Equivalence Checking Henrik Persson, Prover Technology.

Equivalence Checking

Henrik Persson, Prover Technology

Confidential © 2001 Prover Technology, Inc.

3 Agenda

• About Prover Technology• Introduction to ASIC/FPGA flows• Equivalence Checking basics• Issues with Equivalence Checking• eCheck Tutorial• eCheck Demo


4 Prover Technology in Brief

• Founded 1989• 25 employers• 3 offices

- Stockholm, Sweden (HQ)- Toulouse, France- Palo Alto, US

• Funded by MVI, Intel Capital etc• Main markets: formal verification for

EDA and CASE


5 Prover Technology’s Missions

1. Provide core technology for formal verification- Key advantage: speed and capacity

2. Help with efficient and correct modeling of user problems

3. Develop complete end-user tools


6 Three ways to build a tool

Prover provides the proof engine

• Intel• Esterel Tech.

Esterel Studio

• iLogix/OSC Statemate

• Xilinx Coregen

Design Specification

Translator

Internal Model representation

Interfaces

Proof Engine



Prover provides proof engine and modelling

• Volvo Sequence

diagrams

• Esterel SCADE

• Bombardier SVT


Translator


Interfaces

Proof Engine



Prover builds the complete tool

• Ericsson FABulous

• eCheck Equivalence

checker

• sCheck Sequential

Equivalence checker

• mCheck Model checker


Translator


Interfaces

Proof Engine


9 ASIC / FPGA development


10 ASIC development

Application Specific Integrated CircuitsUsed in applications with constraints in• Speed• Size• Low power consumption• Cost per units in mass-production• One chip – self-contained• >1 million gatesUsed in: Consumer electronics, high-speed

processing, safety-critical systems


11 FPGA development

Field Application Gate ArraysConfigurable/re-programmable circuits, used in

applications where• Circuits may need to be changed• Speed less important• Cost per unit for small quantities important• Size of chip less important• <1 million gatesUsed in: Prototypes for testing, Space/Weapon

industry, etc


12 First: Focus on FV in ASIC flow

• ASIC flow much more complicated- Several steps from idea to silicon- Cost of mistakes often very expensive

• ASIC: Main interest in RTL/gate-gate• FPGA: Increasing interest in RTL-RTL


13 ASIC Development Flow

• The design is described in VHDL or Verilog at a high-level, and then refined to a low-level representation

- Often in the same language- Much like compiling C to ”assembly C”

• In FV, we disregard physical constraints- Timing- Area- Power consumptionWhich often are the reason for modifications


14 ASIC Refinement Steps

• Architectural and Behavioural Model• Refine into Register-Transfer Level (RTL)• Design For Test insertion (DFT)

- BIST, scan, JTAG

• Synthesis down to gates (Netlist)• Optimisation• Scan-chain hook-up• Place & Route• Clock-tree insertion• Engineering Change Order (ECO)


15 Verifying an ASIC flow

FV

FV

FV

FV

RTL

Gates

Example ASIC Flow

FV

Synthesis

Chip Optimization

Clock Insertion

Test Insertion

AuthoringGoals:• Input two circuit

descriptions (RTL or gate level)

• Automated analysis and results: errors identified or proven not to exist

• 100% coverage


16 Equivalence Check Advantages

Simulation/testing can be reused• Your RTL is simulated and tested, but

then you modify it, is it still correct?

Easy to test new modifications• Change clock-frequency, modify

placement, change RTL, etc....

One Golden Reference Model• Equivalent to all stages in design-flow,

down to the final chip


17 eCheck advantages

No more functional gate-level simulation

Modify your RTL freely without risk of introducing new bugs

Reuse your verification and testing


18 Equivalence Checking Basics

• Check modifications in two HDL files- Size: up to 10 million gates each!- Wide range of programs often used to create

the HDL- Many small changes, but similar structure

• Equivalence Checking Challenge:- Partition the problem without loss of (too

much) generality- Model the HDL to validate as much

modifications as possible


19 Simple Representation of HDL

For EC, the HDL can be compiled into the following primitives• Logical gates (and, or, xor, not, ...)• A full-adder and a mux• A flip-flop with asynchronous set/reset• A latch• Blackbox-primitives• A tristate-gate


20 Two Approaches to EC

Sequential Equivalence Check• Modelcheck: for all sequences of input, the

circuits behave the same• Can compare completly dissimilar circuits• Very restricted to size of circuit

Combinational Equivalence Check• Check that all flip-flops are driven by equivalent

logic• Can only compare circuits with similar state-

structure• Much less sensitive to size of circuit


21 Combinational Equivalence Checking


22 Combinational Equivalence

• Find mapping between compare-points- Flip-flops, latches, blackbox-inputs, outputs

