This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author’s copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Successful formal methods applications have four characteristics: intrinsically important applications, concise correctness theorems, validated models, and proof automation. We describe a recentlycompleted verification of a microprocessor's intrinsic partitioning mechanism in those terms. What Makes for a Good Application of Formal Methods? Formal methods is the application of mathematical reasoning to establish properties about digital systems. Formal methods can be applied in many different ways with many different notations and tools. They can deal with system models that describe the lowest level of implementation or the most abstract requirements, with properties to be proved that may be comprehensive descriptions of “correctness ” or minor aspects that indicate good system development. Despite the wide range of formal methods applications, we observe that successful formal methods projects share four characteristics. 1. The target being analyzed is intrinsically important. Formal methods can provide a high level of certainty about a target, but the extra assurance must be worth the effort that formal verification usually entails. Three applications of formal methods that we consider successful are Microsoft’s SLAM project [Ball2004], AMD’s floating-point verification [Russinoff2000], and Rockwell Collins ’ requirements validation [Miller2004]. The SLAM project aims to reduce crashes of Microsoft’s Windows OS by proving important device driver behaviors. AMD’s floating-point work seeks to eliminate errors in the floating-point units on AMD's x86 microprocessors. Rockwell Collins is applying model-checking to help validate requirements for safety-critical systems. Each of these applications of formal methods is solving a problem that is important enough to justify an extra effort. 2. The target’s desired behavior has a concise and understandable formalization. An important indicator of successful formal methods application is the degree to which the description of the needed property is compelling. A proved theorem only increases assurance about a target of evaluation if we trust in the formalization of the desired

Abstract. In the VAMP (verified architecture microprocessor) project we have designed, functionally verified, and synthesized a processor with full DLX instruction set, delayed branch, Tomasulo scheduler, maskable nested precise interrupts, pipelined fully IEEE compatible dual precision floating point unit with variable latency, and separate instruction and data caches. The verification has been carried out in the theorem proving system PVS. The processor has been implemented on a Xilinx FPGA. 1

In this paper we describe a fully-automated methodology for formal verification of fused-multiply-add floating point units (FPUs). Our methodology verifies an implementation FPU against a simple reference model derived from the processor’s architectural specification, which may include all aspects of the IEEE specification including denormal operands and exceptions. Our strategy uses a combination of BDD- and SAT-based symbolic simulation. To make this verification task tractable, we use a combination of casesplitting, multiplier isolation, and automatic model reduction techniques. The case-splitting is defined only in terms of the reference model, which makes this approach easily portable to new designs. The methodology is directly applicable to multi-GHz industrial implementation models (e.g., HDL or gate-level circuit representations) that contain all details of the high-performance transistorlevel model, such as aggressive pipelining, clocking, etc. Experimental results are provided to demonstrate the computational efficiency of this approach. 1

We report on the formal verification of the floating point unit used in the VAMP processor. The FPU is fully IEEE compliant, and supports denormals and exceptions in hardware. The supported operations are addition, subtraction, multiplication, division, comparison, and conversions. The hardware is verified on the gate level against a formal description of the IEEE standard by means of the theorem prover PVS.

Abstract. In the VAMP (verified architecture microprocessor) project we have designed, functionally verified, and synthesized a processor with full DLX instruction set, delayed branch, Tomasulo scheduler, maskable nested precise interrupts, pipelined fully IEEE compatible dual precision floating point unit with variable latency, and separate instruction and data caches. The verification has been carried out in the theorem proving system PVS. The processor has been implemented on a Xilinx FPGA. 1

Formal Verification History We have emphasized automated theorem proving. 1995--96: Division and square root algorithms for AMD-K5 microcode[3, 5] 1997--present: Proofs of floating-point algorithms and actual RTL that use ACL2 on the AMD Athlon processor and its derivatives [6, 7, 8] \Gamma We have a translator from our proprietary RTL to ACL2 [7] that enables RTL proofs. 2001: Completed some protocol-level proofs 5 A natural target for theorem provers [10, 4] Concise formal specifications relating outputs to inputs The RTL is relatively tractable. \Gamma While the size of an FPU may be substantial, the logic tends to decompose by operation. \Gamma The interfaces with other modules are smaller and simpler. Complexity of floating-point designs causes problems for other verification approaches. \Gamma Testing alone may be inadequate. \Gamma Decision procedures used in formal verification traditionally have capacity limitations, for example for multiplication and shiftin

We provide sufficient conditions that formally guarantee that the floating-point computation of a polynomial evaluation is faithful. To this end, we develop a formalization of floatingpoint numbers and rounding modes in the Program Verification System (PVS). Our work is based on a well-known formalization of floating-point arithmetic in the proof assistant Coq, where polynomial evaluation has been already studied. However, thanks to the powerful proof automation provided by PVS, the sufficient conditions proposed in our work are more general than the original ones.

Abstract- We describe a methodology for the formal verification of the correctness, including IEEE-compliance, of register-transfer level models of floating-point hardware designs, and its application to the floating-point units of a series of commercial microprocessors produced by Advanced Micro Devices, Inc. The methodology is based on a mechanical translator from a synthesizable subset of the Verilog hardware description language, in which the models are coded, to the formal logic of the ACL2 theorem prover. Behavioral specifications of correctness, coded in essentially the same language as the designs, are translated as well, and ultimately checked with the ACL2 prover. Keywords — Formal verification, Floating-point arithmetic, IEEE-compliance, Theorem proving, ACL2

We present a deductive method for proving invariants of reactive systems. Our approach uses term rewriting to reduce invariant proofs to reachability analysis on a finite graph. This substantially automates invariant proofs by obviating the need to define inductive invariants while still benefitting from the expressiveness of deductive methods. We implement a procedure supporting this approach which interfaces with the ACL2 theorem prover. The interface affords sound extension of our procedure with rewrite rules based on proven theorems. We demonstrate the method in the verification of cache coherence protocols. 1