Kami: A Framework for (RISC-V) HW Verification

Murali Vijayaraghavan, Joonwon Choi, Adam Chlipala, (Ben Sherman), Andy Wright, Sizhuo Zhang, Thomas Bourgeat, Arvind
The Riscy Expedition by MIT

• Riscy Library of Modules
• Riscy Designs
• Circuits (FPGAs, ASICs)
• Formal Full-System Verification
Chips with Proofs: Modular Verification of a Full-System

[Figure: an In-order Core composed with a Coherent Cache Hierarchy (MSI protocol); an In-order Core composed with a Coherent Cache Hierarchy (MOSI protocol); … In-order Core, OOO Core, OOO Core, OOO Core]

(A + B) ✓
(A' optimizes A) ✓
(A' + B) ✓

• Must be able to verify that an optimization is correct independent of contexts
• Must be able to verify in the presence of parameters instead of just in concrete settings
Semantics for Modular Verification

[Figure: Module State, with Transitions driven by Inputs and producing Outputs]

A optimizes B ⟺ IO sequences of A ⊆ IO sequences of B
Kami Verification Framework

• DSL in the Coq Proof Assistant for verifying Bluespec-style H/W
  – Embodies the modular verification semantics
  – Descriptions in Kami can be transliterated from and to Bluespec
  – IO ports are Bluespec methods, state transitions are Bluespec rules
• Supports arbitrary parametrization
  – For example, you can parameterize a cache hierarchy on arbitrarily shaped trees
  – Verification theorems can be of the form "∀n. Multicore with n processors implements SC"
• Enables semi-automatic verification
  – All invariants must be supplied manually
  – Proving invariants is mostly automatic
Work in Progress

• Finished building the required theory and proof automation infrastructure
• Example we are working on:

[Figure: Multicycle core … Multicycle core, connected to a Coherent Cache Hierarchy (parameterized # of levels), optimizes Sequential Consistency]

• Decode/execute functions are parameterized
• No virtual memory, no FP
• I$ is read-only
• Directory MSI protocol
• Detailed transient states, non-blocking MSHR, etc.
Conclusions

• Kami: general-purpose HW formal verification framework used for the Riscy expedition
  – Chips with Proofs: the plan is to verify a multiprocessor system with OOO cores connected to coherent cache hierarchies
Thank you!

We need a formal multicore/memory model specification first.

http://plv.csail.mit.edu/kami
Backup
Example of a Cache rule in Kami

    Rule "missByState" :=
      Read valid <- "procRqValid";            (* no processor request is pending yet *)
      Assert !#valid;
      Call rq <- rqFromProcFirst();           (* take the next request from the processor *)
      LET idx <- getIdx #rq@."addr";
      Call tag <- readTag(#idx);
      Call cs <- readCs(#idx);
      Assert (#tag == getTag #rq@."addr" && #cs == $ Sh && #rq@."op");
                                              (* tag hit in Shared state, but the op needs M *)
      Write "procRqValid" <- $$ true;
      Write "procRqReplace" <- $$ false;
      Write "procRqWait" <- $$ false;
      Write "procRq" <- #rq;
      Retv

Coq's "notation" mechanism allows using intuitive symbols without writing a parser.
Verifying a RISC-V Multiprocessor System

• How do we verify that a fully optimized multiprocessor system containing OOO superscalar cores and a hierarchy of coherent caches implements the (multicore) RISC-V specification?

[Figure: Memory subsystem with L1, L2 and L3 caches over Main memory; Processor 1 … Pn, each with Fetch, Branch Pred, ROB, PC and RegFile State; Local Buffer 1 … LBn]
Challenges in Verification

• Formal specification of multicore RISC-V has to be given first!
  – Includes memory model issues
• Verification should be done on the actual H/W as opposed to a (potentially simplified) model of the H/W
• Verification should be modular
  – Refining the processor from, say, an atomic I2E processor to an OOO superscalar processor should not require re-verification of the cache-coherence protocol
• Verification should support arbitrary parameterization
  – Verifying concrete instances, say, with 2 cores does not mean a 4-core or 8-core system is correct
1000-feet view of Modular Verification Methodology

• Modules are essentially (finite) state transition systems with inputs and outputs
  – In Bluespec, inputs and outputs are via method calls
• A refines B if any trace (sequence of I/Os) generated by A during a sequence of state transitions can be generated by B
• Modules compose if they generate identical traces for the communicating ports
  – The communicating port is hidden after composition
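As an added illustration (not part of the slides or of the Kami code base), the refinement semantics stated above, modelled in Python rather than Coq: a module is a finite state-transition system whose steps carry an I/O label or are hidden, and "A refines B" is inclusion of I/O traces. The atomic memory-cell specification, the store-buffer implementation and its faulty variant, and the bounded trace check are all constructed for this example.

```python
from collections import deque

# A module is a finite state-transition system; each step carries an I/O label
# (port, argument, result) seen on a port, or None for a hidden internal step.
class Module:
    def __init__(self, init, step):
        self.init, self.step = init, step   # step: state -> iterable of (label, next)

    def traces(self, max_len):
        """All I/O sequences of length <= max_len; internal steps add no label."""
        out, seen, work = set(), set(), deque([(self.init, ())])
        while work:
            s, tr = work.popleft()
            if (s, tr) in seen:
                continue
            seen.add((s, tr))
            out.add(tr)
            for lab, nxt in self.step(s):
                ntr = tr if lab is None else tr + (lab,)
                if len(ntr) <= max_len:
                    work.append((nxt, ntr))
        return out

def refines(a, b, max_len):
    """A refines B (A correctly optimizes B) iff traces(A) is a subset of traces(B)."""
    return a.traces(max_len) <= b.traces(max_len)   # bounded check, up to max_len

VALUES = (0, 1)
def spec_step(v):       # B: atomic memory cell, state = stored value
    for w in VALUES:
        yield (("write", w, "ok"), w)
    yield (("read", None, v), v)

def buffered(forward):  # A: cell with a one-entry store buffer, state = (mem, pending)
    def step(s):
        mem, pend = s
        if pend is None:
            for w in VALUES:
                yield (("write", w, "ok"), (mem, w))
        else:
            yield (None, (pend, None))        # buffer drains: hidden step
        seen_by_read = pend if forward and pend is not None else mem
        yield (("read", None, seen_by_read), s)   # faulty variant ignores the buffer
    return step
SPEC = Module(0, spec_step)
IMPL = Module((0, None), buffered(forward=True))    # forwards pending write to reads
STALE = Module((0, None), buffered(forward=False))  # can return a stale value

def check():  # (IMPL refines SPEC, STALE refines SPEC); expected (True, False)
    return refines(IMPL, SPEC, 4), refines(STALE, SPEC, 4)
```

The trace (write 1, read 0) is generated by STALE but by no sequence of transitions of SPEC, which is exactly the witness that the faulty buffer is not a valid optimization of the atomic cell.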
Caveats/TODOs with the Kami Framework

• The Coq Proof Assistant requires supplying manual proofs that will be machine-checked
  – We are developing several tools to automate the task of proving non-complex invariants/theorems
  – But at the very least, the full set of invariants has to be supplied manually
• Specification must be rigorous
  – No room for "evolving" specifications
  – But components can be specified abstractly without giving implementations (for example, the decoder/ALU can be specified as uninterpreted functions without giving a concrete instance)
Thank You