A mechanically checked proof of the AMD5K86TM floating-point division program

We report on the successful application of a mechanical theorem prover to the problem of verifying the division microcode program used on the AMD5_K86 microprocessor. The division algorithm is an iterative shift and subtract type. It was implemented using floating point microcode instructions. As a consequence, the floating quotient digits have data dependent precision. This breaks the constraints of conventional SRT division theory. Hence, an important question was whether the algorithm still provided perfectly rounded results at 24, 53, or 64 bits. The mechanically checked proof of this assertion is the central topic of the paper. The proof was constructed in three steps. First, the divide microcode was translated into a formal intermediate language. Then, a manually created proof was transliterated into a series of formal assertions in the ACL2 dialect. After many expansions and modifications to the original proof, the theorem prover certified the assertion that the quotient will always be correctly rounded to the target precision