high level design validation: current practices & future trends 17th international conference on...

High Level Design Validation:Current Practices &

Future Trends

17th International Conference on VLSI Design17th International Conference on VLSI Design

Mumbai, IndiaMumbai, India

Januray 5th, 2004Januray 5th, 2004

TUTORIAL No. 3

AuthorsAuthors

Prof. Masahiro FujitaProf. Masahiro FujitaProfessorProfessorDept. of Electronic EngineeringDept. of Electronic EngineeringUniversity of Tokyo, JapanUniversity of Tokyo, JapanEmail: Email: [email protected]@ee.t.u-tokyo.ac.jp

Dr. Mukul PrasadDr. Mukul PrasadMember of Research StaffMember of Research StaffFujitsu Labs. of AmericaFujitsu Labs. of AmericaSunnyvale, CA, USASunnyvale, CA, USAEmail: Email: [email protected]@fla.fujitsu.com

Dr. Indradeep GhoshDr. Indradeep GhoshMember of Research StaffMember of Research StaffFujitsu Labs. of AmericaFujitsu Labs. of AmericaSunnyvale, CA, USASunnyvale, CA, USAEmail: Email: [email protected]@fla.fujitsu.com

Dr. Rajarshi MukherjeeDr. Rajarshi Mukherjee Member of Technical StaffMember of Technical Staff Calypto Design AutomationCalypto Design Automation Santa Clara, CA, USASanta Clara, CA, USA Email: Email: [email protected]@yahoo.com

Outline & IntroductionOutline & Introduction

MASAHIRO FUJITAMASAHIRO FUJITA

University of TokyoUniversity of Tokyo

Tokyo, JapanTokyo, Japan

[email protected]@ee.t.u-tokyo.ac.jp

Tutorial OutlineTutorial Outline

IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions

Necessity of high level verificationNecessity of high level verification

Over 70% of system LSI design time is for “verification”Over 70% of system LSI design time is for “verification” Over 50% reason of “re-spin” of ASIC designs is functional Over 50% reason of “re-spin” of ASIC designs is functional

design errorsdesign errors Need to find as many bugs and as early as possibleNeed to find as many bugs and as early as possible Once “golden models” are created, never introduce Once “golden models” are created, never introduce

design errorsdesign errors

Rem

ain

ing

bugs

Time

Verification methods:Simulation/EmulationVerification methods:Simulation/Emulation

SimulationSimulation Traditional, basic, and flexible techniqueTraditional, basic, and flexible technique Applicable at any design levelsApplicable at any design levels Difficulties in preparing “good” simulation Difficulties in preparing “good” simulation

patternspatterns Getting harder to cover corner casesGetting harder to cover corner cases

EmulationEmulation Can handle Software simultaneouslyCan handle Software simultaneously Cost and time for preparation: not ignorableCost and time for preparation: not ignorable Corner case problemCorner case problem

Spec

Formal VerificationFormal Verification ““Prove” the correctness of designsProve” the correctness of designs

Both design and spec must be represented with Both design and spec must be represented with mathematical modelsmathematical models

Mathematical reasoningMathematical reasoning Equivalence to “all cases” simulationsEquivalence to “all cases” simulations

Possible mathematical modelsPossible mathematical models Boolean function (Propositional logic)Boolean function (Propositional logic)

How to represent and manipulate on computersHow to represent and manipulate on computers First-order logicFirst-order logic

Need to represent “high level” designsNeed to represent “high level” designs Higher-order logicHigher-order logic

Theorem proving = Interactive methodTheorem proving = Interactive method Front-end is very importantFront-end is very important

In many cases, it determines the total performanceIn many cases, it determines the total performance

Mathematicalmodels

Design

Front-endtool

Verificationengines

Formal vs Simulation based VerificationFormal vs Simulation based Verification

Example:Example: Verification of Exclusive-OR circuits: Verification of Exclusive-OR circuits:

z = ~x&y + x&~y ( ‘~’ means compliment)z = ~x&y + x&~y ( ‘~’ means compliment)

G1

G2

G3

G4

x

y

a

b

c

z

Example: Formal vs Simulation (Cont.)Example: Formal vs Simulation (Cont.)

Verification of Exclusive-OR circuit with Verification of Exclusive-OR circuit with “simulation”“simulation” z and ~x&y+x&~y are equal for all casesz and ~x&y+x&~y are equal for all cases Need to simulate 2**N cases Need to simulate 2**N cases

x

y

a

b

c

z

00001111

11110011

11111100

00000000x y z ~x&y+x&~y

Verification of Exclusive-OR circuit with Verification of Exclusive-OR circuit with “formal verification”“formal verification” z = ~b + ~cz = ~b + ~c b = ~x + ~ab = ~x + ~a c = ~a + ~yc = ~a + ~y a = ~x + ~y a = ~x + ~y z = ~b + ~cz = ~b + ~c = ~(~x + ~a) + ~(~a + ~y)= ~(~x + ~a) + ~(~a + ~y) = a&x + a&y= a&x + a&y = (~x + ~y)&x + (~x + ~y)&y= (~x + ~y)&x + (~x + ~y)&y = x&~y + ~x&y= x&~y + ~x&y Axiomatic and Mathematical transformation of Axiomatic and Mathematical transformation of

expressions to reach the specificationexpressions to reach the specification

x

y

a

b

c

z

Example: Formal vs Simulation (Cont.)Example: Formal vs Simulation (Cont.)

Design Representation in High levelDesign Representation in High level

Super state: Need multiple cycles for Super state: Need multiple cycles for executionsexecutions

Op2 Op3

Op4

Op6

Op1

Op5PS3

PS1 PS2PS2

PS3

PS1

a = 42;while (a<100) { b = b + a; if (b > 50) c = c + d; a = a + c; }

SFSMD model

S1 S2

S3

Op2 Op3

Op4

Op6

Op1

Op5

FSMD modelDatapathcircuits

Controlcircuits

Establishmapping

Not so easy...Not so easy... Simulation patterns cannot be used Simulation patterns cannot be used

for formal verification (meaningless for formal verification (meaningless if used)if used)

Properties cannot be “simulated” as Properties cannot be “simulated” as it isit is

Anyway, write down properties...Anyway, write down properties... Assertion-based verificationAssertion-based verification Switch between formal and Switch between formal and

simulation-based dynamicallysimulation-based dynamically ……

Fusing Simulation and Formal Verification: Fusing Simulation and Formal Verification: Semi-formal Verification TechniquesSemi-formal Verification Techniques

SimulationPatterns

Property


IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and decision proceduresTheorem proving and decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions

High-Level Design Flow & High-Level Design Flow & Verification IssuesVerification Issues





Section OutlineSection Outline

System LSI designSystem LSI design From requirement to specification/functional From requirement to specification/functional

descriptionsdescriptions From functional description to implementationFrom functional description to implementation Verification problems in the design Verification problems in the design

methodologymethodology Verification techniques for high level designsVerification techniques for high level designs

System LSI DesignSystem LSI Design

System-on-Chip (SOC) designSystem-on-Chip (SOC) design Increase of design complexityIncrease of design complexity

1E0

1E1

1E2

1E3

1E4

1E5

1E6

1E7

Number of componentsLevel

Gate

RTL

Algorithm

System

Transistor

Ab

stra

ctio

n

Acc

ura

cy

System levelSystem levelSystem levelSystem level

IntroductionIntroduction System-on-Chip (SOC) designSystem-on-Chip (SOC) design Increase of design complexityIncrease of design complexity Move to higher levels of abstractionMove to higher levels of abstraction

1E0

1E1

1E2

1E3

1E4

1E5

1E6

1E7

Number of componentsLevel

Gate

RTL

Algorithm

Transistor

Ab

stra

ctio

n

Acc

ura

cy

System-On-Chip DesignSystem-On-Chip Design Specification to architecture to implementationSpecification to architecture to implementation Behavior to structureBehavior to structure

System level: system specification to system System level: system specification to system architecturearchitecture

RT/IS level: component behavior to component micro-RT/IS level: component behavior to component micro-architecturearchitecture

Specification+ constraints

Memory

Memory

µProcessor

Interface

Comp.IP

Bus

Interface

Interface

Interface

Custom HW

System architecture+ estimates

ProcessorsIPs

MemoriesBusses

RTL/IS Implementation+ results

RegistersALUs/FUsMemories

Gates

Mem RFState

Control

ALU

Datapath

PC

Control Pipeline

State

IF FSM

State

IF FSMIP Netlist

RAM

IR

Memory

What is UML? What is UML? UML is a language for:UML is a language for:

Specifying, Visualizing, Constructing, and Documenting Specifying, Visualizing, Constructing, and Documenting Software ArtifactsSoftware Artifacts

What does a modeling language provide?What does a modeling language provide? Model elementsModel elements: Concepts and semantics: Concepts and semantics NotationNotation: Visual rendering of model elements: Visual rendering of model elements GuidelinesGuidelines: Hints and suggestions for using : Hints and suggestions for using

elements in notationelements in notation

From Requirement to From Requirement to Specification/functional DescriptionsSpecification/functional Descriptions

Representing System ArchitectureRepresenting System Architecture

Conceptual Physical

Logical View

End-user Functionality

Implementation View

Programmers Software management

Process View

PerformanceScalabilityThroughput

System integrators

Deployment View

System topology Delivery, installation

Communication

System engineering

Use Case View

Ready-to-use, expressive visual modeling Ready-to-use, expressive visual modeling language that promotes language that promotes development/Exchangedevelopment/Exchange

Extensibility/specialization of core conceptsExtensibility/specialization of core concepts Independent of programming languages Independent of programming languages

and development processesand development processes Formal basis for understanding languageFormal basis for understanding language Encourage growth of OO tools marketEncourage growth of OO tools market Support higher level design conceptsSupport higher level design concepts

Collaborations, frameworks, patterns, etc.Collaborations, frameworks, patterns, etc.

Integrate the best practices of all OODIntegrate the best practices of all OOD

The Goals of UMLThe Goals of UML

UML Modeling Constructs/diagrams:UML Modeling Constructs/diagrams:Static vs. Dynamic PerspectivesStatic vs. Dynamic Perspectives

A diagram is a view into a modelA diagram is a view into a model Presented from the aspect of a particular Presented from the aspect of a particular

stakeholderstakeholder Provides a partial representation of the systemProvides a partial representation of the system Is semantically consistent with other viewsIs semantically consistent with other views

In UML, there are nine standard diagramsIn UML, there are nine standard diagrams Static ViewsStatic Views: Use Case, Class, Object, : Use Case, Class, Object,

Component, DeploymentComponent, Deployment Dynamic ViewsDynamic Views: Sequence, Collaboration, : Sequence, Collaboration,

Statechart, ActivityStatechart, Activity

Use-Case DiagramsUse-Case Diagrams Class and Object DiagramsClass and Object Diagrams Behavior DiagramsBehavior Diagrams

Statechart DiagramsStatechart Diagrams Activity DiagramsActivity Diagrams

Interaction DiagramsInteraction Diagrams Sequence DiagramSequence Diagram Collaboration DiagramCollaboration Diagram

Implementation DiagramsImplementation Diagrams Component DiagramComponent Diagram Deployment DiagramDeployment Diagram

UML Modeling Constructs/diagrams:UML Modeling Constructs/diagrams:Classification by Capability/timelineClassification by Capability/timeline

Relationship of Models and DiagramsRelationship of Models and Diagrams

Use CaseDiagramsUse Case

DiagramsUse CaseDiagrams

ScenarioDiagramsScenario

DiagramsCollaborationDiagrams

StateDiagramsState

DiagramsComponentDiagrams

ComponentDiagramsComponent

DiagramsDeploymentDiagrams

StateDiagramsState

DiagramsObjectDiagrams

ScenarioDiagramsScenario

DiagramsStatechartDiagrams

Use CaseDiagramsUse Case

DiagramsSequenceDiagrams

StateDiagramsState

DiagramsClassDiagrams

ActivityDiagrams

Models

Description ExampleDescription Example Host interface for compact flash memory Host interface for compact flash memory

Interface between NAND type flash memory and Interface between NAND type flash memory and host PChost PC

Use data buffer for asynchronous data Use data buffer for asynchronous data transfer and protocolstransfer and protocols

Use Case diagramUse Case diagram

Data transferswith protocol change

Confirm and changevarious status

Host PC NANDflashmemory

Design target

Interface between NAND Flash Interface between NAND Flash Memory and the Design TargetMemory and the Design Target

Use Case diagramUse Case diagram

Dataread/write

Confirm/changestatus

NANDflashmemory

Buffer

CPU

Activity DiagramActivity Diagram

Wait

NAND status

Ready

Busy

Send statusto CPU

Wait

ATA command/Interrupt

Interpret command

Data transferb/w Host andthe design target

Send statusto CPU

Sequence DiagramSequence Diagram

Databuffer

Synchro-nous IF CPU

NANDflash memory

Request data transferData transfer

BusyAsk statusReady

Get access rightStart transfer

Data transferFinish transfer

Finish transfer

Abstraction LevelsAbstraction LevelsStructure /

Implementation detailOrder /

Timing detail

Functional Untimed(causality)Specification

Structural Timed (estimated)

Architecture

Gate netlist

Gatedelays

Manufacturing

Bus-functional

Timing- accurate

Communication

RTL/IS Cycle-accurate

Implementation

Application domain MOCs (Matlab, SDF, etc.)

Requirements Constraints

Many small stepsof incremental refinement

Design FlowDesign Flow

Bus-functional

Structural

System design

Specification model

Algor.IP

Proto.IP

Architecture model

Communication synthesis

Communication model

Comp.IP

Implementation model

Softwarecompilation

Interfacesynthesis

Hardwaresynthesis

Backend

RTOSIP

RTLIP

Architecture exploration

Capture

Timed (estimated)

RTL/IS Cycle-accurate

Functional

Structure /Implementation detail

Untimed(causality)

Order /Timing detail

Timing- accurate

SpecC MethodologySpecC MethodologySystem design Validation flow

Specification model

Algor.IP

Proto.IP

Architecture model


Communication model

Comp.IP

Estimation

ValidationAnalysis

Compilation Simulation model

Estimation

ValidationAnalysis


Estimation

ValidationAnalysis



Softwarecompilation

Interfacesynthesis

Hardwaresynthesis

Backend Estimation

ValidationAnalysis


RTOSIP

RTLIP


Capture

Specification ModelSpecification Model

High-level, abstract modelHigh-level, abstract model Pure system functionalityPure system functionality Algorithmic behaviorAlgorithmic behavior No implementation detailsNo implementation details

No implicit structure / architectureNo implicit structure / architecture Behavioral hierarchyBehavioral hierarchy

UntimedUntimed Executes in zero (logical) timeExecutes in zero (logical) time Causal orderingCausal ordering Events only for synchronizationEvents only for synchronization

Specification model


Architecture model

Communication model



Backend

Specification Model ExampleSpecification Model Example

B1

v1

v2

e2

B1

B2 B3

Simple, typical specification modelSimple, typical specification model Hierarchical parallel-serial compositionHierarchical parallel-serial composition Communication through ports and variables, eventsCommunication through ports and variables, events

Architecture ExplorationArchitecture Exploration

Component allocation / Component allocation / selectionselection

Behavior partitioningBehavior partitioning

Variable partitioningVariable partitioning

SchedulingScheduling

Specification model


Architecture model

Communication model



Backend

Allocation, Behavior PartitioningAllocation, Behavior Partitioning

Allocate PEsAllocate PEs

Partition Partition behaviorsbehaviors

Globalize Globalize communicationcommunication

B2 B3c2

B1

v1

B1

Additional level of hierarchy to model PE structure

PE1

PE2

Architecture Model ExampleArchitecture Model Example

B3

B13rcv

B34snd

B2

B1B1

B13snd

B34rcv

PE1

c2

v1

cb13

cb34

PE2

v1

Architecture ModelArchitecture Model

Component structure/architectureComponent structure/architecture Top level of behavior hierarchy Top level of behavior hierarchy

Behavioral/functional component Behavioral/functional component

viewview Behaviors grouped under top-level Behaviors grouped under top-level

component behaviorscomponent behaviors Sequential behavior executionSequential behavior execution

TimedTimed Estimated execution delaysEstimated execution delays

Specification model

Architecture model

Communication model


Backend



Communication SynthesisCommunication Synthesis

Bus allocation / protocol Bus allocation / protocol selectionselection

Channel partitioningChannel partitioning

Protocol, transducer insertionProtocol, transducer insertion

InliningInlining

Specification model

Architecture model

Communication model


Backend



Bus Allocation / Channel PartitioningBus Allocation / Channel Partitioning

B3

B34snd

B2

B1B1

B13snd

B34rcv

PE1

c2

v1

cb13

cb34

PE2

v1

B13rcv

Allocate bussesAllocate busses

Partition channelsPartition channels

Update Update communicationcommunication

Additional level of hierarchy to model bus structure

Bus1

Model after Channel PartitioningModel after Channel Partitioning

B3

B34snd

B2

B1B1

B13snd

B34rcv

PE1

v1

PE2

v1

B13rcv

c2

cb13

cb34

Bus1

Communication Model ExampleCommunication Model Example

ready

ack

address[15:0]

data[31:0]

B3

B34snd

v1

B13rcv

B2

B1B1

B13snd

B34rcv

PE1

v1

PE2

Communication ModelCommunication Model

Component & bus Component & bus structure/architecturestructure/architecture Top level of hierarchyTop level of hierarchy

Bus-functional component modelsBus-functional component models Timing-accurate bus protocolsTiming-accurate bus protocols Behavioral component descriptionBehavioral component description

TimedTimed Estimated component delaysEstimated component delays

Specification model

Architecture model

Communication model


Backend



BackendBackend

Clock-accurate Clock-accurate implementation of PEsimplementation of PEs Hardware synthesisHardware synthesis

Software synthesisSoftware synthesis

Interface synthesisInterface synthesis

Specification model

Architecture model

Communication model


Backend



Hardware SynthesisHardware Synthesis

Schedule operations into clock cyclesSchedule operations into clock cycles Define clock boundaries in leaf behavior C codeDefine clock boundaries in leaf behavior C code Create FSMD model from scheduled C codeCreate FSMD model from scheduled C code

B3

B34snd

v1

B13rcv

PE2

PE2_CLK

PE2_CLK

PE2_CLK

Clock boundaries

Software SynthesisSoftware Synthesis Implement behavior on processor instruction-setImplement behavior on processor instruction-set

Code generationCode generation CompilationCompilation

B2

B1B1

B13snd

B34rcv

PE1

v1

Ff2 MOVE r0, r1

SHL r3 ADD r2, r3, r4 INC r2

PUSH r1 CALL Ff3 POP r0

Interface SynthesisInterface Synthesis

Implement communication on componentsImplement communication on components Hardware bus interface logicHardware bus interface logic

Software bus driversSoftware bus drivers

PE2Bus

IBu

sSla

ve

PE

2Pro

toco

l

IPro

toco

lSla

ve

ready

ack

addr[15:0]

data[31:0]

PE1Bus

IBu

sMas

ter

PE

1Pro

toco

l

IPro

toco

lMas

ter

ready

ack

addr[15:0]

data[31:0]

S0

S1

S2

S3

S4

DRV

Implementation Model ExampleImplementation Model Example

Software processor Custom hardware

ready

ack

address[15:0]

data[31:0]

PE2

PE2_CLKPE1_CLK

OBJ

PORTA

PORTB

INTA

PORTC

PE1

Instruction Set Simulator (ISS)

S0

S1

S2

S3

S4

Implementation ModelImplementation Model

Cycle-accurate system descriptionCycle-accurate system description RTL description of hardwareRTL description of hardware

Behavioral/structural FSMD viewBehavioral/structural FSMD view

Object code for processorsObject code for processors Instruction-set co-simulationInstruction-set co-simulation

Clocked bus communicationClocked bus communication Bus interface timing based on PE clockBus interface timing based on PE clock

Specification model

Architecture model

Communication model


Backend



Support: 1. Modeling EngineSupport: 1. Modeling Engine

Specification model

Architecture model

Communication model

Arch. refinement

Comm. refinement


Capture

Simulate

Compile

Simulate

Simulate

Simulate

Validation

Impl. refinement

Support: 2. Refinement EngineSupport: 2. Refinement Engine

Specification model

Architecture model

Communication model

Arch. refinement

Comm. refinement

Allocation

Beh. partitioning

Scheduling / RTOS

Refinement

Protocol selection

Channel partitioning

Spec. optimization

Arbitration

Impl. refinement


Capture

Cycle scheduling

Protocol scheduling

SW assembly

Browsing

Alg. selection

Validation

Compile

Simulate

Simulate

Simulate

Simulate

Support: 3. Exploration EngineSupport: 3. Exploration Engine

Specification model

Architecture modelEstimation

Profiling

Profiling data

Communication model

Profiling weights

Arch. refinement

Comm. refinement

Estimation results

Estimation

Estimation results

Impl. refinement


Capture

Validation

Protocolmodels

Comp. / IPmodels

Profile

Estimate

Estimate

Refinement

Allocation

Beh. partitioning

Scheduling / RTOS

Protocol selection


Spec. optimization

Cycle scheduling

Protocol scheduling

Browsing

Arbitration

SW assembly

Alg. selection

Simulate

Compile

Simulate

Simulate

Simulate

Support: 4. Synthesis EngineSupport: 4. Synthesis Engine

Specification model


Profiling

Profiling data

Design decisions

Communication model

Profiling weights

Arch. synthesis

Arch. refinement

Comm. synthesis

Comm. refinement

Refinement

Estimation results

Design decisions

Estimation

Impl. synthesis

Estimation results

Design decisionsImpl. refinement


Capture

RTLcomp.

Validation

Protocolmodels

Comp. / IPattributes

Protocolattributes

Comp. / IPmodels

Verify

Synthesize

Synthesize

Synthesize

Verify

Verify

Verify

Compile

Estimate

Simulate

Simulate

Estimate

Simulate

Profile

Simulate

Allocation

Beh. partitioning

Scheduling / RTOS

Protocol selection


Spec. optimization

Cycle scheduling

Protocol scheduling

Browsing

Arbitration

SW assembly

Alg. selection

Tool example: SoC Environment: SCE Tool example: SoC Environment: SCE from UCIfrom UCI

Specification model


Profiling

Profiling data

Communication model

Profiling weights

Arch. refinement

Comm. refinement

Estimation results

Estimation

Estimation results

Impl. refinement


Capture

Validation

Protocolmodels

Comp. / IPmodels

Profile

Estimate

Estimate

Refinement

Allocation

Beh. partitioning

Scheduling / RTOS

Protocol selection


Spec. optimization

Cycle scheduling

Protocol scheduling

Browsing

Arbitration

SW assembly

Alg. selection

Simulate

Compile

Simulate

Simulate

Simulate

Simulate

http://www.ics.uci.edu/~cad/sce.html

Formal verification in SpecC based Formal verification in SpecC based design methodologydesign methodology

C based design C based design description from description from specification (functional) specification (functional) level down to RTLlevel down to RTL

Incremental refinement on Incremental refinement on the SpecC/C descriptionsthe SpecC/C descriptions

Equivalence checking Equivalence checking between refinementsbetween refinements Between sequential and Between sequential and

parallel descriptions parallel descriptions Between two same control Between two same control

structuresstructures Property checking on each Property checking on each

refinementrefinement

Specificationin C

Refined description for hardware partsSoftware parts remain the same

Refined descriptionwith concurrency

Removal of pointer,recursive calling

Introduction ofconcurrency(SpecC or SystemCmay be used here) To RTL

design: Refinement step

Equivalence checking between two descriptions

Figure 1. C-based system design flow

Model checking on each description

Execution semantics in SpecCExecution semantics in SpecC

Sequentiality rule:Sequentiality rule:Tstart(B1) <= Tstart(a) < Tend(a) <=Tstart(B1) <= Tstart(a) < Tend(a) <=

Tstart(b) < Tend(b) <= Tstart(b) < Tend(b) <= Tstart(c) < Tend(c) <= Tend(B1) Tstart(c) < Tend(c) <= Tend(B1)

Sequential execution within a threadSequential execution within a thread

behavior B1{ void main(void) { a.main(); b.main(); c.main(); }};

B1

a b c

time

ExampleExample

d

a b c

time

B

e f

Execution semantics in SpecC (cont.)Execution semantics in SpecC (cont.)

Possible Schedule

Sequentiality rule:Sequentiality rule:Tstart(B) <= Tstart(a) < Tend(a) <=Tstart(B) <= Tstart(a) < Tend(a) <=

Tstart(b) < Tend(b) <= Tstart(b) < Tend(b) <= Tstart(c) < Tend(c) <= Tend(B) Tstart(c) < Tend(c) <= Tend(B)

Tstart(B) <= Tstart(d) < Tend(d) <=Tstart(B) <= Tstart(d) < Tend(d) <= Tstart(e) < Tend(e) <= Tstart(e) < Tend(e) <= Tstart(f) < Tend(f) <= Tend(B) Tstart(f) < Tend(f) <= Tend(B)

behavior B2{ void main(void) { d.main(); e.main(); f.main();} };

behavior B1{ void main(void) { a.main(); b.main(); c.main();} };

behavior B{ void main(void) { par { b1.main(); b2.main();} }};

Example: concurrencyExample: concurrency

Execution semantics in SpecC (cont.)Execution semantics in SpecC (cont.)

