ACL2-Based Verification of NoC Communication Infrastructures

ACL2-Based Verification of NoCCommunication InfrastructuresDominique Borrione, Amr Helmy, Laurence Pierre(TIMA Laboratory, Grenoble, F)Julien Schmaltz (Radboud University, Nijmegen, NL)

TIMA Laboratory1

TIMA Laboratory• Techniques of Informatics and Microelectronicsfor integrated systems Architecture (Head:D.Borrione)• Six teams: ARIS (Architectures for Robust and complex IntegratedSystems), M.Nicolaidis and R.Velazco CIS (Concurrent Integrated Systems), L.Fesquet andG.Sicard MNS (Micro and Nano systems), S.Basrour RMS (Reliable Mixed-signal Systems), S.Mir SLS (System Level Synthesis), F.Pétrot VDS (Verification and modeling of Digital Systems),L.Pierre2

Outline• IntroductionNetworks on ChipFormal verification of NoC• GeNoC model• Application: HERMES• Conclusion3

Introduction• Formal verification of complex SoC’s:Verificationof the IPsVerification of thecommunicationinfrastructure4

Introduction• Communication infrastructure: bus, Networkon Chip (NoC),…• The Network-on-Chip paradigm is emergingas a promising solution L.Benini and G.De Micheli, « Networks on Chips: A NewSoC Paradigm », Computer, 35 (1), 2002. P.Pande, G.De Micheli, C.Grecu, A.Ivanov, R.Saleh,« Design Synthesis, and Test of Networks on Chips »,Design & Test of Computers, 22 (5), 2005.5

Introduction• What is a NoC?Topology(Ex: 2D-Mesh)Routing algorithm(Ex: XY routing)Switching technique(Ex: wormhole)6

Formal Verification• State of the art:Model checking and/or theorem provingtechniques used to verify instances ofnetworks or protocols• GeNoC is a generic model for reasoningabout NoCs general framework7

GeNoC Model• Meta-model: network topology and size, routingand switching techniques• High level of abstractionAbstract view of the Transport (4), Network (3)and Data Link (2) layers of the OSI model• Encoded in the ACL2 theorem proverFunctional representation, parameterizedproofs8

Approach9

Correctness Statement∀T, ∀ I, ∀ R, ∀ S,P 1 (T) ∧ P 2 (I) ∧ P 3 (R) ∧ P 4 (S) ⇒P (GeNoC(T, I, R, S)P : every message arrived at a node actuallycorresponds to a message issued at anothernode of the network, and the message reachesthe intended destination without modification ofits contents10

GeNoC Function11

GeNoC FunctionMessagesNode setInitially emptyStateTimeGeNoC(M,N,a,T,S,z) ≡if SumOfAttempts(a)=0then list(T,M)elseArrived messageslet = R4D(M,z) inlet =Scheduling(Routing(Tr,N),a,S) inGeNoC(TM ∪ D,N,a',A ∪ T,S’,z+1)Delayed or en route messages12

Main Constraints• Interfaces: p2prcv o p2psend = Id• Network state: State modification functions return valid states Tr ∩ D = ∅• Routing: Each route from c to d starts in c, uses validnodes, and ends in d• Scheduling: TM ∩ A = ∅13

Implementation in ACL2• GeNoC : recursive function• Using constrained functions encapsulation mechanism(defspec GenericRouting(((Routing * *) => *))(local (defun Routing(M N) ; witness...))(defthm Routing-typing-constraint...)(defthm Routing-correctroutesp...)))14

Implementation in ACL2• Instances of Routing and Scheduling: recursivefunctions (must terminate!) Routing: Each recursive call brings closer to thedestination• Definition of a well-founded relation:nodelt(n 1 ,n 2 ) =o i on 1 .x < n 2 .x∨ (n 1 .x=n 2 .x ∧ n 1 .y < n 2 .y) x x+1∨ (n 1 .x=n 2 .x ∧ n 1 .y=n 2 .y ∧ (n 1 .dir=i ∧ n 2 .dir=o))15

Example: HERMES• Univ. Rio Grande do Sul (Porto Alegre, BR)and LIRMM (Montpellier, F)• Regular 2D mesh• Node : IP core Switch16

Example: HERMES• Switch:5 ports: North, South, East,West, Local• Deterministic minimalrouting algorithm: XY routing• Wormhole switching17

Proof of HERMES• XY routing algorithm:XYRouting(from,to) ≡if from=to /* destination reached */then thru localelseif Xfrom != Xto /* change X */then if Xfrom < Xtothen thru EastNN0 W EW Eelse thru WestSSelse /* change Y */NNif Yfrom < Yto1 W EW ESSthen thru Southelse thru North20 1 2NW ESNW ESNW ESNW ESNW ESfrom = (Xfrom,Yfrom), to = (Xto,Yto)18

Proof of HERMES• Scheduling function:WormHSched(L,TM,A,S) ≡if empty(L)then list(TM,A,S)elseList of messagesState of the networkArrived messagesEn route messageslet tr=first(L) /* first message */and r=routesOf(tr) /* set of routes */and c=check_routes(r,S) /* ∃ valid route */and a=check_arrival(c) / destination reached */inif c!=nilthen let TM’= if a then TM else TM ∪ update(tr)and A’= if a then A ∪ tr else AinWormHSched(rest(L), TM’, A’, updateSt(S))else WormHSched(rest(L), TM ∪ tr, A, S)19

Simulation• ACL2 provides a theorem prover + anexecution engine (Common Lisp)• Simulation results for the formally provenspecification• Simulation in Common Lisp + visualizationinterface in Java20

Simulation0 1 2012WWWNESNESNES3WWWNESNESNES1WWWNESNESNES2VHDL simulation:message 2 is blockedin node (2,2)21

Simulation0 1 20WNESWNESWNESACL2 simulation1WNES3WNES1WNES22WNESWNESWNES22

Other Case Studies• Spidergon (STMicroelectronics): Shortest-path routing (maximumnumber of hops = N/4) Packet switching• Nostrum (KTH Stockholm, Sweden): 2D mesh Deflective routing + load averaging Packet switching23

Conclusion• GeNoC is a kind of meta-model, that canbe used to verify realistic NoCsGeneric proofs on the size of the NoCsand the length of messages• Future work: various extensions towardsRTL24