Formal verification

Formal Veriﬁcation in VLSI
Dilawar Singh
Indian Institute of Technology Bombay
November 28, 2010
Dilawar Singh Formal Veriﬁcation in VLSI

About
These slides were evolved
during Testing and
Verification of VLSI
course oﬀered by Prof. M. P.
Desai at IIT Bombay. It deals
with non-technicalities of the
’formal veriﬁcation’ rather
than theories and principles.
Some comments are
unprofessionally
personal.Reader discretion is
advised. :-)
Figure: From
http://shemesh.larc.nasa.gov/images/humor-sneak-
a-peek.jpg

Formal Verification
Traditionally one discovers error in software and hardware by
testing all possible combination e.g. using simulation.1
Since VLSI systems are too large, one can test only a (tiny?)
fraction of them in practice. And this is when computer
computer runs faster than Chacha Chaudhary’s Brain.
Besides, everything runs on simulation is orders of magnitude
slower than the real hardware, so pre-silicon testing is limited.
That is why so little new design are coming out of industries.
Testing has become way too costly. Over 25% of total cost.
Formal verification is an alternative that proves
mathematically that given VLSI system will work as intended.
Testing is for fault detection.Formal Verification is fault
avoidance technique.
1
I’m done simulating; Now what?, Kantrowiz M and Noack Lisa, DEC

Exhaustiveness
In 1914, Littlewood proved that π(n) − li(n) changes sign
infinitely often, where pi(n) is the number of primes ≤ n and
li(n) =
n
0
du
ln u though first instant of sign change occurs when
n ≥ 1.39822 × 10316 discovered by Bays & Hudson (2000).
Exhaustive testing using brute force may miss some
errors which can be detected by formal verification.
Most notable example is Pentium FDIV Bug
It’s good to be paranoid while verifying.

Formal Models
Specification First of all, we need to write down how my
system should behave. Mathematical Description.
Kripke Structures.
Formal verification that aims to prove the correctness of
design with respect to a given mathematical formal
specifications.
However, checking against a reference does not mean that
reference is correct. Sanity check of the reference is required.

How hard is formal veriﬁcation
Writing out complete
proof for correctness is
like defeating Tai Lung
without a dragon scroll.
And even one has one,
not necessarily one can
use it.
Assumptions and special
cases must be made
explicit. Even for small
undertaking, this is a big
task. Figure: Stick to details and
procedures. Not everyone is gifted!

Theorem Provers
It would be great if one can prove or
even generate a proof using computer.
It will reduce the risk of mistakes and
can automate some part of it for a
large system.
Downside: People may become
dumber at a cost of smarter planet.
There are many software package
available for this purpose. A very good
list can be found here.a
a
http://www.cs.indiana.edu/formal-methods-
education/Tools/ Figure: From
http://shemesh.larc.nasa.gov/images/humor-whole-
truth.jpg

Veriﬁcation - Hardware V/S Software
In recent years, formal hardware
veriﬁcation have become very
important part of development
process. Almost all of the leading
companies use them but software
companies are still lagging. a
Why?
Probably because they can get away
with it. A faulty software does not
throw you our of business. Microsoft
Windows is still around.
Its easy to write patches for software.
Almost impossible for a hardware.
a
Formal methods : State of Art and Future
Directions, Clarke and Wing, CMU.
Figure: A faulty hardware (and
or (= xor?)) faulty software) can
make your machine life miserable.
Take care!

Combinational Comparison
One very fundamental question is whether two given
combinational circuits are equivalent for a given input
combination. For example, output of a synthesis tool modiﬁed
by a designer to reduce the gate.
Task is that optimised and unoptimised circuits are
equivalent. This can be done by verifying truth table.
Tautology checking.
Though this can be automated, but in practice, working with
truth table are tedious and ineﬃcient.

Efficient tautology checking
Tautology is NP-complete problem. One have to find
heuristics for given cases till someone gives an efficient
algorithm to solve these problems.
Divide the circuit and solve for smaller parts.
In practice, Binary Decision Diagrams are efficient. They also
give a canonical representation for a given boolean formula
with a specific variable ordering. 2
Other methods are Integer Programming, Davis-Putnam
procedures.
Symbolic simulation is also a candidate. They have been
inefficient till now.
2
Bounded Model Checking, Armien Biere et al. Advances in computers,
2003

Symbolic Trajectory Evaluation
One can write speciﬁcation in a restricted temporal logic
specifying the behavior over bounded-length trajectories
(sequence of circuit state).
One example : if the circuit satisfy the property P then after
n transition it will satisfy the property Q. E.g. if P (a counter
is reset) is true then Q (the output is n) will be true after n
transitions.
The the circuit can be checked for this speciﬁcation. If this
does not hold true then a witness will be found.

