Ensuring Robustness via Early-Stage Formal

Verification

Multicore Power Management:

Anita Lungu*, Pradip Bose**, Daniel Sorin*, Steven German**, Geert Janssen**

*Duke University **IBM T. J. Watson Research Center

Memocode 2009

High Level Motivation and Goal

• Dynamic Power Management (DPM) is useful for multicore processors with power constraints

• Goal: Enable DPM to be more easily adopted in current processors– Observation: A DPM that is easier to verify is

more robust and more likely to be included in processors

– Proposal: Design verification-aware DPM schemes

Memocode 2009

DPM for Multicore Processors

• We expect DPM to– Increase power efficiency– Avoid power spikes– Cap power to allocated budget– Etc.

• But, if incorrect, DPM can– Throttle performance to unacceptable level– Exceed allocated power budget– Lead to data corruption

Need to verify DPM schemes for correctness!

Memocode 2009

• Safety: Power usage within desired levels & no deadlocks in DPM protocol– Bug: Power capping DPM often exceeds budget

• Performance: resulting performance loss is acceptable

• Functional Correctness: correct results with DPM– Bug: DPM increases dI/dt problem data

corruption

DPM Scheme Verification Goals

DPM verification is important!

Memocode 2009

Importance of DPM Verification Effort

• Design verification is challenging even without DPM!– ~60% of resources for new processor

development allocated to verification

• Important to consider DPM verification effort! – We approximate it as number of reachable

states

?

Memocode 2009

Acceptable Power/Performance?

Early inDesign

Current DPM Design and Verification DPM Scheme Concept

Detailed Simulation

Found Bug?

Sufficient Coverage?

Done

Yes

Yes

No

No

Late inDesign

High-Level Model

No

• Early design stage– Focus on DPM

performance, power– DPM verifiability

often not considered• Late design stage

– Verify DPM scheme– DPM can have

enormous reachable state space

– Difficult to change DPM concept

Memocode 2009

Acceptable Power/Performance?

Early inDesign

Proposed DPM Design and Verification DPM Scheme Concept

Detailed Simulation

Found Bug?

Sufficient Coverage?

Done

Yes

Yes

No

No

Late inDesign

High-Level Model

No

No

Successful Verification?

Verification Scalability?

High-Level Formal Model

Yes

• Validate high-level DPM concept through formal verification

• Formal verification benefits:– Exhaustive traversal

of reachable state space (of high-level model)

– Estimation of size of reachable state space (verifiability)

– Catch design bugs early

Memocode 2009

• Use verifiability as additional metric considered at early DPM design stage

• Compare verifiability of different DPM schemes

• Evaluate trade-offs between verification effort, efficiency and safety of DPM schemes

Research Contributions

DPM Parameter

Performance

Verification Effort

X X

Memocode 2009

Outline

Motivation & Proposed Approach• Illustrative DPM Verification Examples• Experiments and Results• Conclusion

Memocode 2009

FreqVDD

IPC

Core 1

Global Controller

Power Budget

Monitor Power Use

Actuate VDD, Frequency

FreqVDD

IPC

Core 2

FreqVDD

IPC

Core 3

Considered DPM Scheme• Goal: Maintain

multiprocessor power usage below an allocated budget

• Important problem for multicores– Increase in number

of cores increase in gap between average and peak power use

VDD VDD

Memocode 2009

*

1 2 3 4 5 6 7 8 9 10 11 12 13 14

Global Power

UseBudget

Max Power

Time

Actuate VDD Actuate Frequency

**

*

Considered DPM Scheme

• Global controller– Monitor power

usage– Actuate VDD and

Frequency of cores to cap power• Actuate VDD and

Frequency every 500us

• Actuate only Frequency every 100us

FrequencyVDD

IPCCore 1

Global Controller

Power Budget

Monitor Power Use

Actuate VDD, Frequency

FrequencyVDD

IPCCore 2

FrequencyVDD

IPCCore 3

Memocode 2009

DPM Parameters and Verifiability

• Questions: – What is the impact on verifiability of above design

decisions?– What are the tradeoffs between performance, verifiability

and safety?

BudgetController Actuator System

Utilization (IPC)

+

Approximate Power Usage

f(IPC, VDD, Freq)

• Controller algorithm:– Set next VDD and

Frequency so power usage < budget

• Design parameters:– Voltage levels, Frequency

levels, Cores per controller– Homogeneous vs.

heterogeneous VDD values 2 Cores per controller 3 Cores per controller

Memocode 2009

DPM Verification with PRISM Model Checker

Correct? YES

NO

Done

Model Checker

State Variable

s

Transition Rules

Correctness

Properties

0.4

0.2

0.30.1

0.6

0.40.2

0.40.4

1

• Model Description– State variables

• Current VDD, Frequency, Utilization values for all cores (~IPC)

• Possible State: – One assignment of values to state

variables from their domain• Reachable State:

– One assignment of values to state variables allowed under DPM

– Probabilistic transition rules• Probabilistic changes in utilization

– State rewards• To each state, assign tokens

representing power & performance

Memocode 2009

DPM Verification with PRISM Model Checker

Correct? YES

NO

Done

Model Checker

State Variable

s

Transition Rules

Correctness

Properties

0.4

0.2

0.30.1

0.6

0.40.2

0.40.4

1

• Correctness Properties– For every reachable state

• VDD and Frequency values matched and within range

• No deadlock– Along model execution paths

• Power over budget < X% of total power

• Performance loss < Y% of baseline

• Model Check– Build model

• Reachable states, expected values of rewards

– Check correctness properties

Memocode 2009

Outline

Motivation & Proposed Approach Illustrative DPM Verification Examples• Experiments and Results• Conclusion

Memocode 2009

Methodology

• Modeled 6 SPEC2000 benchmarks and their combinations– Art, bzip, crafty, eon, mcf, parser– Used probabilistic utilization transitions from simulation– Budget set to 25%, 40%, 50%, 70%, 100% of maximum

• Trade-offs analysis– Verifiability metric

• Number of reachable states and transitions– Performance metric

• % Performance (Frequency) vs. baseline without DVFS– Safety metrics

• % Power over budget of baseline system without DVFS• % Intervals over budget

Memocode 2009

Results: Voltage Levels

Memocode 2009

Results: Freq. Levels per Voltage Level

Memocode 2009

Conclusions

• Making design choices with verification in mind does impact the resulting verification effort

• Adding verifiability as a separate metric to be considered together with performance, reliability, and safety may lead to different design choices

Memocode 2009

Thank You!