Formal Processor Verification - PowerPoint PPT Presentation

About This Presentation
Title: Formal Processor Verification
Description: ... hidden pipeline registers and buffers. Verification ... Dynamically-allocated registers. Memory queue. Many buffers between stages ... Register states are ... – PowerPoint PPT presentation
Slides: 32
Provided by: randa162

Transcript and Presenter's Notes


1
Formal Verification of Pipelined Microprocessors
2
Outline
  • Task
    • Verify that a pipelined processor correctly executes sequential programs
  • Part I: Background
    • Definition of the problem (Bryant)
    • Methodology (Jones)
  • Part II: State of the Art
    • Verification with ACL2 (Hunt)
    • Verification with UCLID (Bryant)
  • Part III: Future
    • Techniques & trends at Intel (Jones)
    • Future CAD tools (Hunt)
    • Panel discussion (All)

3
Challenge
  • Views of System Operation
    • Instruction Set
      • Instructions executed in sequential order
      • Instruction modifies programmer-visible state
    • Microarchitecture
      • At any given time, multiple instructions in flight
      • State held in hidden pipeline registers and buffers
  • Verification Task
    • Prove all instruction sequences execute as predicted by instruction set model

4
Simplified Processor Example
(Figure: pipeline datapath diagram; visible label: Bdat)
  • Simplified RISC pipeline
    • Register-Register and Register-Immediate operations
    • Data hazards handled by register forwarding
    • Each step of operation defined by function dpipe

5
Reference Model
(Figure: reference model datapath; visible label: PC)
  • Only programmer-visible state
  • Much simpler control logic
  • Assume verified against instruction set definition
  • Each step of operation defined by function dspec

6
Example: HP/Compaq Alpha 21264
  • Pipeline State
    • Multiple caches
    • Instruction queues
    • Dynamically-allocated registers
    • Memory queue
    • Many buffers between stages
  • Verification Tasks
    • Does it implement the Alpha ISA?

Microprocessor Report, Oct. 28, 1996
7
Complexities of Modern Processors
  • Deep Pipelines / Superscalar Operation
    • Many instructions in flight simultaneously
    • Complex mechanisms to prevent hazards
  • Out of Order Execution
    • Don't process instructions in program order
    • Use interlocks to guarantee preservation of sequential semantics
  • Speculative Execution
    • Begin executing instructions at predicted branch target
    • If discover misprediction, cancel pending updates
  • Register Renaming
    • Dynamically allocate physical registers

8
Things Working in Our Favor
  • (Almost) Precise Specification
    • Instruction Set Reference Manual
      • Describes effect of each instruction on state & next instruction selection
      • Overall behavior should match sequential instruction execution
  • Helpful Processor Mechanisms
    • Pipeline Flushing
      • Complete all in-flight instructions without fetching new ones
      • Synchronizes pipeline with instruction set model
    • Misprediction Recovery
      • Processor will get correct result whether or not it predicts correctly
      • Verifier can ignore prediction logic

9
Flushing Simplified Processor
  • Stop incrementing program counter
  • Inject No-Op instructions into pipeline
  • After 3 cycles, register file will be fully updated
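Slides 4, 5 and 9 together describe the Burch-Dill setup: a pipeline step function dpipe, a reference step function dspec, and flushing by injecting No-Ops so that the pipeline's hidden state drains into the register file. The Python below is an added example, not code from the slides or the presenters. It builds a constructed toy ISA (four 8-bit registers, register-register add/sub and register-immediate addi, r0 hard-wired to zero), a three-latch pipeline with forwarding, a three-cycle flush, and the commutative-diagram check flush(dpipe(q)) = dspec(flush(q)). Every name, the instruction format and the datapath width are assumptions of the example; it checks the condition by concrete execution over random pipeline states rather than by symbolic term-level simulation, so it exercises the correctness condition instead of proving it for all states.

```python
import random
from typing import Callable, NamedTuple, Tuple

# Constructed toy ISA (not the slides' design): register-register "add"/"sub" and
# register-immediate "addi"; an instruction is (op, rd, rs1, rs2_or_imm).
# Register r0 is hard-wired to zero, so writing it is a no-op (this is our NOP).
Instr = Tuple[str, int, int, int]
NOP: Instr = ("addi", 0, 0, 0)
NREGS, MASK = 4, 0xFF          # four 8-bit registers keep the state space small

def alu(op: str, a: int, b: int) -> int:
    return (a - b) & MASK if op == "sub" else (a + b) & MASK

def write_reg(regs, rd, val):
    if rd == 0:                 # r0 is constant; the write is dropped
        return regs
    r = list(regs); r[rd] = val
    return tuple(r)

class Spec(NamedTuple):         # reference model: programmer-visible state only
    pc: int
    regs: Tuple[int, ...]

class Pipe(NamedTuple):         # pipeline model: adds three hidden latches
    pc: int
    regs: Tuple[int, ...]
    fetched: Instr                        # IF/ID latch: raw instruction
    decoded: Tuple[str, int, int, int]    # ID/EX latch: (op, rd, operand1, operand2)
    result: Tuple[int, int]               # EX/WB latch: (rd, value)

def dspec(s: Spec, imem: Callable[[int], Instr]) -> Spec:
    """One step of the reference model: execute imem(pc) atomically."""
    op, rd, rs1, src2 = imem(s.pc)
    b = src2 if op == "addi" else s.regs[src2]
    return Spec(s.pc + 1, write_reg(s.regs, rd, alu(op, s.regs[rs1], b)))

def dpipe(p: Pipe, imem, stall: bool = False) -> Pipe:
    """One clock cycle of the pipeline; all stages advance together."""
    regs = write_reg(p.regs, *p.result)            # WB: retire oldest instruction
    op, rd, v1, v2 = p.decoded
    new_result = (rd, alu(op, v1, v2))             # EX: compute next result
    def read(rs):                                  # ID: operand read with forwarding
        if rs == 0:
            return 0
        if new_result[0] == rs:                    # newest producer is in EX
            return new_result[1]
        if p.result[0] == rs:                      # next newest is in WB
            return p.result[1]
        return p.regs[rs]
    fop, frd, frs1, fsrc2 = p.fetched
    new_decoded = (fop, frd, read(frs1), fsrc2 if fop == "addi" else read(fsrc2))
    if stall:                                      # IF: inject a NOP, hold the PC
        return Pipe(p.pc, regs, NOP, new_decoded, new_result)
    return Pipe(p.pc + 1, regs, imem(p.pc), new_decoded, new_result)

def flush(p: Pipe, imem) -> Spec:
    """Drain the three latches with three stall cycles; the result is the
    programmer-visible state the pipeline state stands for (the abstraction function)."""
    for _ in range(3):
        p = dpipe(p, imem, stall=True)
    return Spec(p.pc, p.regs)

def commutes(p: Pipe, imem) -> bool:
    """Burch-Dill correctness condition for one state: flush(dpipe(q)) == dspec(flush(q))."""
    return flush(dpipe(p, imem), imem) == dspec(flush(p, imem), imem)

def run_program(prog) -> Tuple[Spec, Spec]:
    """Run a short program on both models from an all-zero state and return
    (spec state, flushed pipeline state); the two should be identical."""
    imem = lambda pc: prog[pc] if pc < len(prog) else NOP
    s = Spec(0, (0,) * NREGS)
    p = Pipe(0, (0,) * NREGS, NOP, ("addi", 0, 0, 0), (0, 0))
    for _ in range(len(prog)):
        s, p = dspec(s, imem), dpipe(p, imem)
    return s, flush(p, imem)

def check_random_states(n: int = 300, seed: int = 1) -> bool:
    """Exercise the commutative diagram on random (even unreachable) pipeline states."""
    rng = random.Random(seed)
    def instr():
        op = rng.choice(["add", "sub", "addi"])
        src2 = rng.randrange(256) if op == "addi" else rng.randrange(NREGS)
        return (op, rng.randrange(NREGS), rng.randrange(NREGS), src2)
    prog = [instr() for _ in range(16)]
    imem = lambda pc: prog[pc % len(prog)]
    for _ in range(n):
        p = Pipe(rng.randrange(16),
                 (0,) + tuple(rng.randrange(256) for _ in range(NREGS - 1)),
                 instr(),
                 (rng.choice(["add", "sub", "addi"]), rng.randrange(NREGS),
                  rng.randrange(256), rng.randrange(256)),
                 (rng.randrange(NREGS), rng.randrange(256)))
        if not commutes(p, imem):
            return False
    return True
```

The random states deliberately include latch contents no real execution would produce; the Burch-Dill condition quantifies over all pipeline states, so forwarding has to be right for those too. Dropping either forwarding path in `read` makes `check_random_states` fail on the first dependent pair, which is the kind of hazard bug the verification is meant to find.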

10
Applying Data Abstraction to Hardware Verification
  • Idea
    • Abstract details of data encodings and operations
    • Keep control logic precise
  • Applications
    • Verify overall correctness of system
    • Assuming individual functional units correct
  • Technology
    • Use restricted subset of first-order logic
      • Hunt '87, Srivas & Bickford '90
    • Implement efficient decision procedures
    • Multiple methods of performing verification

11
Abstracting Data from Bits to Integers
(Figure: bits x0, x1, x2, ..., xn-1 of a data word)
  • View Data as Symbolic Terms
    • Arbitrary integers
    • Verification proves correctness of design for all possible word sizes
    • Can store in memories & registers

12
Required Logic
  • Scalar Data Types
    • Formulas (F): Boolean Expressions
      • Control signals
    • Terms (T): Integer Expressions
      • Data values
      • Arbitrary values from some infinite domain

13
Modeling Data Selection
  • If-Then-Else Operation
    • Multiplexor
    • Allows control-dependent data flow

14
Abstraction Via Uninterpreted Functions
(Figure: datapath block replaced by uninterpreted function f)
  • For any Block that Transforms or Evaluates Data
    • Replace with generic, unspecified function
    • Only assumed property is functional consistency
      • a = x ∧ b = y ⇒ f(a, b) = f(x, y)

15
Abstraction Via Uninterpreted Functions
(Figure: pipeline with functional blocks F1, F2, F3)
  • For any Block that Transforms or Evaluates Data
    • Replace with generic, unspecified function
    • Also view instruction memory as function

16
Abstracting Reference Model
(Figure: reference model datapath; visible label: PC)
  • Abstract with identical functions as in pipeline model
  • Assume functional consistency
    • x = y ⇒ f(x) = f(y)
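Functional consistency, stated on this slide and on slide 14, is the only property the verifier may use about an uninterpreted function. As an added example (not code from the slides or the presenters' tools), the Python below implements congruence closure, the standard decision procedure for conjunctions of equalities in EUF: a union-find over the term DAG that merges two applications of the same symbol whenever their arguments are already known equal, repeated to a fixpoint. The tuple term representation and the function names are assumptions of the example.

```python
from typing import Dict, List, Tuple

# Constructed term representation (not the slides' tool): a variable is a
# 1-tuple such as ("a",); an application f(t1, ..., tk) is ("f", t1, ..., tk).
# Identical subterms are identical tuples, so the DAG is hash-consed for free.
Term = tuple

def gather(t: Term, acc: Dict[Term, None]) -> None:
    """Collect t and all its subterms (dict used as an insertion-ordered set)."""
    if t not in acc:
        acc[t] = None
        for arg in t[1:]:
            gather(arg, acc)

class CongruenceClosure:
    """Union-find over term nodes, closed under functional consistency:
    if the arguments of two applications of f are equal, so are the results."""

    def __init__(self, terms: List[Term]) -> None:
        nodes: Dict[Term, None] = {}
        for t in terms:
            gather(t, nodes)
        self.parent = {t: t for t in nodes}
        self.apps = [t for t in nodes if len(t) > 1]

    def find(self, t: Term) -> Term:
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s: Term, t: Term) -> None:
        rs, rt = self.find(s), self.find(t)
        if rs != rt:
            self.parent[rs] = rt

    def close(self) -> None:
        """Merge applications with the same symbol and pairwise-equal arguments
        until nothing changes (a merge can make further argument lists equal)."""
        changed = True
        while changed:
            changed = False
            for i, s in enumerate(self.apps):
                for t in self.apps[i + 1:]:
                    if (s[0] == t[0] and len(s) == len(t)
                            and self.find(s) != self.find(t)
                            and all(self.find(p) == self.find(q)
                                    for p, q in zip(s[1:], t[1:]))):
                        self.union(s, t)
                        changed = True

def entails(hyps: List[Tuple[Term, Term]], goal: Tuple[Term, Term]) -> bool:
    """Decide whether the conjunction of equalities `hyps` entails the equality
    `goal` for every interpretation of the function symbols."""
    cc = CongruenceClosure([side for eq in hyps + [goal] for side in eq])
    for s, t in hyps:
        cc.union(s, t)
    cc.close()
    return cc.find(goal[0]) == cc.find(goal[1])

# Worked instances of the slides' rule (constructed variable names).
a, b, x, y = ("a",), ("b",), ("x",), ("y",)

def functional_consistency_holds() -> bool:
    """a = x and b = y entail f(a, b) = f(x, y)."""
    return entails([(a, x), (b, y)], (("f", a, b), ("f", x, y)))

def one_premise_is_not_enough() -> bool:
    """With only a = x nothing links b and y, so f may disagree."""
    return not entails([(a, x)], (("f", a, b), ("f", x, y)))

def closure_chains() -> bool:
    """f(a) = a entails f(f(a)) = a: once f(a) and a are merged, the arguments
    of f(f(a)) and f(a) are equal, so the closure merges those two as well."""
    fa = ("f", a)
    return entails([(fa, a)], (("f", fa), a))
```

Because the procedure never looks inside `f`, the same check applies unchanged whether `f` stands for an ALU, a branch-condition evaluator or an instruction memory; that is exactly why the pipeline and the reference model on this slide must use the same function symbols.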

17
Modeling Data-Dependent Control
(Figure: Branch Logic with inputs Cond, Adata and Bdata, modeled as uninterpreted predicate p producing Branch?)
  • Model by Uninterpreted Predicate
    • Yields arbitrary Boolean value for each control/data combination
    • Produces same result when arguments match
    • Pipeline & reference model will branch under same conditions

18
Modeling Memories
  • Memory M Modeled as Function
    • M(a): Value at location a
  • Initially
    • Arbitrary state
    • Modeled by uninterpreted function m0
  • Writing Transforms Memory
    • M' = Write(M, wa, wd)
    • Future reads of address wa will get wd
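The memory model on this slide is usually decided with the read-over-write rule Read(Write(M, wa, wd), a) = ITE(a = wa, wd, Read(M, a)), which turns "future reads of wa get wd" into an ITE term the EUF procedure can handle. The Python below is an added example, not from the slides: it builds Write terms, applies the rule symbolically on Read, and includes a concrete evaluator that confirms the symbolic result agrees with a newest-write-wins lookup for any assignment. The term representation, variable names and evaluator are assumptions of the example.

```python
from typing import Dict

# Constructed symbolic term representation (not the slides' tool).  A memory is
# either the uninterpreted initial memory ("m0",) or ("write", mem, addr, data);
# address and data terms are variables such as ("wa",) or concrete ints.

def write(mem, wa, wd):
    """M' = Write(M, wa, wd): builds the term, nothing is evaluated yet."""
    return ("write", mem, wa, wd)

def read(mem, a):
    """Read(M, a) with the read-over-write rule applied symbolically:
    Read(Write(M, wa, wd), a) = ITE(a = wa, wd, Read(M, a)).
    A syntactically identical address resolves at once; otherwise the case
    split is left to the decision procedure as an ITE term."""
    if mem[0] == "write":
        _, inner, wa, wd = mem
        if a == wa:
            return wd
        return ("ite", ("eq", a, wa), wd, read(inner, a))
    return ("read", mem, a)        # bottoms out at the uninterpreted m0

def evaluate(t, env: Dict[str, int], m0: Dict[int, int]):
    """Concrete interpretation: variables from env, initial memory contents
    from m0 (absent addresses read as 0).  Used to check the symbolic rule."""
    if isinstance(t, int):
        return t
    op = t[0]
    if len(t) == 1:
        return env[op]
    if op == "eq":
        return evaluate(t[1], env, m0) == evaluate(t[2], env, m0)
    if op == "ite":
        return evaluate(t[2] if evaluate(t[1], env, m0) else t[3], env, m0)
    if op == "read":
        return read_concrete(t[1], evaluate(t[2], env, m0), env, m0)
    raise ValueError(op)

def read_concrete(mem, addr: int, env, m0) -> int:
    """Walk the write history newest-first, the way the hardware would."""
    while mem[0] == "write":
        _, inner, wa, wd = mem
        if evaluate(wa, env, m0) == addr:
            return evaluate(wd, env, m0)
        mem = inner
    return m0.get(addr, 0)

def symbolic_read_after_write():
    """Reading back the address just written yields wd with no case split."""
    return read(write(("m0",), ("wa",), ("wd",)), ("wa",))

def two_writes_term():
    """Two writes followed by a read of an unrelated symbolic address a:
    the result is a nested ITE, newest write tested first."""
    M = write(write(("m0",), ("a1",), ("d1",)), ("a2",), ("d2",))
    return read(M, ("a",))

def agrees_with_concrete(env: Dict[str, int], m0: Dict[int, int]) -> bool:
    """The symbolic read over two writes evaluates to the same value as a
    concrete newest-write-wins lookup under the given assignment."""
    M = write(write(("m0",), ("a1",), ("d1",)), ("a2",), ("d2",))
    return evaluate(read(M, ("a",)), env, m0) == read_concrete(M, env["a"], env, m0)
```

The nesting order matters: the outer ITE tests the most recent write, so when a1 and a2 happen to coincide under some interpretation the later data d2 wins, matching the sequential semantics of a store queue.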

19
Required Logic
  • Scalar Data Types
    • Formulas (F): Boolean Expressions
      • Control signals
    • Terms (T): Data Expressions
      • Data values
  • Functional Data Types
    • Functions (Fun): Data → Data
      • Functional units
      • Read & Write functions for memories
    • Predicates (P): Data → Boolean
      • Data-dependent control

20
EUF: Equality with Uninterpreted Functions
  • Decidable fragment of first order logic
  • Formulas (F): Boolean Expressions
    • ¬F, F1 ∧ F2, F1 ∨ F2: Boolean connectives
    • T1 = T2: Equation
    • P(T1, …, Tk): Predicate application
  • Terms (T): Integer Expressions
    • ITE(F, T1, T2): If-then-else
    • Fun(T1, …, Tk): Function application
  • Functions (Fun): Integer → Integer
    • f: Uninterpreted function symbol
    • Read, Write: Memory operations
  • Predicates (P): Integer → Boolean
    • p: Uninterpreted predicate symbol

21
Term-Level Symbolic Simulation
  • Simulator Operation
    • Register states are term-level expressions
      • Denoted by pointers to nodes in Directed Acyclic Graph (DAG)
    • Simulate each cycle of circuit by adding new nodes to DAG
      • Based on circuit operations
    • Construct DAG denoting correctness condition

22
Decision Problem
  • Logic of Equality with Uninterpreted Functions
    • Truth Values
      • Dashed lines
      • Model control
        • Logical connectives
        • Equations
    • Integer Values
      • Solid lines
      • Model data
        • Uninterpreted functions
        • If-Then-Else operation
  • Task
    • Determine whether formula is universally valid
      • True for all interpretations of variables and function symbols

23
Finite Model Property for EUF
  • Observation
    • Any formula has limited number of distinct expressions
    • Only property that matters is whether or not different terms are equal

24
Boolean Encoding of Integer Values
  • For Each Expression
    • Either equal to or distinct from each preceding expression
  • Boolean Encoding
    • Use Boolean values to encode integers over small range
    • EUF formula can be translated into propositional logic
      • Tautology iff original formula valid
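Slides 23 and 24 argue that an EUF formula only cares which of its finitely many terms are equal, so its integers can be encoded over a small range. The Python below is an added example, not code from the slides or from UCLID: it first applies Ackermann's reduction (each distinct application f(t1, ..., tk) becomes a fresh variable and each pair of applications of the same symbol contributes the functional-consistency constraint from slides 14 and 16), then uses the finite model property to decide the resulting function-free formula by enumerating assignments over the domain {0, ..., n-1}, where n is the number of remaining variables. Brute-force enumeration stands in for the propositional (SAT) encoding the slide refers to; the tuple representation, connective names and variable names are assumptions of the example.

```python
import itertools
from typing import Dict, List, Tuple

# Constructed representation (not the slides' tool).  Formulas use the connectives
# "not", "and", "or", "implies" and the atom "eq"; terms are variables such as
# ("x",), applications ("f", t1, ..., tk), or ("ite", formula, t1, t2).
CONNECTIVES = {"not", "and", "or", "implies", "eq", "ite"}

def ackermannize(formula):
    """Ackermann's reduction: replace every distinct application f(t1..tk) by a
    fresh variable v_i, and for each pair of applications of the same symbol add
    the constraint (t1 = s1 and ... and tk = sk) implies v_i = v_j.
    Returns (function-free formula, list of constraints)."""
    fresh: Dict[tuple, tuple] = {}
    def rewrite(node):
        if node[0] in CONNECTIVES:
            return (node[0],) + tuple(rewrite(c) for c in node[1:])
        if len(node) == 1:                       # variable
            return node
        key = (node[0],) + tuple(rewrite(arg) for arg in node[1:])
        if key not in fresh:
            fresh[key] = ("v%d" % len(fresh),)
        return fresh[key]
    body = rewrite(formula)
    keys = list(fresh)
    constraints = []
    for i, k1 in enumerate(keys):
        for k2 in keys[i + 1:]:
            if k1[0] == k2[0] and len(k1) == len(k2):
                args_equal = ("and",) + tuple(("eq", s, t) for s, t in zip(k1[1:], k2[1:]))
                constraints.append(("implies", args_equal, ("eq", fresh[k1], fresh[k2])))
    return body, constraints

def variables(node, acc: Dict[tuple, None]) -> Dict[tuple, None]:
    """Insertion-ordered set of the variables in a function-free formula."""
    if node[0] in CONNECTIVES:
        for c in node[1:]:
            variables(c, acc)
    else:
        acc[node] = None
    return acc

def evaluate(node, env: Dict[tuple, int]):
    """Evaluate a function-free formula or term under a concrete assignment."""
    op = node[0]
    if op == "not":     return not evaluate(node[1], env)
    if op == "and":     return all(evaluate(c, env) for c in node[1:])
    if op == "or":      return any(evaluate(c, env) for c in node[1:])
    if op == "implies": return (not evaluate(node[1], env)) or evaluate(node[2], env)
    if op == "eq":      return evaluate(node[1], env) == evaluate(node[2], env)
    if op == "ite":     return evaluate(node[2] if evaluate(node[1], env) else node[3], env)
    return env[node]                              # variable

def valid(formula) -> Tuple[bool, object]:
    """Decide EUF validity.  After the reduction only equalities among the n
    remaining variables matter, so (finite model property) a counterexample over
    the integers exists iff one exists over {0, ..., n-1}.
    Returns (True, None) or (False, counterexample assignment)."""
    body, constraints = ackermannize(formula)
    full = ("implies", ("and",) + tuple(constraints), body)
    vs = list(variables(full, {}))
    n = len(vs)
    for values in itertools.product(range(n), repeat=n):
        env = dict(zip(vs, values))
        if not evaluate(full, env):
            return False, {v[0]: val for v, val in env.items()}
    return True, None

# Worked instances built from the slides' examples (constructed names).
a, b, x, y, z = ("a",), ("b",), ("x",), ("y",), ("z",)
FUNCTIONAL_CONSISTENCY = ("implies", ("and", ("eq", a, x), ("eq", b, y)),
                          ("eq", ("f", a, b), ("f", x, y)))
HALF_PREMISE = ("implies", ("eq", a, x), ("eq", ("f", a, b), ("f", x, y)))
TRANSITIVITY = ("implies", ("and", ("eq", x, y), ("eq", y, z)), ("eq", x, z))
MUX = ("or", ("eq", ("ite", ("eq", a, b), x, y), x),      # a multiplexor always
             ("eq", ("ite", ("eq", a, b), x, y), y))      # selects one of its inputs
```

For HALF_PREMISE the checker returns an assignment in which a = x but b and y differ and the two fresh variables differ, which is a legitimate interpretation of f; that small-domain model is precisely the kind of counterexample a term-level verifier reports back as a pipeline bug trace.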

25
Pipeline Class 1
  • Linear Pipeline
    • E.g., Intel 486
    • Each instruction flows through fixed sequence of stages
    • Flush time = pipeline depth
    • Instructions Per Cycle (IPC) ≤ 1.0

26
Pipeline Class 2
  • Superscalar Pipeline
    • E.g., Intel Pentium
    • Multiple instructions can flow through pipeline
    • Interlocks prevent dependent instructions from executing at same time
    • Instructions Per Cycle (IPC) > 1.0

27
Pipeline Class 3
(Figure: out-of-order pipeline with Instr Mem, Reorder Buffer and Execution Units)
  • Out-of-Order Pipeline
    • E.g., Intel Pentium II, III, 4
    • Instruction execution need not follow program order
    • Complex control to make safe
    • Flush time depends on Reorder Buffer size

28
Pipeline Class 3b
(Figure: out-of-order pipeline with Instr Mem and a Reorder Buffer of symbolic length K)
  • Parametric Modeling
    • ROB of length K for integer symbol K
    • One verification proves correctness for family of designs
    • No bound on flush time

29
Challenge: Model Generation
  • How to generate term-level model?
  • How to guarantee faithfulness to RTL description?
  • Comparison of Models
    • Register Transfer Level
      • Golden representation of most hardware designs
      • Written in Verilog or VHDL
      • Abstracts functional elements from gate-level model
      • Synthesis allows automatic map to gate level
    • Term level
      • Abstracts bit-level data representations to words
      • Abstracts memories to mutable functions
      • Abstracts functional elements to uninterpreted functions

30
Generating Term-Level Model
  • Manually Generate from RTL
    • How do we know it is a valid abstraction?
    • Hard to keep consistent with changing RTL
  • Automatically Generate from RTL
    • Andraus & Sakallah, DAC '04
    • Must first generate cycle-level, bit-level model from HDL
      • Difficult to do from Verilog/VHDL
    • Must decide which signals to keep Boolean, which to abstract
      • Confused by bit field extraction primitives of HDL
  • Synthesize RTL from Word-Level Model
    • Difficult to make efficient

31
Evaluating Different Verification Approaches
  • What Class of Systems can be Modeled?
    • Linear pipelines much simpler than out-of-order
    • Can some system attributes be expressed parametrically?
      • More powerful form of verification
  • How Efficient is Verifier?
    • Consider both computational and manual effort
    • What scale system can be verified?