End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification...

34
ARMResearch End-to-End Verification of ARM ® Processors with ISA-Formal Alastair Reid , Rick Chen, Anastasios Deligiannis, David Gilday, David Hoyes, Will Keen, Ashan Pathirane, Owen Shepherd, Peter Vrabel, Ali Zaidi alastair.reid@arm.com @alastair_d_reid

Transcript of End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification...

Page 1: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

End-to-End Verification of ARM®

Processors with ISA-Formal

Alastair Reid, Rick Chen, Anastasios Deligiannis, David Gilday, David Hoyes, Will Keen, Ashan Pathirane, Owen Shepherd, Peter Vrabel, Ali Zaidi

[email protected]@alastair_d_reid

Page 2: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Scale

Large Specifications

Large Implementations

2

Page 3: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Checking an instruction

3

ADD

Page 4: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Checking an instruction

3

ADDCMPLDR STRBNE

Context

Page 5: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 4

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

Page 6: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 4

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

πpre

πpost

Page 7: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 4

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

πpre

πpost

Pre Post_spec

Post_cpu

Spec ==?

Page 8: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Errors ISA-Formal can catch

• Errors in decode

• Errors in data path

• Errors in forwarding logic

• Errors in register renaming

• Errors in exception handling

• Errors in speculative execution

5

NoContext

Context

{

{

Page 9: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Specifying ADD

assign ADD_retiring = (pre.opcode & 16'b1111_1110_0000_0000) == 16'b0001_1000_0000_0000;assign ADD_result = pre.R[pre.opcode[8:6]] + pre.R[pre.opcode[5:3]];assign ADD_Rd = pre.opcode[2:0];

assert property (@(posedge clk) disable iff (~reset_n) ADD_retiring |-> (ADD_result == post.R[ADD_Rd]));

6

Page 10: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA Formal

• Finds complex bugs in processor pipelines

• Applied to wide range of μArchitectures

• Uses translation of ARM’s internal ISA specification

7

Page 11: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 8

Page 12: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 8

Page 13: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Challenges

• Complex Functional Units• FP• Memory

• Dual Issue• Instruction Fusion• Register Renaming• Out-of-order Retire

9

Page 14: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 10

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

Page 15: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 11

Page 16: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 11

MemoryTLB

Prefetch

PTW

Coherence

Cache

Page 17: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 11

MemoryTLB

Prefetch

PTW

Coherence

Cache

FPUFMUL

FADD FDIV

FSQRT

Page 18: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 12

Memory

R0-

R15DecodeFetch

R0-

R15

Memory

FPU

Page 19: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

FP Subset Behaviour

13

-∞ -1 0 1 ∞-∞ -∞ -∞ -∞ -∞

-1 -∞ -1 0 ∞0 -∞ -1 0 1 ∞1 -∞ 0 1 ∞∞ ∞ ∞ ∞ ∞

FPAdd

Page 20: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA Formal

• Finds complex bugs in processor pipelines

• Applied to wide range of μArchitectures

• Uses translation of ARM’s internal ISA specification

14

Page 21: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

15

ADC ADD B … YIELDR[] ✔

NZCVSPPC

S[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

Page 22: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

16

ADC ADD B … YIELDR[] ✔

NZCVSP ✔

PCS[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

Page 23: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

17

ADC ADD B … YIELDR[] ✔ ✔

NZCVSP ✔

PC ✔

S[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

Page 24: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

18

ADC ADD B … YIELDR[] ✔ ✔ ✔

NZCV ✔

SP ✔ ✔

PC ✔

S[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

Page 25: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

But this is slowand inconsistent

19

Page 26: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

20

ADC ADD B … YIELDR[] ✔ ✔ ✔ ✔ ✔

NZCVSPPC

S[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

Page 27: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

21

ADC ADD B … YIELDR[] ✔ ✔ ✔ ✔ ✔

NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

Page 28: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

22

ADC ADD B … YIELDR[] ✔ ✔ ✔ ✔ ✔

NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[] ✔ ✔ ✔ ✔ ✔

FPSR ✔ ✔ ✔ ✔ ✔

MemReadMemWriteSysRegRW

ELRESR…

Page 29: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

23

ADC ADD B … YIELDR[] ✔ ✔ ✔ ✔ ✔

NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[] ✔ ✔ ✔ ✔ ✔

FPSR ✔ ✔ ✔ ✔ ✔

MemRead ✔ ✔ ✔ ✔ ✔

MemWrite ✔ ✔ ✔ ✔ ✔

SysRegRWELRESR…

Page 30: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

ISA-Formal Properties

24

ADC ADD B … YIELDR[] ✔ ✔ ✔ ✔ ✔

NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[] ✔ ✔ ✔ ✔ ✔

FPSR ✔ ✔ ✔ ✔ ✔

MemRead ✔ ✔ ✔ ✔ ✔

MemWrite ✔ ✔ ✔ ✔ ✔

SysRegRW ✔ ✔ ✔ ✔ ✔

ELR ✔ ✔ ✔ ✔ ✔

ESR ✔ ✔ ✔ ✔ ✔

Page 31: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Automation

25

CombinationalVerilog

ASL to Verilog

ArchitectureSpecification

Specialize Monomorphize

Constant Propagation Width Analysis

Exception Handling …

Page 32: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch 26

Page 33: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

ARMResearch

Summary• Finds complex bugs in processor pipelines

• Complete RTL, not just model

• Bug absence not being proved (yet)

• Applied to wide range of μArchitectures• 3 trials, 6 full deployments.

