Warren A. Hunt, Jr.

# FM8501: A Verified Microprocessor

#### Springer-Verlag

Berlin Heidelberg NewYork London Paris Tokyo Hong Kong Barcelona Budapest Series Editors

Jaime G. Carbonell School of Computer Science, Carnegie Mellon University Schenley Park, Pittsburgh, PA 15213-3890, USA

Jörg Siekmann University of Saarland German Research Center for Artificial Intelligence (DFKI) Stuhlsatzenhausweg 3, D-66123 Saarbrücken, Germany

Author

Warren A. Hunt, Jr. Computational Logic, Inc. 1717 West 6th Street, Suite 290 Austin, TX 78703-4776, USA

CR Subject Classification (1991): B.6, I.2.2-3, F.4.1, B.2.4, B.4.4, B.7.2

ISBN 3-540-57960-5 Springer-Verlag Berlin Heidelberg New York ISBN 0-387-57960-5 Springer-Verlag New York Berlin Heidelberg

CIP data applied for

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

© Springer-Verlag Berlin Heidelberg 1994 Printed in Germany

Typesetting: Camera ready by authorSPIN: 1013207945/3140-543210 - Printed on acid-free paper

## Acknowledgements

My colleague Bill Young reformatted this document from  $\mathrm{Scribe}^{\mathrm{TM}}$  to  $\mathrm{IAT}_{\mathrm{E}}X$ . He also remade all of the drawings. This conversion was a larger job than either of us expected. I am quite thankful for his effort, because without it this book would not have been possible.

This work originally appeared as the author's dissertation, Department of Computer Science, the University of Texas at Austin. The work was partially sponsored by the National Science Foundation (Grants DCR-8202943 and DCR-8122039), the Department of the Navy, Space and Naval Warfare Systems Command (Contract N00039-85-K-0085), and British Petroleum North America, Inc. It appeared as Technical Report 47, Institute for Computing Science, the University of Texas at Austin, February, 1986.

W. A. H.

## Preface

The hardware specification and verification ideas presented in this monograph germinated while I was taking a graduate class from Bover and Moore in 1982. It was during their class that I was first introduced to logic. By the end of this class, I had written an instruction-interpreter specification for a Z80 microprocessor [51]. At this point, I had not seen any other work for mathematically specifying digital hardware except Boolean logic and ISP descriptions. At this point also, I was a digital design engineer for Cyb Systems, Inc., where I was designing Multibus<sup>[26]</sup> compatible cards for a Unix minicomputer. These designs were based upon the Motorola 68000 microprocessor [35]. During 1983 and 1984 I worked full time as a board designer, but I continued to be interested in formalizing a microprocessor. This interest was motivated both from an intellectual curiosity and from my personal frustration at attempting to engineer correctly designed boards. Each time I designed a board, I had to agglomerate specifications provided by device manufacturers in an attempt to produce some board with greater functionality. This was performed in a "rigorous" manner, but without any mathematical connecting tissue.

In 1985 I returned to the University of Texas to complete my degree. Originally, I had hoped to mathematically specify an existing microprocessor for my dissertation work, but I felt that the documentation available to me did not adequately specify all their operational aspects. I also realized that to specify and verify an existing microprocessor would require me to have access to a commercial design – this would require a non-disclosure agreement which would prevent me from publishing the results of my effort, thus no degree could result. In the beginning of 1985, I began the FM8501 effort which resulted in this monograph and this monograph was submitted as a dissertation at the end of 1985 in partial fulfillment of the PhD degree requirements at the University of Texas at Austin under the advisorship of Bob Boyer and J Moore.

The FM8501 microprocessor was invented as a generic microprocessor somewhat similar to a PDP-11 [13] — "FM" stood for functional machine and "8501" stood for the first machine of 1985. This was an optimistic naming convention; the FM8502, a 32-bit variant of the FM8501, wasn't completed until 1987. The principal idea of the FM8501 effort was to see if it was possible to express the user-level specification and the design implementation using a formal logic,



Figure 0.1: Specification Levels

the Boyer-Moore logic; this approach permitted us to complete a mechanically checked proof that the FM8501 implementation fully implemented its specification.

The implementation model for the FM8501 was inadequate for industrial hardware design. Circuits were expressed by overloading functions in the Boyer-Moore logic. This modeling technique allowed the specification of the necessary combinational connecting gates and registers, but did not allow wires to be named explicitly. Further, this approach did not provide a direct migration path to CAD languages, from which a physical device could be built. Since the FM8501 effort Bishop Brock and I have formalized a simple hierarchical, occurrence-oriented hardware description language (HDL) [25, 9]. The formalization of this HDL made the hardware circuits explicit – a formal circuit semantics and syntax exists for the HDL – and provides a simple means of converting designs into commercial CAD languages. Our HDL semantics include four logical values: true, false, undefined, and floating, thus providing a richer modeling capability than used with the FM8501.

Our current approach can be contrasted with the FM8501 effort by comparing our recent FM9001 microprocessor verification. Figure 0.1 shows the four specification levels we used for the FM9001; only the top two levels exist in the FM8501 effort. The two-valued level was the implementation level for the FM8501. The FM8501 had separate data input and data output busses because we were not able to model bidirectional wires. For the FM9001, the two-valued level is a Boolean model of the implementation with the tri-state memory interface bus abstracted away. The four-valued level is functionally equivalent to the netlist level. The netlist level describes the actual gates, wires, I/O pads, and test logic that are actually needed to construct the FM9001 microprocessor. The FM9001 design verification takes into consideration the I/O pads and test logic as well as the functional gates and registers. We had LSI Logic, Inc., fabricate the FM9001 design using one of their gate-array families. We have not discovered any errors in the fabricated devices after several months of testing.

