structuring instruction-sets with higher-order functions

Structuring instruction-sets with higher-order functions

Byron Cook

Advisor: John Launchbury

Microprocessor correctness

Lots of microarchitectural tricks

ISA: Simple machine

Pipelined.

Superscalar.

Out-of-order.

Speculative.

FV for microprocessor correctness

Approach to improving microprocessor quality: Model the systems in logic Prove that the microarchitecture

implements the ISA. Rich mixtures of automatic and manual

proof strategies are common.

FV for microprocessor correctness

Research community has found many techniques to solve this problem.

Several papers prove correctness of “superscalar, out-of-order, and speculative” implementations of RISC ISAs.

The twist: ISAs are evolving

Domain-specific extensions. example: MMX

Predication. example: ARM

Concurrency instructions: Example: IA-64

Speculative instructions: Example: IA-64

Extra structure to leverage

Should be carefully presented

Opportunity for new axis of proof decomposition: MMX: Can we first prove that the MMX

execution unit correctly implements MMX Predication: Can we prove just the MA

predication machinery correct? Concurrency instructions: Can we abstract

over the underlying pipelines? Speculative instructions: …………

Question that the dissertation answers

Can higher-order functions help?

Facilitate architectural extension design?

Microarchitectural modeling of extensions?

Facilitate the correctness proof?

Overview

Background Extensions and higher-order

functions Conclusion

Overview

Background Models and specifications Correctness Formal verification techniques

Extensions and higher-order functions

Conclusion

Models and specifications

In the literature: transition systems are used.

A transition system is a structure with: A set of initial states. A next state relation. An “observation” function.

Let’s see an example………

t = (init,next,obs)

init represents the initial states: init :: {s}

next represents the next state relation: next :: i -> s -> {s}

obs is the observation function:obs :: s -> o

type TS i s o = ( {s} , i->s->{s} , s->o )

t :: TS i s o

t = (init,next,obs)

{s} can sometimes mean a finite set of elements of s.

Sometimes infinite sets are used.

Sometimes, sets are not used at all.

type TS c i s o = ( c s , i->s->c s , s->o )

Finite sets t :: TS FSet i s o. t :: ( FSet s , i->s->FSet s , s->o )

Infinite sets: t :: TS Set i s o. t :: ( Set s , i->s->Set s , s->o )

No sets: t :: TS Id i s o. t :: ( s , i->s->s , s->o )

data OPCODE = ADD Reg Reg Reg

| SUB Reg Reg Reg

Example:ADD r1 r2 r5 :: OPCODE

Example: An ISA specification

risc :: TS FSet

OPCODE

RegFile

(Obs RegFile)

risc = (risc_init,risc_next,risc_obs)

where risc_init = unit i_rf

risc_next instr state = ………

risc_obs s = ………

data Obs x = Ready x

| Busy

| Stalled

Example: A pipelined model

pipe :: TS FSet OPCODE (RegFile,PipeReg,PipeReg,PipeReg)

(Obs RegFile)

pipe = (pipe_init,pipe_next,pipe_obs)where pipe_init = unit (i_rf,empty,empty,empty) pipe_next instr (rf,r1,r2,r3) = ……… pipe_obs (rf,r1,r2,r3) = ………

Overview

Conclusion

What is correctness?

Often a preorder relationship:

Bisimulation (BISIM).

Simulation (SIM).

Flush-point correctness (FP).

What is simulation?

“m” is the implementation, “n” is the specification.There exists an R such that

What is simulation?

init m

What is simulation?

init n

init m

What is simulation?

init n

init m

What is simulation?

init n

init m

next m i

What is simulation?

init n

init m

next n i

next m i

What is simulation?

init n

init m

next n i

next m i

What is simulation?

init n

init m

next n i

next m i

What is simulation?

init n

init m

next n i

next m i

What is simulation?

(m,n)SIM iff R. ainit m, binit n. (a,b)R (a,b)R, i, a’next m i a. b’next n i

b and (a’,b’)R (a,b)R. obs m a = obs n b

What is bisimulation?

“m” is the implementation, “n” is the specification.There exists an R such that, the same as before AND:

init n

init m

init n

init m

init n

init m

next n i

init n

init m

next n i

next m i

init n

init m

next n i

next m i

(m,n)BISIM iff R. ainit m, binit n. (a,b)R binit n, ainit m. (a,b)R (a,b)R, i, a’next m i a. b’next n i b and

(a’,b’)R (a,b)R, i, b’next n i b. a’next m i a and

(a’,b’)R (a,b)R. obs m a = obs n b

What is flush-point correctness?

init n

init m

What is flush-point correctness?

