The application for funding from NLnet and the Next Generation Internet initiative from the European Commission, from back in November of last year, has been approved. It means that we have EUR $50,000 to pay for full-time engineering work to be carried out over the next year, and to pay for bounty-style tasks. For the right people, with the right skills, there is money now available.

More plans from our community are in the pipeline. We can apply for additional grants (also up to EUR $50,000). In the next couple of days, we will put in an application for “Formal Mathematical Proofs” of the processor design.

There are several reasons for doing so. The primary one is down to the
fact that we anticipate this (commercial, libre) product to be closely
and independently examined by third parties, to verify for themselves
that it does not contain spying backdoor co-processors, as well as the
usual security and correctness guarantees. If there exist *formal
mathematical proofs* that the processor and its sub-components operate
correctly, that independent third-party verification task is a lot easier.

In addition, it turns out that when writing unit tests, using formal
mathematical proofs makes for *complete* code coverage - far better
than any other "comprehensive" multiple unit test technique could ever
hope to achieve - with less code and not just better accuracy but *100%
provable* accuracy. Additional, much simpler unit tests can then be written
which are more along the lines of "HOWTOs" - examples on how to use the
unit.

This is one of those "epiphany" moments that, as a software engineer of 25 years experience, has me stunned and wondering why on earth this is not more generally and widely deployed in software. The answer I believe is down to the nature of what a processor actually is.

A processor is developed much more along the lines of how functional programming
works. Functional programming can have formal mathematical proofs applied
to it because for any given inputs, the output is *guaranteed* to be the same.
This of course breaks down when the function has "side-effects," such as
reading from a file or accessing other external state outside of the "control"
of the function. And, in the design of a processor, by the very nature
of hardware, you simply cannot create a verilog module that has access to
"files" or to "global variables."

In addition, hardware is based purely on boolean logic, and on if/else
constructs. In essence, then the *entire hardware design* has to be made
according to far simpler rules than "normal" software is expected to conform
to. Even memory accesses in hardware have to be implemented according to
these strict rules (we’re *implementing* LOAD and STORE instructions here,
not *using* those LOAD and STORE instructions).

Consequently, adding in formal proofs is a little bit easier, brings
huge benefits as well in terms of code readability, reliability, and
time-cost savings, and has the crucial advantage of being aligned with
the overall privacy goal *and* with NLnet’s funding remit.

The past few months have seen a *lot* of activity. The IEEE754 ADD unit
has been completed, both as a finite state machine (FSM) and as a fully
pipelined design, both of which have parameters that allow them to do
FP16, FP32 or FP64. The DIV unit has been implemented as an FSM, and
will stay that way for now. MUL has been completed, however needs to
be turned into an FMAC (three operands: multiply and accumulate).

A provisional pipeline API has been developed, which the IEEE754 FPU is using. It includes data "funneling" (multiplexing) blocks that allow for the creation of what Mitch Alsup calls a "concurrent computation unit." It’s basically an array of matched operand latches and result latches (as input and output, respectively), in front of a single pipeline. This arrangement allows a batch of operations to be presented to the CDC6600-style "dependency matrices."

Jacob has been working on a fascinating design: a dynamically partitionable adder and multiplier unit. Given that we are doing a vector processing front-end onto SIMD back-end operations, it makes sense to save gates by allowing the ADD and MUL units to be able to optionally handle a batch of 8-bit operations, or half the number of 16-bit operations, or a quarter of the number of 32-bit operations, or one eighth of the number of 64-bit operations. In this way, many fewer gates are required than if they were separate units. The unit tests demonstrate that the code Jacob has written provide RISC-V mul, mulh, mulhu and mulhsu functionality.

The augmented 6600 scoreboard took literally six weeks to correctly implement read-after-write and write-after-read hazards. It required extraordinary and excruciating patience to get right. Adding in write-after-write, however, only took two days, as the infrastructure to do so had already been developed.

Currently being implemented is "branch shadowing" - this is not the
same as branch *prediction* - that is a different algorithm which,
when *combined* with "branch shadowing," provides the feature known as
branch *speculation*. This is the source of a lot of confusion about
out-of-order (OoO) designs in general. It seems to be assumed that an
OoO design *has* to have branch speculation: it doesn’t. It’s just
that, given all the pieces, adding in branch speculation is actually
quite straightforward, and provides such a high-performance increase
that it is hard to justify leaving it out.

One huge surprise came out of a recent discussion with Mitch Alsup. It has been assumed all along that turning this design from a single-issue to multi-issue would be difficult, or require significant gates and latency to do so. The "simple" approach to do multi-issue, using the dependency matrices, would be to analyse a batch of instructions, and if there are no overlaps (no registers in common), allow that batch to proceed in parallel. This is a naive approach.

Mitch pointed out that in his work on the AMD Opteron (the processor
family that AMD had to publish "Intel equivalent" speed numbers for,
because it was so much more efficient and effective than Intel’s designs)
each instruction "accumulated" the dependencies of all prior instructions
being issued in the same batch. This works because read and write
dependencies are *transitive* (whenever a -> b and b -> c then a -> c).

What that means, in practical terms, is that we have a way to create a design that could, if ramped up, take on the big boys. To make that clear: there’s no technical barrier that would prevent us from creating a quad issue (or higher) design.

There is still a heck of a lot to get done. However, it has to be said that actually adding an instruction decoder onto the 6600-style dependency matrices is relatively straightforward, this being RISC, after all. It is possible, then, that we may have a subset of functionality operational far sooner than anticipated.