Instruction-Level Abstraction (ILA): A Uniform Specification for System-on-Chip (SoC) Verification
Sharad Malik, Princeton University
Jasper User Group Conference, 10/11/2018
Main collaborators: Aarti Gupta, Bo-Yuan Huang, Hongce Zhang, Pramod Subramanyan, Yakir Vizel
Supported in part by the Applications Driving Architectures (ADA) Research Center, a JUMP Center co-sponsored by SRC and DARPA.
Specification and Abstraction: A System-on-Chip (SoC) Verification Perspective
Specifications and Abstractions in Formal Verification
• Specifications
  • Textual
  • Ambiguous
  • Need to be converted to properties
• Properties/Assertions
  • Large set
  • Incomplete
  • Hard to construct
• Abstractions
  • Techniques: variable hiding / predicate abstraction / control abstraction
  • Methodology: manual; counter-example guided abstraction refinement (CEGAR)
Lessons from the ISA Interface (All I needed to know I learned in kindergarten.)
ISA: Instruction Set Architecture
• ISA as HW Abstraction (software view):
  - Software view of hardware
  - Compilation target
  - Defines semantics for SW verification at the lowest level
• ISA as HW Specification (hardware view):
  - Microarchitecture/implementation spec
  - Verification target for microarchitecture/implementation
  - Enables HW upgrades
It’s a whole new accelerator world…
[Figure: Out-of-Core Accelerators in the Apple A8; Maltiel Consulting estimates and our estimates. Sources: Y. Shao, IEEE Micro 2015; www.anandtech.com/show/8562/chipworks-a8]
• Increasing number of accelerators and SW/HW interactions
• Need to verify accelerator implementations
• Need to verify SW with HW interactions
Increasing IP Integration
[Figure: SoC block diagram with CPU, GPU, Cam Ctrl., Touch Ctrl., Flash Ctrl., PTIP and further blocks on the on-chip interconnect]
• Need to verify system integration
And Increasing On-platform FW…
[Figure: the same SoC block diagram, now with a NoC IF, μC, ROM (FW), RAM and HW accelerators on the on-chip interconnect]
• Need to verify FW-HW interactions
Lessons from the ISA Interface, Applied to the Accelerator Context
ILA: Instruction-Level Abstraction
• ILA as HW Specification (hardware view):
  - Microarchitecture/implementation spec
  - Verification target for microarchitecture/implementation
  - Enables HW upgrades
• ILA as HW Abstraction (software view):
  - Software view of hardware
  - Compilation target
  - Defines semantics for SW-HW interaction at the lowest level
  - Defines semantics for verifying system integration
Lessons from the ISA Interface (All I needed to know I learned in kindergarten.)
• ISA as HW Specification (hardware view):
  - Microarchitecture/implementation spec
  - Verification target for microarchitecture/implementation
  - Enables HW upgrades
• ISA as HW Abstraction (software view):
  - Software view of hardware
  - Compilation target
  - Defines semantics for SW verification at the lowest level
Key Characteristics
• Modular specification: a set of instructions
• Relevant abstraction: software-visible architectural state
• Simple specification/abstraction: an architectural state update for each instruction
Instruction-Level Abstraction (ILA)
• ISA-like model:
  • Modular functional specification: a set of instructions
  • A meaningful state abstraction: architectural state
[Figure: AES Encrypt Acc. (state: Counter, Key, Length) attached to the on-chip interconnect; memory-mapped IO interface with the commands START_ENCRYPT = (Write, 0xff00, 0x1) and STORE_KEY = (Write, 0xff10, data)]
• Insight 1: treat commands at the interface as instructions
• Insight 2: clear separation between implementation and specification
• Hierarchical: micro-instructions are one possible implementation
  Instruction: START_ENCRYPT
  Format: BUS Command = (Write, 0xff00, 0x1)
  Semantics (micro-instructions): load block 0, encrypt block 0, write block 0; load block 1, encrypt block 1, write block 1; …
AES Accelerator ILA
Instruction         Description
RD/WR_DataAddr      Get/set address of data to encrypt/decrypt
RD/WR_DataLen       Get/set length of data to encrypt/decrypt
RD/WR_Key0          Get/set key register 0
RD/WR_Key1          Get/set key register 1
RD/WR_KeySel        Get/set key selector
RD/WR_Ctr           Get/set counter for CTR mode
START_ENCRYPT       Start the encryption state machine
GET_STATUS          Poll for completion
ILA Modeling Accelerators
• Gaussian Blur Image Processing [Horowitz group, Stanford]
  • Different levels of abstraction: Halide description → High-level ILA → C++ for HLS → Low-level ILA → RTL implementation
  • Streaming interface
• AES Block Encryption [opencores.org]
  • One specification, different implementations:
    ILA V: Start Encrypt → Block load → Block encrypt → Block store
    ILA C: Start Encrypt → Initiate DMA → load word 1 → load word 2 → load word 3 → …
• Restricted Boltzmann Machine [Carloni group, Columbia]
  • Decomposition of computation from interface protocol: RBM ILA with a Training child-ILA, a Prediction child-ILA and a Data Transfer child-ILA
• Processor ISA
  • RISC-V RV32I base instruction set
  • With privilege instructions and interrupts
Heterogeneity → Homogeneity: a uniform interface for processors and accelerators
Modeling Case Studies
[Table of modeling case studies: ILA model size is comparable to the high-level reference model]
ILA Synthesis Using Templates
• ILA synthesis using program synthesis: make it easy for the designer
• Template: a program with holes
  • Specify architectural state
  • Instructions
  • Operations
• Library of available templates
• Oracle: HW simulator
An Example Template (ALU with registers R0-R7; instruction fields op, imm, opcode):
    SRC1 = choice [R0 … R7, IMM]
    SRC2 = choice [R0 … R7, IMM]
    ADD_RES = SRC1 + SRC2
    SUB_RES = SRC1 - SRC2
    …
    ALU_RES = choice alu_result [ADD_RES, SUB_RES, …]
Synthesis can infer opcodes, immediate bits, register specifiers
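An added Python sketch (not the ILA synthesis tool's code) of the template idea above: the holes SRC1, SRC2 and alu_result are filled by querying a black-box simulator as the oracle and keeping only the fills consistent with its answers. The oracle's hidden behaviour, the 8-bit datapath and the four ALU operations are constructed assumptions.

```python
import itertools
import random

REGS = [f"R{i}" for i in range(8)]
SRC_CHOICES = REGS + ["IMM"]  # SRC1/SRC2 = choice [R0 ... R7, IMM], as in the template
OPS = {"ADD": lambda a, b: (a + b) & 0xFF, "SUB": lambda a, b: (a - b) & 0xFF,
       "AND": lambda a, b: a & b, "OR": lambda a, b: a | b}  # ALU_RES = choice [...]

def template(hole, state):
    """The template program with its holes filled: (src1, src2, alu_result choice)."""
    src1, src2, op = hole
    return OPS[op](state[src1], state[src2])

def hw_oracle(state):
    """Constructed black-box 'HW simulator' standing in for the RTL. Synthesis only
    queries it on chosen inputs; the hidden behaviour here is R3 - IMM (assumed)."""
    return (state["R3"] - state["IMM"]) & 0xFF

def synthesize(oracle, seed=0, max_probe=200):
    """Oracle-guided template synthesis: keep every hole assignment consistent with
    all oracle answers so far; query the oracle on an input where the survivors
    disagree; stop when no such distinguishing input can be found."""
    rng = random.Random(seed)
    cands = list(itertools.product(SRC_CHOICES, SRC_CHOICES, OPS))
    queries = 0
    while True:
        for _ in range(max_probe):  # search for a distinguishing input
            st = {n: rng.randrange(256) for n in SRC_CHOICES}
            if len({template(c, st) for c in cands}) > 1:
                break
        else:
            return cands, queries  # all survivors agree on every probed input
        out = oracle(st)
        queries += 1
        cands = [c for c in cands if template(c, st) == out]  # prune inconsistent fills
```

Each oracle query removes at least one candidate, so the loop terminates; a non-identifiable template (e.g. commutative fills) ends with several mutually equivalent survivors.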
ILA Verification Scenarios
Automated verification techniques based on transition systems
• Verification method
  • ILA vs. FSM (C/RTL/…); ILA vs. ILA
  • Refinement relation between spec/arch state S and FSM/impl. state S': what state to match and when to match it (an ILA instruction f taking S to S_f is matched against the FSM state transitions f+ taking S' to S_f')
  • Leverage processor verification techniques
  • Modular check per instruction: instruction vs. micro-instruction sequence (sequential equivalence checking)
• Application and results
  • Verified AES/RBM/GB accelerators against their ILAs
  • Accelerator upgrades: old vs. new and optimized implementation
  • Found RISC-V Rocket MRET/SRET bug
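As an added illustration (not code from the talk or the ILA tools), a toy Python model tying together the AES accelerator ILA and the per-instruction check above: MMIO commands decode to instructions over architectural state, one implementation refines START_ENCRYPT into per-block micro-instructions, and each instruction is checked modularly against the spec under a refinement relation that matches state once the implementation is idle. The 0xff20/0xff30 register addresses, the initial state and the block-cipher stand-in are assumptions; the cipher is deliberately not AES.

```python
BLOCK = 16  # bytes per block

def toy_block_cipher(key, block):
    """Constructed stand-in for the AES block function (deliberately NOT AES)."""
    return bytes(((b ^ key[i % len(key)]) + i) & 0xFF for i, b in enumerate(block))

class AesIla:
    """Specification-level ILA: architectural state + one atomic update per instruction."""
    def __init__(self, mem):
        self.mem, self.addr, self.length, self.key, self.busy = mem, 0, 0, bytes(16), False
    def decode(self, cmd, addr, data):
        # Insight 1: the bus command is the instruction. 0xff00/0xff10 come from the
        # slides; 0xff20/0xff30 (data address / length registers) are assumed here.
        if cmd == "WR" and addr == 0xff00 and data == 1: return "START_ENCRYPT"
        if cmd == "WR" and addr == 0xff10: return "STORE_KEY"
        if cmd == "WR" and addr == 0xff20: return "WR_DATA_ADDR"
        if cmd == "WR" and addr == 0xff30: return "WR_DATA_LEN"
        if cmd == "RD" and addr == 0xff00: return "GET_STATUS"
        return None  # not an instruction of this ILA: no state update
    def step(self, cmd, addr, data):
        op = self.decode(cmd, addr, data)
        if op == "STORE_KEY": self.key = data
        elif op == "WR_DATA_ADDR": self.addr = data
        elif op == "WR_DATA_LEN": self.length = data
        elif op == "START_ENCRYPT":  # whole buffer encrypted in one instruction
            for a in range(self.addr, self.addr + self.length, BLOCK):
                self.mem[a:a + BLOCK] = toy_block_cipher(self.key, self.mem[a:a + BLOCK])
        return int(self.busy) if op == "GET_STATUS" else None

class AesImpl(AesIla):
    """Implementation: START_ENCRYPT is hierarchical, one block per micro-step."""
    def step(self, cmd, addr, data):
        if self.decode(cmd, addr, data) != "START_ENCRYPT":
            return super().step(cmd, addr, data)
        self.busy, self.block = self.length > 0, 0
    def micro_step(self):
        a = self.addr + self.block * BLOCK  # micro-instructions for block i:
        self.mem[a:a + BLOCK] = toy_block_cipher(self.key, self.mem[a:a + BLOCK])  # load, encrypt, store
        self.block += 1
        self.busy = self.block * BLOCK < self.length

def check_instruction(cmd, addr, data, mem, length=32):
    """Modular check: spec takes one step, impl runs until idle, then the
    architectural state is compared (refinement relation: match when not busy)."""
    spec, impl = AesIla(bytearray(mem)), AesImpl(bytearray(mem))
    for m in (spec, impl):
        m.key, m.addr, m.length = bytes(range(16)), 0x100, length  # constructed init state
    spec.step(cmd, addr, data); impl.step(cmd, addr, data)
    while impl.busy: impl.micro_step()
    return (spec.mem, spec.key, spec.addr, spec.length) == (impl.mem, impl.key, impl.addr, impl.length)
```

Bus commands that decode to no instruction leave both models unchanged, so the check also confirms that unlisted MMIO writes cannot alter architectural state.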
Verification Case Studies
[Table of verification case studies: verification against the architectural spec of the accelerator/processor]
GPU ILA Model
• PTX ISA [ICCAD 18]: more stable than the CUDA API
• Application: data race checker, with improved scalability and accuracy
[Figure: PTX ILA model; per-thread model with states pc, tid, r1 …; other threads and other blocks; block-level state: acq-rel guard, bar status, bar enter/exit, shared mem pointer; global mem and parameter pointer]
• Example: Rodinia test suite [Che, Boyer, Meng et al. IISWC 2014]: identified 4 bugs out of 15 kernels
HW-SW and HW-FW Verification
• Co-verification is notoriously hard
• Replace MMIO instructions with the corresponding ILA instructions; reduce to SW verification
• Case study on an industrial SoC Secure Boot implementation [DAC 18]
  • Explore an attack where commands can be spoofed in the absence of access-control protection
  • Prove command integrity when its mitigation is deployed
Beyond Processors and Accelerators (Ongoing)
• Interconnect/NoC: an ILA instruction on one side becomes a state update of the on-chip interconnect ILA
• Memory Controller: off-chip memory controller with instructions store, load, …
• Analog/Mixed-Signal (with M. Horowitz): digital interface to the AMS block; AMS instructions with appropriate modeling of the state update
  [Figure: digital IF driving AMS blocks DC1, DC2, DC3]
ILA vs. CEGAR
• CEGAR: Counter-Example Guided Abstraction Refinement
• CEGAR review:
  (1) Compute abstraction
  (2) Check abstraction: if no error, done (property is valid); else produce a counterexample
  (3) Check feasibility of the counterexample: if feasible, property is violated
  (4) Else refine the abstraction
ILA vs. CEGAR (Counter-Example Guided Abstraction Refinement)
• ILA, top-down:
  • Architecture-state-based abstraction
  • Instructions and state updates
  • Derived from: high-level models, simulation, human insights
  • Usage: specification for hardware; abstraction for programs
• CEGAR, bottom-up:
  • Property-directed abstraction
  • Iteratively refining
  • Techniques: variable hiding, predicate abstraction, nondeterminism, etc.
  • Derived from: a known transition relation (e.g., an existing Verilog implementation)
  • Usage: general verification technique for improving scalability
Key Takeaways: ILAs for accelerators and what they enable
ILA: Instruction-Level Abstraction
• ILA as HW Specification (hardware view):
  - Microarchitecture/implementation spec
  - Verification target for microarchitecture/implementation
  - Enables HW upgrades
• ILA as HW Abstraction (software view):
  - Software view of hardware
  - Compilation target
  - Defines semantics for SW-HW interaction at the lowest level
  - Defines semantics for verifying system integration
Publications
• A Formal Instruction-Level GPU Model for Scalable Verification. International Conference on Computer-Aided Design (ICCAD), 2018.
• ILA-MCM: Integrating Memory Consistency Models with Instruction-Level Abstractions for Heterogeneous System-on-Chip Verification. Formal Methods in Computer-Aided Design (FMCAD), 2018.
• Formal Security Verification of Concurrent Firmware in SoCs using Instruction-Level Abstraction for Hardware. Design Automation Conference (DAC), 2018.
• Instruction-Level Abstraction (ILA): A Uniform Specification for System-on-Chip (SoC) Verification. arXiv:1801.01114. Accepted for publication, ACM Transactions on Design Automation of Electronic Systems (TODAES), 2018.
• Template-based Parameterized Synthesis of Uniform Instruction-Level Abstractions for SoC Verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), 2017.
• Specification and Modeling for Systems-on-Chip Security Verification. Design Automation Conference (DAC), 2016.
• Verifying Information Flow Properties of Firmware using Symbolic Execution. Design, Automation, and Test in Europe (DATE), 2016.
• Template-based Synthesis of Instruction-Level Abstractions for SoC Verification. Formal Methods in Computer-Aided Design (FMCAD), 2015.
Shameless Ad
• Research group opening for a Research Engineer on this project
  • Location: Princeton or Stanford
  • Experience with formal verification
  • Experience with programming (C/C++/Verilog)
  • Interest in research!
• Contact: sharad@princeton.edu
- Slides: 25