A Practical Methodology for the Formal Verification of RISC Processors

In this paper a practical methodology for formally verifying RISC cores is presented. Using a hierarchical model which reflects the abstraction levels used by designers of real RISC processors, proofs between neighboring levels are performed for simplifying the verification process. The proofs are performed by showing that each instruction is executed correctly by the pipelined machine with respect to the semantics of the instruction set architecture. During this proof, temporal abstractions are used to find correspondences between the various levels of abstractions. Additionally, lower level implementational details such as, multi-phased clocks and gate level descriptions of the final implementation, are accounted for. The overall correctness proof is managed in two complementary steps, namely, pipeline data and pipeline control correctness. In the former, we show that the cumulative effect of pipeline suboperations yields the data semantics of architecture instructions. While in the latter, we are concerned with interferences (conflicts) between the different instructions and suboperations in the pipeline. We have developed a set of parametrized proof scripts which highly automate the different proof tasks. In addition, the pipeline control proof is constructive, in the sense that the conditions under which the pipeline conflicts occur are automatically generated and explicitly stated thus aiding the user in its removal. All developed specifications and proof scripts are kept general, so that the methodology could be applied for a wide range of RISC cores (e.g. those used in embedded systems). In this paper, the described formalization and proof strategies are illustrated via the DLX RISC processor.