
  • Number of slides: 100

Slide 1: SoC Verification (晶片系統驗證)
Pao-Ann Hsiung (熊博安)
hpa@computer.org
http://www.cs.ccu.edu.tw/~pahsiung/
Embedded Systems Laboratory, Department of Computer Science and Information Engineering, National Chung Cheng University

Slide 2: Contents
  • Introduction (slides 3~26)
  • Formal Verification (slides 27~38)
    • Model Checking (slides 39~73)
    • Equivalence Checking (slides 74~83)
    • Verification Tools (slides 84~86)
  • Verification Example: Industrial Embedded SoC (slides 87~98)
  • Conclusion & Future Work (slides 99~100)
Pao-Ann Hsiung, CSIE, National Chung Cheng University

Slide 3: Introduction
  Year                 1998         1999         2001
  Process technology   0.25 um      0.18 um      0.15 um
  Silicon complexity   1 M gates    2~5 M gates  5~10 M gates
  (Moore's Law; Deep Sub-Micron (DSM) technology)

Slide 4: Introduction
Challenges in DSM technology for SoC:
  • Timing closure
    • Sensitive to interconnect delays
  • Large capacity
    • Hierarchical design and design reuse
  • Physical properties
    • Signal integrity (crosstalk, IR drop, power/ground bounce)
    • Design integrity (electromigration, hot electron, wire self-heating)

Slide 5: Introduction
  [figure: Design Productivity Gap, gates per chip versus gates per hour, 1990 to 2000]

Slide 6: Introduction
  [figure: Time-to-Market (TTM) Trends]

Slide 7: Introduction
Multiple design disciplines:
  • Digital HW
  • Embedded SW
  • Analog/Mixed Signal (AMS) blocks
  • Bus architectures
  • Clock / power distributions
  • Test structures

Slide 8: Introduction
  [figure: SoC Verification vs Design Gap]

Slide 9: Verification Options
  • Simulation technologies
  • Static technologies
  • Formal technologies
  • Physical verification and analysis

Slide 10: Simulation Technologies
  • Event-based simulators
  • Cycle-based simulators
  • Transaction-based simulators
  • Code coverage
  • HW/SW co-verification
  • Emulation systems
  • Rapid prototyping systems
  • Hardware accelerators
  • AMS simulation

Slide 11: Static Technologies
  • Lint checking
    • Syntactical correctness
    • Identifies simple errors
  • Static timing verification
    • Setup, hold, delay timing requirements
    • Challenging: multiple sources

Slide 12: Formal Techniques
  • Theorem proving techniques
    • Proof-based
    • Not fully automatic
  • Formal model checking
    • Model-based
    • Automatic
  • Formal equivalence checking
    • Reference design vs. modified design
    • RTL-RTL, RTL-gate, gate-gate implementations
    • No timing verification

Slide 13: Physical Verification & Analysis
Issues for physical verification:
  • Timing
  • Signal integrity
  • Crosstalk
  • IR drop
  • Electromigration
  • Power analysis
  • Process antenna effects
  • Phase shift mask
  • Optical proximity correction

Slide 14: Comparing Verification Options
  [figure: comparison table of verification options]

Slide 15: Comparing HW/SW Co-verification Options
  [figure: comparison table of HW/SW co-verification options]

Slide 16: Which is the fastest option?
  • Event-based simulation: best for asynchronous, small designs
  • Cycle-based simulation: best for medium-sized designs
  • Emulation: best for large-capacity designs
  • Formal verification: best for control-oriented designs
  • Rapid prototype: best for software development

Slide 17: SoC Verification Methodology
  • System-level verification
  • SoC hardware RTL verification
  • SoC software verification
  • Netlist verification
  • Physical verification
  • Device test

Slide 18: SoC Verification Methodology
  [figure: verification flow]

Slide 19: Verification Approaches
  • Top-down verification
  • Bottom-up verification
  • Platform-based verification
  • System interface-driven verification

Slide 20: Top-Down SoC Verification
  [figure: top-down verification flow]

Slide 21: Bottom-Up SoC Verification
  • Components, blocks, units verification
  • Memory map, internal interconnect
  • Basic functionality, external interconnect
  • System level

Slide 22: Platform-Based SoC Verification
Derivative design: interconnect verification between
  • the SoC platform
  • newly added IPs

Slide 23: System Interface-Driven SoC Verification
Besides the Design-Under-Test, all other blocks are interface models.

Slide 24: Device Test
  • To check if devices are manufactured defect-free
  • Focus on the structure of the chip
    • Wire connections
    • Gate truth tables
    • Not functionality

Slide 25: Device Test
Challenges in SoC device test:
  • Test vectors: enormous!
  • Core forms: soft, firm, hard, different tests
  • Cores: logic, memory, AMS, ...
  • Accessibility: very difficult / expensive!

Slide 26: Device Test Strategies
  • Logic BIST (Built-In Self-Test)
  • Memory BIST
    • On-chip address generator
    • Data generator
    • Read/write controller (memory test algorithm)
  • Mixed-signal BIST
    • Stimulus generators embedded
    • Response verifiers embedded
    • For AMS cores: ADC, DAC, PLL
  • Scan chain
    • Timing and structural compliance
    • ATPG tools generate manufacturing tests automatically

Slide 27: Formal Verification

Slide 28: What is Formal Verification?
  • An analytic way of proving a system correct
    • No simulation triggers, stimuli, inputs
    • No test-benches, test-vectors, test-cases
  • Formal verification methods
    • Deductive reasoning (theorem proving)
    • Model checking
    • Equivalence checking

Slide 29: Theorem Proving
  • Uses axioms and rules to prove system correctness
  • No guarantee that it will terminate
  • Difficult, time consuming: for critical applications only

Slide 30: Model Checking
  • Automatic technique to prove correctness of concurrent systems:
    • Digital circuits
    • Communication protocols
    • Real-time systems
    • Embedded systems
    • Control-oriented systems
  • Explicit algorithms for verification

Slide 31: Equivalence Checking
  • Checks if two circuits are equivalent
    • Register-Transfer Level (RTL)
    • Gate level
  • Reports differences between the two
  • Used after:
    • Clock tree synthesis
    • Scan chain insertion
    • Manual modifications

Slide 32: Why Formal Verification?
  • Simulation and test cannot handle all possible cases (only some of them)
  • Simulation and test can prove the presence of bugs, not their absence
  • Formal verification conducts an exhaustive exploration of all possible behaviors
    • If verified correct, all behaviors are verified
    • If verified incorrect, a counter-example (proof) is presented

Slide 33: Why Formal Verification Now?
  • SoC has a high system complexity
  • Simulation and test are taking unacceptable amounts of time
  • More time and effort devoted to verification (40% ~ 70%) than to design
  • Need automated verification methods for integration into the design process

Slide 34: Increased Simulation Loads
  [figure: simulation load growth]

Slide 35: Why Formal Verification Now?
Examples of undetected errors:
  • Ariane 5 rocket explosion, 1996
    • Exception occurred when converting a 64-bit floating-point number to a 16-bit integer!
  • Pentium FDIV bug
    • Multiplier table not fully verified!

Slide 36: [figure only; no caption recovered]

Slide 37: Verification Tasks for SoC
  [figure: verification tasks]

Slide 38: Property Checking vs Equivalence Checking
  [figure: property checking compared with equivalence checking]

Slide 39: Model (Property) Checking
  • Algorithmic method of verifying correctness of (finite-state) concurrent systems against temporal logic specifications
  • A practical approach to formal verification

Slide 40: Model Checking
What is necessary for model checking?
  • A mathematically precise model of the system
  • A language to state system properties
  • A method to check if the system satisfies the given properties

Slide 41: Model Checking
  • Formal model of the system: Finite State Machine (FSM)
  • Desired behavior expressed as a set of properties (specifications): Computation Tree Logic (CTL)
  • Method to check properties against the system: efficient FSM traversals

Slide 42: Formal Models of System
Any mathematically precise model that can be represented as a state transition system:
  • Finite State Machines
  • Petri Nets
  • (Timed) Automata
  • Statecharts

Slide 43: State Transition System M(S, R, L)
  • S = {s1, s2, s3}
  • R = transition relation
  • L = labelling of states with atomic propositions from {a, b, c}
  [figure: three-state Kripke structure with states s1, s2, s3 labelled from {a, b, c}]
  Kripke structure

Slide 44: Formal Model vs Verification
  • Expressive power vs verification complexity
  [figure: horizontal axis: expressive power of the modelling language, from simple to rich; vertical axis: complexity of the verification problem: PTIME, NP, PSPACE, EXPTIME, EXPSPACE, nonelementary, undecidable]
  • Find the balance point!

Slide 45: Property Specification Languages
  • Linear Temporal Logic (LTL)
  • Computation Tree Logic (CTL)
  • Timed Computation Tree Logic (TCTL)
  [figure: timing example with a 7 ms bound]

Slide 46: CTL, Computation Tree Logic
  • Path quantifiers
    • A (for all computation paths)
    • E (for some computation path)
  • Temporal operators
    • X (next time, next state)
    • F (eventually, finally)
    • G (always, globally)
    • U (until)
    • R (release, dual of U)

Slide 47: CTL Formulas
  • Temporal logic formulas are evaluated with respect to a state in the model
  • State formulas
    • Apply to a specific state
  • Path formulas
    • Apply to all states along a specific path

Slide 48: Basic CTL Formulas
  • M, s |= E X (f): there exists a next state of s in which f holds
  • M, s |= A X (f): for all next states of s, f is true
  [figure: computation trees for EX and AX]

Slide 49: Basic CTL Formulas
  • M, s |= E G (f): there exists a path from s along which f holds in every state
  • M, s |= A G (f): for all paths from s, f holds in every state, i.e., globally
  [figure: computation trees for EG and AG]

Slide 50: Basic CTL Formulas
  • M, s |= E F (f): there exists a path from s which eventually contains a state in which f holds
  • M, s |= A F (f): for all paths from s, eventually there is a state in which f holds
  [figure: computation trees for EF and AF]

Slide 51: Basic CTL Formulas
  • M, s |= E (f U g): there exists a path from s which contains a state in which g holds and in all previous states f holds
  • E F (f) = E (true U f)
  • A F (f) = A (true U f)
  [figure: computation tree for E(f U g)]

Slide 52: Basic CTL Formulas
  • Full set of operators
    • Boolean: ¬, ∧, ∨, →
    • Temporal: E, A, X, F, G, U, R
  • Minimal set of operators (to express any CTL formula)
    • Boolean: ¬, ∧
    • Temporal: E, X, U

Slide 53: Typical CTL Formulas
  • E F (start ∧ ¬ready): eventually a state is reached where start holds and ready does not hold
  • A G (req → A F ack): any time a request occurs, it will eventually be acknowledged
  • A G (E F restart): from any state it is possible to get to the restart state

Slide 54: TCTL (Timed CTL)
  • A G (req → A F~7 ack)
  • Time constraint:
    • Subscript "~ c" is added to CTL formulas
    • ~ ∈ {<, ≤, =, ≥, >}
    • c is an integer

Slide 55: TCTL Example
  [figure: timed automaton with locations Monitor, Hit and Correct, clocks x and z]
  • x := 0; z := 0: x and z are set to zero when the system starts; x and z are real-valued system clocks
  • Timing constraints: x < 500 ms; z = 50 ms (a second bound on z at 50 ms lost its comparison operator in extraction)
  • z is reset to zero (z := 0) in every monitoring cycle
  • Property: M, Monitor |= E F<300 (Hit)

Slide 56: Model Checking, the Problem
Given:
  • a structure M(S, R, L) and
  • a temporal logic formula f,
find the set of states that satisfy f: {s ∈ S : M, s |= f}

Slide 57: Model Checking, Explicit Algorithm
  • Label each state s with the set label(s) = {sub-formulas of f which hold in s}
  • i = 0; label(s) = L(s)
  • i = i + 1; process formulas with (i − 1) nested CTL operators; add processed formulas to label(s); continue until closure
  • Result: M, s |= f iff f ∈ label(s)

Slide 58: Explicit Model Checking
  • E F (g ∧ h)
  • T1 = states in which g and h are true
  • T2 = complement of T1
  • T3 = predecessor states of T2

Slide 59: Traffic Light Controller
  [figure: Kripke structure of the controller for a farm road and a city road; states G1R2, Y1R2, R1G2, R1Y2; transition conditions C'+T', C·T, C'+T, C·T'; S = Sensor, T = Timer]

Slide 60: Traffic Light Controller
  [figure: state graph (computation tree) unrolled from G1R2: G1R2 → G1R2 | Y1R2; Y1R2 → R1G2; R1G2 → R1G2 | R1Y2; R1Y2 → G1R2]

Slide 61: Traffic Light Controller, Model Checking Tasks
  • Safety condition: no green lights on both roads at the same time
    • A G ¬(G1 ∧ G2)
  • Fairness condition: eventually one road has a green light
    • E F (G1 ∨ G2)

Slide 62: Traffic Light Controller, Checking Safety Condition
  • A G ¬(G1 ∧ G2) ≡ ¬ E F (G1 ∧ G2)
  • S(G1 ∧ G2) = S(G1) ∩ S(G2) = {1} ∩ {3} = ∅
  • S(EF(G1 ∧ G2)) = ∅
  • S(¬EF(G1 ∧ G2)) = {1, 2, 3, 4}
  • Safety condition is true!
  [figure: Kripke structure with states 1 = G1R2, 2 = Y1R2, 3 = R1G2, 4 = R1Y2 and transitions 1→1 (C'+T'), 1→2 (C·T), 2→3, 3→3 (C·T'), 3→4 (C'+T), 4→1]

Slide 63: Traffic Light Controller, Checking Fairness Condition
  • E F (G1 ∨ G2) ≡ E(true U (G1 ∨ G2))
  • S(G1 ∨ G2) = S(G1) ∪ S(G2) = {1} ∪ {3} = {1, 3}
  • S(EF(G1 ∨ G2)) = {1, 2, 3, 4} (going backward from {1, 3}, find predecessors: 4 and 1 precede 1, 2 and 3 precede 3, then 3 precedes 4 and 1 precedes 2)
  • Fairness condition satisfied!
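The backward set computations on slides 56 to 63 are short enough to run as code. The following is an added example, not part of the original slides: a small explicit-state CTL checker in Python that computes EX, E(f U g) and EG as set fixpoints over a Kripke structure and derives AX, AG, AF and EF from them, then evaluates the safety and fairness properties of the traffic light controller (states 1 = G1R2, 2 = Y1R2, 3 = R1G2, 4 = R1Y2 and the transitions of the figure on slide 62). The class and function names (`Kripke`, `sat`, `holds`, `vacuity_check`) are my own; the tuple encoding of formulas is an assumption of this example. It also shows two things the slides only state: that A F (G2) fails from state 1 because the self-loop lets the timer never expire (the reason fairness constraints are needed), and that a property of the form A G (p → A X q) passes vacuously when p never occurs.

```python
"""Explicit-state CTL model checking on the traffic light controller (added example)."""


class Kripke:
    """Finite Kripke structure M(S, R, L): states, transition relation, labelling."""

    def __init__(self, states, transitions, labels):
        self.states = frozenset(states)
        self.succ = {s: set() for s in states}
        self.pred = {s: set() for s in states}
        for a, b in transitions:
            self.succ[a].add(b)
            self.pred[b].add(a)
        self.labels = {s: frozenset(labels[s]) for s in states}

    def ex(self, t):
        """EX t: states with at least one successor in t."""
        return {s for s in self.states if self.succ[s] & t}

    def eu(self, f, g):
        """E(f U g): least fixpoint, grown backwards from g through f-states."""
        result, frontier = set(g), set(g)
        while frontier:
            frontier = {p for s in frontier for p in self.pred[s]
                        if p in f and p not in result}
            result |= frontier
        return result

    def eg(self, f):
        """EG f: greatest fixpoint, drop f-states that cannot stay inside f."""
        result = set(f)
        while True:
            kept = {s for s in result if self.succ[s] & result}
            if kept == result:
                return result
            result = kept


def sat(m, phi):
    """Set of states of m satisfying the CTL formula phi (nested tuples)."""
    op = phi[0]
    if op == "true":
        return set(m.states)
    if op == "atom":
        return {s for s in m.states if phi[1] in m.labels[s]}
    if op == "not":
        return set(m.states) - sat(m, phi[1])
    if op == "and":
        return sat(m, phi[1]) & sat(m, phi[2])
    if op == "or":
        return sat(m, phi[1]) | sat(m, phi[2])
    if op == "implies":
        return sat(m, ("or", ("not", phi[1]), phi[2]))
    # EX, EU and EG are computed directly; the other operators are rewritten into them
    if op == "EX":
        return m.ex(sat(m, phi[1]))
    if op == "EU":
        return m.eu(sat(m, phi[1]), sat(m, phi[2]))
    if op == "EG":
        return m.eg(sat(m, phi[1]))
    if op == "EF":  # EF f = E(true U f)
        return sat(m, ("EU", ("true",), phi[1]))
    if op == "AX":  # AX f = not EX not f
        return sat(m, ("not", ("EX", ("not", phi[1]))))
    if op == "AG":  # AG f = not EF not f
        return sat(m, ("not", ("EF", ("not", phi[1]))))
    if op == "AF":  # AF f = not EG not f
        return sat(m, ("not", ("EG", ("not", phi[1]))))
    raise ValueError(f"unknown operator {op}")


# Traffic light controller: 1 = G1R2, 2 = Y1R2, 3 = R1G2, 4 = R1Y2 (transitions as on slide 62).
TRAFFIC = Kripke(
    states=[1, 2, 3, 4],
    transitions=[(1, 1), (1, 2), (2, 3), (3, 3), (3, 4), (4, 1)],
    labels={1: {"G1", "R2"}, 2: {"Y1", "R2"}, 3: {"R1", "G2"}, 4: {"R1", "Y2"}},
)
G1, G2, Y1, R1 = (("atom", p) for p in ("G1", "G2", "Y1", "R1"))
SAFETY = ("AG", ("not", ("and", G1, G2)))   # no green on both roads at once
FAIRNESS = ("EF", ("or", G1, G2))           # eventually one road gets green


def holds(m, phi, initial=1):
    """M, initial |= phi."""
    return initial in sat(m, phi)


def vacuity_check(m, p, q, initial=1):
    """Check AG(p -> AX q) and whether p occurs at all.

    Returns (property holds, p reachable). (True, False) means the property
    passed only vacuously: AG(not p) is true, so AX q was never exercised.
    """
    prop = ("AG", ("implies", p, ("AX", q)))
    p_reachable = not holds(m, ("AG", ("not", p)), initial)
    return holds(m, prop, initial), p_reachable
```

`sat(TRAFFIC, SAFETY)` and `sat(TRAFFIC, FAIRNESS)` both return {1, 2, 3, 4}, reproducing slides 62 and 63; `sat(TRAFFIC, ("AF", G2))` returns only {2, 3}, so A F (G2) is false at the initial state until a fairness constraint rules out staying in state 1 forever.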

Slide 64: Symbolic Model Checking
  • Symbolic
    • Operates on "sets of states" rather than individual states
    • Uses BDDs for efficient representation
  • Represent Kripke structures
  • Manipulate Boolean formulas

Slide 65: Binary Decision Diagram (BDD)
  • BDD: a canonical form of representation for Boolean formulas
  • Motivation:
    • Too much space redundancy in traditional representations
    • BDD is more compact than truth tables, conjunctive normal form, disjunctive normal form, binary decision trees, etc.
    • Ordered BDD has a canonical form
    • BDD operations are efficient

Slide 66: BDD vs Binary Decision Trees
  [figure: 2-bit comparator as a binary decision tree and as a BDD with order a1 < b1 < a2 < b2]

Slide 67: Ordered BDD (OBDD)
  • Since OBDDs are canonical, it is easy to:
    • Check equivalence = check BDD isomorphism
    • Check satisfiability = check BDD isomorphism with OBDD(0)
  • Size of OBDD depends critically on VARIABLE ORDERING!!!
  • 2-bit comparator example: change the variable order to a1 < a2 < b1 < b2: 11 vertices instead of 8 for a1 < b1 < a2 < b2

Slide 68: OBDD (Variable Ordering)
  [figure: 2-bit comparator BDD with order a1 < a2 < b1 < b2]
  • In general, for an n-bit comparator:
    • a1 < b1 < ... < an < bn gives 3n + 2 vertices
    • a1 < ... < an < b1 < ... < bn gives 3·2^n − 1 vertices

Slide 69: BDD: Application to Verification
  • Equivalence of combinational circuits
  • Canonicity property of BDDs: if F and G are equivalent, their BDDs are identical (for the same variable ordering)
  • F = a'bc + ab'c, G = ac + bc: equivalent?
  [figure: BDDs of F and G over a, b, c]

Slide 70: BDD: Application to Verification
  • Functional test generation
    • SAT, Boolean satisfiability analysis
    • Test for H = 1 (0): find a path in the BDD to terminal 1 (0)
    • The path, expressed in the function variables, gives a satisfying solution (test vector)
  [figure: BDD with paths ab and ab'c to terminal 1]

Slide 71: Model Checking Issues, Completeness
  • Model checking is effective for a given property
  • Impossible to guarantee that the specification covers all properties the system should satisfy
  • Writing the specification is the responsibility of the user

Slide 72: Model Checking Issues, Negative Results
  • Incorrect model
  • Incorrect specification (false negative)
  • Failure to complete the check (too large)

Slide 73: Model Checking Issues, Capacity
  • State-space explosion occurs for complex systems
  • So, what is the use of model checking for SoC?
  • Use model checking as a complementary technique, in addition to simulation, testing, emulation, etc.

Slide 74: Equivalence Checking
  • Compares an implementation to an existing RTL or gate-level description for functional equivalence
    • RTL vs. synthesized gate-level implementation
    • Gate-level design vs. revised gate-level design
  • Uses BDDs, a canonical representation of logic functions
    • BDDs can grow exponentially with the number of inputs
    • Depends on variable ordering

Slide 75: Equivalence Checking
  • Features:
    • No vectors or testbench required
    • Capacity to handle large designs
    • Eliminates gate-level simulation
    • Reduces time-to-market

Slide 76: Equivalence Checking
  • Equivalence checkers are used in:
    • RTL-to-RTL
    • RTL-to-Netlist
    • Netlist-to-Netlist: some optimizations in the netlist, like:
      • CTS-inserted netlist
      • Scan-chain-inserted netlist
      • Post-layout netlist
      • ...

Slide 77: Equivalence Checking
  • Two circuits are functionally equivalent if they exhibit the same behavior
  • Combinational circuits: for all possible input values
  • Sequential circuits: for all possible input sequences
  [figure: sequential circuit as combinational logic CL with primary inputs Pi, primary outputs Po, present state Ps, next state Ns and registers R]

Slide 78: Combinational Equivalence Checking
  • Functional approach
    • Transform output functions into BDDs
    • 2 circuits are equivalent if their BDDs are identical
  • Structural approach
    • Identify structurally similar internal points
    • Prove internal points (cut-points) equivalent

Slide 79: Functional Equivalence
  • BDDs of output functions must be identical (using the same variable ordering) for functional equivalence
  • If BDDs are too large
    • Cannot construct BDD, memory problem
    • Use partitioned BDD method
      • Decompose circuit into smaller pieces
      • Represent each piece as a BDD
      • Check equivalence of internal points

Slide 80: Functional Decomposition
  • Decompose each function into functional blocks
    • Represent each block as a BDD
    • Define cut-points (z)
    • Verify equivalence of blocks at cut-points starting at primary inputs
  [figure: F = f2(z), z = f1(x, y) and G = g2(z), z = g1(x, y) sharing cut-point z]

Slide 81: Cut-Points Resolution
  • All pairs of cut-points are equivalent
  • If intermediate functions f2, g2 are not equivalent, functions F and G may still be equivalent (FALSE NEGATIVE)
  • How to check a false negative?
    • XOR(F, G)
    • BDD for F ⊕ G
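The BDD material on slides 65 to 70 and its use for equivalence checking on slides 74 to 81 can be made concrete with a few dozen lines. The following is an added example, not code from the slides: a minimal reduced ordered BDD in Python, built by Shannon expansion along a fixed variable ordering with a unique table, so that two functions over the same ordering get the same node id exactly when they are equal. It reproduces the 8 versus 11 vertex counts of slide 67 for the 2-bit comparator, checks the F = a'bc + ab'c versus G = ac + bc question of slide 69, extracts a test vector by walking to terminal 1 (slide 70), and applies the XOR(F, G) check of slide 81 to find an input on which two functions differ. The class and helper names (`ROBDD`, `comparator_sizes`, `equivalence_check`, `distinguishing_vector`) and the rewritten function `F_rewritten` are constructed for this example.

```python
"""Reduced ordered BDDs for comparator sizing and equivalence checking (added example)."""


class ROBDD:
    """ROBDD with a unique table: equal functions over one ordering share one node id."""

    ZERO, ONE = 0, 1  # terminal vertices

    def __init__(self, order):
        self.order = list(order)       # variable ordering, e.g. ["a1", "b1", "a2", "b2"]
        self.unique = {}               # (var index, low, high) -> node id
        self.table = [None, None]      # node id -> (var index, low, high); ids 0, 1 are terminals

    def mk(self, i, low, high):
        """Create or reuse the vertex testing order[i]; a redundant test is dropped."""
        if low == high:
            return low
        key = (i, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def build(self, func, i=0, env=None):
        """ROBDD of func(env) by Shannon expansion along the ordering (env maps var -> 0/1)."""
        env = {} if env is None else env
        if i == len(self.order):
            return self.ONE if func(env) else self.ZERO
        var = self.order[i]
        low = self.build(func, i + 1, {**env, var: 0})
        high = self.build(func, i + 1, {**env, var: 1})
        return self.mk(i, low, high)

    def size(self, root):
        """Vertices reachable from root, terminals included (the counts quoted on slide 67)."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if n > self.ONE:
                _, low, high = self.table[n]
                stack.extend((low, high))
        return len(seen)

    def satisfying_assignment(self, root):
        """Walk one path to terminal 1 and return it as a test vector; None if constant 0."""
        if root == self.ZERO:
            return None
        path, n = {}, root
        while n > self.ONE:
            i, low, high = self.table[n]
            # in a reduced BDD every non-zero child still reaches terminal 1
            bit = 0 if low != self.ZERO else 1
            path[self.order[i]] = bit
            n = low if bit == 0 else high
        return path


def comparator(e):
    """2-bit equality comparator of slide 66: (a1 == b1) and (a2 == b2)."""
    return e["a1"] == e["b1"] and e["a2"] == e["b2"]


def comparator_sizes():
    """ROBDD size of the comparator under the two orderings discussed on slide 67."""
    sizes = {}
    for order in (("a1", "b1", "a2", "b2"), ("a1", "a2", "b1", "b2")):
        bdd = ROBDD(order)
        sizes[order] = bdd.size(bdd.build(comparator))
    return sizes


def F(e):  # F = a'bc + ab'c (slide 69)
    return (not e["a"] and e["b"] and e["c"]) or (e["a"] and not e["b"] and e["c"])


def G(e):  # G = ac + bc (slide 69)
    return (e["a"] and e["c"]) or (e["b"] and e["c"])


def F_rewritten(e):  # c * (a xor b): an algebraic rewrite of F, constructed for this example
    return e["c"] and e["a"] != e["b"]


def equivalence_check(order=("a", "b", "c")):
    """Canonicity: with one ordering and one unique table, equal ids <=> equal functions."""
    bdd = ROBDD(order)
    f, g, h = bdd.build(F), bdd.build(G), bdd.build(F_rewritten)
    return {"F==G": f == g, "F==F_rewritten": f == h}


def distinguishing_vector(fa, fb, order=("a", "b", "c")):
    """Slide 81: the BDD of fa xor fb is non-zero iff they differ; a path to 1 is a witness."""
    bdd = ROBDD(order)
    return bdd.satisfying_assignment(bdd.build(lambda e: bool(fa(e)) != bool(fb(e))))
```

`comparator_sizes()` returns 8 vertices for a1 < b1 < a2 < b2 and 11 for a1 < a2 < b1 < b2, matching 3n + 2 and 3·2^n − 1 for n = 2; `distinguishing_vector(F, G)` returns a = b = c = 1, the one input on which F and G disagree, while `distinguishing_vector(F, F_rewritten)` returns None because the XOR is the constant 0.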

Slide 82: Structural Equivalence
  • Given 2 circuits, each with its own structure
    • Identify "similar" internal points, cut sets
    • Exploit internal equivalences
  • False negative problem may arise
    • F ≡ G, but they differ structurally
    • Verification algorithm declares F, G different
  • Remedies
    • Implication techniques
    • Learning techniques

Slide 83: Sequential Equivalence Checking
  • Represent each sequential circuit as an FSM
  • Verify if the two FSMs are equivalent
  • Approaches:
    • Reduction to combinational circuit
    • Isomorphism of state graphs
    • Symbolic FSM traversal of the product machine

Slide 84: Formal Verification Tools
  • Model checkers
  • Equivalence checkers
  • Academic research tools
  • Commercial verification tools
  • Formal tools
  • Semi-formal tools

Slide 85: Academic Tools
  Tool                   Institute
  SMV                    CMU
  MOCHA, VIS, HyTech     UC Berkeley
  STeP                   Stanford
  SGM                    CCU & Sinica
  RED                    Academia Sinica
  UPPAAL                 Uppsala & Aalborg Universities
  KRONOS                 Verimag

Slide 86: Commercial Tools
  Tool                     Company
  FormalCheck              Cadence
  Formal Model Checker     Avant!
  Formality                Synopsys
  FormalPro                Mentor Graphics
  BlackTie, Conformal LEC  Verplex Systems

Slide 87: Example: Formal Verification of SoC
  • Industrial embedded SoC product
  • Korea Samsung Electronics S3C2400X
  • ARM920T processor
  • 16 function modules (IPs)
    • Reused IPs: UART, I2S, ...
    • Newly designed IPs: bus controllers, DMA, ...
    • Newly bought IPs: USB host controller

Slide 88: S3C2400X SoC
  [figure: block diagram of the S3C2400X]

Slide 89: Formal Verification Methodology for SoC
  [figure: formal verification flow]

Slide 90: Model Checker
Cadence SMV (Symbolic Model Verifier)
  • Many success stories!!!
  • Supports SMVL and Verilog (with vl2smv)
  • Problem size reduction:
    • scalarset data type for symmetry reduction
    • ordset data type for induction
    • subclass structure for case-splitting
    • layer structure for compositional assume-guarantee verification

Slide 91: Modeling Problems
  • SMV supports only 1 implicit clock
  • Issues in modeling in SMVL:
    • Multiple clocks
    • Gated clocks
    • Unsynchronized clocks
    • Synchronization logic

Slide 92: General Strategy for Module Verification
  1) Define what to verify for a module.
  2) Construct the environment required for verifying each property.
  3) Transform each property to CTL.
  4) Check coverage of the CTL properties over the RTL code.

Slide 93: Vacuous Property Checking
  • A G (p → A X (q))
  • If p does not occur, we cannot check AX(q) at all; the model checker says it is verified as true.
  • We should check that p occurs at least once, i.e., that A G (¬p) is false!

Slide 94: Fairness Constraint
  • The correctness of a module depends not only on the environment, but also on some specific behavior of the environment
  • This specific behavior is modeled as fairness constraints (input restrictions)
  • Also called assumptions in assume-guarantee reasoning

Slide 95: Reduction of Address Bus and Data Bus
  • Traditional approach:
    • Abstraction: 32-bit wide bus → 1-bit or 2-bit wide
    • Not used in this SoC, because the full data bus and a partial address bus are used to access CRs (configuration registers)

Slide 96: Reduction of Address Bus and Data Bus
  • Different approach:
    • Divide the verification task into 2 parts:
      • CR accessing logic
      • Normal operation logic
    • 2 different environments
    • 2 different property groups

Slide 97: Modules Verified
  Module        CTL properties                     State variables   Time (min)
  AHB arbiter   27, 38                             90, 80            50
  Bridge        61                                 50                5
  DMA           67                                 100               440
  USB Host      102+4+5 (mw), 36+4+2 (mr)          N/A               9 h, 43 h; 2 h, 6 h

Slide 98: Discussions on Example
  • Incremental design and verification
  • Early stage of design: helps find real design errors
  • Later stage of design: helps find model and property errors
  • Design and verification time reduced

Slide 99: Conclusions
  • Formal verification of SoC is definitely required! But it should be used in conjunction with other verification techniques.
  • The capacity of formal verification must be enlarged for its widespread adoption
  • Techniques required:
    • Design abstraction
    • Verification partitioning

Slide 100: Future Work
  • Automatic abstraction & partitioning
  • Incorporation of assertion languages:
    • Assume-Guarantee Reasoning (AGR)
    • Verplex's OVL
    • Intel's ForSpec
    • etc.
  • Language wars!!!
  • IP = Verilog + OVL + AGR
  • Hierarchical verification of SoC based on OVL + AGR