Introduction To Formal Verification

VLSI Design, Fall 2015
Introduction to Formal Verification
mm
40
40
60
80
100
120
22. Introduction to Formal Verification

J. A. Abraham
60
Department
of Electrical and Computer Engineering

The University of Texas at Austin
VLSI Design
Fall 2015
80
November 16, 2015

ECE Department, University of Texas at Austin
Lecture 22. Introduction to Formal Verification
J. A. Abraham, November 16, 2015
1 / 48
Verification in the Design Cycle

mm
40
60
40
60
80
100
120
Implementation Verification: For

all feasible inputs the behavior of
the circuit is consistent with the
behavior required by the
specification
Design Verification: For all
feasible inputs the design has a
number of properties required by
the specification
80
Current formal verification techniques focused on functional

verification
1 / 48
Department of Electrical and Computer Engineering, The University of Texas at Austin


Formal Verification Approaches

Theorem Proving: Relationship between a specification and
40
60
80
100
an implementation
is regarded
as a theorem
in a logic,
to be 120
proved within the framework of a proof calculus
mm
Used for verifying arithmetic circuits in industry
Model Checking: The specification is in the form of a logic

40
formula,
the truth of which is determined with respect to a
semantic model provided by an implementation
Starting to be used to check small modules in industry
Equivalence Checking: The equivalence of a specification and

an
60 implementation checked
Most common industry use of formal verification
Symbolic Trajectory Evaluation: Properties specified as

assertions about circuit state (pre- and post- conditions),
verified using symbolic simulation
80
Used to verify embedded memories in industry
2 / 48
Equivalence Checking
mm
40
60
80
100
120
Most common technique of formal verification used in

industry today
40
Typically, gate-level compared with RTL
Canonical representations, such as Binary Decision Diagrams

(BDDs), or Satisfiability Solvers used for the comparison
60
Boolean equivalence checking is NP-complete

Multipliers require an exponential number of BDD nodes
Commercial tools available from many vendors
80
3 / 48


Equivalence Checking
Validate that the implementation of a module is consistent
with the specification
mm
40
60
80
100
120
Can use simulation or formal techniques

Combinational or sequential modules
Example: Specification in RTL

40
module mux(input s, d0, d1,
output y);
assign y = s ? d1 : d0;
endmodule
60
Example: Implementation at the gate level
80
4 / 48
Decision Tree for A B C

mm
40
60
80
100
120
40
60
80
5 / 48


Reduced, Ordered BDD (ROBDD)

mm
40
60
80
100
120
40
60
F =ABC
Reduced, Ordered BDDs (ROBDDs) are canonical
80
Can represent sets of states, state-transition relations, etc.

Structure and complexity of ROBDDs for Symmetric Functions?
6 / 48
Example of ROBDD Reduction

mm
40
60
80
100
120
40
60
80
7 / 48


Impact of BDD Variable Ordering

f (x1 , x2 , . . . , x8 ) = x1 x2 + x3 x4 + x5 x6 + x7 x8
Ordering : x1 < x3 < x5 < x7 < x2 < x4 < x6 < x8
mm
40
60
80
100
120
Figure modified
from Wikipedia
40
60
80
8 / 48
Impact of BDD Variable Ordering, Contd

f (x1 , x2 , . . . , x8 ) = x1 x2 + x3 x4 + x5 x6 + x7 x8
Ordering : x1 < x2 < x3 < x4 < x5 < x6 < x7 < x8
mm
40
60
80
100
120
Figure modified
from Wikipedia
40
60
80
9 / 48


Variable Swapping An example

mm
40
60
80
100
120
40
60
80
10 / 48
Probabilistic Verification
Concept of arithmetic simulation
Transform Boolean
function
so that operations
mm
40
60 or circuit80
100
120
performed on arithmetic (rather than Boolean) variables
Evaluate specification and implementation for a random
arithmetic vector (result called a hash code)
If40hash codes are different, the two are definitely not
equivalent
If hash codes are the same, there is a small probability of error
(that is, the two may not be equivalent)
60
error e =
1
m,
where m is the size of the integer space
Probability of error can be reduced by using integers from a

larger space, or by repeating evaluation on another random
vector (error decreases exponentially)
1 k
)
The
error after k runs, e = ( m
80
Example probability of error for 32-bit integers: 108
Each evaluation reduces error by the above factor
11 / 48


Indexed Binary Decision Diagrams

A BDD graph with multiple layers
Characteristics:
mm
40
40
60
80
100
function graph is divided into k layers
each layer is strongly ordered
two layers can have different ordering
Example: F = (a1 a2 a3 a4 ) (a1 a3 a2 a4 )
120
60
80
12 / 48
Satisfiability (SAT) Solvers

mm
40
60
80
100
Can a Boolean Function be Satisfied?

