1 / 47

Formal Verification of Designs with Distinct Order of Memory Operations

Formal Verification of Designs with Distinct Order of Memory Operations G. Ritter H. Hinrichsen H. Eveking Darmstadt University of Technology Dept. of Electrical and Computer Engineering Germany Motivation

emily
Download Presentation

Formal Verification of Designs with Distinct Order of Memory Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Formal Verification of Designs withDistinct Order of Memory Operations G. Ritter H. Hinrichsen H. Eveking Darmstadt University of Technology Dept. of Electrical and Computer Engineering Germany

  2. Motivation Order of memory operations may be changed substantially in processor designs • Reading from memory • Writing to memory

  3. Instruction 1 IF ID EX WB IF ID EX WB Instruction 2 IF ID EX WB Instruction 3 Example: Pipelining Instruction 1 Instruction 2 Instruction 3 IF ID EX WB WB IF ID ID EX WB IF ID EX Writing before Reading.... Pipelining optimizes Throughput ... order reversed after Pipelining WB ID

  4. Data memory mapping (for example: simple microcontroller architectures) Must model memory including PC Address 0 Acc • Some single registers can be addressed by instruc-tions in the same manner as the register file • For example, PC may be overwritten by any instruction 1 PC 2 . . . . . N Register- file

  5. Instruction 1 IF ID EX WB IF ID EX WB Instruction 2 IF ID EX WB Instruction 3 Example: data memory mapping • No regular store-scheme common to e.g., many general purpose processors • For example: writing of PC possible in ID and WB • Scheduling can change order WB ID

  6. Outline • Symbolic Simulation • Detecting Equivalences of Read-Operations • Detecting Equivalent Memory States • Experimental Results & Conclusion

  7. Specification Implementation (rf[adrB]b, xmem[adr2]); (if adrA  adrB then rf[adrA]a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); rf[adrA]a; rf[adrB]b; mem[adr1]val; xmem[adr2]; zx+rf[adrR]; Check theverification goal: "Two descriptions are computationally equivalent if both produce the same final values on the same initial values"

  8. ya+b; 10...01 11...11 ... ... 00...01 11000011 00000001 00000000 11000100 Specification Implementation ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe  mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1 else zx+rf[adrR]); a8 ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe  mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 rf[adrB] b, x mem[adr2]);twertwerwerweroewihgoerijhgbe  mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 x mem[adr2]); (if adrA  adrB then rf[adrA] a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); a8 „Classical“ simulation: test vectors mem a b y

  9. xa; yb+x; ya+b; ainit binit meminit yinit y1 (ainit+binit) Specification Implementation ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe  mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1 else zx+rf[adrR]); a8 ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe  mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 rf[adrB] b, x mem[adr2]);twertwerwerweroewihgoerijhgbe  mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA  adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 x mem[adr2]); (if adrA  adrB then rf[adrA] a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); a8 Symbolic simulation: symbolic values

  10. Symbolic Simulation Challenges • Equivalence detection of terms • Consistent case splits during simulation • must consider sequential behaviour • details in CHARME’99

  11. Memory Model • All memory accesses modeled by two operations • How can we detect equivalences between descriptions using these memory operations? read(MEM, adr) store(MEM, adr, val)

  12. Preprocessing rfstore(rf,adrA,a); rfstore(rf,adrB,b); memstore(mem,adr1,val); xread(mem,adr2); zx+read(rf,adrR); rf1store(rf,adrA,a); rf2store(rf1,adrB,b); mem1store(mem,adr1,val); x1read(mem1,adr2); z1x1+read(rf2,adrR); Express inherent timing structure by indexing register names Our initial specification after introducing read- and store-operations

  13. s s s s s s s s Preprocessing rf1store(rf,adrA,a); rf2store(rf1,adrB,b); mem1store(mem,adr1,val); x1read(mem1,adr2); z1x1+read(rf2,adrR); Specification... Distinguish terms of specification and implementation by additional index s / i

  14. i i i i i i i i i i Preprocessing (rf1store(rf,adrB,b), x1read(mem,adr2); (if adrA  adrB then rf2store(rf1,adrA,a); mem1store(mem,adr1,val); (if adr1=adr2 then z1val+read(rf2,adrR) else z1x1+read(rf2,adrR)); ... and Implementation Distinguish terms of specification and implementation by additional index s / i

  15. Preprocessing (rf1store(rf,adrB,b), x1read(mem,adr2); (if adrA  adrB then rf2store(rf1,adrA,a); mem1store(mem,adr1,val); (if adr1=adr2 then z1val+read(rf2,adrR) else z1x1+read(rf2,adrR)); i i i i i i i i i i Note: Only the initial register values and memory states as anchors are identical in specification and implementation

  16. Equivalence classes • Equivalent terms are collected in equivalence classes • Every term gets initially its ownequivalence class • Equivalence classes are modifiedduring the symbolic simulation • use results of ALL other equivalence detection techniques • Equivalence classes permit efficient reasoning about addresses

  17. Two terms never return the same value adrA adrB • Otherwise adrB adrA • Two terms are equivalent for ALL initial values of the registers and memories: adrA adrB  if adrA = adrB then... else... possibly adrA  x + y; adrB  x - y;

  18. read value stored Value stored previously by a storeis equivalent to a read store store Resulting memory states are identical read read Read values are the same Equivalences ofMemory Operations

  19. store(mem,adr1,v1); read(mem1,adrR); mem1  reg1 mem1  reg1 To simplify notation: assignments ommitted in the following

