verification with the check suite
play

Verification with the Check suite Yatin Manerkar Princeton - PowerPoint PPT Presentation

Mar 15, 2023 •272 likes •2.2k views

Automated Full-Stack Memory Model Verification with the Check suite Yatin Manerkar Princeton University ARM Cambridge, July 20 th , 2018 http:/ ://check.cs.p .princeton.edu/ What are Memory (Consistency) Models? Memory Consistency Models

  1. Check Suite: Full-Stack Automated MCM Analysis High-Level Languages (HLL) So far, tools have found bugs in: TriCheck • [Trippel et al. ASPLOS 2017] Widely-used gem5 Research simulator Compiler OS • Cache coherence paper ( TSO-CC ) • COATCheck IBM XL C++ compiler (fixed in v13.1.5) [Lustig et al. ASPLOS 2016] • In-design commercial processors Architecture (ISA) • RISC-V draft ISA specification PipeCheck & CCICheck • Compiler mapping proofs [Lustig et al. MICRO 2014] • C11 memory model [Manerkar et al. MICRO 2015] Microarchitecture • Open-source processor RTL RTLCheck [Manerkar et al. MICRO 2017] Processor RTL ▪ Suite of tools at various levels of computing stack ▪ Automated Full-Stack MCM checking across litmus test suites

  2. Modelling Microarchitecture: Going below the ISA ▪ Hardware enforces consistency model using smaller localized orderings • In- order fetch/decode/execute… • Orderings enforced by memory hierarchy • …and many more Fetch Fetch Lds. Dec. Dec. SB SB Exec. Exec. L1 L1 Mem. Mem. Memory Hierarchy WB WB L2

  3. Modelling Microarchitecture: Going below the ISA ▪ Hardware enforces consistency model using smaller localized orderings • In- order fetch/decode/execute… • Orderings enforced by memory hierarchy • …and many more Fetch Fetch Lds. Dec. Dec. SB SB Exec. Exec. L1 L1 Mem. Mem. Pipeline stages Memory Hierarchy WB WB L2 may be FIFO to ensure in-order execution

  4. Modelling Microarchitecture: Going below the ISA ▪ Hardware enforces consistency model using smaller localized orderings • In- order fetch/decode/execute… • Orderings enforced by memory hierarchy • …and many more Do individual orderings correctly work together Fetch Fetch Lds. Dec. Dec. SB SB to satisfy consistency model? Exec. Exec. L1 L1 Mem. Mem. Pipeline stages Memory Hierarchy WB WB L2 may be FIFO to ensure in-order execution

  5. Microarchitectural Consistency Checking Mic icroarchit itecture in in µspec ec DS DSL Axiom “ Decode_is_FIFO": ... EdgeExists ((i1, Decode), (i2, Decode)) => AddEdge ((i1, Execute), (i2, Execute)). Axiom "PO_Fetch": ... SameCore i1 i2 /\ ProgramOrder i1 i2 => AddEdge ((i1, Fetch), (i2, Fetch)). Litm Litmus Tes est

  6. Microarchitectural Consistency Checking Mic icroarchit itecture in µspec in ec DS DSL Axiom “ Decode_is_FIFO": ... EdgeExists ((i1, Decode), (i2, Decode)) => AddEdge ((i1, Execute), (i2, Execute)). Axiom "PO_Fetch": ... SameCore i1 i2 /\ ProgramOrder i1 i2 => AddEdge ((i1, Fetch), (i2, Fetch)). Each axiom specifies an ordering that µarch should respect Litm Litmus Tes est

  7. Microarchitectural Consistency Checking Mic icroarchit itecture in in µspec ec DS DSL Axiom “ Decode_is_FIFO": ... EdgeExists ((i1, Decode), (i2, Decode)) => AddEdge ((i1, Execute), (i2, Execute)). Axiom "PO_Fetch": ... SameCore i1 i2 /\ ProgramOrder i1 i2 => AddEdge ((i1, Fetch), (i2, Fetch)). Litm Litmus Tes est

  8. Microarchitectural Consistency Checking Mic icroarchit itecture in µspec in ec DS DSL Axiom “ Decode_is_FIFO": ... EdgeExists ((i1, Decode), (i2, Decode)) => AddEdge ((i1, Execute), (i2, Execute)). Axiom "PO_Fetch": ... SameCore i1 i2 /\ ProgramOrder i1 i2 => AddEdge ((i1, Fetch), (i2, Fetch)). Litm Litmus Tes est Mic icroarchit itectural happens-before (µ (µhb hb) gr graphs

