 (programmer-visible) 
Simulation: Applicability
Qualities of simulation as a correspondence notion:
Very generic and well-studied correspondence notion.
Provides guarantees on (infinite) execution via single-step theorems.
Hierarchically composible:
-If simulates , and simulates , then simulates .
For microprocessor verification, simulation and its variants are typically used to verify non-pipelined machines.
Simulation for Microprocessors
We typically define a simulation relation by projecting the programmer-visible components. We cannot specify such a simple simulation if MA is pipelined:
When an instruction is completed in MA, some subsequent instruction has already been partially executed.
ISA completes each instruction atomically in every step.
Different notions of correspondence are used for pipelined machines [ACDJ] :
Comparisons at flush point.
Comparisons based on stuttering simulation and bisimulation.
Flush the pipeline by completing all in-flight instructions but without fetching any new one.
Project the programmer-visible components of the flushed state. Burch and Dill (and its variants) have been used for verification of practical pipelines [SW, HSG] .
The flush signal of the pipeline is used to map MA state to ISA state.
Verification can be typically achieved by symbolic simulation on MA.
Problems:
Hierarchical composition is difficult.
Further, Manolios [Man] shows variants of Burch and Dill notion are flawed.
Stuttering Bisimulation
A stuttering bisimulation (WEB) correspondence can be shown between pipelined MA and ISA [Man] .
Shows that MA and ISA have the same observable behavior up to finite stuttering.
Preserves both safety and liveness properties.
Applicable to deterministic and non-deterministic machines.
Can be hierarchically composed.
Our Objectivē
Flush point correspondences have been widely used to verify pipelined machines.
Stuttering (bi)simulation is more satisfactory (and useful) as a correctness criterion.
Can we set up a correspondence framework so that when some flush-point correspondence is proven, we can derive a simulation-type theorem? 
Outlinē

Stuttering Simulation
We use stuttering simulation with one-sided stutter as our correctness criterion.
The ISA is allowed finite stutter. MA never stutters.
-If some instruction is completed at the current step by MA, then ISA matches the step, otherwise ISA stutters. -Finiteness of stuttering is guaranteed by arguments based on well-foundedness.
Our notion is a (restricted) variant of WEBs [Man] .
Basic Approach
We will show how to overlay a flush-point proof to determine stuttering simulation.
We will show how to overlay a flush-point proof to determine stuttering simulation. We will show how to overlay a flush-point proof to determine stuttering simulation. We will show how to overlay a flush-point proof to determine stuttering simulation. What is a witnessing State?
For a current state MA, the witnessing state is one that has been encountered in the past.
The witnessing state is one in which the instruction next to commit in MA was entering the pipeline.
How do we get such a state, and how do we use it to show stuttering simulation?
A Simple Example
Consider a trivial pipelined machine and the corresponding ISA. 
Witnessing State
The machine must have encountered a state in the past when instruction ¼ was about to enter the pipeline. That state is the witnessing state. But the second one is merely one step away from the first one! The "trick" was to flush from the witnessing state rather than from MA.
How do we find the witnessing state given some state MA?
Constructing the witnessing state requires keeping track of history of execution.
-But, the following predicate is an invariant of MA:
£ witness-exists´MAµ
We can specify the simulation relation using the Skolemization of this predicate as our witnessing state.
Outlinē
Microprocessor Correctness 
Elaborate Pipelines
The central step is to find the witnessing state. We can do this for:
Arbitrary but finite stalls
Interrupts
Out-of-order execution with in-order commit
We cannot handle:
Multiple-instruction commit Out-of-order commit
Stalls
If a pipeline is stalled, then no instruction enters the pipeline at that state. In this case, the machines are non-deterministic.
We have not analyzed machines with nested interrupts.
Out-of-order Execution
We can only deal with out-of-order execution when:
instructions enter the pipeline and are committed in program order, and at most one instruction is committed in one step.
To find the witnessing state, we need to find the next instruction to be committed.
This can be done by symbolic simulation of the pipeline forward.
Multiple Instruction Commit
If MA commits multiple instructions in one step, then we cannot handle such a pipeline.
ISA executes only one instruction in each step.
-There is no simulation relation such that ISA simulates MA.
We will need to change the ISA so that it can execute a sequence of instructions in each step.
Theorem proving
All the proofs have been done with the ACL2 theorem prover.
We use ACL2's encapsulation feature to verify generic pipelines.
-We can encapsulate the functionality of the different components that are visible to both MA and ISA, and only reason about the control flow. -We can instantiate such generic proofs with concrete pipeline implementations.
The applicability of the method depends on the efficiency of flush-point proofs.
Outlinē
Microprocessor Correctness We have not applied the approach to verify large practical pipelines.
-All our proofs are on toy examples.
-We are planning to verify a substantial pipeline module of a microprocessor. -The main complexity in such a verification is anticipated to be on:
£ Determination of witnessing states. £ Doing the flush-point proof.
We are working on handling more advanced out-of-order features.
-A plausible (but not tested) approach is described in the paper.
Conclusion
We have shown how to derive stuttering simulation proofs of pipelines.
-We verify a flush-point proof -Use quantification and Skolemization to derive a simulation relation.
An expressive logic is imperative for doing this.
Our approach works for generic pipelines.
-The generic proof can be instantiated by concrete pipelines.
In this (and other) verification efforts, we have found quantification extremely helpful.
-The witnessing state cannot be defined constructively without sufficient history variables and definition of complicated invariants.
