Professional Documents
Culture Documents
Jayanta Ghosh, Bijitendra Mittra (Interra Systems India Pvt Ltd) Subir K. Roy (Texas Instruments)
CDNLive! 2012
1
Outline
Brief Overview of the RISC Processor Problem Statement Invalid Instruction Behavior Complexities & Challenges Involved Modeling Layer & Proposed Methodology for Generation of Stream of Instructions Example of Instruction Sequence Generation Different Classes of Checks Model Creation for Proposed Methodology - Its Automation Issues Found Conclusion
CDNLive! 2012
CDNLive! 2012
Data Memory
CDNLive! 2012
Problem Statement
The task is to verify correctness of a well defined Exit Protocol on two output signals that has been implemented in an in-house RISC processor, whenever and in whatsoever condition, that it encounters an invalid instruction within a stream of valid instructions. An invalid instruction is assumed to arrive randomly within any sequence of valid 16 and/or 32 bit instructions. (The exit protocol ensures that the processor is gracefully taken to a well defined fail safe state on encountering an invalid instruction).
CDNLive! 2012
Complexities Involved - 1
Enormous Invalid/Undefined Instruction State space. Valid 16/32 bit instructions (X)
Complexities Attributable to Processor Architecture : Classify an instruction in an instruction stream to be either a valid instruction or an invalid instruction. This involves separation of the rather small valid instruction set X (50 < X <200) from the large invalid instruction set, 232 - X. Another complexity involves combinations of 16 and 32 bit valid and invalid instructions in the instruction pipeline. 16 bit 32 Upper (Data) 32 Lower (Op) 16 bit 16 bit 32 Lower (Opcode) 16 bit 32 Upper (D) Two 16 bit instructions. One 32 bit instruction. One 16 bit instruction followed by [15:0] of next 32 bit instruction. [31:16] of previous 32 bit instruction followed by another 16 bit instruction.
CDNLive! 2012
Complexities Involved - 2
Complexities Attributable to Processor Architecture (Contd.) : The next complexity involves 32 bit instructions which in the instruction stream can be both contiguous or split into 16 bit words spread across consecutive instructions in the instruction pipeline. The final complexity involves instructions which cause branching from within a linear instruction sequence, for example, jump, branch, interrupts and subroutine calls. Complexity Attributable to Modeling Effort: Ensuring that the instruction classification holds true, i.e. we need to ensure that a valid instruction is never declared invalid, while an invalid instruction is never declared as a valid instruction. Complexity Attributable to Verification Effort: This complexity involves ensuring full coverage of all possible streams of instruction sequences consisting of both - only valid instructions and random embedding of an invalid instruction within a stream of valid instructions. Generating all possible sequence of instructions, being able to identify an invalid instruction, if any, and then ensure correctness of the exit policy under the above complexities renders the verification difficult. The above are hard to achieve through conventional approaches
CDNLive! 2012
Processor
CDNLive! 2012
32 bit valid inst 32 bit invalid inst 16 bit invalid inst 16 bit valid inst Type16L,Type16U
Flag32
Random Instructions
!Type16L, !Type16U
Flag16L Flag16U
16 bit inst (Valid/invalid
P I P E L I N E
TYPE
10
CDNLive! 2012
11
Valid 16-bit
Valid 16-bit
Invalid 16-bit
16 bit Invalid & 16 bit Valid Flag16L && Flag16U && Type16L && !Type16U Any 32 bit valid instruction Using Flags from the modeling layer we can drive valid 16/32 and invalid instructions anywhere in the instruction sequence to get all possible sequences. Valid 16-bit
CDNLive! 2012
12
13
Example Property
Check for 32 bit Invalid instruction pattern: property Invalid_Behaviour_4_n2 = always ({Flag32 && Type32; Flag32 && Type32; Flag32 && Type32; Flag16U && Flag16L && Type16L && Type16U; Flag32 && Type32 && (rd_data_ctrl_valid==1'b1); Flag32 && !Type32 && (rd_data_ctrl_valid==1'b1)} |-> {[*0:5]; (identifier_invalid==3'b011) && cpu_invalid_o;(program_counter[30:0]==31'b00000000000000000000000000 00110)})@(posedge cpu_fclk); assert Invalid_Behaviour_4_n2; Invalid Instruction generation
CDNLive! 2012
14
Thus, FV checks for the correctness for all possible instruction sequences in a specific class of check.
CDNLive! 2012
15
We used Espresso, a logic minimization tool from University of California, Berkeley For the kind of patterns show above, Espresso generates a reduced boolean expression for boolean vectors in Section A and Section B. The minimized boolean expressions can be used for generation of the modeling layer flags
CDNLive! 2012
16
CDNLive! 2012
17
18
Conclusion
The proposed methodology based on Formal approach has been successfully deployed on an inhouse RISC processor Future versions of the processor can utilize the methodology easily due to the automation put in place This idea can be applied to any processor for its invalid instruction set verification
CDNLive! 2012
19
Thank You