

# End-to-End Verification of ARM<sup>®</sup> Processors with ISA-Formal

L

Alastair Reid, Rick Chen, Anastasios Deligiannis, David Gilday, David Hoyes,  
Will Keen, Ashan Pathirane, Owen Shepherd, Peter Vrabel, Ali Zaidi



[alastair.reid@arm.com](mailto:alastair.reid@arm.com)

[@alastair\\_d\\_reid](https://twitter.com/alastair_d_reid)

# Scale

Large Specifications

Large Implementations

# Checking an instruction

ADD

# Checking an instruction









# Errors ISA-Formal can catch

- No Context {
  - Errors in decode
  - Errors in data path
- Context {
  - Errors in forwarding logic
  - Errors in register renaming
  - Errors in exception handling
  - Errors in speculative execution

# Specifying ADD

|    |    |    |    |    |    |   |   |    |   |    |   |    |   |   |   |
|----|----|----|----|----|----|---|---|----|---|----|---|----|---|---|---|
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7  | 6 | 5  | 4 | 3  | 2 | 1 | 0 |
| 0  | 0  | 0  | 1  | 1  | 0  | 0 |   | Rm |   | Rn |   | Rd |   |   |   |

```
assign ADD_retiring = (pre.opcode & 16'b1111_1110_0000_0000)  
                      == 16'b0001_1000_0000_0000;
```

```
assign ADD_result  = pre.R[pre.opcode[8:6]] + pre.R[pre.opcode[5:3]];
```

```
assign ADD_Rd     = pre.opcode[2:0];
```

```
assert property (@(posedge clk) disable iff (~reset_n)  
    ADD_retiring |-> (ADD_result == post.R[ADD_Rd]));
```

# ISA Formal

- Finds complex bugs in processor pipelines
- Applied to wide range of μArchitectures
- Uses translation of ARM's internal ISA specification





# Challenges

- Complex Functional Units
  - FP
  - Memory
- Dual Issue
- Instruction Fusion
- Register Renaming
- Out-of-order Retire











# FP Subset Behaviour

| <i>FPAAdd</i> | $-\infty$ | -1        | 0         | 1         | $\infty$ |
|---------------|-----------|-----------|-----------|-----------|----------|
| $-\infty$     | $-\infty$ | $-\infty$ | $-\infty$ | $-\infty$ |          |
| -1            | $-\infty$ |           | -1        | 0         | $\infty$ |
| 0             | $-\infty$ | -1        | 0         | 1         | $\infty$ |
| 1             | $-\infty$ | 0         | 1         |           | $\infty$ |
| $\infty$      |           | $\infty$  | $\infty$  | $\infty$  | $\infty$ |

# ISA Formal

- Finds complex bugs in processor pipelines
- Applied to wide range of μArchitectures
- Uses translation of ARM's internal ISA specification

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         |     | ✓   |   |     |       |
| NZCV        |     |     |   |     |       |
| SP          |     |     |   |     |       |
| PC          |     |     |   |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         |     | ✓   |   |     |       |
| NZCV        |     |     |   |     |       |
| SP          |     | ✓   |   |     |       |
| PC          |     |     |   |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         |     | ✓   | ✓ |     |       |
| NZCV        |     |     |   |     |       |
| SP          |     | ✓   |   |     |       |
| PC          |     |     | ✓ |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ |     |       |
| NZCV        | ✓   |     |   |     |       |
| SP          | ✓   | ✓   |   |     |       |
| PC          |     |     | ✓ |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

But this is slow  
and inconsistent

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        |     |     |   |     |       |
| SP          |     |     |   |     |       |
| PC          |     |     |   |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] | ✓   | ✓   | ✓ | ✓   | ✓     |
| FPSR        | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] | ✓   | ✓   | ✓ | ✓   | ✓     |
| FPSR        | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemRead     | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemWrite    | ✓   | ✓   | ✓ | ✓   | ✓     |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] | ✓   | ✓   | ✓ | ✓   | ✓     |
| FPSR        | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemRead     | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemWrite    | ✓   | ✓   | ✓ | ✓   | ✓     |
| SysRegRW    | ✓   | ✓   | ✓ | ✓   | ✓     |
| ELR         | ✓   | ✓   | ✓ | ✓   | ✓     |
| ESR         | ✓   | ✓   | ✓ | ✓   | ✓     |
| ...         |     |     |   |     |       |

# Automation





# Summary

- Finds complex bugs in processor pipelines
  - Complete RTL, not just model
  - Bug absence not being proved (yet)
- Applied to wide range of μArchitectures
  - 3 trials, 6 full deployments.
- Uses translation of ARM's internal ISA specification
  - Public release of ISA spec this fall in collaboration w/ Cambridge University
  - “Trustworthy Specifications of ARM® v8-A and v8-M System Level Architecture,” to appear, FMCAD 2016

End

[alastair.reid@arm.com](mailto:alastair.reid@arm.com)  
[@alastair\\_d\\_reid](https://twitter.com/alastair_d_reid)

