Upload
vodieu
View
224
Download
1
Embed Size (px)
Citation preview
Strong Formal Verification for RISC-VFrom Instruction-Set Manual to RTL
Adam ChlipalaMIT CSAILRISC-V WorkshopNovember 2017
Joint work with: Arvind, Thomas Bourgeat, Joonwon Choi, Ian Clester, Samuel Duchovni, Jamey Hicks, Muralidaran Vijayaraghavan, Andrew Wright
2
A Cartoon View of Digital Hardware Design
Generator
RTL (e.g., Verilog)
Metaprogramming
Physical Layout
Silicon
CAD tools
Quite proprietary magic
3
A Cartoon View of Digital Hardware Design
Generator
RTL (e.g., Verilog)
Metaprogramming
Physical Layout
Silicon
CAD tools
Quite proprietary magic
Formal
Formal
Formal
Formal
Formal
Formal
Formal
Formal
FormalFormal
Formal
Formal Formal
6
Simplification #1: Prove a Shallow Property
If Foo is in this register, then Bar is in that one.
Never Baz here and Qux there at same time.
Commonpractice:prove some
Invariants
7
Simplification #1: Prove a Shallow Property
If Foo is in this register, then Bar is in that one.
Never Baz here and Qux there at same time.
Commonpractice:prove some
Invariantsor Boolean equivalence
check
8
Simplification #1: Prove a Shallow Property
ISA Reference≅
The Kami way:Behavioral refinement of functional spec
10
Simplification #2: Analyze Isolated Components
ProvedProved
The Kami way:Modularly compose proofs of pieces
11
Simplification #2: Analyze Isolated Components
Proved
ProvedProved
The Kami way:Modularly compose proofs of pieces
12
Simplification #2: Analyze Isolated Components
Proved
Proved
ISA Reference
≅Proved
The Kami way:Modularly compose proofs of pieces
14
Simplification #3: Start Over For Each Design
CPU
L1 Cache
Memory
Proved
CPU
L1 Cache
Memory
CPU
L1 Cache
15
Simplification #3: Start Over For Each Design
CPU
L1 Cache
Memory
Proved
CPU
L1 Cache
Memory
CPU
L1 Cache
Proved
CPU
L1 Cache
L2 Cache
CPU
L1 Cache
Memory
CPU
L1 Cache
CPU
L1 Cache
L2 Cache
16
Simplification #3: Start Over For Each Design
CPU
L1 Cache
Memory
Proved
CPU
L1 Cache
Memory
CPU
L1 Cache
Proved
CPU
L1 Cache
L2 Cache
CPU
L1 Cache
Memory
CPU
L1 Cache
CPU
L1 Cache
L2 Cache
Proved
17
Simplification #3: Start Over For Each Design
CPU
L1 Cache
Memory
Proved
CPU
L1 Cache
Memory
CPU
L1 Cache
Proved
CPU
L1 Cache
L2 Cache
CPU
L1 Cache
Memory
CPU
L1 Cache
CPU
L1 Cache
L2 Cache
Proved
The Kami way:Prove once for all parameters
ISA Reference∀ trees. ≅
18
A framework to support implementing, specifying, formally verifying, and compiling hardware designs
based on the Bluespec high-level hardware design language
and the Coq proof assistant
21
The Big Ideas (from Bluespec)
M
f(x) g(y)
Program modules are objectswith mutable private state,accessed via methods.
22
The Big Ideas (from Bluespec)
M
f(x) g(y)
Nh(u)
Ok(v)
Program modules are objectswith mutable private state,accessed via methods.
24
The Big Ideas
M
f(x) g(y)
Every method call appears to execute atomically.Any step is summarized by a trace of calls.
Recv f(1), Send h(2) Recv g(7),
Send k(13)
25
The Big Ideas
M
f(x) g(y)
Every method call appears to execute atomically.Any step is summarized by a trace of calls.Object refinement is inclusion of possible traces.
Recv f(1), Send h(2) Recv g(7),
Send k(13)
M'Refines
f g
27
The Big Ideas
M
f(x) g(y)
Composing objects hides internal method calls.
