# Formal Specification and Verification of the FM9001 Microprocessor Using the DE System

Cuong Chau ckcuong@cs.utexas.edu

Department of Computer Science

The University of Texas at Austin

May 23, 2017







Cuong Chau (UT Austin)





- 2 The DE System
- 3 Monotonicity of DE

Cuong Chau (UT Austin)



Image: A match a ma

FM9001 is a general-purpose 32-bit microprocessor whose gate-level netlist was originally specified and verified in the Nqthm logic using the DUAL-EVAL system [Brock & Hunt:1997].

We re-specify and re-verify the FM9001 netlist in the ACL2 logic using the DE system.

**Motivation:** This work provides a library of verified hardware circuit generators that can be applied when reasoning about the synthesis of hardware circuits using DE.

### FM9001 Specification Levels



Cuong Chau (UT Austin)

:▶ ◀ 볼 ▶ 볼 ∽ ९ ୯ May 23, 2017 5 / 22

### Block Diagram of the FM9001



Cuong Chau (UT Austin)

FM9001 Specification and Verification

May 23, 2017 6 / 22

- The FM9001 can be forced to a known state, i.e., reset, from any initial state by a suitable sequence of inputs.
- Given a set of initial conditions, the gate-level model correctly implements the high-level instruction interpreter.
- The state at the end of the reset sequence satisfies the initial conditions for the previous lemma.

Strategy:

Prove that the desired reset state can be reached from an initial state of all X (unknown) values.

- The FM9001 can be forced to a known state, i.e., reset, from any initial state by a suitable sequence of inputs.
- Given a set of initial conditions, the gate-level model correctly implements the high-level instruction interpreter.
- The state at the end of the reset sequence satisfies the initial conditions for the previous lemma.

Strategy:

Prove that the desired reset state can be reached from an initial state of all X (unknown) values.

- The FM9001 can be forced to a known state, i.e., reset, from any initial state by a suitable sequence of inputs.
- Given a set of initial conditions, the gate-level model correctly implements the high-level instruction interpreter.
- The state at the end of the reset sequence satisfies the initial conditions for the previous lemma.

### Strategy:

Prove that the desired reset state can be reached from an initial state of all X (unknown) values.

The original work modeled the memory model using Nqthm's shell principle.

• There is no such principle in ACL2.

The original work modeled the memory model using Nqthm's shell principle.

• There is no such principle in ACL2.

Need a different approach to formalizing the memory model for FM9001.

The original work used Nqthm's shell principle to introduce three new data structures for a memory cell:

- ROM tags read-only locations of the memory.
- **2** RAM tags **read-write** locations of the memory.
- **STUB** represents **"unimplemented"** portions.

The original work used Nqthm's shell principle to introduce three new data structures for a memory cell:

- **O** ROM tags **read-only** locations of the memory.
- **2** RAM tags read-write locations of the memory.
- STUB represents "unimplemented" portions.

Our approach: Represent a memory cell as a proper list of two elements:

- The first element is a flag specifying the memory type of the cell (i.e., ROM, or RAM, or STUB).
- In the second element is the value of the cell.

The original work used Nqthm's shell principle to introduce three new data structures for a memory cell:

- ROM tags read-only locations of the memory.
- **2** RAM tags **read-write** locations of the memory.
- **STUB** represents **"unimplemented"** portions.

Our approach: Represent a memory cell as a proper list of two elements:

- The first element is a flag specifying the memory type of the cell (i.e., ROM, or RAM, or STUB).
- **2** The second element is the **value** of the cell.

This change does not affect the proof strategy for FM9001 created in the previous work, except for establishing the monotonicity property for DE, which is part of the FM9001 verification procedure.

< (日) × (日) × (1)





Cuong Chau (UT Austin)



FM9001 Specification and Verification

3

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

The operational semantics for the DE language is implemented as an **output evaluator**, se, and a **state evaluator**, de.

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

The operational semantics for the DE language is implemented as an **output evaluator**, se, and a **state evaluator**, de.

