TriCheck: Memory Model Verification at the Trisection of Software, Hardware, and ISA

TL;DR

This paper introduces TriCheck, a comprehensive tool for verifying memory consistency models across hardware, software, and ISA layers, ensuring correctness and uncovering issues in RISC-V implementations.

Contribution

The paper presents TriCheck, a novel full-stack verification framework for MCMs, capable of analyzing the entire hardware-software stack for consistency and correctness.

Findings

Identified under-specifications in RISC-V ISA documentation.

Detected 144 forbidden outcomes in RISC-V microarchitecture out of 1701 tests.

Showed the importance of full-stack verification for MCM correctness.

Abstract

Memory consistency models (MCMs) which govern inter-module interactions in a shared memory system, are a significant, yet often under-appreciated, aspect of system design. MCMs are defined at the various layers of the hardware-software stack, requiring thoroughly verified specifications, compilers, and implementations at the interfaces between layers. Current verification techniques evaluate segments of the system stack in isolation, such as proving compiler mappings from a high-level language (HLL) to an ISA or proving validity of a microarchitectural implementation of an ISA. This paper makes a case for full-stack MCM verification and provides a toolflow, TriCheck, capable of verifying that the HLL, compiler, ISA, and implementation collectively uphold MCM requirements. The work showcases TriCheck's ability to evaluate a proposed ISA MCM in order to ensure that each layer and each mapping is correct and complete. Specifically, we apply TriCheck to the open source RISC-V ISA, seeking to verify accurate, efficient, and legal compilations from C11. We uncover under-specifications and potential inefficiencies in the current RISC-V ISA documentation and identify possible solutions for each. As an example, we find that a RISC-V-compliant microarchitecture allows 144 outcomes forbidden by C11 to be observed out of 1,701 litmus tests examined. Overall, this paper demonstrates the necessity of full-stack verification for detecting MCM-related bugs in the hardware-software stack.