The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are awed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briey, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable in nite paths, up to stuttering. This implies that the two machines satisfy the same CTL* X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...

We describe the ACL2 techniques used in a new approach to the verification of pipelined machines. Our notion of correctness is based on WEBs (Well-founded Equivalence Bisimulations) [16, 18] and implies that the pipelined machine and the machine defined by the instruction set architecture have the same computations up to finite stuttering. We verify various variants of Sawada's simple machine [22, 21], including machines with exceptions, interrupts, non-determinism, and ALUs described in part at the netlist level. Our proofs contain no intermediate abstractions and are almost automatic, e.g., the verification of the base machine does not require any user supplied theorems. To motivate the need for a new notion of correctness we show that the variant of the Burch and Dill notion of correctness [4] used by Sawada can be satisfied by incorrect machines.