Abstract. We describe a methodology for the formal verification of complex out-of-order pipelines as they may be used as execution units in out-of-order processors. The pipelines may process multiple instructions simultaneously, may have branches and cycles in the pipeline structure, may have variable latency, and may reorder instructions internally. The methodology combines model-checking for the verification of the pipeline control, and theorem proving for the verification of the pipeline functionality. In order to combine both techniques, we formally verify that the FairCTL operators defined in µ-calculus match their intended semantics expressed in a form where computation traces are explicit, since this form is better suited for theorem proving. This allows the formally safe translation of model-checked properties of the pipeline control into a theorem-proving friendly form, which is used for the verification of the overall correctness, including the functionality. As an example we prove the correctness of the pipeline of a multiplication/division floating point unit with all the features mentioned above. 1

Abstract. The IBM Power4 TM processor uses series approximation to calculate square root. We formally verified the correctness of this algorithm using the ACL2(r) theorem prover. The proof requires the analysis of the approximation error on a Chebyshev series. This is done by proving Taylor’s theorem, and then analyzing the Chebyshev series using Taylor series. Taylor’s theorem is proved by way of non-standard analysis, as implemented in ACL2(r). Since Taylor series of a given order have less accuracy than Chebyshev series in general, we used hundreds of Taylor series generated by ACL2(r) to evaluate the error of a Chebyshev series. 1

We describe an approach for formally verifying the linkage between a symbolic state enumeration system and a theorem proving system. This involves the following three stages of proof. Firstly we prove theorems about the correctness of the translation part of the symbolic state system. It interfaces between low level decision diagrams and high level description languages. We ensure that the semantics of a program is preserved in those of its translated form. Secondly we prove linkage theorems: theorems that justify introducing a result from a state enumeration system into a proof system. Finally we combine the translator correctness and linkage theorems. The resulting new linkage theorems convert results to a high level language from the low level decision diagrams that the result was actually proved about in the state enumeration system.They justify importing low-level external verification results into a theorem prover. We use a linkage between the HOL system and a simplified version of the MDG system to illustrate the ideas and consider a small example that integrates two applications from MDG and HOL to illustrate the linkage theorems.

To my parents, Henry and Karen Reeber, and my fiancée, Carrie Pankrast, for all their love, guidance, and support. Acknowledgments Most of all, I would like to thank my thesis advisor, Warren Hunt. Warren always has the amazing ability to give me what I need, before I even ask for it. Furthermore, Warren has been a source of constant encouragement and guidance, without which I never would have started this dissertation, let alone completed it. I would also like to thank the rest of my dissertation committee, Allen Emerson, Steve Keckler, J Moore, and Anna Slobodova, for all the time and energy they spent re-viewing my research and for their great feedback both on the dissertation itself and the earlier dissertation proposal. Anna in particular provided me with copious notes that have significantly improved the quality of this dissertation. Thanks also to Sandip Ray, Simha Sethumadhavan, and Jun Sawada for providing excellent feedback on portions of this dis-sertation. A number of professors at the University of Texas have influenced my work. My

Abstract. Formal verification of digital systems is achieved, today, using one of two main approaches: states exploration (mainly model checking and equivalence checking) or deductive reasoning (theorem proving). Indeed, the combination of the two approaches, states exploration and deductive reasoning promises to overcome the limitation and to enhance the capabilities of each. A comparison between both categories is discussed in details. In this paper, we are interested in presenting as an example a platform for Multiway Decision Graphs (MDGs) in LCF-style theorem prover. Based on this platform, many conversions such as the reachability analysis and reduction techniques can be implemented that uses the MDG theory within the HOL theorem prover. The paper also questions the best formalization principle of decision graphs to build such a platform in theorem proving since a set of basic operations are used to efficiently manipulate the decision graphs which constitute the kernel of the model checking algorithms, by describing two alternatives to formalize these decision graphs. Then we contrast between them according to their efficiency, complexity and feasibility. Finally, we hope this paper to serve as an adequate introduction to the concepts involved in formalization and a survey of relevant work. 1