

59515

### N96-10031

### The Formal Verification Used for the AAMP5 and AAMP-FV

It is becoming increasingly evident within the VLSI design industry that the complexity of many current hardware designs is outstripping the capability of traditional simulation-based tools to adequately verify them. This situation was well-illustrated by the recent floating point bug discovered in Intel's Pentium processor. The industry is beginning to look at formal verification as a technological alternative to simulation for obtaining higher assurance than is currently possible.

Recently, SRI International and Collins Commercial Avionics, a division of Rockwell International, undertook a project to explore how formal techniques for specification and verification could be introduced into an industrial process. The project, sponsored by the Systems Validation Branch of NASA Langley and Collins Commercial Avionics, consisted of specifying in the PVS language a portion of a Rockwell proprietary microprocessor, the AAMP5, at both the instruction set and register-transfer levels and using the PVS interactive proof-checker to show that the microcode correctly implemented the specified behavior for a representative subset of instructions.

The main goal of the project was two-fold: First, to investigate the feasibility of formally specifying and verifying a complex commercial microprocessor that was not expressly designed for formal verification. Second, to explore effective ways to transfer the technology to an industrial setting. The choice of the AAMP5 satisfied the first goal since the AAMP5 was not designed for formal verification, but to provide a more than threefold performance improvement while remaining object-code-compatible with the earlier AAMP2, which is used in numerous avionics applications, including the Boeing 737, 747, 757, and 767.

To satisfy the technology transfer objective, we had to develop a suitable verification methodology and a formal infrastructure to make the technology usable by practicing engineers. This infrastructure includes techniques for decomposing the microprocessor verification problem into a set of verification conditions that the engineers can formulate and strategies to automate the proof of the verification conditions. The development of the infrastructure was one of the key accomplishments of the project. Most of the infrastructure and methodology are general enough to be reused for other microprocessors, certainly in the verification of another member of the AAMP family. This methodology was used to formally specify the entire microarchitecture and more than half of the instruction set and to verify a core set of eleven AAMP5 instructions representative of several instruction classes. However, the methodology and the formal machinery developed are adequate to cover most of the remaining AAMP5 instructions. Although PVS was the vehicle of the experiment, the methodology is applicable to other sufficiently powerful theorem provers.

Another key result of the project was the discovery of both actual and seeded errors. Two actual microcode errors were discovered during development of the formal specification, illustrating the value of simply creating a precise specification. Both were specific to the AAMP5 and were corrected before first fabrication. Two additional errors seeded by Collins in the microcode were systematically uncovered by SRI, who knew that bugs had been seeded, but not their location or identity, while doing correctness proofs. One of these was an actual error that had been discovered by Collins after first fabrication but left in the microcode provided to SRI. The other error was designed to be unlikely to be detected by walk-throughs, testing, or simulation.

Steve Miller's talk earlier in the workshop, gave an overview of the AAMP5 project emphasizing the technology transfer process with its administrative and managerial aspects. This talk describes the technical approach used in verifying the AAMP5. Please refer to Steve Miller's slides for the AAMP5 design figures.

PRECEDING PAGE BLANK NOT FILMED

INTENTIONALLY BLANK

The Formal Verification Technology Used for the AAMP5 and AAMP-FV\*

Mandayam Srivas

**Computer Science Laboratory** 333 Ravenswood Avenue (http://www.csl.sri.com) Menlo Park, CA 94025 (srivas@csl.sri.com) SRI International

\*Joint work with Steve Miller, Rockwell International, Collins Commercial Avionics, Cedar Rapids, Iowa 52498

-

2

**Organization of the Talk** 

- Overview of AAMP5 Processor
- What did we verify?
- How did we manage complexity of verification?
- Mechanization of proofs
- Conclusions

The Stack Memory Model

Macromachine Specfication

ADD\_lemma\_1: LEMMA

LET X = current\_data\_env(st)(tos(st)+1),

Y = current\_data\_env(st)(tos(st))

IN current\_opcode(st) = ADD & NOT arith\_update.exception(st) => normal\_macro\_machine.next\_macro\_state(st) =

st WITH [(dmem)(word2denv(denv(st)))(tos(st)+1) := X + Y, (pc) := pc(st) + 1,

(tos) := tos(st) + 1]

