1. Practical Formal – Mainstream Formal for the Rest of Us
Jacob A. Abraham
DVClub Meeting
Austin, Texas
March 21, 2007
JAA, 3/21/2007 1
2. Is Formal Verification Mainstream?
Formal Equivalence Checking
Only up to the RT Level
What about Formal Property Checking?
Can it deal with properties used in a simulation-based flow?
What characteristics prevent formal verification from being more widely used?
Need to deal with complex designs
Seamlessly fit into the design flow
3. Directions to make Formal Mainstream
Engines which can deal with real designs
Multiple clock domains
Tristate signals (not Boolean)
Deal with design descriptions at higher levels
Reduce complexity of analysis
Static analysis of design description will scale (unlike a functional analysis)
Automated techniques which fit into the design flow
No distractions when concentrating on design
4. ATPG Engines to Check Properties
Some work in checking safety properties
[Figure: a circuit with an internal signal p. Detecting a “stuck-at-0” fault on p is equivalent to establishing EF p]
Verify design at the lowest level possible: for example, the ATPG level
Deal with tri-states, multiple clocks, etc.
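The stuck-at-0 / EF p correspondence on the slide, worked on a constructed toy machine. This is an added example, not code from the talk or from any ATPG tool; the 2-bit counter, its `en` input and the decoded line `p` are all invented here, and the example assumes `p` is directly observable (fault propagation through further logic is not modelled). The same breadth-first search that produces an EF p witness produces the test sequence for the stuck-at-0 fault, and when p is unreachable both questions come out negative.

```python
from collections import deque

# Constructed toy sequential circuit (not from the slides): a 2-bit counter
# with an enable input.  The internal line p decodes "count == 3".
def next_state(state, en):
    """State-transition function: advance the counter when en is high."""
    return (state + 1) % 4 if en else state

def p_of(state):
    """The line p under test: 1 exactly in state 3."""
    return 1 if state == 3 else 0

def find_ef_witness(signal=p_of, reset_state=0):
    """Breadth-first search over the reachable state space for a state in
    which `signal` is 1, i.e. a witness for EF p.  Returns the input sequence
    (one `en` value per cycle) reaching it, or None if EF p is false."""
    seen = {reset_state}
    queue = deque([(reset_state, [])])
    while queue:
        state, inputs = queue.popleft()
        if signal(state):
            return inputs
        for en in (0, 1):
            nxt = next_state(state, en)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, inputs + [en]))
    return None

def stuck_at_0_test(signal=p_of):
    """Sequential ATPG view of the same question.  A stuck-at-0 fault on p is
    detectable iff some input sequence drives the fault-free p to 1 while the
    faulty circuit holds it at 0; with p observable, that sequence is exactly
    the EF p witness.  Returns the test and both observed values, or None if
    the fault is undetectable (p unreachable, so EF p fails)."""
    test = find_ef_witness(signal)
    if test is None:
        return None
    state = 0
    for en in test:
        state = next_state(state, en)
    return {"inputs": test, "good_p": signal(state), "faulty_p": 0}

if __name__ == "__main__":
    print(stuck_at_0_test())                   # {'inputs': [1, 1, 1], 'good_p': 1, 'faulty_p': 0}
    print(stuck_at_0_test(lambda s: s == 5))   # None: state 5 is unreachable
```

Swapping the explicit search for a SAT-based unrolling gives the bounded version an ATPG engine would run; the witness it returns is the same object either way.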
5. RTL to RTL Equivalence Checking
Use Term Rewriting Systems (TRS)
Significant success with RTL “Term” level reductions
Verification of arithmetic circuits at the RTL level using term rewriting
RTL to RTL equivalence checking
Verified large multiplier designs like Booth, Wallace Tree and many optimized multipliers using this rewriting technique
6. RTL Equivalence Using TRSs
[Diagram: Golden RTL is translated by VTrans into a Golden TRS; Revised RTL is translated by VTrans into a Revised TRS; Vprover takes both TRSs and produces the equivalence proof]
7. Why it Works
Congruence between RTL-states (terms) of two designs, given the RTL state-transition graph (TRS)
Equivalence is proved by showing that one term can be rewritten to the other
SAT solvers, STE engines, gate-level equivalence checkers, etc., as proof engines
Comparison points in RTL-state space
Congruence at every comparison point
Cover entire data space of the designs
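A small term rewriting system of the kind slides 5 to 7 describe, added here as an illustration; it is not VERIFIRE or any code from the talk. Word-level arithmetic terms are rewritten to a canonical sum-of-monomials normal form, so two RTL descriptions are congruent exactly when their normal forms coincide. The term syntax, the `normalize` rules and the three multiplier descriptions (behavioural `a * b`, a shift-and-add structure, and a deliberately broken variant with the shifts dropped) are all constructed for this example; bit truncation is ignored, so the check is over the unbounded word-level data space.

```python
# Added example (not the VERIFIRE tool or the slides' code): a tiny term
# rewriting system that normalizes word-level RTL arithmetic terms to a
# canonical sum-of-monomials form.  Two terms are congruent iff their normal
# forms coincide, which is the proof obligation on the slide.
# Term syntax (constructed for this example):
#   ('const', n)  ('var', name)  ('add', t, u)  ('mul', t, u)  ('shl', t, k)

def normalize(term):
    """Rewrite `term` to a canonical polynomial: {monomial: coefficient},
    where a monomial is a sorted tuple of variable names."""
    kind = term[0]
    if kind == 'const':
        return {(): term[1]} if term[1] != 0 else {}
    if kind == 'var':
        return {(term[1],): 1}
    if kind == 'add':                     # rule: merge like monomials
        poly = dict(normalize(term[1]))
        for mono, coeff in normalize(term[2]).items():
            poly[mono] = poly.get(mono, 0) + coeff
        return _prune(poly)
    if kind == 'mul':                     # rule: distribute, sort factors (commutativity)
        poly = {}
        for m1, c1 in normalize(term[1]).items():
            for m2, c2 in normalize(term[2]).items():
                mono = tuple(sorted(m1 + m2))
                poly[mono] = poly.get(mono, 0) + c1 * c2
        return _prune(poly)
    if kind == 'shl':                     # rule: x << k  ==>  x * 2^k
        return normalize(('mul', term[1], ('const', 1 << term[2])))
    raise ValueError(f"unknown term kind {kind!r}")

def _prune(poly):
    """Drop zero coefficients so equal polynomials compare equal."""
    return {m: c for m, c in poly.items() if c != 0}

def equivalent(golden, revised):
    """RTL-to-RTL equivalence: both terms rewrite to the same normal form."""
    return normalize(golden) == normalize(revised)

def operand(name, bits):
    """Word-level view of an n-bit operand: sum_i bit_i * 2^i."""
    term = ('const', 0)
    for i in range(bits):
        term = ('add', term, ('mul', ('const', 1 << i), ('var', f'{name}{i}')))
    return term

def golden_multiplier(bits):
    """Behavioural RTL: a * b with a spelled out bit by bit."""
    return ('mul', operand('a', bits), ('var', 'b'))

def shift_add_multiplier(bits):
    """Structural RTL: partial products a_i * b shifted into place and summed."""
    acc = ('const', 0)
    for i in range(bits):
        acc = ('add', acc, ('shl', ('mul', ('var', f'a{i}'), ('var', 'b')), i))
    return acc

def broken_multiplier(bits):
    """Same as shift_add_multiplier but with the shifts dropped (a real bug)."""
    acc = ('const', 0)
    for i in range(bits):
        acc = ('add', acc, ('mul', ('var', f'a{i}'), ('var', 'b')))
    return acc

if __name__ == "__main__":
    print(equivalent(golden_multiplier(8), shift_add_multiplier(8)))   # True
    print(equivalent(golden_multiplier(8), broken_multiplier(8)))      # False
```

Because the normal form is reached by rewriting rather than by enumerating values, the proof covers every operand value at once, which is the "cover entire data space" point on slide 7; a Boolean engine such as SAT would still be needed once bit widths and truncation are taken into account.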
8. Results on Multipliers
Wallace Tree   VERIFIRE   Commercial Tool 1   Commercial Tool 2
4 X 4          14s        10s                 9s
8 X 8          18s        18s                 16s
16 X 16        25s        Unfinished          Unfinished
32 X 32        40s        Unfinished          Unfinished
64 X 64        60s        Unfinished          Unfinished
9. Sequential Equivalence Checking: Using Sequential Compare Points
Introduce notion of sequential compare points
Sequential compare points are two-tuple entities
Identification w.r.t. relative position in time
Identification w.r.t. space (data or variables)
Coordinates on space-time axis of both designs being compared
Exactly model the sequential behavior of designs
10. Equivalence Checking Using Sequential Compare Points
Variables of interest (observables) obtained from user/block diagram
Typically include primary outputs
Can also include relevant intermediate variables
Symbolic expressions obtained for observables assigned in a given cycle
Symbolic expressions compared at sequential compare points
Comparison using a SAT solver in this work
Other Boolean level engines can also be used
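Sequential compare points from slides 9 and 10, worked on two constructed designs. This is an added example, not the talk's tool or its Viterbi models: both RTL-style classes, the `(variable, cycle)` compare-point lists and the operand widths are invented here. Design 1 computes a multiply-accumulate in one cycle; design 2 spends two cycles on it, so the correct compare points pair `out` at cycle t in design 1 with `out` at cycle t+1 in design 2. Exhaustive enumeration over 1-bit operands stands in for the SAT solver the slide uses; the check still reports a concrete counterexample when the compare points are mis-aligned in time.

```python
from itertools import product

# Added example, not the slides' tool.  Two constructed RTL-style models of a
# multiply-accumulate unit, one single-cycle and one split across two cycles,
# are compared at sequential compare points (variable, cycle) x (variable, cycle).
# Exhaustive enumeration over small operand widths stands in for the SAT solver
# of the slide: every input sequence is one candidate satisfying assignment.

WIDTH = 1                               # bits per operand; 2^(3*WIDTH*cycles) sequences
OUT_MASK = (1 << (2 * WIDTH + 1)) - 1   # a*b + c fits in 2*WIDTH+1 bits

class SpeedOpt:
    """Design 1: a*b + c computed and registered in one cycle."""
    def __init__(self):
        self.out = 0
    def step(self, a, b, c):
        self.out = (a * b + c) & OUT_MASK
        return {'out': self.out}

class AreaOpt:
    """Design 2: product registered first, addition a cycle later (extra latency)."""
    def __init__(self):
        self.prod, self.c_d, self.out = 0, 0, 0
    def step(self, a, b, c):
        # Non-blocking semantics: read old stage registers before updating them.
        self.out = (self.prod + self.c_d) & OUT_MASK
        self.prod, self.c_d = a * b, c
        return {'out': self.out, 'prod': self.prod}

def simulate(design, inputs_per_cycle):
    """Return {cycle: observables} with cycles numbered from 1."""
    trace = {}
    for t, (a, b, c) in enumerate(inputs_per_cycle, start=1):
        trace[t] = design.step(a, b, c)
    return trace

def check_compare_points(points, cycles):
    """Check every compare point ((var1, t1), (var2, t2)) over all input
    sequences of the given length.  Returns None if all hold, otherwise the
    first counterexample found."""
    for flat in product(range(1 << WIDTH), repeat=3 * cycles):
        inputs = [flat[3 * i:3 * i + 3] for i in range(cycles)]
        trace1 = simulate(SpeedOpt(), inputs)
        trace2 = simulate(AreaOpt(), inputs)
        for (v1, t1), (v2, t2) in points:
            if trace1[t1][v1] != trace2[t2][v2]:
                return {'inputs': inputs, 'point': ((v1, t1), (v2, t2)),
                        'values': (trace1[t1][v1], trace2[t2][v2])}
    return None

# Correct mapping: design 2 lags design 1 by one cycle on `out`.
ALIGNED = [(('out', t), ('out', t + 1)) for t in range(1, 3)]
# Naive same-cycle mapping, which ignores the latency difference.
SAME_CYCLE = [(('out', t), ('out', t)) for t in range(1, 4)]

if __name__ == "__main__":
    print(check_compare_points(ALIGNED, 3))      # None: every compare point holds
    print(check_compare_points(SAME_CYCLE, 3))   # a counterexample input sequence
```

Replacing the enumeration with symbolic expressions for `out` at each cycle and handing the equality to a SAT solver is what makes the method scale past toy widths; the compare-point bookkeeping is unchanged.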
11. Example: Viterbi Decoder
Part of digital radio (DRM) in SystemC
DRM SoC partitioned to implement Viterbi decoder as a hardware accelerator
SystemC specification
Basic model implementing Viterbi algorithm
No optimizations
Viterbi Verilog RTL implementations
First implementation: Optimized for speed
Second implementation: Optimized for area
13. Antecedent Conditioned Slicing for Verification
• Slicing part of design irrelevant to property being verified
• Safety Properties of the form
• G (antecedent => consequent)
• Use antecedent to specify states in which we are interested
• We do not need to preserve program executions where the antecedent is false
• The resulting abstraction is called an antecedent conditioned slice
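Antecedent conditioned slicing as this slide describes it, on a constructed guarded-assignment program. This is an added example and not the talk's tool; the program, its USB-flavoured variable names and the statement representation `(guard, target, sources)` are all invented here. For a property G(antecedent => consequent), statements whose guards contradict the antecedent are dropped (their executions need not be preserved), guards the antecedent implies become unconditional, and a plain backward slice from the consequent's variables is taken on what remains. The plain static slice is computed alongside so the reduction is visible.

```python
# Added example, not the slides' tool: antecedent conditioned slicing on a
# constructed, USB-flavoured guarded-assignment program.  A statement is
# (guard, target, sources): `guard` is a dict of "variable == value" tests that
# must all hold for the assignment to execute (None = unconditional).

PROGRAM = [
    ({'state': 'IDLE'},        'tx_data',    ['fifo']),
    ({'state': 'IDLE'},        'next_state', ['token_valid']),
    ({'state': 'RESUME_WAIT'}, 'idle_cnt',   ['idle_cnt', 'idle_cnt_clr']),
    ({'state': 'RESUME_WAIT'}, 'next_state', ['idle_cnt']),
    ({'state': 'SPEED_NEG'},   'next_state', ['mode_hs', 'timer']),
    (None,                     'state',      ['next_state']),
    (None,                     'crc_ok',     ['rx_data']),
]

def backward_slice(stmts, needed_vars):
    """Classic static slice: keep every statement that (transitively) feeds
    one of `needed_vars`, through both data sources and guard variables."""
    needed = set(needed_vars)
    kept = []
    while True:
        before = len(kept)
        for stmt in stmts:
            guard, target, sources = stmt
            if target in needed and stmt not in kept:
                kept.append(stmt)
                needed |= set(sources) | set(guard or {})
        if len(kept) == before:            # fixpoint: nothing new became relevant
            return [s for s in stmts if s in kept]

def antecedent_conditioned_slice(stmts, antecedent, consequent_vars):
    """Slice for a property G(antecedent => consequent), where `antecedent` is
    a dict of variable == value constraints.  Executions in which the
    antecedent is false need not be preserved, so guards contradicted by it
    are dropped outright and guards it implies become unconditional."""
    live = []
    for guard, target, sources in stmts:
        guard = guard or {}
        if any(v in antecedent and antecedent[v] != val for v, val in guard.items()):
            continue                       # unreachable under the antecedent
        residual = {v: val for v, val in guard.items() if v not in antecedent}
        live.append((residual or None, target, sources))
    return backward_slice(live, consequent_vars)

if __name__ == "__main__":
    # Property shape: G((state == RESUME_WAIT) => <constraint on next_state>)
    ant = {'state': 'RESUME_WAIT'}
    print(len(PROGRAM),
          len(backward_slice(PROGRAM, {'next_state'})),
          len(antecedent_conditioned_slice(PROGRAM, ant, {'next_state'})))   # 7 5 2
```

The antecedent-conditioned slice keeps only the two statements on the RESUME_WAIT path, whereas the unconditioned slice has to keep every writer of `next_state` and the `state` register that selects among them; that difference is the state-space reduction the model checker then benefits from.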
14. Example Properties of USB 2.0 Core
G(((crc5err) V match) => send_token))
If a packet with a bad CRC5 is received, or there is an endpoint field mismatch, the token is ignored
G((state == SPEED_NEG_FS) => X((mode_hs) ^ (T1_gt_3_0ms) => (next_state == RES_SUSPEND)))
If the machine is in the speed negotiation state, then in the next clock cycle, if it is in high speed mode for more than 3 ms, it will go to the suspend state
G((state == RESUME_WAIT) ^ (idle_cnt_clr) => F(state == NORMAL))
If the machine is waiting to resume operation and a counter is set, eventually (after 100 ms) it will return to normal operation
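The three properties above, run by a small finite-trace checker for G, X and F. This is an added example, not code from the talk or from the USB core; the traces are constructed here and the signal names are taken from the slide. The first property is coded as its English gloss reads (the token is not sent), which is an assumption about the intended formula, since the printed one cannot be read both ways. The truncated trace shows the usual finite-trace caveat for the F property: an eventuality that has not happened by the end of the trace is reported as a violation at the cycle where the antecedent fired.

```python
# Added example, not from the slides: a finite-trace checker for the LTL
# operators used on this slide (G, X, F), run over constructed simulation
# traces of the USB-style signals named in the properties.

def sig(name, value=1):
    """Atomic proposition: signal `name` equals `value` at cycle i."""
    return lambda tr, i: tr[i].get(name, 0) == value

def not_(p):       return lambda tr, i: not p(tr, i)
def and_(p, q):    return lambda tr, i: p(tr, i) and q(tr, i)
def or_(p, q):     return lambda tr, i: p(tr, i) or q(tr, i)
def implies(p, q): return lambda tr, i: (not p(tr, i)) or q(tr, i)
def X(p):          return lambda tr, i: i + 1 < len(tr) and p(tr, i + 1)   # no next cycle => false
def F(p):          return lambda tr, i: any(p(tr, j) for j in range(i, len(tr)))

def check_always(body, trace):
    """G(body) over a finite trace: (True, None) or (False, first failing cycle)."""
    for i in range(len(trace)):
        if not body(trace, i):
            return (False, i)
    return (True, None)

# The three properties as bodies of the outer G.  P1 follows the English gloss
# on the slide (token not sent); that reading is an assumption of this example.
P1 = implies(or_(sig('crc5err'), sig('match')), not_(sig('send_token')))
P2 = implies(sig('state', 'SPEED_NEG_FS'),
             X(implies(and_(sig('mode_hs'), sig('T1_gt_3_0ms')),
                       sig('next_state', 'RES_SUSPEND'))))
P3 = implies(and_(sig('state', 'RESUME_WAIT'), sig('idle_cnt_clr')),
             F(sig('state', 'NORMAL')))

# Constructed trace, one dict per clock cycle (absent signals read as 0).
GOOD = [
    {'state': 'SPEED_NEG_FS', 'next_state': 'SPEED_NEG_FS', 'send_token': 1},
    {'state': 'SPEED_NEG_FS', 'next_state': 'RES_SUSPEND', 'mode_hs': 1, 'T1_gt_3_0ms': 1},
    {'state': 'RES_SUSPEND',  'next_state': 'RESUME_WAIT', 'mode_hs': 0, 'T1_gt_3_0ms': 1},
    {'state': 'RESUME_WAIT',  'next_state': 'RESUME_WAIT', 'idle_cnt_clr': 1},
    {'state': 'RESUME_WAIT',  'next_state': 'NORMAL', 'crc5err': 1, 'send_token': 0},
    {'state': 'NORMAL',       'next_state': 'NORMAL', 'send_token': 1},
]
# Cut before the return to NORMAL: P3's eventuality is never discharged.
TRUNCATED = GOOD[:5]

if __name__ == "__main__":
    for name, prop in (('P1', P1), ('P2', P2), ('P3', P3)):
        print(name, check_always(prop, GOOD), check_always(prop, TRUNCATED))
```

The same property closures can be evaluated against simulation dumps in a simulation-based flow, which is the overlap between property checking and simulation that slide 2 asks about.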
15. Results on Temporal USB Properties
CPU Seconds, 450 MHz dual UltraSPARC-II with 1 GB RAM
16. Verification of Processors using Antecedent Conditioned Slicing
Verification of single-instruction issue, multi-stage pipelined processors
Antecedent conditioned slicing provides an automatic decomposition strategy
Individual “instruction machines”
■ Leverage automatic power of model checking
■ Provide a different notion of verification
Verification of RTL model of off-the-shelf processor
Verified all the instructions of the OR1200 embedded processor
17. Single Instruction Verification
[Figure: iterative flow. Start from P0 = P; for instruction i1, P1 = get_conditioned_slice(P0, <i1, e, Vh>); for each further instruction i(t+1), P(t+1) is obtained the same way, up to Pn for instruction in in h. Each antecedent conditioned slice is passed to the model checker]