cdnlive 2012 exit protocol ti presentation 13 [compatibility mode]

Upload: vinit-patel

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 CDNLive 2012 Exit Protocol TI Presentation 13 [Compatibility Mode]

    1/20

    Invalid Instruction Exit Protocol

    Verification for Processors Using

    G, B (I I )

    .

    ( I)

    1CDNLive! 2012


    2/20

    B IC

    I I B C &C I

    & G I

    E I G D C C

    C IA

    I F

    C


    3/20

    B IC 1

    16 32

    .

    16 32

    .

    4

    .

    I/ = 169/280 FF = 954


    4/20

    B IC 2H 3

    [Figure: processor block diagram. Labels: Instruction Memory; Instruction Fetch; Instruction Decode; Architectural Regfile; Control Registers; Data Memory; Fetch-Decode Pipeline Stages; Execute (EXE); Memory; Writeback (WB).]


    5/20

    IC ,

    .

    A 16 / 32

    .

    ( ).


    6/20

    C I 1

    Valid 16/32 bit instructions (X)

    Enormous Invalid/Undefined Instruction State space.

    Complexities Attributable to Processor Architecture: Classify an instruction in an instruction stream to be either a valid instruction or an invalid instruction. This involves separation of the rather small valid instruction set X (50 < X


    7/20

    C I 2

    Complexities Attributable to Processor Architecture (Contd.):

    The next complexity involves 32 bit instructions which in the instruction stream can be both contiguous or split into 16 bit words spread across consecutive instructions in the instruction pipeline.

    The final complexity involves instructions which cause branching from within a linear instruction sequence, for example, jump, branch, interrupts and subroutine calls.

    Complexity Attributable to Modeling Effort:

    Ensuring that the instruction classification holds true, i.e. we need to ensure that a valid instruction is never declared invalid, while an invalid instruction is never declared as a valid instruction.

    Complexity Attributable to Verification Effort:

    This complexity involves ensuring full coverage of all possible streams of instruction sequences consisting of both - only valid instructions and random embedding of an invalid instruction within a stream of valid instructions.

    Generating all possible sequence of instructions, being able to identify an invalid instruction, if any, and then ensure correctness of the exit policy under the above complexities renders the verification difficult. The above are hard to achieve through conventional approaches.


    8/20

    (1) Feed the random stream of instructions to both the modeling layer and the processor. Use the modeling layer to generate flags which can be used to constrain and control the generation of instruction sequences for the processor.

    [Figure: verification setup. Labels: Instruction Bus; Modeling Layer; Processor; Flags used in Properties for instruction sequence generation; Signals for checking invalid instruction exit protocol.]


    9/20

    (2)

    [Figure: multi-level decoder diagram. Labels: Random Instructions; First level Decoder; Flag32; Flag16U; 32 bit inst (Valid/invalid); 16 bit inst (Valid/invalid); 2nd level Decoder (two instances); Type32, Type32S; !Type32, !Type32S; Type16L, Type16U; !Type16L, !Type16U; 32 bit valid inst; 32 bit invalid inst; 16 bit valid inst; 16 bit; Extra level of decoding; For Call, Branch and some special instructions; PIPELINE; TYPE.]


    10/20

    D

    We use a multi-layered decoding approach in our model.

    It consists of a light weight decoder to distinguish between a 16 bit instruction and a 32 bit instruction.

    This is then followed up with another decoder block which checks the validity of the instruction it receives, i.e. whether it is a valid or an invalid instruction.

    Different flags are generated in our model to identify the mix of 16 bit instructions from contiguous and non-contiguous 32 bit instructions in the instruction pipeline.

    Similarly, different flags are generated to identify instructions which cause change of linear instruction execution sequences.

    The generated flags are then implicitly used in carefully coded assertions to enable generation of all possible classes of sequence of instructions.


    11/20

    F

    F32 I 32

    ( ).

    F16 I 15:0 16

    ( ).

    F16 I 31:16 16 ( ).


    32 .

    32 I (31:16)

    (15:0) 32 .

    F :

    BF32/BF16


    12/20

    E I G

    Flag32 && !Type32 && !Type32S

    Any 32 bit Invalid instruction

    Instruction Bus 31 16 0

    Flag32 && Type32

    Any 32 bit valid contiguous instruction

    Valid 32-bit instruction

    Invalid 32-bit instruction

    Any 32 bit valid instruction

    Flag16L && Flag16U && Type16L && Type16U

    Using Flags from the modeling layer we can drive valid 16/32 and invalid instructions anywhere in the instruction sequence to get all possible sequences.

    Flag16L && Flag16U && Type16L && !Type16U

    Valid 16-bit Valid 16-bit Two 16 bit valid instructions

    Invalid 16-bit Valid 16-bit 16 bit Invalid & 16 bit Valid


    13/20

    D C C

    1. Checks for 32/16 bit invalid instruction in the instruction pipeline with interrupt and branching disabled.

    2. Checks for 32/16 bit invalid instruction with branching enabled and interrupt disabled - invalid instruction is assumed to be present in the branch taken portion or the sub-routine portion of the sequence of instructions.

    3. Checks with interrupts enabled:

       - An invalid instruction is present before an interrupt is asserted.

       - An invalid instruction comes in the same cycle in which an interrupt is encountered.

       - There exists an invalid instruction in the instruction pipeline after an interrupt is taken (this is primarily to verify the correct execution of the ISR corresponding to each interrupt).


    14/20

    E

    Check for 32 bit Invalid instruction pattern:

    property Invalid_Behaviour_4_n2 =
      always ({Flag32 && Type32;
               Flag32 && Type32;
               Flag32 && Type32;
               Flag16U && Flag16L && Type16L && Type16U;
               ag ype r _ a a_c r _va == ;
               Flag32 && !Type32 && (rd_data_ctrl_valid==1'b1)}
              |-> {[*0:5];
                   (identifier_invalid==3'b011) && cpu_invalid_o;
                   (program_counter[30:0]==31'b0000000000000000000000000000110)})
      @(posedge cpu_fclk);
    assert Invalid_Behaviour_4_n2;


    Invalid Instruction generation


    15/20

    D I ,

    32 , 16 ,

    32

    . 32 16

    IA. 32

    (232 ). ,F32

    ,

    I

    5


    16/20

    A

    . . . . 000 . . . . . . . . . . . . . . . . . . 100100101011010101

    . . . . 001 . . . . . . . . . . . . . . . . . .100111110101010011

    . . . . . . . . . . . . . . . . . . . . . . . . . 111111101001001010

    . . . . 111 . . . . . . . . . . . . . . . . . . 100101000001001000

    Example of 32 bit instruction pattern from the valid set

    [6:5] bits coded as '10' for 32 bit instructions

    Extended Opcodes

    Section A Section B

    We used Espresso, a logic minimization tool from University of California, Berkeley.

    For the kind of patterns shown above, Espresso generates a reduced boolean expression for boolean vectors in Section A and Section B.

    The minimized boolean expressions can be used for generation of the modeling layer flags.
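An added example, not part of the original slides: a minimized cover that drives a modeling-layer flag must accept exactly the valid encodings, so that no valid instruction is declared invalid and no invalid one is declared valid. The sketch below checks a cover written in cube notation ('0', '1', '-' for don't-care) exhaustively against a valid set; the 8-bit width, the valid set and both covers are constructed for illustration and are not the processor's encodings.

```python
WIDTH = 8  # constructed toy width; the slides deal with 16/32 bit words


def build_valid_set():
    """Constructed valid set: bits [6:5] == '10' and bits [4:0] in a small opcode list."""
    opcodes = list(range(0b00000, 0b01000)) + [0b11000, 0b11001]
    return {(b7 << 7) | (0b10 << 5) | op for b7 in (0, 1) for op in opcodes}


def cube_matches(cube, word):
    """True if word satisfies one cube, written MSB-first with '0', '1' or '-'."""
    width = len(cube)
    for i, c in enumerate(cube):
        bit = (word >> (width - 1 - i)) & 1
        if c != "-" and int(c) != bit:
            return False
    return True


def cover_accepts(cover, word):
    """A cover is an OR of cubes: the flag is set if any cube matches."""
    return any(cube_matches(cube, word) for cube in cover)


def check_cover(cover, valid_set, width):
    """Walk the whole encoding space and return (false_invalid, false_valid).

    false_invalid: valid encodings the cover rejects.
    false_valid:   invalid encodings the cover accepts.
    """
    false_invalid, false_valid = [], []
    for word in range(1 << width):
        accepted = cover_accepts(cover, word)
        if word in valid_set and not accepted:
            false_invalid.append(word)
        elif word not in valid_set and accepted:
            false_valid.append(word)
    return false_invalid, false_valid


VALID_SET = build_valid_set()
GOOD_COVER = ["-1000---", "-101100-"]   # matches the valid set exactly
OVER_MINIMIZED_COVER = ["-10-0---"]     # one cube too coarse: misclassifies both ways

if __name__ == "__main__":
    for name, cover in (("good", GOOD_COVER), ("over-minimized", OVER_MINIMIZED_COVER)):
        fi, fv = check_cover(cover, VALID_SET, WIDTH)
        print(name, "false-invalid:", [hex(w) for w in fi], "false-valid count:", len(fv))
```

Exhaustive enumeration is practical only for small widths; at 32 bits the same equivalence would be checked with a formal tool rather than a loop.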


    17/20

    F

    C A

    I

    & B

    92 10 .

    I 43 45 .

    I

    18 15 .


    18/20

    I F

    (I)

    I

    .

    .

    2

    31:16. I ,


    19/20

    C

    The proposed methodology based on Formal approach has been successfully deployed on an in-house RISC processor

    Future versions of the processor can utilize the

    place

    This idea can be applied to any processor for its invalid instruction set verification


    20/20