Verification of modern microprocessors is a complex task that requires a substantial allocation of resources. Despite significant progress in formal verification, the goal of complete verification of an industrial design has not been achieved. In this paper, we describe a current contribution of formal methods to the validation of modern x86 microprocessors at Centaur Technology. We focus on proving correctness of instruction implementations, which includes the decoding of an instruction, its translation into a sequence of micro-operations, any subsequent execution of traps to microcode ROM, and the implementation of these micro-operations in execution units. All these tasks are performed within one verification framework, which includes a theorem prover, a verified symbolic simulator, and SAT solvers. We describe the work of defining the needed formal models for both the architecture and micro-architecture in this framework, as well as tools for decomposing the requisite properties into smaller lemmas which can be automatically checked. We additionally cover the advantages and limitations of our approach. To our knowledge, there are no similar results in the verification of implementations of an x86 microprocessor.
arXiv:1912.10285v1 fatcat:aeocsrtb5zd6vfsqklcoi3stxy
Lecture Notes in Computer Science
[Figure: parametrized approach used for all FP sizes; axes Exponent 1 and Exponent 2 (0 to Max); regions labelled Outer Triangle, Inner Diagonals, Denorms, Zeros, NaNs, Infinities] (Hunt, Swords ...)
doi:10.1007/978-3-642-02658-4_28 fatcat:77npbh2brzetbltkrldmcxuvfu
When using existing ACL2 datatype frameworks, many theorems require type hypotheses. These hypotheses slow down the theorem prover, are tedious to write, and are easy to forget. We describe a principled approach to types that provides strong type safety and execution efficiency while avoiding type hypotheses, and we present a library that automates this approach. Using this approach, types help you catch programming errors and then get out of the way of theorem proving.
doi:10.4204/eptcs.192.2 fatcat:eixdhgkfkffohgaibkwvkg3jiy
While we have described the basic idea of symbolic execution and how GL uses it to prove theorems, Swords' dissertation contains a much more detailed description of GL's implementation. ... For a comprehensive treatment of the implementation of GL, see Swords' dissertation. Additional details about particular commands can be found in the online documentation with :doc gl. ...
doi:10.4204/eptcs.70.7 fatcat:7j4lv5awujhcdjwtm6edtlr3pe
FGL is a successor to GL, a proof procedure for ACL2 that allows complicated finitary conjectures to be translated into efficient Boolean function representations and proved using SAT solvers. A primary focus of FGL is to allow greater programmability using rewrite rules. While the FGL rewriter is modeled on ACL2's rewriter, we have added several features in order to make rewrite rules more powerful. A particular focus is to make it more convenient for rewrite rules to use information from the syntactic domain, allowing them to replace built-in primitives and meta rules in many cases. Since it is easier to write, maintain, and prove the soundness of rewrite rules than to do the same for rules programmed at the syntactic level, these features help make it feasible for users to precisely program the behavior of the rewriter. We describe the new features that FGL's rewriter implements, discuss the solutions to some technical problems that we encountered in their implementation, and assess the feasibility of adding these features to the ACL2 rewriter.
doi:10.4204/eptcs.327.3 fatcat:vj54wnorlrdp3oc5cr64co3br4
Lecture Notes in Computer Science
Abstract: Formal methods are becoming an indispensable part of the design process in software and hardware industry. It takes robust tools and proofs to make formal validation of large scale projects reliable. In this paper, we will describe the current status of formal verification at Centaur Technology. We will explain our challenges and our methodology—how various proofs and verification artifacts are interconnected and how we keep them consistent over the duration of a project. We also describe our main engine—a powerful symbolic simulator with rewriting capabilities that is integrated in a theorem prover and proven correct.
doi:10.1007/978-3-030-81685-8_2 fatcat:xrcodigbu5f3flsfvfrt2725ji
The most sophisticated algorithm that has been verified atop Hons-AIGs is the AIG to BDD conversion algorithm of Swords and Hunt. ... Representation and Semantics (Note: our Hons-AIG representation and semantics are briefly described in previous work by Swords and Hunt; we repeat some details here to make this paper more self-contained ...
doi:10.4204/eptcs.114.8 fatcat:vdmun32ds5grhbowimcb677qcy
Experimental results on the formation of molecular hydrogen on amorphous silicate surfaces are presented and analyzed using a rate equation model. The energy barriers for the relevant diffusion and desorption processes are obtained. They turn out to be significantly higher than those obtained for polycrystalline silicates, demonstrating the importance of grain morphology. Using these barriers we evaluate the efficiency of molecular hydrogen formation on amorphous silicate grains under interstellar conditions. It is found that unlike polycrystalline silicates, amorphous silicate grains are efficient catalysts of H_2 formation in diffuse interstellar clouds.
