Abstract. The design of control units of modern processors is quite complex due to many speed-up techniques like pipelining and out-oforder execution. The existing approaches to formal veri cation of processor designs are applicable to very high level descriptions that ignore timing details of control signals. In this paper, we propose an approach for veri cation of detailed design of processors. Our approach suggests the use of Esterel language which has rich constructs for succinct and modular description of control. The Esterel simulation tool Xes and veri cation tools Xeve and FcTools can be used e ectively to catch minor bugs as well as subtle timing errors. As an illustration, we have developed an Esterel implementation of DLX pipeline control and veri ed certain crucial properties.
Introduction
Modern processors employ many techniques like pipelining, branch prediction and out-of-order execution to enhance their performance. The design and validation of these processors, especially their control circuitry, is a challenging task 6, 7] .
Formal veri cation techniques, emerging as a viable approach to validation 10], are still inadequate in veri cation of large systems like processors. Recently many new techniques have been proposed speci cally for processor veri cation 1, 7, 6, 9, 11] . These techniques verify that the given implementation is equivalent to a simpler sequential model of execution, as described by the instruction set architecture. But in these approaches, the implementation is at a very high level of abstraction ignoring details of ner timing constraints on control signals. These details are to be introduced to arrive at the nal implementation that can be realized in hardware. Even if the design at the higher level of abstraction is proved to be equivalent to a sequential model, later re nements may introduce timing errors.
The aim of this paper is to propose a veri cation method for detailed processor implementations containing timing constraints of control signals. We suggest the use of Esterel language 3, 2] and its associated veri cation tools for describing the implementations and verifying their properties. Esterel has a number of attractive features that come in handy for our purpose. It provides a nice separation between data and control. It o ers a rich set of high level constructs, like preemption, interrupts and synchronous parallelism, that are natural for hardware systems and that enable modular and succinct description of complex controllers. Besides simulation, Esterel descriptions can be rigorously veri ed using the tools Xeve 4] and FcTools 5] . Finally, Esterel programs can be directly translated into hardware.
In this paper we illustrate our approach by developing an Esterel model of the DLX pipelined processor control unit 8] . The model has been debugged using the simulator tool Xes and has been veri ed to satisfy a number of desired properties using the veri cation tools.
Esterel Speci cation of Pipelined Control Unit
The speci cation is based upon the informal description of DLX processor given in 8]. We con ne ourselves to the control unit speci cation; the data path speci cation can be trivially given using a host language like C.
The Main Controller
The execution of an instruction in the DLX processor goes through ve stages: Instruction Fetch (IF), Instruction Decode/Register Fetch (ID), Execution/E ective Address Calculation (EX), Memory Access/Branch Completion (MEM) and WriteBack (WB). The introduction of pipelining leads to increased complexity in design in terms of additional registers and control logic due to various hazards. Pipeline registers are required to store the intermediate values produced by different stages. DLX uses the branch-not-taken prediction scheme and hence to handle the control hazard that occurs when a branch is taken (determined in the EX stage), the instruction in the ID stage must be squashed; the handling of interrupts requires even more complex control logic. Appropriate actions like data forwarding or stalling have to be taken to handle data hazards, for instance when an instruction updates a register or memory location that is read by a subsequent instruction. Figure 1 gives an Esterel module that models a generic pipeline stage of the DLX controller. An Esterel program in general consists of one or more modules. Each module has an input-output interface and reactive code that is executed Esterel possesses a rich set of constructs for describing control. Here we give a very brief explanation of some of these constructs. The statement await S is a simple`wait construct' that delays termination until the signal S is present in the input; await immediate S is a variant which can terminate even in the very rst instant when control reaches the construct. The statement do watching stat S continues to execute stat as long as the signal S is not present; the moment S appears on the input, the whole statement terminates aborting the computation inside stat. The statement suspend stat till S suspends the execution of stat in all reactions in which S is present; execution continues where it got suspended when S is not present. Now we will describe the behavior of the module in Figure 1 . For the sake of simplicity, we have taken the tick signal to de ne the clock of the processor. Suppose the signals Stall and Restart are not present in a reaction, corresponding to the uninterrupted ow of an instruction through the pipeline stages. Then the submodule XX (in the rst branch of the parallel operator within the suspend statement) is executed in the cycle when the local signal Go is present; the Go signal is present in this cycle provided the GoPrev signal was present in the previous cycle (in the second branch of the parallel operator within the suspend statement). At the end of execution of XX, which is assumed to be instantaneous, the module generates GoNext. Suppose that Stall is present in a cycle, representing a hazard in the pipeline stage XX. Then the execution of XX is suspended by the suspend statement and the signal GoNext is not generated; the signal StallPrev is generated (in the second branch of the outer parallel operator). If on the other hand the Restart signal is present, representing an interrupt or a taken branch, then the body of the outer watchdog primitive is killed and the execution is restarted because of the presence of the outer loop construct. This results in the loss of information about the presence of the GoPrev In the module CONTROL, the renaming of the Go The module EX in Figure 4 emits two signals ExOutAdr and ExOutVal, corresponding to the address and value computed by the ALU by operations abstracted by the external functions AluOpAdr and AluOpVal. The presence of the input signal Bypass indicates that there is a data hazard and hence that the inputs to ALU are to be taken through a forwarding process from the output of the EX/MEM pipe stage; in the absence of this signal, the inputs come from the ID/EX pipe stage. The BranchTaken signal indicates a taken branch and triggers the signal WritePCb which writes the new branch address into PC.