Waitfor rule: Waitfor rule: 0 <= Tstart(a) < Tend(a) < 10 <= Tstart(a) < Tend(a) < 10 <= Tstart(w) < Tend(w) = 100 <= Tstart(w) < Tend(w) = 1010 <= Tstart(b) < Tend(b) < 1110 <= Tstart(b) < Tend(b) < 11

behavior B{ void main(void) { a.main(); waitfor 10; b.main(); } };

a w b

timet = 0 t = 1 t = 10 t = 11

Time-interval formalism Time-interval formalism Simulation time Simulation time Only waitfor increases simulation timeOnly waitfor increases simulation time Other statements execute in zero simulation timeOther statements execute in zero simulation time

ExampleExample

Synchronization SemanticsSynchronization Semantics wait/notify rule in time-interval formalism:wait/notify rule in time-interval formalism:

waitwait cannot proceed until it receives a notified cannot proceed until it receives a notified eventevent

notified event is validnotified event is validuntil a until a waitwait or or waitforwaitfor statement is reached statement is reached

Example:Example: Notify-wait rule derives: Tend(w) >= Tend(n)Notify-wait rule derives: Tend(w) >= Tend(n)

wait cannot proceed until it receives notified eventwait cannot proceed until it receives notified event

a w b

c n d

A

B

thread

time

‘wait e1’ starts

‘notify e1’ done

‘wait e1’ succeeds

this order is guaranteed!

behavior A: a.main(); wait e1; b.main();behavior B: c.main(); notify e1; d.main();

void A() {

}void B() {

}

void main() { A(); B(); C();}

void C() {

}

Incremental Refinement Steps Incremental Refinement Steps

A

B

C

Starting with a functional model, make each part more Starting with a functional model, make each part more detaileddetailed A1, B1, and C1 are refinement of A, B, and C respectivelyA1, B1, and C1 are refinement of A, B, and C respectively

void A1() {

}void B1() {

}

void main() { A1(); B1(); C1();}

void C1() {

}

A1

B1

C1

Incremental Refinement StepsIncremental Refinement Steps

A1 B1

void A1() {

}void B1() {

}

void main() { par{ A1.main(); B1.main(); } C1.main();}

void C1() {

}

C1

Change of control structuresChange of control structures IF-THEN-ELSEIF-THEN-ELSE Sequential to parallelSequential to parallel

void A1() {

}void B1() {

}

void main() { A1(); B1(); C1();}

void C1() {

}

A1

B1

C1

notify wait

Incremental Refinement StepsIncremental Refinement Steps

A2 B2

void A1() {

}void B1() {

}


void C1() {

}

C2

Again make each part more detailedAgain make each part more detailed A2, B2, and C2 are refinement of A1, B1, and C1 A2, B2, and C2 are refinement of A1, B1, and C1

respectivelyrespectively

A1 B1

void A1() {

}void B1() {

}


void C1() {

}

C1

notify wait

notify wait

Equivalence Checking Comparison of Equivalence Checking Comparison of two Descriptions with Same Controltwo Descriptions with Same Control

A1 B1

void A1() {

}void B1() {

}


void C1() {

}

C1

If A and A1, B and B1, C and C1 are equivalent, then entire If A and A1, B and B1, C and C1 are equivalent, then entire descriptions are equivalentdescriptions are equivalent Comparison of two “similar” descriptionsComparison of two “similar” descriptions

A B

void A() {

}void B() {

}

void main() { par{ A.main(); B.main(); } C.main();}

void C() {

}

C

notify wait

notify wait

void A() {

}void B() {

}

void main() { A(); B(); C();}

void C() {

}

Equivalence Checking between Equivalence Checking between Sequential and Parallel VersionsSequential and Parallel Versions

A

A B

B

C

void A() {

}void B() {

}


void C() {

}

C

Based on synchronization verification, prove equivalenceBased on synchronization verification, prove equivalence Extraction of synchronizationExtraction of synchronization and dependency analysis and dependency analysis

notify-wait pairare supposed to communicate !

notify wait

void A() {

}void B() {

}

void main() { A(); B(); C();}

void C() {

}

Various SpecC Description Refinements Various SpecC Description Refinements

A

B

C

Starting from pure functional ones, refine them into Starting from pure functional ones, refine them into more HW/SW oriented onesmore HW/SW oriented ones

void A1() {

}void B1() {

}

void main() { A1(); B1(); C1();}

void C1() {

}

A1

B1

C1

SpecC Description Refinements (cont.)SpecC Description Refinements (cont.)

A1 B1

void A1() {

}void B1() {

}


void C1() {

}

C1

From sequential ones to parallel onesFrom sequential ones to parallel ones

void A1() {

}void B1() {

}

void main() { A1(); B1(); C1();}

void C1() {

}

A1

B1

C1

SpecC Description Refinements (cont.)SpecC Description Refinements (cont.)

A2 B2

void A1() {

}void B1() {

}


void C1() {

}

C2

More refinement on each block of descriptionsMore refinement on each block of descriptions

A1 B1

void A1() {

}void B1() {

}


void C1() {

}

C1

Equivalence Checking between Equivalence Checking between Same Control StructuresSame Control Structures

A1 B1

void A1() {

}void B1() {

}


void C1() {

}

C1

The two below are equivalence, if A and A1, B and B1, C and C1 The two below are equivalence, if A and A1, B and B1, C and C1 are equivalentare equivalent Equivalence checking between two very similar descriptionsEquivalence checking between two very similar descriptions

A B

void A() {

}void B() {

}


void C() {

}

C

void A() {

}void B() {

}

void main() { A(); B(); C();}

void C() {

}

Equivalence Checking between Equivalence Checking between Sequential and Parallel StructuresSequential and Parallel Structures

A

A B

B

C

void A() {

}void B() {

}


void C() {

}

C

For example, if A and B are totally independent computations, they For example, if A and B are totally independent computations, they are equivalentare equivalent Extract control structureExtract control structure and check the final computation is equal and check the final computation is equal

Verification ofSynchronization

void A() {

}void B() {

}

void main() { A(); B(); C();}

void C() {

}

Synchronization Verification: Synchronization Verification: Par Statement in SpecCPar Statement in SpecC

A

A B

C Language SpecC Language

B

C

void A() {

}void B() {

}


void C() {

}

C

Synchronization in SpecCSynchronization in SpecC

Add notify/wait of event e for sync.Add notify/wait of event e for sync. ‘‘wait’ will stop process until it is ‘notify’ wait’ will stop process until it is ‘notify’

A B

void A() {

}void B() {

}

void main() { par { A.main(); B.main(); }}

notify e1;wait e2;

wait e1;notify e2; wait e1

Process B stopsand wait untile1 is notified

notify e1

B resumeswait e2

Process A stopsand wait untile2 is notified

notify e2

A resumes

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ }} behavior b { main() { x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3

Tas T1s T1e T2s T2e Tae

Tbs T3s T3e Tbe

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3


Tbs T3s T3e Tbe

Synchronization by Notify/wait

Synchronization in SpecC (cont.)Synchronization in SpecC (cont.)

Ambiguous results on y causing from x = 10; /*st1*/x = 20; /*st3*/

y = 20 (always)

Synchronization in SpecC (cont.)Synchronization in SpecC (cont.)

y = 20 (always)

main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}

time

a.main()

b.main()

St1 St2

St3


Tbs T3s T3e Tbe

Synchronization by Notify/wait

Tas=Tbs, Tae=TbeTas=Tbs, Tae=Tbe Tas<=T1s<T1e<=T2s<T2e<=TasTas<=T1s<T1e<=T2s<T2e<=Tas Tbs<=T3s<T3e<=TbeTbs<=T3s<T3e<=Tbe T2e<=T3sT2e<=T3s

Basic Method: Symbolic SimulationBasic Method: Symbolic Simulation

Example of checking the behavioral Example of checking the behavioral consistency based on symbolic simulationconsistency based on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass

a = v1;b = v2;add1 = a + b;

Description 1

add2 = v1 + v2;

Description 2

EqvClass

Symbolic simulation

We are going to check the equivalencebetween add1 and add2

** Further discussed in later Section Further discussed in later Section

Symbolic Simulation ExampleSymbolic Simulation Example

This is an example of equivalence checking This is an example of equivalence checking based on symbolic simulationbased on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass

a = v1;b = v2;add1 = a + b;

Description 1

add2 = v1 + v2;

Description 2

EqvClass

Symbolic simulation

E1 (a, v1)E2 (b, v2)E3 (add1, a+b)

Description1 is simulated



a = v1;b = v2;add1 = a + b;

Description 1

add2 = v1 + v2;

Description 2

EqvClass

Symbolic simulation

E1 (a, v1)E2 (b, v2)E3 (add1, a+b)E4 (add2, v1+v2)

Description2 is simulated



a = v1;b = v2;add1 = a + b;

Description 1

add2 = v1 + v2;

Description 2

EqvClass

Symbolic simulation

E1 (a, v1)E2 (b, v2)E3 (add1, a+b)E4 (add2, v1+v2)

Due to the equivalencesin E1, E2



a = v1;b = v2;add1 = a + b;

Description 1

add2 = v1 + v2;

Description 2

EqvClass

Symbolic simulation

E1 (a, v1)E2 (b, v2)E3’ (add1, a+b, add2, v1+v2)

E3 & E4 are mergedinto E3’

Program Slicing for C/SpecCProgram Slicing for C/SpecC

The codes to be symbolically simulated are extracted The codes to be symbolically simulated are extracted by program slicingby program slicing This means This means onlyonly extracted codes will be simulated for extracted codes will be simulated for

verificationverification Program slicing can extract the codes that can affect Program slicing can extract the codes that can affect

(be affected by) a variable(be affected by) a variable Two kinds of slicing: backward slicing and forward Two kinds of slicing: backward slicing and forward

slicingslicing Based on C program slicer, program slicer for SpecC Based on C program slicer, program slicer for SpecC

is developed based on VHDL program slicer [Shankar]is developed based on VHDL program slicer [Shankar] IF the two descriptions have the same control structures, a IF the two descriptions have the same control structures, a

little bit of extension is enoughlittle bit of extension is enough

Backward SlicingBackward Slicing

Backward slicing for a variable Backward slicing for a variable vv extracts extracts all codes that affect the variable all codes that affect the variable vv

a = 2;

b = 3;

c = 5;

a = a + 10;

b = a * c; /start/

c = c + a;

a = a * b;

a = 2;

b = 3;

c = 5;

a = a + 10;

b = a * c; /start/

c = c + a;

a = a * b;

Backward slicing

Forward SlicingForward Slicing

Forward slicing for a variable Forward slicing for a variable v v extracts all extracts all codes that are affected by the variable codes that are affected by the variable vv

a = 2;

b = 3;

c = 5;

a = a + 10;

b = a * c; /start/

c = c + a;

a = a * b;

Forward slicinga = 2;

b = 3;

c = 5;

a = a + 10;

b = a * c; /start/

c = c + a;

a = a * b;

Efficient Equivalence CheckingEfficient Equivalence Checking Comparison of two similar design descriptionsComparison of two similar design descriptions

Extract textual differencesExtract textual differences Dependency analysis by program slicing type Dependency analysis by program slicing type

techniquestechniques Symbolically simulate the real difference and analyze Symbolically simulate the real difference and analyze

the resultsthe results

Description1 Description2

return a; return a; return a; return a;

: textual differences

Description1 Description2

Verification Flow (1)Verification Flow (1)

Description 1 Description 2

Pre-processes

Identification of textual differences & ordering them

Output the set of textual differences (d1, d2, d3, …)

Identification of Textual DifferencesIdentification of Textual Differences

First, textual differences are identified by “diff”First, textual differences are identified by “diff” Then, they are sorted in the order of executionThen, they are sorted in the order of execution

int v1, v2, out, opcode;v1 = 3;v2 = 5;if(opcode == 1) { out = v1 + v2;}

Description 1

int v1, v2, out, opcode;int reg1, reg2, alu;v1 = 3;v2 = 5;reg1 = v1;reg2 = v2;if(opcode == 1) { alu = reg1 + reg2; out = alu;}

Description 2

d1

d2

d3

Consistencyis proved


Is there any differences left?

Decision of target variables

Backward slicing

Symbolic simulation

Symbolic simulation

Forward slicing

Yes

NoVerification terminates successfully

An erroneous trace is reported

Consistency is not proved



(d1, d2, d3, …)




Backward slicing

Symbolic simulation

Symbolic simulation

Forward slicing

Yes



Consistencyis proved Consistency is not proved



(d1, d2, d3, …)

Decision of Target VariablesDecision of Target Variables A variable A variable vv in a difference in a difference dd is a target variable, is a target variable,

When the variable When the variable vv is defined in both descriptions, and is defined in both descriptions, and assigned in the difference assigned in the difference dd

int v1, v2, out, opcode;v1 = 3;v2 = 5;if(opcode == 1) { out = v1 + v2;}

Description 1

int v1, v2, out, opcode;int reg1, reg2, alu;v1 = 3;v2 = 5;reg1 = v1;reg2 = v2;if(opcode == 1) { alu = reg1 + reg2; out = alu;}

Description 2

d1

d2

d3


Case SplitCase Split



Backward slicing

Symbolic simulation

Symbolic simulation

Forward slicing

Yes






(d1, d2, d3, …)

Symbolic Simulation/ Bounded Symbolic Simulation/ Bounded Model CheckingModel Checking

Reduced to Boolean SAT problems (OBDD or SAT)Reduced to Boolean SAT problems (OBDD or SAT)

Is there an input

pattern generating “one” at the

output

0x nx…

… …

Mem.

Expand k times

0y

my my

0y

… … …

Cycle 1 Cycle 2 Cycle k

…

…

00x 0

nx 1nx1

0x kx0knx

00y

0my

10y

1my

ky0

kmy

… … …

Checker Circuit

Convert

Property

(reset && X(reset) && XX(reset) &&c) ⇒ （ XX(out)=in)

Approaches for Verifying High-level DesignsApproaches for Verifying High-level Designs

Propositional logic First-order logic, ...⇒Propositional logic First-order logic, ...⇒ e.g. Abstraction of arithmetic op’s by symbols(<, +, *,...)e.g. Abstraction of arithmetic op’s by symbols(<, +, *,...)

ApproachesApproaches SAT for Logic of uninterpreted functions with equality SAT for Logic of uninterpreted functions with equality

Equivalence checking without considering meaning of Equivalence checking without considering meaning of functionsfunctions

Hybrid SATHybrid SAT SAT for Boolean formulas with linear constraintsSAT for Boolean formulas with linear constraints

ToolTool SVC(Stanford Validity Checker) toolSVC(Stanford Validity Checker) tool

– Boolean logic, linear programming, uninterpreted Boolean logic, linear programming, uninterpreted function,. arrays..function,. arrays..

Logic of Uninterpreted Functions with Logic of Uninterpreted Functions with EqualityEquality

Arithmetic operations are handled as symbolsArithmetic operations are handled as symbols

Equivalence checking :“Design 1 = Design 2 ?”Equivalence checking :“Design 1 = Design 2 ?” There is a decision procedure.There is a decision procedure. Can be checked by SVC tool.Can be checked by SVC tool.

f Yx

yc

Y:= if c then x else f(x,y)1

0

AbstractionAbstraction

Like to handle very large Like to handle very large descriptionsdescriptions

Reduction of the number Reduction of the number of states is a mustof states is a must Merging multiple states Merging multiple states

into a single stateinto a single state Abstracted designs contain Abstracted designs contain

more behaviors than the more behaviors than the originalsoriginals

False-negative results False-negative results possible, but never false-possible, but never false-positivepositive

A set of behaviors of the abstracted design

A set of behaviorsof the original design

** Further discussed in later Section Further discussed in later Section


If some property holds,If some property holds, then the original design is correctthen the original design is correct Otherwise,Otherwise,

the design is incorrect, or the the design is incorrect, or the abstraction is too strongabstraction is too strong

Refinement is necessary to Refinement is necessary to prove the propertyprove the property

Behaviors allowed by a property

“The property holds”. “The property does not hold”.

incorrect

abstraction is too strong

Indistinguishablefrom the verification

result for the abstracted design

Model Checking of C programsModel Checking of C programs

Basic techniquesBasic techniques abstraction, model checking, and error analysis + abstraction, model checking, and error analysis +

refinementrefinement

ModifiedProgram

Ｃ Program

Properties

AbstractedBoolean Program

Counter-example

New constraint

s

Abstraction

Model

Checking

Error analysis

Bugs

Correct

Microsoft’s SLAM tool

Theorem Proving & Decision Theorem Proving & Decision ProceduresProcedures





Symbolic LogicSymbolic Logic

Symbolic logic deals with the structure of Symbolic logic deals with the structure of reasoningreasoning

It defines ways to deal with relationships It defines ways to deal with relationships between conceptsbetween concepts

Provides ways to compose proofs of Provides ways to compose proofs of statementsstatements

Provides ways to express statements in a Provides ways to express statements in a precise, compact and symbolic mannerprecise, compact and symbolic manner

Symbolic Logic (cont.)Symbolic Logic (cont.)

More precisely, a formal symbolic More precisely, a formal symbolic logic consists of logic consists of A notation (symbols and syntax)A notation (symbols and syntax)

A set of axioms (facts)A set of axioms (facts) A set of inference rules (deduction A set of inference rules (deduction

sheme)sheme)

Types of Symbolic LogicTypes of Symbolic Logic

Propositional Logic – commonly known as Propositional Logic – commonly known as Boolean algebraBoolean algebra Variables in this algebra Variables in this algebra {0,1} {0,1}

First Order LogicFirst Order Logic Existential (Existential () and Universal () and Universal () quantifiers ) quantifiers

over variables over variables

Higher Order LogicHigher Order Logic Existential and Universal quantification over Existential and Universal quantification over

sets and functionssets and functions

Key Features of a TheoryKey Features of a Theory

Expressiveness Expressiveness what kind of statements can be written what kind of statements can be written

in the theoryin the theory Completeness Completeness

all valid formulas are provableall valid formulas are provable DecidabilityDecidability

there exists an algorithm to deduce the there exists an algorithm to deduce the truth of any formula in the theorytruth of any formula in the theory

Comparison of Types of LogicComparison of Types of Logic

PropositionalPropositional Least expressive, decidable, completeLeast expressive, decidable, complete

First Order LogicFirst Order Logic More expressive, decidable, not More expressive, decidable, not

completecomplete Higher Order LogicHigher Order Logic

Most expressive, not decidable, not Most expressive, not decidable, not completecomplete

First-Order LogicFirst-Order Logic

First-Order Logic First-Order Logic theory in symbolic logic theory in symbolic logic formalizes quantified statements formalizes quantified statements

E.g: “there exists an object such that…” or “for all objects, it is E.g: “there exists an object such that…” or “for all objects, it is the case that…”the case that…”

Statements in first-order logic built using:Statements in first-order logic built using: VariablesVariables x, yx, y ConstantsConstants 0, C, 0, C, FunctionsFunctions f (x ), x + yf (x ), x + y PredicatesPredicates p (x ), x > y, x = yp (x ), x > y, x = y Boolean connectivesBoolean connectives , , , , , , QuantifiersQuantifiers , ,

First-Order TheoriesFirst-Order Theories

A first-order theory A first-order theory a set of first-order statements about a related a set of first-order statements about a related

set of constants, functions, and predicates.set of constants, functions, and predicates. Example:Example:

A theory of arithmetic might include the A theory of arithmetic might include the following statements about following statements about 00 and and ++::

x. ( x + 0 = x )x. ( x + 0 = x )

x,y. (x + y = y + x )x,y. (x + y = y + x )

Validity of an Expression in a TheoryValidity of an Expression in a Theory

Given Given a theory and an expression a theory and an expression

Using Using building blocks of that theorybuilding blocks of that theory if expression evaluates to true for every if expression evaluates to true for every

evaluation, then it is valid in the theoryevaluation, then it is valid in the theory Example: Example:

X >= 0 is a valid expression in positive real X >= 0 is a valid expression in positive real arithmeticarithmetic

Validity Checking & UndecidabilityValidity Checking & Undecidability

Given a theory Given a theory in first-order logic and an in first-order logic and an expression expression we wish to prove that we wish to prove that is valid is valid in in Validity of Validity of in in is written as is written as |= |= Undecidability of FOLUndecidability of FOL

A well-known result states that in general it is undecidable A well-known result states that in general it is undecidable whether a FOL formula is valid in a given first-order whether a FOL formula is valid in a given first-order theorytheory

However with appropriate restrictions on However with appropriate restrictions on and and the theory can be made decidable and practical the theory can be made decidable and practical programs can be built around itprograms can be built around it

Why is Validity Checking Interesting?Why is Validity Checking Interesting?

Many practical problems can be posed as Many practical problems can be posed as formulas in a certain theory or a formulas in a certain theory or a combination of theoriescombination of theories

A proof of validity of this formula results in a A proof of validity of this formula results in a solution to the problemsolution to the problem ExampleExample

Scheduling of complex operations in a manufacturing Scheduling of complex operations in a manufacturing plantplant

Proof SystemProof System

A formal proof in a theory A formal proof in a theory a set of steps of statements a set of steps of statements a statement is derived from a previous statement using a a statement is derived from a previous statement using a

set of defined inference rulesset of defined inference rules Rewrite rulesRewrite rules

deal with mechanical massaging of statements deal with mechanical massaging of statements irrespective of the meaning of the statementsirrespective of the meaning of the statements

Key requirement of a proof system Key requirement of a proof system soundness : all provable formulas are logically true!soundness : all provable formulas are logically true!

A proof system need not be complete or decidable A proof system need not be complete or decidable in order to be useful!in order to be useful!

Theorem ProverTheorem Prover

Given Given a theory, a proof system, and a formula whose a theory, a proof system, and a formula whose

validity must be provedvalidity must be proved a system that allows a user to carry out the a system that allows a user to carry out the

proof is broadly classified as a theorem proverproof is broadly classified as a theorem prover AdvantagesAdvantages

Expressive, high abstraction, powerful Expressive, high abstraction, powerful reasoning, reasoning,

DisadvantagesDisadvantages Low automation, expert knowledge requiredLow automation, expert knowledge required

Automated vs. Interactive Theorem Automated vs. Interactive Theorem Proving Proving John Rushby, SRI, asserts “John Rushby, SRI, asserts “There are no fully There are no fully

automatic theorem proversautomatic theorem provers”.”. For best performance most theorem provers require For best performance most theorem provers require

user guidanceuser guidance Variable ordering, weighting of literals, function symbols, Variable ordering, weighting of literals, function symbols,

strategy selection, orientation of equations, invention of strategy selection, orientation of equations, invention of ordering lemmas, induction hintsordering lemmas, induction hints

Automation in certain domainsAutomation in certain domains Propositional logic using SAT solvers, BDDsPropositional logic using SAT solvers, BDDs Linear arithmetic – integer/linear programmingLinear arithmetic – integer/linear programming Temporal logic – model checkingTemporal logic – model checking Induction (Boyer-Moore heuristics)Induction (Boyer-Moore heuristics)

Well-known Theorem ProversWell-known Theorem Provers

Higher order: ALF, Alfa, Coq, HOL, PVSHigher order: ALF, Alfa, Coq, HOL, PVS Logical Frameworks: Isabelle, LF, TwelfLogical Frameworks: Isabelle, LF, Twelf Inductive: ACL2, InkaInductive: ACL2, Inka Automated: Gandalf, TPS, Otter, Setheo, Automated: Gandalf, TPS, Otter, Setheo,

SPASSSPASS EQP, Maude, SVCEQP, Maude, SVC Provers used in Verification – Provers used in Verification – HOL, PVS, HOL, PVS,

ACL2, SVCACL2, SVC

PVSPVS

A

PVS File

System model

FormulaeTo be proved

Proofs

• Owre et al., 1992 at SRIOwre et al., 1992 at SRI

• System model is translated either automatically or manuallySystem model is translated either automatically or manually• Formulae to be proved are also translated from their native formsFormulae to be proved are also translated from their native forms• Proofs are usually carried out interactivelyProofs are usually carried out interactively

PVS MethodologyPVS Methodology

Automate everything that is decidableAutomate everything that is decidable Propositional calculus, linear arithmetic, finite-state Propositional calculus, linear arithmetic, finite-state

model checkingmodel checking Heuristic automation for obvious cases for other Heuristic automation for obvious cases for other

problemsproblems Hashing conditional rewriter integrated with decision Hashing conditional rewriter integrated with decision

proceduresprocedures Instantiation, inductionInstantiation, induction

Human control for things difficult to automateHuman control for things difficult to automate Sequent calculus presentationSequent calculus presentation Tactic language for defining higher-level proof strategiesTactic language for defining higher-level proof strategies

Stanford Validity Checker (SVC)Stanford Validity Checker (SVC)

Started with applications to processor verificationStarted with applications to processor verification [Burch and Dill ‘94][Burch and Dill ‘94] [Jones et al. ‘95][Jones et al. ‘95]

Applications since releaseApplications since release Symbolic simulation Symbolic simulation [Su et al. ‘98][Su et al. ‘98] Software specification checking Software specification checking [Park et al. ‘98][Park et al. ‘98] Infinite-state model checking Infinite-state model checking [Das and Dill ‘01][Das and Dill ‘01] Theorem prover proof assistance Theorem prover proof assistance [Heilmann ‘99][Heilmann ‘99] Integration into programming languages Integration into programming languages [Day et al. ‘99][Day et al. ‘99]

Overall Flow of SVCOverall Flow of SVC Given an expression whose validity has to be Given an expression whose validity has to be

checkedchecked Choose an atomic formula Choose an atomic formula ƒ ƒ in the expressionin the expression Case split on the atomic formulaCase split on the atomic formula

Create two subformulas, for Create two subformulas, for ƒƒ = 0, and = 0, and ƒ = ƒ = 11 Simplify the two subformulasSimplify the two subformulas Iteratively check the validity of the two subformulasIteratively check the validity of the two subformulas

Example: Example: ( ( x x << y ) y ) ( y ( y < < x ) x ) ( x ( x == y ) y ) Choose Choose f = ( x < y )f = ( x < y ) Case split on f to get two subformulasCase split on f to get two subformulas

Simplify

Simplify

( true ) ( y < x )

true

( false ) ( y < x ) ( x = y ) ( y < x ) ( x = y )

Example (cont.)Example (cont.)

