Formal Verification Solution

8/12/2019 Formal Verification Solution

1/80

1Inventing IC design technologies

that will be vital to Intel

SSCCLL

GSTE: An Industrial StrengthGSTE: An Industrial StrengthFormal Verification SolutionFormal Verification Solution

Jin Yang, Ph.D.,Jin Yang, Ph.D.,

Principal EngineerPrincipal EngineerStrategic CAD Labs,Strategic CAD Labs,Intel Corp.Intel Corp.

PSUPSUFeb 22, 2009Feb 22, 2009


2/80

2

MotivationMotivation

Design ComplexityDesign Complexity

MicroMicro--architectures are complexarchitectures are complex

superscalar, OOO, hypersuperscalar, OOO, hyper--threading, powerthreading, power--saving etc.saving etc.

RTL is too bigRTL is too big

The number of bugs are proportional to lines of codeThe number of bugs are proportional to lines of code

Bug creation will soon overwhelm detectionBug creation will soon overwhelm detection

Creation - 4x per lead design, detection - flattening

Bug escapes can have an increasing $ impactBug escapes can have an increasing $ impactMultiMulti--core, multicore, multi--chip design becomes the trendchip design becomes the trend


3/80

3


Formal Verification Tool Capacity is TooFormal Verification Tool Capacity is TooSmallSmall

Symbolic Model CheckingSymbolic Model Checking

~200 state variables with rich logic~200 state variables with rich logic

STESTE~2,000 state variables with very~2,000 state variables with very

limited logiclimited logic


4/80

4


Solution NeededSolution Needed

An executableAn executable microarchitecturemicroarchitecture spec (HLM)spec (HLM)that is ~10x smaller than todaythat is ~10x smaller than today

Correct by construction design refinementsCorrect by construction design refinementsfrom the HLMfrom the HLM

Higher capacity FV technologyHigher capacity FV technology


5/80

5

Simulation Based VerificationSimulation Based Verification

Solutions: A Historical ComparisonSolutions: A Historical Comparison

Designcomplexity

Verificationcompleteness

Specificationrichness

Dynamic (Random) simulation

symbolicsimulation

SymbolicTrajectoryEvaluation

(STE)

Symbo

licmodelch

ecking

GeneralizedSTE

(GSTE)


6/80

6

Buffer SpecificationBuffer Specification

After reset, input data will be output after 3After reset, input data will be output after 3ticks.ticks.

reset

2

2din[1:0]

dout[1:0]

reset

din[1:0]

dout[1:0]

0 1 2 3 4 5 6 7 8

00 10 01 10 11

00 10 01 10 11

9


7/80

7

Rotary Buffer ImplementationRotary Buffer Implementation

+

reset

2

2

en

en

en

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b2

b1

b0


8/80

8

Rotary Buffer BehaviorRotary Buffer Behavior

+

reset

2

2

en

en

en

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b2

b1

b0

1


9/80

9


+

reset

2

2

en

en

en

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b2

b1

b0

0010


10/80

10


+

reset

2

2

en

en

en

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b2

b1

b0

001

0


11/80

11


+

reset

2

2

en

en

en

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b2

b1

b0

010

0


12/80

12


+

reset

2

2

en

en

en

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b2

b1

b0

100

0


13/80

13

Dynamic SimulationDynamic Simulation

English Specification:English Specification:

After reset, input data willAfter reset, input data will

be output after 3 ticks.be output after 3 ticks.+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

din[1:0]

c0

c1

c2

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

0 1 2 3 4 5 6 7 8

00 10 01 10 11 11 01 00

9

00

00

00

00

00


14/80

14

Dynamic SimulationDynamic Simulation


After reset, input data willAfter reset, input data will

be output after 3 ticks.be output after 3 ticks.+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

din[1:0]

c0

c1

c2

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

0 1 2 34

5 6 7 8

00 10 01 10 11 11 01

10 11

01 11

00 10

00 10 01

00

01

10 11

9

00

00

00

00

00


15/80

15

Dynamic Simulation: Pros/ConsDynamic Simulation: Pros/Cons

Designcomplexity



Random simulation

ProsPros Computationally inexpensiveComputationally inexpensive

Rich specification language (testRich specification language (testprograms)programs)