• Prove the “logical cones” equivalent


23 Logical Cones


24 Consistency

Consistency can be proven:• If all compare-points in the two circuits

are driven by equivalent logic, the two circuits are equivalent

The opposite is NOT true:• If a compare-point is driven by different

logic in the two circuits, the two circuits may still be equivalent

• ”False Negative”, a weakness of combinational equivalence checking


25 Issues

• Tristate logic• Don’t cares• State encoding• Retiming• Sequential propagation• Combinational loops• Hierarchical Comparison• Mapping• Debugging


26 Tristate logic

Four valued logic: 0, 1, X, Z• X – don’t care

- Implicit from RTL (case, undriven nets)- Explicit from user

• Z – high impedence- Implicit, e.g. multiple drivers- Explicit, e.g. Tristate-buffers

Problem for equivalence checkers• Synthesis tools instantiate X as seen fit• Performance• Makes post-synthesis vs post-synthesis

impossible in some cases


27 State encoding

User have described state-machines, but left encoding• Binary, One-hot, Gray, ...• VHDL more explicit compared to Verilog• Synthesis tools agressive to meet constraints

- One-hot registers gives less load on registers => faster and less power consumption

Equivalence checkers need to deduce encoding• Need perfect match in state structure


28 Retiming

To meet constraints, several things may be needed:• Reduce logic inbetween registers to

clock flip-flops faster- Duplications of registers- Push through negations- Other retiming/pipelining

• Again, EC needs a perfect match between state elements


29 Sequential Propagation

Test logic may be inserted that should not affect behaviour when TEST=0• TEST=0 often need to reset test-circuitry

in several clock-cycles• Equivalence checker need to propagate

this through registers to ”realize” that test-registers should be removed


30 Combinational Loops

Combinational loops are inserted as feedback-loops through gates• Gives sequential behaviour (memory)• Master-Slave flip-flop• Various latch constructions

Makes EC harder, either choice:• Model feedback loops hard• Cutting loops using blackboxes hard• Extracting flipflops/latches hard


31 Hierarchical Comparison

• Equivalence-check the smaller sub-modules first, then blackbox them and check the rest of the design

- Repeat iteratively

• Problem with cross-boundary optimisations

• Problem with test-insertion etc.


32 Mapping

The compare points in design A and design B must be mapped

• Using names, structure, functionality or rules


33 Debugging

When a bug is found, how do you fix it? • In a 1 million gates design with 20,000

flip-flops, you have reduced the search space

• Is it a ”false negative” or a real bug?• Use schematic viewer with annotated

values and possibilities to trace• Error candidates


34 Modelling versus Rewriting

Two approaches to validate ASIC/FPGA flows:• Modelling – find a modelling of HDL which

justifies all valid modifications- Easy to concieve EC correct- Hard to model all rewriting (e.g. Gated clocks)

• Rewriting – add typical modifications as rewriting rules which are applied before checking

- Verification by reverse engineering- Harder to concieve EC correct- Easy to add new valid modifications


35 eCheck Tutorial


36 eCheck


37 eCheck Features

• Full Verilog/VHDL (Synthesizable RTL), EDIF, Liberty

• Multi-million gates performance• Blackboxing

- Memories- IP-blocks- Analog blocks- Blocks with completely different structure

• Constraints- Disable test logic- Constrain states


38 eCheck Features

• Detection of combinational loops• Support for sequential optimizations

- Negation pushed through flip-flops- Duplication of registers

• Flip-flop / latch conversions• Produce independent elaborated netlists• GUI generates batch-commands• Powerful mapping heuristic based on

name, structure and functionality• Available for Windows/Linux/Solaris


39 eCheck Tool Compatibility

eCheck tested to work for• Cadence BuildGates• Synopsys Design Compiler• Synplicity• Get2Chip• Leonardo Spectrum• Incentia• Xilinx ISE• Altera Quartus• LogicVision (BIST insertion)• ASC VBIT (scan insertion)• ASC vhdl2verilog and verilog2vhdl


40 Running eCheck

Using eCheck consists of 3 steps1. Input the design files, and configuring

the project [Configure]2. Read the designs and map the compare

points, usually automatic [Validate]3. Run the actual comparison of the two

designs [Compare]


41 Step 1: Configure

Input design files• Common libraries• Gold design• Impl design


42 Configure specific options


43 Step 2: Validate

Reads the design and automatically maps compare points

• Name-based• Function-based• Rule-based


44 Step 3: Compare


45 eCheck verification flow

• Parse and elaborate design- Parse errors, synthesis errors, warnings

• Map inputs, outputs and stateholding elements

- Optionally blackboxes, loops and tristate- Name-heuristic or functional

• Check logic inbetween mapped states• Highlight failing points and give test-

vectors


46 Demo

• DES encryption algorithm- RTL versus post-synthesis

• Small RISC-processor- post-synthesis netlist versus DFT netlist- ASC SCAN-insertion

• Small VCR-controller- Illustrates debugging

Equivalence Checking Henrik Persson, Prover Technology.

Documents

Transcript of Equivalence Checking Henrik Persson, Prover Technology.