Getting Formal Verification into Design Flow

Arvind, .; Dave, Nirav; Katelman, Michael

doi:10.1007/978-3-540-68237-0_2

Cited by 18 publications

(9 citation statements)

References 34 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even relatively simple protocols (e.g., MSI, MESI) introduce many transient states that are not explicit in the higher-level protocol [3], and writing testbenches that exercise all the reachable transient states is an arduous task. Significant modeling simplifications must be made to make exploring the state space tractable [1], and even formally verifying a given protocol on a few cores gives no confidence that it will work on 100.…”

Section: Verification Complexitymentioning

confidence: 99%

“…Since the state space explodes exponentially as the distributed directories and the number of cores grow, it is virtually impossible to cover all scenarios during verification either by simulation or by formal methods [18]. Unfortunately, verifying small subsystems does not guarantee the correctness of the entire system [3]. In modern CMPs, errors in cache coherence are one of the leading bug sources in the post-silicon debugging phase [6].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Execution Migration Machine: Directoryless Shared-Memory Architecture

et al. 2015

View full text Add to dashboard Cite

Distributed directory cache coherence protocols for current many-core CMPs are not only difficult and error-prone to implement and verify, but also provide suboptimal performance when a thread requires access to large amounts of data distributed across the chip: the data must be brought to the core where the thread is running, incurring delays and energy costs. In this paper, we propose an approach based on the combination of partial-context thread migration and a directory-free remote access protocol: for these kinds of applications, our architecture can outperform directory-based cache coherence. In addition, unlike with distributed cache coherence protocols, the verification complexity of our architecture does not grow with the number of cores.

show abstract

Section: Verification Complexitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

The Execution Migration Machine: Directoryless Shared-Memory Architecture

et al. 2015

View full text Add to dashboard Cite

show abstract

“…The response to a given request is determined by the state of all actors in the system (for example, when one cache requests write access to a cache line, any cache containing that line must be sent an invalidate message); moreover, the indirections involved and the nondeterminism inherent in the relative timing of events requires a coherence protocol implementation to introduce many transient states that are not explicit in the higher-level protocol. This causes the number of actual states in even relatively simple protocols (e.g., MSI, MESI) to explode combinatorially [4], and results in complex cooperating state machines driving each cache and directory [2]. In fact, one of the main sources of bugs in such protocols is reachable transient states that are missing from the protocol definition, and fixing them often requires non-trivial modifications to the high-level specification.…”

Section: B System Verificationmentioning

confidence: 99%

“…In order to support shared-memory, current commodity multicore CMPs maintain coherence among private (per-core) caches using distributed directory coherence protocols. The design of even a simple coherence protocol, however, is not trivial [2]; more significantly, since the state space explodes combinatorially as the number of cores grows, many researchers have found implementing distributed directories in hardware and verifying them to be extremely difficult and not scalable [3], [4], [5], [6], [7]. Covering the entire space is impractical at even large and well-funded design houses, and verifying only small subsystems does not guarantee the correctness of the entire system [4], [6]; indeed, in modern CMPs, errors in cache coherence are one of the leading bug sources in the post-silicon debugging phase [5], and occasionally survive in chips already on the market [8].…”

Section: Introductionmentioning

confidence: 99%

Design tradeoffs for simplicity and efficient verification in the Execution Migration Machine

Shim

Lis

Cho

et al. 2013

2013 IEEE 31st International Conference on Computer Design (ICCD)

View full text Add to dashboard Cite

Abstract-As transistor technology continues to scale, the architecture community has experienced exponential growth in design complexity and significantly increasing implementation and verification costs. Moreover, Moore's law has led to a ubiquitous trend of an increasing number of cores on a single chip. Often, these large-core-count chips provide a shared memory abstraction via directories and coherence protocols, which have become notoriously error-prone and difficult to verify because of subtle data races and state space explosion. Although a very simple hardware shared memory implementation can be achieved by simply not allowing ad-hoc data replication and relying on remote accesses for remotely cached data (i.e., requiring no directories or coherence protocols), such remote-access-based directoryless architectures cannot take advantage of any data locality, and therefore suffer in both performance and energy.Our recently taped-out 110-core shared-memory processor, the Execution Migration Machine (EM²), establishes a new design point. On the one hand, EM² supports shared memory but does not automatically replicate data, and thus preserves the simplicity of directoryless architectures. On the other hand, it significantly improves performance and energy over remoteaccess-only designs by exploiting data locality at remote cores via fast hardware-level thread migration. In this paper, we describe the design choices made in the EM² chip as well as our choice of design methodology, and discuss how they combine to achieve design simplicity and verification efficiency. Even though EM² is a fairly large design-110 cores using a total of 357 million transistors-the entire chip design and implementation process (RTL, verification, physical design, tapeout) took only 18 manmonths.

show abstract

“…Despite efforts to optimize these tools, even configurations with only a few cores saturate state-of-the-art formal verification tools and only small systems can be formally verified. Unfortunately, there is currently no guarantee that the correctness of a small system implies the correctness of a much bigger system [3]. In this sense, even if we have a formally verified cache coherence protocol with 4 cores, we cannot trust that it is bug-free if we implement it for a 64-core system.…”

Section: Introductionmentioning

confidence: 99%