470 likes | 759 Views
Formal Verification of Designs with Distinct Order of Memory Operations G. Ritter H. Hinrichsen H. Eveking Darmstadt University of Technology Dept. of Electrical and Computer Engineering Germany Motivation
E N D
Formal Verification of Designs withDistinct Order of Memory Operations G. Ritter H. Hinrichsen H. Eveking Darmstadt University of Technology Dept. of Electrical and Computer Engineering Germany
Motivation Order of memory operations may be changed substantially in processor designs • Reading from memory • Writing to memory
Instruction 1 IF ID EX WB IF ID EX WB Instruction 2 IF ID EX WB Instruction 3 Example: Pipelining Instruction 1 Instruction 2 Instruction 3 IF ID EX WB WB IF ID ID EX WB IF ID EX Writing before Reading.... Pipelining optimizes Throughput ... order reversed after Pipelining WB ID
Data memory mapping (for example: simple microcontroller architectures) Must model memory including PC Address 0 Acc • Some single registers can be addressed by instruc-tions in the same manner as the register file • For example, PC may be overwritten by any instruction 1 PC 2 . . . . . N Register- file
Instruction 1 IF ID EX WB IF ID EX WB Instruction 2 IF ID EX WB Instruction 3 Example: data memory mapping • No regular store-scheme common to e.g., many general purpose processors • For example: writing of PC possible in ID and WB • Scheduling can change order WB ID
Outline • Symbolic Simulation • Detecting Equivalences of Read-Operations • Detecting Equivalent Memory States • Experimental Results & Conclusion
Specification Implementation (rf[adrB]b, xmem[adr2]); (if adrA adrB then rf[adrA]a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); rf[adrA]a; rf[adrB]b; mem[adr1]val; xmem[adr2]; zx+rf[adrR]; Check theverification goal: "Two descriptions are computationally equivalent if both produce the same final values on the same initial values"
ya+b; 10...01 11...11 ... ... 00...01 11000011 00000001 00000000 11000100 Specification Implementation ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1 else zx+rf[adrR]); a8 ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 rf[adrB] b, x mem[adr2]);twertwerwerweroewihgoerijhgbe mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 x mem[adr2]); (if adrA adrB then rf[adrA] a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); a8 „Classical“ simulation: test vectors mem a b y
xa; yb+x; ya+b; ainit binit meminit yinit y1 (ainit+binit) Specification Implementation ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1 else zx+rf[adrR]); a8 ( mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr2]);twertwerwerweroewihgoerijhgbe (if 78 mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 rf[adrB] b, x mem[adr2]);twertwerwerweroewihgoerijhgbe mem[adr2]);twertwerwerweroewihgoerijhgbe (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 (if adrA adrBertetioerptkerotk8iperot then rf[adrA] a;erteroterj[o ermjgi7ethbe mem[adr1]val); (if adr1=adr2etyer54 78768 7776 8676 i68i 778 then zval+rf[adrR]7 878 i78 i87 i else zx+rf[adrR]);7i 7878 78 x mem[adr2]); (if adrA adrB then rf[adrA] a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); a8 Symbolic simulation: symbolic values
Symbolic Simulation Challenges • Equivalence detection of terms • Consistent case splits during simulation • must consider sequential behaviour • details in CHARME’99
Memory Model • All memory accesses modeled by two operations • How can we detect equivalences between descriptions using these memory operations? read(MEM, adr) store(MEM, adr, val)
Preprocessing rfstore(rf,adrA,a); rfstore(rf,adrB,b); memstore(mem,adr1,val); xread(mem,adr2); zx+read(rf,adrR); rf1store(rf,adrA,a); rf2store(rf1,adrB,b); mem1store(mem,adr1,val); x1read(mem1,adr2); z1x1+read(rf2,adrR); Express inherent timing structure by indexing register names Our initial specification after introducing read- and store-operations
