Slide 1: CS137: Electronic Design Automation
Day 15: February 13, 2006
Processor Verification
CALTECH CS137 Winter2006 -- DeHon

Slide 2: Today
• Specification/Implementation
• Abstraction Functions
• Correctness Condition
• Verification
• Self-Consistency

Slide 3: Specification
• Abstract from Implementation
• Describes observable/correct behavior
  – Same with respect to important behavior

Slide 4: Implementation
• Some particular embodiment
• Should have same observable behavior
• Many more details
  – How performed
  – Auxiliary/intermediate state

Slide 5: Important Behavior
• Same output sequence for input sequence
  – Same output after some time?
• Timing?
  – Number of clock cycles to/between results?
  – Timing w/in bounds?
• Ordering?

Slide 6: Abstraction Function
• Map from implementation state to specification state
  – Use to reason about implementation correctness
  – Want to guarantee: AF(Fi(q,i)) = Fs(AF(q),i)
(figure) commuting diagram: implementation step Fi followed by AF equals AF followed by specification step Fs
Slide 7: Familiar Example
• Memory Systems
  – Specification:
    • W(A,D)
    • R(A) → D from last D written to this address
  – Specification state: contents of memory
  – Implementation:
    • Multiple caches, VM, pipelined, Write Buffers…
  – Implementation state: much richer…

Slide 8: Memory AF
• Maps from
  – State of caches/WB/etc.
• To
  – Abstract state of memory
• Guarantee AF(Fi(q,I)) == Fs(AF(q),I)
  – Guarantee change to state always represents the correct thing

Slide 9: Abstract Timing
• For computer memory system
  – Cycle-by-cycle timing not part of specification
  – Must abstract out
• Solution:
  – Way of saying "no response"
    • Saying "skip this cycle"
    • Marking data presence
      – (tagged data presence pattern)

Slide 10: Filter to Abstract Timing
• Filter input/output sequence
• Os(in) → out
• FilterStall(Impl_in) = in
• FilterStall(Impl_out) = out
• Forall sequences Impl_in
  – FilterOut(Oi(Impl_in)) = Os(FilterStall(Impl_in))

Slide 11: CS184b: Day3 Processors
• Pipeline is big difference between specification state and implementation state.
• Specification State:
  – Register contents (incl. PC)
  – Memory contents

Slide 12: DLX Datapath
(figure) DLX unpipelined datapath from H&P (Fig. 3.1 e2, A.17 e3)
Slide 13: CS184b: Day3 Processors
• Pipeline is big difference between specification state and implementation state.
• Specification State:
  – Register contents (incl. PC)
  – Memory contents
• Implementation State:
  + Instruction in pipeline
  + Lots of bits → Many more states → State-space explosion to track

Slide 14: Revised Pipeline
(figure) DLX repipelined datapath from H&P (Fig. 3.22 e2, A.24 e3)

Slide 15: Observation
• After flushing pipeline,
  – Reduce implementation state to specification state
• Can flush pipeline with series of NOPs or stall cycles

Slide 16: Compare
(figure only)

Slide 17: Pipelined Processor Correctness
• w = input sequence
• w_f = flush sequence
  – Enough NOPs to flush pipeline state
• Forall states q and prefix w
  – Fi(q, w·w_f) ≅ Fs(q, w·w_f)
  – Fi(q, w·w_f) ≅ Fs(q, w)
  – (the two forms agree because NOPs leave the specification state unchanged)
• FSM observation
  – Finite state in pipeline [Burch+Dill, CAV'94]
  – only need to consider finite w

Slide 18: Pipeline Correspondence
(figure only)
Slide 19: Equivalence
• Now have a logical condition for equivalence
• Need to show that it holds
  – Is a Tautology
• Or find a counter example

Slide 20: Ideas
• Extract Transition Function
• Segregate datapath
• Symbolic simulation on variables
  – For q, w's
• Case splitting search
  – Implication pruning

Slide 21: Extract Transition Function
• From HDL
• Similar to what we saw for FSMs

Slide 22: Segregate Datapath
• Big state blowup is in size of datapath
  – Represent data symbolically/abstractly
• Independent of bitwidth
  – Not verify datapath/ALU functions as part of this
• Can verify ALU logic separately using combinational verification techniques
• Abstract/uninterpreted functions for datapath

Slide 23: Burch&Dill Logic
• Quantifier-free
• Uninterpreted functions (datapath)
• Predicates with
  – Equality
  – Propositional connectives

Slide 24: B&D Logic
• Formula = ite(formula, formula, formula)
          | (term = term)
          | psym(term, …, term)
          | pvar | true | false
• Term = ite(formula, term, term)
       | fsym(term, …, term)
       | tvar
Slide 25: Sample Pipeline
(figure only)

Slide 26: Sample
• Regfile:
  – (ite stall regfile (write regfile dest (alu op (read regfile src1) (read regfile src2))))

Slide 27: Example Logic
• arg1:
  – (ite (or bubble-ex (not (= src1 dest-ex)))
         (read (ite bubble-wb regfile (write regfile dest-wb result)) src1)
         (alu op-ex arg1 arg2))

Slide 28: Symbolic Simulation
• Create logical expressions for outputs/state
  – Taking initial state/inputs as variables

Slide 29: Case Splitting Search
• Satisfiability Problem
• Pick an unresolved variable
• Branch on true and false
• Push implications
• Bottom out at consistent specification
• Exit on contradiction
• Pragmatic: use memoization to reuse search work

Slide 30: Review: What have we done?
• Reduced to simpler problem
  – Simple, clean specification
• Abstract Simulation
  – Explore all possible instruction sequences
• Abstracted the simulation
  – Focus on control
  – Divide and Conquer: control vs. arithmetic
• Used Satisfiability for reachability in abstract simulation
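As an added example (not code from the slides or from Burch & Dill's tool), this Python sketch models the B&D grammar of slide 24 and the case-splitting search of slide 29: `simplify` decides ite's under a partial assignment and applies read-over-write on the uninterpreted memory, and `prove_equal` splits on unresolved atoms until both sides reduce to the same term, checking slide 27's arg1 forwarding expression against a constructed "flushed" value of src1 and finding a counterexample for a variant that ignores the EX bubble. Assumed: the EX operand latches are named arg1-ex/arg2-ex, and equality atoms are split as independent booleans (no transitivity), so a proof is sound but a reported counterexample could be spurious.

```python
def simplify(t, env, acc):
    """Rewrite a B&D term under partial assignment env (atom -> bool); unresolved atoms go to acc."""
    if isinstance(t, str):
        return env.get(t, t)                                  # pvar (maybe decided) or tvar
    op, *args = t
    args = [simplify(a, env, acc) for a in args]
    if op in ('ite', 'not', 'or'):                            # formula positions: record open pvars
        acc.update(a for a in args[:2 if op == 'or' else 1] if isinstance(a, str))
    if op == 'ite':
        c, a, b = args
        if isinstance(c, bool): return a if c else b
        return a if a == b else ('ite', c, a, b)
    if op == 'not':
        return (not args[0]) if isinstance(args[0], bool) else ('not', args[0])
    if op == 'or':
        x, y = args
        if x is True or y is True: return True
        return y if x is False else (x if y is False else ('or', x, y))
    if op == '=':
        x, y = args
        key = ('=',) + tuple(sorted((x, y), key=repr))        # canonical orientation of the atom
        if x != y and key not in env: acc.add(key)
        return True if x == y else env.get(key, key)
    if op == 'read' and isinstance(args[0], tuple):
        m, a = args
        if m[0] == 'write':                                   # read-over-write axiom
            return simplify(('ite', ('=', m[2], a), m[3], ('read', m[1], a)), env, acc)
        if m[0] == 'ite':                                     # push the read into both branches
            return simplify(('ite', m[1], ('read', m[2], a), ('read', m[3], a)), env, acc)
    return (op, *args)

def prove_equal(t1, t2, env=None):
    """Case-splitting search: None if t1 == t2 under every assignment, else a counterexample env."""
    env, acc = env or {}, set()
    s1, s2 = simplify(t1, env, acc), simplify(t2, env, acc)
    if s1 == s2: return None
    pending = acc - set(env)
    if not pending: return env                                # fully decided and still different
    atom = min(pending, key=repr)                             # pick an unresolved variable
    for val in (True, False):                                 # branch on true and false
        cex = prove_equal(t1, t2, {**env, atom: val})
        if cex is not None: return cex
    return None

# Slide 27's arg1 forwarding term; EX operand latches named arg1-ex/arg2-ex (assumed names).
WB_VIEW = ('ite', 'bubble-wb', 'regfile', ('write', 'regfile', 'dest-wb', 'result'))
EX_RESULT = ('alu', 'op-ex', 'arg1-ex', 'arg2-ex')
IMPL = ('ite', ('or', 'bubble-ex', ('not', ('=', 'src1', 'dest-ex'))), ('read', WB_VIEW, 'src1'), EX_RESULT)
IMPL_BUG = ('ite', ('not', ('=', 'src1', 'dest-ex')), ('read', WB_VIEW, 'src1'), EX_RESULT)  # ignores EX bubble
SPEC = ('read', ('ite', 'bubble-ex', WB_VIEW, ('write', WB_VIEW, 'dest-ex', EX_RESULT)), 'src1')  # flushed view
```

`prove_equal(IMPL, SPEC)` returns None after splitting only on bubble-ex, bubble-wb and the two equalities; the buggy variant yields an assignment with bubble-ex true and src1 = dest-ex, the stale-latch case the `or` guards against.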
Slide 31: Achievable
• Burch&Dill: Verify 5-stage pipeline DLX
  – 1 minute in 1994

Slide 32: Self Consistency

Slide 33: Self-Consistency
• Compare same implementation in two different modes of operation
  – (which should not affect result)
• Compare pipelined processor
  – To self w/ NOPs separating instructions
    • So only one instruction in pipeline at a time

Slide 34: Self-Consistency
• w = instruction sequence
• S(w) = w with no-ops
• Show: Forall q, w
  – F(q,w) = F(q,S(w))

Slide 35: Sample Result
(figure) Verification running on P2-200MHz [Jones, Seger, Dill / FMCAD 1996]
n.b. Jones&Seger at Intel

Slide 36: Sample Result
(figure) [Skakkebæk, Jones, and Dill / CAV 1998]
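As an added example (not the slides' code), a Python model of the flushing condition of slide 17 and the self-consistency check of slide 34 on a constructed two-register, two-stage pipeline with only `add` and NOP: the abstraction function is one flushing NOP, both checks run exhaustively over every state q and instruction sequence w of length 2, and the same checks expose a forwarding bug (stale operand read) in a variant of the implementation. Assumed: the toy ISA, 2-bit register values and the two-stage structure are all constructed for the example.

```python
from itertools import product

NREGS, MOD = 2, 4      # constructed toy machine: two registers holding 2-bit values
NOP = ('nop',)
INSTRS = [NOP] + [('add', d, s1, s2) for d, s1, s2 in product(range(NREGS), repeat=3)]

def spec_step(regs, ins):
    """Fs: the specification retires one instruction per step; its state is the register file."""
    if ins == NOP: return regs
    r = list(regs); r[ins[1]] = (regs[ins[2]] + regs[ins[3]]) % MOD
    return tuple(r)

def impl_step(state, ins, forward=True):
    """Fi: two-stage pipeline; state = (register file, result waiting in the write-back stage)."""
    regs, pending = state
    def read(s):               # forward=False models the RAW hazard: a stale register read
        if forward and pending and pending[0] == s:
            return pending[1]
        return regs[s]
    vals = None if ins == NOP else (read(ins[2]), read(ins[3]))   # operands read this cycle
    if pending:                # write-back stage commits last cycle's result
        r = list(regs); r[pending[0]] = pending[1]; regs = tuple(r)
    return (regs, None) if ins == NOP else (regs, (ins[1], sum(vals) % MOD))

no_fwd_step = lambda state, ins: impl_step(state, ins, forward=False)   # buggy variant

def run(step, q, w):                     # F(q, w): apply step to each instruction in turn
    for ins in w: q = step(q, ins)
    return q

def abstraction_fn(q, step=impl_step):   # AF: flush with one NOP (w_f), keep the register file
    return run(step, q, [NOP])[0]

def impl_states():                       # every (register file, pending write) pair
    writes = [None] + list(product(range(NREGS), range(MOD)))
    return product(product(range(MOD), repeat=NREGS), writes)

def flush_counterexample(step, L=2):
    """Burch-Dill: forall q, w: AF(Fi(q,w)) == Fs(AF(q),w). Returns a failing (q, w) or None."""
    for q in impl_states():
        for w in product(INSTRS, repeat=L):
            if abstraction_fn(run(step, q, w), step) != run(spec_step, abstraction_fn(q, step), w):
                return q, w
    return None

def self_consistency_counterexample(step, L=2):
    """Self-consistency: forall q, w: F(q, w.w_f) == F(q, S(w).w_f), S = a NOP after each instruction."""
    for q in impl_states():
        for w in product(INSTRS, repeat=L):
            if run(step, q, list(w) + [NOP]) != run(step, q, [i for ins in w for i in (ins, NOP)]):
                return q, w
    return None
```

Both checks pass for `impl_step` and both return a dependent `add` pair for `no_fwd_step`; note the self-consistency check needed no specification at all.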
Slide 37: Key Idea
• Implementation State reduces to Specification state after finite series of operations
• Abstract datapath to avoid dependence on bitwidth

Slide 38: Admin
• No class Wednesday
• Friday
  – Sequential Implementation
  – Present Proposed Plan of Attack

Slide 39: Big Ideas
• Proving Invariants
• Divide and Conquer
• Exploit structure