Kami:AFrameworkfor(RISC-V)HWVerification

Murali VijayaraghavanJoonwon Choi,AdamChlipala, (BenSherman),AndyWright,Sizhuo Zhang,ThomasBourgeat,

Arvind

1

TheRiscy ExpeditionbyMIT

Riscy LibraryofModules

Riscy Designs

Circuits(FPGAs,ASICs)

FormalFull-SystemVerification

2

ChipswithProofs

ModularVerificationofaFull-System

In-orderCore

CoherentCacheHierarchy(MSIprotocol)

In-orderCore

CoherentCacheHierarchy(MOSI protocol)

… … In-orderCoreOOOCore OOOCore OOOCore

(A’optimizesA)✓ Mustbeabletoverifythatoptimizationiscorrectindependentofcontexts

Mustbeabletoverifyinpresenceofparametersinsteadofjustinconcretesettings

3

(A+B)✓

(A’+B)✓

SemanticsforModularVerification

ModuleState

Transition

Transition

Inputs

Outputs

AoptimizesB⟺IOsequencesofA⊆IOsequencesofB

4

KamiVerificationFramework• DSLintheCoqProofAssistantforverifyingBluespec-styleH/W

– Embodiesthemodularverificationsemantics– DescriptionsinKamicanbetransliteratedfrom-and-toBluespec– IOPortsareBluespecmethods,statetransitionsareBluespec rules

• Supportsarbitraryparametrization– Fore.g,youcanparameterizeacachehierarchyonarbitrarilyshapedtrees– Verfication theoremscanbeoftheform

“∀n. Multicorewithn processorsimplementsSC”

• Enablessemi-automaticverification– Allinvariantsmustbesuppliedmanually– Provinginvariantsismostlyautomatic

5

WorkinProgress• Finishedbuildingrequiredtheoryandproofautomationinfrastructure

• Exampleweareworkingon:

6

Multicyclecore

Multicyclecore…

CoherentCacheHierarchy(Parameterized#of levels)

optimizesSequentialConsistency

• Decode/executefunctions areparameterized• Novirtualmemory,noFP• I$isread-only

• DirectoryMSIprotocol• Detailedtransientstatedetails,non-

blockingMSHR,etc

Conclusions

• Kami:general-purposeHWformalverificationframeworkusedforRiscy expedition– ChipswithProofs:PlanistoverifyamultiprocessorsystemwithOOOcoresconnectedtocoherentcachehierarchies

7

Thankyou!

Weneedaformalmulticore/memorymodelspecificationfirst

http://plv.csail.mit.edu/kami

Backup

8

ExampleofaCacheruleinKamiRule “missByState” :=

Read valid <- "procRqValid"; Assert !#valid;Call rq <- rqFromProcFirst();LET idx <- getIdx #rq@.”addr”;Call tag <- readTag(#idx);Call cs <- readCs(#idx);Assert (#tag == getTag #rq@."addr" &&

#cs == $ Sh && #rq@.”op”);Write "procRqValid" <- $$ true;Write "procRqReplace" <- $$ false;Write "procRqWait" <- $$ false;Write "procRq" <- #rq;Retv

Coq’s “notation”mechanismallowsusingintuitivesymbolswithoutwritingaparser 9

VerifyingaRISC-VMultiprocessorSystem

• HowdoweverifythatafullyoptimizedmultiprocessorsystemcontainingOOOsuperscalarcoresandahierarchyofcoherentcachesimplementsthe(multicore)RISC-Vspecification?

L1 L1 L1L2L2

…

L3 L3

Mainmemory

ROBPC

RegFileState

Fetch BranchPred

Memorysubsystem

Processor1 P2 Pn

LocalBuffer1 LB2 LBn

…

10

ChallengesinVerification• FormalSpecificationofmulticoreRISC-Vhastobegivenfirst!– Includesmemorymodelissues

• VerificationshouldbedoneontheactualH/Wasopposedtoa(potentiallysimplified)modeloftheH/W

• Verificationshouldbemodular– Refiningtheprocessorfrom,say,anatomicI2EprocessortoanOOOsuperscalarprocessorshouldnotrequirere-verificationofcache-coherenceprotocol

• Verificationshouldsupportarbitraryparameterization– Verifyingconcreteinstances,say,with2-coresdoesnotmeana4-coreor8-coresystemiscorrect

11

1000-feetviewofModularVerificationMethodology

• Modulesareessentially(finite)state transitionsystemswithinputsandoutputs– InBluespec,inputsandoutputsareviamethodcalls

• A refinesB ifanytrace(sequencesofI/Os)generatedbyA duringasequenceofstatetransitionscanbegeneratedbyB

• Modulescomposeiftheygenerateidenticaltracesforthecommunicatingports– Thecommunicatingportishiddenaftercomposition

12

Caveats/TODOswithKamiFramework

• TheCoqProofAssistantrequiressupplyingmanualproofsthatwillbemachine-checked– Wearedevelopingseveraltoolstoautomatethetaskofprovingnon-complexinvariants/theorems

– Butattheveryleast,thefullsetofinvariantshavetobesuppliedmanually

• Specificationmustberigorous– Noroomfor“evolving”specifications– Butcomponentscanbespecifiedabstractlywithoutgivingimplementations(forexample,decoder/ALUcanbespecifiedasuninterpreted functionswithoutgivingaconcreteinstance)

13

ThankYou

14