Slide 1
Proof of Correctness of a Processor with Reorder Buffer
using the Completion Functions Approach
Ravi Hosabettu (Univ. of Utah)
Mandayam Srivas (SRI International)
Ganesh Gopalakrishnan (Univ. of Utah)
Slide 2
Motivation
• Pipelined processor verification
  – Increasingly complex designs
  – Need for formal verification
• Theorem provers
  – Focus on the relevant aspects only
• To verify large, complex designs:
  – Automation
  – Decomposition
Slide 3
Problem Definition
• Need a verification methodology that
– Is amenable to decomposition
– Uses decision procedures
• Solution: Completion Functions Approach
Slide 4
What are Completion Functions?
• Desired effect of retiring an unfinished instruction in an atomic fashion
[Figure: in-order pipeline with instructions in stages a, b, c feeding the register file RF; the completion function C_b retires the instruction in stage b atomically]
Slide 5
Abstraction Function
• Need to define an abstraction function
• Flushing the pipeline
• Our idea: Define abstraction function as a Composition of Completion Functions
[Figure: commuting diagram between Impl.MachineStep and Spec.MachineStep under the abstraction function]
Slide 6
Main Features
• Decomposition into verification conditions
• Generated systematically & discharged often automatically
[Figure: pipeline stages a, b, c with completion functions C_a, C_b, C_c and stage-transition logic L_ab, all ending in RF]
Abs. fn = C_a o C_b o C_c
One VC is: C_a == L_ab o C_b
Slide 7
Main Features Continued
• Incremental verification
• No explicit intermediate abstraction
• Methodology implemented in PVS
• Three examples (CAV98)
  – DLX
  – Dual issue DLX
  – Out-of-order execution example
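As an added, executable illustration of slides 4 to 7 (not code from the paper or its PVS development), here is a toy three-stage in-order pipeline in Python that uses the slide's names: stages a, b, c, completion functions C_a, C_b, C_c, stage-transition logic L_ab, and the abstraction function C_a o C_b o C_c applied with the oldest instruction (stage c) completing first. The four-register add/sub ISA, the forwarding logic, the random state generator and every function name are assumptions. Each verification condition is checked on its own, so switching off forwarding (`forward=False`, a deliberately broken feedback logic) shows that only the VC for the a-to-b transition and the top-level commutation fail while the b-to-c condition still holds, which is the localisation the decomposition buys.

```python
import random

# Assumed toy ISA: four registers, two ops. An instruction is (op, dst, src1, src2).
OPS = {"add": lambda x, y: x + y, "sub": lambda x, y: x - y}
NREG = 4

def a_step(rf, instr):
    """Specification step: retire one instruction atomically against the RF."""
    op, dst, s1, s2 = instr
    rf = list(rf); rf[dst] = OPS[op](rf[s1], rf[s2]); return tuple(rf)

# Implementation state: RF plus one latch per stage.
#   a: fetched instruction   b: (instr, v1, v2) operands read   c: (dst, value) to write back
def make_state(rf, a=None, b=None, c=None):
    return {"rf": tuple(rf), "a": a, "b": b, "c": c}

def exec_b(b):                     # L_bc: execute the instruction held in stage b
    return (b[0][1], OPS[b[0][0]](b[1], b[2]))

def writeback(rf, c):
    rf = list(rf)
    if c is not None: rf[c[0]] = c[1]
    return tuple(rf)

def l_ab(q, forward=True):
    """L_ab: move a's instruction into b, reading its operands. forward=True bypasses the
    result b is producing and the value c is writing back; forward=False reads the RF only
    (a deliberately broken feedback logic)."""
    if q["a"] is None: return None
    vals = []
    for s in q["a"][2:]:
        v = q["rf"][s]
        if forward:
            if q["c"] is not None and q["c"][0] == s: v = q["c"][1]
            if q["b"] is not None and q["b"][0][1] == s: v = exec_b(q["b"])[1]   # b is younger than c
        vals.append(v)
    return (q["a"], vals[0], vals[1])

def i_step(q, new_instr, forward=True):
    """Implementation step: every stage advances in the same cycle."""
    return make_state(writeback(q["rf"], q["c"]), a=new_instr, b=l_ab(q, forward),
                      c=exec_b(q["b"]) if q["b"] is not None else None)

# Completion functions: the desired effect of retiring the instruction in one stage atomically.
def c_c(q):
    return make_state(writeback(q["rf"], q["c"]), a=q["a"], b=q["b"])
def c_b(q):
    return make_state(writeback(q["rf"], exec_b(q["b"]) if q["b"] is not None else None),
                      a=q["a"], c=q["c"])
def c_a(q):
    return make_state(a_step(q["rf"], q["a"]) if q["a"] is not None else q["rf"], b=q["b"], c=q["c"])

def abstraction(q):
    """Abs. fn = C_a o C_b o C_c: the oldest instruction (stage c) completes first."""
    return c_a(c_b(c_c(q)))["rf"]

# Verification conditions, one per stage transition.
def vc_bc(q):
    """Completing b's instruction after L_bc (now in c) == completing it in b, once c is done."""
    moved = make_state(c_c(q)["rf"], c=exec_b(q["b"]) if q["b"] is not None else None)
    return c_c(moved)["rf"] == c_b(c_c(q))["rf"]

def vc_ab(q, forward=True):
    """Completing a's instruction after L_ab (now in b) == completing it in a, once b, c are done."""
    done = c_b(c_c(q))
    moved = make_state(done["rf"], b=l_ab(q, forward))
    return c_b(moved)["rf"] == c_a(done)["rf"]

def commutes(q, new_instr, forward=True):
    """Top-level criterion: Abs(I_step(q)) == A_step(Abs(q)), or Abs(q) on a bubble."""
    lhs = abstraction(i_step(q, new_instr, forward))
    rhs = abstraction(q) if new_instr is None else a_step(abstraction(q), new_instr)
    return lhs == rhs

def random_instr(rng):
    return (rng.choice(list(OPS)), rng.randrange(NREG), rng.randrange(NREG), rng.randrange(NREG))

def random_state(rng):
    """Constructed sample states, reachable or not: the VCs are required to hold regardless."""
    rf = [rng.randrange(-5, 6) for _ in range(NREG)]
    a = random_instr(rng) if rng.random() < 0.8 else None
    b = (random_instr(rng), rng.randrange(-5, 6), rng.randrange(-5, 6)) if rng.random() < 0.8 else None
    c = (rng.randrange(NREG), rng.randrange(-5, 6)) if rng.random() < 0.8 else None
    return make_state(rf, a, b, c)

def check_all(n=2000, seed=1, forward=True):
    """Report which conditions held on every one of n random states."""
    rng = random.Random(seed)
    ok = {"vc_bc": True, "vc_ab": True, "commutes": True}
    for _ in range(n):
        q = random_state(rng)
        new = random_instr(rng) if rng.random() < 0.8 else None
        ok["vc_bc"] &= vc_bc(q)
        ok["vc_ab"] &= vc_ab(q, forward)
        ok["commutes"] &= commutes(q, new, forward)
    return ok
```

The sampled states deliberately include unreachable ones: in the methodology the VCs are discharged for all states, with invariants added only where a condition needs one, and this toy pipeline needs none. `check_all()` reports every condition holding; `check_all(forward=False)` reports `vc_bc` still holding while `vc_ab` and `commutes` fail.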
Slide 8
New Issues for OOO
[Figure: the in-order pipeline (stages a, b, c into RF) beside the out-of-order datapath: RF, RTT, RB, DB and EU]
Slide 9
Completion Functions Approach for OOO
• Instructions in a few possible states
  – Parameterized completion function
• Recursive abstraction function
• Proof decomposition is based on “instruction-state transitions”
• Liveness issues addressed
Slide 10
Outline of the Presentation
• The implementation model
• Proof of correctness
  – Correctness criterion
  – Liveness proof
• Related work and conclusions
Slide 11
Processor Model
[Figure: processor model: RF, RTT, RB, DB and execution units EU1 .. EUm]
Slide 13
The Completion Function
[Figure: RB entry rbi with RF, DB and EU1; the completion function applies one of the following actions, depending on the state of the instruction]
• Action_issued
• Action_dispatched
• Action_executed
• Action_writtenback
Slide 14
Correctness Criterion
[Figure: commuting diagram: Abstraction applied to impl_st and to I_step(impl_st) must agree with A_step, or with no step, on the specification side]
Slide 15
Recursive Abstraction Function
[Figure: RB from tail to head, with entry rbi, completing into RF]
Abs. fn = Complete_till(head)
Slide 16
General Verification Condition
[Figure: RB contents in states q and next(q), each entry in one of the states I, D, E, W; completing either must give the Same RF]
Slide 17
Instruction-state Transitions
I --Disp?--> D --Exec?--> E --Wback?--> W --Retire?--> retired
Self-loops: I on Not Disp?, D on Not Exec?, E on Not Wback?, W on Not Retire?
Slide 18
Establishing the General Verification Condition
[Figure: RB contents in q and next(q); for an entry that moves from D to E, Action_dispatched in q and Action_executed in next(q) have the Same effect on RF]
Slide 19
Overall Proof Decomposition
[Figure: instruction states I, D, E, W completing into RF, with N and the ISA specification closing the chain of obligations]
Slide 21
Feedback Logic
• Feedback logic correctness: A = B
[Figure: instructions 1, 2, ..., i; A is the value instruction i obtains by a Read through the Feedback logic, B is the value read from RF after completing instructions 1 and 2 (C_1, C_2)]
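Added example for slides 13 to 21 (not the paper's PVS model): the same toy add/sub ISA in an out-of-order core with a reorder buffer (RB) and register translation table (RTT). Entries move through the slide's states I, D, E, W; the completion function is parameterised on that state; the abstraction function is the recursive Complete_till over the RB, running here from the oldest entry to the newest (the slide's head); and a random scheduler drives the implementation while three checks run every cycle: the feedback-logic condition A = B, the per-entry general verification condition across an instruction-state transition, and the top-level commutation with the ISA step. The single-cycle execution unit, the six-entry RB, the scheduler probabilities and every name are assumptions. Setting `buggy=True` makes issue ignore the RTT and read the RF, and the returned counts show which conditions catch it.

```python
import copy
import random

# Assumed toy ISA (same shape as the in-order example): four registers, add/sub.
OPS = {"add": lambda x, y: x + y, "sub": lambda x, y: x - y}
NREG = 4

def a_step(rf, instr):                                   # ISA specification step
    op, dst, s1, s2 = instr
    rf = list(rf); rf[dst] = OPS[op](rf[s1], rf[s2]); return tuple(rf)

class Entry:
    """RB entry: state is I, D, E or W; ops are operand values or ("tag", producer uid)."""
    def __init__(self, uid, instr, ops):
        self.uid, self.instr, self.ops, self.state, self.val = uid, instr, ops, "I", None

def new_state(rf):      # rtt[r] = uid of the youngest in-flight writer of r, or None
    return {"rf": tuple(rf), "rtt": [None] * NREG, "rb": [], "uid": 0}

def issue(q, instr, buggy=False):
    """Feedback logic: a source comes from the RF when the RTT shows no in-flight writer,
    from the writer's RB entry once it has written back, otherwise as a tag.
    buggy=True ignores the RTT and reads the (possibly stale) RF instead."""
    ops = []
    for s in instr[2:]:
        p = None if buggy else q["rtt"][s]
        if p is None:
            ops.append(q["rf"][s])
        else:
            pe = next(e for e in q["rb"] if e.uid == p)
            ops.append(pe.val if pe.state == "W" else ("tag", p))
    q["rb"].append(Entry(q["uid"], instr, ops))
    q["rtt"][instr[1]] = q["uid"]; q["uid"] += 1

def advance(q, e):
    """Instruction-state transitions I -> D -> E -> W for one entry."""
    if e.state == "I" and not any(isinstance(o, tuple) for o in e.ops):
        e.state = "D"                                                  # Disp?
    elif e.state == "D":
        e.val = OPS[e.instr[0]](e.ops[0], e.ops[1]); e.state = "E"     # Exec?
    elif e.state == "E":
        e.state = "W"                                                  # Wback?
        for o in q["rb"]:                                   # resolve tags waiting on e
            o.ops = [e.val if x == ("tag", e.uid) else x for x in o.ops]

def retire(q):
    """Retire? The RB head commits to the RF once it has written back."""
    if not q["rb"] or q["rb"][0].state != "W": return
    h = q["rb"].pop(0); rf = list(q["rf"]); rf[h.instr[1]] = h.val; q["rf"] = tuple(rf)
    if q["rtt"][h.instr[1]] == h.uid: q["rtt"][h.instr[1]] = None

def complete(e, rf):
    """Completion function, parameterised on the state: the effect on rf of retiring e
    atomically, given that every older entry has already been completed into rf."""
    op, dst, s1, s2 = e.instr
    if e.state in ("E", "W"): val = e.val
    elif e.state == "D":      val = OPS[op](e.ops[0], e.ops[1])
    else:                     val = OPS[op](rf[s1], rf[s2])             # I: read completed RF
    rf = list(rf); rf[dst] = val; return tuple(rf)

def complete_till(q, n):
    """Recursive abstraction function: complete the n oldest RB entries in order."""
    return q["rf"] if n == 0 else complete(q["rb"][n - 1], complete_till(q, n - 1))
def abstraction(q): return complete_till(q, len(q["rb"]))

def feedback_vc(q):
    """A = B: each captured operand equals the RF after completing all older entries."""
    return all(o == complete_till(q, n)[s] for n, e in enumerate(q["rb"])
               for o, s in zip(e.ops, e.instr[2:]) if not isinstance(o, tuple))

def transition_vc(q, q2):
    """General VC: an entry that changed state between q and next(q) completes to the same RF."""
    for n, e in enumerate(q["rb"]):
        e2 = next((x for x in q2["rb"] if x.uid == e.uid), None)
        if e2 is not None and complete(e2, complete_till(q, n)) != complete(e, complete_till(q, n)):
            return False
    return True

def random_instr(rng): return (rng.choice(list(OPS)), rng.randrange(NREG), rng.randrange(NREG), rng.randrange(NREG))

def step(q, rng, buggy=False):
    """One implementation cycle under a random scheduler; returns the issued instruction."""
    retire(q)
    for e in list(q["rb"]):
        if rng.random() < 0.6: advance(q, e)
    instr = random_instr(rng) if len(q["rb"]) < 6 and rng.random() < 0.7 else None
    if instr: issue(q, instr, buggy)
    return instr

def check(cycles=3000, seed=7, buggy=False):
    """Count cycles violating the feedback VC, the transition VC and the top-level
    criterion Abs(I_step(q)) == A_step(Abs(q)), or Abs(q) when nothing is issued."""
    rng = random.Random(seed)
    q = new_state([rng.randrange(-5, 6) for _ in range(NREG)])
    bad = {"feedback": 0, "transition": 0, "commutes": 0}
    for _ in range(cycles):
        before = copy.deepcopy(q); instr = step(q, rng, buggy)
        spec = a_step(abstraction(before), instr) if instr else abstraction(before)
        bad["feedback"] += not feedback_vc(q)
        bad["transition"] += not transition_vc(before, q)
        bad["commutes"] += abstraction(q) != spec
    return bad
```

`check()` returns zero violations for the correct feedback logic; `check(buggy=True)` returns non-zero counts for all three checks, and the feedback condition is the first to fire, before the stale operand has even been dispatched. Exclusiveness and exhaustiveness of the instruction states hold here by construction, since each entry carries a single state field; in a real design they are invariants that have to be proved.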
Slide 22
Invariants Needed
• Feedback logic invariant
• Exclusiveness & exhaustiveness
• Instruction-state properties
Slide 23
PVS Proof Statistics
• Proof strategies
  – Induction obligations: very similar strategy
  – Rewrite rules & other obligations: automatic
  – Invariants: no uniform strategy
• Manual effort
  – 1 week of planning & discussions
  – 12 person days of “first time” effort
• 1050 seconds on a 167 MHz UltraSparc
Slide 24
Liveness Properties
• Two liveness properties
  – Eventually the processor gets flushed
  – Eventually a new instruction is executed
• Again based on “Instruction-state transition” diagram
Slide 25
Liveness Proof
I --Disp?--> D --Exec?--> E --Wback?--> W --Retire?--> retired
Self-loops: I on Not Disp?, D on Not Exec?, E on Not Wback?, W on Not Retire?
[Figure: the Scheduler chooses which transition each instruction takes in a cycle]
Slide 26
Related Work
• Jones, Skakkebaek & Dill - FMCAD98
• Pnueli & Arons - FMCAD98
• Sawada & Hunt - CAV98
• McMillan - CAV98
Slide 27
Conclusions
• Well suited for verifying a processor with reorder buffer
• Proved the correctness of Tomasulo’s algorithm with no reorder buffer: CHARME99
Slide 28
Work in Progress
• A processor with exceptions & speculative execution
  – Substantial progress made
• Mechanizing the liveness proofs
• Bring the methodology closer to practice
  – Bridging the model gap
  – More automated decision procedures
  – Integration into the design process