Using a Formal Specification and a Model Checker
to Monitor and Guide Simulation
Verifying the Multiprocessing Hardware of the Alpha 21364 Microprocessor
Serdar TasiranKoç University, Istanbul, Turkey
(formerly Compaq/HP Systems Research Center)
Yuan Yu (Microsoft Research, formerly Compaq)Brannon Batson (Intel, formerly Compaq)
But first But first
Formal MethodsFormal Methods (i.e. mathematical, algorithmic)(i.e. mathematical, algorithmic)
for for Software and Hardware Software and Hardware
DesignsDesigns
oror“Why should you care?”“Why should you care?”
French Guyana, June 4, 1996$800 million software failure
Mars, July 4, 1997Lost contact due to real-time priority inversion bug
Faulty division algorithm (Intel Pentium)$475 million replacement cost
Faulty floppy disk controller (Toshiba)$2.1 billion court settlement
$4 billion development effort> 50% system integration & validation cost
400 horses100 microprocessors
Feb. 17, 2003 Comp 302, Spring 2003
Cost of Finding Flaws Late
SCIENCE
Natural Systems
ENGINEERING
Artificial Systems
PURE
Abstract Systems
APPLIED
Concrete Systems
THEORY
EXPERIMENT DESIGN
ANALYSIS
Veri/Falsifica
tion
DESIGN VERI/FALSIFICATION
INFORMAL (ad hoc)
• by simulation
• by test
FORMAL (systematic)
• by proof
• by algorithm
Poor coverage High recovery cost
Koç University – ECE Graduate Program
Typical Abstraction Layers for a Hardware Design
System (Behavioral) Level
Register Transfer Level (RTL)
Gate Level
Transistor Level
Layout Level
Koç University – ECE Graduate Program
Design Process
• Design : specify and enter the design intent
Implement: refine the
design
through all
phases
Verify:
verify the
correctness of
design and
implementation
Koç University – ECE Graduate Program
System (Behavioral) Level
• Abstract algorithmic description of high-level behavior– e.g. C-Programming language
– abstract because it does not contain any implementation details for timing or data
– efficient to get a compact execution model as first design draft– difficult to maintain throughout project because no link to
implementation
Port*compute_optimal_route_for_packet(Packet_t *packet,
Channel_t *channel){
static Queue_t *packet_queue;
packet_queue = add_packet(packet_queue, packet);...
}
Koç University – ECE Graduate Program
RTL Level
• Cycle accurate model “close” to the hardware implementation– bit-vector data types and operations as abstraction from bit-level
implementation
– sequential constructs (e.g. if - then - else, while loops) to support modeling of complex control flow
module mark1;reg [31:0] m[0:8192];reg [12:0] pc;reg [31:0] acc;reg[15:0] ir;
alwaysbeginir = m[pc];if(ir[15:13] == 3b’000)
pc = m[ir[12:0]];else if (ir[15:13] == 3’b010)
acc = -m[ir[12:0]];...
endendmodule
Koç University – ECE Graduate Program
Gate Level
• Model on finite-state machine level– models function in Boolean logic using registers and gates
– various delay models for gates and wires
1ns1ns
4ns4ns3ns3ns
5ns5ns
Koç University – ECE Graduate Program
Transistor Level
• Model on CMOS transistor level– depending on application function modeled as resistive switches
• used in functional equivalence checking
– or full differential equations for circuit simulation
• used in detailed timing analysis
Koç University – ECE Graduate Program
Layout Level
• Transistors and wires are laid out as polygons in different technology layers such as diffusion, poly-silicon, metal, etc.
Koç University – ECE Graduate Program
Flavors of Verification
Design Verification: Does the design make sense? If I implemented it as designed, would it satisfy the design requirements?
System (Behavioral) Level
Register Transfer Level (RTL)
Gate Level
Transistor Level
Layout Level
Implementation Verification: Is the implementation at the lower layer of abstraction consistent with the higher level?
Koç University – ECE Graduate Program
Systems Design and Verification Challenges
• Heterogeneity (analog, digital, HW/SW)• Complexity (~billion transistors, ~millions of lines of code)• Time-to-market
Role of Computer-Aided Design and Verification Tools: Helping humans cope
Transistors
Processor ComplexityAvg. Human IQ
1
10
100
1K
10K
100K
1M
10M
1975 1980 1985 1990 1995
8086
6800068020
80386
80486
68040
Pentium
Pentium ProPPC601
PPC603
80804004
MIPS R4000
50
80
120
140
160
180
100
IntelligenceQuotient
Formal VerificationFormal Verification Tools Tools
VerifierVerifier
Description of sDescription of systemystemto be verifiedto be verified::- Finite state machineFinite state machine- Code written in a hardware Code written in a hardware description languagedescription language
SpecificationSpecification::-Temporal logic formulaTemporal logic formula- Algorithm- or protocol-level Algorithm- or protocol-level description for designdescription for design
YesYes
NoNo
Error traceError trace
G(p F q)p
q
Simulation vs. Formal VerificationSimulation vs. Formal Verification SimulationSimulation
• Not completeNot complete• Need to generate Need to generate
expected behaviorexpected behavior• Difficult to cover corner Difficult to cover corner
casescases• CPU intensiveCPU intensive
– have to run billions of have to run billions of cyclescycles
• Can handle large Can handle large systemssystems
Formal VerificationFormal Verification• Complete wrt specificationComplete wrt specification• No need to generate expected No need to generate expected
behaviorbehavior• Corner cases are Corner cases are
automatically taken care ofautomatically taken care of• Most of the state-of-the-art Most of the state-of-the-art
methods are memory methods are memory intensiveintensive
• Memory usage is strongly Memory usage is strongly related with the size of related with the size of systems to be verifiedsystems to be verified
Exploring the State Space of an Exploring the State Space of an FSMFSM
• Implicit methods: Representsets of states with decision diagrams
• Representation size not proportional to number of states• But still memory limited
10 stars11
10 transistors
10 states
7
100,000
The Moral …
Verification is a serious problem Formal verification methods are great, but not practical
yet on complex systems Simulation is practical, but can’t provide strong enough
guarantees Next part of talk: A hybrid technique:
Simulation + formal verification