JAA, 3/21/2007
Practical Formal – Mainstream Formal for the Rest of Us
Jacob A. Abraham
DVClub Meeting, Austin, Texas
March 21, 2007
Is Formal Verification Mainstream?
• Formal equivalence checking: only up to the RT level
• What about formal property checking? Can it deal with the properties used in a simulation-based flow?
• What characteristics prevent formal verification from being more widely used?
  ■ It needs to deal with complex designs
  ■ It needs to fit seamlessly into the design flow
Directions to Make Formal Mainstream
• Engines which can deal with real designs
  ■ Multiple clock domains
  ■ Tristate signals (not Boolean)
• Deal with design descriptions at higher levels, reducing the complexity of analysis
  ■ Static analysis of the design description will scale (unlike a functional analysis)
• Automated techniques which fit into the design flow
  ■ No distractions when concentrating on design
ATPG Engines to Check Properties
• Some work has been done on checking safety properties with ATPG engines
• Detecting a "stuck-at-0" fault on a signal p is equivalent to establishing EF p (some reachable state drives p to 1)
  [Figure: circuit with an internal signal p as the fault site]
• Verify the design at the lowest level possible, for example the ATPG level: this deals with tri-states, multiple clocks, etc.
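The "stuck-at-0 on p is EF p" correspondence, as an added Python illustration (it is not code from the talk or from any ATPG engine it refers to). The finite-state machine, its input alphabet and the signals p and q are all constructed for this example; as on the slide, the fault site p is treated as directly observable. The model-checking side searches the state graph for EF p; the ATPG side does plain time-frame expansion, enumerating input sequences until the good and faulty machines disagree. Both return the same test for p, and both fail for q, whose defining state is unreachable (an undetectable, redundant fault).

```python
from collections import deque
from itertools import product

# Constructed example (not from the talk): a tiny handshake controller as a
# finite-state machine with symbolic state names and a small input alphabet.
IDLE, BUSY, DONE, ERR = "IDLE", "BUSY", "DONE", "ERR"
RESET = IDLE
INPUTS = ("start", "ack", "nop")

def next_state(s, x):
    """Next-state function of the constructed controller."""
    if s == IDLE:
        return BUSY if x == "start" else IDLE
    if s == BUSY:
        return DONE if x == "ack" else BUSY
    if s == DONE:
        return IDLE
    return ERR          # ERR is a trap state that no other state ever enters

def p(s, x):
    """Signal p: asserted while the controller is in DONE."""
    return s == DONE

def q(s, x):
    """Signal q: asserted in ERR. ERR is unreachable, so q is redundant logic."""
    return s == ERR

def simulate(sig, seq, fault=None):
    """Observed values of sig along an input sequence from reset.
    fault='sa0' injects a stuck-at-0 fault at sig: the observer always sees 0."""
    s, observed = RESET, []
    for x in seq:
        observed.append(False if fault == "sa0" else sig(s, x))
        s = next_state(s, x)
    return observed

def ef_witness(sig):
    """Model-checking view: breadth-first search for EF sig, returning the shortest
    input sequence from reset that reaches a state/input pair where sig holds."""
    seen, frontier = {RESET}, deque([(RESET, [])])
    while frontier:
        s, path = frontier.popleft()
        for x in INPUTS:
            if sig(s, x):
                return path + [x]
            t = next_state(s, x)
            if t not in seen:
                seen.add(t)
                frontier.append((t, path + [x]))
    return None          # sig is never 1 in a reachable state: EF sig is false

def atpg_sa0(sig, max_depth=6):
    """ATPG view: time-frame expansion. Enumerate input sequences of growing length
    until the good machine and the stuck-at-0 machine disagree at sig."""
    for depth in range(1, max_depth + 1):
        for seq in product(INPUTS, repeat=depth):
            seq = list(seq)
            if simulate(sig, seq) != simulate(sig, seq, fault="sa0"):
                return seq   # a test for sig stuck-at-0 is exactly an EF sig witness
    return None          # no test up to max_depth: the fault is undetectable

if __name__ == "__main__":
    for name, sig in (("p", p), ("q", q)):
        print(name, "EF witness:", ef_witness(sig), " ATPG test:", atpg_sa0(sig))
```

The ATPG search is bounded by max_depth (an assumed value); a real sequential ATPG engine would either prove redundancy or give up at its own bound, which is the same bounded/unbounded distinction a bounded model checker faces for EF.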
RTL to RTL Equivalence Checking
• Use Term Rewriting Systems (TRS)
• Significant success with RTL "term"-level reductions
• Verification of arithmetic circuits at the RTL level using term rewriting
• RTL to RTL equivalence checking: verified large multiplier designs (Booth, Wallace tree and many optimized multipliers) using this rewriting technique
RTL Equivalence Using TRSs
[Figure: the Golden RTL and the Revised RTL are each translated by VTrans into a Golden TRS and a Revised TRS; Vprover takes the two TRSs and produces the equivalence proof]
Why It Works
• Congruence between the RTL states (terms) of the two designs, given the RTL state-transition graph (TRS)
• Equivalence is proved by showing that one term can be rewritten to the other
• SAT solvers, STE engines, gate-level equivalence checkers, etc. serve as proof engines
• Comparison points in the RTL state space: congruence at every comparison point covers the entire data space of the designs
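Term-level equivalence of two multiplier descriptions (slides 5 and 7), as an added Python illustration rather than VERIFIRE or the talk's TRS. The rewriting system here is deliberately small: a term is a polynomial over the integers in the bit variables of the operands, and the only rules are distributivity and the bit rule x·x → x, which together rewrite any sum-of-partial-products description to a unique normal form. The "golden" array multiplier and a radix-4 Booth-recoded "revised" multiplier (both constructed for the example; any adder-tree regrouping such as a Wallace tree normalizes the same way) rewrite to the same term, and when a bug is injected (the top Booth digit dropped) the non-zero difference term yields a concrete counterexample.

```python
from itertools import product
from math import prod

# Added example (not VERIFIRE or the talk's TRS): terms are polynomials over the
# integers in bit variables, stored as {frozenset(variables): coefficient}.
# Rewriting to this normal form uses distributivity plus the bit rule x*x -> x.

def const(c):
    return {frozenset(): c} if c else {}

def var(name):
    return {frozenset([name]): 1}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
        if r[m] == 0:
            del r[m]
    return r

def scale(p, k):
    return {m: c * k for m, c in p.items()} if k else {}

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            r[m1 | m2] = r.get(m1 | m2, 0) + c1 * c2   # union of monomials: x*x -> x
    return {m: c for m, c in r.items() if c}

def evaluate(p, env):
    """Value of a term under a 0/1 assignment to its bit variables."""
    return sum(c * prod(env[v] for v in m) for m, c in p.items())

def bits(name, n):
    return [var(f"{name}{i}") for i in range(n)]

def weighted(bs):
    """Unsigned binary interpretation: sum of b_i * 2^i."""
    acc = const(0)
    for i, b in enumerate(bs):
        acc = add(acc, scale(b, 2 ** i))
    return acc

def array_multiplier(n):
    """Golden RTL: n rows of partial products a_j*b_k*2^(j+k), accumulated row by row."""
    a, b = bits("a", n), bits("b", n)
    acc = const(0)
    for k in range(n):
        for j in range(n):
            acc = add(acc, scale(mul(a[j], b[k]), 2 ** (j + k)))
    return acc

def booth_radix4(n, drop_last_group=False):
    """Revised RTL: radix-4 Booth recoding of the unsigned multiplier B into digits
    d_i = b_{2i-1} + b_{2i} - 2*b_{2i+1} (b_{-1} = 0, bits beyond n-1 are 0), then
    the sum of d_i * A * 4^i. drop_last_group=True injects a bug (top digit missing)."""
    a, b = bits("a", n), bits("b", n)
    A = weighted(a)
    bit = lambda i: b[i] if 0 <= i < n else const(0)
    groups = n // 2 + (0 if drop_last_group else 1)
    acc = const(0)
    for i in range(groups):
        digit = add(add(bit(2 * i - 1), bit(2 * i)), scale(bit(2 * i + 1), -2))
        acc = add(acc, scale(mul(digit, A), 4 ** i))
    return acc

def variable_names(n):
    return [f"a{i}" for i in range(n)] + [f"b{i}" for i in range(n)]

def counterexample(p, q, names):
    """None if the two normal forms agree; otherwise the first assignment on which
    the difference term p - q evaluates to a non-zero value."""
    diff = add(p, scale(q, -1))
    if not diff:
        return None
    for vals in product((0, 1), repeat=len(names)):
        env = dict(zip(names, vals))
        if evaluate(diff, env) != 0:
            return env
    return None

if __name__ == "__main__":
    print("4x4 array == Booth:", array_multiplier(4) == booth_radix4(4))
    print("buggy Booth counterexample:",
          counterexample(array_multiplier(4), booth_radix4(4, drop_last_group=True),
                         variable_names(4)))
```

Comparing normal forms is the cheap case of "rewrite one term into the other": when the designs are equal the difference term is empty and no Boolean engine is needed at all, and when they differ the difference term is the small residue that would be handed to a SAT solver or gate-level checker as the proof engine.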
Results on Multipliers (Wallace tree multipliers; run time in seconds)

Wallace Tree   VERIFIRE   Commercial Tool 1   Commercial Tool 2
4 x 4          14s        10s                 9s
8 x 8          18s        18s                 16s
16 x 16        25s        Unfinished          Unfinished
32 x 32        40s        Unfinished          Unfinished
64 x 64        60s        Unfinished          Unfinished
Sequential Equivalence Checking: Using Sequential Compare Points
• Introduce the notion of sequential compare points
• Sequential compare points are two-tuple entities
  ■ Identification w.r.t. relative position in time
  ■ Identification w.r.t. space (data or variables)
• Co-ordinates on the space-time axis of both designs being compared
• Exactly model the sequential behavior of the designs
Equivalence Checking Using Sequential Compare Points
• Variables of interest (observables) obtained from the user or the block diagram
  ■ Typically include primary outputs
  ■ Can also include relevant intermediate variables
• Symbolic expressions obtained for the observables assigned in a given cycle
• Symbolic expressions compared at the sequential compare points
  ■ Comparison using a SAT solver in this work; other Boolean-level engines can also be used
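Comparison at sequential compare points, as an added Python example (not the talk's tool). Two constructed designs compute the same function, one with a single register and one pipelined into two, so their observable out agrees only at compare points with different time coordinates: (out, t) in design A against (out, t+1) in design B. The symbolic expression for each observable in each cycle is built by symbolic simulation with truth-table vectors (an integer whose bit b holds the value under input assignment b); integer equality is then exact equivalence, which for this small bound (four cycles, assumed) stands in for the SAT call the talk uses. Pairing the two outs by the same cycle number, i.e. getting the time coordinate wrong, produces mismatches, and the first differing bit decodes to a concrete input sequence.

```python
# Added example (not the talk's tool): symbolic simulation of two sequential designs
# with truth-table vectors, compared at sequential compare points (variable, cycle).
# A symbolic value is an int whose bit b is the value under input assignment number b.

N_CYCLES = 4                       # bounded unrolling depth (assumption)
N_VARS = 2 * N_CYCLES              # one x and one y input per cycle

def sym_var(i):
    """Truth-table vector of the i-th symbolic input variable."""
    return sum(1 << b for b in range(1 << N_VARS) if (b >> i) & 1)

def var_name(i):
    return f"{'x' if i % 2 == 0 else 'y'}{i // 2}"

XS = [sym_var(2 * t) for t in range(N_CYCLES)]        # x input of cycle t
YS = [sym_var(2 * t + 1) for t in range(N_CYCLES)]    # y input of cycle t

def run_design_a(xs, ys):
    """Design A: one register. acc <= acc ^ (x & y); observable out = acc."""
    acc, trace = 0, []
    for x, y in zip(xs, ys):
        trace.append(acc)          # trace[t] is the symbolic value of (out, t)
        acc = acc ^ (x & y)
    return trace

def run_design_b(xs, ys):
    """Design B: same function, pipelined into two registers.
    p <= x & y; acc <= acc ^ p; observable out = acc, one cycle later than in A."""
    p, acc, trace = 0, 0, []
    for x, y in zip(xs, ys):
        trace.append(acc)
        acc, p = acc ^ p, x & y    # both registers update on the same clock edge
    return trace

def mismatches(trace_a, trace_b, compare_points):
    """Compare points are pairs (t_a, t_b): (out_A, t_a) must equal (out_B, t_b)."""
    return [(ta, tb) for ta, tb in compare_points if trace_a[ta] != trace_b[tb]]

def witness(val_a, val_b):
    """Decode the lowest assignment index on which two symbolic values differ."""
    diff = val_a ^ val_b
    if diff == 0:
        return None
    b = (diff & -diff).bit_length() - 1
    return {var_name(i): (b >> i) & 1 for i in range(N_VARS)}

SHIFTED = [(t, t + 1) for t in range(N_CYCLES - 1)]   # B lags A by one cycle
SAME_TIME = [(t, t) for t in range(N_CYCLES)]          # wrong time coordinates

def compare(points):
    return mismatches(run_design_a(XS, YS), run_design_b(XS, YS), points)

def counterexample(points):
    """Input assignment exposing the first mismatching compare point, if any."""
    a, b = run_design_a(XS, YS), run_design_b(XS, YS)
    bad = mismatches(a, b, points)
    return witness(a[bad[0][0]], b[bad[0][1]]) if bad else None

if __name__ == "__main__":
    print("shifted compare points:  ", compare(SHIFTED))
    print("same-time compare points:", compare(SAME_TIME), "witness:", counterexample(SAME_TIME))
```

Truth-table vectors double in size with every symbolic input, so this representation stops at a few dozen inputs; the symbolic expressions themselves are what scale, and at that point the equality check at each compare point becomes a SAT query on their XOR.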
Example: Viterbi Decoder
• Part of a digital radio (DRM) in SystemC; the DRM SoC was partitioned to implement the Viterbi decoder as a hardware accelerator
• SystemC specification: basic model implementing the Viterbi algorithm, no optimizations
• Viterbi Verilog RTL implementations
  ■ First implementation: optimized for speed
  ■ Second implementation: optimized for area
Results
Antecedent Conditioned Slicing for Verification
• Slice away the part of the design that is irrelevant to the property being verified
• Safety properties of the form G (antecedent => consequent)
• Use the antecedent to specify the states in which we are interested
• We do not need to preserve program executions where the antecedent is false
• The resulting abstraction is called an antecedent conditioned slice
Example Properties of the USB 2.0 Core
G((crc5err ∨ ¬match) => ¬send_token)
  If a packet with a bad CRC5 is received, or there is an endpoint field mismatch, the token is ignored
G((state == SPEED_NEG_FS) => X(((mode_hs) ∧ (T1_gt_3_0ms)) => (next_state == RES_SUSPEND)))
  If the machine is in the speed negotiation state, then in the next clock cycle, if it is in high speed mode for more than 3 ms, it will go to the suspend state
G(((state == RESUME_WAIT) ∧ (idle_cnt_clr)) => F(state == NORMAL))
  If the machine is waiting to resume operation and the idle_cnt_clr signal is asserted, eventually (after 100 ms) it will return to normal operation
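Antecedent conditioned slicing on a property shaped like the second USB property above (slides 13 and 14), as an added Python example that is not the talk's slicer or the USB 2.0 core. The link controller, its signal names and the two property operands are constructed; the antecedent state == NEG is supplied as the variable binding {state: NEG}. Substituting that binding into the next-state logic before taking the dependency cone removes the case arms for the other states, so the inputs and registers only those arms read (link_up, retry) fall out of the slice, whereas the ordinary static slice keeps them. The check then evaluates the consequent for every assignment to the slice's variables, leaving any registers in the slice unconstrained (an over-approximation that is sound for a safety property: an assumption of this example, not the decomposition the talk describes); the same specialization, with "instruction i is in flight" as the antecedent, is what carves a processor into per-instruction machines.

```python
from itertools import product

# Added example, not the talk's slicer: a tiny expression language for next-state
# logic, a conditioned slice computed by substituting the antecedent's bindings and
# taking the dependency cone, and an exhaustive check of the consequent over the slice.
def V(n):         return ("var", n)
def C(v):         return ("const", int(v))
def AND(a, b):    return ("and", a, b)
def OR(a, b):     return ("or", a, b)
def NOT(a):       return ("not", a)
def EQ(a, b):     return ("eq", a, b)
def ITE(c, a, b): return ("ite", c, a, b)

FOLD = {"and": lambda a, b: int(a and b), "or": lambda a, b: int(a or b),
        "not": lambda a: int(not a), "eq": lambda a, b: int(a == b),
        "ite": lambda c, a, b: a if c else b}

IDLE, NEG, HS, SUSPEND = 0, 1, 2, 3
DOMAINS = {"state": (IDLE, NEG, HS, SUSPEND)}     # every other variable is one bit

def make_design(neg_arm):
    """Hypothetical link controller (constructed); neg_arm is the next-state logic in NEG."""
    next_state = ITE(EQ(V("state"), C(IDLE)), ITE(V("link_up"), C(NEG), C(IDLE)),
                 ITE(EQ(V("state"), C(NEG)), neg_arm,
                 ITE(EQ(V("state"), C(HS)), ITE(V("link_up"), C(HS), C(IDLE)),
                     ITE(AND(V("link_up"), EQ(V("retry"), C(0))), C(IDLE), C(SUSPEND)))))
    return {"signals": {"next_state": next_state},
            "regs": {"state": V("next_state"),
                     "retry": ITE(EQ(V("state"), C(SUSPEND)), C(1), C(0)),
                     "led": ITE(V("blink"), NOT(V("led")), V("led"))}}

GOOD = make_design(ITE(AND(V("mode_hs"), V("t_expired")), C(SUSPEND),
                       ITE(V("t_expired"), C(HS), C(NEG))))
BUGGY = make_design(ITE(V("t_expired"), C(HS),                 # bug: tests t_expired first,
                        ITE(AND(V("mode_hs"), V("t_expired")), C(SUSPEND), C(NEG))))  # never suspends

def simplify(e, env, design):
    """Substitute env, inline combinational signals, and constant-fold."""
    op = e[0]
    if op == "const":
        return e
    if op == "var":
        if e[1] in env:
            return C(env[e[1]])
        if e[1] in design["signals"]:
            return simplify(design["signals"][e[1]], env, design)
        return e
    args = [simplify(a, env, design) for a in e[1:]]
    if all(a[0] == "const" for a in args):
        return C(FOLD[op](*(a[1] for a in args)))
    if op == "ite" and args[0][0] == "const":
        return args[1] if args[0][1] else args[2]     # dead arm disappears
    if op in ("and", "or"):
        absorb = 0 if op == "and" else 1
        for a, other in ((args[0], args[1]), (args[1], args[0])):
            if a == C(absorb):
                return C(absorb)
            if a == C(1 - absorb):
                return other
    return (op, *args)

def deps(e):
    if e[0] == "var":
        return {e[1]}
    if e[0] == "const":
        return set()
    return set().union(*[deps(a) for a in e[1:]])

def conditioned_slice(design, targets, env):
    """Registers and inputs the targets depend on once env (the antecedent's bindings)
    is substituted, closed under the registers' own next-state logic. env={} gives
    the ordinary static slice."""
    kept, work = set(), list(targets)
    while work:
        for v in deps(simplify(work.pop(), env, design)):
            if v not in kept:
                kept.add(v)
                if v in design["regs"]:
                    work.append(design["regs"][v])
    return kept

def check_property(design, antecedent, consequent):
    """G(antecedent => consequent), antecedent given as variable bindings. Evaluates the
    consequent for every assignment to the slice's variables; returns None if it holds,
    otherwise a counterexample assignment."""
    kept = sorted(conditioned_slice(design, [consequent], antecedent))
    for vals in product(*(DOMAINS.get(v, (0, 1)) for v in kept)):
        env = {**antecedent, **dict(zip(kept, vals))}
        if not simplify(consequent, env, design)[1]:
            return env
    return None

# G((state == NEG) => ((mode_hs AND t_expired) => (next_state == SUSPEND)))
ANTECEDENT = {"state": NEG}
CONSEQUENT = OR(NOT(AND(V("mode_hs"), V("t_expired"))), EQ(V("next_state"), C(SUSPEND)))

if __name__ == "__main__":
    print("static slice:     ", sorted(conditioned_slice(GOOD, [CONSEQUENT], {})))
    print("conditioned slice:", sorted(conditioned_slice(GOOD, [CONSEQUENT], ANTECEDENT)))
    print("good design: ", check_property(GOOD, ANTECEDENT, CONSEQUENT))
    print("buggy design:", check_property(BUGGY, ANTECEDENT, CONSEQUENT))
```

The static slice already drops led and blink, which nothing in the property reads; the antecedent is what removes link_up and retry, because once state is fixed to NEG the arms that read them are constant-folded away before the cone is taken. On the buggy design the check returns the assignment state=NEG, mode_hs=1, t_expired=1, on which next_state is HS rather than SUSPEND.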
Results on Temporal USB Properties
CPU seconds, 450 MHz dual UltraSPARC-II with 1 GB RAM
Verification of Processors Using Antecedent Conditioned Slicing
• Verification of single-instruction-issue, multi-stage pipelined processors
• Antecedent conditioned slicing provides an automatic decomposition strategy: individual "instruction machines"
  ■ Leverage the automatic power of model checking
  ■ Provide a different notion of verification
• Verification of the RTL model of an off-the-shelf processor: verified all the instructions of the OR1200 embedded processor
Single Instruction Verification
[Figure: the processor P0 = P is sliced once per instruction i1, ..., it+1, ..., in into instruction machines P1, ..., Pt+1, ..., Pn; each antecedent conditioned slice is obtained as get_conditioned_slice(P0, <i1, e, Vh>) for the corresponding instruction and is checked separately by the model checker]
Results of OR1200 Verification
CPU seconds, 3 GHz Pentium 4 processor with 1 GB RAM

Instruction Class   Instruction   SMV time (seconds)   Memory Usage (KB)
SHF/ROT             l.srl         27.83                23771
SHF/ROT             l.sll         26.81                23771
SHF/ROT             l.ror         27.93                26919
LSU                 l.sd          38.32                30941
LSU                 l.lws         33.91                28873
LSU                 l.ld          35.85                29104
SPRS                l.mtspr       212.27               48627
SPRS                l.mfspr       226.97               50696