Mark Bickford

Formal verification of a pipelined microprocessor

The application of modern functional languages and supporting verification technology to a scaled-down but realistic microprocessor is described. The model is of an infinite stream of machine instructions consuming an infinite stream of interrupt signals and is specified at two levels: instruction and hardware design. A correctness criterion is stated for an appropriate sense of equivalent behavior of these levels and proved using a mechanically supported induction argument. The functional-language-based verification system Clio and the Mini Cayuga microprocessor are described. The formal specification and verification process are examined in detail.<<ETX>>

Verification of a Pipelined Microprocessor Using Clio

Clio is a system for verifying properties of expressions written in Caliban, a higher-order polymorphic strongly-typed lazy functional language akin to Turners Miranda. Clio was designed for verifying each step in the implementation of a program: the specification, the high-level language, the assembly language, the microcode, and the hardware. This paper describes the use of Clio for verifying the correctness of an instruction pipelined microprocessor design. The abstract and the realization levels of behavior of the processor are modeled as infinite streams. The abstract specification describes the behavior in terms of a suitably chosen programmers model of the processor. A realization specification gives a description of the design of the processor by describing the activities that happen in the circuit over a single microcycle. We develop a general criterion of correctness to relate the two levels which is verified using a form of fixed-point induction.

Composable specifications for asynchronous systems using UNITY

Using UNITY as a model for asynchronous hardware systems, we give a generic specification of a device that obeys a four phase protocol. The specification is general enough to allow devices with bundled data as well as dual-rail coded ports, and two phase signalling can be seen as a special case. We give a generic implementation of a function cell and show that A. Martins Adder cell is an instance. Finally, we prove two composition theorems that allow four phase devices to be combined into larger four phase devices. All stated theorems were checked using a mechanical theorem prover and we give complete definitions for all the concepts used in the generic specification.

Formal verification of microprocessors

A general method is presented for formally verifying the correctness of microprocessor designs. The abstract-level specification of the processor defines the effect of every instruction in terms of a suitably chosen programmer model of the processor. The concrete-level specification describes the design of the processor at a synchronous level by defining the behavior over a single microcycle. A general criterion of correctness to relate the two levels of behavior of the processor is developed. An application of the method to a simple processor, Simple, and a larger realistic processor, MiniCayuga, which uses instruction pipelining, is presented. Both designs are completely verified using an applicative-language-based verification system Clio.<<ETX>>