ConsCons Bug hunting, not a formal proofBug hunting, not a formal proof Coverage degrades quickly on complexCoverage degrades quickly on complex

designsdesigns Required simulation time increasesRequired simulation time increases

dramaticallydramatically

symbolicsimulation


16/80

16

Symbolic Simulation: BasicsSymbolic Simulation: Basics

Core IdeaCore Idea

UseUse booleanboolean variables/expressions to encode allvariables/expressions to encode all

possible scalar valuespossible scalar values

Simulation by function compositions ofSimulation by function compositions of booleanbooleanexpressionsexpressions

rather than function evaluations of scalar valuesrather than function evaluations of scalar values


17/80

17


A

B A & BA

B A + B+ A !A A(t) A(t+1)

Basic gates:

Function composition:

A

B +

A & !B + !A & B

!A

!B

A & !B

!A & B

A

B

+

E & A + !E & B

!E

E & A

!E & B

E

E & A + !E & Bat next time


18/80

18


Canonical representationCanonical representation

Are twoAre two booleanboolean expressions equivalent, i.e.,expressions equivalent, i.e.,

representing the samerepresenting the same booleanboolean function?function?Ordered Binary Decision Diagram (BDD) gives aOrdered Binary Decision Diagram (BDD) gives a

canonical form of anycanonical form of any booleanboolean function (Bryantfunction (Bryant1986)1986)

Function compositions are defined in terms ofFunction compositions are defined in terms ofBDD operationsBDD operations


19/80

19

Equivalent?


A

B

+

A & !B + !A & B!A

!B

A & !B

!A & B

A

B

+ (A + !B) & (!A + B)

!A

!B

A + !B

!A + B

+!((A + !B) & (!A + B))

A

0 1

B

0 1

A

0 1

B

A

0 1

B

A

0 1

BB

A

0 1

BB

A

0 1

A

0 1

A

0 1

B

A

0 1

B

A

0 1

BB

Equivalent!


20/80

20


Constrained inputsConstrained inputs

Parametric representation (Parametric representation (AagaardAagaard, Jones &, Jones &

Seger 1999)Seger 1999)

Canonical under any fixed parametric variableCanonical under any fixed parametric variableorderorder


21/80

21


A!A

A + !A = 1+

A

B+

Simple case

Complex case

s.t. A + B

P0 +

parametric

!P0 + P1P0 + !P0 + P1 = 1

11111111

0011001111001100

11000000

BBAAPP11PP00

valid space


22/80

22

Symbolic Simulation: Rotary BufferSymbolic Simulation: Rotary Buffer

+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

din[1:0]

c0

c1

c2

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

0 1 2 3 4 5 6

A1B1 A2B2

A0B0

D0E0

D1E1

D2E2

A3B3

C0

C1

C2

Partial English Specification:Partial English Specification:

Within first 6 ticksWithin first 6 ticks after reset, inputafter reset, inputdata will be output after 3 ticksdata will be output after 3 ticks

Stimulus/Antecedent

Check/Consequent

A1B1 A2B2 A3B3 A4B4 A5B5 A6B6

Assertion:


23/80

23

Symbolic Simulation: Rotary BufferSymbolic Simulation: Rotary Buffer

+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

Partial English Specification:Partial English Specification:

Within first 6 ticksWithin first 6 ticks after reset, inputafter reset, inputdata will be output after 3 ticksdata will be output after 3 ticks

$$: C$$: C00 & D& D00 + C+ C11 & D& D11 + C+ C22 & D& D22,,

CC00 & E& E00 + C+ C11 & E& E11 + C+ C22 & E& E22

$0: C$0: C00 & A& A00 + !C+ !C00 & D& D00,,

CC00 & B& B00 + !C+ !C00 & E& E00

$1: C$1: C11 & A& A00 + !C+ !C11 & D& D11,,CC11 & B& B00 + !C+ !C11 & E& E11

$2: C$2: C22 & A& A00 + !C+ !C22 & D& D22

CC22 & B& B00 + !C+ !C22 & E& E22

Large, but uselesssymbolic values!!!

