Results 1 -
3 of
3
Partial Functions in ACL2
- Journal of Automated Reasoning
"... We describe a macro for introducing \partial functions" into ACL2, i.e., functions not dened everywhere. The function \denitions" are actually admitted via the encapsulation principle. We discuss the basic issues surrounding partial functions in ACL2 and illustrate theorems that can be proved ab ..."
Abstract
-
Cited by 31 (8 self)
- Add to MetaCart
We describe a macro for introducing \partial functions" into ACL2, i.e., functions not dened everywhere. The function \denitions" are actually admitted via the encapsulation principle. We discuss the basic issues surrounding partial functions in ACL2 and illustrate theorems that can be proved about such functions.
Correctness of Pipelined Machines
- Formal Methods in Computer-Aided Design–FMCAD 2000, volume 1954 of LNCS
"... The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness ..."
Abstract
-
Cited by 26 (13 self)
- Add to MetaCart
The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are awed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briey, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable in nite paths, up to stuttering. This implies that the two machines satisfy the same CTL* X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...
Verification of Pipelined Machines in ACL2
, 2000
"... We describe the ACL2 techniques used in a new approach to the verification of pipelined machines. Our notion of correctness is based on WEBs (Well-founded Equivalence Bisimulations) [16, 18] and implies that the pipelined machine and the machine defined by the instruction set architecture have the s ..."
Abstract
-
Cited by 1 (1 self)
- Add to MetaCart
We describe the ACL2 techniques used in a new approach to the verification of pipelined machines. Our notion of correctness is based on WEBs (Well-founded Equivalence Bisimulations) [16, 18] and implies that the pipelined machine and the machine defined by the instruction set architecture have the same computations up to finite stuttering. We verify various variants of Sawada's simple machine [22, 21], including machines with exceptions, interrupts, non-determinism, and ALUs described in part at the netlist level. Our proofs contain no intermediate abstractions and are almost automatic, e.g., the verification of the base machine does not require any user supplied theorems. To motivate the need for a new notion of correctness we show that the variant of the Burch and Dill notion of correctness [4] used by Sawada can be satisfied by incorrect machines.
