Invalid Instruction Exit Protocol Verification for Processors Using Formal Techniques

Jayanta Ghosh, Bijitendra Mittra (Interra Systems India Pvt Ltd) Subir K. Roy (Texas Instruments)
CDNLive! 2012
1

Outline
Brief Overview of the RISC Processor Problem Statement Invalid Instruction Behavior Complexities & Challenges Involved Modeling Layer & Proposed Methodology for Generation of Stream of Instructions Example of Instruction Sequence Generation Different Classes of Checks Model Creation for Proposed Methodology - Its Automation Issues Found Conclusion
CDNLive! 2012

Brief Overview of the RISC Processor - 1

The Processor supports both 16 and 32 bit instructions. The processor supports combinations of 16 and32 bit instructions in the instruction pipeline. The processor supports 4 hardware and one software interrupt. Number of I/Os = 169/280 and FFs = 954

CDNLive! 2012

Brief Overview of the RISC Processor - 2

Has a 3 stage pipeline
Instruction Memory Pipeline Stages Instruction Fetch Fetch-Decode (FD) Instruction Decode Architectural Control Registers Execute (EXE) M L S D Regfile

Memory Writeback (WB)

Data Memory

CDNLive! 2012

Problem Statement
The task is to verify correctness of a well defined Exit Protocol on two output signals that has been implemented in an in-house RISC processor, whenever and in whatsoever condition, that it encounters an invalid instruction within a stream of valid instructions. An invalid instruction is assumed to arrive randomly within any sequence of valid 16 and/or 32 bit instructions. (The exit protocol ensures that the processor is gracefully taken to a well defined fail safe state on encountering an invalid instruction).
CDNLive! 2012

Complexities Involved - 1
Enormous Invalid/Undefined Instruction State space. Valid 16/32 bit instructions (X)

Complexities Attributable to Processor Architecture : Classify an instruction in an instruction stream to be either a valid instruction or an invalid instruction. This involves separation of the rather small valid instruction set X (50 < X <200) from the large invalid instruction set, 232 - X. Another complexity involves combinations of 16 and 32 bit valid and invalid instructions in the instruction pipeline. 16 bit 32 Upper (Data) 32 Lower (Op) 16 bit 16 bit 32 Lower (Opcode) 16 bit 32 Upper (D) Two 16 bit instructions. One 32 bit instruction. One 16 bit instruction followed by [15:0] of next 32 bit instruction. [31:16] of previous 32 bit instruction followed by another 16 bit instruction.
CDNLive! 2012

Complexities Involved - 2
Complexities Attributable to Processor Architecture (Contd.) : The next complexity involves 32 bit instructions which in the instruction stream can be both contiguous or split into 16 bit words spread across consecutive instructions in the instruction pipeline. The final complexity involves instructions which cause branching from within a linear instruction sequence, for example, jump, branch, interrupts and subroutine calls. Complexity Attributable to Modeling Effort: Ensuring that the instruction classification holds true, i.e. we need to ensure that a valid instruction is never declared invalid, while an invalid instruction is never declared as a valid instruction. Complexity Attributable to Verification Effort: This complexity involves ensuring full coverage of all possible streams of instruction sequences consisting of both - only valid instructions and random embedding of an invalid instruction within a stream of valid instructions. Generating all possible sequence of instructions, being able to identify an invalid instruction, if any, and then ensure correctness of the exit policy under the above complexities renders the verification difficult. The above are hard to achieve through conventional approaches
CDNLive! 2012

Modeling Layer (1)

Feed the random stream of instructions to both the modeling layer and the processor. Use the modeling layer to generate flags which can be used to constrain and control the generation of instruction sequences for the processor.
Modeling Layer Flags used in Properties for Instruction sequence generation

Instruction Bus Signals for checking Invalid instruction exit protocol

8

Processor

CDNLive! 2012

Modeling Layer (2)

Type32, Type32S
32 bit inst (Valid/invalid )

2nd level Decoder !Type32, !Type32S

32 bit valid inst 32 bit invalid inst 16 bit invalid inst 16 bit valid inst Type16L,Type16U

Flag32
Random Instructions

First level Decoder

!Type16L, !Type16U

Flag16L Flag16U
16 bit inst (Valid/invalid

2nd level Decoder

P I P E L I N E

TYPE

Extra level of decoding

For Call, Branch and some special instructions

CDNLive! 2012

Modeling Layer Description

We use a multi-layered decoding approach in our model It consists of a light weight decoder to distinguish between a 16 bit instruction and a 32 bit instruction. This is then followed up with another decoder block which checks the validity of the instruction it receives, i.e. whether it is a valid or an invalid instruction. Different flags are generated in our model to identify the mix of 16 bit instructions from contiguous and non-contiguous 32 bit instructions in the instruction pipeline. Similarly, different flags are generated to identify instructions which cause change of linear instruction execution sequences. The generated flags are then implicitly used in carefully coded assertions to enable generation of all possible classes of sequence of instructions.
CDNLive! 2012

10

Modeling Layer Flags

Flag32 Flag16L Flag16U Type32 Type32S Implies that the data in the instruction bus is a 32 bit instruction (valid or invalid). Implies that the data in the instruction bus [15:0] is a 16 bit instruction (valid or invalid). Implies that the data in the instruction bus [31:16] is a 16 bit instruction (valid or invalid). Implies that the data in the instruction bus is a valid and contiguous 32 bit instruction. Implies that the data in the upper instruction bus ([31:16]) has the lower word ([15:0]) of a valid 32 bit instruction.

