Verification of refinements in rule-based designs Nirav Dave, Myron - - PDF document

verification of refinements in rule based designs
SMART_READER_LITE
LIVE PREVIEW

Verification of refinements in rule-based designs Nirav Dave, Myron - - PDF document

Mar 04, 2024 35 likes •125 views

Verification of refinements in rule-based designs Nirav Dave, Myron King, Arvind (MIT) Michael Katelman, Jose Meseguer (Illinois) WG 2.8, Marble Falls, TX March 11, 2010 1 A typical RTL design What if we change the implementation of the

slide-1
SLIDE 1

1

Verification of refinements in rule-based designs

Nirav Dave, Myron King, Arvind (MIT) Michael Katelman, Jose’ Meseguer (Illinois) WG 2.8, Marble Falls, TX March 11, 2010

1

A typical RTL design

What if we change the implementation of the filter with a different latency?

2

slide-2
SLIDE 2

2

Problem in refinement

The correctness of thi bl k d d this block depends on the latency of the rest of the system

3

img data

Latency-Insensitive design

Edger Memory 1

rdResp

g Detector 1 Merge Image VGA Controller Video Controller RdReq Generator

wrReq rdReq rdReq rdResp RGB

Memory 2

rdResp (img data)

Such latency-insensitive designs are much more amenable to modular refinement

4

Wrap peripherals with handshake interface for reusability

slide-3
SLIDE 3

3

Refinements inside a block

5

r1 r2

Limitations of FSM-equivalence preserving refinements

yi = f1(xi; r1i); 1 0 1

f1 f2 r1 r2 x z y

r10 = 0; r1i+ 1 = yi; zi = f2(yi; r2i); r20 = 0; r2i+ 1 = zi; Produces the same z

6

f1 f2 r1 r2 x z y y’

shifted by one clock The two FSMs are not equal

slide-4
SLIDE 4

4

r1 r2

A rule-based description

prod-cons f1 f2 r1 r2 x z y inQ

  • utQ

register r1 = 0, r2 = 0 inQ, outQ

7

rule producer-consumer when (!inQ.empty && !outQ.full): let x = inQ.first; let y = f1(x,r1); let z = f2(y,r2); r1 : = y; r2 : = z

  • utQ.enq(z); inQ.deq;

r1 r2

Rules for the Refined System

register r1 = 0, r2 = 0 fifo q, inQ, outQ prod cons f1 f2 r1 r2 x z y y’ inQ

Can be implemented by many different FSMs

8

rule consume when (!q.empty && !outQ.full): let y = q.first; let z = f2(y,r2);

  • utQ.enq(z); q.deq;

r2 : = z; rule produce when (!q.full && !inQ.empty): let x = inQ.first; let y = f1(x,r1); q.enq(y); inQ.deq; r1 : = y

slide-5
SLIDE 5

5

Schedules

The semantics of rule-based systems

  • nly dictates that an execution must
  • nly dictates that an execution must

conform to some sequential execution

  • f rules

The compiler tries to execute in each cycle as many of the enabled rules as possible without violating the semantics possible without violating the semantics Each schedule results in a different FSM

9

Back to our example

The one rule system has only one schedule but the refined system has many

rule consume when (!q.empty && !outQ.full): let y = q.first; let z = f2(y,r2);

  • utQ.enq(z); q.deq;

r2 : = z; rule produce when (!q.full && !inQ.empty): let x = inQ.first; let y = f1(x,r1); q.enq(y); inQ.deq; r1 : = y

S h d l y y

10

Some schedules prod; cons; prod; cons; prod; cons; … prod; prod; cons; prod; cons; prod; cons; … prod; prod; cons; cons; prod; prod; … prod; (prod| cons); (prod| cons); (prod| cons); …

slide-6
SLIDE 6

6

In what sense are these two systems the same?

rule producer-consumer when (!inQ.empty && !outQ.full): let x = inQ.first; let y = f1(x,r1); let z = f2(y,r2); r1 : = y; r2 : = z

  • utQ.enq(z); inQ.deq;

register r1 = 0, r2 = 0 inQ, outQ register r1 = 0, r2 = 0 fifo q, inQ, outQ Original System Refined System same set

  • f

behaviors?

11

rule consume when (!q.empty && !outQ.full): let y = q.first; let z = f2(y,r2);

  • utQ.enq(z); q.deq;

r2 : = z; rule produce when (!q.full && !inQ.empty): let x = inQ.first; let y = f1(x,r1); q.enq(y); inQ.deq; r1 : = y

Same set of behaviors?

A set of rules defines a transition system A behavior is the sequence of values assumed A behavior is the sequence of values assumed by the state variables (r1, r2, inQ, outQ, q) as a consequence of rule executions In order to relate two systems we have to define “related” states of the two systems

 The state of the two system should be related when

q is empty (The designer specifies this) q p y ( g p )

Proof burden ?

12

slide-7
SLIDE 7

7

Strong stuttering simulation

refined s1 --> … . --> s2

Show that if the two systems start out in the l t bl t t d th fi d t

| | | related | related | | t1 --> … . --> t2

  • riginal

same relatable state and the refined systems gets into a relatable state then there exists transitions in the original system that can get to an equivalent related state.

13

Can be done using a SMT solver

The tool

The tool we have built shows that either the refinement is correct or produces a behavior refinement is correct or produces a behavior that it is unable to reproduce in some bounded amount of time on the original system Wonderful as a debugging aid because works in tens of seconds for many examples we have tried

14

p Most complex example: refining a 4 stage processor pipeline into a 5 stage pipleline

slide-8
SLIDE 8

8

Non-determinism: Adding an Observer rule

  • bserve

f1 f2 r1 r2 x z y inQ

  • utQ
  • bsQ

f3 prod-cons x z y

15

1 2

Wrong refinement

cons prod

  • bser

f1 f2 r1 r2 x z y inQ

  • utQ
  • bsQ

f3 cons prod

16

slide-9
SLIDE 9

9

Correct refinement 1

prod

  • bsv

f1 f2 r1 r2 x z y inQ

  • utQ
  • bsQ

f3 cons prod

17

r1 r2 r1p

Correct refinement 2

cons prod

  • bser

f1 f2 r1 r2 x z y inQ

  • utQ
  • bsQ

f3 r1p y’

  • 18

Thanks