formal verification solution
Post on 03-Jun-2018
222 Views
Preview:
TRANSCRIPT
-
8/12/2019 Formal Verification Solution
1/80
1Inventing IC design technologies
that will be vital to Intel
SSCCLL
GSTE: An Industrial StrengthGSTE: An Industrial StrengthFormal Verification SolutionFormal Verification Solution
Jin Yang, Ph.D.,Jin Yang, Ph.D.,
Principal EngineerPrincipal EngineerStrategic CAD Labs,Strategic CAD Labs,Intel Corp.Intel Corp.
PSUPSUFeb 22, 2009Feb 22, 2009
-
8/12/2019 Formal Verification Solution
2/80
2
MotivationMotivation
Design ComplexityDesign Complexity
MicroMicro--architectures are complexarchitectures are complex
superscalar, OOO, hypersuperscalar, OOO, hyper--threading, powerthreading, power--saving etc.saving etc.
RTL is too bigRTL is too big
The number of bugs are proportional to lines of codeThe number of bugs are proportional to lines of code
Bug creation will soon overwhelm detectionBug creation will soon overwhelm detection
Creation - 4x per lead design, detection - flattening
Bug escapes can have an increasing $ impactBug escapes can have an increasing $ impactMultiMulti--core, multicore, multi--chip design becomes the trendchip design becomes the trend
-
8/12/2019 Formal Verification Solution
3/80
3
MotivationMotivation
Formal Verification Tool Capacity is TooFormal Verification Tool Capacity is TooSmallSmall
Symbolic Model CheckingSymbolic Model Checking
~200 state variables with rich logic~200 state variables with rich logic
STESTE~2,000 state variables with very~2,000 state variables with very
limited logiclimited logic
-
8/12/2019 Formal Verification Solution
4/80
4
MotivationMotivation
Solution NeededSolution Needed
An executableAn executable microarchitecturemicroarchitecture spec (HLM)spec (HLM)that is ~10x smaller than todaythat is ~10x smaller than today
Correct by construction design refinementsCorrect by construction design refinementsfrom the HLMfrom the HLM
Higher capacity FV technologyHigher capacity FV technology
-
8/12/2019 Formal Verification Solution
5/80
5
Simulation Based VerificationSimulation Based Verification
Solutions: A Historical ComparisonSolutions: A Historical Comparison
Designcomplexity
Verificationcompleteness
Specificationrichness
Dynamic (Random) simulation
symbolicsimulation
SymbolicTrajectoryEvaluation
(STE)
Symbo
licmodelch
ecking
GeneralizedSTE
(GSTE)
-
8/12/2019 Formal Verification Solution
6/80
6
Buffer SpecificationBuffer Specification
After reset, input data will be output after 3After reset, input data will be output after 3ticks.ticks.
reset
2
2din[1:0]
dout[1:0]
reset
din[1:0]
dout[1:0]
0 1 2 3 4 5 6 7 8
00 10 01 10 11
00 10 01 10 11
9
-
8/12/2019 Formal Verification Solution
7/80
7
Rotary Buffer ImplementationRotary Buffer Implementation
+
reset
2
2
en
en
en
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b2
b1
b0
-
8/12/2019 Formal Verification Solution
8/80
8
Rotary Buffer BehaviorRotary Buffer Behavior
+
reset
2
2
en
en
en
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b2
b1
b0
1
-
8/12/2019 Formal Verification Solution
9/80
9
Rotary Buffer BehaviorRotary Buffer Behavior
+
reset
2
2
en
en
en
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b2
b1
b0
0010
-
8/12/2019 Formal Verification Solution
10/80
10
Rotary Buffer BehaviorRotary Buffer Behavior
+
reset
2
2
en
en
en
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b2
b1
b0
001
0
-
8/12/2019 Formal Verification Solution
11/80
11
Rotary Buffer BehaviorRotary Buffer Behavior
+
reset
2
2
en
en
en
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b2
b1
b0
010
0
-
8/12/2019 Formal Verification Solution
12/80
12
Rotary Buffer BehaviorRotary Buffer Behavior
+
reset
2
2
en
en
en
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b2
b1
b0
100
0
-
8/12/2019 Formal Verification Solution
13/80
13
Dynamic SimulationDynamic Simulation
English Specification:English Specification:
After reset, input data willAfter reset, input data will
be output after 3 ticks.be output after 3 ticks.+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
din[1:0]
c0
c1
c2
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
0 1 2 3 4 5 6 7 8
00 10 01 10 11 11 01 00
9
00
00
00
00
00
-
8/12/2019 Formal Verification Solution
14/80
14
Dynamic SimulationDynamic Simulation
English Specification:English Specification:
After reset, input data willAfter reset, input data will
be output after 3 ticks.be output after 3 ticks.+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
