High Level Design Validation: Current Practices & Future Trends 17th International Conference on...
-
Upload
eileen-rogers -
Category
Documents
-
view
220 -
download
0
Transcript of High Level Design Validation: Current Practices & Future Trends 17th International Conference on...
High Level Design Validation:Current Practices &
Future Trends
17th International Conference on VLSI Design17th International Conference on VLSI Design
Mumbai, IndiaMumbai, India
Januray 5th, 2004Januray 5th, 2004
TUTORIAL No. 3
AuthorsAuthors
Prof. Masahiro FujitaProf. Masahiro FujitaProfessorProfessorDept. of Electronic EngineeringDept. of Electronic EngineeringUniversity of Tokyo, JapanUniversity of Tokyo, JapanEmail: Email: [email protected]@ee.t.u-tokyo.ac.jp
Dr. Mukul PrasadDr. Mukul PrasadMember of Research StaffMember of Research StaffFujitsu Labs. of AmericaFujitsu Labs. of AmericaSunnyvale, CA, USASunnyvale, CA, USAEmail: Email: [email protected]@fla.fujitsu.com
Dr. Indradeep GhoshDr. Indradeep GhoshMember of Research StaffMember of Research StaffFujitsu Labs. of AmericaFujitsu Labs. of AmericaSunnyvale, CA, USASunnyvale, CA, USAEmail: Email: [email protected]@fla.fujitsu.com
Dr. Rajarshi MukherjeeDr. Rajarshi Mukherjee Member of Technical StaffMember of Technical Staff Calypto Design AutomationCalypto Design Automation Santa Clara, CA, USASanta Clara, CA, USA Email: Email: [email protected]@yahoo.com
Outline & IntroductionOutline & Introduction
MASAHIRO FUJITAMASAHIRO FUJITA
University of TokyoUniversity of Tokyo
Tokyo, JapanTokyo, Japan
[email protected]@ee.t.u-tokyo.ac.jp
Tutorial OutlineTutorial Outline
IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Necessity of high level verificationNecessity of high level verification
Over 70% of system LSI design time is for “verification”Over 70% of system LSI design time is for “verification” Over 50% reason of “re-spin” of ASIC designs is functional Over 50% reason of “re-spin” of ASIC designs is functional
design errorsdesign errors Need to find as many bugs and as early as possibleNeed to find as many bugs and as early as possible Once “golden models” are created, never introduce Once “golden models” are created, never introduce
design errorsdesign errors
Rem
ain
ing
bugs
Time
Verification methods:Simulation/EmulationVerification methods:Simulation/Emulation
SimulationSimulation Traditional, basic, and flexible techniqueTraditional, basic, and flexible technique Applicable at any design levelsApplicable at any design levels Difficulties in preparing “good” simulation Difficulties in preparing “good” simulation
patternspatterns Getting harder to cover corner casesGetting harder to cover corner cases
EmulationEmulation Can handle Software simultaneouslyCan handle Software simultaneously Cost and time for preparation: not ignorableCost and time for preparation: not ignorable Corner case problemCorner case problem
Spec
Formal VerificationFormal Verification ““Prove” the correctness of designsProve” the correctness of designs
Both design and spec must be represented with Both design and spec must be represented with mathematical modelsmathematical models
Mathematical reasoningMathematical reasoning Equivalence to “all cases” simulationsEquivalence to “all cases” simulations
Possible mathematical modelsPossible mathematical models Boolean function (Propositional logic)Boolean function (Propositional logic)
How to represent and manipulate on computersHow to represent and manipulate on computers First-order logicFirst-order logic
Need to represent “high level” designsNeed to represent “high level” designs Higher-order logicHigher-order logic
Theorem proving = Interactive methodTheorem proving = Interactive method Front-end is very importantFront-end is very important
In many cases, it determines the total performanceIn many cases, it determines the total performance
Mathematicalmodels
Design
Front-endtool
Verificationengines
Formal vs Simulation based VerificationFormal vs Simulation based Verification
Example:Example: Verification of Exclusive-OR circuits: Verification of Exclusive-OR circuits:
z = ~x&y + x&~y ( ‘~’ means compliment)z = ~x&y + x&~y ( ‘~’ means compliment)
G1
G2
G3
G4
x
y
a
b
c
z
Example: Formal vs Simulation (Cont.)Example: Formal vs Simulation (Cont.)
Verification of Exclusive-OR circuit with Verification of Exclusive-OR circuit with “simulation”“simulation” z and ~x&y+x&~y are equal for all casesz and ~x&y+x&~y are equal for all cases Need to simulate 2**N cases Need to simulate 2**N cases
x
y
a
b
c
z
00001111
11110011
11111100
00000000x y z ~x&y+x&~y
Verification of Exclusive-OR circuit with Verification of Exclusive-OR circuit with “formal verification”“formal verification” z = ~b + ~cz = ~b + ~c b = ~x + ~ab = ~x + ~a c = ~a + ~yc = ~a + ~y a = ~x + ~y a = ~x + ~y z = ~b + ~cz = ~b + ~c = ~(~x + ~a) + ~(~a + ~y)= ~(~x + ~a) + ~(~a + ~y) = a&x + a&y= a&x + a&y = (~x + ~y)&x + (~x + ~y)&y= (~x + ~y)&x + (~x + ~y)&y = x&~y + ~x&y= x&~y + ~x&y Axiomatic and Mathematical transformation of Axiomatic and Mathematical transformation of
expressions to reach the specificationexpressions to reach the specification
x
y
a
b
c
z
Example: Formal vs Simulation (Cont.)Example: Formal vs Simulation (Cont.)
Design Representation in High levelDesign Representation in High level
Super state: Need multiple cycles for Super state: Need multiple cycles for executionsexecutions
Op2 Op3
Op4
Op6
Op1
Op5PS3
PS1 PS2PS2
PS3
PS1
a = 42;while (a<100) { b = b + a; if (b > 50) c = c + d; a = a + c; }
SFSMD model
S1 S2
S3
Op2 Op3
Op4
Op6
Op1
Op5
FSMD modelDatapathcircuits
Controlcircuits
Establishmapping
Not so easy...Not so easy... Simulation patterns cannot be used Simulation patterns cannot be used
for formal verification (meaningless for formal verification (meaningless if used)if used)
Properties cannot be “simulated” as Properties cannot be “simulated” as it isit is
Anyway, write down properties...Anyway, write down properties... Assertion-based verificationAssertion-based verification Switch between formal and Switch between formal and
simulation-based dynamicallysimulation-based dynamically ……
Fusing Simulation and Formal Verification: Fusing Simulation and Formal Verification: Semi-formal Verification TechniquesSemi-formal Verification Techniques
SimulationPatterns
Property
Tutorial OutlineTutorial Outline
IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and decision proceduresTheorem proving and decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
High-Level Design Flow & High-Level Design Flow & Verification IssuesVerification Issues
MASAHIRO FUJITAMASAHIRO FUJITA
University of TokyoUniversity of Tokyo
Tokyo, JapanTokyo, Japan
[email protected]@ee.t.u-tokyo.ac.jp
Section OutlineSection Outline
System LSI designSystem LSI design From requirement to specification/functional From requirement to specification/functional
descriptionsdescriptions From functional description to implementationFrom functional description to implementation Verification problems in the design Verification problems in the design
methodologymethodology Verification techniques for high level designsVerification techniques for high level designs
System LSI DesignSystem LSI Design
System-on-Chip (SOC) designSystem-on-Chip (SOC) design Increase of design complexityIncrease of design complexity
1E0
1E1
1E2
1E3
1E4
1E5
1E6
1E7
Number of componentsLevel
Gate
RTL
Algorithm
System
Transistor
Ab
stra
ctio
n
Acc
ura
cy
System levelSystem levelSystem levelSystem level
IntroductionIntroduction System-on-Chip (SOC) designSystem-on-Chip (SOC) design Increase of design complexityIncrease of design complexity Move to higher levels of abstractionMove to higher levels of abstraction
1E0
1E1
1E2
1E3
1E4
1E5
1E6
1E7
Number of componentsLevel
Gate
RTL
Algorithm
Transistor
Ab
stra
ctio
n
Acc
ura
cy
System-On-Chip DesignSystem-On-Chip Design Specification to architecture to implementationSpecification to architecture to implementation Behavior to structureBehavior to structure
System level: system specification to system System level: system specification to system architecturearchitecture
RT/IS level: component behavior to component micro-RT/IS level: component behavior to component micro-architecturearchitecture
Specification+ constraints
Memory
Memory
µProcessor
Interface
Comp.IP
Bus
Interface
Interface
Interface
Custom HW
System architecture+ estimates
ProcessorsIPs
MemoriesBusses
RTL/IS Implementation+ results
RegistersALUs/FUsMemories
Gates
Mem RFState
Control
ALU
Datapath
PC
Control Pipeline
State
IF FSM
State
IF FSMIP Netlist
RAM
IR
Memory
Section OutlineSection Outline
System LSI designSystem LSI design From requirement to specification/functional From requirement to specification/functional
descriptionsdescriptions From functional description to implementationFrom functional description to implementation Verification problems in the design Verification problems in the design
methodologymethodology Verification techniques for high level designsVerification techniques for high level designs
What is UML? What is UML? UML is a language for:UML is a language for:
Specifying, Visualizing, Constructing, and Documenting Specifying, Visualizing, Constructing, and Documenting Software ArtifactsSoftware Artifacts
What does a modeling language provide?What does a modeling language provide? Model elementsModel elements: Concepts and semantics: Concepts and semantics NotationNotation: Visual rendering of model elements: Visual rendering of model elements GuidelinesGuidelines: Hints and suggestions for using : Hints and suggestions for using
elements in notationelements in notation
From Requirement to From Requirement to Specification/functional DescriptionsSpecification/functional Descriptions
Representing System ArchitectureRepresenting System Architecture
Conceptual Physical
Logical View
End-user Functionality
Implementation View
Programmers Software management
Process View
PerformanceScalabilityThroughput
System integrators
Deployment View
System topology Delivery, installation
Communication
System engineering
Use Case View
Ready-to-use, expressive visual modeling Ready-to-use, expressive visual modeling language that promotes language that promotes development/Exchangedevelopment/Exchange
Extensibility/specialization of core conceptsExtensibility/specialization of core concepts Independent of programming languages Independent of programming languages
and development processesand development processes Formal basis for understanding languageFormal basis for understanding language Encourage growth of OO tools marketEncourage growth of OO tools market Support higher level design conceptsSupport higher level design concepts
Collaborations, frameworks, patterns, etc.Collaborations, frameworks, patterns, etc.
Integrate the best practices of all OODIntegrate the best practices of all OOD
The Goals of UMLThe Goals of UML
UML Modeling Constructs/diagrams:UML Modeling Constructs/diagrams:Static vs. Dynamic PerspectivesStatic vs. Dynamic Perspectives
A diagram is a view into a modelA diagram is a view into a model Presented from the aspect of a particular Presented from the aspect of a particular
stakeholderstakeholder Provides a partial representation of the systemProvides a partial representation of the system Is semantically consistent with other viewsIs semantically consistent with other views
In UML, there are nine standard diagramsIn UML, there are nine standard diagrams Static ViewsStatic Views: Use Case, Class, Object, : Use Case, Class, Object,
Component, DeploymentComponent, Deployment Dynamic ViewsDynamic Views: Sequence, Collaboration, : Sequence, Collaboration,
Statechart, ActivityStatechart, Activity
Use-Case DiagramsUse-Case Diagrams Class and Object DiagramsClass and Object Diagrams Behavior DiagramsBehavior Diagrams
Statechart DiagramsStatechart Diagrams Activity DiagramsActivity Diagrams
Interaction DiagramsInteraction Diagrams Sequence DiagramSequence Diagram Collaboration DiagramCollaboration Diagram
Implementation DiagramsImplementation Diagrams Component DiagramComponent Diagram Deployment DiagramDeployment Diagram
UML Modeling Constructs/diagrams:UML Modeling Constructs/diagrams:Classification by Capability/timelineClassification by Capability/timeline
Relationship of Models and DiagramsRelationship of Models and Diagrams
Use CaseDiagramsUse Case
DiagramsUse CaseDiagrams
ScenarioDiagramsScenario
DiagramsCollaborationDiagrams
StateDiagramsState
DiagramsComponentDiagrams
ComponentDiagramsComponent
DiagramsDeploymentDiagrams
StateDiagramsState
DiagramsObjectDiagrams
ScenarioDiagramsScenario
DiagramsStatechartDiagrams
Use CaseDiagramsUse Case
DiagramsSequenceDiagrams
StateDiagramsState
DiagramsClassDiagrams
ActivityDiagrams
Models
Description ExampleDescription Example Host interface for compact flash memory Host interface for compact flash memory
Interface between NAND type flash memory and Interface between NAND type flash memory and host PChost PC
Use data buffer for asynchronous data Use data buffer for asynchronous data transfer and protocolstransfer and protocols
Use Case diagramUse Case diagram
Data transferswith protocol change
Confirm and changevarious status
Host PC NANDflashmemory
Design target
Interface between NAND Flash Interface between NAND Flash Memory and the Design TargetMemory and the Design Target
Use Case diagramUse Case diagram
Dataread/write
Confirm/changestatus
NANDflashmemory
Buffer
CPU
Activity DiagramActivity Diagram
Wait
NAND status
Ready
Busy
Send statusto CPU
Wait
ATA command/Interrupt
Interpret command
Data transferb/w Host andthe design target
Send statusto CPU
Sequence DiagramSequence Diagram
Databuffer
Synchro-nous IF CPU
NANDflash memory
Request data transferData transfer
BusyAsk statusReady
Get access rightStart transfer
Data transferFinish transfer
Finish transfer
Section OutlineSection Outline
System LSI designSystem LSI design From requirement to specification/functional From requirement to specification/functional
descriptionsdescriptions From functional description to implementationFrom functional description to implementation Verification problems in the design Verification problems in the design
methodologymethodology Verification techniques for high level designsVerification techniques for high level designs
Abstraction LevelsAbstraction LevelsStructure /
Implementation detailOrder /
Timing detail
Functional Untimed(causality)Specification
Structural Timed (estimated)
Architecture
Gate netlist
Gatedelays
Manufacturing
Bus-functional
Timing- accurate
Communication
RTL/IS Cycle-accurate
Implementation
Application domain MOCs (Matlab, SDF, etc.)
Requirements Constraints
Many small stepsof incremental refinement
Design FlowDesign Flow
Bus-functional
Structural
System design
Specification model
Algor.IP
Proto.IP
Architecture model
Communication synthesis
Communication model
Comp.IP
Implementation model
Softwarecompilation
Interfacesynthesis
Hardwaresynthesis
Backend
RTOSIP
RTLIP
Architecture exploration
Capture
Timed (estimated)
RTL/IS Cycle-accurate
Functional
Structure /Implementation detail
Untimed(causality)
Order /Timing detail
Timing- accurate
SpecC MethodologySpecC MethodologySystem design Validation flow
Specification model
Algor.IP
Proto.IP
Architecture model
Communication synthesis
Communication model
Comp.IP
Estimation
ValidationAnalysis
Compilation Simulation model
Estimation
ValidationAnalysis
Compilation Simulation model
Estimation
ValidationAnalysis
Compilation Simulation model
Implementation model
Softwarecompilation
Interfacesynthesis
Hardwaresynthesis
Backend Estimation
ValidationAnalysis
Compilation Simulation model
RTOSIP
RTLIP
Architecture exploration
Capture
Specification ModelSpecification Model
High-level, abstract modelHigh-level, abstract model Pure system functionalityPure system functionality Algorithmic behaviorAlgorithmic behavior No implementation detailsNo implementation details
No implicit structure / architectureNo implicit structure / architecture Behavioral hierarchyBehavioral hierarchy
UntimedUntimed Executes in zero (logical) timeExecutes in zero (logical) time Causal orderingCausal ordering Events only for synchronizationEvents only for synchronization
Specification model
Architecture exploration
Architecture model
Communication model
Implementation model
Communication synthesis
Backend
Specification Model ExampleSpecification Model Example
B1
v1
v2
e2
B1
B2 B3
Simple, typical specification modelSimple, typical specification model Hierarchical parallel-serial compositionHierarchical parallel-serial composition Communication through ports and variables, eventsCommunication through ports and variables, events
Architecture ExplorationArchitecture Exploration
Component allocation / Component allocation / selectionselection
Behavior partitioningBehavior partitioning
Variable partitioningVariable partitioning
SchedulingScheduling
Specification model
Architecture exploration
Architecture model
Communication model
Implementation model
Communication synthesis
Backend
Allocation, Behavior PartitioningAllocation, Behavior Partitioning
Allocate PEsAllocate PEs
Partition Partition behaviorsbehaviors
Globalize Globalize communicationcommunication
B2 B3c2
B1
v1
B1
Additional level of hierarchy to model PE structure
PE1
PE2
Architecture Model ExampleArchitecture Model Example
B3
B13rcv
B34snd
B2
B1B1
B13snd
B34rcv
PE1
c2
v1
cb13
cb34
PE2
v1
Architecture ModelArchitecture Model
Component structure/architectureComponent structure/architecture Top level of behavior hierarchy Top level of behavior hierarchy
Behavioral/functional component Behavioral/functional component
viewview Behaviors grouped under top-level Behaviors grouped under top-level
component behaviorscomponent behaviors Sequential behavior executionSequential behavior execution
TimedTimed Estimated execution delaysEstimated execution delays
Specification model
Architecture model
Communication model
Implementation model
Backend
Architecture exploration
Communication synthesis
Communication SynthesisCommunication Synthesis
Bus allocation / protocol Bus allocation / protocol selectionselection
Channel partitioningChannel partitioning
Protocol, transducer insertionProtocol, transducer insertion
InliningInlining
Specification model
Architecture model
Communication model
Implementation model
Backend
Communication synthesis
Architecture exploration
Bus Allocation / Channel PartitioningBus Allocation / Channel Partitioning
B3
B34snd
B2
B1B1
B13snd
B34rcv
PE1
c2
v1
cb13
cb34
PE2
v1
B13rcv
Allocate bussesAllocate busses
Partition channelsPartition channels
Update Update communicationcommunication
Additional level of hierarchy to model bus structure
Bus1
Model after Channel PartitioningModel after Channel Partitioning
B3
B34snd
B2
B1B1
B13snd
B34rcv
PE1
v1
PE2
v1
B13rcv
c2
cb13
cb34
Bus1
Communication Model ExampleCommunication Model Example
ready
ack
address[15:0]
data[31:0]
B3
B34snd
v1
B13rcv
B2
B1B1
B13snd
B34rcv
PE1
v1
PE2
Communication ModelCommunication Model
Component & bus Component & bus structure/architecturestructure/architecture Top level of hierarchyTop level of hierarchy
Bus-functional component modelsBus-functional component models Timing-accurate bus protocolsTiming-accurate bus protocols Behavioral component descriptionBehavioral component description
TimedTimed Estimated component delaysEstimated component delays
Specification model
Architecture model
Communication model
Implementation model
Backend
Communication synthesis
Architecture exploration
BackendBackend
Clock-accurate Clock-accurate implementation of PEsimplementation of PEs Hardware synthesisHardware synthesis
Software synthesisSoftware synthesis
Interface synthesisInterface synthesis
Specification model
Architecture model
Communication model
Implementation model
Backend
Communication synthesis
Architecture exploration
Hardware SynthesisHardware Synthesis
Schedule operations into clock cyclesSchedule operations into clock cycles Define clock boundaries in leaf behavior C codeDefine clock boundaries in leaf behavior C code Create FSMD model from scheduled C codeCreate FSMD model from scheduled C code
B3
B34snd
v1
B13rcv
PE2
PE2_CLK
PE2_CLK
PE2_CLK
Clock boundaries
Software SynthesisSoftware Synthesis Implement behavior on processor instruction-setImplement behavior on processor instruction-set
Code generationCode generation CompilationCompilation
B2
B1B1
B13snd
B34rcv
PE1
v1
Ff2 MOVE r0, r1
SHL r3 ADD r2, r3, r4 INC r2
PUSH r1 CALL Ff3 POP r0
Interface SynthesisInterface Synthesis
Implement communication on componentsImplement communication on components Hardware bus interface logicHardware bus interface logic
Software bus driversSoftware bus drivers
PE2Bus
IBu
sSla
ve
PE
2Pro
toco
l
IPro
toco
lSla
ve
ready
ack
addr[15:0]
data[31:0]
PE1Bus
IBu
sMas
ter
PE
1Pro
toco
l
IPro
toco
lMas
ter
ready
ack
addr[15:0]
data[31:0]
S0
S1
S2
S3
S4
DRV
Implementation Model ExampleImplementation Model Example
Software processor Custom hardware
ready
ack
address[15:0]
data[31:0]
PE2
PE2_CLKPE1_CLK
OBJ
PORTA
PORTB
INTA
PORTC
PE1
Instruction Set Simulator (ISS)
S0
S1
S2
S3
S4
Implementation ModelImplementation Model
Cycle-accurate system descriptionCycle-accurate system description RTL description of hardwareRTL description of hardware
Behavioral/structural FSMD viewBehavioral/structural FSMD view
Object code for processorsObject code for processors Instruction-set co-simulationInstruction-set co-simulation
Clocked bus communicationClocked bus communication Bus interface timing based on PE clockBus interface timing based on PE clock
Specification model
Architecture model
Communication model
Implementation model
Backend
Communication synthesis
Architecture exploration
Support: 1. Modeling EngineSupport: 1. Modeling Engine
Specification model
Architecture model
Communication model
Arch. refinement
Comm. refinement
Implementation model
Capture
Simulate
Compile
Simulate
Simulate
Simulate
Validation
Impl. refinement
Support: 2. Refinement EngineSupport: 2. Refinement Engine
Specification model
Architecture model
Communication model
Arch. refinement
Comm. refinement
Allocation
Beh. partitioning
Scheduling / RTOS
Refinement
Protocol selection
Channel partitioning
Spec. optimization
Arbitration
Impl. refinement
Implementation model
Capture
Cycle scheduling
Protocol scheduling
SW assembly
Browsing
Alg. selection
Validation
Compile
Simulate
Simulate
Simulate
Simulate
Support: 3. Exploration EngineSupport: 3. Exploration Engine
Specification model
Architecture modelEstimation
Profiling
Profiling data
Communication model
Profiling weights
Arch. refinement
Comm. refinement
Estimation results
Estimation
Estimation results
Impl. refinement
Implementation model
Capture
Validation
Protocolmodels
Comp. / IPmodels
Profile
Estimate
Estimate
Refinement
Allocation
Beh. partitioning
Scheduling / RTOS
Protocol selection
Channel partitioning
Spec. optimization
Cycle scheduling
Protocol scheduling
Browsing
Arbitration
SW assembly
Alg. selection
Simulate
Compile
Simulate
Simulate
Simulate
Support: 4. Synthesis EngineSupport: 4. Synthesis Engine
Specification model
Architecture modelEstimation
Profiling
Profiling data
Design decisions
Communication model
Profiling weights
Arch. synthesis
Arch. refinement
Comm. synthesis
Comm. refinement
Refinement
Estimation results
Design decisions
Estimation
Impl. synthesis
Estimation results
Design decisionsImpl. refinement
Implementation model
Capture
RTLcomp.
