Virtual Memory Simulation Theoremsbusserver.cs.uni-sb.de/lehre/vorlesung/info2/... · Virtual...

Virtual MemorySimulation Theorems

Mark A. Hillebrand, Wolfgang J. Paul{mah,wjp}@cs.uni-sb.de

Saarland University, Saarbruecken, Germany

This workwas partiallysupported by

Virtual MemorySimulation Theorems – p.1

OverviewTheorem: the parallel user programs of a main framesee a sequentially consistent virtual shared memory(Correctness of main frame hardware & part of OS)

ContextA (practical) approach for the complete formalverification of real computer systems:

1. Specify (precisely)

2. Construct (completely)

3. Mathematical correctness proof

4. Check correctness proof by computer

5. Automate approach (partially; recall Gödel)

Example: Processor design1.–3. [MP00]

Computer Architecture:Complexity and CorrectnessSpringer

4. [BJKLP03]Functional verification of the VAMP processorCharme ’03

5. PhD Thesis Project S. Tverdyshev(Khabarovsk State Technical University)

Why Memory Management?Layers of computer systems (all using localcomputation and communication):

User Program

Operating System

Hardware

! In memory management hardware and softwareare coupled extremely tightly.

DLX ConfigurationA processor configuration of the DLX is a pairc = (R,M):

• R : {register names} → {0, 1}32

where register names PC ,GPR(r), status, . . .

• M : {memory addresses} → {0, 1}8

where memory addresses ∈ {0, 1}32

Standard definition is an abstraction:real hardware usually has no 232 bytes main memory

DLX V ConfigurationA virtual processor configuration of DLX V is a triplec = (R,M, r):

• R : {register names} → {0, 1}32

where register names: PC ,GPR(r), status, . . .

• M : {virtual memory addresses} → {0, 1}8

where virtual memory addresses ∈ {0, 1}32

• r : {virtual memory addresses} → {R, W}where the rights R (read) and W (write) areidentical for each page (4K).

! DLX V is a basis for user programs.

DLX S ConfigurationA real specification machine configuration of DLX S

is a triple cS = (RS,PM , SM ):• RS \ R:

• mode system mode (0) or user mode (1)• pto Page table origin• ptl Page table length (only for exceptions)

• PM physical memory• SM swap memory

! DLX S is hardware specification.

Page-Table Lookup

(pto,012) px bx

32Page Table 20

Let c = (RS,PM , SM ).• Virtual address

va = (px, bx)

px: page indexbx: byte index

• PTc(px) = PM 4(〈pto〉 + 4 · 〈px〉)

=31 1 0

vwrppx[19 : 0] · · ·

12 11 3 2

ppxc(va): physical page indexvc(va): valid bit (↔ page in PM)

Address Translation(pto,012) px bx

32Page Table 20

pmac(va)

12Let c = (RS,PM , SM ).

• Virtual addressva = (px, bx)

px: page indexbx: byte index

• pmac(va) = (ppxc(va), bx)pmac: physical memory address

• To access swap memory, we also define:smac: swap memory address (e.g. sbasec + va)

Instruction ExecutionDLX V uses virtual addresses:

• Fetch: va = DPC (delayed PC)• Effective address of load/store:

va = ea = GPR(RS1 ) + imm (register relative)

Hardware DLX S for mode = 1 (user):• If vc(va), use translated addresses pmac(va)

instead of va.• Otherwise, exception.

(hardware supplies parameters for page faulthandler)

Hardware Implementation

load,store

DCache

ICache

• Build 2 hardware boxes MMU (memorymanagement unit for fetch and load/store)between CPU and caches

• Show it translates• Done

load,store

DCache

ICache

• Build 2 hardware boxes MMU (memorymanagement unit for fetch and load/store)between CPU and caches

• Show it translates• Done

load,store

DCache

ICache

• Build hardware boxes MMU & a few gates• Identify software conditions• Show MMU translates if software conditions are

met• Show software meets conditions• Almost done

We do not care about translation (purely technical),we care about a simulation theorem.