Other Flags : Branch_Flag_32 / Branch_Flag_16

CDNLive! 2012

11

Example of Instruction Sequence Generation

31 Instruction Bus 16 Valid 32-bit instruction 0 Any 32 bit valid contiguous instruction Flag32 && Type32 Any 32 bit Invalid instruction Flag32 && !Type32 && !Type32S Two 16 bit valid instructions Flag16L && Flag16U && Type16L && Type16U

Invalid 32-bit instruction

Valid 16-bit

Valid 16-bit

Invalid 16-bit

16 bit Invalid & 16 bit Valid Flag16L && Flag16U && Type16L && !Type16U Any 32 bit valid instruction Using Flags from the modeling layer we can drive valid 16/32 and invalid instructions anywhere in the instruction sequence to get all possible sequences. Valid 16-bit
CDNLive! 2012

12

Different Classes of Checks

1. Checks for 32/16 bit invalid instruction in the instruction

pipeline with interrupt and branching disabled.

2. Checks for 32/16 bit invalid instruction with branching enabled and interrupt disabled - invalid instruction is assumed to be present in the branch taken portion or the subroutine portion of the sequence of instructions. 3. Checks with interrupts enabled An invalid instruction is present before an interrupt is asserted. An invalid instruction comes in the same cycle in which an interrupt is encountered. There exists an invalid instruction in the instruction pipeline after an interrupt is taken (this is primarily to verify the correct execution of the ISR corresponding to each interrupt).
CDNLive! 2012

13

Example Property
Check for 32 bit Invalid instruction pattern: property Invalid_Behaviour_4_n2 = always ({Flag32 && Type32; Flag32 && Type32; Flag32 && Type32; Flag16U && Flag16L && Type16L && Type16U; Flag32 && Type32 && (rd_data_ctrl_valid==1'b1); Flag32 && !Type32 && (rd_data_ctrl_valid==1'b1)} |-> {[*0:5]; (identifier_invalid==3'b011) && cpu_invalid_o;(program_counter[30:0]==31'b00000000000000000000000000 00110)})@(posedge cpu_fclk); assert Invalid_Behaviour_4_n2; Invalid Instruction generation

CDNLive! 2012

14

Description of the Property

In the antecedent part of the example PSL property, we are driving three 32 bit valid instructions, followed by two 16 bit valid instructions, which are then followed by an invalid 32 bit instruction pattern in the instruction pipeline. The valid 32 bit and the 16 bit instructions can be any instruction from the legal set of instructions in the processors ISA. The invalid 32 bit instruction pattern can be any from the set of invalid instructions belonging to the invalid instruction space (232 X). The expression, Flag32 && !Type32, involving flags from our modeling layer, ensures all possible invalid 32 bit instruction patterns are considered. In the consequent part of the property we check for the correct generation of the two signals involved in the exit protocol these should be generated within 5 cycles of detection of invalid instruction

Thus, FV checks for the correctness for all possible instruction sequences in a specific class of check.
CDNLive! 2012

15

Automation of Modeling Layer

Example of 32 bit instruction pattern from the valid set . . . . 000 . . . . . . . . . . . . . . . . . . 100100101011010101 . . . . 001 . . . . . . . . . . . . . . . . . .100111110101010011 . . . . . . . . . . . . . . . . . . . . . . . . . 111111101001001010 Extended . . . . 111 . . . . . . . . . . . . . . . . . . 100101000001001000 Opcodes Section A Section B [6:5] bits coded as '10' for 32 bit instructions

We used Espresso, a logic minimization tool from University of California, Berkeley For the kind of patterns show above, Espresso generates a reduced boolean expression for boolean vectors in Section A and Section B. The minimized boolean expressions can be used for generation of the modeling layer flags
CDNLive! 2012

16

Formal Run Statistics

Property Classes Without Interrupt & Branching With Interrupt Instructions with extended opcode Properties 92 43 18 Average Run Time Per Property 10 min. 45 min. 15 min.

CDNLive! 2012

17

Issues Reported by Formal Runs

While returning from an interrupt service routine (ISR) the program counter was being loaded with incremented memory address instead of the return memory address stored in the stack corresponding to the ISR this was detected indirectly by a failed property in which an invalid instruction was assumed to be present in the return memory address location. The PSL property failed as the invalid instruction was missed due to the wrong return address. Some of the valid instructions are of the extended opcode type and have a 2nd level of opcode in the upper instruction bus [31:16]. If the extended opcode was an invalid one, the invalid extended instruction was not being detected as invalid
CDNLive! 2012

18

Conclusion
The proposed methodology based on Formal approach has been successfully deployed on an inhouse RISC processor Future versions of the processor can utilize the methodology easily due to the automation put in place This idea can be applied to any processor for its invalid instruction set verification

CDNLive! 2012

19

Thank You