An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor

> Cuong Chau ckcuong@cs.utexas.edu

Department of Computer Science

The University of Texas at Austin

September 22, 2016

## 1 Introduction

- 2 The DE Language
- 3 Verifying Circuit Designs Using the DE Verification System
- FM9001 Microprocessor Verification

## 5 Future Work

## Introduction

- 2 The DE Language
- 3 Verifying Circuit Designs Using the DE Verification System
- 4 FM9001 Microprocessor Verification
- 5 Future Work

DE is a formal occurrence-oriented description language that permits the hierarchical definition of finite-state machines in the style of a hardware description language [W. Hunt, 2000].

DE has shown to be a valuable tool in formal specification and verification of modern hardware designs [W. Hunt & E. Reeber, 2006].

DE is a formal occurrence-oriented description language that permits the hierarchical definition of finite-state machines in the style of a hardware description language [W. Hunt, 2000].

DE has shown to be a valuable tool in formal specification and verification of modern hardware designs [W. Hunt & E. Reeber, 2006].

In this talk, I will give an overview of the DE language, illustrate how to use it to formally specify and verify circuit designs via simple examples, and finally briefly describe its application in the FM9001 microprocessor verification.

## 1 Introduction

# 2 The DE Language

## 3 Verifying Circuit Designs Using the DE Verification System

#### 4 FM9001 Microprocessor Verification

#### 5 Future Work

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

Each module consists of five elements: a netlist-unique module name, inputs, outputs, internal states, and occurrences.

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

Each module consists of five elements: a netlist-unique module name, inputs, outputs, internal states, and occurrences.

Each occurrence consists of four elements: a module-unique occurrence name, outputs, **a reference to a primitive or defined module**, and inputs.



2

イロト イヨト イヨト イヨト

The evaluation of a DE netlist eventually results in the interpretation of **primitives**, which are specified in the DE primitive database.

- Logic gates: AND, OR, NOT, XOR,...
- State-holding primitives: latches, flip-flops,...



< □ > < 同 >

æ

```
(defconst *full-adder*
(cons
 '(full-adder
   (a b c)
    (sum carry)
   ()
   ((t0 (sum1 carry1) half-adder
                                             (a b))
     (t1 (sum carry2) half-adder
                                          (sum1 c))
     (t2 (carry)
                                  (carry1 carry2))))
                       b-or
```

```
*half-adder*))
```

э



(日) (四) (日) (日) (日)

э

```
(defconst *one-bit-counter*
 (cons
 '(one-bit-counter
    (clk carry-in reset-)
    (out carry)
    (g0)
    ((g0 (out out~) fd1 (clk sum-reset-))
     (g1 (sum carry) half-adder (carry-in out))
     (g2 (sum-reset-) b-and (sum reset-))))
```

```
*half-adder*))
```



ж

イロト イポト イヨト イヨト

```
(defconst *four-bit-counter*
 (cons
  '(four-bit-counter
    (clk incr reset-)
    (out0 out1 out2 out3)
    (h0 h1 h2 h3)
    ((h0 (out0 carry0) one-bit-counter (clk incr reset-))
     (h1 (out1 carry1) one-bit-counter (clk carry0 reset-))
     (h2 (out2 carry2) one-bit-counter (clk carry1 reset-))
     (h3 (out3 carry3) one-bit-counter (clk carry2 reset-))
     ))
```

```
*one-bit-counter*))
```

The semantics of the DE language is given by a simulator that, given the current inputs and current state for a module, will compute the module's outputs and next state.

The semantics of the DE language is given by a simulator that, given the current inputs and current state for a module, will compute the module's outputs and next state.

The DE simulator is composed of two sets of mutually recursive functions.

- The se function computes the **outputs** of a module being evaluated given its inputs and its current state. The se-occ function, which is mutually recursive with se, iteratively computes the **outputs** of each occurrence declared in a module.
- The de function computes the **next state** of a module being evaluated given its inputs and its current state. The de-occ function, which is mutually recursive with de, iteratively computes the (possibly empty) **next state** of each occurrence declared in a module.

The semantics of the DE language is given by a simulator that, given the current inputs and current state for a module, will compute the module's outputs and next state.

The DE simulator is composed of two sets of mutually recursive functions.

- The se function computes the **outputs** of a module being evaluated given its inputs and its current state. The se-occ function, which is mutually recursive with se, iteratively computes the **outputs** of each occurrence declared in a module.
- The de function computes the **next state** of a module being evaluated given its inputs and its current state. The de-occ function, which is mutually recursive with de, iteratively computes the (possibly empty) **next state** of each occurrence declared in a module.

