CS 150 - Spring 2008 – Lec #23 – Verification - 1 Formal Verification zHow do I know if my...

CS 150 - Spring 2008 – Lec #23 – Verification - 1

Formal Verification How do I know if my circuit works?

Simulation

Formal Verification: prove it works Combinational verification Sequential Verification

Why Verify? November 1994: Pentium Step D Division Bug

Original Pentium chip could return incorrect results on division operation

Discovered by Prof. Thomas Nicely, professor at Lynchburg College, in November 1994

Forced recall of Pentium chips in December, 1994

Bug was extremely rare! Byte: chances of exciting bug 1 in 9 billion Other estimates 1 in 60 million

But even 1 in 9 billion happens occasionally… Pentium executed about 500 million instructions/sec 1 in 1000(?) FDIV 500000 FDIVs/sec One bug every 5 hours

Lessons from the Pentium Bug Subtle! Happened Very Rarely

Therefore hard to detect…

Expensive! Intel forced to recall Pentium chips Took huge black eye in November/December 1994

Generated by accident Pentium used SRT Division algorithm Table Look up for partial quotients, remainders Perl script used to generate table, extract to PLA

generator for LUT Bug in the perl script

Mistakes are easy to make, expensive to correct!

Simulation Main workhorse of verification Simple procedure:

Apply vectors to design Either compare to reference design or put error-checking into

model See if any problems occur

What’s the problem? Too many vectors, too much computation! ~5 billion transistors on modern chip ~1 billion gates

At 1 instruction/vector/gate, approx 1 CPU second to simulate 1 cycle on a machine

~30 CPU-years to simulate 1 CPU second!

Speeding up simulations

Hierarchical (Cycle) Simulation Simulate subcircuits in isolation and prove they work Substitute compiled (faster) form of circuit in simulator Ex: prove adder adds, then simulate with “+”

Massive parallelism In 1995, all of Intel workstations were used to run

simulations BOINC-like technology crawled workstations and

simulated when idle

Helps, But…

Still too much Data Exhaustive simulation of 32-bit adder

265 possible vectors 1 simulation/instruction (how?) 230 simulations/second 235 seconds to simulate (32 billion seconds = 9000 years)

Exhaustive simulation of 64-bit adder 2129 possible vectors 299 seconds to simulate Universe is 1.4E10 x 3.6E7 = 5E17 = 250 seconds old To do it in the age of the universe would require about 249

million computers doing nothing else… (100 quintillion computers)

Adder is only tiny chunk of a chip…

Formal Verification

Prove the chip works

No simulation

Combinational Verification Prove combinational circuit (no latches) equivalent to

reference design Ex: Prove carry-bypass adder computes same function as

ripple-carry adder

Sequential Verification Prove finite-state machine can’t get into bad state, can’t

deadlock, etc

Circuit Model

Latches

Combinational Logic

Latches

Combinational verification: prove this works

Combinational Verification Problem

Formal Statement: Given Circuit C and Reference Circuit R, does C compute

the same function as R? Key: we can usually describe what a circuit does very

simply Complexity comes from making it fast, compact, etc

For example: given a carry-bypass adder C, does it compute the same function as a (simple) ripple-carry adder R?

Two Approaches: Canonical Form and Satisfiability

Canonical Form Unique Form of a function: if f = g, then f g Example: list of minterms List of minterms is unique to a function Ex: f = A B C

F = (1,2,4,7) Problem: Too large! In general, O(2n) minterms for function of n variables

Note: for any canonical form, must be O(2n) for most functions Simple counting argument: 2^2^n functions of n variables Representation must be log number of functions

But humans don’t design most functions! Need canonical form usually small for functions humans

actually design

Another Canonical Form: Decision Trees

Graphical Form of Function Evaluation

1 Decision Tree for 1 0 Decision Tree for 0

DecisionTree for

Ex: Decision Tree for f = AB C

C C C C

1 01010

Still Too Large

n variable function

Full binary tree of depth n 2n leaves 2n -1 internal nodes

But we can do better

Full binary tree contains many identical nodes Fold these together, retain canonical form, greatly

reducted size

C C C C

1 01010

Identical

C C C C

1 01010

Identical

Fold Together identical nodes

Reduced, Ordered Binary Decision Diagram of function for f = A B C

Canonical Form

Often Small

“Most important computer science structure of last 20 years”

BDD Applications Formal Verification

Canonical form for circuit Represent sets of states in finite state machine

Low-power circuitry Each edge becomes AND gate Each node becomes OR Output is “1” terminal At most one transition per simulation