Cast an equivalence checking problem as a SAT problem
120
Starts by converting Boolean formula into the Conjunctive

Normal
Form (CNF) (product of sums)
40
(a + b + c)(a + e + f )(c + d + g). . .
Goal is to find an assignment satisfying every term (if any
clause is 0, there is no satisfying assignment)
60
Commercial and Open SAT solvers available

Most verification tools now use BDDs + SAT
Some bring in ATPG ideas called structural SAT
80
13 / 48


Truth Table to CNF

mm
40
60
Put negation of formula in DNF
80
100
120
For each 0 or F row in table, make a term equivalent to

the corresponding assignment
Negate
the disjunction of the terms
40
By DeMorgans Law, switch AND and OR, and complement

literals
Example: Express x y (x y + x y) in CNF

60
Two terms for 0: x=1, y=0 and x=0, y=1

= function is 0 when xy + xy
CNF is: (x + y)(x + y)
80
14 / 48
Circuit to CNF
mm
40
60
80
d (a + b)
100
120
e (c.d)
Clauses: 40
(a + b + d)
(a + d)
(b + d)
Clauses:
(c + d + e)
(d + e)
(c + e)
60
80
15 / 48


Use of ATPG for Equivalence Checking

Use a tool (Automatic Test Pattern Generator) which
generates manufacturing
tests
mm
40
60
80
100
120
Detecting a stuck-at-0 fault at Y (requires an input which
generates a 1 on Y) will prove inequivalence of the two circuits
Approach is not memory limited (like BDDs)
40
60
80
16 / 48
Functional Partitioning
If F1 and F2 are never true at the same time, then 1 and 2
form orthogonal partitions
mm
40
60
80
100
F1 and F2 can be evaluated and ordered independently

Many functions, which otherwise would take an exponential
amount of resources for verification, can be verified efficiently
(in polynomial time) using orthogonal partitions
40
Example, the Fortune-Hopcroft-Schmidt (FHS) function
120
60
80
17 / 48


10
Term Rewriting for Arithmetic Circuit Checking

RTL Term-Level reductions
mm
40arithmetic 60
80 RTL level100
Verification of
circuits at the
using term 120
rewriting
RTL to RTL equivalence checking
Verified large multiplier designs like Booth, Wallace Tree and
40
many optimized multipliers using this rewriting technique
VERIFIRE
Dedicated Arithmetic Circuit Checker
60
Vtrans: Translates Verilog designs to Term Rewriting Systems

Vprover: Proves equivalence of Term Rewriting Systems
80
Iterative engine
Returns error trace if proof not found
Maintains an expanding rule base for expression minimization
Incomplete, but efficient, engine
18 / 48
RTL Equivalence Using TRSs

mm
40
60
80
100
120
40
60
80
19 / 48


11
Results on Multipliers
mm
40
60
80
100
120
Different sizes of Wallace Tree Multipliers (Verilog RTL) compared

with a simple Golden Multiplier (Verilog RTL) of the same size
Compare Verifire against Commercial Tools
40
Wallace Tree
4x4
8x8
16x16
60
32x32
64x64
Verifire
14s
18s
25s
40s
60s
Commercial Tool 1
10s
18s
unfinished
unfinished
unfinished
Commercial Tool 2
9s
16s
unfinished
unfinished
unfinished
80
20 / 48
Application of Theorem Proving

mm
40
60
80
100
120
ACL2 used at AMD to formally verify FPUs

First used by Moore et al. to check the proof of correctness of
40 Kernel of the AMD 5k86 floating point division algorithm
the
Used to verify the RTL of K7 FPU
60
RTL primitives logical operations on bit vectors

Developed theory to prove RTL correct with respect to more
abstract IEEE standard
Theorem proving requires high degree of expertise
80
21 / 48


12
Symbolic Simulation
mm
40
60
80
100
120
Equivalence checking between RTL and circuit schematics is

difficult for some circuits (e.g., custom arrays)
40
Critical timing and self-timed control logic

Large number of bit-cells
Inherently complex sequential logic blocks
Dynamic logic
Traditional tools fail on such circuits

60
Very large state space, too many initial state/input sequences

for simulation-based tools
Boolean equivalence tools only check static cones of logic, do
not capture dynamic behavior
80
22 / 48
Example: Custom Control for Custom Array Structures

mm
40
60
80
100
120
40
60
OUT
pulse fans out to array READ/WRITE control signals
80
Equivalence checking does not work
23 / 48