( y ( y < < x ) x ) ( x ( x == y ) y ) Choose Choose f = ( y f = ( y < < x ) x ) Case splitting gives two subformulasCase splitting gives two subformulas

true true ( x ( x == y ) true y ) true

false false ( x ( x == y ) ( x y ) ( x == y ) y )

Case splitting onCase splitting on f = ( x = y ) f = ( x = y ) gives two subformulasgives two subformulas

true and falsetrue and false The only false node is formula:The only false node is formula: ( x y ) ( y x ) ( x y )

Simplify

Simplify

If this formula can be proved unsatisfiable by theory then formula is a If this formula can be proved unsatisfiable by theory then formula is a tautologytautology

How is Validity Checking done?How is Validity Checking done? The validity checker is built on top of a core The validity checker is built on top of a core

decision procedure for decision procedure for satisfiabilitysatisfiability in a theory in a theory of a set of literals in the theory of a set of literals in the theory A literal is an atomic formula or its negationA literal is an atomic formula or its negation The core decision procedure depends on the The core decision procedure depends on the

theorytheory e.g. a Satisfiability Solver can be used for Propositional e.g. a Satisfiability Solver can be used for Propositional

LogicLogic

SVC proposesSVC proposes use of several decision theories targeted to use of several decision theories targeted to

several theories several theories gives the strongest decision proceduregives the strongest decision procedure

Need for Multiple TheoriesNeed for Multiple Theories

Why are multiple theories needed?Why are multiple theories needed? Most real-life problems when cast into a problem Most real-life problems when cast into a problem

of proving validity of a formula span a set of of proving validity of a formula span a set of theoriestheories Propositional logicPropositional logic Bit-vectors and arraysBit-vectors and arrays Real, linear arithmeticReal, linear arithmetic Uninterpreted functions & predicatesUninterpreted functions & predicates

A decision procedure isA decision procedure is a combination of theories must be able to a combination of theories must be able to

combine decision procedures that reason in combine decision procedures that reason in each of these theories!each of these theories!

How are Multiple Decision How are Multiple Decision Procedures Combined?Procedures Combined?

Shostak’s methodShostak’s method 1984 [Shostak ‘84]1984 [Shostak ‘84] Future corrections & clarificationsFuture corrections & clarifications

[Cyrluk et al. ‘96][Cyrluk et al. ‘96] [Ruess and Shankar ‘01][Ruess and Shankar ‘01]

Used in several automated deduction systemsUsed in several automated deduction systems PVS, STeP, SVCPVS, STeP, SVC

Shostak’s Method - CanonizerShostak’s Method - Canonizer

Two main componentsTwo main components CanonizerCanonizer SolverSolver

The canonizer rewrites terms into a unique The canonizer rewrites terms into a unique formform == a a == b b canon canon ((a a ) ) == canon canon ((b b ))

Examples of canonizer for linear arithmeticExamples of canonizer for linear arithmetic canoncanon ( (a a ++ a a ) ) == 2 2aa Unique ordering of variablesUnique ordering of variables

canoncanon ( b + a ) = a + b( b + a ) = a + b

Shostak’s Method – Solved formShostak’s Method – Solved form

Solved form – A set of equations Solved form – A set of equations is said to is said to be in solved form if the variable on the LHS be in solved form if the variable on the LHS of each equation appears in the set only onceof each equation appears in the set only once In solved form: In solved form: a = xa = x + c+ c

b = 2x + yb = 2x + y Not in solved form: Not in solved form: a = b + ca = b + c

x = a + zx = a + z RR denotes replacement of each LHS denotes replacement of each LHS

variable occuring in any RHS with its variable occuring in any RHS with its equationequation R R ((a + xa + x) ) = = 2b + 2c + z2b + 2c + z

Shostak’s Method - SolverShostak’s Method - Solver

The solver transforms an equation into a The solver transforms an equation into a corresponding set of equations in solved formcorresponding set of equations in solved form If If == a a b b , then , then solve solve ((a a == b b ) ) == { { false false }} Otherwise:Otherwise:

solve solve ((a a == b b ) ) == a set of equations a set of equations in solved formin solved form == ((a a == b b x.x. ))

– xx is a set of fresh variables appearing in is a set of fresh variables appearing in , but not in , but not in aa or or bb..

Example: solver for real linear arithmeticExample: solver for real linear arithmetic solve solve ((x x -- y y -- z z == 0 ) 0 ) = = { { x x == y y ++ z z }} solvesolve ( (x x ++ 1 1 == x x -- 1 ) 1 ) = = { { false false }}

The Simplified Shostak AlgorithmThe Simplified Shostak Algorithm

Simplified algorithm due to Clark Barrett, Simplified algorithm due to Clark Barrett, NYUNYU

Given a set of equations Given a set of equations EE and and disequations disequations DD Step 1: Use the solver to convert Step 1: Use the solver to convert EE into an into an

equisatisfiable set of equations equisatisfiable set of equations E’E’ in solved form in solved form Step 2: Use this set of equations together with Step 2: Use this set of equations together with

the canonizer to check if any disequality is the canonizer to check if any disequality is violatedviolated For each For each a a b b DD Check if Check if canon canon ((E’E’ ( (a a ) ) ) ) == canon canon ((E’E’ ( (b b ) )) )

Combining Theories in ShostakCombining Theories in Shostak

Two Shostak theories Two Shostak theories 11 and and 22 can be can be

combined under certain restrictions to combined under certain restrictions to form a new Shostak theory form a new Shostak theory == 22 2 2

Solvers from two theories can be Solvers from two theories can be combinedcombined

Treating terms from other theory as variablesTreating terms from other theory as variables Repeatedly apply solvers from each theory until Repeatedly apply solvers from each theory until

resulting set of equations is in solved formresulting set of equations is in solved form Issue of applying appropriate constraints to the Issue of applying appropriate constraints to the

variables from other theories is trickyvariables from other theories is tricky

Summing UpSumming Up

A very powerful proof methodologyA very powerful proof methodology can describe and prove properties on the most wide array of can describe and prove properties on the most wide array of

systems and abstractionssystems and abstractions

Proof is not fully automaticProof is not fully automatic requires manual interventionrequires manual intervention requires expertise and understanding of modeling conceptsrequires expertise and understanding of modeling concepts some proofs may not terminatesome proofs may not terminate

Industrial useIndustrial use not yet very popularnot yet very popular some dedicated specialized use in Intelsome dedicated specialized use in Intel need to make procedure more automated for practical useneed to make procedure more automated for practical use


Introduction Introduction Design flow and verification issuesDesign flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models

model checking and formal enginesmodel checking and formal engines model checking in practicemodel checking in practice equivalence checkingequivalence checking

Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions

Model Checking and Formal Model Checking and Formal EnginesEngines

MUKUL PRASAD

Fujitsu Labs. of America Sunnyvale, California


Introduction to Model CheckingIntroduction to Model Checking Engines for model checkingEngines for model checking

SAT SolversSAT Solvers Binary Decision Diagrams (BDDs)Binary Decision Diagrams (BDDs)

Symbolic Model Checking with BDDsSymbolic Model Checking with BDDs Model Checking using SAT Model Checking using SAT

Sequential Logic CircuitSequential Logic Circuit

AND OR

NOT XOR

Logic Gates

c

a

b

y

Y = c ( a b )

Combinational Circuit

Present

states

INPUTS

OUTPUTS

LATCHES

Next States

CombLogi

c

a

b

DQ

c

np

o

Sequential Circuit

Temporal Logic Model CheckingTemporal Logic Model CheckingVerify Reactive SystemsVerify Reactive Systems

Construct state machine representation of reactive systemConstruct state machine representation of reactive system Nondeterminism expresses range of possible behaviorsNondeterminism expresses range of possible behaviors ““Product” of component state machinesProduct” of component state machines

ModelChecker

Traffic LightController

Design

FSM rep.

“It is never possible to

have a green light for both

N-S and E-W.”

Property in some TL e.g.

CTL, LTL

True

False+ Counterexample

Express desired behavior as formula in temporal logic (TL)Express desired behavior as formula in temporal logic (TL) Determine whether or not property holdsDetermine whether or not property holds

MoC: Finite State Machine (FSM)MoC: Finite State Machine (FSM)

I: input alphabet S: finite, non-empty set of states : S I S, next-state function S0 S : set of initial (reset) states O: output alphabet : S I O , output function

S3 S2

S1

0/0

1/1

0/0 1/0

0/0

1/1

S1

S2

S3

x = 0 x = 1

S1,0 S2,1

S1,0

S3,0

S2,0

S1,1

State Transition Table

State Transition GraphMealy FSM: I, S, , S0, O, )

INPUTS OUTPUTS

LATCHES

Next States

Present states

CombLogic

Classification of PropertiesClassification of Properties Safety PropertiesSafety Properties

““undesirable things never happen”undesirable things never happen” ““desirable things always happen”desirable things always happen” Examples:Examples:

A bus arbiter never grants the requests to two mastersA bus arbiter never grants the requests to two masters Elevator does not reach a floor unless it is requestedElevator does not reach a floor unless it is requested Message received is the message sentMessage received is the message sent

Liveness (progress) propertiesLiveness (progress) properties ““desirable state repeatedly reached”desirable state repeatedly reached” ““desirable state eventually reached”desirable state eventually reached” Examples:Examples:

Every bus request is eventually grantedEvery bus request is eventually granted A car at a traffic light is eventually allowed to passA car at a traffic light is eventually allowed to pass

Fairness ConstraintsFairness Constraints In general, not every run in a state machine is a In general, not every run in a state machine is a

valid behaviorvalid behavior But all runs are included in transition systemsBut all runs are included in transition systems Fairness constraints rule out certain runsFairness constraints rule out certain runs

Properties only checked for fair paths !!Properties only checked for fair paths !!

Fairness constraints can be expressed as CTL Fairness constraints can be expressed as CTL formulasformulas A fair path must satisfy each formula infinitely oftenA fair path must satisfy each formula infinitely often Path quantifiers are restricted to only the fair paths Path quantifiers are restricted to only the fair paths

Fairness examplesFairness examples An arbiter arbitrates each requestor infinitely oftenAn arbiter arbitrates each requestor infinitely often In a communication channel a continuously transmitted In a communication channel a continuously transmitted

message is received infinitely oftenmessage is received infinitely often

Temporal LogicsTemporal Logics Precise specificationPrecise specification Amenable to symbolic manipulationAmenable to symbolic manipulation Two kinds of temporal logics (TL)Two kinds of temporal logics (TL)

Linear Temporal Logic (LTL):Linear Temporal Logic (LTL): Time is a linear sequence of eventsTime is a linear sequence of events

Branching time temporal logic (CTL, CTL*):Branching time temporal logic (CTL, CTL*): Time is a tree of eventsTime is a tree of events

CTLCTL Formulae describe properties of computation treesFormulae describe properties of computation trees Computation Trees are obtained by unwinding the Computation Trees are obtained by unwinding the

transition system model transition system model Branching structure due to nondeterminismBranching structure due to nondeterminism CTL* is more powerful, includes CTL and LTLCTL* is more powerful, includes CTL and LTL

Syntax of CTLSyntax of CTL Every atomic proposition is a CTL formulaEvery atomic proposition is a CTL formula If If ff and and gg are formulae then so are are formulae then so are

f, (f f, (f g), (f g), (f g), (f g), (f g), (f g), (f g) g) AG fAG f - in all paths, in all state - in all paths, in all state f f (in all future, (in all future, ff)) EG fEG f - in some path, in all states - in some path, in all states ff AF fAF f - in all paths, in some state - in all paths, in some state f f (in every future (in every future ff)) EF fEF f - in some future - in some future ff A(f U g)A(f U g) - in all paths, - in all paths, ff holds until holds until gg E(f U g)E(f U g) - in some path, f holds until - in some path, f holds until gg AX fAX f - in every next state, - in every next state, f f holds holds EX fEX f - in some next state - in some next state ff holds holds

ExamplesExamples AG ¬ (EW_light_go AG ¬ (EW_light_go NS_light_go) NS_light_go) AG (car_at_intersection AG (car_at_intersection AF(light_green)) AF(light_green)) AG (EF Restart)AG (EF Restart) EF (Start EF (Start ¬Ready)¬Ready)

CTL model checkingCTL model checking

MM:: Transition System, Transition System, FF:: CTL formulae CTL formulae MM defines a tree (unwind the transition system) defines a tree (unwind the transition system) FF specifies existence of one or all paths satisfying specifies existence of one or all paths satisfying

some conditionssome conditions Verification checks whether these conditions hold Verification checks whether these conditions hold

for the tree defined by for the tree defined by MM Specifically:Specifically:

Compute the set of states of Compute the set of states of MM satisfying satisfying FF MM ╞ F╞ F iffiff initial states of initial states of MM are in this set are in this set

(Clarke and Emerson, Quielle and Sifakis)(Clarke and Emerson, Quielle and Sifakis)

M╞ FM╞ F

CTL Model Checking Example 1CTL Model Checking Example 1P Compute Compute EFpEFp

EF p = p EX(p) EX(EX(p)) . . .

PSTEP 1

PSTEP 3

PSTEP 2

Fixed Point !! Computation terminates Computation terminates EFEF p Holds in all green states p Holds in all green states Computation involves Computation involves

backward breadth first traversal backward breadth first traversal Calculation of Strongly Calculation of Strongly

Connected Subgraphs (cycles)Connected Subgraphs (cycles)

CTL Model Checking Example 2CTL Model Checking Example 2PP P

EG p = p EX p EX(EX p) . . .

ComputeCompute EG p EG p

PP P

Initial:STEP 1PP P

STEP 2

PP P

STEP 3

PP P

TERMINATION

Checking Safety ConditionsChecking Safety Conditions

Start from SStart from S00 (Z)(Z) = set of initial = set of initial (bad)(bad) states states

Perform forward Perform forward (backward)(backward) reachability analysis reachability analysis to compute a reached state set R to compute a reached state set R (B)(B)

Determine if R Determine if R (B)(B) intersects Z intersects Z (S(S00))

S0

R

Z Z

B

Forward Reachability Backward Reachability

S0

S0: Initial states Z : Bad states

Model Checking ApproachesModel Checking Approaches Explicit state model checkingExplicit state model checking

Requires explicit enumeration of statesRequires explicit enumeration of states Impractical for circuits with large state spaces Impractical for circuits with large state spaces Useful tools exist: Murphi, SPIN, …Useful tools exist: Murphi, SPIN, …

Symbolic model checkingSymbolic model checking Representation & manipulation in terms of Representation & manipulation in terms of

ROBDDs or SAT solversROBDDs or SAT solvers Core tasks:Core tasks:

Represent state machine (transition relation) and sets of Represent state machine (transition relation) and sets of states states

Forward/backward reachability analysisForward/backward reachability analysis Based on computing image/pre-image of set of statesBased on computing image/pre-image of set of states Fixed-point detectionFixed-point detection

SAT Problem DefinitionSAT Problem Definition

Given a CNF formula, f :Given a CNF formula, f :

(C(C11,C,C22,C,C33)) Conjunction of clausesConjunction of clauses

(a,b,c)(a,b,c) A set of variables, A set of variables, VV

Each clause: disjunction of literals over Each clause: disjunction of literals over VV

C1 C2 C3

a = b = c = 1a = b = c = 1))()(( cbacacba Example :Example :

Does there exist an assignment of Boolean values to the variables, V which sets at least one literal in each

clause to ‘1’ ?

CC11

CONFLICTCONFLICT!!

DPLL Algorithm for SATDPLL Algorithm for SAT

Given :Given : CNF formula f(vCNF formula f(v11,v,v22,..,v,..,vkk) , and an ) , and an

ordering functionordering function Next_VariableNext_Variable

))()(( bacaba

Example :Example :

C1 C2 C3

11

CC33

CC22

SATSAT!!

11c

11

00b

00

a0

[Davis, Putnam, Logemann, Loveland 1960,62][Davis, Putnam, Logemann, Loveland 1960,62]

DPLL Algorithm: Unit Clause RuleDPLL Algorithm: Unit Clause Rule

Rule:Rule: Assign toAssign to truetrue any single literal clauses.any single literal clauses.

)( cba =

0

=

0c = 1

))()()()()(( edcedeccbacbcaa

))()()(( edcedeccbc

)( ede

Apply Iteratively: Apply Iteratively: Boolean Constraint Propagation (BCP)Boolean Constraint Propagation (BCP)

Anatomy of a Modern SAT SolverAnatomy of a Modern SAT Solver

SAT Solver

Search RestartsTo correct for bad To correct for bad choices in variable choices in variable orderingorderingRestart algorithm Restart algorithm “periodically”“periodically”Retain some/all Retain some/all recorded clausesrecorded clauses

Clause database managementDiscard useless clauses (e.g. inactive or large clauses)

Efficient garbage collection

Conflict-driven learning

DPLL Algorithm Efficient BCP

Conflict Driven Search Pruning Conflict Driven Search Pruning (GRASP)(GRASP)

SATSAT

Non-chronological backtrackingNon-chronological backtracking

Conflict-clause recording Conflict-clause recording

xxk-1k-1xxk-1k-1

xxkkxxkk

xx22xx22

xx11xx11

xxjjxxjj

11

22

Silva & Sakallah ‘95

Conflict Analysis: An ExampleConflict Analysis: An Example

)( 21 xx

)( 9312 xxx

)( 4323 xxx

)( 10544 xxx

)( 11645 xxx )( 656 xx

)( 818 xx )( 12717 xxx

)( 13879 xxx

}6@1{ 1 xDecision Assignment:Decision Assignment:

}2@1,2@1,3@0,3@0,1@0{ 131211109 xxxxx

Current Assignment:Current Assignment:

Example Contd: Implication GraphExample Contd: Implication Graph

)(( 111091 xxxxc )( 4323 xxx

xx22= 1@6= 1@6

xx1111= 0@3= 0@3

xx66= 1@6= 1@6

xx55= 1@6= 1@6

xx11= 1@6= 1@6

xx99= 0@1= 0@1

xx44= 1@6= 1@6

xx33= 1@6= 1@6

xx1010= 0@3= 0@3

33

33

11

22

22

44

44

55

55

66

66

Example Contd….Example Contd….

x1

55

33

66

Decision Decision LevelLevel

xx77= 1@6= 1@6

xx1313= 1@2= 1@2

xx1212= 1@2= 1@2

xx88= 1@6= 1@6

`̀`̀ 99

99

99

77

77

88

xx11= 0@6= 0@6

xx99= 0@1= 0@1

xx1010= 0@3= 0@3

xx1111= 0@3= 0@3

Variable OrderingVariable Ordering

Significantly impacts size of search treeSignificantly impacts size of search tree Ordering schemes can be Ordering schemes can be static static or or

dymamicdymamic Conventional wisdom (pre-chaff):Conventional wisdom (pre-chaff):

Satisfy most number of clauses ORSatisfy most number of clauses OR Maximize BCP Maximize BCP e.g.e.g. DLIS, MOMs, BOHMs DLIS, MOMs, BOHMs etc.etc.

Variable Ordering: New IdeasVariable Ordering: New Ideas

New wisdom:New wisdom: Recorded clauses key in Recorded clauses key in guiding searchguiding search

Conflict-driven variable ordering:Conflict-driven variable ordering: Chaff (DAC’01): Pick var. appearing in Chaff (DAC’01): Pick var. appearing in mostmost

number of number of recentrecent conflict clausesconflict clauses BerkMin (DATE’02): Pick var. BerkMin (DATE’02): Pick var. involvedinvolved in most in most

number of number of recentrecent conflicts conflicts

Semi-static in nature, for efficiencySemi-static in nature, for efficiency Statistics updated on each conflictStatistics updated on each conflict

Side-effect:Side-effect: Better cache behavior Better cache behavior

Efficient Boolean Constraint PropagationEfficient Boolean Constraint Propagation

Observation:Observation: BCP almost 80% of compute time, BCP almost 80% of compute time, under clause recordingunder clause recording

Traditional implementation:Traditional implementation: Each clause: Counter for #literals set to falseEach clause: Counter for #literals set to false Assgn. to variable ‘x’: Update all clauses having x, xAssgn. to variable ‘x’: Update all clauses having x, x

New Idea:New Idea: Only need to monitor event when # free Only need to monitor event when # free literals in a clause goes from 2 to 1literals in a clause goes from 2 to 1 Need to Need to watchwatch only 2 literals per clause : only 2 literals per clause : SATOSATO

(Zhang’97),(Zhang’97),ChaffChaff (DAC’01) (DAC’01)

…… …x1 w1w2 xk

SAT Solvers Today SAT Solvers Today Capacity:Capacity:

Formulas upto a Formulas upto a million variablesmillion variables and and 3-4 3-4 millionmillion clausesclauses can be solved in can be solved in few hoursfew hours

Only for Only for structured instancesstructured instances e.g.e.g. derived from derived from real-world circuits & systemsreal-world circuits & systems

Tool offerings:Tool offerings: Public domainPublic domain

GRASP : Univ. of MichiganGRASP : Univ. of Michigan SATO: Univ. of IowaSATO: Univ. of Iowa zChaff: Princeton UniversityzChaff: Princeton University BerkMin: Cadence Berkeley Labs.BerkMin: Cadence Berkeley Labs.

CommercialCommercial PROVER: Prover TechnologiesPROVER: Prover Technologies

Decision StructuresDecision Structures

Vertex represents decisionVertex represents decision Follow green (dashed) line for value 0Follow green (dashed) line for value 0 Follow red (solid) line for value 1Follow red (solid) line for value 1 Function value determined by leaf valueFunction value determined by leaf value

Truth Table Decision Tree

0 0

x3

0 1

x3

x2

0 1

x3

0 1

x3

x2

x1

00001111

00110011

01010101

00010101

x1 x2 x3 f

Source: Prof. Randal Bryant

Variable OrderingVariable Ordering Assign arbitrary total ordering to variablesAssign arbitrary total ordering to variables

e.g.e.g. x x11 < x < x22 < x < x33

Variables must appear in ascending order along all Variables must appear in ascending order along all pathspaths

PropertiesProperties No conflicting variable assignments along path Simplifies manipulation

x1

x2

x3

x1

x3

x3

x2

x1

x1

x1

OK Not OK

Reducing OBDDs: Rule #1Reducing OBDDs: Rule #1

11 1

Eliminate duplicate terminals

0 0

x3

0 1

x3

x2

0 1

x3

0 1

x3

x2

x1

x3 x3

x2

x3

0 1

x3

x2

x1

Reducing OBDDs: Rule #2Reducing OBDDs: Rule #2

x3 x3

x2

x3

0 1

x3

x2

x1

x3

x2

0 1

x3

x2

x1

a

b

a

c

a

b c

01 0

1 0 1

Merge isomorphic nodes, i.e. nodes that reference the same variable and point to the same successors

Reducing OBDDs: Rule #3Reducing OBDDs: Rule #3Eliminate a node if its 0 and 1 edges lead to the same node

x3

x2

0 1

x3

x2

x1

x2

0 1

x3

x1

a

b

b0 1

0 1

0 1

Example OBDDExample OBDD

Canonical representation of Boolean functionCanonical representation of Boolean function For given variable orderingFor given variable ordering Two functions equivalent if and only if graphs Two functions equivalent if and only if graphs

isomorphicisomorphic Can be tested in linear timeCan be tested in linear time

Desirable property: Desirable property: simplest form is canonicalsimplest form is canonical..

0 0

x3

0 1

x3

x2

0 1

x3

0 1

x3

x2

x1

x2

0 1

x3

x1

Initial Graph Reduced Graph

(x 1+x 2)· x 3

Effect of Variable OrderingEffect of Variable Ordering

Good Ordering

Linear Growth

0

b3

a3

b2

a2

1

b1

a1

Bad Ordering

Exponential Growth

a3 a3

a2

b1 b1

a3

b2

b1

0

b3

b2

1

b1

a3

a2

a1

)()()( 332211 bababa

ROBDD sizes & Variable OrderingROBDD sizes & Variable Ordering Bad News Bad News

Finding optimal variable ordering NP-HardFinding optimal variable ordering NP-Hard Some functions have exponential BDD size for all Some functions have exponential BDD size for all

orders orders e.g.e.g. multiplier multiplier Good News Good News

Many functions/tasks have reasonable size ROBDDsMany functions/tasks have reasonable size ROBDDs Algorithms remain practical up to 500,000 node OBDDsAlgorithms remain practical up to 500,000 node OBDDs Heuristic ordering methods generally satisfactoryHeuristic ordering methods generally satisfactory

What works in Practice What works in Practice Application-specific heuristics e.g. DFS-based ordering Application-specific heuristics e.g. DFS-based ordering

for combinational circuitsfor combinational circuits Dynamic ordering based on variable sifting Dynamic ordering based on variable sifting (R. Rudell)(R. Rudell)

Variants of Decision DiagramsVariants of Decision Diagrams Multiterminal BDDs (MTBDD)Multiterminal BDDs (MTBDD) – Pseudo Boolean functions – Pseudo Boolean functions BBn n N, N,

terminal nodes are integersterminal nodes are integers Ordered Kronecker FunctionalDecision Diagrams (OKFDD)Ordered Kronecker FunctionalDecision Diagrams (OKFDD) – uses – uses

XOR in OBDDsXOR in OBDDs Binary Moment Diagrams (BMD)Binary Moment Diagrams (BMD) – good for arithmetic operations – good for arithmetic operations

and word-level representationand word-level representation Zero-suppressed BDD (ZDD)Zero-suppressed BDD (ZDD) – good for representing sparse sets – good for representing sparse sets Partitioned OBDDs (POBDD)Partitioned OBDDs (POBDD) – highly compact representation – highly compact representation

which retains most of the features of ROBDDswhich retains most of the features of ROBDDs BDD packagesBDD packages – –

CUDD from Univ. of Colorado, Boulder,CUDD from Univ. of Colorado, Boulder, CMU BDD package from Carnegie Mellon Univ.CMU BDD package from Carnegie Mellon Univ. In addition, companies like Intel, Fujitsu, Motorola etc. have In addition, companies like Intel, Fujitsu, Motorola etc. have

their own internal BDD packagestheir own internal BDD packages

Symbolic Manipulation with OBDDsSymbolic Manipulation with OBDDs

StrategyStrategy Represent data as set of OBDDsRepresent data as set of OBDDs

Identical variable orderingsIdentical variable orderings Express solution method as sequence of symbolic Express solution method as sequence of symbolic

operationsoperations Implement each operation by OBDD manipulationImplement each operation by OBDD manipulation

Key Algorithmic PropertiesKey Algorithmic Properties Arguments: OBDDs with identical variable ordersArguments: OBDDs with identical variable orders Result is OBDD with same orderingResult is OBDD with same ordering Each step polynomial complexityEach step polynomial complexity

Arguments Arguments II, , TT, , EE Functions over variables X Represented as OBDDs

ResultResult OBDD representing

composite function (I T) (I E)

MUX1

0

I T, E

X

I

T

E

If-Then-Else OperationIf-Then-Else Operation ConceptConcept

Basic technique for building OBDD from logic Basic technique for building OBDD from logic network or formula.network or formula.

