Download - Serdar Tasiran
![Page 1: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/1.jpg)
Using a Formal Specification and a Model Checker
to Monitor and Guide Simulation
Verifying the Multiprocessing Hardware of the Alpha 21364 Microprocessor
Serdar TasiranKoç University, Istanbul, Turkey
(formerly Compaq/HP Systems Research Center)
Yuan Yu (Microsoft Research, formerly Compaq)Brannon Batson (Intel, formerly Compaq)
![Page 2: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/2.jpg)
But first But first
Formal MethodsFormal Methods (i.e. mathematical, algorithmic)(i.e. mathematical, algorithmic)
for for Software and Hardware Software and Hardware
DesignsDesigns
oror“Why should you care?”“Why should you care?”
![Page 3: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/3.jpg)
French Guyana, June 4, 1996$800 million software failure
![Page 4: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/4.jpg)
Mars, July 4, 1997Lost contact due to real-time priority inversion bug
![Page 5: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/5.jpg)
Faulty division algorithm (Intel Pentium)$475 million replacement cost
Faulty floppy disk controller (Toshiba)$2.1 billion court settlement
![Page 6: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/6.jpg)
$4 billion development effort> 50% system integration & validation cost
![Page 7: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/7.jpg)
400 horses100 microprocessors
![Page 8: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/8.jpg)
Feb. 17, 2003 Comp 302, Spring 2003
Cost of Finding Flaws Late
![Page 9: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/9.jpg)
SCIENCE
Natural Systems
ENGINEERING
Artificial Systems
PURE
Abstract Systems
APPLIED
Concrete Systems
THEORY
EXPERIMENT DESIGN
ANALYSIS
Veri/Falsifica
tion
![Page 10: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/10.jpg)
DESIGN VERI/FALSIFICATION
INFORMAL (ad hoc)
• by simulation
• by test
FORMAL (systematic)
• by proof
• by algorithm
Poor coverage High recovery cost
![Page 11: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/11.jpg)
Koç University – ECE Graduate Program
Typical Abstraction Layers for a Hardware Design
System (Behavioral) Level
Register Transfer Level (RTL)
Gate Level
Transistor Level
Layout Level
![Page 12: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/12.jpg)
Koç University – ECE Graduate Program
Design Process
• Design : specify and enter the design intent
Implement: refine the
design
through all
phases
Verify:
verify the
correctness of
design and
implementation
![Page 13: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/13.jpg)
Koç University – ECE Graduate Program
System (Behavioral) Level
• Abstract algorithmic description of high-level behavior– e.g. C-Programming language
– abstract because it does not contain any implementation details for timing or data
– efficient to get a compact execution model as first design draft– difficult to maintain throughout project because no link to
implementation
Port*compute_optimal_route_for_packet(Packet_t *packet,
Channel_t *channel){
static Queue_t *packet_queue;
packet_queue = add_packet(packet_queue, packet);...
}
![Page 14: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/14.jpg)
Koç University – ECE Graduate Program
RTL Level
• Cycle accurate model “close” to the hardware implementation– bit-vector data types and operations as abstraction from bit-level
implementation
– sequential constructs (e.g. if - then - else, while loops) to support modeling of complex control flow
module mark1;reg [31:0] m[0:8192];reg [12:0] pc;reg [31:0] acc;reg[15:0] ir;
alwaysbeginir = m[pc];if(ir[15:13] == 3b’000)
pc = m[ir[12:0]];else if (ir[15:13] == 3’b010)
acc = -m[ir[12:0]];...
endendmodule
![Page 15: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/15.jpg)
Koç University – ECE Graduate Program
Gate Level
• Model on finite-state machine level– models function in Boolean logic using registers and gates
– various delay models for gates and wires
1ns1ns
4ns4ns3ns3ns
5ns5ns
![Page 16: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/16.jpg)
Koç University – ECE Graduate Program
Transistor Level
• Model on CMOS transistor level– depending on application function modeled as resistive switches
• used in functional equivalence checking
– or full differential equations for circuit simulation
• used in detailed timing analysis
![Page 17: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/17.jpg)
Koç University – ECE Graduate Program
Layout Level
• Transistors and wires are laid out as polygons in different technology layers such as diffusion, poly-silicon, metal, etc.
![Page 18: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/18.jpg)
Koç University – ECE Graduate Program
Flavors of Verification
Design Verification: Does the design make sense? If I implemented it as designed, would it satisfy the design requirements?
System (Behavioral) Level
Register Transfer Level (RTL)
Gate Level
Transistor Level
Layout Level
Implementation Verification: Is the implementation at the lower layer of abstraction consistent with the higher level?
![Page 19: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/19.jpg)
Koç University – ECE Graduate Program
Systems Design and Verification Challenges
• Heterogeneity (analog, digital, HW/SW)• Complexity (~billion transistors, ~millions of lines of code)• Time-to-market
![Page 20: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/20.jpg)
Role of Computer-Aided Design and Verification Tools: Helping humans cope
Transistors
Processor ComplexityAvg. Human IQ
1
10
100
1K
10K
100K
1M
10M
1975 1980 1985 1990 1995
8086
6800068020
80386
80486
68040
Pentium
Pentium ProPPC601
PPC603
80804004
MIPS R4000
50
80
120
140
160
180
100
IntelligenceQuotient
![Page 21: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/21.jpg)
Formal VerificationFormal Verification Tools Tools
VerifierVerifier
Description of sDescription of systemystemto be verifiedto be verified::- Finite state machineFinite state machine- Code written in a hardware Code written in a hardware description languagedescription language
SpecificationSpecification::-Temporal logic formulaTemporal logic formula- Algorithm- or protocol-level Algorithm- or protocol-level description for designdescription for design
YesYes
NoNo
Error traceError trace
G(p F q)p
q
![Page 22: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/22.jpg)
Simulation vs. Formal VerificationSimulation vs. Formal Verification SimulationSimulation
• Not completeNot complete• Need to generate Need to generate
expected behaviorexpected behavior• Difficult to cover corner Difficult to cover corner
casescases• CPU intensiveCPU intensive
– have to run billions of have to run billions of cyclescycles
• Can handle large Can handle large systemssystems
Formal VerificationFormal Verification• Complete wrt specificationComplete wrt specification• No need to generate expected No need to generate expected
behaviorbehavior• Corner cases are Corner cases are
automatically taken care ofautomatically taken care of• Most of the state-of-the-art Most of the state-of-the-art
methods are memory methods are memory intensiveintensive
• Memory usage is strongly Memory usage is strongly related with the size of related with the size of systems to be verifiedsystems to be verified
![Page 23: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/23.jpg)
Exploring the State Space of an Exploring the State Space of an FSMFSM
• Implicit methods: Representsets of states with decision diagrams
• Representation size not proportional to number of states• But still memory limited
![Page 24: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/24.jpg)
10 stars11
10 transistors
10 states
7
100,000
![Page 25: Serdar Tasiran](https://reader034.vdocument.in/reader034/viewer/2022051517/56815734550346895dc4d236/html5/thumbnails/25.jpg)
The Moral …
Verification is a serious problem Formal verification methods are great, but not practical
yet on complex systems Simulation is practical, but can’t provide strong enough
guarantees Next part of talk: A hybrid technique:
Simulation + formal verification