## Instantiating uninterpreted functional units and memory system: Functional verification of the VAMP (2003)

Venue: Correct Hardware Design and Verification Methods, volume 2860 of Lecture Notes in Computer Science

Citations: 13 (7 self)

### BibTeX

@INPROCEEDINGS{Beyer03instantiatinguninterpreted,
  author = {S. Beyer and C. Jacobi and D. Kröning and D. Leinenbach and W. J. Paul},
  title = {Instantiating uninterpreted functional units and memory system: Functional verification of the VAMP},
  booktitle = {Correct Hardware Design and Verification Methods, volume 2860 of Lecture Notes in Computer Science},
  year = {2003},
  pages = {51--65},
  publisher = {Springer}
}

### Abstract

In the VAMP (verified architecture microprocessor) project we have designed, functionally verified, and synthesized a processor with full DLX instruction set, delayed branch, Tomasulo scheduler, maskable nested precise interrupts, pipelined fully IEEE compatible dual precision floating point unit with variable latency, and separate instruction and data caches. The verification has been carried out in the theorem proving system PVS. The processor has been implemented on a Xilinx FPGA.

### Citations

4269 | Computer architecture: a quantitative approach - Hennessy, Patterson - 2002
Citation Context: ...fication effort for various parts of the project, summarizes our work, and sketches directions of some future work. 2 Overview of the VAMP Processor Instruction Set. The full DLX instruction set from [7] is realized. This includes loads and stores for double words, words, half words, and bytes, various shift operations, and two jump-and-link operations. Loads of bytes and half words can be unsigned o...

566 | PVS: A Prototype Verification System - Owre, Rushby, et al. - 1992
Citation Context: ... the hardware. Thus all abstractions, restrictions and simplifications mentioned above have been removed. Specification and verification was performed using the interactive theorem proving system PVS [20]. All formal specifications and proofs are on our web site. The hardware description was automatically extracted from PVS and translated into Verilog HDL by a tool sketched in section 7. Hardware wi...

277 | Automated verification of pipelined microprocessor control, Computer-Aided Verification - Burch, Dill - 1994
Citation Context: ...sors so far has concentrated mainly on the following aspects of architectures: i) Processors with in-order scheduling, one or several pipelines including forwarding, stalling and interrupt mechanisms [3, 13, 28]. The verification of the very simple, nonpipelined FM9001 processor has been reported in [2]. Using the flushing method from [3] and uninterpreted functions for modeling execution units, superscalar ...

96 | Superscalar processor verification using efficient reductions of the logic of equality with uninterpreted functions - Velev, Bryant - 1999
Citation Context: ... is generalized in [28] by an uninterpreted test evaluation function. Most notably the verification of machines with load/store operations on half words and bytes has apparently not been reported. In [27] the authors report an attempt to handle these instructions by automatic methods which was unsuccessful due to memory overflow. ii) Delayed branch is replaced by non-deterministic speculation (specula...

93 | Verification of an implementation of Tomasulo's algorithm by compositional model checking - McMillan - 1998
Citation Context: ...) by an automatic transformation, and automatically generate formal correctness proofs for this transformation [15]. ii) Tomasulo schedulers with reorder buffers for the support of precise interrupts [5, 8, 16, 24]. Exploiting symmetries, McMillan [16] has shown the correctness of a powerful Tomasulo scheduler with a remarkable degree of automation. Using theorem proving, Sawada and Hunt [24] show the correctne...

49 | Processor verification with precise exceptions and speculative execution - Sawada, Hunt - 1998
Citation Context: ...) by an automatic transformation, and automatically generate formal correctness proofs for this transformation [15]. ii) Tomasulo schedulers with reorder buffers for the support of precise interrupts [5, 8, 16, 24]. Exploiting symmetries, McMillan [16] has shown the correctness of a powerful Tomasulo scheduler with a remarkable degree of automation. Using theorem proving, Sawada and Hunt [24] show the correctne...

44 | Computer Architecture: Complexity and Correctness - Müller, Paul - 2000
Citation Context: ...f Pentium processors are claimed in [4, 19]. As the verified unit is part of an industrial product not all details have been published. Based on the constructions and on the paper and pencil proofs in [18] a fully IEEE compatible FPU has been verified [1, 11] (using mostly but not exclusively theorem proving). iv) Caches. Multiple cache coherence protocols have been formally verified, e.g., [6, 17, 25, 26...

