Specification and Encoding of Transaction Interaction Properties
Divjyot Sethi, Yogesh Mahajan, Sharad Malik
Princeton University
Hardware Verification Workshop, Edinburgh
July 15, 2010
www.gigascale.org
Gap Between Specification and Implementation
Specification
• Objects are units of data
• Concurrent computation on these objects
Implementation
• Objects are functional logic blocks
• Concurrent communication between these objects
[Figure: Packet (H, T); Instr (Op, Rs, Rt, Immediate); Frame (l1, ln); blocks M1, M2, M3; Pipeline]
Mapping of concurrent functions onto concurrent hardware blocks is captured by humans.
Consequences for Verification
• Need humans to translate correctness conditions between them
• Incomplete, expensive, error prone
• Significant barrier to automation in verification
Drives efforts to move design and verification to levels above RTL.
Modeling Concurrent Computation Using Transactions
• Transaction is a unit of work
• Transactions can be concurrent
• Transaction sequences
• Permits reasoning about
  – Individual transactions
  – Interactions between transactions
    • e.g. pipeline hazards
[Figure: transaction sequence plotted against Time; each transaction runs through the steps Fetch, Decode, Read, ReadAddress, Write, End. Labels: Transaction, Sequence, Order. Second panel: T1, T2, T3 and a Shared Resource.]
Transaction Interaction Properties
• Examples
  – Contention
    • Mutual exclusion
  – Sequencing
    • Ordering of packets in a router
    • Pipeline hazards
  – Priority
    • Choosing among concurrent processes
Generally deal with ordering of individual transaction instances.
Transaction Interaction Properties in RTL
Example: RAW Pipeline Hazard
• Lack high-level information
  – Where are the instructions?
• Need to instrument the design to capture high-level objects
  – Instructions in flight
• Need to state the property in terms of instrumented variables
• Human intervention limits automation
Easier with a transaction-level model with explicit ordering information.
Big Picture
[Figure: flow diagram.
 This Work: Transaction-Level Model + Transaction Interaction Property → Automated Encoding → Finite Model + Temporal Logic Property (Model Check This).
 Previous Work (CODES+ISSS 09): Transaction-Level Model → Verified Synthesis → Synthesized RTL.]
Talk Outline
• Motivation
• Modeling Transactions and Interaction Properties
• Encoding for Model Checking
• Experiments
• Related Work
• Summary
Transaction-Level Model
• Individual Transaction
  – Explicit start and end steps
  – Guarded transitions
  – Model as a Kripke structure
• Infinite array of transactions
  – Index value refers to specific transaction
• State
  – Local
    • Transaction state
      – present step & local variables
      – Local variables constant after a transaction ends
  – Global shared state
[Figure: transactions T1, T2, Ti indexed by i, each with a Start Step, Guarded Transitions and an End Step; Local State of Ti; Global State (M1)]
Modeled as an infinite Kripke structure
Parametric, but not symmetric in i
Property Specification using Indexed Temporal Logic
Example: RAW hazard property
  i, j  j > i  G ~(read_j & ~write_i & F(write_i))
• i, j are transaction indices
[Callouts on the formula: Indexed transaction local variables; Indexed Temporal Logic Formula]
General form of property:
  I, P(I) [L(I), g]
• I: Set of index variables, one for each interacting transaction
• P(I): Predicate on the set of indices I capturing relationship among interacting transactions
• [L(I), g]: Temporal logic formula on transaction local indexed variables and global variables
Encoding for Model Checking
[Figure: Infinite State Model (transactions T1, T2, Ti with Indexed State; Global State M1) + property I, P(I) [v(I), g] → Encode → Finite State Model + LTL/CTL Formula → Model Check This]
Handling Infinite State
[Figure: Infinite State Model (transactions T1, T2, Ti with Indexed State; Global State M1) + property I, P(I) [v(I), g]]
Observation 1: Only a finite number of active transactions possible due to finite resources
• Finite state for active transactions
[Figure: S1, S2, SK: State of active transactions. Callout: User specified upper bound, independently verified]
Handling Infinite State
[Figure: Infinite State Model (transactions T1, T2, Ti with Indexed State; Global State M1) + property I, P(I) [v(I), g]]
But, properties may refer to local variables of transactions that have ended.
Observation 2: Can exploit non-determinism.
• Non-deterministically select |I| transactions for tracking past history.
• The model checker will implicitly consider all possible values.
[Figure: E1, E2, E|I|: Local variables of selected transactions. Callout on |I|: Number of interacting transactions]
Encoding the Predicate
[Figure: Infinite State Model (transactions T1, T2, Ti with Indexed State; Global State M1) + property I, P(I) [v(I), g]]
But, predicate evaluation needs the potentially infinite index value of the interacting transactions.
Observation 3: Can handle several (all?) useful predicates without explicit index value storage.
• Ordering Constraints
  – P(i, j) : i > j
• Separation Constraints
  – P(i, j) : i − j > m
  – P(i, j) : i − j < m
• Equality Constraints
  – P(i, j) : i = j + m
• Inequality constraints
  – P(i, j) : i j + m
[Figure: Predicate FSM with ND_Select_i and ND_Select_j; I = {i, j}]
Encoding for Model Checking
[Figure: Infinite State Model (transactions T1, T2, Ti with Indexed State; Global State M1) + property I, P(I) [v(I), g]]
Key Components
• Predicate FSM, with ND_Select_i and ND_Select_j
• S1, S2, SK: State of active transactions
• E1, E2, E|I|: Local variables of ended transactions
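Added example (Python, not the authors' SMV encoding): a toy monitor that follows the three observations above for the RAW hazard property and is compared against a direct evaluation with explicit indices. Assumptions: the property is read as holding for all i, j with j > i, transactions start in index order, and the traces, slot numbering and function names are constructed for illustration.

```python
from itertools import product

# Constructed traces of (action, slot). Slots are the bounded "active
# transaction" positions and are reused after "end", so the monitor never
# sees an unbounded transaction index. Transactions start in index order.
HAZARD = [("start", 0), ("start", 1), ("read", 1), ("write", 0),
          ("end", 0), ("write", 1), ("end", 1)]
SAFE = [("start", 0), ("write", 0), ("start", 1), ("read", 1), ("end", 0),
        ("start", 0), ("write", 1), ("end", 1), ("write", 0), ("end", 0)]

def direct_check(trace):
    """Reference semantics with explicit indices: for all j > i, no read_j
    happens while write_i is still in the future."""
    owner, count, reads, writes = {}, 0, {}, {}
    for t, (act, slot) in enumerate(trace):
        if act == "start":
            count += 1
            owner[slot] = count            # index = position in start order
        elif act == "read":
            reads[owner[slot]] = t
        elif act == "write":
            writes[owner[slot]] = t
    return not any(i < j and writes[i] > reads[j]
                   for j in reads for i in writes)

def monitor(trace, nd_bits):
    """Finite-state run for one resolution of the non-deterministic choices."""
    bits = iter(nd_bits)
    i_slot = j_slot = None                 # slot while the tracked txn is active
    i_sel = j_sel = read_j_seen = False
    for act, slot in trace:
        if act == "start" and next(bits):
            if not i_sel:                  # ND_Select_i
                i_sel, i_slot = True, slot
            elif not j_sel:                # ND_Select_j: later start, so j > i
                j_sel, j_slot = True, slot
        elif act == "read" and slot == j_slot:
            read_j_seen = True
        elif act == "write" and slot == i_slot and read_j_seen:
            return False                   # write_i after read_j: hazard
        elif act == "end":                 # slot may now be reused by another txn
            i_slot = None if slot == i_slot else i_slot
            j_slot = None if slot == j_slot else j_slot
    return True

def encoded_check(trace):
    """Enumerate every ND choice, as a model checker does implicitly."""
    starts = sum(act == "start" for act, _ in trace)
    return all(monitor(trace, b) for b in product((0, 1), repeat=starts))
```

The SAFE trace reuses slot 0 for a third transaction after the first one ends; releasing `i_slot` on "end" is what keeps that later write from being misattributed to the tracked transaction i.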
Experiments
• Design examples
  – Simple router
    • Property: Flits are processed in order
  – Simple processor
    • Property: Absence of RAW hazard
• Input:
  – Designs specified using a transaction-level model
  – Properties specified using indexed temporal logic
• Output:
  – Synthesized SMV for finite model and LTL property
  – Model checked using Cadence SMV
Model Checking Results

| System | Time (s) | BDD Size (Number of Nodes) | No. of State Variables | Lines of Code | K (Finite Bound) | Property Result |
|---|---|---|---|---|---|---|
| Router | <0.1 | 43324 | 30 | 397 | 3 | True |
| Processor | 17 | 3152542 | 50 | 382 | 6 | False |

All experiments done on an Intel Core 2 Duo 2.5 GHz machine with 3 GB RAM running Windows XP.
Related Work Summary
Comparison criteria:
• Transaction Based System
• Unbounded/Infinite State
• Indexed Properties
• Finite Encoding
• Encoding Generation Automated
Approaches compared:
• Parameterized Synchronous Systems [Emerson, Namjoshi]
• Indexed CTL* Logic [Clarke, Grumberg, Brown]: NA, NA, NA
• Hazard Checking using Transaction Models [Malik, Mahajan]
• This Work
Summary
• Transaction-based higher-level models enable reasoning without resorting to design instrumentation
• Main Contributions:
  – Infinite Kripke structure model for transactions with explicit indices
  – Indexed temporal logic for specifying transaction interaction properties
  – Finite encoding of design and property exploiting
    • Finiteness of hardware resources
    • Non-determinism in model checkers
    • Specific ordering relationships of interacting transactions
  – Initial prototype demonstration
Related Papers
• Y. Mahajan, C. Chan, A. Bayazit, S. Malik, and W. Qin, “Verification driven formal architecture and microarchitecture modeling,” in MEMOCODE ’07: Proceedings of the 5th IEEE/ACM International Conference on Formal Methods and Models for Codesign. Washington, DC, USA: IEEE Computer Society, 2007, pp. 123–132.
• Y. Mahajan and S. Malik, “Automating hazard checking in transaction-level microarchitecture models,” in FMCAD ’07: Proceedings of the Formal Methods in Computer Aided Design. Washington, DC, USA: IEEE Computer Society, 2007, pp. 62–65.
• D. Schwartz-Narbonne, C. Chan, Y. Mahajan, and S. Malik, “Supporting RTL flow compatibility in a microarchitecture-level design framework,” in CODES+ISSS ’09: Proceedings of the 7th IEEE/ACM international conference on Hardware/software codesign and system synthesis. New York, NY, USA: ACM, 2009, pp. 343–352.