Specification and Encoding of Transaction Interaction Properties Divjyot Sethi Yogesh Mahajan Sharad Malik Princeton University Hardware Verification Workshop

1

Specification and Encoding of Transaction Interaction Properties

Divjyot SethiYogesh Mahajan

Sharad MalikPrinceton University

Hardware Verification WorkshopEdinburgh

July 15, 2010

www.gigascale.org

Gap Between Specification and Implementation

Consequences for Verification• Need humans to translate

correctness conditions between them

• Incomplete, expensive, error prone

• Significant barrier to automation in verification.

SpecificationObjects are units of dataConcurrent computation on these objects

ImplementationObjects are functional logic blocksConcurrent communication between these objects

PacketH T

InstrOp ImmediateRs Rt

Frame l1

ln

M1 M2 M3

Pipeline

Mapping of concurrent functions onto concurrent hardware blocks is captured by humans

Drives efforts to move design and verification to

levels above RTL.

3

End

End

Fetch Decode

Read

ReadAddress

Write

End

End

Fetch Decode

Read

ReadAddress

Write

End

End

Fetch Decode

Read

ReadAddress

Write

Time

Transaction

Sequence

Order

Modeling Concurrent Computation Using Transactions

• Transaction is a unit of work• Transactions can be

concurrent• Transaction sequences• Permits reasoning about

• Individual transactions• Interactions between

transactions• e.g. pipeline hazards

T1

T2

T3

Shared Resource

Transaction Interaction Properties

• Examples– Contention• Mutual exclusion

– Sequencing• Ordering of packets in a router• Pipeline hazards

– Priority• Choosing among concurrent processes

4

Generally deal with ordering of individual transaction instances.

Transaction Interaction Properties in RTL

• Lack high-level information– Where are the instructions?

• Need to instrument the design to capture high-level objects– Instructions in flight

• Need to state the property in terms of instrumented variables

• Human intervention limits automation

5

Example: RAW Pipeline Hazard

Easier with a transaction-level model with explicit ordering

information.

Transaction-

Level Model

Transaction Interaction

Property

Synthesized RTL

Automated

Encoding

Finite Model + Temporal Logic

Property

This Work

Previous Work (CODES+ISSS 09)

Big Picture

VerifiedSynthesis

+

Model Check This

Talk Outline

• Motivation• Modeling Transactions and Interaction

Properties• Encoding for Model Checking• Experiments• Related Work• Summary

7

Transaction-Level Model• Individual Transaction

– Explicit start and end steps– Guarded transitions– Model as a Kripke structure

• Infinite array of transactions– Index value refers to specific

transaction• State

– Local• Transaction state

– present step & local variables– Local variables constant after a

transaction ends

– Global shared state

8

i

T1

T2

Ti

M1

Global State

Local State Of Ti

End Step

Start StepGuarded Transitions

Modeled as an infinite Kripke structure

Parametric, but not symmetric in i

Property Specification using Indexed Temporal Logic

9

i,j j>i G~( readj & ~writei & F(writei))

Example: RAW hazard property

i, j are transaction indices

I, P(I) [L(I),g]

General Form of property: • I: Set of index variables, one for each interacting transaction• P(I): Predicate on the set of indices I capturing relationship among

interacting transactions• [L(I),g]: Temporal logic formula on transaction local indexed

variables and global variables

Indexed transaction local variables

Indexed Temporal Logic Formula

Talk Outline



10

Encoding for Model Checking

11

i

T1

T2

Ti

M1

Global State

Indexed State

Infinite State Model

I, P(I) [v(I),g]+

Finite State Model

LTL/CTL Formula

+

Model Check This

Encode

Encode

Handling Infinite State

12

i

T1

T2

Ti

M1

Global State

Indexed State


I, P(I) [v(I),g]+Observation 1: Only a finite number of active transactions possible due to finite resources• Finite state for active transactions

S1

S2

SK

State of active transactions

User specified upper boundIndependently verified

Handling Infinite State

13

i

T1

T2

Ti

M1

Global State

Indexed State


I, P(I) [v(I),g]+But, properties may refer to local variablesof transactions that have ended.

