A Progressive Methodology for the Verification of a DSP Chip

In this paper we describe a methodology for the formal verification using theorem proving of a DSP processor chip. We specified both the behavioral and implementation (at the register level) of the processor. Then we create a new representation of the processor such that its complexity can be handled by the theorem prover. Finally, we make a proof of the full instruction set of this processor. 1. INRODUCTION Hardware and software systems are growing everyday in scale and functionality. This increase in complexity increases the number of subtle errors. Moreover, some of these errors may cause catastrophic loss of money, time, or even in some cases human life. A major goal of software engineering or system design is to enable developers to construct systems that operate reliably despite this complexity. One way of achieving this goal is by using formal methods, which are mathematically-based languages, techniques, and tools for specifying and verifying such systems [6]. Even formal methods do not a priori guarantee correctness, they can greatly increase our understanding of a system by revealing inconsistencies, ambiguities, and incompleteness that might otherwise go undetected. Actually, there are many tools performing hardware verification. For instance, the two approaches model checking and theorem proving are getting more interest. Model checking is a technique that relies on building a finite model of a system and checking that a desired property holds in that model. Roughly speaking, the check is performed as an exhaustive state space search which is guaranteed to terminate since the model is finite. The technical challenge in model checking is in devising algorithms and data structures that allow us to handle large search spaces. Model checking has been used primarily in hardware and protocol verification; the current trend is to apply this technique to analyze specifications of software systems. Theorem proving is a technique where both the system and its desired properties are expressed as formulas in some mathematical logic [7]. This logic is given by a formal system, which defines a set of axioms and a set of inference rules. Theorem proving is the process of finding a proof of a property from the axioms of the system. Steps in the proof appeal to the axioms and rules, and possibly derived definitions and intermediate lemmas. While proofs can be constructed by hand, here, we focus only on machine-assisted theorem proving. Theorem provers are increasingly being used today in the mechanical verification of safety-critical properties of hardware and software designs. In contrast to model checking, theorem proving can deal directly with infinite state spaces [11]. It relies on techniques like structural induction to prove over infinite domains. Interactive theorem provers, by definition, require interaction with a human, so the theorem proving process is slow and often error-prone. In the process of finding the proof, however, the human user often gains invaluable insight into the system or the property being proved. Notable examples about using theorem proving are described in the literature [9]. The most related to our study is the Motorola CAP [5]. During 1992-1996 Brock of Computational Logic, Inc., working in collaboration with Motorola designers, developed an ACL2 specification of the entire Motorola Complex Arithmetic Processor (CAP), a microprocessor for digital signal processing (DSP). The formal specification tracked the evolving design and included a simpler non-pipelined view that was proved equivalent on a certain class of programs. In this paper we describe the formal verification using the theorem prover HOL (Higher Order Logic) of the Digital Signal Processor ADSP-2100 of Analog Devices. This processor is a 16 bit fixed point processor with three computational units, two address generators and one program sequencer. The verification of this processor is very similar in complexity to the Motorola CAP. However, to be able to verify all the instruction set of this processor, we defined a new progressive methodology based on the particular characteristics of the architecture of the processor and the strength of the HOL theorem prover. The HOL system is a powerful and widely used computer program for constructing formal specifications and proofs in higher order logic [3], using the programming language ML (Meta Language) [10]. The strength of HOL comes from two principles proprieties. First backward (goal-directed) proof is supported, and may be freely mixed with forward proof. Second, adherence to definitional extension guarantees that the consistency of the logic is not compromised [4]. The rest of the paper is structured as following: In Section 2, we describe the ADSP-2100 processor. In Section 3, we define the methodology that we used in the verification of the processor. In Section 4, we present the specification of the processor and we provide the steps of the verification of its instruction set. We conclude the paper in Section 5. 2. THE ADSP-2100 PROCESSOR 2.1 Architecture of the ADSP-2100 Processor The ADSP-2100 family is a collection of programmable singlechip microprocessors that share a common base architecture (Figure 1) optimized for digital signal processing (DSP) and other GLS-VLSI96 Draft dated of 29.12.01 high-speed numeric processing applications [1]. The various family processors differ principally in the type of on-chip peripherals they add to the base architecture. On-chip memory, a timer, serial port(s), and parallel ports are available in different members of the family. In addition, the ADSP-21msp58/59 processors include an on-chip analog interface for voiceband signal conversion [2]. The principle components of the ADSP-2100 processor are: Computational Units—Every processor in the ADSP-2100 family contains three independent, full-function computational units: an arithmetic/logic unit (ALU), a multiplier/accumulator (MAC) and a barrel shifter. The computational units process 16-bit data directly and also provide hardware support for multiprecision computations. Data Address Generators & Program Sequencer—Two dedicated address generators and a program sequencer supply addresses for on-chip or external memory access. The sequencer supports single-cycle conditional branching and executes program loops with zero overhead. Dual data address generators allow the processor to generate simultaneous addresses for dual operand fetches. Together the sequencer and data address generators keep the computational units continuously working, maximizing throughput. Memory—The ADSP-2100 family uses a modified Harvard architecture in which data memory stores data, and program memory stores both instructions and data. All ADSP-2100 family processors contain on-chip RAM that comprises a portion of the program memory space and data memory space. The speed of the on-chip memory allows the processor to fetch two operands (one from data memory and one from program memory) and an instruction (from program memory) in a single cycle. The processors have five internal buses. The program memory address (PMA) and data memory address (DMA) buses are used internally for the addresses associated with program and data memory. The program memory data (PMD) and data memory data (DMD) buses are used for the data associated with the memory spaces. The buses are multiplexed into a single external address bus and a single external data bus; the BMS, DMS and PMS signals select the different address spaces. The R bus transfers intermediate results directly between the various computational units. 2.2 Instruction Set of the ADSP-2100 Processor The ADSP-2100 family shares a single unified instruction set designed for upward compatibility with higher-integration devices. For instance, the ADSP-2171, ADSP-2181, and ADSP21msp58/59 processors have a number of additional and enhanced instructions [11]. The ADSP-2100 family instruction set provides flexible data moves. Multifunction instructions combine one or more data moves with a computation. Every instruction can be executed in a single processor cycle. The assembly language uses an algebraic syntax for readability and ease of coding. A comprehensive set of software and hardware tools supports program development [8]. Figure 1: Architecture of the ADSP 2100 processor. CLKIN Program Memory Address