Temporal Logic Model Checking
In general, specification can be written in more general
temporal logic without the limitation of bounded
trajectories.Hardware is reduced to a state transition system in
which at every state, one checks whether a given atomic
formula holds or not.
Linear Temporal Logic (LTL) and Computation Tree Logic
(CTL) can be used to describe the behaviour.
In CTL, behaviour can be specified by quantifying both over
future and over all range of possible states transition
sequence. Kripke Structure are natural for these specification.
Since every transition system is coded up with combination of
boolean variables, BDD are used to represent them. There are
many BDD packages available. 3
For example, EGf means that there exists a paths for which f
holds in every state. A path is a sequence of possible state
transition.
3
http://vlsicad.eecs.umich.edu/BK/Slots/cache/www.itu.dk/research/buddy/index.

Example : Kripke Structure
Kripke structure K = (S, I, T, L) .
S is the set of states; I ⊆ S is the set
of initial states; T ⊆ S × S is the
transition relations and L: S → P(A)
is the labeling function, where A is the
set of atomic proposition, and P(A)
denotes the power-set of A i.e. for a
state s ∈ S the set L(s) is made of the
atomic proposition that holds in s.
S = {00, 01, 10, 11}
I = {00}
T = {(00, 01), (00, 11), (01, 00), (01, 10),
(10, 11), (10, 01), (11, 10), (11, 00), (10, 00)}
Figure: A ﬁnite State Machine!

Example : Temporal representation
Let xnext is the next state and x is the
current state of two bit vector.
Assuming that both up and down can
not be 0 at same time,
xp(0) = ¬x(0) (1)
xp(1) = x(0) x(1) (2)
xm(0) = ¬x(0) (3)
xm(1) = ¬(x(1) ¬x(0)) (4)
T(xnext, x): xnext = (up ∧ ¬down ∧ xp)(5)
∨(¬up ∧ down ∧ xm) ∨ (up ∧ down ∧ xn)(6)
f : T holds.
EGf is true. In fact for every path f is
true i.e. AGf holds.
Figure: A ﬁnite State Machine!

Model Checking
In model checking, one builds a finite model of a system and
check that a desired property holds in that system. This is
done by search exhaustively (and some times wisely), if it does
not hold and a counterexample is produced. That is its
greatest strength to able to produce and error and thus
suitable for debugging. Since model is finite, it will terminate.
It is mostly used in hardware and protocol verification.
Two approaches are genrally used in model checking,
TEMPORAL MODEL CHECKING (we have seeb them ) and
‘find and automation and compare to the specification to
determine whether or not its behaviour conforms to that
specification . For example, Language Inclusion (Har’El and
Krushan, 19941], refinement ordering [Cleaveland et all. 93],
observal equivalence [Cleaveland et all 93, Fernandez, 96, Roy
and de Simone 90].
Vardi and Wolper [1986] have shown how the temporal model
checking problem could be recast in terms of automata, thus

Theorem Proving V/s Model Checking
Two well established approach to verification are model
checking and theorem proving. Model checking is very fast
but can handle finite states.
When theorem proving fails, unlike Model Checking, it does
not produce a counter-example.
Model checking is much faster than theorem proving. But the
problem is STATE EXPLOSION. There are heuristics to
improve this though [Krushan 1994; Krushan 1994] and
semantic minimization (Elseaidy et al. 1996] to eliminate
unnecessary states from a system modeling. Using this
method one has verified 10120 reachable states.
Theorem proving can deal with infinite state space. It uses
structural induction to prove over infinite domains.

Blah Blah
The overreaching goal of formal methods is to help engineers
construct more reliable systems. A global property is broken
into local properties which are conceptually easier to handle.
Abstraction is also needed. Hardware specification can written
down in more abstract language like Esteral (good for control
engineering freaks).
Combination of mathematical theories is also a very less
explored area. One solid concepts from one discipline can find
application in another numerous fields, graph theory is one of
the most remarkable example of it.
Who can forget to include better data structures and
algorithms.
Rather than building models for some specific problem, one
can ambitiously romanticise “meta-tools” which themselves
can produce or change themselves to handle a particular
problem domain. Integration of available methods?

Tools
In the hand of a Jedi Knight a simple looking light saber is
more eﬃcient that a million dollar weapon. How to use your
available tool eﬃciently, one should learn through practice.
Anyone who have mastered vim editor will probably agree
with me.
A list of available tools are given here
http://www.cs.indiana.edu/formal-methods-
education/Tools/.

Formal verification

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Formal verification

Similar to Formal verification (20)

More from DIlawar Singh

More from DIlawar Singh (6)

Recently uploaded

Recently uploaded (20)

Formal verification