Using positive equality to prove liveness for pipelined microprocessors

Velev, Miroslav N.

doi:10.1109/aspdac.2004.1337588

Cited by 10 publications

(13 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…From Table 1, the previous method for indirect proof of liveness [42] (see Sect. 5) scaled up to the model with a 32-cycle ALU, DLX-ALU32, for which the proof took 2,483 seconds.…”

Section: Resultsmentioning

confidence: 99%

“…The proposed method enables the liveness check for a 5-stage pipelined DLX processor [13] with a 2048-cycle ALU, while producing 4 orders of magnitude speedup for a pipelined DLX with a 32-cycle ALU compared to a previous method for indirect proof of bounded liveness [42] (see Sect. 5).…”

Section: Definition Of Safety and Livenessmentioning

confidence: 99%

“…This section summarizes one of the results from [42]. To avoid the validity checking of the monolithic liveness correctness formula (1), which becomes complex for designs with long pipelines and many features, we can prove liveness indirectly:…”

Section: Indirect Proof Of Livenessmentioning

confidence: 99%

“…Pnueli et al [29] proved the liveness of mutual-exclusion algorithms by deriving an abstraction, and enriching it with conditions that allowed the efficient liveness check in a way that implies the liveness of the original model. A method for indirect proof of liveness for pipelined processors was presented in [42]-see Sect. 5.…”

Section: Related Workmentioning

confidence: 99%

“…Thus, we can abstract each instruction's branch target and direction with an oracle term and an oracle formula, respectively, such that there is a 1-to-1 relation between the instruction and its oracles. This can be done by either extending the Instruction Memory to produce the oracles, or introducing a new uninterpreted function and a new pipelined processors with branch prediction, where the actual branch targets are compared for equality with predicted branch targets in order to correct a branch misprediction, we can use special abstractions that turn the actual and predicted branch targets into p-terms [42].) Hence, a liveness proof based on arbitrary terms for the branch targets and arbitrary formulas for the branch directions will account for any outcome of the branches, and will ensure that the PC will be updated by at least one new instruction after any sequence of instructions executed during n implementation steps.…”

Section: Sketch Of the Proofmentioning

confidence: 99%

See 4 more Smart Citations

Automatic Formal Verification of Liveness for Pipelined Processors with Multicycle Functional Units

Velev¹

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Previous work on microprocessor formal verification has almost exclusively addressed the proof of safety-that if a processor does something during a step, it will do it correctly-as also observed in [2], while ignoring the proof of liveness-that a processor will complete a new instruction after a finite number of steps. Several authors used theorem proving to check liveness [15] Functional units in recent state-of-the-art processors usually have latencies of up to 20 -30 cycles, and rarely up to 200 cycles, but it is expected that the memory latencies in next generation high-performance designs will reach 1,000 cycles [13]. Thus, the need to develop automatic techniques to prove the liveness of pipelined processors where the functional units can have latencies of up to thousands of cycles.In the current paper, the implementation and specification are described in the highlevel hardware description language HDL [46], based on the logic of Equality with Uninterpreted Functions and Memories (EUFM) [7]. In EUFM, word-level values are abstracted with terms (see Sect. 4) whose only relevant property is that of equality with other terms. Restrictions on the style for describing high-level processors [35][36] reduced the number of terms that appear in both positive and negated equality comparisons-and are so called g-terms (for general terms)-and increased the number of http://www.ece.cmu.edu/~mvelev mvelev@ece.cmu.eduAbstract. Presented is a highly automatic approach for proving bounded liveness of pipelined processors with multicycle functional units, without the need for the user to set up an inductive argument. Multicycle functional units are abstracted with a placeholder that is suitable for proving both safety and liveness. Abstracting the branch targets and directions with arbitrary terms and formulas, respectively, that are associated with each instruction, made the branch targets and directions independent of the data operands. The observation that the term variables abstracting branch targets of newly fetched instructions can be considered to be in the same equivalence class, allowed the use of a dedicated fresh term variable for all such branch targets and the abstraction of the Instruction Memory with a generator of arbitrary values.To further improve the scaling, the multicycle ALU was abstracted with a placeholder without feedback loops. Also, the equality comparison between the terms written to the PC and the dedicated fresh term variable for branch targets of new instructions was implemented as part of the circuit, thus avoiding the need to apply the abstraction function along the specification side of the commutative diagram for liveness. This approach resulted in 4 orders of magnitude speedup for a 5-stage pipelined DLX processor with a 32-cycle ALU, compared to a previous method for indirect proof of bounded liveness, and scaled for a 5-stage pipelined DLX with a 2048-cycle ALU.Miroslav N. Velev D.

show abstract

“…From Table 1, the previous method for indirect proof of liveness [42] (see Sect. 5) scaled up to the model with a 32-cycle ALU, DLX-ALU32, for which the proof took 2,483 seconds.…”

Section: Resultsmentioning

confidence: 99%

Section: Definition Of Safety and Livenessmentioning

confidence: 99%

Section: Indirect Proof Of Livenessmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Sketch Of the Proofmentioning

confidence: 99%

See 3 more Smart Citations

Automatic Formal Verification of Liveness for Pipelined Processors with Multicycle Functional Units

Velev¹

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Correct Hardware Design and Verification Methods

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Collection : Lecture Notes in Computer Science , Vol. 3725; ISBN : 978-3-540-29105-3This book constitutes the refereed proceedings of the 13th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, CHARME 2005, held in Saarbrücken, Germany, in October 2005. The 21 revised full papers and 18 short papers presented together with 2 invited talks and one tutorial were carefully reviewed and selected from 79 submissions. The papers are organized in topical sections on functional approaches to design description, game solving approaches, abstraction, algorithms and techniques for speeding (DD-based) verification, real time and LTL model checking, evaluation of SAT-based tools, model reduction, and verification of memory hierarchy mechanisms

show abstract

Automatic Formal Verification of RISC-V Pipelined Microprocessors with Fault Tolerance by Spatial Redundancy at a High Level of Abstraction

Velev

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Using positive equality to prove liveness for pipelined microprocessors

Cited by 10 publications

References 33 publications

Automatic Formal Verification of Liveness for Pipelined Processors with Multicycle Functional Units

Automatic Formal Verification of Liveness for Pipelined Processors with Multicycle Functional Units

Correct Hardware Design and Verification Methods

Automatic Formal Verification of RISC-V Pipelined Microprocessors with Fault Tolerance by Spatial Redundancy at a High Level of Abstraction

Contact Info

Product

Resources

About