1. Using a Formal Specification and a Model Checker to Monitor and Guide Simulation Verifying the Multiprocessing Hardware of the Alpha 21364 Microprocessor Serdar Tasiran Koç University, Istanbul, Turkey (formerly Compaq/HP Systems Research Center) Yuan Yu (Microsoft Research, formerly Compaq) Brannon Batson (Intel, formerly Compaq)

2. But first Formal Methods (i.e. mathematical, algorithmic) for Software and Hardware Designs or “Why should you care?”

3. French Guyana, June 4, 1996 $800 million software failure

4. Mars, July 4, 1997 Lost contact due to real-time priority inversion bug

5. Faulty division algorithm (Intel Pentium) $475 million replacement cost Faulty floppy disk controller (Toshiba) $2.1 billion court settlement

6. $4 billion development effort > 50% system integration & validation cost

7. 400 horses 100 microprocessors

8. Feb. 17, 2003Comp 302, Spring 2003 Cost of Finding Flaws Late

9. SCIENCE Natural Systems ENGINEERING Artificial Systems PURE Abstract Systems APPLIED Concrete Systems THEORY EXPERIMENTDESIGN ANALYSIS Veri/Falsi fication

10. DESIGN VERI/FALSIFICATION INFORMAL (ad hoc) by simulation by test FORMAL (systematic) by proof by algorithm Poor coverage High recovery cost

11. Koç University – ECE Graduate Program Typical Abstraction Layers for a Hardware Design System (Behavioral) LevelRegister Transfer Level (RTL)Gate LevelTransistor LevelLayout Level

12. Koç University – ECE Graduate Program Design Process Design : specify and enter the design intent Implement: refine the design through all phases Verify: verify the correctness of design and implementation

13. Koç University – ECE Graduate Program

18. Flavors of Verification Design Verification: Does the design make sense? If I implemented it as designed, would it satisfy the design requirements? System (Behavioral) LevelRegister Transfer Level (RTL)Gate LevelTransistor LevelLayout Level Implementation Verification: Is the implementation at the lower layer of abstraction consistent with the higher level?

19. Koç University – ECE Graduate Program Systems Design and Verification Challenges Heterogeneity (analog, digital, HW/SW) Complexity (~billion transistors, ~millions of lines of code) Time-to-market

20. Role of Computer-Aided Design and Verification Tools: Helping humans cope Transistors Processor Complexity Avg. Human IQ 1 10 100 1K 10K 100K 1M 10M 19751980198519901995 8086 68000 68020 80386 80486 68040 Pentium Pentium Pro PPC601 PPC603 8080 4004 MIPS R4000 50 80 120 140 160 180 100 Intelligence Quotient

21. Formal Verification Tools Verifier Description of system to be verified: - Finite state machine - Code written in a hardware description language Specification: -Temporal logic formula - Algorithm- or protocol-level description for design Yes No Error trace G(p  F q) p q

22. Simulation vs. Formal Verification n Simulation Not completeNot complete Need to generate expected behaviorNeed to generate expected behavior Difficult to cover corner casesDifficult to cover corner cases CPU intensiveCPU intensive –have to run billions of cycles Can handle large systemsCan handle large systems n Formal Verification Complete wrt specification No need to generate expected behavior Corner cases are automatically taken care of Most of the state-of-the-art methods are memory intensive Memory usage is strongly related with the size of systems to be verified

23. Exploring the State Space of an FSM Implicit methods: Represent sets of states with decision diagrams Representation size not proportional to number of states But still memory limited

24. 10 stars 11 10 transistors 10 states 7 100,000

25. The Moral … Verification is a serious problem Formal verification methods are great, but not practical yet on complex systems Simulation is practical, but can’t provide strong enough guarantees Next part of talk: A hybrid technique: Simulation + formal verification