  9. Microarchitectural Consistency Checking Mic icroarchit itecture in µspec in ec DS DSL Axiom “ Decode_is_FIFO": ... EdgeExists ((i1, Decode), (i2, Decode)) => AddEdge ((i1, Execute), (i2, Execute)). Axiom "PO_Fetch": ... SameCore i1 i2 /\ ProgramOrder i1 i2 => AddEdge ((i1, Fetch), (i2, Fetch)). Litm Litmus Tes est Microarch. verification checks that combination of axioms satisfies MCM Mic icroarchit itectural happens-before (µ (µhb hb) gr graphs

  10. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Cor Core 1 Litmus Test mp

  11. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Cor Core 1 (i1) Fetch Dec. Exec. Mem. WB SB Mem Litmus Test mp Hier.

  12. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Cor Core 1 (i1) Fetch Dec. Exec. Mem. WB SB Mem Litmus Test mp Hier.

  13. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Core 1 Cor (i1) (i2) Fetch Dec. Fetch Exec. Dec. Mem. Exec. WB Mem. WB SB SB Mem Litmus Test mp Hier. Mem Hier.

  14. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Core 1 Cor (i1) (i2) Fetch Dec. Fetch Exec. Dec. Mem. Exec. WB Mem. WB SB SB Mem Litmus Test mp Hier. Mem Hier.

  15. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Core 1 Cor (i3) (i4) (i1) (i2) Fetch Dec. Fetch Fetch Exec. Dec. Dec. Fetch Mem. Exec. Exec. Dec. WB Mem. Mem. Exec. WB SB WB Mem. SB WB Mem Litmus Test mp Hier. Mem Hier.

  16. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Core 1 Cor (i3) (i4) (i1) (i2) Fetch Dec. Fetch Fetch Exec. Dec. Dec. Fetch Mem. Exec. Exec. Dec. WB Mem. Mem. Exec. WB SB WB Mem. SB WB Mem Litmus Test mp Hier. Mem Hier.

  17. PipeCheck: Executions as µhb Graphs [Lustig et al. MICRO 2014] Cor Core 0 Core 1 Cor (i3) (i4) (i1) (i2) Fetch Dec. Fetch Fetch Exec. Dec. Dec. Fetch Mem. Exec. Exec. Dec. WB Mem. Mem. Exec. WB SB WB Mem. SB WB Mem Litmus Test mp Hier. Mem Hier.

  18. PipeCheck: Microarchitectural Correctness ▪ Cycle in µhb graph => event has to happen before itself (impossible) ▪ Cyclic graph → unobservable on µarch ▪ Acyclic graph → observable on µarch ▪ Exhaustively enumerate and check all possible execs of litmus test on µarch • Implemented using fast SMT solvers • Compare against ISA-level outcome from herd [Alglave et al. TOPLAS 2014] Litmus Test mp

  19. PipeCheck: Microarchitectural Correctness ▪ Cycle in µhb graph => event has to happen before itself (impossible) ▪ Cyclic graph → unobservable on µarch ▪ Acyclic graph → observable on µarch ▪ Exhaustively enumerate and check all possible execs of litmus test on µarch • Implemented using fast SMT solvers • Compare against ISA-level outcome from herd [Alglave et al. TOPLAS 2014] Litmus Test mp ISA-Level Observable Not Observable Outcome (≥ 1 Graph Acyclic) (All Graphs Cyclic) OK (stricter Allowed OK than necessary) Forbidden Consistency violation! OK

  20. PipeCheck: Microarchitectural Correctness ▪ Cycle in µhb graph => event has to happen before itself (impossible) ▪ Cyclic graph → unobservable on µarch ▪ Acyclic graph → observable on µarch ▪ Exhaustively enumerate and check all possible execs of litmus test on µarch • Implemented using fast SMT solvers • Compare against ISA-level outcome from herd [Alglave et al. TOPLAS 2014] Litmus Test mp ISA-Level Observable Not Observable Outcome (≥ 1 Graph Acyclic) (All Graphs Cyclic) OK (stricter Allowed OK than necessary) Forbidden Consistency violation! OK

  21. PipeCheck: Microarchitectural Correctness ▪ Cycle in µhb graph => event has to happen before itself (impossible) ▪ Cyclic graph → unobservable on µarch ▪ Acyclic graph → observable on µarch ▪ Exhaustively enumerate and check all possible execs of litmus test on µarch • Implemented using fast SMT solvers • Compare against ISA-level outcome from herd [Alglave et al. TOPLAS 2014] Litmus Test mp ISA-Level Observable Not Observable Outcome (≥ 1 Graph Acyclic) (All Graphs Cyclic) OK (stricter Allowed OK than necessary) Forbidden Consistency violation! OK

