Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach

1. Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach Ravi Hosabettu (Univ. of Utah) Mandayam Srivas (SRI International) Ganesh Gopalakrishnan (Univ. of Utah)

2. Motivation • Pipelined processor verification • Increasingly complex designs • Need for formal verification • Theorem provers • Focus on the relevant aspects only • To verify large, complex designs: • Automation • Decomposition

3. Problem Definition • Need a verification methodology that • Is amenable to decomposition • Uses decision procedures • Solution: Completion Functions Approach

4. RF What are Completion Functions? • Desired effect of retiring an unfinished instruction in an atomic fashion C_b c a b

5. Abstraction Function • Need to define an abstraction function • Flushing the pipeline • Our idea: Define abstraction function as a Composition of Completion Functions Impl. Machine Step Spec. Machine Step

6. C_a C_b C_c c a b L_ab Abs. fn = C_ao C_bo C_c One VC is: C_a == L_abo C_b RF Main Features • Decomposition into verification conditions • Generated systematically & discharged often automatically

7. Main Features Continued • Incremental verification • No explicit intermediate abstraction • Methodology implemented in PVS • Three examples (CAV98) • DLX • Dual issue DLX • Out-of-order execution example

8. DB c a b EU RF RTT RB RF New Issues for OOO

9. Completion Functions Approach for OOO • Instructions in a few possible states • Parameterized completion function • Recursive abstraction function • Proof decomposition is based on “instruction-state transitions” • Liveness issues addressed

10. Outline of the Presentation • The implementation model • Proof of correctness • Correctness criterion • Liveness proof • Related work and conclusions

11. Processor Model DB EU1 EUm RF RTT RB

12. The Completion Function Action_issued Action_dispatched DB EU1 Action_executed RF rbi RB Action_writtenback

13. Correctness Criterion A_step/ Abstraction Abstraction I_step impl_st

14. Recursive Abstraction Function RF RB rbi head tail Abs. fn = Complete_till(head)

15. General Verification Condition RF q D I E D W I Same next(q) E I W E W D RF

16. Instruction-state Transitions Not Disp? Not Exec? Not Wback? Not Retire? I E W D Disp? Exec? Wback? Retire?

17. Establishing the General Verification Condition Action_dispatched q D I D E W I Same effect on RF next(q) E I E W W D Action_executed

18. I E W D RF N Overall Proof Decomposition ISA specification

19. Feedback Logic • Feedback logic correctness: A = B Read RF C_2 B C_1 i 2 1 A Feedback logic

20. Invariants Needed • Feedback logic invariant • Exclusiveness & exhaustiveness • Instruction-state properties

21. PVS Proof Statistics • Proof strategies • Induction obligations: Very similar strategy • Rewrite rules & other obligations: Automatic • Invariants: No uniform strategy • Manual effort • 1 week of planning & discussions • 12 person days of “first time” effort • 1050 seconds on 167MHz UltraSparc

22. Liveness Properties • Two liveness properties • Eventually the processor gets flushed • Eventually a new instruction is executed • Again based on “Instruction-state transition” diagram

23. Not Disp? Not Exec? Not Wback? Not Retire? I D E W Disp? Exec? Wback? Retire? Liveness Proof Scheduler

24. Related Work • Jones, Skakkebaek & Dill - FMCAD98 • Pnueli & Arons - FMCAD98 • Sawada & Hunt - CAV98 • McMillan - CAV98

25. Conclusions • Well suited for verifying a processor with reorder buffer • Proved the correctness of Tomasulo’s algorithm with no reorder buffer: CHARME99

26. Work in Progress • A processor with exceptions & speculative execution • Substantial progress made • Mechanizing the liveness proofs • Bring the methodology closer to practice • Bridging the model gap • More automated decision procedures • Integration into the design process