Verifying a RISC-V Processor
Nirav Dave, Prashanth Mundkur
SRI International
Verified Software
Recent work on verifying key components of the software toolchain:
- compilers (e.g., CompCert, CakeML, etc.)
- OS kernels (e.g., seL4)
- hypervisors (e.g., minVisor (x86), xmhf (x86))
Catch: all assume correct hardware.
Real-world hardware
Intel Specification Update (328899-024), March 2015
- HSD1: LBR, BTS, BTM May Report a Wrong Address when an Exception/Interrupt Occurs in 64-bit Mode
- HSD3: MCi-Status Overflow Bit May Be Incorrectly Set on a Single Instance of a DTLB Error
- HSD5: MONITOR or CLFLUSH on the Local XAPIC's Address Space Results in Hang
- HSD20: Accessing Physical Memory Space 0-640K through the Graphics Aperture May Cause Unpredictable System Behavior
- HSD27: Processor May Enter Shutdown Unexpectedly on a Second Uncorrectable Error
140 items, all marked No Fix.
Real-world hardware
Cortex-A53 errata (ARM-EPM-048406 v17.0, 2015)
- 812869: Instruction stream might be corrupted
- 835769: AArch64 multiply-accumulate instruction might produce incorrect result
- 843419: A load or store might access an incorrect address
- 814270: Misaligned PC and out-of-range address aborts might be taken to incorrect exception level
- 845719: A load might read incorrect data
- ... (37 pages)
Real-world hardware
RISC-V?
Minimum prerequisites for RISC-Verified
- an unambiguous formal ISA specification
- a processor implementation amenable to verification
- a formal link between the two
Formal ISA specification
- Specifying RISC-V in the L3 DSL
  - generates an executable ISA interpreter (Standard ML)
  - exports definitions for a theorem prover (HOL4)
- Use the interpreter as a reference oracle for processor implementations
L3 DSL
- constructs for registers, instructions and state
- ML-like data types
- strong bit-level type checking
- library for bit-vector ops, floating-point, etc.
Current status
- implements interrupts and virtual memory
- unoptimized (no icache or dcache)
- passes most riscv-tests (-p-, -pt-, -v-)
Available at github.com/pmundkur/l3riscv
Clarifications needed
- Which has priority: a synchronous exception or an interrupt?
- Misaligned fetch is trapped before side-effects in jal/jalr.
Next Steps
Completing the executable specification:
- RVC
- floating-point
- SBI (when available)
- boot single-core Linux/FreeBSD
- use for tandem verification (e.g., with Flute from Bluespec, Inc.)
Next Steps
- usable HOL4 formal definitions
- prove non-interference and information flow in low-level privileged code
- tie to architectural predicates for hardware implementations
Processor verification via Architectural Extraction
Motivation
- Verify architectural and µ-architectural variants of RISC-V
  - using parametrized Bluespec SystemVerilog (BSV) designs
- Robust to design and implementation changes
- Quick formal verification of the design
  - using an architect-friendly approach
BSV-Based Design
- Break ISA-level transactions into smaller transactions with better cycle-level parallelization
  - add/modify system state (e.g., pipeline buffers)
  - re-order operations / perform speculation
- Transactions in design ≡ rules in BSV
  - design correctness ≡ re-arrangement of µ-transactions into ISA-level operations
[Pipeline diagram: stages IF, Dec, Exe, Mem, Wb connected through buffers bI, bD, bE, bW; register file RF; I$ + IMEM driven by Imem Rules; D$ + DMEM driven by Dmem Rules]
- Pipeline view: stages execute (mostly) in reverse order
  - concurrent execution of instructions
- ISA view: stages execute in pipeline order
  - one instruction at a time
- find a mapping of µ-architectural rule executions to coarser (ISA-level) rule executions
- pipeline correctness derived from commutativity of rule execution order
- Two rule sequences are equivalent iff they start and end in equivalent states
  - what if instructions are partially executed?
  - easier for ISA-level states (i.e., flushed pipelines)
Formalizing this observation
- Given a predicate on µ-state that picks out ISA-level states, search for covers of all possible rule traces
  - i.e., perform a stuttering bisimulation search
  - robust to modular changes and pipeline variations
- Does not guarantee correctness of the implemented ISA
  - only provides an abstracted "ISA"-level model
- Expected traces (mapping to ISA-level executions):
  - Single instruction: [IF, IMem, Dec, Exe, Mem, DMem, Wb]
  - Branch misprediction: [IF, IMem, Dec, Exe] [IF, IMem, Dec]
  - Pipeline bug: [(IF, IMem)×2, Dec, Exe, Dec, Exe, (Mem, DMem, Wb)×2]
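The "find a mapping of µ-architectural rule executions to coarser (ISA-level) rule executions" idea and the expected-traces list above, as an added example in Python (not the authors' Flute/BSV tooling): a two-instruction trace is re-arranged into one-instruction-at-a-time ISA-level executions using only swaps of commuting rule executions, which succeeds for independent instructions and fails at the Dec/Wb pair when the second instruction reads a register the first one writes. The per-stage read/write sets, the private pipeline buffers and the two sample programs are assumptions constructed for this example.

```python
# Expected per-instruction rule sequence, from the slides' single-instruction trace.
SINGLE = ["IF", "IMem", "Dec", "Exe", "Mem", "DMem", "Wb"]

def effects(step, instrs):
    """(reads, writes) of one rule execution step = (rule, instruction id). Assumed
    model: IF uses the shared pc, Dec reads the register file, Wb writes it, and
    every stage uses the instruction's own pipeline buffers."""
    rule, iid = step
    dst, src = instrs[iid]
    own = {f"pipe[{iid}]"}
    if rule == "IF":
        return {"pc"} | own, {"pc"} | own
    if rule == "Dec":
        return {f"RF[{r}]" for r in src} | own, own
    if rule == "Wb":
        return own, {f"RF[{dst}]"} | own
    return own, own  # IMem, Exe, Mem, DMem: ALU ops touch only their own buffers

def commute(a, b, instrs):
    """Adjacent rule executions commute if neither writes state the other touches."""
    ra, wa = effects(a, instrs)
    rb, wb = effects(b, instrs)
    return not (wa & (rb | wb)) and not (wb & ra)

def sequentialize(trace, instrs):
    """Insertion-sort the trace into instruction order using only commuting adjacent
    swaps; returns (sorted, None) or (None, (earlier, later)) at the first pair
    whose relative order matters."""
    seq = list(trace)
    for i in range(1, len(seq)):
        j = i
        while j > 0 and seq[j][1] < seq[j - 1][1]:
            earlier, later = seq[j - 1], seq[j]
            if not commute(earlier, later, instrs):
                return None, (earlier, later)
            seq[j - 1], seq[j] = later, earlier
            j -= 1
    return seq, None

def abstract(trace, instrs):
    """Map a trace to ISA-level executions: (True, ids in commit order) when each
    instruction's rules form a complete SINGLE cover, else (False, reason)."""
    seq, conflict = sequentialize(trace, instrs)
    if conflict:
        return False, conflict
    per_inst = {}
    for rule, iid in seq:
        per_inst.setdefault(iid, []).append(rule)
    for iid, rules in per_inst.items():
        if rules != SINGLE:
            return False, ("partial", iid)
    return True, list(per_inst)

# The slides' two-instruction interleaving: [(IF, IMem)x2, Dec, Exe, Dec, Exe, (Mem, DMem, Wb)x2].
TRACE = [("IF", 1), ("IMem", 1), ("IF", 2), ("IMem", 2), ("Dec", 1), ("Exe", 1), ("Dec", 2),
         ("Exe", 2), ("Mem", 1), ("DMem", 1), ("Wb", 1), ("Mem", 2), ("DMem", 2), ("Wb", 2)]
# Constructed programs as {id: (dst, src)}: independent vs. a read-after-write dependency on x3.
INDEP = {1: ("x3", ("x1", "x2")), 2: ("x4", ("x5", "x1"))}
DEP = {1: ("x3", ("x1", "x2")), 2: ("x4", ("x3", "x1"))}
```

A prefix of the trace (instructions still in flight) is reported as partial rather than as a bug, which is the "what if instructions are partially executed?" case from the earlier slide.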
Flute µ-architecture
- analysis-friendly pipeline design from Bluespec, Inc.
- modularized pipeline stages allow changes in pipeline timing
Current status
First steps: basic correctness
- verify FIFO channels maintain atomicity expectations
- show potentially unsafe uses of BSV RWires are correct
- show processor pipeline ≡ unpipelined processor
  - no order-dependent pipeline bugs
Eventual Goal
Full abstraction of the Flute microprocessor to an ISA-level design
- Block-level microarchitectural modular predicates to allow easy refinement
- Compilation of ISA-level traces to the L3 RISC-V model for functional verification
- Verify that the implemented Flute matches the L3 design at ISA level
Questions?
Thank you!
Improving the Spec
Ambiguities in the spec:
- sstatus/mstatus projections for read/write
- pseudo-code for instructions (e.g., CSRR[SC])
- interrupt / exception priorities