Verification of an implementation of Tomasulo's algorithm by compositional model checking

  • K. L. McMillan
Regular Papers
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1427)


An implementation of an out-of-order processing unit based on Tomasulo's algorithm is formally verified using compositional model checking techniques. This demonstrates that finite-state methods can be applied to such algorithms, without recourse to higher-order proof systems. The paper introduces a novel compositional system that supports cyclic environment reasoning and multiple environment abstractions per signal. A proof of Tomasulo's algorithm is outlined, based on refinement maps, and relying on the novel features of the compositional system. This proof is fully verified by the SMV verifier, using symmetry to reduce the number of assertions that must be verified.



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • K. L. McMillan, Cadence Berkeley Labs, Berkeley