Observation 2: Can exploit non-determinism.Non-deterministically select |I|transactions for tracking past history. The model checker will implicitly consider allpossible values.

E1

E2

E|I|

Local variablesof selectedtransactions

Number ofinteractingtransactions

Encoding the Predicate

14

i

T1

T2

Ti

M1

Global State

Indexed State


I, P(I) [v(I),g]+But, predicate evaluation needs the potentiallyinfinite index value of the interacting transactions.Observation 3: Can handle several (all?) usefulpredicates without explicit index value storage.•Ordering Constraints• P(i, j) : i > j

•Separation Constraints• P(i, j) : i − j > m • P(i, j) : i − j < m

•Equality Constraints: P(i, j)• i = j + m

•Inequality constraints• P(i, j) : i j + m

Predicate FSM

ND_Selecti

ND_Selectj

I = {i,j}

Encoding for Model Checking

15

i

T1

T2

Ti

M1

Global State

Indexed State


I, P(I) [v(I),g]+Key Components

Predicate FSM

ND_Selecti

ND_Selectj

S1

S2

SK

State of active transactions

E1

E2

E|I|

Local variablesof ended transactions

Talk Outline



16

Experiments

• Design examples– Simple router

• Property: Flits are processed in order

– Simple processor• Property: Absence of RAW hazard

• Input:– Designs specified using a transaction-level model– Properties specified using indexed temporal logic

• Output:– Synthesized SMV for finite model and LTL property– Model checked using Cadence SMV

17

Model Checking Results

18

System Time

(s)

BDD Size(Number of Nodes)

No. of State

Variables

Lines of Code

K (Finite Bound)

PropertyResult

Router <0.1 43324 30 397 3 True

Processor 17 3152542 50 382 6 False

All experiments done on Intel Core 2 Duo 2.5GHz 3 GB RAM Machine with Windows XP

Talk Outline



19

Related Work Summary

20

Transaction Based System

Unbounded/Infinite State

Indexed Properties

Finite Encoding

Encoding GenerationAutomated

Parameterized Synchronous Systems[Emerson, Namjoshi]

Indexed CTL* Logic[Clarke, Grumberg, Brown]

NA NA NA

Hazard Checking using Transaction Models [Malik, Mahajan]

This Work

Talk Outline



21

Summary

• Transaction-based higher-level models enable reasoning without resorting to design instrumentation

• Main Contributions:– Infinite Kripke structure model for transactions with explicit

indices– Indexed temporal logic for specifying transactions interactions

properties– Finite encoding of design and property exploiting

• Finiteness of hardware resources• Non-determinism in model checkers• Specific ordering relationships of interacting transactions

– Initial prototype demonstration

22

Related Papers

• Y. Mahajan, C. Chan, A. Bayazit, S. Malik, and W. Qin, “Verification driven formal architecture and microarchitecture modeling,” in MEMOCODE ’07: Proceedings of the 5th IEEE/ACM International Conference on Formal Methods and Models for Codesign. Washington, DC, USA: IEEE Computer Society, 2007, pp. 123–132.

• Y. Mahajan and S. Malik, “Automating hazard checking in transaction-level microarchitecture models,” in FMCAD ’07: Proceedings of the Formal Methods in Computer Aided Design. Washington, DC, USA: IEEE Computer Society, 2007, pp. 62–65.

• D. Schwartz-Narbonne, C. Chan, Y. Mahajan, and S. Malik, “Supporting RTL flow compatibility in a microarchitecture-level design framework,” in CODES+ISSS ’09: Proceedings of the 7th IEEE/ACM international conference on Hardware/software codesign and system synthesis. New York, NY, USA: ACM, 2009, pp. 343–352.

23

Documents

Specification and Encoding of Transaction Interaction Properties Divjyot Sethi Yogesh Mahajan Sharad Malik Princeton University Hardware Verification Workshop