Formal Verification of a Novel Snooping Cache Coherence Protocol for CMP

1. Formal Verification of a Novel Snooping Cache Coherence Protocol for CMP Xuemei Zhao, Karl Sammut, and Fangpo He Flinders University, Australia

2. Background • The emergence of CMP brings huge research space to increase performance • More caches on chip, low L2 latency, fast cache-to-cache access • Traditional SMP memory hierarchy and cache coherence protocol will diminish CMP’s performance. • Two traditional structures: Private L2 and Shared L2. Two protocols: Snooping protocol, Directory-based protocol • Formal verification is useful for discovering and correcting any errors at the early stage.

3. Outline • Cache architecture of SPS2 • Description of SPS2 protocol • Verification using Hytech • Verification using SMV • Conclusion

4. Cache Architecture Private L2 Banked Shared L2 SPS2 Nahalal layout

5. Advantages of SPS2 • PL2 and SL2 could use different association mechanism • PL2 and SL2 could have different size and replacement policy • PL2 leads to low latency. • SL2 provides high capacity • No need new CPU instruction, simple interface

6. Description of SPS2 • Based on MOSI ( Modified, Owned, Shared, Invalid) protocol • PL1 with state (M, O, S, I) • PL2 with state (M, O, I) • SL2 with state (S, I) • Write-invalidation policy on write-back cache Exclusive Inclusive

7. SPS2 Protocol • Read Miss – issue GETS • Read Hit • Write Miss – issue GETX • Write Hit • PL1 Replacement • PL2 Replacement • SL2 Replacement

8. State Graph Vector {XYZ} represents the state of PL1, PL2 and SL2 in a node. There are seven possible states, i.e., III, IIS, SIS, MII, IMI, OIS, and IOS. (a) Command from processor perspective (b) Command from bus perspective

9. Verification using Hytech • Hytech, an abstraction level model checker • To validate protocol independent of the number of processors, we use EFSM to model parameterized coherence protocol • global machine MG = <QG,∑G,F,δG>, QG , set of possible states of cache blocks, ∑G ,set of operations , F, set of characteristic functions, δG, set of state transitions

10. EFSM expression of SPS2 (r1) SIS+OIS+MII≥1→__ (r2) III≥1, MII=0, IMI=0 → III'=0, SIS'=SIS+1, IIS'=IIS+III-1 (r3) III≥1, MII≥1 → III'=0, SIS'=SIS+1, MII'=MII-1, OIS'=OIS+1, IIS'=IIS+III-1 (r4) III≥1, IMI≥1 → III'=0, SIS'=SIS+1, IMI'=IMI-1, IOS'=IOS+1, IIS'=IIS+III-1 (r5) IIS≥1 → IIS'=IIS-1, SIS'=SIS+1 (r6) IMI≥1 → MII'=MII+1, IMI'=IMI-1 (r7) IOS≥1 → OIS'=OIS+1, IOS'=IOS-1 …… ...... Read hit event (r1), read miss events (r2) – (r7)

11. Verification using EFSM in Hytech Define all possible sources of data inconsistency • OIS >=1 & MII >=1 • OIS >=2 • IIS >=1 & IMI >=1 • … As proved in [14][16][17], data consistency could be verified.

12. Verification using SMV • SMV is an intermediate formal verification tool. • To avoid state explosion, SMV uses OBDD (ordered binary decision diagrams), which could check finite-state systems satisfy specification given in CTL • Protocols have been proven by SMV: Gigamax, Futurebus+, FLASH

13. Modeling SPS2 using SMV • ASSIGN 1init(state) := III; 2next(state) := 3case 4CMD=none: 5 case 6 ... 7 1: state; 8 esac; 9master: 10 case 11 CMD=gets: 12 case 13 state=III: SIS; 14 1: any; 15 esac; 16 CMD=read: 17case 18 state=IIS: SIS; 19 state=IOS: OIS; 20 state=IMI: MII; 21 state in {SIS, MII, OIS}: state; 221: any; 23 esac; 24 ... 25

14. Verification using SMV For data integrity • AG (p1.shared → p2.shared) • AG (p1.state=SIS & p2.state=SIS → p1.data = p2.data) • AG (p1.state=OIS & p2.state=IIS → p1.data = p2.data) For liveness • AG EF p1.state=OIS or AG EF p1.state=MII or • AG EF p1.state=SIS or • AG EF p1.readable or AG EF p1.writable

15. Conclusion • SPS2 takes advantages of the low latency of L2P and the high capacity of L2S. • New proposed state graph is used for description of SPS2 and verification • Using two formal verification method, function correctness of SPS2 is proven

16. Thanks, any question is appreciated!

17. Simulation Result • Simulator: GEMS + SIMICS