Abstract
High-level synthesis (HLS), which refers to the automatic compilation of software into hardware, is rapidly gaining popularity. In a world increasingly reliant on application-specific hardware accelerators, HLS promises hardware designs of comparable performance and energy efficiency to those coded by hand in a hardware description language such as Verilog, while maintaining the convenience and the rich ecosystem of software development. However, current HLS tools cannot always guarantee that the hardware designs they produce are equivalent to the software they were given, thus undermining any reasoning conducted at the software level. Furthermore, there is mounting evidence that existing HLS tools are quite unreliable, sometimes generating wrong hardware or crashing when given valid inputs. To address this problem, we present the first HLS tool that is mechanically verified to preserve the behaviour of its input software. Our tool, called Vericert, extends the CompCert verified C compiler with a new hardware-oriented intermediate language and a Verilog back end, and has been proven correct in Coq. Vericert supports most C constructs, including all integer operations, function calls, local arrays, structs, unions, and general control-flow statements. An evaluation on the PolyBench/C benchmark suite indicates that Vericert generates hardware that is around an order of magnitude slower (only around 2× slower in the absence of division) and about the same size as hardware generated by an existing, optimising (but unverified) HLS tool.
Highlights
Can you trust your high-level synthesis tool? As latency, throughput, and energy efficiency become increasingly important, custom hardware accelerators are being designed for numerous applications.
RQ1: How fast is the hardware generated by Vericert?
RQ2: How area-efficient is the hardware generated by Vericert?
RQ3: How quickly does Vericert translate the C into Verilog?
RQ4: How effective is the correctness theorem in Vericert?
The Verilog that is generated by Vericert or LegUp is provided to Xilinx Vivado v2017.1 [Xilinx 2019], which synthesises it to a netlist, before placing-and-routing this netlist onto a Xilinx XC7Z020 field-programmable gate array (FPGA) device that contains approximately 85000 LUTs.
Summary
Vericert is built by extending the CompCert verified C compiler [Leroy 2009] with a new hardware-specific intermediate language and a Verilog back end. The proof follows standard CompCert techniques (forward simulations, intermediate specifications, and determinism results), but we encountered several challenges peculiar to our hardware-oriented setting. These include handling discrepancies between the byte-addressed memory assumed by the input software and the word-addressed memory that we implement in the output hardware, different handling of unsigned comparisons between C and Verilog, and carefully implementing memory reads and writes so that these behave properly as a RAM in hardware. A snapshot of the Vericert development is available in a Zenodo repository [Herklotz et al. 2021b].