Post on 18-Dec-2015
Confidential © 2001 Prover Technology, Inc.
3 Agenda
• About Prover Technology
• Introduction to ASIC/FPGA flows
• Equivalence Checking basics
• Issues with Equivalence Checking
• eCheck Tutorial
• eCheck Demo
4 Prover Technology in Brief
• Founded 1989
• 25 employees
• 3 offices
  - Stockholm, Sweden (HQ)
  - Toulouse, France
  - Palo Alto, US
• Funded by MVI, Intel Capital etc.
• Main markets: formal verification for EDA and CASE
5 Prover Technology’s Missions
1. Provide core technology for formal verification
   - Key advantage: speed and capacity
2. Help with efficient and correct modelling of user problems
3. Develop complete end-user tools
6 Three ways to build a tool
Prover provides the proof engine
• Intel
• Esterel Tech. Esterel Studio
• iLogix/OSC Statemate
• Xilinx Coregen
[Diagram: Design Specification → Translator → Internal Model representation → Interfaces → Proof Engine]
7 Three ways to build a tool
Prover provides the proof engine and the modelling
• Volvo Sequence diagrams
• Esterel SCADE
• Bombardier SVT
[Diagram: Design Specification → Translator → Internal Model representation → Interfaces → Proof Engine]
8 Three ways to build a tool
Prover builds the complete tool
• Ericsson FABulous
• eCheck Equivalence checker
• sCheck Sequential Equivalence checker
• mCheck Model checker
[Diagram: Design Specification → Translator → Internal Model representation → Interfaces → Proof Engine]
10 ASIC development
Application Specific Integrated Circuits
Used in applications with constraints on
• Speed
• Size
• Low power consumption
• Cost per unit in mass production
• One chip, self-contained
• >1 million gates
Used in: consumer electronics, high-speed processing, safety-critical systems
11 FPGA development
Field Programmable Gate Arrays
Configurable/re-programmable circuits, used in applications where
• Circuits may need to be changed
• Speed is less important
• Cost per unit for small quantities is important
• Size of chip is less important
• <1 million gates
Used in: prototypes for testing, space/weapons industry, etc.
12 First: Focus on FV in ASIC flow
• ASIC flow much more complicated
  - Several steps from idea to silicon
  - Cost of mistakes often very expensive
• ASIC: main interest in RTL-gate and gate-gate comparison
• FPGA: increasing interest in RTL-RTL comparison
13 ASIC Development Flow
• The design is described in VHDL or Verilog at a high level, and then refined to a low-level representation
  - Often in the same language
  - Much like compiling C to "assembly C"
• In FV, we disregard the physical constraints (timing, area, power consumption), which are often the reason for the modifications
14 ASIC Refinement Steps
• Architectural and behavioural model
• Refine into Register-Transfer Level (RTL)
• Design For Test insertion (DFT)
  - BIST, scan, JTAG
• Synthesis down to gates (netlist)
• Optimisation
• Scan-chain hook-up
• Place & route
• Clock-tree insertion
• Engineering Change Order (ECO)
15 Verifying an ASIC flow
[Diagram: example ASIC flow. Authoring (RTL) → Synthesis (Gates) → Chip Optimization → Clock Insertion → Test Insertion, with FV (equivalence check) steps between the stages]
Goals:
• Input two circuit descriptions (RTL or gate level)
• Automated analysis and results: errors identified or proven not to exist
• 100% coverage
16 Equivalence Check Advantages
Simulation/testing can be reused
• Your RTL is simulated and tested, but then you modify it: is it still correct?
Easy to test new modifications
• Change clock frequency, modify placement, change RTL, etc.
One Golden Reference Model
• Equivalent to all stages in the design flow, down to the final chip
17 eCheck advantages
No more functional gate-level simulation
Modify your RTL freely without risk of introducing new bugs
Reuse your verification and testing
18 Equivalence Checking Basics
• Check modifications in two HDL files
  - Size: up to 10 million gates each!
  - A wide range of programs is often used to create the HDL
  - Many small changes, but similar structure
• Equivalence Checking challenge:
  - Partition the problem without (too much) loss of generality
  - Model the HDL so as to validate as many modifications as possible
19 Simple Representation of HDL
For EC, the HDL can be compiled into the following primitives
• Logical gates (and, or, xor, not, ...)
• A full-adder and a mux
• A flip-flop with asynchronous set/reset
• A latch
• Blackbox primitives
• A tristate gate
20 Two Approaches to EC
Sequential Equivalence Check
• Model check: for all sequences of inputs, the circuits behave the same
• Can compare completely dissimilar circuits
• Severely limited by the size of the circuit
Combinational Equivalence Check
• Check that all flip-flops are driven by equivalent logic
• Can only compare circuits with similar state structure
• Much less sensitive to the size of the circuit
22 Combinational Equivalence
• Find a mapping between compare points
  - Flip-flops, latches, blackbox inputs, outputs
• Prove the "logical cones" (the combinational logic driving each pair of mapped compare points) equivalent
24 Consistency
Consistency can be proven:
• If all compare points in the two circuits are driven by equivalent logic, the two circuits are equivalent (a sufficient condition)
The opposite is NOT true:
• If a compare point is driven by different logic in the two circuits, the two circuits may still be equivalent (the condition is not necessary)
• "False negative", a weakness of combinational equivalence checking
25 Issues
• Tristate logic
• Don't cares
• State encoding
• Retiming
• Sequential propagation
• Combinational loops
• Hierarchical comparison
• Mapping
• Debugging
26 Tristate logic
Four-valued logic: 0, 1, X, Z
• X – don't care
  - Implicit from RTL (incomplete case statements, undriven nets)
  - Explicit from user
• Z – high impedance
  - Implicit, e.g. multiple drivers
  - Explicit, e.g. tristate buffers
Problems for equivalence checkers
• Synthesis tools instantiate X as they see fit, so an X in the reference must be allowed to match any value in the implementation
• Performance
• Makes post-synthesis vs post-synthesis comparison impossible in some cases: two netlists that resolved the same X differently are both correct refinements of the RTL but are not equivalent to each other
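The X handling described on this slide, as an added example that is not code from the slides or from eCheck. The RTL function, the two synthesis results, the 3-valued encoding and the bus resolver are all constructed for illustration:

```python
"""X (don't care) semantics in equivalence checking (constructed example)."""
from itertools import product

X, Z = "X", "Z"   # don't care / high impedance, alongside the bits 0 and 1


def rtl(sel):
    """RTL reference: a case statement over a 2-bit one-hot select. The codes
    0b00 and 0b11 are not one-hot and are left as X (don't care)."""
    return {0b01: 0, 0b10: 1}.get(sel, X)


# Two legal synthesis results: each picks a concrete value wherever the RTL
# says X, but they pick differently.
def synth_a(sel):
    return sel >> 1            # 00->0, 01->0, 10->1, 11->1


def synth_b(sel):
    return (sel & 1) ^ 1       # 00->1, 01->0, 10->1, 11->0


def synth_bad(sel):
    return sel & 1             # wrong where the RTL *is* defined: 01->1, 10->0


def mismatches(ref, impl, width, x_is_dont_care=True):
    """Exhaustive compare of two single-output functions over `width` input
    bits; returns the input values on which they disagree.

    x_is_dont_care=True : an X from `ref` matches anything (the implementation
                          is free to choose), i.e. RTL-vs-gates semantics.
    x_is_dont_care=False: X is a fourth literal value that only equals X
                          (strict 4-valued compare)."""
    bad = []
    for bits in product((0, 1), repeat=width):
        v = int("".join(map(str, bits)), 2)
        r, i = ref(v), impl(v)
        if r == X and x_is_dont_care:
            continue
        if r != i:
            bad.append(v)
    return bad


def resolve(drivers):
    """Resolution of a shared net with several tristate drivers:
    all Z -> Z, exactly one active driver -> its value, conflict -> X."""
    active = {d for d in drivers if d != Z}
    if not active:
        return Z
    return active.pop() if len(active) == 1 else X
```

Against the RTL, both `synth_a` and `synth_b` pass once X is treated as a don't care, and `synth_bad` is caught where the RTL is defined; compared against each other, the two correct netlists disagree on exactly the inputs the RTL left as X, which is the post-synthesis vs post-synthesis problem the slide mentions. The practical consequence is to compare each netlist against the golden RTL rather than netlist against netlist.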
27 State encoding
The user has described state machines but left the encoding open
• Binary, one-hot, Gray, ...
• VHDL more explicit compared to Verilog
• Synthesis tools are aggressive to meet constraints
  - One-hot registers give less load on the registers => faster and less power consumption
Equivalence checkers need to deduce the encoding
• Need a perfect match in state structure
28 Retiming
To meet constraints, several things may be needed:
• Reduce the logic between registers so that the flip-flops can be clocked faster
  - Duplication of registers
  - Negations pushed through registers
  - Other retiming/pipelining
• Again, EC needs a perfect match between state elements
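The two approaches from the "Two Approaches to EC" slide, the false negative from the "Consistency" slide and the negation-through-a-register case from this slide, in one added example that is not code from the slides or from eCheck. The netlist format, net names and both circuits are constructed: GOLD is a one-bit load-enable register, IMPL is the same function after the output inverter has been pushed through the flip-flop, so the register holds the complement of GOLD's (inverted reset value, inverted D logic, output inverted back).

```python
"""Combinational vs. sequential equivalence on two tiny gate-level netlists
(constructed example). GOLD: q' = en ? d : q, out = q. IMPL: same behaviour,
but the register stores ~GOLD.q."""
from itertools import product

# net -> (op, operands...). 'in' = primary input; ('dff', d_net, reset) = flop.
GOLD = {
    "d": ("in",), "en": ("in",),
    "q": ("dff", "q_next", 0),
    "q_next": ("mux", "en", "q", "d"),    # en ? d : q
    "out": ("buf", "q"),
}
IMPL = {
    "d": ("in",), "en": ("in",),
    "nd": ("not", "d"),
    "q": ("dff", "q_next", 1),            # holds ~GOLD.q, so reset 0 -> 1
    "q_next": ("mux", "en", "q", "nd"),   # en ? ~d : q
    "out": ("not", "q"),
}
OPS = {"buf": lambda a: a, "not": lambda a: 1 - a, "and": lambda a, b: a & b,
       "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b,
       "mux": lambda s, a, b: b if s else a}


def inputs(net):
    return sorted(n for n, g in net.items() if g[0] == "in")


def flops(net):
    return sorted(n for n, g in net.items() if g[0] == "dff")


def evaluate(net, boundary):
    """Evaluate every net from values at the cone boundaries (inputs, flops)."""
    vals = dict(boundary)

    def ev(n):
        if n not in vals:
            op, *args = net[n]
            if op in ("in", "dff"):
                raise KeyError(f"no value for boundary net {n}")
            vals[n] = OPS[op](*map(ev, args))
        return vals[n]

    for n in net:
        ev(n)
    return vals


def comb_check(gold, impl, mapping, outputs):
    """Combinational EC: for every boundary assignment, each mapped pair of
    cones (flop D inputs and outputs) must agree modulo the declared inversion.
    mapping: gold point -> (impl point, inverted). Returns {point: counterexample}."""
    pins, gf = inputs(gold), flops(gold)
    fails = {}
    for bits in product((0, 1), repeat=len(pins) + len(gf)):
        gv = dict(zip(pins + gf, bits))
        iv = {p: gv[p] for p in pins}
        for g in gf:                                  # same state, via mapping
            i, inv = mapping[g]
            iv[i] = gv[g] ^ inv
        ge, ie = evaluate(gold, gv), evaluate(impl, iv)
        for g in gf + outputs:
            i, inv = mapping[g]
            g_net = gold[g][1] if gold[g][0] == "dff" else g
            i_net = impl[i][1] if impl[i][0] == "dff" else i
            if ge[g_net] != ie[i_net] ^ inv:
                fails.setdefault(g, gv)
    return fails


def seq_check(gold, impl, outputs):
    """Sequential EC by explicit reachability of the product machine from reset:
    equivalent iff no reachable product state gives different outputs. Needs no
    point mapping, but enumerates states (hence the size limit on the slide)."""
    pins, gf, if_ = inputs(gold), flops(gold), flops(impl)
    start = (tuple(gold[f][2] for f in gf), tuple(impl[f][2] for f in if_))
    seen, frontier = {start}, [start]
    while frontier:
        nxt = []
        for gs, is_ in frontier:
            for bits in product((0, 1), repeat=len(pins)):
                gv = dict(zip(pins, bits), **dict(zip(gf, gs)))
                iv = dict(zip(pins, bits), **dict(zip(if_, is_)))
                ge, ie = evaluate(gold, gv), evaluate(impl, iv)
                if any(ge[o] != ie[o] for o in outputs):
                    return False, (gs, is_, dict(zip(pins, bits)))
                s = (tuple(ge[gold[f][1]] for f in gf),
                     tuple(ie[impl[f][1]] for f in if_))
                if s not in seen:
                    seen.add(s)
                    nxt.append(s)
        frontier = nxt
    return True, sorted(seen)
```

With the naive mapping `{"q": ("q", 0), "out": ("out", 0)}` the combinational check reports both compare points as failing and hands back a test vector for each; this is the false negative, since the sequential check from reset proves the two designs produce identical outputs on every input sequence. Re-running the combinational check with the mapping `{"q": ("q", 1), ...}`, i.e. telling the checker that the implementation register is the inverse of the golden one, makes it pass, which is what a tool's "negation pushed through flip-flops" support amounts to. The combinational check ignores reset values; a reset mismatch (try IMPL with reset 0) is only caught by the sequential check or by a separate reset-state comparison.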
29 Sequential Propagation
Test logic may be inserted that should not affect behaviour when TEST=0
• TEST=0 often needs several clock cycles to reset the test circuitry
• The equivalence checker needs to propagate this through registers to "realize" that the test registers can be removed
30 Combinational Loops
Combinational loops are inserted as feedback loops through gates
• Give sequential behaviour (memory)
• Master-slave flip-flop
• Various latch constructions
Makes EC harder; whichever option is chosen is hard:
• Modelling the feedback loops
• Cutting the loops using blackboxes
• Extracting flip-flops/latches
31 Hierarchical Comparison
• Equivalence-check the smaller sub-modules first, then blackbox them and check the rest of the design
- Repeat iteratively
• Problem with cross-boundary optimisations
• Problem with test-insertion etc.
32 Mapping
The compare points in design A and design B must be mapped
• Using names, structure, functionality or rules
33 Debugging
When a bug is found, how do you fix it?
• In a 1 million gate design with 20,000 flip-flops, the failing compare point has already reduced the search space
• Is it a "false negative" or a real bug?
• Use a schematic viewer with annotated values and the possibility to trace
• Error candidates
34 Modelling versus Rewriting
Two approaches to validate ASIC/FPGA flows:
• Modelling – find a modelling of the HDL which justifies all valid modifications
  - Easy to convince oneself that the EC is correct
  - Hard to model all rewritings (e.g. gated clocks)
• Rewriting – add typical modifications as rewriting rules which are applied before checking
  - Verification by reverse engineering
  - Harder to convince oneself that the EC is correct
  - Easy to add new valid modifications
37 eCheck Features
• Full Verilog/VHDL (synthesizable RTL), EDIF, Liberty
• Multi-million gate performance
• Blackboxing
  - Memories
  - IP blocks
  - Analog blocks
  - Blocks with completely different structure
• Constraints
  - Disable test logic
  - Constrain states
38 eCheck Features
• Detection of combinational loops
• Support for sequential optimizations
  - Negation pushed through flip-flops
  - Duplication of registers
• Flip-flop / latch conversions
• Produce independent elaborated netlists
• GUI generates batch commands
• Powerful mapping heuristic based on name, structure and functionality
• Available for Windows/Linux/Solaris
39 eCheck Tool Compatibility
eCheck tested to work with
• Cadence BuildGates
• Synopsys Design Compiler
• Synplicity
• Get2Chip
• Leonardo Spectrum
• Incentia
• Xilinx ISE
• Altera Quartus
• LogicVision (BIST insertion)
• ASC VBIT (scan insertion)
• ASC vhdl2verilog and verilog2vhdl
40 Running eCheck
Using eCheck consists of 3 steps
1. Input the design files and configure the project [Configure]
2. Read the designs and map the compare points, usually automatic [Validate]
3. Run the actual comparison of the two designs [Compare]
41 Step 1: Configure
Input design files
• Common libraries
• Gold design
• Impl design
43 Step 2: Validate
Reads the design and automatically maps compare points
• Name-based• Function-based• Rule-based
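The name-based and function-based mapping of compare points from this step and from the "Mapping" slide, as an added example that is not code from the slides or from eCheck. The renaming conventions that `normalize` undoes (hierarchy separators, `[n]` versus `_n_` indices, a `_reg` suffix, escaped names) are assumptions chosen to resemble typical synthesis output, not eCheck's actual rules; each compare point is given as its support nets plus the cone function over them, all constructed:

```python
"""Compare-point mapping: name rules first, then cone function (constructed)."""
import re
from itertools import product


def normalize(name):
    """Rule-based normalisation (assumed conventions): strip escape backslash,
    fold case, '/' or '.' -> '_', 'x[3]' and 'x_3_' -> 'x_3', drop '_reg'."""
    n = name.lstrip("\\").lower()
    n = re.sub(r"[./]", "_", n)
    n = re.sub(r"\[(\d+)\]", r"_\1", n)
    n = re.sub(r"_(\d+)_$", r"_\1", n)
    return re.sub(r"_reg(?=(_\d+)?$)", "", n)


def signature(point):
    """Function-based key: the normalised support names plus the cone's truth
    table over them in a canonical order, so two cones computing the same
    function of the same (renamed) boundary nets get the same key."""
    support, fn = point
    norm = [normalize(s) for s in support]
    order = sorted(range(len(support)), key=norm.__getitem__)
    table = []
    for bits in product((0, 1), repeat=len(support)):
        args = [0] * len(support)
        for pos, k in enumerate(order):
            args[k] = bits[pos]
        table.append(fn(*args))
    return tuple(norm[k] for k in order), tuple(table)


def map_points(gold, impl):
    """Name-based mapping, then function-based mapping of the leftovers. A
    functional match is only accepted when the signature is unique on both
    sides; ambiguous ones (e.g. duplicated registers) stay unmapped."""
    by_name = {normalize(i): i for i in impl}
    mapping = {g: by_name[normalize(g)] for g in gold if normalize(g) in by_name}
    sig_g, sig_i = {}, {}
    for g in gold:
        if g not in mapping:
            sig_g.setdefault(signature(gold[g]), []).append(g)
    for i in set(impl) - set(mapping.values()):
        sig_i.setdefault(signature(impl[i]), []).append(i)
    for sig, gs in sig_g.items():
        if len(gs) == 1 and len(sig_i.get(sig, [])) == 1:
            mapping[gs[0]] = sig_i[sig][0]
    unmapped_gold = [g for g in gold if g not in mapping]
    unmapped_impl = sorted(set(impl) - set(mapping.values()))
    return mapping, unmapped_gold, unmapped_impl


# point -> (support nets, cone function taking the support values in order)
GOLD = {
    "ctrl/state_reg[0]": (["start", "ctrl/state_reg[0]"], lambda s, q0: s ^ q0),
    "ctrl/state_reg[1]": (["ctrl/state_reg[0]", "ctrl/state_reg[1]"], lambda q0, q1: q0 | q1),
    "ctrl/done": (["ctrl/state_reg[0]", "ctrl/state_reg[1]"], lambda q0, q1: q0 & q1),
    "dp/acc[7]": (["dp/acc[7]", "load", "din"], lambda q, l, d: d if l else q),
}
IMPL = {
    "ctrl_state_reg_0_": (["start", "ctrl_state_reg_0_"], lambda s, q0: s ^ q0),
    "\\ctrl_state_reg[1]": (["ctrl_state_reg_0_", "\\ctrl_state_reg[1]"], lambda q0, q1: q0 | q1),
    "n42": (["ctrl_state_reg_0_", "\\ctrl_state_reg[1]"], lambda q0, q1: q0 & q1),  # 'done', renamed
    "dp_acc_reg_7_": (["dp_acc_reg_7_", "load", "din"], lambda q, l, d: d if l else q),
    "n57": (["scan_en", "n57"], lambda s, q: s & q),  # inserted test flop, no gold counterpart
}
```

Three of the four golden points map by name after normalisation; `ctrl/done` was renamed to a synthesis-generated `n42` and is recovered by its cone function; `n57` has no counterpart and is reported, which is the cue for a constraint (disable test logic) or a blackbox. The functional step relies on the support nets already being mapped by name; a real tool iterates, using each newly mapped point to extend the next round's supports.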
45 eCheck verification flow
• Parse and elaborate the design
  - Parse errors, synthesis errors, warnings
• Map inputs, outputs and state-holding elements
  - Optionally blackboxes, loops and tristates
  - Name heuristic or functional
• Check the logic between mapped states
• Highlight failing points and give test vectors
46 Demo
• DES encryption algorithm
  - RTL versus post-synthesis
• Small RISC processor
  - Post-synthesis netlist versus DFT netlist
  - ASC scan insertion
• Small VCR controller
  - Illustrates debugging