din[1:0]
c0
c1
c2
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
0 1 2 34
5 6 7 8
00 10 01 10 11 11 01
10 11
01 11
00 10
00 10 01
00
01
10 11
9
00
00
00
00
00
-
8/12/2019 Formal Verification Solution
15/80
15
Dynamic Simulation: Pros/ConsDynamic Simulation: Pros/Cons
Designcomplexity
Verificationcompleteness
Specificationrichness
Random simulation
ProsPros Computationally inexpensiveComputationally inexpensive
Rich specification language (testRich specification language (testprograms)programs)
ConsCons Bug hunting, not a formal proofBug hunting, not a formal proof Coverage degrades quickly on complexCoverage degrades quickly on complex
designsdesigns Required simulation time increasesRequired simulation time increases
dramaticallydramatically
symbolicsimulation
-
8/12/2019 Formal Verification Solution
16/80
16
Symbolic Simulation: BasicsSymbolic Simulation: Basics
Core IdeaCore Idea
UseUse booleanboolean variables/expressions to encode allvariables/expressions to encode all
possible scalar valuespossible scalar values
Simulation by function compositions ofSimulation by function compositions of booleanbooleanexpressionsexpressions
rather than function evaluations of scalar valuesrather than function evaluations of scalar values
-
8/12/2019 Formal Verification Solution
17/80
17
Symbolic Simulation: BasicsSymbolic Simulation: Basics
A
B A & BA
B A + B+ A !A A(t) A(t+1)
Basic gates:
Function composition:
A
B +
A & !B + !A & B
!A
!B
A & !B
!A & B
A
B
+
E & A + !E & B
!E
E & A
!E & B
E
E & A + !E & Bat next time
-
8/12/2019 Formal Verification Solution
18/80
18
Symbolic Simulation: BasicsSymbolic Simulation: Basics
Canonical representationCanonical representation
Are twoAre two booleanboolean expressions equivalent, i.e.,expressions equivalent, i.e.,
representing the samerepresenting the same booleanboolean function?function?Ordered Binary Decision Diagram (BDD) gives aOrdered Binary Decision Diagram (BDD) gives a
canonical form of anycanonical form of any booleanboolean function (Bryantfunction (Bryant1986)1986)
Function compositions are defined in terms ofFunction compositions are defined in terms ofBDD operationsBDD operations
-
8/12/2019 Formal Verification Solution
19/80
19
Equivalent?
Symbolic Simulation: BasicsSymbolic Simulation: Basics
A
B
+
A & !B + !A & B!A
!B
A & !B
!A & B
A
B
+ (A + !B) & (!A + B)
!A
!B
A + !B
!A + B
+!((A + !B) & (!A + B))
A
0 1
B
0 1
A
0 1
B
A
0 1
B
A
0 1
BB
A
0 1
BB
A
0 1
A
0 1
A
0 1
B
A
0 1
B
A
0 1
BB
Equivalent!
-
8/12/2019 Formal Verification Solution
20/80
20
Symbolic Simulation: BasicsSymbolic Simulation: Basics
Constrained inputsConstrained inputs
Parametric representation (Parametric representation (AagaardAagaard, Jones &, Jones &
Seger 1999)Seger 1999)
Canonical under any fixed parametric variableCanonical under any fixed parametric variableorderorder
-
8/12/2019 Formal Verification Solution
21/80
21
Symbolic Simulation: BasicsSymbolic Simulation: Basics
A!A
A + !A = 1+
A
B+
Simple case
Complex case
s.t. A + B
P0 +
parametric
!P0 + P1P0 + !P0 + P1 = 1
11111111
0011001111001100
11000000
BBAAPP11PP00
valid space
-
8/12/2019 Formal Verification Solution
22/80
22
Symbolic Simulation: Rotary BufferSymbolic Simulation: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
din[1:0]
c0
c1
c2
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
0 1 2 3 4 5 6
A1B1 A2B2
A0B0
D0E0
D1E1
D2E2
A3B3
C0
C1
C2
Partial English Specification:Partial English Specification:
Within first 6 ticksWithin first 6 ticks after reset, inputafter reset, inputdata will be output after 3 ticksdata will be output after 3 ticks
Stimulus/Antecedent
Check/Consequent
A1B1 A2B2 A3B3 A4B4 A5B5 A6B6
Assertion:
-
8/12/2019 Formal Verification Solution
23/80
23
Symbolic Simulation: Rotary BufferSymbolic Simulation: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
Partial English Specification:Partial English Specification:
Within first 6 ticksWithin first 6 ticks after reset, inputafter reset, inputdata will be output after 3 ticksdata will be output after 3 ticks
$$: C$$: C00 & D& D00 + C+ C11 & D& D11 + C+ C22 & D& D22,,
CC00 & E& E00 + C+ C11 & E& E11 + C+ C22 & E& E22
$0: C$0: C00 & A& A00 + !C+ !C00 & D& D00,,
CC00 & B& B00 + !C+ !C00 & E& E00
$1: C$1: C11 & A& A00 + !C+ !C11 & D& D11,,CC11 & B& B00 + !C+ !C11 & E& E11
$2: C$2: C22 & A& A00 + !C+ !C22 & D& D22
CC22 & B& B00 + !C+ !C22 & E& E22
Large, but uselesssymbolic values!!!
