# ESE535: Electronic Design Automation Day 26: April 25, 2011 Processor Verification

# Implementation

- Some particular embodiment
- Should have **same** observable behavior
  - Same with respect to **important** behavior
- Includes many more details than spec.
  - How performed
  - Auxiliary/intermediate state

Penn ESE 535 Spring 2011 -- DeHon

# **Unimportant Behavior?**

- What behaviors might be unimportant?


# "Important" Behavior

- Same output sequence for input sequence
  - Same output after some time?
- Timing?
  - Number of clock cycles to/between results?
  - Timing w/in bounds?
- Ordering?


#### **Abstraction Function**

- Map from implementation state to specification state
  - Use to reason about implementation correctness
- Want to guarantee: $AF(F_i(q,i)) = F_s(AF(q),i)$
  - ($F_i$, $F_s$: transition functions of the implementation and of the specification)
  - Similar to saying the composite state machines always agree on output (state)
    - ...but with a more general notion of outputs and timing


## Familiar Example

- Memory Systems
  - Specification:
    - W(A,D)
    - R(A)→D from last D written to this address
  - Specification state: contents of memory
  - Implementation:
    - Multiple caches, VM, pipelined, Write Buffers...
  - Implementation state: much richer...


## Memory AF

- Maps from
  - State of caches/WB/etc.
- To
  - Abstract state of memory
- Guarantee $AF(F_i(q,i)) = F_s(AF(q),i)$
  - Guarantee change to state always represents the correct thing


# Memory: L1, writeback

- Memory with L1 cache
  - L1 cache is extra state
  - Another L1.capacity words of data
  - Check L1 cache first for data on read
  - Miss→load into cache
  - Writes update mapping for address in L1
  - When address evicted from L1
    - write-back to main memory


# Memory: L1, writeback

- Specification State:
  - one memory with addr:data mappings
  - M(a) = MM[a]
- L1 writeback cache implementation
  - AF(L1+M): for all a
    - If a in L1: M(a) = L1[a]
    - Else: M(a) = MM[a]


# Memory: L1, writeback

- Specification State:
  - one memory with addr:data mappings
  - M(a) = MM[a]
- What are several (different) implementation states that map to same specification state?

- Concrete: M(0x100C)=0xBEC1

# **Abstract Timing**

- For computer memory system
  - Cycle-by-cycle timing not part of specification
  - Must abstract out
- Solution:
  - Way of saying "no response"
    - Saying "skip this cycle"
    - Marking data presence
      - (tagged data presence pattern)
    - Example: stall while fetch data into L1 cache


# Filter to Abstract Timing

- Filter input/output sequence
- View computation as: $O_s(in) \to out$
- $FilterStall(Impl_{in}) = in$
- $FilterStall(Impl_{out}) = out$
- For all sequences $Impl_{in}$:
  - $FilterStall(O_i(Impl_{in})) = O_s(FilterStall(Impl_{in}))$
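The Python model below is a worked example added here; it is not code from the slides. It implements the write-back L1 of the preceding slides (LRU replacement, a chosen capacity), the abstraction function AF (an L1 entry shadows main memory), and the stall filter of this slide. Assumptions not in the original: a miss costs exactly one stall cycle, during which the cache outputs a `STALL` marker and the driver feeds a `BUBBLE` input on the next cycle; an 8-word address space so AF can be compared exhaustively; and constructed workloads (`SAMPLE_OPS`, `random_trace`). The driver checks $AF(F_i(q,i)) = F_s(AF(q),i)$ at every operation boundary, that fills and write-backs never change the abstract state, and that $FilterStall(O_i(Impl_{in})) = O_s(FilterStall(Impl_{in}))$.

```python
"""Write-back L1 over main memory, with an abstraction function AF from the
implementation state (L1 + MM) to the specification state (one memory), and a
stall filter that abstracts cycle-level timing out of the I/O sequences.
Constructed example; markers, sizes and traces are not from the slides."""
from collections import OrderedDict
import random

STALL = "STALL"    # output marker: "no response this cycle"
BUBBLE = None      # input marker: "skip this cycle"
NADDR = 8          # tiny address space so AF can be compared exhaustively


def spec_step(mem, op):
    """Fs: one memory. W(a,d) writes; R(a) returns the last d written to a."""
    if op[0] == "W":
        _, a, d = op
        return {**mem, a: d}, "ok"
    return mem, mem[op[1]]


class L1Writeback:
    """Fi: small LRU L1 with write-back on eviction; a miss costs one stall cycle."""

    def __init__(self, capacity):
        self.cap = capacity
        self.mm = {a: 0 for a in range(NADDR)}   # main memory
        self.l1 = OrderedDict()                  # addr -> (data, dirty); LRU order
        self.pending = None                      # op waiting for its line to be filled

    def fill(self, a):
        """Bring a into L1, writing back the dirty victim if L1 is full."""
        if len(self.l1) >= self.cap:
            victim, (d, dirty) = self.l1.popitem(last=False)
            if dirty:
                self.mm[victim] = d
        self.l1[a] = (self.mm[a], False)

    def step(self, inp):
        """One clock cycle: returns this cycle's output."""
        if inp is BUBBLE:
            op, self.pending = self.pending, None
            if op is None:
                return STALL                     # idle cycle, nothing to answer
        else:
            op = inp
        a = op[1]
        if a not in self.l1:                     # miss: fill now, answer next cycle
            self.fill(a)
            self.pending = op
            return STALL
        self.l1.move_to_end(a)                   # hit: refresh LRU position
        if op[0] == "W":
            self.l1[a] = (op[2], True)
            return "ok"
        return self.l1[a][0]


def AF(cache):
    """Abstraction function: M(a) = L1[a] if a in L1 else MM[a]."""
    return {a: cache.l1[a][0] if a in cache.l1 else cache.mm[a] for a in range(NADDR)}


def filter_stall(seq):
    """FilterStall: drop bubbles and stall markers from an I/O sequence."""
    return [x for x in seq if x is not BUBBLE and x != STALL]


def run(cache, ops):
    """Drive the cache: present each op, then feed bubbles until it answers.
    Checks AF(Fi(q,i)) == Fs(AF(q),i) at every op boundary and that stall
    cycles leave the abstract state unchanged. Returns (impl_in, impl_out, spec_out)."""
    spec_mem = {a: 0 for a in range(NADDR)}
    impl_in, impl_out, spec_out = [], [], []
    for op in ops:
        before = AF(cache)
        assert before == spec_mem, "AF out of step with specification state"
        out = cache.step(op)
        impl_in.append(op); impl_out.append(out)
        while out == STALL:
            assert AF(cache) == before, "fill/writeback changed the abstract state"
            out = cache.step(BUBBLE)
            impl_in.append(BUBBLE); impl_out.append(out)
        spec_mem, sout = spec_step(spec_mem, op)
        spec_out.append(sout)
        assert AF(cache) == spec_mem, f"AF(Fi(q,i)) != Fs(AF(q),i) after {op}"
    return impl_in, impl_out, spec_out


# Constructed workload: hits, misses, and dirty evictions with a 2-entry L1.
SAMPLE_OPS = [("W", 1, 5), ("R", 1), ("W", 2, 7), ("R", 3),
              ("R", 1), ("R", 2), ("W", 3, 9), ("R", 3)]


def random_trace(n, seed=0):
    """Constructed random read/write workload over the tiny address space."""
    rng = random.Random(seed)
    return [("W", rng.randrange(NADDR), rng.randrange(16)) if rng.random() < 0.5
            else ("R", rng.randrange(NADDR)) for _ in range(n)]


def check_equivalence(ops, capacity=2):
    """FilterStall(Oi(Impl_in)) == Os(FilterStall(Impl_in)) for this workload."""
    impl_in, impl_out, spec_out = run(L1Writeback(capacity), ops)
    return filter_stall(impl_in) == list(ops) and filter_stall(impl_out) == spec_out


if __name__ == "__main__":
    impl_in, impl_out, spec_out = run(L1Writeback(2), SAMPLE_OPS)
    print("impl out:", impl_out)
    print("spec out:", spec_out, "stalls:", impl_out.count(STALL))
    print("random trace equivalent:", check_equivalence(random_trace(300, seed=7), 3))
```

Dropping the `if dirty` write-back in `fill` makes the assertion inside the stall loop fail at the first dirty eviction (`R(3)` in `SAMPLE_OPS` evicts address 1, which holds the unwritten 5): the abstract state changes during a cycle in which the specification does nothing, which is exactly the kind of bug the abstraction function is meant to expose.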


#### **Processors**

- Pipeline is big difference between specification state and implementation state.
- What is specification state?

#### **Processors**

- Pipeline is big difference between specification state and implementation state.
- Specification State:
  - PC, RF, Data Memory
- Implementation State:
  - + Instruction in pipeline
  - + Lots of bits
    - Many more states
    - State-space explosion to track

## Return to L1, writeback

- How does main memory state relate to specification state after an L1 cache flush?
  - L1 cache flush = force writeback on all entries of L1


#### Observation

- After flushing pipeline,
  - Reduce implementation state to specification state (RF, PC, Data Mem)
- Can flush pipeline with series of NOOPs or stall cycles


# Pipelined Processor Correctness

- $w$ = input sequence
- $w_f$ = flush sequence
  - Enough NOOPs to flush pipeline state
- For all states $q$ and prefixes $w$:
  - $F_i(q, w\,w_f) \to F_s(q, w\,w_f)$
  - $F_i(q, w\,w_f) \to F_s(q, w)$
- FSM observation
  - Finite state in pipeline
  - only need to consider finite $w$


# Pipeline Correspondence

[Burch+Dill, CAV'94]


# Equivalence

- Now have a logical condition for equivalence
- Need to show that it always holds
  - Is a tautology
- Or find a counterexample


#### Ideas

- Extract Transition Function
- Segregate datapath
- Symbolic simulation on variables
  - For q, w's
- Case splitting search
  - Generalization of SAT
  - Uses implication pruning


#### **Extract Transition Function**

- From HDL
- Similar to what we saw for FSMs


### Segregate Datapath

- Big state blowup is in size of datapath
  - Represent data symbolically/abstractly
    - Independent of bitwidth
  - Not verify datapath/ALU functions as part of this
    - Can verify ALU logic separately using combinational verification techniques
    - Abstract/uninterpreted functions for datapath


# Burch&Dill Logic

- Quantifier-free
- Uninterpreted functions (datapath)
- Predicates with
  - Equality
  - Propositional connectives


# **B&D** Logic

- Formula = ite(formula, formula, formula)
  | (term = term)
  | psym(term, ..., term)
  | pvar | true | false
- Term = ite(formula, term, term)
  | fsym(term, ..., term) | tvar


# Sample

- Regfile:

```
(ite stall regfile (write regfile dest (alu op (read regfile src1) (read regfile src2))))
```


# Symbolic Simulation

- Create logical expressions for outputs/ state
  - Taking initial state/inputs as variables
- E.g. `(ALU op2 (ALU op1 rf-init1 rf-init2) rf-init3)`


# Case Splitting Search

- Satisfiability Problem
- Pick an unresolved variable
- Branch on true and false
- Push implications
- Bottom out at consistent specification
- Exit on contradiction
- Pragmatic: use memoization to reuse work
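The Python below is an example added here to make the last few slides concrete; it is not the Burch-Dill tool or code from the lecture. It represents the B&D logic (ite, term equality, uninterpreted function symbols, pvars and tvars) as nested tuples, builds the regfile-style symbolic state with the slides' `read`/`write` symbols (with the read-over-write rule as the one interpreted axiom), symbolically simulates one instruction through a one-deep pipeline from an arbitrary state, and runs a case-splitting search with memoization on the resulting equivalence obligation. Assumptions not in the original: the pipeline model itself (state `rf`, plus a pending `pdest`/`pval`/`valid` writeback and a forwarding path), the obligation form (flush both sides with a NOOP, compare `read(..., r)` for an arbitrary register `r`), and a simplification that splits on equality atoms as independent variables with no transitivity or congruence reasoning. That keeps "valid" verdicts sound, but a reported counterexample is a candidate to confirm by hand; the one found below with forwarding removed (stale operands read while their writeback is still in flight) is genuine.

```python
"""Miniature Burch & Dill logic: quantifier-free, uninterpreted functions,
equality, ite. Terms/formulas are nested tuples. Constructed example."""

def tvar(n):  return ("var", n)               # term variable
def pvar(n):  return ("pvar", n)              # propositional variable
def ite(c, a, b): return ("ite", c, a, b)     # formula-ite and term-ite share a tag
def app(f, *args): return (f, *args)          # uninterpreted function symbol f
def read(m, a): return ("read", m, a)
def write(m, a, v): return ("write", m, a, v)
def eq(a, b): return ("eq", *sorted((a, b), key=repr))   # canonical argument order
def Not(c): return ite(c, False, True)
def And(c, d): return ite(c, d, False)


def simp(x):
    """Bottom-up simplification: ite with constant/identical branches, t = t,
    and read-over-write (which exposes an address-equality atom)."""
    if not isinstance(x, tuple):
        return x
    tag, args = x[0], [simp(a) for a in x[1:]]
    if tag == "ite":
        c, a, b = args
        if c is True:  return a
        if c is False: return b
        return a if a == b else ("ite", c, a, b)
    if tag == "eq":
        a, b = args
        return True if a == b else eq(a, b)
    if tag == "read" and isinstance(args[0], tuple) and args[0][0] == "write":
        _, m, a, v = args[0]
        return simp(ite(eq(a, args[1]), v, read(m, args[1])))
    return (tag, *args)


def has_ite(x):
    return isinstance(x, tuple) and (x[0] == "ite" or any(has_ite(a) for a in x[1:]))


def first_atom(x):
    """An unresolved variable to split on: a pvar, or an equality over ite-free terms."""
    if not isinstance(x, tuple):
        return None
    if x[0] == "pvar" or (x[0] == "eq" and not has_ite(x)):
        return x
    for a in x[1:]:
        r = first_atom(a)
        if r is not None:
            return r
    return None


def subst(x, atom, val):
    if x == atom:
        return val
    return tuple(subst(a, atom, val) for a in x) if isinstance(x, tuple) else x


def falsify(f, memo=None):
    """Case-splitting search. Returns None if f is a tautology, else a dict
    atom -> bool under which f simplifies to false. memo reuses the verdict for
    residual formulas reached again by a different split order."""
    memo = {} if memo is None else memo
    f = simp(f)
    if f is True:  return None
    if f is False: return {}
    if f in memo:  return memo[f]
    atom, result = first_atom(f), None
    for val in (True, False):                        # branch on true and false
        sub = falsify(subst(f, atom, val), memo)     # push implications, recurse
        if sub is not None:
            result = {atom: val, **sub}
            break
    memo[f] = result
    return result


def pipeline_obligation(forward=True):
    """Symbolically simulate one instruction through a pipeline with state
    (rf, pdest, pval, valid), flush with a NOOP, project to rf, and compare with
    the ISA step on AF(q): read(AF(Fi(q,i)), r) = read(Fs(AF(q), i), r)."""
    rf, pdest, pval, valid = tvar("rf"), tvar("pdest"), tvar("pval"), pvar("valid")
    stall, op, dest = pvar("stall"), tvar("op"), tvar("dest")
    src1, src2, r = tvar("src1"), tvar("src2"), tvar("r")   # r: arbitrary register to observe
    def operand(x):   # decode reads; the forwarding path bypasses the in-flight writeback
        return ite(And(valid, eq(x, pdest)), pval, read(rf, x)) if forward else read(rf, x)
    rf1 = ite(valid, write(rf, pdest, pval), rf)              # pending writeback lands
    pval1, pdest1, valid1 = app("alu", op, operand(src1), operand(src2)), dest, Not(stall)
    impl = ite(valid1, write(rf1, pdest1, pval1), rf1)         # flush with one NOOP, project
    rfq = ite(valid, write(rf, pdest, pval), rf)              # AF(q): the flushed rf
    spec = ite(stall, rfq, write(rfq, dest, app("alu", op, read(rfq, src1), read(rfq, src2))))
    return eq(read(impl, r), read(spec, r))


if __name__ == "__main__":
    print("with forwarding   :", falsify(pipeline_obligation(True)))
    print("without forwarding:", falsify(pipeline_obligation(False)))
```

With forwarding the search closes every case as `true`; without it the residual atom that stays unresolved is an equality between two `alu` applications whose operands differ only by the in-flight `pval`, and assigning it false gives the counterexample.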


#### Review: What have we done?

- Reduced to simpler problem
  - Simple, clean specification
- Abstract Simulation
  - Explore all possible instruction sequences
- Abstracted the simulation
  - Focus on control
  - Divide and Conquer: control vs. arithmetic
- Used Satisfiability for reachability in search in abstract simulation


#### Achievable

- Burch&Dill: Verify 5-stage pipeline DLX
  - 1 minute in 1994
    - On a 40MHz R3400 processor
- Modern machines 30+ pipeline stages
  - ...and many other implementation embellishments


## **Self Consistency**


# **Self-Consistency**

- Compare same implementation in two different modes of operation
  - (which should not affect result)
- Examples of different modes of operation that should behave the same?


# **Self-Consistency**

- Compare same implementation in two different modes of operation
  - (which should not affect result)
- Compare pipelined processor
  - To self w/ NOOPs separating instructions
    - So only one instruction in pipeline at a time
  - Why might this be important?


# Self-Consistency

- $w$ = instruction sequence
- $S(w)$ = $w$ with no-ops inserted
- Show: for all $q$, $w$: $F(q, w) = F(q, S(w))$
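A concrete, exhaustive form of both checks, the flush criterion from the Pipelined Processor Correctness slide ($F_i(q, w\,w_f) \to F_s(q, w)$) and the self-consistency condition above ($F(q,w) = F(q,S(w))$), added here as an example; the toy machine is constructed and is not Burch & Dill's DLX or the stream/multithread circuits cited below. Assumptions: a two-register ISA with ADD, ADDI and NOP over values mod 4; a one-deep pipeline whose implementation state is the register file plus one pending writeback, with an optional forwarding path; the flush sequence $w_f$ is a single NOOP because at most one writeback is in flight. Because the pipeline state is finite (the FSM observation on that slide), the checks simply enumerate every implementation state $q$ and every instruction sequence $w$ up to a small length rather than simulating symbolically.

```python
"""Exhaustive check of the flush-based correctness criterion and of
self-consistency for a toy one-deep pipeline. Constructed example."""
from itertools import product

NREG, MOD = 2, 4          # two registers, values mod 4: small enough to enumerate
NOP = ("NOP",)
REGS = range(NREG)
INSTRS = [NOP] + [("ADD", rd, a, b) for rd, a, b in product(REGS, REGS, REGS)] \
               + [("ADDI", rd, a, 1) for rd, a in product(REGS, REGS)]


def spec_step(rf, ins):
    """Fs: ISA semantics. Specification state is just the register file tuple."""
    if ins == NOP:
        return rf
    op, rd, a, b = ins
    val = (rf[a] + (rf[b] if op == "ADD" else b)) % MOD
    return rf[:rd] + (val,) + rf[rd + 1:]


def impl_step(state, ins, forward=True):
    """Fi: state = (rf, pending); pending is the (rd, value) writeback still in
    flight. Decode reads rf before that writeback lands, so a read-after-write on
    consecutive instructions is only correct through the forwarding path."""
    rf, pending = state
    def read(r):
        if forward and pending is not None and pending[0] == r:
            return pending[1]                # bypass from the in-flight result
        return rf[r]
    if ins == NOP:
        new_pending = None
    else:
        op, rd, a, b = ins
        new_pending = (rd, (read(a) + (read(b) if op == "ADD" else b)) % MOD)
    if pending is not None:                  # writeback stage
        rf = rf[:pending[0]] + (pending[1],) + rf[pending[0] + 1:]
    return (rf, new_pending)


def run(step, q, w):
    for ins in w:
        q = step(q, ins)
    return q


FLUSH = [NOP]   # w_f: one NOOP drains this one-deep pipeline


def check_flush_criterion(max_len=3, forward=True):
    """For all flushed q and all w with |w| <= max_len:
    Fi(q, w w_f), projected to the register file, equals Fs(q, w).
    Returns None if it holds, else (rf, w, impl_rf, spec_rf)."""
    step = lambda q, i: impl_step(q, i, forward)
    for rf in product(range(MOD), repeat=NREG):
        for n in range(max_len + 1):
            for w in product(INSTRS, repeat=n):
                impl_rf, pending = run(step, (rf, None), list(w) + FLUSH)
                assert pending is None, "flush sequence did not drain the pipeline"
                spec_rf = run(spec_step, rf, w)
                if impl_rf != spec_rf:
                    return (rf, w, impl_rf, spec_rf)
    return None


def insert_noops(w):
    """S(w): a NOOP after every instruction, so one instruction is in flight at a time."""
    return [x for ins in w for x in (ins, NOP)]


def check_self_consistency(max_len=3, forward=True):
    """For all q, w: F(q, w) == F(q, S(w)), compared after a flush on both sides.
    Returns None if it holds, else (rf, w, rf_after_w, rf_after_S(w))."""
    step = lambda q, i: impl_step(q, i, forward)
    for rf in product(range(MOD), repeat=NREG):
        for n in range(1, max_len + 1):
            for w in product(INSTRS, repeat=n):
                a = run(step, (rf, None), list(w) + FLUSH)
                b = run(step, (rf, None), insert_noops(w) + FLUSH)
                if a != b:
                    return (rf, w, a[0], b[0])
    return None


if __name__ == "__main__":
    print("forwarding on :", check_flush_criterion(), check_self_consistency())
    print("forwarding off:", check_flush_criterion(forward=False))
    print("forwarding off:", check_self_consistency(forward=False))
```

Both checks report the same hazard when forwarding is disabled: an `ADDI` into r0 followed immediately by an `ADD` that reads r0 sees the stale value, while the NOOP-separated version of the same sequence (and the specification) does not. Self-consistency needs no specification at all to find it, which is why it is attractive when only the implementation is available.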


# Sample Result

- A: stream processor
- B: multithread pipeline

| Circuit | Gates | Latches | Simulation Variables |    | Equivalent Simulation Cases |
|---------|-------|---------|----------------------|----|-----------------------------|
| A       | 8452  | 2506    | 49                   | 3  | $6 \times 10^{14}$          |
| B       | 72664 | 11709   | 144                  | 10 | $2 \times 10^{43}$          |

Table 1. Self-consistency checking results.

[Jones, Seger, Dill/FMCAD 1996] n.b. Jones&Seger at Intel


# Sample Result: OoO processor

| IMPL-ABS Verification | CPU (sec) | Case Splits | CPU (sec) | Case Splits |
|-----------------------|-----------|-------------|-----------|-------------|
| Base Case             | 1.9       | 10          | 0.7       | 4           |
| Issue                 | 454.8     |             |           |             |
| Dispatch              | 49.1      | 12,036      | 163.3     | 45,828      |
| Writeback             | 35.0      |             | 42.1      |             |
| Retire                | 29.5      | 8,392       | 307.0     | 59,474      |

| ABS-ISA<br>Verification | CPU<br>(sec) | Case<br>Splits |
|-------------------------|--------------|----------------|
| ABS Inv.                | 222.2        | 48,440         |
| Obl. 2                  | 37.6         | 530            |
| Obl. 3                  | 26.2         | 2              |
| Obl. 4                  | 7.0          | 2              |
| Obl. 5                  | 17.8         | 14             |

Verification running on P2-200MHz

[Skakkebæk, Jones, and Dill / CAV 1998, Formal Methods in System Design v20, p139, 2002]


# Key Idea Summary

- Implementation state reduces to Specification state after finite series of operations
- Abstract datapath to avoid dependence on bitwidth
- Abstract simulation (reachability)
  - Show same outputs for any input sequence
- State → state transform
  - Can reason about finite sequence of steps

#### Admin

- Last Class
- Assignment 8 out
  - due May 9th (noon)
  - Late assignments will not receive partial credit
  - André traveling May 1-6
    - Ask clarifying questions before May 1
- Normal office hours Tuesday (tomorrow)
  - None on May 3rd
- Course evaluations online


# Big Ideas

- Proving Invariants
- Divide and Conquer
- Exploit Structure