Symbolic Simulation:

reset

din[1:0]

c0

c1

c2

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

0 1 2 3 4 5 6


A2B2 A5B5

A3B3

A1B1 A4B4

A1B1 A2B2

A0B0

D0E0

D1E1

D2E2

$$ A3B3

C0

C1

C2

$0

$1

$2

$0 $1 $2

dout[1:0] A1B1 A2B2 A3B3


24/80

24

Symbolic Simulation: Pros/ConsSymbolic Simulation: Pros/Cons

Designcomplexity



Dynamic simulation

symbolicsim

ulation

ProsPros

Formal proofFormal proof

ConsCons Poor capacityPoor capacity

Very limited specification languageVery limited specification language(over finite intervals)(over finite intervals)

symbolicsim

ulation

SymbolicTrajectoryEvaluation

(STE)


25/80

25

STE: BasicsSTE: Basics

STESTE Symbolic Trajectory EvaluationSymbolic Trajectory Evaluation(Bryant & Seger 1990)(Bryant & Seger 1990)

Use quaternary values 0, 1, X, C, in place ofUse quaternary values 0, 1, X, C, in place ofbooleanboolean valuesvalues

ExpandExpand booleanboolean logic to quaternary logiclogic to quaternary logic


26/80

26


C

0 1

X

(reverse) information order

Unknown

Conflict

CCCCCCCCCC

CC1100XX11

CC00000000CCXX00XXXX

CC1100XX&&

CCCCCCCCCC

CC11111111

CC1100XX00CC11XXXXXX

CC1100XX++

CCCC

0011

1100XXXX

!!

CCCC

1111

0000XXXX

+

Basic gates:


27/80

27


Quaternary abstractionQuaternary abstraction

A quaternary vector is an abstraction of a set ofA quaternary vector is an abstraction of a set of

booleanboolean vectorsvectors

PointPoint--wise abstraction of set union, intersectionwise abstraction of set union, intersection

Complexity reductionComplexity reduction


28/80


29/80

29


Symbolic Quaternary VectorSymbolic Quaternary Vector

It is often desired to work on a set of quaternaryIt is often desired to work on a set of quaternary

vectorsvectorsCapture different casesCapture different cases

Avoid too coarse abstractionAvoid too coarse abstraction

A symbolic quaternary vector encodes a set ofA symbolic quaternary vector encodes a set ofquaternary vectorsquaternary vectors


30/80

30


0 1 11, 0, 1 +

{{{{ }}}} 1

XX + X Too coarse!

abs.

+

1X

{{{{1 10, 1

v!v?1:X 1

01

v

01

{{{{ }}}} }}}}

v

abs. rew.

part. & sym.

Right level

+

v!v + w 1

rew.

v

w

01

10

11

finer part.

& sym.

Boolean


31/80

31


Quaternary Dual Rail EncodingQuaternary Dual Rail Encoding

C

0 1

X (1, 1)

(1, 0)(0, 1)

(0, 0)

(f, g) =

Symbolic form

X, when f & g

1, when f & !g

0, when !f & g

C, when !f & !g

[ v, !v?1:X ]

[ (v, !v) , (1, v) ]

( AH, AL )

( BH, BL ) ( AH & BH, AL + BL )

( AH, AL )

( BH, BL ) ( AH + BH, AL & BL )+

( AH, AL )( AL, AH )

( AH, AL )( AH, AL ) at next time

( AH, AL )

( BH, BL ) ( AH & BH, AL & BL ) ( AH, AL )

( BH, BL ) ( AH + BH, AL + BL )


32/80

32

STE: Rotary BufferSTE: Rotary Buffer

Partial English Specification:Partial English Specification: Within first 6 ticksWithin first 6 ticks after reset,after reset,

input data will be output afterinput data will be output after3 ticks3 ticks

0 1 2 3 4 5 6

Antecedent

STE Assertion:

reset := 0din := A1B1reset := 1 reset := 0din := A2B2

reset := 0din := A3B3reset := 0din := A4B4

reset := 0din := A5B5reset := 0din := A6B6

Consequent

Timeline

dout := A1B1 dout := A2B2 dout := A3B3

+

reset

2

2

2mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

a0 a1 a2

STE R B ff


33/80

33


+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

0 1 2 3 4 5 6

Antecedent

STE Assertion:

reset := 0din := A1B1

reset := 1 reset := 0din := A2B2





Consequent

Timeline


reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]


