slide1 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Formal Verification of Designs with Distinct Order of Memory Operations PowerPoint Presentation
Download Presentation
Formal Verification of Designs with Distinct Order of Memory Operations

Loading in 2 Seconds...

play fullscreen
1 / 47

Formal Verification of Designs with Distinct Order of Memory Operations - PowerPoint PPT Presentation


  • 245 Views
  • Uploaded on

Formal Verification of Designs with Distinct Order of Memory Operations G. Ritter H. Hinrichsen H. Eveking Darmstadt University of Technology Dept. of Electrical and Computer Engineering Germany Motivation

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Formal Verification of Designs with Distinct Order of Memory Operations' - emily


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Formal Verification of Designs withDistinct Order of Memory Operations

G. Ritter H. Hinrichsen H. Eveking

Darmstadt University of Technology

Dept. of Electrical and Computer Engineering

Germany

motivation
Motivation

Order of memory operations may be changed substantially in processor designs

  • Reading from memory
  • Writing to memory
slide3

Instruction 1

IF

ID

EX

WB

IF

ID

EX

WB

Instruction 2

IF

ID

EX

WB

Instruction 3

Example: Pipelining

Instruction 1

Instruction 2

Instruction 3

IF

ID

EX

WB

WB

IF

ID

ID

EX

WB

IF

ID

EX

Writing before Reading....

Pipelining

optimizes

Throughput

... order reversed

after Pipelining

WB

ID

slide4

Data memory mapping

(for example: simple microcontroller architectures)

Must model memory

including PC

Address

0

Acc

  • Some single registers can be addressed by instruc-tions in the same manner as the register file
  • For example, PC may be overwritten by any instruction

1

PC

2

.

.

.

.

.

N

Register-

file

slide5

Instruction 1

IF

ID

EX

WB

IF

ID

EX

WB

Instruction 2

IF

ID

EX

WB

Instruction 3

Example: data memory mapping

  • No regular store-scheme common to e.g., many general purpose processors
    • For example: writing of PC possible in ID and WB
  • Scheduling can change order

WB

ID

outline
Outline
  • Symbolic Simulation
  • Detecting Equivalences of Read-Operations
  • Detecting Equivalent Memory States
  • Experimental Results & Conclusion
slide7

Specification

Implementation

(rf[adrB]b,

xmem[adr2]);

(if adrA  adrB

then rf[adrA]a;

mem[adr1]val);

(if adr1=adr2

then zval+rf[adrR]

else zx+rf[adrR]);

rf[adrA]a;

rf[adrB]b;

mem[adr1]val;

xmem[adr2];

zx+rf[adrR];

Check theverification goal:

"Two descriptions are computationally

equivalent if both produce the same final

values on the same initial values"

slide8

ya+b;

10...01

11...11

...

...

00...01

11000011

00000001

00000000

11000100

Specification

Implementation

( mem[adr2]);twertwerwerweroewihgoerijhgbe

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

 mem[adr2]);twertwerwerweroewihgoerijhgbe

(if 78

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

mem[adr1 else zx+rf[adrR]);

a8

( mem[adr2]);twertwerwerweroewihgoerijhgbe

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

 mem[adr2]);twertwerwerweroewihgoerijhgbe

(if 78

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

rf[adrB] b,

x mem[adr2]);twertwerwerweroewihgoerijhgbe

 mem[adr2]);twertwerwerweroewihgoerijhgbe

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

x mem[adr2]);

(if adrA  adrB

then rf[adrA] a;

mem[adr1]val);

(if adr1=adr2

then zval+rf[adrR]

else zx+rf[adrR]);

a8

„Classical“ simulation: test vectors

mem

a

b

y

slide9

xa;

yb+x;

ya+b;

ainit

binit

meminit

yinit

y1

(ainit+binit)

Specification

Implementation

( mem[adr2]);twertwerwerweroewihgoerijhgbe

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

 mem[adr2]);twertwerwerweroewihgoerijhgbe

(if 78

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

mem[adr1 else zx+rf[adrR]);

a8

( mem[adr2]);twertwerwerweroewihgoerijhgbe

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

 mem[adr2]);twertwerwerweroewihgoerijhgbe

(if 78

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

rf[adrB] b,

x mem[adr2]);twertwerwerweroewihgoerijhgbe

 mem[adr2]);twertwerwerweroewihgoerijhgbe

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

(if adrA  adrBertetioerptkerotk8iperot

then rf[adrA] a;erteroterj[o ermjgi7ethbe

mem[adr1]val);