• The se function evaluates a module and returns its **outputs** as a function of its inputs and its internal state.

A DE description is an ACL2 constant containing an ordered list of modules, which we call a netlist.

The operational semantics for the DE language is implemented as an **output evaluator**, se, and a **state evaluator**, de.

- The se function evaluates a module and returns its **outputs** as a function of its inputs and its internal state.
- The de function evaluates a module and returns its **next state**; this state will be structurally identical to the module's current state, but with updated values.







Cuong Chau (UT Austin)



- The FM9001 can be forced to a known state, i.e., reset, from any initial state by a suitable sequence of inputs.
- Given a set of initial conditions, the gate-level model correctly implements the high-level instruction interpreter.
- The state at the end of the reset sequence satisfies the initial conditions for the previous lemma.

### Strategy:

Prove that the desired reset state can be reached from an initial state of all X (unknown) values.





A function f(x) is monotonic if  $a \le b \Rightarrow f(a) \le f(b)$ .



A function f(x) is monotonic if  $a \le b \Rightarrow f(a) \le f(b)$ .

A function  $f(x_1, x_2, ..., x_n)$  is monotonic if  $a_1 \le b_1 \& a_2 \le b_2 \& ... \& a_n \le b_n \Rightarrow f(a_1, a_2, ..., a_n) \le f(b_1, b_2, ..., b_n).$ 



A function f(x) is monotonic if  $a \le b \Rightarrow f(a) \le f(b)$ .

A function  $f(x_1, x_2, ..., x_n)$  is monotonic if  $a_1 \le b_1 \& a_2 \le b_2 \& ... \& a_n \le b_n \Rightarrow f(a_1, a_2, ..., a_n) \le f(b_1, b_2, ..., b_n).$ 

Primitive four-valued logic functions (e.g., F-AND, F-OR, F-NOT, F-XOR) are monotonic.

```
\begin{array}{l} \texttt{st1} \leq \texttt{st2} \\ \Rightarrow \\ (\texttt{de fn ins st1 netlist}) \leq (\texttt{de fn ins st2 netlist}) \end{array}
```

```
st1 \le st2

\Rightarrow

(de fn ins st1 netlist) \le (de fn ins st2 netlist)

\Rightarrow

(run fn ins-seq st1 netlist) \le (run fn ins-seq st2 netlist)
```

```
\begin{array}{l} \texttt{st1} \leq \texttt{st2} \\ \Rightarrow \\ (\texttt{de fn ins st1 netlist}) \leq (\texttt{de fn ins st2 netlist}) \\ \Rightarrow \\ (\texttt{run fn ins-seq st1 netlist}) \leq (\texttt{run fn ins-seq st2 netlist}) \end{array}
```

If (run fn ins-seq st1 netlist) contains no X value, then
(run fn ins-seq st1 netlist) = (run fn ins-seq st2 netlist)

```
\begin{array}{l} \texttt{st1} \leq \texttt{st2} \\ \Rightarrow \\ (\texttt{de fn ins st1 netlist}) \leq (\texttt{de fn ins st2 netlist}) \\ \Rightarrow \\ (\texttt{run fn ins-seq st1 netlist}) \leq (\texttt{run fn ins-seq st2 netlist}) \end{array}
```

If (run fn ins-seq st1 netlist) contains no X value, then
(run fn ins-seq st1 netlist) = (run fn ins-seq st2 netlist)

If st1 is contains only X values, and (run fn ins-seq st1 netlist) is the desired reset state, then this state can be reached from any state st2.

## State Approximation

The state approximation notion is changed under our proposed representation of the memory model.

# State Approximation

The state approximation notion is changed under our proposed representation of the memory model.

Below is the ACL2 version of the state approximation definition introduced in the previous work.

通 ト イ ヨ ト イ ヨ ト

# State Approximation

The state approximation notion is changed under our proposed representation of the memory model.

Below is the ACL2 version of the state approximation definition introduced in the previous work.

