Serdar Tasiran

Using a Formal Specification and a Model Checker

to Monitor and Guide Simulation

Verifying the Multiprocessing Hardware of the Alpha 21364 Microprocessor

Serdar TasiranKoç University, Istanbul, Turkey

(formerly Compaq/HP Systems Research Center)

Yuan Yu (Microsoft Research, formerly Compaq)Brannon Batson (Intel, formerly Compaq)

But first But first

Formal MethodsFormal Methods (i.e. mathematical, algorithmic)(i.e. mathematical, algorithmic)

for for Software and Hardware Software and Hardware

DesignsDesigns

oror“Why should you care?”“Why should you care?”

French Guyana, June 4, 1996$800 million software failure

Mars, July 4, 1997Lost contact due to real-time priority inversion bug

Faulty division algorithm (Intel Pentium)$475 million replacement cost

Faulty floppy disk controller (Toshiba)$2.1 billion court settlement

$4 billion development effort> 50% system integration & validation cost

400 horses100 microprocessors

Feb. 17, 2003 Comp 302, Spring 2003

Cost of Finding Flaws Late

SCIENCE

Natural Systems

ENGINEERING

Artificial Systems

PURE

Abstract Systems

APPLIED

Concrete Systems

THEORY

EXPERIMENT DESIGN

ANALYSIS

Veri/Falsifica

tion

DESIGN VERI/FALSIFICATION

INFORMAL (ad hoc)

• by simulation

• by test

FORMAL (systematic)

• by proof

• by algorithm

Poor coverage High recovery cost

Koç University – ECE Graduate Program

Typical Abstraction Layers for a Hardware Design

System (Behavioral) Level

Register Transfer Level (RTL)

Gate Level

Transistor Level

Layout Level


Design Process

• Design : specify and enter the design intent

Implement: refine the

design

through all

phases

Verify:

verify the

correctness of

design and

implementation



• Abstract algorithmic description of high-level behavior– e.g. C-Programming language

– abstract because it does not contain any implementation details for timing or data

– efficient to get a compact execution model as first design draft– difficult to maintain throughout project because no link to

implementation

Port*compute_optimal_route_for_packet(Packet_t *packet,

Channel_t *channel){

static Queue_t *packet_queue;

packet_queue = add_packet(packet_queue, packet);...

}


RTL Level

• Cycle accurate model “close” to the hardware implementation– bit-vector data types and operations as abstraction from bit-level

implementation

– sequential constructs (e.g. if - then - else, while loops) to support modeling of complex control flow

module mark1;reg [31:0] m[0:8192];reg [12:0] pc;reg [31:0] acc;reg[15:0] ir;

alwaysbeginir = m[pc];if(ir[15:13] == 3b’000)

pc = m[ir[12:0]];else if (ir[15:13] == 3’b010)

acc = -m[ir[12:0]];...

endendmodule


Gate Level

• Model on finite-state machine level– models function in Boolean logic using registers and gates

– various delay models for gates and wires

1ns1ns

4ns4ns3ns3ns

5ns5ns


Transistor Level

• Model on CMOS transistor level– depending on application function modeled as resistive switches

• used in functional equivalence checking

– or full differential equations for circuit simulation

• used in detailed timing analysis


Layout Level

• Transistors and wires are laid out as polygons in different technology layers such as diffusion, poly-silicon, metal, etc.


Flavors of Verification

Design Verification: Does the design make sense? If I implemented it as designed, would it satisfy the design requirements?


Register Transfer Level (RTL)

Gate Level

Transistor Level

Layout Level

Implementation Verification: Is the implementation at the lower layer of abstraction consistent with the higher level?


Systems Design and Verification Challenges

• Heterogeneity (analog, digital, HW/SW)• Complexity (~billion transistors, ~millions of lines of code)• Time-to-market

Role of Computer-Aided Design and Verification Tools: Helping humans cope

Transistors

Processor ComplexityAvg. Human IQ

1

10

100

1K

10K

100K

1M

10M

1975 1980 1985 1990 1995

8086

6800068020

80386

80486

68040

Pentium

Pentium ProPPC601

PPC603

80804004

MIPS R4000

50

80

120

140

160

180

100

IntelligenceQuotient

Formal VerificationFormal Verification Tools Tools

VerifierVerifier

Description of sDescription of systemystemto be verifiedto be verified::- Finite state machineFinite state machine- Code written in a hardware Code written in a hardware description languagedescription language

SpecificationSpecification::-Temporal logic formulaTemporal logic formula- Algorithm- or protocol-level Algorithm- or protocol-level description for designdescription for design

YesYes

NoNo

Error traceError trace

G(p F q)p

q

Simulation vs. Formal VerificationSimulation vs. Formal Verification SimulationSimulation

• Not completeNot complete• Need to generate Need to generate

expected behaviorexpected behavior• Difficult to cover corner Difficult to cover corner

casescases• CPU intensiveCPU intensive

– have to run billions of have to run billions of cyclescycles

• Can handle large Can handle large systemssystems

Formal VerificationFormal Verification• Complete wrt specificationComplete wrt specification• No need to generate expected No need to generate expected

behaviorbehavior• Corner cases are Corner cases are

automatically taken care ofautomatically taken care of• Most of the state-of-the-art Most of the state-of-the-art

methods are memory methods are memory intensiveintensive

• Memory usage is strongly Memory usage is strongly related with the size of related with the size of systems to be verifiedsystems to be verified

Exploring the State Space of an Exploring the State Space of an FSMFSM

• Implicit methods: Representsets of states with decision diagrams

• Representation size not proportional to number of states• But still memory limited

10 stars11

10 transistors

10 states

7

100,000

The Moral …

Verification is a serious problem Formal verification methods are great, but not practical

yet on complex systems Simulation is practical, but can’t provide strong enough

guarantees Next part of talk: A hybrid technique:

Simulation + formal verification

Documents

Serdar Tasiran