How do I use all this, really?
Posted on 22-Dec-2015

How do I use all this, really? – Detailed step-by-step description of a pipeline verification example
Outline
1 Informal Introduction
2 Formal Definitions
  Reactive Systems
  Witnessed Refinement Proofs
  Slicing Reactive Systems
  Decomposing Refinement Proofs
3 Formal Example: Three-Stage Pipeline
4 Informal Example: Dataflow Processor Array
Specification: ISA
[Figure: ISA block diagram with isaRegFile and isaAlu; signals op, inp, src1, src2, dest, out, stall, isaOut]
Program:
load r1 1
xnor r2 r1 r1
store r2
Effect:
r1 := 1
r2 := 0
out := 0
Notes:
1. Store instruction results in an output
2. Memory hierarchy is not represented
3. Why do we need “stall”?
[Figure: pipeline implementation with regFile, alu and stage registers P1 and P2 (FETCH, EXECUTE, WRITE-BACK); signals op, inp, src1, src2, dst, opr1, opr2, res, stall, p1inp, p1op, p1dst, p2op, p2dst, out]
Goal: Establish Pipeline refines ISA
[Figure: ISA specification (isaRegFile, isaAlu, isaOut) side by side with the pipeline implementation]
Need for “stall” in ISA
[Figure: ISA and pipeline side by side, with the stall signal highlighted]
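As an added example (not from the talk), a small Python model of the ISA specification and the three-stage pipeline running the slide program, with the pipeline's `out` sampled at the cycles where an instruction retires and compared with the ISA's run, the same kind of sampling the Sample operator later in the talk formalises. The 1-bit ALU, the register file as a dict, the dict-valued stage registers and the hazard-detection rule are my assumptions; the single `alu` function plays the role of the shared isaAlu witness. Turning the hazard stall off makes the two runs differ, so the check rejects that pipeline.

```python
from typing import Dict, List, NamedTuple
# Instruction fields as on the slides: op, dst, src1, src2, inp (load immediate).
Instr = NamedTuple("Instr", [("op", str), ("dst", str), ("src1", str), ("src2", str), ("inp", int)])
# Program from the slides: load r1 1 ; xnor r2 r1 r1 ; store r2
PROGRAM = [Instr("load", "r1", "", "", 1), Instr("xnor", "r2", "r1", "r1", 0),
           Instr("store", "", "r2", "", 0)]

def alu(op: str, a: int, b: int) -> int:
    """Constructed 1-bit ALU (an assumption); shared by both models like isaAlu."""
    return {"xnor": (~(a ^ b)) & 1, "xor": (a ^ b) & 1}[op]

def isa_run(prog: List[Instr]) -> List[int]:
    """Specification: one instruction per step; the run is `out` after each step."""
    regs: Dict[str, int] = {}
    out, run = 0, []
    for i in prog:
        if i.op == "load":
            regs[i.dst] = i.inp
        elif i.op == "store":
            out = regs.get(i.src1, 0)
        else:
            regs[i.dst] = alu(i.op, regs.get(i.src1, 0), regs.get(i.src2, 0))
        run.append(out)
    return run

def pipeline_run(prog: List[Instr], hazard_stall: bool = True) -> List[int]:
    """Implementation: FETCH / EXECUTE (p1) / WRITE-BACK (p2). FETCH stalls while a
    source register is in flight (p1dst/p2dst). Returns `out` sampled at retire cycles."""
    regs: Dict[str, int] = {}
    out, pc, run, p1, p2 = 0, 0, [], None, None
    while pc < len(prog) or p1 or p2:
        in_flight = {s["dst"] for s in (p1, p2) if s and s["dst"]}
        new_p1 = None                         # FETCH: read operands from regFile
        if pc < len(prog) and not (hazard_stall and {prog[pc].src1, prog[pc].src2} & in_flight):
            i, pc = prog[pc], pc + 1
            opr1 = i.inp if i.op == "load" else regs.get(i.src1, 0)
            new_p1 = {"op": i.op, "dst": i.dst, "opr1": opr1, "opr2": regs.get(i.src2, 0)}
        new_p2 = None                         # EXECUTE: ALU op, or pass-through for load/store
        if p1:
            res = p1["opr1"] if p1["op"] in ("load", "store") else alu(p1["op"], p1["opr1"], p1["opr2"])
            new_p2 = {"op": p1["op"], "dst": p1["dst"], "res": res}
        if p2:                                # WRITE-BACK: commit, then sample `out`
            if p2["op"] == "store":
                out = p2["res"]
            else:
                regs[p2["dst"]] = p2["res"]
            run.append(out)
        p1, p2 = new_p1, new_p2
    return run
```

The pipeline refines the ISA on a program exactly when `pipeline_run(prog) == isa_run(prog)`; with `hazard_stall=False` the store reads r2 before the xnor has been written back and the runs diverge.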
Limitation: State explosion
[Figure: witnessed refinement of the ISA by the pipeline, with isaRegFile and isaAlu as the witnessed variables]
Why not decompose proof?
[Figures: the pipeline sliced into its FETCH (P1), EXECUTE (alu, P1, P2) and WRITE-BACK (regFile, P2, out) stages, each compared against the ISA on its own]
Decomposition does not work!
[Figure: the ISA specification alongside the pipeline, with the intermediate signals opr1, opr2, res and p2dst shown on the specification side]
“out” proof
[Figures: both sides sliced to what affects out: regFile, stall, p1op, p1dst, p2op, p2dst and res on the pipeline side; out is compared with isaOut]
“res” proof
[Figures: both sides sliced to what affects res: alu, opr1, opr2, p1inp, p1op, p1dst, p2op, p2dst and stall; res is compared with the specification's res]
“opr1” proof
[Figures: both sides sliced to what affects opr1: regFile, src1, src2, dst, p1inp, p1op, p1dst, p2op, p2dst and stall; opr1 is compared with the specification's opr1]
[Figure: the three slices FETCH, EXECUTE and WRITE-BACK assembled back into the full pipeline against the extended ISA]
But... is this really practical? – Verification of VGI multiprocessor
VGI
• VGI = “Video-Graphics-Image”
• Designed by the Infopad group at Berkeley
• Purpose: web-based image processing
• Designed using
  – VHDL (control)
  – Schematics (data path)
VGI Architecture
• 16 clusters with 6 processors in each - 4 compute, 1 memory, 1 I/O
• ~30K logic gates per processor
• ~800 latches per processor
• Pipelined compute processors
• Low latency data transfer between processors - complex control
[Figure: processors, each an ISA with a pipeline, connected through FIFO buffers with a complex handshake]
Verification
• Different time scales
• Implementation
  – two-phase clock
  – level-sensitive latches
  – activity on both HI and LO phases of clk
• Specification – no clk signal
Sample Operator
[Figure: specification S and implementation I; the pipelined processors with clk are compared against the ISA blocks]
I’ = Sample I at
Runs of I’ = Runs of I sampled at instances where holds
Difficulty - Verification
• Size of the VGI chip
  – ~800 latches in each compute processor
  – 64 compute processors
• Need “divide and conquer”
Step 1: Network of Processors to Single Processor
[Figures: the network of pipelined processors with clk against the network of ISAs, reduced step by step to a single pipeline with clk against a single ISA]
Step 2: Single Processor
• Single processor still has ~800 latches
• Need “divide-and-conquer” again
[Figure: one processor decomposed into CommStage, PIPE, ALU (gate level against ALUSpec), REGFILE, FIFO buffer and OPGEN, with inputs from the upstream processor and clk, against ISA and REGFILE]
VGI Results
• All lemmas (except ALU) checked by Mocha in a few minutes
• 3 bugs in communication control found and fixed
• Abstract definitions crucial - designer insight needed