First

mm
40
40
60
80
100
120
22. Introduction to Formal Verification

J. A. Abraham
60
Department
of Electrical and Computer Engineering

The University of Texas at Austin
80
EE 360R Computer-Aided IC Design

Fall 2011
ECE Department, University of Texas at Austin
November 14, 2011

Lecture 22. Introduction to Formal Verification
J. A. Abraham, November 14, 2011
1 / 43
Verification in the Design Cycle

mm
40
60
40
60
80
100
120
Implementation Verification: For

all feasible inputs the behavior of
the circuit is consistent with the
behavior required by the
specification
Design Verification: For all
feasible inputs the design has a
number of properties required by
the specification
80
Current formal verification techniques focused on functional

verification
1 / 43
Formal Verification Approaches

Theorem Proving: Relationship between a specification and
40
60
80
100
an implementation
is regarded
as a theorem
in a logic,
to be 120
proved within the framework of a proof calculus
mm
Used for verifying arithmetic circuits in industry
Model Checking: The specification is in the form of a logic

40
formula,
the truth of which is determined with respect to a
semantic model provided by an implementation
Starting to be used to check small modules in industry
Equivalence Checking: The equivalence of a specification and

an
60 implementation checked
Most common industry use of formal verification
Symbolic Trajectory Evaluation: Properties specified as

assertions about circuit state (pre- and post- conditions),
verified using symbolic simulation
80
Used to verify embedded memories in industry
2 / 43
Equivalence Checking
mm
40
60
80
100
120
Most common technique of formal verification used in

industry today
40
Typically, gate-level compared with RTL
Canonical representations, such as Binary Decision Diagrams

(BDDs), or Satisfiability Solvers used for the comparison
60
Boolean equivalence checking is NP-complete

Multipliers require an exponential number of BDD nodes
Commercial tools available from many vendors
80
3 / 43
Equivalence Checking
Validate that the implementation of a module is consistent
with the specification
mm
40
60
80
Can use simulation or formal techniques
Combinational or sequential modules
100
120
Example: Specification in RTL

40
module mux(input s, d0, d1,
output y);
assign y = s ? d1 : d0;
endmodule
60
Example: Implementation at the gate level
80
4 / 43
Decision Tree for A B C

mm
40
60
80
100
120
40
60
80
5 / 43
Reduced, Ordered BDD (ROBDD)

mm
40
60
80
100
120
40
60
F =ABC
Reduced, Ordered BDDs (ROBDDs) are canonical
80
Can represent sets of states, state-transition relations, etc.

Structure and complexity of ROBDDs for Symmetric Functions?
6 / 43
Example of ROBDD Reduction

mm
40
60
80
100
120
40
60
80
7 / 43
Impact of BDD Variable Ordering

f (x1 , x2 , . . . , x8 ) = x1 x2 + x3 x4 + x5 x6 + x7 x8
Ordering : x1 < x3 < x5 < x7 < x2 < x4 < x6 < x8
mm
40
60
80
100
120
Figure modified
from Wikipedia
40
60
80
8 / 43
Impact of BDD Variable Ordering, Contd

f (x1 , x2 , . . . , x8 ) = x1 x2 + x3 x4 + x5 x6 + x7 x8
Ordering : x1 < x2 < x3 < x4 < x5 < x6 < x7 < x8
mm
40
60
80
100
120
Figure modified
from Wikipedia
40
60
80
9 / 43
Satisfiability (SAT) Solvers

mm
40
60
80
100
120
Can a Boolean Function be Satisfied?

Cast an equivalence checking problem as a SAT problem
Starts by converting Boolean formula into the Conjunctive
Normal
Form (CNF) (product of sums)
40
(a + b + c)(a + e + f )(c + d + g). . .
Goal is to find an assignment satisfying every term (if any
clause is 0, there is no satisfying assignment)
60
Commercial and Open SAT solvers available

Most verification tools now use BDDs + SAT
Some bring in ATPG ideas called structural SAT
80
10 / 43
Truth Table to CNF

mm
40
60
80
100
120
Put negation of formula in DNF

For each 0 or F row in table, make a term equivalent to
the corresponding assignment
Negate
the disjunction of the terms
40
By DeMorgans Law, switch AND and OR, and complement

literals
Example: Express x y (x y + x y) in CNF

60
Two terms for 0: x=1, y=0 and x=0, y=1

= function is 0 when xy + xy
CNF is: (x + y)(x + y)
80
11 / 43
Circuit to CNF
mm
40
60
80
100
d (a + b)
e (c.d)
Clauses: 40
(a + b + d)
(a + d)
(b + d)
Clauses:
(c + d + e)
(d + e)
(c + e)
120
60
80
12 / 43
Use of ATPG for Equivalence Checking

