Structuring instruction-sets with higher-order functions - PowerPoint PPT Presentation

1
Structuring instruction-sets with higher-order
functions
  • Byron Cook
  • Advisor John Launchbury

2
Microprocessor correctness
ISA Simple machine
Lots of microarchitectural tricks
3
Microprocessor correctness
Speculative.
Out-of-order.
Superscalar.
Pipelined.
4
Microprocessor correctness
?
5
FV for microprocessor correctness
  • Approach to improving microprocessor quality
  • Model the systems in logic
  • Prove that the microarchitecture implements the
    ISA.
  • Rich mixtures of automatic and manual proof
    strategies are common.

6
FV for microprocessor correctness
  • Research community has found many techniques to
    solve this problem.
  • Several papers prove correctness of superscalar,
    out-of-order, and speculative implementations of
    RISC ISAs.

7
The twist: ISAs are evolving
  • Domain-specific extensions.
  • Example: MMX
  • Predication.
  • Example: ARM
  • Concurrency instructions
  • Example: IA-64
  • Speculative instructions
  • Example: IA-64

8
The twist: ISAs are evolving
9
The twist: ISAs are evolving
10
The twist: ISAs are evolving
Extra structure to leverage
11
The twist: ISAs are evolving
Should be carefully presented
12
The twist: ISAs are evolving
  • Opportunity for new axis of proof decomposition
  • MMX: Can we first prove that the MMX execution
    unit correctly implements MMX?
  • Predication: Can we prove just the MA predication
    machinery correct?
  • Concurrency instructions: Can we abstract over
    the underlying pipelines?
  • Speculative instructions

13
Question that the dissertation answers
  • Can higher-order functions help?
  • Facilitate architectural extension design?
  • Microarchitectural modeling of extensions?
  • Facilitate the correctness proof?

14
Overview
  • Background
  • Extensions and higher-order functions
  • Conclusion

15
Overview
  • Background
  • Extensions and higher-order functions
  • Conclusion

16
Overview
  • Background
  • Models and specifications
  • Correctness
  • Formal verification techniques
  • Extensions and higher-order functions
  • Conclusion

17
Models and specifications
  • In the literature, transition systems are used.
  • A transition system is a structure with:
  • A set of initial states.
  • A next state relation.
  • An observation function.

18
Models and specifications
  • Let's see an example

19
Models and specifications
20
Models and specifications
21
Models and specifications
22
Models and specifications
23
Models and specifications
  • t = (init,next,obs)
  • init represents the initial states
  • init :: s
  • next represents the next state relation
  • next :: i -> s -> s
  • obs is the observation function
  • obs :: s -> o

24
Models and specifications
type TS i s o = ( s , i -> s -> s , s -> o )
t :: TS i s o
t = (init,next,obs)
25
Models and specifications
  • s can sometimes mean a finite set of elements
    of s.
  • Sometimes infinite sets are used.
  • Sometimes, sets are not used at all.

26
Models and specifications
  • type TS c i s o =
  • ( c s , i -> s -> c s , s -> o )

27
Models and specifications
  • Finite sets
  • t :: TS FSet i s o
  • t :: ( FSet s , i -> s -> FSet s , s -> o )
  • Infinite sets
  • t :: TS Set i s o
  • t :: ( Set s , i -> s -> Set s , s -> o )
  • No sets
  • t :: TS Id i s o
  • t :: ( s , i -> s -> s , s -> o )

28
Models and specifications
  • data OPCODE = ADD Reg Reg Reg
  • | SUB Reg Reg Reg
  • .
  • .
  • Example:
  • ADD r1 r2 r5 :: OPCODE

29
Example: An ISA specification
  • risc :: TS FSet
  • OPCODE
  • RegFile
  • (Obs RegFile)
  • risc = (risc_init,risc_next,risc_obs)
  • where risc_init = unit i_rf
  • risc_next instr state
  • risc_obs s

30
Models and specifications
  • data Obs x = Ready x
  • | Busy
  • | Stalled

31
Example: A pipelined model
  • pipe :: TS FSet
  • OPCODE
  • (RegFile,PipeReg,PipeReg,PipeReg)
  • (Obs RegFile)
  • pipe = (pipe_init,pipe_next,pipe_obs)
  • where pipe_init = unit (i_rf,empty,empty,empty)
  • pipe_next instr (rf,r1,r2,r3)
  • pipe_obs (rf,r1,r2,r3)

32
Overview
  • Background
  • Models and specifications
  • Correctness
  • Formal verification techniques
  • Extensions and higher-order functions
  • Conclusion

33
What is correctness?
n
?
m
34
What is correctness?
  • Often a preorder relationship
  • Bisimulation (BISIM).
  • Simulation (SIM).
  • Flush-point correctness (FP).

35
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
36
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
init m
37
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
init m
init n
38
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
init m
R
init n
39
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
next m i
init m
R
R
init n
40
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
next m i
init m
R
R
init n
next n i
41
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
init m
R
init n
42
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
init m
R
R
init n
43
What is simulation?
m is the implementation, n is the
specification. There exists an R such that
obs m
init m
R
R
init n
obs n
44
What is simulation?
  • (m,n) ∈ SIM iff ∃R.
  • ∀a ∈ init m, ∃b ∈ init n. (a,b) ∈ R
  • ∀(a,b) ∈ R, i, a' ∈ next m i a. ∃b' ∈ next n i b
    and (a',b') ∈ R
  • ∀(a,b) ∈ R. obs m a = obs n b

45
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
46
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
init n
47
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
init m
init n
48
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
init m
R
init n
49
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
init m
R
R
init n
next n i
50
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
next m i
init m
R
R
init n
next n i
51
What is bisimulation?
m is the implementation, n is the
specification. There exists an R such that, the
same as before AND
next m i
init m
R
R
R
init n
next n i
52
What is bisimulation?
  • (m,n) ∈ BISIM iff ∃R.
  • ∀a ∈ init m, ∃b ∈ init n. (a,b) ∈ R
  • ∀b ∈ init n, ∃a ∈ init m. (a,b) ∈ R
  • ∀(a,b) ∈ R, i, a' ∈ next m i a. ∃b' ∈ next n i b and
    (a',b') ∈ R
  • ∀(a,b) ∈ R, i, b' ∈ next n i b. ∃a' ∈ next m i a and
    (a',b') ∈ R
  • ∀(a,b) ∈ R. obs m a = obs n b

53
What is flush-point correctness?
obs m
init m
R
R
init n
obs n
54
What is flush-point correctness?
R
55
What is flush-point correctness?
R
56
What is flush-point correctness?
R
R
57
Overview
  • Background
  • Models and specifications
  • Correctness
  • Formal verification techniques
  • Extensions and higher-order functions
  • Conclusion

58
How do we prove this?
n
SIM
m
59
Abstraction
60
Abstraction
61
Abstraction
62
Abstraction
63
Abstraction
64
History variables
65
History variables
66
History variables
67
Prophecy variables
68
Prophecy variables
69
Prophecy variables
  • FP

FP
70
Prophecy variables
SIM
FP
  • SIM?FP

71
Decomposition
72
Decomposition
73
Decomposition
74
Decomposition
75
Decomposition
76
Overview
  • Background
  • Models and specifications
  • Correctness
  • Formal verification techniques
  • Extensions and higher-order functions
  • Conclusion

77
Overview
  • Background
  • Extensions and higher-order functions
  • Conclusion

78
Overview
  • Background
  • Extensions and higher-order functions
  • Conclusion

79
Overview
  • Background
  • Extensions and higher-order functions
  • OA an example extended ISA
  • Modeling with transformers
  • Proof decomposition with transformers
  • Characterizing an important set of transformers
  • Conclusion

80
The Oregon architecture.
  • r2 <- r2 1
  • r1 <- r1 r3
  • pc <- 102

81
The Oregon architecture.
  • r2 <- r2 1
  • r1 <- r1 r3
  • pc <- 102

82
The Oregon architecture.
  • r2 <- r2 1 if p2
  • r1 <- r1 r3 if p2
  • pc <- 102 if p2

83
The Oregon architecture.
  • r2 <- r2 1 if p2 in 1
  • r1 <- r1 r3 if p2 in 0
  • pc <- 102 if p2 in 2

84
The Oregon architecture.
  • 101: r2 <- load 100 if p5 in 0
  • r1 <- 1 if p5 in 1
  • r3 <- r2 if p5 in 0
  • FENCE
  • 102: r4 <- r2 ! 0 if p5 in 0
  • p2,p3 <- r2p r4 if p5 in 0
  • r3 <- r2 if p5 in 1
  • FENCE
  • 103: r2 <- r2 1 if p2 in 1
  • r1 <- r1 r3 if p2 in 0
  • pc <- 102 if p2 in 2
  • 104: store 401 r1 if p3 in 3
  • pc <- 105 if p3 in 2
  • nop
  • FENCE

85
The Oregon architecture.
r3 <- r2 if p5
r2 <- load 100 if p5 r3 <- r2 if p5
r4 <- r2 ! 0 if p5 p2,p3 <- r2p r4 if p5
r1 <- 1 if p5
pc <- 102 if p2 pc <- 33 if p3
store 401 r1 if p3
r1 <- r1 r3 if p2
r2 <- r2 - 1 if p2
86
Overview
  • Background
  • Extensions and higher-order functions
  • OA an example extended ISA
  • Modeling with transformers
  • Proof decomposition with transformers
  • Characterizing an important set of transformers
  • Conclusion

87
Transformers
  • Transformers are functions between transition
    systems.
  • Composition of transformers rather than
    monolithic transition systems.
  • More modular specifications and models.
  • A new axis for decomposition.
  • Proof re-use.

88
Modeling systems as the composition of functions.
RISC
89
Modeling systems as the composition of functions.
Backend
Frontend
RISC
Predicate Register File
90
Modeling systems as the composition of functions.
Backend
Frontend
RISC
Predicate Register File
91
Modeling systems as the composition of functions.
Instruction Buffer
Backend
Frontend
RISC
Instruction Buffer
Dispatch
Control
Predicate Register File
Instruction Buffer
92
Modeling systems as the composition of functions.
Instruction Buffer
Backend
Frontend
RISC
Instruction Buffer
Dispatch
Control
Predicate Register File
Instruction Buffer
Program Memory (p)
93
The Oregon architecture.
  • oa p = fnt p (cnc 1 (prd risc))

94
The Oregon architecture.
  • oa p = fnt p (cnc 1 (prd risc))

Familiar friend
95
The Oregon architecture.
  • oa p = fnt p (cnc 1 (prd risc))

Takes any transition system and adds predication
96
The Oregon architecture.
  • oa p = fnt p (cnc 1 (prd risc))

Adds explicit concurrency instructions
97
The Oregon architecture.
  • oa p = fnt p (cnc 1 (prd risc))

Adds a front-end with program fetch
98
Modeling systems as the composition of functions.
Predicated RISC Pipeline
Instruction Buffer
Predicated RISC Pipeline
Instruction Buffer
Dispatch
Control
Predicated RISC Pipeline
Instruction Buffer
Program Memory (p)
99
Oregon microarchitectural implementation.
  • ma p = fnt p (cnc 3 prd_pipe)

100
Oregon microarchitectural implementation.
  • ma p = fnt p (cnc 3 prd_pipe)

Higher-performance predicated pipeline
101
Modeling systems as the composition of functions.
  • prd :: (,Bubble i,Collection c,Eq r,)
  • =>
  • TS c i s (Obs (Env r w))
  • ->
  • TS c
  • (Prd_Instr i r)
  • (Prd_St s r i)
  • (Obs (Env r w))

102
Modeling systems as the composition of functions.
  • prd :: (,Bubble i,Collection c,Eq r,)
  • =>
  • TS c i s (Obs (Env r w))
  • ->
  • TS c
  • (Prd_Instr i r)
  • (Prd_St s r i)
  • (Obs (Env r w))

Polymorphic with respect to s
103
Modeling systems as the composition of functions.
  • prd :: (,Bubble i,Collection c,Eq r,)
  • =>
  • TS c i s (Obs (Env r w))
  • ->
  • TS c
  • (Prd_Instr i r)
  • (Prd_St s r i)
  • (Obs (Env r w))

c (whatever it is) has to be a collection-type
104
Modeling systems as the composition of functions.
  • class Collection c where
  • unit :: a -> c a
  • join :: c (c a) -> c a
  • union :: c a -> c a -> c a
  • map :: (a -> b) -> c a -> c b

105
Prd_Instr type.
  • data Prd_Instr i r = R2P r r r
  • | P2R r r
  • | SET r Bool
  • | IF i r
  • | GO i

106
Prd_St type.
  • type Prd_St s r i = (s,Env r Bool,)

107
Modeling systems as the composition of functions.
  • prd :: (,Bubble i,Collection c,Eq r,)
  • =>
  • TS c i s (Obs (Env r w))
  • ->
  • TS c
  • (Prd_Instr i r)
  • (Prd_St s r i)
  • (Obs (Env r w))

One of the advantages: predication is defined in
isolation.
108
Modeling systems as the composition of functions.
oa p = fnt p (prd (cnc 1 risc))
oa p = prd (fnt p (cnc 1 risc))
oa p = prd (prd (prd risc))
Other possibilities..
109
Overview
  • Background
  • Extensions and higher-order functions
  • OA an example extended ISA
  • Modeling with transformers
  • Proof decomposition with transformers
  • Characterizing an important set of transformers
  • Conclusion

110
Now what?
  • Now, let us look at how we can leverage the extra
    structure

111
Decomposition.
  • (f m,g n) ∈ SIM

112
Decomposition.
  • (f m,g n) ∈ SIM

Here's the structure that we're going to leverage.
113
Decomposition.
  • (f m,g n) ∈ SIM

114
Decomposition.
  • (m,n) ∈ A
  • ∀(a,b) ∈ A. (f a, g b) ∈ SIM

115
Decomposition.
  • (m,n) ∈ A
  • ∀(a,b) ∈ A. (f a, g b) ∈ SIM

We're abstracting over m and n.
116
New notation ?
  • (f, g) ∈ R?Q
  • is defined as
  • ∀(a,b) ∈ Q. (f a, g b) ∈ R

117
New notation ?
  • (g, g) ∈ R?Q
  • is defined as
  • ∀(a,b) ∈ Q. (g a, g b) ∈ R
  • Note: monotonicity is (f,f) ∈ R?R

118
Decomposition.
  • (m,n) ∈ A
  • ∀(a,b) ∈ A. (f a, g b) ∈ SIM

119
Decomposition.
  • (m,n) ∈ A
  • (f, g) ∈ SIM?A

120
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

121
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

Now, let's decompose the proof using our
available techniques
122
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

123
(ma,oa) ∈ FP
  • (fnt p (cnc 3 prd_pipe), fnt p (cnc 1 (prd
    risc))) ∈ FP

124
(ma,oa) ∈ FP
  • ((fnt p o cnc 3) prd_pipe, (fnt p o cnc 1 o prd)
    risc) ∈ FP

function composition
125
(ma,oa) ∈ FP
((fnt p o cnc 3) prd_pipe, (fnt p o cnc 1 o prd)
risc) ∈ FP
(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
Rule: decomposition
126
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
127
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
(cnc 3,cnc 1) ∈ FP?FP
(fnt,fnt) ∈ FP?FP
Rule: decomposition
128
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
(cnc 3,cnc 1) ∈ FP?FP
?
(fnt,fnt) ∈ FP?FP
Reasoning: fnt adds no state
129
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
?
(cnc 3,cnc 1) ∈ FP?FP
?
(fnt,fnt) ∈ FP?FP
Reasoning: Some hard reasoning here.
Essentially cnc expects no hazards amongst
different threads.
130
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
?
(cnc 3,cnc 1) ∈ FP?FP
?
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
(prd_pipe,prd pipe) ∈ FP
Rule: Transitivity of FP and intermediate model
prd pipe
131
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
?
(cnc 3,cnc 1) ∈ FP?FP
?
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
(prd_pipe,prd pipe) ∈ FP
Rule: Transitivity of FP and intermediate model
prd pipe
132
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
?
(cnc 3,cnc 1) ∈ FP?FP
?
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
(prd_pipe,prd pipe) ∈ FP
(prd,prd) ∈ SIM?SIM
(pipe,risc) ∈ SIM
Rule: Decomposition and strengthening
133
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
?
(cnc 3,cnc 1) ∈ FP?FP
?
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
(prd_pipe,prd pipe) ∈ FP
(prd,prd) ∈ SIM?SIM
?
(pipe,risc) ∈ SIM
Reasoning: Many techniques available for this.
134
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
?
(cnc 3,cnc 1) ∈ FP?FP
?
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
?
(prd_pipe,prd pipe) ∈ FP
(prd,prd) ∈ SIM?SIM
?
(pipe,risc) ∈ SIM
Rule: Surprisingly hard. More later
135
(ma,oa) ∈ FP
(prd_pipe,prd pipe) ∈ FP
136
(ma,oa) ∈ FP
Rule: using intermediate model slow prd_pipe.
Also using SIM?FP.
(prd_pipe,prd pipe) ∈ FP
(prd_pipe,slow prd_pipe) ∈ FP
(slow prd_pipe, prd pipe) ∈ SIM
137
(ma,oa) ∈ FP
Reasoning: Techniques available for this.
Essentially self-consistency.
(prd_pipe,prd pipe) ∈ FP
?
(prd_pipe,slow prd_pipe) ∈ FP
(slow prd_pipe, prd pipe) ∈ SIM
138
(ma,oa) ∈ FP
Reasoning: Simulation relation given in
dissertation.
(prd_pipe,prd pipe) ∈ FP
?
(prd_pipe,slow prd_pipe) ∈ FP
?
(slow prd_pipe, prd pipe) ∈ SIM
139
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
(cnc 3,cnc 1) ∈ FP?FP
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
(prd_pipe,prd pipe) ∈ FP
(prd,prd) ∈ SIM?SIM
(pipe,risc) ∈ SIM
(prd_pipe,slow prd_pipe) ∈ FP
(slow prd_pipe, prd pipe) ∈ SIM
140
Overview
  • Background
  • Extensions and higher-order functions
  • OA an example extended ISA
  • Modeling with transformers
  • Proof decomposition with transformers
  • Characterizing an important set of transformers
  • Conclusion

141
Monotonicity.
  • What about the case
  • (prd m, prd n) ∈ SIM

142
Monotonicity.
  • By the decomposition rule
  • (m,n) ∈ SIM
  • (prd, prd) ∈ SIM?SIM

143
Monotonicity.
  • By the decomposition rule
  • (m,n) ∈ SIM
  • (prd, prd) ∈ SIM?SIM

Unfortunately, we don't get this automatically
144
Monotonicity.
  • Dissertation characterizes a set of transformers
    such that (f, f) ∈ SIM?SIM
  • Same for BISIM?BISIM.

145
BISIM?BISIM
  • Question: Why aren't all transformers monotonic
    with respect to BISIM?
  • Answer: The troublesome transformers are those
    that are not polymorphic in their state.

146
Models and specifications
4
0
147
BISIM?BISIM
  • f :: TS FSet Int i o -> TS FSet Int i o
  • f (init,next,obs) (init,next,obs)
  • where
  • init init 4
  • .

148
Models and specifications
0
149
BISIM?BISIM
  • The solution: use a polymorphic transformer.
  • f :: TS FSet s I O -> TS FSet (F s) I O
  • Dissertation proves that
  • (f, f) ∈ BISIM?BISIM
  • Note: f's definition does not matter.

150
BISIM?BISIM
  • The solution: use a polymorphic transformer
  • f :: TS FSet s I O -> TS FSet (F s) I O
  • Dissertation proves that
  • (f, f) ∈ BISIM?BISIM
  • Proof is based on the theory of Parametricity.

151
BISIM?BISIM
  • The solution: use a polymorphic transformer
  • f :: TS FSet s I O -> TS FSet (F s) I O
  • Dissertation proves that
  • (f, f) ∈ BISIM?BISIM
  • Proof is based on the theory of
    Parametricity and I actually check it too.

152
SIM?SIM
  • Assume that
  • f :: TS FSet s I O -> TS FSet (F s) I O
  • Unfortunately, there are cases where
  • (f, f) ∉ SIM?SIM

153
SIM?SIM
  • Question: Why aren't all polymorphic transformers
    monotonic with respect to SIM?
  • Answer: polymorphic transformers can still look
    at the structure of sets.

154
Models and specifications
155
SIM?SIM
  • f :: TS FSet s i o -> TS FSet s i Bool
  • f (init,next,obs) (init,next,obs)
  • where
  • obs x if (init<2) then False
  • else True
  • .

156
Models and specifications
157
SIM?SIM
  • The solution: limit the set-like operations that
    f has access to by putting a constraint in the
    type
  • f :: Container c => TS c s I O -> TS c (F s) I
    O
  • Dissertation proves that
  • (f, f) ∈ SIM?SIM
  • Proof is, again, based on Parametricity.

158
Collection
  • class Collection c where
  • unit :: a -> c a
  • join :: c (c a) -> c a
  • union :: c a -> c a -> c a
  • map :: (a -> b) -> c a -> c b

159
SIM?SIM
  • The solution: limit the set-like operations that
    f has access to
  • f :: Container c => TS c s I O -> TS c (F s) I
    O
  • Dissertation proves that
  • (f, f) ∈ SIM?SIM
  • This probably seems limiting but both prd and
    fnt are examples.
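
An added Haskell example, not taken from the slides or the dissertation, covering the SIM definition on slide 44 and the monotonicity question on slides 141-159: `checkSim` tests the three simulation conditions for a supplied finite relation, and `guardT` is a hypothetical state-polymorphic transformer in the spirit of prd. Lists stand in for FSet, and `Tick`, `spec`, `impl`, `bad`, `rel`, `PInstr`, `guardT` and `liftRel` are names assumed for illustration.

```haskell
module Main where

-- TS from the slides with the collection c fixed to lists (assumption).
type TS i s o = ([s], i -> s -> [s], s -> o)

-- Does the candidate relation r witness (m,n) ∈ SIM for these inputs?
checkSim :: (Eq a, Eq b, Eq o)
         => [i] -> [(a, b)] -> TS i a o -> TS i b o -> Bool
checkSim inputs r (initM, nextM, obsM) (initN, nextN, obsN) =
  initsOk && stepsOk && obsOk
  where
    -- each initial implementation state relates to an initial spec state
    initsOk = all (\a -> any (\b -> (a, b) `elem` r) initN) initM
    -- each implementation step from a related pair is matched by the spec
    stepsOk = and [ any (\b' -> (a', b') `elem` r) (nextN i b)
                  | (a, b) <- r, i <- inputs, a' <- nextM i a ]
    -- related states are observably equal
    obsOk = all (\(a, b) -> obsM a == obsN b) r

data Tick = Tick

-- Specification n: a one-bit toggle that exposes its bit.
spec :: TS Tick Int Int
spec = ([0], \Tick s -> [(s + 1) `mod` 2], id)

-- Implementation m: a two-bit counter exposing only its low bit.
impl :: TS Tick Int Int
impl = ([0], \Tick s -> [(s + 1) `mod` 4], (`mod` 2))

-- Faulty implementation: wraps from 2 straight back to 0.
bad :: TS Tick Int Int
bad = ([0], \Tick s -> [if s == 2 then 0 else (s + 1) `mod` 4], (`mod` 2))

-- Candidate simulation relation: counter value k relates to bit k mod 2.
rel :: [(Int, Int)]
rel = [(k, k `mod` 2) | k <- [0 .. 3]]

-- Hypothetical transformer in the spirit of prd (not the dissertation's
-- definition): adds a one-bit predicate; guarded instructions run only
-- when the bit is set. It never inspects the wrapped state s.
data PInstr i = Set Bool | If i

guardT :: TS i s o -> TS (PInstr i) (s, Bool) o
guardT (ini, next, obs) = ([(s, False) | s <- ini], next', obs . fst)
  where
    next' (Set b) (s, _)     = [(s, b)]
    next' (If i)  (s, True)  = [(s', True) | s' <- next i s]
    next' (If _)  (s, False) = [(s, False)]

-- Lift a relation on base states to predicated states (equal predicate bits).
liftRel :: [(a, b)] -> [((a, Bool), (b, Bool))]
liftRel r = [((a, p), (b, p)) | (a, b) <- r, p <- [False, True]]

main :: IO ()
main = do
  let pInputs = [Set False, Set True, If Tick]
  print (checkSim [Tick] rel impl spec)   -- base obligation (m,n)
  print (checkSim [Tick] rel bad spec)    -- same rel against the faulty model
  print (checkSim pInputs (liftRel rel) (guardT impl) (guardT spec)) -- lifted obligation (f m, f n)
```

`checkSim` only tests the relation it is given, so a failing check on `rel` does not by itself show that no simulation relation exists. The lifted check is one instance of the monotonicity property for one transformer, not a proof of it.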

160
Overview
  • Background
  • Extensions and higher-order functions
  • OA an example extended ISA
  • Modeling with transformers
  • Proof decomposition with transformers
  • Characterizing an important set of transformers
  • Conclusion

161
Overview
  • Background
  • Extensions and higher-order functions
  • Conclusion

162
Overview
  • Background
  • Extensions and higher-order functions
  • Conclusion

163
Conclusion
  • Higher-order functions can be used to facilitate
    both the design of architectural extensions and
    the correctness proofs of their implementations.
  • Dissertation provides
  • A modeling method based on higher-order functions
    for instruction-set extensions.
  • Decomposition and discharge rules for models
    written using the modeling method.
  • Reusable extension specifications.
  • Proof re-use.

164
Summary
  • The dissertation
  • Reviews the history of processor verification.
  • Develops the theory necessary to model
    microprocessors and do FV.
  • Develops a next generation VLIW-like
    instruction-set with predication and concurrency
    instructions
  • Develops a microarchitectural implementation.
  • Develops the theory that allows us to leverage
    the higher-order functions
  • Demonstrates how a microarchitectural correctness
    proof can be decomposed and structured.

165
(ma,oa) ∈ FP
  • (ma,oa) ∈ FP

(fnt o cnc 3,fnt o cnc 1) ∈ FP?FP
(prd_pipe,prd risc) ∈ FP
(cnc 3,cnc 1) ∈ FP?FP
(prd pipe,prd risc) ∈ FP
(fnt,fnt) ∈ FP?FP
(prd_pipe,pipe pipe) ∈ FP
(prd,prd) ∈ SIM?SIM
(pipe,risc) ∈ SIM
(prd_pipe,slow prd_pipe) ∈ FP
(slow prd_pipe, prd pipe) ∈ SIM