# Synthesizing High Level Models from RTL for Efficient Verification of Memory Model Implementations

Yao Hsiao, Caroline Trippel

Jan 10, 2025

Memory Consistency Model (MCM) defines the ordering and visibility of shared memory accesses on a multiprocessor



# Memory Consistency Model (MCM) defines the ordering and visibility of shared memory accesses on a multiprocessor



# Challenge: How do we ensure that microarchitecture correctly implements its ISA MCM?



# Challenge: How do we ensure that microarchitecture correctly implements its ISA MCM?



# Challenge: How do we ensure that microarchitecture correctly implements its ISA MCM?



## The *Check Tools* Automate Formal Verification of Hardware Memory Model Implementations By Analyzing Abstract Model of Hardware



# Axiomatic Microarchitectural Models Enable Formal Analysis

#### [Lustig+, ASPLOS'16] Axiom Ld\_exe\_path: forall microops i, IsAnyRead i $\Rightarrow$ AddEdges [((i, IF), (i, DX)); High-Level Language ((i, DX), (i, RdMm)); TriCheck [ASPLOS'17] ((i, RdMm), (i, L1\$)); ((i, L1\$), (i, WB));] \/ **COATCheck** [ASPLOS'16] Formal Hardware Verification AddEdges [((i, IF), (i, DX)); with the Check Tools ((i, DX), (i, WB));] // Other axioms... **PipeCheck** [MICRO'14] Abstract Microarchitectural CCICheck [MICRO'15] Model: µSPEC Model First order logic axiomatic model of a microarchitecture = a set of invariants upheld by the microarchitecture: Omits **combinational** logic details RTL (e.g., SystemVerilog) Retains state updates and

ordering details

Verification Challenge: How to Verify that a µSPEC Accurately Represents a SystemVerilog Microarchitecture

µSPEC looks **quite different** from SystemVerilog!



### Roadmap Toward Automatic Synthesis of Verified µSPEC

- **Background**: The Microarchitecture-µSPEC Model Verification Challenge
- RTL2µSPEC: Synthesizing µSPEC model from Simple Processor RTL Designs
- RTL2MµPATH: Synthesizing ("Uncovering") All µPATHs per Instruction from Advanced SystemVerilog Processors
- **Next Steps:** Support synthesis of µSPEC axioms for coherence protocol and complex data dependencies in complex processors

Toward automatic synthesis of µSPEC model for complex multiprocessors

### Roadmap Toward Automatic Synthesis of Verified µSPEC

- **Background**: The Microarchitecture-µSPEC Model Verification Challenge
- **RTL2µSPEC**: Synthesizing µSPEC model from Simple Processor RTL Designs
- RTL2MµPATH: Synthesizing ("Uncovering") All µPATHs per Instruction from Advanced SystemVerilog Processors
- Next Steps: Support synthesis of µSPEC axioms for coherence protocol and complex data dependencies in complex processors























## RTL2µSPEC: Synthesizing µSPEC from Processor Design



### Roadmap Toward Automatic Synthesis of Verified µSPEC

- **Background**: The Microarchitecture-µSPEC Model Verification Challenge
- **RTL2µSPEC**: Synthesizing µSPEC model from Simple Processor RTL Designs
- RTL2MµPATH: Synthesizing ("Uncovering") All µPATHs per Instruction from Advanced SystemVerilog Processors
- Next Steps: Support synthesis of µSPEC axioms for coherence protocol and complex data dependencies in complex processors

# Single Microarchitectural Execution Path (µPATH) Assumption



# Overview of RTL2<u>M</u>µPATH: <u>M</u>ulti-µPATH Synthesis from RTL



## Overview of RTL2<u>M</u> $\mu$ PATH: <u>M</u>ulti- $\mu$ PATH Synthesis from RTL



# Overview of RTL2MµPATH: Multi-µPATH Synthesis from RTL





# Conceptualizing Nodes in a $\mu$ PATH: A Key Challenge to Automated $\mu$ PATH Discovery with RTL2M $\mu$ PATH





# **Our Solution**: Expressing Nodes in µPATHs using Micro-op Finite State Machines (µFSMs)



# **Our Solution**: Expressing Nodes in µPATHs using Micro-op Finite State Machines (µFSMs)



# **Our Solution**: Expressing Nodes in µPATHs using Micro-op Finite State Machines (µFSMs)











# CVA6 Core and Cache Case Study [Hsiao+, MICRO'24]

- RISC-V CVA6
  - 64-bit, 6-stage, single-issue core
  - Speculation and limited out-oforder write-back with diverse functional units (ALU, LSU, Mul/Div, CSR buffer)
- 72 instructions in RV64I base ISA + M extension (RV64IM)
- Synthesize per-instruction µPATH axioms from Core and Data Cache respectively



CVA6 Core [Zaruba+, VLSI'19]

# **CVA6 Core: Results**

- Complexity statistics: 8,577 LoC (SystemVerilog); after elaboration: 22,138 wires, 19,575 standard cells, 482 registers (11,985 D flip-flop bits), 3 memories.
- 124,459 properties
- Average ~4 min per property
- ~16% undetermined under timeout of 30 minutes

# **CVA6 Cache: Preliminary Results**

- Complexity statistics: 2,279 LoC (SystemVerilog); 4way, 128B (scaled down from 32 KB), write-through, coalescing write-buffer
- 4,178 properties
- Average < 3 sec per property
- All completed





https://github.com/yaohsiaopid/SynthLC

### Roadmap Toward Automatic Synthesis of Verified µSPEC

- **Background**: The Microarchitecture-µSPEC Model Verification Challenge
- **RTL2µSPEC**: Synthesizing µSPEC model from Simple Processor RTL Designs
- RTL2MµPATH: Synthesizing ("Uncovering") All µPATHs per Instruction from Advanced SystemVerilog Processors
- Next Steps: Support synthesis of µSPEC axioms for coherence protocol and complex data dependencies in complex processors

### **Challenge #1**: Synthesizing coherence protocol related axioms

| С0   |    |        |   | C1   |    |        |   |
|------|----|--------|---|------|----|--------|---|
| (i0) | ST | [data] | 1 | (i2) | LD | [data] | 2 |
| (i1) | ST | [data] | 2 | (i3) | LD | [data] | 1 |

Cache coherence protocols ensure that multiple cached copies of an address are kept up-to-date





#### **Challenge #2:** axioms synthesis regarding complex dataflow dependencies



## Takeaways



### Thank you!