1. Scaling Formal Methods Toward Hierarchical Protocols in Shared Memory Processors Presenters: Ganesh Gopalakrishnan and Xiaofang Chen School of Computing, University of Utah, Salt Lake City, UT 84112 {ganesh, xiachen}@cs.utah.edu http://www.cs.utah.edu/formal_verification GRC CADTS Review, Berkeley, March 18, 2008 Supported by SRC Contract TJ-1318 (Intel Customization)

2. 2 Multicores are the future! Their caches are visibly central… (photo courtesy of Intel Corporation.) > 80% of chips shipped will be multi-core

3. 3 Hierarchical Cache Coherence Protocols will play a major role in multi-core processors Chip-level protocols Inter-cluster protocols Intra-cluster protocols dir mem dir mem …  State Space grows multiplicatively across the hierarchy!  Verification will become harder

4. 4 Protocol design happens in “the thick of things” (many interfaces, constraints of performance, power, testability). From “High-throughput coherence control and hardware messaging in Everest,” by Nanda et.al., IBM J.R&D 45(2), 2001.

5. 5 Future Coherence Protocols  Cache coherence protocols that are tuned for the contexts in which they are operating can significantly increase performance and reduce power consumption [Liqun Cheng] Producer-consumer sharing pattern-aware protocol [Cheng et.al, HPCA07]  21% speedup and 15% reduction in network traffic Interconnect-aware coherence protocols [Cheng et.al., ISCA06]  Heterogeneous Interconnect  Improve performance AND reduce power  11% speedup and 22% wire power savings Bottom-line: Protocols are going to get more complex!

6. 6 Main Result #1 : Hierarchical RAC L2 Cache+Local Dir L1 Cache Main Mem Home ClusterRemote Cluster 1Remote Cluster 2 L1 Cache Global Dir RAC L2 Cache+Local Dir L1 Cache RAC L2 Cache+Local Dir L1 Cache Intra-cluster Inter-cluster  Developed way to reduce verification complexity of hierarchical (CMP) protocols using A/G

7. 7 Main Result #2 : Refinement Developed way to Verify a Proposed Refinement of ONE unit into its low level (RTL) implementation

8. 8 Main Result #2 : Refinement Developed way to Verify a Proposed Refinement of ONE unit into its low level (RTL) implementation Murphi

9. 9 Main Result #2 : Refinement Developed way to Verify a Proposed Refinement of ONE unit into its low level (RTL) implementation Murphi

10. 10 Main Result #2 : Refinement Developed way to Verify a Proposed Refinement of ONE unit into its low level (RTL) implementation Murphi HMurphi

11. 11 Differences in Modeling: Specs vs. Impls home remote One step in high-level Multiple steps in low-level an atomic guarded/command home router buf remote

12. 12 Our Refinement Check Spec( I ) I Spec( I ’) Spec transition Multi-step Impl transaction I’ Guard for Spec transition must hold I is a reachable Impl state Observable vars changed by either must match

13. 13 Workflow of Our Refinement Check Hardware Murphi Impl model Product model in Hardware Murphi Product model in VHDL Murphi Spec model Property check Muv Check implementation meets specification

14. 14 Anticipated Future Result Developed way to Verify a Proposed Refinement of the ENTIRE hierarchy

15. 15 Anticipated Future Result Deal with pipelining Sequential Interaction Pipelined Interaction

16. 16 Anticipated Future Result Develop ways to “tease apart” protocols that are “blended in” e.g. for power-down or post-si observability enhancement More protocols….. do they interfere?

