A Framework for Microprocessor Correctness Statements

  • Mark D. Aagaard
  • Byron Cook
  • Nancy A. Day
  • Robert B. Jones
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2144)


Most verifications of out-of-order microprocessors compare state-machine-based implementations and specifications, where the specification is based on the instruction-set architecture. The different efforts use a variety of correctness statements, implementations, and verification approaches. We present a framework for classifying correctness statements about safety that is independent of implementation representation and verification approach. We characterize the relationships between the different statements and illustrate how existing and classical approaches fit within this framework.





Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Mark D. Aagaard (1)
  • Byron Cook (2)
  • Nancy A. Day (3)
  • Robert B. Jones (4)
  1. Electrical and Computer Engr., University of Waterloo, Waterloo, Canada
  2. Prover Technology, Portland, USA
  3. Computer Science, University of Waterloo, USA
  4. Strategic CAD Labs, Intel Corporation, Hillsboro, USA