  22. PipeCheck: Microarchitectural Correctness ▪ Cycle in µhb graph => event has to happen before itself (impossible) ▪ Cyclic graph → unobservable on µarch ▪ Acyclic graph → observable on µarch ▪ Exhaustively enumerate and check all possible execs of litmus test on µarch • Implemented using fast SMT solvers • Compare against ISA-level outcome from herd [Alglave et al. TOPLAS 2014] Litmus Test mp ISA-Level Observable Not Observable Outcome (≥ 1 Graph Acyclic) (All Graphs Cyclic) OK (stricter Allowed OK than necessary) Forbidden Consistency violation! OK

  23. PipeCheck: Microarchitectural Correctness ▪ Cycle in µhb graph => event has to happen before itself (impossible) ▪ Cyclic graph → unobservable on µarch ▪ Acyclic graph → observable on µarch Abstracted memory hierarchy prevents ▪ Exhaustively enumerate and check all possible execs of litmus test on µarch • Implemented using fast SMT solvers verification of complex coherence issues! • Compare against ISA-level outcome from herd [Alglave et al. TOPLAS 2014] Litmus Test mp ISA-Level Observable Not Observable Outcome (≥ 1 Graph Acyclic) (All Graphs Cyclic) OK (stricter Allowed OK than necessary) Forbidden Consistency violation! OK

  24. CCICheck: Coherence vs Consistency ▪ Memory hierarchy is a collection of caches High-Level Languages (HLL) • Coherence protocols ensure that all caches agree on the value of any variable ▪ CCICheck [Manerkar et al. MICRO 2015] shows that Compiler OS consistency verification often cannot simply treat memory hierarchy abstractly Architecture (ISA) • No Nomin inated for or Best Pap aper at t MIC ICRO 20 2015 15 Microarchitecture Fetch Fetch Lds. Dec. Dec. SB SB Exec. Exec. Processor RTL Processor RTL L1 L1 Mem. Mem. Memory WB WB Hierarchy L2

  25. CCICheck: Coherence vs Consistency ▪ Memory hierarchy is a collection of caches High-Level Languages (HLL) • Coherence protocols ensure that all caches agree on the value of any variable ▪ CCICheck [Manerkar et al. MICRO 2015] shows that Compiler OS consistency verification often cannot simply treat memory hierarchy abstractly Architecture (ISA) • No Nomin inated for or Best Pap aper at t MIC ICRO 20 2015 15 Microarchitecture Fetch Fetch Lds. Dec. Dec. SB SB Exec. Exec. Processor RTL Processor RTL L1 L1 Mem. Mem. WB WB L2 Coh Coherence Protocol (S (SWMR, , DVI VI, etc.)

  26. Coherence Protocol Example ▪ If P1 updates the value of x to 200, the stale value of x in other processors must be invalidated ▪ If P3 wants to subsequently read/write x, it must request the new value ▪ SWMR = Single-Writer Multiple Readers, DVI = Data Value Invariant P1 P2 P3 Processors x = 100 x = 100 x = 100 Caches

  27. Coherence Protocol Example ▪ If P1 updates the value of x to 200, the stale value of x in other processors must be invalidated ▪ If P3 wants to subsequently read/write x, it must request the new value ▪ SWMR = Single-Writer Multiple Readers, DVI = Data Value Invariant P1 P2 P3 Processors St x = 200 x = 100 x = 100 x = 100 Caches

  28. Coherence Protocol Example ▪ If P1 updates the value of x to 200, the stale value of x in other processors must be invalidated ▪ If P3 wants to subsequently read/write x, it must request the new value ▪ SWMR = Single-Writer Multiple Readers, DVI = Data Value Invariant P1 P2 P3 Processors St x = 200 x = 100 x = 100 x = 100 x = 100 x = 100 Caches Invalidations

  29. Coherence Protocol Example ▪ If P1 updates the value of x to 200, the stale value of x in other processors must be invalidated ▪ If P3 wants to subsequently read/write x, it must request the new value ▪ SWMR = Single-Writer Multiple Readers, DVI = Data Value Invariant P1 P2 P3 Processors x = 100 x = 200 x = 100 x = 100 x = 100 x = 100 Caches

  30. Coherence Protocol Example ▪ If P1 updates the value of x to 200, the stale value of x in other processors must be invalidated ▪ If P3 wants to subsequently read/write x, it must request the new value ▪ SWMR = Single-Writer Multiple Readers, DVI = Data Value Invariant P1 P2 P3 Processors Ld x x = 100 x = 200 x = 100 x = 100 x = 100 x = 100 Caches Request Data

