1 Testing Composable SpecificationsKen McMillan Microsoft Research
2 Case study TileLink is a protocol for implementing a coherent memory in a system-on-chip (SoC). Goal: a formal, modular specification of TileLink Specify the protocol Prove that it implements correct memory semantics Rigorously test component implementations Allow rapid configuration of SoC designs
3 TileLink system Hierarchy of memory system components for SoC using a common interface protocol. TL CORE L2$ NET DIR MEM Hierarchy implements weakly consistent memory model.
4 Modular verification General approach: Composable specifications:Write generic formal specifications of components Verify components locally against specifications Infer that systems of such components are correct Composable specifications: Correctness of components implies correctness of system. With a composable specification, we can assemble arbitrary configurations of components. Some composable specifications are better than others, howeverβ¦
5 Good composability Assume/guarantee specificationsA conjunction of temporal properties of interfaces Assume/guarantee relationships A B π A: βπΊ (π»πβπ)β B: βπΊ (π»πβπ)β Aβ₯B: βπΊ(πβ§π)β composable! π This proof is checkable in P-time We want our specifications to be composable βby constructionβ.
6 Memory semantics op(loc,kind,addr,data) Memory operations: CPUread write atomic Happens-before relation on operations: happens-before(π π 1 ,π π 2 ) β loc(π π 1 ) = loc(π π 2 ) β§ time(π π 1 ) < time(π π 2 ) β§ (addr(π π 1 ) = addr(π π 2 ) β¨ atomic(π π 1 ) β¨ atomic(π π 2 )) Consistency: A sequence of ops is consistency if every read sees value of most recent write. Weak consistency: A set of operations is weakly consistent if there exists an ordering π s.t: π respects happens-before π is consistent
7 Problem How do you write a βgoodβ composable specification for a system if its key property refers to all events in the system? How do we witness the serialization π? How do local operations fit into the global serialization?
8 Solution Add a βreference objectβ. Constructs the witness for π.Verifies consistency π as it is constructed ref. create commit create : op Γ loc β stamp commit : stamp β unit eval : stamp β value eval mem commit(stamp): assumes happens-before(X,op(stamp)) β committed(X) value = eval(stamp): guarantees value = result(π,op(stamp)) assumes committed(stamp) These operations allow us to define the semantics of the system interfaces.
9 TileLink system Hierarchy of memory system components for SoC using a common interface protocol. TL CORE L2$ NET DIR MEM
10 TileLink interface protocolProtocol messages implement Coherent requests (MESI) Invalidation Ordered, non-coherent operations Interface has two roles: Client β processor Manager β memory client manager Typical transaction flow at interface Acquire Grants Finish Probe Release
11 Writing a βgoodβ composable specSpecification has two parts: Temporal properties of interface Assume/guarantee relationships between properties Interface properties of two types: Interface protocol properties Semantic properties, relative to reference object
12 Semantic interface propertiesThese properties refer to the reference object to define ordering and data values at the interface. Manager-side properties M[1]: Data in cached Grant must match ref.mem. M[2]: If uncached resp. then committed(stamp) M[3]: If uncached resp. then data = eval(stamp) Client-side properties C[1]: Data in cached Release must match ref.mem. C[2]: If uncached req. then happens-before(X,stamp) implies requested(X). C[3]: If uncached resp. then data = eval(stamp)
13 Commitment propertiesThe coherence state determines what commitments are allowed on either side of the interface. This is the function of coherence. Client-side commitments: SC[1]: Read may be committed on client side only if interface has shared or exclusive permissions. SC[2]: Write may be committed on client side only if interface has exclusive permissions. Manager-side properties SM[1]: Read may be committed on manager side only if interface has shared or invalid permissions. SM[2]: Write may be committed on manager side only if interface has invalid permissions. Note: βclient sideβ means any component left of the interface.
14 Assume/guarantee relationshipsAn L2 cache has TileLink interfaces on processor side and memory side. πΆ π π π π΄ π πͺ π β¦ ππππ π β¦ ππππ πΊπ΄ π ππ π reference object ππΆ π πΊπͺ π πΉ π¨ π·
15 Assume/guarantee relationshipsAn L2 cache has TileLink interfaces on processor side and memory side. πΆ π π π π΄ π πͺ π β¦ ππππ π β¦ ππππ πΊπ΄ π ππ π reference object ππΆ π πΊπͺ π πΉ π¨ π· P,R: πΆ π β , π π β β πΆ π , π π P,R: π πΆ π , πΆ π β , π π β β π πΆ π P,R: π π π , πΆ π β , π π β β π π π P,R: πΆ π β , π π β , π π π β , π πΆ π β β π π΄ π Checking this proof is a purely syntactic operation πΊ π π΄ π
16 Formal proofs We can now formally verify components in isolation against their assume/guarantee specifications: Reording buffer Hierarchical cache Processor, memory, etc. These are simple abstract component models, intended to show that the specification has the intended implementations. Show key property that protocol is insensitive to message re- ordering. In the process, specification was corrected. Because our assume/guarantee specification is composable, we know that hierarchies built from these components implement a weakly consistent shared memory.
17 Compositional testingFrom an assume/guarantee specification, we can automatically generate a test environment. πΆ π π π ππΆ π ππ π π΄ π πͺ π πΊπ΄ π πΊπͺ π β¦ ππππ check πΏ2 RTL generate reference object check πΉ π¨ π· Tested two RTL level components with randomized generation using Z3: L2 cache bank Snooping hub
18 Testing results Compositional testing revealed currency errors in the RTL in under 1s (< 100 cycles) Unit testing provides much greater flexibility in covering internal corner cases Randomized specification-based testing reduces bias Latent bugs Most bugs could not be stimulated in integration test Latent bugs affect re-usability Importance of composability All system-level errors exposed to unit testing Gain confidence that components can be assembled into arbitrary configuration.
19 Conclusion Good composable specification is such that:Correct component imply correct system The proof of this is efficiently checkable Global properties (such as memory consistency) Reference object + temporal assume/guarantee Allows local specification of interface semantics Composable TileLink interface spec provides: Documentation of the interface Ability to reason formally about specification Efficient and rigorous test to find latent bugs Composable specifications provide a way to formal verification experts to provide value in an environment where most engineers do not have formal skills.
20 Specification as a social processThe specification develops over time in collaboration with the system architects. Ambiguities in informal specs must be resolved. Initial formal spec almost certainly does not reflect designers intention. Mismatch with implementation may indicate properties should be strengthened or weakened for efficiency. Over time the formal spec becomes a valuable document. Encapsulates design knowledge. Allows rigorous testing and verification.