Simulation Compile circuit into BDD Compile BDD into code Number of instructions to simulate circuit = number of

variables in BDD

Forming BDD’s

Due to Bryant, 1986

Key observation: can’t form Decision Tree (also called “Shannon Tree”) and then fold Decision Tree is too big

Bryant showed how one could build up BDDs from component functions Developed efficient algorithms to OR, AND, etc BDDs

together Meant one could always work with small structures

Bryant’s procedures

1 Bdd = 1

0 Bdd = Bdd

1 Bdd = Bdd

0 Bdd = 0

Not BDD: just swap terminals

Bryant’s procedures

BDDforf|A=1

BDDforf|A=0

BDDfor

=BDDfor

f op g|A=1

BDDfor

f op g|A=0

Key to Efficiency

Kept a hash table (var, low, high)

If var, low, high already in table returned stored function

Kept each function at most once

Example: a’b’c + ab’c’

Example: f = a’b’c + ab’c’

Example: a’bc’ + abc

Example: f = a’b’c + ab’c’ + a’bc’ + abc

BDD’s For Verification

Reduced, Ordered Binary Decision Diagram of function for f = A B C (slide 16)

Reduced, Ordered Binary Decision Diagram of function for f = A’B’C + A’BC’ + AB’C’+ ABC (slide 16)

Satisfiability

Formal Statement: Given Circuit C and Reference Circuit R, does C compute

the same function as R? Key: we can usually describe what a circuit does very

simply

Easy to formulate as a circuit-satisfiability problem

For each output Ci, Ri, is Ci Ri = 0?

General Formulation of the Satisfiability Problem

C is identical to R only when out == 0 (no inputs X, Y, Z that makes out 1)

Example: Verification of f = A B C

Implementation of f = A B C

Specification of f = A B C

Example: Verification of f = A B C

Implementation

Specification

Works when check can’t be set to 1

Verification With a Don’t-Care Set

Key: only need to verify against care set

Error only if: Check = 1 AND don’t-care = 0 Check = 1 and care = 1

Therefore: use same procedure as before but just AND with the don’t-care set

Verification With a Don’t-Care Set

Example: Verify A B C with don’t-care set A+B

Implementation

Valid unless check=1

Don’t-careSpecification

Solving the SAT problem

Assert 1 on the output

Trace implications back to inputs No contradiction => error, input vector found Contradiction: Circuit works

SAT is NP-complete (first NP-Complete problem; Cook’s paper was called “Complexity of Theorem-Proving Procedures)

But extensively studied

Current best heuristics (Malik, Princeton) up to 5000 variables…

Finite State Machine Verification Does my finite-state machine work?

In the limit, proves the whole design works (Any design is just one big FSM) In general, this is too hard – prove things about pieces at a

“Works” is too complicated and ill-formed a question to prove We mean multiple properties How can we say “video feed displays properly”

mathematically? Need to pose questions we can answer

E.G. Prove when we get an init message we always respond with an ack

FSM Verification Two general classes of property to prove

Safety: Bad things don’t happen e.g., two FSMs can’t deadlock

Liveness: Good things eventually happen E.g., I can always recover locally from a failure

The two techniques are somewhat similar Safety: prove a machine can never get into a bad state Liveness: prove that a particular state is on a cycle in the

state graph

We’ll consider safety Liveness proof turns out to be a simple manipulation of

the state graph

Key Technique: “Reachable States Iteration”

Compute the reachable states of a finite state machine

Initial State is Reachable R0 = {Init}

Next is reached by iteration: Rn = Rn-1 {T | ST is a transition and T Rn-1}

R* = Reachable States = Rn where Rn = Rn-1

Lots of mathematics, but just the breadth-first traversal of the state graph until we have hit every state

Notice that every new state is one we’ve visited before

FSM Traversal

FSM Traversal -- R0

FSM Traversal – R1

R3 = R2 = R* = {A, B, C, D, E, F}

G is unreachable!

This was obvious from the State Graph! But, typically don’t have an explicit representation

for a state graph Just latches and logic Need to mathematically represent current set of

reachable states Use BDD to represent set of reachable states Push BDD through the logic using Bryant’s

Procedure Get a new BDD – if equal to old, we are done Many variants: “Iterative Squaring”, “Transitive

Closure”, “Prefix Sets”

Multiple machines

Often, we want to prove two communicating machines have some property E.g., Two machines are a factored form of a single

machine

Solution: express two machines as single combined FSM State property as safety property on the combined

machine Use R.S. iteration to prove the property

Example

(Dy)’

(Bx)’

Example

Prove those two machines are a partition of this one:

Form the single Machine and prove it!

