Modular Deductive Verification of Multiprocessor Hardware Designs

Vijayaraghavan, Muralidaran; Chlipala, Adam; Arvind, .; Dave, Nirav

doi:10.1007/978-3-319-21668-3_7

Cited by 28 publications

(24 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Implementations of atomic memory systems are well understood and used pervasively in practice. For example, a coherent write-back cache hierarchy with a MSI/MESI protocol can be an atomic memory system [32], [33]. In such a cache hierarchy, the moment a store request is written to the L1 data array corresponds to processing the store instantaneously in the monolithic memory abstraction; and the moment a load request gets its value corresponds to the instantaneous processing of the load in the monolithic memory.…”

Section: B Atomic Versus Non-atomic Memorymentioning

confidence: 99%

Constructing a Weak Memory Model

Zhang¹,

Vijayaraghavan²,

Wright³

et al. 2018

2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA)

Self Cite

View full text Add to dashboard Cite

Weak memory models are a consequence of the desire on part of architects to preserve all the uniprocessor optimizations while building a shared memory multiprocessor. The efforts to formalize weak memory models of ARM and POWER over the last decades are mostly empirical -they try to capture empirically observed behaviors -and end up providing no insight into the inherent nature of weak memory models. This paper takes a constructive approach to find a common base for weak memory models: we explore what a weak memory would look like if we constructed it with the explicit goal of preserving all the uniprocessor optimizations. We will disallow some optimizations which break a programmer's intuition in highly unexpected ways. The constructed model, which we call General Atomic Memory Model (GAM), allows all four load/store reorderings. We give the construction procedure of GAM, and provide insights which are used to define its operational and axiomatic semantics. Though no attempt is made to match GAM to any existing weak memory model, we show by simulation that GAM has comparable performance with other models. No deep knowledge of memory models is needed to read this paper.

show abstract

Section: B Atomic Versus Non-atomic Memorymentioning

confidence: 99%

Constructing a Weak Memory Model

Zhang¹,

Vijayaraghavan²,

Wright³

et al. 2018

2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA)

Self Cite

View full text Add to dashboard Cite

show abstract

“…A request issued to port i may be from a load instruction in the ROB of P i or a store in the store buffer of P i. In conventional coherence protocols, all memory requests can be serialized, i.e., each request can be considered as taking effect at some time point within its processing period [57]. For example, consider the non-stalling MSI directory protocol in the Primer by Sorin et al [58,Chapter 8.7.2].…”

Section: Wmm Implementationmentioning

confidence: 99%

Weak Memory Models: Balancing Definitional Simplicity and Implementation Flexibility

Zhang

Vijayaraghavan²,

Arvind

2017

2017 26th International Conference on Parallel Architectures and Compilation Techniques (PACT)

Self Cite

View full text Add to dashboard Cite

The memory model for RISC-V, a newly developed open source ISA, has not been finalized yet and thus, offers an opportunity to evaluate existing memory models. We believe RISC-V should not adopt the memory models of POWER or ARM, because their axiomatic and operational definitions are too complicated. We propose two new weak memory models: WMM and WMM-S, which balance definitional simplicity and implementation flexibility differently. Both allow all instruction reorderings except overtaking of loads by a store. We show that this restriction has little impact on performance and it considerably simplifies operational definitions. It also rules out the out-of-thin-air problem that plagues many definitions. WMM is simple (it is similar to the Alpha memory model), but it disallows behaviors arising due to shared store buffers and shared write-through caches (which are seen in POWER processors). WMM-S, on the other hand, is more complex and allows these behaviors. We give the operational definitions of both models using Instantaneous Instruction Execution (I 2 E), which has been used in the definitions of SC and TSO. We also show how both models can be implemented using conventional cache-coherent memory systems and out-of-order processors, and encompasses the behaviors of most known optimizations. Keywords-weak memory model• Single-copy atomic: a store becomes visible to all processors at the same time, e.g., in SC. • Multi-copy atomic: a store becomes visible to the issuing processor before it is advertised simultaneously to all other processors, e.g., in TSO and Alpha [5]. • Non-atomic (or non-multi-copy-atomic): a store becomes visible to different processors at different times, e.g., in POWER and ARM.Multi-copy atomic stores are caused by the store buffer or write-through cache that is private to each processor. Non-atomic stores arise (mostly) because of the sharing of a store buffer or a write-through cache by multiple processors, and such stores considerably complicate the formal definitions [7], [8]. WMM is an Alpha-like memory model which permits only multi-copy atomic stores and thus, prohibits shared store buffers or shared write-through caches in implementations. WMM-S is an ARM/POWERlike memory model which admits non-atomic stores. We will present the implementations of both models using out-oforder (OOO) processors and cache-coherent memory systems.In particular, WMM and WMM-S allow the OOO processors in multicore settings to use all speculative techniques which are valid for uniprocessors, including even the load-value arXiv:1707.05923v2 [cs.PL] 18 Sep 2018 Atomic Memory … Processor Reg State … (a) SC Atomic Memory … Processor Reg State Store Buffer … (b) TSO/PSO Atomic Memory … Processor Reg State Store Buffer Inv Buffer … TSO-Nm (non-memory execution)Predicate: The next instruction of a processor is a non-memory instruction. Action: Instruction is executed by local computation. TSO-Ld (load execution) Predicate: The next instruction of a processor is a load. Action: Assume the load address is a. The lo...

show abstract

“…The next challenge is choosing the right kind of correctness theorem to ascribe to the components of a system, so that the individual theorems can be composed in a black-box way into full-system results. Here we follow our previous work [Vijayaraghavan et al 2015] in adapting ideas from process algebra. We formalize hardware components as labeled transition systems, with an interaction-centric operational semantics that helps us reason about each component individually while abstracting over its environment.…”

Section: Introductionmentioning

confidence: 99%

“…We formalize hardware components as labeled transition systems, with an interaction-centric operational semantics that helps us reason about each component individually while abstracting over its environment. Our previous work [Vijayaraghavan et al 2015] suffers from one of the problems we mentioned earlier: it applies only to models of real hardware designs, with no path toward extraction-style generation of synthesizable circuits. We previously applied a manual and error-prone process to example hardware designs, formalizing each one directly as an inductive relation in Coq.…”

Section: Introductionmentioning

confidence: 99%

Kami: a platform for high-level parametric hardware specification and its modular verification

Choi

Vijayaraghavan

Sherman

et al. 2017

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

It has become fairly standard in programming-languages research to verify functional programs in proof assistants using induction, algebraic simplification, and rewriting. In this paper, we introduce Kami, a Coq library that uses labeled transition systems to enable similar expressive and modular reasoning for hardware designs expressed in the style of the Bluespec language. We can specify, implement, and verify realistic designs entirely within Coq, ending with automatic extraction into a pipeline that bottoms out in FPGAs. Our methodology has been evaluated in a case study verifying an infinite family of multicore systems, with cache-coherent shared memory and pipelined cores implementing (the base integer subset of) the RISC-V instruction set. CCS Concepts: • Hardware → Theorem proving and SAT solving; Hardware description languages and compilation; High-level and register-transfer level synthesis;

show abstract

Modular Deductive Verification of Multiprocessor Hardware Designs

Cited by 28 publications

References 32 publications

Constructing a Weak Memory Model

Constructing a Weak Memory Model

Weak Memory Models: Balancing Definitional Simplicity and Implementation Flexibility

Kami: a platform for high-level parametric hardware specification and its modular verification

Contact Info

Product

Resources

About