Microarchitecture Verification by Compositional Model Checking

1
Microarchitecture VerificationbyCompositional
Model Checking
Ken McMillan Ranjit Jhala Cadence Berkeley Labs
/ UC Berkeley
2
Introduction

• Compositional Model Checking
• Decomposing large proofs to a set of
  automatically provable lemmas
• Previous Work
• Unbounded or infinite state systems Flash, SGI,
  Bakery,
• Tomasulos Algorithm, with just 3 lemmas
• No need for manually constructed inductive
  invariant
• Q Can the method scale to large and complex
  systems ?
• Does the effort grow in reasonable proportion to
  the complexity
• Verification of a complete processor
  microarchitecture
• Incremental cost of each architectural feature is
  small
• Very concise proofs

3
Plan

• Compositional Model Checking
• How to reduce the verification of unbounded
  systems to a finite state problem
• Microarchitecture Modeled
• Important aspects of the proof
• Proof Decomposition An example
• Comparison with other techniques

4
Proof Decomposition
Undecidable/ intractable
Proof goal
Decidable/ tractable
sub
sub
sub
sub

• reduction to decidable/tractable problems
• do it in as few (and as simple) steps as possible

5
Functional Decompositions

• Possible decompositions of problem
• Structural (by syntax)
• Temporal (by time steps)
• Functional (by units of work)
• Functional yields simple intermediate assertions
• interaction between units of work is simpler
  than between system components
• Reduction to finite state
• each unit of work uses finite resources
• identify resources used for a given case
• abstract away everything else

6
Reduction to Finite State
property
7
Circular Temporal Proofs

• Let p q stand for
• if p up to time t-1, then q at t
• Equivalent in LTL of
• Ø(p U Øq) Not the case that q is the first to
  be false
• Now we can reason as follows

That is, if neither p nor q is the first to
be false, then both are always true.
8
Using a Reference Model
Ref. Model
e.g., programmers model
refinement relations (temporal properties)
q
p
A
circular proof
q p p q Gp Ù Gq
B
A and B each perform a unit of work
9
Temporal Case Splitting
p1
p2
p3
p4
p5
...
v1
f I'm O.K. at time t.
Idea parameterize on most recent writer w
at time t.
"i G((wi) Þ f) Gf
10
Combine With Circular Reasoning
p1
p2
p3
p4
p5
...
v1
f I'm O.K. at time t.
To prove case wi at time t, assume general case
up to t-1
"i f ((wi) Þ f) Gf
11
Abstract Interpretation

• Problem variables range over unbounded set U
• Solution reduce U to finite set Û by a
  parameterized abstraction, e.g.
• where U\i represents all the values in U except i
• Need a sound abstract interpretation, such that
• if f is valid in the abstraction, then, for all
  parameter valuations, f is valid in the original

Û i, U\i
12
Data Type Abstractions in SMV

• Examples
• Equality
• Function symbol application

i
U\i
represents no information
i
1
0
U\i
0

x
i
U\i

f(x)
f(i)

Unbounded array reduced to one fixed element!
Note truth value under abstraction may be ...
13
Applying Abstraction
pi
...
abstracted elements
v1
f I'm O.K. at time t.
Must verify by model checking
f ((wi) Þ f)
i.e, if pi is the most recent to modify v1, then
v1 is correct.
14
Review

• By a sequence of three steps
• circular temporal reasoning
• (restricts to one unit of work)
• case splitting (adding parameters)
• (identifies resources used in that unit of work)
• abstraction interpretation
• (abstracts away everything else)
• ...we reduce the verification of an unbounded
  system of processes to a finite state problem.

15
Plan

• Compositional Model Checking
• How to reduce the verification of unbounded
  systems to a finite state problem
• Microarchitecture Modeled
• Important aspects of the proof
• Proof Decomposition An example
• Comparison with other techniques

16
Instruction Set Architecture (ISA)

• The ISA we consider, supports the following
  instructions
• LOAD regsrc regdst
• regdst Memregsrc
• STORE regsrc regdst
• Memregdst regsrc
• ALU regsrca regsrcb regdst
• Regdst F(regsrca, regsrcb)
• BRANCH regsrca regsrcb offset
• Branch to target (function of pc, offset) based
  on F(regsrca, regsrcb) is true
• JUMP regsrc
• Transfer control to regsrc
• OUT regsrc
• Send the data in regsrc to the Output Port
• LOAD, STORE, ALU may raise exceptions

17
Salient Features

• Out of Order Execution
• Tomasulos Algorithm
• Reorder Buffer
• Speculative Execution
• modelled by a non-deterministic Branch Predictor
• Precise Exceptions
• Optimised Load/Store Buffer
• Reordering of Operations
• Load Forwarding
• Unbounded
• Memory, Register File, Reorder Buffer, LSB,
  Execution Units

18
The Processor Model
Reorder Buffer
19
How it works An instructions path
Reorder Buffer

• Unit of work instruction

20
Plan

• Compositional Model Checking
• How to reduce the verification of unbounded
  systems to a finite state problem
• Microarchitecture Modeled
• Important aspects of the proof
• Proof Decomposition An example
• Comparison with other techniques

21
What are we Proving ?
22
Proof Strategy

• Show the Implementation Refines the ISA model by
  writing and verifying refinement maps
• Whenever there is an OUT instruction, the output
  of the IMPL must be the same as that of the ISA
• For every instruction, the correct
  operands/results taken from ISA model and stored
  in auxiliary variables
• Used to write refinement maps specifying the
  values during different stages in the
  instructions lifetime
• Shadowed instructions Dont care, as they do not
  change state
• Secondary lemmas
• Strengthen the abstraction Non-interference
  etc.
• Cut down the model size

