Practical Formal: Mainstream Formal for the Rest of Us

Published in: Technology, Design

  1. Practical Formal: Mainstream Formal for the Rest of Us
     Jacob A. Abraham
     DVClub Meeting, Austin, Texas, March 21, 2007
  2. Is Formal Verification Mainstream?
     • Formal Equivalence Checking: only up to the RT level
     • What about Formal Property Checking? Can it deal with properties used in a simulation-based flow?
     • What characteristics prevent formal verification from being more widely used?
       - Need to deal with complex designs
       - Seamlessly fit into the design flow
  3. Directions to Make Formal Mainstream
     • Engines which can deal with real designs
       - Multiple clock domains
       - Tristate signals (not Boolean)
     • Deal with design descriptions at higher levels
       - Reduce complexity of analysis
       - Static analysis of the design description will scale (unlike a functional analysis)
     • Automated techniques which fit into the design flow
       - No distractions when concentrating on design
  4. ATPG Engines to Check Properties
     • Some work in checking safety properties
     • Detecting a "stuck-at-0" fault on p is equivalent to establishing EF p
       [Figure: circuit with output p]
     • Verify the design at the lowest level possible: for example, the ATPG level
     • Deal with tri-states, multiple clocks, etc.
  5. RTL to RTL Equivalence Checking
     • Use Term Rewriting Systems (TRS)
     • Significant success with RTL "term" level reductions
     • Verification of arithmetic circuits at the RTL level using term rewriting
     • RTL to RTL equivalence checking
     • Verified large multiplier designs like Booth, Wallace Tree and many optimized multipliers using this rewriting technique
  6. RTL Equivalence Using TRSs
     [Figure: the Golden RTL and the Revised RTL are each translated (VTrans) into a Golden TRS and a Revised TRS; Vprover then produces the equivalence proof.]
  7. Why it Works
     • Congruence between RTL states (terms) of two designs, given the RTL state-transition graph (TRS)
     • Equivalence is proved by showing that one term can be rewritten to the other
     • SAT solvers, STE engines, gate-level equivalence checkers, etc., serve as proof engines
     • Comparison points in RTL state space
       - Congruence at every comparison point
       - Cover the entire data space of the designs
  8. Results on Multipliers

     Wallace Tree multiplier size | VERIFIRE | Commercial Tool 1 | Commercial Tool 2
     4 x 4                        | 14s      | 10s               | 9s
     8 x 8                        | 18s      | 18s               | 16s
     16 x 16                      | 25s      | Unfinished        | Unfinished
     32 x 32                      | 40s      | Unfinished        | Unfinished
     64 x 64                      | 60s      | Unfinished        | Unfinished
  9. Sequential Equivalence Checking: Using Sequential Compare Points
     • Introduce the notion of sequential compare points
     • Sequential compare points are two-tuple entities
       - Identification w.r.t. relative position in time
       - Identification w.r.t. space (data or variables)
     • Co-ordinates on the space-time axis of both designs being compared
     • Exactly model the sequential behavior of designs
  10. Equivalence Checking Using Sequential Compare Points
      • Variables of interest (observables) obtained from the user or block diagram
        - Typically include primary outputs
        - Can also include relevant intermediate variables
      • Symbolic expressions obtained for observables assigned in a given cycle
      • Symbolic expressions compared at sequential compare points
        - Comparison using a SAT solver in this work
        - Other Boolean-level engines can also be used
  11. Example: Viterbi Decoder
      • Part of a digital radio (DRM) in SystemC
      • DRM SoC partitioned to implement the Viterbi decoder as a hardware accelerator
      • SystemC specification
        - Basic model implementing the Viterbi algorithm
        - No optimizations
      • Viterbi Verilog RTL implementations
        - First implementation: optimized for speed
        - Second implementation: optimized for area
  12. Results
  13. Antecedent Conditioned Slicing for Verification
      • Slice away the part of the design irrelevant to the property being verified
      • Safety properties of the form G (antecedent => consequent)
      • Use the antecedent to specify the states in which we are interested
      • We do not need to preserve program executions where the antecedent is false
      • The resulting abstraction is called an antecedent conditioned slice
  14. Example Properties of USB 2.0 Core
      • G(((crc5err) V match) => send_token)
        If a packet with a bad CRC5 is received, or there is an endpoint field mismatch, the token is ignored
      • G((state == SPEED_NEG_FS) => X((mode_hs) ^ (T1_gt_3_0ms) => (next_state == RES_SUSPEND)))
        If the machine is in the speed negotiation state, then in the next clock cycle, if it is in high speed mode for more than 3 ms, it will go to the suspend state
      • G((state == RESUME_WAIT) ^ (idle_cnt_clr) => F(state == NORMAL))
        If the machine is waiting to resume operation and a counter is set, eventually (after 100 ms) it will return to normal operation
  15. Results on Temporal USB Properties
      CPU seconds, 450 MHz dual UltraSPARC-II with 1 GB RAM
  16. Verification of Processors Using Antecedent Conditioned Slicing
      • Verification of single-instruction-issue, multi-stage pipelined processors
      • Antecedent conditioned slicing provides an automatic decomposition strategy
        - Individual "instruction machines"
        - Leverage the automatic power of model checking
        - Provide a different notion of verification
      • Verification of the RTL model of an off-the-shelf processor
        - Verified all the instructions of the OR1200 embedded processor
  17. Single Instruction Verification
      [Figure: starting from the processor model P0 = P, each instruction i1, ..., it+1, ..., in yields an antecedent conditioned slice P1, ..., Pt+1, ..., Pn via get_conditioned_slice(P0, <i1, e, Vh>); each slice is passed to the model checker.]
  18. Results of OR1200 Verification
      CPU seconds, 3 GHz Pentium 4 processor with 1 GB RAM

      Instruction class | Instruction | SMV time (seconds) | Memory usage (KB)
      SHF/ROT           | l.srl       | 27.83              | 23771
      SHF/ROT           | l.sll       | 26.81              | 23771
      LSU               | l.sd        | 38.32              | 30941
      LSU               | l.lws       | 33.91              | 28873
      SPRS              | l.mtspr     | 212.27             | 48627
      SPRS              | l.mfspr     | 226.97             | 50696
      SHF/ROT           | l.ror       | 27.93              | 26919
      LSU               | l.ld        | 35.85              | 29104
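As an added example for slides 9 to 11 (not code from the talk, and not the Viterbi decoder), the sequential compare points idea on two constructed toy designs: a golden adder with one output register, and a revised version that registers its operands first, so observable y in the revised design lags the golden one by a cycle. The 4-bit width, the input names a and b, and the use of exhaustive enumeration in place of the SAT solver the slides use are all assumptions.

```python
"""Sequential compare points on two constructed toy designs (not the slides' Viterbi decoder)."""
from itertools import product

WIDTH = 4                        # 4-bit datapath: small enough to enumerate all inputs
MASK = (1 << WIDTH) - 1          # instead of handing the comparison to a SAT solver

def sym_in(name, t):             # primary input `name` sampled in cycle t, e.g. ("in", "a3")
    return ("in", f"{name}{t}")

def add(x, y):                   # symbolic modular adder node
    return ("add", x, y)

def evaluate(expr, env):
    if expr[0] == "const": return expr[1]
    if expr[0] == "in":    return env[expr[1]]
    return (evaluate(expr[1], env) + evaluate(expr[2], env)) & MASK

def free_vars(expr):
    if expr[0] == "in":  return {expr[1]}
    if expr[0] == "add": return free_vars(expr[1]) | free_vars(expr[2])
    return set()

def equivalent(e1, e2):
    """True iff e1 == e2 under every input assignment (brute-force stand-in for SAT)."""
    names = sorted(free_vars(e1) | free_vars(e2))
    return all(evaluate(e1, dict(zip(names, v))) == evaluate(e2, dict(zip(names, v)))
               for v in product(range(1 << WIDTH), repeat=len(names)))

def golden(cycles):
    """Golden: y is registered once, so y[t] = a[t-1] + b[t-1]."""
    y, trace = ("const", 0), []
    for t in range(cycles):
        trace.append(y)                      # observable y as seen in cycle t
        y = add(sym_in("a", t), sym_in("b", t))
    return trace

def revised(cycles):
    """Revised: operands registered before the adder, so y[t] = a[t-2] + b[t-2]."""
    ra, rb, y, trace = ("const", 0), ("const", 0), ("const", 0), []
    for t in range(cycles):
        trace.append(y)
        y = add(ra, rb)
        ra, rb = sym_in("a", t), sym_in("b", t)
    return trace

def check(cycles=4, skew=1):
    """Compare point = ((t, y) in golden, (t + skew, y) in revised): a (time, variable) pair."""
    g, r = golden(cycles + skew), revised(cycles + skew)
    return [(t, equivalent(g[t], r[t + skew])) for t in range(cycles)]
```

Running check() with skew=1 reports every compare point equivalent, while skew=0 pairs y with the wrong cycle and the mismatch is reported from cycle 1 on, which is why the compare point must carry a time coordinate as well as a variable.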
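As an added example for slides 13 and 14 (not the author's tool and not the USB core), a minimal antecedent conditioned slicer over a constructed guarded-assignment design: statements whose guard contradicts the antecedent are dropped first, then an ordinary backward slice is taken from the consequent's variables. The design, its variable names and the simplified single-cycle property G((state == RESUME_WAIT) ^ idle_cnt_clr => next_state == NORMAL) are assumptions made for the example.

```python
"""Antecedent conditioned slicing over a constructed guarded-assignment design."""

def stmt(guard, target, uses):
    """One RTL assignment: runs when every (var == value) in guard holds."""
    return {"guard": guard, "target": target, "uses": set(uses)}

# Constructed toy design, loosely shaped like the slides' USB example (not the real core).
DESIGN = [
    stmt({"state": "SPEED_NEG"},   "next_state", ["mode_hs", "t1_timer"]),
    stmt({"state": "SPEED_NEG"},   "t1_timer",   ["t1_timer", "clk_cnt"]),
    stmt({"state": "RESUME_WAIT"}, "next_state", ["idle_cnt", "idle_cnt_clr"]),
    stmt({"state": "RESUME_WAIT"}, "idle_cnt",   ["idle_cnt", "idle_cnt_clr"]),
    stmt({},                       "clk_cnt",    ["clk_cnt"]),
    stmt({},                       "send_token", ["crc5err", "match"]),
]

def guard_consistent(guard, antecedent):
    """False when the antecedent fixes a guard variable to a different value."""
    return all(antecedent.get(v, val) == val for v, val in guard.items())

def conditioned_slice(design, antecedent, consequent_vars):
    """Slice for G(antecedent => consequent): keep the statements that can
    influence the consequent's variables on executions where the antecedent holds."""
    # Statements whose guard contradicts the antecedent run only on executions
    # the property says nothing about, so they are discarded before slicing.
    live = [s for s in design if guard_consistent(s["guard"], antecedent)]
    needed, kept, changed = set(consequent_vars), [], True
    while changed:                   # backward data/control dependence closure
        changed = False
        for s in live:
            if s not in kept and s["target"] in needed:
                kept.append(s)
                needed |= s["uses"] | set(s["guard"])
                changed = True
    return kept

def kept_targets(antecedent, consequent_vars=("next_state",)):
    """(guard, target) of every statement surviving the slice, in design order."""
    return [(s["guard"], s["target"])
            for s in conditioned_slice(DESIGN, antecedent, consequent_vars)]

if __name__ == "__main__":
    plain = kept_targets({})                                      # unconditioned slice
    cond = kept_targets({"state": "RESUME_WAIT", "idle_cnt_clr": 1})
    print(len(plain), "statements kept without the antecedent,", len(cond), "with it")
```

On this design the plain backward slice keeps five of the six statements, while conditioning on the antecedent removes the whole SPEED_NEG branch and its timer logic and keeps only two, which is the reduction the model checker then benefits from.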