
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications (PowerPoint presentation)



  1. PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications. Yatin A. Manerkar, Daniel Lustig*, Margaret Martonosi, and Aarti Gupta. Princeton University; *NVIDIA. MICRO-51. http://check.cs.princeton.edu/

  2. Memory Consistency Models (MCMs) (slides 2–6 are builds of one slide)
  ▪ Specify rules governing values returned by loads in parallel programs
  ▪ MCM must be correctly implemented for all possible programs
  [Diagram: Compiler → ISA-Level MCM (x86-TSO, Power, ARMv8, etc) → Microarchitecture. The ISA-level MCM is a target for compilers… and a specification that microarchitecture must implement. In the last build the ISA-Level MCM box is replaced by "???".]

  7. The Infinite Forest (slides 7–11 are builds of one slide) [Images: HeeWann Kim, tzblacktd, audino]
  ▪ Forest goes on forever, from −∞ to +∞ (infinite number of possible programs)
  ▪ Can check known hideouts (verify design for test programs)
  ▪ Are Pokemon lurking in unexplored areas? (Do tested programs provide complete coverage?)
  ▪ Have we caught all the Pokemon? (Are there any MCM bugs left in the design?)

  12. PipeProof Overview
  ▪ First automated all-program microarchitectural MCM verification!
    • Covers all possible addresses, values, numbers of cores
  ▪ Proof methodology based on automatic abstraction refinement
  ▪ Early-stage: Can be conducted before RTL is written!
  [Diagram: Inputs (µarch and ISA MCM Specs + Auxiliary Inputs) → PipeProof → All-Program MCM Correctness Proof!]

  13. Outline
  ▪ Background
    • ISA-level MCM specs
    • Microarchitectural ordering specs
  ▪ Microarchitectural Correctness Proof
    • Transitive Chain (TC) Abstraction
  ▪ Overall PipeProof Operation
    • TC Abstraction Support Proof
    • Chain Invariants
  ▪ Results

  14. ISA-Level MCM Specifications
  ▪ Defined in terms of relational patterns [Alglave et al. TOPLAS 2014]
  ▪ ISA-level executions are graphs
    • Nodes: instructions, edges: ISA-level relations between instrs
  ▪ Correctness based on acyclicity, irreflexivity, etc of relational patterns
    • Eg: SC is acyclic(po ∪ co ∪ rf ∪ fr)
  [Figure: An ISA-level execution of mp. Message passing (mp) litmus test:
    (i1) [x] ← 1    (i3) r1 ← [y]
    (i2) [y] ← 1    (i4) r2 ← [x]
  Edges shown: po (i1→i2), po (i3→i4), rf, fr]


  19. Microarchitectural Ordering Specifications
  ▪ Set of axioms in µspec DSL [Lustig et al. ASPLOS 2016]
  ▪ Used to generate microarchitectural executions as µhb graphs
    • Nodes: instr. sub-events, edges: happens-before relations between instrs
  ▪ Observability based on cyclicity of graphs
    • Cyclic graph → Unobservable
    • Acyclic graph → Observable
  [Figure: A µhb graph of mp (message passing litmus test) on simpleSC. Rows: IF, EX, WB; columns: (i1), (i2), (i3), (i4); edges shown: po, po, rf, fr]


  24. Our Prior Work: Litmus Test-Based MCM Verification [Lustig et al. MICRO-47, …] (slides 24–25 are builds of one slide)
  [Diagram: Microarchitecture in µspec DSL + Litmus Test → Microarchitectural happens-before (µhb) graphs]
  Microarchitecture in µspec DSL:
    Axiom "Decode_is_FIFO":
      ... EdgeExists ((i1, Decode), (i2, Decode)) => AddEdge ((i1, Execute), (i2, Execute)). ...
    Axiom "PO_Fetch":
      ... SameCore i1 i2 /\ ProgramOrder i1 i2 => AddEdge ((i1, Fetch), (i2, Fetch)).
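The two checks the slides describe, ISA-level acyclicity of po ∪ co ∪ rf ∪ fr (slide 14) and cyclicity of a µhb graph built from µspec-style ordering axioms (slides 19 and 24), worked through on the mp litmus test. This is an added example written for this page, not code from the PipeProof paper or the Check tool suite. The pipeline rules (IF → EX → WB, a PO_Fetch-like fetch-order rule, FIFO stages, stores visible at WB, loads reading at EX), the edge endpoints of the mp execution, and the "reordered loads" variant are all assumptions chosen to mimic the slides, not the real simpleSC model:

```python
"""Added example (not from the PipeProof paper or the Check tools): ISA-level
SC acyclicity check and a µhb-graph observability check on the mp litmus test.
All pipeline ordering rules below are assumptions mimicking the µspec axioms
on the slides; they are not the actual simpleSC specification."""
from collections import defaultdict

# The mp litmus test as on the slides (constructed sample input):
#   core0: (i1) [x] <- 1 ; (i2) [y] <- 1
#   core1: (i3) r1 <- [y] ; (i4) r2 <- [x]
# Outcome under test: r1 = 1 (i3 reads i2's store), r2 = 0 (i4 reads the
# initial value of x, i.e. before i1's store reached memory).
INSTRS = {
    "i1": ("core0", "W", "x"),
    "i2": ("core0", "W", "y"),
    "i3": ("core1", "R", "y"),
    "i4": ("core1", "R", "x"),
}
STAGES = ["IF", "EX", "WB"]


def mp_isa_relations():
    """ISA-level relations for the mp outcome above (assumed edge endpoints)."""
    return {
        "po": [("i1", "i2"), ("i3", "i4")],  # program order within each core
        "rf": [("i2", "i3")],                 # i3 reads y = 1 from i2
        "fr": [("i4", "i1")],                 # i4 read x before i1's write
        "co": [],                             # one store per address: no co edges
    }


def has_cycle(nodes, edges):
    """Iterative three-colour DFS cycle detection on a directed edge list."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    WHITE, GREY, BLACK = 0, 1, 2
    color = {n: WHITE for n in set(nodes) | {v for e in edges for v in e}}
    for start in color:
        if color[start] != WHITE:
            continue
        color[start] = GREY
        stack = [(start, iter(adj[start]))]
        while stack:
            node, it = stack[-1]
            for nxt in it:
                if color[nxt] == GREY:      # back edge: a cycle exists
                    return True
                if color[nxt] == WHITE:
                    color[nxt] = GREY
                    stack.append((nxt, iter(adj[nxt])))
                    break
            else:                            # all successors done
                color[node] = BLACK
                stack.pop()
    return False


def sc_permits(relations):
    """SC (Alglave et al.): execution permitted iff acyclic(po U co U rf U fr)."""
    edges = [e for name in ("po", "co", "rf", "fr") for e in relations[name]]
    return not has_cycle(INSTRS.keys(), edges)


def uhb_edges(relations, loads_in_order=True):
    """Build µhb edges for an assumed in-order 3-stage pipeline (IF, EX, WB)."""
    edges = []
    for i in INSTRS:                        # each instr flows IF -> EX -> WB
        edges += [((i, "IF"), (i, "EX")), ((i, "EX"), (i, "WB"))]
    for a, b in relations["po"]:
        edges.append(((a, "IF"), (b, "IF")))  # PO_Fetch-like: fetch in program order
        both_loads = INSTRS[a][1] == "R" and INSTRS[b][1] == "R"
        # FIFO-stage-like rule; when loads_in_order is False the EX stage may
        # reorder two loads (a modelled bug), so that EX edge is omitted.
        if loads_in_order or not both_loads:
            edges.append(((a, "EX"), (b, "EX")))
        edges.append(((a, "WB"), (b, "WB")))
    for w, r in relations["rf"]:            # store visible at WB, load reads at EX
        edges.append(((w, "WB"), (r, "EX")))
    for r, w in relations["fr"]:            # load read the older value first
        edges.append(((r, "EX"), (w, "WB")))
    for w1, w2 in relations["co"]:
        edges.append(((w1, "WB"), (w2, "WB")))
    return edges


def outcome_observable(relations, loads_in_order=True):
    """Slide 19: acyclic µhb graph -> observable, cyclic -> unobservable."""
    nodes = [(i, s) for i in INSTRS for s in STAGES]
    return not has_cycle(nodes, uhb_edges(relations, loads_in_order))


def mcm_bug(loads_in_order=True):
    """An outcome the µarch can observe but the ISA-level MCM forbids is a bug."""
    rel = mp_isa_relations()
    return outcome_observable(rel, loads_in_order) and not sc_permits(rel)


if __name__ == "__main__":
    rel = mp_isa_relations()
    print("SC permits mp outcome:", sc_permits(rel))
    print("observable, in-order loads:", outcome_observable(rel, True))
    print("observable, reordered loads:", outcome_observable(rel, False))
    print("MCM bug with reordered loads:", mcm_bug(False))
```

With the FIFO EX rule in place the µhb graph contains the cycle i1.WB → i2.WB → i3.EX → i4.EX → i1.WB, so the SC-forbidden outcome is unobservable and the design is consistent with SC on this test. Dropping the EX ordering between the two loads breaks that cycle, the outcome becomes observable, and `mcm_bug(False)` reports the mismatch. This is exactly the per-litmus-test check that slides 24–25 describe, and the limitation slide 10 raises: it only covers the programs you actually test.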
