# Instruction Set Architecture Specification, Verification, and Validation using Algorithmic C and ACL2

# 4 David S. Hardin

5 Collins Aerospace, USA

6 david.hardin@collins.com

### 7 — Abstract

It is common practice during Instruction Set Architecture (ISA) development to create an ISA 8 simulator, usually in C/C++. We describe an experiment in which we implement such an ISA q simulator for a derivative of a popular ISA written in a subset of Algorithmic C, to allow for the 10 verification of binary programs targeting that ISA, as well as to aid in the validation of the ISA 11 model via simulated execution of test programs on the model. Algorithmic C defines C++ header 12 files that enable compilation to both hardware and software platforms, providing support for the 13 peculiar bit widths employed, for example, in floating-point hardware design. We utilize a toolchain, 14 due to Russinoff and O'Leary, that provides a translation from a restricted subset of Algorithmic C 15 to the Common Lisp subset supported by the ACL2 theorem prover. This toolchain, called RAC, is 16 documented in Russinoff's recent book on floating-point hardware verification. We create an ISA 17 simulator in this C++ subset, use RAC to translate this simulator code to ACL2, produce small 18 binary programs for the ISA that we use to validate the simulator, and utilize the ACL2 Codewalker 19 decompilation-into-logic facility to prove those programs correct. 20

 $_{21}$  2012 ACM Subject Classification Hardware  $\rightarrow$  Hardware validation

Keywords and phrases Formal verification, theorem proving, instruction set architecture, decompi lation into logic

<sup>24</sup> Digital Object Identifier 10.4230/LIPIcs...

# <sup>25</sup> **1** Introduction

in his tour de force book on floating-point hardware verification [4], David Russinoff details 26 a 20-year quest to provide mathematical proofs for complex arithmetic hardware utilizing an 27 automated theorem prover, namely ACL2. Russinoff begins by presenting a formalization of 28 modular arithmetic in standard mathematical notation, but backed by collections of ACL2 29 lemmas, called *books* in ACL2 parlance. The *RTL* books are named after the "Register 30 Transfer Logic" artifacts that hardware designers produce using Hardware Description 31 Languages (HDLs), and are designed for reasoning at the RTL level. After developing 32 progressively more complex arithmetic circuits, Russinoff concludes his text with the complete 33 verification of representative ARM floating-point RTL for addition, multiplication, fused 34 multiply/add, division and square root. All of the sources and tools described in Russinoff's 35 book are available as part of the ACL2 distribution, so the curious reader can reproduce his 36 verification results. 37

The HDL that Russinoff employs in his book is a subset of Algorithmic C. Algorithmic C<sup>1</sup> entails a set of freely available C++ header files providing support for hardware development, including the peculiar bit widths utilized in floating-point design, and enables compilation to both hardware and software platforms. The Restricted Algorithmic C toolchain, or RAC, evolved from a similar toolchain for SystemC called MASC [3]. RAC accepts Algorithmic C

<sup>&</sup>lt;sup>1</sup> Available at https://www.mentor.com/hls-lp/downloads/ac-datatypes



© David S. Hardin:

licensed under Creative Commons License CC-BY Leibniz International Proceedings in Informatics

LIPICS Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany

### XX:2 Instruction Set Architecture Specification, Verification, and Validation



**Figure 1** Restricted Algorithmic C (RAC) toolchain and Codewalker.

```
struct leg64St {
    ui10 pc;
    array<ui64, REG_SZ>regs;
    array<ui64, DMEM_SZ>dmem;
    ui8 opcode;
    ui8 op1; [...] }
    leg64St leg64step(leg64St s, uint n) {
        s = leg64step(s); }
        return do_Inst(nextInst(s)); }
```

**Figure 2** Fragment of the LEG64 ISA state and step functions in Restricted Algorithmic C.

source, then translates it to S-expression forms acceptable to ACL2. A simplified view of the
RAC toolchain is shown in Fig. 1; for a complete depiction, see Fig. V.1 of [4].

RAC imposes several restrictions on the Algorithmic C developer. The most significant
of these is that all RAC function arguments must be pass-by-value, and all functions must
be side-effect-free. Please refer to Chapter 15 of [4] for details.