Symbolic Simulation:
reset
din[1:0]
c0
c1
c2
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
0 1 2 3 4 5 6
A1B1 A2B2 A3B3 A4B4 A5B5 A6B6
A2B2 A5B5
A3B3
A1B1 A4B4
A1B1 A2B2
A0B0
D0E0
D1E1
D2E2
$$ A3B3
C0
C1
C2
$0
$1
$2
$0 $1 $2
dout[1:0] A1B1 A2B2 A3B3
-
8/12/2019 Formal Verification Solution
24/80
24
Symbolic Simulation: Pros/ConsSymbolic Simulation: Pros/Cons
Designcomplexity
Verificationcompleteness
Specificationrichness
Dynamic simulation
symbolicsim
ulation
ProsPros
Formal proofFormal proof
ConsCons Poor capacityPoor capacity
Very limited specification languageVery limited specification language(over finite intervals)(over finite intervals)
symbolicsim
ulation
SymbolicTrajectoryEvaluation
(STE)
-
8/12/2019 Formal Verification Solution
25/80
25
STE: BasicsSTE: Basics
STESTE Symbolic Trajectory EvaluationSymbolic Trajectory Evaluation(Bryant & Seger 1990)(Bryant & Seger 1990)
Use quaternary values 0, 1, X, C, in place ofUse quaternary values 0, 1, X, C, in place ofbooleanboolean valuesvalues
ExpandExpand booleanboolean logic to quaternary logiclogic to quaternary logic
-
8/12/2019 Formal Verification Solution
26/80
26
STE: BasicsSTE: Basics
C
0 1
X
(reverse) information order
Unknown
Conflict
CCCCCCCCCC
CC1100XX11
CC00000000CCXX00XXXX
CC1100XX&&
CCCCCCCCCC
CC11111111
CC1100XX00CC11XXXXXX
CC1100XX++
CCCC
0011
1100XXXX
!!
CCCC
1111
0000XXXX
+
Basic gates:
-
8/12/2019 Formal Verification Solution
27/80
27
STE: BasicsSTE: Basics
Quaternary abstractionQuaternary abstraction
A quaternary vector is an abstraction of a set ofA quaternary vector is an abstraction of a set of
booleanboolean vectorsvectors
PointPoint--wise abstraction of set union, intersectionwise abstraction of set union, intersection
Complexity reductionComplexity reduction
-
8/12/2019 Formal Verification Solution
28/80
-
8/12/2019 Formal Verification Solution
29/80
29
STE: BasicsSTE: Basics
Symbolic Quaternary VectorSymbolic Quaternary Vector
It is often desired to work on a set of quaternaryIt is often desired to work on a set of quaternary
vectorsvectorsCapture different casesCapture different cases
Avoid too coarse abstractionAvoid too coarse abstraction
A symbolic quaternary vector encodes a set ofA symbolic quaternary vector encodes a set ofquaternary vectorsquaternary vectors
-
8/12/2019 Formal Verification Solution
30/80
30
STE: BasicsSTE: Basics
0 1 11, 0, 1 +
{{{{ }}}} 1
XX + X Too coarse!
abs.
+
1X
{{{{1 10, 1
v!v?1:X 1
01
v
01
{{{{ }}}} }}}}
v
abs. rew.
part. & sym.
Right level
+
v!v + w 1
rew.
v
w
01
10
11
finer part.
& sym.
Boolean
-
8/12/2019 Formal Verification Solution
31/80
31
STE: BasicsSTE: Basics
Quaternary Dual Rail EncodingQuaternary Dual Rail Encoding
C
0 1
X (1, 1)
(1, 0)(0, 1)
(0, 0)
(f, g) =
Symbolic form
X, when f & g
1, when f & !g
0, when !f & g
C, when !f & !g
[ v, !v?1:X ]
[ (v, !v) , (1, v) ]
( AH, AL )
( BH, BL ) ( AH & BH, AL + BL )
( AH, AL )
( BH, BL ) ( AH + BH, AL & BL )+
( AH, AL )( AL, AH )
( AH, AL )( AH, AL ) at next time
( AH, AL )
( BH, BL ) ( AH & BH, AL & BL ) ( AH, AL )
( BH, BL ) ( AH + BH, AL + BL )
-
8/12/2019 Formal Verification Solution
32/80
32
STE: Rotary BufferSTE: Rotary Buffer
Partial English Specification:Partial English Specification: Within first 6 ticksWithin first 6 ticks after reset,after reset,
input data will be output afterinput data will be output after3 ticks3 ticks
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1reset := 1 reset := 0din := A2B2
reset := 0din := A3B3reset := 0din := A4B4
reset := 0din := A5B5reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
+
reset
2
2
2mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
a0 a1 a2
STE R B ff
-
8/12/2019 Formal Verification Solution
33/80
33
STE: Rotary BufferSTE: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1
reset := 1 reset := 0din := A2B2
reset := 0din := A3B3
reset := 0din := A4B4
reset := 0din := A5B5
reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
A1B1 A2B2 A3B3 A4B4 A5B5 A6B6
A2B2 A5B5
A3B3
A1B1 A4B4
A1B1 A2B2 A3B3
X
a0 a1 a2
a2a1a0 XXX
XXX
XX
