Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ."— Presentation transcript:

1 A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ. of Utah) Mandayam Srivas (SRI International)

2 2 Talk Organization Motivation Completion Functions Approach Key contribution of the talk Detailed illustration Conclusions

3 3 Motivation Pipelined processor verification –Increasingly complex designs –Need for formal verification Theorem provers –Focus on the relevant aspects only To verify large, complex designs: –Automation –Decomposition

4 4 Problem Definition Need a verification methodology that –Is amenable to decomposition –Uses decision procedures Solution: Completion Functions Approach

5 5 What are Completion Functions? Desired effect of retiring an unfinished instruction in an atomic fashion ab c RF C_b

6 6 Abstraction Function Need to define an abstraction function Flushing the pipeline Our idea: Define abstraction function as a Composition of Completion Functions Impl. Machine Step Spec. Machine Step

7 7 Main Features Decomposition into verification conditions RF ab c C_bC_aC_c L_ab Abs. fn = C_a o C_b o C_c One VC is: C_a == L_ab o C_b

8 8 Main Features Continued VCs generated systematically & discharged often automatically Incremental verification No explicit intermediate abstraction Methodology implemented in PVS

9 9 Examples Verified Three examples (CAV98) –DLX –Dual issue DLX –Example with limited out-of-order execution Example with a reorder buffer & alu instructions only (CAV99)

10 10 In-order vs Out-of-order Retirement I D W W D E E W I I D E Same effect on RF Current state Next

11 11 Contributions of this Paper Extend completion functions approach to handle out-of-order retirement –hard to support exceptions & speculation –specialized processors Verified an implementation of Tomasulo’s algorithm without a reorder buffer

12 12 Details of the Proof The implementation model Correctness criterion Key ideas Proof of correctness Liveness proof

13 13 Processor Model EU1EUm RS RFRTT

14 14 Correctness Criterion Abstraction I_step A_step/  impl_st

15 15 Completion Functions Approach for Out-of-order Retirement Completion function returns the value computed by an instruction –Recursively complete instructions it is dependent on Abstraction function updates all registers –Latest pending instruction to write a register

16 16 The Completion Function EU1EUm Value_issued Value_executed Value_dispatched RS RFRTT

17 17 Value_issued Definition opcode src1_rse src1_val... = 0 /= 0 op1 := src1_val op1 := Complete(src1_rse) Value_issued := alu(opcode,op1,op2) Reservation Station Entry

18 18 Abstraction Function RFRTT rsi... 0 Complete(rsi) Unchanged

19 19 Main Verification Condition Same Complete(rsi) DDIIEDIEEE Next state Current state

20 20 Instruction-state Transitions IE Disp? Not Disp? Exec? Not Exec? Wback? Not Wback? D

21 21 Establishing the Main Verification Condition Value_executed Value_dispatched Next state Current state DDIIEDIEEE Same

22 22 Another Scenario DIEEIDDIIEI Current state Next state Induction Hypothesis Feedback Logic Correctness

23 23 Correctness Criterion Repeated Abstraction I_step A_step/  impl_st

24 24 Proving Commutative Diagram Complete(new) RTT in next state ISA spec. value RTT in current state Complete(rsi) rsi.. new 0.. Complete(rsi)Unchanged Spec. pathImpl. path

25 25 Invariants Needed Measure function related –Measure of instruction producing the source value is less than the given instruction Instruction validity invariants

26 26 PVS Proof Statistics Proof strategies –Induction obligations: Very similar strategy –Operand correctness & commutative diagram: Very similar strategy –Invariants: No uniform strategy Manual effort –7 person days of “first time” effort 500 seconds on 167MHz UltraSparc

27 27 Liveness Properties Two liveness properties –Eventually the processor gets flushed –Eventually a new instruction is executed Again based on Instruction-state transitions

28 28 Liveness Proof IDE Disp? Not Disp? Exec? Not Exec? Wback? Not Wback? Scheduler

29 29 Related Work Theorem proving: –Arons & Pnueli Model checking: –McMillan –Berezin et al –Henzinger et al MAETT, Incremental flushing

30 30 Work in Progress Mechanizing the liveness proofs Bringing the methodology closer to practice –More automated decision procedures –Automatic discovery of invariants –Integration into the design process

31 31 Conclusions Well suited for verifying processors with out-of-order retirement Completion Functions Approach has been applied on a wide variety of examples

32 32 Recent Verification Effort Also applied to verify a processor with: – a reorder buffer – alu, memory & branch instructions – store buffer & load value forwarding – exceptions – speculative execution – user & supervisory modes of operation

33 33 Manual Effort on all Examples DLX/Dual issue DLX : 2 months –Initial experiments Simple out-of-order execution: 14 days In-order retirement, reorder buffer example: 12 days Out-of-order retirement: 7 days Significantly complex example: 35 days

34 34 Conclusions Reasonable manual effort Scope for further increasing the automation Completion Functions Approach is a promising and a viable approach to verifying complex pipelined processors

Download ppt "A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ."

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.

Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Speeding it up Part 3: Out-Of-Order and SuperScalar execution dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Speeding it up Part 3: Out-Of-Order and SuperScalar execution dr.ir. A.C. Verschueren.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.

Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
ECE 2162 Tomasulo’s Algorithm. Implementing Dynamic Scheduling Tomasulo’s Algorithm –Used in IBM 360/91 (in the 60s) –Tracks when operands are available.

ECE 2162 Tomasulo’s Algorithm. Implementing Dynamic Scheduling Tomasulo’s Algorithm –Used in IBM 360/91 (in the 60s) –Tracks when operands are available.
THE MIPS R10000 SUPERSCALAR MICROPROCESSOR Kenneth C. Yeager IEEE Micro in April 1996 Presented by Nitin Gupta.

THE MIPS R10000 SUPERSCALAR MICROPROCESSOR Kenneth C. Yeager IEEE Micro in April 1996 Presented by Nitin Gupta.
Microprocessor Microarchitecture Dependency and OOO Execution Lynn Choi Dept. Of Computer and Electronics Engineering.

Microprocessor Microarchitecture Dependency and OOO Execution Lynn Choi Dept. Of Computer and Electronics Engineering.
Spring 2003CSE P5481 Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers)

Spring 2003CSE P5481 Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers)
1 COMP 206: Computer Architecture and Implementation Montek Singh Mon., Oct. 14, 2002 Topic: Instruction-Level Parallelism (Multiple-Issue, Speculation)

1 COMP 206: Computer Architecture and Implementation Montek Singh Mon., Oct. 14, 2002 Topic: Instruction-Level Parallelism (Multiple-Issue, Speculation)
Advanced Computer Architecture Lab University of Michigan MASE Eric Larson MASE: Micro Architectural Simulation Environment Eric Larson, Saugata Chatterjee,

Advanced Computer Architecture Lab University of Michigan MASE Eric Larson MASE: Micro Architectural Simulation Environment Eric Larson, Saugata Chatterjee,
CS 211: Computer Architecture Lecture 5 Instruction Level Parallelism and Its Dynamic Exploitation Instructor: M. Lancaster Corresponding to Hennessey.

CS 211: Computer Architecture Lecture 5 Instruction Level Parallelism and Its Dynamic Exploitation Instructor: M. Lancaster Corresponding to Hennessey.
CPE 731 Advanced Computer Architecture ILP: Part IV – Speculative Execution Dr. Gheith Abandah Adapted from the slides of Prof. David Patterson, University.

CPE 731 Advanced Computer Architecture ILP: Part IV – Speculative Execution Dr. Gheith Abandah Adapted from the slides of Prof. David Patterson, University.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Similar presentations

Ads by Google