0 1

d

c

a

B3 B4

B2

B5

B1

Argument I

1

Argument T Argument E

A4,B3 A5,B4

A3,B2

A6,B2

A2,B2

A3,B4A5,B2

A6,B5

A1,B1

Recursive Calls

b

0

d

1

c

a

A4 A5

A3

A2

A6

A1

If-Then-Else Execution ExampleIf-Then-Else Execution Example

OptimizationsOptimizations Dynamic programmingDynamic programming Early termination rulesEarly termination rules Apply reduction rules bottom-up as return from recursive callsApply reduction rules bottom-up as return from recursive calls

(Recursive calling structure implicitly defines unreduced BDD)(Recursive calling structure implicitly defines unreduced BDD)

Derived Algebraic OperationsDerived Algebraic Operations Other operations can be expressed in Other operations can be expressed in

terms of If-Then-Elseterms of If-Then-Else

MUX1

0

F G, 0

X

F

G

0

MUX1

0

F 1, G

X

F

G

1

XF

G

XF

G

And(F, G)

Or(F, G)

If-Then-Else(F, G, 0)

If-Then-Else(F, 1, G)

Generating OBDD from NetworkGenerating OBDD from Network

Task: Represent output functions of gate network as OBDDs.

Network

Evaluation

A

B

C

T1

T2

Out

Resulting Graphs

A B CT1 T2

Out

0 1

a

0 1

c

0 1

b

0 1

b

a

0 1

c

b

c

b

0 1

b

a

A A new_var ("a");new_var ("a");BB new_var ("b");new_var ("b");CC new_var ("c");new_var ("c");T1T1 And (A, 0, B);And (A, 0, B);T2T2 And (B, C); And (B, C);OutOut Or (T1, T2);Or (T1, T2);

A0 /1

Set Operations

A

B

UnionA

B

Intersection

Characteristic FunctionsCharacteristic FunctionsConceptConcept

AA {0,1} {0,1}nn

Set of bit vectors of length Set of bit vectors of length nn Represent set Represent set AA as Boolean as Boolean

function function AA of of nn variables variables XX AA if and only if A( if and only if A(XX ) = 1 ) = 1

Nondeterministic FSM Symbolic Representation

o1,o2 encodedold state

n1, n2 encodednew state

00

10

01

11 o2

o1

1

n2

0

n1

o2

Symbolic FSM RepresentationSymbolic FSM Representation

Represent set of transitions as function Represent set of transitions as function ((OldOld, , NewNew)) Yields 1 if can have transition from state Yields 1 if can have transition from state OldOld to state to state NewNew

Represent as Boolean functionRepresent as Boolean function Over variables encoding statesOver variables encoding states

Reachability AnalysisReachability AnalysisTaskTask

Compute set of states reachable from initial state Compute set of states reachable from initial state QQ00

Represent as Boolean function Represent as Boolean function R(R(SS)) Never enumerate states explicitlyNever enumerate states explicitly

Rstate 0/1old state

new state0/1

Given Compute

InitialR0

=

Q0

R0

00

Breadth-First Reachability AnalysisBreadth-First Reachability Analysis

RRii – set of states that can be reached in– set of states that can be reached in ii transitionstransitions Reach fixed point when Reach fixed point when RRn n = R= Rnn+1+1

Guaranteed since finite stateGuaranteed since finite state

00

10

01

11

R1R0

00 01

R2R1R0

00 01 10

R3R2R1R0

00 01 10

Iterative ComputationIterative Computation

Ri

Ri

Ri +1

old

new

)],'()'([)()( '1 sssRsRsR isii

1 ii

1 ii RR

00 QR do

until ALGORITHM

BDD-based MC: Current StatusBDD-based MC: Current Status Symbolic model checkers can analyze Symbolic model checkers can analyze

sequential circuits with ~200- 400 flip flopssequential circuits with ~200- 400 flip flops For specific circuit types, larger state spaces have For specific circuit types, larger state spaces have

been analyzedbeen analyzed ChallengesChallenges

Memory/runtime bottlenecksMemory/runtime bottlenecks Adoption of TLs for property specificationAdoption of TLs for property specification

Frontier constantly being pushedFrontier constantly being pushed Abstraction & approximation techniquesAbstraction & approximation techniques Symmetry reductionSymmetry reduction Compositional reasoningCompositional reasoning Advances in BDD technology …Advances in BDD technology …

Solving Circuit Problems as SATSolving Circuit Problems as SAT

a

b

c

d

e

f

g

h

i

Primary Output ‘i’ toPrimary Output ‘i’ to 1 1 ??Input Vector AssignmentInput Vector Assignment ??

SAT Formulas for simple gatesSAT Formulas for simple gates

ab

c

))(( baba

a b

))()(( bacbcac

a

bc

))()(( bacbcac

a

bc

Solving Circuit problems as SATSolving Circuit problems as SAT

Set of clauses representing function of each gateSet of clauses representing function of each gate

))()(( fcbfcfb

))()(( hfahfha

))()(( gedgegd

)(i))()(( ighigih

a

b

c

d

e

f

g

h

i

Unit literal clause asserting output to Unit literal clause asserting output to ‘1’‘1’

SAT-based Unbounded MCSAT-based Unbounded MC

SAT-based Inductive reasoningSAT-based Inductive reasoning Exact image computationExact image computation

Use SAT solver just for fixed-point detectionUse SAT solver just for fixed-point detection Image computation using SAT solverImage computation using SAT solver

McMillan CAV’02, Kang & Park DAC’02McMillan CAV’02, Kang & Park DAC’02

Approximate image computationApproximate image computation Using Craig Interpolants Using Craig Interpolants (McMillan CAV’03)(McMillan CAV’03)

Abstraction refinementAbstraction refinement Discussed later in the tutorialDiscussed later in the tutorial

SAT-Based Reasoning on ILAsSAT-Based Reasoning on ILAs

PI PO

LATCHES

NSPS

CL

CL1 CL2 CLk NSk

PI2

POk

PI1 PIk

PO1 PO2

PS3PS2 PSk

NS1 NS2 NSk-1PS1

Unroll k-Steps

Popularized by the BMC work (Biere et al)

Current SAT solvers have shown good results

SAT-Based Inductive ReasoningSAT-Based Inductive Reasoning

P

CLk+1 P ‘1’

‘1’

‘1’

Ind

ucti

on

S

tep

Simple Induction

UNSAT

UNSAT

AG P is TRUE+

P

I0

‘1’B

ase

Case

SAT-Based Inductive ReasoningSAT-Based Inductive Reasoning

P

P

CL1 CL2 CLkI0 P

P‘1’B

ase

Case

P

P

CL1 CLk

P

CLk+1 P ‘1’

‘1’

‘1’

‘1’

Ind

ucti

on

S

tep

Induction with depth ‘k’(Sheeran et al, Bjesse et al FMCAD 2000)

SAT-based InductionSAT-based Induction

Can prove or disprove propertiesCan prove or disprove properties k-depth induction:k-depth induction:

Can check more properties for larger kCan check more properties for larger k Base case is simply k-length BMCBase case is simply k-length BMC But But notnot complete ! complete !

Not k - depth inductive for

any k !P P

Unreachable state-space

Example:

Complete!

SAT-based Inductive ReasoningSAT-based Inductive Reasoning

Unique paths Induction:Unique paths Induction: Restrict unrolled ILA to be loop-freeRestrict unrolled ILA to be loop-free Sheeran et al, Bjesse et al FMCAD’00Sheeran et al, Bjesse et al FMCAD’00 Unrolling upto Unrolling upto recurrence diameterrecurrence diameter i.e. length of longest loop-free pathi.e. length of longest loop-free path

Summary:Summary: Stronger induction methods can be expensiveStronger induction methods can be expensive But,But, some properties very easy to prove by some properties very easy to prove by

induction, very hard by state-space traversalinduction, very hard by state-space traversal Simple induction can be cheap, first step in Simple induction can be cheap, first step in

verification flowverification flow

SAT-based Image ComputationSAT-based Image Computation

Bug found ! Fixed-point

InitsR )(0

))()',(.(toProp)'(1 sRssTrssR ii

i

k

i

k

kk sRsR0

1

0

)()(

)()( sPsRi

do

until or

1ii

0i

SATSolver

Issues: Function representation Quantification

Function RepresentationFunction Representation Representation of: Representation of: Init, RInit, Rii(s), P(s), Tr(s,s’)(s), P(s), Tr(s,s’)

Converted to CNF for SAT solvingConverted to CNF for SAT solving

x z y

Reduced Boolean Circuit (RBC)

b

b a

0 1

Boolean Expression Diagram (BED)Abdulla et al, TACAS 2000 Williams et al, CAV 2000

QuantificationQuantification Apply definition of existential quantification:Apply definition of existential quantification:

Mitigate formula blow-up by:Mitigate formula blow-up by: Inherent reduction rules of function rep.Inherent reduction rules of function rep. Special case quantification rules:Special case quantification rules:

Limitation:Limitation: Suitable only when small number Suitable only when small number of variables to be quantified of variables to be quantified

)1()0()(. xxxx

Inlining: )()().( xxx )(Vars xwhere

))(.()(. xxxx

))(.())(.()()(. xxxxxxx

Scope Reduction:)(Vars xwhere

Exact Image Computation Using SATExact Image Computation Using SATMcMillan, CAV 2002

Solution: Express f in CNF: fCNF

Drop all wi literals from fCNF

Core problem: Express a given formula f in CNF

CTL Model CTL Model CheckingCheckingprocedure AG(p)procedure AG(p)

Let Z = Q = pLet Z = Q = p

while Z while Z 1 1

let Z = (let Z = (W W · p· pii/s/sii))QQ let Q = Q let Q = Q Z Zreturn Qreturn Q

SolveSolve W W · f· f

Computing a CNF representation for fComputing a CNF representation for f

Basic AlgorithmBasic Algorithm Create CNF(f)Create CNF(f) Solve Solve SAT(CNF(f) SAT(CNF(f) vf) Compute Compute blocking clauseblocking clause

for each satisfying for each satisfying assignmentassignment

Collect all blocking Collect all blocking clauses clauses f fCNFCNF

Blocking Clauses Must:Blocking Clauses Must: Contain only original vars. of Contain only original vars. of ff Be false under some sat. assgn. Be false under some sat. assgn.

of CNF(f) of CNF(f) vf

Be implied by CNF(f) CNF(f) vf

e.g. f = (ab)c

a

b

c

vab

CNF(f)

fCNF= (bc) (ac)

: (b: (bc) ) , (a(ac))Blocking Blocking ClausesClauses

vf

Some IssuesSome Issues Issues:Issues:

Blocking clauses expressed in terms of original Blocking clauses expressed in terms of original variables of variables of ff Extracted from a separate implication graphExtracted from a separate implication graph

Quantification of Quantification of WW vars. can be performed on vars. can be performed on each generated blocking clause: each generated blocking clause: Combine both Combine both steps into one!! steps into one!!

Conclusions:Conclusions: Technique promising where BDDs blow upTechnique promising where BDDs blow up BDDs superior as a general purpose techniqueBDDs superior as a general purpose technique Proposed technique needs more polishingProposed technique needs more polishing

Tutorial OutlineTutorial Outline Introduction Introduction Design flow and verification issuesDesign flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models



Model Checking in PracticeModel Checking in Practice

INDRADEEP GHOSH



Enhancing Formal Verification CapacityEnhancing Formal Verification Capacity Abstraction-refinementAbstraction-refinement Assume guarantee/Compositional ReasoningAssume guarantee/Compositional Reasoning ApproximationApproximation Symmetry reductionSymmetry reduction Partial Order ReductionPartial Order Reduction

Formal Verification: Case StudyFormal Verification: Case Study Industrial and Research Tool OfferingsIndustrial and Research Tool Offerings


Limitations of symbolic model checkingLimitations of symbolic model checking Suffers from state explosionSuffers from state explosion

ConcurrencyConcurrency Data domainsData domains

Abstraction of state spaceAbstraction of state space Represent the state space using a smaller modelRepresent the state space using a smaller model Pay attention to preserving the checked properties.Pay attention to preserving the checked properties. Do not affect the flow of controlDo not affect the flow of control..

ExampleExample

Use smaller data objectsUse smaller data objects HDL Code:HDL Code:

X:= f(m);X:= f(m);

Y:=g(n);Y:=g(n);

if (X*Y>0) if (X*Y>0)

then …then …

else …else …

X, Y never X, Y never

used again.used again.

Assign values {-1, 0, 1} to X and Y.Assign values {-1, 0, 1} to X and Y. Based on the following connection:Based on the following connection:

sgn(X) = 1 if X>0,sgn(X) = 1 if X>0, 0 if X=0, and 0 if X=0, and -1 if X<0. -1 if X<0.sgn(X)*sgn(Y)=sgn(X*Y).sgn(X)*sgn(Y)=sgn(X*Y).

Change f and g to produce abstract Change f and g to produce abstract values for X and Yvalues for X and Y

Abstraction vs. SimplificationAbstraction vs. Simplification

Not every simplified system is an Not every simplified system is an abstractionabstraction

The key question is:The key question is: If we prove or disprove a property of the If we prove or disprove a property of the

simplified system, what have we learned simplified system, what have we learned about the original system?about the original system?

Abstraction (Cont)Abstraction (Cont) Abstract transition relation is conservativeAbstract transition relation is conservative

Abstract next states Abstract next states mustmust contain all concrete successors contain all concrete successors And possibly more statesAnd possibly more states

RA

Abstract

Concrete

RC

s

t

x y

Abstract Counter-ExampleAbstract Counter-Example

If model checking fails an abstract counter-example is If model checking fails an abstract counter-example is producedproduced

Concrete transitions are present for each pair of Concrete transitions are present for each pair of consecutive abstract statesconsecutive abstract states But concrete counter-example may not be present!But concrete counter-example may not be present!

x

y’

zy’’

Abstract

ConcreteReal Trace

Spurious Trace

Abstraction RefinedAbstraction Refined

Abstraction is refined by adding more statesAbstraction is refined by adding more states prevents previous spurious counter exampleprevents previous spurious counter example

Model checking is repeated on new abstractionModel checking is repeated on new abstraction iterateiterate

x

y1

z

y’’

Abstract

ConcreteReal Trace

New Trace

Abstraction Refinement Algorithm Abstraction Refinement Algorithm

Build abstract model

Model check

abstractmodel

Check abstract

counterexampleon concrete

model

abstractcounterexample

True on concrete model

true

Infeasible

abort

False on concrete model

real counterexample

Refinement

spuriouscounterexample

Assume-Guarantee ReasoningAssume-Guarantee Reasoning

Used for:Used for: Compositional reasoningCompositional reasoning In a refinement checking In a refinement checking

settingsetting

[Stark] [Chandy-Misra] [Abadi-Lamport][Alur-Henzinger][McMillan]

Ref:

P Q

P’ Q’

Q’P

P’

P’ Q

Q’

+

AG Reasoning: ExampleAG Reasoning: Example

a’ � b’ := true � a’ b’ := false

P

true � b’ := true

P’

b’ � a’ := true � b’ a’ := false

Q

true � a’ := true

Q’

Assume all variables are initialized to trueX X

AG Reasoning: ExampleAG Reasoning: Example

a’ � b’ := true � a’ b’ := false

P


P’

true � a’ := true

Q’

b’ � a’ := true � b’ a’ := false

Q true � a’ := true

Q’


P’

Assume all variables are initialized to true

Symmetry ReductionsSymmetry Reductions

Idea: If state space is symmetric, explore only a symmetric “quotient” of the state space

A permutation function f : S A permutation function f : S S S is an automorphism if:is an automorphism if:

( x, z) ( x, z) ( f(x), f(z))( f(x), f(z))

0,0

1,1

0,1

1,0

f: f(0,0) = 1,1 f(1,1) = 0,0f: f(0,0) = 1,1 f(1,1) = 0,0

f(0,1) = 0,1 f(1,0) = 1,0f(0,1) = 0,1 f(1,0) = 1,0

e.g.

The set of all automorphisms forms a The set of all automorphisms forms a group!group!

Automorphism groups induce Automorphism groups induce equivalence classes (orbits) over the equivalence classes (orbits) over the state spacestate space [ (0,1), (1,0) ][ (0,1), (1,0) ]

[ (0,0), [ (0,0), (1,1) ](1,1) ]

e.g.

Quotient MachineQuotient Machine

Map each state to its representative in Map each state to its representative in the orbitthe orbit

Do model checking analysis on the Do model checking analysis on the quotient machinequotient machine

0,0

1,1

0,1

1,0

[ (0,0),(1,1) ]

[ (0,1), (1,0) ]

Quotient machine

Symmetry ReductionsSymmetry Reductions

DifficultyDifficulty Identifying symmetry groupsIdentifying symmetry groups Computing function mapping states to Computing function mapping states to

representativesrepresentatives

SolutionsSolutions Ask user to tell you where the symmetries are Be satisfied with multiple representatives for

each orbit

Tools: Mur, Nitpick, RuleBase

Over-Approximate ReachabilityOver-Approximate Reachability Exact reachability captures the exact reachable Exact reachability captures the exact reachable

state-spacestate-space Problem: BDD-blowup in many real designsProblem: BDD-blowup in many real designs

Solution: Compute over-approximation of the Solution: Compute over-approximation of the reachable statesreachable states

R1

R2+R1

+

R2R

I0

R+ Often sufficient to prove Often sufficient to prove properties correctproperties correct

Error could be a false Error could be a false negativenegative

Can trade off BDD-size Can trade off BDD-size and runtime with accuracy and runtime with accuracy of approximationof approximation

Over-approx. Reachability TechniquesOver-approx. Reachability Techniques

Split FSM into sub-Split FSM into sub-machines by machines by partitioning state-partitioning state-varsvars

Perform (exact) Perform (exact) reachability on each reachability on each machinemachine

Cross-product of Cross-product of reached state reached state spaces gives over-spaces gives over-approx. for original approx. for original FSMFSM

LATCHES

PI PO

NSPS

CL

X X

Over-approx: More IssuesOver-approx: More Issues

Communicate between sub-FSMs to tighten Communicate between sub-FSMs to tighten approximationapproximation After each time-frameAfter each time-frame After least fixpoint computation for a sub-FSMAfter least fixpoint computation for a sub-FSM

Computing partitionsComputing partitions Heuristic and/or manualHeuristic and/or manual Disjoint partitions Disjoint partitions (Cho et al)(Cho et al) Overlapping partitions Overlapping partitions (Govindaraju et al)(Govindaraju et al)

Can capture limited interaction among sub FSMsCan capture limited interaction among sub FSMs Tighter approximationTighter approximation May not increase BDD sizes muchMay not increase BDD sizes much

Partial Order ReductionPartial Order Reduction

Factor out independent state transitions!Factor out independent state transitions!(typical for asynchronous communication (typical for asynchronous communication as in Software- and Protocol-Checking)as in Software- and Protocol-Checking)

May result in exponential reductionMay result in exponential reductionin the number of statesin the number of states

Synchronization

Irrele

vant

StatesOne Relevant Trace of States

Process B

transition

Process Atransition

Case Study: VGICase Study: VGI

VGI = “Video-Graphics-Image”VGI = “Video-Graphics-Image” Designed by Infopad group at Berkeley Designed by Infopad group at Berkeley Purpose: web-based image processingPurpose: web-based image processing Designed using Designed using

VHDL (control) VHDL (control) Schematics (Data path)Schematics (Data path)

Source:Source: T. Henzinger, X. Liu, S. Qadeer and S. Rajamani, T. Henzinger, X. Liu, S. Qadeer and S. Rajamani, “Formal Specification and Verification of a Dataflow Processor “Formal Specification and Verification of a Dataflow Processor Array,” ICCAD 1999 Array,” ICCAD 1999

VGI ArchitectureVGI Architecture

16 clusters with 6 processors in each - 4 16 clusters with 6 processors in each - 4 compute, 1 memory, 1 I/O compute, 1 memory, 1 I/O

~30K logic gates per processor~30K logic gates per processor Pipelined compute processorsPipelined compute processors Low latency data transfer between Low latency data transfer between

processors - complex controlprocessors - complex control

Complex handshake

VGI ArchitectureVGI Architecture

pipeline

pipeline pipeline

pipeline

pipeline

FIFO buffer

ISA

ISA

ISA ISA

ISA

VerificationVerification

Different time scalesDifferent time scales ImplementationImplementation

two-phase clocktwo-phase clock level-sensitive latches level-sensitive latches activity on both HI and LO phases of clkactivity on both HI and LO phases of clk

Specification Specification no clk signalno clk signal

S

I

Sample OperatorSample Operator

I’ = Sample I at

Runs of I’ = Runs of I sampled at instances where holds

pipeline

pipeline pipeline

pipeline

pipeline

ISA

ISA

ISA ISA

ISA

clk

Sample OperatorSample Operator

Difficulty - VerificationDifficulty - Verification

Size of the VGI chip Size of the VGI chip ~800 latches in each compute processor~800 latches in each compute processor 64 compute processors64 compute processors

Need “divide and conquer”Need “divide and conquer” assume guarantee reasoningassume guarantee reasoning compositional reasoningcompositional reasoning refinement checkingrefinement checking

P’ Q’

P Q

P Q

TP TQ

TPTQ

P’

P Q’

Q’

QP’

Compositional ReasoningCompositional Reasoning

MochaMocha

Reactive Modules - language for Reactive Modules - language for describing designsdescribing designs

Assume-guarantee refinement checkingAssume-guarantee refinement checking

““Mocha: modularity in model Mocha: modularity in model checking,” Alur, Henzinger, Mang, checking,” Alur, Henzinger, Mang, Qadeer, Rajamani, Tasiran, CAV 1998Qadeer, Rajamani, Tasiran, CAV 1998

Network of Processors to Single ProcessorNetwork of Processors to Single Processor

pipeline

pipeline

pipeline

ISA

ISA

ISAISA

ISA

pipeline

pipeline

clk

clk clk

clkclk

Single ProcessorSingle Processor

Single processor still has ~800 latchesSingle processor still has ~800 latches Need “divide-and-conquer” againNeed “divide-and-conquer” again

ISA

pipeline

clk

TP

CommStage

PIPE

ALUGateLevel

REGFILE

ALUSpec

ISA REGFILE

FIFObuffer

OPGEN

Input from upstream processor


clk

Refinement MapRefinement Map

CommStage

ALUGateLevel

FIFObuffer

clk

PIPE

REGFILE


Decompose ProofDecompose Proof

ALU ALUSpec

ISA REGFILE

OPGEN


AbsAluOut

AbsAluOut

aluOutSpec

aluOutImpl

stall

stall aluOutImpl’ = aluOutImpl stall aluOutImpl’ = aluOutSpec

PIPE

ALUGateLevel

REGFILE

much smaller than

Abstraction and Compositional Abstraction and Compositional ReasoningReasoning

FIFObuffer

AbsAluOut

CommStage

TP

clk

Property: Communication ControlProperty: Communication Control

CommStage

PIPE

ALUGateLevel

REGFILE

ALUSpec

ISA REGFILE

FIFObuffer

OPGEN



clk

AbsOps

Refinement CheckingRefinement Checking

AbsAluOut

ResultsResults

Circular assume-guarantee Circular assume-guarantee AbsOpsAbsOps used to verify used to verify AbsAluOutAbsAluOut AbsAluOutAbsAluOut used to verify used to verify AbsOpsAbsOps

All lemmas (except one) checked by All lemmas (except one) checked by Mocha in a few minutesMocha in a few minutes

3 bugs in communication control found 3 bugs in communication control found and fixedand fixed

Abstraction modules crucial - designer Abstraction modules crucial - designer insight neededinsight needed

Model Checkers - Research ToolsModel Checkers - Research Tools

SMV (CMU, Cadence)SMV (CMU, Cadence) VIS (UC Berkeley)VIS (UC Berkeley) Mocha (UC Berkeley, compositional Mocha (UC Berkeley, compositional

reasoning) reasoning) Verisoft (AT&T, C-model checker)Verisoft (AT&T, C-model checker) Bandera (Java model checker)Bandera (Java model checker)

Industrial Model Checkers Industrial Model Checkers

FormalCheckFormalCheck (Cadence) (Cadence) COSPANCOSPAN (from Bell Labs) under the hood (from Bell Labs) under the hood Support for arbitrary precision arithmeticSupport for arbitrary precision arithmetic Automatic bus-contention, multi-driver Automatic bus-contention, multi-driver

violation, tri-state support fir high-impedance violation, tri-state support fir high-impedance checkcheck

Powerful design reduction techniquesPowerful design reduction techniques Removal of portions of design that do not affect the Removal of portions of design that do not affect the

property being provenproperty being proven Constant & constraint propagationConstant & constraint propagation Iterative reduction guarantees that queries proven on Iterative reduction guarantees that queries proven on

the reduced design hold on the entire designthe reduced design hold on the entire design

EDA Vendor Tool OfferingsEDA Vendor Tool Offerings Verplex (Cadence) Verplex (Cadence) BlacktieBlacktie IBM IBM RuleBaseRuleBase @HDL - @HDL - @Verifier@Verifier

works on Verilog RTLworks on Verilog RTL static assertion checksstatic assertion checks automatic property extractionautomatic property extraction clock domain synchronization errorsclock domain synchronization errors

Real Intent Real Intent VerixVerix slimilar to @Verifierslimilar to @Verifier

Averant Averant Solidify Solidify Jasper design automation Jasper design automation Jasper GoldJasper Gold

Tutorial OutlineTutorial Outline Introduction Introduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models



Equivalence CheckingEquivalence Checking

MUKUL PRASAD


Formal Equivalence CheckingFormal Equivalence Checking

Given two designs, prove that for all possible input stimuli their corresponding outputs are equivalent

Design A

Design B

=?Input Yes/No

Product Machine

Formal Equivalence CheckingFormal Equivalence Checking

Equivalence checking can be applied at or Equivalence checking can be applied at or across various levelsacross various levels

RTL

Gate Level

System Level

Device Level

Combinational Equivalence Checking (CEC)Combinational Equivalence Checking (CEC)

Currently most practical and pervasive Currently most practical and pervasive equivalence checking technologyequivalence checking technology

Nearly full automation possibleNearly full automation possible Designs of up to several million gates Designs of up to several million gates

verified in a few hours or minutesverified in a few hours or minutes Hierarchical verification deployedHierarchical verification deployed Full chip verification possibleFull chip verification possible Key methodology:Key methodology: Convert sequential Convert sequential

equivalence checking to a CEC problem!equivalence checking to a CEC problem! Match Latches & extract comb. portions for ECMatch Latches & extract comb. portions for EC

CEC in Today’s ASIC Design FlowCEC in Today’s ASIC Design Flow

RTL Design

Synthesis & optimization

DFT insertion

IO Insertion

Placement

Clock tree synthesis

CEC

CEC

CEC

CEC

CECCEC

Routing

ECO

Solving Seq. EC as Comb. ECSolving Seq. EC as Comb. EC

LATCHES

NS1

PI

PO

PS1

Comb.Logic

CIR

CU

IT 1

PI

PO

NS2PS2

Comb.Logic

CIR

CU

IT 2

MATCH PI

PS

PO

NS

Comb. Logic 1

Comb. Logic 2

=?