  31. Coherence Protocol Example ▪ If P1 updates the value of x to 200, the stale value of x in other processors must be invalidated ▪ If P3 wants to subsequently read/write x, it must request the new value ▪ SWMR = Single-Writer Multiple Readers, DVI = Data Value Invariant P1 P2 P3 Processors Ld x x = 200 x = 100 x = 100 x = 100 x = 200 x = 100 x = 100 Caches Data Response

  32. Motivating Example – “Peekaboo” [Sorin et al. Primer 2011] ▪ Three optimizations: correct individually, but not in combination

  33. Motivating Example – “Peekaboo” [Sorin et al. Primer 2011] ▪ Three optimizations: correct individually, but not in combination 1. Prefetching

  34. Motivating Example – “Peekaboo” [Sorin et al. Primer 2011] ▪ Three optimizations: correct individually, but not in combination 1. Prefetching 2. Invalidation before use • Invalidation can arrive before data • Acknowledge Inv early rather than wait for data to arrive • But repeated inv before use → livelock [Kubiatowicz et al. ASPLOS 1992]

  35. Motivating Example – “Peekaboo” [Sorin et al. Primer 2011] ▪ Three optimizations: correct individually, but not in combination 1. Prefetching 2. Invalidation before use • Invalidation can arrive before data • Acknowledge Inv early rather than wait for data to arrive • But repeated inv before use → livelock [Kubiatowicz et al. ASPLOS 1992] 3. 3. Liv ivelock avoid idance: allow destination core to perform one operation on data when it arrives, even if if alr lready in invalid lidated [Sorin et al. Primer 2011] • Does not break coherence • Sometimes in intentio ionall lly returns stale data

  36. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Cor Core 0 Cor Core 1 x: Shared x: Invalid y: Modified y: Invalid r1 ← [y] [x] ← 1 r2 ← [x] [y] ← 1

  37. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Core 0 Cor Core 1 Cor x: Shared x: Invalid y: Modified y: Invalid r1 ← [y] [x] ← 1 r2 ← [x] [y] ← 1

  38. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Core 0 Cor Core 1 Cor Data (x = 0) x: Shared x: Invalid y: Modified y: Invalid r1 ← [y] [x] ← 1 r2 ← [x] [y] ← 1

  39. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Core 0 Cor Core 1 Cor Data (x = 0) x: Shared x: Invalid y: Modified y: Invalid Inv r1 ← [y] [x] ← 1 r2 ← [x] [y] ← 1

  40. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Core 0 Cor Core 1 Cor Data (x = 0) x: Shared x: Invalid y: Modified y: Invalid Inv Inv-Ack r1 ← [y] [x] ← 1 r2 ← [x] [y] ← 1

  41. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Core 0 Cor Core 1 Cor Data (x = 0) x: Modified x: Invalid y: Modified y: Invalid Inv [x] ← 1 Inv-Ack r1 ← [y] [y] ← 1 r2 ← [x]

  42. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Core 0 Cor Core 1 Cor Data (x = 0) x: Modified x: Invalid y: Modified y: Invalid Inv Inv-Ack r1 ← [y] [x] ← 1 r2 ← [x] [y] ← 1

  43. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Cor Core 0 Cor Core 1 Data (x = 0) x: Modified x: Invalid y: Modified y: Invalid Inv Inv-Ack r1 ← [y] [x] ← 1 Request y r2 ← [x] [y] ← 1

  44. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Cor Core 0 Cor Core 1 Data (x = 0) x: Modified x: Invalid y: Shared y: Shared Inv Inv-Ack r1 r1 = 1 [x] ← 1 Request y r2 ← [x] [y] ← 1 Data (y = 1)

  45. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Cor Core 0 Cor Core 1 Data (x = 0) x: Modified x: Invalid y: Shared y: Shared Inv Inv-Ack r1 r1 = 1 [x] ← 1 Request y r2 ← [x] [y] ← 1 Data (y = 1)

  46. Motivating Example – “Peekaboo” ▪ Consider mp with the livelock-avoidance mechanism: Optimizations: 1. Prefetching 2. Invalidation-before-use 3. Livelock avoidance Prefetch x Cor Core 0 Core 1 Cor Data (x = 0) x: Modified x: Invalid y: Shared y: Shared Inv Inv-Ack r1 r1 = 1 [x] ← 1 Request y r2 r2 = 0 [y] ← 1 Data (y = 1)

  47. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Stale Data = Consistency

  48. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Stale Data = Consistency

  49. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Stale Data = Consistency

  50. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Stale Data = Consistency

  51. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Stale Data = Consistency

  52. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Livelock = Consistency

  53. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Livelock = Consistency

  54. The Coherence-Consistency Interface (CCI) ▪ CCI = coherence protocol guarantees to microarch. + orderings microarch. expects from coherence protocol + Expected Coherence SWMR, DVI, No Livelock = CCI Mismatch Consistency Violation!