42 | A Mechanically Checked Proof of IEEE Compliance of the Floating Point Multiplication, Division and Square Root Algorithms of the AMD-K7 - Russinoff - 1998
Citation Context: ...2860, pp. 51–65, 2003. © Springer-Verlag Berlin Heidelberg 2003. 52 S. Beyer et al. iii) Floating point units (FPU). The correctness of an important collection of floating point algorithms is shown in [21, 22] using the theorem prover ACL2. Correctness proofs using a combination of theorem proving and model checking techniques for the FPUs of Pentium processors are claimed in [4, 19]. As the verified unit i...

40 | Proof of correctness of a processor with reorder buffer using the completion function approach - Hosabettu, Gopalakrishnan, et al. - 1999
Citation Context: ...) by an automatic transformation, and automatically generate formal correctness proofs for this transformation [15]. ii) Tomasulo schedulers with reorder buffers for the support of precise interrupts [5, 8, 16, 24]. Exploiting symmetries, McMillan [16] has shown the correctness of a powerful Tomasulo scheduler with a remarkable degree of automation. Using theorem proving, Sawada and Hunt [24] show the correctne...

39 | Trace Table Based Approach for Pipeline Microprocessor Verification - Sawada, Hunt - 1997
Citation Context: ...strategy, and the integration of the execution units into the Tomasulo core. Correctness criterion and proof strategy are based on scheduling functions [14, 18] (similar to the stg-component of MAETTs [23]). The model of the execution unit is in a nontrivial way more general than previous models without complicating interactive proofs too much. Section 4 presents a delayed branch mechanism, which is au...

34 | Formally verifying IEEE compliance of floating point hardware - O’Leary, Zhao, et al. - 1999

25 | Parameterized Verification of the FLASH Cache Coherence Protocol by Compositional Model Checking - McMillan - 2001
Citation Context: ...oofs in [18] a fully IEEE compatible FPU has been verified [1, 11] (using mostly but not exclusively theorem proving). iv) Caches. Multiple cache coherence protocols have been formally verified, e.g., [6, 17, 25, 26]. Paper and pencil proofs are extremely error prone, and hence the generation of proofs for interactive theorem proving systems is slow. The method of choice is model checking. The compositional techn...

25 | Cachet: an adaptive cache coherence protocol of distributed shared memory systems - Shen, Arvind, et al. - 1999
Citation Context: ...oofs in [18] a fully IEEE compatible FPU has been verified [1, 11] (using mostly but not exclusively theorem proving). iv) Caches. Multiple cache coherence protocols have been formally verified, e.g., [6, 17, 25, 26]. Paper and pencil proofs are extremely error prone, and hence the generation of proofs for interactive theorem proving systems is slow. The method of choice is model checking. The compositional techn...

23 | Verification of all circuits in a floating-point unit using word-level model checking - Chen, Clarke, et al.
Citation Context: ...algorithms is shown in [21, 22] using the theorem prover ACL2. Correctness proofs using a combination of theorem proving and model checking techniques for the FPUs of Pentium processors are claimed in [4, 19]. As the verified unit is part of an industrial product not all details have been published. Based on the constructions and on the paper and pencil proofs in [18] a fully IEEE compatible FPU has been ...

22 | Verifying out-of-order executions - Damm, Pnueli - 1997

22 | A case study in formal verification of register-transfer logic with ACL2: The floating point adder of the AMD Athlon processor - Russinoff - 2000
Citation Context: ...iii) Floating point units (FPU). The correctness of an important collection of floating point algorithms is shown in [21, 22] using the theorem prover ACL2. Correctness proofs using a combination of theorem proving and model checking techniques for the FPUs of Pentium processors are claimed in [4, 19]. As the verified unit i...

17 | The formal design of 1M-gate ASICs - Eiríksson - 1998
Citation Context: ...oofs in [18] a fully IEEE compatible FPU has been verified [1, 11] (using mostly but not exclusively theorem proving). iv) Caches. Multiple cache coherence protocols have been formally verified, e.g., [6, 17, 25, 26]. Paper and pencil proofs are extremely error prone, and hence the generation of proofs for interactive theorem proving systems is slow. The method of choice is model checking. The compositional techn...

