# A talk from your pal Andrew!!!

yeah!!!!!!

Gator: Toward a Correct Technology Mapper

### Hardware Compilation First, what does a software compiler do?

// TODO @(bsaiki): andrew, do we need this? int add\_some\_stuff() { a = 1;b = 2; c = 3; return (a + b) & c;}

High-level source code

movq %rdi, \$1 movq %rsi, \$2 movq %rdx, \$3 addq %rdi, %rsi andq %rax, %rdx

Low-level implementation,

expressed as a series of assembly instructions

### Hardware Compilation What does a hardware compiler do?

module my\_design
 (input a,
 input b,
 input c,
 output out);
 assign out = (a + b) & c;
endmodule

High-level design fragment

module my\_design
 (input a,
 input b,
 input c,
 output out);
 wire mid;
 adder a0(.a = a, .b = b, .o = mid);
 ander a1(.a = mid, .b = c, .o = out);
endmodule

Low-level implementation, expressed as hardware primitives

### Hardware Compilation What does a hardware compiler do?

module my\_design
 (input a,
 input b,
 input c,
 output out);
 assign out = (a + b) & c;
endmodule

High-level design fragment



Low-level implementation, expressed as **a picture on a rock** 

### **Primitives are complex!** LUT4

- 4-bit truth table
- Has state: internal memory





# **Primitives are complex!** DSP48E2

- Common use cases:
  - barrel shifting
  - SIMD operations
  - (a + b) \* c & d
- Can be pipelined for 3 cycles



\*These signals are dedicated routing paths internal to the DSP48E2 column. They are not accessible via general-purpose routing resources.

X16752-042617



### **Primitives are complex!** What can the DSP48E2 actually do?

man ou, under au and a condition underen provouvouro, provout a underenant increase in challenge for technology mappers [6]. The UltraScale+ DSP48E2 has over 100 ports and parameters, and the manual that explains how to configure them properly is over 75 pages long [10]. The large number of ports and parameters is due to the fact that these primitives









### What does it mean for a primitive to be correct? How do we know a DSP configuration is correct?

- If the DSP is configured correctly, then for some time t, it should:
  - compute the correct result on time t, which is true if
  - it had correct state on time (t 1), which is true if:
  - it had correct state on time (t 2), which is true if:
  - it had correct state on time (t 3), which is true if:
  - ... shoot!



### What does it mean for a primitive to be correct? How do we know a DSP configuration is correct?

- If the DSP is configured correctly, then for some time t, it should:
  - compute the correct result on time t, which is true if
  - it had correct state on time (t 1), which is true if:
  - it had correct state on time (t 2), which is true if:
  - it had correct state on time (t 3), which is true if:
  - ... shoot! Soluti

# Solution from Vivado: don't provide these correctness guarantees!



# Do correctness guarantees actually matter?

## Verified Compilation in Software

Does this actually matter?

# Verified Compilation in Software



### Finding and Understanding Bugs in C Compilers

Xuejun YangYang ChenEric EideJohn Regehr

University of Utah, School of Computing { jxyang, chenyang, eeide, regehr }@cs.utah.edu



## Verified Compilation in Software

Does this actually matter?



## **Verified Compilation in Hardware**

Does this actually matter?

## **Verified Compilation in Hardware**

Does this actually matter?

### Finding and Understanding Bugs in FPGA Synthesis Tools

Yann Herklotz yann.herklotz15@imperial.ac.uk Imperial College London London, UK



John Wickerson j.wickerson@imperial.ac.uk Imperial College London London, UK

## **Verified Compilation in Hardware**

Does this actually matter?