  55. ViCL: Value in Cache Lifetime ▪ Need a way to model cache occupancy and coherence events for: • Coherence protocol optimizations (eg: Peekaboo) • Partial incoherence and lazy coherence (GPUs, etc) ▪ A ViCL is a 4-tuple: (cache_id, address, data_value, , generation_id) ▪ cache_id and generation_id uniquely identify each cache line ▪ A ViCL 4-tuple maps on to the period of time over which the cache line serves the data value for the address

  56. ViCLs in µhb Graphs ▪ ViCLs start at a ViC iCL Create event and end at a ViC iCL Exp xpire event • Correspond to nodes in µhb graphs • Axioms over these nodes and edges enforce coherence and data movement orderings ▪ Use pipeline model from PipeCheck, but add ViCL nodes and edges Litmus Test co-mp

  57. ViCLs in µhb Graphs ▪ ViCLs start at a ViC iCL Create event and end at a ViC iCL Exp xpire event • Correspond to nodes in µhb graphs • Axioms over these nodes and edges enforce coherence and data movement orderings ▪ Use pipeline model from PipeCheck, but add ViCL nodes and edges Litmus Test co-mp

  58. ViCLs in µhb Graphs ▪ ViCLs start at a ViC iCL Create event and end at a ViC iCL Exp xpire event • Correspond to nodes in µhb graphs • Axioms over these nodes and edges enforce coherence and data movement orderings ▪ Use pipeline model from PipeCheck, but add ViCL nodes and edges Litmus Test co-mp

  59. ViCLs in µhb Graphs ▪ ViCLs start at a ViC iCL Create event and end at a ViC iCL Exp xpire event • Correspond to nodes in µhb graphs • Axioms over these nodes and edges enforce coherence and data movement orderings ▪ Use pipeline model from PipeCheck, but add ViCL nodes and edges Litmus Test co-mp

  60. ViCLs in µhb Graphs ▪ ViCLs start at a ViC iCL Create event and end at a ViC iCL Exp xpire event • Correspond to nodes in µhb graphs • Axioms over these nodes and edges enforce coherence and data movement orderings ▪ Use pipeline model from PipeCheck, but add ViCL nodes and edges Litmus Test co-mp

  61. µhb Graph for the Peekaboo Problem ▪ Additional nodes represent ViCL requests and invalidations ▪ Solu lution: Invalidated data only usable if accessing load/store is oldest in program order at time of request [Sorin et al. Primer 2011] ▪ TSO-CC protocol [Elver and Nagarajan HPCA 2014] was vulnerable to variant of Peekaboo! • Now fixed

  62. µhb Graph for the Peekaboo Problem ▪ Additional nodes represent ViCL requests and invalidations ▪ Solu lution: Invalidated data only usable if accessing load/store is oldest in program order at time of request [Sorin et al. Primer 2011] ▪ TSO-CC protocol [Elver and Nagarajan HPCA 2014] was vulnerable to variant of Peekaboo! • Now fixed

  63. µhb Graph for the Peekaboo Problem ▪ Additional nodes represent ViCL requests and invalidations ▪ Solu lution: Invalidated data only usable if accessing load/store is oldest in program order at time of request [Sorin et al. Primer 2011] ▪ TSO-CC protocol [Elver and Nagarajan HPCA 2014] was vulnerable to variant of Peekaboo! • Now fixed

  64. µhb Graph for the Peekaboo Problem ▪ Additional nodes represent ViCL requests and invalidations ▪ Solu lution: Invalidated data only usable if accessing load/store is oldest in program order at time of request [Sorin et al. Primer 2011] ▪ TSO-CC protocol [Elver and Nagarajan HPCA 2014] was vulnerable to variant of Peekaboo! • Now fixed

  65. µhb Graph for the Peekaboo Problem ▪ Additional nodes represent ViCL requests and invalidations ▪ Solu lution: Invalidated data only usable if accessing load/store is oldest in program order at time of request [Sorin et al. Primer 2011] ▪ TSO-CC protocol [Elver and Nagarajan HPCA 2014] was vulnerable to variant of Peekaboo! • Now fixed