17. 17 Basics  PI : Ganesh Gopalakrishnan  Industrial Liaisons : Ching Tsun Chou (Intel), Steven M. Geman (IBM), John W. O’Leary (Intel), Jayanta Bhadra (Freescale), Alper Sen (Freescale), Aseem Maheshwari (TI)  Primary Student : Xiaofang Chen  Graduation Date : Writing PhD Dissertation; in the market  Other Students :Yu Yang (PhD), Guodong Li (PhD), Michael DeLisi (BS/MS)  Anticipated Results: Hierarchical : Methodology for Hierarchical (Cache Coherence) Protocol Verification, with Emphasis on Complexity Reduction (was in original SRC proposal) Refinement : Methodology for Expressing and Verifying Refinement of Higher Level Protocol Descriptions (not in original SRC proposal)

18. 18 Basics  Deliverables (Papers, Software, Xiaofang’s Dissertation) Hierarchical:  Methodology for Applying A/G Reasoning for Complexity Reduction  Verified Protocol Benchmarks – Inclusive, Non-Inclusive, Snoopy (Large Benchmarks)  Automatic Abstraction Tool in support of A/G Reasoning Refinement:  Muv Language Design (for expressing Designs)  Refinement Checking Theory and Methodology  Complete Muv tool implementation

19. 19 What’s Going On  Accomplishments during the past year Hierarchical:  Finishing Non-inclusive Hierarchical Protocol Verif  Developing and Verifying a Hier. Protocol with a Snoopy First Level

20. 20 Experimental Results on One Hierarchical Protocol

21. 21 A Snoopy Multicore Protocol  Motivation: Snoop protocols commonly used in 1st level of caches Have applied our approach on directory protocols How about snoop protocols?

22. 22 Applying Our Approach  Abstracted protocols  Experimental results

23. 23 What’s Going On  Accomplishments during the past year (contd.) Refinement:  HMurphi was fleshed out in great detail  Most of Muv was implemented (a large portion during IBM T.J. Watson Internship) – joint work with Steven German and Geert Janssen

24. 24 What’s Going On  Future directions Hierarchical + Refinement  Develop ways to verify hierarchies of HMurphi modules interacting Pipelining Teasing out protocols supporting non-functional aspects  Power-down protocols  Protocols to enhance Post-si Observability Architectural Characterization  How do we describe the “ISA” of future multi-core machines?  How do we make sure that this ISA has no hidden inconsistencies

25. 25 What’s Going On  Technology Transfer & Industrial Interactions With Liaisons  Publications FMCAD 06, FMCAD 07, HLDVT 07 TECHCON 07 (best session paper award) Journal paper and Dissertation (under prep) Request to IBM for Open-sourcing Muv has been placed

26. 26 Overview of “Hierarchical”  Given a protocol to verify, create a verification model that models a small number of clusters acting on a single cache line Verification Model Inv P Home Remote Global directory

27. 27 2. Exploit Symmetries  Model “home” and the two “remote”s (one remote, in case of symmetry) Verification Model Inv P

28. 28 3. Initial abstraction will be extreme; slowly back-off from this extreme… Inv P1 Inv P2 Inv P3  P1 fails  Diagnose failure  Bug  report to user  False Alarm  Diagnose where guard is overly weak  Add Strengthening Guard  Introduce Lemma to ensure Soundness of Strengthening

29. 29 Overview of Theory Involved

30. 30 3. Create Abstract Models (three models in this example) Inv P Inv P1Inv P2 Inv P3

31. 31 Step 1 of Refinement Inv P1 Inv P2 Inv P3 Inv P1 Inv P2 Inv P3’

32. 32 Step 2 of Refinement Inv P1 Inv P2 Inv P3 Inv P1 Inv P2 Inv P3’ Inv P1 Inv P2’ Inv P3’

33. 33 Final Step of Refinement Inv P1 Inv P2 Inv P3 Inv P1 Inv P2 Inv P3’ Inv P1’ Inv P2’ Inv P3’ Inv P1 Inv P2’ Inv P3’’

34. 34 Detailed Presentation of Refinement Note: Three examples have been presented in full detail at http://www.cs.utah.edu/formal_verification/muv

35. 35 Our Approach of Refinement Check Hardware Murphi Impl model Product model in Hardware Murphi Product model in VHDL Murphi Spec model Property check Muv Check implementation meets specification

36. 36 Basic Features of Hardware Murphi vs Murphi … signal s1, s2 … s1 <= … chooserule rules; end; … firstrule rules; end; … transaction rule-1; rule-2; … end; …

