Design and analysis of SIC: a provably timing-predictable pipelined processor core

Abstract

We introduce the strictly in-order core (SIC), a timing-predictable pipelined processor core. SIC is provably timing compositional and free of timing anomalies. This enables precise and efficient worst-case execution time (WCET) and multi-core timing analysis. SIC’s key underlying property is the monotonicity of its transition relation w.r.t. a natural partial order on its microarchitectural states. This monotonicity is achieved by carefully eliminating some of the dependencies between consecutive instructions from a standard in-order pipeline design. We present a formal proof framework based on satisfiability modulo theories that is able to automatically verify SIC’s timing predictability. SIC preserves most of the benefits of pipelining: it is only about 6–7% slower than a conventional non-strict in-order pipelined processor. Its timing predictability enables orders-of-magnitude faster WCET and multi-core timing analysis than conventional designs.

Appendix: Proof of monotonicity

Here, we provide the proofs for the lemmas stated in the main section that can all be proven by case distinction of the cycle behavior relation.

In the process of proving monotonicity of the strictly in-order pipeline, we use the following, rather technical lemma.

Lemma 3

(Update enable) Let a, b be two configurations. Furthermore, let \(i \in {\mathcal {I}}\) be an instruction with equal progress in a and b\((a(i) = b(i))\) and all previous instruction \(j < i\) have progressed more in a than b\((a(j) \sqsupseteq _{\mathcal {P}}b(j))\). For any given valuation of the free variables in ready, if b advances to the next pipeline stage, a advances as well:

$$\begin{aligned} b.\textit{ready}(i)&\Rightarrow a.\textit{ready}(i)\\ b.\textit{willbefree}(b.\textit{stage}'(i))&\Rightarrow a.\textit{willbefree}(b.\textit{stage}'(i)) \end{aligned}$$

Proof

\({\underline{ready}}\)

Let \(b.\textit{ready}(i)\). There are two cases. In the first case, \(b.\textit{stage}(i) = MEM \) and \( opc (i) = store \). As \(a(i) = b(i)\), it follows that \(a.\textit{stage}(i) = MEM \) and thus \(a.\textit{ready}(i)\). In the second case, we have \(b.\textit{cnt}(i) = 0\) and by \(a(i) = b(i)\) also \(a.\textit{cnt}(i) = 0\). For all pipeline stages except pre, \( ID \) and \( EX \) this is sufficient to conclude \(a.\textit{ready}(i)\). We prove the claim for \( EX \), \( ID \) and pre each by contradiction.

• For stage \( EX \), \(\lnot a.\textit{ready}(i)\) implies that i is either a store instruction or a load instruction that misses the data cache, while a store is pending. If \(a. stpending (i)\), there is a store instruction \(j < i\) with \(a(j) \sqsubset _{\mathcal {P}}( ST ,0)\). By assumption, we know that \(a(j) \sqsupseteq _{\mathcal {P}}b(j)\). By transitivity, \(b(j) \sqsubset _{\mathcal {P}}( ST ,0)\) and thus \(b. stpending (i)\). It follows, that \(\lnot b.\textit{ready}(i)\) which is a contradiction.

• For stage \( ID \), \(\lnot a.\textit{ready}(i)\) requires an operand hazard \( ophaz (i)\). This means, there is a load instruction \(j < i\) with \(a(j) \sqsubset _{\mathcal {P}}( MEM , 0)\) that writes our operand. By \(a(j) \sqsupseteq _{\mathcal {P}}b(j)\), we conclude that \(b(j) \sqsubset _{\mathcal {P}}( MEM , 0)\), i.e. there is an operand hazard in b. This contradicts \(b.\textit{ready}(i)\).