13
Scalar Simulation
To prove that the circuit is a NAND gate, exhaustive simulation
n
requires
mm 2 vectors
40
60
80
100
120
40
60 Antecedent
A
A
A
80 A
=
=
=
=
0
0
1
1
(t0,t1)
(t0,t1)
(t0,t1)
(t0,t1)
and
and
and
and
B
B
B
B
=
=
=
=
0
1
0
1
(t0,t1)
(t0,t1)
(t0,t1)
(t0,t1)
Consequent
C is 1 (t1,t2)
C is 1 (t1,t2)
C is 1 (t1,t2)
C is 0 (t1,t2)
Table could be viewed as: Antecedent = Consequent

24 / 48
Ternary Simulation
Using three values (0, 1, X), N-input NAND requires N+1 vectors
mm
40
60
80
100
120
to verify
40
60
Antecedent
A = 0 (t0,t1) and B = X
A = X and B = 0 (t0,t1)
80 A = 1 (t0,t1) and B = 1 (t0,t1)
Consequent
C is 1 (t1,t2)
C is 1 (t1,t2)
C is 0 (t1,t2)
25 / 48


14
Symbolic Simulation
Exhaustive
Verification:
N-input
1 vector
mm
40
60 NAND requires
80
100 and N
variables
120
40
60
Antecedent: A = a(t0,t1) and B = b(t0,t1)

(a and b are Boolean variables)
80
Consequent:
C = [ (a AND b)](t1,t2)
26 / 48
Symbolic Trajectory Evaluation

VERSYS symbolic trajectory evaluation tool developed at
Motorola/Freescale
mm
40
60
80
Based on VOSS (from CMU/UBC)
100
120
Trajectory formulas
Boolean expressions with the temporal next-time operator
Ternary values states represented by a Boolean encoding
40
Properties
of type: Antecedent = Consequent
Antecedent, Consequent are trajectory formulas
Antecedent sets up stimulus, state of the circuit
Consequent specifies constraint on the state sequence
Used
to verify PowerPC arrays at Motorola/Freescale in 8
60
10% of the design time
Bugs found during array equivalence checking
80
Incorrect clock regenerators feeding latches

Control logic errors in READ/WRITE enables
Violation of one-hot property assumptions
Scan chain hookup errors
Potential circuit-related problems such as glitches and races
27 / 48


15
Design Verification
Digital systems similar to reactive programs
Digital systems receive inputs and produce outputs in a
mm
40
60
80
100
120
continuous interaction with their environment
Behavior of digital systems is concurrent because each gate in
the system simultaneously evaluating its output as a function
of its inputs
40
Check Properties of Design

Since specification is usually not formal, check design for
properties that would be consistent with the specification
60
Safety
something bad will never happen
Liveness Property: something good will eventually happen

Temporal Logic and variations commonly used to specify
properties
80
Example: Linear Temporal Logic (LTL) or Computation Tree

Logic (CTL)
28 / 48
Example of Computation Tree

mmlight controller
40
Traffic
60
80
100
120
40
60
80
29 / 48


16
Operators
Referring to paths
A: For every path
mm E: There40
exists a path 60
80
100
120
Referring to states on a path

G: Globally
F: In the future (eventually)
Examples
40
EF p: there is some path on which p is eventually true

AG p: for every path, at every state, p is true
EF60Y
(True)
EG R
(True)
80
AG(R+G)
(False)
30 / 48
Use of ATPG to Check Properties

This moves verification of the design to the same level as the
60
80
models used 40
to generate manufacturing
test of the100
physical 120
chip
mm
Using ATPG allows the verification engine to deal with

tri-state signals, multiple clocks, etc.
40
60
80 Model Checking: Prove properties for a limited number

Bounded
of cycles
31 / 48


17
Monitor State Machine for EGp

mm
40
60
80
100
Find an input sequence of length n for which the system will

satisfy the property p
120
40
60
80
32 / 48
Monitor State Machine for EpUq

For some
up to n cycles,
state where100
q holds and120
mm path of 40
60 there is a80
p holds in every previous state
40
60
80
33 / 48


18
Model Checking on IBM Power 4

mm
40
60
80
100
120
Functional formal verification (equivalence checking and

model checking) on 40 design components (IU, FPU,
control, memory, etc.)
40
Found more than 200 design flaws at various stages and of

varying complexity
At least one bug was found by almost every application of
formal
verification
60
Estimate: 15% of bugs would have evaded simulation
Some of the bugs literally escaped 1-2 years of simulation
80
34 / 48
Cadence Formal Verification

mm
40
60
80
100
120
40
60
80
35 / 48


19
Specifying Properties (Assertions) in Industry Tools

Used for both simulation monitoring and formal verification
mm
40
60
80
100
Examples of assertion languages include Vera (Synopsys),