Validation
Protocolmodels
Comp. / IPattributes
Protocolattributes
Comp. / IPmodels
Verify
Synthesize
Synthesize
Synthesize
Verify
Verify
Verify
Compile
Estimate
Simulate
Simulate
Estimate
Simulate
Profile
Simulate
Allocation
Beh. partitioning
Scheduling / RTOS
Protocol selection
Channel partitioning
Spec. optimization
Cycle scheduling
Protocol scheduling
Browsing
Arbitration
SW assembly
Alg. selection
Tool example: SoC Environment: SCE Tool example: SoC Environment: SCE from UCIfrom UCI
Specification model
Architecture modelEstimation
Profiling
Profiling data
Communication model
Profiling weights
Arch. refinement
Comm. refinement
Estimation results
Estimation
Estimation results
Impl. refinement
Implementation model
Capture
Validation
Protocolmodels
Comp. / IPmodels
Profile
Estimate
Estimate
Refinement
Allocation
Beh. partitioning
Scheduling / RTOS
Protocol selection
Channel partitioning
Spec. optimization
Cycle scheduling
Protocol scheduling
Browsing
Arbitration
SW assembly
Alg. selection
Simulate
Compile
Simulate
Simulate
Simulate
Simulate
http://www.ics.uci.edu/~cad/sce.html
Section OutlineSection Outline
System LSI designSystem LSI design From requirement to specification/functional From requirement to specification/functional
descriptionsdescriptions From functional description to implementationFrom functional description to implementation Verification problems in the design Verification problems in the design
methodologymethodology Verification techniques for high level designsVerification techniques for high level designs
Formal verification in SpecC based Formal verification in SpecC based design methodologydesign methodology
C based design C based design description from description from specification (functional) specification (functional) level down to RTLlevel down to RTL
Incremental refinement on Incremental refinement on the SpecC/C descriptionsthe SpecC/C descriptions
Equivalence checking Equivalence checking between refinementsbetween refinements Between sequential and Between sequential and
parallel descriptions parallel descriptions Between two same control Between two same control
structuresstructures Property checking on each Property checking on each
refinementrefinement
Specificationin C
Refined description for hardware partsSoftware parts remain the same
Refined descriptionwith concurrency
Removal of pointer,recursive calling
Introduction ofconcurrency(SpecC or SystemCmay be used here) To RTL
design: Refinement step
Equivalence checking between two descriptions
Figure 1. C-based system design flow
Model checking on each description
Execution semantics in SpecCExecution semantics in SpecC
Sequentiality rule:Sequentiality rule:Tstart(B1) <= Tstart(a) < Tend(a) <=Tstart(B1) <= Tstart(a) < Tend(a) <=
Tstart(b) < Tend(b) <= Tstart(b) < Tend(b) <= Tstart(c) < Tend(c) <= Tend(B1) Tstart(c) < Tend(c) <= Tend(B1)
Sequential execution within a threadSequential execution within a thread
behavior B1{ void main(void) { a.main(); b.main(); c.main(); }};
B1
a b c
time
ExampleExample
d
a b c
time
B
e f
Execution semantics in SpecC (cont.)Execution semantics in SpecC (cont.)
Possible Schedule
Sequentiality rule:Sequentiality rule:Tstart(B) <= Tstart(a) < Tend(a) <=Tstart(B) <= Tstart(a) < Tend(a) <=
Tstart(b) < Tend(b) <= Tstart(b) < Tend(b) <= Tstart(c) < Tend(c) <= Tend(B) Tstart(c) < Tend(c) <= Tend(B)
Tstart(B) <= Tstart(d) < Tend(d) <=Tstart(B) <= Tstart(d) < Tend(d) <= Tstart(e) < Tend(e) <= Tstart(e) < Tend(e) <= Tstart(f) < Tend(f) <= Tend(B) Tstart(f) < Tend(f) <= Tend(B)
behavior B2{ void main(void) { d.main(); e.main(); f.main();} };
behavior B1{ void main(void) { a.main(); b.main(); c.main();} };
behavior B{ void main(void) { par { b1.main(); b2.main();} }};
Example: concurrencyExample: concurrency
Execution semantics in SpecC (cont.)Execution semantics in SpecC (cont.)
Waitfor rule: Waitfor rule: 0 <= Tstart(a) < Tend(a) < 10 <= Tstart(a) < Tend(a) < 10 <= Tstart(w) < Tend(w) = 100 <= Tstart(w) < Tend(w) = 1010 <= Tstart(b) < Tend(b) < 1110 <= Tstart(b) < Tend(b) < 11
behavior B{ void main(void) { a.main(); waitfor 10; b.main(); } };
a w b
timet = 0 t = 1 t = 10 t = 11
Time-interval formalism Time-interval formalism Simulation time Simulation time Only waitfor increases simulation timeOnly waitfor increases simulation time Other statements execute in zero simulation timeOther statements execute in zero simulation time
ExampleExample
Synchronization SemanticsSynchronization Semantics wait/notify rule in time-interval formalism:wait/notify rule in time-interval formalism:
waitwait cannot proceed until it receives a notified cannot proceed until it receives a notified eventevent
notified event is validnotified event is validuntil a until a waitwait or or waitforwaitfor statement is reached statement is reached
Example:Example: Notify-wait rule derives: Tend(w) >= Tend(n)Notify-wait rule derives: Tend(w) >= Tend(n)
wait cannot proceed until it receives notified eventwait cannot proceed until it receives notified event
a w b
c n d
A
B
thread
time
‘wait e1’ starts
‘notify e1’ done
‘wait e1’ succeeds
this order is guaranteed!
behavior A: a.main(); wait e1; b.main();behavior B: c.main(); notify e1; d.main();
void A() {
}void B() {
}
void main() { A(); B(); C();}
void C() {
}
Incremental Refinement Steps Incremental Refinement Steps
A
B
C
Starting with a functional model, make each part more Starting with a functional model, make each part more detaileddetailed A1, B1, and C1 are refinement of A, B, and C respectivelyA1, B1, and C1 are refinement of A, B, and C respectively
void A1() {
}void B1() {
}
void main() { A1(); B1(); C1();}
void C1() {
}
A1
B1
C1
Incremental Refinement StepsIncremental Refinement Steps
A1 B1
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C1
Change of control structuresChange of control structures IF-THEN-ELSEIF-THEN-ELSE Sequential to parallelSequential to parallel
void A1() {
}void B1() {
}
void main() { A1(); B1(); C1();}
void C1() {
}
A1
B1
C1
notify wait
Incremental Refinement StepsIncremental Refinement Steps
A2 B2
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C2
Again make each part more detailedAgain make each part more detailed A2, B2, and C2 are refinement of A1, B1, and C1 A2, B2, and C2 are refinement of A1, B1, and C1
respectivelyrespectively
A1 B1
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C1
notify wait
notify wait
Equivalence Checking Comparison of Equivalence Checking Comparison of two Descriptions with Same Controltwo Descriptions with Same Control
A1 B1
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C1
If A and A1, B and B1, C and C1 are equivalent, then entire If A and A1, B and B1, C and C1 are equivalent, then entire descriptions are equivalentdescriptions are equivalent Comparison of two “similar” descriptionsComparison of two “similar” descriptions
A B
void A() {
}void B() {
}
void main() { par{ A.main(); B.main(); } C.main();}
void C() {
}
C
notify wait
notify wait
void A() {
}void B() {
}
void main() { A(); B(); C();}
void C() {
}
Equivalence Checking between Equivalence Checking between Sequential and Parallel VersionsSequential and Parallel Versions
A
A B
B
C
void A() {
}void B() {
}
void main() { par{ A.main(); B.main(); } C.main();}
void C() {
}
C
Based on synchronization verification, prove equivalenceBased on synchronization verification, prove equivalence Extraction of synchronizationExtraction of synchronization and dependency analysis and dependency analysis
notify-wait pairare supposed to communicate !
notify wait
void A() {
}void B() {
}
void main() { A(); B(); C();}
void C() {
}
Various SpecC Description Refinements Various SpecC Description Refinements
A
B
C
Starting from pure functional ones, refine them into Starting from pure functional ones, refine them into more HW/SW oriented onesmore HW/SW oriented ones
void A1() {
}void B1() {
}
void main() { A1(); B1(); C1();}
void C1() {
}
A1
B1
C1
SpecC Description Refinements (cont.)SpecC Description Refinements (cont.)
A1 B1
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C1
From sequential ones to parallel onesFrom sequential ones to parallel ones
void A1() {
}void B1() {
}
void main() { A1(); B1(); C1();}
void C1() {
}
A1
B1
C1
SpecC Description Refinements (cont.)SpecC Description Refinements (cont.)
A2 B2
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C2
More refinement on each block of descriptionsMore refinement on each block of descriptions
A1 B1
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C1
Equivalence Checking between Equivalence Checking between Same Control StructuresSame Control Structures
A1 B1
void A1() {
}void B1() {
}
void main() { par{ A1.main(); B1.main(); } C1.main();}
void C1() {
}
C1
The two below are equivalence, if A and A1, B and B1, C and C1 The two below are equivalence, if A and A1, B and B1, C and C1 are equivalentare equivalent Equivalence checking between two very similar descriptionsEquivalence checking between two very similar descriptions
A B
void A() {
}void B() {
}
void main() { par{ A.main(); B.main(); } C.main();}
void C() {
}
C
void A() {
}void B() {
}
void main() { A(); B(); C();}
void C() {
}
Equivalence Checking between Equivalence Checking between Sequential and Parallel StructuresSequential and Parallel Structures
A
A B
B
C
void A() {
}void B() {
}
void main() { par{ A.main(); B.main(); } C.main();}
void C() {
}
C
For example, if A and B are totally independent computations, they For example, if A and B are totally independent computations, they are equivalentare equivalent Extract control structureExtract control structure and check the final computation is equal and check the final computation is equal
Verification ofSynchronization
void A() {
}void B() {
}
void main() { A(); B(); C();}
void C() {
}
Synchronization Verification: Synchronization Verification: Par Statement in SpecCPar Statement in SpecC
A
A B
C Language SpecC Language
B
C
void A() {
}void B() {
}
void main() { par{ A.main(); B.main(); } C.main();}
void C() {
}
C
Synchronization in SpecCSynchronization in SpecC
Add notify/wait of event e for sync.Add notify/wait of event e for sync. ‘‘wait’ will stop process until it is ‘notify’ wait’ will stop process until it is ‘notify’
A B
void A() {
}void B() {
}
void main() { par { A.main(); B.main(); }}
notify e1;wait e2;
wait e1;notify e2; wait e1
Process B stopsand wait untile1 is notified
notify e1
B resumeswait e2
Process A stopsand wait untile2 is notified
notify e2
A resumes
main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ }} behavior b { main() { x=20; /*st3*/ }}
time
a.main()
b.main()
St1 St2
St3
Tas T1s T1e T2s T2e Tae
Tbs T3s T3e Tbe
main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}
time
a.main()
b.main()
St1 St2
St3
Tas T1s T1e T2s T2e Tae
Tbs T3s T3e Tbe
Synchronization by Notify/wait
Synchronization in SpecC (cont.)Synchronization in SpecC (cont.)
Ambiguous results on y causing from x = 10; /*st1*/x = 20; /*st3*/
y = 20 (always)
Synchronization in SpecC (cont.)Synchronization in SpecC (cont.)
y = 20 (always)
main() { par{ a.main(); b.main(); }} behavior a { main() { x=10; /*st1*/ y=x+10; /*st2*/ notify e; /*New*/}} behavior b { main() { wait e; /*New*/ x=20; /*st3*/ }}
time
a.main()
b.main()
St1 St2
St3
Tas T1s T1e T2s T2e Tae
Tbs T3s T3e Tbe
Synchronization by Notify/wait
Tas=Tbs, Tae=TbeTas=Tbs, Tae=Tbe Tas<=T1s<T1e<=T2s<T2e<=TasTas<=T1s<T1e<=T2s<T2e<=Tas Tbs<=T3s<T3e<=TbeTbs<=T3s<T3e<=Tbe T2e<=T3sT2e<=T3s
Section OutlineSection Outline
System LSI designSystem LSI design From requirement to specification/functional From requirement to specification/functional
descriptionsdescriptions From functional description to implementationFrom functional description to implementation Verification problems in the design Verification problems in the design
methodologymethodology Verification techniques for high level designsVerification techniques for high level designs
Basic Method: Symbolic SimulationBasic Method: Symbolic Simulation
Example of checking the behavioral Example of checking the behavioral consistency based on symbolic simulationconsistency based on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass
a = v1;b = v2;add1 = a + b;
Description 1
add2 = v1 + v2;
Description 2
EqvClass
Symbolic simulation
We are going to check the equivalencebetween add1 and add2
** Further discussed in later Section Further discussed in later Section
Symbolic Simulation ExampleSymbolic Simulation Example
This is an example of equivalence checking This is an example of equivalence checking based on symbolic simulationbased on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass
a = v1;b = v2;add1 = a + b;
Description 1
add2 = v1 + v2;
Description 2
EqvClass
Symbolic simulation
E1 (a, v1)E2 (b, v2)E3 (add1, a+b)
Description1 is simulated
Symbolic Simulation ExampleSymbolic Simulation Example
This is an example of equivalence checking This is an example of equivalence checking based on symbolic simulationbased on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass
a = v1;b = v2;add1 = a + b;
Description 1
add2 = v1 + v2;
Description 2
EqvClass
Symbolic simulation
E1 (a, v1)E2 (b, v2)E3 (add1, a+b)E4 (add2, v1+v2)
Description2 is simulated
Symbolic Simulation ExampleSymbolic Simulation Example
This is an example of equivalence checking This is an example of equivalence checking based on symbolic simulationbased on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass
a = v1;b = v2;add1 = a + b;
Description 1
add2 = v1 + v2;
Description 2
EqvClass
Symbolic simulation
E1 (a, v1)E2 (b, v2)E3 (add1, a+b)E4 (add2, v1+v2)
Due to the equivalencesin E1, E2
Symbolic Simulation ExampleSymbolic Simulation Example
This is an example of equivalence checking This is an example of equivalence checking based on symbolic simulationbased on symbolic simulation Equivalent variables are collected into EqvClassEquivalent variables are collected into EqvClass
a = v1;b = v2;add1 = a + b;
Description 1
add2 = v1 + v2;
Description 2
EqvClass
Symbolic simulation
E1 (a, v1)E2 (b, v2)E3’ (add1, a+b, add2, v1+v2)
E3 & E4 are mergedinto E3’
Program Slicing for C/SpecCProgram Slicing for C/SpecC
The codes to be symbolically simulated are extracted The codes to be symbolically simulated are extracted by program slicingby program slicing This means This means onlyonly extracted codes will be simulated for extracted codes will be simulated for
verificationverification Program slicing can extract the codes that can affect Program slicing can extract the codes that can affect
(be affected by) a variable(be affected by) a variable Two kinds of slicing: backward slicing and forward Two kinds of slicing: backward slicing and forward
slicingslicing Based on C program slicer, program slicer for SpecC Based on C program slicer, program slicer for SpecC
is developed based on VHDL program slicer [Shankar]is developed based on VHDL program slicer [Shankar] IF the two descriptions have the same control structures, a IF the two descriptions have the same control structures, a
little bit of extension is enoughlittle bit of extension is enough
Backward SlicingBackward Slicing
Backward slicing for a variable Backward slicing for a variable vv extracts extracts all codes that affect the variable all codes that affect the variable vv
a = 2;
b = 3;
c = 5;
a = a + 10;
b = a * c; /start/
c = c + a;
a = a * b;
a = 2;
b = 3;
c = 5;
a = a + 10;
b = a * c; /start/
c = c + a;
a = a * b;
Backward slicing
Forward SlicingForward Slicing
Forward slicing for a variable Forward slicing for a variable v v extracts all extracts all codes that are affected by the variable codes that are affected by the variable vv
a = 2;
b = 3;
c = 5;
a = a + 10;
b = a * c; /start/
c = c + a;
a = a * b;
Forward slicinga = 2;
b = 3;
c = 5;
a = a + 10;
b = a * c; /start/
c = c + a;
a = a * b;
Efficient Equivalence CheckingEfficient Equivalence Checking Comparison of two similar design descriptionsComparison of two similar design descriptions
Extract textual differencesExtract textual differences Dependency analysis by program slicing type Dependency analysis by program slicing type
techniquestechniques Symbolically simulate the real difference and analyze Symbolically simulate the real difference and analyze
the resultsthe results
Description1 Description2
return a; return a; return a; return a;
: textual differences
Description1 Description2
Verification Flow (1)Verification Flow (1)
Description 1 Description 2
Pre-processes
Identification of textual differences & ordering them
Output the set of textual differences (d1, d2, d3, …)
Identification of Textual DifferencesIdentification of Textual Differences
First, textual differences are identified by “diff”First, textual differences are identified by “diff” Then, they are sorted in the order of executionThen, they are sorted in the order of execution
int v1, v2, out, opcode;v1 = 3;v2 = 5;if(opcode == 1) { out = v1 + v2;}
Description 1
int v1, v2, out, opcode;int reg1, reg2, alu;v1 = 3;v2 = 5;reg1 = v1;reg2 = v2;if(opcode == 1) { alu = reg1 + reg2; out = alu;}
Description 2
d1
d2
d3
Consistencyis proved
Verification Flow (2)Verification Flow (2)
Is there any differences left?
Decision of target variables
Backward slicing
Symbolic simulation
Symbolic simulation
Forward slicing
Yes
NoVerification terminates successfully
An erroneous trace is reported
Consistency is not proved
Consistencyis proved
Consistency is not proved
(d1, d2, d3, …)
Verification Flow (2)Verification Flow (2)
Is there any differences left?
Decision of target variables
Backward slicing
Symbolic simulation
Symbolic simulation
Forward slicing
Yes
NoVerification terminates successfully
An erroneous trace is reported
Consistencyis proved Consistency is not proved
Consistencyis proved
Consistency is not proved
(d1, d2, d3, …)
Decision of Target VariablesDecision of Target Variables A variable A variable vv in a difference in a difference dd is a target variable, is a target variable,
When the variable When the variable vv is defined in both descriptions, and is defined in both descriptions, and assigned in the difference assigned in the difference dd
int v1, v2, out, opcode;v1 = 3;v2 = 5;if(opcode == 1) { out = v1 + v2;}
Description 1
int v1, v2, out, opcode;int reg1, reg2, alu;v1 = 3;v2 = 5;reg1 = v1;reg2 = v2;if(opcode == 1) { alu = reg1 + reg2; out = alu;}
Description 2
d1
d2
d3
Consistencyis proved
Case SplitCase Split
Is there any differences left?
Decision of target variables
Backward slicing
Symbolic simulation
Symbolic simulation
Forward slicing
Yes
NoVerification terminates successfully
An erroneous trace is reported
Consistency is not proved
Consistencyis proved
Consistency is not proved
(d1, d2, d3, …)
Symbolic Simulation/ Bounded Symbolic Simulation/ Bounded Model CheckingModel Checking
Reduced to Boolean SAT problems (OBDD or SAT)Reduced to Boolean SAT problems (OBDD or SAT)
Is there an input
pattern generating “one” at the
output
0x nx…
… …
Mem.
Expand k times
0y
my my
0y
… … …
Cycle 1 Cycle 2 Cycle k
…
…
00x 0
nx 1nx1
0x kx0knx
00y
0my
10y
1my
ky0
kmy
… … …
Checker Circuit
Convert
Property
(reset && X(reset) && XX(reset) &&c) ⇒ ( XX(out)=in)
Approaches for Verifying High-level DesignsApproaches for Verifying High-level Designs
Propositional logic First-order logic, ...⇒Propositional logic First-order logic, ...⇒ e.g. Abstraction of arithmetic op’s by symbols(<, +, *,...)e.g. Abstraction of arithmetic op’s by symbols(<, +, *,...)
ApproachesApproaches SAT for Logic of uninterpreted functions with equality SAT for Logic of uninterpreted functions with equality
Equivalence checking without considering meaning of Equivalence checking without considering meaning of functionsfunctions
Hybrid SATHybrid SAT SAT for Boolean formulas with linear constraintsSAT for Boolean formulas with linear constraints
ToolTool SVC(Stanford Validity Checker) toolSVC(Stanford Validity Checker) tool
– Boolean logic, linear programming, uninterpreted Boolean logic, linear programming, uninterpreted function,. arrays..function,. arrays..
Logic of Uninterpreted Functions with Logic of Uninterpreted Functions with EqualityEquality
Arithmetic operations are handled as symbolsArithmetic operations are handled as symbols
Equivalence checking :“Design 1 = Design 2 ?”Equivalence checking :“Design 1 = Design 2 ?” There is a decision procedure.There is a decision procedure. Can be checked by SVC tool.Can be checked by SVC tool.
f Yx
yc
Y:= if c then x else f(x,y)1
0
AbstractionAbstraction
Like to handle very large Like to handle very large descriptionsdescriptions
Reduction of the number Reduction of the number of states is a mustof states is a must Merging multiple states Merging multiple states
into a single stateinto a single state Abstracted designs contain Abstracted designs contain
more behaviors than the more behaviors than the originalsoriginals
False-negative results False-negative results possible, but never false-possible, but never false-positivepositive
A set of behaviors of the abstracted design
A set of behaviorsof the original design
** Further discussed in later Section Further discussed in later Section
AbstractionAbstraction
If some property holds,If some property holds, then the original design is correctthen the original design is correct Otherwise,Otherwise,
the design is incorrect, or the the design is incorrect, or the abstraction is too strongabstraction is too strong
Refinement is necessary to Refinement is necessary to prove the propertyprove the property
Behaviors allowed by a property
“The property holds”. “The property does not hold”.
incorrect
abstraction is too strong
Indistinguishablefrom the verification
result for the abstracted design
Model Checking of C programsModel Checking of C programs
Basic techniquesBasic techniques abstraction, model checking, and error analysis + abstraction, model checking, and error analysis +
refinementrefinement
ModifiedProgram
C Program
Properties
AbstractedBoolean Program
Counter-example
New constraint
s
Abstraction
Model
Checking
Error analysis
Bugs
Correct
Microsoft’s SLAM tool
Tutorial OutlineTutorial Outline
IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Theorem Proving & Decision Theorem Proving & Decision ProceduresProcedures
MASAHIRO FUJITAMASAHIRO FUJITA
University of TokyoUniversity of Tokyo
Tokyo, JapanTokyo, Japan
[email protected]@ee.t.u-tokyo.ac.jp
Symbolic LogicSymbolic Logic
Symbolic logic deals with the structure of Symbolic logic deals with the structure of reasoningreasoning
It defines ways to deal with relationships It defines ways to deal with relationships between conceptsbetween concepts
Provides ways to compose proofs of Provides ways to compose proofs of statementsstatements
Provides ways to express statements in a Provides ways to express statements in a precise, compact and symbolic mannerprecise, compact and symbolic manner
Symbolic Logic (cont.)Symbolic Logic (cont.)
