. As an alternative to commercial hardware description languages, AMD 1 has developed an RTL language for microprocessor designs that is simple enough to admit a clear semantic definition, providing a basis for formal verification. We describe a mechanical proof system for designs represented in this language, consisting of a translator to the ACL2 logical programming language and a methodology for verifying properties of the resulting programs using the ACL2 prover. As an illustration, we present a proof of IEEE compliance of the floating-point adder of the AMD Athlon processor. 1 Introduction The formal hardware verification effort at AMD has emphasized theorem proving using ACL2 [3], and has focused on the elementary floating-point operations. One of the challenges of our earlier work was to construct accurate formal models of the targeted circuit designs. These included the division and square root operations of the AMD-K5 processor [4, 6], which were implemented in microcode, a...

The use of pipelines is an important technique in contemporary hardware design, particularly at the level of register-transfer logic (RTL). Earlier formal analysis (e.g., [4]) using the ACL2 theorem prover showed correctness of pipelined floating-point RTL. This paper extends that work by considering a notion of a conditional pipeline, essentially the result of sharing hardware among several distinct pipelines. We have employed a pipeline tool, written in ACL2 but completely unverified, to find a pipelinerelated bug in an industrial hardware design, which has since been corrected.

Formal Verification History We have emphasized automated theorem proving. 1995--96: Division and square root algorithms for AMD-K5 microcode[3, 5] 1997--present: Proofs of floating-point algorithms and actual RTL that use ACL2 on the AMD Athlon processor and its derivatives [6, 7, 8] \Gamma We have a translator from our proprietary RTL to ACL2 [7] that enables RTL proofs. 2001: Completed some protocol-level proofs 5 A natural target for theorem provers [10, 4] Concise formal specifications relating outputs to inputs The RTL is relatively tractable. \Gamma While the size of an FPU may be substantial, the logic tends to decompose by operation. \Gamma The interfaces with other modules are smaller and simpler. Complexity of floating-point designs causes problems for other verification approaches. \Gamma Testing alone may be inadequate. \Gamma Decision procedures used in formal verification traditionally have capacity limitations, for example for multiplication and shiftin

We present a tool that simplifies les of ACL2 definitions using the ACL2 rewriter. This tool can be applied to definitions that have been generated automatically, so that the initial generation can be kept relatively straightforward and trusted while putting the onus of simplification on the tool and the rules it uses. The tool can also transfer lemmas from the original functions to the corresponding new functions. The ACL2 Theorem Prover can check equivalence of original and new functions, and of transferred lemmas, using lemmas and hints generated by the tool.