COEN6551: Formal Hardware Verificationtahar/coen6551/notes/intro-coen65… · Some Formal Methods...

COEN6551: Formal Hardware Verification

Prof. Sofiène TaharHardware Verification Group

Electrical and Computer EngineeringConcordia University

Montréal, QuebecCANADA

Formal Probabilistic Analysis

2

Accident at Carbide plant, India

Cost: $470 million, December 2-3, 1984Loss: 3,787 deaths, over 500,000 people exposedCauses: Corroding non-stainless steel pipes, Improper maintenance

E. Broughton. The Bhopal Disaster and its Aftermath: A Review. Environmental Health, 4(6):1-6, May 2005.

Formal VerificationS. Tahar


3

Train Derailment in Germany

Loss: 101 dead, 88 injuredMain cause of failure: wheel design, a single fatigue crack in one of the wheels


Cost: $30 Million, June 3,1998

Investigative Documentary on National Geographic Channel. Derailment at Eschede (High Speed Train Wreck), Seconds From Disaster., 2007.


4

Space Shuttles Challenger and Columbia

Challenger (January 28, 1986)

Challenger: Cause: Failure of the pressure seal in the aft field joint of the right Solid Rocket BoosteDesign was unacceptably sensitive to a number of factors

Columbia: During re-entry, damaged tiles in the heat shield allowed the hot gases to penetrateand destroy the internal wing structure, rapidly causing the in-flight breakup of the veh

Columbia (February 1, 2003)


Loss: Entire crew in both accidents

Rogers Commission report, Report of the Presidential Commission on the Space Shuttle Challenger Accident, Volume 1, chapter 4, page 72. http://history.nasa.gov/rogersrep/v1ch4.htm, 1986.


5

… and the list goes on and on …

System-on-Chip VerificationS. Tahar


Design Errors

Patriot Missile

Failure, a classical case of rounding

error

Floating-point division

bug

Floating-point to Integer

conversion

6

S. Tahar Formal Verification


Design Challenges7



What is Verification?8



Verification Technology9


Formal Probabilistic Analysis10

Verification by Simulation

Most widely used system analysis approachConstruct a computer based model of the systemAnalyze the behavior of the system model under a

number of test cases to deduce properties of interest

Easy to useMay generate inaccurate results

Practically impossible to test for all possible cases



Simulation –A Practical Example

Question: How long does it take to verify a 64-bitFloating Point Division Unit


Answer: There are (264 x 264): 2128 test cases At 1 test/s, it will take 1025 years!!!


Simulation –Another Practical Example

Question: How long does it take to verify a 256-bit RAM Memory Unit

S. Tahar

Answer: There are 2256 = 1080 bits to test At 1 test/ps and using all matters in our

galaxy to build computers of the size of a single electron, it will take 1010 years to verify 0.05%!!!

Formal Verification


Verification Gap

The situation is worsening as technology evolves

13



Verification by Formal Methods

Construct a computer based mathematical model of the system and its specification (properties)

Use mathematical reasoning to check functionalproperties of interest

Accurate results Consideration of all cases is implicit

Sometimes is difficult (limited) and time consuming



Simulation –Example Check if y>x for the given system (x is a natural number)

Test vectors (x) System output (y) y>x1 4 True

2 9 True

5 36 True

9 100 True

67 4624 True

1000 1002001 True

1000000 ??? ???

2)1( xx y



Formal Methods –Example Check if y>x for the given system (x is a natural number)

1 y>x Problem statement

2 (x+1)2>x Implementation

3 (x+1).(x+1)>x Definition of Square

4 (x+1).x+(x+1).1>x Distributivity

5 x.x+1.x+x.1+1.1>x Distributivity

6 x.x+x+x+1>x Multiplicative Identity

7 x.x+x+1+x>x Additive Commutivity

8 x.x+x+1>0 Addition Cancellation

9 True Natural numbers > 0

2)1( xx y



Most Widely used Formal Methods

Equivalence Checking

Model Checking

Theorem proving

S. Tahar System-on-Chip Verification



Both systems modeled as a Logic Formulas Formulas specified in Propositional Logic

Allows automatic proof of equivalence (decidable and complete)

Applicable on Combinational Systems (Circuits) Sequential (FSM) equivalence checking very costly


System 1 System 2

Logic Formula 1 Logic Formula 2

True, if both formulas equivalentCounterexample, otherwise

Equivalence Checker



Advantages Automatic (Push button type analysis tools) No proofs involved Diagnostic counter examples

Disadvantages Limited expressiveness Combinational Circuits

Equivalence Checking Tools VIS (Verification Interacting with Synthesis) - U. of California, BerkeleyMDG (Multiway Decision Graphs) - U. de Montreal Conformal, Formality, etc



Model Checking

System is modeled as a State Transition Graph Properties are specified in Temporal Logic

Allows the description of time-varying behaviour of systems

Exhaustive verification by searching the state space of the system model to determine if the property holds



Model Checking

Advantages Automatic (Push button type analysis tools) No proofs involved Diagnostic counter examples

Disadvantages Limited expressiveness State-space explosion problem

Model Checking Tools SMV (Symbolic Model Verifier) - Carnegie Mellon U. VIS (Verification Interacting with Synthesis) - U. of California, Berkeley SPIN , SLAM, PRISM, etc



Theorem Proving

System is modeled as a function in some appropriate logic

Properties are modeled as theorems in the same logic

These theorems are interactively verified based on mathematical reasoning in a computer based proof system (Theorem Prover)



Theorem Prover

A theorem prover consists of A notation (syntax) to express logic a small set of fundamental axioms (facts)

A Boolean variable can be True or False: a.(a = T) (a =F) a small set of inference (deduction) rules

Equality is transitive: a b c. (a = b) (b = c) (a = c)

Soundness is assured as every new theorem must be created from The basic axioms and primitive inference rules Any other already proved theorems or inference rules

Theory (collection of verified theorems in a file) Facilitate the reusability of pre-verified results



Theorem Proving Advantages

High expressiveness Can be essentially used to analyze any system that can be

expressed mathematically Less risk of mistakes (human errors) Some parts of the proofs can be automated

Disadvantages Detailed and explicit human guidance required The state-of-the-art is limited

Theorem Proving Tools Boyer-Moore (First-order Logic) U. of Texas, Austin PVS (Higher-order Logic) Stanford Research Institute HOL (Higher-order-logic) U. of Cambridge, UK



Some Formal Methods Myths

Formal methods can only be used by mathematicians They are primarily based on mathematical concepts that is

usually transparent to the user

The reasoning process is itself prone to errors, so why bother?We opt to reduce design bugs not eliminate them

Using formal methods tends to slow the design process The early detection of design bugs are allows us to speed up the

overall design process



Formal Methods Applications

Formal methods are widely used for the functional verification of many applications

Microprocessors

Software Conformance

Cache Coherence Protocols

Telecommunication Protocols

Security Protocols

Transportation



Cost of Verification

Verification accounts for 60-70% of project cost (human, computing and time)

Increasing VLSI technology and design complexity (1.7 billion transistors on chip)

Traditional simulation limited to a tiny percentage of test cases

Situation is most serious for safety critical applications

Many research groups and companies are using formal verification as complement simulation

27



Free Ad!

Anyone interested for more information on Formal Verification?

Visit http://hvg.ece.concordia.ca


COEN6551: Formal Hardware Verificationtahar/coen6551/notes/intro-coen65… · Some Formal Methods...

Documents

Transcript of COEN6551: Formal Hardware Verificationtahar/coen6551/notes/intro-coen65… · Some Formal Methods...