More precisely, a formal symbolic More precisely, a formal symbolic logic consists of logic consists of A notation (symbols and syntax)A notation (symbols and syntax)
A set of axioms (facts)A set of axioms (facts) A set of inference rules (deduction A set of inference rules (deduction
sheme)sheme)
Types of Symbolic LogicTypes of Symbolic Logic
Propositional Logic – commonly known as Propositional Logic – commonly known as Boolean algebraBoolean algebra Variables in this algebra Variables in this algebra {0,1} {0,1}
First Order LogicFirst Order Logic Existential (Existential () and Universal () and Universal () quantifiers ) quantifiers
over variables over variables
Higher Order LogicHigher Order Logic Existential and Universal quantification over Existential and Universal quantification over
sets and functionssets and functions
Key Features of a TheoryKey Features of a Theory
Expressiveness Expressiveness what kind of statements can be written what kind of statements can be written
in the theoryin the theory Completeness Completeness
all valid formulas are provableall valid formulas are provable DecidabilityDecidability
there exists an algorithm to deduce the there exists an algorithm to deduce the truth of any formula in the theorytruth of any formula in the theory
Comparison of Types of LogicComparison of Types of Logic
PropositionalPropositional Least expressive, decidable, completeLeast expressive, decidable, complete
First Order LogicFirst Order Logic More expressive, decidable, not More expressive, decidable, not
completecomplete Higher Order LogicHigher Order Logic
Most expressive, not decidable, not Most expressive, not decidable, not completecomplete
First-Order LogicFirst-Order Logic
First-Order Logic First-Order Logic theory in symbolic logic theory in symbolic logic formalizes quantified statements formalizes quantified statements
E.g: “there exists an object such that…” or “for all objects, it is E.g: “there exists an object such that…” or “for all objects, it is the case that…”the case that…”
Statements in first-order logic built using:Statements in first-order logic built using: VariablesVariables x, yx, y ConstantsConstants 0, C, 0, C, FunctionsFunctions f (x ), x + yf (x ), x + y PredicatesPredicates p (x ), x > y, x = yp (x ), x > y, x = y Boolean connectivesBoolean connectives , , , , , , QuantifiersQuantifiers , ,
First-Order TheoriesFirst-Order Theories
A first-order theory A first-order theory a set of first-order statements about a related a set of first-order statements about a related
set of constants, functions, and predicates.set of constants, functions, and predicates. Example:Example:
A theory of arithmetic might include the A theory of arithmetic might include the following statements about following statements about 00 and and ++::
x. ( x + 0 = x )x. ( x + 0 = x )
x,y. (x + y = y + x )x,y. (x + y = y + x )
Validity of an Expression in a TheoryValidity of an Expression in a Theory
Given Given a theory and an expression a theory and an expression
Using Using building blocks of that theorybuilding blocks of that theory if expression evaluates to true for every if expression evaluates to true for every
evaluation, then it is valid in the theoryevaluation, then it is valid in the theory Example: Example:
X >= 0 is a valid expression in positive real X >= 0 is a valid expression in positive real arithmeticarithmetic
Validity Checking & UndecidabilityValidity Checking & Undecidability
Given a theory Given a theory in first-order logic and an in first-order logic and an expression expression we wish to prove that we wish to prove that is valid is valid in in Validity of Validity of in in is written as is written as |= |= Undecidability of FOLUndecidability of FOL
A well-known result states that in general it is undecidable A well-known result states that in general it is undecidable whether a FOL formula is valid in a given first-order whether a FOL formula is valid in a given first-order theorytheory
However with appropriate restrictions on However with appropriate restrictions on and and the theory can be made decidable and practical the theory can be made decidable and practical programs can be built around itprograms can be built around it
Why is Validity Checking Interesting?Why is Validity Checking Interesting?
Many practical problems can be posed as Many practical problems can be posed as formulas in a certain theory or a formulas in a certain theory or a combination of theoriescombination of theories
A proof of validity of this formula results in a A proof of validity of this formula results in a solution to the problemsolution to the problem ExampleExample
Scheduling of complex operations in a manufacturing Scheduling of complex operations in a manufacturing plantplant
Proof SystemProof System
A formal proof in a theory A formal proof in a theory a set of steps of statements a set of steps of statements a statement is derived from a previous statement using a a statement is derived from a previous statement using a
set of defined inference rulesset of defined inference rules Rewrite rulesRewrite rules
deal with mechanical massaging of statements deal with mechanical massaging of statements irrespective of the meaning of the statementsirrespective of the meaning of the statements
Key requirement of a proof system Key requirement of a proof system soundness : all provable formulas are logically true!soundness : all provable formulas are logically true!
A proof system need not be complete or decidable A proof system need not be complete or decidable in order to be useful!in order to be useful!
Theorem ProverTheorem Prover
Given Given a theory, a proof system, and a formula whose a theory, a proof system, and a formula whose
validity must be provedvalidity must be proved a system that allows a user to carry out the a system that allows a user to carry out the
proof is broadly classified as a theorem proverproof is broadly classified as a theorem prover AdvantagesAdvantages
Expressive, high abstraction, powerful Expressive, high abstraction, powerful reasoning, reasoning,
DisadvantagesDisadvantages Low automation, expert knowledge requiredLow automation, expert knowledge required
Automated vs. Interactive Theorem Automated vs. Interactive Theorem Proving Proving John Rushby, SRI, asserts “John Rushby, SRI, asserts “There are no fully There are no fully
automatic theorem proversautomatic theorem provers”.”. For best performance most theorem provers require For best performance most theorem provers require
user guidanceuser guidance Variable ordering, weighting of literals, function symbols, Variable ordering, weighting of literals, function symbols,
strategy selection, orientation of equations, invention of strategy selection, orientation of equations, invention of ordering lemmas, induction hintsordering lemmas, induction hints
Automation in certain domainsAutomation in certain domains Propositional logic using SAT solvers, BDDsPropositional logic using SAT solvers, BDDs Linear arithmetic – integer/linear programmingLinear arithmetic – integer/linear programming Temporal logic – model checkingTemporal logic – model checking Induction (Boyer-Moore heuristics)Induction (Boyer-Moore heuristics)
Well-known Theorem ProversWell-known Theorem Provers
Higher order: ALF, Alfa, Coq, HOL, PVSHigher order: ALF, Alfa, Coq, HOL, PVS Logical Frameworks: Isabelle, LF, TwelfLogical Frameworks: Isabelle, LF, Twelf Inductive: ACL2, InkaInductive: ACL2, Inka Automated: Gandalf, TPS, Otter, Setheo, Automated: Gandalf, TPS, Otter, Setheo,
SPASSSPASS EQP, Maude, SVCEQP, Maude, SVC Provers used in Verification – Provers used in Verification – HOL, PVS, HOL, PVS,
ACL2, SVCACL2, SVC
PVSPVS
A
PVS File
System model
FormulaeTo be proved
Proofs
• Owre et al., 1992 at SRIOwre et al., 1992 at SRI
• System model is translated either automatically or manuallySystem model is translated either automatically or manually• Formulae to be proved are also translated from their native formsFormulae to be proved are also translated from their native forms• Proofs are usually carried out interactivelyProofs are usually carried out interactively
PVS MethodologyPVS Methodology
Automate everything that is decidableAutomate everything that is decidable Propositional calculus, linear arithmetic, finite-state Propositional calculus, linear arithmetic, finite-state
model checkingmodel checking Heuristic automation for obvious cases for other Heuristic automation for obvious cases for other
problemsproblems Hashing conditional rewriter integrated with decision Hashing conditional rewriter integrated with decision
proceduresprocedures Instantiation, inductionInstantiation, induction
Human control for things difficult to automateHuman control for things difficult to automate Sequent calculus presentationSequent calculus presentation Tactic language for defining higher-level proof strategiesTactic language for defining higher-level proof strategies
Stanford Validity Checker (SVC)Stanford Validity Checker (SVC)
Started with applications to processor verificationStarted with applications to processor verification [Burch and Dill ‘94][Burch and Dill ‘94] [Jones et al. ‘95][Jones et al. ‘95]
Applications since releaseApplications since release Symbolic simulation Symbolic simulation [Su et al. ‘98][Su et al. ‘98] Software specification checking Software specification checking [Park et al. ‘98][Park et al. ‘98] Infinite-state model checking Infinite-state model checking [Das and Dill ‘01][Das and Dill ‘01] Theorem prover proof assistance Theorem prover proof assistance [Heilmann ‘99][Heilmann ‘99] Integration into programming languages Integration into programming languages [Day et al. ‘99][Day et al. ‘99]
Overall Flow of SVCOverall Flow of SVC Given an expression whose validity has to be Given an expression whose validity has to be
checkedchecked Choose an atomic formula Choose an atomic formula ƒ ƒ in the expressionin the expression Case split on the atomic formulaCase split on the atomic formula
Create two subformulas, for Create two subformulas, for ƒƒ = 0, and = 0, and ƒ = ƒ = 11 Simplify the two subformulasSimplify the two subformulas Iteratively check the validity of the two subformulasIteratively check the validity of the two subformulas
Example: Example: ( ( x x << y ) y ) ( y ( y < < x ) x ) ( x ( x == y ) y ) Choose Choose f = ( x < y )f = ( x < y ) Case split on f to get two subformulasCase split on f to get two subformulas
Simplify
Simplify
( true ) ( y < x )
true
( false ) ( y < x ) ( x = y ) ( y < x ) ( x = y )
Example (cont.)Example (cont.)
( y ( y < < x ) x ) ( x ( x == y ) y ) Choose Choose f = ( y f = ( y < < x ) x ) Case splitting gives two subformulasCase splitting gives two subformulas
true true ( x ( x == y ) true y ) true
false false ( x ( x == y ) ( x y ) ( x == y ) y )
Case splitting onCase splitting on f = ( x = y ) f = ( x = y ) gives two subformulasgives two subformulas
true and falsetrue and false The only false node is formula:The only false node is formula: ( x y ) ( y x ) ( x y )
Simplify
Simplify
If this formula can be proved unsatisfiable by theory then formula is a If this formula can be proved unsatisfiable by theory then formula is a tautologytautology
How is Validity Checking done?How is Validity Checking done? The validity checker is built on top of a core The validity checker is built on top of a core
decision procedure for decision procedure for satisfiabilitysatisfiability in a theory in a theory of a set of literals in the theory of a set of literals in the theory A literal is an atomic formula or its negationA literal is an atomic formula or its negation The core decision procedure depends on the The core decision procedure depends on the
theorytheory e.g. a Satisfiability Solver can be used for Propositional e.g. a Satisfiability Solver can be used for Propositional
LogicLogic
SVC proposesSVC proposes use of several decision theories targeted to use of several decision theories targeted to
several theories several theories gives the strongest decision proceduregives the strongest decision procedure
Need for Multiple TheoriesNeed for Multiple Theories
Why are multiple theories needed?Why are multiple theories needed? Most real-life problems when cast into a problem Most real-life problems when cast into a problem
of proving validity of a formula span a set of of proving validity of a formula span a set of theoriestheories Propositional logicPropositional logic Bit-vectors and arraysBit-vectors and arrays Real, linear arithmeticReal, linear arithmetic Uninterpreted functions & predicatesUninterpreted functions & predicates
A decision procedure isA decision procedure is a combination of theories must be able to a combination of theories must be able to
combine decision procedures that reason in combine decision procedures that reason in each of these theories!each of these theories!
How are Multiple Decision How are Multiple Decision Procedures Combined?Procedures Combined?
Shostak’s methodShostak’s method 1984 [Shostak ‘84]1984 [Shostak ‘84] Future corrections & clarificationsFuture corrections & clarifications
[Cyrluk et al. ‘96][Cyrluk et al. ‘96] [Ruess and Shankar ‘01][Ruess and Shankar ‘01]
Used in several automated deduction systemsUsed in several automated deduction systems PVS, STeP, SVCPVS, STeP, SVC
Shostak’s Method - CanonizerShostak’s Method - Canonizer
Two main componentsTwo main components CanonizerCanonizer SolverSolver
The canonizer rewrites terms into a unique The canonizer rewrites terms into a unique formform == a a == b b canon canon ((a a ) ) == canon canon ((b b ))
Examples of canonizer for linear arithmeticExamples of canonizer for linear arithmetic canoncanon ( (a a ++ a a ) ) == 2 2aa Unique ordering of variablesUnique ordering of variables
canoncanon ( b + a ) = a + b( b + a ) = a + b
Shostak’s Method – Solved formShostak’s Method – Solved form
Solved form – A set of equations Solved form – A set of equations is said to is said to be in solved form if the variable on the LHS be in solved form if the variable on the LHS of each equation appears in the set only onceof each equation appears in the set only once In solved form: In solved form: a = xa = x + c+ c
b = 2x + yb = 2x + y Not in solved form: Not in solved form: a = b + ca = b + c
x = a + zx = a + z RR denotes replacement of each LHS denotes replacement of each LHS
variable occuring in any RHS with its variable occuring in any RHS with its equationequation R R ((a + xa + x) ) = = 2b + 2c + z2b + 2c + z
Shostak’s Method - SolverShostak’s Method - Solver
The solver transforms an equation into a The solver transforms an equation into a corresponding set of equations in solved formcorresponding set of equations in solved form If If == a a b b , then , then solve solve ((a a == b b ) ) == { { false false }} Otherwise:Otherwise:
solve solve ((a a == b b ) ) == a set of equations a set of equations in solved formin solved form == ((a a == b b x.x. ))
– xx is a set of fresh variables appearing in is a set of fresh variables appearing in , but not in , but not in aa or or bb..
Example: solver for real linear arithmeticExample: solver for real linear arithmetic solve solve ((x x -- y y -- z z == 0 ) 0 ) = = { { x x == y y ++ z z }} solvesolve ( (x x ++ 1 1 == x x -- 1 ) 1 ) = = { { false false }}
The Simplified Shostak AlgorithmThe Simplified Shostak Algorithm
Simplified algorithm due to Clark Barrett, Simplified algorithm due to Clark Barrett, NYUNYU
Given a set of equations Given a set of equations EE and and disequations disequations DD Step 1: Use the solver to convert Step 1: Use the solver to convert EE into an into an
equisatisfiable set of equations equisatisfiable set of equations E’E’ in solved form in solved form Step 2: Use this set of equations together with Step 2: Use this set of equations together with
the canonizer to check if any disequality is the canonizer to check if any disequality is violatedviolated For each For each a a b b DD Check if Check if canon canon ((E’E’ ( (a a ) ) ) ) == canon canon ((E’E’ ( (b b ) )) )
Combining Theories in ShostakCombining Theories in Shostak
Two Shostak theories Two Shostak theories 11 and and 22 can be can be
combined under certain restrictions to combined under certain restrictions to form a new Shostak theory form a new Shostak theory == 22 2 2
Solvers from two theories can be Solvers from two theories can be combinedcombined
Treating terms from other theory as variablesTreating terms from other theory as variables Repeatedly apply solvers from each theory until Repeatedly apply solvers from each theory until
resulting set of equations is in solved formresulting set of equations is in solved form Issue of applying appropriate constraints to the Issue of applying appropriate constraints to the
variables from other theories is trickyvariables from other theories is tricky
Summing UpSumming Up
A very powerful proof methodologyA very powerful proof methodology can describe and prove properties on the most wide array of can describe and prove properties on the most wide array of
systems and abstractionssystems and abstractions
Proof is not fully automaticProof is not fully automatic requires manual interventionrequires manual intervention requires expertise and understanding of modeling conceptsrequires expertise and understanding of modeling concepts some proofs may not terminatesome proofs may not terminate
Industrial useIndustrial use not yet very popularnot yet very popular some dedicated specialized use in Intelsome dedicated specialized use in Intel need to make procedure more automated for practical useneed to make procedure more automated for practical use
Tutorial OutlineTutorial Outline
Introduction Introduction Design flow and verification issuesDesign flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models
model checking and formal enginesmodel checking and formal engines model checking in practicemodel checking in practice equivalence checkingequivalence checking
Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Model Checking and Formal Model Checking and Formal EnginesEngines
MUKUL PRASAD
Fujitsu Labs. of America Sunnyvale, California
Section OutlineSection Outline
Introduction to Model CheckingIntroduction to Model Checking Engines for model checkingEngines for model checking
SAT SolversSAT Solvers Binary Decision Diagrams (BDDs)Binary Decision Diagrams (BDDs)
Symbolic Model Checking with BDDsSymbolic Model Checking with BDDs Model Checking using SAT Model Checking using SAT
Sequential Logic CircuitSequential Logic Circuit
AND OR
NOT XOR
Logic Gates
c
a
b
y
Y = c ( a b )
Combinational Circuit
Present
states
INPUTS
OUTPUTS
LATCHES
Next States
CombLogi
c
a
b
DQ
c
np
o
Sequential Circuit
Temporal Logic Model CheckingTemporal Logic Model CheckingVerify Reactive SystemsVerify Reactive Systems
Construct state machine representation of reactive systemConstruct state machine representation of reactive system Nondeterminism expresses range of possible behaviorsNondeterminism expresses range of possible behaviors ““Product” of component state machinesProduct” of component state machines
ModelChecker
Traffic LightController
Design
FSM rep.
“It is never possible to
have a green light for both
N-S and E-W.”
Property in some TL e.g.
CTL, LTL
True
False+ Counterexample
Express desired behavior as formula in temporal logic (TL)Express desired behavior as formula in temporal logic (TL) Determine whether or not property holdsDetermine whether or not property holds
MoC: Finite State Machine (FSM)MoC: Finite State Machine (FSM)
I: input alphabet S: finite, non-empty set of states : S I S, next-state function S0 S : set of initial (reset) states O: output alphabet : S I O , output function
S3 S2
S1
0/0
1/1
0/0 1/0
0/0
1/1
S1
S2
S3
x = 0 x = 1
S1,0 S2,1
S1,0
S3,0
S2,0
S1,1
State Transition Table
State Transition GraphMealy FSM: I, S, , S0, O, )
INPUTS OUTPUTS
LATCHES
Next States
Present states
CombLogic
Classification of PropertiesClassification of Properties Safety PropertiesSafety Properties
““undesirable things never happen”undesirable things never happen” ““desirable things always happen”desirable things always happen” Examples:Examples:
A bus arbiter never grants the requests to two mastersA bus arbiter never grants the requests to two masters Elevator does not reach a floor unless it is requestedElevator does not reach a floor unless it is requested Message received is the message sentMessage received is the message sent
Liveness (progress) propertiesLiveness (progress) properties ““desirable state repeatedly reached”desirable state repeatedly reached” ““desirable state eventually reached”desirable state eventually reached” Examples:Examples:
Every bus request is eventually grantedEvery bus request is eventually granted A car at a traffic light is eventually allowed to passA car at a traffic light is eventually allowed to pass
Fairness ConstraintsFairness Constraints In general, not every run in a state machine is a In general, not every run in a state machine is a
valid behaviorvalid behavior But all runs are included in transition systemsBut all runs are included in transition systems Fairness constraints rule out certain runsFairness constraints rule out certain runs
Properties only checked for fair paths !!Properties only checked for fair paths !!
Fairness constraints can be expressed as CTL Fairness constraints can be expressed as CTL formulasformulas A fair path must satisfy each formula infinitely oftenA fair path must satisfy each formula infinitely often Path quantifiers are restricted to only the fair paths Path quantifiers are restricted to only the fair paths
Fairness examplesFairness examples An arbiter arbitrates each requestor infinitely oftenAn arbiter arbitrates each requestor infinitely often In a communication channel a continuously transmitted In a communication channel a continuously transmitted
message is received infinitely oftenmessage is received infinitely often
Temporal LogicsTemporal Logics Precise specificationPrecise specification Amenable to symbolic manipulationAmenable to symbolic manipulation Two kinds of temporal logics (TL)Two kinds of temporal logics (TL)
Linear Temporal Logic (LTL):Linear Temporal Logic (LTL): Time is a linear sequence of eventsTime is a linear sequence of events
Branching time temporal logic (CTL, CTL*):Branching time temporal logic (CTL, CTL*): Time is a tree of eventsTime is a tree of events
CTLCTL Formulae describe properties of computation treesFormulae describe properties of computation trees Computation Trees are obtained by unwinding the Computation Trees are obtained by unwinding the
transition system model transition system model Branching structure due to nondeterminismBranching structure due to nondeterminism CTL* is more powerful, includes CTL and LTLCTL* is more powerful, includes CTL and LTL
Syntax of CTLSyntax of CTL Every atomic proposition is a CTL formulaEvery atomic proposition is a CTL formula If If ff and and gg are formulae then so are are formulae then so are
f, (f f, (f g), (f g), (f g), (f g), (f g), (f g), (f g) g) AG fAG f - in all paths, in all state - in all paths, in all state f f (in all future, (in all future, ff)) EG fEG f - in some path, in all states - in some path, in all states ff AF fAF f - in all paths, in some state - in all paths, in some state f f (in every future (in every future ff)) EF fEF f - in some future - in some future ff A(f U g)A(f U g) - in all paths, - in all paths, ff holds until holds until gg E(f U g)E(f U g) - in some path, f holds until - in some path, f holds until gg AX fAX f - in every next state, - in every next state, f f holds holds EX fEX f - in some next state - in some next state ff holds holds
ExamplesExamples AG ¬ (EW_light_go AG ¬ (EW_light_go NS_light_go) NS_light_go) AG (car_at_intersection AG (car_at_intersection AF(light_green)) AF(light_green)) AG (EF Restart)AG (EF Restart) EF (Start EF (Start ¬Ready)¬Ready)
CTL model checkingCTL model checking
MM:: Transition System, Transition System, FF:: CTL formulae CTL formulae MM defines a tree (unwind the transition system) defines a tree (unwind the transition system) FF specifies existence of one or all paths satisfying specifies existence of one or all paths satisfying
some conditionssome conditions Verification checks whether these conditions hold Verification checks whether these conditions hold
for the tree defined by for the tree defined by MM Specifically:Specifically:
Compute the set of states of Compute the set of states of MM satisfying satisfying FF MM ╞ F╞ F iffiff initial states of initial states of MM are in this set are in this set
(Clarke and Emerson, Quielle and Sifakis)(Clarke and Emerson, Quielle and Sifakis)
M╞ FM╞ F
CTL Model Checking Example 1CTL Model Checking Example 1P Compute Compute EFpEFp
EF p = p EX(p) EX(EX(p)) . . .
PSTEP 1
PSTEP 3
PSTEP 2
Fixed Point !! Computation terminates Computation terminates EFEF p Holds in all green states p Holds in all green states Computation involves Computation involves
backward breadth first traversal backward breadth first traversal Calculation of Strongly Calculation of Strongly
Connected Subgraphs (cycles)Connected Subgraphs (cycles)
CTL Model Checking Example 2CTL Model Checking Example 2PP P
EG p = p EX p EX(EX p) . . .