arXiv:0709.2472v1 fatcat:zxwglcqpujc7lbzrh5oqbsuuli
We describe defret-mutual-generate, a utility for proving ACL2 theorems about large mutually recursive cliques of functions. This builds on previous tools such as defret-mutual and make-flag, which automate parts of the process but still require a theorem body to be written out for each function in the clique. For large cliques, this tends to mean that certain common hypotheses and conclusions are repeated many times, making proofs difficult to read, write, and maintain. This utility automates several of the most common patterns that occur in these forms, such as including hypotheses based on formal names or types. Its input language is rich enough to support forms that have some common parts and some unique parts per function. One application of defret-mutual-generate has been to support proofs about the FGL rewriter, which consists of a mutually recursive clique of 49 functions. The use of this utility reduced the size of the forms that express theorems about this clique by an order of magnitude. It has also greatly reduced the need to edit theorem forms when changing definitions in the clique, even when adding or removing functions.
doi:10.4204/eptcs.327.10 fatcat:iqubseeonjfxznjjdbfvlnt2pa
Design and Verification of Microprocessor Systems for High-Assurance Applications
Starting in the summer of 2008, Swords began an effort to build a verified version of the ACL2 G symbolic simulator, called GL (for G in the Logic). ... This led Hunt and Swords to join Centaur in June of 2007, to see if our existing (ACL2-based) tools could be usefully deployed on Centaur verification problems. ...
doi:10.1007/978-1-4419-1539-9_3 fatcat:qczrzp6ah5a5lmq75hllk6oymq
GL is a verified tool for proving ACL2 theorems using Boolean methods such as BDD reasoning and satisfiability checking. In its typical operation, GL recursively traverses a term, computing a symbolic object representing the value of each subterm. In older versions of GL, such a symbolic object could use Boolean functions to compactly represent many possible values for integer and Boolean subfields, but otherwise needed to reflect the concrete structure of all possible values that its term might take. When a term has many possible values that can't share such a representation, this can easily cause blowups because GL must then case-split. To address this problem, we have added several features to GL that allow it to reason about term-like symbolic objects using various forms of rewriting. These features allow GL to be programmed with rules much like the ACL2 rewriter, so that users may choose a better normal form for terms for which the default, value-like representation would otherwise cause case explosions. In this paper we describe these new features; as a motivating example, we show how to program the rewriter to reason effectively about the theory of records.
doi:10.4204/eptcs.249.7 fatcat:ehkvx4x44jh55ppci2uk52o3ze
Available at http://hdl.handle.net/2152/ETD-UT-2010-12-2210. Sol Swords and Jared Davis (2011): Bit-Blasting ACL2 Theorems. ... Available at http://www.cs.utexas.edu/users/moore/acl2/manuals/current/manual/index.html. Anna Slobodova, Jared Davis, Sol Swords, and Warren A. ...
doi:10.4204/eptcs.249.4 fatcat:drbrq7vxn5c3lhxzw7jvo2inzy
To make it practical to mechanize proofs in programming language metatheory, several capabilities are required of the theorem proving framework. One must be able to represent and efficiently reason about complex recursively-defined expressions, define arbitrary induction schemes including mutual inductions over several objects and inductions over derivations, and reason about variable bindings with minimal overhead. We introduce a method for performing these proofs in ACL2, including a macro which automates the process of defining functions and theorems to facilitate reasoning about recursive data types. To illustrate this method, we present a proof in ACL2 of the soundness of the simply typed λ-calculus.
doi:10.1145/1217975.1217982 dblp:conf/acl2/SwordsC06 fatcat:gn6sbcjvgbbyfc7pgjgnmr2sfq
In 2010, Swords re-implemented the capabilities of the G system using only ACL2 code. This new system is called GL (for G in the Logic) and used ACL2 to prove its implementation is correct. ...
doi:10.1109/memcod.2011.5970515 dblp:conf/memocode/SlobodovaDSH11 fatcat:5vahhzcds5falllz5xqsvqraqq
The results of experiments on the formation of molecular hydrogen on low density and high density amorphous ice surfaces are analyzed using a rate equation model. The activation energy barriers for the relevant diffusion and desorption processes are obtained. The more porous morphology of the low density ice gives rise to a broader spectrum of energy barriers compared to the high density ice. Inserting these parameters into the rate equation model under steady state conditions we evaluate the production rate of molecular hydrogen on ice-coated interstellar dust grains.
doi:10.1086/430435 fatcat:fnrhhw55wnevzcwtqtxwv2lcte