Test Generation using SATbased Bounded Model Checking for Validation of Pipelined Processors

1
Test Generation using SAT-based Bounded Model
Checking for Validation of Pipelined Processors

• Heon-Mo Koo, Prabhat Mishra
• Dept. of Computer and Information Science and
  Engineering
• University of Florida, USA

2
Motivation

• Exponential growth of design complexity
• Deeply pipelined complex microarchitecture
• Logic bugs increase 3 - 4x per generation
• Up to 70 of design time and resources are spent
  during functional validation
• Functional validation is a major challenge in
  microprocessor design

3
Related Work

• Existing validation approaches
• Simulation-based techniques
• Formal methods
• Simulation is the most widely used form for
  microprocessor validation
• Uses random, pseudorandom, directed tests
• Random/pseudo-random test generation
• e.g., Genesys-Pro, Adir et al., DAC95, Shen et
  al., DAC99
• Directed test generation based FSM coverage
• Ho et al., ISCA95, Kohno et al., DAC01
• Abstract FSM model
• Ur et al., DAC99, Shen et al., ETTA00
• Test Generation using Model Checking
• Mishra et al., DATE 2004

4
Processor Validation using Test Programs
Test Generator
Pipelined Processor
TestGen
MOV R1, 011 MOV R2, 010 ADD R3, R1, R2 R3 101
Test Program
R3 101 ?
Check Result
Verifies the functionality of the processor using
instruction sequences
5
Test Generation using Model Checking

• Processor model
• Desired behaviors (temporal logic properties)
• Test generation Algorithm
• Apply negated version of the property
• MC generates a counterexample test program

Problem Very costly or not possible in many
scenarios - Complex processors and/or complex
properties.
An Example Generate test to stall a Decode unit
Decode never stalled
Processor Model
Model Checker
Approach Bounded MC Design partitioning -
Reduce TG time memory - Enables test
generation in complex scenarios
Cycle Opcode Dest Src1 Src2 1
NOP 2 ADD R3 R1 R2
3 SUB R4 R3 R2
6
Test Generation using SAT-based BMC
Architecture Specification (ADL Specification)
Decomposition
Decomposition
1 Design Decomposition
2 Bound Decision and Property Decomposition
SAT-based BMC
Test Cases
3 Test Generation
7
Graph Model of a Pipelined Processor
PC
Inst. Cache
Fetch
Graph (Nodes, Edges) Nodes units U
storages Edges data-transfer edges
U pipeline edges
Decode
Reg File
DIV
FADD1
IALU
MUL1
FADD2
MUL2
Main Mem.
FADD3
MUL7
FADD4
Data Cache
MEM
WriteBack
8
Property Generation

• Functional fault model
• Graph model of pipelined processors
• Pipeline interaction fault model
• Functional coverage metric
• Pipeline interactions
• Combination of modules and their activities
• Activities decided by the functionalities to be
  tested, e.g., execution, stall, exception
• (n1,a1) (n2.a2) (nN,aN)
• Converted to a property
• F(p1 ? p2 ? ? pN)
• Negation G(?p1 ? ? p2 ? ? ? pN)

9
Deciding Bound A Challenge

• The depth of counterexamples is unknown in
  advance
• Using incorrect bound increases test generation
  time
• Iterative increasing bound
• Good for shallow counterexamples
• Bad for deep counterexample due to accumulation
  of iterative running
• Maximum bound
• Disadvantage if the bound is too big

Solution Deciding bound for each property -
Reducing search bound compared to Max. k
10
Deciding Bound

• Maximum bound
• The longest pipeline path
• FE-DE-IALU-MEM-Cache-MM-Cache-WB
• Over-conservative in most test scenarios
• Bound for each property
• The longest temporal distance from the root node
  among the nodes to be considered
• Example
• Decode in stall (2), and IALU (3), FADD3 in
  operation execution (5) at the same time bound
  5

Fetch
Decode
FADD1
IALU
FADD2
FADD3
11
Design Decomposition

• Design Decomposition
• Stage-level (horizontal)
• Path-level (vertical)

Fetch
Decode
DIV
FADD1
IALU
MUL1

• Example
• Decode in stall, and IALU, FADD3 in operation
  execution at the same time

Fetch
Decode
FADD1
Fetch
FADD2
Decode
FADD3
FADD1
IALU
FADD4
FADD2
WriteBack
FADD3
12
Test Generation Example

• Property
• F(clk5 ? Decode.stall ? IALU.exe ?
  FADD3.exe)
• Negation
• G((clk 5) ? (Decode.stall) ? (IALU.exe) ?
  (FADD3.exe))

Fetch Cycle Instructions 1 FADD R1 R2
R2 2 NOP 3 ADD R3 R2 R2
4 ADD R3 R1 R2 5 NOP
13
Comparison of Test Generation Methods

• Test generation time increases with the of
  module interactions
• 1030 test generation time reduction by design
  partitioning
• Bound for each property reduces approximately 90
  of test generation time

14
Conclusions

• Functional validation bottleneck in processor
  design
• Simulation using directed tests is promising
• Need for automatic directed test generation
• Model checking as test generation engine
• Capacity restriction poses practical challenges
• Our approach
• SAT-based BMC as test generator
• Determine bound for each property
• Partition design in the context of SAT-based BMC
• Reduces test generation time and memory
  requirement
• Future work
• Analysis of pipeline interaction fault model
• Optimal property and design partitions