ComputeCompute EG p EG p
PP P
Initial:STEP 1PP P
STEP 2
PP P
STEP 3
PP P
TERMINATION
Checking Safety ConditionsChecking Safety Conditions
Start from SStart from S00 (Z)(Z) = set of initial = set of initial (bad)(bad) states states
Perform forward Perform forward (backward)(backward) reachability analysis reachability analysis to compute a reached state set R to compute a reached state set R (B)(B)
Determine if R Determine if R (B)(B) intersects Z intersects Z (S(S00))
S0
R
Z Z
B
Forward Reachability Backward Reachability
S0
S0: Initial states Z : Bad states
Model Checking ApproachesModel Checking Approaches Explicit state model checkingExplicit state model checking
Requires explicit enumeration of statesRequires explicit enumeration of states Impractical for circuits with large state spaces Impractical for circuits with large state spaces Useful tools exist: Murphi, SPIN, …Useful tools exist: Murphi, SPIN, …
Symbolic model checkingSymbolic model checking Representation & manipulation in terms of Representation & manipulation in terms of
ROBDDs or SAT solversROBDDs or SAT solvers Core tasks:Core tasks:
Represent state machine (transition relation) and sets of Represent state machine (transition relation) and sets of states states
Forward/backward reachability analysisForward/backward reachability analysis Based on computing image/pre-image of set of statesBased on computing image/pre-image of set of states Fixed-point detectionFixed-point detection
Section OutlineSection Outline
Introduction to Model CheckingIntroduction to Model Checking Engines for model checkingEngines for model checking
SAT SolversSAT Solvers Binary Decision Diagrams (BDDs)Binary Decision Diagrams (BDDs)
Symbolic Model Checking with BDDsSymbolic Model Checking with BDDs Model Checking using SAT Model Checking using SAT
SAT Problem DefinitionSAT Problem Definition
Given a CNF formula, f :Given a CNF formula, f :
(C(C11,C,C22,C,C33)) Conjunction of clausesConjunction of clauses
(a,b,c)(a,b,c) A set of variables, A set of variables, VV
Each clause: disjunction of literals over Each clause: disjunction of literals over VV
C1 C2 C3
a = b = c = 1a = b = c = 1))()(( cbacacba Example :Example :
Does there exist an assignment of Boolean values to the variables, V which sets at least one literal in each
clause to ‘1’ ?
CC11
CONFLICTCONFLICT!!
DPLL Algorithm for SATDPLL Algorithm for SAT
Given :Given : CNF formula f(vCNF formula f(v11,v,v22,..,v,..,vkk) , and an ) , and an
ordering functionordering function Next_VariableNext_Variable
))()(( bacaba
Example :Example :
C1 C2 C3
11
CC33
CC22
SATSAT!!
11c
11
00b
00
a0
[Davis, Putnam, Logemann, Loveland 1960,62][Davis, Putnam, Logemann, Loveland 1960,62]
DPLL Algorithm: Unit Clause RuleDPLL Algorithm: Unit Clause Rule
Rule:Rule: Assign toAssign to truetrue any single literal clauses.any single literal clauses.
)( cba =
0
=
0c = 1
))()()()()(( edcedeccbacbcaa
))()()(( edcedeccbc
)( ede
Apply Iteratively: Apply Iteratively: Boolean Constraint Propagation (BCP)Boolean Constraint Propagation (BCP)
Anatomy of a Modern SAT SolverAnatomy of a Modern SAT Solver
SAT Solver
Search RestartsTo correct for bad To correct for bad choices in variable choices in variable orderingorderingRestart algorithm Restart algorithm “periodically”“periodically”Retain some/all Retain some/all recorded clausesrecorded clauses
Clause database managementDiscard useless clauses (e.g. inactive or large clauses)
Efficient garbage collection
Conflict-driven learning
DPLL Algorithm Efficient BCP
Conflict Driven Search Pruning Conflict Driven Search Pruning (GRASP)(GRASP)
SATSAT
Non-chronological backtrackingNon-chronological backtracking
Conflict-clause recording Conflict-clause recording
xxk-1k-1xxk-1k-1
xxkkxxkk
xx22xx22
xx11xx11
xxjjxxjj
11
22
Silva & Sakallah ‘95
Conflict Analysis: An ExampleConflict Analysis: An Example
)( 21 xx
)( 9312 xxx
)( 4323 xxx
)( 10544 xxx
)( 11645 xxx )( 656 xx
)( 818 xx )( 12717 xxx
)( 13879 xxx
}6@1{ 1 xDecision Assignment:Decision Assignment:
}2@1,2@1,3@0,3@0,1@0{ 131211109 xxxxx
Current Assignment:Current Assignment:
Example Contd: Implication GraphExample Contd: Implication Graph
)(( 111091 xxxxc )( 4323 xxx
xx22= 1@6= 1@6
xx1111= 0@3= 0@3
xx66= 1@6= 1@6
xx55= 1@6= 1@6
xx11= 1@6= 1@6
xx99= 0@1= 0@1
xx44= 1@6= 1@6
xx33= 1@6= 1@6
xx1010= 0@3= 0@3
33
33
11
22
22
44
44
55
55
66
66
Example Contd….Example Contd….
x1
55
33
66
Decision Decision LevelLevel
xx77= 1@6= 1@6
xx1313= 1@2= 1@2
xx1212= 1@2= 1@2
xx88= 1@6= 1@6
`̀`̀ 99
99
99
77
77
88
xx11= 0@6= 0@6
xx99= 0@1= 0@1
xx1010= 0@3= 0@3
xx1111= 0@3= 0@3
Variable OrderingVariable Ordering
Significantly impacts size of search treeSignificantly impacts size of search tree Ordering schemes can be Ordering schemes can be static static or or
dymamicdymamic Conventional wisdom (pre-chaff):Conventional wisdom (pre-chaff):
Satisfy most number of clauses ORSatisfy most number of clauses OR Maximize BCP Maximize BCP e.g.e.g. DLIS, MOMs, BOHMs DLIS, MOMs, BOHMs etc.etc.
Variable Ordering: New IdeasVariable Ordering: New Ideas
New wisdom:New wisdom: Recorded clauses key in Recorded clauses key in guiding searchguiding search
Conflict-driven variable ordering:Conflict-driven variable ordering: Chaff (DAC’01): Pick var. appearing in Chaff (DAC’01): Pick var. appearing in mostmost
number of number of recentrecent conflict clausesconflict clauses BerkMin (DATE’02): Pick var. BerkMin (DATE’02): Pick var. involvedinvolved in most in most
number of number of recentrecent conflicts conflicts
Semi-static in nature, for efficiencySemi-static in nature, for efficiency Statistics updated on each conflictStatistics updated on each conflict
Side-effect:Side-effect: Better cache behavior Better cache behavior
Efficient Boolean Constraint PropagationEfficient Boolean Constraint Propagation
Observation:Observation: BCP almost 80% of compute time, BCP almost 80% of compute time, under clause recordingunder clause recording
Traditional implementation:Traditional implementation: Each clause: Counter for #literals set to falseEach clause: Counter for #literals set to false Assgn. to variable ‘x’: Update all clauses having x, xAssgn. to variable ‘x’: Update all clauses having x, x
New Idea:New Idea: Only need to monitor event when # free Only need to monitor event when # free literals in a clause goes from 2 to 1literals in a clause goes from 2 to 1 Need to Need to watchwatch only 2 literals per clause : only 2 literals per clause : SATOSATO
(Zhang’97),(Zhang’97),ChaffChaff (DAC’01) (DAC’01)
…… …x1 w1w2 xk
SAT Solvers Today SAT Solvers Today Capacity:Capacity:
Formulas upto a Formulas upto a million variablesmillion variables and and 3-4 3-4 millionmillion clausesclauses can be solved in can be solved in few hoursfew hours
Only for Only for structured instancesstructured instances e.g.e.g. derived from derived from real-world circuits & systemsreal-world circuits & systems
Tool offerings:Tool offerings: Public domainPublic domain
GRASP : Univ. of MichiganGRASP : Univ. of Michigan SATO: Univ. of IowaSATO: Univ. of Iowa zChaff: Princeton UniversityzChaff: Princeton University BerkMin: Cadence Berkeley Labs.BerkMin: Cadence Berkeley Labs.
CommercialCommercial PROVER: Prover TechnologiesPROVER: Prover Technologies
Section OutlineSection Outline
Introduction to Model CheckingIntroduction to Model Checking Engines for model checkingEngines for model checking
SAT SolversSAT Solvers Binary Decision Diagrams (BDDs)Binary Decision Diagrams (BDDs)
Symbolic Model Checking with BDDsSymbolic Model Checking with BDDs Model Checking using SAT Model Checking using SAT
Decision StructuresDecision Structures
Vertex represents decisionVertex represents decision Follow green (dashed) line for value 0Follow green (dashed) line for value 0 Follow red (solid) line for value 1Follow red (solid) line for value 1 Function value determined by leaf valueFunction value determined by leaf value
Truth Table Decision Tree
0 0
x3
0 1
x3
x2
0 1
x3
0 1
x3
x2
x1
00001111
00110011
01010101
00010101
x1 x2 x3 f
Source: Prof. Randal Bryant
Variable OrderingVariable Ordering Assign arbitrary total ordering to variablesAssign arbitrary total ordering to variables
e.g.e.g. x x11 < x < x22 < x < x33
Variables must appear in ascending order along all Variables must appear in ascending order along all pathspaths
PropertiesProperties No conflicting variable assignments along path Simplifies manipulation
x1
x2
x3
x1
x3
x3
x2
x1
x1
x1
OK Not OK
Reducing OBDDs: Rule #1Reducing OBDDs: Rule #1
11 1
Eliminate duplicate terminals
0 0
x3
0 1
x3
x2
0 1
x3
0 1
x3
x2
x1
x3 x3
x2
x3
0 1
x3
x2
x1
Reducing OBDDs: Rule #2Reducing OBDDs: Rule #2
x3 x3
x2
x3
0 1
x3
x2
x1
x3
x2
0 1
x3
x2
x1
a
b
a
c
a
b c
01 0
1 0 1
Merge isomorphic nodes, i.e. nodes that reference the same variable and point to the same successors
Reducing OBDDs: Rule #3Reducing OBDDs: Rule #3Eliminate a node if its 0 and 1 edges lead to the same node
x3
x2
0 1
x3
x2
x1
x2
0 1
x3
x1
a
b
b0 1
0 1
0 1
Example OBDDExample OBDD
Canonical representation of Boolean functionCanonical representation of Boolean function For given variable orderingFor given variable ordering Two functions equivalent if and only if graphs Two functions equivalent if and only if graphs
isomorphicisomorphic Can be tested in linear timeCan be tested in linear time
Desirable property: Desirable property: simplest form is canonicalsimplest form is canonical..
0 0
x3
0 1
x3
x2
0 1
x3
0 1
x3
x2
x1
x2
0 1
x3
x1
Initial Graph Reduced Graph
(x 1+x 2)· x 3
Effect of Variable OrderingEffect of Variable Ordering
Good Ordering
Linear Growth
0
b3
a3
b2
a2
1
b1
a1
Bad Ordering
Exponential Growth
a3 a3
a2
b1 b1
a3
b2
b1
0
b3
b2
1
b1
a3
a2
a1
)()()( 332211 bababa
ROBDD sizes & Variable OrderingROBDD sizes & Variable Ordering Bad News Bad News
Finding optimal variable ordering NP-HardFinding optimal variable ordering NP-Hard Some functions have exponential BDD size for all Some functions have exponential BDD size for all
orders orders e.g.e.g. multiplier multiplier Good News Good News
Many functions/tasks have reasonable size ROBDDsMany functions/tasks have reasonable size ROBDDs Algorithms remain practical up to 500,000 node OBDDsAlgorithms remain practical up to 500,000 node OBDDs Heuristic ordering methods generally satisfactoryHeuristic ordering methods generally satisfactory
What works in Practice What works in Practice Application-specific heuristics e.g. DFS-based ordering Application-specific heuristics e.g. DFS-based ordering
for combinational circuitsfor combinational circuits Dynamic ordering based on variable sifting Dynamic ordering based on variable sifting (R. Rudell)(R. Rudell)
Variants of Decision DiagramsVariants of Decision Diagrams Multiterminal BDDs (MTBDD)Multiterminal BDDs (MTBDD) – Pseudo Boolean functions – Pseudo Boolean functions BBn n N, N,
terminal nodes are integersterminal nodes are integers Ordered Kronecker FunctionalDecision Diagrams (OKFDD)Ordered Kronecker FunctionalDecision Diagrams (OKFDD) – uses – uses
XOR in OBDDsXOR in OBDDs Binary Moment Diagrams (BMD)Binary Moment Diagrams (BMD) – good for arithmetic operations – good for arithmetic operations
and word-level representationand word-level representation Zero-suppressed BDD (ZDD)Zero-suppressed BDD (ZDD) – good for representing sparse sets – good for representing sparse sets Partitioned OBDDs (POBDD)Partitioned OBDDs (POBDD) – highly compact representation – highly compact representation
which retains most of the features of ROBDDswhich retains most of the features of ROBDDs BDD packagesBDD packages – –
CUDD from Univ. of Colorado, Boulder,CUDD from Univ. of Colorado, Boulder, CMU BDD package from Carnegie Mellon Univ.CMU BDD package from Carnegie Mellon Univ. In addition, companies like Intel, Fujitsu, Motorola etc. have In addition, companies like Intel, Fujitsu, Motorola etc. have
their own internal BDD packagestheir own internal BDD packages
Section OutlineSection Outline
Introduction to Model CheckingIntroduction to Model Checking Engines for model checkingEngines for model checking
SAT SolversSAT Solvers Binary Decision Diagrams (BDDs)Binary Decision Diagrams (BDDs)
Symbolic Model Checking with BDDsSymbolic Model Checking with BDDs Model Checking using SAT Model Checking using SAT
Symbolic Manipulation with OBDDsSymbolic Manipulation with OBDDs
StrategyStrategy Represent data as set of OBDDsRepresent data as set of OBDDs
Identical variable orderingsIdentical variable orderings Express solution method as sequence of symbolic Express solution method as sequence of symbolic
operationsoperations Implement each operation by OBDD manipulationImplement each operation by OBDD manipulation
Key Algorithmic PropertiesKey Algorithmic Properties Arguments: OBDDs with identical variable ordersArguments: OBDDs with identical variable orders Result is OBDD with same orderingResult is OBDD with same ordering Each step polynomial complexityEach step polynomial complexity
Arguments Arguments II, , TT, , EE Functions over variables X Represented as OBDDs
ResultResult OBDD representing
composite function (I T) (I E)
MUX1
0
I T, E
X
I
T
E
If-Then-Else OperationIf-Then-Else Operation ConceptConcept
Basic technique for building OBDD from logic Basic technique for building OBDD from logic network or formula.network or formula.
0 1
d
c
a
B3 B4
B2
B5
B1
Argument I
1
Argument T Argument E
A4,B3 A5,B4
A3,B2
A6,B2
A2,B2
A3,B4A5,B2
A6,B5
A1,B1
Recursive Calls
b
0
d
1
c
a
A4 A5
A3
A2
A6
A1
If-Then-Else Execution ExampleIf-Then-Else Execution Example
OptimizationsOptimizations Dynamic programmingDynamic programming Early termination rulesEarly termination rules Apply reduction rules bottom-up as return from recursive callsApply reduction rules bottom-up as return from recursive calls
(Recursive calling structure implicitly defines unreduced BDD)(Recursive calling structure implicitly defines unreduced BDD)
Derived Algebraic OperationsDerived Algebraic Operations Other operations can be expressed in Other operations can be expressed in
terms of If-Then-Elseterms of If-Then-Else
MUX1
0
F G, 0
X
F
G
0
MUX1
0
F 1, G
X
F
G
1
XF
G
XF
G
And(F, G)
Or(F, G)
If-Then-Else(F, G, 0)
If-Then-Else(F, 1, G)
Generating OBDD from NetworkGenerating OBDD from Network
Task: Represent output functions of gate network as OBDDs.
Network
Evaluation
A
B
C
T1
T2
Out
Resulting Graphs
A B CT1 T2
Out
0 1
a
0 1
c
0 1
b
0 1
b
a
0 1
c
b
c
b
0 1
b
a
A A new_var ("a");new_var ("a");BB new_var ("b");new_var ("b");CC new_var ("c");new_var ("c");T1T1 And (A, 0, B);And (A, 0, B);T2T2 And (B, C); And (B, C);OutOut Or (T1, T2);Or (T1, T2);
A0 /1
Set Operations
A
B
UnionA
B
Intersection
Characteristic FunctionsCharacteristic FunctionsConceptConcept
AA {0,1} {0,1}nn
Set of bit vectors of length Set of bit vectors of length nn Represent set Represent set AA as Boolean as Boolean
function function AA of of nn variables variables XX AA if and only if A( if and only if A(XX ) = 1 ) = 1
Nondeterministic FSM Symbolic Representation
o1,o2 encodedold state
n1, n2 encodednew state
00
10
01
11 o2
o1
1
n2
0
n1
o2
Symbolic FSM RepresentationSymbolic FSM Representation
Represent set of transitions as function Represent set of transitions as function ((OldOld, , NewNew)) Yields 1 if can have transition from state Yields 1 if can have transition from state OldOld to state to state NewNew
Represent as Boolean functionRepresent as Boolean function Over variables encoding statesOver variables encoding states
Reachability AnalysisReachability AnalysisTaskTask
Compute set of states reachable from initial state Compute set of states reachable from initial state QQ00
Represent as Boolean function Represent as Boolean function R(R(SS)) Never enumerate states explicitlyNever enumerate states explicitly
Rstate 0/1old state
new state0/1
Given Compute
InitialR0
=
Q0
R0
00
Breadth-First Reachability AnalysisBreadth-First Reachability Analysis
RRii – set of states that can be reached in– set of states that can be reached in ii transitionstransitions Reach fixed point when Reach fixed point when RRn n = R= Rnn+1+1
Guaranteed since finite stateGuaranteed since finite state
00
10
01
11
R1R0
00 01
R2R1R0
00 01 10
R3R2R1R0
00 01 10
Iterative ComputationIterative Computation
Ri
Ri
Ri +1
old
new
)],'()'([)()( '1 sssRsRsR isii
1 ii
1 ii RR
00 QR do
until ALGORITHM
BDD-based MC: Current StatusBDD-based MC: Current Status Symbolic model checkers can analyze Symbolic model checkers can analyze
sequential circuits with ~200- 400 flip flopssequential circuits with ~200- 400 flip flops For specific circuit types, larger state spaces have For specific circuit types, larger state spaces have
been analyzedbeen analyzed ChallengesChallenges
Memory/runtime bottlenecksMemory/runtime bottlenecks Adoption of TLs for property specificationAdoption of TLs for property specification
Frontier constantly being pushedFrontier constantly being pushed Abstraction & approximation techniquesAbstraction & approximation techniques Symmetry reductionSymmetry reduction Compositional reasoningCompositional reasoning Advances in BDD technology …Advances in BDD technology …
Section OutlineSection Outline
Introduction to Model CheckingIntroduction to Model Checking Engines for model checkingEngines for model checking
SAT SolversSAT Solvers Binary Decision Diagrams (BDDs)Binary Decision Diagrams (BDDs)
Symbolic Model Checking with BDDsSymbolic Model Checking with BDDs Model Checking using SAT Model Checking using SAT
Solving Circuit Problems as SATSolving Circuit Problems as SAT
a
b
c
d
e
f
g
h
i
Primary Output ‘i’ toPrimary Output ‘i’ to 1 1 ??Input Vector AssignmentInput Vector Assignment ??
SAT Formulas for simple gatesSAT Formulas for simple gates
ab
c
))(( baba
a b
))()(( bacbcac
a
bc
))()(( bacbcac
a
bc
Solving Circuit problems as SATSolving Circuit problems as SAT
Set of clauses representing function of each gateSet of clauses representing function of each gate
))()(( fcbfcfb
))()(( hfahfha
))()(( gedgegd
)(i))()(( ighigih
a
b
c
d
e
f
g
h
i
Unit literal clause asserting output to Unit literal clause asserting output to ‘1’‘1’
SAT-based Unbounded MCSAT-based Unbounded MC
SAT-based Inductive reasoningSAT-based Inductive reasoning Exact image computationExact image computation
Use SAT solver just for fixed-point detectionUse SAT solver just for fixed-point detection Image computation using SAT solverImage computation using SAT solver
McMillan CAV’02, Kang & Park DAC’02McMillan CAV’02, Kang & Park DAC’02
Approximate image computationApproximate image computation Using Craig Interpolants Using Craig Interpolants (McMillan CAV’03)(McMillan CAV’03)
Abstraction refinementAbstraction refinement Discussed later in the tutorialDiscussed later in the tutorial
SAT-Based Reasoning on ILAsSAT-Based Reasoning on ILAs
PI PO
LATCHES
NSPS
CL
CL1 CL2 CLk NSk
PI2
POk
PI1 PIk
PO1 PO2
PS3PS2 PSk
NS1 NS2 NSk-1PS1
Unroll k-Steps
Popularized by the BMC work (Biere et al)
Current SAT solvers have shown good results
SAT-Based Inductive ReasoningSAT-Based Inductive Reasoning
P
CLk+1 P ‘1’
‘1’
‘1’
Ind
ucti
on
S
tep
Simple Induction
UNSAT
UNSAT
AG P is TRUE+
P
I0
‘1’B
ase
Case
SAT-Based Inductive ReasoningSAT-Based Inductive Reasoning
P
P
CL1 CL2 CLkI0 P
P‘1’B
ase
Case
P
P
CL1 CLk
P
CLk+1 P ‘1’
‘1’
‘1’
‘1’
Ind
ucti
on
S
tep
Induction with depth ‘k’(Sheeran et al, Bjesse et al FMCAD 2000)
SAT-based InductionSAT-based Induction
Can prove or disprove propertiesCan prove or disprove properties k-depth induction:k-depth induction:
Can check more properties for larger kCan check more properties for larger k Base case is simply k-length BMCBase case is simply k-length BMC But But notnot complete ! complete !
Not k - depth inductive for
any k !P P
Unreachable state-space
Example:
Complete!
