
Microarchitecture Verification by Compositional Model Checking
Ken McMillan, Ranjit Jhala
Cadence Berkeley Labs / UC Berkeley

Slide 2: Introduction
- Compositional Model Checking: decomposing a large proof into a set of automatically provable lemmas
- Previous work:
  – unbounded or infinite-state systems: Flash, SGI, Bakery, ...
  – Tomasulo's algorithm, with just 3 lemmas and no need for a manually constructed inductive invariant
- Question: can the method scale to large and complex systems? Does the effort grow in reasonable proportion to the complexity?
- This work: verification of a complete processor microarchitecture
  – the incremental cost of each architectural feature is small
  – very concise proofs

Slide 3: Plan
- Compositional Model Checking: how to reduce the verification of unbounded systems to a finite-state problem
- Microarchitecture modeled
- Important aspects of the proof
- Proof decomposition: an example
- Comparison with other techniques

Slide 4: Proof Decomposition
- Reduce the proof goal to decidable/tractable subproblems
- Do it in as few (and as simple) steps as possible
[Figure: a proof goal split into an undecidable/intractable subgoal and decidable/tractable subgoals]

Slide 5: Functional Decomposition
- Possible decompositions of a problem:
  – structural (by syntax)
  – temporal (by time steps)
  – functional (by "units of work")
- Functional decomposition yields simple intermediate assertions: the interaction between "units of work" is simpler than the interaction between system components
- Reduction to finite state:
  – each "unit of work" uses finite resources
  – identify the resources used for a given case
  – abstract away everything else

Slide 6: Reduction to Finite State
From property to finite-state model checking, in three steps:
- Decomposition: a "circular" temporal proof divides the property into "units of work"
- Parameterization: temporal "case splitting" identifies the resources used
- Abstraction: abstract interpretation reduces the model to finite state
- Model checking then discharges each case

Slide 7: "Circular" Temporal Proofs
Let $p \rhd q$ stand for "if p holds at every time up to t-1, then q holds at t". This is equivalent to the LTL formula $\neg(p\,\mathcal{U}\,\neg q)$: it is not the case that q is the first to be false.
Now we can reason as follows:
  $q \rhd p,\ p \rhd q \ \vdash\ \mathbf{G}p \wedge \mathbf{G}q$
That is, if neither p nor q is the first to be false, then both are always true.

Slide 8: Using a Reference Model
[Figure: a reference model (e.g., the programmer's model) alongside components A and B, with refinement relations p and q drawn between them]
- A and B each perform a "unit of work"
- p and q are refinement relations (temporal properties) relating A and B to the reference model
- "Circular" proof: $q \rhd p,\ p \rhd q \ \vdash\ \mathbf{G}p \wedge \mathbf{G}q$

Slide 9: Temporal Case Splitting
[Figure: processes $p_1, \ldots, p_5, \ldots$ writing a shared variable $v_1$]
- Idea: parameterize on the most recent writer w at time t
- Let $\varphi$ stand for "I'm O.K. at time t"
- Rule: $\forall i:\ \mathbf{G}((w = i) \rightarrow \varphi) \ \vdash\ \mathbf{G}\varphi$

Slide 10: Combine With Circular Reasoning
[Figure: the same processes $p_1, \ldots, p_5$ and variable $v_1$]
- $\varphi$: "I'm O.K. at time t"
- To prove the case w = i at time t, assume the general case up to t-1:
  $\forall i:\ \varphi \rhd ((w = i) \rightarrow \varphi) \ \vdash\ \mathbf{G}\varphi$

Slide 11: Abstract Interpretation
- Problem: variables range over an unbounded set U
- Solution: reduce U to a finite set $\hat{U}$ by a parameterized abstraction, e.g. $\hat{U} = \{\{i\},\ U \setminus i\}$, where $U \setminus i$ represents all the values in U except i
- Need a sound abstract interpretation, such that if $\varphi$ is valid in the abstraction then, for all parameter valuations, $\varphi$ is valid in the original

Slide 12: Data Type Abstractions in SMV
Examples:
- Equality over $\hat{U}$ (row: left operand, column: right operand):

      =    | {i} | U\i
      {i}  |  1  |  0
      U\i  |  0  |  ⊥

- Function symbol application: x = {i} maps to f(x) = f(i); x = U\i maps to f(x) = ⊥
- An unbounded array is reduced to one fixed element!
- Note: the truth value under abstraction may be ⊥, which represents "no information"
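The abstraction of slides 11 and 12 can be written out as executable Python. This is an added example, not SMV's implementation: it defines the abstract domain $\hat{U} = \{\{i\},\ U \setminus i\}$, the three-valued equality table and function application above, an abstract array that tracks only element i (the "unbounded array reduced to one fixed element"), and an exhaustive soundness check over a small concrete U showing that whenever the abstract result is definite (not ⊥) it agrees with every concrete computation it stands for. The names EXACT, REST and BOTTOM and the sample function f are this example's own.

```python
"""Parameterized data-type abstraction  U -> {{i}, U\\i}  (added example)."""
from itertools import product

BOTTOM = None          # "no information"
EXACT = "{i}"          # the abstract value standing for the parameter i
REST = "U\\i"          # the abstract value standing for every other element


def alpha(value, i):
    """Abstraction map from a concrete value in U to U_hat, for parameter i."""
    return EXACT if value == i else REST


def abs_eq(a, b):
    """Abstract equality. {i}={i} is 1 and {i}=U\\i is 0, but U\\i=U\\i is
    unknown: two different concrete values both abstract to U\\i."""
    if a == EXACT and b == EXACT:
        return True
    if a != b:
        return False
    return BOTTOM


def abs_apply(f, a, i):
    """Function symbol application: f(i) is known, f of anything else is not."""
    return f(i) if a == EXACT else BOTTOM


class AbstractArray:
    """An array indexed by the unbounded set U, keeping only element i."""

    def __init__(self, i, init):
        self.i, self.cell = i, init

    def write(self, addr, value):
        if alpha(addr, self.i) == EXACT:
            self.cell = value      # the one tracked element
        # writes to U\i are abstracted away: nothing is stored for them

    def read(self, addr):
        return self.cell if alpha(addr, self.i) == EXACT else BOTTOM


def sound(abstract, concrete):
    """A definite abstract answer must equal the concrete answer."""
    return abstract is BOTTOM or abstract == concrete


def check_soundness(universe, f):
    """Check abs_eq, abs_apply and AbstractArray against the concrete
    semantics for every parameter i and every value in `universe`."""
    for i in universe:
        for x, y in product(universe, repeat=2):
            if not sound(abs_eq(alpha(x, i), alpha(y, i)), x == y):
                return False
            if not sound(abs_apply(f, alpha(x, i), i), f(x)):
                return False
        for addr_w, val, addr_r in product(universe, repeat=3):
            concrete = {a: 0 for a in universe}   # concrete array, all zero
            concrete[addr_w] = val
            abstract = AbstractArray(i, 0)
            abstract.write(addr_w, val)
            if not sound(abstract.read(addr_r), concrete[addr_r]):
                return False
    return True


if __name__ == "__main__":
    print(abs_eq(EXACT, EXACT), abs_eq(EXACT, REST), abs_eq(REST, REST))
    print("sound on U = 0..5:", check_soundness(range(6), lambda v: 2 * v + 1))
```

The ⊥ results are what make the abstraction finite and sound at the same time: a property that model-checks to true in the abstract model never relied on a ⊥ value being true, so it holds for every parameter valuation in the concrete model.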

Slide 13: Applying Abstraction
[Figure: writer $p_i$ and variable $v_1$ kept concrete; all other processes shown as abstracted elements]
- Must verify by model checking: $\varphi \rhd ((w = i) \rightarrow \varphi)$
- i.e., if $p_i$ is the most recent process to modify $v_1$, then $v_1$ is correct

Slide 14: Review
By a sequence of three steps:
1. "circular" temporal reasoning (restricts attention to one "unit of work")
2. case splitting, i.e. adding parameters (identifies the resources used in that unit of work)
3. abstract interpretation (abstracts away everything else)
... we reduce the verification of an unbounded system of processes to a finite-state problem.

Slide 15: Plan (recap); next: Microarchitecture Modeled

Slide 16: Instruction Set Architecture (ISA)
The ISA we consider supports the following instructions:
- LOAD reg_src reg_dst: reg_dst := Mem[reg_src]
- STORE reg_src reg_dst: Mem[reg_dst] := reg_src
- ALU reg_srca reg_srcb reg_dst: reg_dst := F(reg_srca, reg_srcb)
- BRANCH reg_srca reg_srcb offset: branch to the target (a function of pc and offset) if F(reg_srca, reg_srcb) is true
- JUMP reg_src: transfer control to reg_src
- OUT reg_src: send the data in reg_src to the output port
LOAD, STORE and ALU may raise exceptions.
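The ISA above is the reference model (the "programmer's model" of slide 8) against which the implementation is checked, so it is worth having it in executable form. The Python below is an added example, not code from the talk: it interprets the six instructions exactly as stated on the slide and runs a constructed program. Everything the slide leaves open is an assumption of this example: F is integer addition (a branch is taken when F(a, b) is nonzero), the branch target is pc + offset, memory and the register file are dictionaries defaulting to 0, and an exception is raised by LOAD/STORE when the address is outside [0, MEM_WORDS) and by ALU when the result does not fit in 32 bits. Exceptions are precise: the faulting instruction has no effect and the model stops with the state committed so far, which is the behaviour the out-of-order implementation has to match at its OUT port.

```python
"""Executable reference model of the slide-16 ISA (added example)."""
MEM_WORDS = 1 << 16           # assumed: addresses outside this range fault
MASK32 = (1 << 32) - 1        # assumed: ALU results must fit in 32 bits


def F(a, b):
    """Assumed ALU/branch function; the slide leaves F uninterpreted."""
    return a + b


class ISAException(Exception):
    pass


class ISA:
    """Programmer's model: fetch, decode, execute and write back one
    instruction per step.  `out` is the stream an implementation must match."""

    def __init__(self, program, mem=None, regs=None):
        self.program = program          # pc -> instruction tuple
        self.mem = dict(mem or {})      # unbounded memory, default 0
        self.regs = dict(regs or {})    # unbounded register file, default 0
        self.pc = 0
        self.out = []

    def r(self, n):
        return self.regs.get(n, 0)

    def step(self):
        op, *args = self.program[self.pc]
        next_pc = self.pc + 1
        if op == "LOAD":                       # reg_dst := Mem[reg_src]
            src, dst = args
            addr = self.r(src)
            if not 0 <= addr < MEM_WORDS:
                raise ISAException(f"LOAD addr {addr} at pc {self.pc}")
            self.regs[dst] = self.mem.get(addr, 0)
        elif op == "STORE":                    # Mem[reg_dst] := reg_src
            src, dst = args
            addr = self.r(dst)
            if not 0 <= addr < MEM_WORDS:
                raise ISAException(f"STORE addr {addr} at pc {self.pc}")
            self.mem[addr] = self.r(src)
        elif op == "ALU":                      # reg_dst := F(reg_srca, reg_srcb)
            a, b, dst = args
            res = F(self.r(a), self.r(b))
            if not 0 <= res <= MASK32:
                raise ISAException(f"ALU overflow at pc {self.pc}")
            self.regs[dst] = res
        elif op == "BRANCH":                   # taken if F(reg_srca, reg_srcb) true
            a, b, offset = args
            if F(self.r(a), self.r(b)) != 0:
                next_pc = self.pc + offset
        elif op == "JUMP":                     # transfer control to reg_src
            (src,) = args
            next_pc = self.r(src)
        elif op == "OUT":                      # send reg_src to the output port
            (src,) = args
            self.out.append(self.r(src))
        else:
            raise ValueError(f"unknown opcode {op}")
        self.pc = next_pc


def run(program, mem=None, regs=None, max_steps=10_000):
    """Run until the pc leaves the program or an exception is raised.
    Returns (output stream, registers, memory, exception message or None)."""
    m = ISA(program, mem, regs)
    for _ in range(max_steps):
        if m.pc not in m.program:
            break
        try:
            m.step()
        except ISAException as e:
            return m.out, m.regs, m.mem, str(e)
    return m.out, m.regs, m.mem, None


# Constructed sample: sum Mem[0..2] into r3, emitting the running total,
# then STORE to an out-of-range address to show a precise exception.
PROGRAM = {
    0: ("LOAD", 0, 2),         # r2 := Mem[r0]
    1: ("ALU", 3, 2, 3),       # r3 := r3 + r2
    2: ("OUT", 3),             # emit running total
    3: ("ALU", 0, 1, 0),       # r0 := r0 + 1   (r1 holds the constant 1)
    4: ("ALU", 4, 1, 4),       # r4 := r4 + 1   (loop counter)
    5: ("BRANCH", 4, 7, -5),   # loop to pc 0 while r4 + r7 != 0 (r7 = -3)
    6: ("STORE", 3, 5),        # Mem[r5] := r3, with r5 = MEM_WORDS: faults
}
MEM0 = {0: 10, 1: 20, 2: 30}
REGS0 = {1: 1, 5: MEM_WORDS, 7: -3}


def demo():
    return run(PROGRAM, MEM0, REGS0)


if __name__ == "__main__":
    out, regs, mem, exc = demo()
    print("OUT stream:", out, "| r3 =", regs.get(3), "| exception:", exc)
```

Because the model commits state one instruction at a time, its OUT stream and the state at the fault are exactly the values the refinement maps of slide 22 store in auxiliary variables and compare against the implementation.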

Slide 17: Salient Features
- Out-of-order execution: Tomasulo's algorithm, reorder buffer
- Speculative execution, modelled by a non-deterministic branch predictor
- Precise exceptions
- Optimised load/store buffer: reordering of operations, load forwarding
- Unbounded: memory, register file, reorder buffer, load/store buffer (LSB), execution units

Slide 18: The Processor Model
[Figure: block diagram. Program memory (PM) and the PC, steered by the branch predictor, feed the decoder; decoded entries (OP, DST, opra, oprb) enter the reorder buffer; the register file holds VAL/TAG entries; operations wait in ops buffers in front of the execution units (EU); loads and stores pass through the LD/ST buffer, with data forwarding, to data memory; results and branch results return on the results bus and instructions retire]

Slide 19: How It Works: An Instruction's Path
- Unit of work = one instruction
[Figure: the slide-18 block diagram with one instruction's path traced from fetch and decode through the reorder buffer, an execution unit or the LD/ST buffer, the results bus, and retirement]

Slide 20: Plan (recap); next: Important Aspects of the Proof

Slide 21: What Are We Proving?
[Figure: the IMPLEMENTATION related to the ISA MODEL by refinement maps, with the stall/shadow mechanism between the two]

Slide 22: Proof Strategy
- Show that the implementation refines the ISA model by writing and verifying refinement maps: whenever there is an OUT instruction, the output of the IMPL must be the same as that of the ISA
- For every instruction, the correct operands/results are taken from the ISA model and stored in auxiliary variables
  – used to write refinement maps specifying the values at the different stages of the instruction's lifetime
  – shadowed instructions: don't care, as they do not change state
- Secondary lemmas:
  – strengthen the abstraction: non-interference, etc.
  – cut down the model size

Slide 23: Key Elements of the Proof
- Writing the refinement maps
- Handling speculation:
  – a shadow bit marks every instruction that "should not" have been executed
  – for such instructions, refinement maps don't have to specify values
- Handling data dependencies in out-of-order execution:
  – Tomasulo's algorithm: implicitly data-flow
  – load/store buffer

Slide 24: Proof: A Bird's Eye View
[Figure: the processor block diagram annotated with refinement maps at each stage of an instruction's path, and "Shadowed? Don't care" at writeback]

Slide 25: Handling Speculation: Synchronizing
- ISA instruction stream: fetch/decode/execute/writeback in one cycle
- IMPL instruction stream: fetch/decode at the same time as the ISA

Slide 26: Handling Speculation: Shadow Bit
- The ISA stalls if the IMPL guesses wrong, and enters the "shadow" state
- Subsequent IMPL instructions are "shadowed"; the "shadowed" status is propagated
- When the bad instruction reaches writeback, the IMPL flushes its unfinished instructions

Slide 27: Handling Speculation: Shadow Bit (continued)
- After the flush, the ISA exits the "shadow" state and continues
- Subsequent IMPL instructions are clean

Slide 28: Handling Data Dependencies
[Figure: ISA time against IMPL time; a read in the ISA and its corresponding IMPL read, the write that should be the last writer, and the write that actually is]
- All other instructions are abstracted away
- Model checking fails! The abstraction is too coarse: in the counterexample, a different (abstracted) instruction is the actual last writer
- Fix: put both instructions in the abstraction, or show separately that they are the same

Slide 29: Handling Data Dependencies (continued)
- The "time" step of an instruction is the time it was issued
- For unshadowed instructions, the ISA and the IMPL issue "corresponding" instructions synchronously, so correspondences are easy to track

Slide 30: Plan (recap); next: Proof Decomposition: An Example

Slide 31: "Unit of Work" Decomposition
Three lemmas, each about a single instruction, supporting one another in a cycle:
- Unlocked registers have correct data
- Instructions receive correct operands
- Instructions produce correct results

Slide 32: Unlocked Registers Have Correct Data (1)
Split cases on:
1. the register
2. the last instruction that should have written to that register (ISA)
   – but what if some bogus (abstracted) instruction wrote to it?
3. the last instruction that actually wrote to that register (IMPL)
Both instructions ("Should" and "Actual") are stored as auxiliary variables. Model checking should show that the two are the same, and also, since that instruction produced the correct result (from its refinement map), that the register has correct data.

Slide 33: Unlocked Registers Have Correct Data (2)
... but speculation causes problems:
- Fails to flush! The instruction with the bad guess is abstracted away, so there is no flushing, and a shadowed instruction writes to the register!
- Wrongly flushes! An intermediate (abstracted) instruction wrongly flushes the valid unshadowed instruction, and the register has stale data!
This could be solved by splitting cases on the flushing instruction as well, but 3 instructions ⇒ state explosion!

Slide 34: Unlocked Registers Have Correct Data (3)
Lemmas to deal with speculation:
- Problem (fails to flush): a shadowed instruction writes back
  – Lemma: every instruction that writes back is not shadowed
  – Split cases on: 1) the instruction causing the shadow, 2) the instruction writing back
- Problem (wrongly flushes): an unshadowed instruction is flushed
  – Lemma: when there is a flush, there is no unshadowed instruction in the buffer
  – Split cases on: 1) the instruction causing the flush, 2) the unshadowed instruction

Slide 35: Load/Store Buffer
Need to prove: every LOAD returns the correct value. Split cases on:
1. the address
2. the last STORE instruction that should have written to that address (ISA)
3. the last STORE instruction that actually wrote to that address (IMPL)
Both STOREs ("Should" and "Actual") are auxiliary variables; model checking should show they are the same. Data forwarding and reordering are handled for free!

Slide 36: Load/Store Buffer (continued)
- Problem: need to model the resources of 3 instructions (the LOAD and both STOREs): case and state explosion!
- Avoid modelling all the resources by writing a refinement map for the LSB:
  – use the ISA and the auxiliary variables to specify the contents of valid entries in the buffer
  – abstract away everything except the LSB and the memory
- Break into 2 simpler lemmas, each requiring case splits on only 2 instructions

Slide 37: Plan (recap); next: Comparison with Other Techniques

Slide 38: Comparison With Other Techniques
Sawada & Hunt, Velev & Bryant, Hosabettu et al.: variants of the Burch-Dill "flushing" technique
- The abstraction function is not strong enough to be an invariant
- Manually constructed invariants are needed
- Reasoning about the entire machine state is intractable
- Decomposing the "flushing" function loses the advantage of Burch-Dill
[Figure: Burch-Dill commuting diagram: abstracting the initial IMPL state and taking an ISA step (ISA_0 to ISA_1) must agree with taking an IMPL step to the next IMPL state and then abstracting (Abstract IMP_0 to Abstract IMP_1)]

Slide 39: Comparison With Other Techniques (continued)
- Velev & Bryant: efficiently checking the commutativity condition; no out-of-order execution or LSB (flushing functions too complex?)
- Sawada & Hunt: track the status of instructions using a MAETT (Micro-Architectural Execution Trace Table), similar to our auxiliary variables; need a huge inductive invariant
- Hosabettu et al.: completion functions
Proof sizes:

  Method            | Tool | Spec  | Proof   | Lemmas
  Sawada & Hunt     | ACL2 | 60 Kb | 1909 Kb | 4000
  Hosabettu et al.  | PVS  | 70 Kb | 2300 Kb | (not given)
  CMC (this work)   | SMV  | 20 Kb | 18 Kb   | 18

Slide 40: Conclusions
- How to use CMC to verify microarchitectures with several modern features
- Proof strategies to handle speculation and read/write reordering
- Succinctness of the proof: no need for invariants; functional decomposition into "units of work"
- The proof methodology scales well: it would be easy to add features like caches, multiple issue, etc.
Future work:
- Use CMC to verify a "real" microarchitecture
- Show how a model written at a high level can be refined to an RTL implementation
Use Cadence SMV!

