Specification and Encoding of Transaction Interaction Properties

Divjyot Sethi
Yogesh Mahajan
Sharad Malik
Princeton University
Hardware Verification Workshop
Edinburgh
July 15, 2010
Gap Between Specification and Implementation

Specification
• Objects are units of data
• Concurrent computation on these objects
[Figure: specification objects, an instruction frame with fields Op, Rs, Rt, Immediate, and a packet with header H, flits l1 ... ln and tail T]

Implementation
• Objects are functional logic blocks
• Concurrent communication between these objects
[Figure: implementation objects, hardware blocks M1, M2, M3 arranged as a pipeline]

Mapping of concurrent functions onto concurrent hardware blocks is captured by humans.

Consequences for Verification
• Need humans to translate correctness conditions between them
• Incomplete, expensive, error prone
• Significant barrier to automation in verification.
• Drives efforts to move design and verification to levels above RTL.
Modeling Concurrent Computation Using Transactions
• Transaction is a unit of work
• Transactions can be concurrent
• Transaction sequences
• Permits reasoning about
  • Individual transactions
  • Interactions between transactions
    • e.g. pipeline hazards
[Figure: three transactions T1, T2, T3 laid out against time, each passing through steps such as Fetch, Decode, Read, Address, Write and End; they overlap in time, contend for a shared resource, and their order defines the transaction sequence]
Transaction Interaction Properties
• Examples
  – Contention
    • Mutual exclusion
  – Sequencing
    • Ordering of packets in a router
    • Pipeline hazards
  – Priority
    • Choosing among concurrent processes
Generally deal with ordering of individual transaction instances.
Transaction Interaction Properties in RTL
• Lack high-level information
  – Example: RAW Pipeline Hazard. Where are the instructions?
• Need to instrument the design to capture high-level objects
  – Instructions in flight
• Need to state the property in terms of instrumented variables
• Human intervention limits automation
• Easier with a transaction-level model with explicit ordering information.
Big Picture
[Figure: flow diagram. Transaction-Level Model + Transaction Interaction Property → Automated Encoding → Finite Model + Temporal Logic Property → "Model Check This" (this work). Separately, the verified Transaction-Level Model → Synthesis → Synthesized RTL (previous work, CODES+ISSS 09).]
Talk Outline
• Motivation
• Modeling Transactions and Interaction Properties
• Encoding for Model Checking
• Experiments
• Related Work
• Summary
Transaction-Level Model
• Individual Transaction
  – Explicit start and end steps
  – Guarded transitions
  – Model as a Kripke structure
• Infinite array of transactions
  – Parametric, symmetric in i
  – Index i is symbolic, but an index value refers to a specific transaction
• State
  – Local
    • Transaction state
      – present step & local variables
      – Local variables constant after a transaction ends
  – Global shared state
Modeled as an infinite Kripke structure
[Figure: a transaction as a chain of guarded transitions from a Start step to an End step; transactions T1, T2, ..., Ti beside the global state (shared block M1), with the local state of Ti shown separately]
Property Specification using Indexed Temporal Logic
• Indexed transaction local variables
• Example: RAW hazard property

$\forall i, j.\; j > i \Rightarrow G\,\neg(\mathit{read}_j \wedge \neg\mathit{write}_i \wedge F(\mathit{write}_i))$

(i, j are transaction indices)

General form of property (an indexed temporal logic formula):

$\forall I.\; P(I) \Rightarrow \varphi[L(I), g]$

• I: Set of index variables, one for each interacting transaction
• P(I): Predicate on the set of indices I capturing the relationship among interacting transactions
• $\varphi[L(I), g]$: Temporal logic formula on transaction-local indexed variables and global variables
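As an added illustration (not from the slides), the Python below evaluates the RAW hazard property above on a finite, constructed trace of a transaction-level model. Each time step records the step (Fetch, Decode, Read, Address, Write, End) of every transaction in flight; read_j / write_i are taken to mean "transaction j (resp. i) is in its Read (resp. Write) step at that time", and F is evaluated over the remaining suffix of the trace.

```python
# Constructed traces (not from the slides): trace[t][k] is the step that
# transaction k occupies at time t; absent k means k is not in flight.
HAZARD_TRACE = [
    {1: "Fetch"},
    {1: "Decode", 2: "Fetch"},
    {1: "Read", 2: "Decode"},
    {1: "Address", 2: "Read"},     # T2 reads before T1 has written
    {1: "Write", 2: "Address"},
    {1: "End", 2: "Write"},
]
SAFE_TRACE = [
    {1: "Fetch"},
    {1: "Decode", 2: "Fetch"},
    {1: "Read", 2: "Decode"},
    {1: "Address", 2: "Decode"},   # T2 stalls in Decode until T1 writes
    {1: "Write", 2: "Decode"},
    {1: "End", 2: "Read"},
    {2: "Address"},
    {2: "Write"},
    {2: "End"},
]

def in_step(trace, t, k, step):
    """Indexed local variable: is transaction k in `step` at time t?"""
    return trace[t].get(k) == step

def raw_hazard_violations(trace):
    """Finite-trace evaluation of
        forall i, j. j > i  =>  G not(read_j and not write_i and F write_i).
    read_j / write_i are the Read / Write step indicators of the indexed
    transactions; F is checked over the remaining suffix of the trace.
    Returns every (i, j, t) where the body of G fails (empty = property holds)."""
    indices = sorted({k for snapshot in trace for k in snapshot})
    violations = []
    for i in indices:
        for j in indices:
            if not j > i:                       # predicate P(i, j): j > i
                continue
            for t in range(len(trace)):
                read_j = in_step(trace, t, j, "Read")
                write_i_now = in_step(trace, t, i, "Write")
                write_i_later = any(in_step(trace, u, i, "Write")
                                    for u in range(t, len(trace)))
                if read_j and not write_i_now and write_i_later:
                    violations.append((i, j, t))
    return violations

def raw_hazard_free(trace):
    return not raw_hazard_violations(trace)
```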
Encoding for Model Checking
[Figure: the infinite-state model (transactions T1, T2, ..., Ti, global state, indexed state) plus the indexed property $\forall I.\; P(I) \Rightarrow \varphi[v(I), g]$ are encoded into a finite-state model plus an LTL/CTL formula, and that pair is what gets model checked]
Handling Infinite State
Observation 1: Only a finite number of active transactions possible due to finite resources
• Finite state for active transactions
[Figure: the indexed state of the infinite model is replaced by K slots S1, S2, ..., SK holding the state of the active transactions]
K: user specified upper bound, independently verified
Handling Infinite State
But, properties may refer to local variables of transactions that have ended.
Observation 2: Can exploit non-determinism. Non-deterministically select |I| transactions for tracking past history. The model checker will implicitly consider all possible values.
[Figure: |I| slots E1, E2, ..., E|I| hold the local variables of the selected transactions, where |I| is the number of interacting transactions]
Encoding the Predicate
But, predicate evaluation needs the potentially infinite index value of the interacting transactions.
Observation 3: Can handle several (all?) useful predicates without explicit index value storage.
• Ordering constraints
  • $P(i, j) : i > j$
• Separation constraints
  • $P(i, j) : i - j > m$
  • $P(i, j) : i - j < m$
• Equality constraints
  • $P(i, j) : i = j + m$
• Inequality constraints
  • $P(i, j) : i \neq j + m$
[Figure: for I = {i, j}, the non-deterministic selectors ND_Select_i and ND_Select_j feed a predicate FSM that evaluates P(I)]
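An added example, not the authors' encoding: a Python sketch of the predicate FSM idea behind Observation 3 for I = {i, j}. Because transactions start in index order, the FSM only needs to know which of ND_Select_i / ND_Select_j fired first and how many transaction starts separate the two selections, kept in a counter that saturates at m + 1; that finite state decides every constraint kind listed above without ever storing i or j. The class, the `evaluate` driver and the `DIRECT` reference table are assumptions of this example.

```python
DIRECT = {"ordering": lambda d, m: d > 0, "gt": lambda d, m: d > m,
          "lt": lambda d, m: d < m, "eq": lambda d, m: d == m,
          "neq": lambda d, m: d != m}          # reference semantics on d = i - j

class PredicateFSM:
    """Finite-state encoding of P(i, j) for the constraint kinds on this slide.
    Transactions start in index order, so i - j equals the number of starts
    between the two selections (negative if i was selected first). A counter
    saturating at m + 1 decides each predicate; i and j are never stored."""
    def __init__(self, kind, m=0):
        self.kind, self.m, self.bound = kind, m, m + 1
        self.first = None    # 'i' or 'j': which selector fired first
        self.count = 0       # starts since the first selection, saturated
        self.done = False    # both selections have fired

    def on_start(self, select_i=False, select_j=False):
        """One transaction start, with the non-deterministic selector choices."""
        if self.done:
            return
        if self.first is None:
            if select_i and select_j:            # same transaction: i - j = 0
                self.first, self.done = "i", True
            elif select_i or select_j:
                self.first = "i" if select_i else "j"
            return
        self.count = min(self.count + 1, self.bound)   # one more start in between
        if (self.first == "j" and select_i) or (self.first == "i" and select_j):
            self.done = True

    def holds(self):
        """P(i, j) once both transactions are selected; False before that."""
        if not self.done:
            return False
        d = self.count if self.first == "j" else -self.count   # saturated i - j
        return DIRECT[self.kind](d, self.m)

def evaluate(kind, m, i, j):
    """Drive the FSM over starts 0..max(i, j) with ND_Select_i firing at
    index i and ND_Select_j at index j; returns the encoded P(i, j)."""
    fsm = PredicateFSM(kind, m)
    for k in range(max(i, j) + 1):
        fsm.on_start(select_i=(k == i), select_j=(k == j))
    return fsm.holds()

def agrees_with_direct(kind, m, n=8):
    """Check the encoding against direct arithmetic for all 0 <= i, j < n."""
    return all(evaluate(kind, m, i, j) == DIRECT[kind](i - j, m)
               for i in range(n) for j in range(n))
```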
Encoding for Model Checking: Key Components
[Figure: the finite encoding of the infinite-state model combines (1) slots S1 ... SK for the state of active transactions, (2) slots E1 ... E|I| for the local variables of ended transactions, (3) the non-deterministic selectors ND_Select_i and ND_Select_j driving the predicate FSM, together with the global state; the indexed property $\forall I.\; P(I) \Rightarrow \varphi[v(I), g]$ is encoded alongside]
Experiments
• Design examples
– Simple router
• Property: Flits are processed in order
– Simple processor
• Property: Absence of RAW hazard
• Input:
– Designs specified using a transaction-level model
– Properties specified using indexed temporal logic
• Output:
– Synthesized SMV for finite model and LTL property
– Model checked using Cadence SMV
Model Checking Results

System     Time (s)   BDD Size (Number of Nodes)   No. of State Variables   Lines of Code   K (Finite Bound)   Property Result
Router     <0.1       43324                        30                       397             3                  True
Processor  17         3152542                      50                       382             6                  False

All experiments done on an Intel Core 2 Duo 2.5GHz, 3 GB RAM machine with Windows XP.
Related Work Summary
[Table comparing four approaches: Parameterized Synchronous Systems [Emerson, Namjoshi]; Indexed CTL* Logic [Clarke, Grumberg, Brown]; Hazard Checking using Transaction Models [Malik, Mahajan]; This Work. Columns: Transaction Based System, Unbounded/Infinite State, Indexed Properties, Finite Encoding, Encoding Generation Automated. The cell entries (check marks and NA) did not survive extraction.]
Summary
• Transaction-based higher-level models enable reasoning without resorting to design instrumentation
• Main Contributions:
  – Infinite Kripke structure model for transactions with explicit indices
  – Indexed temporal logic for specifying transaction interaction properties
  – Finite encoding of design and property exploiting
    • Finiteness of hardware resources
    • Non-determinism in model checkers
    • Specific ordering relationships of interacting transactions
  – Initial prototype demonstration
Related Papers
• Y. Mahajan, C. Chan, A. Bayazit, S. Malik, and W. Qin, “Verification
driven formal architecture and microarchitecture modeling,” in
MEMOCODE ’07: Proceedings of the 5th IEEE/ACM International
Conference on Formal Methods and Models for Codesign.
Washington, DC, USA: IEEE Computer Society, 2007, pp. 123–132.
• Y. Mahajan and S. Malik, “Automating hazard checking in
transaction-level microarchitecture models,” in FMCAD ’07:
Proceedings of the Formal Methods in Computer Aided Design.
Washington, DC, USA: IEEE Computer Society, 2007, pp. 62–65.
• D. Schwartz-Narbonne, C. Chan, Y. Mahajan, and S. Malik,
“Supporting RTL flow compatibility in a microarchitecture-level
design framework,” in CODES+ISSS ’09: Proceedings of the 7th
IEEE/ACM international conference on Hardware/software codesign
and system synthesis. New York, NY, USA: ACM, 2009, pp. 343–352.