8 research outputs found

    Decomposing the proof of correctness of pipelined microprocessors

    Technical report. We present a systematic approach to decompose and incrementally build the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. In addition to avoiding the term-size and case explosion that can happen for deep and complex pipelines during flushing, and helping to localize errors, our method can also handle stages with iterative loops. The technique is illustrated on pipelined as well as superscalar pipelined implementations of a subset of the DLX architecture.

    A Systematic Methodology for Verifying Superscalar Microprocessors

    We present a systematic approach to decompose and incrementally build the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function by using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. In addition to avoiding the term-size and case explosion problem that limits the pure flushing approach, our method helps localize errors, and also handles stages with iterative loops. The technique is illustrated on pipelined and superscalar pipelined implementations of a subset of the DLX architecture. It has also been applied to a processor with out-of-order execution.

    Cache Coherency Verification for Avalanche

    Introduction. This project is about verifying the cache coherency of the Avalanche migratory cache protocol [1]. The verification is performed in a manner similar to the FLASH cache coherency verification by Park and Dill [2]. The rest of the report is organised as follows: we describe the general verification methodology in section 2, followed by a section on the Avalanche migratory protocol. Section 4 describes the specifics of this project and section 5 gives the conclusions. 2 Verification Methodology. The verification method [2] begins with two state graphs, one for the implementation and one for the specification, and attempts to establish a correspondence between these two graphs. Specifically, let Q denote the set of all implementation states and F denote the set of all implementation transitions. We similarly have Q' and F' denoting the specification state sets and specification stat

    A proof of correctness of a processor implementing Tomasulo's algorithm without a reorder buffer

    The Completion Functions Approach was proposed in [HSG98] as a systematic way to decompose the proof of correctness of pipelined microprocessors. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect (on the observables) of completing the instruction. However, its applicability depends on the fact that the implementation "commits" the unfinished instructions in the pipeline in program order. In this paper, we extend the completion functions approach to the case when this is not true and demonstrate it on an implementation of Tomasulo's algorithm without a reorder buffer. The approach leads to an elegant decomposition of the proof of the correctness criterion, does not involve the construction of an explicit intermediate abstraction, makes heavy use of an automatic case-analysis strategy based on decision procedures and rewriting, and addresses both safety and liveness issues.