  66. CCICheck Takeaways ▪ Coherence & consistency often closely coupled in implementations ▪ In such cases, coherence & consistency cannot be verified separately ▪ CCICheck: CCI-aware microarchitectural MCM checking • Uses ViCL (Value in Cache Lifetime) abstraction ▪ Discovered bug in TSO-CC lazy coherence protocol

  67. ISA-level MCMs in the Hardware-Software Stack High-Level Languages (HLLs) New ISA-level MCM Hardware

  68. ISA-level MCMs in the Hardware-Software Stack High-Level Languages (HLLs) New ISA-level MCM Which orderings must be guaranteed by hardware? Hardware

  69. ISA-level MCMs in the Hardware-Software Stack High-Level Languages (HLLs) Which orderings does the compiler need to enforce? New ISA-level MCM Which orderings must be guaranteed by hardware? Hardware

  70. ISA-level MCMs in the Hardware-Software Stack High-Level Languages (HLLs) Which orderings does the compiler need to enforce? TriCheck checks that HLL, compiler, ISA, and New ISA-level MCM hardware align on MCM requirements Which orderings must be guaranteed by hardware? Hardware

  71. TriCheck: Layers of the Stack are Intertwined ▪ ISA-level MCMs should allow microarchitectural High-Level Languages (HLL) optimizations but also be compatible with HLLs ▪ TriCheck [Trippel et al. ASPLOS 2017] enables Compiler OS holistic analysis of HLL memory model, ISA-level MCM, compiler mappings, and microarchitectures Architecture (ISA) • Mapping: translation of HLL synchronization primitives to Microarchitecture one or more assembly language instructions ▪ Also useful for checking HLL compiler mappings to Processor RTL Processor RTL ISA-level MCMs ▪ Selected as one of 12 “ Top Pic icks of f Comp. Arc rch. Conferences ” for 2017

  72. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec HLL Litmus Model Compiler Microarch. Test Variants e.g. C11 Mapping Model Four Primary Inputs

  73. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec HLL Litmus Model Compiler Microarch. Test Variants e.g. C11 Mapping Model Examine all C11 memory_order combinations ( release , acquire , relaxed , seq_cst ) for HLL litmus tests

  74. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model Translate HLL Litmus Tests to ISA-level litmus tests

  75. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model Use Herd to Herd check HLL [Alglave et al. TOPLAS 2014] outcomes HLL Outcome Forbidden/Allowed?

  76. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model Use µhb analysis to Herd µhb Analysis check microarch. [Alglave et al. with Check TOPLAS 2014] outcomes HLL Outcome Microarch. Outcome Forbidden/Allowed? Observable/Unobservable?

  77. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model Herd µhb Analysis [Alglave et al. with Check TOPLAS 2014] Compare HLL and microarch. outcomes ? HLL Outcome Microarch. Outcome Forbidden/Allowed? Observable/Unobservable?

  78. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model Herd µhb Analysis [Alglave et al. with Check TOPLAS 2014] Compare HLL and microarch. outcomes ? HLL Outcome Microarch. Outcome Forbidden Forbidden/Allowed? Observable Observable/Unobservable?

  79. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model Herd µhb Analysis [Alglave et al. with Check TOPLAS 2014] Compare HLL and microarch. outcomes HLL Outcome Microarch. Outcome BUG! Forbidden Forbidden/Allowed? Observable Observable/Unobservable?

  80. TriCheck: Comparing HLL to Microarchitecture HLL HLL to ISA µspec ISA-level HLL Litmus Model Compiler Microarch. litmus tests Test Variants e.g. C11 Mapping Model If bugs found, iterate Herd by changing the µhb Analysis [Alglave et al. with Check inputs and re-run TOPLAS 2014] HLL Outcome Microarch. Outcome BUG! Forbidden Forbidden/Allowed? Observable Observable/Unobservable?

  81. Using TriCheck for ISA MCM Design: RISC-V ▪ Ran TriCheck on draft RISC-V ISA MCM with • C11 HLL MCM [Batty et al. POPL 2011] [Batty et al. POPL 2016] • Compiler mappings based on RISC-V manual • Variety of microarchitectures that relaxed various memory orderings − All legal according to draft RISC-V spec − Ranging from SC microarchitecture to one with reorderings allowed by ARM/Power ▪ Draft RISC-V MCM for Base ISA incapable of correctly compiling C11: • C11 outcome forbidden, but impossible to forbid on hardware • RISC-V fences too weak to restore orderings that implementations could relax

  82. Current RISC-V Status ▪ In response to our findings, RISC-V Memory Model Working Group was formed (we are members) • Mandate to create an MCM for RISC-V that satisfies community needs ▪ Working Group has developed an MCM proposal that fixes the aforementioned bugs (and other issues) ▪ MCM proposal recently passed the 45-day public feedback period! • Well on its way to being included in the next version of the RISC-V ISA spec