A2B2 A5B5

A3B3

A1B1 A4B4

A1B1 A2B2 A3B3

X

a0 a1 a2

a2a1a0 XXX

XXX

XX

XX

XX

XX

XX

X

001

001

STE R B ffSTE R B ffd


34/80

34


+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

0 1 2 3 4 5 6

Antecedent

STE Assertion:







Consequent

Timeline


reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]


A2B2 A5B5

A3B3

A1B1 A4B4

A1B1 A2B2 A3B3

X

a0 a1 a2

a2a1a0 XXX

XXX

XX

XX

XX

XX

XX

001

001

X

A1B1

010

A1B1

010

STE R B ffSTE R t B ffd


35/80

35


+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

0 1 2 3 4 5 6

Antecedent

STE Assertion:







Consequent

Timeline


reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

A1B1 A2B2

A2B2 A5B5

a0 a1 a2

a2a1a0 XXX

XXX

XX

XX

XX

XX

XX

001

001

X

A1B1

010

X

010

A2B2

100

A1B1 A1B1

A2B2

100

STE R t B ffSTE R t B ffdp


36/80

36


+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

0 1 2 3 4 5 6

Antecedent

STE Assertion:







Consequent

Timeline


reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

A1B1 A2B2

A2B2 A5B5

a0 a1 a2

a2a1a0 XXX

XXX

XX

XX

XX

XX

XX

001

001

X

A1B1

010

010

A2B2

100

A1B1

A2B2

100

A3B3

001

X

A1B1

A2B2 A2B2

A3B3

001

A1B1

STE R t B ffSTE R t B ffdp


37/80

37


+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

0 1 2 3 4 5 6

Antecedent

STE Assertion:







Consequent

Timeline


reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

A1B1 A2B2

A2B2 A5B5

a0 a1 a2

a2a1a0 XXX

XXX

XX

XX

XX

XX

XX

001

001

X

A1B1

010

010

A2B2

100

100

A3B3

001

A1B1

A2B2

A3B3

001

X

A4B4

010

A2B2

A3B3

A1B1

A4B4

010

A2B2


38/80

STE R t B ffSTE: Rotary Bufferdp


39/80

39


+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

0 1 2 3 4 5 6

Antecedent

STE Assertion:







Consequent

Timeline


reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

A1B1 A2B2

A2B2 A5B5

a0 a1 a2

a2a1a0 XXX

XXX

XXXX

XX

XX

XX

001

001

X

A1B1

010

010

A2B2

100

100

A3B3

001

A1B1

001

A4B4

010

A2B2

A1B1

A2B2

010

100

A5B5

A4B4

A5B5

A3B3

100

A3B3

A6B6

001


40/80

GSTE: BasicsGSTE: Basics


41/80

41

GSTE: BasicsGSTE: Basics

GSTEGSTE Generalized STEGeneralized STE

Assertion graph specificationAssertion graph specification

automaton over antecedent/consequent pairsautomaton over antecedent/consequent pairs

Model CheckingModel Checking

STE + Abstract Set Union + FixSTE + Abstract Set Union + Fix--Point ComputationPoint Computation

Assertion GraphAssertion Graph English Specification:English Specification:


42/80

42

Assertion GraphAssertion Graph

reset := 0

din := AB

reset := 1 reset := 0 reset := 0 reset := 0

reset := 0

dout := AB


After reset, input dataAfter reset, input data

will be output after 3will be output after 3ticks.ticks.

reset := 0din := AB


dout := AB

reset := 0 reset := 0

Satisfied ifSatisfied if the STE assertionthe STE assertion

captured by every accepting pathcaptured by every accepting path

is satisfiedis satisfied

Length k for all possible k 0



43/80

43


reset := 0din := AB


reset := 0

dout := AB

Intuitively, think of it as aIntuitively, think of it as a

test programtest program

Beginreset: = 1; tick;while (random() < 0.7)

reset: = 0; tick;endwhile;reset: = 0; din := random value; tick;reset: = 0; tick;reset: = 0; tick;

reset := 0; assert(dout = din);end.