Overview

Conclusion

How do we prove this?

n m SIM

Abstraction

History variables

Prophecy variables

SIM FP

Decomposition

Overview

Conclusion

Overview

Background Extensions and higher-order functions

OA: an example extended ISA Modeling with transformers Proof decomposition with transformers Characterizing an important set of

transformers Conclusion

The Oregon architecture.

r2 <- r2 – 1

r1 <- r1 * r3

pc <- 102

r2 <- r2 – 1

r1 <- r1 * r3

pc <- 102

r2 <- r2 – 1 if p2

r1 <- r1 * r3 if p2

pc <- 102 if p2

r2 <- r2 – 1 if p2 in 1

r1 <- r1 * r3 if p2 in 0

pc <- 102 if p2 in 2

101: r2 <- load 100 if p5 in 0

r1 <- 1 if p5 in 1 r3 <- r2 if p5 in 0

FENCE 102: r4 <- r2 != 0 if p5 in 0 p2,p3 <- r2p r4 if p5 in 0 r3 <- r2 if p5 in 1FENCE 103: r2 <- r2 – 1 if p2 in 1 r1 <- r1 * r3 if p2 in 0 pc <- 102 if p2 in 2

104: store 401 r1 if p3 in 3 pc <- 105 if p3 in 2 nopFENCE

r2 <- load 100 if p5r3 <- r2 if p5

r1 <- 1 if p5 r4 <- r2 != 0 if p5p2,p3 <- r2p r4 if p5

r3 <- r2 if p5

pc <- 102 if p2pc <- 33 if p3

r1 <- r1 * r3 if p2

store 401 r1 if p3

r2 <- r2 - 1 if p2

Overview

Transformers

Transformers are functions between transition systems.

Composition of transformers rather than monolithic transition systems.

More modular specifications and models.

A new axis for decomposition. Proof re-use.

Modeling systems as the composition of functions.

Predicate Register

Fronte

Predicate

Register

FileFro

Predicate

Register

FileFro

InstructionBuffer

Dispatch Control

Predicate

Register

FileFro

InstructionBuffer

Dispatch

ProgramMemory (p)

Control

oa p = fnt p (cnc 1 (prd risc))

Familiar friend

Takes any transition system and adds predication

Adds explicit concurrency instructions

Adds a front-end with program fetch

InstructionBuffer

Dispatch

ProgramMemory (p)

ControlPredicated

RISCPipeline

PredicatedRISC

Pipeline

PredicatedRISC

Pipeline

Oregon microarchitectural implementaton.

ma p = fnt p (cnc 3 prd_pipe)

Oregon microarchitectural implementaton.

ma p = fnt p (cnc 3 prd_pipe)

Higher-performance predicated pipeline

prd :: (……,Bubble i,Collection c,Eq r,……) => TS c i s (Obs (Env r w)) -> TS c (Prd_Instr i r) (Prd_St s r i) (Obs (Env r w))

Polymorphic with respect to s

c (whatever it is) has to be a collection-type

class Collection c where

unit :: a -> c a

join :: c (c a) -> c a

union :: c a -> c a -> c a

map :: (a -> b) -> c a -> c b

Prd_Instr type.

data Prd_Instr i r = R2P r r r

| P2R r r

| SET r Bool

| IF i r

| GO i

Prd_St type.

type Prd_St s r i = (s,Env r Bool,……)

One of the advantages: predication is defined in isolation.

Other possibilities…..

oa p = fnt p (prd (cnc 1 risc))

oa p = prd (fnt p (cnc 1 risc))

oa p = prd (prd (prd risc))

Overview

Now what?

Now, let us look at how we can leverage the extra structure

Decomposition.

(f m,g n) SIM

Decomposition.

(f m,g n) SIM

Here’s the structure that we’re going to leverage.

Decomposition.

(f m,g n) SIM

Decomposition.

(m,n) A

(a,b)A. (f a, g b)SIM

Decomposition.

(m,n) A

We’re abstracting over m and n.

New notation:

(f, g) RQ

is defined as

(a,b)Q. (f a, g b)R

New notation:

(g, g’) RQ

is defined as

(a,b)Q. (g a, g’ b)R

Note: monotonicity is (f,f) RR

Decomposition.

(m,n) A

Decomposition.

(m,n) A

(f, g) SIMA

(ma,oa) FP(ma,oa) FP

Now, let’s decompose the proof using our available techniques

(ma,oa) FP(fnt p (cnc 3 prd_pipe), fnt p (cnc 1 (prd risc))) FP

(ma,oa) FP((fnt p o cnc 3) prd_pipe, (fnt p o cnc 1 o prd) risc) FP

function composition

(ma,oa) FP

(fnt o cnc 3,fnt o cnc 1) FPFP

(prd_pipe,prd risc) FP

Rule: decomposition

((fnt p o cnc 3) prd_pipe, (fnt p o cnc 1 o prd) risc) FP

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Rule: decomposition

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Reasoning: fnt adds no state

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Reasoning: Some hard reasoning here. Essentially: cnc expects no hazards amongst different threads.

☺☺

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Rule: Transitivity of FP and intermediate model prd pipe

(prd_pipe,prd pipe) FP

(prd pipe,prd risc) FP☺☺

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Rule: Transitivity of FP and intermediate model prd pipe

(prd pipe,prd risc) FP☺☺

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Rule: Decomposition and strengthening

(prd pipe,prd risc) FP

(prd,prd) SIMSIM

(pipe,risc) SIM

☺☺

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Reasoning: Many techniques available for this.