SAT-based Inductive ReasoningSAT-based Inductive Reasoning
Unique paths Induction:Unique paths Induction: Restrict unrolled ILA to be loop-freeRestrict unrolled ILA to be loop-free Sheeran et al, Bjesse et al FMCAD’00Sheeran et al, Bjesse et al FMCAD’00 Unrolling upto Unrolling upto recurrence diameterrecurrence diameter i.e. length of longest loop-free pathi.e. length of longest loop-free path
Summary:Summary: Stronger induction methods can be expensiveStronger induction methods can be expensive But,But, some properties very easy to prove by some properties very easy to prove by
induction, very hard by state-space traversalinduction, very hard by state-space traversal Simple induction can be cheap, first step in Simple induction can be cheap, first step in
verification flowverification flow
SAT-based Image ComputationSAT-based Image Computation
Bug found ! Fixed-point
InitsR )(0
))()',(.(toProp)'(1 sRssTrssR ii
i
k
i
k
kk sRsR0
1
0
)()(
)()( sPsRi
do
until or
1ii
0i
SATSolver
Issues: Function representation Quantification
Function RepresentationFunction Representation Representation of: Representation of: Init, RInit, Rii(s), P(s), Tr(s,s’)(s), P(s), Tr(s,s’)
Converted to CNF for SAT solvingConverted to CNF for SAT solving
x z y
Reduced Boolean Circuit (RBC)
b
b a
0 1
Boolean Expression Diagram (BED)Abdulla et al, TACAS 2000 Williams et al, CAV 2000
QuantificationQuantification Apply definition of existential quantification:Apply definition of existential quantification:
Mitigate formula blow-up by:Mitigate formula blow-up by: Inherent reduction rules of function rep.Inherent reduction rules of function rep. Special case quantification rules:Special case quantification rules:
Limitation:Limitation: Suitable only when small number Suitable only when small number of variables to be quantified of variables to be quantified
)1()0()(. xxxx
Inlining: )()().( xxx )(Vars xwhere
))(.()(. xxxx
))(.())(.()()(. xxxxxxx
Scope Reduction:)(Vars xwhere
Exact Image Computation Using SATExact Image Computation Using SATMcMillan, CAV 2002
Solution: Express f in CNF: fCNF
Drop all wi literals from fCNF
Core problem: Express a given formula f in CNF
CTL Model CTL Model CheckingCheckingprocedure AG(p)procedure AG(p)
Let Z = Q = pLet Z = Q = p
while Z while Z 1 1
let Z = (let Z = (W W · p· pii/s/sii))QQ let Q = Q let Q = Q Z Zreturn Qreturn Q
SolveSolve W W · f· f
Computing a CNF representation for fComputing a CNF representation for f
Basic AlgorithmBasic Algorithm Create CNF(f)Create CNF(f) Solve Solve SAT(CNF(f) SAT(CNF(f) vf) Compute Compute blocking clauseblocking clause
for each satisfying for each satisfying assignmentassignment
Collect all blocking Collect all blocking clauses clauses f fCNFCNF
Blocking Clauses Must:Blocking Clauses Must: Contain only original vars. of Contain only original vars. of ff Be false under some sat. assgn. Be false under some sat. assgn.
of CNF(f) of CNF(f) vf
Be implied by CNF(f) CNF(f) vf
e.g. f = (ab)c
a
b
c
vab
CNF(f)
fCNF= (bc) (ac)
: (b: (bc) ) , (a(ac))Blocking Blocking ClausesClauses
vf
Some IssuesSome Issues Issues:Issues:
Blocking clauses expressed in terms of original Blocking clauses expressed in terms of original variables of variables of ff Extracted from a separate implication graphExtracted from a separate implication graph
Quantification of Quantification of WW vars. can be performed on vars. can be performed on each generated blocking clause: each generated blocking clause: Combine both Combine both steps into one!! steps into one!!
Conclusions:Conclusions: Technique promising where BDDs blow upTechnique promising where BDDs blow up BDDs superior as a general purpose techniqueBDDs superior as a general purpose technique Proposed technique needs more polishingProposed technique needs more polishing
Tutorial OutlineTutorial Outline Introduction Introduction Design flow and verification issuesDesign flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models
model checking and formal enginesmodel checking and formal engines model checking in practicemodel checking in practice equivalence checkingequivalence checking
Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Model Checking in PracticeModel Checking in Practice
INDRADEEP GHOSH
Fujitsu Labs. of America Sunnyvale, California
Section OutlineSection Outline
Enhancing Formal Verification CapacityEnhancing Formal Verification Capacity Abstraction-refinementAbstraction-refinement Assume guarantee/Compositional ReasoningAssume guarantee/Compositional Reasoning ApproximationApproximation Symmetry reductionSymmetry reduction Partial Order ReductionPartial Order Reduction
Formal Verification: Case StudyFormal Verification: Case Study Industrial and Research Tool OfferingsIndustrial and Research Tool Offerings
AbstractionAbstraction
Limitations of symbolic model checkingLimitations of symbolic model checking Suffers from state explosionSuffers from state explosion
ConcurrencyConcurrency Data domainsData domains
Abstraction of state spaceAbstraction of state space Represent the state space using a smaller modelRepresent the state space using a smaller model Pay attention to preserving the checked properties.Pay attention to preserving the checked properties. Do not affect the flow of controlDo not affect the flow of control..
ExampleExample
Use smaller data objectsUse smaller data objects HDL Code:HDL Code:
X:= f(m);X:= f(m);
Y:=g(n);Y:=g(n);
if (X*Y>0) if (X*Y>0)
then …then …
else …else …
X, Y never X, Y never
used again.used again.
Assign values {-1, 0, 1} to X and Y.Assign values {-1, 0, 1} to X and Y. Based on the following connection:Based on the following connection:
sgn(X) = 1 if X>0,sgn(X) = 1 if X>0, 0 if X=0, and 0 if X=0, and -1 if X<0. -1 if X<0.sgn(X)*sgn(Y)=sgn(X*Y).sgn(X)*sgn(Y)=sgn(X*Y).
Change f and g to produce abstract Change f and g to produce abstract values for X and Yvalues for X and Y
Abstraction vs. SimplificationAbstraction vs. Simplification
Not every simplified system is an Not every simplified system is an abstractionabstraction
The key question is:The key question is: If we prove or disprove a property of the If we prove or disprove a property of the
simplified system, what have we learned simplified system, what have we learned about the original system?about the original system?
Abstraction (Cont)Abstraction (Cont) Abstract transition relation is conservativeAbstract transition relation is conservative
Abstract next states Abstract next states mustmust contain all concrete successors contain all concrete successors And possibly more statesAnd possibly more states
RA
Abstract
Concrete
RC
s
t
x y
Abstract Counter-ExampleAbstract Counter-Example
If model checking fails an abstract counter-example is If model checking fails an abstract counter-example is producedproduced
Concrete transitions are present for each pair of Concrete transitions are present for each pair of consecutive abstract statesconsecutive abstract states But concrete counter-example may not be present!But concrete counter-example may not be present!
x
y’
zy’’
Abstract
ConcreteReal Trace
Spurious Trace
Abstraction RefinedAbstraction Refined
Abstraction is refined by adding more statesAbstraction is refined by adding more states prevents previous spurious counter exampleprevents previous spurious counter example
Model checking is repeated on new abstractionModel checking is repeated on new abstraction iterateiterate
x
y1
z
y’’
Abstract
ConcreteReal Trace
New Trace
Abstraction Refinement Algorithm Abstraction Refinement Algorithm
Build abstract model
Model check
abstractmodel
Check abstract
counterexampleon concrete
model
abstractcounterexample
True on concrete model
true
Infeasible
abort
False on concrete model
real counterexample
Refinement
spuriouscounterexample
Assume-Guarantee ReasoningAssume-Guarantee Reasoning
Used for:Used for: Compositional reasoningCompositional reasoning In a refinement checking In a refinement checking
settingsetting
[Stark] [Chandy-Misra] [Abadi-Lamport][Alur-Henzinger][McMillan]
Ref:
P Q
P’ Q’
Q’P
P’
P’ Q
Q’
+
AG Reasoning: ExampleAG Reasoning: Example
a’ � b’ := true � a’ b’ := false
P
true � b’ := true
P’
b’ � a’ := true � b’ a’ := false
Q
true � a’ := true
Q’
Assume all variables are initialized to trueX X
AG Reasoning: ExampleAG Reasoning: Example
a’ � b’ := true � a’ b’ := false
P
true � b’ := true
P’
true � a’ := true
Q’
b’ � a’ := true � b’ a’ := false
Q true � a’ := true
Q’
true � b’ := true
P’
Assume all variables are initialized to true
Symmetry ReductionsSymmetry Reductions
Idea: If state space is symmetric, explore only a symmetric “quotient” of the state space
A permutation function f : S A permutation function f : S S S is an automorphism if:is an automorphism if:
( x, z) ( x, z) ( f(x), f(z))( f(x), f(z))
0,0
1,1
0,1
1,0
f: f(0,0) = 1,1 f(1,1) = 0,0f: f(0,0) = 1,1 f(1,1) = 0,0
f(0,1) = 0,1 f(1,0) = 1,0f(0,1) = 0,1 f(1,0) = 1,0
e.g.
The set of all automorphisms forms a The set of all automorphisms forms a group!group!
Automorphism groups induce Automorphism groups induce equivalence classes (orbits) over the equivalence classes (orbits) over the state spacestate space [ (0,1), (1,0) ][ (0,1), (1,0) ]
[ (0,0), [ (0,0), (1,1) ](1,1) ]
e.g.
Quotient MachineQuotient Machine
Map each state to its representative in Map each state to its representative in the orbitthe orbit
Do model checking analysis on the Do model checking analysis on the quotient machinequotient machine
0,0
1,1
0,1
1,0
[ (0,0),(1,1) ]
[ (0,1), (1,0) ]
Quotient machine
Symmetry ReductionsSymmetry Reductions
DifficultyDifficulty Identifying symmetry groupsIdentifying symmetry groups Computing function mapping states to Computing function mapping states to
representativesrepresentatives
SolutionsSolutions Ask user to tell you where the symmetries are Be satisfied with multiple representatives for
each orbit
Tools: Mur, Nitpick, RuleBase
Over-Approximate ReachabilityOver-Approximate Reachability Exact reachability captures the exact reachable Exact reachability captures the exact reachable
state-spacestate-space Problem: BDD-blowup in many real designsProblem: BDD-blowup in many real designs
Solution: Compute over-approximation of the Solution: Compute over-approximation of the reachable statesreachable states
R1
R2+R1
+
R2R
I0
R+ Often sufficient to prove Often sufficient to prove properties correctproperties correct
Error could be a false Error could be a false negativenegative
Can trade off BDD-size Can trade off BDD-size and runtime with accuracy and runtime with accuracy of approximationof approximation
Over-approx. Reachability TechniquesOver-approx. Reachability Techniques
Split FSM into sub-Split FSM into sub-machines by machines by partitioning state-partitioning state-varsvars
Perform (exact) Perform (exact) reachability on each reachability on each machinemachine
Cross-product of Cross-product of reached state reached state spaces gives over-spaces gives over-approx. for original approx. for original FSMFSM
LATCHES
PI PO
NSPS
CL
X X
Over-approx: More IssuesOver-approx: More Issues
Communicate between sub-FSMs to tighten Communicate between sub-FSMs to tighten approximationapproximation After each time-frameAfter each time-frame After least fixpoint computation for a sub-FSMAfter least fixpoint computation for a sub-FSM
Computing partitionsComputing partitions Heuristic and/or manualHeuristic and/or manual Disjoint partitions Disjoint partitions (Cho et al)(Cho et al) Overlapping partitions Overlapping partitions (Govindaraju et al)(Govindaraju et al)
Can capture limited interaction among sub FSMsCan capture limited interaction among sub FSMs Tighter approximationTighter approximation May not increase BDD sizes muchMay not increase BDD sizes much
Partial Order ReductionPartial Order Reduction
Factor out independent state transitions!Factor out independent state transitions!(typical for asynchronous communication (typical for asynchronous communication as in Software- and Protocol-Checking)as in Software- and Protocol-Checking)
May result in exponential reductionMay result in exponential reductionin the number of statesin the number of states
Synchronization
Irrele
vant
StatesOne Relevant Trace of States
Process B
transition
Process Atransition
Case Study: VGICase Study: VGI
VGI = “Video-Graphics-Image”VGI = “Video-Graphics-Image” Designed by Infopad group at Berkeley Designed by Infopad group at Berkeley Purpose: web-based image processingPurpose: web-based image processing Designed using Designed using
VHDL (control) VHDL (control) Schematics (Data path)Schematics (Data path)
Source:Source: T. Henzinger, X. Liu, S. Qadeer and S. Rajamani, T. Henzinger, X. Liu, S. Qadeer and S. Rajamani, “Formal Specification and Verification of a Dataflow Processor “Formal Specification and Verification of a Dataflow Processor Array,” ICCAD 1999 Array,” ICCAD 1999
VGI ArchitectureVGI Architecture
16 clusters with 6 processors in each - 4 16 clusters with 6 processors in each - 4 compute, 1 memory, 1 I/O compute, 1 memory, 1 I/O
~30K logic gates per processor~30K logic gates per processor Pipelined compute processorsPipelined compute processors Low latency data transfer between Low latency data transfer between
processors - complex controlprocessors - complex control
Complex handshake
VGI ArchitectureVGI Architecture
pipeline
pipeline pipeline
pipeline
pipeline
FIFO buffer
ISA
ISA
ISA ISA
ISA
VerificationVerification
Different time scalesDifferent time scales ImplementationImplementation
two-phase clocktwo-phase clock level-sensitive latches level-sensitive latches activity on both HI and LO phases of clkactivity on both HI and LO phases of clk
Specification Specification no clk signalno clk signal
S
I
Sample OperatorSample Operator
I’ = Sample I at
Runs of I’ = Runs of I sampled at instances where holds
Difficulty - VerificationDifficulty - Verification
Size of the VGI chip Size of the VGI chip ~800 latches in each compute processor~800 latches in each compute processor 64 compute processors64 compute processors
Need “divide and conquer”Need “divide and conquer” assume guarantee reasoningassume guarantee reasoning compositional reasoningcompositional reasoning refinement checkingrefinement checking
MochaMocha
Reactive Modules - language for Reactive Modules - language for describing designsdescribing designs
Assume-guarantee refinement checkingAssume-guarantee refinement checking
““Mocha: modularity in model Mocha: modularity in model checking,” Alur, Henzinger, Mang, checking,” Alur, Henzinger, Mang, Qadeer, Rajamani, Tasiran, CAV 1998Qadeer, Rajamani, Tasiran, CAV 1998
Network of Processors to Single ProcessorNetwork of Processors to Single Processor
pipeline
pipeline
pipeline
ISA
ISA
ISAISA
ISA
pipeline
pipeline
clk
clk clk
clkclk
Single ProcessorSingle Processor
Single processor still has ~800 latchesSingle processor still has ~800 latches Need “divide-and-conquer” againNeed “divide-and-conquer” again
ISA
pipeline
clk
TP
CommStage
PIPE
ALUGateLevel
REGFILE
ALUSpec
ISA REGFILE
FIFObuffer
OPGEN
Input from upstream processor
Input from upstream processor
clk
Refinement MapRefinement Map
CommStage
ALUGateLevel
FIFObuffer
clk
PIPE
REGFILE
Input from upstream processor
Decompose ProofDecompose Proof
ALU ALUSpec
ISA REGFILE
OPGEN
Input from upstream processor
AbsAluOut
AbsAluOut
aluOutSpec
aluOutImpl
stall
stall aluOutImpl’ = aluOutImpl stall aluOutImpl’ = aluOutSpec
PIPE
ALUGateLevel
REGFILE
much smaller than
Abstraction and Compositional Abstraction and Compositional ReasoningReasoning
FIFObuffer
AbsAluOut
CommStage
TP
clk
Property: Communication ControlProperty: Communication Control
CommStage
PIPE
ALUGateLevel
REGFILE
ALUSpec
ISA REGFILE
FIFObuffer
OPGEN
Input from upstream processor
Input from upstream processor
clk
AbsOps
Refinement CheckingRefinement Checking
AbsAluOut
ResultsResults
Circular assume-guarantee Circular assume-guarantee AbsOpsAbsOps used to verify used to verify AbsAluOutAbsAluOut AbsAluOutAbsAluOut used to verify used to verify AbsOpsAbsOps
All lemmas (except one) checked by All lemmas (except one) checked by Mocha in a few minutesMocha in a few minutes
3 bugs in communication control found 3 bugs in communication control found and fixedand fixed
Abstraction modules crucial - designer Abstraction modules crucial - designer insight neededinsight needed
Model Checkers - Research ToolsModel Checkers - Research Tools
SMV (CMU, Cadence)SMV (CMU, Cadence) VIS (UC Berkeley)VIS (UC Berkeley) Mocha (UC Berkeley, compositional Mocha (UC Berkeley, compositional
reasoning) reasoning) Verisoft (AT&T, C-model checker)Verisoft (AT&T, C-model checker) Bandera (Java model checker)Bandera (Java model checker)
Industrial Model Checkers Industrial Model Checkers
FormalCheckFormalCheck (Cadence) (Cadence) COSPANCOSPAN (from Bell Labs) under the hood (from Bell Labs) under the hood Support for arbitrary precision arithmeticSupport for arbitrary precision arithmetic Automatic bus-contention, multi-driver Automatic bus-contention, multi-driver
violation, tri-state support fir high-impedance violation, tri-state support fir high-impedance checkcheck
Powerful design reduction techniquesPowerful design reduction techniques Removal of portions of design that do not affect the Removal of portions of design that do not affect the
property being provenproperty being proven Constant & constraint propagationConstant & constraint propagation Iterative reduction guarantees that queries proven on Iterative reduction guarantees that queries proven on
the reduced design hold on the entire designthe reduced design hold on the entire design
EDA Vendor Tool OfferingsEDA Vendor Tool Offerings Verplex (Cadence) Verplex (Cadence) BlacktieBlacktie IBM IBM RuleBaseRuleBase @HDL - @HDL - @Verifier@Verifier
works on Verilog RTLworks on Verilog RTL static assertion checksstatic assertion checks automatic property extractionautomatic property extraction clock domain synchronization errorsclock domain synchronization errors
Real Intent Real Intent VerixVerix slimilar to @Verifierslimilar to @Verifier
Averant Averant Solidify Solidify Jasper design automation Jasper design automation Jasper GoldJasper Gold
Tutorial OutlineTutorial Outline Introduction Introduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models
model checking and formal enginesmodel checking and formal engines model checking in practicemodel checking in practice equivalence checkingequivalence checking
Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Equivalence CheckingEquivalence Checking
MUKUL PRASAD
Fujitsu Labs. of America Sunnyvale, California
Formal Equivalence CheckingFormal Equivalence Checking
Given two designs, prove that for all possible input stimuli their corresponding outputs are equivalent
Design A
Design B
=?Input Yes/No
Product Machine
Formal Equivalence CheckingFormal Equivalence Checking
Equivalence checking can be applied at or Equivalence checking can be applied at or across various levelsacross various levels
RTL
Gate Level
System Level
Device Level
Combinational Equivalence Checking (CEC)Combinational Equivalence Checking (CEC)
Currently most practical and pervasive Currently most practical and pervasive equivalence checking technologyequivalence checking technology
Nearly full automation possibleNearly full automation possible Designs of up to several million gates Designs of up to several million gates
verified in a few hours or minutesverified in a few hours or minutes Hierarchical verification deployedHierarchical verification deployed Full chip verification possibleFull chip verification possible Key methodology:Key methodology: Convert sequential Convert sequential
equivalence checking to a CEC problem!equivalence checking to a CEC problem! Match Latches & extract comb. portions for ECMatch Latches & extract comb. portions for EC
CEC in Today’s ASIC Design FlowCEC in Today’s ASIC Design Flow
RTL Design
Synthesis & optimization
DFT insertion
IO Insertion
Placement
Clock tree synthesis
CEC
CEC
CEC
CEC
CECCEC
Routing
ECO
Solving Seq. EC as Comb. ECSolving Seq. EC as Comb. EC
LATCHES
NS1
PI
PO
PS1
Comb.Logic
CIR
CU
IT 1
PI
PO
NS2PS2
Comb.Logic
CIR
CU
IT 2
MATCH PI
PS
PO
NS
Comb. Logic 1
Comb. Logic 2
=?
PO
NS
Combinational Combinational Equiv. CheckingEquiv. Checking
Methods for Latch MappingMethods for Latch Mapping Incomplete MethodsIncomplete Methods
Regular expression-based using latch namesRegular expression-based using latch names Using simulation (Cho & Pixley ‘97): Using simulation (Cho & Pixley ‘97):
Group latches with identical simulation signaturesGroup latches with identical simulation signatures Group based on structural considerations e.g. Group based on structural considerations e.g.
cone of influencecone of influence Incomplete run of complete method below Incomplete run of complete method below
(Anastasakis et al DAC ‘02)(Anastasakis et al DAC ‘02)
Complete MethodsComplete Methods Functional fixed-point iteration based on Van Functional fixed-point iteration based on Van
Eijk’s algorithm (van Eijk ’95)Eijk’s algorithm (van Eijk ’95)
Van Eijk’s Method for Latch MappingVan Eijk’s Method for Latch Mapping
PI
PS
Comb. Logic 1
Comb. Logic 2
NS
NS=?
Apply Latch Mapping
Assumptions
Initial Latch Mapping
Approximation
Verify Latch Mapping
Assumptions
Fixed-point ?
Iterate
Done !!
Yes
No
CEC in PracticeCEC in Practice
Key Observation:Key Observation: The circuits being verified usually The circuits being verified usually have a number of internal equivalent functionshave a number of internal equivalent functions
To proveTo prove f (f (i1, i2,…in) = f’ () = f’ (i1, i2,…in))
i2i1
f
in
f’
xkx2x1
x1’x2’xk’
x1(i1, i2,…in) = x1’(i1, i2,…in)
x2(i1, i2,…in) = x2’(i1, i2,…in)
xk(i1, i2,…in) = xk’(i1, i2,…in)
f(x1, x2,…xk) = f’(x1’, x2’,…xk’)
Check
Internal Equiv. Based CEC AlgorithmInternal Equiv. Based CEC Algorithm
Random Simulation
Gather PENs
Is x=y?
Refine PEN sets using counter-
example
Is there an unjustified PEN
pair x,y ?
Structurally merge x,y
Done!
PI
PS
PONS
Comb. Logic 1
Comb. Logic
2
=?PO
NS
Combinational miter after latch mapping
Yes
Yes
No
NoPENs: Potentially equivalent nodes, i.e. nodes with identical simulation signature
BDD/ATPG/SAT
Anatomy of Typical CEC ToolsAnatomy of Typical CEC Tools
Circuit A
Circuit B
BDDSAT
ATPG
Multi-engine solver
Structural methods
Learning
Quick Synthesis
Latch Mapper
Counter-example
viewer
Error Diagnosis
Engine
Major Industrial Offerings of CECMajor Industrial Offerings of CEC
Formality Formality (Synopsys)(Synopsys) Conformal Suite Conformal Suite (Verplex, now Cadence)(Verplex, now Cadence) FormalPro FormalPro (Mentor Graphics)(Mentor Graphics) Typical capabilities of these tools:Typical capabilities of these tools:
Can handle circuits of up to Can handle circuits of up to several million gates flatseveral million gates flat in up in up to a few hours of runtimeto a few hours of runtime
Comprehensive Comprehensive debug tooldebug tool to pinpoint error-sources to pinpoint error-sources Counter-example displayCounter-example display && cross-linkcross-link of RTL and gate-level of RTL and gate-level
netlists for easier debuggingnetlists for easier debugging Ability to Ability to checkpointcheckpoint verification process and restart from verification process and restart from
same point latersame point later What ifWhat if capability (unique to FormalPro) capability (unique to FormalPro)
Reachability-based Equivalence CheckingReachability-based Equivalence Checking
Build product machine of MBuild product machine of M11 and M and M22
Traverse state-space of product Traverse state-space of product machine starting from reset states machine starting from reset states SS00, S, S11
Test equivalence of outputs in each Test equivalence of outputs in each statestate
Can use any state-space traversal Can use any state-space traversal techniquetechnique
M1
M2
=?