44/80

44


reset := 0din := AB


reset := 0

dout := AB

[ ] C C C C CXXX

reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

XX

XX

XX

XX

XX

XX

001

+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

c2c1c0 = 001

STE + Abs. Set Union +STE + Abs. Set Union +FixFix--Point ComputationPoint Computation

Compute the set of circuitCompute the set of circuitinternal statesinternal states correscorres. to. to

each automation stateeach automation state cc22cc11cc00 bb00[1:0], b[1:0], b11[1:0], b[1:0], b22[1:0][1:0]


45/80



46/80

46


reset := 0din := AB


reset := 0

dout := AB

[ ] C C C CXXX

reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

XX

XX

XX

XX

XX

XX

0XX

+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

c2 = 0 X0X[ ]



47/80

47


reset := 0din := AB


reset := 0

dout := AB

[ ] C C C CXXX

reset

din[1:0]

c2c1c0

b0[1:0]

b1[1:0]

b2[1:0]

dout[1:0]

XX

XX

XX

XX

XX

XX

XXX

+

reset

2

2

2

mux

2

2

ctrl

dp

din[1:0] dout[1:0]

c0 c1 c2

b0

b1

b2

reset

No more new

states!

XXX[ ]


48/80

Assertion Graph RefinementAssertion Graph Refinement


49/80

49


reset := 0din := AB


reset := 0

dout := AB

reset := 0din := AB

reset := 1

reset := 0 reset := 0 reset := 0reset := 0

dout := ABreset := 0

reset := 0

reset := 0

din := AB

reset := 0 reset := 0 reset := 0

dout := AB

reset := 0din := AB


dout := AB

Case splitting



50/80

50


reset := 0din := AB

reset := 1

reset := 0 reset := 0 reset := 0reset := 0

dout := ABreset := 0

reset := 0

reset := 0din := AB


dout := AB

reset := 0din := AB


dout := AB

c2c1c0=001

c2c1c0=010

c2c1c0=100

c2c1c0=010d0[1:0]=AB

c2c1c0=100d0[1:0]=AB

c2c1c0=001d0[1:0]=AB

c2c1c0=100d1[1:0]=AB

c2c1c0=001d1[1:0]=AB

c2c1c0=010d1[1:0]=AB

c2c1c0=001d2[1:0]=AB

c2c1c0=010d2[1:0]=AB

c2c1c0=100d2[1:0]=AB

Problem: the refined assertion graph can become verylarge with buffer size increase

AssertionAssertion ProgramProgram


51/80

51


reset := 0din := AB


reset := 0

dout := AB

reset := 0din := AB


reset := 0

dout := AB

{ cnt1cnt0 := 0; }

{ cnt1cnt0 := (cnt1cnt0 +1) mod 3; }

{ } { } { } { }



52/80

52


reset := 0din := ABreset := 1


reset := 0

dout := AB

{ cnt1cnt0 := 0; }


{ } { } { } { }

!cnt1 & !cnt0

c2c1c0 = [ 0, 0, 1 ]



53/80

53


!cnt1 & !cnt0

c2c1c0 = [ 0, 0, 1 ]

!cnt1 & cnt0

c2c1c0 = [ 0, 1, 0 ]

reset := 0din := ABreset := 1


reset := 0

dout := AB

{ cnt1cnt0 := 0; }


{ } { } { } { }



54/80

54

Assertionsse t o Programog a

!cnt1

c2c1c0 = [ 0, cnt0, !cnt0 ]

reset := 0din := AB


reset := 0

dout := AB

{ cnt1cnt0 := 0; }


{ } { } { } { }



55/80

55

sse t o og ag

!cnt1 + !cnt0

c2c1c0 = [ cnt1&!cnt0, !cnt1&cnt0, !cnt1& !cnt0 ]

!cnt1 + !cnt0

c2c1c0 = [ !cnt1&cnt0, !cnt1&!cnt0, cnt1& !cnt0 ]d0[1:0] = !cnt1&!cnt0 ? [ A, B ] : [ X, X ]d1[1:0] = !cnt1& cnt0 ? [ A, B ] : [ X, X ]

d2[1:0] = cnt1&!cnt0 ? [ A, B ] : [ X, X ]

!cnt1 + !cnt0

c2c1c0 = [ !cnt1&!cnt0, cnt1&!cnt0, !cnt1&cnt0 ]d0[1:0] = !cnt1&!cnt0 ? [ A, B ] : [ X, X ]d1[1:0] = !cnt1& cnt0 ? [ A, B ] : [ X, X ]

d2[1:0] = cnt1&!cnt0 ? [ A, B ] : [ X, X ]

