Fig 1 - uploaded by Anna Slobodova
Content may be subject to copyright.

# 1 Floorplan of CN Media Unit

Source publication
Article
Full-text available
We describe the formal methodology we are using to verify components of a commercial 64-bit, x86-compatible microprocessor design at Centaur Technology. This methodology is based on the ACL2 theorem prover. In this methodology, we mechanically translate the RTL design into a formal HDL for which we have an interpreter in ACL2. We use AIG-and BDD-ba...

## Similar publications

Article
Full-text available
Logic can be a powerful tool for reasoning about multiagent systems. First of all, logics provide a language in which to specify properties-properties of an agent, of other agents, and of the environment. Ideally, such a language then also provides a means to implement an agent or a multiagent system, either by somehow executing the specification,...
Article
Full-text available
We give an overview on our approach to symbolic simulation in the PVS theorem prover and to demonstrate its usage in the realm of validation by executing specification on incomplete data. In this way, one can test executable models for a possibly infinite class of test vectors with one run only. One of the main benefits of symbolic simulation in a...
Chapter
Full-text available
Automatic reasoning tools play an important role when developing provably correct software. Both main approaches, program verification and program synthesis employ automated reasoning tools, more specifically, automated theorem provers. Besides classical logic, non-classical logics are particularly relevant in this field. This chapter presents calc...
Conference Paper
Full-text available
The focus of this paper is on reducing the complexity in verification by exploiting modularity at various levels: in specification, in verification, and structurally. For specifications, we use the modular language CSP-OZ-DC, which allows us to decouple verification tasks concerning data from those concerning durations. At the verification level, w...
Thesis
Full-text available
Multiway Decision Graph (MDG) is a canonical representation of a subset of many-sorted first-order logic. It generalizes the logic of equality with abstract types and uninterpreted function symbols. The area of Satisfiability (SAT) has been the subject of intensive research in recent years, with significant theoretical and practical contributions....