# **Formally Verified Hardware Compilation**

### Lutsig: A Verified Verilog Compiler for Verified Circuit Development

Andreas Lööw Chalmers University of Technology Gothenburg, Sweden

# **Formally Verified Hardware Compilation**

### Lutsig: A Verified Verilog Compiler for Verified Circuit Development

Andreas Lööw Chalmers University of Technology Gothenburg, Sweden

### "Lutsig's technology mapped output netlists for this class of FPGAs contain <u>only k-LUT (with k ≤ 6) and carry4 cells</u>"



# **Formally Verified Hardware Compilation**

### Lutsig: A Verified Verilog Compiler for Verified Circuit Development

Andreas Lööw Chalmers University of Technology Gothenburg, Sweden



| $\mathbf{\hat{c}}$ | Cak | eML /      | hardv   | ware    |               |            |                 |          |          |          |        |           |
|--------------------|-----|------------|---------|---------|---------------|------------|-----------------|----------|----------|----------|--------|-----------|
| de                 | • I | ssues      | ኒን      | Pull r  | equests       | $\bigcirc$ | Actions         | (!)      | Security | ~        | Insig  | hts       |
|                    |     | <b>)</b> F | nardv   | vare    | Public        |            |                 |          |          |          |        |           |
|                    |     | ا گ        | master  | •       | ះ <b>5</b> Br | anche      | s 🟷 <b>0</b> Ta | ags      |          |          |        | Q G       |
|                    |     | =          | Andr    | easLo   | ow Mani       | ual mei    | rge of rev      | viving w | ord extr | act su   | oport, | thanks    |
|                    |     |            | ag32    |         |               |            |                 |          |          | openth   | eory r | eader o   |
|                    |     |            | compi   | ler     |               |            |                 |          |          | handle   | index  | ing and   |
|                    |     |            | examp   | oles    |               |            |                 |          |          | More c   | leanu  | o: newT   |
|                    |     |            | misc    |         |               |            |                 |          |          | Reorga   | nizati | on (mo    |
|                    |     |            | transla | ator    |               |            |                 |          |          | Manua    | l merg | e of rev  |
|                    |     |            | veriloç | ]       |               |            |                 |          |          | handle   | index  | ing and   |
|                    |     |            | verilog | g_pars  | er            |            |                 |          |          | Lutsig   | v2     |           |
|                    |     | Ľ          | .gitign | ore     |               |            |                 |          |          | Lutsig   | v2     |           |
|                    |     | Ľ          | .holpa  | th      |               |            |                 |          |          | Add .he  | olpath |           |
|                    |     | Ľ          | LICEN   | SE      |               |            |                 |          |          | BSD 3-   | claus  | e licens  |
|                    |     | Ľ          | READI   | ME.md   | I             |            |                 |          |          | More c   | leanu  | o: newT   |
|                    |     | Ľ          | hardw   | areMis  | scScript.s    | sml        |                 |          |          | Lutsig   | v2     |           |
|                    |     |            | hardw   | arePre  | eamble.sr     | nl         |                 |          |          | Lutsig   | v2     |           |
|                    |     | ß          | oracle  | Script  | .sml          |            |                 |          |          | Lutsig   | v1     |           |
|                    |     | C          | sumE>   | ktraSci | ript.sml      |            |                 |          |          | Lutsig   | v2     |           |
|                    |     | Ľ          | words   | ExtraS  | cript.sml     |            |                 |          |          | Split in | to mu  | ltiple di |
|                    |     |            |         |         |               |            |                 |          |          |          |        |           |