(if adr1=adr2etyer54 78768 7776 8676 i68i 778

then zval+rf[adrR]7 878 i78 i87 i

else zx+rf[adrR]);7i 7878

78

x mem[adr2]);

(if adrA  adrB

then rf[adrA] a;

mem[adr1]val);

(if adr1=adr2

then zval+rf[adrR]

else zx+rf[adrR]);

a8

Symbolic simulation:

symbolic values

symbolic simulation
Symbolic Simulation

Challenges

  • Equivalence detection of terms
  • Consistent case splits during simulation
    • must consider sequential behaviour
    • details in CHARME’99
memory model
Memory Model
  • All memory accesses modeled by two operations
  • How can we detect equivalences between descriptions using these memory operations?

read(MEM, adr)

store(MEM, adr, val)

preprocessing
Preprocessing

rfstore(rf,adrA,a); rfstore(rf,adrB,b);

memstore(mem,adr1,val);

xread(mem,adr2);

zx+read(rf,adrR);

rf1store(rf,adrA,a); rf2store(rf1,adrB,b);

mem1store(mem,adr1,val);

x1read(mem1,adr2);

z1x1+read(rf2,adrR);

Express inherent timing structure by indexing register names

Our initial specification after introducing read- and store-operations

preprocessing13

s

s

s

s

s

s

s

s

Preprocessing

rf1store(rf,adrA,a); rf2store(rf1,adrB,b);

mem1store(mem,adr1,val);

x1read(mem1,adr2);

z1x1+read(rf2,adrR);

Specification...

Distinguish terms of specification and implementation by additional index s / i

preprocessing14

i

i

i

i

i

i

i

i

i

i

Preprocessing

(rf1store(rf,adrB,b),

x1read(mem,adr2);

(if adrA  adrB

then rf2store(rf1,adrA,a);

mem1store(mem,adr1,val);

(if adr1=adr2

then z1val+read(rf2,adrR)

else z1x1+read(rf2,adrR));

... and Implementation

Distinguish terms of specification and implementation by additional index s / i

preprocessing15
Preprocessing

(rf1store(rf,adrB,b),

x1read(mem,adr2);

(if adrA  adrB

then rf2store(rf1,adrA,a);

mem1store(mem,adr1,val);

(if adr1=adr2

then z1val+read(rf2,adrR)

else z1x1+read(rf2,adrR));

i

i

i

i

i

i

i

i

i

i

Note: Only the initial register values and memory states as anchors are identical in specification and implementation

equivalence classes
Equivalence classes
  • Equivalent terms are collected in equivalence classes
  • Every term gets initially its ownequivalence class
  • Equivalence classes are modifiedduring the symbolic simulation
    • use results of ALL other equivalence detection techniques
  • Equivalence classes permit efficient reasoning about addresses
slide17

Two terms never return the same value

adrA

adrB

  • Otherwise

adrB

adrA

  • Two terms are equivalent for ALL initial values of the registers and memories:

adrA

adrB

if adrA = adrB

then...

else...

possibly

adrA  x + y;

adrB  x - y;

equivalences of memory operations

read

value stored

Value stored previously by a storeis equivalent to a read

store

store

Resulting memory states are identical

read

read

Read values are the same

Equivalences ofMemory Operations
slide19

store(mem,adr1,v1);

read(mem1,adrR);

mem1 

reg1

mem1 

reg1

To simplify notation:

assignments ommitted in the

following

reading a previously stored value
Reading apreviously stored value

store(mem,adr1,v1);

read(mem1,adrR);

adr1

adrR

Value is read

read(mem1,adrR)

v1

reading a previously stored value21
Reading apreviously stored value

store(mem,adr1,v1);

store(mem1,adr2,v2);

read(mem2,adrR);

store(mem,adr1,v1);

store(mem1,adr2,v2);

read(mem2,adrR);

