Formal Verification in Hardware Design: A Survey
ACM TRANSACTIONS ON DESIGN AUTOMATION OF ELECTRONIC SYSTEMS, 1999
Combining Theorem Proving and Trajectory Evaluation in an Industrial Environment
in Proc. DAC, 1998
Cited by 31 (6 self)
Abstract
We describe the verification of the IM: a large, complex (12,000 gates and 1100 latches) circuit that detects and marks the boundaries between Intel architecture (IA32) instructions. We verified a gate-level model of the IM against an implementation-independent specification of IA32 instruction lengths. We used theorem proving to derive 56 model-checking runs and to verify that the model-checking runs imply that the IM meets the specification for all possible sequences of IA32 instructions. Our verification discovered eight previously unknown bugs.
1 Introduction
The Intel architecture (IA32) instruction set has several hundred opcodes. The opcode length is variable, as are the lengths of operand and address displacement data. The architecture also includes the notion of prefix bytes, which change the semantics of the subsequent instruction. Two of the prefixes (h66, h67) can affect the length of the instruction. A single instruction may have multiple prefix bytes, but overall ...
Symbolic Trajectory Evaluation
Formal Hardware Verification, 1996
Cited by 26 (6 self)
Abstract
The main problem with model checking is the state explosion problem: the state space grows exponentially with system size. Two methods have some popularity in attacking this problem: compositional methods and abstraction. While they cannot solve the problem in general, they do offer significant improvements in performance. The direct method of verifying that a circuit has a property f is to show that the model M satisfies f. The idea behind abstraction is that instead of verifying property f of model M, we verify property f_A of model M_A, and the answer we get helps us answer the original problem. The system M_A is an abstraction of the system M. One possibility is to build an abstraction M_A that is equivalent (e.g. bisimilar [48]) to M. This sometimes leads to performance advantages if the state space of M_A is smaller than that of M. This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically, the behaviour of an abstraction is not equivalent...
Formal Hardware Verification By Symbolic Trajectory Evaluation, 1997
Cited by 19 (1 self)
Abstract
Formal verification uses a set of languages, tools, and techniques to mathematically reason about the correctness of a hardware system. The form of mathematical reasoning is dependent upon the hardware system. This thesis concentrates on hardware systems that have a simple deterministic high-level specification but have implementations that exhibit highly nondeterministic behaviors. Typical examples of such hardware systems are processors. At the high level, the sequencing model inherent in processors is the sequential execution model. The underlying implementation, however, uses features such as nondeterministic interface protocols, instruction pipelines, and multiple instruction issue, which lead to nondeterministic behaviors. The goal is to develop a methodology with which a designer can show that a circuit fulfills the abstract specification of the desired system behavior. The abstract specification describes the high-level behavior of the system independent of any timing or implem...
Collection of High-Level Microprocessor Bugs from Formal Verification of Pipelined and Superscalar Designs, 2003
Cited by 17 (4 self)
Abstract
The paper presents a collection of 93 different bugs, detected in formal verification of 65 student designs that include: 1) single-issue pipelined DLX processors; 2) extensions with exceptions and branch prediction; and 3) dual-issue superscalar implementations. The processors were described in a high-level HDL, and were formally verified with an automatic tool flow. The bugs are analyzed and classified, and can be used in research on microprocessor testing.
Automatic formal verification of fused-multiply-add FPUs
in DATE, 2005
Cited by 13 (5 self)
Abstract
In this paper we describe a fully automated methodology for formal verification of fused-multiply-add floating point units (FPUs). Our methodology verifies an implementation FPU against a simple reference model derived from the processor's architectural specification, which may include all aspects of the IEEE specification including denormal operands and exceptions. Our strategy uses a combination of BDD- and SAT-based symbolic simulation. To make this verification task tractable, we use a combination of case-splitting, multiplier isolation, and automatic model reduction techniques. The case-splitting is defined only in terms of the reference model, which makes this approach easily portable to new designs. The methodology is directly applicable to multi-GHz industrial implementation models (e.g., HDL or gate-level circuit representations) that contain all details of the high-performance transistor-level model, such as aggressive pipelining, clocking, etc. Experimental results are provided to demonstrate the computational efficiency of this approach.
Verification of IEEE Compliant Subtractive Division Algorithms
FORMAL METHODS IN COMPUTER-AIDED DESIGN (FMCAD '96), 1996
Cited by 11 (1 self)
Abstract
A parameterized definition of subtractive floating point division algorithms is presented and verified using PVS. The general algorithm is proven to satisfy a formal definition of an IEEE standard for floating point arithmetic. The utility of the general specification is illustrated using a number of different instances of the general algorithm.
Formal Verification of the VAMP Floating Point Unit
In CHARME 2001, volume 2144 of LNCS, 2001
Cited by 11 (6 self)
Abstract
We report on the formal verification of the floating point unit used in the VAMP processor. The FPU is fully IEEE compliant, and supports denormals and exceptions in hardware. The supported operations are addition, subtraction, multiplication, division, comparison, and conversions. The hardware is verified on the gate level against a formal description of the IEEE standard by means of the theorem prover PVS.
Proving the Correctness of a Complete Microprocessor
In GI Jahrestagung 2000, 2000
Cited by 8 (4 self)
Abstract
This paper presents status results of a microprocessor verification project. The authors verify a complete 32-bit RISC microprocessor including the floating point unit and the control logic of the pipeline. The paper describes a formal definition of a "correct" microprocessor. This correctness criterion is proven for an implementation using formal methods. All proofs are verified mechanically by means of the theorem proving system PVS.
1 Introduction
Microprocessor design is an error-prone process. With increasing complexity of current microprocessor designs, formal verification has become crucial. In order to achieve completely verified designs, adjusting the design process itself plays an important role: the more high-level information on the design is available, the faster the verification can be done. The authors redesigned a simple RISC processor, the DLX [1], with respect to verifiability. The design includes the complete pipe control and forwarding logic. The function...
Verification of Floating-Point Adders
LECTURE NOTES IN COMPUTER SCIENCE, 1998
Cited by 8 (0 self)
Abstract
The floating-point (FP) division bug in Intel's Pentium processor and the overflow flag erratum of the FIST instruction in Intel's Pentium Pro and Pentium II processors have demonstrated the importance and the difficulty of verifying FP arithmetic circuits. In this paper, we present the verification of FP adders with reusable specifications, using extended word-level SMV, which is improved by using the Multiplicative Power HDDs (*PHDDs), and by incorporating conditional symbolic simulation as well as a short-circuiting technique. Based on the case analysis, the specifications of FP adders are divided into several hundreds of implementation-independent sub-specifications. We applied our system and these specifications to verify the IEEE double precision FP adder in the Aurora III Chip at the University of Michigan. Our system found several design errors in this FP adder and generated one counterexample for each error within several minutes. A variant of the corrected FP adder is created to illustrate the capability of our system to handle different FP adder designs. For each of the FP adders, the verification task finished in 2 CPU hours on a Sun UltraSPARC-II server.