Formal Verification of a Novel Snooping Cache Coherence Protocol for CMP Xuemei Zhao, Karl Sammut, and Fangpo He Flinders University, Australia.


Formal Verification of a Novel
Snooping Cache Coherence
Protocol for CMP
Xuemei Zhao, Karl Sammut, and Fangpo He
Flinders University, Australia
Background
- The emergence of CMP opens a large research space for increasing performance
- More caches on chip, low L2 latency, fast cache-to-cache access
- The traditional SMP memory hierarchy and cache coherence protocol will diminish CMP's performance.
- Two traditional structures: Private L2 and Shared L2. Two protocols: Snooping protocol, Directory-based protocol
- Formal verification is useful for discovering and correcting errors at an early stage.
Outline
- Cache architecture of SPS2
- Description of SPS2 protocol
- Verification using Hytech
- Verification using SMV
- Conclusion
Cache Architecture
[Figure: L2 cache organisations, with panels titled Private L2, Banked Shared L2 (banks SL2_0 to SL2_3), Nahalal layout, and SPS2 (PL2 and SL2); each panel shows CPU cores with L1I and L1D caches and a path to memory.]
Advantages of SPS2
- PL2 and SL2 can use different association mechanisms
- PL2 and SL2 can have different sizes and replacement policies
- PL2 leads to low latency.
- SL2 provides high capacity
- No new CPU instructions needed; simple interface
Description of SPS2
- Based on MOSI (Modified, Owned, Shared, Invalid) protocol
- PL1 with state (M, O, S, I)
- Exclusive
- Inclusive
- PL2 with state (M, O, I)
- SL2 with state (S, I)
- Write-invalidation policy on writeback cache
SPS2 Protocol
[Figure: SPS2 organisation: four CPU cores, each with L1I and L1D caches, a PL2 and an SL2, connected to memory.]
- Read Miss – issue GETS
- Read Hit
- Write Miss – issue GETX
- Write Hit
- PL1 Replacement
- PL2 Replacement
- SL2 Replacement
State Graph
Vector {XYZ} represents the state of PL1, PL2 and SL2 in a node. There are
seven possible states, i.e., III, IIS, SIS, MII, IMI, OIS, and IOS.
[Figure: SPS2 state graphs over the states III, IIS, SIS, MII, IMI, OIS and IOS, with edges labelled read, write, read/write, GetS, GetX, rep1, rep2 and repS. (a) Command from processor perspective. (b) Command from bus perspective.]
Verification using Hytech
- Hytech, an abstraction level model checker
- To validate the protocol independently of the number of processors, we use an EFSM to model the parameterized coherence protocol
- Global machine M_G = <Q_G, Σ_G, F, δ_G>, where Q_G is the set of possible states of cache blocks, Σ_G the set of operations, F the set of characteristic functions, and δ_G the set of state transitions
EFSM expression of SPS2
(r1) SIS+OIS+MII≥1→__
(r2) III≥1, MII=0, IMI=0 → III'=0, SIS'=SIS+1, IIS'=IIS+III-1
(r3) III≥1, MII≥1 → III'=0, SIS'=SIS+1, MII'=MII-1,
OIS'=OIS+1, IIS'=IIS+III-1
(r4) III≥1, IMI≥1 → III'=0, SIS'=SIS+1, IMI'=IMI-1,
IOS'=IOS+1, IIS'=IIS+III-1
(r5) IIS≥1 → IIS'=IIS-1, SIS'=SIS+1
(r6) IMI≥1 → MII'=MII+1, IMI'=IMI-1
(r7) IOS≥1 → OIS'=OIS+1, IOS'=IOS-1
……
......
Read hit event (r1), read miss events (r2) – (r7)
Verification using EFSM in Hytech
Define all possible sources of data inconsistency
(1) OIS >=1 & MII >=1
(2) OIS >=2
(3) IIS >=1 & IMI >=1
(4) …
As proved in [14][16][17], data consistency could
be verified.
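The counter-abstraction check described on the two slides above, as an added example that is not part of the original slides or the authors' HyTech model. It encodes only the read rules (r2) to (r7) shown here (the write and replacement rules are elided on the slide), explores them for a fixed number of nodes instead of parametrically, and tests the three listed inconsistency conditions; the names `Cfg`, `read_successors`, `violations`, `explore`, `seeds_for` and the start configurations are assumptions.

```python
from collections import deque, namedtuple

# Counter abstraction: how many nodes are in each {PL1, PL2, SL2} state vector.
Cfg = namedtuple("Cfg", "III IIS SIS MII IMI OIS IOS")

def read_successors(c):
    """Apply rules (r2)-(r7) from the slide; (r1), a read hit, changes nothing."""
    out = []
    if c.III >= 1 and c.MII == 0 and c.IMI == 0:                      # r2
        out.append(c._replace(III=0, SIS=c.SIS + 1, IIS=c.IIS + c.III - 1))
    if c.III >= 1 and c.MII >= 1:                                     # r3
        out.append(c._replace(III=0, SIS=c.SIS + 1, MII=c.MII - 1,
                              OIS=c.OIS + 1, IIS=c.IIS + c.III - 1))
    if c.III >= 1 and c.IMI >= 1:                                     # r4
        out.append(c._replace(III=0, SIS=c.SIS + 1, IMI=c.IMI - 1,
                              IOS=c.IOS + 1, IIS=c.IIS + c.III - 1))
    if c.IIS >= 1:                                                    # r5
        out.append(c._replace(IIS=c.IIS - 1, SIS=c.SIS + 1))
    if c.IMI >= 1:                                                    # r6
        out.append(c._replace(MII=c.MII + 1, IMI=c.IMI - 1))
    if c.IOS >= 1:                                                    # r7
        out.append(c._replace(OIS=c.OIS + 1, IOS=c.IOS - 1))
    return out

def violations(c):
    """Numbers of the slide's inconsistency conditions (1)-(3) that c satisfies."""
    checks = {1: c.OIS >= 1 and c.MII >= 1,
              2: c.OIS >= 2,
              3: c.IIS >= 1 and c.IMI >= 1}
    return [k for k, hit in checks.items() if hit]

def explore(seeds):
    """Breadth-first reachability: (reachable set, {config: violated conditions})."""
    seen, queue, bad = set(seeds), deque(seeds), {}
    while queue:
        c = queue.popleft()
        hits = violations(c)
        if hits:
            bad[c] = hits
        for n in read_successors(c):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen, bad

def seeds_for(n):
    """Constructed start configurations (assumption): all invalid, or one dirty copy."""
    return [Cfg(n, 0, 0, 0, 0, 0, 0),          # every node in III
            Cfg(n - 1, 0, 0, 1, 0, 0, 0),      # one node in MII, rest III
            Cfg(n - 1, 0, 0, 0, 1, 0, 0)]      # one node in IMI, rest III
```

Calling `explore(seeds_for(4))` returns an empty violation map; a seed that already holds two MII copies is flagged under condition (1) after one (r3) step, which confirms the checks are not vacuous.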
Verification using SMV
- SMV is an intermediate formal verification tool.
- To avoid state explosion, SMV uses OBDDs (ordered binary decision diagrams) to check that finite-state systems satisfy specifications given in CTL
- Protocols that have been proven by SMV: Gigamax, Futurebus+, FLASH
Modeling SPS2 using SMV

ASSIGN
  init(state) := III;
  next(state) :=
    case
      CMD=none:
        case
          ...
          1: state;
        esac;
      master:
        case
          CMD=gets:
            case
              state=III: SIS;
              1: any;
            esac;
          CMD=read:
            case
              state=IIS: SIS;
              state=IOS: OIS;
              state=IMI: MII;
              state in {SIS, MII, OIS}: state;
              1: any;
            esac;
          ...
Verification using SMV
For data integrity
- AG (p1.shared → p2.shared)
- AG (p1.state=SIS & p2.state=SIS → p1.data = p2.data)
- AG (p1.state=OIS & p2.state=IIS → p1.data = p2.data)
For liveness
- AG EF p1.state=OIS or AG EF p1.state=MII or
  AG EF p1.state=SIS or
  AG EF p1.readable or AG EF p1.writable
Conclusion
- SPS2 takes advantage of the low latency of L2P and the high capacity of L2S.
- The newly proposed state graph is used for the description and verification of SPS2
- Using two formal verification methods, the functional correctness of SPS2 is proven
Thanks, any questions are appreciated!
Simulation Result

Simulator: GEMS + SIMICS
[Figures: Runtime, Bus traffic and Off-chip access for the Private, Shared and SPS2 configurations across LUN, LUC, FFT, RAD, WAS, WAN, OCE, BAR, CHO and AVE.]