1

|                                                                                                                                | DPU Environment Assumptions                                                                                |
|--------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| DPU Environment Assumptions                                                                                                    | <ul> <li>"If RDY is true then decoded outputs presented by the I FU</li> </ul>                             |
| <ul> <li>"If RDY is false then RDY will eventually become true provided<br/>the DPU obeys its end of the protocol."</li> </ul> | correspond to the instruction stored at the PC presented by the LFU."                                      |
| CLR_RDY_wait: AXIOM                                                                                                            |                                                                                                            |
| NOT RDY(t) & normal_fetching(t) & CLR_RDY?(NCO(t)) =>                                                                          |                                                                                                            |
| (EXISTS (t1   t1 > t):                                                                                                         | % Invariant constraints on the outputs when LFU is RDY                                                     |
| <pre>stays_same(NCO(t))(t, t1) =&gt;</pre>                                                                                     | RDYinv: AXIOM                                                                                              |
| stays_same(RDY)(t, t1-1) & RDY(t1) &                                                                                           | RDY(t) =>                                                                                                  |
| normal_fetching(t1) &                                                                                                          | <pre>LET opcode = opcode_at(CENV(t), DP(t), CODE_MEMORY(t))</pre>                                          |
| DP(t1) = DP(t)+length_of_instruction(opcode) )                                                                                 | IN EP(t) = EP_ROM(opcode) & (has_imm_data(opcode)                                                          |
|                                                                                                                                | => IM(t) = first_unit_of_imm_data(t))                                                                      |
|                                                                                                                                |                                                                                                            |
| ۵                                                                                                                              | v                                                                                                          |
|                                                                                                                                |                                                                                                            |
|                                                                                                                                |                                                                                                            |
|                                                                                                                                |                                                                                                            |
| Sample Register-Transfer Level Specification                                                                                   | Other Microprocessor Verification Efforts                                                                  |
| $SVax$ : AXIOM $SV(t+1) = IF DHLD(t) THEN SV(t) ELSE NEXT_SV(t) ENDIF$                                                         | <ul> <li>FM8501 [Hunt: 1986]</li> </ul>                                                                    |
| SV1ax: AXIOM SV1(t+1) = IF DHLD(t) THEN SV1(t) ELSE SV(t) ENDIF                                                                | <ul> <li>Viper [Cohn: 1988]</li> <li>Tamarack [Joyce: 1988]</li> </ul>                                     |
| TVax: AXIOM TV( $t+1$ ) = IF DHLD( $t$ ) THEN TV( $t$ ) ELSE NEXT_TV( $t$ ) ENDIF                                              | <ul> <li>MiniCayuga [Srivas &amp; Bickford: 1990]</li> <li>Saxe's Pipeline [Saxe. et. al. 1991]</li> </ul> |
| TV1ax: AXIOM TV1(t+1) = IF DHLD(t) THEN TV1(t) ELSE TV(t) ENDIF                                                                | DLX pipeline [Burch & Dill: 1993]     Inlitta [Windlew: 1994]                                              |
| END SVTVpipeline_axioms                                                                                                        |                                                                                                            |
|                                                                                                                                |                                                                                                            |
|                                                                                                                                |                                                                                                            |

~



- Abstraction function (ABS)
- Visible state

# Complications posed by AAMP5

- Pipelining
- Autonomous prefetch and data transfers
- The "stack cache" abstraction





- Abstraction function must be suitably "skewed"
- Length of instruction cycle can be idefinite not necessarily a function of the current visible state



10

6



T

| Formal Correctness Statement                    | <pre>commuting_property: LEMMA visible_state(t) &amp; proper_instrns_in_pipe(t)     &amp; no_logical_stack_overflow(t)</pre>                                                                                                                                                                                                                                                                                                                                                                                              | 5 | General Verification Conditions<br>• dhld.lemma:<br>"NOT DHLD ⇒<br>> (DHLD & macrostate unchanged)"<br>> (DHLD & macrostate unchanged)"<br>• [FU.not.rdy.lemma:<br>"NOT RDY ⇒<br>> (RDY & next instruction moves in)"<br>• (RDY & next instruction moves in)"<br>• (RDY & mext instruction moves in)"<br>• (entry.condition.met & macrostate unchanged"                                                                                                                                                                                                                      | 16 |
|-------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Specializing Correctness Criterion to the AAMP5 | <ul> <li>Visible state:</li> <li>The first microinstruction of the <i>current</i> macroinstruction is loaded into MC0 (microregister)</li> <li>The current (compute-stage) instruction is guaranteed to advance</li> <li>The previous (write-stage) instruction in the pipeline is guaranteed to complete in the next cycle</li> <li>Abstraction function</li> <li>A projection function except for data memory</li> <li>The data memory at the macro level is real memory with the overlaid "stack registers"</li> </ul> | ξ | <ul> <li>Our Approach to the Verification Task</li> <li>Incremental verification: Structure it so as to o get early feedback o Collins staff can participate in the proof process</li> <li>Collins staff can participate in the proof process</li> <li>Abstract the DPU environment: A set of "rely-guarantee" assertions characterizing the interactions for the DPU with the other units.</li> <li>Decompose the proof into o an automatic part: <i>instruction-specific verification conditions</i></li> <li>interactive part: general verification conditions</li> </ul> | 15 |

TO\_correctness: LEMMA

visible\_state\_with(ADD)(t) & SysInv(t) =>
T0(t+2) =
(sign\_extend[16](48)(ith\_top\_of\_scache(t+1)(1))
+ sign\_extend[16](48)(ith\_top\_of\_scache(t+1)(0)))^((15,0))

i: VAR below[10]
REG\_correctness: LEMMA
visible\_state\_with(ADD)(t) & SysInv(t) =>

REG(t + 2)(i) = REG(t + 1)(i)

17

18

### The Core Startegy Used

For proving theorems of the form:

"Precond(s0)  $\Rightarrow f(s0) = g(E^i(s0))$ , for some constant i"

- Rewrite expressions in the theorem using the functions in the design specification as auto-rewrite rules. ((repeat (do-rewrite)))
- "Lift" all the if-then-else structures to the topmost level ((repeat (lift-if)))
- Simplify using a BDD simplifier, arithmetic, and other decision procedures along with using a library of bit-vector properties as auto-rewrite rules.

((then\* (bddsimp) (assert)))

Mechanization of proofs of Verification Conditions

Overview of PVS

Our core hardware strategy

## Mechanization overview

- Instruction-specific VCs: Core hardware strategy
- General VCs: Inductions with core strategy for the base and inductive steps.
- Main correctness theorem: Chaining of VCs with intructionspecific VCs, definition of abstraction function, and macro specification used as rewrite rules.

### Conclusions

- Is commercial processor verification technically feasible? Yes, if carefully planned and executed.

  - Can practicing engineers use this technology? Yes, with appropriate training and expert help.
    - Is it "cost-effective" ?