... it seems

FOR THIS READ

that the store

does not exist

adr2

adr1

adrR

Value is read

read(mem2,adrR)

v1

slide22

Equivalence of Memory States

Specification

Implementation

store(mem,adrSA,vSA);

store(mem1,adrSB,vSB);

read(mem2,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

s

i

s

i

adrSA

adrIA

vSA

vIA

adrSB

adrIB

vSB

vIB

store(mem1,...) mem2

s

s

store(mem1,...) mem2

i

i

equivalence of read ops
Equivalence of Read-Ops

Specification

Implementation

store(mem,adrSA,vSA);

store(mem1,adrSB,vSB);

read(mem2,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

s

i

s

i

i

mem2

mem2

s

adrRS

adrRI

read(mem2,...)

read(mem1,...)

s

i

slide24

Specification

Implementation

store(mem,adrSA,vSA);

store(mem1,adrSB,vSB);

read(mem2,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

s

i

s

i

The same example without the first

store in the specification....

slide25

Specification

Implementation

store(mem,adrSB,vSB);

read(mem1,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

i

  • The final memory states are equivalent, if the first store in the implementation is overwritten by the second store

s

i

adrIA

adrIB

slide26

Specification

Implementation

store(mem,adrSB,vSB);

read(mem1,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

i

  • Preceding memory states are not equivalent

s

i

possibly

adrIA

adrIB

  • However, the read-operations can be equivalent...
slide27

store(mem,adrSB,vSB);

read(mem2,adrRS);

store(mem,adrSB,vSB);

read(mem1,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

i

i

s

s

i

i

Specification

Implementation

adrSB

adrRS

adrIA

adrIB

adrIRI

read(mem2,...)

read(mem2,...)

s

i

slide28

Specification

Implementation

store(mem,adrSB,vSB);

read(mem2,adrRS);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

store(mem,adrIA,vIA);

store(mem1,adrIB,vIB);

read(mem2,adrRI);

i

s

i

adrSB

adrRS

adrIA

possibly

adrIB

adrRI

... it seems

FOR THESE READs

that this store does not exist

But if address is

not the same

as the read addresses...

Problem:

Additional store...

read(mem2,...)

read(mem2,...)

s

i

slide29
So far: order of store-operations was the same in specification and implementation
    • eventually overwritten store-operations
  • But equivalent memory states might be reached also with a changed order
    • only one small example ...

skip...

slide30

AS store(mem,adrA,...);

O1 store(overwritten later);

BS store(mem2,adrB,...);

O2 store(overwritten later);

CS store(mem4,adrC,...);

DS store(mem5,adrD,...);

AS store(mem,adrA,...);

O1 store(overwritten later);

BS store(mem2,adrB,...);

O2 store(overwritten later);

CS store(mem4,adrC,...);

DS store(mem5,adrD,...);

AI store(mem,adrA,...);

DI store(mem1,adrD,...);

CI store(mem2,adrC,...);

O3 store(overwritten later);

BI store(mem4,adrB,...);

AI store(mem,adrA,...);

DI store(mem1,adrD,...);

CI store(mem2,adrC,...);

O3 store(overwritten later);

BI store(mem4,adrB,...);

i

i

s

s

i

i

s

s

i

i

s

s

Do not consider overwritten stores....

slide31

AS store(mem,adrA,...);

O1 store(overwritten later);

BS store(mem2,adrB,...);

O2 store(overwritten later);

CS store(mem4,adrC,...);

DS store(mem5,adrD,...);

AI store(mem,adrA,...);

DI store(mem1,adrD,...);

CI store(mem2,adrC,...);

O3 store(overwritten later);

BI store(mem4,adrB,...);

i

s

i

s

i

s

adrA

adrB

adrC

adrD

Must be able to shift CI over BI....

slide32

AS store(mem,adrA,...);

O1 store(overwritten later);

BS store(mem2,adrB,...);

O2 store(overwritten later);

CS store(mem4,adrC,...);

DS store(mem5,adrD,...);

AI store(mem,adrA,...);

DI store(mem1,adrD,...);

CI store(mem2,adrC,...);

O3 store(overwritten later);

BI store(mem4,adrB,...);

i

s

i

s

i

s

adrA

adrB

adrC

adrD

...and to shift DI over CI and BI

slide33

AS store(mem,adrA,...);

O1 store(overwritten later);

BS store(mem2,adrB,...);

O2 store(overwritten later);

CS store(mem4,adrC,...);

DS store(mem5,adrD,...);

AI store(mem,adrA,...);

DI store(mem1,adrD,...);

CI store(mem2,adrC,...);

O3 store(overwritten later);

BI store(mem4,adrB,...);

i

s

i

s

i

s

adrA

adrB

adrC

adrD

... then the final memory states are equivalent

slide34

Specification

. . .

s

x2read(rf3, adrA);

s

Implementation

. . .

if . . .

then x2 read(rf3, adrB);

else

x2read(rf3, adrC);

i

i

i

i

Note: the addresses are symbolic values...

slide35

Specification

Specification

. . .