States are pairs of states from the original machines

Transitions are legal transitions from the original machines

Thing to prove: (I, J) is unreachable {A, B} x {C, D} are unreachable

E. G., (A, D) is unreachable

State Diagram for the Combined Machine

Filling in the transitions

(Dy)’

(Bx)’

•In state (I,J)

•Possible Transitions:

•(Bx)’(Dy)’ to (I,J)

•(Bx)’(Dy) to (A,J) (X)

•Not in state D

•(Bx)(Dy)’ to (I,C) (X)

•Not in state B

•(Bx)(Dy) to (A,C) (X)

•Not in states B or D

Filling in the transitions

(Dy)’

(Bx)’

•In state (B,D)

•Possible Transitions:

•x’y’ to (A,C)

•xy to (I,J)

•x’y to (A,J)

•xy’ to (I,C)

Reachable States for the Combined Machine

Forbidden States

Reachable and Forbidden States for the Combined Machine

Conclusion

Two machines are a partition of the one logical machine!

Forbidden states didn’t overlap reachable states

Formal Verification How do I know if my circuit works?

Simulation

Formal Verification: prove it works Combinational verification

Bdd’s as canonical forms SAT-based approach

Sequential Verification Reachable-states iteration

CS 150 - Spring 2008 – Lec #23 – Verification - 1 Formal Verification zHow do I know if my...

Documents

Transcript of CS 150 - Spring 2008 – Lec #23 – Verification - 1 Formal Verification zHow do I know if my...

Software Engineering Research Approaches zBalancing theory and praxis zHow engineering research differs from scientific research zThe role of empirical.

Program verification using Verification -Condition generationwang626/pubDOC/iccad08-tutorial-shuvendu-VC.pdf · Program verification using Verification -Condition generation 5 Shuvendu

Design Verification The Case for Verification, Not Validation · Design Verification – The Case for Verification, Not Validation Page ... Design Verification – The Case for Verification,

MKTG 371 CULTURE Lars Perner, Instructor 1 CULTURE zWhat is culture? zCulture and subculture zHow does culture manifest itself? zHow does it impact marketing.

MARKET MICROSTRUCTURE. THE FUNDAMENTAL QUESTION OF MARKET MICROSTRUCTURE: zHOW DOES INFORMATION GET INCORPORATED INTO PRICES??

Social Cognition zHow we think about others and how those thoughts influence us yAttitudes and Attitude Formation yImpression Formation yAttribution yCognitive.

Tennis by Robert Hughes Introduction zUniversity Tennis zHistory of The Davis Cup zHow are Davis Cup Matches Played? zHow Bad is Great Britain at Tennis?

CSE 477Design Problems1 1. Encode binary value using PCM zBinary # --> zHow accurate can you get? (+/- 1 usec?)

Historical Performance of Financial Assets zWhat are our investment alternatives? zHow have stocks, bonds, cash, and other financial assets performed in.

Evidence-Based Practices in Mental Health is Evidence-Based Medicine? ... healthcare interventions, ... zFormal literature reviews on evidence-based practices in mental health

EGU 2013 Short Course: ZHow to write (and publish) a ...static2.egu.eu/media/filer_public/2013/04/11/egu_verhoest_how_to... · EGU 2013 Short Course: ZHow to write (and publish) a

Home - Silicon Service | Custom Software Solutions · VERIFICATION EXPERTISE SOC Verification GPI-I Verification Performance Verification Security Verification METHODOLOGY SV/UVM

Biosafety Capacity Development · -- Getting the right people zWhat ? -- Training plan: training objectives, methodology and expected results, preliminary program zHow ? • Local

Verification Test Bench - Keysightedadownload.software.keysight.com/eedl/ads/2017... · Verification Test Bench (VTB) and Verification Test Bench (VTB) Component The Verification

BUSINESS ORGANIZATIONS Chapter 13. Chapter Issues zMajor forms of business organizations zHow businesses are created zFactors that may influence a business’s.

Volkswagen Beetle. TOC zHistory yDevelopment yCommercial Success zHow Beetle Works ? yEngine yInterior ySpecifications.

COMS30026 Design Verification Verification Tools

Chapter 3: Sound Recording and Popular Music. Some guiding questions zHow did the technologies for sound recording develop? zHow did popular music become.

Verification and Validation. CS351 - Software Engineering (AY2004)2 Verification and validation Verification…

Gas Transmission MAOP Verification Integrity Verification ... CC - Pipeline Safety... · Gas Transmission MAOP Verification Integrity Verification Process ... miter bends Welding