Abstract. We describe a framework for verifying a pipelined microprocessor whose implementation contains precise exceptions, external interrupts, and speculative execution. We present our correctness criterion which compares the state transitions of pipelined and non-pipelined machines in presence of external interrupts. To perform the veri cation, we created a table-based model of pipeline execution. This model records committed and in-ight instructions as performed by the microarchitecture. Given that certain requirements are met by this table-based model, we have mechanically veri ed our correctness criterion using the ACL2 theorem prover.
Introduction
We have studied the veri cation of a pipelined microprocessor whose implementation contains speculative execution, external interrupts and precise exceptions. The veri cation of pipelined microprocessors has been studied 1, 12, 6, 13], but complicated features, such as exception mechanisms, are often simpli ed away from the implementation model. Several veri ed microprocessor designs contain exception mechanisms 4, 11] ; however, they contain only one kind of exception and require only a few cycles before exception handling starts. Modern microprocessors have multiple exception types, which can occur simultaneously in its pipeline. Correct handling of an exception requires synchronizing and saving the machine state, which may take many clock cycles. This synchronization process may itself cause further exceptions.
Modern processors often execute a large number of instructions speculatively using branch prediction mechanisms. The processor has to keep track of these instructions correctly so that speculatively executed instructions following a mispredicted branch have no side-e ect. Also speculatively executed instructions may themselves cause exceptions, which may need to be ignored. ? This research was supported in part by the Semiconductor Research Corporation under contract 97-DJ-388.
To investigate these issues, we designed a processor model which can speculatively execute instructions and simultaneously detect multiple exceptions while executing instructions out-of-order. This machine has been speci ed at the instruction-set architecture level and micro-architecture level. We discuss the machine speci cation in Sect. 2.
Previously, we used a correctness criterion for verifying a pipelined microprocessor which did not contain exceptions 10]. In Sect. 3, we have extended this correctness criterion to permit the veri cation of a design containing speculative execution and external interrupts.
We have modeled the behavior of our processor using an intermediate model, called a MAETT, which records all executed instructions. This model, given in Sect. 4, presents an abstraction of the behavior of our pipelined design on speculative execution and exceptions. Using this model, we wrote an invariant condition that meets several requirements, and show that these requirements are strong enough to prove the correctness criterion. The proof has been carried out with ACL2 theorem prover 9]. A brief proof sketch is given Sect. 5. The veri cation of the invariant condition is in progress.
Hardware Speci cations
Our processor model has been speci ed at two levels: its micro-architecture (MA) and its instruction-set architecture (ISA). At the ISA level, we only describe the states of the components visible to the programmer, which are shown as shaded boxes in Fig. 1 . We specify the ISA behavior with an instruction interpreter function ISA-step(), which takes a current ISA state and an external interrupt input and returns the state after executing a single instruction. At the MA level, we describe the behavior of all components shown in Fig. 1 . The behavioral function MA-step() takes a current MA state and its external inputs, and returns the state after one clock cycle of execution. The ISA model is a non-pipelined machine speci cation while the MA model is pipelined.
Our ISA model implements eleven instructions, each in a di erent instruction class. For instance, ADD is the only integer operation instruction. For the purpose of our investigation, parameters such as the number of instructions, registers, and the register width are not critical. The ISA speci cation describes the action for external interrupts and internal exceptions. When an exception occurs, the processor saves some states in special registers, switches to supervisor mode, and jumps to the address speci c to the exception type.
The MA speci cation gives an abstract description of the complete design shown in Fig. 1 , as well as the exception mechanism, branch prediction unit, and memory-write bu ers. It fetches and commits instructions in program order, but it has the capability to issue up to three instructions to the execution units simultaneously and does execute instructions in an out-of-order manner. The machine can hold as many as 15 instructions in the pipeline, and 12 instructions can be speculatively executed. Instructions are executed as follows. A fetched instruction is decoded and dispatched to an appropriate reservation stations, where the instruction waits for its operands. Once an instruction has all necessary values, it is issued to the corresponding execution unit, and the result is written to the re-order bu er 7]. Finally, instructions are committed in program order. Committing is the point where the instruction actually takes its e ect. Speculatively executed instructions may reach the re-order bu er, but are only committed if appropriate.