PO

NS

Combinational Combinational Equiv. CheckingEquiv. Checking

Methods for Latch MappingMethods for Latch Mapping Incomplete MethodsIncomplete Methods

Regular expression-based using latch namesRegular expression-based using latch names Using simulation (Cho & Pixley ‘97): Using simulation (Cho & Pixley ‘97):

Group latches with identical simulation signaturesGroup latches with identical simulation signatures Group based on structural considerations e.g. Group based on structural considerations e.g.

cone of influencecone of influence Incomplete run of complete method below Incomplete run of complete method below

(Anastasakis et al DAC ‘02)(Anastasakis et al DAC ‘02)

Complete MethodsComplete Methods Functional fixed-point iteration based on Van Functional fixed-point iteration based on Van

Eijk’s algorithm (van Eijk ’95)Eijk’s algorithm (van Eijk ’95)

Van Eijk’s Method for Latch MappingVan Eijk’s Method for Latch Mapping

PI

PS

Comb. Logic 1

Comb. Logic 2

NS

NS=?

Apply Latch Mapping

Assumptions

Initial Latch Mapping

Approximation

Verify Latch Mapping

Assumptions

Fixed-point ?

Iterate

Done !!

Yes

No

CEC in PracticeCEC in Practice

Key Observation:Key Observation: The circuits being verified usually The circuits being verified usually have a number of internal equivalent functionshave a number of internal equivalent functions

To proveTo prove f (f (i1, i2,…in) = f’ () = f’ (i1, i2,…in))

i2i1

f

in

f’

xkx2x1

x1’x2’xk’

x1(i1, i2,…in) = x1’(i1, i2,…in)

x2(i1, i2,…in) = x2’(i1, i2,…in)

xk(i1, i2,…in) = xk’(i1, i2,…in)

f(x1, x2,…xk) = f’(x1’, x2’,…xk’)

Check

Internal Equiv. Based CEC AlgorithmInternal Equiv. Based CEC Algorithm

Random Simulation

Gather PENs

Is x=y?

Refine PEN sets using counter-

example

Is there an unjustified PEN

pair x,y ?

Structurally merge x,y

Done!

PI

PS

PONS

Comb. Logic 1

Comb. Logic

2

=?PO

NS

Combinational miter after latch mapping

Yes

Yes

No

NoPENs: Potentially equivalent nodes, i.e. nodes with identical simulation signature

BDD/ATPG/SAT

Anatomy of Typical CEC ToolsAnatomy of Typical CEC Tools

Circuit A

Circuit B

BDDSAT

ATPG

Multi-engine solver

Structural methods

Learning

Quick Synthesis

Latch Mapper

Counter-example

viewer

Error Diagnosis

Engine

Major Industrial Offerings of CECMajor Industrial Offerings of CEC

Formality Formality (Synopsys)(Synopsys) Conformal Suite Conformal Suite (Verplex, now Cadence)(Verplex, now Cadence) FormalPro FormalPro (Mentor Graphics)(Mentor Graphics) Typical capabilities of these tools:Typical capabilities of these tools:

Can handle circuits of up to Can handle circuits of up to several million gates flatseveral million gates flat in up in up to a few hours of runtimeto a few hours of runtime

Comprehensive Comprehensive debug tooldebug tool to pinpoint error-sources to pinpoint error-sources Counter-example displayCounter-example display && cross-linkcross-link of RTL and gate-level of RTL and gate-level

netlists for easier debuggingnetlists for easier debugging Ability to Ability to checkpointcheckpoint verification process and restart from verification process and restart from

same point latersame point later What ifWhat if capability (unique to FormalPro) capability (unique to FormalPro)

Reachability-based Equivalence CheckingReachability-based Equivalence Checking

Build product machine of MBuild product machine of M11 and M and M22

Traverse state-space of product Traverse state-space of product machine starting from reset states machine starting from reset states SS00, S, S11

Test equivalence of outputs in each Test equivalence of outputs in each statestate

Can use any state-space traversal Can use any state-space traversal techniquetechnique

M1

M2

=?

OutputsInputs

S0

S1Product Machine

S0

S1

Move to System-Level DesignMove to System-Level Design

System-level design

Manual effort

RTL

Gate-level design


Current design iterations

Barrier to adoption of System-level design

Methodology!Errors

!

System-Level VerificationSystem-Level Verification

Property & Model

Checking

Equivalence

Checking

System-level design

Manual effort

RTL

Gate-level design

System-level SynthesisSystem-level Synthesis

Automatic Synthesis

System-level design

Manual effort

RTL

Gate-level design

Scope of Today’s EC Technology Scope of Today’s EC Technology

Seq

uen

tial

diff

ere

nces

Data representation differences

Bit-accurate

Identical data typesComposite data types

Precision/roundingdifferences

FFs match

pipelining

scheduling

Serial vs parallel interfaces

Re-encoding of state

CombinationalEC

Upcoming: Transaction-Based ECUpcoming: Transaction-Based EC

The states in RTL that correspond to states The states in RTL that correspond to states in system-level model (SLM), are referred in system-level model (SLM), are referred to as to as synchronizingsynchronizing states states

SLM

RTL

Refinement mapping

Transient states

Complete Verification

or

Sequentialcounterexample

Transactions : State ViewTransactions : State View

Encapsulates one or more units of Encapsulates one or more units of computation for the design being verifiedcomputation for the design being verified

Self-contained since it brings the machine Self-contained since it brings the machine back to a synchronizing stateback to a synchronizing state

Refinement mapping

SLM

RTLRTL transaction

SL transaction

Equivalence Checking: ConclusionsEquivalence Checking: Conclusions Currently equivalence checking based on Currently equivalence checking based on

latch mapping+CEClatch mapping+CEC Methodology premised on structural similarity Methodology premised on structural similarity

of designs under comparisonof designs under comparison Efficient & scalableEfficient & scalable Maybe applicable to system-level problemsMaybe applicable to system-level problems

More general sequential EC somewhat More general sequential EC somewhat less exploredless explored

Might be needed for system level Might be needed for system level equivalence checkingequivalence checking


Introduction Introduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions

Semi-Formal Verification Semi-Formal Verification TechniquesTechniques

MUKUL PRASAD


The need for Semi-formal VerificationThe need for Semi-formal Verification

Coverage

2K 20K 200K 2M

Existing

Formal

Verification

Random simulation

Manual testw/ coverage

FV Augmented Simulation

(Falsification)

GATES

FV + Complete coverage - Limited capacity

Simulation +Unlimited capacity - Poor coverage

FV Augmented Simulation+ Good coverage+ Good capacity


Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model Sequential ATPG-based model

checkingchecking Guided SearchGuided Search Smart SimulationSmart Simulation

Symbolic SimulationSymbolic Simulation

Symbolic simulation:Symbolic simulation: Symbolic expressions used for inputsSymbolic expressions used for inputs Expressions propagated to compute outputsExpressions propagated to compute outputs Equivalent to multiple constant simulations !!Equivalent to multiple constant simulations !!

a·b+b·c

a

b

c

1

1

0

1

Conventional Simulation:Conventional Simulation: Input & outputs are constants (0,1,X,…)Input & outputs are constants (0,1,X,…)

Problem: Too many constant

input combinations to simulate !!

Ref: Prof. David Dill, CAV ’99c

Symbolic Simulation (sequential case)Symbolic Simulation (sequential case)

a0

b0

a1

b1

c

a1·b1+b1·(a0·b0 + b0·c)

Unrolled Circuit

a0

b0

c

a0·b0 + b0 ·c

Time frame 1

a1·b1+b1·(a0·b0 + b0·c)

a1

b1

a0·b0 + b0·c

Time frame 2


a

b

c

a·b + b ·c

1

b

c

b + c

a+b

b

c

b + c

Inputs can be constants

Input expressions

can be related

Simulate certain set Simulate certain set of patterns of patterns

Model signal Model signal correlationscorrelations

Can result in simpler Can result in simpler output expressionsoutput expressions


Use BDDs as the symbolic representationUse BDDs as the symbolic representation Work at gate and MOS transistor levelWork at gate and MOS transistor level Can exploit abstraction capabilities of ’X’ Can exploit abstraction capabilities of ’X’

valuevalue Can be used to model unknown/don’t care Can be used to model unknown/don’t care

valuesvalues Common use in representing uninitialized state Common use in representing uninitialized state

variablesvariables Boolean functions extended to work with {0,1,X}Boolean functions extended to work with {0,1,X} Two BDD (binary) variables used to represent Two BDD (binary) variables used to represent

each symbolic variableeach symbolic variable


Advantages Advantages Can handle larger designs than model checkingCan handle larger designs than model checking Can use a large variety of circuit modelsCan use a large variety of circuit models Possibly more natural for non-formalists.Possibly more natural for non-formalists. Amenable to partial verification.Amenable to partial verification.

Disadvantages Disadvantages Not good with state machines (possibly better Not good with state machines (possibly better

with data paths).with data paths). Does not support temporal logicDoes not support temporal logic

Requires ingenuity to prove properties.Requires ingenuity to prove properties.

Practical DeploymentPractical Deployment Systems:Systems:

COSMOS [bryant et al], Voss[Seger et al Intel]COSMOS [bryant et al], Voss[Seger et al Intel] Magellan [Synopsys]Magellan [Synopsys] InnologicInnologic

Exploiting hierarchyExploiting hierarchy Symbolically encode circuit structureSymbolically encode circuit structure

Based on hierarchy in circuit descriptionBased on hierarchy in circuit description Simulator operates directly on encoded circuitSimulator operates directly on encoded circuit

Use symbolic variables to encode both data values & Use symbolic variables to encode both data values & circuit structurecircuit structure

Implemented by Innologic, Synopsys (DAC ‘02)Implemented by Innologic, Synopsys (DAC ‘02) Greatest success in memory verification Greatest success in memory verification

(Innologic)(Innologic)

High-level Symbolic SimulationHigh-level Symbolic Simulation Data Types:Data Types: Boolean, bitvectors, int, reals, arrays Boolean, bitvectors, int, reals, arrays Operations:Operations: logical, arithmetic, equality, logical, arithmetic, equality,

uninterpreted functions uninterpreted functions Final expression contains variables and Final expression contains variables and

operatorsoperators Coupled with Decision procedures to check Coupled with Decision procedures to check

correctness of final expressioncorrectness of final expression Final expressions can also be manually checked Final expressions can also be manually checked

for unexpected terms/variables, flagging errors for unexpected terms/variables, flagging errors e.g. in JEM1 verification [Greve ‘98]e.g. in JEM1 verification [Greve ‘98]

High-level Symbolic SimulationHigh-level Symbolic Simulation Manipulation of symbolic expressions done Manipulation of symbolic expressions done

withwith Rewrite systems like in PVSRewrite systems like in PVS Boolean and algebraic simplifiers along with Boolean and algebraic simplifiers along with

theories of linear inequalities, equalities and theories of linear inequalities, equalities and uninterpreted functionsuninterpreted functions

Extensively used along with decision Extensively used along with decision procedures in microprocessor verificationprocedures in microprocessor verification Pipelined processors: DLXPipelined processors: DLX Superscalar processors: Torch (Stanford)Superscalar processors: Torch (Stanford) Retirement logic of Pentium ProRetirement logic of Pentium Pro Processors with out of order executionsProcessors with out of order executions

Symbolic Trajectory Evaluation (STE)Symbolic Trajectory Evaluation (STE) Trajectory : Sequence of values of system Trajectory : Sequence of values of system

variablesvariables Example: c = AND (a, b) and delay is 1Example: c = AND (a, b) and delay is 1 A possible trajectory : (a,b,c) = (0, 1, X), (1, 1, 0), (1, 0, A possible trajectory : (a,b,c) = (0, 1, X), (1, 1, 0), (1, 0,

1), (X, X, 0), (X, X, X),… 1), (X, X, 0), (X, X, X),… Express behavior of system model as a set of Express behavior of system model as a set of

trajectories trajectories II and desired property as a set of and desired property as a set of trajectories trajectories SS

Determine if Determine if II is inconsistent with is inconsistent with SS Inconsistent: Inconsistent: II says 0 but says 0 but SS says 1 for a signal at time t says 1 for a signal at time t Consistent: Consistent: II says 0 but says 0 but SS says X or 0 for a signal at says X or 0 for a signal at

time ttime t

STE: An ExampleSTE: An Example

DinX

DoutX X X T = 0X

Dina

DoutX X X X T = 1X

DinX

DoutX a X X T = 2X

DinX

DoutX X a X T = 3X

DinX

DoutX X X a T = 4a

Din = a NNNN Dout = a

aAssert

Check

Din Dout

4-Bit Shift Register

Din = a NNNN Dout = a

Specification

If apply input a then 4 cycles later will get output a

Ref: Prof. Randal Bryant, 2002

STE: Pros, Cons & Practical UseSTE: Pros, Cons & Practical Use Advantage: Higher capacity than symbolic Advantage: Higher capacity than symbolic

model checkingmodel checking Disadvantage: Properties checkable not as Disadvantage: Properties checkable not as

expressive as CTLexpressive as CTL Practical success of STEPractical success of STE

Verification of arrays (memories, TLBs etc.) in Verification of arrays (memories, TLBs etc.) in Power PC architecturePower PC architecture

x86 Instruction length decoder for Intel processorx86 Instruction length decoder for Intel processor Intel FP adderIntel FP adder Microprocessor verificationMicroprocessor verification

SAT-Based Bounded Model CheckingSAT-Based Bounded Model Checking

PI PO

LATCHES

NSPS

CL

FSM M

Question: Does M have a counter-example to F within k transitions ?

Biere et al (TACAS’99, DAC’99)

P ?

Example F: AG P

Property F

SAT-Based Bounded Model CheckingSAT-Based Bounded Model Checking

P

P

CL1 CL2 CLkI0 P

P‘1’

Unroll M for k time-frames

CNFSAT

Solver

Counter-example to AG

P

No Counter-example within k

steps

SAT

UNSAT

Open problem!!

SAT-based BMCSAT-based BMC

Primarily used for finding bugs !Primarily used for finding bugs ! Verification complete if Verification complete if k > sequential k > sequential

depthdepth of M of M Sequential depth computation or tight Sequential depth computation or tight

estimation intractable in practice estimation intractable in practice

Can express both safety and liveness Can express both safety and liveness properties (bounded semantics)properties (bounded semantics) All LTL formulasAll LTL formulas Unbounded fairness by detecting loopsUnbounded fairness by detecting loops

SAT-based BMC: Pros & Cons SAT-based BMC: Pros & Cons Advantages Advantages

SAT-BMC good at producing counter-examples SAT-BMC good at producing counter-examples upto medium depths (upto 50-60)upto medium depths (upto 50-60)

SAT solvers less sensitive to size of design: SAT solvers less sensitive to size of design: SAT-BMC can handle larger designsSAT-BMC can handle larger designs

SAT solvers require less parameter tuning: SAT solvers require less parameter tuning: Productivity gainProductivity gain

Drawbacks Drawbacks Incomplete method: Cannot verify propertiesIncomplete method: Cannot verify properties Ineffective at larger depths: Slow, CNF blow-upIneffective at larger depths: Slow, CNF blow-up Cannot describe all CTL propertiesCannot describe all CTL properties

Enhancements to basic SAT-BMCEnhancements to basic SAT-BMC

CNF generation for BMCCNF generation for BMC Bounded cone-of-influence: Biere Bounded cone-of-influence: Biere et alet al CAV’99 CAV’99 Circuit-graph compression: Ganai Circuit-graph compression: Ganai et alet al VLSID’02 VLSID’02 Binary time-frame expansion: Fallah ICCAD’02Binary time-frame expansion: Fallah ICCAD’02

Decision variable orderingDecision variable ordering BMC-specific static ordering: Strichman CAV’00BMC-specific static ordering: Strichman CAV’00 Tuning VSIDS for BMC: Shacham Tuning VSIDS for BMC: Shacham et alet al MTV’02 MTV’02

Addition of clauses/constraintsAddition of clauses/constraints Sharing clauses across BMC runs: Strichman CHARME’01Sharing clauses across BMC runs: Strichman CHARME’01 Learning clauses from BDDs: Gupta Learning clauses from BDDs: Gupta et alet al DAC’03 DAC’03 Using BDD reachability over-approx: Cabodi Using BDD reachability over-approx: Cabodi et alet al DATE’03 DATE’03

Sequential ATPG for MCSequential ATPG for MC

CIRCUIT AUTOMATA

TEST NETWORK

from property

stuck-at fault

INPUT

CIRCUIT

s-a-0 fault

INPUT

p

AG p EF pe.g.

Proposed by Boppana, Rajan, Takayama & Fujita, CAV ‘99

Advantages of Sequential ATPG-based MCAdvantages of Sequential ATPG-based MC

No explicit storage of No explicit storage of statesstates

No need to build No need to build transition relationtransition relation

Good balance of DFS Good balance of DFS and BFS traversal of and BFS traversal of state-spacestate-space

Can model real-world Can model real-world primitives, primitives, e.g.e.g. tri-state tri-state buses, high impedence buses, high impedence valuevalue

No explicit unrolling of No explicit unrolling of time-framestime-frames

Uses circuit-based Uses circuit-based heuristics to guide or heuristics to guide or speed-up searchspeed-up search

vs BDDs vs SAT-BMC

Sequential ATPG for BMCSequential ATPG for BMC

Recent work Recent work by Abraham by Abraham et alet al (ITC’02, (ITC’02, VLSID’03)VLSID’03)

Model both Model both safety & safety & liveness liveness properties properties (bounded)(bounded)

ORIGINAL CIRCUIT

MONITOR

PROPERTY n

stuck-at faultTEST

NETWORK

start0 1 2 n-1 n

p

pp pp p

pp

pExample:

…

EG p

ATPG-MC: Current statusATPG-MC: Current status

Attempts to use simulation-based ATPG for Attempts to use simulation-based ATPG for falsification (Hsiao falsification (Hsiao et alet al HLDVT’01, DAC’02) HLDVT’01, DAC’02)

No research characterizing fragment of No research characterizing fragment of language (e.g. CTL, LTL) checkable through language (e.g. CTL, LTL) checkable through ATPG-based MCATPG-based MC

Some works report dramatic improvements of Some works report dramatic improvements of seq. ATPG-BMC vs. SAT-BMCseq. ATPG-BMC vs. SAT-BMC

Current efforts towards combining SAT Current efforts towards combining SAT solvers and sequential ATPG (SATORI solvers and sequential ATPG (SATORI ICCAD’03)ICCAD’03)


Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model checkingSequential ATPG-based model checking Guided Search (academic)Guided Search (academic) Smart Simulation (mixed engine)Smart Simulation (mixed engine)

SIVA (academic)SIVA (academic) Coverage-driven test generation: Magellan Coverage-driven test generation: Magellan

(industrial)(industrial) Test amplification: 0-in search (industrial)Test amplification: 0-in search (industrial)

Guided Search Guided Search

State-space search optimized for bug-State-space search optimized for bug-searching (Yang & Dill, DAC 98)searching (Yang & Dill, DAC 98)

Use prioritized searchUse prioritized search Cost function to pick next state to searchCost function to pick next state to search

Hamming distance to error statesHamming distance to error states

Prioritized Search

Error State

Breadth-first Search

Error State

Improving Guided SearchImproving Guided Search

Target enlargementTarget enlargementalso Yuan et al CAV 97also Yuan et al CAV 97

Improved cost functionImproved cost function TracksTracks

Compute series of approximate preimages

Use the approximate pre-image to estimate distance to enlarged target

GuidepostsGuideposts Designer provided hints/necessary Designer provided hints/necessary

pre-conditions for assertion violationpre-conditions for assertion violation

Bias search to explore search with Bias search to explore search with those pre-conditionsthose pre-conditions

Without Target

Enlargement

ErrorStates

Reset State

Enlarged Error States


Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model checkingSequential ATPG-based model checking Guided Search (academic)Guided Search (academic) Smart Simulation (mixed engine)Smart Simulation (mixed engine)

SIVA (academic)SIVA (academic) Coverage-driven test generation: Magellan Coverage-driven test generation: Magellan

(industrial)(industrial) Test amplification: 0-in search (industrial)Test amplification: 0-in search (industrial)

Smart Simulation I : SIVASmart Simulation I : SIVA

Combines random simulation with BDDs and Combines random simulation with BDDs and combinational ATPGcombinational ATPG

Identify targetsIdentify targets Indicator variables, coverage goals, fail states etc.Indicator variables, coverage goals, fail states etc. Lighthouses: Lighthouses:

Several per targetSeveral per target ““Sub-targets” to guide SIVA to reach a targetSub-targets” to guide SIVA to reach a target

At each state identify targets with constant At each state identify targets with constant simulation signaturesimulation signature

Advance simulation by visiting states which causes Advance simulation by visiting states which causes such targets to toggle valuesuch targets to toggle value Search for such next state by ATPG/BDDsSearch for such next state by ATPG/BDDs

[Ganai, Aziz, Kuehlmann DAC ‘99]

R1’R1’

R5000’R5000’

RANDOMRANDOM

INITIALINITIAL

BDDBDD

ATPGATPG

R1R1

R2R2

R5000R5000

D1D1

D2D2

D1’D1’

SIVA - a run SIVA - a run

Key:Key: Determination of appropriate targets, Determination of appropriate targets, lighthouses etc. to guide the searchlighthouses etc. to guide the search

Smart Simulation II: MagellanSmart Simulation II: Magellan

Approach: Approach: Coverage-driven test generationCoverage-driven test generation Identify few interesting signals (typically <64): Identify few interesting signals (typically <64):

coverage signalscoverage signals Goal:Goal: Maximize Maximize state-coveragestate-coverage on coverage on coverage

signalssignals Test generationTest generation

Interleave random simulation with symbolic Interleave random simulation with symbolic simulation & SAT-BMCsimulation & SAT-BMC

Unreachability analysis Unreachability analysis (under-approx)(under-approx) Identify unreachable coverage states to reduce Identify unreachable coverage states to reduce

coverage target coverage target

[Ho et al, ICCAD 2000 (Synopsys)]

Magellan MethodologyMagellan Methodology

Random simulation:Random simulation: Deep narrow search Deep narrow search SAT-BMC:SAT-BMC: Short-range exhaustive (wide) search (<10 steps) Short-range exhaustive (wide) search (<10 steps) Symbolic simulation:Symbolic simulation: Middle range exhaustive (wide) search Middle range exhaustive (wide) search

Initial state

Coverage state

Random simulation

Symbolic simulation / SAT-BMC

(10-50 steps)(10-50 steps)

Smart Simulation III: 0-in SearchSmart Simulation III: 0-in Search

Approach:Approach: Test amplificationTest amplification Identify Identify “seed states”“seed states” reached through reached through

simulation simulation i.e.i.e. directed or random simulation directed or random simulation Explore exhaustively behavior around seed Explore exhaustively behavior around seed

states using formal methodsstates using formal methods SAT-BMC, BDDs, symbolic simulationSAT-BMC, BDDs, symbolic simulation

+ =

Formal Simulation 0-In Search

Methodology: Assertion-based VerificationMethodology: Assertion-based Verification

Use checkers (written in HDL) to:Use checkers (written in HDL) to: Specify targets for simulation/formal methods Specify targets for simulation/formal methods

Capturing buggy conditionsCapturing buggy conditions Specify environment of a module Specify environment of a module

Can be synthesized into constraintsCan be synthesized into constraints Specify interfaces between componentsSpecify interfaces between components

Inserting checkers:Inserting checkers: From 0-in From 0-in CheckerWareCheckerWare library (~60 checkers) library (~60 checkers) Specified by the user in VerilogSpecified by the user in Verilog Created automatically from RTL directives Created automatically from RTL directives

By By 0-in Check functional0-in Check functional tool tool Suggested by Suggested by 0-in Checklist0-in Checklist while analyzing RTL while analyzing RTL

A kind of sophisticated lint checkingA kind of sophisticated lint checking

0-in Search: Tool Flow0-in Search: Tool Flow

Instrumented Verilog RTL

Verilog Tests and Testbench

Standard Verilog Simulator

No firings in Verilog output

Simulation Trace (Seed)

Firings Log 0-in View GUI Standard Waveform Tool

Checker Control File

Verilog simulator (Firing Replay)

0-in Search 0-in Confirm

Verilog Files with 0-in Checkers

Source: 0-in Design Automation Verification

White-paper


IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM Formal verification techniques for FSM Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions

Simulation Based VerificationSimulation Based Verification

INDRADEEP GHOSH



IntroductionIntroduction why simulationwhy simulation types of simulationtypes of simulation

Making simulation effectiveMaking simulation effective Coverage analysisCoverage analysis Test bench automationTest bench automation RTL ATPGRTL ATPG

SOC verification challengesSOC verification challenges Case studyCase study

Verification Using SimulationVerification Using Simulation

Test Sequences Test Cases/ Features

SpecImplementation to be Verified

Output Responses

=?

