Automatic verification of safety and liveness for XScale-like processor models using WEB refinements

Manolios, Panagiotis; Srinivasan, Sudarshan K.

doi:10.1109/date.2004.1268844

Cited by 27 publications

(40 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, a big advantage over previous work is that we can handle liveness; in fact, we show that with our approach the time spent proving liveness accounts for only 5% of the total verification time [17].…”

Section: Automationmentioning

confidence: 86%

The Challenge of Hardware-Software Co-verification

Manolios

2008

Verified Software: Theories, Tools, Experiments

View full text Add to dashboard Cite

Abstract. Building verified computing systems such as a verified compiler or operating system will require both software and hardware verification. How can we decompose such verification efforts into mostly separate tasks, one involving hardware and the other software? What theorems should we prove? What specification languages should we use? What tools should we build? To what extent can the process be automated? We address these issues, using as a running example our recent and on-going work on refinement-based pipelined machine verification.

show abstract

Section: Automationmentioning

confidence: 86%

The Challenge of Hardware-Software Co-verification

Manolios

2008

Verified Software: Theories, Tools, Experiments

View full text Add to dashboard Cite

show abstract

“…5. Another approach suitable for proving both safety and liveness of pipelined processors was proposed in [24], but was not applied to designs with multicycle functional units.…”

Section: Related Workmentioning

confidence: 99%

Automatic Formal Verification of Liveness for Pipelined Processors with Multicycle Functional Units

Velev¹

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Previous work on microprocessor formal verification has almost exclusively addressed the proof of safety-that if a processor does something during a step, it will do it correctly-as also observed in [2], while ignoring the proof of liveness-that a processor will complete a new instruction after a finite number of steps. Several authors used theorem proving to check liveness [15] Functional units in recent state-of-the-art processors usually have latencies of up to 20 -30 cycles, and rarely up to 200 cycles, but it is expected that the memory latencies in next generation high-performance designs will reach 1,000 cycles [13]. Thus, the need to develop automatic techniques to prove the liveness of pipelined processors where the functional units can have latencies of up to thousands of cycles.In the current paper, the implementation and specification are described in the highlevel hardware description language HDL [46], based on the logic of Equality with Uninterpreted Functions and Memories (EUFM) [7]. In EUFM, word-level values are abstracted with terms (see Sect. 4) whose only relevant property is that of equality with other terms. Restrictions on the style for describing high-level processors [35][36] reduced the number of terms that appear in both positive and negated equality comparisons-and are so called g-terms (for general terms)-and increased the number of http://www.ece.cmu.edu/~mvelev mvelev@ece.cmu.eduAbstract. Presented is a highly automatic approach for proving bounded liveness of pipelined processors with multicycle functional units, without the need for the user to set up an inductive argument. Multicycle functional units are abstracted with a placeholder that is suitable for proving both safety and liveness. Abstracting the branch targets and directions with arbitrary terms and formulas, respectively, that are associated with each instruction, made the branch targets and directions independent of the data operands. The observation that the term variables abstracting branch targets of newly fetched instructions can be considered to be in the same equivalence class, allowed the use of a dedicated fresh term variable for all such branch targets and the abstraction of the Instruction Memory with a generator of arbitrary values.To further improve the scaling, the multicycle ALU was abstracted with a placeholder without feedback loops. Also, the equality comparison between the terms written to the PC and the dedicated fresh term variable for branch targets of new instructions was implemented as part of the circuit, thus avoiding the need to apply the abstraction function along the specification side of the commutative diagram for liveness. This approach resulted in 4 orders of magnitude speedup for a 5-stage pipelined DLX processor with a 32-cycle ALU, compared to a previous method for indirect proof of bounded liveness, and scaled for a 5-stage pipelined DLX with a 2048-cycle ALU.Miroslav N. Velev D.

show abstract

“…In fact, BAT was able to solve the specification without calling the SAT solver by using the rewrite rules described in Section 4. Two Stage Pipelined Machine (2f ) Benchmarks: The 2f is a flushing based refinement theorem [14] for a simple 2 stage pipelined machine that implements only an add instruction and has two memory elements, which are the instruction memory and the register file as shown in Figure 5(a). We used the 2f benchmarks to compare BAT with VCEGAR, and found that VCEGAR cannot handle any of these benchmarks.…”

Section: Instruction Cache Ram (Icram) Unit (Icram) Benchmarksmentioning

confidence: 99%

“…We did not use VCEGAR to check the 5f and the 5fb benchmarks, as they are far more complex than the 2f benchmarks, which VCEGAR was not able to handle. Three Stage Pipelined Machine (3c) Benchmarks: The 3c benchmark is a commitment based refinement theorem [14] for a 3 stage pipeline, which has an instruction memory, a register file, and a data memory. Table 2 shows the BAT verification times for the 3c benchmarks obtained by increasing the number of words in the memory elements (N).…”

Section: Instruction Cache Ram (Icram) Unit (Icram) Benchmarksmentioning

confidence: 99%

“…If rewrite rules are not used, the number of words in the resulting memory abstractions are large, and are significantly more difficult for BAT to analyze. Five Stage Pipelined Machine (5f ) Benchmarks: The 5f benchmark is a flushing based refinement theorem [14] for a 5 stage pipelined machine model that implements simple ALU, load, store, and branch instructions. To support these instructions, the model has an instruction memory, a register file, and a data memory.…”

Section: Instruction Cache Ram (Icram) Unit (Icram) Benchmarksmentioning

confidence: 99%

See 1 more Smart Citation

Automatic memory reductions for RTL model verification

Manoliost

Srinivasan

Vroon

2006

Proceedings of the 2006 IEEE/ACM International Conference on Computer-Aided Design - ICCAD '06

View full text Add to dashboard Cite

We present several techniques for automatically reducing memories in RTL designs. This includes a new memory abstraction algorithm that allows us to greatly reduce the size of memories and a technique based on-term rewriting that further improves the abstraction. In contrast to previously proposed methods for abstracting memories of RTL designs, our methods are general-e.g., they allow us to arbitrarily and directly compare memories-and they are sound and complete-e.g., there are no false positives or negatives. In addition, the combination of our techniques allows us to automatically verify RTL pipelined machine designs beyond the reach of current state-of-the-art methods, as our experimental results show.

show abstract

Automatic verification of safety and liveness for XScale-like processor models using WEB refinements

Cited by 27 publications

References 20 publications

The Challenge of Hardware-Software Co-verification

The Challenge of Hardware-Software Co-verification

Automatic Formal Verification of Liveness for Pipelined Processors with Multicycle Functional Units

Automatic memory reductions for RTL model verification

Contact Info

Product

Resources

About