• For stage pre, \(\lnot a.\textit{ready}(i)\) requires either \( brpending (i)\), \( mempending (i) \wedge \lnot ichit (i)\), or \(\lnot \textit{next}(i)\). In all three cases an argument analogous to \( ophaz \) applies. If there is a branch j pending in a, j is also a pending branch in b as \(a(j) \sqsupseteq _{\mathcal {P}}b(j)\). If there is an older instruction \(j < i\) to be fetched next, j is also in the pre stage in b and is to be fetched next in b. If a memory operation j is pending in a, j is also a pending memory operation in b as \(a(j) \sqsupseteq _{\mathcal {P}}b(j)\). Thus, if any of the three expressions above evaluates to true for a, it also evaluates to true for b resulting in \(\lnot b.\textit{ready}(i)\). This is a contradiction.

This concludes the proof for ready.

\({\underline{willbefree}}\)

Let \(s = b.\textit{stage}'(i)\) and \(b.\textit{willbefree}(s)\). If \(s = post \), \(a.\textit{willbefree}(s)\) follows by definition of \(\textit{willbefree}\). If s is empty in b, i.e. no \(j<i\) is in s, s must also be empty in a since \(a(j) \sqsupseteq _{\mathcal {P}}b(j)\).

Otherwise a \(j<i\) is in s such that \(b.\textit{ready}(j)\) and \(b.\textit{willbefree}(b.\textit{stage}'(j))\). Since \(a(j) \sqsupseteq _{\mathcal {P}}b(j)\), either \(a(j) = b(j)\) or \(a(j) \sqsupset _{\mathcal {P}}b(j)\). In the latter case, j in a is already in a stage further than s and consequently \(a.\textit{willbefree}(s)\) since stage s must be free in a. In the other case, \(a(j) = b(j)\), we can inductively use this Lemma 3 for j which is in a later stage than i. We repeat this argument until we hit either a free stage or stage post. By applying the induction hypothesis, i.e. Lemma 3 for j, we get \(a.\textit{ready}(j)\) and \(a.\textit{willbefree}(b.\textit{stage}'(j))\). This results in \(a.\textit{willbefree}(s)\). \(\square \)

Proof of Lemma 1

The progress of an instruction depends on the progress of other instructions exclusively via \(\textit{ready}\) and \(\textit{willbefree}\). By the proof of Lemma 3, we know that \(\textit{ready}\) and \(\textit{willbefree}\) solely depend on the progress of previous instructions.\(\square \)

Proof of Lemma 2

First, we prove \(c \sqsubseteq cycle (c)\) by case distinction of \( cycle \). We denote \( cycle (c)\) by \(c'\) for short. Let an instruction \(i\in {\mathcal {I}}\) be given. If \(c'(i)\) is stalled, \(c'(i) = c(i)\) and thus \(c(i) \sqsubseteq _{\mathcal {P}}c'(i)\). If \(c'(i)\) reduces the number of remaining cycles, \(c'(i) = (c.\textit{stage}(i), c.\textit{cnt}(i) - 1)\) and thus \(c(i) \sqsubset _{\mathcal {P}}c'(i)\). If \(c'(i)\) advances to the next pipeline stage, \(c.\textit{stage}(i) \sqsubset _{\mathcal {S}} c'.\textit{stage}(i)\) and thus \(c(i) \sqsubset _{\mathcal {P}}c'(i)\).

To prove the strictness of \(c \sqsubset c'\), it is sufficient to show that not every instruction is stalled in the pipeline. We will show that the instruction farthest down the pipeline is not stalled. Let instruction i be the farthest instruction, i.e. all instructions \(j < i\) already left the pipeline. All stages below \(c.\textit{stage}(i)\) are empty, which results in \(\textit{willbefree}(c.\textit{stage}'(i))\). If \(c.\textit{cnt}(i) > 0\), i is not stalled as the number of remaining cycles is reduced. If \(c.\textit{cnt}(i) = 0\), \(c.\textit{ready}(i)\) and thus i would progress to the next stage. Even if the current stage of i is \( EX \), \( ID \), or pre, the readiness of i cannot be prevented from operand hazard or pending branches/memory operations as the pipeline in front of i is empty.\(\square \)

Proof of Theorem 1

Let c, d be given such that \(c \sqsubseteq d\). We need to prove that \( cycle (c) \sqsubseteq cycle (d)\). We denote \( cycle (c)\) by \(c'\) and \( cycle (d)\) by \(d'\) for short.

