Managing Complexity through Abstraction: A Refinement-Based Approach to Formalize Instruction Set Architectures

  • Fangfang Yuan
  • Stephen Wright
  • Kerstin Eder
  • David May
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6991)


Verifying the functional correctness of a processor requires a sound and complete specification of its Instruction Set Architecture (ISA). Current industrial practice is to describe a processor’s ISA informally using natural language often with added semi-formal notation to capture the functional intent of the instructions. This leaves scope for errors and inconsistencies. In this paper we present a method to specify, design and construct sound and complete ISAs by stepwise refinement and formal proof using the formal method Event-B. We discuss how the automatically generated Proof Obligations help to ensure self-consistency of the formal ISA model, and how desirable properties of ISAs can be enforced within this modeling framework. We have developed a generic ISA modeling template in Event-B to facilitate reuse. The key value of reusing such a template is increased model integrity. Our method is now being used to formalize the ISA of the XMOS XCore processor with the aim to guarantee that the documentation of the XCore matches the silicon and the silicon matches the architectural intent.


Proof Obligation Internal Storage Choice Point Program Counter Generic Template 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    International Technology Roadmap for Semiconductors, chap. Design, p. 19 (2009),
  2. 2.
    Abrial, J.R.: The B-book: Assigning Programs to Meanings. Cambridge University Press, New York (1996)CrossRefzbMATHGoogle Scholar
  3. 3.
    Abrial, J.R.: Modeling in Event-B: System and Software Engineering. Cambridge University Press, Cambridge (2010)CrossRefzbMATHGoogle Scholar
  4. 4.
    Abrial, J.R., Butler, M., Hallerstede, S., Hoang, T.S., Mehta, F., Voisin, L.: Rodin: An open toolset for modelling and reasoning in Event-B. STTT 12(6), 447–466 (2010)CrossRefGoogle Scholar
  5. 5.
    ARM Ltd: ARM Architecture Refernce Manual, AMVv7-A and ARMv7-R edn.Google Scholar
  6. 6.
    Azevedo, R., Rigo, S., Bartholomeu, M., Araujo, G., Araujo, C., Barros, E.: The ArchC architecture description language and tools. Int. J. Parallel Program. 33, 453–484 (2005)CrossRefzbMATHGoogle Scholar
  7. 7.
    Bergeron, J.: Writing Testbenches: Functional Verification of HDL Models, 2nd edn. Springer, Heidelberg (2003)CrossRefzbMATHGoogle Scholar
  8. 8.
    Bowen, J.P.: Formal specification and documentation of microprocessor instruction sets. Microprocess. Microprogram 21(1-5), 223–230 (1987)CrossRefGoogle Scholar
  9. 9.
    Chockler, H., Halpern, J.Y., Kupferman, O.: What causes a system to satisfy a specification? ACM Transactions on Computational Logic 9, 1–26 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Fox, A.: A HOL specification of the ARM instruction set architecture. Tech. Rep. UCAM-CL-TR-545, University of Cambridge, Computer Laboratory (June 2001)Google Scholar
  11. 11.
    Fox, A.: An algebraic framework for modelling and verifying microprocessors using HOL. Tech. Rep. UCAM-CL-TR-512, University of Cambridge, Computer Laboratory (March 2001)Google Scholar
  12. 12.
    Fox, A., Myreen, M.: A trustworthy monadic formalization of the ARMv7 instruction set architecture. Interactive Theorem Proving, ITP (2010)Google Scholar
  13. 13.
    Hallerstede, S.: On the purpose of Event-B proof obligations. Formal Aspects of Computing 23(1), 133–150 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Harman, N.A., Tucker, J.V.: Algebraic models and the correctness of microprocessors. In: Proceedings of the IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, pp. 92–108. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  15. 15.
    Hennessy, J.L., Patterson, D.A.: Computer Architecture: A Quantitative Approach, 3rd edn. Morgan Kaufmann, San Francisco (2002)zbMATHGoogle Scholar
  16. 16.
    Jones, R.B., O’Leary, J.W., Seger, C.J.H., Aagaard, M.D., Melham, T.F.: Practical formal verification in microprocessor design. IEEE Design & Test of Computers 18(4), 16–25 (2001)CrossRefGoogle Scholar
  17. 17.
    May, D.: The XMOS XS1 Architecture. XMOS Limited (2009)Google Scholar
  18. 18.
    Medeiros Jr., V., Déharbe, D.: Formal Modelling of a Microcontroller Instruction Set in B. In: Formal Methods: Foundations and Applications: 12th Brazilian Symposium on Formal Methods, pp. 282–289 (2009)Google Scholar
  19. 19.
    Page, D.: CRISP: A Cryptographic RISC Processor,
  20. 20.
  21. 21.
    Wile, B., Goss, J.C., Roesner, W.: Comprehensive Functional Verification. Morgan Kaufmann, San Francisco (2005)Google Scholar
  22. 22.
    Windley, P.J.: Specifying Instruction-Set Architectures in HOL: A Primer. In: Melham, T.F., Camilleri, J. (eds.) HUG 1994. LNCS, vol. 859, pp. 440–455. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  23. 23.
    Wright, S.: Automatic Generation of C from Event-B. In: IM_FMT 2009 Workshop on Integration of Model-based Formal Methods and Tools (February 2009)Google Scholar
  24. 24.
    Wright, S., Eder, K.: Using Event-B to construct instruction set architectures. Formal Aspects of Computing 23(1), 73–89 (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Fangfang Yuan
    • 1
  • Stephen Wright
    • 1
  • Kerstin Eder
    • 1
  • David May
    • 2
  1. 1.Computer Science DepartmentUniversity of BristolBristolUK
  2. 2.XMOS LtdBristolUK

Personalised recommendations