Simulating DLX V by DLX S

Let c = (RS,PM , SM ) and cV = (RV ,PM , r).Define a projection: cV = Π(c)

• Identical register contents: RV (r) = RS(r)

• Rights in page table:R ∈ r(va) ⇔ rc(va) = 1

W ∈ r(va) ⇔ wc(va) = 1

VM (va) =

PM (pmac(va) if vc(va)

SM (smac(va) otherwise

page(px)

PT (px)

PM cache for virtual memory, PT is cache directory.Handlers (almost!) work accordingly (select victim,write back to SM, swap in from SM)

VM (va) =

PM (pmac(va) if vc(va)

SM (smac(va) otherwise

page(px)

PT (px)

PM cache for virtual memory, PT is cache directory.Handlers (almost!) work accordingly (select victim,write back to SM, swap in from SM)

Software Conditions1. OS code and data structures (PT, sbase,

free space) maintained in system areaSys ⊆ PM

2. OS does not destroy its code & dataTablePage

3. User program (UP) cannot modify Sys(impossibility of hacking)

4. Writes to code section are separated from reads incode section by sync or (syncing) rfe

Standard sync empties pipelined or OoO (out oforder) machine before next instruction is issued.

! Swap in code then user mode fetch= self modification of code by OS & UP

Guaranteeing Software Conditions1. Operating system construction

2. Operating system construction

3. No pages of Sys allocated via PT to UP

4. UP alone not self modifying, handlers end withrfe

Hardware ICPU – memory system – protocol

load / store

DCache

ICache

Cache Miss

Cache Hit

Hardware IIInserting 2 MMUs:

load,store

DCache

ICache

Must obey memory protocol at both sides!

Primitive MMUPrimitive MMU controlled by finite state diagram (FSD)

c.addr[31:2]p.din[31:0]

[31:2]

(r,w,v)

[31:12]

pte[31:0]

c.din[31:0]

[11:0] [31:12]

[31:0]

(p.addr[31:2],0^2)

ptl[19:0] pto[19:0]

0^2 0^12

[31:0]lexcp

ar[31:0]

dr[31:0]

add:arce,addp.busy

p.req &p.t

seta:arce,p.busy

p.req &/p.t

readpte:c.mr,drce

p.busy

/lexcp

c.busy

comppa:arce,p.busy

/c.busy

pteexcp

read:c.mr,drce

p.busy

/pteexcp &p.mr

write:c.mw,p.busy

/pteexcp &p.mw

/c.busy

c.busy

/c.busy

c.busy

p.mr p.mw

MMU CorrectnessLocal translation lemma:Let T and V denote the start and end of a translatedread request, no excp. Let t ∈ {T, . . . , V }.Hypothesis: the following 4 groups of inputs do notchange in cycles t (i.e. X t = XT ):G0 : va = p.addrt, p.rdt, p.wrt, p.reqt

G1 : ptot, ptlt,modet

G2 : PT t

G3 : PM t(pmat(va)

Claim: p.dinV = PM T (pmaT (va))Proof: plain hardware correctness

Guaranteeing Hypotheses Gi

G0 MMU keeps p.busy active during translation

G1 Extra gates: normal sync before issue notenough. If rfe or update to {mode, pto, ptl} inissue stage, stop translation of fetch of nextinstruction.

G3 User program cannot modify Sys . Precedingsystem code terminated (by sync)

G4 Fetch: correct by syncLoad: assumes non-pipelined, in-order memoryunit, extra arguments otherwise

Global Hardware Correctness (fetch)Define scheduling functions I(k, T ) = i: instructionIi is in stage k during cycle T iff (. . . )

• Similar to tag computation• Key concept for hardware verification in SB

Hypothesis: I(fetch, T ) = i, translation from T to V

Claim: IR.dinV = PM iS(pmai

S(DPC iS))

Formal proof: part of PhD thesis project of I. Dalinger(Khabarovsk State Technical University)

Virtual Memory Theorem (SW only!)Consider a computation of DLX S:

Initialisation User Program Handler User Program Handler

c0 cα−1

Initialisation: Π(cαS) = c0

Simulation Step Theorem:

! 2 page faults per instruction possible(fetch & load/store)

Virtual Memory Theorem IIAssume Π(ci

S) = cjV .

Define:

• Same cycle or first cycle after handler:

s1(i) =

i if ¬pff i ∧ ¬pfls i

min{j > i,modej} otherwise

• Cycle after pagefault-free user mode step:

s2(i) =

i + 1 if ¬pff i ∧ ¬pfls i

s1(s1(i)) + 1 otherwise

Claim: Π(cs2(i)S ) = c

LivenessWe must maintain in Sys :MRSI (most recently swapped-in page)

Page fault handler must not evict page MRSI !

