
Formal Verification in VLSI

Dilawar Singh

Indian Institute of Technology Bombay

November 28, 2010

Dilawar Singh Formal Verification in VLSI

About

These slides evolved during the Testing and Verification of VLSI course offered by Prof. M. P. Desai at IIT Bombay. They deal with the non-technicalities of 'formal verification' rather than theories and principles. Some comments are unprofessionally personal. Reader discretion is advised. :-)

Figure: From http://shemesh.larc.nasa.gov/images/humor-sneak-a-peek.jpg


Formal Verification

- Traditionally one discovers errors in software and hardware by testing all possible combinations, e.g. using simulation.[1]

- Since VLSI systems are too large, one can test only a (tiny?) fraction of them in practice. And this is when the computer runs faster than Chacha Chaudhary's brain.

- Besides, everything run on simulation is orders of magnitude slower than the real hardware, so pre-silicon testing is limited. That is why so few new designs are coming out of industry. Testing has become way too costly: over 25% of total cost.

- Formal verification is an alternative that proves mathematically that a given VLSI system will work as intended.

- Testing is a fault detection technique. Formal verification is a fault avoidance technique.

[1] I'm done simulating; Now what?, Kantrowitz M. and Noack Lisa, DEC

Exhaustiveness

- In 1914, Littlewood proved that π(n) − li(n) changes sign infinitely often, where π(n) is the number of primes ≤ n and

li(n) = ∫₀ⁿ du / ln u,

though the first instance of a sign change occurs when n ≥ 1.39822 × 10^316, discovered by Bays & Hudson (2000).

- Exhaustive testing using brute force may miss some errors which can be detected by formal verification.

- The most notable example is the Pentium FDIV bug.

- It's good to be paranoid while verifying.


Formal Models

- Specification: first of all, we need to write down how my system should behave, as a mathematical description.

- Kripke structures.

- Formal verification aims to prove the correctness of a design with respect to a given mathematical formal specification.

- However, checking against a reference does not mean that the reference is correct. A sanity check of the reference is required.


How hard is formal verification

- Writing out a complete proof of correctness is like defeating Tai Lung without a dragon scroll. And even if one has one, one cannot necessarily use it.

- Assumptions and special cases must be made explicit. Even for a small undertaking, this is a big task.

Figure: Stick to details and procedures. Not everyone is gifted!


Theorem Provers

- It would be great if one could prove, or even generate, a proof using a computer.

- It would reduce the risk of mistakes and could automate some part of the work for a large system.

- Downside: people may become dumber at the cost of a smarter planet.

- There are many software packages available for this purpose. A very good list can be found here.[a]

[a] http://www.cs.indiana.edu/formal-methods-education/Tools/

Figure: From http://shemesh.larc.nasa.gov/images/humor-whole-truth.jpg


Verification - Hardware V/S Software

- In recent years, formal hardware verification has become a very important part of the development process. Almost all of the leading companies use it, but software companies are still lagging.[a]

- Why?

- Probably because they can get away with it. Faulty software does not throw you out of business. Microsoft Windows is still around.

- It's easy to write patches for software. Almost impossible for hardware.

[a] Formal Methods: State of the Art and Future Directions, Clarke and Wing, CMU.

Figure: Faulty hardware (and/or (= xor?) faulty software) can make your machine life miserable. Take care!


Combinational Comparison

- One very fundamental question is whether two given combinational circuits are equivalent for every input combination. For example, the output of a synthesis tool modified by a designer to reduce the gate count.

- The task is to show that the optimised and unoptimised circuits are equivalent. This can be done by verifying the truth table: tautology checking.

- Though this can be automated, in practice working with truth tables is tedious and inefficient.


Efficient tautology checking

- Tautology checking is an NP-complete problem. One has to find heuristics for given cases until someone gives an efficient algorithm to solve these problems.

- Divide the circuit and solve for smaller parts.

- In practice, Binary Decision Diagrams are efficient. They also give a canonical representation for a given boolean formula with a specific variable ordering.[2]

- Other methods are Integer Programming and Davis-Putnam procedures.

- Symbolic simulation is also a candidate. It has been inefficient till now.

[2] Bounded Model Checking, Armin Biere et al., Advances in Computers, 2003
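As an added illustration (not from the slides) of the truth-table check described in the Combinational Comparison and Efficient tautology checking slides, this Python script treats equivalence of an unoptimised and an optimised circuit as a tautology check on their XNOR, and reports the first falsifying input vector when they differ. The full-adder carry-out functions and the buggy variant are constructed for this example.

```python
from itertools import product

def NOT(x):
    return 1 - x

def tautology(h, n):
    """Brute-force tautology check of an n-input boolean function h.
    Returns (True, None) if h is 1 on all 2**n input vectors, otherwise
    (False, vector) with the first falsifying input in lexicographic order.
    The loop is the 2**n truth-table walk the slides call tedious."""
    for bits in product((0, 1), repeat=n):
        if not h(*bits):
            return False, bits
    return True, None

def equivalent(f, g, n):
    """Two circuits are equivalent iff the XNOR 'miter' f(x) == g(x) is a tautology."""
    return tautology(lambda *x: int(f(*x) == g(*x)), n)

# Constructed example: carry-out of a full adder (3 inputs, 8 rows).
def cout_unoptimised(a, b, c):
    # Straight from the truth table: one product term per minterm with cout = 1.
    return (a & b & NOT(c)) | (a & NOT(b) & c) | (NOT(a) & b & c) | (a & b & c)

def cout_optimised(a, b, c):
    # Designer's hand-reduced version that reuses the half-adder XOR.
    return (a & b) | (c & (a ^ b))

def cout_buggy(a, b, c):
    # A plausible slip made while optimising: the b·c cover is lost.
    return (a & b) | (a & c)

if __name__ == "__main__":
    print(equivalent(cout_unoptimised, cout_optimised, 3))  # (True, None)
    print(equivalent(cout_unoptimised, cout_buggy, 3))      # (False, (0, 1, 1))
```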


Symbolic Trajectory Evaluation

- One can write a specification in a restricted temporal logic specifying the behaviour over bounded-length trajectories (sequences of circuit states).

- One example: if the circuit satisfies the property P then after n transitions it will satisfy the property Q. E.g. if P (a counter is reset) is true then Q (the output is n) will be true after n transitions.

- Then the circuit can be checked against this specification. If it does not hold, a witness will be found.


Temporal Logic Model Checking

- In general, the specification can be written in a more general temporal logic without the limitation of bounded trajectories. The hardware is reduced to a state transition system in which, at every state, one checks whether a given atomic formula holds or not.

- Linear Temporal Logic (LTL) and Computation Tree Logic (CTL) can be used to describe the behaviour.

- In CTL, behaviour can be specified by quantifying both over the future and over the whole range of possible state transition sequences. Kripke structures are natural for these specifications.

- Since every transition system is coded up with a combination of boolean variables, BDDs are used to represent them. There are many BDD packages available.[3]

- For example, EGf means that there exists a path on which f holds in every state. A path is a sequence of possible state transitions.

[3] http://vlsicad.eecs.umich.edu/BK/Slots/cache/www.itu.dk/research/buddy/index.html

Example : Kripke Structure

- Kripke structure K = (S, I, T, L).

- S is the set of states; I ⊆ S is the set of initial states; T ⊆ S × S is the transition relation and L : S → P(A) is the labeling function, where A is the set of atomic propositions and P(A) denotes the power-set of A, i.e. for a state s ∈ S the set L(s) is made of the atomic propositions that hold in s.

S = {00, 01, 10, 11}
I = {00}
T = {(00, 01), (00, 11), (01, 00), (01, 10), (10, 11), (10, 01), (11, 10), (11, 00), (10, 00)}

Figure: A finite State Machine!


Example : Temporal representation

- Let xnext be the next state and x the current state of a two-bit vector. Assuming that both up and down cannot be 0 at the same time,

xp(0) = ¬x(0)                                                       (1)

xp(1) = x(0) ⊕ x(1)                                                 (2)

xm(0) = ¬x(0)                                                       (3)

xm(1) = ¬(x(1) ⊕ ¬x(0))                                             (4)

T(xnext, x) : xnext = (up ∧ ¬down ∧ xp)                             (5)

                      ∨ (¬up ∧ down ∧ xm) ∨ (up ∧ down ∧ xn)        (6)

- f : T holds.

- EGf is true. In fact, for every path f is true, i.e. AGf holds.

Figure: A finite State Machine!
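As an added worked example (not from the slides), the two-bit counter's Kripke structure from the two slides above encoded in Python, with S, I and T copied from the slide, together with the fixpoint computations for EG and AG and a breadth-first search that returns the witness path when AG fails. The labelling L (one assumed atomic proposition "not11", true in every state except 11) is my assumption; the slide's signal xn is not needed because T is used as an explicit set.

```python
from collections import deque

# Kripke structure K = (S, I, T, L) of the slide's 2-bit up/down counter. S, I, T
# are copied from the slide; L is an assumption: "not11" holds in every state but 11.
S = {"00", "01", "10", "11"}
I = {"00"}
T = {("00", "01"), ("00", "11"), ("01", "00"), ("01", "10"),
     ("10", "11"), ("10", "01"), ("11", "10"), ("11", "00"), ("10", "00")}
L = {s: ({"not11"} if s != "11" else set()) for s in S}

def succ(s):  # successors of s under T
    return {t for (u, t) in T if u == s}

def sat(prop):  # states whose label contains the atomic proposition
    return {s for s in S if prop in L[s]}

def EX(Z):  # states with at least one successor in Z
    return {s for s in S if succ(s) & Z}

def EG(prop):
    """EG p: greatest fixpoint of Z = p ∩ EX Z (shrink until stable)."""
    Z = sat(prop)
    while Z & EX(Z) != Z:
        Z = Z & EX(Z)
    return Z

def AG(prop):
    """AG p = ¬EF ¬p, with EF ¬p the least fixpoint of Y = ¬p ∪ EX Y."""
    Y = S - sat(prop)
    while Y | EX(Y) != Y:
        Y = Y | EX(Y)
    return S - Y

def holds(formula_states):
    """A CTL formula holds for K iff every initial state satisfies it."""
    return I <= formula_states

def witness_against_AG(prop):
    """BFS from I to a state violating prop: the shortest counterexample path, or None."""
    queue = deque((s, [s]) for s in sorted(I))
    seen = set(I)
    while queue:
        s, path = queue.popleft()
        if prop not in L[s]:
            return path
        for t in sorted(succ(s) - seen):
            seen.add(t)
            queue.append((t, path + [t]))
    return None
```

Running EG("not11") and AG("not11") shows the difference between the two quantifiers on this machine: some path from 00 avoids 11 forever (00, 01, 00, ...), but not every path does, and the BFS returns the two-state trace 00 → 11 as the counterexample.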


Model Checking

- In model checking, one builds a finite model of a system and checks that a desired property holds in that system. This is done by exhaustive (and sometimes wise) search; if the property does not hold, a counterexample is produced. That is its greatest strength: being able to produce an error trace, which makes it suitable for debugging. Since the model is finite, it will terminate. It is mostly used in hardware and protocol verification.

- Two approaches are generally used in model checking: temporal model checking (we have seen this) and 'find an automaton and compare it to the specification to determine whether or not its behaviour conforms to that specification'. For example, language inclusion [Har'El and Kurshan, 1994], refinement ordering [Cleaveland et al. 93], observational equivalence [Cleaveland et al. 93; Fernandez 96; Roy and de Simone 90].

- Vardi and Wolper [1986] have shown how the temporal model checking problem can be recast in terms of automata, thus relating the two approaches.


Theorem Proving V/s Model Checking

- Two well established approaches to verification are model checking and theorem proving. Model checking is very fast but can handle only finite state spaces.

- When theorem proving fails, unlike model checking, it does not produce a counterexample.

- Model checking is much faster than theorem proving. But the problem is STATE EXPLOSION. There are heuristics to improve this though [Kurshan 1994] and semantic minimization [Elseaidy et al. 1996] to eliminate unnecessary states from a system model. Using this method one has verified 10^120 reachable states.

- Theorem proving can deal with infinite state spaces. It uses structural induction to prove over infinite domains.


Blah Blah

- The overarching goal of formal methods is to help engineers construct more reliable systems. A global property is broken into local properties which are conceptually easier to handle.

- Abstraction is also needed. Hardware specifications can be written down in a more abstract language like Esterel (good for control engineering freaks).

- Combination of mathematical theories is also a much less explored area. One solid concept from one discipline can find application in numerous other fields; graph theory is one of the most remarkable examples of this.

- Who can forget to include better data structures and algorithms.

- Rather than building models for some specific problem, one can ambitiously romanticise 'meta-tools' which can themselves produce or change themselves to handle a particular problem domain. Integration of available methods?


Tools

- In the hands of a Jedi Knight a simple-looking light saber is more efficient than a million dollar weapon. How to use your available tool efficiently is something one should learn through practice. Anyone who has mastered the vim editor will probably agree with me.

- A list of available tools is given here: http://www.cs.indiana.edu/formal-methods-education/Tools/.