s s s s s s s s Preprocessing rf1store(rf,adrA,a); rf2store(rf1,adrB,b); mem1store(mem,adr1,val); x1read(mem1,adr2); z1x1+read(rf2,adrR); Specification... Distinguish terms of specification and implementation by additional index s / i
i i i i i i i i i i Preprocessing (rf1store(rf,adrB,b), x1read(mem,adr2); (if adrA adrB then rf2store(rf1,adrA,a); mem1store(mem,adr1,val); (if adr1=adr2 then z1val+read(rf2,adrR) else z1x1+read(rf2,adrR)); ... and Implementation Distinguish terms of specification and implementation by additional index s / i
Preprocessing (rf1store(rf,adrB,b), x1read(mem,adr2); (if adrA adrB then rf2store(rf1,adrA,a); mem1store(mem,adr1,val); (if adr1=adr2 then z1val+read(rf2,adrR) else z1x1+read(rf2,adrR)); i i i i i i i i i i Note: Only the initial register values and memory states as anchors are identical in specification and implementation
Equivalence classes • Equivalent terms are collected in equivalence classes • Every term gets initially its ownequivalence class • Equivalence classes are modifiedduring the symbolic simulation • use results of ALL other equivalence detection techniques • Equivalence classes permit efficient reasoning about addresses
Two terms never return the same value adrA adrB • Otherwise adrB adrA • Two terms are equivalent for ALL initial values of the registers and memories: adrA adrB if adrA = adrB then... else... possibly adrA x + y; adrB x - y;
read value stored Value stored previously by a storeis equivalent to a read store store Resulting memory states are identical read read Read values are the same Equivalences ofMemory Operations
store(mem,adr1,v1); read(mem1,adrR); mem1 reg1 mem1 reg1 To simplify notation: assignments ommitted in the following
Reading apreviously stored value store(mem,adr1,v1); read(mem1,adrR); adr1 adrR Value is read read(mem1,adrR) v1
Reading apreviously stored value store(mem,adr1,v1); store(mem1,adr2,v2); read(mem2,adrR); store(mem,adr1,v1); store(mem1,adr2,v2); read(mem2,adrR); ... it seems FOR THIS READ that the store does not exist adr2 adr1 adrR Value is read read(mem2,adrR) v1
Equivalence of Memory States Specification Implementation store(mem,adrSA,vSA); store(mem1,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); s i s i adrSA adrIA vSA vIA adrSB adrIB vSB vIB store(mem1,...) mem2 s s store(mem1,...) mem2 i i
Equivalence of Read-Ops Specification Implementation store(mem,adrSA,vSA); store(mem1,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); s i s i i mem2 mem2 s adrRS adrRI read(mem2,...) read(mem1,...) s i
Specification Implementation store(mem,adrSA,vSA); store(mem1,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); s i s i The same example without the first store in the specification....
Specification Implementation store(mem,adrSB,vSB); read(mem1,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i • The final memory states are equivalent, if the first store in the implementation is overwritten by the second store s i adrIA adrIB
Specification Implementation store(mem,adrSB,vSB); read(mem1,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i • Preceding memory states are not equivalent s i possibly adrIA adrIB • However, the read-operations can be equivalent...
store(mem,adrSB,vSB); read(mem2,adrRS); store(mem,adrSB,vSB); read(mem1,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i i s s i i Specification Implementation adrSB adrRS adrIA adrIB adrIRI read(mem2,...) read(mem2,...) s i
Specification Implementation store(mem,adrSB,vSB); read(mem2,adrRS); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); store(mem,adrIA,vIA); store(mem1,adrIB,vIB); read(mem2,adrRI); i s i adrSB adrRS adrIA possibly adrIB adrRI ... it seems FOR THESE READs that this store does not exist But if address is not the same as the read addresses... Problem: Additional store... read(mem2,...) read(mem2,...) s i
So far: order of store-operations was the same in specification and implementation • eventually overwritten store-operations • But equivalent memory states might be reached also with a changed order • only one small example ... skip...
AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i i s s i i s s i i s s Do not consider overwritten stores....
AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i s i s i s adrA adrB adrC adrD Must be able to shift CI over BI....
AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i s i s i s adrA adrB adrC adrD ...and to shift DI over CI and BI
AS store(mem,adrA,...); O1 store(overwritten later); BS store(mem2,adrB,...); O2 store(overwritten later); CS store(mem4,adrC,...); DS store(mem5,adrD,...); AI store(mem,adrA,...); DI store(mem1,adrD,...); CI store(mem2,adrC,...); O3 store(overwritten later); BI store(mem4,adrB,...); i s i s i s adrA adrB adrC adrD ... then the final memory states are equivalent
Specification . . . s x2read(rf3, adrA); s Implementation . . . if . . . then x2 read(rf3, adrB); else x2read(rf3, adrC); i i i i Note: the addresses are symbolic values...
Specification Specification . . . . . . s s s s x2read(rf3, x2read(rf3, read(dmem, ir1[6:15]) + ir1[16:31]); s s Implementation Implementation . . . . . . tmp1 read(dmem, ir2[6:9]) if tmp1 = 0 then x2 read(rf3, ir2 [16:31]); else adr2 tmp1 + ir2 [16:31]; x2read(rf3, adr2); if then x2 read(rf3, else x2read(rf3, i i i i i i i i i i i i i i i i ... and address relationships have to be detected previously
Results of the other equivalence detection techniques are considered in the equivalence classes • efficient reasoning about addresses
Experimental Results Paths with stores Description
Conclusion • Symbolic simulation approach allows for complete equivalence check of control logic • Equivalence detection copes with distinct order of memory operations and considers • symbolic addresses • indirect addressing • Equivalence classes permit to establish an efficient address comparison • uses the results of ALL other equivalence detection techniques (e.g., bitvector-arithmetic)
Outlook • Apply technique to descriptions atgate- / standard-cell level • verification of design flow including commercial synthesis tool • Property verification • safety-critical designs
Specification Implementation (rf[adrB]b, xmem[adr2]); (if adrA adrB then rf[adrA]a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); rf[adrA]a; rf[adrB]b; mem[adr1]val; xmem[adr2]; zx+rf[adrR]; Two examples of reordering: • Forwarding
Specification Implementation (rf[adrB]b, xmem[adr2]); (if adrA adrB then rf[adrA]a; mem[adr1]val); (if adr1=adr2 then zval+rf[adrR] else zx+rf[adrR]); rf[adrA]a; rf[adrB]b; mem[adr1]val; xmem[adr2]; zx+rf[adrR]; Two examples of reordering: • Forwarding • Reversed order of store-operations
Abbreviations • only the relevant read- and store-operations are shown in the examples • no if-then-else constructs • no other terms (e.g., add, nand etc.) • equivalences/unequivalence of addresses already have been detected by the other equivalence detection techniques • Hide terms that stand for the addresses • for exampleread(mem,a3+b4) read(mem,adrA) i i
Example: Different number of instruction phases Instruction 1 Instruction 2 IF ID EX EX EX WB WB IF ID EX WB WB IF Order of Store-Operations reversed Instruction 1 IF ID EX EX EX WB WB IF ID EX WB WB Instruction 2
... then the first store is ommitted in the implementation EX WB If addresses of write back are identical.. less memory operations in the implementation than in the specification Example: write-operation not executed • Instructions with different length Instruction 1 ID EX EX WB ID EX WB ID Instruction 2 ID ID Instruction 3
Other slides • Intro-Example (Forwarding ...) • Abbreviations • Data Memory Mapping continued Presentation • Beginning • Motivation • Pipeline Example • Data Memory Mapping • Outline • Intro Symbolic Simulation • Preprocessing • Equivalence Classes • Value-Read • Memory-States / read-read • without first store • all unequivalent • sometimes • changed store order • Experimental results • Conclusion