Validation of Pipelined Processor Designs using Esterel Tools: A Case Study* (Extended Abstract)

S. Ramesh (1) and Purandar Bhaduri (2)**

(1) Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Powai, Mumbai 400076, INDIA. Email: ramesh@cse.iitb.ernet.in
(2) Applied Technology Group, Tata Infotech Ltd, Seepz, Andheri (E), Mumbai 400096, INDIA. Email: purandar.bhaduri@tatainfotech.com

* Partial support for this work came from the Indo-US Project titled Programming Dynamical Real-time systems and Tata Infotech Research Laboratory, IIT Bombay.
** This author's current address: TRDDC, 54B, Hadapsar Industrial Estate, Pune 411013, INDIA. Email: pbhaduri@pune.tcs.co.in

Abstract. The design of control units of modern processors is quite complex due to many speed-up techniques like pipelining and out-of-order execution. The existing approaches to formal verification of processor designs are applicable to very high level descriptions that ignore timing details of control signals. In this paper, we propose an approach for verification of detailed design of processors. Our approach suggests the use of Esterel language which has rich constructs for succinct and modular description of control. The Esterel simulation tool Xes and verification tools Xeve and FcTools can be used effectively to catch minor bugs as well as subtle timing errors. As an illustration, we have developed an Esterel implementation of DLX pipeline control and verified certain crucial properties.

1 Introduction

Modern processors employ many techniques like pipelining, branch prediction and out-of-order execution to enhance their performance. The design and validation of these processors, especially their control circuitry, is a challenging task [6, 7]. Formal verification techniques, emerging as a viable approach to validation [10], are still inadequate in verification of large systems like processors.

Recently many new techniques have been proposed specifically for processor verification [1, 7, 6, 9, 11]. These techniques verify that the given implementation is equivalent to a simpler sequential model of execution, as described by the instruction set architecture. But in these approaches, the implementation is at a very high level of abstraction ignoring details of finer timing constraints on control signals. These details are to be introduced to arrive at the final implementation that can be realized in hardware. Even if the design at the higher level of abstraction is proved to be equivalent to a sequential model, later refinements may introduce timing errors.

The aim of this paper is to propose a verification method for detailed processor implementations containing timing constraints of control signals. We suggest the use of Esterel language [3, 2] and its associated verification tools for describing the implementations and verifying their properties. Esterel has a number of attractive features that come in handy for our purpose. It provides a nice separation between data and control. It offers a rich set of high level constructs, like preemption, interrupts and synchronous parallelism, that are natural for hardware systems and that enable modular and succinct description of complex controllers. Besides simulation, Esterel descriptions can be rigorously verified using the tools Xeve [4] and FcTools [5]. Finally, Esterel programs can be directly translated into hardware.

In this paper we illustrate our approach by developing an Esterel model of the DLX pipelined processor control unit [8]. The model has been debugged using the simulator tool Xes and has been verified to satisfy a number of desired properties using the verification tools.

2 Esterel Specification of Pipelined Control Unit

The specification is based upon the informal description of DLX processor given in [8]. We confine ourselves to the control unit specification; the datapath specification can be trivially given using a host language like C.

2.1 The Main Controller

The execution of an instruction in the DLX processor goes through five stages: Instruction Fetch (IF), Instruction Decode/Register Fetch (ID), Execution/Effective Address Calculation (EX), Memory Access/Branch Completion (MEM) and Write-Back (WB). The introduction of pipelining leads to increased complexity in design in terms of additional registers and control logic due to various hazards. Pipeline registers are required to store the intermediate values produced by different stages. DLX uses the branch-not-taken prediction scheme and hence to handle the control hazard that occurs when a branch is taken (determined in the EX stage), the instruction in the ID stage must be squashed; the handling of interrupts requires even more complex control logic. Appropriate actions like data forwarding or stalling have to be taken to handle data hazards, for instance when an instruction updates a register or memory location that is read by a subsequent instruction.

Figure 1 gives an Esterel module that models a generic pipeline stage of the DLX controller. An Esterel program in general consists of one or more modules. Each module has an input-output interface and reactive code that is executed periodically at the phase of the built-in signal tick. Every time a module is executed, it reads input signals and depending upon the state of the module generates appropriate output signals and changes the state. Every such execution is called a reaction. A reaction is assumed to be instantaneous so that there is no time delay between input consumption and output generation. All Esterel statements are instantaneous excepting the `halt' statement which does not terminate at all. The control of an Esterel program resides at one or more halt statements (more than one when there are concurrent components) which decide the state of the program. A reaction, besides generating outputs, results in a change of state with the movement of control points from one set of halt statements to another.

    module XXUnit:
    input GoPrev, Stall, Restart;
    output GoNext, StallPrev, RestartPrev;
    loop                                 % execute the `loop' body repeatedly
      do                                 % the `body' of the `do-watching' statement starts here
        signal Go in                     % Go is a local signal
        [
          suspend                        % stop execution
            [
              loop
                await immediate Go;      % wait till the other component emits `Go'
                emit GoNext;             % generate the signal GoNext
                run XX;                  % execute the module named XX
                await tick               % wait for one reaction
              end loop
            ||
              loop
                await immediate GoPrev;  % wait till `GoPrev' is present in the input
                await tick;              % wait one reaction step
                emit Go                  % generate `Go' signal
              end loop
            ]
          when immediate Stall           % stop execution of the `suspend' body when `Stall'
                                         % is present
        ||
          loop
            await tick;
            await immediate Stall;
            emit StallPrev
          end
        ]
        end signal                       % end of scope of local signal declaration
      watching Restart;                  % abort the `watching' body when `Restart' is present
      emit RestartPrev
    end loop                             % end of the outermost loop
    end module                           % end of the module

Fig. 1. A pipeline stage in Esterel

Esterel possesses a rich set of constructs for describing control. Here we give a very brief explanation of some of these constructs. The statement await S is a simple `wait construct' that delays termination until the signal S is present in the input; await immediate S is a variant which can terminate even in the very first instant when control reaches the construct. The statement do stat watching S continues to execute stat as long as the signal S is not present; the moment S appears on the input, the whole statement terminates, aborting the computation inside stat. The statement suspend stat when S suspends the execution of stat in all reactions in which S is present; execution continues where it got suspended when S is not present.

Now we will describe the behavior of the module in Figure 1. For the sake of simplicity, we have taken the tick signal to define the clock of the processor. Suppose the signals Stall and Restart are not present in a reaction, corresponding to the uninterrupted flow of an instruction through the pipeline stages. Then the submodule XX (in the first branch of the parallel operator within the suspend statement) is executed in the cycle when the local signal Go is present; the Go signal is present in this cycle provided the GoPrev signal was present in the previous cycle (in the second branch of the parallel operator within the suspend statement). At the end of execution of XX, which is assumed to be instantaneous, the module generates GoNext.

Suppose that Stall is present in a cycle, representing a hazard in the pipeline stage XX. Then the execution of XX is suspended by the suspend statement and the signal GoNext is not generated; the signal StallPrev is generated (in the second branch of the outer parallel operator). If on the other hand the Restart signal is present, representing an interrupt or a taken branch, then the body of the outer watchdog primitive is killed and the execution is restarted because of the presence of the outer loop construct. This results in the loss of information about the presence of the GoPrev signal in the previous cycle. Also a Restart triggers a RestartPrev signal.

Thus, XXUnit executes the submodule XX in every cycle in which GoPrev is present and generates GoNext, as long as Stall or Restart are not present. A Stall in a cycle suspends the execution of XX while a Restart restarts the execution of the whole module afresh, resetting its internal state, i.e., it squashes the execution of XX.
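The reaction semantics described above can be exercised outside the Esterel tools. The Python model below is an added example, not code from the paper or from the Esterel tool set: it encodes one reading of Figure 1 (one latch per stage, immediate suspension on Stall, non-immediate abort on Restart), chains five stages with the signal renaming of the CONTROL module in Figure 2, and runs bounded exhaustive checks of the smooth-flow and StallIF properties that Section 3.1 verifies. The names Stage, simulate, completions, check_smooth_flow and check_stall_if are invented here, and the datapath modules (run XX) are left out.

```python
"""Cycle-level model of XXUnit (Fig. 1) chained as in CONTROL (Fig. 2).
Added illustration: class and function names are invented here."""
import itertools

STAGES = ("IF", "ID", "EX", "MEM", "WB")


class Stage:
    def __init__(self):
        self.pending = False  # GoPrev latched in an earlier cycle, local Go is due
        self.booted = False   # False only before the very first reaction
        self.stalled = False  # Stall seen in the current reaction

    def backward(self, stall, restart):
        """Reverse chains: return (StallPrev, RestartPrev) for this reaction."""
        killed = restart and self.booted   # `watching` is not immediate
        if killed:
            self.pending = False           # squash: the latched GoPrev is lost
        fresh = killed or not self.booted  # body is in its first instant
        self.stalled = stall               # suspension is immediate
        return (stall and not fresh), killed  # StallPrev waits behind `await tick`

    def forward(self, go_prev):
        """Forward chain: return GoNext for this reaction."""
        self.booted = True
        if self.stalled:
            return False                   # frozen: state kept, GoPrev ignored
        go_next, self.pending = self.pending, go_prev
        return go_next


def simulate(trace):
    """trace: one set of input signal names per cycle; returns the emitted sets."""
    stages = [Stage() for _ in STAGES]
    out = []
    for inputs in trace:
        emitted = set()
        stall = restart = False
        for name, st in reversed(list(zip(STAGES, stages))):  # WB back to IF
            stall, restart = st.backward(stall or "Stall" + name in inputs,
                                         restart or "Restart" + name in inputs)
        if stall:
            emitted.add("Stall0")
        if restart:
            emitted.add("Restart0")
        go = "IssueNextInstr" in inputs
        for name, st in zip(STAGES, stages):                  # IF on to WB
            go = st.forward(go)
            if go:
                emitted.add("InstrCompleted" if name == "WB" else "Go" + name)
        out.append(emitted)
    return out


def completions(trace):
    """Cycles in which InstrCompleted is emitted."""
    return [t for t, e in enumerate(simulate(trace)) if "InstrCompleted" in e]


def check_smooth_flow(n=8):
    """No stalls or restarts: every issue at t completes at t+5, nothing else does."""
    for bits in itertools.product((False, True), repeat=n):
        trace = [{"IssueNextInstr"} if b else set() for b in bits] + [set()] * 5
        want = [t + 5 for t, b in enumerate(bits) if b]  # IF runs at t+1, WB at t+5
        if completions(trace) != want:
            return False
    return True


def check_stall_if(n=6):
    """StallIF at cycle t implies no InstrCompleted at cycle t+4."""
    choices = (set(), {"IssueNextInstr"}, {"StallIF"}, {"IssueNextInstr", "StallIF"})
    for trace in itertools.product(choices, repeat=n):
        done = completions(list(trace) + [set()] * 4)
        if any(t + 4 in done for t, ins in enumerate(trace) if "StallIF" in ins):
            return False
    return True
```

In this model InstrCompleted appears five reactions after IssueNextInstr, that is, four cycles after the IF stage runs; a StallEX lets the instruction already past EX complete on time while the one behind it slips by a cycle.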
    module CONTROL:
    input IssueNextInstr;
    output InstrCompleted;
    output WritePCn : integer, WritePCb : integer;
    inputoutput Restart0, RestartIF, RestartID, RestartEX, RestartMEM, RestartWB;
    inputoutput Stall0, StallIF, StallID, StallEX, StallMEM, StallWB;
    signal GoIF, GoID, GoEX, GoMEM in
    [
      run IFUnit [signal IssueNextInstr/GoPrev, GoIF/GoNext,
                         StallIF/Stall, Stall0/StallPrev,
                         RestartIF/Restart, Restart0/RestartPrev]
    ||
      run IDUnit [signal GoIF/GoPrev, GoID/GoNext,
                         StallID/Stall, StallIF/StallPrev,
                         RestartID/Restart, RestartIF/RestartPrev]
    ||
      run EXUnit [signal GoID/GoPrev, GoEX/GoNext,
                         StallEX/Stall, StallID/StallPrev,
                         RestartEX/Restart, RestartID/RestartPrev]
    ||
      run MEMUnit [signal GoEX/GoPrev, GoMEM/GoNext,
                          StallMEM/Stall, StallEX/StallPrev,
                          RestartMEM/Restart, RestartEX/RestartPrev]
    ||
      run WBUnit [signal GoMEM/GoPrev, InstrCompleted/GoNext,
                         StallWB/Stall, StallMEM/StallPrev,
                         RestartWB/Restart, RestartMEM/RestartPrev]
    ]
    end signal
    end module

Fig. 2. The control unit for the DLX pipeline stages

The Esterel module in Figure 2 models the behavior of the entire pipeline controller. Each pipeline stage is an instantiation of the generic module XXUnit given in Figure 1; for example, IFUnit is obtained from XXUnit by replacing the command run XX by run IF where the module IF, shown in Figure 3, describes the behavior of the instruction fetch stage.

In the module CONTROL, the renaming of the Go, Stall and Restart signals leads to the establishment of a forward Go-chain and two reverse Stall and Restart-chains. When there is no Stall signal (none of StallIF, ..., StallWB is present), the input IssueNextInstr signal triggers the execution of the five stages, with the execution of each stage in a cycle triggering via the Go-chain the execution of the next stage in the next cycle. When StallXX is present, it stalls the pipeline up to stage XX; this is achieved by the instantaneous transmission of the various Stall signals to the preceding stages via the Stall-chain. The succeeding stages are not affected by this stall. Similarly, a Restart signal triggers the restart of all the earlier stages up to the current stage using the Restart-chain.

2.2 The Pipeline Stages

The Esterel specification of the various pipe stages which instantiate XX in Figure 1 can now be described. Because of space constraints, we describe only the IF and EX stages.

    module IF:
    input ReadPC : integer, BranchTaken;
    output WritePCn : integer, IfOut : integer;
    function FetchInstr(integer) : integer;
    function IncrPC(integer) : integer;
    emit IfOut(FetchInstr(?ReadPC));
    present BranchTaken else
      emit WritePCn(IncrPC(?ReadPC))
    end present;
    end module

Fig. 3. IF Stage

The module IF in Figure 3 emits a signal IfOut with a value representing the current instruction and a signal WritePCn whose value indicates the new value of PC. The signal BranchTaken indicates a taken branch, and the IF stage writes a PC value only if this signal is absent, indicating a normal flow of execution. If the BranchTaken signal is present the PC value is written by the EX stage, shown in Figure 4, through a signal called WritePCb to indicate a branch in instruction execution. The external functions FetchInstr and IncrPC abstract the actions corresponding to fetching an instruction and incrementing the PC.

    module EX:
    input BranchTaken, Bypass, MemInAdr : integer, MemInVal : integer,
          ExInOpcode : integer, ExInOpnd : integer;
    output ExOutAdr : integer, ExOutVal : integer, WritePCb : integer;
    function AluOpAdr(integer, integer) : integer;
    function AluOpVal(integer, integer) : integer;
    present Bypass then
      emit ExOutAdr(AluOpAdr(?ExInOpcode, ?MemInVal));
      emit ExOutVal(AluOpVal(?ExInOpcode, ?MemInVal))
    else
      emit ExOutAdr(AluOpAdr(?ExInOpcode, ?ExInOpnd));
      emit ExOutVal(AluOpVal(?ExInOpcode, ?ExInOpnd))
    end present;
    present BranchTaken then
      emit WritePCb(AluOpAdr(?ExInOpcode, ?ExInOpnd))
    end present
    end module

Fig. 4. EX Stage

The module EX in Figure 4 emits two signals ExOutAdr and ExOutVal, corresponding to the address and value computed by the ALU by operations abstracted by the external functions AluOpAdr and AluOpVal. The presence of the input signal Bypass indicates that there is a data hazard and hence that the inputs to ALU are to be taken through a forwarding process from the output of the EX/MEM pipe stage; in the absence of this signal, the inputs come from the ID/EX pipe stage. The BranchTaken signal indicates a taken branch and triggers the signal WritePCb which writes the new branch address into PC.

The above Esterel model of the DLX processor has abstracted away details about the datapath, instruction decoding, alternative actions based on various types of instructions (such as load/store) and hazard detection. This is the reason that the signals Bypass, Restart, BranchTaken and Stall have been modeled as external input signals, rather than being generated internally (by hazard detection units).

3 Validation using Esterel tools

In this section we outline the validation of the design of the DLX processor control unit using the Esterel simulation tool Xes and verification tools Xeve and FcTools. We focus on the micro-properties of the control unit, such as smooth
flow of instructions through the pipeline, absence of deadlock, proper issuing of stall and restart instructions, and correct behavior of the pipeline with respect to these signals. We are able to verify that for example, in case of a taken branch (determined in the EX stage) the instruction following the branch (in its ID stage) is restarted or aborted. Similarly, we can verify that a stall signal sent to some stage propagates as a bubble through the pipeline.

The properties verified by us are finer than the macro-property verified in [7], namely that the pipelined machine has the same effect on visible state as the sequential one for the same input. The latter property, in its full glory, cannot be verified using existing Esterel tools because they deal with only control states. However, the property restricted to control states is still verifiable (see the paragraph titled Stall in Section 3.1).

3.1 Verification

The simple properties of the DLX pipeline controller mentioned above can be verified using the Esterel tools Xeve [4] and FcTools [5]. They are verification environments for Esterel programs modeled as finite state machines (FSMs) with a user-friendly graphical interface.

The Esterel compiler generates FSMs implicitly in the form of boolean equations with latches. One of the verification tasks performed by Xeve is to take an implicit FSM and perform a state minimization using the notion of bisimulation equivalence. Before minimization a set of input/output signals can be hidden. This results in a nondeterministic FSM where some transitions may be labeled by a hidden internal action. Xeve generates minimized FSMs, that can be further reduced using some abstraction criterion by FcTools and can be graphically explored using the tool ATG. FcTools is a verification tool set for networks of communicating FSMs. Its capabilities include graphical depiction of automata, reduction of automata and verification of simple modal properties by observers, counterexample production and visualization.

In our verification process the original FSM produced by Xeve had about 1500 states, which after making some irrelevant interface signals local got reduced to 543 reachable states. This was reduced to 16 states and 72 transitions after applying the observational equivalence minimization procedure available in FcTools. Still the automaton could not be inspected due to the large number of transitions. So we used the powerful abstraction technique available in FcTools to further reduce the size of the automaton. An abstraction criterion defines a new set of action symbols that are regular expressions on the action symbols in the original automaton. The reduction involves abstraction of sequences of old actions into new actions so that the reduced automaton contains only new action symbols; further, certain paths in the original automaton are eliminated, thereby resulting in a small automaton that can be checked easily. Depending upon the property to be checked, we applied different criteria to get small automata which we verified with respect to appropriate properties.

    Criterion      States   Transitions
    Initial        16       72
    Smooth Flow    8        12
    Stall          16       32
    Branch         1        1

Table 1. Sizes of Reduced Automata

Table 1 summarizes the sizes of the various reduced automata obtained for different criteria. The details about the criteria `Smooth Flow' and `Stall' are given below. The criterion `Branch' checks for proper updation of the PC value at any cycle by abstracting paths into two abstract actions `success' and `failure'. The reduced automaton has only one transition with the label `success'.

    pipe      ~?S.?I.~!WritePCb.~!IC.*
    pipebr    ~?S.?I.!WritePCb.~!IC.*
    pipec     ~?S.?I.~!WritePCb.!IC.*
    pipecbr   ~?S.?I.!WritePCb.!IC.*

Fig. 5. Abstraction Criterion for Smooth Flow

Smooth flow of instructions. This criterion verifies that every instruction issued is completed after four cycles in the absence of stalls and branches. The criterion depicted in Figure 5 defines four abstract actions pipe, pipec, pipebr and pipecbr which rename the edges satisfying the corresponding regular expressions, e.g., pipebr renames any edge in which a branch has been taken and no instruction is completed; in the regular expressions, . denotes synchronous product of input and output events (prefixed by ? and ! respectively) and their negations (prefixed by ~); the event * matches any event. Figure 6 gives the reduced automaton which can be verified with respect to the desired property by inspection. For the sake of clarity in the figures, the signals StallIF, IssueNextInstr, and InstrCompleted of the original automaton are renamed as S, I and IC respectively; further the WritePCb signal is treated as being synonymous with BranchTaken for technical reasons.

Fig. 6. Reduced Automaton for Smooth Flow (state diagram; edges labelled pipe, pipec, pipebr and pipecbr)

Stall. The property verified here is that the StallIF signal stalls the IF stage for a cycle: no instruction is completed four cycles after a StallIF assuming later stages are not stalled or squashed in the intervening period. The abstraction criterion for this is shown in Figure 7 and the reduced automaton in Figure 8. In the reduced automaton there is no path of length five starting with a stall or a stallc that ends with an ic or stallc edge. Another interesting thing to note from this automaton is that from every state there is a sequence of `stalls' that leads to the initial state; this property corresponds to the sequential equivalence property of [7] for control states.

    stall     ?S.~!WritePCb.~!IC.* + ~?I.~!WritePCb.~!IC.*
    stallc    ?S.~!WritePCb.!IC.* + ~?I.~!WritePCb.!IC.*
    ic        ~?S.?I.~!WritePCb.!IC.*
    i         ~?S.?I.~!WritePCb.~!IC.*

Fig. 7. Abstraction Criterion for Stall

Fig. 8. Reduced Automaton for Stall (state diagram; edges labelled i, stall, ic and stallc)

4 Conclusion

We have proposed the use of Esterel language and tools for verification of modern processors. Esterel can be used to describe, in sufficient detail and in a modular and succinct way, control units of processors using its rich set of constructs. Complex timing properties of Esterel descriptions can be verified using powerful tools.

We have illustrated the use of Esterel tools for the description of DLX processor. The initial results are encouraging. The verification tools Xes, Xeve and FcTools were found to be quite useful in detecting anomalies ranging from simple bugs to complex timing errors. We plan to extend our investigation to more complex processors involving superscalar features like out-of-order executions. We also plan to investigate, in greater detail, the relative merits of Esterel for describing control units of processors with respect to the traditional HDLs.

References

1. S. Berezin, A. Biere, Ed. Clarke, and Y. Zhu. Combining symbolic model checking with uninterpreted functions for out of order processor verification. In G. Gopalakrishnan and P. Windley, editors, FMCAD'98, LNCS 1522. Springer Verlag, 1998.
2. G. Berry. The Foundations of Esterel. In G. Plotkin, C. Stirling, and M. Tofte, editors, Proof, Language and Interaction: Essays in Honour of Robin Milner. MIT Press, 1998.
3. G. Berry and G. Gonthier. The Esterel synchronous programming language: Design, semantics, implementation. Science Of Computer Programming, 19(2), 1992.
4. A. Bouali. XEVE: An Esterel Verification Environment. Available by ftp from ftp-sop.inria.fr as file /meije/verif/xeve-doc.ps.gz.
5. A. Bouali, A. Ressouche, R. de Simone, and V. Roy. The FcTools User Manual. Available by ftp from ftp-sop.inria.fr as file /meije/verif/fc2userman.ps.
6. R. E. Bryant. Formal Verification of Pipelined Processors. In Proc. TACAS 98, LNCS 1384. Springer Verlag, March-April 1998.
7. J. R. Burch and D. L. Dill. Automatic Verification of Pipelined Microprocessor Control. In Proc. CAV'94, LNCS 818. Springer Verlag, June 1994.
8. J. Hennessy and D. Patterson. Computer Architecture: A Quantitative Approach, Second Edition. Morgan Kaufmann Publishers Inc., 1995.
9. R. Hosabettu, M. Srivas, and G. Gopalakrishnan. Decomposing the Proof of Correctness of Pipelined Microprocessors. In Proc. CAV'98, LNCS 1427. Springer Verlag, June/July 1998.
10. T. Kropf, editor. Formal Hardware Verification, LNCS 1287. Springer Verlag, 1997.
11. J. U. Skakkebaek, R. B. Jones, and D. L. Dill. Formal Verification of Out-of-order Execution using Incremental Flushing. In Proc. CAV'98, LNCS 1427. Springer Verlag, J