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite 12 spacious Suites Junior Suite: 45m 2 Suite: 65m 2 Apartment Suite: 110m 2 Fine Italian Cuisine Renowned Chef Vito Grippa

498 views • 18 slides
A Suite of Hard ACL2 Theorems Arising in Refinement-Based Processor Verification Panagiotis

A Suite of Hard ACL2 Theorems Arising in Refinement-Based Processor Verification Panagiotis

A Suite of Hard ACL2 Theorems Arising in Refinement-Based Processor Verification Panagiotis (Pete) Manolios Sudarshan Srinivasan Georgia Institute of Technology 1 Introduction Hardware verification is an area of strength for ACL2.

422 views • 20 slides
SCBench: A Benchmark Design Suite for SystemC Verification and Validation Bin Lin Department of

SCBench: A Benchmark Design Suite for SystemC Verification and Validation Bin Lin Department of

SCBench: A Benchmark Design Suite for SystemC Verification and Validation Bin Lin Department of Computer Science Portland State University 1 Agenda Background and Motivation Overview of Benchmark Designs Key Features of SCBench

528 views • 19 slides
DLS VERIFICATION TESTING FIELD TESTS TO CHECK DLS OPERATIONS DATA LOGGER SYSTEMS DATA LOGGER

DLS VERIFICATION TESTING FIELD TESTS TO CHECK DLS OPERATIONS DATA LOGGER SYSTEMS DATA LOGGER

DLS VERIFICATION TESTING FIELD TESTS TO CHECK DLS OPERATIONS DATA LOGGER SYSTEMS DATA LOGGER SYSTEMS Data LOGGER SYSTEMS (DLS) ARE ELECTRONIC SYSTEMS USED TO: 1. MONITOR MATERIAL APPLICATION CONDITIONS i.e. ambient temperatures 2. PROVIDE REAL

492 views • 23 slides
Lecture 17: Wrapup & Questions . Runtime-Verification . Statement-, branch-, term-

Lecture 17: Wrapup & Questions . Runtime-Verification . Statement-, branch-, term-

Topic Area Code Quality Assurance: Content Content Introduction and Vocabulary Formal Program Verification VL 14 Test case, test suite, test execution. Proof System PD . . Positive and negative outcomes. Softwaretechnik /

246 views • 13 slides
Outline Introduction Modeling Specifying properties and Verification An example

Outline Introduction Modeling Specifying properties and Verification An example

Outline Introduction Modeling Specifying properties and Verification An example Project assignment References, links Shangzhu Weng Labeled Transition System Analyzer (LTSA) Animate and check the behavior of the overall

928 views • 51 slides
A Benchmark Suite for Formal Verification of Analog Circuits Felix Salfelder, Lars Hedrich

A Benchmark Suite for Formal Verification of Analog Circuits Felix Salfelder, Lars Hedrich

A Benchmark Suite for Formal Verification of Analog Circuits Felix Salfelder, Lars Hedrich Introduction MCNC benchmark Analog simulation Numerical challenges Big circuits ISCAS'89 benchmark Digital circuits Simulation,

269 views • 14 slides
Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John

Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John

Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John O Leary, Mark R. Tuttle SCL, Intel Corp Parametric Verification using Flows P A True or Cex P(N) Model Check Abstract Last year we

479 views • 32 slides
DANE verification test suite Hamza Boulakhrif Guido Kroon Supervisor: Michiel Leenaars (NLnet

DANE verification test suite Hamza Boulakhrif Guido Kroon Supervisor: Michiel Leenaars (NLnet

DANE verification test suite Hamza Boulakhrif Guido Kroon Supervisor: Michiel Leenaars (NLnet Foundation) hamza.boulakhrif@os3.nl, guido.kroon@os3.nl Faculty of Physics, Mathematics and Informatics Graduate School of Informatics System and

940 views • 17 slides
Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015 Outline Motivation for Formal Verification Overview of MCMAS Overview of PRISM Formal verification It is a systematic way to check

461 views • 34 slides
Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records OVERVIEW 01 04 Scope of Verification Peggys Picks Types of verification, Verifying exam results or parameters, privacy graduation using databases

1.25k views • 81 slides
La Jolla Commons Office Tower Appendix Slides Architecture Dual Systems Breadth Check Shear

La Jolla Commons Office Tower Appendix Slides Architecture Dual Systems Breadth Check Shear

