

#### Adopts ISA-Formal On High-End Out-Of-Order Execute RISC-V Cores

HUANG YU-TSE, WU SHENG-JHAN, HSIAO YUNG-CHING









Golden Instruction model

Formal properties

#### Conclusion







## What's an ISA-Formal?

- ISA-Formal
  - An end-to-end framework to verify the core conform to the Instruction-Set Architecture (ISA) spec.
  - bounded model checking (BMC) to explore different sequences of instructions.
- Pros and Cons

Pros

- Single Instruction
  - Error in decode
  - Error in data path
- Multiple Instruction
  - Errors in forwarding logic
  - Errors in register renaming and OoO execution
  - Errors in exception trigger

#### SYSTEMS INITIATIVE

2024/9/10

#### Cons

- FP computation
- Mul/Div operation
- Vector operation
- Crypto operation



## **ISA** view

- In the ISA view, instructions are seen in a very straightforward manner
- Instruction is considered a state transformation function.



• E.g. ADDI x2, x1, 10

 $\begin{array}{c} ADDI \ x2, x1, \ 10 \\ State_0 \qquad \longrightarrow \qquad State_1 \end{array}$ 

 $State_1.x2 = State_0.x1+10$ 





# **ISA-Formal Key Component**

- Golden instruction Model
  - Calculate the expected result.
  - Must be synthesizable.
- Pipeline follower
  - Collect necessary CPU information for building architectural state.
  - Determine when to activate Instruction model and check.
- Formal Properties
  - Assertion properties to verify the instruction result correctness.
    - E.g. when an addi instruction retired implies GPRs of DUT should be same to GPRs of architectural state.
  - Constraint properties to remove unsolvable scenarios in ISA-Formal.
    - E.g. asynchronous interrupts.





### **ISA-Formal Overview**







## Structure of CPU state

- General purpose registers(GPRs)
- Floating point registers
- Vector registers
- Control and status registers(CSRs)
- Privilege
- Virtual mode
- Trap





## **Pipeline-Follower**

What do we need for IF verifying ISA architecture?

- Instruction opcode
- State before the instruction execution(pre\_state)
- State after the instruction execution by DUT(post\_state)







## OoO CPU state abstraction

- Decode and Register rename stage
  - Collect instruction operand information
    - Rd, Rs1, Rs2, Immediate value
  - Map the logic register to physical register.
  - Mark Instruction with instruction id.
- Formal Reorder Buffer (FROB)
  - Ensure the instruction committed in order.
  - Observe issued instruction status.
    - Instruction age
    - completed
    - committed
    - Trap
    - Physical register index

| ROB field | Note                  |  |
|-----------|-----------------------|--|
| completed | Instruction complete  |  |
| commited  | Instruction committed |  |





## **OoO** Pipeline-Follower





2024/9/10



2024

DVCUV

## **OoO Pipeline-Follower**





2024/9/10



## **OoO Pipeline-Follower**



We don't care about pipeline execution.

We only need to observe the write-back value and the required register values.

State<sub>n</sub>(pre state): Observed Register value in Physical register file(PRF)

State $_{n+1}$ (post state): Observed register committed write back value.





2024

DVCUN

### **ISA-Formal Overview**







## **Golden Instruction model**

• ADDI Instruction model by handwriting

| 3120  | 1915 | 1412 | 117 | 60      |
|-------|------|------|-----|---------|
| imm12 | rs1  | 000  | rd  | 0010011 |

assign ADDI\_retiring = ( instr & 32'h707F ) == 32'h13; assign ADDI\_result = preState.GPR[instr[19:15]] + instr[31:20]; assign ADDI\_rd = instr[11:7];

assert property (@(posedge clk) disable iff (~reset\_n)
ADDI\_retiring |-> (ADDI\_result == postState.GPR[ADDI\_rd]))







## **Golden Instruction model**

- How to efficiently generate enormous amount instructions?
  - Utilized the existed open-source Sail-riscv project to transform the Sail specifications into Verilog, creating an accurate instruction model.







## Sail

- A language for defining the instruction-set architecture semantics.
  - engineer-friendly
  - Numerous type system

```
type xlen : Int = 64
type xlen_bytes : Int = 8
type xlenbits = bits(xlen)
```

```
register PC : xlenbits
register nextPC : xlenbits

register Xs : vector(32, dec, xlenbits)
val rX : regbits -> xlenbits
function rX(r) =
   match r {
        Ob00000 => EXTZ(0x0),
        _ => Xs[unsigned(r)]
    }
```

- Given a Sail ISA specification, the tool can:
  - Conduct type-check
  - · Generate executable emulators in C or Ocaml
  - Generate a reference ISA model in SystemVerilog





## Sail-riscv

- Formal specification of the RISC-V architecture, written in Sail.
- This project Specifies RISC-V ratified extensions in detail.
  - Instruction behavior
  - Control and status registers
  - General purpose registers
  - Machine Privilege
  - Virtual address translation
  - Parameterized over platform-specific options





#### Sail-riscv

#### Abstract syntax tree

```
union clause ast = ITYPE : (bits(12), regbits, regbits, iop)
/* the encode/decode mapping between AST elements and 32-bit words */
mapping encdec_iop : iop <-> bits(3) = {
   RISCV_ADDI <-> 0b000,
   RISCV_SLTI <-> 0b010,
   RISCV_SLTIU <-> 0b011,
   RISCV_SLTIU <-> 0b011,
   RISCV_ORI <-> 0b110,
   RISCV_ORI <-> 0b100
```