Our MA deals with four types of exceptions: fetch errors, decode errors, data access errors, and external interrupts. The rst three exceptions have internal causes, and they are called internal exceptions. All exceptions are precise; that is, the correct machine state is saved so that the executed program can be restarted from the point where the exception occurred. To achieve this, our machine satis es the following properties for precise exceptions:
1. All instructions preceding an exception must complete their operation. 2. All partially executed instructions following an exception must be abandoned with no side-e ect. The machine may take a large number of machine cycles before it actually starts exception handling, because the rst condition requires completion of partially executed instructions that precede the exception in program order. The re-order bu er is used to sort out the instructions to be completed from those to be abandoned 5]. If multiple exceptions are detected in the pipeline, only the earliest exception in program order is processed. Our MA design does not contain any imprecise exceptions, and we have not considered the veri cation a processor with imprecise exceptions.
Correctness Criterion
Our veri cation objective is to show that the MA design correctly executes instructions as speci ed by the ISA. Various ways to show the equivalence between the two levels have been presented. Burch and Dill veri ed pipelined designs using a correctness criterion that involves pipeline ushing 2]. Although this criterion with ushing has been extended to cover superscalar processors 3, 14], it does not address speculative execution and external exceptions.
We previously used the correctness criterion shown as diagram (a) in In a correctly implemented MA design, speculatively executed instructions after a mispredicted branch should have no side-e ect on the programmer visible state. This can be checked by verifying diagram (a), because the ISA executes instructions one-by-one. The correctness diagram shows that instructions are executed correctly independently of how branches are predicted.
Let us consider how internal exceptions a ect the diagram. The ISA specication describes the machine behavior for internal exceptions; it speci es what states are stored in special registers, what the next PC value is, and so on. We want to show the MA design implements this action correctly, but we also want to check it implements precise exceptions. Since the ISA speci cation executes instructions one-by-one, it captures the requirements for precise exceptions given in Sect. 2. The correct behavior on multiple exceptions in the pipelined MA is also implied by the ISA speci cation, because it always processes exceptions in program order. These are our reasons to claim that verifying diagram (a) demonstrates precise handling of internal exceptions, as well as the correct action on exceptions. We do not check how exceptions are handled by exception handlers, since this is a software veri cation problem 11].
External exceptions make the problem more complicated. The ISA speci cation function ISA-step() takes an external interrupt signal as its argument, and describes the action of an external interrupt as it does for internal exceptions. The problem is that the non-determinism introduced by the external signal can lead to di erent nal ISA states, as shown in diagram (b). The commutative diagram holds only for the ISA state transitions which interrupt the same instructions as the MA does. Since supplying di erent environments to the MA will cause di erent instructions to be executed and interrupted, we need to nd the corresponding ISA sequence for each MA state sequence with di erent input signals.
Correctness Criterion: For an arbitrary MA execution sequence from a ushed state MA 0 to another ushed state MA n , there exists a corresponding ISA execution sequence from ISA 0 to ISA m . This sequence executes and interrupts the same instructions as occur in the MA execution sequence, and satisfy ISA 0 = proj(MA 0 ) and ISA m = proj(MA n ). The problem of self-modifying code is inseparable from pipelined processor veri cation, because instructions can be fetched from the main memory prior to the completion of writes by previous instructions. As a part of the statement of our correctness criterion, we assume that the program executed between the initial ushed MA state and the nal ushed MA state does not modify itself.
Our correctness criterion does not imply the complete correctness of a microprocessor design. Intuitively, our correctness criterion only suggests that the execution of instructions is correct if they are in fact executed. The liveness of the processor is not part of our criterion, but can be proven separately. The criterion suggests that external interrupt signals are processed correctly, but it does not guarantee that all the interrupt signals actually interrupt the machine. For a real time system, we may further want to show that the processor responds to an external signal in a bounded amount of time.
