A formal framework for verification of embedded custom memories of the Motorola MPC7450 microprocessor

  • Authors: Jayanta Bhadra; Andrew K. Martin; Jacob A. Abraham
  • Affiliations: Freescale Semiconductor Inc.; IBM Corp.; The University of Texas at Austin
  • Venue: Formal Methods in System Design
  • Year: 2005

Abstract

In this presentation, we deal with the verification of custom-designed embedded memories. Using our paradigm, one can abstract the behavior of a memory block by a pair of artifacts: one representing its contents, and another representing its interface. We make use of the well-known behavioral model known as the Efficient Memory Model (EMM) [29, 30] to represent the contents of memories. We provide a methodology by which the behavior of a switch-level (or, equivalently, transistor-level) device can be specified using parameterized regular expressions. These entities can be used to abstractly describe the behavior of a group of switches that represent the interface of a memory. An automaton that we construct from an abstract memory interface definition represents an abstraction of the memory interface itself. We show that such an automaton also forms a transducer that is a simulation model in a symbolic simulation environment. An EMM representing a memory core, in conjunction with a transducer representing its interface, is used as an abstraction of a complete memory during our automatic verification process.

We also present a language formalism with which we show that the outputs of the transducers generated from the abstract specifications are weaker than or equal to the outputs defined by the regular expressions, in a partially ordered output space. We show that although the regular expressions are defined over exact and legal input strings, the transducers computed from them can provide outputs even when given weak or illegal input strings. This is an absolute necessity for producing outputs when the transducer is treated as a reactive system embedded in a symbolic simulation environment. Thus, we show that the simulation model generated by our technique is a conservative approximation of the corresponding abstract specification.

We present a simple theory of composition that can be used to compose the different simulation models used in our technique. Memories with several ports result in several user-provided abstract specifications, which in turn result in several transducers that can be composed into a single transducer. That transducer can in turn be composed with a simulation model of an EMM. Our theory of composition also enables one to compose the abstract state space of a memory core and its ports with the concrete state space of the circuitry surrounding the memory core. We have shown that the composite simulation model representing the complete circuit has a partially ordered state space that (a) forms a complete lattice and (b) has a monotonic state transition function, which makes it suitable for use in a symbolic simulation environment based on Symbolic Trajectory Evaluation (STE) [27].

The verification paradigm used is STE. For Motorola high-performance microprocessors, switch-level models are hand designed on the assumption that the corresponding RTLs are golden models. Therefore, checking equivalence between the two models is an absolute necessity, as the RTL needs to be predictive of silicon behavior. We have developed a tool based on the proposed technique and used it to check that RTL descriptions of custom memories have been correctly implemented by transistor-level descriptions of the same, augmented with abstract specifications of their cores. Our example circuits were taken from the state-of-the-art Motorola MPC7450 microprocessor, a Motorola PowerPC. Experimental evidence testifies to the effectiveness of the technique in catching subtle bugs in data path circuitry.
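The abstract's central claims (an EMM-style core composed with an interface transducer, outputs that are weaker than or equal to the specification in a partially ordered output space, and a monotonic transition function that still produces an output on weak or illegal input) can be made concrete on the three-valued lattice that STE uses, where X sits below both 0 and 1. The following is an added illustration written for this page, not code from the paper or its tool; the single port's signals (we, re, addr, din, dout), the protocol rule that at most one of we and re is asserted, and the sample stimulus are all assumptions made here.

```python
# Ternary (X/0/1) model of a memory core plus one read/write port, in the spirit
# of the abstract's EMM-plus-transducer construction. Added illustration only:
# the port signals (we, re, addr, din -> dout), the "at most one of we/re
# asserted" protocol and the sample sequences are assumptions, not the paper's.

X, ZERO, ONE = "X", "0", "1"

def leq(a, b):
    """Information ordering of the ternary lattice: X lies below both 0 and 1."""
    return a == X or a == b

def leq_vec(u, v):
    """Pointwise ordering on ternary strings (signals are strings of X/0/1)."""
    return len(u) == len(v) and all(leq(a, b) for a, b in zip(u, v))

def t_and(a, b):
    if a == ZERO or b == ZERO:
        return ZERO
    return ONE if a == ONE and b == ONE else X

def t_eq(a, b):
    """Kleene equality of two ternary bits: unknown if either side is unknown."""
    if a == X or b == X:
        return X
    return ONE if a == b else ZERO

def t_eq_vec(u, v):
    r = ONE
    for a, b in zip(u, v):
        r = t_and(r, t_eq(a, b))
    return r

def t_mux(sel, on_one, on_zero):
    """Per-bit multiplexer; an X select yields X wherever the two inputs differ."""
    if sel == ONE:
        return on_one
    if sel == ZERO:
        return on_zero
    return "".join(a if a == b else X for a, b in zip(on_one, on_zero))

class EMM:
    """EMM-style core: contents kept as a history of writes, not a flat array."""
    def __init__(self, width):
        self.width = width
        self.writes = []  # (addr, data) pairs, oldest first

    def read(self, addr):
        val = X * self.width  # initial contents are unknown
        for a, d in self.writes:
            # Newer writes override older ones where the addresses match;
            # an X comparison weakens the result instead of failing.
            val = t_mux(t_eq_vec(addr, a), d, val)
        return val

    def write(self, addr, data):
        self.writes.append((addr, data))

class Port:
    """Interface transducer: always yields an output, even for weak/illegal input."""
    def __init__(self, core):
        self.core = core

    def step(self, we, re, addr, din):
        w = self.core.width
        if we != ZERO:
            # A write that may or may not happen (we == X) is recorded as the
            # mux of new and current contents, so uncertain bits become X.
            self.core.write(addr, t_mux(we, din, self.core.read(addr)))
        if re == ZERO:
            return X * w  # port is not reading: output undriven
        if we != ZERO:
            # Read during a definite (illegal) or possible write: the protocol
            # does not define the result, so the weakest output is produced.
            return X * w
        return t_mux(re, self.core.read(addr), X * w)

def run(seq, width=4):
    """Drive a fresh core/port through (we, re, addr, din) steps; return the outputs."""
    port = Port(EMM(width))
    return [port.step(*s) for s in seq]

def check_monotone(weak_seq, strong_seq):
    """Conservative approximation: weaker inputs must never give stronger outputs."""
    inputs_ordered = all(all(leq_vec(a, b) for a, b in zip(s, t))
                         for s, t in zip(weak_seq, strong_seq))
    outputs_ordered = all(leq_vec(a, b) for a, b in zip(run(weak_seq), run(strong_seq)))
    return inputs_ordered and outputs_ordered

# Constructed sample stimulus: a legal write, a read, an illegal read-during-write,
# then a read that observes the write. WEAK is STRONG with some bits set to X.
STRONG = [("1", "0", "0101", "1010"), ("0", "1", "0101", "0000"),
          ("1", "1", "0101", "1111"), ("0", "1", "0101", "0000")]
WEAK = [("1", "0", "0101", "1010"), ("0", "1", "01X1", "0000"),
        ("X", "1", "0101", "1111"), ("0", "1", "0101", "0000")]

if __name__ == "__main__":
    print(run(STRONG))  # ['XXXX', '1010', 'XXXX', '1111']
    print(run(WEAK))    # ['XXXX', 'XXXX', 'XXXX', '1X1X']
    print(check_monotone(WEAK, STRONG))  # True
```

The point to notice is the third step of STRONG: the stimulus violates the assumed protocol (read and write asserted together), yet the transducer does not reject it; it returns the all-X vector, which is below every legal output in the lattice. In WEAK, an X on the write enable is absorbed into the core as a partially unknown word (1X1X), and every output stays pointwise below the corresponding STRONG output, which is exactly the monotonicity property that STE relies on.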