23
Key Elements of the proof

• Writing the refinement maps
• Handling Speculation
• Shadow bit marks every instr. that should not
  have been executed
• For such instructions, refinement maps dont have
  to specify values
• Handling data dependencies in Out-of-Order
  Execution
• Tomasulos Algorithm Implicitly data-flow
• Load/Store Buffer

24
Proof A Birds Eye View
Refinement Maps Shadowed? Dont Care
25
Handling Speculation Synchronizing
ISA Instruction Stream Fetch/Dec/Exc/WB in 1 cyc
IMPL Instruction Stream Fetch/Dec At the same
time as ISA
26
Handling Speculation Shadow Bit

• ISA Stalls if IMPL guesses wrong,
• Enters Shadow State

• Subsequent IMPL instructions are Shadowed

• Shadowed status propagated

• Bad Instruction reaches WriteBack

• IMPL flushes unfinished instructions

27
Handling Speculation Shadow Bit

• ISA Stalls if IMPL guesses wrong,
• Enters Shadow State

• Subsequent IMPL instructions are Shadowed

• Shadowed status propagated

• Bad Instruction reaches WriteBack

• IMPL flushes unfinished instructions

• ISA exits Shadow state, continues
• Subsequent IMPL instructions are clean

28
Handling Data Dependencies
Read

• All other instructions abstracted away
• Model Checking fails ! Abstraction too coarse
• A different (abstracted) instruction is the
  actual last writer in Counter-Ex !
• Put both instructions in the abstraction

• Or show separately that they are the same

29
Handling Data Dependencies
Read

• The time step of an instr. is the time it was
  issued
• For unshadowed instructions
• ISA and IMPL issue corresponding instructions
  synchronously
• Easy to track correspondences

30
Plan

• Compositional Model Checking
• How to reduce the verification of unbounded
  systems to a finite state problem
• Microarchitecture Modeled
• Important aspects of the proof
• Proof Decomposition An example
• Comparison with other techniques

31
Unit of Work Decomposition
Unlocked Registers Have Correct Data
32
Unlocked Registers have Correct Data 1

• Split Cases on
• Register
• The last instruction that should have written to
  that register (ISA)
• But what if some bogus (abstracted) instruction
  wrote to it ?
• The last instruction that actually wrote to that
  register (IMPL)
• Both are stored as auxiliary variables
• Model Checking should show the two are the same
• and also as that instruction produced the
  correct result
• (from refinement map), that the register has
  Correct Data

Should
Actual
t
33
Unlocked Registers have Correct Data 2
But Speculation Causes Problems

• The instruction with the bad guess is abstracted
  away, thus there is no flushing
• A shadowed instruction writes to the register!

• An Intermediate (abstracted) instruction wrongly
  flushes the valid unshadowed instruction
• The register has stale data !

Can solve by splitting cases on flushing instr
but 3 instructions ) State Explosion !
34
Unlocked Registers have Correct Data 3
Lemmas to deal with speculation

• Problem Shadowed Inst. Writes Back
• Lemma Every instruction writing back
  is not shadowed
• Split Cases on
• Instruction causing shadow
• Instruction writing back

• Problem Unshadowed Inst. Flushed !
• Lemma When there is a flush, there is no
  Unshadowed inst. in buffer
• Split Cases on
• Instruction causing the flush
• Unshadowed instruction

35
Load Store Buffer

• Need to prove Every LOAD returns the correct
  value
• Split Cases on
• Address
• Last STORE instruction that should have written
  to that address (ISA)
• Last STORE instruction that actually wrote to
  that address (IMPL)
• Aux. Variables, Model Checking should show they
  are the same
• Data forwarding and Reordering for free !

36
Load Store Buffer

• Problem
• Need to model resources of 3 instructions
• Case and State Explosion !
• Avoid modelling all resources by writing a
  refinement map for LSB
• Use ISA, aux vars to specify the contents of
  valid entries in the buffer
• Abstract away everything except the LSB and the
  Memory
• Break into 2 simpler lemmas
• Each requires splitting cases on 2 instructions

37
Plan

• Compositional Model Checking
• How to reduce the verification of unbounded
  systems to a finite state problem
• Microarchitecture Modeled
• Important aspects of the proof
• Proof Decomposition An example
• Comparison with other techniques

38
Comparison With Other Techniques

• Sawada Hunt, Velev Bryant, Hosabettu et. al.
• Variants of Burch-Dill Flushing Technique
• Abstraction function not strong enough to be
  invariant
• Manually constructed invariants needed
• Reason about entire machine state, intractable
• Decomposing the flushing function advantage
  of BD lost !

39
Comparison With Other Techniques

• Velev Bryant
• Efficiently checking commutativity condition
• No Out-of-Order or LSB Flushing functions too
  complex ?
• Sawada Hunt
• Track status of instructions using a MAETT
  similar to our aux. Vars
• Need a huge inductive invariant
• Hosabettu et al.
• Completion functions
• Proof Sizes
• Sawada Hunt ACL2, Spec 60 Kb, Proof 1909
  Kb, Lemmas 4000
• Hosabettu et al. PVS , Spec 70 Kb, Proof
  2300 Kb
• CMC SMV , Spec 20 Kb,
  Proof 18 Kb, Lemmas 18

40
Conclusions

• How to use CMC to verify microarchitectures with
  several modern features
• Proof strategies to handle speculation, rd/wr
  reordering
• Succintness of proof
• No need for invariants
• Functional Decomposition into units of work
• Proof methodology scales well
• Would be easy to add features like caches,
  multiple issue, etc.
• CMC to verify a real microarchitecture
• Show how a model written at a high level can be
  refined to an RTL implementation
• Use Cadence SMV !