Formal Verification of Iterative Algorithms in Microprocessors - PowerPoint PPT Presentation
1 / 94
Title:
Formal Verification of Iterative Algorithms in Microprocessors
Description:
Forte. Forte formal verification system. Evolved from Voss ... In Forte, specifications are written in FL (functional language with built-in BDDS) ... – PowerPoint PPT presentation
Number of Views:27
Avg rating:3.0/5.0
Title: Formal Verification of Iterative Algorithms in Microprocessors
1
Formal Verification of Iterative Algorithms in
Microprocessors
- Mark Aagaard Robert Jones
- Roope Kaivola Katherine Kohatsu
- Carl Seger
- Intel Corporation
2
Outline
- Implementing iterative algorithms in hardware
- Overview of verification strategy
- Detailed example floating-point square root
3
Straight-Line Algorithms
input
output
4
Straight-Line Algorithms
input
output
5
Straight-Line Algorithms
input
output
6
Straight-Line Algorithms
input
output
7
Straight-Line Algorithms
input
output
8
Straight-Line Algorithms
input
output
Verification goal output Spec(input)
9
Circuits for Iterative Algorithms
input
output
10
Circuits for Iterative Algorithms
input
output
11
Circuits for Iterative Algorithms
input
output
12
Circuits for Iterative Algorithms
input
output
13
Circuits for Iterative Algorithms
input
output
14
Circuits for Iterative Algorithms
input
output
15
Circuits for Iterative Algorithms
input
output
16
Circuits for Iterative Algorithms
input
output
17
Circuits for Iterative Algorithms
input
output
18
Circuits for Iterative Algorithms
input
output
Verification goal output Spec(input)
19
Examples of Iterative Algorithms
- Floating point units
- Square root
- Divide
- Front end of microprocessor(update internal
state for each chunk of data) - Mark boundaries between IA32 instructions
- Predict branches
- Back end of microprocessor
- Maintain state to retire instructions in order
20
Verifying Iterative Algorithms
Input/output specification
output Spec(input)
RTL Circuit
21
Verifying Iterative Algorithms
- Just as in program verification, iterative
circuits are verified with invariants - Two major properties
- Datapath invariant
- Control circuitry specification
- termination
- correct steering of data
- etc...
22
Verifying Iterative Algorithms
Input/output specification
output Spec(input)
RTL Circuit
23
Verifying Iterative Algorithms
Input/output specification
output Spec(input)
Data invariant
Control specification
RTL Circuit
24
Three Major Verification Tasks
Input/output specification
init
Data invariant
Control specification
ctrl
main
fini
RTL Circuit
25
Three Major Verification Tasks
Input/output specification
init
Data invariant
Control specification
ctrl
main
fini
RTL Circuit
26
Three Major Verification Tasks
Input/output specification
init
Data invariant
Control specification
ctrl
main
fini
RTL Circuit
27
Three Different Types of Verification
Input/output specification
theorem proving
init
Data invariant
Control specification
ctrl
main
datapath model checking
fini
control model checking
RTL Circuit
28
Forte
- Forte formal verification system
- Evolved from Voss
- Developed by Seger at Univ of British Columbia
- Datapath model checker
- Symbolic trajectory evaluation (STE)
- Based on symbolic simulation
- Control circuitry model checker
- Standard reachability analysis (e.g. SMV)
- Theorem Prover
- Seamless connection to model checking
- Environment
- General-purpose functional programming language
- Extensive graphical interfaces
29
Case Studies In the Paper
- Floating-point square root
- Verification of datapath invariants
- Floating-point divider and remainder
- Theorem proving for iterative algorithms
- Instruction boundary marker
- Verification and the design cycle
30
Case Studies In the Paper
- Floating-point square root
- Verification of datapath invariants
- Floating-point divider and remainder
- Theorem proving for iterative algorithms
- Instruction boundary marker
- Verification and the design cycle
31
Floating Point Square Root
N
internal state Z partial root R partial
remainder i iteration count
Zout
32
Square Root Invariant
N
invariant N Z?Z 2-i?R
Zout
Z partial root R partial remainder i
iteration count
33
Square Root Invariant
init Z0, RN, i0 N Z?Z 2-i?N
N
invariant N Z?Z 2-i?R
Zout
Z partial root R partial remainder i
iteration count
34
Square Root Invariant
init Z0, RN, i0 N 0?0 2-0?N N N
N
invariant N Z?Z 2-i?R
Zout
Z partial root R partial remainder i
iteration count
35
Square Root Invariant
init Z0, RN, i0 N 0?0 2-0?N N N
N
invariant N Z?Z 2-i?R
final iMax N Z?Z 2-Max?R N Z?Z ?
Zout
Z partial root R partial remainder i
iteration count
36
Verifying Floating Point Square Root
Input/output specification
Data invariant
Control specification
N Z?Z 2-i?R
RTL Circuit
37
Challenge Model Checking Capacity
Input/output specification
natural invariant uses multiplication, which
causes BDD blow up in model checking
Data invariant
Control specification
N Z?Z 2-i?R
RTL Circuit
38
Decomposing Invariant Verification 1
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
decompose invariant into base and inductive cases
RTL Circuit
39
Decomposing Invariant Verification 1
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
invariant holds in initial state
if the invariant holds in the current
state, then it will hold in the next state
RTL Circuit
40
Decomposing Invariant Verification 2
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqns Z ...Z...R...
