Cindy Eisner - PowerPoint PPT Presentation

Title:

Cindy Eisner

Description:

Cindy Eisner. IBM Haifa Research Laboratory. June 8, 2000. joint work with: ... After the third really good bug, they'll be hooked ... – PowerPoint PPT presentation

Slides: 17
Provided by: carl290

Transcript and Presenter's Notes


1
A Methodology for Formal Design of Hardware Control
  • Cindy Eisner
  • IBM Haifa Research Laboratory
  • June 8, 2000
  • joint work with Russ Hoover, Wayne Nation, Kyle Nelson, Irit Shitsevalov and Ken Valk

2
Outline
  • Why we need formal design
  • H/W control as a concurrent distributed algorithm
  • Example: cache coherence protocol
  • The sorry state of high-level specifications
  • The methodology
  • Algorithmic specification of hardware control
  • Executing the specification: formal verification
  • Translating the specification to HDL
  • Results
  • How to Make it Work

3
Hardware Control as a Concurrent Distributed Algorithm

4
Example: Snoopy Cache Coherence Protocol
  • M: Modified
  • E: Exclusive
  • S: Shared
  • I: Invalid

5
Example (continued)
6
Example (continued)
7
Example (continued)
8
The Sorry State of High-Level Specifications
  • Interface lists English description
  • Protocol (syntax rather than semantics)
  • Transition diagrams
      • assume transactions are atomic
      • ignore overlapping transactions (collisions)
      • ignore data
  • No reflection of complex temporal and spatial structure of control algorithm
  • Problem is much more than ambiguity of English!

9
Algorithmic Specification of Cache Coherence Protocol

    @snoop response
    pq.snoopresponse = snoop_in
    if (pq.snoopresponse == RETRY) pq.state = RETRIED
    else if (pq.snoopresponse == MDF) pq.state = INTERVENTION
    else pq.state = NORMAL
    MemoryCommand = lookup_MemoryCmdOut(pq.command, pq.state)

  • Pseudo-Java
  • Method is atomic
  • Communication through shared variables
  • Concurrency is implied

10
Executing the Specification: Formal Verification
  • Verified models containing up to 6 sequencers

11
Abstraction Level of the Formal Model
  • Cycle accurate, but
  • Only one address ( modeling of castouts)
  • Data is abstract
  • Abstraction level marks the line between an
    algorithmic error and an implementation error

12
Translating the Specification to HDL
  • Automatic translation to HDL hardware which is
    correct by construction (?)
  • Need to add bookkeeping code

13
Recent Results
  • Evolution of collision detection logic
      • Week 1: when in doubt, retry
      • Week 41: 10 pages of pseudo-code

14
Why Algorithmic Verification is So Effective
  • Model has only one address, so
      • Quick and simple to code and debug
      • Allows fast focus on algorithmic problems
  • In simulation, algorithmic problems hide behind bookkeeping problems
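
An added illustration, not taken from the slides, of why a one-address model with abstract data is quick to check exhaustively: a breadth-first search over every reachable state of a textbook MESI protocol. The transition rules, the atomic-transaction simplification (no collisions) and the `invalidate_on_write` switch, a seeded bug used to produce a counterexample trace, are assumptions of this example; the slides do not give the rules of the IBM protocol.

```python
from collections import deque

def successors(state, invalidate_on_write=True):
    """Yield (label, next_state) for each atomic transaction on the single address."""
    for i, s in enumerate(state):
        others = [j for j in range(len(state)) if j != i]
        if s == "I":  # read miss: any M/E owner is snooped down to S
            nxt = list(state)
            shared = any(state[j] != "I" for j in others)
            for j in others:
                if nxt[j] in "ME":
                    nxt[j] = "S"
            nxt[i] = "S" if shared else "E"
            yield f"read{i}", tuple(nxt)
        if s != "M":  # write: requester takes M, all other copies must be invalidated
            nxt = list(state)
            if invalidate_on_write:  # False models the seeded bug (assumption)
                for j in others:
                    nxt[j] = "I"
            nxt[i] = "M"
            yield f"write{i}", tuple(nxt)
        if s != "I":  # castout: the line leaves this cache
            nxt = list(state)
            nxt[i] = "I"
            yield f"evict{i}", tuple(nxt)

def coherent(state):
    """Invariant: a cache holding M or E holds the only valid copy."""
    valid = [s for s in state if s != "I"]
    return len(valid) <= 1 or all(s == "S" for s in valid)

def check(n, invalidate_on_write=True):
    """Explore all reachable states of n caches; return (states_seen, trace or None)."""
    init = ("I",) * n
    parent = {init: None}  # state -> (previous state, transaction label)
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not coherent(state):  # walk parents back to get a shortest counterexample
            trace = []
            while parent[state]:
                state, label = parent[state]
                trace.append(label)
            return len(parent), trace[::-1]
        for label, nxt in successors(state, invalidate_on_write):
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return len(parent), None

if __name__ == "__main__":
    print(check(6))         # six caches, full state space, invariant holds
    print(check(2, False))  # seeded bug: shortest trace to an incoherent state
```
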

15
Effect on Design Process (Architects' Words)
  • Drove rigor, completeness and correctness of
    high-level design
  • Found errors and helped to direct changes in
    early design approaches
  • VHDL written more quickly; automatically generated VHDL increases productivity and ensures consistency

16
How to Make it Work
  • If you are an architect or logic designer
      • Methodology is not limited to cache coherence protocols
      • Can work for any complicated control code
      • Used successfully on Instruction Reordering Unit
  • If you are a verification person
      • Don't try to convince your architects to code in Java
      • Methodology can be introduced gradually: start with an English specification and use non-determinism to fill the holes
      • After the third really good bug, they'll be hooked