Expected Responses

Simulation and Abstraction LevelsSimulation and Abstraction Levels

Specification level simulationSpecification level simulation particular behavior or properties can be captured in UML like particular behavior or properties can be captured in UML like

languages and simulated. e.g. protocolslanguages and simulated. e.g. protocols Behavioral simulationBehavioral simulation

possible to simulate just C/C++/SpecC/SystemC programpossible to simulate just C/C++/SpecC/SystemC program checking with spec requires cutting out relevant portions of behaviorchecking with spec requires cutting out relevant portions of behavior

RTL simulationRTL simulation most widely used in industrymost widely used in industry many commercial toolsmany commercial tools checking with behavior requires time checkpointingchecking with behavior requires time checkpointing

Logic simulationLogic simulation fairly straight forward and easy to check with RTLfairly straight forward and easy to check with RTL detailed timing simulation comes into picturedetailed timing simulation comes into picture

Advantages/DisadvantagesAdvantages/Disadvantages

AdvantagesAdvantages simple conceptsimple concept scales well with design size compared to formal or semi-scales well with design size compared to formal or semi-

formal methodsformal methods most popular strategy in industrymost popular strategy in industry

DisadvantagesDisadvantages simulation semantics may not mimic hardwaresimulation semantics may not mimic hardware cannot be exhaustive cannot be exhaustive

cannot prove correctnesscannot prove correctness writing extensive test benches is tediouswriting extensive test benches is tedious do not know when to stopdo not know when to stop still can be resource intensive and slowstill can be resource intensive and slow

Static RTL checks : LintingStatic RTL checks : Linting

Design rule basedDesign rule based coding, style, documentation, naming, customcoding, style, documentation, naming, custom

Fix non-synthesizeable codeFix non-synthesizeable code no point simulating stuff that cannot be synthesizedno point simulating stuff that cannot be synthesized

Synthesis results vary based on coding stylesSynthesis results vary based on coding styles force uniform and correct style among all designersforce uniform and correct style among all designers

Verilog syntax can compile but create problems in Verilog syntax can compile but create problems in synthesis and simulationsynthesis and simulation comparing different length variables if(a[2:0] == b[1:0] )comparing different length variables if(a[2:0] == b[1:0] ) using blocking/non-blocking assignments at wrong placesusing blocking/non-blocking assignments at wrong places latch interfaces etc.latch interfaces etc.

Standard set of rules are based on Reuse Methodology Standard set of rules are based on Reuse Methodology Manual (RMM) (reference page 2)Manual (RMM) (reference page 2)

Linting CAD ToolsLinting CAD Tools

LEDA LEDA from Synopsysfrom Synopsys

nLintnLint from Novas Software from Novas Software integrated with the Debussy debugging systemintegrated with the Debussy debugging system

HDLLintHDLLint from Veritools from Veritools

VN-checkVN-check from TransEDA from TransEDA

SurelintSurelint from Verisity from Verisity

Spyglass Spyglass from Atrentafrom Atrenta

Tackling Simulation DrawbacksTackling Simulation Drawbacks

Simulation semantics may not mimic hardwareSimulation semantics may not mimic hardware Cannot be exhaustive Cannot be exhaustive

cannot prove correctnesscannot prove correctness

Writing extensive test benches is tediousWriting extensive test benches is tedious Do not know when to stopDo not know when to stop Still can be resource intensive and slowStill can be resource intensive and slow

RTL Simulation SemanticsRTL Simulation Semantics delay modeldelay model

each operation takes negligible timeeach operation takes negligible time operations are scheduled in terms of clock boundariesoperations are scheduled in terms of clock boundaries explicitly specified delay may be usedexplicitly specified delay may be used functional simulation may be different from later stage timing functional simulation may be different from later stage timing

simulationsimulation 4 valued logic is usually used (0, 1, X, Z)4 valued logic is usually used (0, 1, X, Z)

more complex logic possible e.g. more complex logic possible e.g. std_logic_vectorstd_logic_vector in VHDL in VHDL Blocking and Non-blocking assignments using syntaxBlocking and Non-blocking assignments using syntax

blocking assignments are sequentially executedblocking assignments are sequentially executed non blocking assignments are executed in parallel at end of a clock non blocking assignments are executed in parallel at end of a clock

boundaryboundary Value Change Dump (Value Change Dump (VCDVCD) file captures changes in values of ) file captures changes in values of

variables with timevariables with time

Event-driven SimulationEvent-driven Simulation

Event: change in logic value at a node, at Event: change in logic value at a node, at a certain instant of time a certain instant of time (V,T) (V,T)

Event-driven: only considers active nodesEvent-driven: only considers active nodes EfficientEfficient

Performs both timing and functional Performs both timing and functional verificationverification All nodes are visibleAll nodes are visible Glitches are detectedGlitches are detected

Most heavily used and well-suited for all Most heavily used and well-suited for all types of designstypes of designs


Event: change in logic value, at a certain instant of time Event: change in logic value, at a certain instant of time (V,T) (V,T)

10

1

0

1

0

1

D=2a

b

cEvents:•Input: b(1)=1•Output: none

10

1

0

1

0

1

D=2a

b

cEvents:•Input: b(1)=1•Output: c(3)=03


Uses a timewheel to manage the Uses a timewheel to manage the relationship between componentsrelationship between components

TimewheelTimewheel = list of all events not = list of all events not processed yet, sorted in time (complete processed yet, sorted in time (complete ordering)ordering)

When event is generated, it is put in the When event is generated, it is put in the appropriate point in the timewheel to appropriate point in the timewheel to ensure causalityensure causality


b(1)=1d(5)=1

D=1

10

1

0

1

D=2a

b

c

d(5)=1

d5

0

1

e

0

1

3

c(3)=0d(5)=1

0

1

4

d(5)=1

e(4)=0

6

e(6)=1

Cycle-based SimulationCycle-based Simulation Take advantage of the fact that most digital Take advantage of the fact that most digital

designs are largely synchronousdesigns are largely synchronous

Synchronous circuit: state elements change value on Synchronous circuit: state elements change value on active edge of clockactive edge of clock

Only boundary nodes are evaluatedOnly boundary nodes are evaluated

Internal Node

Boundary NodeLatches

Latches

Cycle-based SimulationCycle-based Simulation

Compute steady-state response of the circuit Compute steady-state response of the circuit at each clock cycleat each clock cycle at each boundary nodeat each boundary node

Latches

Latches

Internal Node

Cycle-based vs Event-drivenCycle-based vs Event-driven

Cycle-based:Cycle-based: Only boundary Only boundary

nodesnodes No delay No delay

informationinformation

Event-driven:Event-driven: Each internal nodeEach internal node Need scheduling and Need scheduling and

functions may be functions may be evaluated multiple evaluated multiple timestimes

At RTL if timing information is unknown Cycle-based is more At RTL if timing information is unknown Cycle-based is more appropriateappropriate

Cycle-based is 10x-100x faster than event-driven (and less Cycle-based is 10x-100x faster than event-driven (and less memory usage)memory usage)

Cycle-based does not detect glitches and setup/hold time Cycle-based does not detect glitches and setup/hold time violations, while event-driven doesviolations, while event-driven does

Simulation CAD ToolsSimulation CAD Tools

Event-driven simulatorsEvent-driven simulators Synopsys Synopsys VCS, SiroccoVCS, Sirocco

VCS is a fast Verilog simulatorVCS is a fast Verilog simulator Sirocco is a VHDL simulatorSirocco is a VHDL simulator

Cadence Cadence NCSim NCSim (VHDL, Verilog, mixed)(VHDL, Verilog, mixed) Model Tech. Model Tech. Modelsim Modelsim (VHDL, Verilog, mixed)(VHDL, Verilog, mixed)

Cycle-based simulatorsCycle-based simulators Quickturn Quickturn SpeedSimSpeedSim (VHDL) (VHDL) Synopsys Synopsys PureSpeedPureSpeed (Verilog) (Verilog) Cadence Cadence CobraCobra

VCD dump viewerVCD dump viewer e.g. Cadence e.g. Cadence SignalscanSignalscan

Integrated debugging environmentIntegrated debugging environment more sophisticated toolmore sophisticated tool cross references code, VCD waveform viewer, coverage analysis etc.cross references code, VCD waveform viewer, coverage analysis etc. integrates software debug features and hardware debug featuresintegrates software debug features and hardware debug features e.g. Novas Software e.g. Novas Software DebussyDebussy

Debugging ToolsDebugging Tools

clk

ab

bus[0:3] xxxx 5H 3H

time 0 10 20 30 40 50

Coverage AnalysisCoverage Analysis Quantitative measure of simulation effectivenessQuantitative measure of simulation effectiveness Determines if the simulation test bench is exercising Determines if the simulation test bench is exercising

the design effectivelythe design effectively Concepts borrowed from software testingConcepts borrowed from software testing Various metrics availableVarious metrics available

HDL Design

Coverage Analysis Tool

Instrumented Design

Test Bench RTLSimulation

Gather Coverage Data

Display in GUI

Common Coverage MetricsCommon Coverage Metrics

* Statement Coverage - see if all statements are covered by testbench if ( a > 0)

e = c * d;else f = c + d;

if (b > 0) e = e + 1;

Example

Statement Coverage: 66.7%

* Branch Coverage - see if both sides are taken in all possible branches

if (b <= 0) did not occur Branch Coverage: 50%

Verification engineers shouldaim for 100% statement, branch and toggle coverage

* Toggle Coverage - see if each variable bit value has toggled

Condition CoverageCondition Coverage

* See if all possible conditions in an expression are taken

Example:if ((a < 0) && (b > 3) && (c = 5)) { ..... }

* All eight possibilities are to be present for 100% condition coverage - e.g. {(a>=0), (b<=3), (c != 5)} ; {(a >=0), (b<=3), (c=5)} etc.* All don’t care possibilities may not be feasible

- use only care combinations

Focussed Expression Coverage* Only try possibilities that make each clause important Thus try {(true, true, true); (false, true, true); (true, false, true); (true, true, false)}If some combinations are still not possible then expression in redundant!

Verification engineers should aim for > 95% FEC

Path CoveragePath Coverage

State = Q

Isb == ‘1’

State <= S

Done == ‘1’

State = R

yesno

yesno

State = Q

Isb == ‘1’

State <= S

Done == ‘1’

State = R

yesno

yesno

State = Q

Isb == ‘1’

State <= S

Done == ‘1’

State = R

yesno

yesno

State = Q

Isb == ‘1’

State <= S

Done == ‘1’

State = R

yesno

yesno

* Path Coverage: What % of paths are covered? - exponential number of paths - difficult to do the bookkeeping - impossible to get good coverage - false paths may hinder coverage - supported to a limited extent in most tools

Mostly ignored by verification engineerers

FSM CoverageFSM Coverage

If there are FSM descriptions in the machineIf there are FSM descriptions in the machine see that all states of all FSMs are visitedsee that all states of all FSMs are visited all possible state transitions in every FSM is takenall possible state transitions in every FSM is taken

FSMs need to be described in particular mannerFSMs need to be described in particular manner automatic extraction fails mostlyautomatic extraction fails mostly if other coverage metrics are good, this is already taken if other coverage metrics are good, this is already taken

care ofcare of else this should at least be 100%else this should at least be 100%

A B

C D

Cover - 4 states - 7 transitions

Coverage Analysis CAD ToolsCoverage Analysis CAD Tools

Work in conjunction with RTL simulatorsWork in conjunction with RTL simulators Synopsys Synopsys CovermeterCovermeter

Verilog coverage integrated with VCS simulatorVerilog coverage integrated with VCS simulator Verisity Verisity SurecovSurecov

Verilog coverage analysis tool integrated with Specman Verilog coverage analysis tool integrated with Specman Elite toolElite tool

TransEDA TransEDA Verification NavigatorVerification Navigator supports both VHDL and Verilog supports both VHDL and Verilog works with all major simulatorsworks with all major simulators

Cadence Cadence AffirmaAffirma works with their NCSim RTL simulators (VHDL and Verilog)works with their NCSim RTL simulators (VHDL and Verilog)

Coverage Analysis - Pros & ConsCoverage Analysis - Pros & Cons

Pros:Pros: provides some quantitative analysis of verification effortprovides some quantitative analysis of verification effort increases confidence level in simulation based verificationincreases confidence level in simulation based verification points out untested functionality in the designpoints out untested functionality in the design gives some type of closure to verification effortgives some type of closure to verification effort

Cons:Cons: cannot model many types of errorscannot model many types of errors high confidence level due to good coverage numbers can give high confidence level due to good coverage numbers can give

false sense of securityfalse sense of security observability of error is ignoredobservability of error is ignored still covering implementation, not specificationstill covering implementation, not specification

Importance of ObservabilityImportance of Observability

Example:Example:input a, b, c, d;f = 1;e = 0;

if ( a > 0) e = c * d;else f = c + d;

if (b > 0) print(e);else print(f);

simulate:a = 1, b = -1;a = 0, b = 1;

100% statement andbranch coverage, butno errors detected

error

error

Observability Enhanced Code Coverage AnalysisObservability Enhanced Code Coverage Analysis

Does vector set propagate an erroneous value on variable Does vector set propagate an erroneous value on variable aa to an to an observable output?observable output?

a = 1;

c = 4 - a;

printf(“%d”, c);

erroneous value

• This metric known as This metric known as OCCOMOCCOM is based on Fallah et.al’s work at DAC 98. is based on Fallah et.al’s work at DAC 98.

• Possibility of an error represented by tagging variable in left-hand side of Possibility of an error represented by tagging variable in left-hand side of an assignment or an expression by an assignment or an expression by +D+D oror -D-D ..

• A Tag at a location/variableA Tag at a location/variable represents the possibility that an represents the possibility that an incorrect value is present at the location/variableincorrect value is present at the location/variable

• Goal: see if Tag injected at a location is propagated to output by test setGoal: see if Tag injected at a location is propagated to output by test set

Tag PropagationTag Propagation

Positive, Negative and Unsigned tag Positive, Negative and Unsigned tag

Single error assumptionSingle error assumption

);printf( 4

1

%d",C "CA ;C

;A

Error ModelError Model

Errors in design modeled as errors in assignment statements Errors in design modeled as errors in assignment statements and expression clausesand expression clauses only positive and negative errors tackled to reduce complexityonly positive and negative errors tackled to reduce complexity sometimes unkown tags (sometimes unkown tags ('') ) generatedgenerated

Method confirms that a design error is detected if the vector Method confirms that a design error is detected if the vector set set activatesactivates and and propagatespropagates the required tag on the location of the required tag on the location of the errorthe error error may propagate even if tag does noterror may propagate even if tag does not tag propagation is conservativetag propagation is conservative if if ++ andand --collide then usuallycollide then usually ( ('') ) tag is killed after sometime but error tag is killed after sometime but error

can still be observablecan still be observable

Error model is sufficient but not necessary for error detectionError model is sufficient but not necessary for error detection

Research ResultsResearch Results

* How good is the tag coverage metric for tracking bugs?

- 30 typical bugs were introduced into a Fujitsu RTL circuit

- functional simulation done using intelligent vectors that target tag coverage and random vectors

Conclusion: Tag coverage closely tracks bug coverage but is slightly pessimistic.

Bug Coverage

Intelligent Vectors

Tag Coverage

Bug Coverage

Random Vectors

Tag Coverage

CWL (Component Wrapper Language)CWL (Component Wrapper Language)

Jointly developed by Hitachi and FujitsuJointly developed by Hitachi and Fujitsu Hierarchical description aimed at Hierarchical description aimed at

abstraction level conversionabstraction level conversion Support for split transactionsSupport for split transactions Support for interface specific hardwareSupport for interface specific hardware

Specification Coverage using CWLSpecification Coverage using CWL

Hierarchical Description: BaseHierarchical Description: Base

signalset all = {clk,rst, en, ad,wait,dt}; N : { R, 1, 1, x, 1, x}; I : { R, 0, x, x, 1, x}; Q(a): { R, 1, 0, a, 1, x}; W : { R, 1, 1, x, 0, x}; S(d): { R, 1, 1, x, 1, d}; endsignalset

signalset all = {clk,rst, en, ad,wait,dt}; N : { R, 1, 1, x, 1, x}; I : { R, 0, x, x, 1, x}; Q(a): { R, 1, 0, a, 1, x}; W : { R, 1, 1, x, 0, x}; S(d): { R, 1, 1, x, 1, d}; endsignalset

clk

rst

en

ad[9:0]

wait

dt[7:0]

II NN Q(a)Q(a) WW WW S(d)S(d)

a

d

NN

sentencesentence

Hierarchical Description: TransactionHierarchical Description: Transaction

word; nop : N ; reset : I ; read(a,d) : Q(a) W* S(d) ; endword

word; nop : N ; reset : I ; read(a,d) : Q(a) W* S(d) ; endword

resetreset

clk

rst

en

ad[9:0]

wait

dt[7:0]

nopnop read(a,d)read(a,d) nopnop

I N Q(a) W W S(d) N

a

d

sentence; reset [ nop | read ]+ ; endsentence

sentence; reset [ nop | read ]+ ; endsentence

Once specification sentence protocol generatedOnce specification sentence protocol generated create complete regular expressioncreate complete regular expression create FSM that recognizes regular expressioncreate FSM that recognizes regular expression convert FSM to Verilog monitorconvert FSM to Verilog monitor during simulation see that all transitions in FSM are during simulation see that all transitions in FSM are

coveredcovered

Then protocol specification completely verifiedThen protocol specification completely verified ensures coverage of all possible legal signal ensures coverage of all possible legal signal

combinationscombinations not just the interesting scenariosnot just the interesting scenarios

Specification Coverage using TransitionsSpecification Coverage using Transitions

Test Bench AutomationTest Bench Automation Today’s ASICs and SOCsToday’s ASICs and SOCs

multi million gates, extremely complexmulti million gates, extremely complex 1000s of inputs and outputs1000s of inputs and outputs

Writing meaningful input patterns in 1s and 0s impossibleWriting meaningful input patterns in 1s and 0s impossible Impossible to verify output pattern in 1s and 0sImpossible to verify output pattern in 1s and 0s Need specialized language and framework Need specialized language and framework

toto write good, complex and extensive test benchwrite good, complex and extensive test bench Example: Ethernet frameExample: Ethernet frame

header, addresses, payload (variable length), error correction header, addresses, payload (variable length), error correction code (72 bytes to 10000 bytes)code (72 bytes to 10000 bytes)

Write function Write function Create_frame(parameters)Create_frame(parameters) creates correct frame in terms of patterns of 1s and 0s creates correct frame in terms of patterns of 1s and 0s

Key FeaturesKey Features Constrained input sequence generationConstrained input sequence generation

write input sequence in high level constructwrite input sequence in high level construct may use structures, fields etc.may use structures, fields etc.

put constraints on input fields put constraints on input fields tool converts these to signal level test sequencetool converts these to signal level test sequence tool can also solve for constraints on some inputstool can also solve for constraints on some inputs tool can iterate on several parameters to generate numerous test tool can iterate on several parameters to generate numerous test

sequences automaticallysequences automatically Automatic Output Checker generationAutomatic Output Checker generation

create a set of rules to check expected outputcreate a set of rules to check expected output again high level structures can be usedagain high level structures can be used e.g. if packet sent to port A from port B earlier that port C, they are output in e.g. if packet sent to port A from port B earlier that port C, they are output in

sequence in port A [check_packet( )]sequence in port A [check_packet( )] Concise property specification languagesConcise property specification languages Support for constrained random test generationSupport for constrained random test generation

Bus Functional ModelsBus Functional Models

These HDL models are used to convert higher level These HDL models are used to convert higher level transaction behavior to signal level inputstransaction behavior to signal level inputs test bench can be written and analyzed in high leveltest bench can be written and analyzed in high level once done prevents detailed signal level stimulus once done prevents detailed signal level stimulus

more robust and less error prone, hides detailsmore robust and less error prone, hides details

Example: memoryExample: memory

read()

write() BusFunctional Model

address[7:0]

data[7:0

rw

alevald Pre-defined

protocol with timing

Property Specification LanguagesProperty Specification Languages Is needed for unambiguous modeling of SpecIs needed for unambiguous modeling of Spec Should be formal yet easy to read/understandShould be formal yet easy to read/understand

support for real life properties - Boolean, temporal etcsupport for real life properties - Boolean, temporal etc support for modeling design input behavior support for modeling design input behavior

PSL SugarPSL Sugar from IBM standardized by Accellera from IBM standardized by Accellera it has 4 layers of formalismit has 4 layers of formalism Boolean layerBoolean layer

describes states of designdescribes states of design Temporal layerTemporal layer

describes behavior of design over timedescribes behavior of design over time Modeling layerModeling layer

model auxiliary state variables and state machines and input environmentmodel auxiliary state variables and state machines and input environment Verification layerVerification layer

directives to verification tool assume/assert/cover etc.directives to verification tool assume/assert/cover etc.

Writing Properties in Sugar Writing Properties in Sugar

ExampleExample {true[*];req;ack} |=> {start;busy[*];end}{true[*];req;ack} |=> {start;busy[*];end}

true

req

ack

start

busy

endif then

if then

Temporal OperatorsTemporal Operators

nevernever (read_enable and write_enable) (read_enable and write_enable) always always (req -> next ack)(req -> next ack)

when request is asserted ack must be asserted next cyclewhen request is asserted ack must be asserted next cycle

using using forallforall operator operator alwaysalways (req && data_in == ‘b000 -> next data_out == ‘b000) (req && data_in == ‘b000 -> next data_out == ‘b000) alwaysalways (req && data_in == ‘b001 -> next data_out == ‘b001) (req && data_in == ‘b001 -> next data_out == ‘b001) .. .. can be written ascan be written as forallforall i in 0..7 i in 0..7 alwaysalways (req && data_in == i -> next data_out == i) (req && data_in == i -> next data_out == i)

ExampleExample assert if assert if requestrequest signal is high for 5 cycles without the signal is high for 5 cycles without the acknowledgeacknowledge

signal going high, then system should assert signal going high, then system should assert busy flagbusy flag Sugar propertySugar property

vunit check_busy_flag {vunit check_busy_flag { assert assert { [*], {request & !acknowledge} [*5] } |-> {busy flag}{ [*], {request & !acknowledge} [*5] } |-> {busy flag} }}

If this checker is written in VerilogIf this checker is written in Verilog 50 lines of HDL code50 lines of HDL code

Automatic translators exist now Automatic translators exist now e.g. e.g. FOCS FOCS from IBMfrom IBM

Verification efficiency is increased a lotVerification efficiency is increased a lot

Assertion CheckingAssertion Checking

CAD Tools for Test Bench Automation CAD Tools for Test Bench Automation & Assertion Checking& Assertion Checking

Verisity Verisity Specman EliteSpecman Elite uses proprietary E language (free licenses available)uses proprietary E language (free licenses available)

Cadence Cadence TestbuilderTestbuilder uses C++ classes to automate testsuses C++ classes to automate tests

Synopsys Synopsys VeraVera uses its own OVL (Open Vera Language) (now open)uses its own OVL (Open Vera Language) (now open)

Avery Avery VCKVCK uses VLE (Verilog language enhancements)uses VLE (Verilog language enhancements)

As Accellera Sugar has become industry As Accellera Sugar has become industry standard all tools are now supporting itstandard all tools are now supporting it

Automatic Test Pattern Generation at RTLAutomatic Test Pattern Generation at RTL

Generating good RTL simulation test benches is hard and Generating good RTL simulation test benches is hard and tedioustedious still manual process still manual process

test bench automation helps somewhat but still need to write tests in test bench automation helps somewhat but still need to write tests in high-level test language like Sugar etc.high-level test language like Sugar etc.

may not exercise design completely (bugs may remain)may not exercise design completely (bugs may remain) Alternative: Alternative: attempt to generate RTL test benches attempt to generate RTL test benches

automatically by analyzing the RTL design (ATPG)automatically by analyzing the RTL design (ATPG) only HDL design is needed only HDL design is needed approach is bottom up as opposed to top downapproach is bottom up as opposed to top down

may not be suitable in all casesmay not be suitable in all cases

Requires RTL error models Requires RTL error models currently stuck-at fault model and OCCOM is usedcurrently stuck-at fault model and OCCOM is used experimentally determined they correlate well with bugsexperimentally determined they correlate well with bugs

Application ScenariosApplication Scenarios

Test Generation Algorithm/Tool

SCENARIO 2

Golden RTL Model

TestResponses

TestResponses=?

TestBench

OptimizedRTL model

* Formal RTL equivalence checking fails as circuits are too dissimilar

near 100% coverage

Test Generation Algorithm/Tool

SCENARIO 1

RTL Design Under Test

TestResponses

TestResponses=?

TestBench

ExecutableSpecification

near 100% coverage

Data Structure UsedData Structure Used Represent RTL netlist as an Represent RTL netlist as an

Assignment Decision Assignment Decision Diagram (ADD)Diagram (ADD)

Previously proposed for high-Previously proposed for high-level synthesis by Chaiyakul level synthesis by Chaiyakul et.al.et.al. (DAC 93) (DAC 93)

a 7 state st3 p q

< =

!