RemEqns R ...Z...R...
verify inductive case with recurrence equations
RTL Circuit
41
Recurrence Equations
- Recall problems in high-level invariant
- (High-level invariant N Z?Z 2-iR)
- Z ? Z exponential in width of Z
- Mentions all of N, Z, R
- Choose recurrence equations for model checking
efficiency - Get rid of multiplication
- Find separate equations for Z and R
- Z par_root_fn(Z, R)
- R remainder_fn(Z, R)
42
Recurrence Equations
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqns Z ...Z...R...
RemEqns R ...Z...R...
verify inductive case with recurrence equations
RTL Circuit
43
Gap From Bit Vectors to Arithmetic
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqns Z ...Z...R...
RemEqns R ...Z...R...
unbounded arithmetic Z ... Z ...
fixed length bit-vectors
RTL Circuit
44
Solution BitVec Arith Library
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
unbounded arithmetic Z ... Z ...
RootEqnsBv
RemEqnsBv
bit vector arithmetic library with overflow
detection Z630 ... bvadd(... Z630) ...
RTL Circuit
45
Bit Vector Arithmetic Library
- Background
- In Forte, specifications are written in
FL(functional language with built-in BDDS) - bit-vector addition implemented as recursive
functions over lists of BDDs - Goal
- Prove that if a property holds over fixed-length
bit-vectors, then it will hold over unbounded
integers - Solution
- Write an enhanced bit-vector library that
automatically detects overflow
46
Bit Vector Arithmetic Library
- Implement bit-vectors as a pair
- accurate flag TRUE iff bit-vector has not
overflowed - BDD list bit vector value
47
Bit Vector Arithmetic Library
- Implement bit-vectors as a pair
- accurate flag TRUE iff bit-vector has not
overflowed - BDD list bit vector value
- Example bit vector addition
- bvadd(bv1, bv2) data_out bvadd_raw(Fdata(bv1
), Fdata(bv2)) ok_out accurate(bv1) and
accurate(bv2) and msb(data_out)
..... return(ok_out, data_out)
48
Bit Vector Arithmetic Library
- Implement bit-vectors as a pair
- accurate flag TRUE iff bit-vector has not
overflowed - BDD list bit vector value
- Example bit vector addition
- bvadd(bv1, bv2) data_out bvadd_raw(Fdata(bv1
), Fdata(bv2)) ok_out accurate(bv1) and
accurate(bv2) and msb(data_out)
..... return(ok_out, data_out) - Theorem (res bvadd(bv1, bv2)) AND
accurate(res) ? bv2nat(data(res))
bv2nat(bv1) bv2nat(bv2)
49
BitVec Arith Library
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
unbounded arithmetic Z ... Z ...
RootEqnsBv
RemEqnsBv
bit vector arithmetic library with overflow
detection Z630 ... bvadd(... Z630) ...
RTL Circuit
50
Verify Init State and Recurrence Eqns
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RTL Circuit
51
Verify Init State and Recurrence Eqns
- To verify base case of invariant, need to
compute initial state of circuit - To verify recurrence equations, need to compute
next-state functions of circuit - We use symbolic simulation to get initial state
and next-state functions from circuit - Advantages
- Provides common semantic basis for STE and
reachability based model checking - Built-in support for constant propagation and
environmental constraints
52
Next-State Funs with Symbolic Sim
datapath
53
Next-State Funs with Symbolic Sim
f
d
- Compute d f(d)
54
Next-State Funs with Symbolic Sim
clock
f
d
- Compute d f(d)
- Put BDD variables on latches
55
Next-State Funs with Symbolic Sim
clock
f
d
- Compute d f(d)
- Put BDD variables on latches
- Clock circuit for one clock cycle
56
Next-State Funs with Symbolic Sim
clock
f
d
- Compute d f(d)
- Put BDD variables on latches
- Clock circuit for one clock cycle
- Sample inputs to latches
57
A Problem
- Problem
- Designers want to optimize circuit
- Retiming is a common optimization
58
A Problem
- Problem
- Designers want to optimize circuit
- Retiming is a common optimization
- After retiming, Z and R are no longer latches
- Conventional calculation of transition function
via symbolic simulation is latch-to-latch
59
A Problem and A Solution
- Problem
- Designers want to optimize circuit
- Retiming is a common optimization
- After retiming, Z and R are no longer latches
- Conventional calculation of transition function
via symbolic simulation is latch-to-latch
- Solution
- Symbolic Trajectory Evaluation (STE) removes
latch-to-latch restriction
60
Next-State Functions with STE
clock
- Pick cut points for clean recurrence functions
61
Next-State Functions with STE
clock
- Pick cut points with clean recurrence functions
- Put BDD variables on cutpoints
62
Next-State Functions with STE
clock
- Pick cut points with clean recurrence functions
- Put BDD variables on cutpoints
- Simulate circuit for one clock cycle
63
Next-State Functions with STE
clock
- Pick cut points with clean recurrence functions
- Put BDD variables on cutpoints
- Simulate circuit for one clock cycle
64
Next-State Functions with STE
clock
- Pick cut points with clean recurrence functions
- Put BDD variables on cutpoints
- Simulate circuit for one clock cycle
- Sample cutpoints
65
Verify Init State and Recurrence Eqns
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RTL Circuit
66
Verify Init State and Recurrence Eqns
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
Next state
Initial state
RTL Circuit
67
Verify Init State and Recurrence Eqns
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
Next state
Initial state
RTL Circuit
68
Verify Recurrence Eqns
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
Next state
Initial state
RTL Circuit
69
Verify Recurrence Eqns
- Recurrence equations for Z and R
- Z par_root_fn(Z, R)
- R remainder_fn(Z, R)
- But, were not yet done...