!cnt1 + !cnt0

c2c1c0 = [ cnt1&!cnt0, !cnt1&cnt0, !cnt1&!cnt0 ]d0[1:0] = !cnt1&!cnt0 ? [ A, B ] : [ X, X ]d1[1:0] = !cnt1& cnt0 ? [ A, B ] : [ X, X ]

d2[1:0] = cnt1&!cnt0 ? [ A, B ] : [ X, X ]dout[1:0] = [A, B]

reset := 0din := AB


reset := 0

dout := AB

{ cnt1cnt0 := 0; }


{ } { } { } { }

GSTE Model Checking AlgorithmGSTE Model Checking Algorithm


56/80

56

g gg gGSTE(G, ckt)begin/* initialization */1. for each state q in G2. if q is an initial state3. cktState(q) := [ ] ;4. else5. cktState(q) := C;6. put every transition from the initial vertex into EVQ;/* Fix-point iteration */7. while (EVQ != empty)

8. (q, (ant, cons), q) := pick a transition from EVQ;9. (res, nxtState) := STEOneStep(ckt, cktState(q), ant, cons);10. if (res = false)11. return false;12. newState := nxtState union cktState(q);

13. if (newState != cktState(q))14. cktState(q) := newState;15. put every transition from q to EVQ;16. endwhile;17. return true;

end

Concurrent GSTEConcurrent GSTE


57/80

57

GSTE LimitationGSTE Limitation

Sequential in nature, not suitable for describingSequential in nature, not suitable for describing

current circuit behaviorscurrent circuit behaviors


Support concurrent specification and modelSupport concurrent specification and model

checkingchecking

Core idea: define a new operator to join twoCore idea: define a new operator to join twosequences togethersequences together



58/80

58

reset := 0din1 := AB

reset := 1 reset := 0din1 := 00

reset := 0din2 := CD

reset := 1 reset := 0

reset := 0

dout := AB+CD

reset := 0

din1 := AB

reset := 1 reset := 0din

1:= 00

din2 := CD

reset := 0

dout := AB+CD



59/80

59

reset := 0din1 := AB

reset := 1

reset := 0reset := 0 reset := 0

din1 := 00

reset := 0din

2

:= CDreset := 1

reset := 0 reset := 0din2 := 00

dout := AB+CD

PropertyPropertyIf some time in the past din1 got nonIf some time in the past din1 got non--zero value AB, din2 got nonzero value AB, din2 got non--zerozero

value CD, thenvalue CD, then doutdout must be AB+CDmust be AB+CD..

it would be very tedious to express in assertion graph for ait would be very tedious to express in assertion graph for alarge number of interleaving events!large number of interleaving events!

Voting MachineVoting Machine


60/80

60

grst

av[1]v[1]

av[2]v[2]

av[3]

v[3]

voutVotingMachine

A vote can be accepted at stationA vote can be accepted at station ii (through(through v[i]=1,2,3v[i]=1,2,3) when) whenit is availableit is available

Outputs a voting result (Outputs a voting result (voutvout=f(v[1], v[2], v[3])=f(v[1], v[2], v[3])) when all) when allthree votes are in, and then makes the stations available forthree votes are in, and then makes the stations available fornext round.next round.

2

2

2

2

Concurrent SpecificationConcurrent Specification


61/80

61

voted[i]

11ii33

wait

11ii33

assume: !rst & v[i]=0

random

assume: rst

wait[i]

assume: !rst & v[i]=Y[i]



voted[i] and wait

assume: !rst

assert: vout=f(Y[1],Y[2],Y[3])

outputvoted

assume: !rst

Concurrent SpecificationConcurrent Specification


62/80

62

voted[i]

11ii33

wait

11ii33


assert: av[i]

random

assert: av[i]

assume: rst

wait[i]

assert: av[i]



assert: av[i]

assert: av[i]assume: !rst & v[i]=Y[i]

voted[i] and wait

assume: !rst

assert: av[i]

assert: vout=f(Y[1],Y[2],Y[3])

outputvoted

assume: !rst

Voting Machine ImplementationVoting Machine Implementation


63/80

63

vout

+

2

0 =av[1]

v[1]

2

0 =av[2]

v[2]

