## Verification of executable pipelined machines with bit-level interfaces (2005)

Venue: ICCAD-2005, International Conference on Computer-Aided Design

Citations: 6 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Manolios05verificationof,
  author    = {Panagiotis Manolios},
  title     = {Verification of executable pipelined machines with bit-level interfaces},
  booktitle = {In ICCAD-2005, International Conference on Computer-Aided Design},
  year      = {2005},
  pages     = {855--862}
}
```

### Abstract

We show how to verify pipelined machine models with bit-level interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify away the datapath, the term-level models they operate on require the use of numerous abstractions, implement a small subset of the instruction set, and are far from executable. In contrast, we focus on verifying executable machines with bit-level interfaces. Such proofs have previously required substantial expert guidance and the use of deductive reasoning engines. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bit-level machine refines its instruction set architecture to a proof that a term-level abstraction of the bit-level machine refines the instruction set architecture, which is then handled automatically by UCLID. In this way, we exploit the strengths of ACL2 and UCLID to prove theorems that are not possible to even state using UCLID and that would require prohibitively more effort using just ACL2.

### Citations

329 | The Mechanical Evaluation of Expressions
- Landin
- 1964
Citation context: ...e major problem with the translation is how to handle state elements that are themselves functions or predicates, as ACL2 is a first-order language. The way we handle this is first to closure-convert [18] and lambda-lift [12] the relevant lambda expressions: we extract the free state variables of each lambda term, and alter the term to take an additional argument that packages up their current values. ...

299 | Definitional interpreters for higher-order programming languages
- Reynolds
- 1972
Citation context: ...ions: we extract the free state variables of each lambda term, and alter the term to take an additional argument that packages up their current values. Secondly, we perform a defunctionalisation step [24] on the resulting closures. That is, we statically know the call sites for each (functional) state variable. Such a call must be to the lambda expression produced by either the state variable’s initia...

261 | Computer-aided reasoning: an approach
- Kaufmann, Manolios, et al.
- 2000
Citation context: ...TRODUCTION Successful approaches to pipelined machine verification can be roughly classified as being based on the use of theorem provers or decision procedures. Theorem proving systems such as ACL2 [14] have been used to reason about pipelined machine models at various levels of abstraction, ranging from the term-level to bit- and cycle-accurate models, but they typically require extensive expert us...

259 | Automated verification of pipelined microprocessor control
- Burch, Dill
- 1994
Citation context: ...now selectively review previous work on pipelined machine verification that is directly related to our work. Burch and Dill showed how to automatically compute the abstraction function using flushing [5] and gave a decision procedure for the logic of uninterpreted functions with equality and boolean connectives. Another, more efficient decision procedure was given in [3]. The work was further extende...

197 | Using a high-performance, programmable secure coprocessor
- Smith, Palmer, et al.
- 1998
Citation context: ...25], AMD Athlon™ processor [26], and IBM Power4™ processor [29]. The verification of separation properties in Rockwell avionics microprocessors [7], and verification of an IBM secure co-processor [32] also used ACL2. We combined ACL2 with UCLID [4], [17] because UCLID implements a decision procedure for formulas expressed in a decidable fragment of first order logic called CLU, which has been show...

139 | Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions
- Bryant, Lahiri, et al.
- 2002
Citation context: ...s levels of abstraction, ranging from the term-level to bit- and cycle-accurate models, but they typically require extensive expert user support. Approaches based on decision procedures such as UCLID [4], [17] are fast and highly automated but are restricted to term-level models, which employ numerous abstractions and are far from being executable, let alone bit- and cycle-accurate. We describe an ap...

107 | Integrating decision procedures into heuristic theorem provers: A case study of linear arithmetic
- Boyer, Moore
- 1988
Citation context: ...has to invoke the decision procedure explicitly. This allows us to avoid the well-known difficulties associated with the fine-grained integration of decision procedures into heuristic theorem provers [2]. We initially considered building a system that given an ACL2 conjecture generates a corresponding UCLID specification, which is then handed to the UCLID decision procedure, h UCLID to embedding of U...

68 | An approach to systems verification
- Bevier, Jr, et al.
Citation context: ...nd which we use to verify the models presented in this paper. An early, pioneering body of work on the use of theorem proving for the verification of microprocessors is the CLI stack work [10], [11], [1]. More recent theorem proving approaches include [28], [9]. The notion of correctness for pipelined machines that we use was first proposed in [19], and is based on WEB-refinement [20]. The first proo...

58 | Microprocessor Design Verification
- Hunt
- 1989
Citation context: ...ssors [16] and which we use to verify the models presented in this paper. An early, pioneering body of work on the use of theorem proving for the verification of microprocessors is the CLI stack work [10], [11], [1]. More recent theorem proving approaches include [28], [9]. The notion of correctness for pipelined machines that we use was first proposed in [19], and is based on WEB-refinement [20]. The...