Recv f(1)Recv g(7), Send k(13)
Nh(u)
28
The Big Ideas
M
f(x) g(y)
Composing objects hides internal method calls.
Recv f(1)Recv g(7), Send k(13)
Nh(u)
Ok(v)
Recv g(7)
29
Some Example Kami Code (simple FIFO)
Definition deq {ty} : ActionT ty dType := Read isEmpty <- ^empty; Assert !#isEmpty; Read eltT <- ^elt; Read enqPT <- ^enqP; Read deqPT <- ^deqP; Write ^full <- $$false; LET next_deqP <- (#deqPT + $1) :: Bit sz; Write ^empty <- (#enqPT == #next_deqP); Write ^deqP <- #next_deqP; Ret #eltT@[#deqPT].
30
An Example Kami Proof (pipelined processor)Lemma p4st_refines_p3st: p4st <<== p3st.Proof. kmodular. - kdisj_edms_cms_ex O. - kdisj_ecms_dms_ex O. - apply fetchDecode_refines_fetchNDecode; auto. - krefl.Qed.
Uses standard Coq ASCII syntax for mathematical proofs.These proofs are checked automatically, just like type checking.We inherit streamlined IDE support for Coq.
32
We Are Building:
Design SpecRefines
Coq tactics to prove refinements
RTL
Compiler
Refines
Verify semantics preservation of
compiler
34
Some Useful Refinement TacticsMonolithic Spec
Sequential Consistency
Decompose1
Decoupled SpecProcessor
Memory
35
Some Useful Refinement TacticsMonolithic Spec
Sequential Consistency
Decompose1
Decoupled SpecProcessor
Memory
Getting RealFancy Processor
Memory
Replace Module2
36
Some Useful Refinement TacticsMonolithic Spec
Sequential Consistency
Decompose1
Decoupled SpecProcessor
Memory
Getting RealFancy Processor
Memory
Replace Module2
Processor
. . . .
37
Some Useful Refinement TacticsMonolithic Spec
Sequential Consistency
Decompose1
Decoupled SpecProcessor
Memory
Getting RealFancy Processor
Memory
Replace Module2
Processor'
Induction/Simulation
3
Processor
. . . .
38
Some Useful Refinement TacticsMonolithic Spec
Sequential Consistency
Decompose1
Decoupled SpecProcessor
Memory
Getting RealFancy Processor
Memory
Replace Module2
Processor'
Induction/Simulation
3
Processor''
Ideal Queue
Decompose4
Processor
. . . .
39
Some Useful Refinement TacticsMonolithic Spec
Sequential Consistency
Decompose1
Decoupled SpecProcessor
Memory
Getting RealFancy Processor
Memory
Replace Module2
Processor'
Induction/Simulation
3
Processor''
Ideal Queue
Decompose4
Processor
. . . .
Processor''
Ring BufferReplace5
=. . . .
40
Key Ingredient
Formal Semantics for RISC-V ISA(s)
Nikhil just explained the semantics style.We are building a translator for the semantics into the language of Coq/Kami.
41
An Open Library of Formally Verified Components
• Microcontroller-class RV32I (multicore; U)• Desktop-class RV64IMA (multicore; U,S,M)• Cache-coherent memory system
Reuse our proofs when composing our components with your own formally verified accelerators!
44
The Promise of this Approach
ISA Formal Semantics
Processor Proved
RTL Formal Semantics
Application Machine Code
Application Specification
45
The Promise of this Approach
ISA Formal Semantics
Processor Proved
RTL Formal Semantics
Application Machine Code
Application Specification
Proved
47
The Trusted Computing Base
Where can defects go uncaught?
Coq proof checker (small & general-purpose)RTL formal semanticsApplication specification
48
The Trusted Computing Base
Where can defects go uncaught?
Coq proof checker (small & general-purpose)RTL formal semanticsApplication specificationISA formal semanticsHardware design (Bluespec, RTL, …)Software implementation (C, …)