Results of the Veri cation of a ComplexPipelined

Using a theorem prover, we have veriied a microprocessor design, FM9801. We deene our correctness criterion for processors with speculative execution and interrupts. Our veriication approach deenes an invariant on an intermediate abstraction that records the history of instructions. We veriied the invariant rst, and then proved the correct-ness criterion. We found several bugs during the veriication process. 1 FM9801 and Correctness Criterion We argue that even complex microprocessor design can be formally veriied. As an evidence of our claim, we have mechanically veriied our FM9801 microprocessor design. It has various features such as out-of-order issue and completion of instructions with Tomasulo's algorithm, speculative execution with branch prediction, precise handling of internal exceptions and external interrupts, and supervisor/user modes. The FM9801 is formally speciied in the ACL2 logiccKM96] at the instruction-set architecture (ISA) level and the microarchitecture (MA) level. These formal deenitions are publicly available along with the FM9801 veriication scriptssSaw]. The ISA sequentially executes instructions. Its behavior is speciied with function ISA-step(ISA; intr), which returns the ISA state after executing one instruction from state ISA, with interrupt signal intr. The MA is a clock cycle accurate model of the pipelined hardware design. Its behavioral function MA-step(MA; sigs) returns the MA state after one clock cycle of execution with external signals sigs. We deene ISA-stepn(ISA; intr-list; m) as the recursive function that repeatedly applies the next state function ISA-step to state ISA m times, where intr-list is a list of interrupt signals for each execution step. Similarly, we de-ne MA-stepn(MA; sig-list; n) as n applications of MA-step with a list of signals sig-list. Projection function proj(MA) returns the ISA state consisting of the program counter, the register le, and the memory in MA. Our correctness criterion is whether our machine designs satisfy the commu-tative diagram shown in Fig. 1. For an arbitrary initial MA state MA 0 , a list of signals sig-list, and a natural number n, if the initial state MA 0 and the nal state MA n = MA-step(MA 0 ; sig-list; n) are both pipeline ushed states, then proj(MA-stepn(MA 0 ; sig-list; n)) = ISA-step(proj(MA 0); intr-list; m) should hold for an appropriate list of interrupt signals intr-list and a natural number m. We additionally assume that the executed program does not modify itself.