Академический Документы
Профессиональный Документы
Культура Документы
Motivation
Pentium SRT Division Bug : $0.5 billion loss to Intel
Mercury Space Probe : Veered off course due to a
failure to implement distance measurement in correct
units.
Ariane-5 Flight 501 failure : Internal sw exception
during data conversion from 64 bit floating point to 16
bit signed integer value led to mission failure.
The corresponding exception handling mechanism
contributed to the processor being shutdown (This was
part of the system specification).
Verification Hierarchy
Higher-Order Theorem Proving
Coverage/
Expressive
Power
Equivalence Checking of
structurally similar circuits
Simulation
Degree of Automation
Component Selection
ASIC & Software Implementation
Glue Logic Implementation
PCB Layout Implementation
Integration & Validation of Software into System
Debugging
Board - Manufacturing & Test
Implications on Verification
[Mosensoson, DesignCon 2000]
Verification Focus
Integration Verification & Complexity.
Bug Classes
Interactions between IP/Core/VC blocks
Conflicts in accessing shared resources
Deadlocks & Arbitration
Priority conflicts in exception handling
Unexpected HW/SW sequencing
Implications on Verification
Need to capture complexity of an SoC into an
executable verification environment
Automation of all verification activities
Reusability of verification components of unit
Cores/IPs/VCs
Abstraction of verification goals (Eg., Signals to
Transcations, End to End Transactions)
Checkers for internal properties
Interface Monitors (BFM, Integration Monitors)
Coverage monitors
Implications on Verification
Implication
Rigorous verification of each individual SoC
component seperately
Extensive verification of full system
Requirements
Efficient Verification Methodologies
Efficient Tools
High Level of Automation
System Verification
RTL/logic Synthesis
Modify Script
Timing Analysis
NOT OK
OK
Generic Parameters
Validate
Validate
Instantiation
Cycle Accurate Behavior
Fixed Parameters
Fixed Parameters
High/RT-Level Synthesis
Gate-Level
Gate-Level
(Small)
(Large Design)
Chip
Logic Synthesis
Chip
Validate
Techniques for
Module Verification
Formal Verification
Formal Methods
Functional verification
SOC context: block level verification, IP Blocks and
bus protocols
Formally check a formal model of a block against
its formal specification
Formal - Mathematical, precise, unambiguous,
rigorous
Static analysis
No test vectors
Exhaustive verification
Prove absence of bugs rather than their presence
Subtle bugs lying deep inside caught
Three-step process
Formal specification
Models
Flexible to model general to specific designs
Non-determinism, concurrency, fairness,
Transition systems, automata
Formal verification
Major techniques
Equivalence checking
Model checking
Language containment
Theorem proving
Model
Spec
Logic
Tr. Systems/
Automata
Model Checking
Automata/ Tr.
Systems
Lang. Containment
Obs. Equivalence
Logic
Th. Proving
Eq. Checking
EQUIVALENCE CHECKING
Model checking/Language
Containment
Another promising automatic technique
Checking design models against specifications
Specifications are temporal properties and
environment constraints
Design models are automata or HDL subsets
Checking is automatic and bug traces
Very effective for control-intensive designs
Commercial and Academic tools: FormalCheck
(Cadence), BlackTie (Verplex), VIS (UCB),
SMV(CMU, Cadence), Spin (Bell labs.), etc.
In-house tools: IBM (Rulebase), Intel, SUN, Fujitsu
(Bingo), etc.
Theorem proving
Systems verified
Various microprocessors (instruction level
verification):
DLX pipelined architectures, AAMP5 (avionics
applications), FM9001 (32 bit processor), PowerPC
Verification
by
Theorem Proving
Theorem Proving
Classical technique
Most general and powerful
non-automatic (in general)
Idea
Properties specified in a Logical Language
(SPEC)
System behavior also in the same language
(DES)
Establish (DES SPEC) as a theorem.
A Logical System
A language defining constants, functions and
predicates
A no. of axioms expressing properties of the
constants, function, types, etc.
Inference Rules
A Theorem
`follows' from axioms by application of
inference rules has a proof
Proof
Syntactic object
A1, A2, . . . , An
A1: axiom instance
An: theorem
Ai+1 - Syntactically obtainable from
A1, . . . , Ai using inference rules.
