1JAA, 3/21/2007JAA, 3/21/2007

Practical Formal – Practical Formal – Mainstream Formal for the Mainstream Formal for the

Rest of UsRest of Us

Jacob A. AbrahamJacob A. Abraham

DVClub MeetingDVClub MeetingAustin, TexasAustin, Texas

March 21, 2007March 21, 2007

2JAA, 3/21/2007JAA, 3/21/2007

Is Formal Verification Mainstream?Formal Equivalence Checking

Only up to the RT Level

What about Formal Property Checking?Can it deal with properties used in a simulation-based flow?

●

What characteristics prevent formal verification from being more widely used?

Need to deal with complex designsSeamlessly fit into the design flow

3JAA, 3/21/2007JAA, 3/21/2007

Directions to make Formal MainstreamEngines which can deal with real designs

Multiple clock domainsTristate signals (not Boolean)

●

Deal with design descriptions at higher levelsReduce complexity of analysisStatic analysis of design description will scale (unlike a functional analysis)

●

Automated techniques which fit into the design flowNo distractions when concentrating on design

4JAA, 3/21/2007JAA, 3/21/2007

ATPG Engines to Check PropertiesSome work in checking safety properties

Detecting “stuck-at-0” fault on p

is equivalent to establishing EFp

Circuit

p

Verify design at the lowest level possible:

example, ATPG levelDeal with tri-states, multiple clocks, etc.

5JAA, 3/21/2007JAA, 3/21/2007

RTL to RTL Equivalence Checking

Use Term Rewriting Systems (TRS) Significant success with RTL “Term” level

reductions Verification of arithmetic circuits at the RTL

level using term rewriting RTL to RTL equivalence checking Verified large multiplier designs like Booth,

Wallace Tree and many optimized multipliers using this rewriting technique

6JAA, 3/21/2007JAA, 3/21/2007

RTL Equivalence Using TRSs

GoldenRTL

RevisedRTL

RevisedTRS

GoldenTRS

Equivalence Proof

VTrans

VTrans

Vprover

Translation

Translation

7JAA, 3/21/2007JAA, 3/21/2007

Why it WorksCongruence between RTL-states (terms) of two designs, given the RTL state-transition graph (TRS) Equivalence is proved by showing that one term can be rewritten to the other

SAT solvers, STE engines, gate-level equivalence checkers, etc., as proof engines

Comparison points in RTL-state space Congruence at every comparison pointCover entire data space of the designs

8JAA, 3/21/2007JAA, 3/21/2007

Results on Multipliers

UnfinishedUnfinished60s64 X 64

UnfinishedUnfinished40s32 X 32

Unfinished Unfinished25s16 X 16

16s18s18s8 X 8

9s10s14s4 X 4

Commercial Tool 2

Commercial Tool 1

VERIFIREWallace Tree

9JAA, 3/21/2007JAA, 3/21/2007

Sequential Equivalence Checking:Using Sequential Compare Points

Introduce notion of sequential compare points Sequential compare points are two-tuple entitiesIdentification w.r.t. relative position in time

Identification w.r.t. space (data or variables)

Co-ordinates on space-time axis of both designs being comparedExactly model the sequential behavior of designs

10JAA, 3/21/2007JAA, 3/21/2007

Equivalence Checking Using Sequential Compare Points

Variables of interest (observables) obtained from user/block diagram

Typically include primary outputsCan also include relevant intermediate variables

Symbolic expressions obtained for observables assigned in a given cycleSymbolic expressions compared at sequential compare pointsComparison using a SAT solver in this work

Other Boolean level engines can also be used

11JAA, 3/21/2007JAA, 3/21/2007

Example: Viterbi Decoder

Part of digital radio (DRM) in System CDRM SoC partitioned to implement Viterbi decoder as a hardware acceleratorSystem C specification

Basic model implementing Viterbi algorithmNo optimizations

Viterbi Verilog RTL implementationsFirst implementation: Optimized for speedSecond implementation: Optimized for area

12JAA, 3/21/2007JAA, 3/21/2007

Results

13JAA, 3/21/2007JAA, 3/21/2007

Antecedent Conditioned Slicing for Verification

• Slicing part of design irrelevant to property being verified

• Safety Properties of the form• G (antecedent => consequent)

• Use antecedent to specify states in which we are interested

• We do not need to preserve program executions where the antecedent is false

• The resulting abstraction is called an antecedent conditioned slice

14JAA, 3/21/2007JAA, 3/21/2007

Example Properties of USB 2.0 CoreG((crc5err) V match) => send_token))

If a packet with a bad CRC5 is received, or there is an endpoint field mismatch, the token is ignored

G((state == SPEED_NEG_FS) => X((mode_hs) ^ (T1_gt_3_0ms) => (next_state == RES_SUSPEND))

If the machine is in the speed negotiation state, then in the next clock cycle, if it is in high speed mode for more than 3 ms, it will go to the suspend state

G((state == RESUME_WAIT) ^ (idle_cnt_clr) =>F(state == NORMAL))

If the machine is waiting to resume operation and a counter is set, eventually (after 100 mS) it will return to normal operation

15JAA, 3/21/2007JAA, 3/21/2007

Results on Temporal USB Properties CPU Seconds, 450 MHz dual UltraSPARC-II with 1 GB RAM

16JAA, 3/21/2007JAA, 3/21/2007

Verification of Processors using Antecedent Conditioned Slicing Verification of single-instruction issue, multi-stage

pipelined processors Antecedent conditioned slicing provides an

automatic decomposition strategy Individual “instruction machines”

■ Leverage automatic power of model checking■ Provide a different notion of verification

Verification of RTL model of off-the-shelf processor Verified all the instructions of the OR1200

embedded processor

17JAA, 3/21/2007JAA, 3/21/2007

Single Instruction Verification

P0=P i1

it+1

in

P1

Pt+1

Pn

ModelChecker

h

Antecedent Conditioned Slice

get_conditioned_slice (P0, < i1, e, Vh>)

18JAA, 3/21/2007JAA, 3/21/2007

Results of OR1200 VerificationCPU Seconds, 3 GHz Pentium 4 processor with 1 GB RAM

27.83l.srlSHF/ROT

2377126.81l.sllSHF/ROT

3094138.32l.sdLSU

2887333.91l.lwsLSU

48627212.27l.mtsprSPRS

50696226.97l.mfsprSPRS

2691927.93l.rorSHF/ROT

2910435.85l.ldLSU

Memory Usage (KB)

SMV time

(seconds)

InstructionsInstruction Class

23771