# **2** ISA Specification in Restricted Algorithmic C

<sup>49</sup> Our present challenge is to determine whether the RAC toolchain can be used to develop <sup>50</sup> an Instruction Set Architecture (ISA) simulator, of the sort commonly crafted (usually in <sup>51</sup> C/C++) during ISA design. The simulator should support proof-based verification, as well <sup>52</sup> as validation by simulation. For this experiment, we have created a simple 64-bit ISA, quite <sup>53</sup> similar to a commercially popular architecture, called LEG64. Figure 2 presents a fragment <sup>54</sup> of the LEG64 ISA state vector (left side), and instruction-stepping functions (right side).<sup>2</sup>

RAC translates the state struct, including its arrays, to ACL2 records, with ag get function, and as set function. The fixed-width data types are enforced in ACL2 using the RTL (bits y i j) function, which returns a bit-slice of y between bit indices i and j. Loop bodies are translated into ACL2 recursive functions, with generated ACL2 :measure forms to aid in termination analysis. The resulting ACL2 functions are readable, if not pretty.

### **3** Validation by Simulation

<sup>61</sup> To validate our RAC specification for the ISA, we can use the C++ executable for the ISA <sup>62</sup> simulator, a hardware simulator, or the RAC-translated ACL2 simulator, as depicted in

 $<sup>^2~{\</sup>rm Complete~sources}$  available at https://github.com/david-s-hardin/algoc-isa

| ui64 fact(ui64 n, ui64, acc) {        | .L3: cmp r0, #0 | ; r0 == 0?    |
|---------------------------------------|-----------------|---------------|
| if $(n == 0) \{$                      | beq .L2         | ; if so, done |
| return acc;                           | mul r1, r1, r0  | ; r1 <- r1*r0 |
| } else {                              | sub r0, r0, #1  | ; r0 <- r0-1  |
| <pre>return fact(n-1, acc * n);</pre> | b .L3           | ; goto top    |
| }                                     | .L2: mov r0, r1 | ; r0 <- r1    |
| }                                     | ret             | ; return      |

**Figure 3** Example test program for the LEG64 ISA simulator.

Fig. 1. In all cases, we validate the ISA simulator by loading the simulated code memory with binary programs compiled for our target ISA, load the data memory and registers appropriately for a given test, then step the simulator for the required number of steps, then inspecting the relevant elements of the resulting state vector. The results of running tests on the C++ executable of the ISA simulator can be checked against the translated ACL2 model as a validation check for the translation; ACL2's speed aids in this effort.

# <sup>69</sup> 4 Verification by ACL2 Proof using Codewalker

Once the LEG64 simulator has been translated to ACL2, we can reason about the translated functions, using the RTL books, as well as other ACL2 books. We can also reason about LEG64 binary code, using J Moore's decompilation-into-logic tool, Codewalker<sup>3</sup>. We have previously used Codewalker to prove properties of LLVM code [1].

As an example, consider a simple tail-recursive unsigned 64-bit factorial function (left of Figure 3), compiled to yield the LEG64 code on the right of Figure 3. The input parameter, n, is passed in using register r0, and the tail-recursive accumulator, acc, is passed in r1. The function actually computes acc \* n!, which is equal to n! when acc = 1 (modulo 64 bits). This result is then copied into register r0 for return to the caller.

To begin the verification, we describe the LEG64 machine, its registers, memories, and 79 ISA simulator functions, to Codewalker, and provide it the binary of the code of Figure 3. 80 Codewalker then "walks" the binary code, guided by the ACL2 ISA simulator, and decompiles 81 each basic block into a *semantic function* summarizing the effect of that block on the ISA 82 state s, in the style of Magnus Myreen's Ph.D. work [2]. Codewalker also generates a 83 per-block clock function, giving the number of instruction steps needed for a given input 84 condition. We can then instruct Codewalker to "project" the final value for a given register 85 out of a loop, producing a function that abstracts away the LEG64 state details. That 86 function can then be reasoned about, and/or executed in ACL2. For our factorial example, 87 Codewalker produces (fn1-loop pc n acc) for the final accumulator value, a function of 88 the ISA simulator program counter pc, input value n, and initial accumulator value acc. After 89 creating a "wrapper" function, fn1, we prove the correctness theorems of Figure 4, where ! 90 is a non-tail-recursive infinite-precision factorial function, and expt is exponentiation. 91