OutputsInputs
S0
S1Product Machine
S0
S1
Move to System-Level DesignMove to System-Level Design
System-level design
Manual effort
RTL
Gate-level design
Architecture exploration
Current design iterations
Barrier to adoption of System-level design
Methodology!Errors
!
System-Level VerificationSystem-Level Verification
Property & Model
Checking
Equivalence
Checking
System-level design
Manual effort
RTL
Gate-level design
System-level SynthesisSystem-level Synthesis
Automatic Synthesis
System-level design
Manual effort
RTL
Gate-level design
Scope of Today’s EC Technology Scope of Today’s EC Technology
Seq
uen
tial
diff
ere
nces
Data representation differences
Bit-accurate
Identical data typesComposite data types
Precision/roundingdifferences
FFs match
pipelining
scheduling
Serial vs parallel interfaces
Re-encoding of state
CombinationalEC
Upcoming: Transaction-Based ECUpcoming: Transaction-Based EC
The states in RTL that correspond to states The states in RTL that correspond to states in system-level model (SLM), are referred in system-level model (SLM), are referred to as to as synchronizingsynchronizing states states
SLM
RTL
Refinement mapping
Transient states
Complete Verification
or
Sequentialcounterexample
Transactions : State ViewTransactions : State View
Encapsulates one or more units of Encapsulates one or more units of computation for the design being verifiedcomputation for the design being verified
Self-contained since it brings the machine Self-contained since it brings the machine back to a synchronizing stateback to a synchronizing state
Refinement mapping
SLM
RTLRTL transaction
SL transaction
Equivalence Checking: ConclusionsEquivalence Checking: Conclusions Currently equivalence checking based on Currently equivalence checking based on
latch mapping+CEClatch mapping+CEC Methodology premised on structural similarity Methodology premised on structural similarity
of designs under comparisonof designs under comparison Efficient & scalableEfficient & scalable Maybe applicable to system-level problemsMaybe applicable to system-level problems
More general sequential EC somewhat More general sequential EC somewhat less exploredless explored
Might be needed for system level Might be needed for system level equivalence checkingequivalence checking
Tutorial OutlineTutorial Outline
Introduction Introduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Semi-Formal Verification Semi-Formal Verification TechniquesTechniques
MUKUL PRASAD
Fujitsu Labs. of America Sunnyvale, California
The need for Semi-formal VerificationThe need for Semi-formal Verification
Coverage
2K 20K 200K 2M
Existing
Formal
Verification
Random simulation
Manual testw/ coverage
FV Augmented Simulation
(Falsification)
GATES
FV + Complete coverage - Limited capacity
Simulation +Unlimited capacity - Poor coverage
FV Augmented Simulation+ Good coverage+ Good capacity
Section OutlineSection Outline
Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model Sequential ATPG-based model
checkingchecking Guided SearchGuided Search Smart SimulationSmart Simulation
Symbolic SimulationSymbolic Simulation
Symbolic simulation:Symbolic simulation: Symbolic expressions used for inputsSymbolic expressions used for inputs Expressions propagated to compute outputsExpressions propagated to compute outputs Equivalent to multiple constant simulations !!Equivalent to multiple constant simulations !!
a·b+b·c
a
b
c
1
1
0
1
Conventional Simulation:Conventional Simulation: Input & outputs are constants (0,1,X,…)Input & outputs are constants (0,1,X,…)
Problem: Too many constant
input combinations to simulate !!
Ref: Prof. David Dill, CAV ’99c
Symbolic Simulation (sequential case)Symbolic Simulation (sequential case)
a0
b0
a1
b1
c
a1·b1+b1·(a0·b0 + b0·c)
Unrolled Circuit
a0
b0
c
a0·b0 + b0 ·c
Time frame 1
a1·b1+b1·(a0·b0 + b0·c)
a1
b1
a0·b0 + b0·c
Time frame 2
Symbolic SimulationSymbolic Simulation
a
b
c
a·b + b ·c
1
b
c
b + c
a+b
b
c
b + c
Inputs can be constants
Input expressions
can be related
Simulate certain set Simulate certain set of patterns of patterns
Model signal Model signal correlationscorrelations
Can result in simpler Can result in simpler output expressionsoutput expressions
Symbolic SimulationSymbolic Simulation
Use BDDs as the symbolic representationUse BDDs as the symbolic representation Work at gate and MOS transistor levelWork at gate and MOS transistor level Can exploit abstraction capabilities of ’X’ Can exploit abstraction capabilities of ’X’
valuevalue Can be used to model unknown/don’t care Can be used to model unknown/don’t care
valuesvalues Common use in representing uninitialized state Common use in representing uninitialized state
variablesvariables Boolean functions extended to work with {0,1,X}Boolean functions extended to work with {0,1,X} Two BDD (binary) variables used to represent Two BDD (binary) variables used to represent
each symbolic variableeach symbolic variable
Symbolic SimulationSymbolic Simulation
Advantages Advantages Can handle larger designs than model checkingCan handle larger designs than model checking Can use a large variety of circuit modelsCan use a large variety of circuit models Possibly more natural for non-formalists.Possibly more natural for non-formalists. Amenable to partial verification.Amenable to partial verification.
Disadvantages Disadvantages Not good with state machines (possibly better Not good with state machines (possibly better
with data paths).with data paths). Does not support temporal logicDoes not support temporal logic
Requires ingenuity to prove properties.Requires ingenuity to prove properties.
Practical DeploymentPractical Deployment Systems:Systems:
COSMOS [bryant et al], Voss[Seger et al Intel]COSMOS [bryant et al], Voss[Seger et al Intel] Magellan [Synopsys]Magellan [Synopsys] InnologicInnologic
Exploiting hierarchyExploiting hierarchy Symbolically encode circuit structureSymbolically encode circuit structure
Based on hierarchy in circuit descriptionBased on hierarchy in circuit description Simulator operates directly on encoded circuitSimulator operates directly on encoded circuit
Use symbolic variables to encode both data values & Use symbolic variables to encode both data values & circuit structurecircuit structure
Implemented by Innologic, Synopsys (DAC ‘02)Implemented by Innologic, Synopsys (DAC ‘02) Greatest success in memory verification Greatest success in memory verification
(Innologic)(Innologic)
High-level Symbolic SimulationHigh-level Symbolic Simulation Data Types:Data Types: Boolean, bitvectors, int, reals, arrays Boolean, bitvectors, int, reals, arrays Operations:Operations: logical, arithmetic, equality, logical, arithmetic, equality,
uninterpreted functions uninterpreted functions Final expression contains variables and Final expression contains variables and
operatorsoperators Coupled with Decision procedures to check Coupled with Decision procedures to check
correctness of final expressioncorrectness of final expression Final expressions can also be manually checked Final expressions can also be manually checked
for unexpected terms/variables, flagging errors for unexpected terms/variables, flagging errors e.g. in JEM1 verification [Greve ‘98]e.g. in JEM1 verification [Greve ‘98]
High-level Symbolic SimulationHigh-level Symbolic Simulation Manipulation of symbolic expressions done Manipulation of symbolic expressions done
withwith Rewrite systems like in PVSRewrite systems like in PVS Boolean and algebraic simplifiers along with Boolean and algebraic simplifiers along with
theories of linear inequalities, equalities and theories of linear inequalities, equalities and uninterpreted functionsuninterpreted functions
Extensively used along with decision Extensively used along with decision procedures in microprocessor verificationprocedures in microprocessor verification Pipelined processors: DLXPipelined processors: DLX Superscalar processors: Torch (Stanford)Superscalar processors: Torch (Stanford) Retirement logic of Pentium ProRetirement logic of Pentium Pro Processors with out of order executionsProcessors with out of order executions
Section OutlineSection Outline
Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model Sequential ATPG-based model
checkingchecking Guided SearchGuided Search Smart SimulationSmart Simulation
Symbolic Trajectory Evaluation (STE)Symbolic Trajectory Evaluation (STE) Trajectory : Sequence of values of system Trajectory : Sequence of values of system
variablesvariables Example: c = AND (a, b) and delay is 1Example: c = AND (a, b) and delay is 1 A possible trajectory : (a,b,c) = (0, 1, X), (1, 1, 0), (1, 0, A possible trajectory : (a,b,c) = (0, 1, X), (1, 1, 0), (1, 0,
1), (X, X, 0), (X, X, X),… 1), (X, X, 0), (X, X, X),… Express behavior of system model as a set of Express behavior of system model as a set of
trajectories trajectories II and desired property as a set of and desired property as a set of trajectories trajectories SS
Determine if Determine if II is inconsistent with is inconsistent with SS Inconsistent: Inconsistent: II says 0 but says 0 but SS says 1 for a signal at time t says 1 for a signal at time t Consistent: Consistent: II says 0 but says 0 but SS says X or 0 for a signal at says X or 0 for a signal at
time ttime t
STE: An ExampleSTE: An Example
DinX
DoutX X X T = 0X
Dina
DoutX X X X T = 1X
DinX
DoutX a X X T = 2X
DinX
DoutX X a X T = 3X
DinX
DoutX X X a T = 4a
Din = a NNNN Dout = a
aAssert
Check
Din Dout
4-Bit Shift Register
Din = a NNNN Dout = a
Specification
If apply input a then 4 cycles later will get output a
Ref: Prof. Randal Bryant, 2002
STE: Pros, Cons & Practical UseSTE: Pros, Cons & Practical Use Advantage: Higher capacity than symbolic Advantage: Higher capacity than symbolic
model checkingmodel checking Disadvantage: Properties checkable not as Disadvantage: Properties checkable not as
expressive as CTLexpressive as CTL Practical success of STEPractical success of STE
Verification of arrays (memories, TLBs etc.) in Verification of arrays (memories, TLBs etc.) in Power PC architecturePower PC architecture
x86 Instruction length decoder for Intel processorx86 Instruction length decoder for Intel processor Intel FP adderIntel FP adder Microprocessor verificationMicroprocessor verification
Section OutlineSection Outline
Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model Sequential ATPG-based model
checkingchecking Guided SearchGuided Search Smart SimulationSmart Simulation
SAT-Based Bounded Model CheckingSAT-Based Bounded Model Checking
PI PO
LATCHES
NSPS
CL
FSM M
Question: Does M have a counter-example to F within k transitions ?
Biere et al (TACAS’99, DAC’99)
P ?
Example F: AG P
Property F
SAT-Based Bounded Model CheckingSAT-Based Bounded Model Checking
P
P
CL1 CL2 CLkI0 P
P‘1’
Unroll M for k time-frames
CNFSAT
Solver
Counter-example to AG
P
No Counter-example within k
steps
SAT
UNSAT
Open problem!!
SAT-based BMCSAT-based BMC
Primarily used for finding bugs !Primarily used for finding bugs ! Verification complete if Verification complete if k > sequential k > sequential
depthdepth of M of M Sequential depth computation or tight Sequential depth computation or tight
estimation intractable in practice estimation intractable in practice
Can express both safety and liveness Can express both safety and liveness properties (bounded semantics)properties (bounded semantics) All LTL formulasAll LTL formulas Unbounded fairness by detecting loopsUnbounded fairness by detecting loops
SAT-based BMC: Pros & Cons SAT-based BMC: Pros & Cons Advantages Advantages
SAT-BMC good at producing counter-examples SAT-BMC good at producing counter-examples upto medium depths (upto 50-60)upto medium depths (upto 50-60)
SAT solvers less sensitive to size of design: SAT solvers less sensitive to size of design: SAT-BMC can handle larger designsSAT-BMC can handle larger designs
SAT solvers require less parameter tuning: SAT solvers require less parameter tuning: Productivity gainProductivity gain
Drawbacks Drawbacks Incomplete method: Cannot verify propertiesIncomplete method: Cannot verify properties Ineffective at larger depths: Slow, CNF blow-upIneffective at larger depths: Slow, CNF blow-up Cannot describe all CTL propertiesCannot describe all CTL properties
Enhancements to basic SAT-BMCEnhancements to basic SAT-BMC
CNF generation for BMCCNF generation for BMC Bounded cone-of-influence: Biere Bounded cone-of-influence: Biere et alet al CAV’99 CAV’99 Circuit-graph compression: Ganai Circuit-graph compression: Ganai et alet al VLSID’02 VLSID’02 Binary time-frame expansion: Fallah ICCAD’02Binary time-frame expansion: Fallah ICCAD’02
Decision variable orderingDecision variable ordering BMC-specific static ordering: Strichman CAV’00BMC-specific static ordering: Strichman CAV’00 Tuning VSIDS for BMC: Shacham Tuning VSIDS for BMC: Shacham et alet al MTV’02 MTV’02
Addition of clauses/constraintsAddition of clauses/constraints Sharing clauses across BMC runs: Strichman CHARME’01Sharing clauses across BMC runs: Strichman CHARME’01 Learning clauses from BDDs: Gupta Learning clauses from BDDs: Gupta et alet al DAC’03 DAC’03 Using BDD reachability over-approx: Cabodi Using BDD reachability over-approx: Cabodi et alet al DATE’03 DATE’03
Section OutlineSection Outline
Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model Sequential ATPG-based model
checkingchecking Guided SearchGuided Search Smart SimulationSmart Simulation
Sequential ATPG for MCSequential ATPG for MC
CIRCUIT AUTOMATA
TEST NETWORK
from property
stuck-at fault
INPUT
CIRCUIT
s-a-0 fault
INPUT
p
AG p EF pe.g.
Proposed by Boppana, Rajan, Takayama & Fujita, CAV ‘99
Advantages of Sequential ATPG-based MCAdvantages of Sequential ATPG-based MC
No explicit storage of No explicit storage of statesstates
No need to build No need to build transition relationtransition relation
Good balance of DFS Good balance of DFS and BFS traversal of and BFS traversal of state-spacestate-space
Can model real-world Can model real-world primitives, primitives, e.g.e.g. tri-state tri-state buses, high impedence buses, high impedence valuevalue
No explicit unrolling of No explicit unrolling of time-framestime-frames
Uses circuit-based Uses circuit-based heuristics to guide or heuristics to guide or speed-up searchspeed-up search
vs BDDs vs SAT-BMC
Sequential ATPG for BMCSequential ATPG for BMC
Recent work Recent work by Abraham by Abraham et alet al (ITC’02, (ITC’02, VLSID’03)VLSID’03)
Model both Model both safety & safety & liveness liveness properties properties (bounded)(bounded)
ORIGINAL CIRCUIT
MONITOR
PROPERTY n
stuck-at faultTEST
NETWORK
start0 1 2 n-1 n
p
pp pp p
pp
pExample:
…
EG p
ATPG-MC: Current statusATPG-MC: Current status
Attempts to use simulation-based ATPG for Attempts to use simulation-based ATPG for falsification (Hsiao falsification (Hsiao et alet al HLDVT’01, DAC’02) HLDVT’01, DAC’02)
No research characterizing fragment of No research characterizing fragment of language (e.g. CTL, LTL) checkable through language (e.g. CTL, LTL) checkable through ATPG-based MCATPG-based MC
Some works report dramatic improvements of Some works report dramatic improvements of seq. ATPG-BMC vs. SAT-BMCseq. ATPG-BMC vs. SAT-BMC
Current efforts towards combining SAT Current efforts towards combining SAT solvers and sequential ATPG (SATORI solvers and sequential ATPG (SATORI ICCAD’03)ICCAD’03)
Section OutlineSection Outline
Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model checkingSequential ATPG-based model checking Guided Search (academic)Guided Search (academic) Smart Simulation (mixed engine)Smart Simulation (mixed engine)
SIVA (academic)SIVA (academic) Coverage-driven test generation: Magellan Coverage-driven test generation: Magellan
(industrial)(industrial) Test amplification: 0-in search (industrial)Test amplification: 0-in search (industrial)
Guided Search Guided Search
State-space search optimized for bug-State-space search optimized for bug-searching (Yang & Dill, DAC 98)searching (Yang & Dill, DAC 98)
Use prioritized searchUse prioritized search Cost function to pick next state to searchCost function to pick next state to search
Hamming distance to error statesHamming distance to error states
Prioritized Search
Error State
Breadth-first Search
Error State
Improving Guided SearchImproving Guided Search
Target enlargementTarget enlargementalso Yuan et al CAV 97also Yuan et al CAV 97
Improved cost functionImproved cost function TracksTracks
Compute series of approximate preimages
Use the approximate pre-image to estimate distance to enlarged target
GuidepostsGuideposts Designer provided hints/necessary Designer provided hints/necessary
pre-conditions for assertion violationpre-conditions for assertion violation
Bias search to explore search with Bias search to explore search with those pre-conditionsthose pre-conditions
Without Target
Enlargement
ErrorStates
Reset State
Enlarged Error States
Section OutlineSection Outline
Symbolic SimulationSymbolic Simulation Symbolic Trajectory evaluation (STE)Symbolic Trajectory evaluation (STE) SAT-based Bounded Model CheckingSAT-based Bounded Model Checking Sequential ATPG-based model checkingSequential ATPG-based model checking Guided Search (academic)Guided Search (academic) Smart Simulation (mixed engine)Smart Simulation (mixed engine)
SIVA (academic)SIVA (academic) Coverage-driven test generation: Magellan Coverage-driven test generation: Magellan
(industrial)(industrial) Test amplification: 0-in search (industrial)Test amplification: 0-in search (industrial)
Smart Simulation I : SIVASmart Simulation I : SIVA
Combines random simulation with BDDs and Combines random simulation with BDDs and combinational ATPGcombinational ATPG
Identify targetsIdentify targets Indicator variables, coverage goals, fail states etc.Indicator variables, coverage goals, fail states etc. Lighthouses: Lighthouses:
Several per targetSeveral per target ““Sub-targets” to guide SIVA to reach a targetSub-targets” to guide SIVA to reach a target
At each state identify targets with constant At each state identify targets with constant simulation signaturesimulation signature
Advance simulation by visiting states which causes Advance simulation by visiting states which causes such targets to toggle valuesuch targets to toggle value Search for such next state by ATPG/BDDsSearch for such next state by ATPG/BDDs
[Ganai, Aziz, Kuehlmann DAC ‘99]
R1’R1’
R5000’R5000’
RANDOMRANDOM
INITIALINITIAL
BDDBDD
ATPGATPG
R1R1
R2R2
R5000R5000
D1D1
D2D2
D1’D1’
SIVA - a run SIVA - a run
Key:Key: Determination of appropriate targets, Determination of appropriate targets, lighthouses etc. to guide the searchlighthouses etc. to guide the search
Smart Simulation II: MagellanSmart Simulation II: Magellan
Approach: Approach: Coverage-driven test generationCoverage-driven test generation Identify few interesting signals (typically <64): Identify few interesting signals (typically <64):
coverage signalscoverage signals Goal:Goal: Maximize Maximize state-coveragestate-coverage on coverage on coverage
signalssignals Test generationTest generation
Interleave random simulation with symbolic Interleave random simulation with symbolic simulation & SAT-BMCsimulation & SAT-BMC
Unreachability analysis Unreachability analysis (under-approx)(under-approx) Identify unreachable coverage states to reduce Identify unreachable coverage states to reduce
coverage target coverage target
[Ho et al, ICCAD 2000 (Synopsys)]
Magellan MethodologyMagellan Methodology
Random simulation:Random simulation: Deep narrow search Deep narrow search SAT-BMC:SAT-BMC: Short-range exhaustive (wide) search (<10 steps) Short-range exhaustive (wide) search (<10 steps) Symbolic simulation:Symbolic simulation: Middle range exhaustive (wide) search Middle range exhaustive (wide) search
Initial state
Coverage state
Random simulation
Symbolic simulation / SAT-BMC
(10-50 steps)(10-50 steps)
Smart Simulation III: 0-in SearchSmart Simulation III: 0-in Search
Approach:Approach: Test amplificationTest amplification Identify Identify “seed states”“seed states” reached through reached through
simulation simulation i.e.i.e. directed or random simulation directed or random simulation Explore exhaustively behavior around seed Explore exhaustively behavior around seed
states using formal methodsstates using formal methods SAT-BMC, BDDs, symbolic simulationSAT-BMC, BDDs, symbolic simulation
+ =
Formal Simulation 0-In Search
Methodology: Assertion-based VerificationMethodology: Assertion-based Verification
Use checkers (written in HDL) to:Use checkers (written in HDL) to: Specify targets for simulation/formal methods Specify targets for simulation/formal methods
Capturing buggy conditionsCapturing buggy conditions Specify environment of a module Specify environment of a module
Can be synthesized into constraintsCan be synthesized into constraints Specify interfaces between componentsSpecify interfaces between components
Inserting checkers:Inserting checkers: From 0-in From 0-in CheckerWareCheckerWare library (~60 checkers) library (~60 checkers) Specified by the user in VerilogSpecified by the user in Verilog Created automatically from RTL directives Created automatically from RTL directives
By By 0-in Check functional0-in Check functional tool tool Suggested by Suggested by 0-in Checklist0-in Checklist while analyzing RTL while analyzing RTL
A kind of sophisticated lint checkingA kind of sophisticated lint checking
0-in Search: Tool Flow0-in Search: Tool Flow
Instrumented Verilog RTL
Verilog Tests and Testbench
Standard Verilog Simulator
No firings in Verilog output
Simulation Trace (Seed)
Firings Log 0-in View GUI Standard Waveform Tool
Checker Control File
Verilog simulator (Firing Replay)
0-in Search 0-in Confirm
Verilog Files with 0-in Checkers
Source: 0-in Design Automation Verification
White-paper
Tutorial OutlineTutorial Outline
IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM Formal verification techniques for FSM Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Simulation Based VerificationSimulation Based Verification
INDRADEEP GHOSH
Fujitsu Labs. of America Sunnyvale, California
Section OutlineSection Outline
IntroductionIntroduction why simulationwhy simulation types of simulationtypes of simulation
Making simulation effectiveMaking simulation effective Coverage analysisCoverage analysis Test bench automationTest bench automation RTL ATPGRTL ATPG
SOC verification challengesSOC verification challenges Case studyCase study
Verification Using SimulationVerification Using Simulation
Test Sequences Test Cases/ Features
SpecImplementation to be Verified
Output Responses
=?
