## From Hardware Designs to TLA+ Specifications for Timing Analysis of Real-Time Systems

Samira Ait Bensaid,<sup>1</sup> Mihail Asavoae,<sup>1</sup> Mathieu Jan,<sup>1</sup> Farhat Thabet<sup>1</sup>

<sup>1</sup>Université Paris-Saclay, CEA-List, Palaiseau, France

TLA+ Community Event 2023 April 22



#### Context and Motivation

- 2 Automatic Construction of Abstract Pipeline Models
- **3** Formal TLA+ Specification of Abstract Pipeline Model
- 4 Formal Verification of Timing Anomalies
- **5** Conclusion and Future Work

#### Context and Motivation

• Safety critical systems: ensure temporal correctness, estimate Worst-Case Execution Time (WCET)



## Formal Verification of Timing Properties Workflow

**Goal:** Generating hardware **architecture models** for **formal verification** of timing properties

- Automation construction of pipeline models
- Timing properties: timing predictability



#### Challenges

- How to construct the formal pipeline models
- How to formally verify timing properties [AHJ18]

Samira Ait Bensaid (April 22, 2023)



#### **2** Automatic Construction of Abstract Pipeline Models

#### **3** Formal TLA+ Specification of Abstract Pipeline Model

- I Formal Verification of Timing Anomalies
- **5** Conclusion and Future Work

Automatic Construction of Abstract Pipeline

# Automated Construction of Abstract Pipeline Models for Timing Analysis



## Case Study: RISC-V Rocket Processor



#### Automatic Construction of Abstract Pipeline

Model

#### Register Analysis over Rocket Processor



## Register Assignment over Rocket Processor

- Register assignment: assign registers to their pipeline stages
  - Assign fetch stage to PC counter register: to\_stage(PC) = 1
  - Assign other registers:
    - Case 1: Register dependencies
    - Linear case: one source connection for the register to assign (wb\_reg\_pc)
    - Max: several sources connected to the register to assign (ex\_reg\_pc)
    - Case 2: Heuristic «When condition», assign registers of the same condition context in the same stage





## Register Assignment Result

• Results of a subset of registers linked to the PC register: registers assigned in their pipeline stages



• Pipeline depth: 6 stages



**2** Automatic Construction of Abstract Pipeline Models

#### **3** Formal TLA+ Specification of Abstract Pipeline Model

- I Formal Verification of Timing Anomalies
- **5** Conclusion and Future Work

Formal TLA+ Specification of Abstract Pipeline

### Specification TLA+: Datapath Formal Model

• Spec  $\triangleq$  Init  $\land$  [][Next]\_ << Variables >>



Formal TLA+ Specification of Abstract Pipeline

## Specification TLA+: Formal Control Logics

- Control logics address signals that ensure
  - Flow in pipeline stages: instructions patterns
  - Pipeline status: stall, bypass ...



Formal TLA+ Specification of Abstract Pipeline

## Rocket Processor: TLA+ Specification Model

#### • Next $\triangleq$ PipNext $\lor$ PipStall





- 2 Automatic Construction of Abstract Pipeline Models
- **3** Formal TLA+ Specification of Abstract Pipeline Model
- **4** Formal Verification of Timing Anomalies



### Timing Anomalies Intuition

- Timing anomalies complicates the WCET analysis
- Timing anomalies detection needs two variations of the same program execution (same sequence of instructions)



→ Formal TLA+ timing anomalies modeling requires:

- Formal Model: HW/SW
- Variability Notions: local/global
- Two Program Traces

Samira Ait Bensaid (April 22, 2023) Formal Verification

## Timing Anomalies TLA+ Specification



- State Variable: asi =  $[\text{delta}|->[n\in 1..2|->0], \\ \text{ET}|->[n\in 1..2|->0],$
- Extended Pipeline Specification: Next ≜ PipNext ∨ PipStall ∨ Reload ∨ Other
- Property:  $\sim$  (asi.delta[1] < asi.delta[2]  $\land$  asi.ET[1] > asi.ET[2])

## TLA+ Program Specification

- Local variations: set of instruction latencies in execute stage (latency)
- Extended asi variable: asi = pcid|-> Program.did, pathid|-> Program.fst

Rocket Timing Anomalies : TLA+ Program

$$\begin{array}{l} \mbox{Program} <- \mbox{ [ fst } |-> \mbox{ ( pc } |-> 1, \mbox{ type } |-> \mbox{"lw-RR", latency } |-> \mbox{ \{8,10\}}], \\ \mbox{ [ pc } |-> 2, \mbox{ type } |-> \mbox{"add-RR", latency } |-> \mbox{ \{1,2\} ]}, \\ \mbox{ [ pc } |-> 3, \mbox{ type } |-> \mbox{"bne-RR", latency } |-> \mbox{ \{5,8\}}] ] \end{tabular}, \end{array}$$

$$\begin{array}{l} {\rm snd} \mid -> & ({\rm pc} \mid -> 1, {\rm type} \mid -> "{\rm lw-RR}", {\rm latency} \mid -> \{ {\rm 8,10} \} ], \\ & ({\rm pc} \mid -> 2, {\rm type} \mid -> "{\rm add-RR}", {\rm latency} \mid -> \{ {\rm 4,3} \} ], \\ & ({\rm pc} \mid -> 3, {\rm type} \mid -> "{\rm bne-RR}", {\rm latency} \mid -> \{ {\rm 5,8} \} ] ] \\ \end{array} \right) ,$$

did |-> 2]

#### Rocket Processor: Encoding of Timing Anomalies



TLA+ Community Event 2023 20/23

#### Rocket Processor: Timing Anomalies Verification Results

- Cycle = 21
- asi = [delta |-> «1, 3», ET |-> «25, 21»]



- 2 Automatic Construction of Abstract Pipeline Models
- **3** Formal TLA+ Specification of Abstract Pipeline Model
- I Formal Verification of Timing Anomalies



### Conclusion and Future Work

#### Contributions

- Workflow to formally verify timing properties
- Automatic generation of datapath pipeline model of RISC-V Chisel-based processors
- Generate the TLA+ formal model from abstract pipeline model
- Integrate the TLA+ formal model into the formal detection of timing anomalies procedure with TLC model checker

#### On going work

- Apply the workflow on other RISC-V processors for timing analysis
- Add several functional units on pipeline models to extend the detection of timing anomalies analysis

## References I

[AHJ18] Mihail Asavoae, Belgacem Ben Hedia, and Mathieu Jan. "Formal Executable Models for Automatic Detection of Timing Anomalies". In: WCET 2018. Vol. 63. 2018, 2:1–2:13.

- [Ben+22a] Samira Ait Bensaid et al. "Deriving Pipeline Models for Timing Analysis from High-Level HDL Processor Designs". In: *MEMOCODE*. Submitted. 2022.
- [Ben+22b] Samira Ait Bensaid et al. "Work in Progress: Automatic Construction of Pipeline Datapaths from High-Level HDL Code". In: *RTAS-BP*. To appear. 2022.
- [Bin+20] Benjamin Binder et al. "Scalable Detection of Amplification Timing Anomalies for the Superscalar TriCore Architecture". In: *FMICS*. 2020.
- [Sam+22] Benjamin Binder Samira Ait Bensaid et al. "Formal Processor Modeling for Analyzing Safety and Security Properties". In: *ERTS*. To appear. 2022.