## Citations

... However, these methods, as well as SAT Solvers [22], do not scale for automatic verification of more common multiplier architectures, i.e., Wallace-tree like multipliers and Booth Encoding. Their irregular and more advanced structure complicates the process for automatic tools; therefore, verification of industrial designs is carried out mostly manually [10,11,12,21,23]. Recent studies have focused on computer algebra based methods and they have shown significant improvements [5,13,17,18,31]. ...
... However, these methods, as well as SAT Solvers [22], do not scale for automatic verification of more common multiplier architectures, i.e., Wallace-tree like multipliers and Booth Encoding. Their irregular and more advanced structure complicates the process for automatic tools; therefore, verification of industrial designs is carried out mostly manually [10,11,12,21,23]. Recent studies have focused on computer algebra based methods and they have shown significant improvements [5,13,17,18,31]. ...
Preprint
Full-text available
Automatic and efficient verification of multiplier designs, especially through a provably correct method, is a difficult problem. We show how to utilize a theorem prover, ACL2, to implement an efficient rewriting algorithm for multiplier design verification. Through a basic understanding of the features and data structures of ACL2, we created a verified program that can automatically verify various multiplier designs much faster than the other state-of-the-art tools. Additionally, users of our system have the flexibility to change the specification for the target design to verify variations of multipliers. We discuss the challenges we tackled during the development of this program as well as key implementation details for efficiency and verifiability. Those who plan to implement an efficient program on a theorem prover or those who wish to implement our multiplier verification methodology on a different system may benefit from the discussions in this paper.
... Some engineers verify reference designs using mechanized proof systems [20]. Another common analysis method is to decompose a design into smaller parts, reason about these parts separately, and then compose these proofs into a top-level theorem [21]- [23]. Finding a workable decomposition and combining individual proofs of multiplier fragments can be a cumbersome task. ...
Preprint
Full-text available
We have developed an algorithm, S-C-Rewriting, that can automatically and very efficiently verify arithmetic modules with embedded multipliers. These include ALUs, dot-product, multiply-accumulate designs that may use Booth encoding, Wallace-trees, and various vector adders. Outputs of the target multiplier designs might be truncated, right-shifted, or a combination of both. We evaluate the performance of other state-of-the-art tools on verification problems beyond isolated multipliers and we show that our method applies to a broader range of design techniques encountered in real-world modules. Our verification software is verified using the ACL2 theorem prover, and we can soundly verify 1024x1024-bit isolated multipliers and similarly large dot-product designs in minutes. We can also generate counterexamples in case of a design bug. Our tool and benchmarks are available online.
... This approach works only when the reference design is structurally close to the original under verification and relies on the correctness of the reference design and proof maintenance whenever designers make structural changes. Another approach is to find a suitable decomposition of a design into parts that can be verified automatically and compose those results into a top-level theorem [13,15,30]. The drawback of this method is that it requires manual intervention by the verification engineer who decides about the boundaries of the decomposition. ...
... Rewriting with Lemmas 12-17 does not affect the value of f 4 since they are restricted to rewrite terms that contain only the + and − functions, and minterms. For Lemmas 12,13,and 14, x can only be unified with a positive minterm. Therefore, rewriting with these lemmas does not change f 3 . ...
Chapter
Full-text available
The automatic formal verification of multiplier designs has been pursued since the introduction of BDDs. We present a new rewriter-based method for efficient and automatic verification of signed and unsigned integer multiplier designs. We have proved the soundness of this method using the ACL2 theorem prover, and we can verify integer multiplier designs with various architectures automatically, including Wallace, Dadda, and 4-to-2 compressor trees, designed with Booth encoding and various types of final stage adders. Our experiments have shown that our approach scales well in terms of time and memory. With our method, we can confirm the correctness of $$1024\times 1024$$-bit multiplier designs within minutes.
... At Centaur Technology, we have been doing formal verification of execution units-those that perform logical, integer, SIMD integer, and floating-point operations-for over a decade [19,9,14]. Formal methods have proven to be very effective in the validation of data-path intensive designs. With the size of operands in the x86 ISA growing to 512 bits, targeted or random simulations have become inadequate to cover arithmetic and cryptographic units. ...
... In contrast to these approaches, we extended our prior work on the execution unit [19,9] as well as microcode [17] verification, and along with proofs about instruction decoding and composition of uops, are able to prove instruction implementations correct. Notably, the operational semantics of uops provably reflects behavior of the RTL design. ...
Preprint
Verification of modern microprocessors is a complex task that requires a substantial allocation of resources. Despite significant progress in formal verification, the goal of complete verification of an industrial design has not been achieved. In this paper, we describe a current contribution of formal methods to the validation of modern x86 microprocessors at Centaur Technology. We focus on proving correctness of instruction implementations, which includes the decoding of an instruction, its translation into a sequence of micro-operations, any subsequent execution of traps to microcode ROM, and the implementation of these micro-operations in execution units. All these tasks are performed within one verification framework, which includes a theorem prover, a verified symbolic simulator, and SAT solvers. We describe the work of defining the needed formal models for both the architecture and micro-architecture in this framework, as well as tools for decomposing the requisite properties into smaller lemmas which can be automatically checked. We additionally cover the advantages and limitations of our approach. To our knowledge, there are no similar results in the verification of implementations of an x86 microprocessor.