Expected Responses
Simulation and Abstraction LevelsSimulation and Abstraction Levels
Specification level simulationSpecification level simulation particular behavior or properties can be captured in UML like particular behavior or properties can be captured in UML like
languages and simulated. e.g. protocolslanguages and simulated. e.g. protocols Behavioral simulationBehavioral simulation
possible to simulate just C/C++/SpecC/SystemC programpossible to simulate just C/C++/SpecC/SystemC program checking with spec requires cutting out relevant portions of behaviorchecking with spec requires cutting out relevant portions of behavior
RTL simulationRTL simulation most widely used in industrymost widely used in industry many commercial toolsmany commercial tools checking with behavior requires time checkpointingchecking with behavior requires time checkpointing
Logic simulationLogic simulation fairly straight forward and easy to check with RTLfairly straight forward and easy to check with RTL detailed timing simulation comes into picturedetailed timing simulation comes into picture
Advantages/DisadvantagesAdvantages/Disadvantages
AdvantagesAdvantages simple conceptsimple concept scales well with design size compared to formal or semi-scales well with design size compared to formal or semi-
formal methodsformal methods most popular strategy in industrymost popular strategy in industry
DisadvantagesDisadvantages simulation semantics may not mimic hardwaresimulation semantics may not mimic hardware cannot be exhaustive cannot be exhaustive
cannot prove correctnesscannot prove correctness writing extensive test benches is tediouswriting extensive test benches is tedious do not know when to stopdo not know when to stop still can be resource intensive and slowstill can be resource intensive and slow
Static RTL checks : LintingStatic RTL checks : Linting
Design rule basedDesign rule based coding, style, documentation, naming, customcoding, style, documentation, naming, custom
Fix non-synthesizeable codeFix non-synthesizeable code no point simulating stuff that cannot be synthesizedno point simulating stuff that cannot be synthesized
Synthesis results vary based on coding stylesSynthesis results vary based on coding styles force uniform and correct style among all designersforce uniform and correct style among all designers
Verilog syntax can compile but create problems in Verilog syntax can compile but create problems in synthesis and simulationsynthesis and simulation comparing different length variables if(a[2:0] == b[1:0] )comparing different length variables if(a[2:0] == b[1:0] ) using blocking/non-blocking assignments at wrong placesusing blocking/non-blocking assignments at wrong places latch interfaces etc.latch interfaces etc.
Standard set of rules are based on Reuse Methodology Standard set of rules are based on Reuse Methodology Manual (RMM) (reference page 2)Manual (RMM) (reference page 2)
Linting CAD ToolsLinting CAD Tools
LEDA LEDA from Synopsysfrom Synopsys
nLintnLint from Novas Software from Novas Software integrated with the Debussy debugging systemintegrated with the Debussy debugging system
HDLLintHDLLint from Veritools from Veritools
VN-checkVN-check from TransEDA from TransEDA
SurelintSurelint from Verisity from Verisity
Spyglass Spyglass from Atrentafrom Atrenta
Tackling Simulation DrawbacksTackling Simulation Drawbacks
Simulation semantics may not mimic hardwareSimulation semantics may not mimic hardware Cannot be exhaustive Cannot be exhaustive
cannot prove correctnesscannot prove correctness
Writing extensive test benches is tediousWriting extensive test benches is tedious Do not know when to stopDo not know when to stop Still can be resource intensive and slowStill can be resource intensive and slow
RTL Simulation SemanticsRTL Simulation Semantics delay modeldelay model
each operation takes negligible timeeach operation takes negligible time operations are scheduled in terms of clock boundariesoperations are scheduled in terms of clock boundaries explicitly specified delay may be usedexplicitly specified delay may be used functional simulation may be different from later stage timing functional simulation may be different from later stage timing
simulationsimulation 4 valued logic is usually used (0, 1, X, Z)4 valued logic is usually used (0, 1, X, Z)
more complex logic possible e.g. more complex logic possible e.g. std_logic_vectorstd_logic_vector in VHDL in VHDL Blocking and Non-blocking assignments using syntaxBlocking and Non-blocking assignments using syntax
blocking assignments are sequentially executedblocking assignments are sequentially executed non blocking assignments are executed in parallel at end of a clock non blocking assignments are executed in parallel at end of a clock
boundaryboundary Value Change Dump (Value Change Dump (VCDVCD) file captures changes in values of ) file captures changes in values of
variables with timevariables with time
Event-driven SimulationEvent-driven Simulation
Event: change in logic value at a node, at Event: change in logic value at a node, at a certain instant of time a certain instant of time (V,T) (V,T)
Event-driven: only considers active nodesEvent-driven: only considers active nodes EfficientEfficient
Performs both timing and functional Performs both timing and functional verificationverification All nodes are visibleAll nodes are visible Glitches are detectedGlitches are detected
Most heavily used and well-suited for all Most heavily used and well-suited for all types of designstypes of designs
Event-driven SimulationEvent-driven Simulation
Event: change in logic value, at a certain instant of time Event: change in logic value, at a certain instant of time (V,T) (V,T)
10
1
0
1
0
1
D=2a
b
cEvents:•Input: b(1)=1•Output: none
10
1
0
1
0
1
D=2a
b
cEvents:•Input: b(1)=1•Output: c(3)=03
Event-driven SimulationEvent-driven Simulation
Uses a timewheel to manage the Uses a timewheel to manage the relationship between componentsrelationship between components
TimewheelTimewheel = list of all events not = list of all events not processed yet, sorted in time (complete processed yet, sorted in time (complete ordering)ordering)
When event is generated, it is put in the When event is generated, it is put in the appropriate point in the timewheel to appropriate point in the timewheel to ensure causalityensure causality
Event-driven SimulationEvent-driven Simulation
b(1)=1d(5)=1
D=1
10
1
0
1
D=2a
b
c
d(5)=1
d5
0
1
e
0
1
3
c(3)=0d(5)=1
0
1
4
d(5)=1
e(4)=0
6
e(6)=1
Cycle-based SimulationCycle-based Simulation Take advantage of the fact that most digital Take advantage of the fact that most digital
designs are largely synchronousdesigns are largely synchronous
Synchronous circuit: state elements change value on Synchronous circuit: state elements change value on active edge of clockactive edge of clock
Only boundary nodes are evaluatedOnly boundary nodes are evaluated
Internal Node
Boundary NodeLatches
Latches
Cycle-based SimulationCycle-based Simulation
Compute steady-state response of the circuit Compute steady-state response of the circuit at each clock cycleat each clock cycle at each boundary nodeat each boundary node
Latches
Latches
Internal Node
Cycle-based vs Event-drivenCycle-based vs Event-driven
Cycle-based:Cycle-based: Only boundary Only boundary
nodesnodes No delay No delay
informationinformation
Event-driven:Event-driven: Each internal nodeEach internal node Need scheduling and Need scheduling and
functions may be functions may be evaluated multiple evaluated multiple timestimes
At RTL if timing information is unknown Cycle-based is more At RTL if timing information is unknown Cycle-based is more appropriateappropriate
Cycle-based is 10x-100x faster than event-driven (and less Cycle-based is 10x-100x faster than event-driven (and less memory usage)memory usage)
Cycle-based does not detect glitches and setup/hold time Cycle-based does not detect glitches and setup/hold time violations, while event-driven doesviolations, while event-driven does
Simulation CAD ToolsSimulation CAD Tools
Event-driven simulatorsEvent-driven simulators Synopsys Synopsys VCS, SiroccoVCS, Sirocco
VCS is a fast Verilog simulatorVCS is a fast Verilog simulator Sirocco is a VHDL simulatorSirocco is a VHDL simulator
Cadence Cadence NCSim NCSim (VHDL, Verilog, mixed)(VHDL, Verilog, mixed) Model Tech. Model Tech. Modelsim Modelsim (VHDL, Verilog, mixed)(VHDL, Verilog, mixed)
Cycle-based simulatorsCycle-based simulators Quickturn Quickturn SpeedSimSpeedSim (VHDL) (VHDL) Synopsys Synopsys PureSpeedPureSpeed (Verilog) (Verilog) Cadence Cadence CobraCobra
VCD dump viewerVCD dump viewer e.g. Cadence e.g. Cadence SignalscanSignalscan
Integrated debugging environmentIntegrated debugging environment more sophisticated toolmore sophisticated tool cross references code, VCD waveform viewer, coverage analysis etc.cross references code, VCD waveform viewer, coverage analysis etc. integrates software debug features and hardware debug featuresintegrates software debug features and hardware debug features e.g. Novas Software e.g. Novas Software DebussyDebussy
Debugging ToolsDebugging Tools
clk
ab
bus[0:3] xxxx 5H 3H
time 0 10 20 30 40 50
Simulation semantics may not mimic hardwareSimulation semantics may not mimic hardware Cannot be exhaustive Cannot be exhaustive
cannot prove correctnesscannot prove correctness
Writing extensive test benches is tediousWriting extensive test benches is tedious Do not know when to stopDo not know when to stop Still can be resource intensive and slowStill can be resource intensive and slow
Tackling Simulation DrawbacksTackling Simulation Drawbacks
Coverage AnalysisCoverage Analysis Quantitative measure of simulation effectivenessQuantitative measure of simulation effectiveness Determines if the simulation test bench is exercising Determines if the simulation test bench is exercising
the design effectivelythe design effectively Concepts borrowed from software testingConcepts borrowed from software testing Various metrics availableVarious metrics available
HDL Design
Coverage Analysis Tool
Instrumented Design
Test Bench RTLSimulation
Gather Coverage Data
Display in GUI
Common Coverage MetricsCommon Coverage Metrics
* Statement Coverage - see if all statements are covered by testbench if ( a > 0)
e = c * d;else f = c + d;
if (b > 0) e = e + 1;
Example
Statement Coverage: 66.7%
* Branch Coverage - see if both sides are taken in all possible branches
if (b <= 0) did not occur Branch Coverage: 50%
Verification engineers shouldaim for 100% statement, branch and toggle coverage
* Toggle Coverage - see if each variable bit value has toggled
Condition CoverageCondition Coverage
* See if all possible conditions in an expression are taken
Example:if ((a < 0) && (b > 3) && (c = 5)) { ..... }
* All eight possibilities are to be present for 100% condition coverage - e.g. {(a>=0), (b<=3), (c != 5)} ; {(a >=0), (b<=3), (c=5)} etc.* All don’t care possibilities may not be feasible
- use only care combinations
Focussed Expression Coverage* Only try possibilities that make each clause important Thus try {(true, true, true); (false, true, true); (true, false, true); (true, true, false)}If some combinations are still not possible then expression in redundant!
Verification engineers should aim for > 95% FEC
Path CoveragePath Coverage
State = Q
Isb == ‘1’
State <= S
Done == ‘1’
State = R
yesno
yesno
State = Q
Isb == ‘1’
State <= S
Done == ‘1’
State = R
yesno
yesno
State = Q
Isb == ‘1’
State <= S
Done == ‘1’
State = R
yesno
yesno
State = Q
Isb == ‘1’
State <= S
Done == ‘1’
State = R
yesno
yesno
* Path Coverage: What % of paths are covered? - exponential number of paths - difficult to do the bookkeeping - impossible to get good coverage - false paths may hinder coverage - supported to a limited extent in most tools
Mostly ignored by verification engineerers
FSM CoverageFSM Coverage
If there are FSM descriptions in the machineIf there are FSM descriptions in the machine see that all states of all FSMs are visitedsee that all states of all FSMs are visited all possible state transitions in every FSM is takenall possible state transitions in every FSM is taken
FSMs need to be described in particular mannerFSMs need to be described in particular manner automatic extraction fails mostlyautomatic extraction fails mostly if other coverage metrics are good, this is already taken if other coverage metrics are good, this is already taken
care ofcare of else this should at least be 100%else this should at least be 100%
A B
C D
Cover - 4 states - 7 transitions
Coverage Analysis CAD ToolsCoverage Analysis CAD Tools
Work in conjunction with RTL simulatorsWork in conjunction with RTL simulators Synopsys Synopsys CovermeterCovermeter
Verilog coverage integrated with VCS simulatorVerilog coverage integrated with VCS simulator Verisity Verisity SurecovSurecov
Verilog coverage analysis tool integrated with Specman Verilog coverage analysis tool integrated with Specman Elite toolElite tool
TransEDA TransEDA Verification NavigatorVerification Navigator supports both VHDL and Verilog supports both VHDL and Verilog works with all major simulatorsworks with all major simulators
Cadence Cadence AffirmaAffirma works with their NCSim RTL simulators (VHDL and Verilog)works with their NCSim RTL simulators (VHDL and Verilog)
Coverage Analysis - Pros & ConsCoverage Analysis - Pros & Cons
Pros:Pros: provides some quantitative analysis of verification effortprovides some quantitative analysis of verification effort increases confidence level in simulation based verificationincreases confidence level in simulation based verification points out untested functionality in the designpoints out untested functionality in the design gives some type of closure to verification effortgives some type of closure to verification effort
Cons:Cons: cannot model many types of errorscannot model many types of errors high confidence level due to good coverage numbers can give high confidence level due to good coverage numbers can give
false sense of securityfalse sense of security observability of error is ignoredobservability of error is ignored still covering implementation, not specificationstill covering implementation, not specification
Importance of ObservabilityImportance of Observability
Example:Example:input a, b, c, d;f = 1;e = 0;
if ( a > 0) e = c * d;else f = c + d;
if (b > 0) print(e);else print(f);
simulate:a = 1, b = -1;a = 0, b = 1;
100% statement andbranch coverage, butno errors detected
error
error
Observability Enhanced Code Coverage AnalysisObservability Enhanced Code Coverage Analysis
Does vector set propagate an erroneous value on variable Does vector set propagate an erroneous value on variable aa to an to an observable output?observable output?
a = 1;
c = 4 - a;
printf(“%d”, c);
erroneous value
• This metric known as This metric known as OCCOMOCCOM is based on Fallah et.al’s work at DAC 98. is based on Fallah et.al’s work at DAC 98.
• Possibility of an error represented by tagging variable in left-hand side of Possibility of an error represented by tagging variable in left-hand side of an assignment or an expression by an assignment or an expression by +D+D oror -D-D ..
• A Tag at a location/variableA Tag at a location/variable represents the possibility that an represents the possibility that an incorrect value is present at the location/variableincorrect value is present at the location/variable
• Goal: see if Tag injected at a location is propagated to output by test setGoal: see if Tag injected at a location is propagated to output by test set
Tag PropagationTag Propagation
Positive, Negative and Unsigned tag Positive, Negative and Unsigned tag
Single error assumptionSingle error assumption
);printf( 4
1
%d",C "CA ;C
;A
Error ModelError Model
Errors in design modeled as errors in assignment statements Errors in design modeled as errors in assignment statements and expression clausesand expression clauses only positive and negative errors tackled to reduce complexityonly positive and negative errors tackled to reduce complexity sometimes unkown tags (sometimes unkown tags ('') ) generatedgenerated
Method confirms that a design error is detected if the vector Method confirms that a design error is detected if the vector set set activatesactivates and and propagatespropagates the required tag on the location of the required tag on the location of the errorthe error error may propagate even if tag does noterror may propagate even if tag does not tag propagation is conservativetag propagation is conservative if if ++ andand --collide then usuallycollide then usually ( ('') ) tag is killed after sometime but error tag is killed after sometime but error
can still be observablecan still be observable
Error model is sufficient but not necessary for error detectionError model is sufficient but not necessary for error detection
Research ResultsResearch Results
* How good is the tag coverage metric for tracking bugs?
- 30 typical bugs were introduced into a Fujitsu RTL circuit
- functional simulation done using intelligent vectors that target tag coverage and random vectors
Conclusion: Tag coverage closely tracks bug coverage but is slightly pessimistic.
Bug Coverage
Intelligent Vectors
Tag Coverage
Bug Coverage
Random Vectors
Tag Coverage
CWL (Component Wrapper Language)CWL (Component Wrapper Language)
Jointly developed by Hitachi and FujitsuJointly developed by Hitachi and Fujitsu Hierarchical description aimed at Hierarchical description aimed at
abstraction level conversionabstraction level conversion Support for split transactionsSupport for split transactions Support for interface specific hardwareSupport for interface specific hardware
Specification Coverage using CWLSpecification Coverage using CWL
Hierarchical Description: BaseHierarchical Description: Base
signalset all = {clk,rst, en, ad,wait,dt}; N : { R, 1, 1, x, 1, x}; I : { R, 0, x, x, 1, x}; Q(a): { R, 1, 0, a, 1, x}; W : { R, 1, 1, x, 0, x}; S(d): { R, 1, 1, x, 1, d}; endsignalset
signalset all = {clk,rst, en, ad,wait,dt}; N : { R, 1, 1, x, 1, x}; I : { R, 0, x, x, 1, x}; Q(a): { R, 1, 0, a, 1, x}; W : { R, 1, 1, x, 0, x}; S(d): { R, 1, 1, x, 1, d}; endsignalset
clk
rst
en
ad[9:0]
wait
dt[7:0]
II NN Q(a)Q(a) WW WW S(d)S(d)
a
d
NN
sentencesentence
Hierarchical Description: TransactionHierarchical Description: Transaction
word; nop : N ; reset : I ; read(a,d) : Q(a) W* S(d) ; endword
word; nop : N ; reset : I ; read(a,d) : Q(a) W* S(d) ; endword
resetreset
clk
rst
en
ad[9:0]
wait
dt[7:0]
nopnop read(a,d)read(a,d) nopnop
I N Q(a) W W S(d) N
a
d
sentence; reset [ nop | read ]+ ; endsentence
sentence; reset [ nop | read ]+ ; endsentence
Once specification sentence protocol generatedOnce specification sentence protocol generated create complete regular expressioncreate complete regular expression create FSM that recognizes regular expressioncreate FSM that recognizes regular expression convert FSM to Verilog monitorconvert FSM to Verilog monitor during simulation see that all transitions in FSM are during simulation see that all transitions in FSM are
coveredcovered
Then protocol specification completely verifiedThen protocol specification completely verified ensures coverage of all possible legal signal ensures coverage of all possible legal signal
combinationscombinations not just the interesting scenariosnot just the interesting scenarios
Specification Coverage using TransitionsSpecification Coverage using Transitions
Tackling Simulation DrawbacksTackling Simulation Drawbacks
Simulation semantics may not mimic hardwareSimulation semantics may not mimic hardware Cannot be exhaustive Cannot be exhaustive
cannot prove correctnesscannot prove correctness
Writing extensive test benches is tediousWriting extensive test benches is tedious Do not know when to stopDo not know when to stop Still can be resource intensive and slowStill can be resource intensive and slow
Test Bench AutomationTest Bench Automation Today’s ASICs and SOCsToday’s ASICs and SOCs
multi million gates, extremely complexmulti million gates, extremely complex 1000s of inputs and outputs1000s of inputs and outputs
Writing meaningful input patterns in 1s and 0s impossibleWriting meaningful input patterns in 1s and 0s impossible Impossible to verify output pattern in 1s and 0sImpossible to verify output pattern in 1s and 0s Need specialized language and framework Need specialized language and framework
toto write good, complex and extensive test benchwrite good, complex and extensive test bench Example: Ethernet frameExample: Ethernet frame
header, addresses, payload (variable length), error correction header, addresses, payload (variable length), error correction code (72 bytes to 10000 bytes)code (72 bytes to 10000 bytes)
Write function Write function Create_frame(parameters)Create_frame(parameters) creates correct frame in terms of patterns of 1s and 0s creates correct frame in terms of patterns of 1s and 0s
Key FeaturesKey Features Constrained input sequence generationConstrained input sequence generation
write input sequence in high level constructwrite input sequence in high level construct may use structures, fields etc.may use structures, fields etc.
put constraints on input fields put constraints on input fields tool converts these to signal level test sequencetool converts these to signal level test sequence tool can also solve for constraints on some inputstool can also solve for constraints on some inputs tool can iterate on several parameters to generate numerous test tool can iterate on several parameters to generate numerous test
sequences automaticallysequences automatically Automatic Output Checker generationAutomatic Output Checker generation
create a set of rules to check expected outputcreate a set of rules to check expected output again high level structures can be usedagain high level structures can be used e.g. if packet sent to port A from port B earlier that port C, they are output in e.g. if packet sent to port A from port B earlier that port C, they are output in
sequence in port A [check_packet( )]sequence in port A [check_packet( )] Concise property specification languagesConcise property specification languages Support for constrained random test generationSupport for constrained random test generation
Bus Functional ModelsBus Functional Models
These HDL models are used to convert higher level These HDL models are used to convert higher level transaction behavior to signal level inputstransaction behavior to signal level inputs test bench can be written and analyzed in high leveltest bench can be written and analyzed in high level once done prevents detailed signal level stimulus once done prevents detailed signal level stimulus
more robust and less error prone, hides detailsmore robust and less error prone, hides details
Example: memoryExample: memory
read()
write() BusFunctional Model
address[7:0]
data[7:0
rw
alevald Pre-defined
protocol with timing
Property Specification LanguagesProperty Specification Languages Is needed for unambiguous modeling of SpecIs needed for unambiguous modeling of Spec Should be formal yet easy to read/understandShould be formal yet easy to read/understand
support for real life properties - Boolean, temporal etcsupport for real life properties - Boolean, temporal etc support for modeling design input behavior support for modeling design input behavior
PSL SugarPSL Sugar from IBM standardized by Accellera from IBM standardized by Accellera it has 4 layers of formalismit has 4 layers of formalism Boolean layerBoolean layer
describes states of designdescribes states of design Temporal layerTemporal layer
describes behavior of design over timedescribes behavior of design over time Modeling layerModeling layer
model auxiliary state variables and state machines and input environmentmodel auxiliary state variables and state machines and input environment Verification layerVerification layer
directives to verification tool assume/assert/cover etc.directives to verification tool assume/assert/cover etc.
Writing Properties in Sugar Writing Properties in Sugar
ExampleExample {true[*];req;ack} |=> {start;busy[*];end}{true[*];req;ack} |=> {start;busy[*];end}
true
req
ack
start
busy
endif then
if then
Temporal OperatorsTemporal Operators
nevernever (read_enable and write_enable) (read_enable and write_enable) always always (req -> next ack)(req -> next ack)
when request is asserted ack must be asserted next cyclewhen request is asserted ack must be asserted next cycle
using using forallforall operator operator alwaysalways (req && data_in == ‘b000 -> next data_out == ‘b000) (req && data_in == ‘b000 -> next data_out == ‘b000) alwaysalways (req && data_in == ‘b001 -> next data_out == ‘b001) (req && data_in == ‘b001 -> next data_out == ‘b001) .. .. can be written ascan be written as forallforall i in 0..7 i in 0..7 alwaysalways (req && data_in == i -> next data_out == i) (req && data_in == i -> next data_out == i)
ExampleExample assert if assert if requestrequest signal is high for 5 cycles without the signal is high for 5 cycles without the acknowledgeacknowledge
signal going high, then system should assert signal going high, then system should assert busy flagbusy flag Sugar propertySugar property
vunit check_busy_flag {vunit check_busy_flag { assert assert { [*], {request & !acknowledge} [*5] } |-> {busy flag}{ [*], {request & !acknowledge} [*5] } |-> {busy flag} }}
If this checker is written in VerilogIf this checker is written in Verilog 50 lines of HDL code50 lines of HDL code
Automatic translators exist now Automatic translators exist now e.g. e.g. FOCS FOCS from IBMfrom IBM
Verification efficiency is increased a lotVerification efficiency is increased a lot
Assertion CheckingAssertion Checking
CAD Tools for Test Bench Automation CAD Tools for Test Bench Automation & Assertion Checking& Assertion Checking
Verisity Verisity Specman EliteSpecman Elite uses proprietary E language (free licenses available)uses proprietary E language (free licenses available)
Cadence Cadence TestbuilderTestbuilder uses C++ classes to automate testsuses C++ classes to automate tests
Synopsys Synopsys VeraVera uses its own OVL (Open Vera Language) (now open)uses its own OVL (Open Vera Language) (now open)
Avery Avery VCKVCK uses VLE (Verilog language enhancements)uses VLE (Verilog language enhancements)
As Accellera Sugar has become industry As Accellera Sugar has become industry standard all tools are now supporting itstandard all tools are now supporting it
Automatic Test Pattern Generation at RTLAutomatic Test Pattern Generation at RTL
Generating good RTL simulation test benches is hard and Generating good RTL simulation test benches is hard and tedioustedious still manual process still manual process
test bench automation helps somewhat but still need to write tests in test bench automation helps somewhat but still need to write tests in high-level test language like Sugar etc.high-level test language like Sugar etc.
may not exercise design completely (bugs may remain)may not exercise design completely (bugs may remain) Alternative: Alternative: attempt to generate RTL test benches attempt to generate RTL test benches
automatically by analyzing the RTL design (ATPG)automatically by analyzing the RTL design (ATPG) only HDL design is needed only HDL design is needed approach is bottom up as opposed to top downapproach is bottom up as opposed to top down
may not be suitable in all casesmay not be suitable in all cases
Requires RTL error models Requires RTL error models currently stuck-at fault model and OCCOM is usedcurrently stuck-at fault model and OCCOM is used experimentally determined they correlate well with bugsexperimentally determined they correlate well with bugs
Application ScenariosApplication Scenarios
Test Generation Algorithm/Tool
SCENARIO 2
Golden RTL Model
TestResponses
TestResponses=?