Use a tool (Automatic Test Pattern Generator) which
generates manufacturing
tests
mm
40
60
80
100
120
Detecting a stuck-at-0 fault at Y (requires an input which
generates a 1 on Y) will prove inequivalence of the two circuits
Approach is not memory limited (like BDDs)
40
60
80
13 / 43
Functional Partitioning
If F1 and F2 are never true at the same time, then 1 and 2
form orthogonal partitions
mm
40
60
80
100
F1 and F2 can be evaluated and ordered independently

Many functions, which otherwise would take an exponential
amount of resources for verification, can be verified efficiently
(in polynomial time) using orthogonal partitions
40
Example, the Fortune-Hopcroft-Schmidt (FHS) function
120
60
80
14 / 43
Term Rewriting for Arithmetic Circuit Checking

RTL Term-Level reductions
mm
40arithmetic 60
80 RTL level100
Verification of
circuits at the
using term 120
rewriting
RTL to RTL equivalence checking
Verified large multiplier designs like Booth, Wallace Tree and
40
many optimized multipliers using this rewriting technique
VERIFIRE
Dedicated Arithmetic Circuit Checker
60
Vtrans: Translates Verilog designs to Term Rewriting Systems

Vprover: Proves equivalence of Term Rewriting Systems
80
Iterative engine
Returns error trace if proof not found
Maintains an expanding rule base for expression minimization
Incomplete, but efficient, engine
15 / 43
RTL Equivalence Using TRSs

mm
40
60
80
100
120
40
60
80
16 / 43
Results on Multipliers
mm
40
60
80
100
120
Different sizes of Wallace Tree Multipliers (Verilog RTL) compared

with a simple Golden Multiplier (Verilog RTL) of the same size
Compare Verifire against Commercial Tools
40
Wallace Tree
4x4
8x8
16x16
60
32x32
64x64
Verifire
14s
18s
25s
40s
60s
Commercial Tool 1
10s
18s
unfinished
unfinished
unfinished
Commercial Tool 2
9s
16s
unfinished
unfinished
unfinished
80
17 / 43
Application of Theorem Proving

mm
40
60
80
100
120
ACL2 used at AMD to formally verify FPUs

First used by Moore et al. to check the proof of correctness of
40 Kernel of the AMD 5k86 floating point division algorithm
the
Used to verify the RTL of K7 FPU
60
RTL primitives logical operations on bit vectors

Developed theory to prove RTL correct with respect to more
abstract IEEE standard
Theorem proving requires high degree of expertise
80
18 / 43
Symbolic Simulation
mm
40
60
80
100
120
Equivalence checking between RTL and circuit schematics is

difficult for some circuits (e.g., custom arrays)
40
Critical timing and self-timed control logic

Large number of bit-cells
Inherently complex sequential logic blocks
Dynamic logic
Traditional tools fail on such circuits

60
Very large state space, too many initial state/input sequences

for simulation-based tools
Boolean equivalence tools only check static cones of logic, do
not capture dynamic behavior
80
19 / 43
Example: Custom Control for Custom Array Structures

mm
40
60
80
100
120
40
60
OUT
pulse fans out to array READ/WRITE control signals
80
Equivalence checking does not work
20 / 43
Scalar Simulation
To prove that the circuit is a NAND gate, exhaustive simulation
n
requires
mm 2 vectors
40
60
80
100
120
40
60 Antecedent
A
A
A
80 A
=
=
=
=
0
0
1
1
(t0,t1)
(t0,t1)
(t0,t1)
(t0,t1)
and
and
and
and
B
B
B
B
=
=
=
=
0
1
0
1
(t0,t1)
(t0,t1)
(t0,t1)
(t0,t1)
Consequent
C is 1 (t1,t2)
C is 1 (t1,t2)
C is 1 (t1,t2)
C is 0 (t1,t2)
Table could be viewed as: Antecedent = Consequent

21 / 43
Ternary Simulation
Using three values (0, 1, X), N-input NAND requires N+1 vectors
mm
40
60
80
100
120
to verify
40
60
Antecedent
A = 0 (t0,t1) and B = X
A = X and B = 0 (t0,t1)
80 A = 1 (t0,t1) and B = 1 (t0,t1)
Consequent
C is 1 (t1,t2)
C is 1 (t1,t2)
C is 0 (t1,t2)
22 / 43
Symbolic Simulation
Exhaustive
Verification:
N-input
1 vector
mm
40
60 NAND requires
80
100 and N
variables
120
40
60
Antecedent: A = a(t0,t1) and B = b(t0,t1)