For every \(i \in {\mathcal {I}}\), we need to show that \(c'(i) \sqsubseteq _{\mathcal {P}}d'(i)\). We distinguish three possible cases of \( cycle \) applied to c: (1) i is stalled, (2) i counts down its remaining cycles, or (3) i advances to the next pipeline stage.

Pipeline stall

If instruction i is stalled in configuration c, we obtain \(c'(i) = c(i)\). By assumption, we know \(c'(i) = c(i) \sqsubseteq _{\mathcal {P}}d(i)\). By Lemma 2, we conclude that \(c'(i) \sqsubseteq _{\mathcal {P}}d'(i)\).

Remaining cycles countdown

If instruction i reduces its remaining cycles in c, we obtain \(c.\textit{stage}(i) = c'.\textit{stage}(i)\) and \(c'.\textit{cnt}(i) = c.\textit{cnt}(i) - 1\). If \(c(i) = d(i)\), by definition of \( cycle \) we obtain \(c'(i) = d'(i)\). Otherwise, \(c(i) \sqsubset _{\mathcal {P}}d(i)\):

• If \(c.\textit{stage}(i) \sqsubset _{\mathcal {S}} d.\textit{stage}(i)\), we conclude by Lemma 2 that \(c'.\textit{stage}(i) \sqsubset _{\mathcal {S}} d'.\textit{stage}(i)\) and so \(c'(i) \sqsubset _{\mathcal {P}}d'(i)\).

• Otherwise \(c.\textit{cnt}(i) > d.\textit{cnt}(i)\).

  • If \(d.\textit{cnt}(i) = 0\), either i advances in the pipeline resulting in \(c'.\textit{stage}(i) \sqsubset _{\mathcal {S}} d'.\textit{stage}(i)\) or i is stalled in d resulting in \(d'.\textit{cnt}(i) = d.\textit{cnt}(i) = 0 \le c.\textit{cnt}(i) - 1 = c'.\textit{cnt}(i)\).

  • If \(d.\textit{cnt}(i) \ne 0\), by definition of \( cycle \) we conclude \(c'.\textit{cnt}(i) = c.\textit{cnt}(i) - 1 < d.\textit{cnt}(i) - 1 = d'.\textit{cnt}(i)\).

Pipeline stage advance

We know that \(c(i) \sqsubseteq _{\mathcal {P}}d(i)\), i.e. either \(c(i) = d(i)\) or \(c(i) \sqsubset _{\mathcal {P}}d(i)\). We consider the case \(c(i) = d(i)\) first. As we are in the pipeline stage advance case, we know \(c.\textit{ready}(i)\) and \(c.\textit{willbefree}(c.\textit{stage}'(i))\). By using Lemma 3, we get \(d.\textit{ready}(i)\) and \(d.\textit{willbefree}(c.\textit{stage}'(i))\). Consequently, we know that i will also advance its pipeline stage in d which results in \(c'.\textit{stage}(i) = d'.\textit{stage}(i)\). In the second case, \(c(i) \sqsubset _{\mathcal {P}}d(i)\), we know \(c.\textit{stage}(i) \sqsubset _{\mathcal {S}} d.\textit{stage}(i)\) since we are in the pipeline stage advance case. By definition of \(\textit{stage}'\), i can at most move to the consecutive stage and thus either \(c'.\textit{stage}(i) \sqsubset _{\mathcal {S}} d'.\textit{stage}(i)\) or \(c'\textit{stage}(i) = d'.\textit{stage}(i)\).

To conclude \(c'(i) \sqsubseteq _{\mathcal {P}}d'(i)\), it remains to be proven that \(c'.\textit{cnt}(i) \ge d'.\textit{cnt}(i)\) if \(c'.\textit{stage}(i) = d'.\textit{stage}(i)\). Immediately after the pipeline advance, \(c'.\textit{cnt}(i)\) is the latency determined by \( latency (i)\) and thus \(d'.\textit{cnt}(i)\) cannot be higher because the number of remaining cycles is never increased during \( cycle \). \(\square \)