2

0 =av[3]

v[3]

f

mux

0

v_[2]

v_[3]

voted[1]

rst

clr

clr

clr

clr

en

en

en

v_[1]

Direct Model CheckingDirect Model Checkingrst


64/80

64

vout

rst

+

2

0

av[i]

v[i] f

mu

x0

v_[i]

clr

en

clr

=

(!rst, vout=f(y[1],y[2],y[3]))

outputrandom wait[i] voted[i]

(rst, av[i])

(!rst & v[i]=0, av[i])

11ii33

voted

(!rst & v[i]=Y[i], av[i])

wait

11ii33


voted[i] and wait

(!rst, av[i])

(!rst & v[i]=0, av[i])true

poll

v_[i]=0



65/80

65

vout

rst

+

2

0

av[i]

v[i] f

mu

x0

v_[i]

clr

en

clr

=

(!rst, vout=f(Y[1],Y[2],Y[3]))


(rst, av[i])

(!rst & v[i]=0, av[i])

11ii33

voted


wait

11ii33


voted[i] and wait

(!rst, av[i])

(!rst & v[i]=0, av[i])true v_[i]=0

i.v_[i]=0

v_[i]=Y[i]

i.v[i]=0 & v_[i]=Y[i]

poll

no change



66/80

66

vout

+

2

0

av[i]

v[i] f

mu

x0

v_[i]

clr

en

clr

=

(!rst, vout=f(y[1],y[2],y[3]))


(rst, av[i])

(!rst & v[i]=0, av[i])

11ii33

voted


wait

11ii33


voted[i] and wait

(!rst, av[i])


poll

i.v_[i]=0

v_[i]=0v_[i]=Y[i]

i.v[i]=0 & v_[i]=Y[i]

no change

no change



67/80

67

vout

+

2

0

av[i]

v[i] f

mu

x0

v_[i]

clr

en

clr

=

(!rst, vout=f(y[1],y[2],y[3]))


(rst, av[i])

(!rst & v[i]=0, av[i])

1i3

voted


wait

1i3


voted[i] and wait

(!rst, av[i])


poll

i.v_[i]=Y[i]

i.v_[i]=0

v_[i]=0

i.v[i]=0 & v_[i]=Y[i]

v_[i]=Y[i]


68/80

ComparisonComparison


69/80

69

Advantage over model checkingAdvantage over model checking productproductspecificationspecification

highly efficient, avoid complexity ofhighly efficient, avoid complexity of productproduct

constructionconstructionover approximate, but can be refined by partialover approximate, but can be refined by partial productproduct

constructionconstruction

Advantage over assumeAdvantage over assume--guarantee paradigmguarantee paradigm implementation independent specificationimplementation independent specification

much less sensitive to implementation changesmuch less sensitive to implementation changes

Other aspects of GSTEOther aspects of GSTE


70/80

70

Dynamic simulationDynamic simulation

Monitor construction (Hu, Casas, Yang, ICCADMonitor construction (Hu, Casas, Yang, ICCAD

2003)2003)Assertion graphs as test programs (Yang,Assertion graphs as test programs (Yang,

ASPDAC 2005)ASPDAC 2005)

Compositional reasoningCompositional reasoningThrough monitor construction and modelThrough monitor construction and model

checking (Hu, Casas, Yang, CHARME 2003)checking (Hu, Casas, Yang, CHARME 2003)

Real Life Ex. 1: Memory VerificationReal Life Ex. 1: Memory Verification


71/80

71

Why interesting?Why interesting?

A commonly used unit inA commonly used unit in --processorprocessor

ComplexityComplexity

--

4 banks * 256 entries * 128 bits, 128K+ bits in total4 banks * 256 entries * 128 bits, 128K+ bits in total

Classic SMCClassic SMC capacity limitation causes state space explosioncapacity limitation causes state space explosion

STESTE finite time limitation requires openingfinite time limitation requires opening--up memory internals and explicitup memory internals and explicit(and tedious) symbolic indexing(and tedious) symbolic indexing

bank0

bank1

bank2

bank3

datawr128 alignmask

block

128

dataout

addr[9:0]

we

drive[4:0]

ck align[7:0]begin[4:0]end[4:0]