(a and b are Boolean variables)
80
Consequent:
C = [ (a AND b)](t1,t2)
23 / 43
Symbolic Trajectory Evaluation

VERSYS symbolic trajectory evaluation tool developed at
Motorola/Freescale
mm
40
60
80
Based on VOSS (from CMU/UBC)
100
120
Trajectory formulas
Boolean expressions with the temporal next-time operator
Ternary values states represented by a Boolean encoding
40
Properties
of type: Antecedent = Consequent
Antecedent, Consequent are trajectory formulas
Antecedent sets up stimulus, state of the circuit
Consequent specifies constraint on the state sequence
Used
to verify PowerPC arrays at Motorola/Freescale in 8
60
10% of the design time
Bugs found during array equivalence checking
80
Incorrect clock regenerators feeding latches

Control logic errors in READ/WRITE enables
Violation of one-hot property assumptions
Scan chain hookup errors
Potential circuit-related problems such as glitches and races
24 / 43
Design Verification
Digital systems similar to reactive programs
Digital systems receive inputs and produce outputs in a
mm
40
60
80
100
120
continuous interaction with their environment
Behavior of digital systems is concurrent because each gate in
the system simultaneously evaluating its output as a function
of its inputs
40
Check Properties of Design

Since specification is usually not formal, check design for
properties that would be consistent with the specification
60
Safety
something bad will never happen
Liveness Property: something good will eventually happen

Temporal Logic and variations commonly used to specify
properties
80
Example: Linear Temporal Logic (LTL) or Computation Tree

Logic (CTL)
25 / 43
Example of Computation Tree

mmlight controller
40
Traffic
60
80
100
120
40
60
80
26 / 43
Operators
Referring to paths
A: For every path
mm E: There40
exists a path 60
80
100
120
Referring to states on a path

G: Globally
F: In the future (eventually)
Examples
40
EF p: there is some path on which p is eventually true

AG p: for every path, at every state, p is true
EF60Y
(True)
EG R
(True)
80
AG(R+G)
(False)
27 / 43
Use of ATPG to Check Properties

This moves verification of the design to the same level as the
models used 40
to generate manufacturing
physical 120
mm
60
80 test of the
100
chip
Using ATPG allows the verification engine to deal with
tri-state signals, multiple clocks, etc.
40
60
Bounded Model Checking: Prove properties for a limited number

80
of cycles
The logic gate can be replaced by a state machine to check
properties on sequences of states
28 / 43
Model Checking on IBM Power 4

mm
40
60
80
100
120
Functional formal verification (equivalence checking and

model checking) on 40 design components (IU, FPU,
control, memory, etc.)
40
Found more than 200 design flaws at various stages and of

varying complexity
At least one bug was found by almost every application of
formal
verification
60
Estimate: 15% of bugs would have evaded simulation
Some of the bugs literally escaped 1-2 years of simulation
80
29 / 43
Synopsys Magellan
A Hybrid Verification Tool
Functional verification
tool
mm
40
60
80
100
120
Static formal mathematical techniques

Dynamic random simulation
Test properties specified in systhesizable System Verilog
40
Assertions
60
80
30 / 43
Magellan Flow
mm
40
60
80
100
120
40
60
80
31 / 43
Specifying Properties in Industry Tools: System Verilog

Assertions (SVA)
Used for both40simulation 60
monitoring and
mm
80 formal verification
100
120
Examples of assertion languages include Vera (Synopsys),

Sugar (IBM), Property Specification Language (PSL, Accelera
consortium), System Verilog Assertions (SVA)
SVA 40
Assertions: Predicates placed in program
Immediate and Concurrent Assertions
assert,
assume, cover, expect constructs
60
Immediate Assertions
assert (a == b);
80
Concurrent Assertions
assert property (@(posedge clk) req | ack);
32 / 43
Dealing with State Explosion

Verification is a very difficult problem
mm
40
60
80 problems
100
Even combinational
equivalence
checking
(ATPG,
120
SAT) are NP-complete

Checking sequential properties is only possible for small
designs
40
Additional
problem of generating correct wrappers for the
module being verified
How can we deal with the complexity?