Examples
Full Adder
sum := (x y) cin
cout := (x y) ((x y) cin)
Theorem: sum = x + y + cin 2 * cout
Proof : Use properties of boolean and arithmetic
operators.
Combinational Equivalence
Checking
Design 2
Alternatively
Design 1
Design 2
F
Designs functionally equivalent
if and only if F is identical to 0
(0 for all inputs)
B1
A2
B2
A1
B1
A2
B2
Internal
signals
Design 2
Method of Implication
Derive set of internal signals that must be not
equivalent if out1 out2 is satisfiable
Propagate implications back towards inputs
Stop when
Primary inputs reached
Two primary inputs never equivalent
So, out1 out2 is satisfiable
Method of Implication
Stop when
Internal signals reached are known to be equivalent
Conclude out1 out2 is unsatisfiable
So, out1 is equivalent to out2
Structural Simplifications
Once two internal signals are found
equivalent, the circuit can be simplified
Suppose outputs of corresponding AND gates are
equivalent
Random simulation
More pairs
to verify?
CEP list
NO
YES
Verify pair, update VEP list
and CEP list,
Restructure circuit
End
CEP: Candidate
equivalent
pairs
VEP: Verified
equivalent
pairs
Some Observations
Most non-equivalent pairs filtered by random
simulation
Equivalent pairs identified early by proper choice of
internal variables when propagating implications
backwards
If pair under investigation is expressed in terms of already
known equivalent pairs, we are done!
Comb
Logic2
FF
FF
Given Equivalence
x1
X0
x0
Model
State transition graph
defined by
X0 = NOT(x0)
X1 = XOR(x1, x0)
X2 = XOR(x2, x0. x1)
Property
State x0, x1, x2 = 111
is reached infinitely
often starting from
state 000
Basic Approaches
Explicit state model checking
Requires explicit enumeration of states
Impractical for circuits with large state spaces
Useful tools exist: EMC, Murphi, SPIN, SMC
Model Checking
Reachability analysis
Find all states reachable from an initial set S0 of
states
Check if a safety condition is violated in any
reachable state
BDD:
1
x0
Forward Reachability
Start from set S0 of states
Set of states reachable in at most 1 step:
S1 = S0 { X | x in S0 N(x, X) = 1}
S1
S0
Forward Reachability
Compute S1 from S0, S2 from S1, S3 from S2,
Predicate transformer F: Si+1 = F (Si)
Backward Reachability
Give a set Z0 of states
Compute set of states from which some state in Z0
can be reached.
Analogous to forward reachability with minor
modifications
Z0
S0
R
Z
Forward Reachability
Z
Backward Reachability
CTL Properties
Once req goes high, grant eventually goes high
Not expressible as safety property
More on CTL
EG f, EF f, EX f, E [f U g] defined similarly
There exists a path from current state
f and g can themselves be CTL formulae
E.g., AG AF (x1 x2)
x1 or x2 is satisfied infinitely often in the future
Iterative squaring
Exponential reduction in number of steps to fixed point
Related techniques
Model checking for bugs
Prioritize state space search to direct it
towards bugs
Start from error state and current state
Compute pre-image of error states & image of current
state
Choose states for further expansion in order of their
proximity to pre-image of error states
Proximity metrics: Hamming distance, tracks,
guideposts *Yang, Dill 98+
Helps find bugs in erroneous circuits quickly
No advantages if circuit is bug-free
Related techniques
Approximate Model Checking
Representing exact state sets may involve large
BDDs
Compute approximations to reachable states
Potentially smaller representation
Over-approximation :
No bugs found
Circuit verified correct
Bugs found may be real or false
Reachable states
Under-approximation :
Bug found
Real bug
No bugs found Circuit may still contain bugs
Buggy states
Related techniques
Bounded model checking
Check property within k steps from given set S0 of
states
S0 F(S0)
F2(S0)
Fk(S0)
Unroll sequential machine for k time steps
PI
PO
PS
NS
PI0
S0
S1
S2
S3
Semi-formal Methods
Semi-formal Verification
Formal verification still a bottleneck
Simulation and emulation not keeping up with
design complexity
Designs with bugs being produced
FV methods havent yet been able to scale to all
types of industry designs
Fundamental complexity limits restrict how much
FV can do