## Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach (1999)

Citations: 39 (1 self)

### BibTeX

    @INPROCEEDINGS{Hosabettu99proofof,
      author    = {Ravi Hosabettu and Mandayam Srivas and Ganesh Gopalakrishnan},
      title     = {Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach},
      booktitle = {},
      year      = {1999},
      pages     = {47--59},
      publisher = {Springer-Verlag}
    }

### Abstract

The Completion Functions Approach was proposed in [HSG98] as a systematic way to decompose the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. In this paper, we show that this "instruction-centric" view of the completion functions approach leads to an elegant decomposition of the proof for an out-of-order execution processor with a reorder buffer. The proof does not involve the construction of an explicit intermediate abstraction, makes heavy use of strategies based on decision procedures and rewriting, and addresses both safety and liveness issues with a clean separation between them.

### Citations

4163 | Computer Architecture: A Quantitative Approach, 4th Edition (to appear) - Hennessy, Patterson - 2006
Citation Context: ...otentially overwhelm the decision procedures, and a potentially tedious manual proof. This methodology is implemented using PVS [ORSvH95] and was applied (in [HSG98]) to three processor examples: DLX [HP90], dual-issue DLX, and a processor that exhibited limited out-of-order execution capability. An attribute common to all these processors was that the maximum number of instructions pending at any time ...

308 | Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS - Owre, Rushby, et al. - 1995
Citation Context: ...trikes a balance between full automation that (if at all possible) can potentially overwhelm the decision procedures, and a potentially tedious manual proof. This methodology is implemented using PVS [ORSvH95] and was applied (in [HSG98]) to three processor examples: DLX [HP90], dual-issue DLX, and a processor that exhibited limited out-of-order execution capability. An attribute common to all these proces...

151 | Validity checking for combinations of theories with equality - Barrett, Dill, et al. - 1996

91 | Verification of an implementation of Tomasulo's algorithm by compositional model checking - McMillan - 1998
Citation Context: ...e abstraction (called MAETT) and expressing invariant properties over this. Our approach avoids the construction of an intermediate abstraction and hence requires significantly less manual effort. In [McM98], McMillan uses compositional model checking and aggressive symmetry reductions to manually decompose the proof of a processor implementing Tomasulo's algorithm (without a reorder buffer) into smaller...

49 | Processor verification with precise exceptions and speculative execution - Sawada, Hunt - 1998
Citation Context: ...systematic method to generate the invariants and obligations needed and hence their mechanization is not as automatic as ours. And they do not address liveness issues needed to complete the proof. In [SH98], verification of a processor model with a reorder buffer, exceptions, and speculative execution is carried out. Their approach relies on constructing an explicit intermediate abstraction (called MAET...

24 | Decomposing the Proof of Correctness of Pipelined Microprocessors - Hosabettu, Srivas, et al. - 1998
Citation Context: ...Lake City, UT 84112, hosabett,ganesh@cs.utah.edu 2 Computer Science Laboratory, SRI International, Menlo Park, CA 94025, srivas@csl.sri.com Abstract. The Completion Functions Approach was proposed in [HSG98] as a systematic way to decompose the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instru...

13 | Reducing manual abstraction in formal verification of out-of-order execution - Jones, Skakkebæk, et al. - 1998
Citation Context: ...ps of the methodology (3) the level of automation with which the obligations generated by the methodology can be verified. Two theorem-proving based verifications of a similar design are described in [JSD98] and [PA98]. The idea in [JSD98] is to first show that for every out-of-order execution sequence that contains as many as n unretired instructions at any time there exists an "equivalent" (max-1) exec...

9 | Effective Theorem Proving for Hardware Verification - Cyrluk, Rajan, Srivas, et al. - 1994

4 | A proof of correctness of a processor implementing Tomasulo's algorithm without a reorder buffer - Hosabettu, Gopalakrishnan, Srivas - 1999
Citation Context: ...tly extended our approach to be applicable in a scenario where instructions "commit" out-of-order and illustrated it on an example processor implementing Tomasulo's algorithm without a reorder buffer [HGS99]. The proof was constructed in seven person days, reusing lot of the ideas and the machinery developed in this paper. We are currently working on verifying a more detailed out-of-order execution proce...

4 | Verification of data-insensitive circuits: An in-order-retirement case study - Pnueli, Arons - 1998
Citation Context: ...thodology (3) the level of automation with which the obligations generated by the methodology can be verified. Two theorem-proving based verifications of a similar design are described in [JSD98] and [PA98]. The idea in [JSD98] is to first show that for every out-of-order execution sequence that contains as many as n unretired instructions at any time there exists an "equivalent" (max-1) execution conta...

1 | PVS specification and proofs of all the examples verified with the completion functions approach - Hosabettu - 1999
Citation Context: ...dentify an instruction in the processor by its reorder buffer entry index (i.e., instruction rbi means instruction at index rbi). The complete PVS specifications and the proof scripts can be found at [Hos99]. 4.1 Specifying the completion functions An instruction in the processor can be in one of the following four possible states inside the processor---issued, dispatched, executed or written back. (A re...