60
Use more powerful computers?
Computers double in capability (assuming we can program
multi-core processors) every couple of years
Adding one state variable to a design doubles its states
80
Exploit
hierarchy in the design
Develop powerful abstractions

33 / 43
Program Slicing
mm
40
60
80
100
120
A Slice of a Design
Represents behavior of the design with respect to a given set
of
40 variables (or slicing criterion)
Proposed for use in software in 1984 (Weiser)
Slice generated by a control/data flow analysis of the program
code
60
Slicing
is done on the structure of the design, so scales well
Static analysis
80
34 / 43
Antecedent Conditioned Slicing

mm
40
60
80
100
120
40
60
80
35 / 43
Example of Antecedent Conditioned Slicing I

mm
40
60
80
100
120
40
60
80
36 / 43
Example of Antecedent Conditioned Slicing II

mm
40
60
80
100
120
40
60
80
37 / 43
Experiments with Antecedent Conditioned Slicing

mm
40
60
80
100
120
USB 2.0 Function Core

Verilog
implementation from www.opencores.org
40
Properties from specification document
Safety properties expressed in LTL (G(a = c))
Verification engine: Cadence-BMC (bound of 2450 steps)
60
80
38 / 43
Example USB Properties

G((crc5err (match) = (send token))
mm
40
60
80
100
If a packet with a bad CRC5 is received, or there is an endpoint

field mismatch, the token is ignored
120
G((state == SP EED N EG F S) = X((mode hs)

40
(T 1 gt 3 0ms) = (next state == RES SU SP EN D))
If the machine is in the speed negotiation state, then in the next
clock cycle, if it is in high speed mode for more than 3 ms, it will
go to the suspend state
60
G((state == RESU M E W AIT ) (idle cnt clr) =

F (state == N ORM AL))
If the80machine is waiting to resume operation and a counter is set,
eventually (after 100 mS) it will return to normal operation
39 / 43
Results on Temporal USB Properties

CPUmm
seconds, on 40
a 450 MHz dual
with100
I GB RAM 120
60 UltraSPARC-II
80
40
60
80
40 / 43
Verification of Processors Using Antecedent Conditioned

Slicing
mm
40
60
80
100
120
Verification of single-instruction issue, multi-stage pipelined

processors
40
Properties
are at the Instruction level (not for an internal
block in the design)
Antecedent conditioned slicing provides an automatic

decomposition strategy
60
Individual instruction machines

Verified all the instructions of the OR1200 embedded
processor (www.opencores.org)
80
41 / 43
Single Instruction Verification

mm
40
60
80
100
120
40
60
80
42 / 43
Results of OR1200 Verification

CPUmm
seconds, 3GHz
4 processor with
40 Pentium 60
80 1 GB RAM
100
120
SMV would not even compile the design without slicing

Instruction
Class
40
LSU
LSU
LSU
SHF/ROT
60
SHF/ROT
SHF/ROT
SPRS
SPRS
80
Instruction
l.ld
l.lws
l.sd
l.sll
l.srl
l.ror
l.mfspr
l.mtspr
SMV time
(seconds)
35.85
33.91
38.32
26.81
27.83
27.83
226.97
212.27
Memory Usage
(KB)
29104
28873
30941
23771
23771
26919
50696
48627
43 / 43

First

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

First

Загружено:

Авторское право:

Доступные форматы

mm

22. Introduction to Formal Verification

of Electrical and Computer Engineering

EE 360R Computer-Aided IC Design

ECE Department, University of Texas at Austin

November 14, 2011

J. A. Abraham, November 14, 2011

Verification in the Design Cycle

Implementation Verification: For

Current formal verification techniques focused on functional

Formal Verification Approaches

Used for verifying arithmetic circuits in industry

Model Checking: The specification is in the form of a logic

Equivalence Checking: The equivalence of a specification and

Symbolic Trajectory Evaluation: Properties specified as

Used to verify embedded memories in industry

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Most common technique of formal verification used in

Typically, gate-level compared with RTL

Canonical representations, such as Binary Decision Diagrams

Boolean equivalence checking is NP-complete

Commercial tools available from many vendors

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Example: Specification in RTL

Example: Implementation at the gate level

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Decision Tree for A B C

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Reduced, Ordered BDD (ROBDD)

Can represent sets of states, state-transition relations, etc.

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Example of ROBDD Reduction

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Impact of BDD Variable Ordering

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Impact of BDD Variable Ordering, Contd

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Satisfiability (SAT) Solvers

Can a Boolean Function be Satisfied?

Commercial and Open SAT solvers available

ECE Department, University of Texas at Austin

Lecture 22. Introduction to Formal Verification

J. A. Abraham, November 14, 2011

Truth Table to CNF

Put negation of formula in DNF

By DeMorgans Law, switch AND and OR, and complement

Example: Express x y (x y + x y) in CNF

Two terms for 0: x=1, y=0 and x=0, y=1

ECE Department, University of Texas at Austin