XX
XX
XX
XX
X
001
001
STE R B ffSTE R B ffd
-
8/12/2019 Formal Verification Solution
34/80
34
STE: Rotary BufferSTE: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1
reset := 1 reset := 0din := A2B2
reset := 0din := A3B3
reset := 0din := A4B4
reset := 0din := A5B5
reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
A1B1 A2B2 A3B3 A4B4 A5B5 A6B6
A2B2 A5B5
A3B3
A1B1 A4B4
A1B1 A2B2 A3B3
X
a0 a1 a2
a2a1a0 XXX
XXX
XX
XX
XX
XX
XX
001
001
X
A1B1
010
A1B1
010
STE R B ffSTE R t B ffd
-
8/12/2019 Formal Verification Solution
35/80
35
STE: Rotary BufferSTE: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1
reset := 1 reset := 0din := A2B2
reset := 0din := A3B3
reset := 0din := A4B4
reset := 0din := A5B5
reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
A1B1 A2B2
A2B2 A5B5
a0 a1 a2
a2a1a0 XXX
XXX
XX
XX
XX
XX
XX
001
001
X
A1B1
010
X
010
A2B2
100
A1B1 A1B1
A2B2
100
STE R t B ffSTE R t B ffdp
-
8/12/2019 Formal Verification Solution
36/80
36
STE: Rotary BufferSTE: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1
reset := 1 reset := 0din := A2B2
reset := 0din := A3B3
reset := 0din := A4B4
reset := 0din := A5B5
reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
A1B1 A2B2
A2B2 A5B5
a0 a1 a2
a2a1a0 XXX
XXX
XX
XX
XX
XX
XX
001
001
X
A1B1
010
010
A2B2
100
A1B1
A2B2
100
A3B3
001
X
A1B1
A2B2 A2B2
A3B3
001
A1B1
STE R t B ffSTE R t B ffdp
-
8/12/2019 Formal Verification Solution
37/80
37
STE: Rotary BufferSTE: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1
reset := 1 reset := 0din := A2B2
reset := 0din := A3B3
reset := 0din := A4B4
reset := 0din := A5B5
reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
A1B1 A2B2
A2B2 A5B5
a0 a1 a2
a2a1a0 XXX
XXX
XX
XX
XX
XX
XX
001
001
X
A1B1
010
010
A2B2
100
100
A3B3
001
A1B1
A2B2
A3B3
001
X
A4B4
010
A2B2
A3B3
A1B1
A4B4
010
A2B2
-
8/12/2019 Formal Verification Solution
38/80
STE R t B ffSTE: Rotary Bufferdp
-
8/12/2019 Formal Verification Solution
39/80
39
STE: Rotary BufferSTE: Rotary Buffer
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
0 1 2 3 4 5 6
Antecedent
STE Assertion:
reset := 0din := A1B1
reset := 1 reset := 0din := A2B2
reset := 0din := A3B3
reset := 0din := A4B4
reset := 0din := A5B5
reset := 0din := A6B6
Consequent
Timeline
dout := A1B1 dout := A2B2 dout := A3B3
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
A1B1 A2B2
A2B2 A5B5
a0 a1 a2
a2a1a0 XXX
XXX
XXXX
XX
XX
XX
001
001
X
A1B1
010
010
A2B2
100
100
A3B3
001
A1B1
001
A4B4
010
A2B2
A1B1
A2B2
010
100
A5B5
A4B4
A5B5
A3B3
100
A3B3
A6B6
001
-
8/12/2019 Formal Verification Solution
40/80
GSTE: BasicsGSTE: Basics
-
8/12/2019 Formal Verification Solution
41/80
41
GSTE: BasicsGSTE: Basics
GSTEGSTE Generalized STEGeneralized STE
Assertion graph specificationAssertion graph specification
automaton over antecedent/consequent pairsautomaton over antecedent/consequent pairs
Model CheckingModel Checking
STE + Abstract Set Union + FixSTE + Abstract Set Union + Fix--Point ComputationPoint Computation
Assertion GraphAssertion Graph English Specification:English Specification:
-
8/12/2019 Formal Verification Solution
42/80
42
Assertion GraphAssertion Graph
reset := 0
din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
English Specification:English Specification:
After reset, input dataAfter reset, input data
will be output after 3will be output after 3ticks.ticks.
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
dout := AB
reset := 0 reset := 0
Satisfied ifSatisfied if the STE assertionthe STE assertion
captured by every accepting pathcaptured by every accepting path
is satisfiedis satisfied
Length k for all possible k 0
Assertion GraphAssertion Graph
-
8/12/2019 Formal Verification Solution
43/80
43
Assertion GraphAssertion Graph
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
Intuitively, think of it as aIntuitively, think of it as a
test programtest program
Beginreset: = 1; tick;while (random() < 0.7)
reset: = 0; tick;endwhile;reset: = 0; din := random value; tick;reset: = 0; tick;reset: = 0; tick;
reset := 0; assert(dout = din);end.