The above Esterel model of the DLX processor has abstracted away details about the data path, instruction decoding, alternative actions based on various types of instructions (such as load/store) and hazard detection. This is the reason that the signals Bypass, Restart, BranchTaken and Stall have been modeled as external input signals, rather than being generated internally (by hazard detection units).
Validation using Esterel tools
In this section we outline the validation of the design of the DLX processor control unit using the Esterel simulation tool Xes and veri cation tools Xeve and FcTools. We focus on the micro-properties of the control unit, such as smooth ow of instructions through the pipeline, absence of deadlock, proper issuing of stall and restart instructions, and correct behavior of the pipeline with respect to these signals. We are able to verify that for example, in case of a taken branch (determined in the EX stage) the instruction following the branch (in its ID stage) is restarted or aborted. Similarly, we can verify that a stall signal sent to some stage propagates as a bubble through the pipeline.
The properties veri ed by us are ner than the macro-property veri ed in 7], namely that the pipelined machine has the same e ect on visible state as the sequential one for the same input. The latter property, in its full glory, cannot be veri ed using existing Esterel tools because they deal with only control states. However, the property restricted to control states is still veri able (see the paragraph titled Stall in Section 3.1).
Veri cation
The simple properties of the DLX pipeline controller mentioned above can be veri ed using the Esterel tools Xeve 4] and FcTools 5] . They are veri cation environments for Esterel programs modeled as nite state machines (FSMs) with a user-friendly graphical interface.
The Esterel compiler generates FSMs implicitly in the form of boolean equations with latches. One of the veri cation tasks performed by Xeve is to take an implicit FSM and perform a state minimization using the notion of bisimulation equivalence. Before minimization a set of input /output signals can be hidden. This results in a nondeterministic FSM where some transitions may be labeled by , a hidden internal action. Xeve generates minimized FSMs, that can be further reduced using some abstraction criterion by FcTools and can be graphically explored using the tool ATG.
FcTools is a veri cation tool set for networks of communicating FSMs. Its capabilities include graphical depiction of automata, reduction of automata and veri cation of simple modal properties by observers, counterexample production and visualization.
In our veri cation process the original FSM produced by Xeve had about 1500 states, which after making some irrelevant interface signals local got reduced to 543 reachable states. This was reduced to 16 states and 72 transitions after applying the observational equivalence minimization procedure available in FcTools. Still the automaton could not be inspected due to the large number of transitions. So we used the powerful abstraction technique available in FcTools to further reduce the size of the automaton. An abstraction criterion de nes a new set of action symbols that are regular expressions on the action symbols in the original automaton. The reduction involves abstraction of sequences of old actions into new actions so that the reduced automaton contains only new action symbols; further, certain paths in the original automaton are eliminated, thereby resulting in a small automaton that can be checked easily.
Depending upon the property to be checked, we applied di erent criteria to get small automata which we veri ed with respect to appropriate properties. issued is completed after four cycles in the absence of stalls and branches. The criterion depicted in Figure 5 , de nes four abstract actions pipe, pipec, pipebr and pipecbr which rename the edges satisfying the corresponding regular expressions, eg., pipebr renames any edge in which a branch has been taken and no instruction is completed; in the regular expressions Figure 6 gives the reduced automaton which can be veri ed with respect to the desired property by inspection. For the sake of clarity in the gures, the signals StallIF, IssueNextInstr, and InstrCompleted of the original automaton are renamed as S, I and IC respectively; further the WritePCb signal is treated as being synonymous with BranchTaken for technical reasons.
Stall The property veri ed here is that the StallIF signal stalls the IF stage for a cycle: no instruction is completed four cycles after a StallIF assuming later stages are not stalled or squashed in the intervening period. The abstraction criterion for this is shown in Figure 7 and the reduced automaton in Figure 8 . In the reduced automaton there is no path of length ve starting with a stall or a stallc that ends with a ic or stallc edge. Another interesting thing to note from this automaton is that from every state there is a sequence of`stalls' that leads to the initial state; this property corresponds to the sequential equivalence property of 7] for control states. 
Conclusion
We have proposed the use of Esterel language and tools for veri cation of modern processors. Esterel can be used to describe, in su cient detail and in a modular and succinct way, control units of processors using its rich set of constructs. Complex timing properties of Esterel descriptions can be veri ed using powerful tools.
