Skip to main content
SpringerLink
Log in

Automatic generation of inductive invariants from high-level microarchitectural models of communication fabrics

  • Published:
Formal Methods in System Design Aims and scope Submit manuscript

Abstract

Abstract microarchitectural models of communication fabrics present a challenge for verification. Due to the presence of deep pipelining, a large number of queues and distributed control, the state space of such models is usually too large for enumeration by protocol verification tools such as Murphi. On the other hand, we find that state-of-the-art rtl model checkers such as abc have poor performance on these models since there is very little opportunity for localization and most of the recent capacity advances in rtl model checking have come from better ways of discarding the irrelevant parts of the model. In this work we explore a new approach for verifying these models where we capture a model at a high level of abstraction by requiring that it be described using a small set of well-defined microarchitectural primitives. We exploit the high level structure present in this description, to automatically strengthen some classes of properties, in order to make them 1-step inductive, and then use an rtl model checker to prove them. In some cases, even if we cannot make the property inductive, we can dramatically reduce the number and complexity of lemmas that are needed to make the property inductive.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. Our queues are always fifo i.e. first-in-first-out.

  2. Henceforth we only mention the value parameters of a component and leave the type parameters implicit.

  3. When o.irdy is false, o.data is a don’t care. But for brevity in the equations, we always assign to o.data rather than only when o.irdy is asserted.

  4. By “v↦(v=0)” we mean the function that is 1 iff the input is equal to 0, i.e. the function λv.(v=0) using λ notation.

  5. Even with general joins there is an easy case. If p is a property such that p′=ph depends on only one variable, then it suffices to propagate p′ along the corresponding input.

  6. Assuming that the (local) assertions G(num ≤ k) for each queue have already been added.

  7. A typical example of such a system would be when separate virtual channels are used for req and rsp in Fig. 3 to avoid deadlock.

  8. To check for adequate buffering to avoid deadlocks.

References

  1. Baumgartner J et al. (2009) Scalable conditional equivalence checking: An automated invariant-generation based approach. In: MCAD 2009, pp 120–127

    Google Scholar 

  2. Benveniste A et al. (2003) The synchronous language twelve years later. Proc IEEE 91(1):64–83

    Article  Google Scholar 

  3. Berkeley Logic Synthesis Group. http://www.eecs.berkeley.edu/~alanmi/abc/

  4. Bjørner N, Browne A, Manna Z (1997) Automatic generation of invariants and intermediate assertions. Theor Comput Sci 173(1):49–87

    Article  Google Scholar 

  5. Bradley AR (2011) SAT-based model checking without unrolling. In: VMCAI 2011, pp 70–87

    Google Scholar 

  6. Chatterjee S, Kishinevsky M, Ogras UY (2010) Quick formal modeling of communication fabrics to enable verification. In: HLDVT 2010, pp 42–49

    Google Scholar 

  7. Colom JM, Silva M (1991) Convex geometry and semiflows in P/T nets. In: Proc. of Appl. and Theory of Petri Nets, pp 79–112

    Google Scholar 

  8. Corman TH et al. (1990) Introduction to algorithms, 2nd edn. MIT Press, Cambridge

    Google Scholar 

  9. Dally WJ, Towles B (2004) Principles and practices of interconnection networks. Morgan Kaufmann, San Mateo

    Google Scholar 

  10. Eén N, Mishchenko A, Brayton R (2011) Efficient implementation of property directed reachability, IWLS’11

  11. Gotmanov A, Chatterjee S, Kishinevsky M (2011) Verifying deadlock freedom of communication fabrics. In: VMCAI 2011, pp 214–231

    Google Scholar 

  12. Hoare CAR (1969) An axiomatic basis for computer programming. Commun ACM 12(10):576–580, 583

    Article  MATH  Google Scholar 

  13. Jhala R, McMillan KL (2001) Microarchitecture verification by compositional model checking. In: CAV 2011, pp 396–410

    Google Scholar 

  14. Kaivola R et al. (2009) Replacing testing with formal verification in Intel Core i7 processor execution engine validation. In: CAV 2009, pp 414–429

    Google Scholar 

  15. Sheeran M, Singh S, Stålmarck G (2000) Checking safety properties using induction and a SAT-solver. In: FMCAD 2000. LNCS, vol 1954.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Two Sigma Investments LLC, New York, NY, 10012, USA

    Satrajit Chatterjee

  2. Intel Corporation, Hillsboro, OR, 97124, USA

    Michael Kishinevsky

Authors
  1. Satrajit Chatterjee
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Michael Kishinevsky
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Satrajit Chatterjee.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Chatterjee, S., Kishinevsky, M. Automatic generation of inductive invariants from high-level microarchitectural models of communication fabrics. Form Methods Syst Des 40, 147–169 (2012). https://doi.org/10.1007/s10703-011-0134-0

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10703-011-0134-0

Keywords

Search

Navigation