Post-Reboot Equivalence and Compositional Verification of Hardware (transcript of the FMCAD 2006 slides)

Page 1: Title

Post-Reboot Equivalence and Compositional Verification of Hardware
Zurab Khasidashvili, Marcelo Skaba, Daher Kaiss, Ziyad Hanna
Design Technology Solutions, Intel, Haifa
FMCAD, SJ, Nov. 13th 2006

Page 2: The Scope

Hardware verification has many aspects. We will focus on logic verification:
– Assume there is a temporal specification, P, of a design.
– There is a spec model written in RTL.
– There is a more detailed implementation model (RTL or extracted from a circuit model).
– Assume P is written in the common variables of spec and imp (so that P is "understood" in both models).
We want:
– Prove that spec satisfies the behavioral specification P. We call P a "design intent" property.
– Prove that spec and imp are "equivalent".
– From the above two, conclude that the implementation model also satisfies P.

Page 3: Overview

What do we propose? A unified theory which combines equivalence verification with property verification and reboot sequence verification.
– Motivation for introducing post-reboot equivalence for hardware FSMs – why do we need yet another equivalence concept?
– Lattice-theoretic characterization of post-reboot equivalence – helps in defining the concept of a hardware machine.
– Comparison of compositional post-reboot equivalence verification with combinational verification and retiming verification.
– Verifying a reboot sequence – is a given input vector sequence a weak-synchronizing sequence for the (decomposed) spec and imp?
– Impact on property verification theory and practice.
– Conclusions.

Page 4: Equivalence Verification in Practice

– Decompose the spec and imp models using mapped cut points.
– Use boundary constraints to make the corresponding slices equivalent.
– Build a reboot sequence that brings the circuits to states satisfying all boundary constraints (and possibly other constraints).
– Check that the constraints remain valid post-reboot, using (non-exhaustive, 3-valued) simulation.

Figure 1: spec M1 and imp M2, each with inputs i1, i2 and latches l1, l2, l3 = o; M1 is cut into components A1 and B1, M2 into components A2 and B2, at the mapped cut points.

Page 5: Equivalence Verification in Practice

Dominant in EDA: slices are mostly combinational, rarely retimed.
– For combinational slices, equivalence means equivalence of Boolean functions under input constraints.
– For retimed slices, equivalence means some form of steady-state equivalence.
It is not clear what kind of equivalence is proved when combining various equivalence checking methods on the same design, and how it is related to alignability.
The part that relates the reboot sequence to the properties used was not considered part of "equivalence verification". Indeed, it is based on non-exhaustive simulation.

Page 6: Equivalence concepts

There have been many concepts of equivalence studied in the literature. Some of them require some form of reboot sequence before the comparison of the output behavior of spec and imp starts:
– Delayed safe replaceability [SPAB01]
– Sequential hardware equivalence or alignability [Pix92]
– Exact 3-valued equivalence [RSSB99]
– 3-valued safe replaceability [HC98]
– Steady state equivalence [KH02]

Other known equivalence concepts:
– Combinational equivalence
– Replaceability

We will focus on the alignability concept, as we believe it fits hardware verification well.

Page 7: Weak synchronizing sequences

States s1 and s2 are equivalent states of an FSM M, written s1 ≃ s2, iff ∀ρ: o1(s1,ρ) = o2(s2,ρ).

A weak synchronizing sequence for M is an input vector sequence that brings M from any (binary) state to a subset of equivalent states {s1,…,sm}, called weak synchronization states.

Figure: a weak synchronizing sequence takes states s1, s2, …, s5 into weak synchronization states t1 ≃ t2 ≃ t3, with Out(t1) = Out(t2).

Page 8: Alignability Equivalence (Pixley 1989)

A binary input sequence is an aligning sequence for states (s1,s2) in the product FSM M1×M2 if it brings M1×M2 from state (s1,s2) to an equivalent state (t1,t2), i.e. t1 ≃ t2.

FSMs M1 and M2 are alignable, written M1 ≃aln M2, iff every state of M1×M2 has an aligning sequence. Equivalently, M1 ≃aln M2 iff a universal aligning sequence aligns every binary state of M1×M2.

Figure: an aligning sequence takes (s1, s2) to (t1, t2) with t1 ≃ t2.

Page 9: The Idea of Weak Synchronization

If an FSM is not WS, then whatever the sequence ρ, there always exist two power-up states s1 and s2 such that o1(s1,ρ) ≠ o2(s2,ρ). This means that, whatever the ρ, the FSM exhibits non-deterministic observational (output) behavior after ρ. If an FSM is not WS, then it is not equivalent to itself according to [Pixley 89] – it is not alignable to itself.

A central observation: in practice, post-reboot states are a proper subset of the WS states, satisfying (boundary) verification constraints as well as some non-functional constraints, like timing, power or others; these constraints are not directly captured by output observability.

Page 10: An FSM from Pomeranz and Reddy [PR96]

The following FSM H is taken from [PR96]. State pairs (A, D), (B, E) and (C, F) are equivalent. Since A ≃ D, the sequence 0 is a ws-sequence for the FSM, bringing the states {A, B} into A and the states {C, D, E, F} into D. Since all states are accessible from A and D, all states are ws-states.

Figure: state diagram of H with states A, B, C (top row) and D, E, F (bottom row); transition labels are input/output (0/0, 1/1, 0/0, 1/0, -/1 in each row), and the terminal SCC {D, E, F} is marked as the post-reboot states.

Page 11: Property semantics

In alignability equivalence, one works with equivalence classes of states. In the induced FSM, the ws states form a strongly connected component. Therefore, in alignability equivalence, the ws states are (implicitly) considered the operation states. The class of ws-sequences is a homogeneous one – there are no "good" or "bad" ws-sequences.

Figure: H (states A, B, C, D, E, F, terminal SCC {D, E, F} marked as post-reboot states) beside its induced FSM with states [A,D], [B,E], [C,F] (transition labels 0/0, 1/1, 1/0, -/1).

Page 12: Property semantics (cont.)

If the designer wants the FSM to operate in all states after reboot, he/she can use a "weak" reboot sequence, say 0, 01, or 011, as the reboot sequence. If the designer wants the FSM to operate in the states {D, E, F} after reboot, he/she can choose a "strongest" reboot sequence, e.g. 0111, which transfers any state into the sink SCC {D, E, F}.

Figure: state diagram of H (as on page 10), terminal SCC {D, E, F} = post-reboot states.

Page 13: Property semantics (cont.)

Let P be a property true in {D, E, F}. Then P is valid in all post-reboot states w.r.t. reboot sequence 0111, but is falsifiable in the operation states w.r.t. reboot sequence 0. Thus, considering all ws states as the operation states is inadequate for defining property semantics for hardware FSMs – the chosen reboot sequence might very well be 0111.

Figure: state diagram of H (as on page 10), terminal SCC {D, E, F} = post-reboot states.

Page 14: Operation States for Hardware FSMs

In our definition of a Hardware FSM (or HFSM), we introduce a set of operation states, or post-reboot states, as a part of its specification:

Definition: A Hardware Machine (HM) is a pair H = (M, R), where M is an FSM and R ⊆ WS(M) is closed under transitions; R is called the set of operation states of H.

– Here R must be seen as the set of states into which H is brought after applying a reboot sequence ρ to it.

– This actually makes ρ a part of the definition of an HFSM. In practice, R is defined as a set of constraints – the boundary (and possibly other) constraints of a decomposition of spec and imp – so we found it more natural to use R rather than ρ as part of the HFSM specification.

– In practice, R ⊊ WS(H) – a strict inclusion.

Page 15: Alignability does not preserve validity of temporal properties

The following two FSMs are alignable.

Let P be true in {D, E, F}.

While P is valid in (all post-reboot states of) FSM 2, P is not valid in FSM 1 for the reboot sequence 0.

Thus alignability equivalence does not preserve validity of temporal properties.

Figure: FSM 1 and FSM 2, each drawn with states A, B, C, D, E, F and the terminal SCC {D, E, F} marked as post-reboot states (transition labels input/output).

Page 16: FSM Bisimulation

Let Mi = (Si, I, O, δi, λi), i = 1, 2, be FSMs (state set, inputs, outputs, next-state function, output function), and let B ⊆ S1×S2 be a relation such that:
– B(s1,s2) ⟹ ∀a: λ1(s1,a) = λ2(s2,a) & B(δ1(s1,a), δ2(s2,a)).

Then B is called an FSM bisimulation, and M1 and M2 are called bisimilar with respect to B. States (s1,s2) ∈ S1×S2 are called bisimilar if they are contained in a bisimulation on S1×S2.

Page 17: Bisimulation for FSMs with initial states (Gupta et al.)

– A concept of bisimulation for FSMs was first studied by Asher, Gupta and Malik in 2001.
– They considered FSMs with an initial state, and assumed the initial state pair must belong to the bisimulation.
– That concept of FSM bisimulation can be seen as a special case of the post-reboot bisimulation introduced next.

Page 18: Post-reboot Hardware Equivalence

Definition: Let M1 and M2 be compatible FSMs, let ρ be an input vector sequence for M1 and M2, and let B be a bisimulation between M1 and M2. The pair (ρ,B) is a post-reboot bisimulation between M1 and M2 iff ∀(s1,s2) ∈ S1×S2: (ρ: s1 →* t1 & ρ: s2 →* t2) ⟹ B(t1,t2).

M1 and M2 are called post-reboot bisimilar, or post-reboot equivalent, if there is a post-reboot bisimulation between them.

Figure: the reboot sequence ρ takes s1 to t1 and s2 to t2, with B(t1, t2).

Page 19: Alignability vs PRE for FSMs

Theorem: Let WS1 and WS2 be the weak-synchronization states of FSMs M1 and M2, respectively, and let StateEq(WS1,WS2) = StateEq ∩ (WS1×WS2). Then the following are equivalent:
– M1 and M2 are alignable;
– StateEq(WS1,WS2) ≠ ∅;
– StateEq(WS1,WS2) is a non-empty onto bisimulation, on WS1×WS2, between M1 and M2;
– M1 and M2 are post-reboot equivalent.

Page 20: The order on PRBs

Define: (ρ1,B1) ⊑ (ρ2,B2) iff B1 ⊆ B2.

Theorem: The set of all post-reboot bisimulations between HFSMs H1 and H2, when it is non-empty, is a complete lattice with respect to the partial order ⊑.

Page 21: A complete lattice of PRBs

Figure: part of the lattice of post-reboot bisimulations of H, with elements (0, {A,B,C,D,E,F}), (010, {A,B,C,D,E,F}) …, (011, {A,B,C,D,E,F}), (010, {A,B,C,D,E,F}) …, (0111, {A,B,C,D,E,F}), (01110, {A,B,C,D,E,F}) …, drawn beside the state diagram of H (terminal SCC {D, E, F} = post-reboot states).

Order on PRBs: the larger the operating states set, the stronger the PRB.

Page 22: PRB order vs ws order on ws sequences

Figure: the ws-sequences 0111, 011 and 0 (together with 01110, 01111 …, 010, 00000, 01) ordered by strength, each with its operating states set {A,B,C,D,E,F}, beside the corresponding PRBs (0, {A,B,C,D,E,F}), (010, {A,B,C,D,E,F}) …, (011, {A,B,C,D,E,F}), (010, {A,B,C,D,E,F}) …, (0111, {A,B,C,D,E,F}), (01110, {A,B,C,D,E,F}) ….

Order on ws sequences: the smaller the operating states set, the stronger the ws sequence.

Order on PRBs: the larger the operating states set, the stronger the PRB.

Page 23: Partial Order on WS-sequences

The order has upper bounds but need not have a bottom element – thus it need not be a lattice – it is an upper semi-lattice. Here is an example:
– Since s1 ≃ s4 and s2 ≃ s3, the input sequences 1 and 0 are WS, and so is 10. Further, 111111…, 000000… and 0110100… are WS; and 0 and 1 have the upper bound 01, but have no lower bound.

Figure 3 (Fig. 3.a): a four-state FSM with states s1, s2, s3, s4 (transition labels input/output: 1/1, 1/0, 0/0, 0/1, 1/1, 0/1, 0/0, 1/0), and the order on its ws-sequences with [1] and [0] below their upper bound [01].

Page 24: Partial Order on WS-sequences

Let (ρ,B) be a post-reboot bisimulation between M1 and M2. We associate with ρ a smallest bisimulation B[ρ] such that (ρ,B[ρ]) is a PRB; B[ρ] is the intersection of all Bi such that (ρ,Bi) is a post-reboot bisimulation. Define a (strict) order on such sequences as follows: ρ1 ≺ ρ2 iff B[ρ1] ⊋ B[ρ2] – that is, ρ1 cannot transfer all state pairs of M1×M2 into B[ρ2], while ρ2 can; therefore we call ρ2 a stronger reboot sequence than ρ1.

We call ρ1 and ρ2 equivalent iff B[ρ1] = B[ρ2].

When H1 = H2 = H, the order is in fact an order on the ws-sequences of H.
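As an added worked example (not code from the slides or from the authors' tools), the FSM H of pages 10–13, reconstructed from the slide text, with the greatest bisimulation of page 16, the ws-sequence test of page 7, the operation states of page 14, the property P of pages 12–13, and the smallest post-reboot bisimulation B[ρ] and the order on reboot sequences of this page; the 1-successors of H are inferred from what the slides say about the sequences 0 and 0111 and from the equivalence of (A,D), (B,E), (C,F).

```python
from itertools import product

# FSM H of [PR96] reconstructed from the slide text: state -> {input: (next_state, output)}.
# The "-/1" arcs of C and F (any input, output 1) lead to D, so 0111 sinks every state into D.
H = {
    "A": {"0": ("A", 0), "1": ("B", 1)}, "B": {"0": ("A", 0), "1": ("C", 0)},
    "C": {"0": ("D", 1), "1": ("D", 1)}, "D": {"0": ("D", 0), "1": ("E", 1)},
    "E": {"0": ("D", 0), "1": ("F", 0)}, "F": {"0": ("D", 1), "1": ("D", 1)},
}
INPUTS = ("0", "1")

def run(m, s, seq):
    """State reached by FSM m from state s after input sequence seq."""
    for a in seq:
        s = m[s][a][0]
    return s

def bisimulation(m1, m2):
    """Greatest FSM bisimulation between m1 and m2 (page 16): start from all state
    pairs and drop a pair whenever outputs differ or a successor pair is missing."""
    B = set(product(m1, m2))
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(B):
            for a in INPUTS:
                (t1, o1), (t2, o2) = m1[s1][a], m2[s2][a]
                if o1 != o2 or (t1, t2) not in B:
                    B.discard((s1, s2))
                    changed = True
                    break
    return B

def is_ws_sequence(m, seq):
    """Page 7: seq is weak-synchronizing iff it takes every state into pairwise equivalent states."""
    eq, reached = bisimulation(m, m), {run(m, s, seq) for s in m}
    return all((t1, t2) in eq for t1 in reached for t2 in reached)

def smallest_prb(m1, m2, seq):
    """B[seq] of page 24: the smallest bisimulation B with (seq, B) a post-reboot bisimulation,
    i.e. the transition closure of the pairs reached after seq; None if outputs disagree."""
    B = {(run(m1, s1, seq), run(m2, s2, seq)) for s1 in m1 for s2 in m2}
    todo = list(B)
    while todo:
        s1, s2 = todo.pop()
        for a in INPUTS:
            (t1, o1), (t2, o2) = m1[s1][a], m2[s2][a]
            if o1 != o2:
                return None
            if (t1, t2) not in B:
                B.add((t1, t2))
                todo.append((t1, t2))
    return B

def operation_states(m, seq):
    """Page 14: post-reboot states R w.r.t. seq, the reached states closed under transitions."""
    return {s for s, _ in smallest_prb(m, m, seq)}

def stronger(m, seq1, seq2):
    """seq1 is weaker than seq2 (page 24) iff B[seq1] is a strict superset of B[seq2]."""
    return smallest_prb(m, m, seq1) > smallest_prb(m, m, seq2)

def valid_in(states, prop):
    """Page 25 semantics: prop is valid iff it holds in every operation state."""
    return all(prop(s) for s in states)

P = lambda s: s in {"D", "E", "F"}   # the property of pages 12-13, true exactly in the sink SCC

if __name__ == "__main__":
    for seq in ("0", "01", "0111"):
        R = operation_states(H, seq)
        print(f"reboot {seq}: ws={is_ws_sequence(H, seq)} R={sorted(R)} P valid={valid_in(R, P)}")
    print("0 weaker than 0111:", stronger(H, "0", "0111"))
```

Running it shows P valid after reboot 0111 but falsifiable after 0 or 01, which is the page 13 argument, and B[0] ⊋ B[0111], i.e. 0111 is the stronger reboot sequence.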

Page 25: Equivalence and property semantics for Hardware Machines

We call HMs H1 = (M1,R1) and H2 = (M2,R2) equivalent if there is a post-reboot bisimulation (ρ,B) between the FSMs M1 and M2 such that B ⊆ R1×R2.

We call a CTL* formula [CGP99] valid in H1 iff it is valid in all states in R1.

We will see that if post-reboot equivalence between HMs is proven using the compositional method proposed in [KSKH 04], then a post-reboot bisimulation is built that allows proving that equivalent HMs satisfy the same class of CTL* formulas. To show this, we need to see how to specify the operation states of HMs – we will use stable decompositions of HMs.

Page 26: Stable Decomposition (example)

Figure: a stable decomposition of spec C1 and imp C2. C1 is cut into components A and B, C2 into components C and D; each circuit has input i, latches l1, l2, l3, l4, combinational logic (CL1 in C1, CL2 in C2) and outputs o1, o2, and the cuts run through the mapped latches.

Page 27: Example: usage of constraint l1 = l2

Figure: the decomposition of page 26 (spec C1 = components A, B; imp C2 = components C, D; latches l1, l2, l3, l4; outputs o1, o2).

Prove l1 = l2 on the ws-states of A and C.

Impose l1 = l2 when verifying B and D.

Page 28: Stable Properties and Stable FSM

A "conditional" FSM can be given as an FSM and a set of properties (or constraints) on it.
– Combinational properties may disable several transitions.
– Sequential properties (written with the next-state operator, without temporal operators) can disable transition (sub)paths.
To ensure a reasonable theory for divide-and-conquer alignability verification, we need the verification properties to be stable:
– For stable properties, the conditional FSM induced by the subcircuit and the property is a sub-FSM of the FSM corresponding to the subcircuit.
– Intuitively, this means that some of the arcs in the FSM may be disabled "permanently", independently of how we arrive at a corresponding state (with a forbidden transition).
– This will be clarified with examples.

Page 29: Example of a Non-Stable Property

A property stating that the next value of an input i coincides with the negation of i – next(i) = !i – is not stable:
– From either of the two states, a transition with i = 1 is allowed (and forced) iff the previous incoming transition was with i = 0.

Figure: a two-state FSM whose transitions are labelled i = 0 and i = 1.

Page 30: Examples of Stable Properties

Property next(i) = i is stable: the two possible sub-FSMs (depending on the first transition) are shown in the figure.

Any combinational property (written with Boolean connectives alone, without the next-state operator) can easily be shown to be stable.

Figure: the two sub-FSMs, one keeping only the i = 0 transitions and the other only the i = 1 transitions.

Page 31: State relation R(D) induced by decomposition D

A stable decomposition D of (H1, H2) determines a bisimulation R[D] ⊆ S(H1)×S(H2) defined as follows: (s1,s2) ∈ R[D] iff
– (s1,s2) satisfies the boundary properties;
– the induced state of each component is a ws-state for that (constrained) component.
– It is assumed that latches with the same (mapped) name are assigned the same values in (s1,s2).

This observation allowed us to prove the following weak compositionality result for alignability [KSKH 04]:
Theorem: Under the assumption that FSMs M1 and M2 are weakly synchronizable, alignability of corresponding slices in the stable decomposition of M1×M2 implies alignability of the circuits.

Page 32: What is Combinational Equivalence Proving

Combinational decomposition of state-matching circuits can be seen as a special form of stable decomposition, in which only stable boundary constraints are allowed (and all latches are cut points). Here combinational equivalence is defined as follows:
– slice outputs equal at the current time (under constraints) ⟹ (a) slice outputs remain equal at the next time; and (b) the constraints are valid at the next time.

Theorem: Given a combinational, stable decomposition D = D1×D2 of FSMs M1×M2, proving that M1 and M2 are combinationally equivalent is exactly proving that the state relation R[D] is a bisimulation.
– This bisimulation is included in R(D1) × R(D2).

Page 33: Is proving combinational equivalence sufficient?

Unless there is a sequence that brings any pair of states of M1 and M2 into a state pair in R[D], the fact that R[D] is a bisimulation cannot guarantee that M1 and M2 have the same observable behavior in post-reboot states from any power-up states. That is, without relating combinational equivalence to a sufficiently strong reboot sequence, combinational equivalence is meaningless. When we do combine proving combinational equivalence with checking that, for the given reboot sequence ρ, the pair (ρ,R[D]) is a post-reboot bisimulation, then combinational equivalence also proves post-reboot equivalence (and thus alignability too).

Page 34: What steady-state equivalence proves for ws (sub)circuits

Similarly, for ws-FSMs, steady-state equivalence (used for verifying retimed circuits) implies alignability. Thus, by the weak compositionality theorem, it is safe to combine combinational verification with retiming verification and alignability verification on slices of the same design – provided both FSMs are ws.

It is unclear how one can verify whether a given input vector sequence is a ws-sequence. Fortunately, we need to prove a simpler result: we need to show whether an input vector sequence is a legal reboot sequence for a given stable decomposition of spec and imp.
– Any legal input vector sequence is a ws-sequence for both FSMs.

Page 35: Proving Post-reboot Equivalence

In practice, proving PRE means:
1. building a stable decomposition D (entirely combinational or with sequential slices, retimed or not);
2. building a reboot sequence ρ;
3. proving that (ρ, R[D]) is a PRB.

Parts 1 and 2 are mainly manual (part 1 is actually semi-automatic, aided by automatic, counter-example based abstraction algorithms and GUI tools). Part 3 was not studied as part of formal equivalence verification (it was performed by semi-formal methods).

Page 36: Proving Post-reboot Equivalence

For checking part 3 formally (a full proof), we propose the following algorithm:
– H1 and H2 are 3-valued simulated with the reboot sequence ρ, starting from the X-states.
– For the resulting set of X-states, the boundary constraints (and the latch mapping) must be checked for the set S(X, ρ) of all binary instances of these X-states; the latter is a simple model checking problem for slices, and thus is completely computationally feasible.
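As an added example (not the authors' implementation), the two steps of this page on a constructed three-latch slice with inputs rst and i, checking the boundary constraint l1 = l2 of page 27 on every binary instance of the post-reboot X-state; it also carries out the page 4 check that the constraint remains valid post-reboot by exploring the binary successors of those instances, the way the page 32 induction step does.

```python
from itertools import product

X = "X"   # the unknown value of 3-valued (ternary) simulation; binary values are 0 and 1

def t_not(a):
    return X if a == X else 1 - a

def t_and(a, b):
    if a == 0 or b == 0:
        return 0           # a controlling 0 resolves the gate even if the other input is X
    return X if X in (a, b) else 1

def t_xor(a, b):
    return X if X in (a, b) else a ^ b

LATCHES = ("l1", "l2", "l3")

def next_state(st, inp):
    """Constructed slice (not from the paper): l1 and l2 are cleared by rst and then
    toggle on i identically, so l1 = l2 is a boundary constraint; l3 toggles on i and has no reset."""
    nrst = t_not(inp["rst"])
    return {"l1": t_and(nrst, t_xor(st["l1"], inp["i"])),
            "l2": t_and(nrst, t_xor(st["l2"], inp["i"])),
            "l3": t_xor(st["l3"], inp["i"])}

def simulate_3v(reboot_seq):
    """Step 1 of page 36: 3-valued simulation of the reboot sequence from the all-X state."""
    st = {l: X for l in LATCHES}
    for inp in reboot_seq:
        st = next_state(st, inp)
    return st

def binary_instances(xstate):
    """S(X, ρ): every binary state obtained by resolving each X of the X-state independently."""
    free = [l for l in LATCHES if xstate[l] == X]
    for bits in product((0, 1), repeat=len(free)):
        inst = dict(xstate)
        inst.update(zip(free, bits))
        yield inst

def boundary_ok(st):
    """The boundary constraint l1 = l2 of page 27."""
    return st["l1"] == st["l2"]

def check_reboot(reboot_seq, constraint=boundary_ok):
    """Step 2 of page 36: the constraint must hold in every binary instance of the post-reboot
    X-state and (page 4, "remain valid post-reboot") in every binary state reachable from them
    under binary inputs. Returns (True, None) or (False, a violating state)."""
    todo = [tuple(s[l] for l in LATCHES) for s in binary_instances(simulate_3v(reboot_seq))]
    seen = set()
    while todo:
        key = todo.pop()
        if key in seen:
            continue
        seen.add(key)
        st = dict(zip(LATCHES, key))
        if not constraint(st):
            return False, st
        for rst, i in product((0, 1), repeat=2):
            nxt = next_state(st, {"rst": rst, "i": i})
            todo.append(tuple(nxt[l] for l in LATCHES))
    return True, None

STRONG_REBOOT = [{"rst": 1, "i": 0}]    # one reset cycle: l1 = l2 = 0, l3 stays X
WEAK_REBOOT = [{"rst": 0, "i": 1}]      # no reset: all three latches stay X

if __name__ == "__main__":
    for name, seq in (("strong", STRONG_REBOOT), ("weak", WEAK_REBOOT)):
        print(name, simulate_3v(seq), check_reboot(seq))
```

The weak reboot leaves l1 and l2 at X, so S(X, ρ) contains instances with l1 ≠ l2 and the check fails; the strong reboot pins both to 0, and the reachable-state exploration confirms the constraint is preserved.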

Page 37: Relation with Property Verification

Because we know that all boundary properties are satisfied at all post-reboot states R, for a design intent property P we need to prove that ∀s ∈ R: P(s).

If we were using alignability equivalence, we would have to prove ∀s ∈ WS: P(s).

In practice, for industrial designs, the relation WS(s) cannot be computed, thus it is unclear how one can formally prove the validity of temporal properties in all WS states.

Page 38: Experimental Results

Table 1: assertion verification using boundary properties. Columns, as extracted: cpu (sec), BP, gates, latches, inputs, EI, assertions. The numeric columns of each row were extracted as one unsplit digit string:
assert 5: 31228734190
assert 4: 20964698648350
assert 3: 209910123180
assert 2: 155122120241
assert 1: 154171674261142

Table 2: assertion verification without boundary properties. Columns, as extracted: cpu (sec), gates, latches, inputs, EI, assertions. Rows, likewise unsplit:
assert 5: 13252585186751
assert 4: 596250745374248582
assert 3: 211954114699
assert 2: 26217690113336910
assert 1: 256787152612510

Page 39: Conclusions

From practice to theory:
– Formalize the several dominant hardware equivalence verification methods into a unified theory – the outcome is post-reboot hardware equivalence.

From theory to practice:
– Propose fully formal, practically applicable hardware equivalence verification algorithms and methodology.
– Give experimental data where the new theory "makes a difference" in the practice of full-chip verification.

We base our theory on bisimulation, and it is easy to adapt our theory to equivalence concepts requiring other forms of bisimulation (such as weak bisimulation, bisimulation up to an equivalence relation, etc.).

Page 40: Future Work

In this work, we mainly focused on justifying a new equivalence concept – post-reboot bisimulation – and showing how it makes property verification and reboot sequence verification feasible. We are working on a comprehensive theory for property verification that will be fully aligned with compositional post-reboot equivalence verification and reboot sequence verification for Hardware Machines. An important and very challenging problem is to build algorithms for finding the latch mapping automatically.