  20. Reading apreviously stored value store(mem,adr1,v1); read(mem1,adrR); adr1 adrR Value is read read(mem1,adrR) v1

  21. Reading apreviously stored value store(mem,adr1,v1); store(mem1,adr2,v2); read(mem2,adrR); store(mem,adr1,v1); store(mem1,adr2,v2); read(mem2,adrR); ... it seems FOR THIS READ that the store does not exist  adr2 adr1 adrR Value is read read(mem2,adrR) v1

  22. Equivalence of Memory States Specification Implementation store(mem,adrSA,vSA); store(mem1,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); s i s i adrSA adrIA vSA vIA adrSB adrIB vSB vIB store(mem1,...) mem2 s s store(mem1,...) mem2 i i

  23. Equivalence of Read-Ops Specification Implementation store(mem,adrSA,vSA); store(mem1,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); s i s i i mem2 mem2 s adrRS adrRI read(mem2,...) read(mem1,...) s i

  24. Specification Implementation store(mem,adrSA,vSA); store(mem1,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); s i s i The same example without the first store in the specification....

  25. Specification Implementation store(mem,adrSB,vSB); read(mem1,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i • The final memory states are equivalent, if the first store in the implementation is overwritten by the second store s i adrIA adrIB

  26. Specification Implementation store(mem,adrSB,vSB); read(mem1,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i • Preceding memory states are not equivalent s i possibly adrIA adrIB • However, the read-operations can be equivalent...

  27. store(mem,adrSB,vSB); read(mem2,adrRS); store(mem,adrSB,vSB); read(mem1,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i i s s i i    Specification Implementation adrSB adrRS adrIA adrIB adrIRI read(mem2,...) read(mem2,...) s i

  28. Specification Implementation store(mem,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i s i  adrSB adrRS adrIA possibly adrIB adrRI ... it seems FOR THESE READs that this store does not exist But if address is not the same as the read addresses... Problem: Additional store... read(mem2,...) read(mem2,...) s i

  29. So far: order of store-operations was the same in specification and implementation • eventually overwritten store-operations • But equivalent memory states might be reached also with a changed order • only one small example ... skip...

  30. AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i i s s i i s s i i s s Do not consider overwritten stores....

  31. AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i s i s i s adrA adrB  adrC adrD Must be able to shift CI over BI....

  32. AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i s i s i s   adrA adrB  adrC adrD ...and to shift DI over CI and BI

  33. AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i s i s i s   adrA adrB  adrC adrD ... then the final memory states are equivalent

  34. Specification . . . s x2read(rf3, adrA); s Implementation . . . if . . . then x2 read(rf3, adrB); else x2read(rf3, adrC); i i i i Note: the addresses are symbolic values...

  35. Specification Specification . . . . . . s s s s x2read(rf3, x2read(rf3, read(dmem, ir1[6:15]) + ir1[16:31]); s s Implementation Implementation . . . . . . tmp1 read(dmem, ir2[6:9]) if tmp1 = 0 then x2 read(rf3, ir2 [16:31]); else adr2 tmp1 + ir2 [16:31]; x2read(rf3, adr2); if then x2 read(rf3, else x2read(rf3, i i i i i i i i i i i i i i i i ... and address relationships have to be detected previously

  36. Results of the other equivalence detection techniques are considered in the equivalence classes • efficient reasoning about addresses

  37. Experimental Results Paths with stores Description

  38. Conclusion • Symbolic simulation approach allows for complete equivalence check of control logic • Equivalence detection copes with distinct order of memory operations and considers • symbolic addresses • indirect addressing • Equivalence classes permit to establish an efficient address comparison • uses the results of ALL other equivalence detection techniques (e.g., bitvector-arithmetic)

  39. Outlook • Apply technique to descriptions atgate- / standard-cell level • verification of design flow including commercial synthesis tool • Property verification • safety-critical designs

  40. Specification Implementation (rf[adrB]b, xmem[adr2]); (if adrA  adrB then rf[adrA]a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); rf[adrA]a; rf[adrB]b; mem[adr1]val; xmem[adr2]; zx+rf[adrR]; Two examples of reordering: • Forwarding

  41. Specification Implementation (rf[adrB]b, xmem[adr2]); (if adrA  adrB then rf[adrA]a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); rf[adrA]a; rf[adrB]b; mem[adr1]val; xmem[adr2]; zx+rf[adrR]; Two examples of reordering: • Forwarding • Reversed order of store-operations

  42. Abbreviations • only the relevant read- and store-operations are shown in the examples • no if-then-else constructs • no other terms (e.g., add, nand etc.) • equivalences/unequivalence of addresses already have been detected by the other equivalence detection techniques • Hide terms that stand for the addresses • for exampleread(mem,a3+b4) read(mem,adrA) i i

  43. Example: Different number of instruction phases Instruction 1 Instruction 2 IF ID EX EX EX WB WB IF ID EX WB WB IF Order of Store-Operations reversed Instruction 1 IF ID EX EX EX WB WB IF ID EX WB WB Instruction 2

  44. ... then the first store is ommitted in the implementation EX WB If addresses of write back are identical.. less memory operations in the implementation than in the specification Example: write-operation not executed • Instructions with different length Instruction 1 ID EX EX WB ID EX WB ID Instruction 2 ID ID Instruction 3

  45. Other slides • Intro-Example (Forwarding ...) • Abbreviations • Data Memory Mapping continued Presentation • Beginning • Motivation • Pipeline Example • Data Memory Mapping • Outline • Intro Symbolic Simulation • Preprocessing • Equivalence Classes • Value-Read • Memory-States / read-read • without first store • all unequivalent • sometimes • changed store order • Experimental results • Conclusion

More Related