(Cite bugs from FCCM submission etc.) % - There exist some workarounds. (Testing the output, formally verifying the output, etc.) % - The time has come to prove the tool itself correct. (Mention success of Compcert and other fully verified tools?) % - We've made some encouraging progress on this front in a prototype tool called Vericert. (Summarise current state of Vericert, and how it compares performance-wise to LegUp.) % - But there's still a long way to go. (List the main things left to do, and how you expect Vericert to compare to LegUp after those things are done.) \begin{abstract} High-level synthesis (HLS) is increasingly being relied upon as the size of designs and needs for hardware accelerators increases. However, HLS is known to be quite flaky with each tool supporting different input languages and sometimes generating incorrect designs. A formally verified HLS tool would solve these issues by dramatically reducing the amount of trusted code, and providing a formal description of the input language that is supported. \end{abstract} %% 2012 ACM Computing Classification System (CSS) concepts %% Generate at 'http://dl.acm.org/ccs/ccs.cfm'. \begin{CCSXML} 10011007.10011006.10011008 Software and its engineering~General programming languages 500 10003456.10003457.10003521.10003525 Social and professional topics~History of programming languages 300 \end{CCSXML} \ccsdesc[500]{Software and its engineering~General programming languages} \ccsdesc[300]{Social and professional topics~History of programming languages} %% End of generated code %% Keywords %% comma separated list \keywords{\compcert{}, Coq, high-level synthesis, C, Verilog} \maketitle \section{Introduction} %\JW{I removed the `All' from the title, as I think that's a bit strong; it also means that the title fit on one line now :).} \renewcommand{\epigraphsize}{\normalsize} \renewcommand{\epigraphflush}{center} \renewcommand{\epigraphrule}{0pt} \epigraph{\textit{High-level synthesis research and development is inherently prone to introducing bugs or regressions in the final circuit functionality.}}{--- Andrew Canis~\cite{canis15_legup}\\Co-founder of LegUp Computing} %\JW{Nice quote; I'd be tempted to tinker with whether it can be formatted a bit more elegantly, like at https://style.mla.org/styling-epigraphs/} Research in high-level synthesis (HLS) often concentrates on performance, trying to achieve the lowest area with the shortest run-time. What is often overlooked is ensuring that the high-level synthesis tool is indeed correct, which means that it outputs a correct hardware design. Instead, the design is often meticulously tested, often using the higher level design as a model. As these tests are performed on the hardware design directly, they have to be run on a simulator, which takes much longer than if the original C was tested. Any formal properties obtained from the C code would also have to be checked again in the resulting design, to ensure that these hold there as well, as the synthesis tool may have translated the input incorrectly. It is often assumed that because current HLS tools should transform the input specification into a semantically equivalent design, such as mentioned in \citet{lahti19_are_we_there_yet}. However, this is not the case, and as with all complex pieces of software there are bugs in HLS tools as well. For example, Vivado HLS was found to incorrectly apply pipelining optimisations\footnote{\url{https://bit.ly/vivado-hls-pipeline-bug}} or generate wrong designs with valid C code as input, but which the HLS tool interprets differently compared to a C compiler, leading to undefined behaviour. These types of bugs are difficult to identify, and exist because firstly it is not quite clear what input these tools support, and secondly if the output design actually behaves the same as the input. The solution to both of these points is to have a formally verified high-level synthesis tool. It not only guarantees that the output is correct, but also brings a formal specification of the input and output language semantics. These are the only parts of the compiler that need to be trusted, and if these are well-specified, then the behaviour of the resulting design can be fully trusted. In addition to that, if the semantics of the input semantics are taken from a tool that is widely trusted already, then there should not be any strange behaviour; the resultant design will either behave exactly like the input specification, or the translation will fail early at compile time. \section{How to prove an HLS tool correct} The standard methods for checking the outputs of the HLS tools are the following. First, the output could be checked by using a test bench and checking the outputs against the model. However, this does not provide many guarantees, as many edge cases may never be tested. Second, if testing is not rigorous enough, there has been research on checking that the generated hardware design has the same functionality as the input design, where the focus is on creating translation validators~\cite{pnueli98_trans} to prove the equivalence between the design and input code, while supporting various optimisations such as scheduling~\cite{kim04_autom_fsmd,karfa06_formal_verif_method_sched_high_synth,chouksey20_verif_sched_condit_behav_high_level_synth} or code motion~\cite{banerjee14_verif_code_motion_techn_using_value_propag,chouksey19_trans_valid_code_motion_trans_invol_loops}. However, these aren't perfect solutions either, as there is no guarantee that these proofs really compose with each other. This means that