|                                          | Q Type 🕖 to search | >_   (+ - ) () ()                                                                       |
|------------------------------------------|--------------------|-----------------------------------------------------------------------------------------|
|                                          | ⊙ Watch 42 👻       | 약 Fork 5 ▼ ☆ Star 23 ▼                                                                  |
| Go to file t Add file                    | - <> Code -        | About                                                                                   |
| ks <b>@j4nk1</b> 8264e60 · last year     | 🕚 117 Commits      | Verilog development and verification project for HOL4                                   |
| r documentation                          | last year          | hardware verilog synthesis                                                              |
| nd slicing for internal inputs           | last year          | formal-methods formal-verification hol                                                  |
| wTranslator -> translator                | 3 years ago        | 印 Readme<br>邳 BSD-3-Clause license                                                      |
| nove around some directories etc.)       | 3 years ago        | -^- Activity                                                                            |
| reviving word extract support, thanks @j | last year          | <ul> <li>E Custom properties</li> <li>☆ 23 stars</li> </ul>                             |
| nd slicing for internal inputs           | last year          | <ul> <li>42 watching</li> </ul>                                                         |
|                                          | 3 years ago        | <b>父 5</b> forks                                                                        |
|                                          | 3 years ago        | Report repository                                                                       |
|                                          | 6 years ago        | Contributors 3                                                                          |
| nse                                      | 6 years ago        | AndreasLoow Andreas Lööw                                                                |
| wTranslator -> translator                | 3 years ago        | xrchz Ramana Kumar                                                                      |
|                                          | 3 years ago        | acjf3                                                                                   |
|                                          | 3 years ago        |                                                                                         |
|                                          | 4 years ago        | Languages                                                                               |
|                                          | 3 years ago        | <ul> <li>Standard ML 94.4%</li> <li>SystemVerilog 2.3%</li> <li>Haskell 1.1%</li> </ul> |
| directories                              | 6 years ago        | <ul> <li>Ruby 0.8%</li> <li>Python 0.7%</li> </ul>                                      |
|                                          |                    | <ul> <li>Verilog 0.6%</li> <li>Makefile 0.1%</li> </ul>                                 |



Q Type // to search

[+ - ][O][II]

>\_ |





### If a hardware compiler is **extensible**, support for additional primitives can be added with little user effort.

### If a hardware compiler is **extensible**, support for additional primitives can be added with little user effort.

In general, hardware compilers aren't extensible!

- $\bullet$ hardware primitives.
- Lakeroad reasons about what a primitive can do through automatic

Lakeroad uses program synthesis to map high-level designs to low-level

- lacksquarehardware primitives.
- Lakeroad reasons about what a primitive can do through automatic
- If someone wants to support a new DSP, they've got to:

Lakeroad uses program synthesis to map high-level designs to low-level

- hardware primitives.
- Lakeroad reasons about what a primitive can do through automatic
- If someone wants to support a new DSP, they've got to:
  - Download the simulation model

Lakeroad uses program synthesis to map high-level designs to low-level

- hardware primitives.
- Lakeroad reasons about what a primitive can do through automatic
- If someone wants to support a new DSP, they've got to:
  - Download the simulation model
  - Write a short sketch

Lakeroad uses program synthesis to map high-level designs to low-level



- hardware primitives.
- Lakeroad reasons about what a primitive can do through automatic
- What does the workflow of Lakeroad actually look like?

Lakeroad uses program synthesis to map high-level designs to low-level



### Lakeroad's Compilation Flow





## 1. Download the simulation model









# 1. Download the simulation model





I can add and multiply!





# 1. Download the simulation model









### 2. Set up a sketch

(a + b)



## **3. Lakeroad's synthesis query:**

def impl(a, b, t): return a + b

def sketch(a, b, t): return a (+ or \*) b

assert (forall a, b, impl(a, b, 1) == sketch(a, b, 1) and impl(a, b, 2) == sketch(a, b, 2)











## Lakeroad's correctness guarantees

- Lakeroad's program synthesis query does a "bounded model synthesis" where correctness for the first few cycles is formally guaranteed.
- ...but this doesn't account for all the other cycles!
- Lakeroad provides some guarantees for correctness, but not full guarantees.

assert (forall a impl(a, b, 1) =impl(a, b, 2) == sketch(a, b, 2)

# A Survey of Hardware Compilers

Lakeroad











# **A Survey of Hardware Compilers**

Lakeroad









7





# A Survey of Hardware Compilers

Lakeroad











### The Gator<sup>TM</sup> Project<sup>TM</sup> ©:

- Goal: a hardware compiler which is **correct** and **extensible**.

What if we modify Lakeroad's synthesis query so that it's correct for all time?

### $\forall i : spec(i,1) = impl(i,1) \land spec(i,2) = impl(i,2)$

 $\forall i, t : t > init \rightarrow spec(i, t) = impl(i, t)$ 

Demo Time! (maybe)

Thank you!!