(prd,prd) SIMSIM

(pipe,risc) SIM

☺☺

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

Rule: Surprisingly hard. More later………

(prd,prd) SIMSIM

(pipe,risc) SIM

☺☺

(ma,oa) FP

Rule: using intermediate model slow prd_pipe. Also using SIMFP.

(prd_pipe,slow prd_pipe) FP

(slow prd_pipe, prd pipe) SIM

(ma,oa) FP

Reasoning: Techniques available for this. Essentially “self-consistency”.

(slow prd_pipe, prd pipe) SIM☺

(ma,oa) FP

Reasoning: Simulation relation given in dissertation.

(slow prd_pipe, prd pipe) SIM☺ ☺

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

(prd,prd) SIMSIM

(pipe,risc) SIM

Overview

Monotonicity.

What about the case:

(prd m, prd n) SIM

Monotonicity.

By the decomposition rule:

(m,n) SIM

(prd, prd) SIMSIM

Monotonicity.

By the decomposition rule:

(m,n) SIM

(prd, prd) SIMSIMUnfortunately, we don’t get this automatically

Monotonicity.

Dissertation characterizes a set of transformers such that: (f, f) SIMSIM

Same for BISIMBISIM.

BISIMBISIM

Question: Why aren’t all transformers monotonic with respect to BISIM?

Answer: The troublesome transformers are those that are not polymorphic in their state.

BISIMBISIM

f :: TS FSet Int i o -> TS FSet Int i o f (init,next,obs) = (init’,next,obs) where init’ = init – {4}

BISIMBISIM

The solution: use a polymorphic transformer.

f :: TS FSet s I O -> TS FSet (F s) I’ O’

Dissertation proves that

(f, f) BISIMBISIM

Note: f’s definition does not matter.

BISIMBISIM

The solution: use a polymorphic transformer

(f, f) BISIMBISIM

Proof is based on the theory of Parametricity.

BISIMBISIM

The solution: use a polymorphic transformer

(f, f) BISIMBISIM

Proof is based on the theory of Parametricity……and I actually check it too.

SIMSIM

Assume that

Unfortunately, there are cases where

(f, f) SIMSIM

SIMSIM

Question: Why aren’t all polymorphic transformers monotonic with respect to SIM?

Answer: polymorphic transformers can still look at the structure of sets.

SIMSIM

f :: TS FSet s i o -> TS FSet s i Bool f (init,next,obs) = (init,next,obs’) where obs’ x = if (|init|<2) then False else True

SIMSIM

The solution: limit the set-like operations that f has access to by putting constraint in the type:

f :: Container c => TS c s I O -> TS c (F s) I’ O’

(f, f) SIMSIM

Proof is, again, based on Parametricity.

Collection

class Collection c where

unit :: a -> c a

join :: c (c a) -> c a

union :: c a -> c a -> c a

map :: (a -> b) -> c a -> c b

SIMSIM

The solution: limit the set-like operations that f has access to

f :: Container c => TS c s I O -> TS c (F s) I’ O’

(f, f) SIMSIM

This probably seems limiting: but both prd and fnt are examples.

Overview

Conclusion

Higher-order functions can be used to facilitate both the design of architectural extensions and the correctness proofs of their implementations.

Dissertation provides: A modeling method based on higher-order

functions for instruction-set extensions. Decomposition and discharge rules for models

written using the modeling method. Reusable extension specifications. Proof re-use.

Summary

The dissertation: Reviews the history of processor verification. Develops the theory necessary to model

microproccessors and do FV. Develops a next generation VLIW-like instruction-set

with predication and concurrency instructions Develops a microarchitectural implementation. Develops the theory that allows us to leverage the

higher-order functions Demonstrates how a microarchitectural correctness

proof can be decomposed and structured.

(fnt,fnt) FPFP

(cnc 3,cnc 1) FPFP

(prd_pipe,pipe pipe) FP

(prd,prd) SIMSIM

(pipe,risc) SIM

structuring instruction-sets with higher-order functions

Documents

chapter 9 instruction sets: characteristics and functions

chapter 10 instruction sets: characteristics and functions

control functions for coded character sets

introduction, motivation, basics about sets, functions,...

math 301 introduction to proofs - - sets - functions

17. instruction sets: characteristics and functions

22c:19 discrete structures sets and functions

sets, logic, relations, and functions - andrew...

unit sf: sets and functions

2.sets functions sequences sums

resonance -sets relations and functions

random zero sets of analytic functions and traces of...

sets, relations and functions (2)

lesson 10: functions and level sets

topik 9 - instruction sets - characteristics and functions

sets and functions by saleh elshehabey

chapter 6 : sets, relations and functions

classical sets and fuzzy sets classical sets operation on...

sets, relations & functions

unit 01 sets, relations and functions eng