Finally, we prove that the execution of the loop of the factorial subroutine, loaded into code memory of the simulated LEG64, using the stepping function leg64steps, written in Algorithmic C and then translated by RAC to ACL2, for the number of steps given by the

<sup>&</sup>lt;sup>3</sup> Codewalker is part of the ACL2 standard distribution, in books/projects/codewalker

### XX:4 Instruction Set Architecture Specification, Verification, and Validation

```
(defthm fn1-loop-is-acc-*-n! (defun fn1 (n) (fn1-loop 0 n 1))
(implies
  (and (natp n)(natp acc) (defthm fn1-is-n!
        (< n (expt 2 64)) (implies
        (< acc (expt 2 64))) (and (natp n) (< n (expt 2 64)))
  (equal (fn1-loop 0 n acc) (equal (fn1 n)
        (bits (* acc (! n)) 63 0)))) (bits (! n) 63 0))))
```

**Figure 4** Correctness theorems for the projected loop result function from Codewalker.

```
(defthm reg-1-of-fact-loop-is-acc-*-n!
  (implies
   (and (fact-routine-loadedp s) (integerp (ag 0 (ag 'regs s)))
        (<= 1 (ag 0 (ag 'regs s))) (< (ag 0 (ag 'regs s)) (expt 2 64))
        (integerp (ag 1 (ag 'regs s))) (< (ag 1 (ag 'regs s)) (expt 2 64))
        (= (ag 'pc s) 0))
   (equal (ag 1 (ag 'regs (leg64steps s (acl2::clk-0 s))))
        (bits (* (ag 1 (ag 'regs s)) (! (ag 0 (ag 'regs s)))) 63 0))))
```

**Figure 5** Correctness of the factorial loop when executed on the LEG64 ISA simulator.

<sup>95</sup> Codewalker-generated clock function clk-0, yields the expected result, as shown in Figure 5.

### **5** Conclusion and Future Work

<sup>97</sup> We have used Restricted Algorithmic C to create an ISA-level simulator for a representative <sup>98</sup> CPU, and successfully employed the RAC toolchain, initially developed to verify floating <sup>99</sup> point hardware, to translate this simulator to ACL2. We produced small binary programs <sup>100</sup> for the ISA that we used to validate the simulator, then utilized the ACL2 Codewalker <sup>101</sup> decompilation-into-logic facility to prove those programs correct.

Future work includes refining the RAC toolchain to allow tail recursion, support for ACL2 typed records and/or stobjs, as well as investigating the verification of hardware/software codesigns. Codewalker is an experimental tool, and while its ability to comprehend new instruction sets and automatically create semantic functions, clock functions, etc., is impressive, it is difficult to configure. Additionally Codewalker is only useful for single subroutines; future work is needed to improve usability and scalability.

```
108
         References
    1
          David S. Hardin. Reasoning about LLVM code using Codewalker. In Proceedings of the 13th
109
          International Workshop on the ACL2 Theorem Prover and its Applications, volume 192, pages
110
          79-92. EPTCS, 2015. doi:10.4204/EPTCS.192.7.
111
    2
          Magnus O. Myreen. Formal verification of machine-code programs. PhD thesis, University of
112
          Cambridge, 2009.
113
          John W. O'Leary and David M. Russinoff. Modeling algorithms in SystemC and ACL2.
    3
114
          In Proceedings of the 12th International Workshop on the ACL2 Theorem Prover and its
115
          Applications, volume 152, pages 145–162. EPTCS, 2014. doi:10.4204/EPTCS.152.12.
116
    4
          David M. Russinoff. Formal Verification of Floating-Point Hardware Design: A Mathematical
117
          Approach. Springer, 2018.
118
```