Our objective in this dissertation is to demonstrate that we can formally verify a microprocessor model with complex control mechanisms. For the purpose of this research, we designed a new microprocessor model called FM9801, which is a pipelined microprocessor with a number of performance-oriented features: out-of-order issue and completion of instructions using Tomasulo's algorithm, speculative execution with branch prediction, memory optimizations such as load-bypassing and load-forwarding, precise exceptions and interrupts, and context switching between supervisor/user mode.
The verification of a pipelined microprocessor is not as simple as the verification of a non-pipelined microprocessor, because the pipelined machine starts the execution of an instruction before completing a previous one. In some cases, a pipelined implementation may execute instructions out of program order or execute them speculatively. The difference in the style of execution between the ideal sequential model and actual implementations makes it difficult to verify or even state the correctness of pipelined microprocessor designs. In this talk, we address what we mean by the ``correct'' pipelined implementations.
Our verification techniques for the FM9801 is the main topic of this
dissertation. One key idea in our approach is the use of the MAETT
intermediate abstraction, which is a list of instructions executed by our
pipelined microprocessor implementation. Using this abstraction,
we were able to directly reason about the executed instructions, which
in turn permitted the verification of the entire microprocessor model.
We have verified the FM9801 in two steps. In the first step, we
verified an invariant condition defined on the MAETT abstraction.
In the second step, we used the verified invariant as an assumption and
proved our correctness criterion. We will discuss how this will decompose
the verification problem both temporally and spatially. The FM9801 verification
is mechanically checked with the ACL2 theorem prover.
Compact Version (PS file, PDF file) I recommend downloading this version. This version is approximately 200 pages. The missing part is Appendix D containing the ACL2 scripts for the FM9801 verification, which is available on line.
Full Version (Gzipped
PS file, Gzipped
PDF file) The entire dissertation with approximately 1200 pages.
I recommend viewing the file with a previewing tool before printing or
downloading the compact version.