Π-Ware: Hardware Description with Dependent Types
Author: João Paulo Pizani Flor <j.p.pizani@uu.nl>
Supervisor: Wouter Swierstra <w.s.swierstra@uu.nl>
Department of Information and Computing Sciences, Utrecht University
Monday 18th May, 2015

Outline: Context (Definition, Motivation, Why Agda?); Π-Ware (Syntax, Semantics, Proofs); Present / Future (Current work, Future)

Context

One-sentence definition
A unified DSL (Π-Ware) embedded in Agda for modeling hardware circuits, synthesizing them and proving properties about their behaviour and structure.

Hardware is growing
More specifically, hardware acceleration.
Three reasons why:
▶ Miniaturization still has some generations to go [3]
▶ Microarch. optimization gives diminishing returns [1]
▶ Battery energy density vs. demand for computation
More applications benefit from hardware acceleration
▶ DSP, crypto, codecs, graphics, comm. protocols, etc.
Hardware design benefits more from rigour
▶ Early optimization, more error-prone
▶ Mass production, less updateable

Hardware design “status quo”
Myriad of languages for specific design tasks…
▶ Simulation: SystemC, VHDL/Verilog
▶ Synthesis: VHDL/Verilog (subsets), C/C++ (subsets)
▶ Verification: SAT solvers / Theorem provers
Problems:
▶ Manual translation
▶ Loss of invariants, manual checking
An analogous situation in software seems bizarre:
▶ To “simulate” (interpret) your program, you use Haskell
▶ For compilation to x86, use C (non-standardized)

Functional hardware DSLs
▶ Solve most of the problems with multiple descriptions
▶ “Popular” example: Lava (Chalmers)
  • Description, simulation, testing in Haskell
  • Verification through external SAT solver
▶ Drawbacks:
  • Non modular verification (fully-automated)
  • Only for specific circuits (not families)
  • Haskell types not expressive enough
    • addN :: Int -> ([Bit], [Bit]) -> [Bit]
    • Could use lots of extensions, but why compromise?

Dependent types for hardware
▶ Well-formedness
▶ Rule out design mistakes early
  • Floating wires (matching interfaces)
  • Short-circuits (Plug constructor)
  [Figure: circuits c₁ and c₂ connected through a plug p, written c₁ ⟫' p ⟫' c₂, with fₚ : oₛ → iₛ]
▶ More precise specification of circuit generators
  • Haskell: addN :: Int -> ([Bit], [Bit]) -> [Bit]
  • Agda: addN : (n : ℕ) → C (2 * n) (suc n)
▶ Mainly: proofs in the same language as the models
  • (Functional) correctness proofs
  • Provably-correct circuit transformations

Π-Ware

Circuit syntax
▶ Π-Ware is deep-embedded
  • Multiple semantics, algebraic manipulation
▶ Low-level, architectural representation
  • Analogous to a block diagram
  • Untyped, but sized

    data ℂ where
      Gate : ℂ (|in| ) (|out| )
      Plug : i ⤪ o → ℂ i o
      _⟫_  : ℂ i m → ℂ m o → ℂ i o
      _∥_  : ℂ i₁ o₁ → ℂ i₂ o₂ → ℂ (i₁ + i₂) (o₁ + o₂)

Circuit syntax
▶ Combinational / sequential
  • Single way of constructing a sequential circuit: DelayLoop

    DelayLoop : ℂ {σ} (i + l) (o + l) → ℂ {ω} i o

▶ The ℂ type is “tagged” to keep the two cases distinct
  • data ℂ : {p : IsComb} → Ix → Ix → Set

    data IsComb : Set where
      σ ω : IsComb

  • The distinction is mainly important for simulation
  • Easier definitions of generators
  • Obs: ω has to do with Σ^ω

Fundamental gates
▶ Circuits are built by combining smaller circuits
  • Ultimately, from a library of fundamental Gates
  • Each gate specified by a function over (binary) words

    andSpec : Vec Bool 2 → Vec Bool 1
    andSpec (x ∷ y ∷ ε) = [ x ∧ y ]

▶ A “traditional” instance of Gates is BoolTrio
  • Set of gates: {⊥, ⊤, ¬, ∧, ∨}
  • With the usual specification (stdlib)
▶ Other “interesting” instances:
  • Modular arithmetic
  • Cryptographic primitives
  • Primitives for scans (case study)

Fundamental gates
▶ To define a gate library, we need to define:
  • How many gates are there
  • Each gate’s interface
  • Each gate’s specification

    |in| |out| : Gate# → ℕ
    spec : ( : Gate#) → (W (|in| ) → W (|out| ))

▶ Dependent types help us again
  • The Gate# type ranges in [0..n − 1]
  • spec works over words of the right size

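The circuit syntax and gate-library slides above, combined into a small Agda sketch. This is an added example, not code from the Π-Ware project: it assumes agda-stdlib 1.0 or later, fixes the wires to Bool, omits the IsComb tag and DelayLoop, models Plug as a plain function Fin o → Fin i, and uses a hypothetical two-gate library (and#, not#) in place of BoolTrio.

```agda
open import Data.Nat using (ℕ; _+_)
open import Data.Fin using (Fin)
open import Data.Bool using (Bool; _∧_; not)
open import Data.Vec using (Vec; []; _∷_; _++_; take; drop; lookup; tabulate)
open import Relation.Binary.PropositionalEquality using (_≡_; refl)

-- Hypothetical gate library with two gates (assumption, not BoolTrio).
data Gate# : Set where
  and# not# : Gate#

-- Each gate's interface: number of input and output wires.
|in| : Gate# → ℕ
|in| and# = 2
|in| not# = 1

|out| : Gate# → ℕ
|out| _ = 1

-- Each gate's specification, over words of exactly the right size.
spec : (g : Gate#) → Vec Bool (|in| g) → Vec Bool (|out| g)
spec and# (x ∷ y ∷ []) = (x ∧ y) ∷ []
spec not# (x ∷ [])     = not x ∷ []

-- Deep embedding: circuits are data, indexed by input and output size.
data ℂ : ℕ → ℕ → Set where
  Gate : (g : Gate#) → ℂ (|in| g) (|out| g)
  Plug : ∀ {i o} → (Fin o → Fin i) → ℂ i o   -- every output has one source
  _⟫_  : ∀ {i m o} → ℂ i m → ℂ m o → ℂ i o
  _∥_  : ∀ {i₁ o₁ i₂ o₂} → ℂ i₁ o₁ → ℂ i₂ o₂ → ℂ (i₁ + i₂) (o₁ + o₂)

-- One of several possible semantics: combinational simulation.
⟦_⟧ : ∀ {i o} → ℂ i o → Vec Bool i → Vec Bool o
⟦ Gate g ⟧ v = spec g v
⟦ Plug f ⟧ v = tabulate (λ k → lookup v (f k))
⟦ c ⟫ d ⟧ v  = ⟦ d ⟧ (⟦ c ⟧ v)
⟦ _∥_ {i₁} c d ⟧ v = ⟦ c ⟧ (take i₁ v) ++ ⟦ d ⟧ (drop i₁ v)

nand : ℂ 2 1
nand = Gate and# ⟫ Gate not#

-- Correctness proof in the same language as the model.
nand-spec : ∀ x y → ⟦ nand ⟧ (x ∷ y ∷ []) ≡ not (x ∧ y) ∷ []
nand-spec x y = refl

-- Rejected by the type checker (floating wire, 1 output into 2 inputs):
-- bad : ℂ 1 1
-- bad = Gate not# ⟫ Gate and#
```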
Atomic types
▶ The whole Circuit module is parameterized by a record
  • Defining what is carried over the “wires”
  • W = Vec Atom
▶ This Atomic class is similar to Haskell’s Enum
  • An atomic type needs to be finite
  • There’s a bijection between the type and [0..n − 1]
  • enum : Fin |Atom| ↔ Atom
  • In Agda, the bijection is proven
▶ Dependent types move runtime errors to type checking:
  • Haskell: succ maxBound → runtime error
  • Agda: “succ maxBound” → doesn’t typecheck!

Atomic types (Bool)
▶ Some possible instances…
  • Bool
  • Multi-valued logics (VHDL’s std_logic)
  • States of a state machine
▶ Simplest “useful”: Bool
  • We use the mapping 0 ↔ False; 1 ↔ True
  • Order and choice of indices don’t matter
▶ Later how this parameterization influences synthesis