#### Encoding/Decoding

```
mapping clause encdec = ITYPE(imm, rs1, rd, op)
<-> imm @ rs1 @ encdec_iop(op) @ rd @ 0b0010011
```

/\* the execution semantics for the ITYPE instructions \*/

```
function clause execute (ITYPE (imm, rs1, rd, op)) = {
  let rs1_val = X(rs1);
  let immext : xlenbits = EXTS(imm);
  let result : xlenbits = match op {
    RISCV_ADDI => rs1_val + immext,
    RISCV_SLTI => EXTZ(rs1_val <_s immext),
    RISCV_SLTIU => EXTZ(rs1_val <_u immext),
    RISCV_SLTIU => rs1_val & immext,
    RISCV_ORI => rs1_val & immext,
    RISCV_XORI => rs1_val ^ immext
  };
  X(rd) = result;
  true Instruction semantic
```



## Sail to SystemVerilog

Transform formal specification to Combinational SystemVerilog.







## Sail to SystemVerilog

• Transform formal specification to Combinational SystemVerilog.

| <pre>function automatic t_Retired execute_ITYPE(bit [11:0] imm, bit [4:0] rs1, bit [4:0] rd, t_iop op);</pre> |               |
|---------------------------------------------------------------------------------------------------------------|---------------|
| t_Retired sail_return;                                                                                        | 4             |
| <pre>bit goto_case_4035 = 1'h0;<br/>bit acts_case_4035 = 4'h0;</pre>                                          | 4             |
| <pre>bit goto_case_4036 = 1'h0; bit goto_case_4037 = 4'h0;</pre>                                              |               |
| <pre>bit goto_case_4037 = 1'h0;</pre>                                                                         |               |
| bit goto_case_4038 = 1'h0;<br>bit goto_case_4039 = 1'h0; Control flow                                         | 4             |
|                                                                                                               |               |
| bit goto case 4040 = 1'h0:<br>bit goto finish match 4034 = 1'h0:                                              | 4             |
|                                                                                                               | 4             |
| $zz48199 = rX_bits(rs1);$                                                                                     | 4             |
| zz48218 = 65'b000000000000000000000000000000000000                                                            | ADDI comontic |
|                                                                                                               | ADDI semantic |
| <pre>zz48220 = sign_extend(zz48218, zz48219);<br/>==40200 = (==40220 hits)[(2:0];</pre>                       | 4             |
| <pre>zz48200 = {zz48220.bits}[63:0];</pre>                                                                    | 4             |
| if (RISCV_ADDI != op) begin                                                                                   | 4             |
| <pre>goto_case_4035 = 1'h1;</pre>                                                                             | 4             |
| end else begin                                                                                                | 4             |
| goto_case_4035 = 1'h0;                                                                                        | 4             |
| end;                                                                                                          | 4             |
| if (!goto_case_4035) begin                                                                                    | 4             |
| zz48203 = zz48199 + zz48200;                                                                                  | 4             |
| end;                                                                                                          |               |
| if (!goto_case_4035) begin                                                                                    | 4             |
| <pre>goto_finish_match_4034 = 1'h1;<br/>end;</pre>                                                            | 4             |
| /* case 4035 */                                                                                               | 4             |
| if (!goto_finish_match_4034) begin                                                                            | 4             |
| if (RISCV_SLTI != op) begin                                                                                   | 4             |
| goto case 4036 = 1'h1;                                                                                        | 4             |
| end else begin                                                                                                | 4             |
| cite begin                                                                                                    |               |





## Sail to SystemVerilog

• Transform formal specification to Combinational SystemVerilog.







21

### Instruction model

After the code generation, we can activate the ISA model by

- 1.Input an instruction opcode.
- 2. Decode instruction to AST.
- 3. Execute the AST semantic body.

```
always comb begin
   // Input instruction
if (|instruction) begin
    // Initialize the Instruction with pre_state.
    set_cpu_state(cpu_state);
     // Decode and execute instruction by sail-riscv function.
2.
    inst ast = ext decode(instruction);
3
    result = execute(inst ast);
    // Get n+1 state(Arch state)
    arch cpu state = get cpu state(cpu state);
  end
end
```





### **ISA-Formal Overview**







## **Formal properties**

- ALU instruction
  - Instruction successfully retired
    - post\_state.GPRs == architectural state.GPRs







## **Formal properties**

- Load/Store instruction
  - Memory system abstraction
    - Oracle address
    - Oracle data
  - Instruction successfully retired and access oracle memory
    - post state == architectural state
    - memory data == oracle data
- Constrain Async Interrupt event not happen.
  - E.g. assume mip[meip] == 0
- Complexity reduction
  - Black-box MMU, DCache, ICache, BTB





## Conclusion

- Check instruction functionality:
  - mathematical prove the core conform to the RISC-V ISA Spec
  - Identifies design errors early in the development process, reducing the cost and effort required to fix them later.
- Check uArch functionality:
  - In CPU pipeline, instruction done based on forwarding(speculative state)
  - In Formal model, instruction done based on register file.(committed arch state)
  - Effective at finding bugs in the datapath, pipeline control, forwarding/stall logic involving complex sequences of instructions.





## Q&A

- Contact
  - Stanley, <u>likey714@andestech.com</u>
  - SJ, shewu677@andestech.com
  - Yung-Ching, <u>ychsiao@andestech.com</u>



2024