
Transaction Based Modeling and Verification of Hardware Protocols


Presentation Transcript


  1. Transaction Based Modeling and Verification of Hardware Protocols • Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan • Supported in part by Intel SRC Customization Award 2005-TJ-1318

  2. Modeling and Verification of HW Protocols • High-level modeling • Model checking • Murphi, TLA+ • Low-level: RTL or VHDL • Simulation • SixthSense, RuleBase

  3. Problem Addressed • Global properties cannot be verified at RTL level • Specifications can be verified, but do they correctly represent the implementations? • Our goal • Bridge the gap between specifications and implementations

  4. Modeling • One step in high-level • Multiple steps in low-level • [Figure: step 1 and steps 1.1 to 1.5; labels: client, buf, home, local cache]

  5. Differences in Execution • Interleaving in HL • Concurrency in LL • [Figure: HL steps 1, 2, 3; LL steps 1.1 to 1.3, 2.1 to 2.2, 3.1 to 3.3] • We introduce “transactions” for the mapping

  6. Hardware Murphi • Murphi extension by S. German and G. Janssen • A concurrent shared variable language • On each cycle • Multiple transitions execute concurrently • Exclusive write to a variable • Shared reads to variables • Write immediately visible within the same transition • Write visible to other transitions on the next cycle • Support signals, transactions, etc

  7. A Few Notations • Variables in both spec and impl • Interface variables: V_I • Transactional variables: V_H • Variable v inactive at a state s • If all transactions that can write to v are not active at s

  8. Formal Notion of Refinement • For every concurrent execution of impl, there exists an interleaving execution of spec such that variables • V_I always match • V_H match for inactive(l_i) • [Figure: LL execution l0, l1, l2, l3, … and HL execution h0, h1, h2, h3, …]

  9. Refinement Check • [Figure: flow diagram with boxes labelled Murphi spec model, Hardware Murphi impl model, product model in Hardware Murphi, Muv, product model in VHDL, property check] • Check high-level correctly implements low-level

  10. Property Check in Refinement • Guard for spec transition must hold • Observable vars changed by spec or impl must match • [Figure: 1-transition from Spec(s) to Spec(s’); 1-transaction (multi concurrent transitions) from s to s’] • s: reachable state where the commit transition of transaction is enabled

  11. Model Checking Approaches • Monolithic • Straightforward property check • Compositional • Divide and conquer

  12. Compositional Refinement Check • Reduce the verification complexity • Basic Techniques • Abstraction • Removing details to make verification easier • Assume guarantee • A simple form of induction which introduces assumptions and justifies them

  13. Abstraction • View design as concurrent processes • Perform simplifications • Change a read to access a fresh input variable, or • If in a process, two steps are executed • 1st step writes to a variable • 2nd step reads it • then no need to consider other sources of the read • Change to free inputs

  14. Assume Guarantee Reasoning • Assume certain values for any read of a variable • Guarantee certain values for all writes to the variable • Example • In the beginning of a transaction • Assume spec and impl have same values on joint variables to be read • At the end of the transaction • Guarantee spec and impl have same values on joint variables being written

  15. Driving Benchmark • [Figure: two sets of units (Dir, Cache, Mem, Local Buf, Home Buf, Remote Buf) and a Router] • S. German and G. Janssen, IBM Research Tech Report 2006

  16. Bugs Found with Refinement Check • Benchmark satisfies cache coherence already • Bugs still found • Bug 1: router unit loses messages • Bug 2: home unit replies twice for one request • Bug 3: cache unit gets updated twice from one reply • Refinement check is an automatic way of constructing checks

  17. Experimental Results • Configurations • 2 nodes, 2 addresses, SixthSense “xpt” engine • [Figure: verification time (axis marks 30 min and 1-day) against datapath width (1-bit and 10-bit), monolithic approach versus compositional approach] • Thanks: SixthSense, VHDL compiler and RuleBase groups

  18. Conclusion • Introduced transactions to map spec and impl • Developed formal theory of refinement check • Developed compositional approach • Abstraction • Assume guarantee • Encouraging experimental results

  19. Related Work • Arvind et al. • Bluespec • Park and Dill • Aggregation of distributed actions • McMillan • Compositional approach

  20. Thanks! “Transaction based modeling and verification of hardware protocols”, to appear in FMCAD 2007
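
An added example (not from the slides, Hardware Murphi or the authors' tool): a toy Python model of the check on slides 6, 8 and 10, where impl transitions fire concurrently with writes visible on the next cycle, and the interface variables are compared against one spec transition when the transaction commits. The request/reply protocol, the variable names and the `reply_buggy` transition (a double reply in the spirit of Bug 2 on slide 16) are constructed assumptions.

```python
# Toy model, constructed for illustration; not Hardware Murphi or the authors' tool.
INTERFACE = ("req", "replies")   # assumed interface variables (V_I)
START = {"req": True, "replies": 0, "buf": False, "sent": False, "committed": False}

def spec_step(s):
    """Spec: a single atomic transition serves a pending request."""
    if not s["req"]:             # guard of the spec transition
        return None
    return {**s, "req": False, "replies": s["replies"] + 1}

# Impl transitions read the current-cycle state and return only what they write.
def latch(s):                    # home unit copies the request into its buffer
    return {"buf": True, "req": False} if s["req"] and not s["buf"] else None

def reply(s):                    # send exactly one reply per buffered request
    return {"replies": s["replies"] + 1, "sent": True} if s["buf"] and not s["sent"] else None

def reply_buggy(s):              # missing "not sent" check: can fire twice
    return {"replies": s["replies"] + 1, "sent": True} if s["buf"] else None

def retire(s):                   # commit transition: frees the buffer
    return {"buf": False, "committed": True} if s["buf"] and s["sent"] else None

def cycle(state, transitions):
    """Fire all enabled transitions concurrently; writes show up next cycle."""
    nxt, written = dict(state), set()
    for t in transitions:
        upd = t(state)           # every transition reads the same old state
        if upd:
            assert written.isdisjoint(upd), "exclusive-write violation"
            written.update(upd)
            nxt.update(upd)
    return nxt

def check_refinement(impl, start=START, max_cycles=8):
    """Run one impl transaction; at commit compare V_I with one spec step."""
    expected = spec_step(start)
    if expected is None:
        return "spec guard does not hold"
    s = dict(start)
    for _ in range(max_cycles):
        s = cycle(s, impl)
        if s["committed"]:
            bad = [v for v in INTERFACE if s[v] != expected[v]]
            return f"mismatch on {bad}" if bad else "ok"
    return "transaction never committed"

if __name__ == "__main__":
    print(check_refinement([latch, reply, retire]))
    print(check_refinement([latch, reply_buggy, retire]))
```

In the buggy variant the second reply fires in the same cycle as the commit transition, because both read the buffer state from the previous cycle; the check reports it as an interface-variable mismatch rather than as a violation of a global property.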