The FM8501 effort was an important step in our evolution to the design verification methodology we now employ.

Warren A. Hunt, Jr. Austin, Texas

January, 1992

## Contents

| Preface   Acknowledgements |                                    |                                       |    |  |  |
|----------------------------|------------------------------------|---------------------------------------|----|--|--|
|                            |                                    |                                       |    |  |  |
|                            | 1.1                                | Nature of this Research               | 1  |  |  |
|                            | 1.2                                | The Meaning of Verification           | 2  |  |  |
|                            | 1.3                                | Research Goal                         | 2  |  |  |
|                            | 1.4                                | Dissertation Outline                  | 4  |  |  |
| 2                          | ΑE                                 | Iardware Model                        | 5  |  |  |
|                            | 2.1                                | Narrowing the Scope of Investigation  | 5  |  |  |
|                            | 2.2                                | The Register-transfer Model           | 6  |  |  |
|                            | 2.3                                | The FM8501 Model                      | 8  |  |  |
|                            |                                    | 2.3.1 Hardware Functions              | 8  |  |  |
|                            |                                    | 2.3.2 Sequencing                      | 8  |  |  |
|                            | 2.4                                | Related Hardware Verification Efforts | 9  |  |  |
| 3                          | Notation and Bit Vectors 1         |                                       |    |  |  |
|                            | 3.1                                | Another Language–Why?                 | 13 |  |  |
|                            | 3.2                                | The Boyer-Moore Logic                 | 14 |  |  |
|                            | 3.3                                | Bit Vectors                           | 16 |  |  |
| 4                          | Numeric Definitions and Operations |                                       |    |  |  |
|                            | 4.1                                | Natural Number Representation         | 20 |  |  |
|                            |                                    | 4.1.1 Natural Numbers                 | 20 |  |  |
|                            |                                    | 4.1.2 Bit-vectors for Natural Numbers | 21 |  |  |
|                            | 4.2                                | Integer Number Representation         | 23 |  |  |
|                            |                                    | 4.2.1 Integer Numbers                 | 23 |  |  |
|                            |                                    | 4.2.2 Bit-vectors for Integer Numbers | 24 |  |  |

#### 5 The Verification Approach

| 6  | FM         | 8501: A Conventional Description       | 31        |
|----|------------|----------------------------------------|-----------|
|    | 6.1        | Introduction and Features              | 31        |
|    | 6.2        | Block Diagram                          | 32        |
|    | 6.3        | Programmer's Model                     | 32        |
|    | 6.4        | Data Representation                    | <b>34</b> |
|    | 6.5        | Instruction Format                     | 34        |
|    | 6.6        | Addressing                             | 35        |
|    | 6.7        | Instruction Set                        | 35        |
|    | 6.8        | Signal Description                     | 36        |
|    |            | 6.8.1 Address Bus                      | 36        |
|    |            | 6.8.2 Data Out Bus                     | 36        |
|    |            | 6.8.3 Data Input                       | 36        |
|    |            | 6.8.4 Reset Input                      | 38        |
|    |            | 6.8.5 Data Acknowledge Input           | 38        |
|    |            | 6.8.6 Read and Write Outputs           | 38        |
|    |            | 6.8.7 Clock and Power                  | 38        |
|    | 6.9        | Bus Operation                          | 39        |
|    |            | -                                      |           |
| 7  | Con        | nmonly Used Functions                  | 41        |
|    | 7.1        | Bit and Bit-vector Manipulation        | 41        |
|    | 7.2        | Adder and Subtracter Definitions       | 51        |
|    | 7.3        | Incrementer and Decrementer            | 53        |
| ~  | <b>771</b> | A T TT                                 |           |
| 8  |            |                                        | 55        |
|    | 8.1        | ALU Hardware Function                  | 56        |
|    | 8.2        | ALU Specification                      | 58        |
| 9  | Inet       | ruction Fields                         | 69        |
| 3  | Inst       | i uction Tields                        | 09        |
| 10 | Upo        | late and Accessor Functions            | 73        |
|    | -          |                                        |           |
| 11 |            | e FM8501 Hardware Interpreter          | 75        |
|    |            | The Control Unit                       | 78        |
|    | 11.2       | Miscellanous Functions                 | 81        |
|    | 11.3       | The FM8501 Combinational Logic         | 83        |
|    | 11.4       | External Functions                     | 89        |
|    |            |                                        |           |
| 12 |            | 8501: A Formal Specification           | 93        |
| •  |            | RAM, Flags, and the Register File      | 93        |
|    |            | The Instruction Interpreter            | 93        |
|    |            | Conditional Storage of the ALU Results | 94        |
|    |            | Register File Update                   | 95        |
|    |            | Memory Update                          | 100       |
|    |            | Flag Interpretations                   | 100       |
|    | 12.7       | The Reset Specification                | 101       |

| 13             | Correctness of FM8501                | 103 |  |  |
|----------------|--------------------------------------|-----|--|--|
|                | 13.1 The Proof Environment           | 103 |  |  |
|                | 13.2 Resetting FM8501                | 104 |  |  |
|                | 13.3 Abstracting Big-Machine's State | 106 |  |  |
|                | 13.4 The Oracles                     | 107 |  |  |
|                | 13.5 Correctness of FM8501           |     |  |  |
|                | Instruction Execution                | 109 |  |  |
|                | 13.6 Correctness of FM8501           | 109 |  |  |
| 14             | Expansion of FM8501                  | 111 |  |  |
| 15 Conclusions |                                      |     |  |  |
| Appendix       |                                      |     |  |  |
| Inc            | Index                                |     |  |  |
| References     |                                      |     |  |  |