... The formal verification team at Centaur Technology applies formal methods to problems in various stages of the design process, including equivalence checking of transistor level and Register-Transfer Level (RTL) designs. In the area of the RTL verification, we have applied symbolic simulation supported by SAT-based and BDD-based technology to verify execution of individual microoperations in assigned execution units [1][2][3]. All of this verification has been carried out within the ACL2 system [4]. ...
... This said, significant parts of our model do have a strong connection to the real hardware design. In previous work [1][2][3] we described how we have developed an RTL-level verification framework within ACL2, and used it to prove that our execution units for integer, media, and floating point instructions implement desired operations. This previous work means that, for many uops, we have a specification function, written in ACL2, that functionally matches the execution of the uop in a particular unit. ...
Conference Paper
Despite significant progress in formal hardware verification in the past decade, little has been published on the verification of microcode. Microcode is the heart of every microprocessor and is one of the most complex parts of the design: it is tightly connected to the huge machine state, written in an assembly-like language that has no support for data or control structures, and has little documentation and changing semantics. At the same time it plays a crucial role in the way the processor works. We describe the method of formal microcode verification we have developed for an x86-64 microprocessor designed at Centaur Technology. While the previous work on high and low level code verification is based on an unverified abstract machine model, our approach is tightly connected with our effort to verify the register-transfer level implementation of the hardware. The same microoperation specifications developed to verify implementation of teh execution units are used to define operational semantics for the microcode verification. While the techniques used in the described verification effort are not inherently new, to our knowledge, our effort is the first interconnection of hardware and microcode verification in context of an industrial size design. Both our hardware and microcode verifications are done within the same verification framework.
... We use GL to verify x86 execution units [21]. Its ability to solve these problems depends on the performance of its symbolic execution and the capacity of these solvers. ...
Article
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions (like circuits). AIG simplification algorithms can dramatically reduce an AIG, and play an important role in modern hardware verification tools like equivalence checkers. In practice, these tricky algorithms are implemented with optimized C or C++ routines with no guarantee of correctness. Meanwhile, many interactive theorem provers can now employ SAT or SMT solvers to automatically solve finite goals, but no theorem prover makes use of these advanced, AIG-based approaches. We have developed two ways to represent AIGs within the ACL2 theorem prover. One representation, Hons-AIGs, is especially convenient to use and reason about. The other, Aignet, is the opposite; it is styled after modern AIG packages and allows for efficient algorithms. We have implemented functions for converting between these representations, random vector simulation, conversion to CNF, etc., and developed reasoning strategies for verifying these algorithms. Aside from these contributions towards verifying AIG algorithms, this work has an immediate, practical benefit for ACL2 users who are using GL to bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf SAT solver to carry out the proof, instead of using the built-in BDD package. Looking to the future, it is a first step toward implementing verified AIG simplification algorithms that might further improve GL performance.
... In contrast proof assistants are essential to the verification of complex designs and the refinement processes advocated by Johnson (2001), and indeed Intel's Integrated Design and Validation (IDV) system appears to have successfully applied this methodology to their designs (Grundy, Melham, and O'Leary 2006;Seger, Jones, O'Leary, Melham, Aagaard, Barrett, and Syme 2005), though perhaps not as ambitiously as Johnson aspired to. Functional programming techniques underpin all large-scale verification efforts such as the ARM processor models of Fox, Gordon, and Myreen (2010) and the x86-compatible models of Hunt Jr. et al. (2010). ...
Thesis
Knowledge-based programs (KBPs) are a formalism for directly relating agents' knowledge and behaviour in a way that has proven useful for specifying distributed systems. Here we present a scheme for compiling KBPs to executable automata in finite environments with a proof of correctness in Isabelle/HOL. We use Arrows, a functional programming abstraction, to structure a prototype domain-specific synchronous language embedded in Haskell. By adapting our compilation scheme to use symbolic representations we can apply it to several examples of reasonable size.
... The language has a formal semantics, through a deep embedding in the logic of the ACL2 theorem prover. The language has been used in formal functional verification of industrial hardware designs, e.g., in the verification of floating-point units of the VIA Nano TM microprocessor [4]. ...
Conference Paper
We develop a formal tool for speed-path analysis and debug. We encode speed-path requirements in a formal hardware description language providing the semantics of both the functional behavior and timing constraints, and the disciplined use of an SMT solver to analyze speed-path requirements. We are applying our framework for speed-path analysis of several RTL designs from Opencores.
... These approaches have much higher capacity than exhaustive testing. We are using GL heavily at Centaur Technology [17, 11, 10]. So far, we have used it to verify RTL implementations of floating-point addition, multiplication, and conversion operations, as well as hundreds of bitwise and arithmetic operations on scalar and packed integers. ...
Article
Interactive theorem proving requires a lot of human guidance. Proving a property involves (1) figuring out why it holds, then (2) coaxing the theorem prover into believing it. Both steps can take a long time. We explain how to use GL, a framework for proving finite ACL2 theorems with BDD- or SAT-based reasoning. This approach makes it unnecessary to deeply understand why a property is true, and automates the process of admitting it as a theorem. We use GL at Centaur Technology to verify execution units for x86 integer, MMX, SSE, and floating-point arithmetic.