&

&

+ -

rc

c vv

• Advantages– Represents a structural view suitable for ATPG

Assignment Value

AssignmentTarget

AssignmentCondition

Case state is when st3 => if (a < 7) r = p + q; else r = p - q;

Example

Convert HDL file into a series of ADDsConvert HDL file into a series of ADDs each process converted to an ADDeach process converted to an ADD ADDs connected together by read and write nodesADDs connected together by read and write nodes

Infer RTL structural components from ADDsInfer RTL structural components from ADDs

Each inferred component is fed its logic-level stuck-at testEach inferred component is fed its logic-level stuck-at test 2-to-1 mux2-to-1 mux : 4 vectors: 4 vectors register / latchregister / latch : 4 / 2 vectors: 4 / 2 vectors logic gate logic gate : well known test set: well known test set memoriesmemories : checker board test: checker board test arithmetic module : precomputed testarithmetic module : precomputed test

an universal test set preferablean universal test set preferable random logic / test set unavailable random logic / test set unavailable

excite HDL code and observe effect at system primary outputexcite HDL code and observe effect at system primary output

Algorithm OverviewAlgorithm Overview

<

PI PI

PO

logic

Modeling RTL ValuesModeling RTL Values CgCg : control an n-bit bus to any of 2: control an n-bit bus to any of 2n n valuevalue C0C0 : control a variable to the 0 value (00..00): control a variable to the 0 value (00..00) C1C1 : control a variable to the 1 value (00..01): control a variable to the 1 value (00..01) Ca1Ca1 : control a variable to the all ones vector (11..11): control a variable to the all ones vector (11..11)

CA1 of 1 bit variable is C1CA1 of 1 bit variable is C1 CqCq : control a variable to any constant (5, 10, etc.): control a variable to any constant (5, 10, etc.) CsCs : control a state variable to a particular state value (St1): control a state variable to a particular state value (St1) CzCz : control to high-impedance state (zz..zzz): control to high-impedance state (zz..zzz) Cp : control to a particular range of integers (16-32)Cp : control to a particular range of integers (16-32) OO : observe an any fault on multi-bit variable or an 1/0 : observe an any fault on multi-bit variable or an 1/0

fault on a single-bit variable fault on a single-bit variable O’O’ : observe a 0/1 fault only for a single-bit variable: observe a 0/1 fault only for a single-bit variable

* These constants are sufficient to propagate test vectors across all RTL modules

AlgorithmAlgorithm

<

+

*

Cg

Cg

O

To PIs

To POs

To PIs

C1

Cg

C1

Cg

C1

O

C1

O

CqCg

backtrack

Results & Ongoing ResearchResults & Ongoing Research This is in technology transfer phaseThis is in technology transfer phase

Has been applied on industrial examplesHas been applied on industrial examples Prototype shows huge speed up over logic ATPGPrototype shows huge speed up over logic ATPG

2 to 3 orders of magnitude reduction in CPU time 2 to 3 orders of magnitude reduction in CPU time Test sets automatically give close to 100% line, branch and condition Test sets automatically give close to 100% line, branch and condition

coveragecoverage Can be used as initial filter before manual test benches or formal Can be used as initial filter before manual test benches or formal

verificationverification Disadvantages:Disadvantages:

application scenarios limitedapplication scenarios limited still block level tool, about 20,000-50,000 line flat HDLstill block level tool, about 20,000-50,000 line flat HDL

search is NP complete and uses branch and boundsearch is NP complete and uses branch and bound

Ongoing researchOngoing research speed up engine using circuit SAT techniquesspeed up engine using circuit SAT techniques modify engine for RTL property checking modify engine for RTL property checking

Stopping Criteria Stopping Criteria

Coverage basedCoverage based e.g. >99.5% line coverage, >99% branch coverage, >90% condition e.g. >99.5% line coverage, >99% branch coverage, >90% condition

coveragecoverage Bug rate basedBug rate based

when rate of new bugs detected fallen below particular level, e.g. - 2 when rate of new bugs detected fallen below particular level, e.g. - 2 per weekper week

Random simulation basedRandom simulation based e.g. random simulation ran for 3 days without probleme.g. random simulation ran for 3 days without problem

Some weighted average of all the aboveSome weighted average of all the above Use case emulationUse case emulation

e.g. video processor e.g. video processor watch output of emulator in real time on a TV screenwatch output of emulator in real time on a TV screen

Deadline basedDeadline based need to tape out chip, hence stop simulation !!need to tape out chip, hence stop simulation !!

Still huge amounts of time and resources Still huge amounts of time and resources required to simulate multi-million gate designsrequired to simulate multi-million gate designs but only simulation scales to large designsbut only simulation scales to large designs

AlternativesAlternatives Hardware emulation/accelerationHardware emulation/acceleration Core based design of SOCCore based design of SOC

use preverified modules and just verify interfaceuse preverified modules and just verify interface some peculiar problems arisesome peculiar problems arise

Correct by construction designCorrect by construction design

Tackling the Time ComplexityTackling the Time Complexity

EmulationEmulation Compile RTL design into a number of FPGAs and PLDsCompile RTL design into a number of FPGAs and PLDs Directly simulate test bench on the hardware using a Directly simulate test bench on the hardware using a

computer interfacecomputer interface Capture output responses in a memory buffer and Capture output responses in a memory buffer and

display using the computerdisplay using the computer AdvantagesAdvantages

10X to 100X faster than software simulation10X to 100X faster than software simulation simulation semantics problems are lowersimulation semantics problems are lower

DisadvantagesDisadvantages systems are expensivesystems are expensive cumbersome to set upcumbersome to set up debugging support weaker than software debuggersdebugging support weaker than software debuggers



AlternativesAlternatives Hardware emulation/accelerationHardware emulation/acceleration Core based design of SOCCore based design of SOC



SOC Verification IssuesSOC Verification Issues What is new in SOC verification?What is new in SOC verification?

Why is SOC verification more challenging?Why is SOC verification more challenging? SOCs - large designs, small teamsSOCs - large designs, small teams

closer to computer systems than ASICscloser to computer systems than ASICs but built rapidly with small design teams using coresbut built rapidly with small design teams using cores

Verification team cannot get deep understanding of Verification team cannot get deep understanding of target designtarget design

Not enough resources to develop verification tools Not enough resources to develop verification tools specific to designspecific to design

Verification teams must rely on existing tools and Verification teams must rely on existing tools and technologytechnology generic knowledge of domain with small adaptationsgeneric knowledge of domain with small adaptations

More ChallengesMore Challenges Most SOCs contain a processorMost SOCs contain a processor

big and complex and programmablebig and complex and programmable Processors can be used to stimulate rest of the system but..Processors can be used to stimulate rest of the system but.. How to treat system softwareHow to treat system software

ignoring means not testing entire systemignoring means not testing entire system leaving it in means more difficult to use processor to test other leaving it in means more difficult to use processor to test other

componentscomponents HW/SW co-simulation a major issueHW/SW co-simulation a major issue

simulating processor will slow down RTL simulationsimulating processor will slow down RTL simulation hardware and software operate at different rateshardware and software operate at different rates modeling solutions are required modeling solutions are required

e.g. Instruction Set Architecturee.g. Instruction Set Architecture Interface issuesInterface issues

how to check that the cores are talking correctly with each other e.g. how to check that the cores are talking correctly with each other e.g. protocol verificationprotocol verification

Solution - Raise Abstraction LevelSolution - Raise Abstraction Level

Focus at level where design complexity liesFocus at level where design complexity lies AdvantagesAdvantages

match shift in design paradigmmatch shift in design paradigm improved productivity due to reasoning at right levelimproved productivity due to reasoning at right level early start of verification effortearly start of verification effort

start on high-level models of designstart on high-level models of design but use same methodology for lower levelbut use same methodology for lower level

New building blocksNew building blocks signals, packets, complex transactionssignals, packets, complex transactions cores instead of registers, FSMs etc.cores instead of registers, FSMs etc.

New Paradigms New Paradigms

Transaction based verification and coverageTransaction based verification and coverage System level test generatorsSystem level test generators New applications of formal verificationNew applications of formal verification

protocol verificationprotocol verification E.g. - Product by Jasper Design AutomationE.g. - Product by Jasper Design Automation

High Level Checking TechniquesHigh Level Checking Techniques

Behavioral rules can be checked to test aspects Behavioral rules can be checked to test aspects of behaviorof behavior e.g. : transaction ordering, coherencee.g. : transaction ordering, coherence

Need means to describe rules and check themNeed means to describe rules and check them e.g. : when write transaction begins all previous read e.g. : when write transaction begins all previous read

transactions have finishedtransactions have finished look for all read transactions and check their statuslook for all read transactions and check their status check order with respect to write transactioncheck order with respect to write transaction

Data flow is a good source of behavioral rulesData flow is a good source of behavioral rules record the history of each transactionrecord the history of each transaction analyze the the behavior of system according to the flow analyze the the behavior of system according to the flow

of transactions and their interactionof transactions and their interaction

Using System Level Test GeneratorsUsing System Level Test Generators

Goal: Systematic verification of IP (core) Goal: Systematic verification of IP (core) interaction to verify global functional behaviorinteraction to verify global functional behavior assumes each IP has been individually verifiedassumes each IP has been individually verified

Generates tests that cover the interaction among Generates tests that cover the interaction among IPsIPs

Tool Tool Esterel StudioEsterel Studio based on hierarchical concurrent finite state machines based on hierarchical concurrent finite state machines

(HFSMs)(HFSMs) Four step processFour step process

model system as HFSM (need lot of abstraction)model system as HFSM (need lot of abstraction) create symbolic testscreate symbolic tests transform tests to concrete teststransform tests to concrete tests simulate the concrete testssimulate the concrete tests

Creating Symbolic TestsCreating Symbolic Tests

Use BDD based traversal engine to compute all Use BDD based traversal engine to compute all the possible paths to the the possible paths to the test_completedtest_completed state in state in the global test scheduling FSMthe global test scheduling FSM each path is associated with an input sequenceeach path is associated with an input sequence

Transform input sequences to output sequences Transform input sequences to output sequences using the Esterel Studio simulatorusing the Esterel Studio simulator

The resulting sequences are commands to and by The resulting sequences are commands to and by the IPs that create the requested scenariothe IPs that create the requested scenario

config_data_channel_1req_dst_wav req_srcwrite_frame



AlternativesAlternatives Hardware emulationHardware emulation Core based design of SOCCore based design of SOC



Correct By ConstructionCorrect By Construction

Translation from higher to lower level descriptionTranslation from higher to lower level description automatic and correctautomatic and correct no need to verify lower level no need to verify lower level

Easier said than doneEasier said than done CAD tools will contain bugs (software program)CAD tools will contain bugs (software program) requires years of use before some degree of confidencerequires years of use before some degree of confidence

ExampleExample Synopsys Design CompilerSynopsys Design Compiler RTL to gate level generatorRTL to gate level generator after 12 years of use and numerous bug fixes most designers trust its after 12 years of use and numerous bug fixes most designers trust its

output in terms of functionalityoutput in terms of functionality timing still not completely robusttiming still not completely robust

Platform based designPlatform based design another design flow with this philosophyanother design flow with this philosophy

Case Study: Fujitsu 10GB Ethernet SwitchCase Study: Fujitsu 10GB Ethernet Switch

Fujitsu 10 Gb Ethernet Switch ChipFujitsu 10 Gb Ethernet Switch Chip Layer 2 SwitchLayer 2 Switch

12 I/O XAUI ports (IEEE 802.3ae)12 I/O XAUI ports (IEEE 802.3ae) MAC frame relay and spanning tree (802.1D)MAC frame relay and spanning tree (802.1D) Virtual LAN (802.1Q)Virtual LAN (802.1Q)

Design ComplexityDesign Complexity 6.3 million gates & 900 KBytes SRAM6.3 million gates & 900 KBytes SRAM approximately 70 million transistorsapproximately 70 million transistors process 0.11process 0.11

Processor(BPDU, GMRP, GVRP,

Management)

Switch Chip(Filtering, Relay)

Our mission is to verify the Switch Chip

Verification FrameworkVerification Framework

Test Program-1 (.cc)

Frame Generator(.cc)

ProcessorBFM (.v)

EEPROMBFM (.v)

XGMIIDriver /

Receiver (.cc)

XAUIDriver /

Receiver (.cc)

XAUIBFM(.v)

Sw

itch C

hip

(D

UV

)

Driver (.cc)

Interrupt Handler /Device Driver (.cc)

XA

UI

XGMIIBFM(.v) M

AC

ReferenceModel (.cc)

Verilog-HDL TestBuilder

Test Program-2 (.cc)

APIs

Black Box VerificationBlack Box Verification

Just see if design conforms to Spec.Just see if design conforms to Spec. Spec. - IEEE 802.3ae, 802.1D, 802.1QSpec. - IEEE 802.3ae, 802.1D, 802.1Q

over 1000 pages of English textover 1000 pages of English text IEEE Specifications conformance testIEEE Specifications conformance test

Micro-architecture independentMicro-architecture independent PICS (Protocol Implementation Conformance Statement)PICS (Protocol Implementation Conformance Statement)

somebody painfully went through the text to extract about 200 somebody painfully went through the text to extract about 200 points to test (this is well known)points to test (this is well known)

extracted 39 test cases (one test case can cover multiple tests)extracted 39 test cases (one test case can cover multiple tests)

Example: frame address is learnt by switchExample: frame address is learnt by switch send frame with source address A from port 2send frame with source address A from port 2 send frame with destination address A from port 3send frame with destination address A from port 3 check that second frame comes out at port 2check that second frame comes out at port 2

White Box VerificationWhite Box Verification

Test the special features of the chip not mentioned Test the special features of the chip not mentioned in IEEE Specin IEEE Spec implementation dependentimplementation dependent verification engineer need to understand design verification engineer need to understand design

functionalityfunctionality Micro-architecture dependent test casesMicro-architecture dependent test cases

E.g. 1. memory corruption testE.g. 1. memory corruption test memory protected by error correcting codememory protected by error correcting code intentionally corrupt memory during frame transmission intentionally corrupt memory during frame transmission see that error correction is occurring correctlysee that error correction is occurring correctly

E.g. 2. mode registers: extracted 88 test casesE.g. 2. mode registers: extracted 88 test cases Total dedicated test cases - 200Total dedicated test cases - 200

simulation cycles - 25.9 million simulation cycles - 25.9 million

IP VerificationIP Verification

Design used one 3rd party soft IPDesign used one 3rd party soft IP IP came with own testbenchIP came with own testbench Manually translated IP test bench to Manually translated IP test bench to

system test bench for regression testssystem test bench for regression tests verified line coverage of IP > 99.5% even within verified line coverage of IP > 99.5% even within

systemsystem 5 bugs were found in the IP5 bugs were found in the IP

Random SimulationRandom Simulation

Random testRandom test Arbitrary random frames generationArbitrary random frames generation Reference model for automatic verificationReference model for automatic verification

this is tricky as bugs may be in reference modelthis is tricky as bugs may be in reference model may be tedious to writemay be tedious to write

Best used to hit assertions put in by Best used to hit assertions put in by designerdesigner the random seeds needs to be stored for each the random seeds needs to be stored for each

test case so that failed test may be reproducedtest case so that failed test may be reproduced Random testRandom test

#cycles: 1B (2M frames)#cycles: 1B (2M frames)

Coverage AnalysisCoverage Analysis At this pointAt this point

line coverage > 95%line coverage > 95% branch coverage > 90%branch coverage > 90%

If not rethink verification strategyIf not rethink verification strategy OtherwiseOtherwise

find uncovered codefind uncovered code ask designer what he intended to do in that piece of code (broad ask designer what he intended to do in that piece of code (broad

idea only)idea only) write test case to test functionalitywrite test case to test functionality careful not to repeat same bugcareful not to repeat same bug

Final CoverageFinal Coverage line - 99.3%line - 99.3% branch - 99.5%branch - 99.5% condition - 94.5%condition - 94.5%

Code SizeCode Size

10 Gb Switch Chip (Hierarchical RTL Verilog): 10 Gb Switch Chip (Hierarchical RTL Verilog): 75k lines75k lines Bus Functional Models (Verilog) : Bus Functional Models (Verilog) : 6k lines6k lines Transaction Verification Model (C++)Transaction Verification Model (C++)

with random testwith random test : : 10k lines10k lines Test Programs (C++)Test Programs (C++) : : 48k lines48k lines Total RTL Verilog - Total RTL Verilog - 75K lines75K lines Total Verification Testbench - Total Verification Testbench - 64K lines64K lines (almost same as (almost same as

design)design)

Bug RateBug Rate

0

50

100

150

200

250

300TotalBlock LevelSystem Level

271

157114

2468

1012141618

Block LevelSystem Level

00 2 4 6 8 11 13 15 17 19 21 23 25 27week

00 2 4 6 8 11 13 15 17 19 21 23 25 27week

Start Unit Level Verification

Start System Level Verification(early functional)

Start System Level Verification (full functional)

First Code Review

LogicFreeze

Use Case SimulationUse Case Simulation Final stepFinal step

Get a few typical applications running on 2 to 3 serversGet a few typical applications running on 2 to 3 servers these applications should need to exchange data between them these applications should need to exchange data between them

frequently over the LANfrequently over the LAN obtain data traffic trace over the LAN assuming they are obtain data traffic trace over the LAN assuming they are

connected by this switchconnected by this switch

Simulate/Emulate with this traffic and the applicationsSimulate/Emulate with this traffic and the applications

Check applications are running correctlyCheck applications are running correctly

This step is more involved than software simulationThis step is more involved than software simulation requires testing board, emulator, memory dump, accelerator etc.requires testing board, emulator, memory dump, accelerator etc.

Lessons LearntLessons Learnt

Verification needs to start early in design cycleVerification needs to start early in design cycle even with partial designseven with partial designs

Designers are responsible for block-level verificationDesigners are responsible for block-level verification

Dedicated verification team for system-level verificationDedicated verification team for system-level verification

Equivalence check after scan insertionEquivalence check after scan insertion

Coverage analysis necessary but not sufficient Coverage analysis necessary but not sufficient

Hardware/Software co-simulation necessaryHardware/Software co-simulation necessary

Only function verification not enoughOnly function verification not enough Timing verification & complete DRC check equally importantTiming verification & complete DRC check equally important

Recap & ConclusionRecap & Conclusion

INDRADEEP GHOSH


Verification ImportanceVerification Importance It is obvious that we need to verify a design before fabricationIt is obvious that we need to verify a design before fabrication Many famous bugsMany famous bugs

Pentium floating pointPentium floating point Arian 5 rocket blow upArian 5 rocket blow up Mars polar lander crash landsMars polar lander crash lands

Design productivity gapDesign productivity gap technology available to put 1 billion transistors on chiptechnology available to put 1 billion transistors on chip inability of designers to design that kind of chipinability of designers to design that kind of chip verification bottleneckverification bottleneck

70% of chip design effort is spent on verification70% of chip design effort is spent on verification

Robust and scalable solutions are requiredRobust and scalable solutions are required verification effort is reducedverification effort is reduced larger designs can be addressedlarger designs can be addressed

Various Types of VerificationVarious Types of Verification Higher order theorem proving and decision proceduresHigher order theorem proving and decision procedures

mostly manual effort and cumbersomemostly manual effort and cumbersome requires deep understanding of algorithmrequires deep understanding of algorithm still mostly in research phase with limited industrial applicationstill mostly in research phase with limited industrial application

Formal VerificationFormal Verification has become industrial practice in last few yearshas become industrial practice in last few years combinational equivalence checking very successfulcombinational equivalence checking very successful sequential equivalence checking needs worksequential equivalence checking needs work model checking automatic but does not scale wellmodel checking automatic but does not scale well

still block level (10,000 gates 1,000 FFs)still block level (10,000 gates 1,000 FFs) some techniques to reduce state space are practicalsome techniques to reduce state space are practical

may increase frontier by 4-5 timesmay increase frontier by 4-5 times

Semiformal VerificationSemiformal Verification recently SAT solvers have become extremely efficient recently SAT solvers have become extremely efficient bounded model checking is being used bounded model checking is being used

handles large designs but can go to about 1,000 cycles deephandles large designs but can go to about 1,000 cycles deep

Simulation BasedSimulation Based most popular in industry (mature technology)most popular in industry (mature technology) scalable but requires huge amounts of CPU and memory scalable but requires huge amounts of CPU and memory full chip simulation may not be practical in few yearsfull chip simulation may not be practical in few years coverage is an issue and cannot prove correctnesscoverage is an issue and cannot prove correctness

Various Types of VerificationVarious Types of Verification

Verification DirectionsVerification Directions Driven by design flowDriven by design flow

higher levels of abstractionhigher levels of abstraction formal specification languagesformal specification languages mapping verification problems to lower level enginesmapping verification problems to lower level engines

design reusedesign reuse interface verificationinterface verification system level verificationsystem level verification

Tackling larger designs in formal verificationTackling larger designs in formal verification efficient formal enginesefficient formal engines sequential equivalence checkerssequential equivalence checkers filter based techniquesfilter based techniques

using multiple enginesusing multiple engines hybrid engineshybrid engines

e.g. BDD/SAT/ATPG combinatione.g. BDD/SAT/ATPG combination higher level reasoning higher level reasoning

need to automateneed to automate

Current Industry PracticesCurrent Industry Practices Most designs still start at RTLMost designs still start at RTL

RTL simulation well understood and usedRTL simulation well understood and used many mature CAD toolsmany mature CAD tools getting more and more difficult to do full chip simulationgetting more and more difficult to do full chip simulation

Model checking tools gaining popularity at block levelModel checking tools gaining popularity at block level writing meaningful set of properties difficultwriting meaningful set of properties difficult designers need to change mindsetdesigners need to change mindset

property specification languages becoming popularproperty specification languages becoming popular automatic property extraction cannot go very farautomatic property extraction cannot go very far many new CAD tool offerings from EDA vendorsmany new CAD tool offerings from EDA vendors

functionality still evolvingfunctionality still evolving

Equivalence checking mainstream for certain casesEquivalence checking mainstream for certain cases Emulation used for real-time systemsEmulation used for real-time systems Functional verification not end of storyFunctional verification not end of story

timing verification and DRC check very importanttiming verification and DRC check very important

New CAD Tool OfferingsNew CAD Tool Offerings

Model Checking toolsModel Checking tools @HDL, Real Intent, Verplex@HDL, Real Intent, Verplex

Semi-formal verification toolsSemi-formal verification tools 0-in 0-in Synopsys MagellanSynopsys Magellan

Interface/Protocol Verification toolsInterface/Protocol Verification tools Jasper Design AutomationJasper Design Automation

Hardware accelerationHardware acceleration Tharus SystemsTharus Systems

Coverage analysis and debugging toolsCoverage analysis and debugging tools Novas DebussyNovas Debussy Sugar based tools from TransEDA, VerisitySugar based tools from TransEDA, Verisity

Research IssuesResearch Issues Design and Verification at high levels of abstractionDesign and Verification at high levels of abstraction

new modeling issuesnew modeling issues Eg: what if Spec is in UMLEg: what if Spec is in UML

how to generate problem, map problemhow to generate problem, map problem

Faster enginesFaster engines more efficient BDDsmore efficient BDDs

efficient and automatic abstraction-refinementefficient and automatic abstraction-refinement faster SAT solversfaster SAT solvers

better learning and pruning techniquesbetter learning and pruning techniques combining enginescombining engines

ATPG/SAT combinationATPG/SAT combination BDD/SAT combinationBDD/SAT combination

use of higher level information to guide searchuse of higher level information to guide search methodology issuesmethodology issues

Interface specification and verificationInterface specification and verification automatic static checks automatic static checks

Concluding RemarksConcluding Remarks Verification is a fundamental problem for everyoneVerification is a fundamental problem for everyone

not only hardware but software, mechanical, electrical everywherenot only hardware but software, mechanical, electrical everywhere will not be irrelevant until correct-by-construction from English is will not be irrelevant until correct-by-construction from English is

possible (looks impossible so far)possible (looks impossible so far) It is becoming a design bottleneck in hardwareIt is becoming a design bottleneck in hardware

path breaking inventions are requiredpath breaking inventions are required serious industrial and academic efforts are requiredserious industrial and academic efforts are required

Newer products will emerge in the formal domainNewer products will emerge in the formal domain still nascent technologystill nascent technology

Remains an exciting filed of researchRemains an exciting filed of research Verification will evolve as design methodology evolvesVerification will evolve as design methodology evolves

newer problems, newer solutionsnewer problems, newer solutions No single approach will sufficeNo single approach will suffice

Thank You

BibliographyBibliography

BooksBooks B. Berard et. al., “Systems and Software Verification: Model Checking Techniques and Tools”, Springer

Verlag, 2001. J. Bergeron, “Writing Testbenches: Functional Verification of HDL Models”, Kluwer Academic

Publishers, Boston, 2000. D.D. Gajski et. al., “SpecC: Specification Language and Methodology”, Kluwer Academic Publishers,

Boston, 2000. J. Bhasker, “ A SystemC Primer ”, Star Galaxy Press, Allentown, 2002. M. Suart and D. Dempster, “ Verification Methodology Manual for Code Coverage in HDL Designs”,

Teamwork International, Hampshire, UK, 2000. K. L. McMillan, ``Symbolic Model Checking'', Kluwer Academic Publishers, 1993. Z. Manna and A. Pnueli, “Temporal Specification and Verification of Reactive Systems” Vol. I and II,

Springer 1995. Ching-Tsun Chou, "The Mathematical Foundation of Symbolic Trajectory Evaluation", Springer-Verlag

1999. Thomas Kropf: "Introduction to Formal Hardware Verification", (Springer Verlag; ISBN: 3540654453, 299

pages, January 2000) E. M. Clarke, O. Grumberg and D. Peled, "Model Checking", (MIT Press; ISBN: 0262032708; 330 pages;

January 2000) G. J. Holzmann, “Design and Validation of Computer Protocols”, Prentice Hall, 1991. M. P. Fourman, “Formal System Design”, Formal Methods for VLSI Design, IFIP, 1990, North-Holland. C. Meinel and T. Theobald, “Algorithms and Data Structures in VLSI Design”, Springer-Verlag, 1998. Hassan Gomaa, “Designing Concurrent, Distributed and Real-Time Applications with UML”, Addison-

Wesley, July 2000.

BooksBooks L. Bening and H. Foster, “Principles of Verifiable RTL Design: Functional Coding Style Supporting

Verification Processes in Verilog”, published by Kluwer Academic Publishers, 2000. R. P. Kurshan, “Computer Aided Verification of Coordinating Processes”, Princeton University Press,

1994. Robert B. Jones, “Symbolic Simulation Methods for Industrial Formal Verification”, Kluwer Academic

Publishers, Boston, 2002. M. Yoeli, "Formal Verification of Hardware Design", IEEE Computer Society Press, 1991. (Book

containing a collection of papers) R. P. Kurshan, “Computer Aided Verification of Coordinating Processes”, Princeton University Press,

1994. G. J. Holzmann, “Design and Validation of Computer Protocols”, Prentice Hall, 1991. M. P. Fourman, “Formal System Design”, Formal Methods for VLSI Design, IFIP, 1990, North-Holland. C. Meinel and T. Theobald, “Algorithms and Data Structures in VLSI Design”, Springer-Verlag, 1998. M. Kaufmann, P. Manolios, and J S. Moore, "Computer-Aided Reasoning: An Approach", (Kluwer

Academic Publishers, June 2000; ISBN 0792377443) Robert B. Jones, Symbolic Simulation Methods for Industrial Formal Verification, Kluwer Academic

Publishers, Boston, 2002. M. Yoeli, "Formal Verification of Hardware Design", IEEE Computer Society Press, 1991. (Book

containing a collection of papers) M. Kaufmann, P. Manolios, and J S. Moore, "Computer-Aided Reasoning: An Approach", (Kluwer

Academic Publishers, June 2000; ISBN 0792377443) M. Keating and P. Bricaud “Reuse Methodology Manual for System-On-A-Chip Designs,” Kluwer

Academic Publishers, June 1998.