15 | Automated pipeline design - Kröning, Paul - 2001
Citation Context: ...form specification machines into simple pipelines (with forwarding and stalling mechanism) by an automatic transformation, and automatically generate formal correctness proofs for this transformation [15]. ii) Tomasulo schedulers with reorder buffers for the support of precise interrupts [5, 8, 16, 24]. Exploiting symmetries, McMillan [16] has shown the correctness of a powerful Tomasulo scheduler with ...

13 | Formal Verification of the VAMP Floating Point Unit - Berg, Jacobi - 2001
Citation Context: ...verified unit is part of an industrial product not all details have been published. Based on the constructions and on the paper and pencil proofs in [18] a fully IEEE compatible FPU has been verified [1, 11] (using mostly but not exclusively theorem proving). iv) Caches. Multiple cache coherence protocols have been formally verified, e.g., [6, 17, 25, 26]. Paper and pencil proofs are extremely error prone,...

12 | The FM9001 microprocessor proof - Brock, Hunt, et al. - 1994
Citation Context: ...n-order scheduling, one or several pipelines including forwarding, stalling and interrupt mechanisms [3, 13, 28]. The verification of the very simple, nonpipelined FM9001 processor has been reported in [2]. Using the flushing method from [3] and uninterpreted functions for modeling execution units, superscalar processors with multicycle execution units, exceptions and branch prediction [28] have been v...

12 | Formal verification of complex out-of-order pipelines by combining model-checking and theorem-proving - Jacobi - 2002
Citation Context: ...rent for model checking [28]. Integration of Execution Units. The proofs for the scheduler and the proofs for the execution units are separated by the following specifications for the execution units [11, 10]. Notations refer to figure 3. i) $\mathit{stall}_{in}^{T} \implies \neg \mathit{valid}_{out}^{T}$, i.e., if the scheduler asserts $\mathit{stall}_{in}$, the execution unit does not return a valid instruction. ii) $\forall T\ \exists T' > T : \neg \mathit{stall}_{out}^{T'}$, i.e., the st...

11 | Proofs of correctness of cache coherence protocols - Stoy, Shen, et al. - 2001

9 | Formal verification of superscalar microprocessors with multicycle functional units, exception, and branch prediction - Velev, Bryant - 2000
Citation Context: ...sors so far has concentrated mainly on the following aspects of architectures: i) Processors with in-order scheduling, one or several pipelines including forwarding, stalling and interrupt mechanisms [3, 13, 28]. The verification of the very simple, nonpipelined FM9001 processor has been reported in [2]. Using the flushing method from [3] and uninterpreted functions for modeling execution units, superscalar ...

6 | Formal Verification of Pipelined Microprocessors (Draft) - Kroening - 2001
Citation Context: ... verification effort for the different parts of the VAMP. Note especially that “Putting it all together” took a whole person-year for several reasons. First of all, the proof of the Tomasulo core from [12] was only generic and had to be applied to the VAMP architecture, especially the VAMP instruction set. Unfortunately, in spite of thorough planning on our part, the interfaces between the different pa...

3 | Formal Verification of a fully IEEE compliant floating point unit - Jacobi - 2002
Citation Context: ...verified unit is part of an industrial product not all details have been published. Based on the constructions and on the paper and pencil proofs in [18] a fully IEEE compatible FPU has been verified [1, 11] (using mostly but not exclusively theorem proving). iv) Caches. Multiple cache coherence protocols have been formally verified, e.g., [6, 17, 25, 26]. Paper and pencil proofs are extremely error prone,...

3 | Proving the correctness of pipelined micro-architectures. In 3ITG-/GI/GMM-Workshop Methoden und Beschreibungsprachen zur Modellierung und Verifikation von Schaltungen und System - Kröning, Müller, et al. - 2000
Citation Context: ...sors so far has concentrated mainly on the following aspects of architectures: i) Processors with in-order scheduling, one or several pipelines including forwarding, stalling and interrupt mechanisms [3, 13, 28]. The verification of the very simple, nonpipelined FM9001 processor has been reported in [2]. Using the flushing method from [3] and uninterpreted functions for modeling execution units, superscalar ...

2 | Proving the correctness of processors with delayed branch using delayed PCs - Kröning, Müller, et al. - 2000
Citation Context: ...ribes the correctness criterion, the main proof strategy, and the integration of the execution units into the Tomasulo core. Correctness criterion and proof strategy are based on scheduling functions [14, 18] (similar to the stg-component of MAETTs [23]). The model of the execution unit is in a nontrivial way more general than previous models without complicating interactive proofs too much. Section 4 pre...