Sugar (IBM), Property Specification Language,PSL (Accelera
consortium), System Verilog
120
40
PSL/Sugar
Core based on Boolean and Temporal logic
Layer of user-friendly syntactic sugar
Comes
in three flavors
60
Verilog
VHDL
GDL
Reference
Manual:
80
http://www.eda.org/vfv/docs/PSL-v1.1.pdf
36 / 48
System Verilog Assertions (SVA)

mm
40
60
80
100
120
SVA
Assertions: Predicates placed in program
Immediate and Concurrent Assertions
40
assert,
assume, cover, expect constructs
Immediate Assertions
assert (a == b);
60
Concurrent Assertions
assert property (@(posedge clk) req | ack);
80
37 / 48


20
Dealing with State Explosion

Verification is a very difficult problem
mm
40
60
80 problems
100
Even combinational
equivalence
checking
(ATPG,
120
SAT) are NP-complete

Checking sequential properties is only possible for small
designs
40
Additional
problem of generating correct wrappers for the
module being verified
How can we deal with the complexity?

60
Use more powerful computers?
Computers double in capability (assuming we can program
multi-core processors) every couple of years
Adding one state variable to a design doubles its states
80
Exploit
hierarchy in the design
Develop powerful abstractions

38 / 48
Program Slicing
mm
40
60
80
100
120
A Slice of a Design
Represents behavior of the design with respect to a given set
of
40 variables (or slicing criterion)
Proposed for use in software in 1984 (Weiser)
Slice generated by a control/data flow analysis of the program
code
60
Slicing
is done on the structure of the design, so scales well
Static analysis
80
39 / 48


21
Antecedent Conditioned Slicing

mm
40
60
80
100
120
40
60
80
40 / 48
Example of Antecedent Conditioned Slicing I

mm
40
60
80
100
120
40
60
80
41 / 48


22
Example of Antecedent Conditioned Slicing II

mm
40
60
80
100
120
40
60
80
42 / 48
Experiments with Antecedent Conditioned Slicing

mm
40
60
80
100
120
USB 2.0 Function Core

Verilog
implementation from www.opencores.org
40
Properties from specification document
Safety properties expressed in LTL (G(a = c))
Verification engine: Cadence-BMC (bound of 2450 steps)
60
80
43 / 48


23
Example USB Properties

G((crc5err (match) = (send token))
mm
40
60
80
100
If a packet with a bad CRC5 is received, or there is an endpoint

field mismatch, the token is ignored
120
G((state == SP EED N EG F S) = X((mode hs)

40
(T 1 gt 3 0ms) = (next state == RES SU SP EN D))
If the machine is in the speed negotiation state, then in the next
clock cycle, if it is in high speed mode for more than 3 ms, it will
go to the suspend state
60
G((state == RESU M E W AIT ) (idle cnt clr) =

F (state == N ORM AL))
If the80machine is waiting to resume operation and a counter is set,
eventually (after 100 mS) it will return to normal operation
44 / 48
Results on Temporal USB Properties

CPUmm
seconds, on 40
a 450 MHz dual
with100
I GB RAM 120
60 UltraSPARC-II
80
40
60
80
45 / 48


24
Verification of Processors Using Antecedent Conditioned

Slicing
mm
40
60
80
100
120
Verification of single-instruction issue, multi-stage pipelined

processors
40
Properties
are at the Instruction level (not for an internal
block in the design)
Antecedent conditioned slicing provides an automatic

decomposition strategy
60
Individual instruction machines

Verified all the instructions of the OR1200 embedded
processor (www.opencores.org)
80
46 / 48
Single Instruction Verification

mm
40
60
80
100
120
40
60
80
47 / 48


25
Results of OR1200 Verification

CPUmm
seconds, 3GHz
4 processor with
40 Pentium 60
80 1 GB RAM
100
120
SMV would not even compile the design without slicing

Instruction
Class
40
LSU
LSU
LSU
SHF/ROT
60
SHF/ROT
SHF/ROT
SPRS
SPRS
80
Instruction
l.ld
l.lws
l.sd
l.sll
l.srl
l.ror
l.mfspr
l.mtspr
SMV time
(seconds)
35.85
33.91
38.32
26.81
27.83
27.83
226.97
212.27
Memory Usage
(KB)
29104
28873
30941
23771
23771
26919
50696
48627
48 / 48


Introduction To Formal Verification

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To Formal Verification

Uploaded by

Copyright:

Available Formats

VLSI Design, Fall 2015