion of correctness is based on WEBs (Well-founded Equivalence Bisimulations) [16, 18] and implies that the pipelined machine and the machine defined by the instruction set architecture have the same computations up to finite stuttering. We verify various variants of Sawada's simple machine [22, 21], including machines with exceptions, interrupts, non-determinism, and ALUs described in part at the netlist level. Our proofs contain no intermediate abstractions and are almost automatic, e.g., the verification of the base machine does not require any user supplied theorems. To motivate the need for a new notion of correctness we show that the variant of the Burch and Dill notion of correctness [4] used by Sawada can be satisfied by incorrect machines.