Transcript

Formal Verification
- No testbench required
- Expected behavior is written as a property to prove
- Uses logic and mathematical algorithms (formal verification engines) to prove that the property always holds w.r.t. the circuit under test
- If the property passes: a complete verification
- If the property fails: a counter-example is generated for debugging
- For example: proving always (a > b + c)
  - Simulation needs to enumerate all the possible combinations of a, b, and c
  - But consider: the circuit is just a set of logic relations over the input signals
  - Imagine a math test: given a set of logic relations, you are asked to prove (a > b + c)
  - Try to use logic and math reasoning (e.g. induction)
- Solving logic & temporal relations between circuit signals: a constraint satisfaction problem

Constraint Satisfaction Problems
- Constraints
  - Logic: y = a && b
  - Mux: y[31:0] = en ? a[31:0] : b[31:0]
  - Relational: (x1 << 1) + x0 >= 25
- Shannon expansion (x' is the complement of x; f_x and f_x' are the positive and negative cofactors of f):
  f = x'·f_x' + x·f_x
  f·g = (x'·f_x' + x·f_x)·(x'·g_x' + x·g_x) = x'·(f_x'·g_x') + x·(f_x·g_x)
  f + g = x'·(f_x' + g_x') + x·(f_x + g_x)
- Operation: perform on the cofactors individually
[Figure: a BDD node for variable x with children f_x' and f_x]

Basic BDD Operations
[Figure: building the BDD of f = a && (b || c) bottom-up (c, b, b || c, then a && (b || c)) and the BDD of f = (a && b) || (a && c) (a && b, a && c, then their OR)]
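The cofactor rules above are exactly what a BDD package implements: every operation recurses on the two cofactors of the top variable, and results are interned in a unique table so that equal functions always come out as the same node. The following Python is an added example, not code from the lecture; the variable order a, b, c, the class and function names, and the sample functions are assumptions made here. It builds reduced ordered BDDs for a && (b || c) and (a && b) || (a && c), checks that they are literally the same node, proves their equality as a tautology, and, for a claim that does not hold, walks one path to the 0 terminal to extract a counter-example.

```python
# Added example: a minimal reduced ordered BDD (ROBDD) package built on the
# cofactor rule  f op g = x'.(f_x' op g_x') + x.(f_x op g_x).
# Not the lecture's code; names and the variable order are assumptions.

class BDD:
    """Terminals are the ints 0 and 1; other nodes are ids into self.nodes."""

    def __init__(self, order):
        self.names = list(order)                      # variable order, top to bottom
        self.level = {v: i for i, v in enumerate(order)}
        self.nodes = {}                               # id -> (level, low, high)
        self.unique = {}                              # (level, low, high) -> id
        self.next_id = 2                              # 0 and 1 are the terminals

    def mk(self, level, low, high):
        """Create (or reuse) a node; reduction and sharing happen here."""
        if low == high:                               # redundant test: drop the node
            return low
        key = (level, low, high)
        if key not in self.unique:                    # isomorphic subgraph: share it
            self.unique[key] = self.next_id
            self.nodes[self.next_id] = key
            self.next_id += 1
        return self.unique[key]

    def var(self, name):
        return self.mk(self.level[name], 0, 1)

    def top_level(self, u):
        return len(self.names) if u in (0, 1) else self.nodes[u][0]

    def cofactors(self, u, level):
        """(negative, positive) cofactor of u w.r.t. the variable at `level`."""
        if self.top_level(u) != level:
            return u, u                               # u does not depend on it
        _, low, high = self.nodes[u]
        return low, high

    def apply(self, op, f, g, memo=None):
        """Combine two BDDs with a boolean op by recursing on cofactors."""
        memo = {} if memo is None else memo
        if (f, g) in memo:
            return memo[(f, g)]
        if f in (0, 1) and g in (0, 1):
            res = op(f, g)
        else:
            lvl = min(self.top_level(f), self.top_level(g))
            f0, f1 = self.cofactors(f, lvl)
            g0, g1 = self.cofactors(g, lvl)
            res = self.mk(lvl, self.apply(op, f0, g0, memo),
                               self.apply(op, f1, g1, memo))
        memo[(f, g)] = res
        return res

    def AND(self, f, g): return self.apply(lambda p, q: p & q, f, g)
    def OR(self, f, g):  return self.apply(lambda p, q: p | q, f, g)
    def XOR(self, f, g): return self.apply(lambda p, q: p ^ q, f, g)
    def NOT(self, f):    return self.XOR(f, 1)

    def is_tautology(self, f):
        return f == 1                 # canonical form: only the 1 terminal is always 1

    def counterexample(self, f):
        """Follow one path to the 0 terminal; None if f is a tautology."""
        if f == 1:
            return None
        assign, u = {}, f
        while u not in (0, 1):
            lvl, low, high = self.nodes[u]
            # In a reduced BDD, a node whose low child is 1 must reach 0 via high.
            if low != 1:
                assign[self.names[lvl]], u = 0, low
            else:
                assign[self.names[lvl]], u = 1, high
        return assign

    def evaluate(self, u, assign):
        """Value of the function rooted at u under a (possibly partial) assignment."""
        while u not in (0, 1):
            lvl, low, high = self.nodes[u]
            u = high if assign.get(self.names[lvl], 0) else low
        return u

    def size(self, u):
        """Number of non-terminal nodes reachable from u."""
        seen, stack = set(), [u]
        while stack:
            n = stack.pop()
            if n in (0, 1) or n in seen:
                continue
            seen.add(n)
            stack.extend(self.nodes[n][1:])
        return len(seen)


def demo():
    bdd = BDD(["a", "b", "c"])
    a, b, c = (bdd.var(v) for v in "abc")
    f1 = bdd.AND(a, bdd.OR(b, c))                     # a && (b || c)
    f2 = bdd.OR(bdd.AND(a, b), bdd.AND(a, c))         # (a && b) || (a && c)
    same_node = f1 == f2                              # canonicity: same function, same id
    proof = bdd.is_tautology(bdd.NOT(bdd.XOR(f1, f2)))  # always (f1 == f2)
    wrong = bdd.NOT(bdd.XOR(f1, bdd.OR(a, b)))        # claim "f1 == a || b" is false
    return same_node, proof, bdd.counterexample(wrong)


if __name__ == "__main__":
    print(demo())   # (True, True, {'a': 0, 'b': 1})
```

The counter-example {a: 0, b: 1} is a cube, not a min-term: c is left unassigned because the path to 0 never tests it, which is the same observation the branch-and-bound discussion makes about cubes versus min-terms.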
In short:
1. f = a && (b || c)
2. f = (a && b) || (a && c)
will result in the same BDD, independent of the building order.
Therefore, to build BDDs for a circuit:
1. Order the circuit topologically from the PIs (primary inputs) to the target gate
2. Build BDDs from the PIs to the target

To prove a combinational property by BDDs
- Build the BDD for f
- Tautology: f is always = 1, so the property is always true
- Otherwise, a path to the 0 terminal is a counter-example
[Figure: BDD of f; a path to 0 gives the counter-example]
- Sounds too good to be true? Any problem??

BDD Complexity
- In general, the number of BDD nodes is still exponential in the size of the input support
- Usually BDDs can only be built for circuits with #inputs = 100 ~ 200
- The problem? BDDs find all the counter-examples at once, while we only need one
- Consider: building the BDD one path at a time, until one path evaluates f = 0
- What's the difference from simulation??
[Figure: binary decision tree over a, b, c]

Branch-and-Bound Algorithm
- Branch: make decisions (0 or 1) on the input variables {a, b, ...}
  - One decision at a time; evaluate f immediately
- Bound: if the decisions evaluate f to 0, a counter-example is found (END)
  - Otherwise, undo the last decision and make the decision on its inverted value

Branch-and-Bound Algorithm (cont'd)
[Figure: circuit with inputs a, b, c and output f, and the decision tree being searched]
- What's the difference from simulation??

Simulation vs. Branch-and-Bound
- Min-term vs. cube (to generate 1 for a 3-input AND)
  - 8 min-terms (simulation): 000 ~ 111
  - 4 cubes (branch-and-bound): 0--, 10-, 110, 111
- Branch-and-bound can bound with partial decisions
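To make the min-term versus cube comparison concrete, here is an added example (not code from the lecture; the gate-list format, the 3-valued encoding with None for "unknown", and the function names are assumptions made here) of branch-and-bound over a small netlist. Each decision is followed by an immediate 3-valued evaluation of the target net, so a subtree is bounded as soon as f is already determined under a partial assignment. For the 3-input AND it visits exactly the four cubes 0--, 10-, 110, 111 instead of eight min-terms; for a miter of the two equivalent forms above it has to show that no input makes them differ; and for a target that can never be generated it is forced to traverse the whole tree.

```python
# Added example: branch-and-bound search for an input cube that drives a
# target net to a wanted value.  Not the lecture's code; the gate-list
# format, the 3-valued encoding (None = unknown) and the names are assumptions.

X = None  # "unknown": value of a net whose inputs are not all decided yet


def and3(vals):
    if any(v == 0 for v in vals):               # a controlling 0 decides it
        return 0
    return 1 if all(v == 1 for v in vals) else X


def or3(vals):
    if any(v == 1 for v in vals):               # a controlling 1 decides it
        return 1
    return 0 if all(v == 0 for v in vals) else X


def not3(vals):
    return X if vals[0] is X else 1 - vals[0]


def xor3(vals):
    return X if any(v is X for v in vals) else vals[0] ^ vals[1]


GATES = {"AND": and3, "OR": or3, "NOT": not3, "XOR": xor3}


def simulate3(gates, inputs, assign):
    """3-valued simulation of a gate list (topological order) under a partial assignment."""
    vals = {i: assign.get(i, X) for i in inputs}
    for net, op, fanins in gates:
        vals[net] = GATES[op]([vals[f] for f in fanins])
    return vals


def cube(assign, inputs):
    """Render a partial assignment as a cube string, e.g. '10-'."""
    return "".join("-" if i not in assign else str(assign[i]) for i in inputs)


def branch_and_bound(gates, inputs, target, want):
    """Return (cube that sets `target` to `want` or None, list of cubes visited).

    Branch: decide one input at a time (0 first, then its inverse).
    Bound: after every decision the target is re-evaluated; if it is already
    determined under the partial assignment, the subtree is not expanded."""
    visited = []

    def search(assign, depth):
        value = simulate3(gates, inputs, assign)[target]
        if value is not X:                              # bound on a partial decision
            visited.append(cube(assign, inputs))
            return cube(assign, inputs) if value == want else None
        var = inputs[depth]                             # still unknown: branch further
        for choice in (0, 1):                           # decision, then its inverse
            assign[var] = choice
            found = search(assign, depth + 1)
            if found is not None:
                return found
            del assign[var]                             # undo the last decision
        return None

    return search({}, 0), visited


# Constructed netlists.
INPUTS = ["a", "b", "c"]
AND3_GATES = [("f", "AND", ["a", "b", "c"])]                     # 3-input AND
MITER_GATES = [                                                   # f1 XOR f2
    ("bc", "OR", ["b", "c"]), ("f1", "AND", ["a", "bc"]),         # a && (b || c)
    ("ab", "AND", ["a", "b"]), ("ac", "AND", ["a", "c"]),
    ("f2", "OR", ["ab", "ac"]),                                   # (a && b) || (a && c)
    ("diff", "XOR", ["f1", "f2"]),
]
UNSAT_GATES = [("na", "NOT", ["a"]), ("f", "AND", ["a", "na"])]   # a && !a: never 1


def demo():
    gen1 = branch_and_bound(AND3_GATES, INPUTS, "f", 1)       # ('111', ['0--', '10-', '110', '111'])
    miter = branch_and_bound(MITER_GATES, INPUTS, "diff", 1)  # (None, [...]): no distinguishing input
    unsat = branch_and_bound(UNSAT_GATES, ["a"], "f", 1)      # (None, ['0', '1']): whole tree visited
    return gen1, miter, unsat


if __name__ == "__main__":
    for name, result in zip(("3-AND", "miter", "unsat"), demo()):
        print(name, result)
```

Deciding inputs in the fixed order a, b, c is the simplest possible decision strategy; the later slides on decision order, backward implication from the target value and decisions on internal nodes are all ways of reaching the "determined" state (and hence the bound) with fewer decisions.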
Simulation vs. Branch-and-Bound
[Figure: binary decision tree; the leaves visited by simulation vs. the cubes visited by branch-and-bound]
- Do you still remember why we talk about BDDs, branch-and-bound, and all these??
- They are all techniques to solve constraint satisfaction problems
- And we need that to PROVE a property

Solving Constraints with Branch-and-Bound
- If a solution exists: making good decisions can find the solution earlier
- If there is no solution: the entire decision tree must be traversed

Factors on Branch-and-Bound Performance
1. Decision order and values: good decisions find the solution earlier
2. Ability to bound earlier: apply the value on the target f; make decisions on internal nodes
3. Learning (not covered in today's lecture)

Apply Value on Target f
[Figure: circuit with inputs a, b, c and output f; values implied backward from the target]
- Backward implications
- More implications produce a conflict earlier, so we bound earlier

Make Decisions on Internal Nodes
- Making decisions on internal nodes can lead to a conflict earlier
[Figure: circuit with inputs a, b, c and output f, with a decision made on an internal node]

More Advanced Solving Techniques
- BDD: partitioning, approximation
- Branch-and-bound (ATPG, SAT): (conflict) learning, induction
- Constraint modeling: word-level (arithmetic), abstraction & refinement
- Sequential problems
- Combined engine
- Course to offer (SoC Verification)
- In general, the constraint-solving techniques can be applied to many other EE and non-EE problems

Constraint Solvers in EDA Tools
[Figure: block diagram. Front-end: HDL parser, (quick) synthesis, flattening. Modeling: problem formulation. Engines: constraint solvers. GUI: user I/F, debugging utilities]

(Formal) Verification Applications
[Figure: design flow. Functional specification -> RTL (design creation) -> Gate (design implementation) -> GDSII (physical implementation). Equivalence checking between adjacent levels; property checking at RTL]

Equivalence Checking (EC)
[Figure: golden circuit and revised circuit, two blocks of combinational logic driven by the same INPUTS; are their OUTPUTS always equivalent?]

Why do we need equivalence checking?
- Gate-level simulation is too slow
- Once RTL simulation (speed OK) is done, there is no need to run gate-level simulation
- No need to repeat the verification effort spent at RTL
- The synthesis tool may have bugs
- Manual optimizations (e.g. ECO)

EC Problem Definition
- Starting from the same state in both circuits, for all input sequences, the outputs of the golden and revised circuits are always the same
- What about the register values (states)?
- Complexity?

Commercial Equivalence Checking Tools
- First came out in the early 90's; boost in the late 90's
- Compare any two circuits from RTL to layout
- Synthesizable subset: not for the behavioral level
- Incorporate formal verification techniques
- Often can finish a million-gate (e.g. RTL-to-gate) comparison in a few hours
- Impossible and incomplete by simulation
- Note: simulation cannot prove EQ
- Adopted in the mainstream design flow now

What Makes Equivalence Checking Practical?
- Assuming combinational equivalence
  - Compare: outputs, registers
  - Valid for most of the optimizations
(Goto EC fig)
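An added example (not from the lecture or from any commercial tool) of the combinational-equivalence setup in Python: registers are cut so that their Q pins become pseudo-primary inputs and their D pins become compare points next to the primary outputs, matched by name. It goes one step further than the slide and also uses random-simulation signatures to pick internal candidate pairs, which are then proven one by one, the divide-and-conquer idea behind internal equivalence. The prover is an exhaustive stand-in for a BDD/SAT engine and only makes sense on the tiny constructed full-adder netlists below; the netlist format, names and circuits are assumptions made here. A revised circuit with an injected carry bug shows a distinguishing vector being reported.

```python
# Added example: combinational equivalence checking of a golden and a revised
# netlist.  Registers are cut (Q pins -> pseudo PIs, D pins -> compare points),
# random simulation picks internal candidate pairs, and an exhaustive prover
# stands in for the BDD/SAT engine.  Not the lecture's code; everything here
# (format, names, circuits) is constructed for the example.
import itertools
import random

OPS = {"AND": lambda p, q: p & q, "OR": lambda p, q: p | q,
       "XOR": lambda p, q: p ^ q, "NOT": lambda p: 1 - p}


def evaluate(circuit, values):
    """Evaluate every net of a gate list (topological order) for one input vector."""
    v = dict(values)
    for net, op, fanins in circuit["gates"]:
        v[net] = OPS[op](*[v[f] for f in fanins])
    return v


def cut_inputs(c):
    """Primary inputs plus register Q pins (combinational equivalence assumption)."""
    return c["inputs"] + [q for q, _d in c["regs"]]


def compare_points(c):
    """Primary outputs plus register D pins."""
    return c["outputs"] + [d for _q, d in c["regs"]]


def signatures(circuit, vectors):
    """Pack each net's simulated values over the vectors into one int signature."""
    sig = {}
    for vec in vectors:
        for net, val in evaluate(circuit, vec).items():
            sig[net] = (sig.get(net, 0) << 1) | val
    return sig


def internal_candidates(golden, revised, n_vectors=128, seed=7):
    """Gate-output pairs whose random-simulation signatures agree (EQ candidates)."""
    rng = random.Random(seed)
    ins = cut_inputs(golden)
    vectors = [{i: rng.randint(0, 1) for i in ins} for _ in range(n_vectors)]
    sg, sr = signatures(golden, vectors), signatures(revised, vectors)
    return [(ng, nr) for ng, _, _ in golden["gates"]
            for nr, _, _ in revised["gates"] if sg[ng] == sr[nr]]


def prove_equal(golden, revised, net_g, net_r):
    """Exhaustive check over the cut inputs; returns a distinguishing vector or None.
    Stand-in for the BDD/SAT engine: only feasible on tiny circuits."""
    ins = cut_inputs(golden)
    for bits in itertools.product((0, 1), repeat=len(ins)):
        vec = dict(zip(ins, bits))
        if evaluate(golden, vec)[net_g] != evaluate(revised, vec)[net_r]:
            return vec
    return None


def equivalence_check(golden, revised):
    """Returns (proven internal pairs, {compare point: None or distinguishing vector})."""
    if cut_inputs(golden) != cut_inputs(revised):
        raise ValueError("PIs and registers must correspond by name (renaming rules)")
    proven = [p for p in internal_candidates(golden, revised)
              if prove_equal(golden, revised, *p) is None]
    verdict = {g: prove_equal(golden, revised, g, r)
               for g, r in zip(compare_points(golden), compare_points(revised))}
    return proven, verdict


# Constructed full adder with a registered carry; Q pin cout_q feeds an overflow flag.
GOLDEN = {
    "inputs": ["a", "b", "cin"], "outputs": ["sum", "ovf"],
    "regs": [("cout_q", "cout")],                       # (Q net, D net)
    "gates": [("s", "XOR", ["a", "b"]), ("sum", "XOR", ["s", "cin"]),
              ("n1", "AND", ["s", "cin"]), ("n2", "AND", ["a", "b"]),
              ("cout", "OR", ["n1", "n2"]), ("ovf", "AND", ["cout_q", "sum"])],
}
# Same function; carry restructured as g + cin*p, as synthesis might do.
REVISED_OK = {
    "inputs": ["a", "b", "cin"], "outputs": ["sum", "ovf"],
    "regs": [("cout_q", "cout")],
    "gates": [("x1", "XOR", ["a", "b"]), ("sum", "XOR", ["x1", "cin"]),
              ("p", "OR", ["a", "b"]), ("g", "AND", ["a", "b"]),
              ("t", "AND", ["cin", "p"]), ("cout", "OR", ["g", "t"]),
              ("ovf", "AND", ["cout_q", "sum"])],
}
# Injected bug: the generate term uses cin instead of b.
REVISED_BUG = dict(REVISED_OK, gates=[(n, op, ["a", "cin"] if n == "g" else fi)
                                      for n, op, fi in REVISED_OK["gates"]])

if __name__ == "__main__":
    print(equivalence_check(GOLDEN, REVISED_OK))
    print(equivalence_check(GOLDEN, REVISED_BUG)[1]["cout"])  # {'a': 1, 'b': 1, 'cin': 0, 'cout_q': 0}
```

Signatures can only suggest candidates (two unequal nets may agree on every random vector), which is why each pair is still handed to the prover; a real tool would then treat proven pairs as new cut points so the remaining comparison works on smaller cones.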
[Figure: equivalence checking with registers. Golden and revised circuits are split into combinational logic between REGs; the combinational blocks are compared at the matching register boundaries and outputs. Always equivalent?]

What Makes Equivalence Checking Practical? (cont'd)
- Assuming combinational equivalence
  - Compare: outputs, registers
  - Valid for most of the optimizations
- Internal equivalence (structural similarity)
  - Divide and conquer
  - Use simulation to identify internal EQ candidates
(Goto EC fig)

Internal Equivalence
[Figure: golden and revised circuits from PIs to POs; internal nets proven equivalent become new PIs for the remaining comparison]

- Advances in logic reasoning techniques
  - Automatic Test Pattern Generation (ATPG) & Boolean Satisfiability (SAT)
  - Binary Decision Diagram (BDD)

Incisive Conformal Equivalence Checker
- Original: Verplex Conformal LEC; now Cadence
- Usage model:
  1. Read design & library (mixed language)
  2. Add constraints (optional), e.g. scan enable
  3. Set renaming rules (optional): the gate level may use different naming conventions from RTL
  4. Flatten the circuits: output = functions of inputs
  5. Compare
  6. Report and debug

Incisive Conformal EC in NTUEE
- Not available now (no one used it before)
- CIC just passed the application
- Will be installed in Lab 218
- Hopefully available this week
- Some students will test it and write a report (for the SoC Design Overview class)

(Formal) Verification Applications
[Figure: the design flow again, now highlighting property checking]

What is Property Checking?
- Do I correctly implement my spec?
- Spec (English) -> Properties (formal/temporal functions)
  - Assert always (a > b)
  - Request eventually Acknowledge
  - Request -> Acknowledge in (3, 12) cycles

Objectives of Property Checking
- To find as many bugs as possible
- 100% verification? Do I write enough properties? (Forget it!!)
- Which one is golden? The spec? What if there is a bug in the spec? (Who knows)
- A difficult-to-prove assertion is a good assertion? (NO!!)
- Write properties to facilitate bug hunting

Property Checking vs. Equivalence Checking
- Flow: property checking vs. equivalence checking
- Try ideas from equivalence checking?
  - Combinational reduction? (No, most properties are sequential)
  - Internal equivalence? (No. Equivalence to what?)
- In reality, property checking is much more difficult than equivalence checking!

What Makes Property Checking Practical?
- (Fact) A property is a formal specification of design intent
  - Reasonably local
  - More than 90% of properties are assertions
- Most simple properties can be exhaustively proven, or some bugs can be found
- Advances in ATPG/SAT, BDD

Remember
"Where am I going to find time to write assertions? I don't even have time to write comments!" --- one design engineer
- In reality, designers are too busy and lazy to learn new assertion languages and write assertions! --- Verplex market validation

Pre-defined Checks
- Some properties can be automatically identified and extracted during the synthesis process
  - Bus contention / propagation
  - FSM checks
  - Range overflow
  - Race condition
- Designers don't need to learn how to write assertions
- Close to a push-button solution

Conclusion
- Review of design verification practices and problems
  - Simulation is still the mainstream
  - Assertion-based verification
- Formal technique: constraint satisfaction problems
  - BDD
  - Branch-and-bound
- Applications in verification tools
  - Equivalence checking
  - Property checking

Simulation vs. Formal Verification (rating shown by the number of > marks)
                        User friendly   Acceptance   Easy bugs   Difficult bugs
  Simulation            >>>>>           >>>>>        >>>>        >
  Equivalence checking  >>>>            >>>>         >>>>>       >>>>
  Property checking     >               >            >>>         >>>
- Is it possible to combine simulation and formal techniques?
Simulation vs. Formal
- Simulation
  - Easy to use
  - Can run on large circuits
  - Can detect easy bugs quickly
  - Almost impossible to handle corner-case bugs
- Formal (property checking)
  - Higher learning curve for designers
  - Cannot perform an exhaustive search on large designs
  - Can target corner-case bugs
- Semi-formal --- combines the advantages of both

Simulation-based Semi-formal Approach
- Simulation trace
- Apply formal techniques (state space exploration) around the simulation states
[Figure: a simulation trace with formal state-space exploration branching out around the simulation states]

Thank you

