cdnlive 2012 exit protocol ti presentation 13 [compatibility mode]
TRANSCRIPT
8/13/2019 CDNLive 2012 Exit Protocol TI Presentation 13 [Compatibility Mode]
1/20
Invalid Instruction Exit Protocol Verification for Processors Using
CDNLive! 2012
2/20
3/20
I/ = 169/280 FF = 954
4/20
Pipeline block diagram (block labels): Instruction Memory, Instruction Fetch, Instruction Decode, Architectural Regfile, Fetch-Decode Pipeline Stages, Control Registers, Data Memory, Execute (EXE), Memory, Writeback (WB).
5/20
6/20
Valid 16/32 bit instructions (X)
Enormous Invalid/Undefined Instruction State space.
Complexities Attributable to Processor Architecture: Classify an instruction in an instruction stream to be either a valid instruction or an invalid instruction. This involves separation of the rather small valid instruction set X (50 < X
7/20
Complexities Attributable to Processor Architecture (Contd.): The next complexity involves 32 bit instructions, which in the instruction stream can be either contiguous or split into 16 bit words spread across consecutive instructions in the instruction pipeline.
The final complexity involves instructions which cause branching from within a linear instruction sequence, for example, jump, branch, interrupts and subroutine calls.
Complexity Attributable to Modeling Effort: Ensuring that the instruction classification holds true, i.e. we need to ensure that a valid instruction is never declared invalid, while an invalid instruction is never declared as a valid instruction.
Complexity Attributable to Verification Effort: This complexity involves ensuring full coverage of all possible streams of instruction sequences, consisting of both only-valid instructions and random embedding of an invalid instruction within a stream of valid instructions.
Generating all possible sequences of instructions, being able to identify an invalid instruction, if any, and then ensuring correctness of the exit policy under the above complexities renders the verification difficult. The above are hard to achieve through conventional approaches.
8/20
(1) Feed the random stream of instructions to both the modeling layer and the processor. Use the modeling layer to generate flags which can be used to constrain and control the generation of instruction sequences for the processor.
Block diagram (block labels): the Instruction Bus feeds both the Modeling Layer and the Processor; the Modeling Layer produces Flags used in Properties for instruction sequence generation; the Processor supplies Signals for checking the Invalid instruction exit protocol.
9/20
(2) Decoder structure (block labels from the diagram): Random Instructions -> PIPELINE -> First level Decoder. First level outputs: Flag32 for a 32 bit inst (Valid/invalid); Flag16U for a 16 bit inst (Valid/invalid). 2nd level Decoder for 32 bit: Type32, Type32S = 32 bit valid inst; !Type32, !Type32S = 32 bit invalid inst. 2nd level Decoder for 16 bit: TYPE Type16L, Type16U = 16 bit valid inst; !Type16L, !Type16U = 16 bit invalid inst. Extra level of decoding: for Call, Branch and some special instructions.
10/20
We use a multi-layered decoding approach in our model. It consists of a light weight decoder to distinguish between a 16 bit instruction and a 32 bit instruction.
This is then followed up with another decoder block which checks the validity of the instruction it receives, i.e. whether it is a valid or an invalid instruction.
Different flags are generated in our model to identify the mix of 16 bit instructions from contiguous and non-contiguous 32 bit instructions in the instruction pipeline.
Similarly, different flags are generated to identify instructions which cause a change of the linear instruction execution sequence.
The generated flags are then implicitly used in carefully coded assertions to enable generation of all possible classes of sequences of instructions.
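As an added illustration of the multi-layered decoding described above (example code written for this page, not the model from the presentation), the following Python reference model runs a first-level length decoder and a second-level validity decoder over a stream of 32-bit instruction-bus words and raises the flags named on these slides (Flag32, Flag16U, Flag16L, Type32, Type32S, Type16U, Type16L), including the case of a 32 bit instruction split across two consecutive bus words. The only encoding detail taken from the slides is that bits [6:5] of a 32 bit instruction are '10'; the opcode tables, the position of the opcode fields, the encoder helpers enc32/enc16, the sample stream and the extra split32/start32l flags are assumptions made for the example.

```python
"""Reference model (added example, not the presentation's code) of the two-level decoder
and the modeling-layer flags over a stream of 32-bit instruction-bus words."""
from dataclasses import dataclass
from typing import List, Optional


def is_32bit_start(hw: int) -> bool:
    """First-level decoder. From the slides: bits [6:5] == '10' mark a 32 bit instruction.
    Assumption: the marker is tested in the first halfword of the instruction."""
    return ((hw >> 5) & 0b11) == 0b10


# Hypothetical opcode tables for the second-level (validity) decoder; the real ISA is not on the slides.
VALID32 = {0b00001, 0b00010, 0b00011, 0b10000}   # 5-bit opcode in insn[31:27]
SPECIAL32 = {0b00011, 0b10000}                   # Type32S: branch/call class, needs extra decoding
VALID16 = {0x1, 0x2, 0x3, 0x4}                   # 4-bit opcode in hw[15:12]


def opcode32(insn: int) -> int:
    return (insn >> 27) & 0x1F


def opcode16(hw: int) -> int:
    return (hw >> 12) & 0xF


@dataclass
class WordFlags:
    """Flags the modeling layer raises for one 32-bit bus word ([31:16] = upper, [15:0] = lower)."""
    flag32: bool = False    # word holds one contiguous 32 bit instruction
    type32: bool = False    # ... and it decodes as valid
    type32s: bool = False   # ... and it is in the branch/call class
    split32: bool = False   # upper completes a 32 bit instruction begun in the previous word (assumed flag)
    start32l: bool = False  # lower begins a 32 bit instruction that continues in the next word (assumed flag)
    flag16u: bool = False   # upper holds a 16 bit instruction
    type16u: bool = False   # ... and it decodes as valid
    flag16l: bool = False   # lower holds a 16 bit instruction
    type16l: bool = False   # ... and it decodes as valid

    def any_invalid(self) -> bool:
        """True when this word delivers an invalid instruction to the pipeline."""
        return (((self.flag32 or self.split32) and not self.type32)
                or (self.flag16u and not self.type16u)
                or (self.flag16l and not self.type16l))


def decode_stream(words: List[int]) -> List[WordFlags]:
    """Run both decoder levels over the bus words, tracking 32 bit instructions split across words."""
    flags: List[WordFlags] = []
    pending: Optional[int] = None  # first halfword of a 32 bit instruction still missing its second half
    for word in words:
        upper, lower = (word >> 16) & 0xFFFF, word & 0xFFFF
        f = WordFlags()
        lower_is_free = True
        if pending is not None:                      # non-contiguous 32 bit instruction completes here
            insn = (pending << 16) | upper
            f.split32 = True
            f.type32 = opcode32(insn) in VALID32
            f.type32s = f.type32 and opcode32(insn) in SPECIAL32
            pending = None
        elif is_32bit_start(upper):                  # contiguous 32 bit instruction
            f.flag32 = True
            f.type32 = opcode32(word) in VALID32
            f.type32s = f.type32 and opcode32(word) in SPECIAL32
            lower_is_free = False
        else:                                        # 16 bit instruction in the upper half
            f.flag16u = True
            f.type16u = opcode16(upper) in VALID16
        if lower_is_free:
            if is_32bit_start(lower):                # split 32 bit instruction begins in the lower half
                f.start32l = True
                pending = lower
            else:
                f.flag16l = True
                f.type16l = opcode16(lower) in VALID16
        flags.append(f)
    return flags


def enc32(opcode: int, payload: int = 0) -> int:
    """Constructed encoder: 5-bit opcode, '10' forced into bits [6:5] of the first halfword."""
    first = ((opcode & 0x1F) << 11) | ((payload >> 16) & 0x7FF)
    first = (first & ~0x60) | 0x40
    return (first << 16) | (payload & 0xFFFF)


def enc16(opcode: int, payload: int = 0) -> int:
    """Constructed encoder: 4-bit opcode, 12-bit payload, bit 6 cleared so [6:5] is never '10'."""
    return (((opcode & 0xF) << 12) | (payload & 0xFFF)) & ~0x40


def sample_stream() -> List[int]:
    """Constructed bus words covering each sequence class of the flag table."""
    split = enc32(0b00010, 0x01234)   # this instruction straddles words 2 and 3
    return [
        enc32(0b00001, 0x0ABCD),                          # 0: contiguous valid 32 bit
        (enc16(0x1, 0x123) << 16) | enc16(0x2, 0x456),   # 1: two valid 16 bit
        (enc16(0x3) << 16) | (split >> 16),               # 2: valid 16 bit | first half of split 32
        ((split & 0xFFFF) << 16) | enc16(0xF, 0x789),     # 3: second half | invalid 16 bit (opcode 0xF)
        enc32(0b11111),                                   # 4: contiguous invalid 32 bit (opcode 0x1F)
        enc32(0b10000),                                   # 5: contiguous valid call (Type32S)
    ]


if __name__ == "__main__":
    for i, f in enumerate(decode_stream(sample_stream())):
        print(i, f)
```

decode_stream returns one WordFlags record per bus word; any_invalid marks the words that would have to trigger the exit protocol, which is the information the assertions on the following slides consume, and the pending halfword is what lets the model tell a non-contiguous 32 bit instruction from two 16 bit ones.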
11/20
F32 I 32 ( ).
F16 I 15:0 16 ( ).
F16 I 31:16 16 ( ).
32 I (31:16) (15:0) 32 .
BF32/BF16
12/20
Flags from the modeling layer, the instruction bus contents they produce ([31:16] | [15:0]) and the sequence class obtained:
Flag32 && !Type32 && !Type32S: Invalid 32-bit instruction -> Any 32 bit Invalid instruction
Flag32 && Type32: Valid 32-bit instruction -> Any 32 bit valid (contiguous) instruction
Flag16L && Flag16U && Type16L && Type16U: Valid 16-bit | Valid 16-bit -> Two 16 bit valid instructions
Flag16L && Flag16U && Type16L && !Type16U: Invalid 16-bit | Valid 16-bit -> 16 bit Invalid & 16 bit Valid
Using Flags from the modeling layer we can drive valid 16/32 and invalid instructions anywhere in the instruction sequence to get all possible sequences.
13/20
1. Checks for 32/16 bit invalid instruction in the instruction pipeline with interrupt and branching disabled.
2. Checks for 32/16 bit invalid instruction with branching enabled and interrupt disabled - the invalid instruction is assumed to be present in the branch-taken portion or the sub-routine portion of the sequence of instructions.
3. Checks with interrupts enabled:
   - An invalid instruction is present before an interrupt is asserted.
   - An invalid instruction comes in the same cycle in which an interrupt is encountered.
   - There exists an invalid instruction in the instruction pipeline after an interrupt is taken (this is primarily to verify the correct execution of the ISR corresponding to each interrupt).
14/20
Invalid Instruction generation
Check for 32 bit Invalid instruction pattern:
property Invalid_Behaviour_4_n2 =
  always ({Flag32 && Type32;
           Flag32 && Type32;
           Flag32 && Type32;
           Flag16U && Flag16L && Type16L && Type16U;
           ag ype r _ a a_c r _va == ;
           Flag32 && !Type32 && (rd_data_ctrl_valid==1'b1)}
          |-> {[*0:5];
               (identifier_invalid==3'b011) && cpu_invalid_o;
               (program_counter[30:0]==31'b0000000000000000000000000000110)})
  @(posedge cpu_fclk);
assert Invalid_Behaviour_4_n2;
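To make the shape of the property concrete, here is an added example (written for this page, not taken from the presentation) that replays the same implication over a recorded cycle trace in Python: the antecedent is the sequence of flag conditions as readable on the slide (the garbled fifth element is left out), and the consequent is "within 0 to 5 cycles identifier_invalid == 3'b011 together with cpu_invalid_o, and program_counter[30:0] == 6 in the cycle after that". Signal names follow the slide; the cycle records, the cycle() helper, the 0x100 program-counter values and sample_trace are constructed for the example.

```python
"""Added example (not the presentation's code): a bounded-trace checker with the shape of
Invalid_Behaviour_4_n2, i.e. {antecedent sequence} |-> {[*0:5]; exit flagged; PC at exit vector}."""
from typing import Callable, Dict, List, Tuple

Cycle = Dict[str, int]
Pred = Callable[[Cycle], bool]

EXIT_IDENTIFIER = 0b011  # identifier_invalid value on the slide
EXIT_PC = 0b110          # program_counter[30:0] value on the slide

# Antecedent as readable on the slide; the garbled fifth element is left out.
ANTECEDENT: List[Pred] = [
    lambda c: bool(c["Flag32"] and c["Type32"]),
    lambda c: bool(c["Flag32"] and c["Type32"]),
    lambda c: bool(c["Flag32"] and c["Type32"]),
    lambda c: bool(c["Flag16U"] and c["Flag16L"] and c["Type16L"] and c["Type16U"]),
    lambda c: bool(c["Flag32"] and not c["Type32"] and c["rd_data_ctrl_valid"] == 1),
]


def invalid_flagged(c: Cycle) -> bool:
    return c["identifier_invalid"] == EXIT_IDENTIFIER and c["cpu_invalid_o"] == 1


def at_exit_vector(c: Cycle) -> bool:
    return (c["program_counter"] & 0x7FFFFFFF) == EXIT_PC


def antecedent_ends_at(trace: List[Cycle], t: int, seq: List[Pred]) -> bool:
    """True when seq matches the consecutive cycles ending at cycle t."""
    start = t - len(seq) + 1
    return start >= 0 and all(p(trace[start + i]) for i, p in enumerate(seq))


def consequent_from(trace: List[Cycle], t: int, max_delay: int = 5) -> bool:
    """{[*0:max_delay]; invalid_flagged; at_exit_vector} evaluated from cycle t.
    Overlapping implication (|->): the consequent starts in the antecedent's last cycle."""
    for d in range(max_delay + 1):
        if t + d + 1 < len(trace) and invalid_flagged(trace[t + d]) and at_exit_vector(trace[t + d + 1]):
            return True
    return False  # obligations still open when the trace ends count as failures here


def check_invalid_behaviour(trace: List[Cycle], seq: List[Pred] = ANTECEDENT,
                            max_delay: int = 5) -> Tuple[List[int], List[int]]:
    """Return (cycles where the antecedent completed, cycles where the property failed)."""
    triggers, failures = [], []
    for t in range(len(trace)):
        if antecedent_ends_at(trace, t, seq):
            triggers.append(t)
            if not consequent_from(trace, t, max_delay):
                failures.append(t)
    return triggers, failures


def cycle(**kw: int) -> Cycle:
    """Constructed cycle record: signal names follow the slide, values are made up."""
    c = dict(Flag32=0, Type32=0, Flag16U=0, Flag16L=0, Type16L=0, Type16U=0,
             rd_data_ctrl_valid=1, identifier_invalid=0, cpu_invalid_o=0, program_counter=0)
    c.update(kw)
    return c


def sample_trace(idle_cycles: int, exit_pc: int = EXIT_PC) -> List[Cycle]:
    """Constructed trace: antecedent in cycles 0..4 (invalid instruction in cycle 4), then
    idle_cycles of ordinary execution, then the exit response and the jump to exit_pc."""
    trace = [cycle(Flag32=1, Type32=1) for _ in range(3)]
    trace.append(cycle(Flag16U=1, Flag16L=1, Type16L=1, Type16U=1))
    trace.append(cycle(Flag32=1, Type32=0))                     # the invalid 32 bit instruction
    trace += [cycle(program_counter=0x100 + 4 * i) for i in range(idle_cycles)]
    trace.append(cycle(identifier_invalid=EXIT_IDENTIFIER, cpu_invalid_o=1,
                       program_counter=0x100 + 4 * idle_cycles))
    trace += [cycle(program_counter=exit_pc), cycle(program_counter=exit_pc + 4)]
    return trace


if __name__ == "__main__":
    for idle in (0, 4, 5):
        print(idle, check_invalid_behaviour(sample_trace(idle)))
```

With the exit response idle_cycles + 1 cycles after the invalid instruction, the property holds for idle_cycles up to 4 and fails at 5, which is exactly the [*0:5] window of the slide's consequent; a response that arrives in time but lands on the wrong program counter also fails, so both halves of the exit protocol are checked.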
15/20
16/20
Example of 32 bit instruction pattern from the valid set:
. . . . 000 . . . . . . . . . . . . . . . . . . 100100101011010101
. . . . 001 . . . . . . . . . . . . . . . . . . 100111110101010011
. . . . . . . . . . . . . . . . . . . . . . . . . 111111101001001010
. . . . 111 . . . . . . . . . . . . . . . . . . 100101000001001000
Annotations on the pattern: [6:5] bits coded as '10' for 32 bit instructions; Extended Opcodes; Section A, Section B.
We used Espresso, a logic minimization tool from University of California, Berkeley.
For the kind of patterns shown above, Espresso generates a reduced boolean expression for the boolean vectors in Section A and Section B.
The minimized boolean expressions can be used for generation of the modeling layer flags.
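The following added example (written for this page; it is neither Espresso nor the presentation's own scripts) shows in Python what the minimization step does for a table of this kind: adjacent patterns that differ in one bit are merged into a wider cube with a don't-care, the result is checked to cover exactly the same set of encodings as the input, and the cubes are rendered as a sum-of-products expression of the sort a modeling-layer flag is built from. The 8-bit VALID_PATTERNS table is constructed for the example and is not the processor's real encoding; the merge is a Quine-McCluskey style consensus step rather than Espresso's heuristics.

```python
"""Added example (not the presentation's code and not Espresso): a small Quine-McCluskey style
merge that reduces a list of bit patterns ('0', '1', '-' = don't care) to a cover of wider cubes,
then renders the cover as a boolean expression usable as a modeling-layer flag."""
from typing import Iterable, List, Optional, Set


def covers(cube: str, value: int) -> bool:
    """True when the integer value matches the cube (MSB first)."""
    bits = format(value, f"0{len(cube)}b")
    return all(c == "-" or c == b for c, b in zip(cube, bits))


def onset(cubes: Iterable[str]) -> Set[int]:
    """Every value covered by at least one cube (exhaustive; fine for the small widths used here)."""
    cubes = list(cubes)
    width = len(cubes[0]) if cubes else 0
    return {v for v in range(1 << width) if any(covers(c, v) for c in cubes)}


def try_merge(a: str, b: str) -> Optional[str]:
    """Merge two cubes that differ in exactly one fully specified bit (the consensus step)."""
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) != 1 or "-" in (a[diff[0]], b[diff[0]]):
        return None
    i = diff[0]
    return a[:i] + "-" + a[i + 1:]


def subsumes(big: str, small: str) -> bool:
    """True when every encoding matched by small is also matched by big."""
    return all(x == "-" or x == y for x, y in zip(big, small))


def minimize(cubes: Iterable[str]) -> List[str]:
    """Repeatedly merge adjacent cubes, then drop cubes contained in another; the onset is unchanged."""
    current = set(cubes)
    width = max((len(c) for c in current), default=0)
    for _ in range(width):              # each round adds at most one don't-care per cube
        ordered = sorted(current)
        merged, used = set(), set()
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                m = try_merge(a, b)
                if m is not None:
                    merged.add(m)
                    used.update((a, b))
        if not merged:
            break
        current = (current - used) | merged
    return sorted(c for c in current if not any(o != c and subsumes(o, c) for o in current))


def to_expression(cubes: Iterable[str]) -> str:
    """Sum-of-products text with bit names b<N-1>..b0, MSB first."""
    terms = []
    for cube in cubes:
        n = len(cube)
        lits = [(f"b{n - 1 - i}" if bit == "1" else f"~b{n - 1 - i}")
                for i, bit in enumerate(cube) if bit != "-"]
        terms.append("(" + " & ".join(lits) + ")")
    return " | ".join(terms)


# Constructed 8-bit valid-set patterns in the spirit of the slide's table (not the real ISA).
VALID_PATTERNS = [
    "11000---", "11001---", "11010---", "11011---",   # one opcode group, differs only in bits 4:3
    "10111---", "10110---",                           # a second group, differs in bit 3
    "01111---",                                       # an isolated encoding
]

if __name__ == "__main__":
    reduced = minimize(VALID_PATTERNS)
    print(reduced)
    print(to_expression(reduced))
```

The equality check between onset(VALID_PATTERNS) and onset(minimize(VALID_PATTERNS)) is the property that matters for the modeling layer: the reduced flag expression must classify exactly the same encodings as the original table, so that no valid instruction is declared invalid and no invalid one declared valid.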
17/20
92 10 .
I 43 45 .
18 15 .
18/20
19/20
The proposed methodology based on a Formal approach has been successfully deployed on an in-house RISC processor.
Future versions of the processor can utilize the
place
This idea can be applied to any processor for its invalid instruction set verification.