37. 37 Language Extensions to Hardware Murphi (I) --include spec.m correspondence u1[0..7] :: v1[1..8]; u1 :: v2; end;  Directives  Joint variables correspondence

38. 38 Language Extensions to Hardware Murphi (II) transactionset p1:T1; p2:T2 do transaction … end;  Transactionset rule:id guard ==> action; ruleset p1:T1; p2:T2 do rule:id … end;  Rules with IDs

39. 39 Language Extensions to Hardware Murphi (III) >; >; …  Execute a rule by ID var[i] <:= data;  Fine-grained assignments for write-write conflicts

40. 40

41. 41

42. 42 Our Extensions to Muv  Language extensions support  Automatic assertion generation for refinement Ensure exclusive write to a var in each clock cycle Serializability check for spec rules Enableness for spec rules Joint vars equivalence when inactive  Many done with static analysis

43. 43 Refinement Extensions to Muv (I) v := d; for i: s1..s2 do assert (update_bits[i] = false); end; v := d; for i: s1..s2 do update_bits[i] := true; end;  No write-write conflicts

44. 44 Refinement Extensions to Muv (II)  Serializability for specification rules S0S0 S1S1 S0S0 S1S1 t1t1 t2t2 t3t3 S’ 1 S’ 2 t1t1 t2t2 t3t3  Obtain read and write sets of variables of each rule  Analyze read-write dependency  Check for cycles

45. 45 Check for Dependency Cycles S0S0 S1S1 S0S0 S1S1 t1t1 t2t2 t3t3 S’ 1 S’ 2 t1t1 t2t2 t3t3 t 3 write v 2, read v 3 t 1 read v 1, write v 3 t 2 write v 1, read v 2

46. 46 Refinement Extensions to Muv (III) rule:id guard  action; bool function id_guard() {…} void procedure id_action(…) {…}  Enableness of specification rules >; assert id_guard(); id_action();

47. 47 Refinement Extensions to Muv (IV)  Joint variables equivalence when inactive  For each joint variable v When all transactions that write to v are inactive v must be equivalent in Impl and Spec … transaction T1 … transaction T2 … … assert inactive(T1) & inactive(T2) => v = v’;

48. 48 The Cache Coherence Protocol Benchmark S. German and G. Janssen, IBM Research Tech Report 2006 Buf Remote DirCache Mem Router Buf Local Home Remote DirCache Mem Local Home

49. 49 Details of the Cache Example  Hardware Murphi model ~2500 LOC 15 transactionsets  Generated VHDL ~1000 assertions, of which ~800 are write-write conflicts check assertions Took ~16min with SixthSense for all assertions Took ~13min w/o write-write conflicts check

50. 50 Bugs Found with Refinement Check  Benchmark satisfies cache coherence already  Bugs still found Bug 1: router unit loses messages Bug 2: home unit replies twice for one request Bug 3: cache unit gets updated twice from 1 reply  Refinement check is an automatic way of constructing such checks

51. 51 Model Checking Approaches  Monolithic Straightforward property check  Compositional Divide and conquer

52. 52 Compositional Refinement Check  Reduce the verification complexity  Basic Techniques Abstraction  Removing details to make verification easier Assume guarantee  A simple form of induction which introduces assumptions and justifies them

53. 53 Experimental Results Verification Time 1-bit 10-bit 1-day Datapath  Configurations 2 nodes, 2 addresses, SixthSense 30 min Monolithic approach Compositional approach

54. 54 A Simple 2-Stage Pipelined Stack pipelined pushes pipelined pops overlapped pop & push  Push: increase counter + push data  Pop: decrease counter + pop data

55. 55 Future Work  Muv-like refinement check for interaction modules RTL modules interaction via communication protocols Interfaces involving buffers and pipelining  Refinement of initial RTL protocols Power-down issues Post-silicon validation support Runtime verification support Safe augmentation of verified protocols Cheap re-verification