Model CheckingModel Checking
-
8/12/2019 Formal Verification Solution
44/80
44
Model CheckingModel Checking
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
[ ] C C C C CXXX
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
XX
XX
XX
XX
XX
XX
001
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
c2c1c0 = 001
STE + Abs. Set Union +STE + Abs. Set Union +FixFix--Point ComputationPoint Computation
Compute the set of circuitCompute the set of circuitinternal statesinternal states correscorres. to. to
each automation stateeach automation state cc22cc11cc00 bb00[1:0], b[1:0], b11[1:0], b[1:0], b22[1:0][1:0]
-
8/12/2019 Formal Verification Solution
45/80
Model CheckingModel Checking
-
8/12/2019 Formal Verification Solution
46/80
46
Model CheckingModel Checking
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
[ ] C C C CXXX
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
XX
XX
XX
XX
XX
XX
0XX
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
c2 = 0 X0X[ ]
Model CheckingModel Checking
-
8/12/2019 Formal Verification Solution
47/80
47
Model CheckingModel Checking
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
[ ] C C C CXXX
reset
din[1:0]
c2c1c0
b0[1:0]
b1[1:0]
b2[1:0]
dout[1:0]
XX
XX
XX
XX
XX
XX
XXX
+
reset
2
2
2
mux
2
2
ctrl
dp
din[1:0] dout[1:0]
c0 c1 c2
b0
b1
b2
reset
No more new
states!
XXX[ ]
-
8/12/2019 Formal Verification Solution
48/80
Assertion Graph RefinementAssertion Graph Refinement
-
8/12/2019 Formal Verification Solution
49/80
49
Assertion Graph RefinementAssertion Graph Refinement
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
reset := 0din := AB
reset := 1
reset := 0 reset := 0 reset := 0reset := 0
dout := ABreset := 0
reset := 0
reset := 0
din := AB
reset := 0 reset := 0 reset := 0
dout := AB
reset := 0din := AB
reset := 0 reset := 0 reset := 0
dout := AB
Case splitting
Assertion Graph RefinementAssertion Graph Refinement
-
8/12/2019 Formal Verification Solution
50/80
50
Assertion Graph RefinementAssertion Graph Refinement
reset := 0din := AB
reset := 1
reset := 0 reset := 0 reset := 0reset := 0
dout := ABreset := 0
reset := 0
reset := 0din := AB
reset := 0 reset := 0 reset := 0
dout := AB
reset := 0din := AB
reset := 0 reset := 0 reset := 0
dout := AB
c2c1c0=001
c2c1c0=010
c2c1c0=100
c2c1c0=010d0[1:0]=AB
c2c1c0=100d0[1:0]=AB
c2c1c0=001d0[1:0]=AB
c2c1c0=100d1[1:0]=AB
c2c1c0=001d1[1:0]=AB
c2c1c0=010d1[1:0]=AB
c2c1c0=001d2[1:0]=AB
c2c1c0=010d2[1:0]=AB
c2c1c0=100d2[1:0]=AB
Problem: the refined assertion graph can become verylarge with buffer size increase
AssertionAssertion ProgramProgram
-
8/12/2019 Formal Verification Solution
51/80
51
AssertionAssertion ProgramProgram
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
{ cnt1cnt0 := 0; }
{ cnt1cnt0 := (cnt1cnt0 +1) mod 3; }
{ } { } { } { }
AssertionAssertion ProgramProgram
-
8/12/2019 Formal Verification Solution
52/80
52
AssertionAssertion ProgramProgram
reset := 0din := ABreset := 1
reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
{ cnt1cnt0 := 0; }
{ cnt1cnt0 := (cnt1cnt0 +1) mod 3; }
{ } { } { } { }
!cnt1 & !cnt0
c2c1c0 = [ 0, 0, 1 ]
AssertionAssertion ProgramProgram
-
8/12/2019 Formal Verification Solution
53/80
53
AssertionAssertion ProgramProgram
!cnt1 & !cnt0
c2c1c0 = [ 0, 0, 1 ]
!cnt1 & cnt0
c2c1c0 = [ 0, 1, 0 ]
reset := 0din := ABreset := 1
reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
{ cnt1cnt0 := 0; }
{ cnt1cnt0 := (cnt1cnt0 +1) mod 3; }
{ } { } { } { }
AssertionAssertion ProgramProgram
-
8/12/2019 Formal Verification Solution
54/80
54
Assertionsse t o Programog a
!cnt1
c2c1c0 = [ 0, cnt0, !cnt0 ]
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
{ cnt1cnt0 := 0; }