. . .

s

s

s

s

x2read(rf3,

x2read(rf3, read(dmem, ir1[6:15]) + ir1[16:31]);

s

s

Implementation

Implementation

. . .

. . .

tmp1 read(dmem, ir2[6:9])

if tmp1 = 0

then x2 read(rf3, ir2 [16:31]);

else adr2 tmp1 + ir2 [16:31];

x2read(rf3, adr2);

if

then x2 read(rf3,

else

x2read(rf3,

i

i

i

i

i

i

i

i

i

i

i

i

i

i

i

i

... and address relationships have to be detected previously

slide36
Results of the other equivalence detection techniques are considered in the equivalence classes
  • efficient reasoning about addresses
experimental results
Experimental Results

Paths with stores

Description

conclusion
Conclusion
  • Symbolic simulation approach allows for complete equivalence check of control logic
  • Equivalence detection copes with distinct order of memory operations and considers
    • symbolic addresses
    • indirect addressing
  • Equivalence classes permit to establish an efficient address comparison
    • uses the results of ALL other equivalence detection techniques (e.g., bitvector-arithmetic)
outlook
Outlook
  • Apply technique to descriptions atgate- / standard-cell level
    • verification of design flow including commercial synthesis tool
  • Property verification
    • safety-critical designs
slide42

Specification

Implementation

(rf[adrB]b,

xmem[adr2]);

(if adrA  adrB

then rf[adrA]a;

mem[adr1]val);

(if adr1=adr2

then zval+rf[adrR]

else zx+rf[adrR]);

rf[adrA]a;

rf[adrB]b;

mem[adr1]val;

xmem[adr2];

zx+rf[adrR];

Two examples of reordering:

  • Forwarding
slide43

Specification

Implementation

(rf[adrB]b,

xmem[adr2]);

(if adrA  adrB

then rf[adrA]a;

mem[adr1]val);

(if adr1=adr2

then zval+rf[adrR]

else zx+rf[adrR]);

rf[adrA]a;

rf[adrB]b;

mem[adr1]val;

xmem[adr2];

zx+rf[adrR];

Two examples of reordering:

  • Forwarding
  • Reversed order of store-operations
abbreviations
Abbreviations
  • only the relevant read- and store-operations are shown in the examples
    • no if-then-else constructs
    • no other terms (e.g., add, nand etc.)
  • equivalences/unequivalence of addresses already have been detected by the other equivalence detection techniques
  • Hide terms that stand for the addresses
    • for exampleread(mem,a3+b4) read(mem,adrA)

i

i

slide45

Example: Different number of instruction phases

Instruction 1

Instruction 2

IF

ID

EX

EX

EX

WB

WB

IF

ID

EX

WB

WB

IF

Order of

Store-Operations

reversed

Instruction 1

IF

ID

EX

EX

EX

WB

WB

IF

ID

EX

WB

WB

Instruction 2

slide46

... then the first store

is ommitted

in the implementation

EX

WB

If addresses

of write back

are identical..

less memory operations in the implementation

than in the specification

Example: write-operation not executed

  • Instructions with different length

Instruction 1

ID

EX

EX

WB

ID

EX

WB

ID

Instruction 2

ID

ID

Instruction 3

slide47

Other slides

  • Intro-Example (Forwarding ...)
  • Abbreviations
  • Data Memory Mapping continued

Presentation

  • Beginning
  • Motivation
    • Pipeline Example
    • Data Memory Mapping
  • Outline
  • Intro Symbolic Simulation
  • Preprocessing
  • Equivalence Classes
  • Value-Read
  • Memory-States / read-read
  • without first store
    • all unequivalent
    • sometimes
  • changed store order
  • Experimental results
  • Conclusion