We have verified the FM9801, a microprocessor design whose features include speculative execution, out-of-order issue and completion of instructions using Tomasulo's algorithm, and precise exceptions and interrupts. As a correctness criterion, we used a commutative diagram that compares the result of the pipelined execution from a flushed state to another flushed state with that of the sequential execution. Like many pipelined microprocessors, the FM9801 may not operate correctly if the executed program modifies itself. We discuss the condition under which the processor is guaranteed to operate correctly. In order to show that the correctness criterion is satisfied, we introduce an intermediate abstraction that records the history of executed instructions. Using this abstraction, we define a number of invariant properties that must hold during the operation of the FM9801. We verify these invariant properties, and then derive the proof of the commutative diagram from them. The proof has been mechanically checked by the ACL2 theorem prover.
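The following toy model is an added example and is not the FM9801 model or the authors' ACL2 scripts: it shows the shape of the flushed-state commutative-diagram criterion described in the abstract, with a tiny assumed instruction set, an assumed in-order prefetch queue of depth `DEPTH`, a recorded history of committed instructions (standing in for the paper's intermediate abstraction), and a constructed self-modifying program on which the diagram fails. The `stale_fetch` flag is a sufficient condition invented for this toy front end, not the paper's stated condition.

```python
"""Toy illustration of the flushed-state commutative-diagram criterion (added
example; the instruction set and pipeline are assumptions, not the FM9801)."""

DEPTH = 3      # prefetch depth of the toy front end (assumption of this example)
NREGS = 4

def exec_instr(regs, mem, instr):
    """Execute one instruction against (regs, mem) in place; return True on halt."""
    op = instr[0]
    if op == "addi":                 # addi rd, rs, imm    rd := rs + imm
        _, rd, rs, imm = instr
        regs[rd] = regs[rs] + imm
    elif op == "li":                 # li rd, value        (value may be an instruction word)
        _, rd, value = instr
        regs[rd] = value
    elif op == "sw":                 # sw rs, addr         mem[addr] := rs
        _, rs, addr = instr
        mem[addr] = regs[rs]
    elif op == "halt":
        return True
    else:
        raise ValueError(f"unknown instruction {instr!r}")
    return False

def seq_run(regs, mem, pc, steps):
    """Sequential (ISA) reference model: execute `steps` instructions from (regs, mem, pc)."""
    regs, mem = list(regs), list(mem)
    for _ in range(steps):
        halted = exec_instr(regs, mem, mem[pc])
        pc += 1
        if halted:
            break
    return regs, mem, pc

class Pipe:
    """Pipelined model: an in-order prefetch queue feeding a single execute stage."""
    def __init__(self, regs, mem, pc):
        self.regs, self.mem = list(regs), list(mem)
        self.fetch_pc, self.queue = pc, []     # queue holds (addr, instr), oldest first
        self.halted = self.fetch_stopped = False
        self.history = []                      # committed (addr, instr) pairs, oldest first
        self.stale_fetch = False               # a store hit an address already prefetched

    def flushed(self):
        return not self.queue                  # flushed state: no instruction in flight

    def project(self):
        """Map the pipelined state to the ISA-visible (regs, mem, pc) triple."""
        pc = self.queue[0][0] if self.queue else self.fetch_pc
        return list(self.regs), list(self.mem), pc

    def step(self):
        # (1) commit the oldest in-flight instruction
        if self.queue and not self.halted:
            addr, instr = self.queue.pop(0)
            if instr[0] == "sw" and any(a == instr[2] for a, _ in self.queue):
                self.stale_fetch = True        # younger fetched copy is now stale
            self.halted = exec_instr(self.regs, self.mem, instr)
            self.history.append((addr, instr))
        # (2) refill the prefetch queue; the front end stops after fetching a halt
        while not self.fetch_stopped and len(self.queue) < DEPTH:
            instr = self.mem[self.fetch_pc]
            self.queue.append((self.fetch_pc, instr))
            self.fetch_pc += 1
            self.fetch_stopped = instr[0] == "halt"

def check_diagram(regs, mem, pc, max_cycles=100):
    """Run the pipeline from a flushed state until it is flushed again, then compare its
    projection with the sequential model run for len(history) steps.
    Returns (diagram_commutes, stale_fetch_seen)."""
    pipe = Pipe(regs, mem, pc)
    pipe.step()
    cycles = 1
    while not pipe.flushed():
        if cycles >= max_cycles:
            raise RuntimeError("pipeline did not drain")
        pipe.step()
        cycles += 1
    k = len(pipe.history)                      # instructions the pipeline committed
    return pipe.project() == seq_run(regs, mem, pc, k), pipe.stale_fetch

# Constructed sample programs (not taken from the paper).
NEW_INSTR = ("addi", 0, 0, 99)
SELF_MODIFYING = [
    ("li", 1, NEW_INSTR),      # r1 := encoding of "addi r0, r0, 99"
    ("sw", 1, 3),              # overwrite the instruction at address 3
    ("addi", 2, 2, 1),
    ("addi", 0, 0, 5),         # stale version the front end already prefetched
    ("halt",),
]
WELL_BEHAVED = [
    ("addi", 1, 0, 7),
    ("sw", 1, 6),              # store to a data word that is never fetched
    ("addi", 2, 2, 1),
    ("addi", 0, 0, 5),
    ("halt",),
    0, 0, 0,                   # data words at addresses 5..7
]
ZERO_REGS = [0] * NREGS

if __name__ == "__main__":
    for name, prog in (("well-behaved", WELL_BEHAVED), ("self-modifying", SELF_MODIFYING)):
        ok, stale = check_diagram(ZERO_REGS, prog, 0)
        print(f"{name}: diagram commutes={ok}, store hit an in-flight fetch={stale}")
```

For the well-behaved program both machines end with r0 = 5, r1 = 7, r2 = 1, mem[6] = 7 and pc = 5, so the diagram commutes. For the self-modifying program the sequential model executes the rewritten word at address 3 (r0 = 99) while the pipeline commits the copy it prefetched before the store (r0 = 5); the recorded history still gives the right step count k = 5, but the projected states differ, which is exactly the situation the abstract's self-modification caveat excludes.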
Sawada, J., Hunt, W.A. Verification of FM9801: An Out-of-Order Microprocessor Model with Speculative Execution, Exceptions, and Program-Modifying Capability. Formal Methods in System Design 20, 187–222 (2002). https://doi.org/10.1023/A:1014122630277
- formal verification
- theorem prover
- pipelined microprocessor
- out-of-order execution