an equivalence checker normally needs to work for the all of the translations that the HLS tool might perform, increasing the chances that it cannot check for equivalence anymore. The radical solution to this problem is to formally verify the complete tool, writing the complete tool in Coq~\cite{coquand86}, an interactive theorem prover. This has been proven to be successful, for example, \compcert{}~\cite{leroy09_formal_verif_realis_compil} is a formally verified C compiler written in Coq. The reliability of formal verification in Coq was demonstrated by CSmith~\cite{yang11_findin_under_bugs_c_compil}, a random C, valid C generator, which found more than 300 bugs in GCC and Clang, whereas only 5 bugs were found in the unverified parts of \compcert{}, which prompted the verification of those parts as well. In addition to that, recently Lutsig~\cite{loow21_lutsig}, a synthesis tool going from behavioural Verilog to a technology mapped netlist in Verilog, was also proven correct. \subsection{Will this not take too long?} One might argue that developing a formally verified tool in a theorem prover and proving correctness theorems about it might be too tedious and take too long. However, we have already been developed our own verified HLS tool called \vericert{}~\cite{herklotz21_formal_verif_high_level_synth} based on \compcert{}, adding a Verilog back end to the compiler. We currently have a completely verified translation from a large subset of C into Verilog, which fullfills the minimum requirements for an HLS tool. We found that it normally takes $5\times$ or $10\times$ longer to prove a translation correct compared to writing the algorithm. However, this could be seen as being worth it, as proving the correctness of the HLS tool proves the absence of any bugs according to the language semantics, meaning much less time spent on fixing bugs. In addition to that, even though simple testing would still be required to check the tool does indeed perform simple translations, and generates performant designs, these test benches would not have to cover every single edge case. \subsection{Current testing techniques are enough} Another argument against building a verified HLS tool is that current testing techniques for these tools are good enough. There are many internal test benches that ensure the correctness of the HLS tool, as well as equivalence checkers to ensure that the final design behaves the same as the input. \section{Guarantees of trusted code} There are a couple of theorems one can prove about the HLS tool once it is written in Coq. The first, which is the most important one, is that transforming the C code into Verilog is semantics preserving, meaning the translated code will behave the same as the C code. The following backward simulation, as initially presented in \compcert{}, shows the main property that we should want to show: \begin{equation*} \forall C, V, B \in \texttt{Safe},\, \yhfunction{hls} (C) = \yhconstant{OK} (V) \land V \Downarrow B \implies C \Downarrow B. \end{equation*} \noindent Given a \textit{safe} behaviour $B$, meaning it does not contain undefined behaviour, we want to show that if the translation from C to Verilog succeeded, that executing the Verilog program with that behaviour implies that the C code will execute with the same behaviour. However, there are also assumptions that have to be made about the tool. In the case of \vericert{}, the only assumption that needs to be made is if the C semantics and Verilog semantics can be trusted. This is much simpler than checking that the translation algorithm is implemented properly. Using that assumption, the proofs ensure that the translation preserves the behaviour and doesn't need to be trusted. Trusting the Verilog semantics is not that easy, since it is not quite clear which semantics to take. Verilog can either be simulated or synthesised into hardware, and has different semantics based on how it is used. We therefore use existing Verilog semantics by \citet{loow19_proof_trans_veril_devel_hol}, which are designed to only model a small part of the semantics, while ensuring that the behaviour for synthesis and simulation stays the same. \section{Performance of such a tool} Finally, it is interesting to compare the performance of \vericert{} compared to existing HLS tools, to see how correctness guarantees affect the size and speed of the final hardware. This was done on a common compiler benchmark called PolyBench/C~\cite{polybench}. \section{Improvements to \vericert{}} There are many optimisations that need to be added to \vericert{} to turn it into a viable and competitive HLS tool. First of all, the most important addition is a good scheduling implementation, which supports operation chaining and properly pipelining operators. Our main focus is trying to implement scheduling based on system of difference constraint~\cite{cong06_sdc}, which is the same algorithm which \legup{} uses. We have currently implemented the scheduling algorithm, as well as a simple verifier for the translation, but are missing the semantic preservation proofs that the verifier should produce. The main idea used to prove the scheduling correct, is to split it up into multiple stages. The first stage of the translation will turn basic blocks into a parallel basic block representation, whereas the second stage will schedule these parallel basic blocks. \section{Conclusion} In conclusion, we have shown that a verified HLS tool could achieve similar performance to an existing unverified HLS tool, while guaranteeing that the output is always correct.