End-to-End Verification of ARM® Processors with ISA-Formal

Despite 20+ years of research on processor verification, it remains hard to use formal verification techniques in commercial processor development. There are two significant factors: scaling issues and return on investment. The scaling issues include the size of modern processor specifications, the size/complexity of processor designs, the size of design/verification teams and the (non)availability of enough formal verification experts. The return on investment issues include the need to start catching bugs early in development, the need to continue catching bugs throughout development, and the need to be able to reuse verification IP, tools and techniques across a wide range of design styles. This paper describes how ARM has overcome these issues in our Instruction Set Architecture Formal Verification framework “ISA-Formal.” This is an end-to-end framework to detect bugs in the datapath, pipeline control and forwarding/stall logic of processors. A key part of making the approach scale is the use of a mechanical translation of ARM’s Architecture Reference Manuals to Verilog, allowing the use of commercial model checkers. ISA-Formal has proven especially effective at finding microarchitecture-specific bugs involving complex sequences of instructions. An essential feature of our work is that it is able to scale all the way from simple 3-stage microcontrollers, through superscalar in-order processors, up to out-of-order processors. We have applied this method to 8 different ARM processors spanning all stages of development up to release. In all processors, this has found bugs that would have been hard for conventional simulation-based verification to find, and ISA-Formal is now a key part of ARM’s formal verification strategy. To the best of our knowledge, this is the most broadly applicable formal verification technique for verifying processor pipeline control in mainstream commercial use.