{ cnt1cnt0 := (cnt1cnt0 +1) mod 3; }
{ } { } { } { }
AssertionAssertion ProgramProgram
-
8/12/2019 Formal Verification Solution
55/80
55
sse t o og ag
!cnt1 + !cnt0
c2c1c0 = [ cnt1&!cnt0, !cnt1&cnt0, !cnt1& !cnt0 ]
!cnt1 + !cnt0
c2c1c0 = [ !cnt1&cnt0, !cnt1&!cnt0, cnt1& !cnt0 ]d0[1:0] = !cnt1&!cnt0 ? [ A, B ] : [ X, X ]d1[1:0] = !cnt1& cnt0 ? [ A, B ] : [ X, X ]
d2[1:0] = cnt1&!cnt0 ? [ A, B ] : [ X, X ]
!cnt1 + !cnt0
c2c1c0 = [ !cnt1&!cnt0, cnt1&!cnt0, !cnt1&cnt0 ]d0[1:0] = !cnt1&!cnt0 ? [ A, B ] : [ X, X ]d1[1:0] = !cnt1& cnt0 ? [ A, B ] : [ X, X ]
d2[1:0] = cnt1&!cnt0 ? [ A, B ] : [ X, X ]
!cnt1 + !cnt0
c2c1c0 = [ cnt1&!cnt0, !cnt1&cnt0, !cnt1&!cnt0 ]d0[1:0] = !cnt1&!cnt0 ? [ A, B ] : [ X, X ]d1[1:0] = !cnt1& cnt0 ? [ A, B ] : [ X, X ]
d2[1:0] = cnt1&!cnt0 ? [ A, B ] : [ X, X ]dout[1:0] = [A, B]
reset := 0din := AB
reset := 1 reset := 0 reset := 0 reset := 0
reset := 0
dout := AB
{ cnt1cnt0 := 0; }
{ cnt1cnt0 := (cnt1cnt0 +1) mod 3; }
{ } { } { } { }
GSTE Model Checking AlgorithmGSTE Model Checking Algorithm
-
8/12/2019 Formal Verification Solution
56/80
56
g gg gGSTE(G, ckt)begin/* initialization */1. for each state q in G2. if q is an initial state3. cktState(q) := [ ] ;4. else5. cktState(q) := C;6. put every transition from the initial vertex into EVQ;/* Fix-point iteration */7. while (EVQ != empty)
8. (q, (ant, cons), q) := pick a transition from EVQ;9. (res, nxtState) := STEOneStep(ckt, cktState(q), ant, cons);10. if (res = false)11. return false;12. newState := nxtState union cktState(q);
13. if (newState != cktState(q))14. cktState(q) := newState;15. put every transition from q to EVQ;16. endwhile;17. return true;
end
Concurrent GSTEConcurrent GSTE
-
8/12/2019 Formal Verification Solution
57/80
57
GSTE LimitationGSTE Limitation
Sequential in nature, not suitable for describingSequential in nature, not suitable for describing
current circuit behaviorscurrent circuit behaviors
Concurrent GSTEConcurrent GSTE
Support concurrent specification and modelSupport concurrent specification and model
checkingchecking
Core idea: define a new operator to join twoCore idea: define a new operator to join twosequences togethersequences together
Concurrent GSTEConcurrent GSTE
-
8/12/2019 Formal Verification Solution
58/80
58
reset := 0din1 := AB
reset := 1 reset := 0din1 := 00
reset := 0din2 := CD
reset := 1 reset := 0
reset := 0
dout := AB+CD
reset := 0
din1 := AB
reset := 1 reset := 0din
1:= 00
din2 := CD
reset := 0
dout := AB+CD
Concurrent GSTEConcurrent GSTE
-
8/12/2019 Formal Verification Solution
59/80
59
reset := 0din1 := AB
reset := 1
reset := 0reset := 0 reset := 0
din1 := 00
reset := 0din
2
:= CDreset := 1
reset := 0 reset := 0din2 := 00
dout := AB+CD
PropertyPropertyIf some time in the past din1 got nonIf some time in the past din1 got non--zero value AB, din2 got nonzero value AB, din2 got non--zerozero
value CD, thenvalue CD, then doutdout must be AB+CDmust be AB+CD..
it would be very tedious to express in assertion graph for ait would be very tedious to express in assertion graph for alarge number of interleaving events!large number of interleaving events!
Voting MachineVoting Machine
-
8/12/2019 Formal Verification Solution
60/80
60
grst
av[1]v[1]
av[2]v[2]
av[3]
v[3]
voutVotingMachine
A vote can be accepted at stationA vote can be accepted at station ii (through(through v[i]=1,2,3v[i]=1,2,3) when) whenit is availableit is available
Outputs a voting result (Outputs a voting result (voutvout=f(v[1], v[2], v[3])=f(v[1], v[2], v[3])) when all) when allthree votes are in, and then makes the stations available forthree votes are in, and then makes the stations available fornext round.next round.