• Uses translation of ARM’s internal ISA specification• Public release of ISA spec this fall in collaboration w/ Cambridge University

• “Trustworthy Specifications of ARM® v8-A and v8-M System Level Architecture,” to appear, FMCAD 2016

27

Page 34: End-to-End Verification of ARM Processors with ISA-Formal · ARMResearch End-to-End Verification of ARM® Processors with ISA-Formal Alastair Reid, Rick Chen, Anastasios Deligiannis,

End

28

[email protected]@alastair_d_reid


Runtime Power Monitoring in High-End Processors: Methodology and Empirical Data

Runtime Power Monitoring in High-End Processors: Methodology and Empirical Data

Formal verification - cl.cam.ac.uk

Formal verification - cl.cam.ac.uk

Software Verification and Testing - Sheffieldstaff• verification presupposes formal program semantics; testing does not • verification often based on abstraction, thus also

Software Verification and Testing - Sheffieldstaff• verification presupposes formal program semantics; testing does not • verification often based on abstraction, thus also

Verification of Security Protocols

Verification of Security Protocols

End-to-end formal ISA verification of RISC-V processors ... · PDF fileEnd-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf

End-to-end formal ISA verification of RISC-V processors ... · PDF fileEnd-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf

Runtime Power Monitoring in High-End Processors ...

Runtime Power Monitoring in High-End Processors ...

Danish Fact Verification: An End-to-End Machine Learning ... › itu › docs › fever-da_jubi_hens.pdf · Danish Fact Verification: An End-to-End Machine Learning System for Automatic

Danish Fact Verification: An End-to-End Machine Learning ... › itu › docs › fever-da_jubi_hens.pdf · Danish Fact Verification: An End-to-End Machine Learning System for Automatic

Automatic Person Identification and Verification using ... · Automatic Person Identification and Verification using ... titled “Automatic Person Identification and Verification

Automatic Person Identification and Verification using ... · Automatic Person Identification and Verification using ... titled “Automatic Person Identification and Verification

NexTech2010 keynotes overview25102010 - IARIA€¦ · PBSM Thread Processors PBSM Thread Processors Thread Processors Thread Processors Thread Processors Thread Processors Thread

NexTech2010 keynotes overview25102010 - IARIA€¦ · PBSM Thread Processors PBSM Thread Processors Thread Processors Thread Processors Thread Processors Thread Processors Thread

Angular Softmax Loss for End-to-end Speaker Verification · Angular Softmax Loss for End-to-end Speaker Verification Yutian Li, Feng Gao, Zhijian Ou, Jiasong Sun Speech Processing

Angular Softmax Loss for End-to-end Speaker Verification · Angular Softmax Loss for End-to-end Speaker Verification Yutian Li, Feng Gao, Zhijian Ou, Jiasong Sun Speech Processing

End-to-End Verification of Information-Flow Security for …flint.cs.yale.edu/flint/publications/security.pdf · End-to-End Verification of Information-Flow Security for C and Assembly

End-to-End Verification of Information-Flow Security for …flint.cs.yale.edu/flint/publications/security.pdf · End-to-End Verification of Information-Flow Security for C and Assembly

Testing and verification in service-oriented architecture ... · End-user: The end-user is the stakeholder who uses the service through an application or platform. 3. SERVICE-CENTRIC

Testing and verification in service-oriented architecture ... · End-user: The end-user is the stakeholder who uses the service through an application or platform. 3. SERVICE-CENTRIC

PIPELINED PROCESSORS Chapter No. 5. Pipeline Evolution in Processors zFirst appeared in at the end of 1960s in the first supercomputers of that time such.

PIPELINED PROCESSORS Chapter No. 5. Pipeline Evolution in Processors zFirst appeared in at the end of 1960s in the first supercomputers of that time such.

Runtime Power Monitoring in High-End Processors ...papers/micro03/pdf/isci-RunTimePower...Runtime Power Monitoring in High-End Processors: Methodology and Empirical Data Canturk Isci

Runtime Power Monitoring in High-End Processors ...papers/micro03/pdf/isci-RunTimePower...Runtime Power Monitoring in High-End Processors: Methodology and Empirical Data Canturk Isci

authenticity verification - arXiv

authenticity verification - arXiv

Symbolic Verification of Cache Side-Channel Freedomabhik/pdf/TCAD18.pdf · Symbolic Verification of Cache Side-Channel Freedom ... in commodity embedded processors, such as in ARM-based

Symbolic Verification of Cache Side-Channel Freedomabhik/pdf/TCAD18.pdf · Symbolic Verification of Cache Side-Channel Freedom ... in commodity embedded processors, such as in ARM-based

Completing the Automated Verification of a Small …Completing the Automated Verification of a Small Hypervisor - Assembler Code Verification? Wolfgang Paul, Sabine Schmaltz, and

Completing the Automated Verification of a Small …Completing the Automated Verification of a Small Hypervisor - Assembler Code Verification? Wolfgang Paul, Sabine Schmaltz, and

An End-To-End System for Unconstrained Face …...An End-to-End System for Unconstrained Face Verification with Deep Convolutional Neural Networks Jun-Cheng Chen 1 , Rajeev Ranjan

An End-To-End System for Unconstrained Face …...An End-to-End System for Unconstrained Face Verification with Deep Convolutional Neural Networks Jun-Cheng Chen 1 , Rajeev Ranjan

Presents The Silver Family An Integrated Approach to Processors, Data Communication and Head End Integration.

Presents The Silver Family An Integrated Approach to Processors, Data Communication and Head End Integration.

Formal Verification of Numerical Programs: From C Annotated ...proval.lri.fr/publications/boldo11mcs.pdf · Formal Verification of Numerical Programs 381 Fig. 4 Back-end provers

Formal Verification of Numerical Programs: From C Annotated ...proval.lri.fr/publications/boldo11mcs.pdf · Formal Verification of Numerical Programs 381 Fig. 4 Back-end provers