Practical Formal: Mainstream Formal for the Rest of Us
Presentation Transcript

  • 1. Practical Formal – Mainstream Formal for the Rest of Us
    Jacob A. Abraham
    DVClub Meeting, Austin, Texas, March 21, 2007
    (slide footer: JAA, 3/21/2007)
  • 2. Is Formal Verification Mainstream?
    - Formal equivalence checking: only up to the RT level
    - What about formal property checking? Can it deal with properties used in a simulation-based flow?
    - What characteristics prevent formal verification from being more widely used?
      - Need to deal with complex designs
      - Seamlessly fit into the design flow
  • 3. Directions to Make Formal Mainstream
    - Engines which can deal with real designs
      - Multiple clock domains
      - Tristate signals (not Boolean)
    - Deal with design descriptions at higher levels
      - Reduce complexity of analysis
      - Static analysis of the design description will scale (unlike a functional analysis)
    - Automated techniques which fit into the design flow
      - No distractions when concentrating on design
  • 4. ATPG Engines to Check Properties
    - Some work in checking safety properties
    - Detecting a "stuck-at-0" fault on an internal signal p is equivalent to establishing EF p (figure: a circuit with internal signal p)
    - Verify the design at the lowest level possible: for example, the ATPG level
    - Deal with tri-states, multiple clocks, etc.
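The ATPG-as-property-checker idea on this slide, as an added example that is not from the talk: a constructed toy counter in Python where the search for a test sequence detecting a stuck-at-0 fault on p is the same breadth-first reachability search that decides EF p. The counter, the signal p and the names make_counter, signal_p, witness_for and detects are assumptions for illustration.

```python
from collections import deque
from itertools import product

# Constructed toy design (not from the talk): a small counter with synchronous
# reset and enable held in a two-bit register. `modulus` selects a mod-4 counter
# (state 3 reachable) or a mod-3 counter (state 3 never reached).
INPUTS = ("rst", "en")

def make_counter(modulus):
    def next_state(q, rst, en):
        if rst:
            return 0
        return (q + 1) % modulus if en else q
    return next_state

def signal_p(q, rst, en):
    # Internal signal p: counter saturated at 3 while enabled and not in reset.
    return int(q == 3 and en and not rst)

def witness_for(sig, next_state, reset_state=0, inputs=INPUTS):
    """Breadth-first search of the reachable state space for an input sequence
    that drives `sig` to 1. A returned sequence is a witness for EF sig and, at
    the same time, the ATPG test for sig stuck-at-0. None means sig is never 1
    from reset: EF sig is false and the stuck-at-0 fault is redundant."""
    parent = {reset_state: None}
    queue = deque([reset_state])
    while queue:
        q = queue.popleft()
        for vals in product((0, 1), repeat=len(inputs)):
            vec = dict(zip(inputs, vals))
            if sig(q, **vec):
                seq, s = [vec], q            # walk parent links back to reset
                while parent[s] is not None:
                    s, pvec = parent[s]
                    seq.append(pvec)
                return list(reversed(seq))
            nq = next_state(q, **vec)
            if nq not in parent:
                parent[nq] = (q, vec)
                queue.append(nq)
    return None

def detects(seq, sig, next_state, reset_state=0):
    """Apply the sequence to the fault-free design and to the design with sig
    stuck at 0; the sequence detects the fault iff the two traces of sig differ."""
    good, faulty, q = [], [], reset_state
    for vec in seq:
        good.append(sig(q, **vec))
        faulty.append(0)                     # stuck-at-0: the site never rises
        q = next_state(q, **vec)
    return good != faulty

if __name__ == "__main__":
    seq = witness_for(signal_p, make_counter(4))
    print("EF p witness / stuck-at-0 test, mod-4 counter:", seq)
    print("fault detected:", detects(seq, signal_p, make_counter(4)))
    print("mod-3 counter (state 3 unreachable):", witness_for(signal_p, make_counter(3)))
```

The mod-3 case is the interesting one for a practitioner: an ATPG engine reporting the fault as redundant is the same verdict as a model checker reporting that EF p is false, which is why a sequential ATPG engine can double as a checker for this class of properties.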
  • 5. RTL to RTL Equivalence Checking
    - Use Term Rewriting Systems (TRS)
    - Significant success with RTL "term" level reductions
    - Verification of arithmetic circuits at the RTL level using term rewriting
    - RTL to RTL equivalence checking
    - Verified large multiplier designs like Booth, Wallace Tree and many optimized multipliers using this rewriting technique
  • 6. RTL Equivalence Using TRSs (flow diagram)
    - Golden RTL --Translation (VTrans)--> Golden TRS
    - Revised RTL --Translation (VTrans)--> Revised TRS
    - Golden TRS + Revised TRS --> Equivalence Proof (Vprover)
  • 7. Why it Works
    - Congruence between RTL-states (terms) of the two designs, given the RTL state-transition graph (TRS)
    - Equivalence is proved by showing that one term can be rewritten to the other
    - SAT solvers, STE engines, gate-level equivalence checkers, etc., serve as proof engines
    - Comparison points in RTL-state space
      - Congruence at every comparison point
      - Cover the entire data space of the designs
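An added example of the rewriting approach described on slides 5 to 7; it is not the VERIFIRE tool or its rule set. A small term rewriting system in Python normalises RTL datapath terms to a canonical polynomial, so a golden `a * b` and a revised shift-and-add multiplier rewrite to the same term, while a mis-shifted partial product leaves a difference that a fallback proof engine (exhaustive evaluation here, a SAT solver in practice) turns into a counterexample. The operator set, the 8-bit width, the bit-blast rule for `b`, the polynomial normal form and all names are assumptions.

```python
from itertools import product

# RTL datapath terms are nested tuples (constructed notation, not the talk's):
# ('var', name), ('const', n), ('add', x, y), ('mul', x, y), ('shl', x, k), ('mux', s, x, y)
WIDTH = 8
MOD = 1 << WIDTH              # every term is an unsigned WIDTH-bit signal

# Rewrite rules applied by `normalize`, mapping a term to a canonical polynomial:
#   shl(x, k)    -> x * 2^k
#   mux(s, x, y) -> s*x + (1 - s)*y          (s is a 1-bit signal)
#   s * s        -> s                        (1-bit signals are idempotent)
#   word b       -> b0 + 2*b1 + 4*b2 + ...   (bit-blast rule supplied by the user)
# A polynomial is {monomial: coeff mod MOD}; a monomial is a sorted tuple of names.

def poly_add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = (r.get(m, 0) + c) % MOD
    return {m: c for m, c in r.items() if c}

def poly_mul(p, q, bit_vars):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            mono = []
            for n in sorted(m1 + m2):        # idempotence for 1-bit signals
                if n in bit_vars and mono and mono[-1] == n:
                    continue
                mono.append(n)
            m = tuple(mono)
            r[m] = (r.get(m, 0) + c1 * c2) % MOD
    return {m: c for m, c in r.items() if c}

def normalize(term, bit_vars, blast):
    op = term[0]
    nz = lambda t: normalize(t, bit_vars, blast)
    if op == 'const':
        return {(): term[1] % MOD} if term[1] % MOD else {}
    if op == 'var':
        if term[1] in blast:                 # word signal rewritten to its weighted bits
            return {(b,): (1 << i) % MOD for i, b in enumerate(blast[term[1]]) if (1 << i) % MOD}
        return {(term[1],): 1}
    if op == 'add':
        return poly_add(nz(term[1]), nz(term[2]))
    if op == 'mul':
        return poly_mul(nz(term[1]), nz(term[2]), bit_vars)
    if op == 'shl':
        return poly_mul(nz(term[1]), {(): (1 << term[2]) % MOD}, bit_vars)
    if op == 'mux':
        s, x, y = nz(term[1]), nz(term[2]), nz(term[3])
        not_s = poly_add({(): 1}, poly_mul({(): MOD - 1}, s, bit_vars))
        return poly_add(poly_mul(s, x, bit_vars), poly_mul(not_s, y, bit_vars))
    raise ValueError(op)

def equivalent(golden, revised, bit_vars, blast):
    """Rewriting-based proof: both terms reach the same normal form."""
    return normalize(golden, bit_vars, blast) == normalize(revised, bit_vars, blast)

def evaluate(term, env):
    op = term[0]
    if op == 'const': return term[1] % MOD
    if op == 'var':   return env[term[1]] % MOD
    if op == 'add':   return (evaluate(term[1], env) + evaluate(term[2], env)) % MOD
    if op == 'mul':   return (evaluate(term[1], env) * evaluate(term[2], env)) % MOD
    if op == 'shl':   return (evaluate(term[1], env) << term[2]) % MOD
    if op == 'mux':   return evaluate(term[2], env) if evaluate(term[1], env) else evaluate(term[3], env)
    raise ValueError(op)

def counterexample(golden, revised, word_vars, blast, width=4):
    """Fallback proof engine when rewriting does not close the gap: exhaustive
    evaluation over narrow operands (a SAT solver plays this role at scale)."""
    bits = [b for bs in blast.values() for b in bs]
    for words in product(range(1 << width), repeat=len(word_vars)):
        for bvals in product((0, 1), repeat=len(bits)):
            env = dict(zip(word_vars, words))
            env.update(zip(bits, bvals))
            for w, bs in blast.items():      # word value implied by its bits
                env[w] = sum(env[b] << i for i, b in enumerate(bs))
            if evaluate(golden, env) != evaluate(revised, env):
                return env
    return None

# Constructed designs: golden is a behavioural multiply; revised is a four-partial-product
# shift-and-add implementation that selects each shifted multiplicand with a mux on bit b_i.
A, B = ('var', 'a'), ('var', 'b')
BLAST = {'b': ['b0', 'b1', 'b2', 'b3']}
BIT_VARS = set(BLAST['b'])
GOLDEN = ('mul', A, B)

def shift_add(shifts):
    terms = [('mux', ('var', f'b{i}'), ('shl', A, k), ('const', 0)) for i, k in enumerate(shifts)]
    acc = terms[0]
    for t in terms[1:]:
        acc = ('add', acc, t)
    return acc

REVISED = shift_add([0, 1, 2, 3])
BUGGY = shift_add([0, 1, 2, 2])      # last partial product shifted by 2 instead of 3

if __name__ == "__main__":
    print("golden ~ revised:", equivalent(GOLDEN, REVISED, BIT_VARS, BLAST))
    print("golden ~ buggy:  ", equivalent(GOLDEN, BUGGY, BIT_VARS, BLAST))
    print("counterexample:  ", counterexample(GOLDEN, BUGGY, ['a'], BLAST))
```

The point to notice is what the slide calls "covering the entire data space": the normal-form comparison is symbolic in `a` and in the bits of `b`, so agreement of the two polynomials is a proof for every operand value, whereas the fallback engine only becomes necessary (and only at the comparison point that failed to rewrite) when the normal forms differ.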
  • 8. Results on Multipliers (run time per Wallace Tree multiplier size)

    Wallace Tree   VERIFIRE   Commercial Tool 1   Commercial Tool 2
    4 x 4          14 s       10 s                9 s
    8 x 8          18 s       18 s                16 s
    16 x 16        25 s       Unfinished          Unfinished
    32 x 32        40 s       Unfinished          Unfinished
    64 x 64        60 s       Unfinished          Unfinished
  • 9. Sequential Equivalence Checking: Using Sequential Compare Points
    - Introduce the notion of sequential compare points
    - Sequential compare points are two-tuple entities
      - Identification w.r.t. relative position in time
      - Identification w.r.t. space (data or variables)
    - Co-ordinates on the space-time axis of both designs being compared
    - Exactly model the sequential behavior of the designs
  • 10. Equivalence Checking Using Sequential Compare Points
    - Variables of interest (observables) obtained from the user or the block diagram
      - Typically include primary outputs
      - Can also include relevant intermediate variables
    - Symbolic expressions obtained for observables assigned in a given cycle
    - Symbolic expressions compared at sequential compare points
      - Comparison using a SAT solver in this work
      - Other Boolean-level engines can also be used
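An added illustration of slides 9 and 10, not the talk's tool: a Python symbolic simulator records, for each cycle, the expression each observable carries in terms of fresh per-cycle input symbols, then compares a golden single-register adder with a revised two-stage pipelined one at the compare points (y, t) in the golden design and (y, t+1) in the revised one. The two designs, the injected pipeline bug, and exhaustive evaluation standing in for the SAT solver are assumptions.

```python
from itertools import product

WIDTH = 4
MASK = (1 << WIDTH) - 1

# Symbolic values (constructed notation): ('in', name, cycle) is the fresh symbol for
# input `name` sampled in `cycle`; ('const', v); ('add', x, y).
def symbols(e):
    if e[0] == 'in':
        return {(e[1], e[2])}
    if e[0] == 'add':
        return symbols(e[1]) | symbols(e[2])
    return set()

def evaluate(e, env):
    if e[0] == 'const':
        return e[1] & MASK
    if e[0] == 'in':
        return env[(e[1], e[2])] & MASK
    if e[0] == 'add':
        return (evaluate(e[1], env) + evaluate(e[2], env)) & MASK
    raise ValueError(e[0])

def symbolic_run(design, cycles):
    """Run `cycles` clock cycles; trace[t] maps each observable to the symbolic
    expression it holds in cycle t, i.e. the space-time coordinate (observable, t)."""
    state, trace = dict(design['init']), []
    for t in range(cycles):
        ins = {n: ('in', n, t) for n in design['inputs']}
        outs, state = design['step'](state, ins)
        trace.append(outs)
    return trace

def compare(e1, e2):
    """Check e1 == e2 under every assignment to their input symbols. Exhaustive
    evaluation over WIDTH-bit values stands in for the SAT call in the talk."""
    syms = sorted(symbols(e1) | symbols(e2))
    for vals in product(range(1 << WIDTH), repeat=len(syms)):
        env = dict(zip(syms, vals))
        if evaluate(e1, env) != evaluate(e2, env):
            return env                       # counterexample at this compare point
    return None

def check_compare_points(golden, revised, observable, latency, cycles):
    """Sequential compare points (observable, t) in golden vs (observable, t+latency)
    in revised for every t the trace covers. One entry (point, point, cex) per pair."""
    g, r = symbolic_run(golden, cycles), symbolic_run(revised, cycles + latency)
    return [((observable, t), (observable, t + latency),
             compare(g[t][observable], r[t + latency][observable]))
            for t in range(cycles)]

# Constructed designs. Golden: y <= a + b (one register). Revised: inputs are
# registered first (ra, rb), then y <= ra + rb, so y lags the golden design by one cycle.
def golden_step(st, ins):
    return {'y': st['y']}, {'y': ('add', ins['a'], ins['b'])}

def revised_step(st, ins):
    return {'y': st['y']}, {'ra': ins['a'], 'rb': ins['b'], 'y': ('add', st['ra'], st['rb'])}

def buggy_step(st, ins):
    # Injected pipeline bug: the second stage reads the unregistered b, mixing cycles.
    return {'y': st['y']}, {'ra': ins['a'], 'rb': ins['b'], 'y': ('add', st['ra'], ins['b'])}

ZERO = ('const', 0)
GOLDEN = {'inputs': ('a', 'b'), 'init': {'y': ZERO}, 'step': golden_step}
REVISED = {'inputs': ('a', 'b'), 'init': {'ra': ZERO, 'rb': ZERO, 'y': ZERO}, 'step': revised_step}
BUGGY = dict(REVISED, step=buggy_step)

if __name__ == "__main__":
    for label, design in (("revised", REVISED), ("buggy", BUGGY)):
        for g, r, cex in check_compare_points(GOLDEN, design, 'y', latency=1, cycles=3):
            print(label, g, "~", r, "ok" if cex is None else f"MISMATCH {cex}")
```

Because each compare point carries both a variable and a cycle, a design whose only difference is latency is still proved equivalent, and a bug that mixes data from two cycles shows up as a counterexample naming the exact input symbol and cycle that disagree.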
  • 11. Example: Viterbi Decoder
    - Part of a digital radio (DRM) in SystemC
    - DRM SoC partitioned to implement the Viterbi decoder as a hardware accelerator
    - SystemC specification
      - Basic model implementing the Viterbi algorithm
      - No optimizations
    - Viterbi Verilog RTL implementations
      - First implementation: optimized for speed
      - Second implementation: optimized for area
  • 12. Results (table not reproduced in the transcript)
  • 13. Antecedent Conditioned Slicing for Verification
    - Slice away the part of the design irrelevant to the property being verified
    - Safety properties of the form G (antecedent => consequent)
    - Use the antecedent to specify the states in which we are interested
    - We do not need to preserve program executions where the antecedent is false
    - The resulting abstraction is called an antecedent conditioned slice
  • 14. Example Properties of the USB 2.0 Core
    - G((crc5err ∨ match) => send_token)
      If a packet with a bad CRC5 is received, or there is an endpoint field mismatch, the token is ignored
    - G((state == SPEED_NEG_FS) => X((mode_hs ∧ T1_gt_3_0ms) => (next_state == RES_SUSPEND)))
      If the machine is in the speed negotiation state, then in the next clock cycle, if it is in high-speed mode for more than 3 ms, it will go to the suspend state
    - G(((state == RESUME_WAIT) ∧ idle_cnt_clr) => F(state == NORMAL))
      If the machine is waiting to resume operation and a counter is set, eventually (after 100 ms) it will return to normal operation
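An added example of slides 13 and 14; it is neither the slicer from the talk nor the USB 2.0 core. A constructed Python model holds a small control FSM with state names borrowed from the second property above, plus two datapath registers the property never mentions. The antecedent conditioned slice keeps only the variables in the consequent's cone of influence and only the states in which the antecedent holds, and a one-step reading of G((state == SPEED_NEG_FS) => X((mode_hs ∧ T1_gt_3_0ms) => (next_state == RES_SUSPEND))) is checked on the slice and, for comparison, on the full reachable state space. The FSM, its inputs, the injected bug and all function names are assumptions.

```python
from collections import deque
from itertools import product

IDLE, SPEED_NEG_FS, NORMAL, RES_SUSPEND = 'IDLE', 'SPEED_NEG_FS', 'NORMAL', 'RES_SUSPEND'
INPUTS = ('mode_hs', 'T1_gt_3_0ms', 'rx_valid')

def fsm_next(s, i):
    # Constructed control FSM, loosely modelled on the names in the property.
    st = s['state']
    if st == IDLE:
        return SPEED_NEG_FS if i['rx_valid'] else IDLE
    if st == SPEED_NEG_FS:
        if i['mode_hs'] and i['T1_gt_3_0ms']:
            return RES_SUSPEND
        return NORMAL if i['mode_hs'] else SPEED_NEG_FS
    if st == RES_SUSPEND:
        return IDLE if i['rx_valid'] else RES_SUSPEND
    return NORMAL

def buggy_fsm_next(s, i):
    # Injected bug: the >3 ms high-speed case goes to NORMAL instead of suspend.
    if s['state'] == SPEED_NEG_FS and i['mode_hs'] and i['T1_gt_3_0ms']:
        return NORMAL
    return fsm_next(s, i)

def make_design(next_fn):
    # var -> (variables its next-state function reads, the function). crc/data are
    # a datapath the property never mentions; they only inflate the full state space.
    return {
        'state': ({'state'}, next_fn),
        'crc':   ({'crc'}, lambda s, i: (s['crc'] + i['rx_valid']) % 64),
        'data':  ({'data', 'crc'}, lambda s, i: (s['data'] * 2 + (s['crc'] & 1)) % 16),
    }

DOMAINS = {'state': (IDLE, SPEED_NEG_FS, NORMAL, RES_SUSPEND), 'crc': range(64), 'data': range(16)}
INIT = {'state': IDLE, 'crc': 0, 'data': 0}

# Property G(antecedent(s) => consequent(i, s')): the one-step form of the slide's
# G((state == SPEED_NEG_FS) => X((mode_hs ^ T1_gt_3_0ms) => (next_state == RES_SUSPEND))).
def antecedent(s):
    return s['state'] == SPEED_NEG_FS

def consequent(i, s_next):
    return not (i['mode_hs'] and i['T1_gt_3_0ms']) or s_next['state'] == RES_SUSPEND

CONSEQUENT_VARS = {'state'}

def all_inputs():
    return [dict(zip(INPUTS, v)) for v in product((0, 1), repeat=len(INPUTS))]

def step(design, s, i):
    return {v: fn(s, i) for v, (_, fn) in design.items()}

def freeze(s):
    return tuple(sorted(s.items()))

def check_full(design):
    """Explicit-state check over everything reachable from INIT (no slicing)."""
    seen, queue, violations = {freeze(INIT)}, deque([INIT]), []
    while queue:
        s = queue.popleft()
        for i in all_inputs():
            s2 = step(design, s, i)
            if antecedent(s) and not consequent(i, s2):
                violations.append((s, i, s2))
            if freeze(s2) not in seen:
                seen.add(freeze(s2))
                queue.append(s2)
    return len(seen), violations

def cone_of_influence(design, vars_):
    cone, todo = set(), set(vars_)
    while todo:
        v = todo.pop()
        cone.add(v)
        todo |= design[v][0] - cone
    return cone

def check_slice(design):
    """Antecedent conditioned slice: drop variables outside the consequent's cone and
    keep only states where the antecedent is true. Executions through antecedent-false
    states need not be preserved for G(ant => cons), so each antecedent state is
    examined directly instead of being reconstructed by reachability."""
    cone = cone_of_influence(design, CONSEQUENT_VARS)
    sliced = {v: design[v] for v in cone}
    names = sorted(cone)
    explored, violations = 0, []
    for vals in product(*(DOMAINS[v] for v in names)):
        s = dict(zip(names, vals))
        if not antecedent(s):
            continue
        explored += 1
        for i in all_inputs():
            s2 = step(sliced, s, i)
            if not consequent(i, s2):
                violations.append((s, i, s2))
    return explored, violations

if __name__ == "__main__":
    for name, d in (("good", make_design(fsm_next)), ("buggy", make_design(buggy_fsm_next))):
        n_full, v_full = check_full(d)
        n_slice, v_slice = check_slice(d)
        print(f"{name}: full {n_full} states, {len(v_full)} violations; "
              f"slice {n_slice} states, {len(v_slice)} violations")
```

The slice is sound for this property shape because it over-approximates: every antecedent state is examined, reachable or not, so a violation found on the full model is also found on the slice. The price is the possibility of a spurious violation in an antecedent state that the full design can never reach; when that happens the offending state is a concrete lead for strengthening the antecedent.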
  • 15. Results on Temporal USB Properties
    CPU seconds on a 450 MHz dual UltraSPARC-II with 1 GB RAM (table not reproduced in the transcript)
  • 16. Verification of Processors Using Antecedent Conditioned Slicing
    - Verification of single-instruction-issue, multi-stage pipelined processors
    - Antecedent conditioned slicing provides an automatic decomposition strategy
    - Individual "instruction machines"
      - Leverage the automatic power of model checking
      - Provide a different notion of verification
    - Verification of the RTL model of an off-the-shelf processor
    - Verified all the instructions of the OR1200 embedded processor
  • 17. Single Instruction Verification (figure)
    - The processor P0 = P is decomposed per instruction: for instructions i1, ..., it+1, ..., in, the antecedent conditioned slices P1, ..., Pt+1, ..., Pn are each handed to the model checker
    - Slice construction: get_conditioned_slice(P0, <i1, e, Vh>)
  • 18. Results of OR1200 Verification
    CPU seconds on a 3 GHz Pentium 4 processor with 1 GB RAM

    Instruction Class   Instruction   SMV time (seconds)   Memory Usage (KB)
    LSU                 l.ld          35.85                29104
    SHF/ROT             l.ror         27.93                26919
    SPRS                l.mfspr       226.97               50696
    SPRS                l.mtspr       212.27               48627
    LSU                 l.lws         33.91                28873
    LSU                 l.sd          38.32                30941
    SHF/ROT             l.sll         26.81                23771
    SHF/ROT             l.srl         27.83                23771