Specification and Encoding of Transaction Interaction Properties Divjyot Sethi Yogesh Mahajan Sharad Malik Princeton University Hardware Verification Workshop Edinburgh July 15,

Gap Between Specification and Implementation Consequences for Verification Need humans to translate correctness conditions between them Incomplete, expensive, error prone Significant barrier to automation in verification. Specification Objects are units of data Concurrent computation on these objects I mplementation Objects are functional logic blocks Concurrent communication between these objects Packet HT Instr OpImmediateRsRt Frame l1l1 lnln M1M2M3 Pipeline Mapping of concurrent functions onto concurrent hardware blocks is captured by humans Drives efforts to move design and verification to levels above RTL.

3 Time Transaction Sequence Order Modeling Concurrent Computation Using Transactions Transaction is a unit of work Transactions can be concurrent Transaction sequences Permits reasoning about Individual transactions Interactions between transactions e.g. pipeline hazards T1T1 T2T2 T3T3 Shared Resource

Transaction Interaction Properties Examples – Contention Mutual exclusion – Sequencing Ordering of packets in a router Pipeline hazards – Priority Choosing among concurrent processes 4 Generally deal with ordering of individual transaction instances.

Transaction Interaction Properties in RTL Lack high-level information – Where are the instructions? Need to instrument the design to capture high-level objects – Instructions in flight Need to state the property in terms of instrumented variables Human intervention limits automation 5 Example: RAW Pipeline Hazard Easier with a transaction-level model with explicit ordering information.

Transaction- Level Model Transaction Interaction Property Synthesized RTL Automated Encoding Finite Model + Temporal Logic Property This Work Previous Work (CODES+ISSS 09) Big Picture Verified Synthesis + Model Check This

Talk Outline Motivation Modeling Transactions and Interaction Properties Encoding for Model Checking Experiments Related Work Summary 7

Transaction-Level Model Individual Transaction – Explicit start and end steps – Guarded transitions – Model as a Kripke structure Infinite array of transactions – Index value refers to specific transaction State – Local Transaction state – present step & local variables – Local variables constant after a transaction ends – Global shared state 8 i T1T1 T2T2 TiTi M1M1 Global State Local State Of T i End Step Start Step Guarded Transitions Modeled as an infinite Kripke structure Parametric, but not symmetric in i

Property Specification using Indexed Temporal Logic 9  i,j j>i  G~( read j & ~write i & F(write i )) Example: RAW hazard property i, j are transaction indices  I, P(I)   [L(I),g] General Form of property: I: Set of index variables, one for each interacting transaction P(I): Predicate on the set of indices I capturing relationship among interacting transactions  [L(I),g]: Temporal logic formula on transaction local indexed variables and global variables Indexed transaction local variables Indexed Temporal Logic Formula

Talk Outline Motivation Modeling Transactions and Interaction Properties Encoding for Model Checking Experiments Related Work Summary 10

Encoding for Model Checking 11 i T1T1 T2T2 TiTi M1M1 Global State Indexed State Infinite State Model  I, P(I)   [v(I),g] + Finite State Model LTL/CTL Formula + Model Check This Encode

Handling Infinite State 12 i T1T1 T2T2 TiTi M1M1 Global State Indexed State Infinite State Model  I, P(I)   [v(I),g] + Observation 1: Only a finite number of active transactions possible due to finite resources Finite state for active transactions S1S1 S2S2 SKSK State of active transactions User specified upper bound Independently verified

Handling Infinite State 13 i T1T1 T2T2 TiTi M1M1 Global State Indexed State Infinite State Model  I, P(I)   [v(I),g] + But, properties may refer to local variables of transactions that have ended. Observation 2: Can exploit non-determinism. Non-deterministically select |I| transactions for tracking past history. The model checker will implicitly consider all possible values. E1E1 E2E2 E |I| Local variables of selected transactions Number of interacting transactions

Encoding the Predicate 14 i T1T1 T2T2 TiTi M1M1 Global State Indexed State Infinite State Model  I, P(I)   [v(I),g] + But, predicate evaluation needs the potentially infinite index value of the interacting transactions. Observation 3: Can handle several (all?) useful predicates without explicit index value storage. Ordering Constraints P(i, j) : i > j Separation Constraints P(i, j) : i − j > m P(i, j) : i − j < m Equality Constraints: P(i, j) i = j + m Inequality constraints P(i, j) : i  j + m Predicate FSM ND_Select i ND_Select j I = {i,j}

Encoding for Model Checking 15 i T1T1 T2T2 TiTi M1M1 Global State Indexed State Infinite State Model  I, P(I)   [v(I),g] + Key Components Predicate FSM ND_Select i ND_Select j S1S1 S2S2 SKSK State of active transactions E1E1 E2E2 E |I| Local variables of ended transactions

Talk Outline Motivation Modeling Transactions and Interaction Properties Encoding for Model Checking Experiments Related Work Summary 16

Experiments Design examples – Simple router Property: Flits are processed in order – Simple processor Property: Absence of RAW hazard Input: – Designs specified using a transaction-level model – Properties specified using indexed temporal logic Output: – Synthesized SMV for finite model and LTL property – Model checked using Cadence SMV 17

Model Checking Results 18 All experiments done on Intel Core 2 Duo 2.5GHz 3 GB RAM Machine with Windows XP

Talk Outline Motivation Modeling Transactions and Interaction Properties Encoding for Model Checking Experiments Related Work Summary 19

Related Work Summary 20

Talk Outline Motivation Modeling Transactions and Interaction Properties Encoding for Model Checking Experiments Related Work Summary 21

Summary Transaction-based higher-level models enable reasoning without resorting to design instrumentation Main Contributions: – Infinite Kripke structure model for transactions with explicit indices – Indexed temporal logic for specifying transactions interactions properties – Finite encoding of design and property exploiting Finiteness of hardware resources Non-determinism in model checkers Specific ordering relationships of interacting transactions – Initial prototype demonstration 22

Related Papers Y. Mahajan, C. Chan, A. Bayazit, S. Malik, and W. Qin, “Verification driven formal architecture and microarchitecture modeling,” in MEMOCODE ’07: Proceedings of the 5th IEEE/ACM International Conference on Formal Methods and Models for Codesign. Washington, DC, USA: IEEE Computer Society, 2007, pp. 123–132. Y. Mahajan and S. Malik, “Automating hazard checking in transaction-level microarchitecture models,” in FMCAD ’07: Proceedings of the Formal Methods in Computer Aided Design. Washington, DC, USA: IEEE Computer Society, 2007, pp. 62–65. D. Schwartz-Narbonne, C. Chan, Y. Mahajan, and S. Malik, “Supporting RTL flow compatibility in a microarchitecture-level design framework,” in CODES+ISSS ’09: Proceedings of the 7th IEEE/ACM international conference on Hardware/software codesign and system synthesis. New York, NY, USA: ACM, 2009, pp. 343–