2
2
2
2
Concurrent SpecificationConcurrent Specification
-
8/12/2019 Formal Verification Solution
61/80
61
voted[i]
11ii33
wait
11ii33
assume: !rst & v[i]=0
random
assume: rst
wait[i]
assume: !rst & v[i]=Y[i]
assume: !rst & v[i]=0
assume: !rst & v[i]=Y[i]
voted[i] and wait
assume: !rst
assert: vout=f(Y[1],Y[2],Y[3])
outputvoted
assume: !rst
Concurrent SpecificationConcurrent Specification
-
8/12/2019 Formal Verification Solution
62/80
62
voted[i]
11ii33
wait
11ii33
assume: !rst & v[i]=0
assert: av[i]
random
assert: av[i]
assume: rst
wait[i]
assert: av[i]
assume: !rst & v[i]=Y[i]
assume: !rst & v[i]=0
assert: av[i]
assert: av[i]assume: !rst & v[i]=Y[i]
voted[i] and wait
assume: !rst
assert: av[i]
assert: vout=f(Y[1],Y[2],Y[3])
outputvoted
assume: !rst
Voting Machine ImplementationVoting Machine Implementation
-
8/12/2019 Formal Verification Solution
63/80
63
vout
+
2
0 =av[1]
v[1]
2
0 =av[2]
v[2]
2
0 =av[3]
v[3]
f
mux
0
v_[2]
v_[3]
voted[1]
rst
clr
clr
clr
clr
en
en
en
v_[1]
Direct Model CheckingDirect Model Checkingrst
-
8/12/2019 Formal Verification Solution
64/80
64
vout
rst
+
2
0
av[i]
v[i] f
mu
x0
v_[i]
clr
en
clr
=
(!rst, vout=f(y[1],y[2],y[3]))
outputrandom wait[i] voted[i]
(rst, av[i])
(!rst & v[i]=0, av[i])
11ii33
voted
(!rst & v[i]=Y[i], av[i])
wait
11ii33
(!rst & v[i]=Y[i], av[i])
voted[i] and wait
(!rst, av[i])
(!rst & v[i]=0, av[i])true
poll
v_[i]=0
Direct Model CheckingDirect Model Checkingrst
-
8/12/2019 Formal Verification Solution
65/80
65
vout
rst
+
2
0
av[i]
v[i] f
mu
x0
v_[i]
clr
en
clr
=
(!rst, vout=f(Y[1],Y[2],Y[3]))
outputrandom wait[i] voted[i]
(rst, av[i])
(!rst & v[i]=0, av[i])
11ii33
voted
(!rst & v[i]=Y[i], av[i])
wait
11ii33
(!rst & v[i]=Y[i], av[i])
voted[i] and wait
(!rst, av[i])
(!rst & v[i]=0, av[i])true v_[i]=0
i.v_[i]=0
v_[i]=Y[i]
i.v[i]=0 & v_[i]=Y[i]
poll
no change
Direct Model CheckingDirect Model Checkingrst
-
8/12/2019 Formal Verification Solution
66/80
66
vout
+
2
0
av[i]
v[i] f
mu
x0
v_[i]
clr
en
clr
=
(!rst, vout=f(y[1],y[2],y[3]))
outputrandom wait[i] voted[i]
(rst, av[i])
(!rst & v[i]=0, av[i])
11ii33
voted
(!rst & v[i]=Y[i], av[i])
wait
11ii33
(!rst & v[i]=Y[i], av[i])
voted[i] and wait
(!rst, av[i])
(!rst & v[i]=0, av[i])true
poll
i.v_[i]=0
v_[i]=0v_[i]=Y[i]
i.v[i]=0 & v_[i]=Y[i]
no change
no change
Direct Model CheckingDirect Model Checkingrst
-
8/12/2019 Formal Verification Solution
67/80
67
vout
+
2
0
av[i]
v[i] f
mu
x0
v_[i]
clr
en
clr
=
(!rst, vout=f(y[1],y[2],y[3]))
outputrandom wait[i] voted[i]
(rst, av[i])
(!rst & v[i]=0, av[i])
1i3
voted
(!rst & v[i]=Y[i], av[i])
wait
1i3
(!rst & v[i]=Y[i], av[i])
voted[i] and wait
(!rst, av[i])
(!rst & v[i]=0, av[i])true
poll
i.v_[i]=Y[i]
i.v_[i]=0
v_[i]=0
i.v[i]=0 & v_[i]=Y[i]
v_[i]=Y[i]
-
8/12/2019 Formal Verification Solution
68/80
ComparisonComparison
-
8/12/2019 Formal Verification Solution
69/80
69
Advantage over model checkingAdvantage over model checking productproductspecificationspecification
highly efficient, avoid complexity ofhighly efficient, avoid complexity of productproduct
constructionconstructionover approximate, but can be refined by partialover approximate, but can be refined by partial productproduct
constructionconstruction
Advantage over assumeAdvantage over assume--guarantee paradigmguarantee paradigm implementation independent specificationimplementation independent specification
much less sensitive to implementation changesmuch less sensitive to implementation changes
Other aspects of GSTEOther aspects of GSTE
-
8/12/2019 Formal Verification Solution
70/80
70
Dynamic simulationDynamic simulation
Monitor construction (Hu, Casas, Yang, ICCADMonitor construction (Hu, Casas, Yang, ICCAD
2003)2003)Assertion graphs as test programs (Yang,Assertion graphs as test programs (Yang,
ASPDAC 2005)ASPDAC 2005)
Compositional reasoningCompositional reasoningThrough monitor construction and modelThrough monitor construction and model
checking (Hu, Casas, Yang, CHARME 2003)checking (Hu, Casas, Yang, CHARME 2003)
Real Life Ex. 1: Memory VerificationReal Life Ex. 1: Memory Verification
-
8/12/2019 Formal Verification Solution
71/80
71
Why interesting?Why interesting?
