Verification of FM9801: An Out-of-Order Microprocessor Model with Speculative Execution, Exceptions, and Program-Modifying Capability

Abstract

We have verified the FM9801, a microprocessor design whose features include speculative execution, out-of-order issue and completion of instructions using Tomasulo's algorithm, and precise exceptions and interrupts. As a correctness criterion, we used a commutative diagram that compares the result of the pipelined execution from a flushed state to another flushed state with that of the sequential execution. Like many pipelined microprocessors, the FM9801 may not operate correctly if the executed program modifies itself. We discuss the condition under which the processor is guaranteed to operate correctly. In order to show that the correctness criterion is satisfied, we introduce an intermediate abstraction that records the history of executed instructions. Using this abstraction, we define a number of invariant properties that must hold during the operation of the FM9801. We verify these invariant properties, and then derive the proof of the commutative diagram from them. The proof has been mechanically checked by the ACL2 theorem prover.

Cite this article

Sawada, J., Hunt, W.A. Verification of FM9801: An Out-of-Order Microprocessor Model with Speculative Execution, Exceptions, and Program-Modifying Capability. Formal Methods in System Design 20, 187–222 (2002). https://doi.org/10.1023/A:1014122630277

  • formal verification
  • theorem prover
  • pipelined microprocessor
  • out-of-order execution