A Generic Model for Formally Verifying NoC Communication Architectures: A Case Study
Dominique Borrione, Amr Helmy, Laurence Pierre (TIMA Laboratory, Grenoble, F) Julien Schmaltz (Radboud University, Nijmegen, NL)
Introduction
• The trend in SoC design:
  • IPs
  • Communication infrastructure (NoC)
• Overall system verification:
  • Validated IPs
  • Verification of the communications
NoCs - May 2007
1
Formal Verification
• State of the art: model checking and/or theorem proving techniques, used to verify instances of networks or protocols
• GeNoC is a generic model for reasoning about NoCs
GeNoC Model
• Meta-model: network topology and size, routing and switching techniques
• High level of abstraction: abstract view of the Transport (4) and Network (3) layers of the OSI model
• Encoded in the ACL2 theorem prover: functional representation, parameterized proofs
GeNoC Model
• Abstract view of the communications
  [Figure: two nodes, each with an Application layer exchanging messages with its Interface through send/recv; the interfaces exchange frames across the network through Routing and Scheduling]
• Transaction = (id, source, message, destination)
• Missive = (id, source, frame, destination)
• Generic correctness theorem
Proving NoC Instances
• Meta-model: network characterization proof obligations, routing proof obligations, scheduling proof obligations
• Instances for a given NoC: supply the concrete functions and discharge these proof obligations
• Correctness statement: each message reaches the intended destination
Functions to be Instantiated
• Main function (M: missives, N: node set, a: attempts, T: travels, initially empty):

  GeNoC(M, N, a, T) ≡
    if SumOfAttempts(a) = 0
    then list(T, M)                          /* T: scheduled missives, M: aborted missives */
    else let (S D a') = Scheduling(Routing(M, N), a)   /* S: scheduled, D: delayed */
         in GeNoC(D, N, a', S » T)

• Other functions: Scheduling, Routing, ...
HERMES
• Univ. Rio Grande do Sul (Porto Alegre, BR) and LIRMM (Montpellier, F)
• Regular 2D mesh
• Node:
  • IP core
  • Switch
HERMES
• Switch: 5 ports: North, South, East, West, Local
• Deterministic minimal routing algorithm: XY routing
• Wormhole switching (the Scheduling component of the GeNoC instance)
Proof of HERMES
• Initial model [TPHOL2005]:
  • Nodes are associated with coordinates
  • Several messages cannot occupy a node simultaneously
  • Messages are atomic
• Extensions:
  • Nodes have coordinates as well as ports
  • A node can be occupied simultaneously by several messages
  • Support for non-atomic messages (wormhole)
Proof of HERMES
• XY routing algorithm, with from = (Xfrom, Yfrom) and to = (Xto, Yto):

  XYRouting(from, to) ≡
    if from = to                          /* destination reached */
    then thru local
    else if Xfrom ≠ Xto                   /* change X */
         then if Xfrom < Xto then thru East else thru West
         else                             /* change Y */
              if Yfrom < Yto then thru South else thru North

  [Figure: 3×3 HERMES mesh, nodes (0..2, 0..2), each switch with ports N, E, S, W plus the local port; Y grows downwards]
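The XY routing function above, re-expressed in Python (the original is an ACL2/Common Lisp definition) together with an exhaustive check of the properties a GeNoC Routing instance has to satisfy. This is an added example, not the authors' GeNoC code: the names xy_step, xy_route and check_* are ours, and the precise list of obligations is our reading of the slides (start at the source, end at the destination, stay inside the node set) extended with the two HERMES-specific claims, neighbouring hops and minimality.

```python
# Added example: Python re-expression of the HERMES XY routing function on
# the slide (the original is an ACL2/Common Lisp definition) plus an
# exhaustive check of the properties a GeNoC Routing instance must satisfy.
# All names below (xy_step, xy_route, check_*) are ours, not GeNoC's.
from itertools import product

MOVE = {"East": (1, 0), "West": (-1, 0), "South": (0, 1), "North": (0, -1)}


def xy_step(frm, to):
    """One XY routing decision, exactly as on the slide.

    Coordinates use the slide's convention: X grows to the East and
    Y grows to the South (row 0 is the top row of the mesh figure).
    """
    (xf, yf), (xt, yt) = frm, to
    if frm == to:
        return "local"                       # destination reached
    if xf != xt:                             # change X first
        return "East" if xf < xt else "West"
    return "South" if yf < yt else "North"   # then change Y


def xy_route(frm, to):
    """Apply xy_step hop by hop: the Routing component of the model.

    Returns (nodes, ports): the nodes visited, source first and
    destination last, and the output port taken at each of them.
    """
    nodes, ports, cur = [frm], [], frm
    while True:
        port = xy_step(cur, to)
        ports.append(port)
        if port == "local":
            return nodes, ports
        dx, dy = MOVE[port]
        cur = (cur[0] + dx, cur[1] + dy)
        nodes.append(cur)


def check_route(frm, to, width, height):
    """Check one route against the routing proof obligations.

    A GeNoC Routing instance must produce routes that start at the
    source, end at the destination and only visit nodes of the node set
    (the first three checks). The last two checks are the HERMES-specific
    claims: hops go between neighbouring switches and the route is
    minimal (its length is the Manhattan distance).
    """
    nodes, ports = xy_route(frm, to)
    ok = nodes[0] == frm
    ok = ok and nodes[-1] == to and ports[-1] == "local"
    ok = ok and all(0 <= x < width and 0 <= y < height for x, y in nodes)
    ok = ok and all(abs(a[0] - b[0]) + abs(a[1] - b[1]) == 1
                    for a, b in zip(nodes, nodes[1:]))
    ok = ok and len(nodes) - 1 == abs(frm[0] - to[0]) + abs(frm[1] - to[1])
    return ok


def check_all_routes(width, height):
    """Exhaustive check over every (source, destination) pair of a
    width x height mesh. A run covers one mesh size; the ACL2 proof on
    the slides covers every size at once."""
    nodes = list(product(range(width), range(height)))
    return all(check_route(s, d, width, height) for s in nodes for d in nodes)
```

Running check_all_routes for a few mesh sizes is the simulation-side counterpart of the "HERMES routing" proof in the CPU-time table: it gives evidence for one instance, while the theorem holds for any width and height.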
Proof of HERMES
• Scheduling function (L: pairs (missive, routes); S: scheduled missives; D: delayed missives; P: state of the network):

  WormHSched(L, S, D, P) ≡
    if empty(L) then list(S, D, P)
    else let tr = first(L)                 /* first travel */
         and n = nbflits(tr)               /* number of flits */
         and r = routesOf(tr)              /* set of routes */
         and c = check_routes(n, r, P)
         in if c = true
            then WormHSched(rest(L), S » update(tr), D, updateP(n, P))
            else WormHSched(rest(L), S, D » tr, P)
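WormHSched and the GeNoC main function it plugs into, re-expressed in Python (the originals are ACL2/Common Lisp definitions). This is an added example, not the authors' HERMES model, and it makes three simplifying assumptions of our own: the network state P maps an output port (node, direction) to the number of flits it can still carry in the current scheduling round; attempts are counted per missive rather than per node; and the topology is a 1-D line of nodes so that routing is trivial and the example stays focused on scheduling. It also shows the behaviour noted on slide 20: a delayed travel is kept whole at its source (D » tr) rather than advancing hop by hop.

```python
# Added example: Python re-expression of WormHSched and of the GeNoC main
# loop it plugs into (the originals are ACL2/Common Lisp definitions).
# Our simplifying assumptions, which differ from the authors' HERMES model:
#  - the network state P maps an output port (node, direction) to the
#    number of flits it can still carry this scheduling round (CAP if untouched);
#  - attempts are counted per missive rather than per node;
#  - the topology is a 1-D line of nodes, so routing is trivial.
from dataclasses import dataclass

CAP = 4  # flits an output port can carry per scheduling round (assumed)


@dataclass(frozen=True)
class Missive:
    id: int
    source: int
    frame: tuple      # the flits; a frame is non-atomic (wormhole)
    dest: int


@dataclass(frozen=True)
class Travel:
    missive: Missive
    route: tuple      # hops (node, output port), ending with (dest, "local")


def nbflits(tr):
    return len(tr.missive.frame)


def check_routes(n, route, P):
    """True iff every port of the route can still carry n flits.
    XY routing is deterministic, so routesOf(tr) is this single route."""
    return all(P.get(hop, CAP) >= n for hop in route)


def updateP(n, route, P):
    """Reserve n flits of capacity on every port of the route."""
    P = dict(P)
    for hop in route:
        P[hop] = P.get(hop, CAP) - n
    return P


def wormh_sched(L, P):
    """WormHSched(L, S, D, P): walk the travels in order; a travel whose
    route is free is scheduled (S) and reserves its ports, otherwise it is
    delayed (D) and stays whole at its source node."""
    S, D = [], []
    for tr in L:
        if check_routes(nbflits(tr), tr.route, P):
            S.append(tr)
            P = updateP(nbflits(tr), tr.route, P)
        else:
            D.append(tr)
    return S, D, P


def line_routing(m, N):
    """Routing instance for our 1-D line: hop East (or West) until dest."""
    assert m.source in N and m.dest in N
    step, port = (1, "East") if m.dest > m.source else (-1, "West")
    return [(i, port) for i in range(m.source, m.dest, step)] + [(m.dest, "local")]


def genoc(M, N, attempts, routing):
    """GeNoC(M, N, a, T): rounds of Routing then Scheduling until the
    attempts are exhausted. Returns (completed travels, aborted missives)."""
    T = []                                                  # initially empty
    while sum(attempts.values()) > 0:                       # SumOfAttempts(a) = 0 ends it
        active = [m for m in M if attempts[m.id] > 0]
        if not active:
            break
        L = [Travel(m, tuple(routing(m, N))) for m in active]   # Routing(M, N)
        S, D, _ = wormh_sched(L, {})                        # Scheduling, fresh state
        T = T + S                                           # S » T
        for tr in S:
            attempts[tr.missive.id] = 0                     # delivered
        for tr in D:
            attempts[tr.missive.id] -= 1                    # a': one attempt used
        done = {tr.missive.id for tr in S}
        M = [m for m in M if m.id not in done]              # still to deliver
    return T, M


def delivered_correctly(T):
    """The correctness statement: every completed travel ends at the
    intended destination of its missive."""
    return all(tr.route[-1] == (tr.missive.dest, "local") for tr in T)


def run_example():
    """Constructed scenario on a line of four nodes: missive 2 shares port
    (1, East) with missive 1 and is delayed one round; missive 3 is longer
    than CAP and is aborted once its two attempts run out."""
    N = (0, 1, 2, 3)
    M = [Missive(1, 0, ("a", "b", "c"), 2),
         Missive(2, 1, ("d", "e"), 3),
         Missive(3, 0, ("f", "g", "h", "i", "j"), 3)]
    attempts = {m.id: 2 for m in M}
    return genoc(M, N, attempts, line_routing)
```

The decreasing sum of attempts is what makes the recursion terminate, which is why the slide's GeNoC tests SumOfAttempts(a) = 0 first; in run_example the oversized missive 3 is what ends up in the aborted list, while missives 1 and 2 are delivered in two rounds.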
Proof of HERMES
• Scheduling function:
  [Figure: 3×3 HERMES mesh (nodes (0..2, 0..2), ports N, E, S, W on each switch) illustrating a wormhole scheduling step; D marks the destination node]
Proof of HERMES
• Scheduling function:
  [Figure: the same 3×3 HERMES mesh at the next scheduling step; D marks the destination node]
Proof - CPU Times

  Proof                 # functions   # theorems   CPU time (s) *
  Generic model              71           119          29.75
  HERMES topology            10             6           6.25
  HERMES routing              6            48          54.87
  HERMES scheduling           7            32          10.72
  HERMES correctness          2             1           5.56

  * Intel Core Duo T2400
Simulation
• ACL2 provides a theorem prover + an execution engine (Common Lisp)
• Simulation results for the formally proven specification
• Simulation in Common Lisp + visualization interface in Java
Simulation
  [Figure: VHDL simulation of the 3×3 HERMES mesh: message 2 is blocked in node (2,2)]
Simulation
  [Figure: ACL2 simulation of the same scenario on the 3×3 HERMES mesh]
Simulation
• Expected result from the ACL2 simulation: the chronology of message transfers
• Results obtained by the VHDL and ACL2 simulations are similar, but in the ACL2 simulation messages appear to be blocked in their source node: the abstract scheduler delays a whole travel whose route is not free (D » tr in WormHSched) instead of letting its flits advance hop by hop
Conclusion
• The GeNoC model has been used to verify a realistic NoC:
  • Generic proof, independent of the size of the NoC and of the length of messages
• Future work: various extensions towards RTL
  • Cycle-accurate modeling
  • Possibility to consider the Data Link layer