A General Decomposition Strategy for Verifying Register Renaming - PowerPoint PPT Presentation

Slides: 42
Provided by: markaa
Transcript and Presenter's Notes

1
A General Decomposition Strategy for Verifying Register Renaming
  • Hazem Shehata and Mark Aagaard
  • Dept of Elect and Comp Engr
  • University of Waterloo
  • http://www.watform.uwaterloo.ca

2
Overview
  • Background
  • Register renaming
  • Hazards-based definition of pipeline correctness
  • High-level model of O-o-O processor with generic
    model of register-renaming
  • Definition of correctness for register-renaming,
    as a specialization of correctness for
    data-hazards
  • Theorem proving to decompose register-renaming
    correctness into model checking obligations
  • High-level model of Dual-RAT register renaming
  • Verification of Dual-RAT register renaming using
    model checking

(Slide sidebar, repeated on every slide: Background, O-o-O Proc, Correctness, Decomposition, Dual RAT, Model checking)
5
Register Renaming
  • Performance optimization implemented in
    processors to increase instruction-level
    parallelism
  • Dates back to Thornton's scoreboard on the CDC 6600
    and Tomasulo's algorithm on the IBM 360/91
  • Today, several variations are in widespread use
    in high-performance microprocessors
  • Processor implementations have more physical
    registers than the instruction set has
    architected registers

Example, before renaming (architected registers; the arithmetic operator did not survive extraction and is written "op"):
I1: R3 ← R1 op 7
I2: R2 ← R3 op R2        RAW on R3 with I1
I3: R3 ← R1 op 3         WAW on R3 with I1, WAR on R3 with I2

After renaming (physical registers):
I1: P7 ← P5 op 7
I2: P8 ← P7 op P6        RAW on P7 with I1 is preserved (a true dependence)
I3: P9 ← P5 op 3         WAW and WAR are eliminated (name dependences only)
10
Pipeline Correctness and Verification
(Diagram: PipeOk, which guarantees Burch-Dill correctness, decomposes into StructCtrlHazOk, DataCtrlHazOk and DataPathFunOk; the leaf properties over the Pipeline are Raw, Waw, War, Rds, Wri, Wrs, WFi, WFs, InvF, Enter, Exit and Trav.)
  • All hazards in the pipeline are handled correctly
  • Orthogonal properties enable specialized abstractions
  • Impl-specific predicates (e.g. Rd, Wr) relate the impl to the properties
12
Data-Hazard Correctness
(Diagram: the decomposition tree of slide 10, with the data-hazard leaves Raw, Waw, War, Rds, Wri, Wrs, WFi, WFs and InvF annotated as follows.)
The data-hazard properties, of which the most difficult were chosen for verification:
  • RAW orderings are obeyed
  • WAW and WAR orderings are obeyed (relatively easy invariant)
  • Mapping from writes in spec to writes in impl
  • Mapping from reads in spec to reads in impl
  • Mapping from writes in impl to writes in spec
  • Writes before flushed states (easy: architected vars readable)
  • Impl data is not invalidated before flushed states (easy)
The four properties carried into the verification strategy that follows are Raw, Rds, Wri and Wrs.
19
Verification Strategy
(Diagram of the strategy, top to bottom; the verification challenge is bridging the generic data-hazard properties and the concrete dual-RAT design.)
  • Generic data hazards: predicates WrS, RdS, WrI, RdI, AM; properties Raw, Rds, Wri, Wrs
  • Instantiated on a generic O-o-O processor with register renaming: 10 temporally rich properties
  • Manual theorem proving decomposes these into the generic register-renaming obligations:
    8 environment assumptions, 10 invariants, 16 inductive relations, 3 initial conditions, 1 until
  • SMV model checking discharges the obligations on the dual-RAT register-renaming model:
    FRAT, RRAT, RF, ROB, Pipeline
23
Generic Register-Renaming Units
(Diagram: pipeline Fetch/Decode → Rename → Dispatch → Execute → Writeback → Reorder/Retire, with each unit shaded as a modeled unit, an environmental unit or data storage.)
  • Environmental units: do not affect data storage
  • Modeled units: implement register renaming by modifying data storage
  • Data storage: holds processor state
26
Generic Register-Renaming Predicates
(Diagram: the pipeline of the previous slide with the predicates of each unit attached.)
Signal predicates, per unit (Fetch/Decode: DFD, SFD, BFD; Rename: DRR, SRR, BRR; Dispatch: DSD, SSD, BSD; Execute: DEX, BEX):
  • B..: bubble
  • S..: src reg
  • D..: dst reg
Storage predicates:
  • F: speculative arch→phys map
  • B: busy
  • V: valid
  • R: committed arch→phys map
32
Instantiating Data-Hazard Correctness
(Diagram: the generic data-hazard predicates placed on the pipeline of the previous slides.)
  • WrS, spec write: Fetch/Decode
  • RdS, spec read: Rename
  • RdI, impl read: Dispatch
  • WrI, impl write: Execute
  • AM, address map: Writeback / Reorder/Retire (storage predicates V and R)
34
Obligations
  • Three initial conditions
  • Ten invariants
  • Sixteen single-step inductive relations
  • One weak-until
  • Could use knowledge of specific reg-rename
    scheme to decompose, but would lose generality
    of proof

Examples (the binary operators that did not survive extraction are left as "?"):
∀ai. AM(t0,ai)? ? ¬V(t0,ai)
∀t,ai. ¬BRR(t) ? DRR(t,ai) ? B(t,ai)
∀t,ai. V(t,ai) ? B(t,ai) ? (BRR(t+1) ? ¬DRR(t+1,ai))
∀t,ai,as,n. F(t,as,n) ? AM(t,ai)? ? AM(t1,ai)?? ? ∃t1 > t. (∀t2 ? (t1t1). B(t2,ai)) ? AM(t,ai) = n
39
High-Level Model of Dual-RAT
(Diagram: the generic pipeline with the dual-RAT data-storage units annotated; environmental units, data storage and modeled units shaded as before.)
  • FRAT (F): speculative map of arch regs to phys regs
  • RRAT (R): committed map of arch regs to phys regs
  • RF (B, V): shared pool of speculative and committed data values
  • ROB: FIFO queue of instructions
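The renaming example of slide 5 and the dual-RAT model above, as an added Python example that is not part of the presentation or of the authors' theorem-prover and SMV models: a small executable dual-RAT model (FRAT, RRAT, a register file with busy/valid bits, a FIFO ROB) with rename, writeback, in-order retire and flush events; a hazard finder that reports RAW/WAW/WAR on the architected program and only RAW after renaming; and a breadth-first enumeration of every reachable state of a tiny instance that checks four invariants in each state, the shape of obligation (initial conditions plus invariants over all reachable states) that the slides hand to SMV. The state encoding, the event set, the choice of invariants, the sizes (2 architected and 4 physical registers with ROB depth 2 for the exhaustive check; 3 and 6 for the slide program) and the physical-register numbering (which differs from the P5..P9 on the slide) are assumptions.

```python
"""Executable model of dual-RAT register renaming (slides 36-39), applied to the
three-instruction hazard example (slides 3-5) and to an exhaustive reachable-state
check of invariants, the kind of obligation the slides hand to SMV. Added example,
not the authors' model: state encoding, event set and sizes are assumptions."""
from collections import deque

# state = (frat, rrat, valid, busy, rob): frat/rrat map arch -> phys (speculative
# and committed), valid[p] = value written back, busy[p] = allocated to an
# in-flight instruction, rob = tuple of (dst_arch, dst_phys), oldest first.

def initial_state(n_arch, n_phys):
    ident = tuple(range(n_arch))                       # arch i starts in phys i
    return (ident, ident, tuple(i < n_arch for i in range(n_phys)), (False,) * n_phys, ())

def set_at(t, i, v):
    return t[:i] + (v,) + t[i + 1:]

def rename(state, dst, srcs, n_phys, rob_depth):
    """Rename one instruction: (state', phys_dst, phys_srcs), or None on a stall."""
    frat, rrat, valid, busy, rob = state
    used = set(frat) | set(rrat) | {p for _, p in rob}
    free = [p for p in range(n_phys) if p not in used]
    if len(rob) >= rob_depth or not free:
        return None
    p, phys_srcs = free[0], tuple(frat[s] for s in srcs)   # read sources before remapping dst
    state = (set_at(frat, dst, p), rrat, set_at(valid, p, False), set_at(busy, p, True), rob + ((dst, p),))
    return state, p, phys_srcs

def writeback(state, p):
    frat, rrat, valid, busy, rob = state
    return None if not busy[p] or valid[p] else (frat, rrat, set_at(valid, p, True), busy, rob)

def retire(state):
    frat, rrat, valid, busy, rob = state
    if not rob or not valid[rob[0][1]]:                # in-order retire waits for the writeback
        return None
    dst, p = rob[0]
    return (frat, set_at(rrat, dst, p), valid, set_at(busy, p, False), rob[1:])

def flush(state):
    """Squash everything in flight and restore the speculative map from the committed one."""
    _, rrat, valid, _, _ = state
    valid = tuple(v and p in rrat for p, v in enumerate(valid))
    return (rrat, rrat, valid, (False,) * len(valid), ())

def invariants(state, n_arch):
    """Safety properties expected of every reachable state (name -> holds?)."""
    frat, rrat, valid, busy, rob = state
    inflight = {p for _, p in rob}
    return {
        "busy_iff_inflight": all(busy[p] == (p in inflight) for p in range(len(busy))),
        "committed_valid_not_busy": all(valid[rrat[a]] and not busy[rrat[a]] for a in range(n_arch)),
        "maps_injective": len(set(frat)) == n_arch == len(set(rrat)),
        "frat_is_rrat_plus_rob": all(
            frat[a] == ([p for d, p in rob if d == a] or [rrat[a]])[-1] for a in range(n_arch)),
    }

def successors(state, n_arch, n_phys, rob_depth):
    cands = [rename(state, d, (s,), n_phys, rob_depth) for d in range(n_arch) for s in range(n_arch)]
    cands = [r[0] for r in cands if r] + [writeback(state, p) for p in range(n_phys)]
    return [s for s in cands + [retire(state), flush(state)] if s]

def explore(n_arch=2, n_phys=4, rob_depth=2):
    """Breadth-first search over all reachable states; returns (count, violations)."""
    init = initial_state(n_arch, n_phys)
    seen, queue, bad = {init}, deque([init]), []
    while queue:
        s = queue.popleft()
        failed = [k for k, ok in invariants(s, n_arch).items() if not ok]
        if failed:
            bad.append((s, failed))
        for t in successors(s, n_arch, n_phys, rob_depth):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return len(seen), bad

def hazards(program):
    """RAW/WAW/WAR pairs in a list of (name, dst, srcs), over any register numbering."""
    found = []
    for i, (ni, di, si) in enumerate(program):
        for nj, dj, sj in program[i + 1:]:
            found += [("RAW", ni, nj, di)] if di in sj else []
            found += [("WAW", ni, nj, di)] if di == dj else []
            found += [("WAR", ni, nj, r) for r in si if r == dj]
    return found

def rename_program(program, n_arch=3, n_phys=6, rob_depth=4):
    """Rename a program in order; returns the same list over physical registers."""
    state, out = initial_state(n_arch, n_phys), []
    for name, dst, srcs in program:
        state, p, ps = rename(state, dst, srcs, n_phys, rob_depth)   # raises on a stall
        out.append((name, p, ps))
    return out

# Constructed input: the slide's I1..I3 with R1, R2, R3 encoded as arch 0, 1, 2.
SLIDE_PROGRAM = [("I1", 2, (0,)), ("I2", 1, (2, 1)), ("I3", 2, (0,))]
```

`hazards(SLIDE_PROGRAM)` reports the RAW, WAW and WAR of slide 5, and `hazards(rename_program(SLIDE_PROGRAM))` only the RAW. `explore()` is an explicit-state check rather than the BDD-based symbolic search SMV performs, but it shows the same obligation shape at toy size: the initial state satisfies the invariants and every event preserves them, including a flush, which restores FRAT from RRAT and clears all busy bits. The reachable-state count grows quickly with the number of physical registers, the factor the results slide identifies as dominant.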
40
Dual-RAT Model Checking Results
  • 30M BDD nodes, 10 hrs max per property
  • Fetch/Decode and Rename are the most complex units
  • Number of physical registers is the dominant factor
    in model checking complexity (RAT_size × RF_size)