diff options
| author | Yann Herklotz <git@yannherklotz.com> | 2020-06-09 11:03:43 +0100 |
|---|---|---|
| committer | Yann Herklotz <git@yannherklotz.com> | 2020-06-09 11:03:43 +0100 |
| commit | 28a71bb6ee259d6492f479814984dbd4260e94d6 (patch) | |
| tree | eacb3ca62035908293c095398aeb50754518dba0 /main.tex | |
| parent | 493692233b50ae4ae7efe9074e9dc24c0dbc8fcc (diff) | |
| download | oopsla21_fvhls-28a71bb6ee259d6492f479814984dbd4260e94d6.tar.gz oopsla21_fvhls-28a71bb6ee259d6492f479814984dbd4260e94d6.zip | |
Add introduction to verification in HLS
Diffstat (limited to 'main.tex')
| -rw-r--r-- | main.tex | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -181,10 +181,14 @@ However, the fact that the behaviour is preserved after HLS cannot be guaranteed %% Current work in formal verification of HLS -Therefore, work is being done to prove the equivalence between the generated hardware and the original behavioural description in C. An example of a tool that implements this is Mentor's Catapult~\cite{mentor20_catap_high_level_synth}, which tries to match the states in the register transfer level (RTL) description to states in the original C code after an unverified translation. This has also been the approach that is taken by +Therefore, work is being done to prove the equivalence between the generated hardware and the original behavioural description in C. An example of a tool that implements this is Mentor's Catapult~\cite{mentor20_catap_high_level_synth}, which tries to match the states in the register transfer level (RTL) description to states in the original C code after an unverified translation. This technique is called translation validation~\cite{pnueli98_trans}, whereby the translation that the HLS tool performed is proven to have been correct for that input, by showing that they behave in the same way for all possible inputs. Using translation validation is quite effective for proving complex optimisations such as scheduling~\cite{kim04_autom_fsmd,karfa06_formal_verif_method_sched_high_synth,chouksey20_verif_sched_condit_behav_high_level_synth} or code motion~\cite{banerjee14_verif_code_motion_techn_using_value_propag,chouksey19_trans_valid_code_motion_trans_invol_loops}, however, the validation has to be run every time the high-level synthesis is performed. In addition to that, the proofs are often not mechanised or directly related to the actual implementation, meaning the verifying algorithm might be wrong and could give false positives or false negatives. + +CompCert~\cite{leroy06_formal_certif_compil_back_end} is a C compiler that has been written and formally verified in the Coq theorem prover~\cite{bertot04_inter_theor_provin_progr_devel}. First of all, most of the proofs in CompCert have been formally verified directly, meaning that once the compiler is built, the proofs can be erased as the algorithm has been shown to be correct independent of the input. However, some optimisations in CompCert have also been proven using translation validation~\cite{tristan08_formal_verif_trans_valid}, in which case the proof still happens at runtime. The difference is that in this case, the verifier itself is actually formally verified in Coq and is therefore proven that it will only ever say that the input and output are equivalent if that is actually the case. %% Contributions of paper +Using CompCert, we can therefore build a fully verified high-level synthesis tool written in Coq + \section{Background} \subsection{Verilog} |