Microarchitecture Verification
by
Compositional Model Checking
Ken McMillan
Ranjit Jhala
Cadence Berkeley Labs / UC Berkeley
Introduction
• Compositional Model Checking:
– Decomposing large proofs to a set of automatically provable lemmas
• Previous Work:
– Unbounded or infinite state systems: Flash, SGI, Bakery,…
– Tomasulo’s Algorithm, with just 3 lemmas
• No need for manually constructed inductive invariant
• Q: Can the method scale to large and complex systems?
– Does the effort grow in reasonable proportion to the complexity?
• Verification of a complete processor microarchitecture
– Incremental cost of each architectural feature is small
– Very concise proofs
Microarchitectural Verification by Compositional Model Checking
2
Plan
• Compositional Model Checking :
– How to reduce the verification of unbounded systems
to a finite state problem
• Microarchitecture Modeled
• Important aspects of the proof
• Proof Decomposition : An example
• Comparison with other techniques
Proof Decomposition
[Figure: a proof goal (undecidable/intractable) is split into sub-goals, which are split further until every sub-goal is decidable/tractable]
• reduction to decidable/tractable problems
• do it in as few (and as simple) steps as possible
Functional Decompositions
• Possible decompositions of problem
– Structural (by syntax)
– Temporal (by time steps)
– Functional (by “units of work”)
• Functional yields simple intermediate assertions
– interaction between “units of work” is simpler than between system
components
• Reduction to finite state
– each “unit of work” uses finite resources
– identify resources used for a given case
– abstract away everything else
Reduction to Finite State
[Figure: property → decomposition → parameterization → abstraction → model checking]
• “circular” temporal proof: divide into “units of work”
• temporal “case splitting”: identify resources used
• abstract interpretation: reduce to finite state
• model checking
“Circular” Temporal Proofs
• Let p ▹ q stand for
“if p up to time t-1, then q at t”
• Equivalent in LTL to:
¬(p U ¬q) : it is not the case that q is the first to be false
• Now we can reason as follows:
q ▹ p
p ▹ q
⊢ Gp ∧ Gq
That is, if neither p nor q is the first to be
false, then both are always true.
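The circular rule above, and its case-split form from the later slides (∀i: f ▹ ((w=i) → f) ⊢ Gf), checked exhaustively on finite boolean traces. This is an added example, not code from the slides or from Cadence SMV; trace lengths and the writer set are assumptions.

```python
"""Added example (not from the slides): p ▹ q on finite traces, and exhaustive
checks of the two inference rules.  Trace lengths/writer ids are assumptions."""
from itertools import product


def triangle(p, q):
    """p ▹ q on a finite trace: at every time t, if p held at all times < t
    then q holds at t.  Equivalently, q is never the first to be false."""
    return all(q[t] for t in range(len(p)) if all(p[:t]))


def always(p):
    """G p on a finite trace."""
    return all(p)


def circular_rule_holds(length):
    """Check  q ▹ p, p ▹ q  |-  Gp and Gq  for every pair of boolean traces.
    Returns (pairs where both premises hold, pairs where the conclusion fails)."""
    checked = failures = 0
    for p in product([False, True], repeat=length):
        for q in product([False, True], repeat=length):
            if triangle(q, p) and triangle(p, q):
                checked += 1
                failures += not (always(p) and always(q))
    return checked, failures


def case_split_rule_holds(length, writers):
    """Check  forall i: f ▹ ((w=i) -> f)  |-  Gf  for every trace w of
    'most recent writer' ids over `writers` and every boolean trace f.
    Returns (traces where all case premises hold, conclusion failures)."""
    checked = failures = 0
    for w in product(writers, repeat=length):
        for f in product([False, True], repeat=length):
            # premise for case i: at each t, (w[t] = i) -> f[t]
            cases = [[w[t] != i or f[t] for t in range(length)] for i in writers]
            if all(triangle(f, c) for c in cases):
                checked += 1
                failures += not always(f)
    return checked, failures
```

Both checks report zero failures: the only traces satisfying both circular premises are the all-true ones, which is exactly what the rule claims.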
Using a Reference Model
[Figure: a reference model (e.g., the programmer’s model) above implementation units A and B; refinement relations p and q (temporal properties) relate each unit to the reference model]
“circular” proof:
q ▹ p
p ▹ q
⊢ Gp ∧ Gq
A and B each perform a “unit of work”
Temporal Case Splitting
[Figure: processes p1, p2, p3, p4, p5, ... all write the variable v1]
Idea: parameterize on the most recent writer w at time t.
f: I’m O.K. at time t.
∀i: G((w=i) → f)
⊢ Gf
Combine With Circular Reasoning
[Figure: processes p1, p2, p3, p4, p5, ... all write the variable v1]
f: I’m O.K. at time t.
To prove case w=i at time t, assume the general case up to t-1:
∀i: f ▹ ((w=i) → f)
⊢ Gf
Abstract Interpretation
• Problem: variables range over unbounded set U
• Solution: reduce U to finite set Û by a parameterized
abstraction, e.g.
Û = {{i}, U\i}
where U\i represents all the values in U except i
• Need a sound abstract interpretation, such that:
if f is valid in the abstraction, then, for all parameter valuations, f is
valid in the original
Data Type Abstractions in SMV
• Examples (⊥ represents “no information”):
– Equality (abstract value of x = y)
      =     | {i} | U\i
      {i}   |  1  |  0
      U\i   |  0  |  ⊥
– Function symbol application (abstract value of f(x))
      x     | f(x)
      {i}   | f(i)
      U\i   |  ⊥
Unbounded array reduced to one fixed element!
Note: truth value under abstraction may be ⊥...
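The parameterized abstraction Û = {{i}, U\i} with the three-valued equality and function tables above, plus an exhaustive soundness check against a small concrete universe for every parameter valuation i. This is an added example, not code from the slides or from SMV; the universe size and the function f are assumptions.

```python
"""Added example (not from the slides): the abstraction Û = {{i}, U\\i},
its 3-valued equality/function tables, and a soundness check.  The concrete
universe and f used in the check are assumptions."""
from itertools import product

I, OTHER, BOT = "{i}", "U\\i", "bot"   # abstract values; BOT is the ⊥ of the slides


def alpha(x, i):
    """Abstract a concrete value relative to the parameter i."""
    return I if x == i else OTHER


def gamma(a, universe, i):
    """Concretize: the set of concrete values an abstract value stands for."""
    return {i} if a == I else {x for x in universe if x != i}


def abs_eq(a, b):
    """Equality table: {i}={i} is 1, {i}=U\\i is 0, U\\i=U\\i is ⊥ (two
    'other' values may or may not be equal, so nothing is known)."""
    if BOT in (a, b):
        return BOT
    if a == I and b == I:
        return 1
    return 0 if a != b else BOT


def abs_apply(f, a, i):
    """Function table: f is known only at the fixed element i; for U\\i the
    result is ⊥.  The slide writes the result f(i); here it is re-abstracted."""
    return alpha(f(i), i) if a == I else BOT


def sound_for_universe(universe, f):
    """Sound iff, for every parameter i, every non-⊥ abstract result agrees
    with the concrete result for all concrete values the inputs stand for."""
    for i in universe:
        for a, b in product([I, OTHER], repeat=2):
            r = abs_eq(a, b)
            for x, y in product(gamma(a, universe, i), gamma(b, universe, i)):
                if r != BOT and r != int(x == y):
                    return False
        for a in (I, OTHER):
            r = abs_apply(f, a, i)
            if r != BOT and any(r != alpha(f(x), i) for x in gamma(a, universe, i)):
                return False
    return True
```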
Applying Abstraction
[Figure: only process pi and the variable v1 are kept; all other elements are abstracted]
f: I’m O.K. at time t.
Must verify by model checking:
f ▹ ((w=i) → f)
i.e., if pi is the most recent to modify v1, then v1 is correct.
Review
• By a sequence of three steps:
1. “circular” temporal reasoning
(restricts to one “unit of work”)
2. case splitting (adding parameters)
(identifies resources used in that unit of work)
3. abstract interpretation
(abstracts away everything else)
...we reduce the verification of an unbounded system of
processes to a finite state problem.
Instruction Set Architecture (ISA)
The ISA we consider supports the following instructions:
• LOAD regsrc regdst
– regdst := Mem[regsrc]
• STORE regsrc regdst
– Mem[regdst] := regsrc
• ALU regsrca regsrcb regdst
– regdst := F(regsrca, regsrcb)
• BRANCH regsrca regsrcb offset
– Branch to target (function of pc, offset) if F(regsrca, regsrcb) is true
• JUMP regsrc
– Transfer control to regsrc
• OUT regsrc
– Send the data in regsrc to the Output Port
LOAD, STORE, ALU may raise exceptions
Salient Features
• Out of Order Execution
– Tomasulo’s Algorithm
– Reorder Buffer
• Speculative Execution
– modelled by a non-deterministic Branch Predictor
• Precise Exceptions
• Optimised Load/Store Buffer
– Reordering of Operations
– Load Forwarding
• Unbounded
– Memory, Register File, Reorder Buffer, LSB, Execution Units
The Processor Model
[Figure: block diagram of the processor. Program memory (PM) and the PC feed the decoder; decoded instructions enter the Reorder Buffer; register file entries hold VAL/TAG pairs; operand buffers (OP, DST, opra, oprb) feed the execution units (EU), whose results go onto the retired results bus with data forwarding; a branch predictor receives branch results; the LD/ST buffer sits between the execution units and Data Memory]
How it works: An instruction’s path
[Figure: the same processor block diagram, with one instruction’s path highlighted from fetch through decode, the Reorder Buffer, operand buffers, an execution unit and the LD/ST buffer, to the retired results bus]
• Unit of work = instruction
What are we Proving?
[Figure: the ISA model above the implementation, related by refinement maps and by the stall/shadow mechanism]
Proof Strategy
• Show the Implementation refines the ISA model by
writing and verifying refinement maps
– Whenever there is an OUT instruction, the output of the IMPL
must be the same as that of the ISA
• For every instruction, the correct operands/results are taken
from the ISA model and stored in auxiliary variables
– Used to write refinement maps specifying the values during
different stages in the instruction’s lifetime
– Shadowed instructions: Don’t care, as they do not change state
• Secondary lemmas
– Strengthen the abstraction: Non-interference etc.
– Cut down the model size
Key Elements of the proof
• Writing the refinement maps
• Handling Speculation
– Shadow bit marks every instr. that “should not” have been executed
– For such instructions, refinement maps don’t have to specify values
• Handling data dependencies in Out-of-Order Execution
– Tomasulo’s Algorithm: Implicitly data-flow
– Load/Store Buffer
Proof : A Bird’s Eye View
[Figure: the processor block diagram annotated with refinement maps at each stage (register file VAL/TAG entries, operand buffers, execution units, LD/ST buffer, retired results bus); shadowed instructions are marked “Don’t Care”]
Handling Speculation: Synchronizing
[Figure: ISA instruction stream, where each instruction does Fetch/Dec/Exc/WB in 1 cycle, aligned with the IMPL instruction stream, which does Fetch/Dec at the same time as the ISA]
Handling Speculation: Shadow Bit
[Figure: the ISA stalls and enters the shadow state when the IMPL guesses wrong; subsequent IMPL instructions are marked shadowed until the bad instruction reaches writeback and the IMPL flushes]
• ISA stalls if IMPL guesses wrong,
• Enters “Shadow” State
• Subsequent IMPL instructions are “Shadowed”
• “Shadowed” status propagated
• Bad Instruction reaches WriteBack:
• IMPL flushes unfinished instructions
• ISA exits “Shadow” state, continues
• Subsequent IMPL instructions are clean
Handling Data Dependencies
[Figure: a read in IMPL time and its corresponding read in ISA time; the corresponding ISA instruction that should be the last writer versus the corresponding IMPL instruction that is the actual last writer]
• All other instructions abstracted away
• Model Checking fails! Abstraction too coarse …
• A different (abstracted) instruction is the actual last writer in the counter-example!
• Put both instructions in the abstraction
• Or show separately that they are the same
Handling Data Dependencies
[Figure: the same ISA-time / IMPL-time diagram of the “should be” last writer and the actual last writer]
• The “time” step of an instr. is the time it was issued
• For unshadowed instructions:
• ISA and IMPL issue “corresponding” instructions synchronously
• Easy to track correspondences
“Unit of Work” Decomposition
[Figure: three mutually dependent lemmas: Unlocked Registers Have Correct Data; Instructions Receive Correct Operands; Instructions Produce Correct Results]
Unlocked Registers have Correct Data 1
• Split Cases on:
1. Register
2. The last instruction that should have written to that register (ISA)
– But what if some bogus (abstracted) instruction wrote to it?
3. The last instruction that actually wrote to that register (IMPL)
[Figure: timeline up to time t showing the “should” writer and the “actual” writer]
• Both are stored as auxiliary variables
• Model Checking should show the two are the same …
• … and also, as that instruction produced the correct result
(from the refinement map), that the register has Correct Data
Unlocked Registers have Correct Data 2
…But Speculation Causes Problems:
• The instruction with the bad guess is abstracted away, thus
there is no flushing …
• …A shadowed instruction writes to the register!
[Figure: “Fails To Flush!”]
• An intermediate (abstracted) instruction wrongly flushes the
valid unshadowed instruction …
• … The register has stale data!
[Figure: “Wrongly Flushes!”]
Can solve by splitting cases on the flushing instr but …
3 instructions ⇒ State Explosion!
Unlocked Registers have Correct Data 3
Lemmas to deal with speculation:
Problem: Shadowed Inst. Writes Back (“Fails To Flush!”)
Lemma: Every instruction writing back is not shadowed
Split Cases on:
1) Instruction causing shadow
2) Instruction writing back
Problem: Unshadowed Inst. Flushed! (“Wrongly Flushes!”)
Lemma: When there is a flush, there is no Unshadowed inst. in buffer
Split Cases on:
1) Instruction causing the flush
2) Unshadowed instruction
Load Store Buffer
• Need to prove: Every LOAD returns the correct value
• Split Cases on:
1. Address
2. Last STORE instruction that should have written to that address (ISA)
3. Last STORE instruction that actually wrote to that address (IMPL)
[Figure: timeline with the “should” STORE, the actual STORE and the LOAD]
• Aux. Variables, Model Checking should show they are the same
• Data forwarding and Reordering for free!
Load Store Buffer
[Figure: timeline with the “should” STORE, the actual STORE and the LOAD]
• Problem:
– Need to model resources of 3 instructions
– Case and State Explosion!
• Avoid modelling all resources by writing a refinement map for the LSB
– Use ISA, aux vars to specify the contents of valid entries in the buffer
– Abstract away everything except the LSB and the Memory
• Break into 2 simpler lemmas
– Each requires splitting cases on 2 instructions
Comparison With Other Techniques
• Sawada & Hunt, Velev & Bryant, Hosabettu et al.
[Figure: commutativity diagram. ISA0 —ISA Step→ ISA1; IMP0 (Init IMPL State) —IMPL Step→ IMP1 (Next IMPL State); Abstract maps IMP0 to ISA0 and IMP1 to ISA1]
• Variants of Burch-Dill “Flushing” Technique
– Abstraction function not strong enough to be invariant
– Manually constructed invariants needed
– Reason about entire machine state, intractable
– Decomposing the “flushing” function: advantage of BD lost!
Comparison With Other Techniques
• Velev & Bryant
– Efficiently checking commutativity condition
– No Out-of-Order or LSB: Flushing functions too complex?
• Sawada & Hunt
– Track status of instructions using a MAETT, similar to our aux. vars
– Need a huge inductive invariant
• Hosabettu et al.
– Completion functions
Proof Sizes:
• Sawada & Hunt: ACL2, Spec: 60 Kb, Proof: 1909 Kb, Lemmas: 4000
• Hosabettu et al.: PVS, Spec: 70 Kb, Proof: 2300 Kb
• CMC: SMV, Spec: 20 Kb, Proof: 18 Kb, Lemmas: 18
Conclusions
• How to use CMC to verify microarchitectures with several
modern features
• Proof strategies to handle speculation, rd/wr reordering
• Succinctness of proof:
– No need for invariants
– Functional Decomposition into “units of work”
• Proof methodology scales well:
– Would be easy to add features like caches, multiple issue, etc.
• CMC to verify a “real” microarchitecture
• Show how a model written at a high level can be refined to
an RTL implementation
• Use Cadence SMV !