Formal proof: PhD thesis project of T. In der Rieden(Saarbrücken)

Translation Look-aside Buffers I1-level lookup: formally caches for PT-region of PM

• Consistency of 4 caches:ICache, DCache, ITLB, DTLB

• Simply invalidate TLBs at mode switch to 1,sufficient by sync conditions

Translation Look-aside Buffers IIMulti-level lookup: TLB is simplified cache hardware:

• Normal cache entry:v = 1 tag PM(tag,c ad)c ad

• TLB entry:v = 1 tag pmat(tag,c ad)c ad

t : time of last sync / rfeInvalidate at mode switch to 1

• No writeback or load of lines• Only ‘cache’ reads and writes of values pma(va)

by MMU

Formal verification trivial from verified cache

Multiuser with Sharing• Easy implementation and proof of protection

properties using right bits r(va) and w(va)

Main Frames I

Proc Proc Proc

Shared Memory

• PM: sequentially consistent shared memory (bycache coherence protocol)

• New software condition: before change of anypage table entry all processors sync

• Sync hardware: some AND trees and driver treesinterfaced with CPUConsidered alone almost completelymeaningless.

Main Frames IITheorem: user programs see sequentially consistentvirtual shared memoryProof: Phases OS - UPs OS UPsGlobal serial schedule:

• in each phase from sequential consistency ofphysical shared memory

• straight forward composition across phases• remaining arguments not changed!

Summary• Mathematical treatment of memory management• Intricate combination of hardware and software

considered• Formalization under way

Future WorkFormal verification of

• compilers,• operating systems,• applications,• communication systems

in industrial context. . .

Future WorkFormal verification of

• compilers,• operating systems,• applications,• communication systems

in industrial context. . .

. . . with a little help from my friends.

Virtual Memory Simulation Theoremsbusserver.cs.uni-sb.de/lehre/vorlesung/info2/... · Virtual...

Documents

An improved spatial span test of visuospatial memory - … · An improved spatial span test of visuospatial memory ... aHuman Cognitive Neurophysiology Laboratory ... Simulation studies

Memory Controller Design for GPU Simulation in Multi2sim

Universit¨at des Saarlandes - math.uni-sb.de

MEG: A RISCV-Based System Simulation Infrastructure for ... · MEG: A RISCV-based System Simulation Infrastructure for Exploring Memory Optimization Using FPGAs and Hybrid Memory

1 Anaphora, Discourse and Information Structure Oana Postolache oana@coli.uni-sb.de EGK Colloquium April 29, 2004

Conservative Simulation using Distributed-Shared Memory

Distributed Simulation Using a Real-Time Shared Memory Network · Distributed Simulation Using a Real-Time Shared Memory Network ... 2) various interprocessor communication ... The

Simulation of Memory Management in Virtual Machinesmwang2/projects/MMU_virtualMachine_11s.pdf · This project will cover topics in multiprocessing, virtualization, and memory management

Distributed Shared Memory for Real Time Hardware in the Loop Simulation

Deep Processing for Restricted Domain QA Yi Zhang Universit ä t des Saarlandes yzhang@coli.uni-sb.de

Surfaces in Computational Physics ECG-Workshop 2003 Surfaces in Computational Physics Andreas Hildebrandt anhi@bioinf.uni-sb.de

ABSTRACT Scalable and Accurate Memory System Simulation

1 Getting Started: C-Revisions and Introduction to Graphics Next: Simulation Essentials, Memory Handling

Generic Software Pipelining at the Assembly Level Markus Pister pister@cs.uni-sb.de

Database Recovery – Heisenbugs, Houdini’s Tricks, and the Paranoia of Science Gerhard Weikum weikum@cs.uni-sb.de (Rationale,

© Gerhard Weikum1 Dependable Workflow Technology Gerhard Weikum University of the Saarland, Germany weikum@cs.uni-sb.de

Conservative Garbage Collection Stephan Lesch January 9, 2002 slesch@studcs.uni-sb.de

Memory Management Computer Architecture IIbusserver.cs.uni-sb.de/lehre/vorlesung/info2/Uebungen/Memory... · Computer Architecture II: Memory Management M.A. Hillebrand, D.C. Leinenbach,

1 Quality of Service Guarantees for Multimedia Digital Libraries and Beyond Gerhard Weikum weikum@cs.uni-sb.de

Phonetic features in ASR: a linguistic solution to acoustic variation? Jacques Koremankoreman@coli.uni-sb.de Bistra Andreevaandreeva @coli.uni-sb.de Attilio