Demo.

## 1 Introduction

2 The DE Language

## 3 Verifying Circuit Designs Using the DE Verification System

4 FM9001 Microprocessor Verification

#### 5 Future Work

If a module doesn't have an internal state (purely combinational), only the value lemma needs to be proven.

If a module doesn't have an internal state (purely combinational), only the value lemma needs to be proven.

These lemmas are used to prove the correctness of yet larger modules containing these submodules, without the need to dig into any details about the submodules.

If a module doesn't have an internal state (purely combinational), only the value lemma needs to be proven.

These lemmas are used to prove the correctness of yet larger modules containing these submodules, without the need to dig into any details about the submodules.

Demo.

The DE verification system can be applied to verify **circuit generators**. *Example:* proving the correctness of a parameterized ripple-carry adder.

The DE verification system can be applied to verify **circuit generators**. *Example:* proving the correctness of a parameterized ripple-carry adder.

The DE verification system can be applied to verify **circuit generators**. *Example:* proving the correctness of a parameterized ripple-carry adder.

Demo.

## 1 Introduction

2 The DE Language

## 3 Verifying Circuit Designs Using the DE Verification System

#### 4 FM9001 Microprocessor Verification

#### 5 Future Work

The FM9001 is a general-purpose 32-bit microprocessor whose gate-level netlist was specified using the **DUAL-EVAL** hardware description language [B. Brock & W. Hunt, 1997].

The correctness of the FM9001 gate-level design was verified using the **NQTHM** theorem-proving system [B. Brock & W. Hunt, 1997].

The FM9001 is a general-purpose 32-bit microprocessor whose gate-level netlist was specified using the **DUAL-EVAL** hardware description language [B. Brock & W. Hunt, 1997].

The correctness of the FM9001 gate-level design was verified using the **NQTHM** theorem-proving system [B. Brock & W. Hunt, 1997].

We have been re-specifying and re-verifying the correctness of the FM9001 design using the ACL2-based DE system.

## FM9001 Specification Levels



Cuong Chau (UT Austin)

The DE Language

September 22, 2016 21 / 28

э

The proof of correctness of the FM9001 gate-level design consists of three major lemmas:

- The FM9001 can be forced to a known state, i.e., reset, by a suitable sequence of inputs.
- Given a set of initial conditions, the gate-level model correctly implements the high-level instruction interpreter.
- The state at the end of the reset sequence satisfies the initial conditions for the previous lemma.

The proof of correctness of the FM9001 gate-level design consists of three major lemmas:

- The FM9001 can be forced to a known state, i.e., reset, by a suitable sequence of inputs.
- Given a set of initial conditions, the gate-level model correctly implements the high-level instruction interpreter.
- The state at the end of the reset sequence satisfies the initial conditions for the previous lemma.

Our result so far: proved that given a set of initial conditions, the gate-level model correctly implements the register-transfer model.

# Block Diagram of the FM9001



Cuong Chau (UT Austin)

The DE Language

∃ → September 22, 2016 23 / 28

э

# The NEXT-CNTL-STATE module



## 1 Introduction

- 2 The DE Language
- **3** Verifying Circuit Designs Using the DE Verification System

#### 4 FM9001 Microprocessor Verification

### 5 Future Work

Finish the proof of correctness of the FM9001 gate-level design, i.e., the three major lemmas mentioned earlier.

Finish the proof of correctness of the FM9001 gate-level design, i.e., the three major lemmas mentioned earlier.

Specify and verify the correctness of the FM9001 using the **asynchronous-circuit-oriented** formalization.

- No global clock signal.
- Local communication protocols, e.g., the link-joint interface [M. Roncken et al., 2015].
- Non-deterministic behavior due to *uncertain but bounded delays* on wires and gates.

o ...

## References



#### W. Hunt (2000)

The DE Language

*Computer-Aided Reasoning: ACL2 Case Studies*, Kluwer Academic Publishers Norwell, MA, USA, 151 – 166.

#### W. Hunt & E. Reeber (2006)

#### Applications of the DE2 Language

*The 6th International Workshop on Designing Correct Circuits (DCC 2006)*, Vienna, Austria.

#### B. Brock & W. Hunt (1997)

The DUAL-EVAL Hardware Description Language and Its Use in the Formal Specification and Verification of the FM9001 Microprocessor

Formal Methods in System Design, 11, 71 – 104.

M. Roncken, S. Gilla, H. Park, N. Jamadagni, C. Cowan, I. Sutherland (2015) Naturalized Communication and Testing ASYNC 2015, 77 – 84.

# Questions?

▶ < ∃ >

< □ > < 同 >

2