MAETT for Speculative Execution and Exceptions
We have extended our Micro-Architectural Execution Trace Table (MAETT) 10 ] to model the behavior for speculative execution, internal exceptions and external interrupts. A MAETT is an abstraction of an MA state, which contains redundant information that makes it straightforward to specify machine invariants.
A MAETT is a list whose entries correspond to either a committed or in-ight instruction. Each entry represents an instruction with a data structure whose elds are shown in The elds of each in-ight instruction are modi ed to re ect its progress in the pipeline. When the MA abandons instructions following a mispredicted branch or an exception, MAETT entries corresponding to these instructions are eliminated. 
Invariants Conditions and Correctness Criterion
We have de ned various invariant properties about our pipeline implementation. Instead of discussing a complete list of invariant properties and techniques to de ne them, we present the minimum requirements that our invariant condition should satisfy, and we give a sketch of the proof of our correctness criterion using them.
In A mispredicted conditional branch and an error-causing instruction will eventually cause instructions to be abandoned. MAETT-speculative?(MT k ) is a predicate to check whether MT k contains such an uncommitted mispredicted branch or an uncommitted error-causing instruction. The program counter in MA k should correctly point to the next instruction I l+1 to be fetched by ISA l , unless it is fetching instructions speculatively. We must show that the invariant condition Inv() is preserved during MAETT updates; however, if self-modi ed code is executed, the pipelined MA may not work correctly with respect to ISA speci cation. To characterize this problem, we de ned a predicate commit-self-modi ed-inst-p(MT) to check whether any instruction in MT is self-modi ed and also committed. Our invariant is preserved only when there is no such instruction. The machine can speculatively execute self-modi ed instructions, if they are eventually abandoned and have no e ect on the programmer visible state. Checking the rst ve requirements is easy, since they don't involve a state transition of MA. However, checking Requirement 6 takes extensive analysis of MA state transitions, and this is where the actual veri cation activity of the hardware design takes place. In the rest of this section, we summarize the proof of our correctness criterion, assuming that Inv() satis es Requirement 6.
From Requirements 2, 3 and 4 and the de nition of MAETT-speculative?(), it is straight forward to get the following lemma. The proof of Theorem 4 has been mechanically checked with ACL2 theorem prover. At this point, we have not yet completed the veri cation of Requirement 6. As pointed out earlier, the real veri cation problem is nding and verifying the invariant conditions. A merit of using the MAETT is that it helps us to de ne various pipeline invariants. For example, one invariant is that instructions are dispatched and committed in the ISA execution order. This is nicely de ned as a recursive function over the list of instructions in a MAETT. We have veri ed 6 out of 18 invariant conditions of Inv(). So far, this veri cation process found three bugs in the design, even though the design had been simulated.
Our proof presented here reduces the problem of checking the correctness criterion to the problem of verifying our requirements. In this sense, what we have presented here is a framework for verifying a microprocessor. Our requirements are strong enough to prove our correctness criterion, since we have carried out the mechanical proof by assuming only those conditions. This suggests the possibility that we can reuse the structure of the proof for other hardware designs which satisfy these requirements, even though the construction of MAETT-step() and the veri cation of the requirements are design dependent.
Conclusion
We have described a framework for verifying pipelined machine designs at the micro-architectural level. Our correctness criterion compares MA state transitions between two ushed states to the corresponding ISA state transitions. We discussed why our correctness criterion implies correct speculative execution and precise exceptions. The non-determinism at the ISA level introduced by external interrupts requires us to dynamically construct corresponding ISA transitions. This construction is done by modeling the execution of the MA design with a MAETT, which is essentially a history of committed and in-ight instructions. We de ned an invariant condition that satis es several requirements, and proved our correctness criterion under the assumption that the invariant conditions are preserved during MA state transitions. The proof has been mechanically checked by the ACL2 theorem prover. We have shown that our requirements are strong enough to carry out the proof.
We are currently verifying the invariant condition. We also would like to check whether an external interrupt is guaranteed to be processed. In our MA design, some external interrupts are dropped because internal exceptions have higher priority or because multiple interrupts are received within too short of an interval. It is an open question whether the MAETT model can help us to prove properties such as that an isolated external interrupt is guaranteed to be serviced.
