Theorem proving techniques are particularly well suited for reasoning about arithmetic above the bit level and for relating different levels of abstraction. In this paper we show how a non-restoring integer square root algorithm can be transformed to a very efficient hardware implementation. The top level is a Standard ML function that operates on unbounded integers. The bottom level is a structural description of the hardware consisting of an adder/subtracter, simple combinational logic and some registers. Looking at the hardware, it is not at all obvious what function the circuit implements. At the top level, we prove that the algorithm correctly implements the square root function. We then show a series of optimizing transformations that refine the top level algorithm into the hardware implementation. Each transformation can be verified, and in places the transformations are motivated by knowledge about the operands that we can guarantee through verification. By decom...

. This paper presents in some detail the systematic derivation of a static bit-level parallel algorithm to implement multiplication of integers, that is to say one which might be implemented as an electronic circuit. The circuit is well known, but the derivation shows that its design can be seen as the consequence of decisions made (and explained) in terms of the abstract algorithm. The systematic derivation serves both as an explanation of the circuit, and as a demonstration that it is correct `by construction'. We believe that the technique is applicable to a wide range of similar algorithms. 1 Introduction We advocate a style of `design by calculation' for the very fine-grained parallel algorithms that are implemented as regular arrays of electronic circuits. The design of such circuits is particularly difficult because the implementation medium imposes severe constraints on what is possible and what is reasonably efficient. In consequence the details of the final implementation ha...

This paper presents the formal verification of all sub-circuits in a floating-point arithmetic unit (FPU) from an Intel microprocessor using a wordlevel model checker. This work represents the first large-scale application of word-level model checking techniques. The FPU can perform addition, subtraction, multiplication, square root, division, remainder, and rounding operations; verifying such a broad range of functionality required coupling the model checker with a number of other techniques, such as property decomposition, propertyspecific model extraction, and latch removal. We will illustrate our verification techniques using the Weitek WTL3170/3171 Sparc floating point coprocessor as an example. The principal contribution of this paper is a practical verification methodology explaining what techniques to apply (and where to apply them) when verifying floating-point arithmetic circuits. We have applied our methods to the floating-point unit of a state-of-the-art Intel microprocesso...

Based on a hierarchical verification methodology, we present an arithmetic circuit verifier ACV, in which circuits expressed in a hardware description language, also called ACV, are symbolically verified using Binary Decision Diagrams for Boolean functions and multiplicative Binary Moment Diagrams (*BMDs) for word-level functions. A circuit is described in ACV as a hierarchy of modules. Each module hasa structural definition as an interconnection of logic gates and other modules. Modules may also have functional descriptions, declaring the numeric encodings of the inputs and outputs, as well as specifying their functionality in terms of arithmetic expressions. Verification then proceeds recursively, proving that each module in the hierarchy having a functional description, including the top-level one, realizes its specification. The language and the verifier contain additional enhancements for overcoming some of the difficulties in applying *BMD-based verification to circuits computing...

It is impractical to verify multiplier or divider circuits entirely at the bit-level using ordered Binary Decision Diagrams (BDDs), because the BDD representations for these functions grow exponentially with the word size. It is possible, however, to analyze individual stages of these circuits using BDDs. Such analysis can be helpful when implementing complex arithmetic algorithms. As a demonstration, we show that Intel could haveused BDDs to detect erroneous lookup table entries in the Pentium(TM) floating point divider. Going beyond verification, we show that bit-level analysis can be used to generate a correct version of the table.

A parameterized definition of subtractive floating point division algorithms is presented and verified using PVS. The general algorithm is proven to satisfy a formal definition of an IEEE standard for floating point arithmetic. The utility of the general specification is illustrated using a number of different instances of the general algorithm.

. We describe a formal specification and verification in PVS for the general theory of SRT division, and for the hardware design of a specific implementation. The specification demonstrates how attributes of the PVS language (in particular, predicate subtypes) allow the general theory to be developed in a readable manner that is similar to textbook presentations, while the PVS table construct allows direct specification of the implementation's quotient look-up table. Verification of the derivations in the SRT theory and for the data path and look-up table of the implementation are highly automated and performed for arbitrary, but finite precision; in addition, the theory is verified for general radix, while the implementation is specialized to radix 4. The effectiveness of the automation derives from PVS's tight integration of rewriting with decision procedures for equality, linear arithmetic over integers and rationals, and propositional logic. This example demonstrates t...

We report on the formal verification of the floating point unit used in the VAMP processor. The FPU is fully IEEE compliant, and supports denormals and exceptions in hardware. The supported operations are addition, subtraction, multiplication, division, comparison, and conversions. The hardware is verified on the gate level against a formal description of the IEEE standard by means of the theorem prover PVS.

. This paper presents status results of a microprocessor verification project. The authors verify a complete 32-bit RISC microprocessor including the floating point unit and the control logic of the pipeline. The paper describes a formal definition of a "correct" microprocessor. This correctness criterion is proven for an implementation using formal methods. All proofs are verified mechanically by means of the theorem proving system PVS. 1 Introduction Microprocessor design is an error-prone process. With increasing complexity of current microprocessor designs, formal verification has become crucial. In order to achieve completely verified designs, adjusting the design process itself plays an important role: the more high-level information on the design is available, the faster the verification can be done. The authors re-designed a simple RISC processor, the DLX [1], with respect to verifiability. The design includes the complete pipe control and forwarding logic. The function...

A design structure is presented to assist in the design of IEEE compliant floating point hardware. The basis of the process is an abstraction of the bitwise operations found in hardware to reals and integers. This simplifies the definition of functionality prior to going to hardware. The final design structure will include a set of general algorithms defined for floating point operations (add, sub, multiply, division, square root) which are verified with respect to the IEEE standard. The designer then instantiates the general algorithms to complete the algorithmic specification. The algorithms are then mapped to hardware, maintaining the abstraction. The result is a verified functional description of the hardware which can then be realized by conventional techniques or by refining the description to bitwise operations. This paper is a work in progress which describes the design process to get a functional description of the hardware. Current work has focused on subtractive division and...