54 | Exploiting Positive Equality in a Logic of Equality with Uninterpreted Functions
- Bryant, German, et al.
- 1999
Citation context: ...ction function using flushing [5] and gave a decision procedure for the logic of uninterpreted functions with equality and boolean connectives. Another, more efficient decision procedure was given in [3]. The work was further extended in [4], where a decision procedure for the CLU logic that exploits optimized encoding schemes [31] is given. The decision procedure is implemented in UCLID, which has b...

46 | A hybrid SAT-based decision procedure for separation logic with uninterpreted functions
- Seshia, Lahiri, et al.
- 2003
Citation context: ...n connectives. Another, more efficient decision procedure was given in [3]. The work was further extended in [4], where a decision procedure for the CLU logic that exploits optimized encoding schemes [31] is given. The decision procedure is implemented in UCLID, which has been used to verify out-of-order microprocessors [16] and which we use to verify the models presented in this paper. An early, pione...

42 | Modeling and Verification of Out-of-order Microprocessors using UCLID
- Lahiri, Seshia, et al.
Citation context: ... memory of our machine: memory can be modeled as an integer variable using two UFs, one to read and one to write. This modeling style leads to faster verification times than the approach using lambdas [16]. However, it is much more difficult to use if the abstraction has to be mechanically verified. To mechanically verify this abstraction, we have to show how to instantiate the UFs corresponding to rea...

39 | The UCLID Decision Procedure
- Lahiri, Seshia
- 2004
Citation context: ...els of abstraction, ranging from the term-level to bit- and cycle-accurate models, but they typically require extensive expert user support. Approaches based on decision procedures such as UCLID [4], [17] are fast and highly automated but are restricted to term-level models, which employ numerous abstractions and are far from being executable, let alone bit- and cycle-accurate. We describe an approach...

39 | Mechanical Verification of Reactive Systems
- Manolios
- 2001
Citation context: ...us approaches and the verification times are in the order of minutes. Our proofs are based on WEB-refinement, a theory of refinement that is compositional and preserves safety and liveness properties [20]. Essential use is made of both these features of WEB-refinement. Compositionality allows us to reduce the proof that the bit-level machine refines its instruction set architecture into several refine...

35 | Proof of Correctness of a Processor with Reorder Buffer Using the Completion Functions Approach
- Hosabettu, Srivas, et al.
- 1999
Citation context: ...er. An early, pioneering body of work on the use of theorem proving for the verification of microprocessors is the CLI stack work [10], [11], [1]. More recent theorem proving approaches include [28], [9]. The notion of correctness for pipelined machines that we use was first proposed in [19], and is based on WEB-refinement [20]. The first proofs of correctness for pipelined machines based on WEB-refi...

26 | High-speed, analyzable simulators
- Greve, Wilding, et al.
- 2000
Citation context: ...he power of a theorem proving system such as ACL2. Since UCLID models are defined at the term-level, they are not executable. In contrast, ACL2 can be made to simulate processors at close to C speeds [8]. In addition, term-level models generally contain only one instruction per instruction class and do not capture the semantics of the instruction set architecture, e.g., ...

26 | Correctness of Pipelined Machines
- Manolios
- 2000
Citation context: ...d models imply something about the original models requires proof. Refinement maps are used to map implementation states to specification states. We use the commitment refinement map for this purpose [19], [21], where a pipelined machine state is related to an instruction set architecture state by invalidating all the partially executed instructions in the pipeline and rolling back the programmer-visi...

21 | Automatic verification of safety and liveness for XScale-like processor models using WEB refinements
- Manolios, Srinivasan
- 2004
Citation context: ...n [23]. For example, one can prove the following theorem, where $r; q$ denotes functional composition, i.e., $(r; q)(s) = q(r(s))$. Theorem 1: (Composition) If $M \approx_r M'$ and $M' \approx_q M''$ then $M \approx_{r;q} M''$. In [21], it is shown how to automate the proof of WEB-refinement in the context of pipelined machine verification. The idea is to strengthen, thereby simplifying, the WEB-refinement proof obligation; the resul...

21 | Formal Verification of an Advanced Pipelined Machine
- Sawada
- 1999
Citation context: ...is paper. An early, pioneering body of work on the use of theorem proving for the verification of microprocessors is the CLI stack work [10], [11], [1]. More recent theorem proving approaches include [28], [9]. The notion of correctness for pipelined machines that we use was first proposed in [19], and is based on WEB-refinement [20]. The first proofs of correctness for pipelined machines based on WEB...

20 | A summary of intrinsic partitioning verification
- Greve, Richards, et al.
