1. How do I use all this?

2. How do I use all this, really?

3. –Detailed step-by-step description of a pipeline verification example

4. Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

5. isaRegFile op inp src1 src2 dest out stall isaOut isaAlu Specification: ISA

6. isaRegFile op inp src1 src2 dst out stall isaOut isaAlu load r1 1 xnor r2 r1 r1 store r2 r1 := 1 r2 := 0 out := 0 Notes: 1. Store instruction results in an output 2. Memory hierarchy is not represented 3. Why do we need “stall” ?

7. regFile op inp src1 src2 dst alu P1 P2 out FETCHEXECUTEWRITE-BACK

8. regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall

9. isaRegFile op inp src1 src2 dst out stall isaOut regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall isaAlu Goal: Establish Pipeline refines ISA

10. isaRegFile op inp src1 src2 dst out stall isaOut regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall isaAlu need for “stall” in ISA

11. isaRegFile op inp src1 src2 dst out stall isaOut regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall isaAlu witnessed refinement isaRegFile isaAlu Limitation: State explosion

12. isaRegFile op inp src1 src2 dst out stall isaOut regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall isaAlu Why not decompose proof?

13. regFile op inp src1 src2 dst alu P1 P2 out FETCHEXECUTEWRITE-BACK

14. regFile P2 out WRITE-BACK

15. alu P1 P2 EXECUTE

16. regFile op inp src1 src2 dst P1 FETCH

17. isaRegFile op inp src1 src2 dst out stall isaOut out isaAlu Why not decompose proof? op inp src1 src2 dst

18. isaRegFile op inp src1 src2 dst out stall isaOut regFile out isaAlu Why not decompose proof? op inp src1 src2 dst

19. isaRegFile op inp src1 src2 dst out stall isaOut regFile op inp src1 src2 dst out res stall p2op p2dst out stall isaAlu Why not decompose proof?

20. isaRegFile op inp src1 src2 dst out stall isaOut regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall isaAlu Decompositon does not work!

21. isaRegFile op inp src1 src2 dest out stall isaOut isaAlu

22. isaRegFile opr1 op inp src1 src2 dest out stall isaOut opr2 res isaAlu p2dst opr1 opr2 res

23. isaRegFile opr1 op inp src1 src2 dst out stall isaOut opr2 res p2dst regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall opr1 opr2 res “out” proof isaAlu

24. isaRegFile op inp src1 src2 dst stall out isaAlu op inp src1 src2 dst res “out” proof

25. isaRegFile op inp src1 src2 dst stall regFile out isaAlu op inp src1 src2 dst res “out” proof

26. isaRegFile op inp src1 src2 dst stall regFile op inp src1 src2 dst out res stall p2op p2dst out stall isaAlu res “out” proof

27. isaRegFile op inp src1 src2 dst stall res p2dst regFile op src1 src2 dst out stall p1op p1dst p2op p2dst out stall “out” proof isaAlu

28. isaRegFile op inp src1 src2 dst stall res p2dst regFile op src1 src2 dst out stall p1op p1dst p2op p2dst out stall out isaOut “out” proof isaAlu

29. regFile P2 out WRITE-BACK

30. isaRegFile opr1 op inp src1 src2 dst out stall isaOut opr2 res p2dst regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall opr1 opr2 res “res” proof isaAlu

31. isaRegFile opr1 op inp src1 src2 dst stall opr2 op inp dst res stall p1inp p1op p1dst p2op p2dst alu stall opr1 opr2 res “res” proof isaAlu

32. isaRegFile opr1 op inp src1 src2 dst stall opr2 op inp dst res stall p1inp p1op p1dst p2op p2dst alu stall opr1 opr2 res p2dst “res” proof isaAlu

33. alu P1 P2 EXECUTE

34. isaRegFile opr1 op inp src1 src2 dst out stall isaOut opr2 res p2dst regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall opr1 opr2 res “opr1” proof isaAlu

35. isaRegFile op inp src1 src2 dst stall opr2 res p2dst regFile op inp src1 src2 dst opr1 stall p1inp p1op p1dst p2op p2dst alu stall opr2 res “opr1” proof isaAlu

36. isaRegFile op inp src1 src2 dst stall opr2 res p2dst regFile op inp src1 src2 dst opr1 stall p1inp p1op p1dst p2op p2dst alu stall opr2 res “opr1” proof opr1 isaAlu

37. regFile op inp src1 src2 dst P1 FETCH

38. EXECUTE WRITE-BACK

39. isaRegFile opr1 op inp src1 src2 dst out stall isaOut opr2 res p2dst regFile op inp src1 src2 dst out opr1 opr2 res stall p1inp p1op p1dst p2op p2dst alu out stall opr1 opr2 res isaAlu

40. But..

41. But.. is this really practical?

42. –Verification of VGI multiprocessor

43. Outline 1 Informal Introduction 2 Formal Definitions Reactive Systems Witnessed Refinement Proofs Slicing Reactive Systems Decomposing Refinement Proofs 3 Formal Example: Three-Stage Pipeline 4 Informal Example: Dataflow Processor Array

44. VGI VGI = “Video-Graphics-Image” Designed by Infopad group at Berkeley Purpose: web-based image processing Designed using –VHDL (control) – Schematics (Data path)

45. VGI Architecture 16 clusters with 6 processors in each - 4 compute, 1 memory, 1 I/O ~30K logic gates per processor ~800 latches per processor Pipelined compute processors Low latency data transfer between processors - complex control

46. VGI Architecture Complex handshake pipeline

47. FIFO buffer ISA Complex handshake pipeline

48. Verification Different time scales Implementation –two-phase clock –level-sensitive latches –activity on both HI and LO phases of clk Specification –no clk signal

49.  S I Sample Operator I’ = Sample I at  Runs of I’ = Runs of I sampled at instances where  holds 

50.  pipeline clk ISA

51. Difficulty - Verification Size of the VGI chip –~800 latches in each compute processor –64 compute processors Need “divide and conquer”

52. Step 1: Network of Processors to Single Processor

53.  pipeline clk ISA

54.  pipeline clk ISA

55.  pipeline clk ISA

56.  pipeline clk ISA

57.  pipeline clk ISA

58.  pipeline ISA     pipeline clk

59. Step 2: Single Processor Single processor still has ~800 latches Need “divide-and-conquer” again ISA  pipeline clk

60. Comm Stage PIPEPIPE ALU Gate Level REGFILE ALU Spec ISA REGFILE FIFO buffer OP GEN Input from upstream processor Input from upstream processor  clk

61. VGI Results All lemmas (exceptALU) checked by Mocha in a few minutes 3 bugs in communication control found and fixed Abstract definitions crucial - designer insight needed