Using a Formal Specification and a Model Checker to Monitor and Guide Simulation: Verifying the Multiprocessing Hardware of the Alpha Microprocessor
Serdar Tasiran, Koç University, Istanbul, Turkey (formerly Compaq/HP Systems Research Center); Yuan Yu (Microsoft Research, formerly Compaq); Brannon Batson (Intel, formerly Compaq)

But first: Formal Methods (i.e. mathematical, algorithmic) for Software and Hardware Designs, or "Why should you care?"
Costly failures:
- French Guiana, June 4, 1996: $800 million software failure
- Mars, July 4, 1997: lost contact due to a real-time priority inversion bug
- Faulty division algorithm (Intel Pentium): $475 million replacement cost
- Faulty floppy disk controller (Toshiba): $2.1 billion court settlement
- $4 billion development effort, of which more than 50% is system integration and validation cost
- 400 horses, 100 microprocessors

Cost of Finding Flaws Late (Comp 302, Spring 2003, Feb. 17, 2003)
SCIENCE (natural systems) vs. ENGINEERING (artificial systems); PURE (abstract systems) vs. APPLIED (concrete systems). The activities: THEORY, EXPERIMENT, DESIGN, ANALYSIS (verification/falsification).

Design verification/falsification:
- INFORMAL (ad hoc): by simulation, by test
- FORMAL (systematic): by proof, by algorithm
Poor coverage; high recovery cost.
Koç University – ECE Graduate Program

Typical Abstraction Layers for a Hardware Design: System (Behavioral) Level, Register Transfer Level (RTL), Gate Level, Transistor Level, Layout Level.

Design Process:
- Design: specify and enter the design intent
- Implement: refine the design through all phases
- Verify: verify the correctness of the design and the implementation

Flavors of Verification:
- Design Verification: Does the design make sense? If I implemented it as designed, would it satisfy the design requirements?
- Implementation Verification: Is the implementation at the lower layer of abstraction consistent with the higher level?

Systems Design and Verification Challenges: heterogeneity (analog, digital, HW/SW); complexity (~billion transistors, ~millions of lines of code); time-to-market.
Role of Computer-Aided Design and Verification Tools: helping humans cope. [Chart: processor complexity in transistors (1K, 10K, 100K, 1M, 10M; Pentium, Pentium Pro, PPC601, PPC, MIPS R) plotted against the average human IQ.]

Formal Verification Tools. Inputs to the verifier: a description of the system to be verified (a finite state machine, or code written in a hardware description language) and a specification (a temporal logic formula such as G(p → F q), or an algorithm- or protocol-level description of the design). Output: Yes, or No with an error trace.

Simulation vs. Formal Verification
Simulation:
- Not complete
- Need to generate expected behavior
- Difficult to cover corner cases
- CPU intensive: have to run billions of cycles
- Can handle large systems
Formal Verification:
- Complete with respect to the specification
- No need to generate expected behavior
- Corner cases are automatically taken care of
- Most state-of-the-art methods are memory intensive
- Memory usage is strongly related to the size of the system to be verified
Exploring the State Space of an FSM. Implicit methods: represent sets of states with decision diagrams; the representation size is not proportional to the number of states, but it is still memory limited.

[Slide comparing orders of magnitude (number of stars, number of transistors, number of states); the exponents were lost in extraction: "10 stars transistors 10 states 7 100,000"]
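The verifier box described above (system description plus a specification such as G(p → F q), answering Yes or No with an error trace) and the state-space exploration just mentioned can be shown concretely with an explicit-state model checker. The following is an added example written for this page; it is not the slides' or the Alpha project's code, and it uses explicit enumeration rather than decision diagrams. The model, a two-requester arbiter with a hypothetical fixed-priority policy and a hypothetical round-robin policy, is constructed for illustration. The checker handles the safety question (an invariant over all reachable states) and the liveness question G(req1 → F grant1), where a counterexample is a lasso: a path to a cycle on which q never holds.

```python
"""Explicit-state model checking of a small arbiter FSM (added example, not from the slides)."""
from collections import deque
from itertools import product


# ---- Generic explicit-state checker -----------------------------------------

def reachable(initial, successors):
    """Breadth-first exploration. Returns (set of reachable states, parent map for traces)."""
    parent = {s: None for s in initial}
    queue = deque(initial)
    while queue:
        s = queue.popleft()
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return set(parent), parent


def trace_to(state, parent):
    """Rebuild the path from an initial state to `state` using the BFS parent map."""
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]


def check_invariant(initial, successors, inv):
    """Safety: None if `inv` holds in every reachable state, else an error trace to a violation."""
    states, parent = reachable(initial, successors)
    for s in states:
        if not inv(s):
            return trace_to(s, parent)
    return None


def check_response(initial, successors, p, q):
    """Liveness G(p -> F q). A counterexample is an infinite run that reaches a p-state and
    never reaches a q-state afterwards; in a finite FSM that is a lasso: a path from a
    reachable (p and not q) state into a cycle, all of whose states satisfy not q.
    A state with no successors stutters (self-loop), as TLC treats deadlock-free stuttering."""
    states, parent = reachable(initial, successors)

    def succ_not_q(s):
        nxt = successors(s)
        if not nxt:
            return [s]
        return [t for t in nxt if not q(t)]

    GREY, BLACK = 1, 2          # GREY = on the DFS stack, BLACK = fully explored, no cycle
    colour = {}
    for start in states:
        if not (p(start) and not q(start)) or colour.get(start) == BLACK:
            continue
        colour[start] = GREY
        path = [start]
        stack = [iter(succ_not_q(start))]
        while stack:
            for t in stack[-1]:
                c = colour.get(t)
                if c == GREY:                 # back edge: a cycle that never satisfies q
                    return trace_to(start, parent) + path[1:] + [t]
                if c is None:
                    colour[t] = GREY
                    path.append(t)
                    stack.append(iter(succ_not_q(t)))
                    break
            else:
                colour[path.pop()] = BLACK
                stack.pop()
    return None


# ---- The model (constructed): two requesters and an arbiter -------------------
# State = (req0, req1, grant, last); grant in {None, 0, 1}; last = most recently granted.
INITIAL = [(False, False, None, 1)]


def make_successors(policy):
    def successors(s):
        req0, req1, grant, last = s
        if grant is not None:
            # The holder releases; in the same step any idle requester may (re)request.
            req = [req0, req1]
            req[grant] = False
            return {(req[0] or a, req[1] or b, None, grant) for a, b in product((False, True), repeat=2)}
        if req0 or req1:
            return {(req0, req1, policy(req0, req1, last), last)}     # arbiter decides
        return {(a, b, None, last) for a, b in product((False, True), repeat=2)}  # idle
    return successors


def priority(req0, req1, last):
    """Hypothetical fixed-priority policy: requester 0 always wins (starves requester 1)."""
    return 0 if req0 else 1


def round_robin(req0, req1, last):
    """Hypothetical round-robin policy: alternate when both are pending."""
    return 1 - last if (req0 and req1) else (0 if req0 else 1)


def grant_is_requested(s):      # safety: a grant is only ever held by a requester that asked
    req0, req1, grant, last = s
    return grant is None or (req0, req1)[grant]


def req1_pending(s):            # p
    return s[1]


def granted_1(s):               # q
    return s[2] == 1


def run_checks(policy):
    succ = make_successors(policy)
    return {"states": len(reachable(INITIAL, succ)[0]),
            "safety": check_invariant(INITIAL, succ, grant_is_requested),
            "liveness": check_response(INITIAL, succ, req1_pending, granted_1)}


if __name__ == "__main__":
    for name, pol in (("priority", priority), ("round_robin", round_robin)):
        r = run_checks(pol)
        print(name, r["states"], "reachable states")
        print("  safety:", "Yes" if r["safety"] is None else ("No, trace: %s" % r["safety"]))
        print("  G(req1 -> F grant1):", "Yes" if r["liveness"] is None else ("No, lasso: %s" % r["liveness"]))
```

Both policies satisfy the safety invariant, but only the round-robin policy satisfies the response property; for the priority policy the checker returns a lasso in which requester 0 keeps re-requesting and winning while requester 1 stays pending. Because every reachable state is enumerated and stored, memory grows with the number of states, which is exactly the limitation the slides attribute to explicit and implicit state-space methods alike.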
The Moral: Verification is a serious problem. Formal verification methods are great, but not yet practical on complex systems. Simulation is practical, but cannot provide strong enough guarantees. Next part of the talk: a hybrid technique, simulation + formal verification.