- 2004
Citation context: ...ing-point unit verification of the AMD K5 processor [25], AMD Athlon™ processor [26], and IBM Power4™ processor [29]. The verification of separation properties in Rockwell avionics microprocessors [7], and verification of an IBM secure co-processor [32] also used ACL2. We combined ACL2 with UCLID [4], [17] because UCLID implements a decision procedure for formulas expressed in a decidable fragment...

15 | A mechanically checked proof of correctness of the AMD K5 floating point square root microcode
- Russinoff
- 1999
Citation context: ...al-strength mechanical theorem prover that has been successfully used for hardware verification. Some of ACL2’s commercial applications include floating-point unit verification of the AMD K5 processor [25], AMD Athlon™ processor [26], and IBM Power4™ processor [29]. The verification of separation properties in Rockwell avionics microprocessors [7], and verification of an IBM secure co-processor [32...

13 | RTL verification: A floating-point multiplier
- Russinoff, Flatau
- 2000
Citation context: ... prover that has been successfully used for hardware verification. Some of ACL2’s commercial applications include floating-point unit verification of the AMD K5 processor [25], AMD Athlon™ processor [26], and IBM Power4™ processor [29]. The verification of separation properties in Rockwell avionics microprocessors [7], and verification of an IBM secure co-processor [32] also used ACL2. We combined ...

11 | Siege homepage. See URL http://www.cs.sfu.ca/~loryan/personal
- Ryan
Citation context: ...em B. For all the proof steps, except MU → IU, we used the ACL2 theorem proving system (version 2.9). For MU → IU, we used the UCLID decision procedure (version 1.0) coupled with the siege SAT solver [27] (variant 4). All the experiments were run on a 3.06 GHz Intel Xeon, with a cache size of 512 KB. The user effort required for the proof steps is an estimate of the effort that would be required for a...

10 | FM8501: A Verified Microprocessor, volume 795 of LNAI
- Hunt
- 1994
Citation context: ...[16] and which we use to verify the models presented in this paper. An early, pioneering body of work on the use of theorem proving for the verification of microprocessors is the CLI stack work [10], [11], [1]. More recent theorem proving approaches include [28], [9]. The notion of correctness for pipelined machines that we use was first proposed in [19], and is based on WEB-refinement [20]. The first...

8 | An embedded 32-bit microprocessor core for low-power and high-performance applications
- Clark, Hoffman, et al.
Citation context: ...r the pipelined machine model. We describe related work in Section VIII and conclude in Section IX. II. PROCESSOR MODEL The pipelined machine model we use is inspired by the Intel XScale architecture [6] and is shown in Figure 1. The model is described using the ACL2 programming language and can execute assembly-level programs. In Section VII, we show an example program (a dynamic programming solutio...

8 | Formal verification of divide and square root algorithms using series calculation
- Sawada
- 2002
Citation context: ... used for hardware verification. Some of ACL2’s commercial applications include floating-point unit verification of the AMD K5 processor [25], AMD Athlon™ processor [26], and IBM Power4™ processor [29]. The verification of separation properties in Rockwell avionics microprocessors [7], and verification of an IBM secure co-processor [32] also used ACL2. We combined ACL2 with UCLID [4], [17] because ...

7 | A complete compositional reasoning framework for the efficient verification of pipelined machines
- Manolios, Srinivasan
- 2005
Citation context: ...ap to under the refinement map, and their successor states. The above notion of refinement is compositional and a complete compositional reasoning framework based on our notion of refinement is given in [23]. For example, one can prove the following theorem, where $r; q$ denotes functional composition, i.e., $(r; q)(s) = q(r(s))$. Theorem 1: (Composition) If $M \approx_r M'$ and $M' \approx_q M''$ then $M \approx_{r;q} M''$. In [21], ...

4 | A suite of hard ACL2 theorems arising in refinement-based processor verification
- Manolios, Srinivasan
- 2004
Citation context: ...s to drastically outperform ACL2, e.g., to complete the proof of correctness of a simple five-stage DLX pipeline defined at the term-level, UCLID took about 3 seconds, while ACL2 required 15 1/2 days [22]. Unfortunately, as we now outline, UCLID also has some severe limitations, which is why we need the power of a theorem proving system such as ACL2. Since UCLID models are defined at the term-level, t...

1 | A user’s guide to uclid version 1.0, 2003. See URL http://www.cs.cmu.edu/ uclid/userguide.ps
- Seshia, Lahiri, et al.
Citation context: ...n language in ACL2. The full details of the embedding are rather technical and will be presented elsewhere. The CLU syntax and semantics and the UCLID specification language are described in [4], and [30], respectively. The UCLID specification language is based on CLU, but extends it with features such as macros and convenient commands for expressing symbolic simulation. UCLID specifications are there...