Memory cells are defined as CONSES: cases (2), (3), and (4) in the above definition will never be satisfied. They are all subsumed in case (1).

16 / 22

We change the state approximation definition by rearranging the order of cases to (2), (3), (4), and (1).

• • = • • = •

We need the following property in order to establish the monotonicity property for DE.

We need the following property in order to establish the monotonicity property for DE.

The above property holds when we impose a constraint on the **value of** each memory cell that it must be a four-valued vector.

We need the following property in order to establish the monotonicity property for DE.

The above property holds when we impose a constraint on the **value of** each memory cell that it must be a four-valued vector.

 This constraint does not affect the correctness proofs for FM9001 since the FM9001 specification enforces a restriction that only bit vectors are stored in memory. We need the following property in order to establish the monotonicity property for DE.

The above property holds when we impose a constraint on the **value of** each memory cell that it must be a four-valued vector.

• This constraint does not affect the correctness proofs for FM9001 since the FM9001 specification enforces a restriction that only bit vectors are stored in memory.

We establish the monotonicity property for DE with stricter hypotheses: the structures of states and netlist must be syntactically well-formed.









FM9001 Specification and Verification

- (日)

We successfully verify the correctness the FM9001 microprocessor design.

- This work provides a library of verified hardware circuit generators that can be applied when reasoning about the synthesis of hardware circuits using DE.
- We also verify guards for the DE system.

We successfully verify the correctness the FM9001 microprocessor design.

- This work provides a library of verified hardware circuit generators that can be applied when reasoning about the synthesis of hardware circuits using DE.
- We also verify guards for the DE system.
- This work is also a contribution to ACL2 for two reasons.
  - First, it moves into the ACL2 regression suite one of the most important theorems proved by Nqthm.
  - Second, it is the first step toward porting the entire Computational Logic verified stack [Bevier et al.:1989, Moore:1996] from Nqthm to ACL2.

# References



### W. Hunt (2000)

#### The DE Language

*Computer-Aided Reasoning: ACL2 Case Studies*, Kluwer Academic Publishers Norwell, MA, USA, 151 – 166.

## B. Brock & W. Hunt (1997)

The DUAL-EVAL Hardware Description Language and Its Use in the Formal Specification and Verification of the FM9001 Microprocessor

Formal Methods in System Design, 11, 71 – 104.



W. R. Bevier and Hunt, Jr., W. A. and J S. Moore and W. D. Young (1989) Special Issue on System Verification

Journal of Automated Reasoning, 5(4), 409 – 530.

J S. Moore (1996)

Piton: A Mechanically Verified Assembly-Level Language Automated Reasoning Series, Kluwer Academic Publishers.

. . . . . . .

# Questions?

- ∢ ⊒ →

Image: A match a ma



æ

< ≣⇒

・ロト ・日下 ・ヨト



Cuong Chau (UT Austin)

May 23, 2017 24 / 22



May 23, 2017 25 /

э

< □ > < 同 > < 回 > < 回 > < 回 >

```
(defconst *one-bit-counter*
 (cons
 '(one-bit-counter
   (clk carry-in reset-)
   (out carry)
   (g0)
   ((g0 (out out~) fd1 (clk sum-reset-))
    (g1 (sum carry) half-adder (carry-in out))
   (g2 (sum-reset-) b-and (sum reset-))))
```

```
*half-adder*))
```



May 23, 2017 27 / 22

э

イロト イポト イヨト イヨト

```
(defconst *four-bit-counter*
  (cons
   '(four-bit-counter
     (clk incr reset-)
     (out0 out1 out2 out3)
     (h0 h1 h2 h3)
     ((h0 (out0 carry0) one-bit-counter (clk incr reset-))
      (h1 (out1 carry1) one-bit-counter (clk carry0 reset-))
      (h2 (out2 carry2) one-bit-counter (clk carry1 reset-))
      (h3 (out3 carry3) one-bit-counter (clk carry2 reset-))
      ))
```

```
*one-bit-counter*))
```