72/80

Complexity AnalysisComplexity Analysis


73/80

73

GSTE Ternary Representation:

addr datawrwrite

row[0]:

row[1]:

row[1023]:

stored

read

Summary:

Black-box verification

Complexity ~170 boolean variables for

128k+ model (~45 ifverifying individual bitsthen a word)

331 seconds on PIII600MHz

< 300 MB (most are forstoring the circuit)

Summary:Summary:

BlackBlack--box verificationbox verification

ComplexityComplexity

~170~170 booleanboolean variables forvariables for128k+ model (~45 if128k+ model (~45 ifverifying individual bitsverifying individual bitsthen a word)then a word)

331 seconds on PIII331 seconds on PIII600MHz600MHz

< 300 MB (most are for< 300 MB (most are forstoring the circuit)storing the circuit)

Real Life Ex.2: Resource SchedulerReal Life Ex.2: Resource Scheduler


74/80

74

Specification:Specification:

when resource is available (avail = 1), schedule the oldest readwhen resource is available (avail = 1), schedule the oldest readyy uopuop handling 10handling 10 uopsuops at a time, >1k state elements, >17000 gatesat a time, >1k state elements, >17000 gates

priority matrix, CAM, decision logic, powerpriority matrix, CAM, decision logic, power--saving feature etc.saving feature etc.

previous resultprevious result -- hundreds of small properties on priority matrix onlyhundreds of small properties on priority matrix only

CAM

receivinglogic

priority matrix

readylogic

Stagingand

CAMmatch

schedulinglo

gic

Deliveringlogic

uop

alloc

ready

avail

init

out

sched

wrback

Main ResultMain Result


75/80

75

Specification (basic idea):Specification (basic idea):

scheduleschedule uop[iuop[i], if (1)], if (1) uop[iuop[i] is the oldest ready] is the oldest ready and (2)and (2)resource is availableresource is available

uop[iuop[i] is oldest ready, if (1)] is oldest ready, if (1) uop[iuop[i] is ready] is ready and (2) for all jand (2) for all j i,i,eithereither uop[juop[j] is not ready] is not ready oror uop[iuop[i] arrived earlier than] arrived earlier thanuop[juop[j]]

Model checkingModel checking122.5 seconds, 36M on P4 1.5GHz122.5 seconds, 36M on P4 1.5GHz

scalablescalable -- O(logO(log22 ##uopsuops) variables, BDD was not a bottle) variables, BDD was not a bottle--neck!neck!

RealReal--Life FV ResultsLife FV ResultsIntel Pentium 4 1 5G


76/80

76

2952951321321212282282241854241854466824668266

361361451451002424406630406630348993489955

24024050050000103103187928187928224332243344

50950911711700401401187928187928224332243333

260260522052204141959562735627357506750622

3636122122446868173671736771871811

MemoryMemory

(MB.)(MB.)

TimeTime(sec.)(sec.)

#Prec.#Prec.NodesNodes

# Spec.# Spec.varsvars

#Gates#Gates#Latches#LatchesEx.Ex.

All cover nonAll cover non--trivial functionalities, a majority from inputs to outputstrivial functionalities, a majority from inputs to outputs

No prior model pruning/abstractionNo prior model pruning/abstraction

Intel Pentium 4 1.5G


77/80

GSTE in ActionGSTE in Action


78/80

78

SummarySummaryOperational specification


79/80

79

GSTEAssertion

Graph

GSTEModel

Checking

QuaternaryAbstraction

Operational specification describe temporal causality relation capture computation flow

Spec. driven implicit state exploration directed by the flow in specification tailored by antecedents

Quaternary circuit abstraction dynamically shaped by the specification tightly integrated in model checking

SummarySummary


80/80

80

GSTE is for realGSTE is for realhas been used byhas been used by FVersFVers for >2 year on verifyingfor >2 year on verifying

nextnext--gen. Intelgen. Intel --processors with thousands ofprocessors with thousands of

state elementsstate elements((BentlyBently HLDVTHLDVT02, Yang & Seger FMCAD02, Yang & Seger FMCAD02,02,

Schubert ICCADSchubert ICCAD03)03)

Future directionsFuture directionsSpecification reasoningSpecification reasoning

Better specification languageBetter specification language

Abstraction refinementAbstraction refinement

Formal Verification Solution

Documents

Transcript of Formal Verification Solution