- Problem recurrence equations dont hold for all
combinations of Z and R - Need to compute reachable state, or find
additional invariants that are strong enough to
verify recurrence equations
70
Verify Recurrence Eqns
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
Next state
Initial state
RTL Circuit
71
Additional Invariants
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
72
Yet Another Set of Invariants...
- Conventional techniques failed to find invariants
needed to verify recurrence equations - Optimizations greatly complicated the circuit
- Automated reachability model checking still
hopeless(approx 1000 latches in datapath alone) - Several months of manual efforts unsuccessful
- too strong (couldnt verify against circuit)
- too weak (couldnt verify against high-level
invariant)
73
Circuit Optimizations
Z
R
Z par_root_fn(Z, R) R remainder_fn(Z, R)
Z
R
74
Circuit Optimizations
Z
R
Z par_root_fn(Z, R) R remainder_fn(Z, R)
f
g
Z
R
75
Circuit Optimizations
Z par_root_fn(Z, R) R remainder_fn(Z, R)
Z
R
X
h
need an invariant for relationship between Z, R,
X
f
g
Z
R
76
Overapproximating Reachable States
- Solution overapproximate reachable states
- create multiple invariants one for Z,X one for
R,X - dont look at all of the bits of Z, R, X
R
X
Z
Z par_root_fn(Z, R) R remainder_fn(Z, R)
Z
R
X
77
Overapproximating Reachable States
- Solution overapproximate reachable states
- create multiple invariants one for Z,X one for
R,X - dont look at all of the bits of Z, R, X
- RootInv(Z, X) relates partial root and redundant
state
R
X
Z
Z par_root_fn(Z, R) R remainder_fn(Z, R)
Z
R
X
78
Overapproximating Reachable States
- Solution overapproximate reachable states
- create multiple invariants
- look at just some of the bits of Z, R, X
- RootInv(Z, X) relates partial root and redundant
state - RemInv(R, X) relates remainder and redundant state
R
X
Z
Z par_root_fn(Z, R) R remainder_fn(Z, R)
Z
R
X
79
Additional Invariants
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
80
Additional Invariants
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
81
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
82
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
83
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
84
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
85
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
86
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
87
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
88
Summary of Verification Strategy
Specification
N Z?Z 2-i?R
Data Invariant
Base
Induct
Control specification
RootEqnsInt
RemEqnsInt
RootEqnsBv
RemEqnsBv
RootInv
RemInv
Next state
Initial state
RTL Circuit
89
Summary of STE Properties
- Initial state satisfies
- datapath invariant
- partial root invariant
- partial remainder invariant
- Inductive step of partial root invariant
- Inductive step of partial remainder invariant
- Next-state function for partial root satisfies
recurrence equation - Next-state function for partial remainder
satisfies recurrence equation
90
Case Studies In the Paper
- Floating-point square root
- Over approximation of reachable state
- Using STE to extract next-state functions
- BDD bashing for propositional reasoning
- Floating-point divider and remainder
- Manually deduced invariant
- Application-specific theorem proving environment
for weakest precondition reasoning - Instruction boundary marker
- Porting verification script to new design
- Maintaining verification script on live RTL
91
Summary
- Used novel combinations of existing verification
techniques to verify highly optimized circuitry
that implements complex iterative algorithm
against natural input/output specification - Forte environment allows for such flexibility and
is key to success - Functional language interface
- STE as primary engine
- Verification on constantly changing RTL is much
harder than on static designs. - Getting the first verification to go through is
harder - Must maintain verification script as design
evolves.
92
Conclusions
- Optimistic about continued growth of FV
- Formal verification on floating-point is a clear
win - Still many challenges out there, but reusable
methodologies improve probability of success and
productivity - Need for combined model checking and theorem
proving is clear
93
Formal Verification of Iterative Algorithms in
Microprocessors
- Mark Aagaard Robert Jones
- Roope Kaivola Katherine Kohatsu
- Carl Seger
- Intel Corporation
94
(No Transcript)
Recommended
CrystalGraphics Presentations