PapersPapersHigh Level Design and Verification Modeling D. D. Gajski, ``IP-Based Design Methodology'', Proc. of the 36th Design Automation Conference, pp.

43, New Orleans, June 1999. D. Kroening and E. Clarke, “Behavioral consistency of C and Verilog programs using bounded model

checking,” in Proc. DAC, June 2003. T. Sakunkonchak and M. Fujita, “Verification of synchronization in SpecC description with the use of

difference decision diagram,” IEICE Trans. Fundamentals, Vol. E85-A, Jan 2002. T. Matsumoto and M. Fujita, “Equivalence checking of C-based hardware descriptions by using

symbolic simulation and program slicer,” in Proc. IWLS, May 2003. T. Ball and S. Rajamani, “Checking Temporal Properties of Software with Boolean Programs”, in

Proc. Computer Aided Verification 2000, [Microsoft SLAM project] R. Bryant et . al. “Processor Verification Using Efficient Reductions of the Logic of Uninterpreted

Functions to Propositional Logic” in ACM Trans. on Computational Logic, Vol 2., 2001.

S. Singh, “Design and Verification of CoreConnectTM IP using Esterel,” in Proc CHARME 2003

S. Sutherland, “System Verilog 3.1 Its what the DAVEs in you company asked for”. in Proc. DVCON 2003

S. Abdi, D. Shin and D. Gajski, "Automatic Communication Refinement for System Level Design,” Proceedings of Design Automation Conference, Anaheim, CA, June 2003.

W. Mueller, R. Dömer, A. Gerstlauer, "The Formal Execution Semantics of SpecC,"in Proceedings of International Symposium on System Synthesis, October 2002.

PapersPapersTheorem Proving & Decision Procedures S. Owre and S. Rajan and J.M. Rushby and N. Shankar and M.K. Srivas, “PVS: Combining

Specification, Proof Checking, and Model Checking”, 411-414, CAV96. S. Owre and S. Rajan and J.M. Rushby and N. Shankar and M.K. Srivas, “PVS: Combining

Specification, Proof Checking, and Model Checking”, 411-414, CAV96. D. Cyrluk, S. Rajan, N. Shankar and M. K. Srivas, “Effective Theorem Proving for Hardware

Verification”, pp. 287-305, TPCD94. S. J. Garland and J. V. Guttag, “An Overview of LP: the Larch Prover”, Proceedings of the

Third International Conference on Rewriting Techniques and Applications, 1989, Springer-Verlag.

J. Staunstrup and M. Greenstreet, “Synchronized Transitions”, Formal Methods for VLSI Design, 1990, IFIP, North-Holland.

R. Vemuri, “How to Prove the Completeness of a Set of Register Level Design Transformations”, Proceedings of the 27th ACM/IEEE Design Automation Conference, 1990, 207—212.

D. Cyrluk, S. Rajan, N. Shankar and M. K. Srivas, “Effective Theorem Proving for Hardware Verification”, pp. 287-305, TPCD94.

S. J. Garland and J. V. Guttag, “An Overview of LP: the Larch Prover”, Proceedings of the Third International Conference on Rewriting Techniques and Applications, 1989, Springer-Verlag.

J. Staunstrup and M. Greenstreet, “Synchronized Transitions”, Formal Methods for VLSI Design, 1990, IFIP, North-Holland.

C. M. Angelo, “Formal Hardware Verification ina Silicon Compilation Environment by means of Theorem Proving”, Ph.D. Dissertation, Katholieke Universiteit Leuven (February, 1994).

PapersPapers R. Vemuri, “How to Prove the Completeness of a Set of Register Level Design

Transformations”, Proceedings of the 27th ACM/IEEE Design Automation Conference, 1990, 207—212.

Jeffrey J. Joyce and Carl-Johan H. Seger, “Linking Bdd Based Symbolic Evaluation to Interactive Theorem Proving”, Proceedings of the 30th Design Automation Conference, 1993.

S. P. Rajan, N. Shankar and M. Srivas, “An Integration of Model-Checking with Automated Proof Checking”, 7th Conference on Computer-Aided Verification, July, 1995.

M.D. Aagard, R.B. Jones and C.-J.H. Seger, “Combining Theorem Proving and Trajectory Evaluation in an Industrial Environment”, Proceedings of DAC 1998, pp. 538-541

C.W. Barrett, D.L. Dill and J.R. Levitt, “A Decision Procedure for Bit-Vector Arithmetic”, Proceedings of DAC 1998

J.R. Burch and D.L. Dill, “Automatic Verification of Pipelined Microprocessor Control”, Proceedings of CAV 1994

J.X. Su, D.L. Dill and C.W. Barrett, “Automatic Generation of Invariants in Processor Verification”, Proceedings of FMCAD 1996

M. Aagaard, M. E. Leeser, and P. J. Windley, “Toward a Super Duper Hardware Tactic”, in Higher Order Logic Theorem Proving and its Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 399-412.

F. Andersen, K. D. Petersen, and J. S. Pettersson, `A Graphical Tool for Proving UNITY Progress', in Higher Order Logic Theorem Proving and Its Applications: 7th International Workshop, Valletta, Malta, September 1994: Proceedings, edited by T. F. Melham and J. Camilleri, Lecture Notes in Computer Science, Volume 859 (Springer-Verlag, 1994), pp. 17-32.

PapersPapers S. Agerholm, `Domain Theory in HOL', in Higher Order Logic Theorem Proving and its

Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 295-310.

S. Agerholm, `Formalising a Model of the lambda-calculus in HOL-ST' Technical Report Number 354, University of Cambridge Computer Laboratory (1994).

S. Agerholm, “A HOL Basis for Reasoning about Functional Programs”, Ph.D. Dissertation, BRICS Technical Report RS-94-44, Department of Computer Science, University of Aarhus (December 1994).

S. Agerholm, “LCF Examples in HOL”, The Computer Journal, vol. 38, no. 2 (July 1995), pp. 121-130.

S. Agerholm, `Mechanizing Program Verification in HOL', in Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications, Davis, August 1991, edited by M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley (IEEE Computer Society Press, 1992), pp. 208-222.

S. Agerholm, `Mechanizing Program Verification in HOL', M.Sc. Dissertation, DAIMI Report Number IR-111, Department of Computer Science, University of Aarhus (April 1992).

S. Agerholm “Non-Primitive Recursion Function Definition”, in Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Aspen Grove, Utah, September 1995: Proceedings, edited by E. T. Schubert, P. J. Windley, and J. Alves-Foss, Lecture Notes in Computer Science, Volume 971 (Springer-Verlag, 1995), pp. 17-31.

F. Andersen and K. D. Petersen, `Recursive Boolean Functions in HOL', in Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications, Davis, August 1991, edited by M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley (IEEE Computer Society Press, 1992), pp. 367-377.

PapersPapers C. M. Angelo, L. Claesen, and H. De Man, “Degrees of Formality in Shallow Embedding

Hardware Description Languages in HOL”, in Higher Order Logic Theorem Proving and its Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 89-100.

C. M. Angelo, L. Claesen, and H. De Man, `The Formal Semantics Definition of a Multi-Rate DSP Specification Language in HOL', in Higher Order Logic Theorem Proving and its Applications: Proceedings of the IFIP TC10/WG10.2 International Workshop, Leuven, September 1992, edited by L. J. M. Claesen and M. J. C. Gordon, IFIP Transactions A-20 (North-Holland, 1993), pp. 375-394.

C. M. Angelo, L. Claesen, and H. De Man, “Modeling Multi-rate DSP Specifiction Semantics for Formal Transformational Design in HOL”, Formal Methods in System Design, vol. 5, nos. 1/2 (July 1994), pp. 61-94.

R. J. R. Back and J. von Wright, `Predicate Transformers and Higher Order Logic', in Semantics: Foundations and Applications: REX Workshop, Beekbergen, June 1992, edited by J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, Lecture Notes in Computer Science, Volume 666 (Springer-Verlag, 1993), pp. 1-20.

R. J. R. Back and J. von Wright, `Refinement Concepts Formalised in Higher Order Logic', Formal Aspects of Computing, Vol. 2, No. 3 (July-September 1990), pp. 247-272.

S. Bainbridge, A. Camilleri, and R. Fleming, `Industrial Application of Theorem Proving to System Level Design', in Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications, Davis, August 1991, edited by M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley (IEEE Computer Society Press, 1992), pp. 130-142.

F. Andersen, K. D. Petersen, and J. S. Pettersson, `Program Verification using HOL-UNITY', in Higher Order Logic Theorem Proving and its Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 1-15.

PapersPapers R. H. Beers and P. J. Windley, `Abstracting Signals: The waveform Library', in

Supplementary Proceedings of the 9th International Conference on Theorem Proving in Higher Order LogicsL TPHOLs ’96, edited by J. von Wright, J. Grundy, and J. Harrison, TUCS General Publication No 1, Turku Centre for Computer Science (August, 1996), pp. 1-13.

G. Birtwistle and B. Graham, `Verifying SECD in HOL', in Formal Methods for VLSI Design: IFIP WG 10.2 Lecture Notes, edited by J. Staunstrup (North-Holland, 1990), pp. 129-177.

G. Birtwistle, B. Graham, and S.-K. Chin, “New theory HOL: An Introduction to Hardware Verification in Higher Order Logic”, (August 1994). [Published electronically.]

R. Boulton, `Boyer-Moore Automation for the HOL System', in Higher Order Logic Theorem Proving and its Applications: Proceedings of the IFIP TC10/WG10.2 International Workshop, Leuven, September 1992, edited by L. J. M. Claesen and M. J. C. Gordon, IFIP Transactions A-20 (North-Holland, 1993), pp. 133-142.

R. Boulton, “Combining Decision Procedures in the HOL System”, in Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Aspen Grove, Utah, September 1995: Proceedings, edited by E. T. Schubert, P. J. Windley, and J. Alves-Foss, Lecture Notes in Computer Science, Volume 971 (Springer-Verlag, 1995), pp. 75-89.

R. J. Boulton, “Efficiency in a Fully-Expansive Theorem Prover”, Ph.D. Dissertation, Technical Report Number 337, University of Cambridge Computer Laboratory (May 1994).

PapersPapersFormal Verification: SAT Solvers J. Marques-Silva and K. Sakallah, “GRASP: A Search Algorithm for Propositional

Satisfiability”, IEEE Transactions on Computers, 48(5):506-521, May 1999 M. Sheeran and G. Stalmarck, “A tutorial on Stalmarck’s proof procedure for propositional

logic”, Formal Methods in System Design, 16(1):23-58, January 2000 M.H. Moskewicz et. al., “Chaff: engineering an efficient SAT solver,” in Proc. Design

Automation Conf., June 2001. E. Goldberg and Y. Novikov, “BerkMin: a Fast and Robust Sat-Solver”, Proceedings of Design

Automation and Test in Europe, pp.142-149, March 2002.

Formal Verification: BDDs R. E. Bryant, “Graph Based Algorithms for Boolean Function Manipulation”, IEEE

Transactions on Computers, Vol. C-35-8, pp. 677- 691, August 1986 R. Rudell, “Dynamic Variable Ordering for Ordered Binary Decision Diagrams”, Proceedings

of ICCAD 1993, pp. 42- 45 R. E. Bryant, “On the Complexity of VLSI Implementations and Graph Representations of

Boolean Functions with Application to Integer Multiplication”, IEEE Transactions on Computers, Vol. 40, No. 2, pp, 205-213, February 1991

B. Bollig and I. Wegener, “Improving the variable ordering for OBDDs is NP-complete”, IEEE Transactions on Computers, Vol. 45, No. 9, pp. 993-1002, September 1996

M. Fujita, H. Fujitsawa and Y. Matsunaga, “Variable Ordering Algorithms for Ordered Binary Decision Diagrams and their Evaluation”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 12, No. 1, pp. 6- 12, January 1993

R. Bryant, “Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams”, slides from a presentation by Prof. Bryant in August 1999

PapersPapersFormal Verification: Symbolic Model Checking (BDDs) D. L. Dill, “The Mur Verification System”, 390-393, CAV96. R. Bryant, E. Clarke, K. McMillan and A. Emerson, “Binary Decision Diagrams and

Symbolic Model Checking”, slides from a presentation at Symposium on Algorithms in the Real World, May, 2000

E. M. Clarke, E. A. Emerson and A. P. Sistla, ``Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications'', ACM Trans. on Programming Language and Systems, Vol.8, No.2, pp 244-263, April 1986.

J. Burch, E. Clarke, D. Long, K. McMillan, D. Dill, “Symbolic Model Checking for Sequential Circuit Verification”, IEEE Trans. Computer Aided Design, 13, 1994, 401-424.

C. Kern and M. Greenstreet, "Formal Verification in Hardware Design: A Survey", ACM Transactions on Design Automation of E. Systems, Vol. 4, April 1999, pp. 123-193.

H. Iwashita and T. Nakata, `` Forward Model Checking Techniques Oriented to Buggy Designs'', Proceedings of ICCAD, pp. 400-404, 1997.

K. Takayama, T. Satoh, T. Nakata, and F. Hirose, ``An approach to Verify a Large Scale System-on-a-chip Using Symbolic Model Checking'', Proceedings of ICCD, 1998.

A. J. Hu, “Formal Hardware Verification with BDDs : An Introduction”, ACM Transactions on Programming Languages and Systems, 1997.

M. Kaufmann, A. Martin, and C. Pixley, "Design Constraints in Symbolic Model M. Kaufmann, A. Martin, and C. Pixley, "Design Constraints in Symbolic Model Checking", Proc. CAV-98, pp. 477-487, 1998.Checking", Proc. CAV-98, pp. 477-487, 1998.

K. L. McMillan, "Fitting formal methods into the design cycle", Proceedings of the 31st K. L. McMillan, "Fitting formal methods into the design cycle", Proceedings of the 31st Design Automation Conference, pp. 314-19, 1994Design Automation Conference, pp. 314-19, 1994

PapersPapersFormal Verification with SAT solvers P. Abdulla, P. Bjesse and N. Een, “Symbolic Reachability Analysis Based on SAT

Solvers”, Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp. 41-425, March 2000

P. Williams et al, “Combining Decision Diagrams and SAT Procedures for Efficient Symbolic Model Checking”, Proc. of the 12th CAV, pp. 124-138, July 2000

M. Sheeran, S. Singh and G. Stalmarck, “Checking Safety Properties Using Induction and a SAT Solver”, Proc. of the 3rd Intl. Conference on Formal Methods in CAD (FMCAD), pp. 208-125, Nov. 2000

P. Bjesse and K. Claessen, “SAT-based Verification without State Space Traversal”, Proc. of the 3rd FMCAD, pp. 372-389, Nov. 2000

K.L. McMillan, “Applying SAT Methods in Unbounded Model Checking”, Proc. of the 14th CAV, pp. 250-264, July 2002

K.L. McMillan, “Interpolation and SAT-based Model Checking”, Proc. of the 15 th CAV, July 2003

I. Park and H. Kang, “SAT-based unbounded symbolic model checking”, Proceedings of DAC, pp. 840-843, June 2003

PapersPapers

Equivalence Checking D. Brand, “Verification of Large Synthesized Designs”, Proceedings of ICCAD,

November 1993, pp. 534-537 A. Kuehlmann and F. Krohm, “Equivalence Checking using Cuts and Heaps”,

Proceedings of DAC 1997, pp. 263-268 Y. Matsunaga, “An Efficient Equivalence Checker for Combinational Circuits”,

Proceedings of DAC 1996, pp. 629-634 R. Mukherjee, J. Jain, K. Takayama, M. Fujita, J. Abraham and D. Fussell, “An

Efficient Filter Based Approach for Combinational Verification”, in IEEE Transactions on CAD, 18:1542-1557, Nov. 1999

H. Cho and C. Pixley, “Apparatus and Method for deriving correspondences between storage elements of a first circuit model and storage elements of a second circuit model”, U.S. Patent 5,638,381, June 1997

K. Ng, M. Prasad, R. Mukherjee and J. Jain, “Solving the Latch Mapping Problem in an Industrial Setting”, Proceedings of DAC 2003, pp. 442-447

C.A.J. van Eijk, “Sequential Equivalence Checking Based on Structural Similarities”, IEEE Transactions on CAD, 19(7):814-819, July 2000

S.-Y. Huang, K.-T. Cheng, K.-C. Chen and F. Brewer, “AQUILA: An Equivalence Checking System for Large Sequential Circuits”, IEEE Transactions on Computers, 49(5), May 2000

PapersPapersSemi-Formal Verification R. E. Bryant, “Symbolic Simulation -- Techniques and Applications”, Proceedings of

DAC 1990 R.B. Jones, “Applications of Symbolic Simulation to the Formal Verification of

Microprocessors”, Ph.D. Thesis, Computer Systems Laboratory, Stanford University, August 1999

R.E. Bryant and C.J.H. Seger, “Formal hardware verification by symbolic trajectory evaluation,” in Proc. Design Automation Conf., June 1991.

C.-J.H. Seger and R.E. Bryant, “Formal Verification by Symbolic Evaluation of Partially Ordered Trajectories”, Formal Methods in System Design, Vol. 6, No. 2, pp. 147-190, 1995

E. Clarke, A Biere, R. Raimi and Y. Zhu, “Bounded Model Checking Using Satisfiability Solving”, in Formal Methods in System Design, 19(1): 7-34, July 2001, Kluwer Academic Publishers

O. Shtrichman, “Tuning SAT Checkers for bounded model checking,” in Proc. Int. Conf. on Computer-Aided Verification, July 2000.

F. Fallah, “Binary Time-Frame Expansion”, Proc. of ICCAD, pp. 458-464, Nov. 2002 A. Gupta et al, “Learning from BDDs in SAT-based bounded model checking,” in

Proc. Design Automation Conf., June 2003. V. Boppana, S. Rajan, K. Takayama and M. Fujita, “Model Checking Based on

Sequential ATPG”, Proceedings of CAV, pp. 418-430, July 1999. J. Abraham, V. Vedula and D. Saab, “Verifying Properties Using Sequential ATPG”,

Proceedings of International Test Conference, October 2002

PapersPapers D. Dill and S. Tasiran, "Simulation meets Formal Verification?", slides from a

presentation at ICCAD'99. D. Dill, "Alternative Approaches to Formal Verification (Symbolic Simulation)", slides

from a presentation at CAV 1999. C. H. Yang and D. L. Dill, “Validation with Guided Search of the State Space”,

Proceedings of DAC 1998 M. Ganai et al, “SIVA: A System for Coverage Directed State Space Search”, In Journal

of Electronic Testing: Theory and Applications (JETTA), February 2001 P.-H. Ho et al, “Smart Simulation Using Collaborative Formal and Simulation Engines”,

Proceedings of ICCAD, pp. 120-126, November 2000 Y. Hoskote, T. Kam, P. Ho and X. Zhao, ``Coverage Estimation for Symbolic Model

Checking'', Proc. of the 36th Design Automation Conference, New Orleans, June 1999. S. Katz, O. Grumberg and D. Geist, ``Have I written enough properties? - A method of

comparison between specification and implementation'', Technical Report, IBM Haifa Research Laboratory, Haifa, Israel, 1999.

Model Checking in Practice S. Berezin, S. Campos and E. M. Clarke, ``Compositional Reasoning in Model

Checking'', Technical Report - CMU-CS-98-106, School of Computer Science, Carnegie Mellon University, February, 1998.

PapersPapers K. L. McMillan, "A compositional rule for hardware design refinement", Computer Aided Verification

(CAV97), O. Grumberg (Ed.), Haifa, Israel, pp. 24-35, 1997. T.A.Henzinger, S. Qadeer, and S.K.Rajamani, "You assume, We guarantee : Methodology and Case

Studies" CAV98: Computer Aided Verification, Lecture Notes in Computer Science, Springer-Verlag, pp. 440-451, 1998.

G. Mosensoson, “Practical Approaches to SoC Verification”, DATE 2000. J. L. Nielsen, H. R. Andersen, G. Behrmann, H. Hulgaard, K. Kristoffersen and K. G. Larsen, “Verification

of Large State/Event Systems using Compositionality and Dependency Analysis”, Proceedings of TACAS 1998, LNCS 1384, April 1998.

D. Geist, G. Biran, T. Arons, M. Slavkin, Y. Nustov, M. Farkas, and K. Holtz, “A Methodology for the verification of a System on Chip”, Proc. Of DAC 1999, pp. 574-579.

A. Evans, A. Silburt, G. Vrckovnik, T. Brown, M. Dufresne, G. Hall, T. Ho and Y. Liu, “Functional Verification of Large ASICs”, Proc. Of DAC, 1998.

S. Taylor, M. Quinn, D. Brown, N. Dohm, S. Hildebrandt, J. Higgins and C. Ramey, “Functional Verification of a Multiple-issue, Out-of-Order, Superscalar Alpha Processor – the DEC Alpha 21264 Microprocessor”, Proc. Of DAC, 1998.

T. Henzinger, X. Liu, S. Qadeer and S. Rajamani, “Formal Specification and Verification of a Dataflow Processor Array,”Proceedings of ICCAD 1999

D. Wang, “SAT based Abstraction Refinement for Hardware Verification”, Ph.D. thesis, ECE Dept., Carnegie Mellon University, May 2003

Shankar G. Govindaraju, David L. Dill, Alan J. Hu, and Mark A. Horowitz. "Approximate Reachability with BDDs using Overlapping Projections,” in Proc. DAC 1998

Gaurishankar Govindaraju, "Approximate Symbolic Model Checking using Overlapping Projections" Ph.D. thesis, Stanford University, August 2000.

PapersPapersSimulation Based Verification I. Ghosh and M. Fujita, ``Automatic test pattern generation for functional register-transferlevel circuits using

assignment decision diagrams,'' IEEE. Trans. on Computer-Aided Design, Vol. 20, No. 3, pp. 402-415, March 2001.

F. Fallah, S. Devadas, and K. Keutzer, ``OCCOM: Efficient computation of observability-based code coverage metrics for functional verification,'' IEEE. Trans. on Computer-Aided Design, Vol. 20, No. 8, pp. 1003-1015, Aug. 1998.

F. Fallah, S. Devadas, and K. Keutzer, ``Functional vector generation for HDL models using linear programming and 3-satisfiability,”{\em IEEE. Trans. on Computer-Aided Design}, Vol. 20, No. 8, pp. 994-1002, Aug. 1998.

S. Ravi, G. Lakshminarayana, and N.K. Jha, ``TAO: Regular expression based high-level testability analysis and optimization,'' in Int. Test Conf., pp. 331-340, Oct. 1998.

I. Ghosh and S. Ravi, “On automatic generation of RTL validation test benches using circuit testing techniques,” in Proc. Great Lakes Symposium on VLSI, April 2003.

L. Zhang, I. Ghosh and M. Hsiao, “Efficient sequential ATPG for functional RTL circuits,” in Proc. International Test Conference, Oct. 2003.

L. Zhang, I. Ghosh and M. Hsiao, “Automatic design validation framework for HDL descriptions via RTL ATPG,” in Proc. Asian Test Symposium, Nov. 2003

F. Fallah, I. Ghosh, and M. Fujita, “Event driven observability enhanced coverage analysis of C programs for functional validation,” in {\em Proc. Asia and South Pacific Design Automation Conference}, Jan. 2003.

K. Ara and K. Suzuki, “A proposal for transaction level verification with component wrapper language,” Proc. Design Automation and Test in Europe, March 2003.

A. U. Shankar, "An Introduction to Assertional Reasoning for Concurrent Systems", ACM Computing Surveys, Sept. 1993, Vol 25, No. 3, pp. 225-262

PapersPapers S. Ramesh and P. Bhaduri, “Validation of Pipelined Processor Designs using Esterel

Tools: A Case Study”, Proc. of CAV '99, LNCS Vol. 1633, 1999. C. Eisner et. al. “The Temporal Logic Sugar” in Proc. Int Conf. on Computer-aided

Verification 2001.

Miscellaneous J. Jain, W. Adams and M .Fujita, “Sampling Schemes for Computing OBDD Variable

Orderings”, Proceedings of ICCAD 1998, pp. 331-338 J. Jain, R. Mukherjee and M. Fujita, “Advanced Verification Technique Based on

Learning”, Proceedings of DAC 1995, pp. 420-426 C. H. Yang and D. L. Dill, “Validation with Guided Search of the State Space”,

Proceedings of DAC 1998 A. Jain, “Formal Hardware Verification by Symbolic Trajectory Evaluation”, Ph.D.

Thesis, Dept. of Electrical and Computer Engineering, Carnegie Mellon University, August 1997

C.-J.H. Seger and R.E. Bryant, “Formal Verification by Symbolic Evaluation of Partially Ordered Trajectories”, Formal Methods in System Design, Vol. 6, No. 2, pp. 147-190, 1995

Important web-sitesImportant web-sites

http://www.comlab.ox.ac.uk/archive/formal-methods.html

http://www.csl.sri.com

http://www-cad.eecs.Berkeley.edu/ vis

http://godel.ece.utexas.edu/texas97-benchmarks/

http://citeseer.nj.nec.com/

http://www.rational.com/uml (Universal Modelling Language HOME-PAGE)

http://www-sop.inria.fr/meije/verification/esterel

http://www.accellera.org

http://www.systemC.org

http://www.specC.org

Conference ProceedingsConference Proceedings Computer Aided Verification (CAV)

Formal Methods in Computer Aided Design (FMCAD)

International Conference on Computer-Aided Design (ICCAD)

International Conference on Computer Design (ICCD)

Design Automation Conference (DAC) Asia South Pacific Design Automation Conference (ASPDAC)

International Conference on VLSI Design (VLSI)

Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME)

Journals/MagazinesJournals/Magazines IEEE Design and Test of Computers

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

IEEE Transactions on Computers

IEEE Transactions on VLSI Systems

ACM Transactions on Design Automation of ELectronic Systems

Formal Methods in System Design

Formal Aspects of Computing

high level design validation: current practices & future trends 17th international conference on...

Documents

u verification of exclusive

y slide

formal verification

simulation u z

xy x

n cases x y

verification issues

verification methods