The diversity in processor architecture is continuously increasing, primarily due to the slowed improvements in semiconductor process technology. Specialized processors implement a new instruction-set architecture (ISA), or a variation of an existing one, that defines specialized instructions designed for the target domain. The new instructions found in these specialized processors make program analysis cumbersome. Many program analysis techniques require the instruction semantics to be formally described, but doing so for every complex, new special instruction has been found to be challenging. This work presents SemTracter, which extracts instruction semantics automatically from a processor implemented in a hardware-description language (HDL) at register-transfer level (RTL). SemTracter obtains each instruction's semantics by simulating the processor RTL symbolically and compiling the result to formal instruction semantics in the Sail language. Our evaluation of SemTracter using a small RISC-V processor RTL shows that SemTracter can extract the semantics of basic instructions from a 5-stage processor implemented in RTL. SemTracter extracted most of the RISC-V 32-bit integer base user-level ISA (RV32I) instructions that the RTL implements, and it took 9 hours to extract the semantics. The generated semantics match the manually written semantics.
Publisher
Ulsan National Institute of Science and Technology (UNIST)