Abstract
In this paper a practical methodology for formally verifying RISC cores is presented. Using a hierarchical model that reflects the abstraction levels used by designers of real RISC processors, proofs between neighboring levels are performed to simplify the verification process. The proofs are performed by showing that each instruction is executed correctly by the pipelined machine with respect to the semantics of the instruction set architecture. During this proof, temporal abstractions are used to find correspondences between the various levels of abstraction. Additionally, lower-level implementational details, such as multiphased clocks and gate-level descriptions of the final implementation, are accounted for. The overall correctness proof is managed in two complementary steps, namely pipeline data correctness and pipeline control correctness. In the former, we show that the cumulative effect of pipeline suboperations yields the data semantics of architecture instructions; in the latter, we are concerned with interferences (conflicts) between the different instructions and suboperations in the pipeline. We have developed a set of parametrized proof scripts that highly automate the different proof tasks. In addition, the pipeline control proof is constructive, in the sense that the conditions under which pipeline conflicts occur are automatically generated and explicitly stated, thus aiding the user in their removal. All developed specifications and proof scripts are kept general, so that the methodology can be applied to a wide range of RISC cores (e.g., those used in embedded systems). In this paper, the described formalization and proof strategies are illustrated via the DLX RISC processor.
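The two proof obligations named in the abstract, as an added executable sketch that is not the paper's HOL development: a DLX-like five-stage pipeline (IF, ID, EX, MEM, WB) for two instruction forms, a data-correctness check that composes the five suboperations and compares the result with the ISA semantics, and a constructive control check that lists the conditions under which an in-flight instruction reads a register not yet written back. The instruction encoding, the 32-bit width and the assumed ID/WB distance of three cycles are simplifications chosen for this example.

```python
import copy

MASK = 0xFFFFFFFF
WB_ID_DISTANCE = 3  # assumed: ID reads registers in cycle t, WB writes them in cycle t+3

# Architecture level: the data semantics of each instruction (the specification).
# Instruction tuples are (op, rd, rs1, rs2 | imm); this encoding is constructed for the example.
def isa_step(s, ins):
    op, rd, a, b = ins
    if op == "ADD":
        s["regs"][rd] = (s["regs"][a] + s["regs"][b]) & MASK
    elif op == "LW":                                   # LW rd, imm(rs1)
        s["regs"][rd] = s["mem"].get(s["regs"][a] + b, 0)
    s["pc"] += 4

# Pipeline level: one suboperation per stage, communicating through the latch `lat`.
def stage_if(s, lat, ins):
    lat["npc"] = s["pc"] + 4
def stage_id(s, lat, ins):
    lat["a"] = s["regs"][ins[2]]
    lat["b"] = s["regs"][ins[3]] if ins[0] == "ADD" else ins[3]
def stage_ex(s, lat, ins):
    lat["alu"] = (lat["a"] + lat["b"]) & MASK
def stage_mem(s, lat, ins):
    lat["res"] = s["mem"].get(lat["alu"], 0) if ins[0] == "LW" else lat["alu"]
def stage_wb(s, lat, ins):
    s["regs"][ins[1]] = lat["res"]
    s["pc"] = lat["npc"]
STAGES = [stage_if, stage_id, stage_ex, stage_mem, stage_wb]

def pipeline_data_correct(s, ins):
    """Data correctness: the suboperations run in isolation must yield the ISA semantics."""
    spec, impl, lat = copy.deepcopy(s), copy.deepcopy(s), {}
    isa_step(spec, ins)
    for stage in STAGES:
        stage(impl, lat, ins)
    return spec == impl

def pipeline_conflicts(program):
    """Control correctness, constructively: list every condition under which an instruction
    reads a register that an earlier, still in-flight instruction has not yet written back."""
    conflicts = []
    for i, ins in enumerate(program):
        srcs = {ins[2]} | ({ins[3]} if ins[0] == "ADD" else set())
        for d in range(1, WB_ID_DISTANCE):
            if i - d >= 0 and program[i - d][1] in srcs:
                conflicts.append(f"instr {i} reads r{program[i - d][1]} before instr {i - d} writes it back (distance {d})")
    return conflicts

STATE = {"regs": {1: 5, 2: 7, 3: 0, 4: 0}, "mem": {12: 99}, "pc": 0}   # constructed sample state
PROGRAM = [("ADD", 3, 1, 2), ("LW", 4, 3, 0), ("ADD", 1, 4, 2)]       # constructed sample program
```

An empty list from `pipeline_conflicts` is the control proof succeeding; a non-empty list states the conflict conditions explicitly, which is what the abstract means by the proof being constructive.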
Cite this article
Tahar, S., Kumar, R. A Practical Methodology for the Formal Verification of RISC Processors. Formal Methods in System Design 13, 159–225 (1998). https://doi.org/10.1023/A:1008622002590