A commonly used unit inA commonly used unit in --processorprocessor
ComplexityComplexity
--
4 banks * 256 entries * 128 bits, 128K+ bits in total4 banks * 256 entries * 128 bits, 128K+ bits in total
Classic SMCClassic SMC capacity limitation causes state space explosioncapacity limitation causes state space explosion
STESTE finite time limitation requires openingfinite time limitation requires opening--up memory internals and explicitup memory internals and explicit(and tedious) symbolic indexing(and tedious) symbolic indexing
bank0
bank1
bank2
bank3
datawr128 alignmask
block
128
dataout
addr[9:0]
we
drive[4:0]
ck align[7:0]begin[4:0]end[4:0]
-
8/12/2019 Formal Verification Solution
72/80
Complexity AnalysisComplexity Analysis
-
8/12/2019 Formal Verification Solution
73/80
73
GSTE Ternary Representation:
addr datawrwrite
row[0]:
row[1]:
row[1023]:
stored
read
Summary:
Black-box verification
Complexity ~170 boolean variables for
128k+ model (~45 ifverifying individual bitsthen a word)
331 seconds on PIII600MHz
< 300 MB (most are forstoring the circuit)
Summary:Summary:
BlackBlack--box verificationbox verification
ComplexityComplexity
~170~170 booleanboolean variables forvariables for128k+ model (~45 if128k+ model (~45 ifverifying individual bitsverifying individual bitsthen a word)then a word)
331 seconds on PIII331 seconds on PIII600MHz600MHz
< 300 MB (most are for< 300 MB (most are forstoring the circuit)storing the circuit)
Real Life Ex.2: Resource SchedulerReal Life Ex.2: Resource Scheduler
-
8/12/2019 Formal Verification Solution
74/80
74
Specification:Specification:
when resource is available (avail = 1), schedule the oldest readwhen resource is available (avail = 1), schedule the oldest readyy uopuop handling 10handling 10 uopsuops at a time, >1k state elements, >17000 gatesat a time, >1k state elements, >17000 gates
priority matrix, CAM, decision logic, powerpriority matrix, CAM, decision logic, power--saving feature etc.saving feature etc.
previous resultprevious result -- hundreds of small properties on priority matrix onlyhundreds of small properties on priority matrix only
CAM
receivinglogic
priority matrix
readylogic
Stagingand
CAMmatch
schedulinglo
gic
Deliveringlogic
uop
alloc
ready
avail
init
out
sched
wrback
Main ResultMain Result
-
8/12/2019 Formal Verification Solution
75/80
75
Specification (basic idea):Specification (basic idea):
scheduleschedule uop[iuop[i], if (1)], if (1) uop[iuop[i] is the oldest ready] is the oldest ready and (2)and (2)resource is availableresource is available
uop[iuop[i] is oldest ready, if (1)] is oldest ready, if (1) uop[iuop[i] is ready] is ready and (2) for all jand (2) for all j i,i,eithereither uop[juop[j] is not ready] is not ready oror uop[iuop[i] arrived earlier than] arrived earlier thanuop[juop[j]]
Model checkingModel checking122.5 seconds, 36M on P4 1.5GHz122.5 seconds, 36M on P4 1.5GHz
scalablescalable -- O(logO(log22 ##uopsuops) variables, BDD was not a bottle) variables, BDD was not a bottle--neck!neck!
RealReal--Life FV ResultsLife FV ResultsIntel Pentium 4 1 5G
-
8/12/2019 Formal Verification Solution
76/80
76
2952951321321212282282241854241854466824668266
361361451451002424406630406630348993489955
24024050050000103103187928187928224332243344
50950911711700401401187928187928224332243333
260260522052204141959562735627357506750622
3636122122446868173671736771871811
MemoryMemory
(MB.)(MB.)
TimeTime(sec.)(sec.)
#Prec.#Prec.NodesNodes
# Spec.# Spec.varsvars
#Gates#Gates#Latches#LatchesEx.Ex.
All cover nonAll cover non--trivial functionalities, a majority from inputs to outputstrivial functionalities, a majority from inputs to outputs
No prior model pruning/abstractionNo prior model pruning/abstraction
Intel Pentium 4 1.5G
-
8/12/2019 Formal Verification Solution
77/80
GSTE in ActionGSTE in Action
-
8/12/2019 Formal Verification Solution
78/80
78
SummarySummaryOperational specification
-
8/12/2019 Formal Verification Solution
79/80
79
GSTEAssertion
Graph
GSTEModel
Checking
QuaternaryAbstraction
Operational specification describe temporal causality relation capture computation flow
Spec. driven implicit state exploration directed by the flow in specification tailored by antecedents
Quaternary circuit abstraction dynamically shaped by the specification tightly integrated in model checking
SummarySummary
-
8/12/2019 Formal Verification Solution
80/80
80
GSTE is for realGSTE is for realhas been used byhas been used by FVersFVers for >2 year on verifyingfor >2 year on verifying
nextnext--gen. Intelgen. Intel --processors with thousands ofprocessors with thousands of
state elementsstate elements((BentlyBently HLDVTHLDVT02, Yang & Seger FMCAD02, Yang & Seger FMCAD02,02,
Schubert ICCADSchubert ICCAD03)03)
Future directionsFuture directionsSpecification reasoningSpecification reasoning
Better specification languageBetter specification language
Abstraction refinementAbstraction refinement
top related