Building a high-petformance microprocessor presents many reliability challenges. Designers must verify the correctness of large complex systems and construct implementations that work reliably in varied (and occasionally adverse) operating conditions. To&rther complicate this task, deep submicron fabrication technologies present new reliability challenges in the form of degraded signal quality and logic failures caused by natural radiation interference. In this paper; we introduce dynamic verification, a novel microarchitectural technique that can significantly reduce the burden of correctness in microprocessor designs. The approach works by augmenting the commit phase of the processor pipeline with a functional checker unit. Thefunctional checker verifies the correctness of the core processor’s computation, only permitting correct results to commit. Overall design cost can be dramatically reduced because designers need only veri ’ the correctness of the checker unit. We detail the DIVA checker architecture, a design optimized for simplicity and low cost. Using detailed timing simulation, we show that even resource-frugal DIVA checkers have little impact on core processor peflormance. To make the case for reduced verification costs, we argue that the DIVA checker should lend itself to functional and electrical verification better than a complex core processor Finally, future applications that leverage dynamic veri@cation to increase processor performance and availability are suggested. 1

We describe a framework for verifying a pipelined microprocessor whose implementation contains precise exceptions, external interrupts, and speculative execution. We present our correctness criterion which compares the state transitions of pipelined and non-pipelined machines in presence of external interrupts. To perform the verification, we created a table-based model of pipeline execution. This model records committed and in-flight instructions as performed by the microarchitecture.

The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are awed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briey, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable in nite paths, up to stuttering. This implies that the two machines satisfy the same CTL* X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...

Building a high-performance microprocessor presents many reliability challenges. Designers must verify the correctness of large complex systems and construct implementations that work reliably in varied (and occasionally adverse) operating conditions. To further complicate this task, deep submicron fabrication technologies present new reliability challenges in the form of degraded signal quality and logic failures caused by natural radiation interference.

. Design validation is becoming more and more a bottleneck in the microprocessor design process. The difficulty of validation stems from the complexity of the design, which requires searching an enormous space to check correctness. This is exacerbated by features for enhancing performance, such as pipelines, which are becoming common in most microprocessors. This paper describes a new abstraction technique to handle this problem. Our solution is a novel method to identify the control states automatically from the processor HDL description and to extract an abstract finite state machine model which preserves the behaviors of the design accurate to the clock cycle, so that the state space to be analyzed is drastically reduced. This model is used to evaluate microarchitecture-level coverage of validation tests. We also present validation test generation algorithms for traversing state transition paths and covering snapshot and temporal events. These abstract paths with a finite length, a...

Abstract Most verifications of out-of-order microprocessors compare state-machine-based implementations and specifications, where the specification is based on the instruction-set architecture. The different efforts use a variety of correctness statements, implementations, and verification approaches. We present a framework for classifying correctness statements about safety that is independent of implementation representation and verification approach. We characterize the relationships between the different statements and illustrate how existing and classical approaches fit within this framework. 1

Abstract. In the VAMP (verified architecture microprocessor) project we have designed, functionally verified, and synthesized a processor with full DLX instruction set, delayed branch, Tomasulo scheduler, maskable nested precise interrupts, pipelined fully IEEE compatible dual precision floating point unit with variable latency, and separate instruction and data caches. The verification has been carried out in the theorem proving system PVS. The processor has been implemented on a Xilinx FPGA. 1

ion in Formal Verification of Out-of-Order Execution Robert B. Jones 1;2 , Jens U. Skakkebaek 1 , and David L. Dill 1 1 Computer Systems Laboratory, Stanford University, Stanford, CA 94305, USA fjus,dillg@cs.stanford.edu 2 Strategic CAD Labs, Intel, JFT-104, 2111 NE 25th Ave., Hillsboro, OR 97124, USA rjones@ichips.intel.com Abstract. Several methods have recently been proposed for verifying processors with out-of-order execution. These methods use intermediate abstractions to decompose the verification process into smaller steps. Unfortunately, the process of manually creating intermediate abstractions is very laborious. We present an approach that dramatically reduces the need for an intermediate abstraction, so that only the scheduling logic of the implementation is abstracted. After the abstraction, we apply an enhanced incremental-flushing approach to verify the remaining circuitry by comparing the processor description against itself in a slightly simpler configuration...

We present an automated formal verification method that can detect common pipeline-control bugs of logic-design components containing thousands of registers. The method models logic designs using controlled token nets. A controlled token net consists of: a token net that models the data flow in the datapath using token semantics; a control logic that models the control machines using traditional finite state semantics. We provide algorithms to (1) extract a controlled token net from a logic design, (2) minimize the controlled token net, and (3) compute an abstract interpretation of the controlled token net for efficient model checking. We implemented and applied the method to 6 Intel logic-design components containing up to 4500 registers and successfully detected 8 pre-silicon errata. 1.1 Keywords Pipeline control verification, controlled token net, abstract interpretation, processor verification, model checking, formal verification, functional verification, computer-aided design 2.

Abstract. In the VAMP (verified architecture microprocessor) project we have designed, functionally verified, and synthesized a processor with full DLX instruction set, delayed branch, Tomasulo scheduler, maskable nested precise interrupts, pipelined fully IEEE compatible dual precision floating point unit with variable latency, and separate instruction and data caches. The verification has been carried out in the theorem proving system PVS. The processor has been implemented on a Xilinx FPGA. 1