La Jolla Commons Office Tower Appendix Slides Architecture Dual Systems Breadth Check Shear Wall Lateral System Modeling Verification Model Vibrations Verification Analysis La Jolla Commons Office Tower Architecture Breadth Appendix

440 views • 22 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Toward a Standard Benchmark Format and Suite for Floating-Point Analysis Nasrine Damouche,

Toward a Standard Benchmark Format and Suite for Floating-Point Analysis Nasrine Damouche,

Toward a Standard Benchmark Format and Suite for Floating-Point Analysis Nasrine Damouche, Matthieu Martel, Pavel Panchekha , Chen Qiu, Alexander Sanchez-Stern, Zachary Tatlock. Incredible progress Optimization Automatic Verification STOKE

817 views • 23 slides
Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu

Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu

C11 Compiler Mappings: Exploration, Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu http://check.cs.princeton.edu November 22 nd , 2016 1 Compilers Must Uphold HLL Guarantees High-Level Assembly

591 views • 48 slides
Transfer Learning for Semi-Supervised Collaborative Recommendation Weike Pan 1 , Qiang Yang 2

Transfer Learning for Semi-Supervised Collaborative Recommendation Weike Pan 1 , Qiang Yang 2

Transfer Learning for Semi-Supervised Collaborative Recommendation Weike Pan 1 , Qiang Yang 2 , Yuchao Duan 1 and Zhong Ming 1 panweike@szu.edu.cn, qyang@cse.ust.hk, duanyuchao@email.szu.edu.cn, mingz@szu.edu.cn 1 College of Computer

318 views • 27 slides
Chapter 21 The STL (maps and algorithms) Bjarne Stroustrup www.stroustrup.com/Programming

Chapter 21 The STL (maps and algorithms) Bjarne Stroustrup www.stroustrup.com/Programming

Chapter 21 The STL (maps and algorithms) Bjarne Stroustrup www.stroustrup.com/Programming Abstract n This talk presents the idea of STL algorithms and introduces map as an example of a container. Stroustrup/Programming Nov'13 2 Overview n

477 views • 37 slides
Logistics Project Standard Template Library II Part 1 (clock and design) due Sunday, Sept

Logistics Project Standard Template Library II Part 1 (clock and design) due Sunday, Sept

Logistics Project Standard Template Library II Part 1 (clock and design) due Sunday, Sept 25 th Part 2 (water) due Sunday, Oct 16 th Partners for Parts 2-3 Questions? Logistics Exam 1 Important date: Review

248 views • 7 slides
4 Writing P o etry Session 4 Sharing Revision Strategies Poem factory Idea generators

4 Writing P o etry Session 4 Sharing Revision Strategies Poem factory Idea generators

4 Writing P o etry Session 4 Sharing Revision Strategies Poem factory Idea generators Publishing Sources 4 Dimensions of Poetry: Intellect Emotions Imagination Senses Our winning bids Transformed Revision Strategies

574 views • 31 slides
Stephan Merz INRIA Lorraine & LORIA Nancy, France 1

Stephan Merz INRIA Lorraine & LORIA Nancy, France 1

Modeling and Developing Systems Using TLA + Stephan Merz INRIA Lorraine & LORIA Nancy, France 1

2.01k views • 143 slides
Summary Summary What you need to know about concurrency What you need to know about concurrency

Summary Summary What you need to know about concurrency What you need to know about concurrency

Herb Sutter Software and the Concurrency Revolution Software and the Software and the Concurrency Revolution Concurrency Revolution Herb Sutter Herb Sutter Software Architect Software Architect Microsoft Developer Division Microsoft

351 views • 19 slides
A Practical Methodology for Measuring the Side- Channel Signal Available to the Attacker for

A Practical Methodology for Measuring the Side- Channel Signal Available to the Attacker for

A Practical Methodology for Measuring the Side- Channel Signal Available to the Attacker for Instruction- Level Events Robert Callan, Alenka Zajic, and Milos Prvulovic @ MICRO14 (Paper #48) EECS 573 Sung Kim and Siying Feng 6/7/2017 1 1

350 views • 19 slides
Power-Aware Predictive Models of Hybrid (MPI/OpenMP) Scientific Applications on Multicore Systems

Power-Aware Predictive Models of Hybrid (MPI/OpenMP) Scientific Applications on Multicore Systems

Power-Aware Predictive Models of Hybrid (MPI/OpenMP) Scientific Applications on Multicore Systems Charles Lively III*, Xingfu Wu*, Valerie Taylor*, Shirley Moore+ , Hung-Ching Chang^, Chun-Yi Su^, and Kirk Cameron^ *Department of Computer

250 views • 24 slides

More recommend