TestBench
OptimizedRTL model
* Formal RTL equivalence checking fails as circuits are too dissimilar
near 100% coverage
Test Generation Algorithm/Tool
SCENARIO 1
RTL Design Under Test
TestResponses
TestResponses=?
TestBench
ExecutableSpecification
near 100% coverage
Data Structure UsedData Structure Used Represent RTL netlist as an Represent RTL netlist as an
Assignment Decision Assignment Decision Diagram (ADD)Diagram (ADD)
Previously proposed for high-Previously proposed for high-level synthesis by Chaiyakul level synthesis by Chaiyakul et.al.et.al. (DAC 93) (DAC 93)
a 7 state st3 p q
< =
!
&
&
+ -
rc
c vv
• Advantages– Represents a structural view suitable for ATPG
Assignment Value
AssignmentTarget
AssignmentCondition
Case state is when st3 => if (a < 7) r = p + q; else r = p - q;
Example
Convert HDL file into a series of ADDsConvert HDL file into a series of ADDs each process converted to an ADDeach process converted to an ADD ADDs connected together by read and write nodesADDs connected together by read and write nodes
Infer RTL structural components from ADDsInfer RTL structural components from ADDs
Each inferred component is fed its logic-level stuck-at testEach inferred component is fed its logic-level stuck-at test 2-to-1 mux2-to-1 mux : 4 vectors: 4 vectors register / latchregister / latch : 4 / 2 vectors: 4 / 2 vectors logic gate logic gate : well known test set: well known test set memoriesmemories : checker board test: checker board test arithmetic module : precomputed testarithmetic module : precomputed test
an universal test set preferablean universal test set preferable random logic / test set unavailable random logic / test set unavailable
excite HDL code and observe effect at system primary outputexcite HDL code and observe effect at system primary output
Algorithm OverviewAlgorithm Overview
<
PI PI
PO
logic
Modeling RTL ValuesModeling RTL Values CgCg : control an n-bit bus to any of 2: control an n-bit bus to any of 2n n valuevalue C0C0 : control a variable to the 0 value (00..00): control a variable to the 0 value (00..00) C1C1 : control a variable to the 1 value (00..01): control a variable to the 1 value (00..01) Ca1Ca1 : control a variable to the all ones vector (11..11): control a variable to the all ones vector (11..11)
CA1 of 1 bit variable is C1CA1 of 1 bit variable is C1 CqCq : control a variable to any constant (5, 10, etc.): control a variable to any constant (5, 10, etc.) CsCs : control a state variable to a particular state value (St1): control a state variable to a particular state value (St1) CzCz : control to high-impedance state (zz..zzz): control to high-impedance state (zz..zzz) Cp : control to a particular range of integers (16-32)Cp : control to a particular range of integers (16-32) OO : observe an any fault on multi-bit variable or an 1/0 : observe an any fault on multi-bit variable or an 1/0
fault on a single-bit variable fault on a single-bit variable O’O’ : observe a 0/1 fault only for a single-bit variable: observe a 0/1 fault only for a single-bit variable
* These constants are sufficient to propagate test vectors across all RTL modules
Results & Ongoing ResearchResults & Ongoing Research This is in technology transfer phaseThis is in technology transfer phase
Has been applied on industrial examplesHas been applied on industrial examples Prototype shows huge speed up over logic ATPGPrototype shows huge speed up over logic ATPG
2 to 3 orders of magnitude reduction in CPU time 2 to 3 orders of magnitude reduction in CPU time Test sets automatically give close to 100% line, branch and condition Test sets automatically give close to 100% line, branch and condition
coveragecoverage Can be used as initial filter before manual test benches or formal Can be used as initial filter before manual test benches or formal
verificationverification Disadvantages:Disadvantages:
application scenarios limitedapplication scenarios limited still block level tool, about 20,000-50,000 line flat HDLstill block level tool, about 20,000-50,000 line flat HDL
search is NP complete and uses branch and boundsearch is NP complete and uses branch and bound
Ongoing researchOngoing research speed up engine using circuit SAT techniquesspeed up engine using circuit SAT techniques modify engine for RTL property checking modify engine for RTL property checking
Simulation semantics may not mimic hardwareSimulation semantics may not mimic hardware Cannot be exhaustive Cannot be exhaustive
cannot prove correctnesscannot prove correctness
Writing extensive test benches is tediousWriting extensive test benches is tedious Do not know when to stopDo not know when to stop Still can be resource intensive and slowStill can be resource intensive and slow
Tackling Simulation DrawbacksTackling Simulation Drawbacks
Stopping Criteria Stopping Criteria
Coverage basedCoverage based e.g. >99.5% line coverage, >99% branch coverage, >90% condition e.g. >99.5% line coverage, >99% branch coverage, >90% condition
coveragecoverage Bug rate basedBug rate based
when rate of new bugs detected fallen below particular level, e.g. - 2 when rate of new bugs detected fallen below particular level, e.g. - 2 per weekper week
Random simulation basedRandom simulation based e.g. random simulation ran for 3 days without probleme.g. random simulation ran for 3 days without problem
Some weighted average of all the aboveSome weighted average of all the above Use case emulationUse case emulation
e.g. video processor e.g. video processor watch output of emulator in real time on a TV screenwatch output of emulator in real time on a TV screen
Deadline basedDeadline based need to tape out chip, hence stop simulation !!need to tape out chip, hence stop simulation !!
Simulation semantics may not mimic hardwareSimulation semantics may not mimic hardware Cannot be exhaustive Cannot be exhaustive
cannot prove correctnesscannot prove correctness
Writing extensive test benches is tediousWriting extensive test benches is tedious Do not know when to stopDo not know when to stop Still can be resource intensive and slowStill can be resource intensive and slow
Tackling Simulation DrawbacksTackling Simulation Drawbacks
Still huge amounts of time and resources Still huge amounts of time and resources required to simulate multi-million gate designsrequired to simulate multi-million gate designs but only simulation scales to large designsbut only simulation scales to large designs
AlternativesAlternatives Hardware emulation/accelerationHardware emulation/acceleration Core based design of SOCCore based design of SOC
use preverified modules and just verify interfaceuse preverified modules and just verify interface some peculiar problems arisesome peculiar problems arise
Correct by construction designCorrect by construction design
Tackling the Time ComplexityTackling the Time Complexity
EmulationEmulation Compile RTL design into a number of FPGAs and PLDsCompile RTL design into a number of FPGAs and PLDs Directly simulate test bench on the hardware using a Directly simulate test bench on the hardware using a
computer interfacecomputer interface Capture output responses in a memory buffer and Capture output responses in a memory buffer and
display using the computerdisplay using the computer AdvantagesAdvantages
10X to 100X faster than software simulation10X to 100X faster than software simulation simulation semantics problems are lowersimulation semantics problems are lower
DisadvantagesDisadvantages systems are expensivesystems are expensive cumbersome to set upcumbersome to set up debugging support weaker than software debuggersdebugging support weaker than software debuggers
Tackling the Time ComplexityTackling the Time Complexity
Still huge amounts of time and resources Still huge amounts of time and resources required to simulate multi-million gate designsrequired to simulate multi-million gate designs but only simulation scales to large designsbut only simulation scales to large designs
AlternativesAlternatives Hardware emulation/accelerationHardware emulation/acceleration Core based design of SOCCore based design of SOC
use preverified modules and just verify interfaceuse preverified modules and just verify interface some peculiar problems arisesome peculiar problems arise
Correct by construction designCorrect by construction design
SOC Verification IssuesSOC Verification Issues What is new in SOC verification?What is new in SOC verification?
Why is SOC verification more challenging?Why is SOC verification more challenging? SOCs - large designs, small teamsSOCs - large designs, small teams
closer to computer systems than ASICscloser to computer systems than ASICs but built rapidly with small design teams using coresbut built rapidly with small design teams using cores
Verification team cannot get deep understanding of Verification team cannot get deep understanding of target designtarget design
Not enough resources to develop verification tools Not enough resources to develop verification tools specific to designspecific to design
Verification teams must rely on existing tools and Verification teams must rely on existing tools and technologytechnology generic knowledge of domain with small adaptationsgeneric knowledge of domain with small adaptations
More ChallengesMore Challenges Most SOCs contain a processorMost SOCs contain a processor
big and complex and programmablebig and complex and programmable Processors can be used to stimulate rest of the system but..Processors can be used to stimulate rest of the system but.. How to treat system softwareHow to treat system software
ignoring means not testing entire systemignoring means not testing entire system leaving it in means more difficult to use processor to test other leaving it in means more difficult to use processor to test other
componentscomponents HW/SW co-simulation a major issueHW/SW co-simulation a major issue
simulating processor will slow down RTL simulationsimulating processor will slow down RTL simulation hardware and software operate at different rateshardware and software operate at different rates modeling solutions are required modeling solutions are required
e.g. Instruction Set Architecturee.g. Instruction Set Architecture Interface issuesInterface issues
how to check that the cores are talking correctly with each other e.g. how to check that the cores are talking correctly with each other e.g. protocol verificationprotocol verification
Solution - Raise Abstraction LevelSolution - Raise Abstraction Level
Focus at level where design complexity liesFocus at level where design complexity lies AdvantagesAdvantages
match shift in design paradigmmatch shift in design paradigm improved productivity due to reasoning at right levelimproved productivity due to reasoning at right level early start of verification effortearly start of verification effort
start on high-level models of designstart on high-level models of design but use same methodology for lower levelbut use same methodology for lower level
New building blocksNew building blocks signals, packets, complex transactionssignals, packets, complex transactions cores instead of registers, FSMs etc.cores instead of registers, FSMs etc.
New Paradigms New Paradigms
Transaction based verification and coverageTransaction based verification and coverage System level test generatorsSystem level test generators New applications of formal verificationNew applications of formal verification
protocol verificationprotocol verification E.g. - Product by Jasper Design AutomationE.g. - Product by Jasper Design Automation
High Level Checking TechniquesHigh Level Checking Techniques
Behavioral rules can be checked to test aspects Behavioral rules can be checked to test aspects of behaviorof behavior e.g. : transaction ordering, coherencee.g. : transaction ordering, coherence
Need means to describe rules and check themNeed means to describe rules and check them e.g. : when write transaction begins all previous read e.g. : when write transaction begins all previous read
transactions have finishedtransactions have finished look for all read transactions and check their statuslook for all read transactions and check their status check order with respect to write transactioncheck order with respect to write transaction
Data flow is a good source of behavioral rulesData flow is a good source of behavioral rules record the history of each transactionrecord the history of each transaction analyze the the behavior of system according to the flow analyze the the behavior of system according to the flow
of transactions and their interactionof transactions and their interaction
Using System Level Test GeneratorsUsing System Level Test Generators
Goal: Systematic verification of IP (core) Goal: Systematic verification of IP (core) interaction to verify global functional behaviorinteraction to verify global functional behavior assumes each IP has been individually verifiedassumes each IP has been individually verified
Generates tests that cover the interaction among Generates tests that cover the interaction among IPsIPs
Tool Tool Esterel StudioEsterel Studio based on hierarchical concurrent finite state machines based on hierarchical concurrent finite state machines
(HFSMs)(HFSMs) Four step processFour step process
model system as HFSM (need lot of abstraction)model system as HFSM (need lot of abstraction) create symbolic testscreate symbolic tests transform tests to concrete teststransform tests to concrete tests simulate the concrete testssimulate the concrete tests
Creating Symbolic TestsCreating Symbolic Tests
Use BDD based traversal engine to compute all Use BDD based traversal engine to compute all the possible paths to the the possible paths to the test_completedtest_completed state in state in the global test scheduling FSMthe global test scheduling FSM each path is associated with an input sequenceeach path is associated with an input sequence
Transform input sequences to output sequences Transform input sequences to output sequences using the Esterel Studio simulatorusing the Esterel Studio simulator
The resulting sequences are commands to and by The resulting sequences are commands to and by the IPs that create the requested scenariothe IPs that create the requested scenario
config_data_channel_1req_dst_wav req_srcwrite_frame
Tackling the Time ComplexityTackling the Time Complexity
Still huge amounts of time and resources Still huge amounts of time and resources required to simulate multi-million gate designsrequired to simulate multi-million gate designs but only simulation scales to large designsbut only simulation scales to large designs
AlternativesAlternatives Hardware emulationHardware emulation Core based design of SOCCore based design of SOC
use preverified modules and just verify interfaceuse preverified modules and just verify interface some peculiar problems arisesome peculiar problems arise
Correct by construction designCorrect by construction design
Correct By ConstructionCorrect By Construction
Translation from higher to lower level descriptionTranslation from higher to lower level description automatic and correctautomatic and correct no need to verify lower level no need to verify lower level
Easier said than doneEasier said than done CAD tools will contain bugs (software program)CAD tools will contain bugs (software program) requires years of use before some degree of confidencerequires years of use before some degree of confidence
ExampleExample Synopsys Design CompilerSynopsys Design Compiler RTL to gate level generatorRTL to gate level generator after 12 years of use and numerous bug fixes most designers trust its after 12 years of use and numerous bug fixes most designers trust its
output in terms of functionalityoutput in terms of functionality timing still not completely robusttiming still not completely robust
Platform based designPlatform based design another design flow with this philosophyanother design flow with this philosophy
Case Study: Fujitsu 10GB Ethernet SwitchCase Study: Fujitsu 10GB Ethernet Switch
Fujitsu 10 Gb Ethernet Switch ChipFujitsu 10 Gb Ethernet Switch Chip Layer 2 SwitchLayer 2 Switch
12 I/O XAUI ports (IEEE 802.3ae)12 I/O XAUI ports (IEEE 802.3ae) MAC frame relay and spanning tree (802.1D)MAC frame relay and spanning tree (802.1D) Virtual LAN (802.1Q)Virtual LAN (802.1Q)
Design ComplexityDesign Complexity 6.3 million gates & 900 KBytes SRAM6.3 million gates & 900 KBytes SRAM approximately 70 million transistorsapproximately 70 million transistors process 0.11process 0.11
Processor(BPDU, GMRP, GVRP,
Management)
Switch Chip(Filtering, Relay)
Our mission is to verify the Switch Chip
Verification FrameworkVerification Framework
Test Program-1 (.cc)
Frame Generator(.cc)
ProcessorBFM (.v)
EEPROMBFM (.v)
XGMIIDriver /
Receiver (.cc)
XAUIDriver /
Receiver (.cc)
XAUIBFM(.v)
Sw
itch C
hip
(D
UV
)
Driver (.cc)
Interrupt Handler /Device Driver (.cc)
XA
UI
XGMIIBFM(.v) M
AC
ReferenceModel (.cc)
Verilog-HDL TestBuilder
Test Program-2 (.cc)
APIs
Black Box VerificationBlack Box Verification
Just see if design conforms to Spec.Just see if design conforms to Spec. Spec. - IEEE 802.3ae, 802.1D, 802.1QSpec. - IEEE 802.3ae, 802.1D, 802.1Q
over 1000 pages of English textover 1000 pages of English text IEEE Specifications conformance testIEEE Specifications conformance test
Micro-architecture independentMicro-architecture independent PICS (Protocol Implementation Conformance Statement)PICS (Protocol Implementation Conformance Statement)
somebody painfully went through the text to extract about 200 somebody painfully went through the text to extract about 200 points to test (this is well known)points to test (this is well known)
extracted 39 test cases (one test case can cover multiple tests)extracted 39 test cases (one test case can cover multiple tests)
Example: frame address is learnt by switchExample: frame address is learnt by switch send frame with source address A from port 2send frame with source address A from port 2 send frame with destination address A from port 3send frame with destination address A from port 3 check that second frame comes out at port 2check that second frame comes out at port 2
White Box VerificationWhite Box Verification
Test the special features of the chip not mentioned Test the special features of the chip not mentioned in IEEE Specin IEEE Spec implementation dependentimplementation dependent verification engineer need to understand design verification engineer need to understand design
functionalityfunctionality Micro-architecture dependent test casesMicro-architecture dependent test cases
E.g. 1. memory corruption testE.g. 1. memory corruption test memory protected by error correcting codememory protected by error correcting code intentionally corrupt memory during frame transmission intentionally corrupt memory during frame transmission see that error correction is occurring correctlysee that error correction is occurring correctly
E.g. 2. mode registers: extracted 88 test casesE.g. 2. mode registers: extracted 88 test cases Total dedicated test cases - 200Total dedicated test cases - 200
simulation cycles - 25.9 million simulation cycles - 25.9 million
IP VerificationIP Verification
Design used one 3rd party soft IPDesign used one 3rd party soft IP IP came with own testbenchIP came with own testbench Manually translated IP test bench to Manually translated IP test bench to
system test bench for regression testssystem test bench for regression tests verified line coverage of IP > 99.5% even within verified line coverage of IP > 99.5% even within
systemsystem 5 bugs were found in the IP5 bugs were found in the IP
Random SimulationRandom Simulation
Random testRandom test Arbitrary random frames generationArbitrary random frames generation Reference model for automatic verificationReference model for automatic verification
this is tricky as bugs may be in reference modelthis is tricky as bugs may be in reference model may be tedious to writemay be tedious to write
Best used to hit assertions put in by Best used to hit assertions put in by designerdesigner the random seeds needs to be stored for each the random seeds needs to be stored for each
test case so that failed test may be reproducedtest case so that failed test may be reproduced Random testRandom test
#cycles: 1B (2M frames)#cycles: 1B (2M frames)
Coverage AnalysisCoverage Analysis At this pointAt this point
line coverage > 95%line coverage > 95% branch coverage > 90%branch coverage > 90%
If not rethink verification strategyIf not rethink verification strategy OtherwiseOtherwise
find uncovered codefind uncovered code ask designer what he intended to do in that piece of code (broad ask designer what he intended to do in that piece of code (broad
idea only)idea only) write test case to test functionalitywrite test case to test functionality careful not to repeat same bugcareful not to repeat same bug
Final CoverageFinal Coverage line - 99.3%line - 99.3% branch - 99.5%branch - 99.5% condition - 94.5%condition - 94.5%
Code SizeCode Size
10 Gb Switch Chip (Hierarchical RTL Verilog): 10 Gb Switch Chip (Hierarchical RTL Verilog): 75k lines75k lines Bus Functional Models (Verilog) : Bus Functional Models (Verilog) : 6k lines6k lines Transaction Verification Model (C++)Transaction Verification Model (C++)
with random testwith random test : : 10k lines10k lines Test Programs (C++)Test Programs (C++) : : 48k lines48k lines Total RTL Verilog - Total RTL Verilog - 75K lines75K lines Total Verification Testbench - Total Verification Testbench - 64K lines64K lines (almost same as (almost same as
design)design)
Bug RateBug Rate
0
50
100
150
200
250
300TotalBlock LevelSystem Level
271
157114
2468
1012141618
Block LevelSystem Level
00 2 4 6 8 11 13 15 17 19 21 23 25 27week
00 2 4 6 8 11 13 15 17 19 21 23 25 27week
Start Unit Level Verification
Start System Level Verification(early functional)
Start System Level Verification (full functional)
First Code Review
LogicFreeze
Use Case SimulationUse Case Simulation Final stepFinal step
Get a few typical applications running on 2 to 3 serversGet a few typical applications running on 2 to 3 servers these applications should need to exchange data between them these applications should need to exchange data between them
frequently over the LANfrequently over the LAN obtain data traffic trace over the LAN assuming they are obtain data traffic trace over the LAN assuming they are
connected by this switchconnected by this switch
Simulate/Emulate with this traffic and the applicationsSimulate/Emulate with this traffic and the applications
Check applications are running correctlyCheck applications are running correctly
This step is more involved than software simulationThis step is more involved than software simulation requires testing board, emulator, memory dump, accelerator etc.requires testing board, emulator, memory dump, accelerator etc.
Lessons LearntLessons Learnt
Verification needs to start early in design cycleVerification needs to start early in design cycle even with partial designseven with partial designs
Designers are responsible for block-level verificationDesigners are responsible for block-level verification
Dedicated verification team for system-level verificationDedicated verification team for system-level verification
Equivalence check after scan insertionEquivalence check after scan insertion
Coverage analysis necessary but not sufficient Coverage analysis necessary but not sufficient
Hardware/Software co-simulation necessaryHardware/Software co-simulation necessary
Only function verification not enoughOnly function verification not enough Timing verification & complete DRC check equally importantTiming verification & complete DRC check equally important
Tutorial OutlineTutorial Outline
IntroductionIntroduction High level design flow and verification issuesHigh level design flow and verification issues Theorem proving and Decision proceduresTheorem proving and Decision procedures Formal verification techniques for FSM modelsFormal verification techniques for FSM models Semi-formal verification techniquesSemi-formal verification techniques Simulation based verification techniquesSimulation based verification techniques Conclusions and future directionsConclusions and future directions
Verification ImportanceVerification Importance It is obvious that we need to verify a design before fabricationIt is obvious that we need to verify a design before fabrication Many famous bugsMany famous bugs
Pentium floating pointPentium floating point Arian 5 rocket blow upArian 5 rocket blow up Mars polar lander crash landsMars polar lander crash lands
Design productivity gapDesign productivity gap technology available to put 1 billion transistors on chiptechnology available to put 1 billion transistors on chip inability of designers to design that kind of chipinability of designers to design that kind of chip verification bottleneckverification bottleneck
70% of chip design effort is spent on verification70% of chip design effort is spent on verification
Robust and scalable solutions are requiredRobust and scalable solutions are required verification effort is reducedverification effort is reduced larger designs can be addressedlarger designs can be addressed
Various Types of VerificationVarious Types of Verification Higher order theorem proving and decision proceduresHigher order theorem proving and decision procedures
mostly manual effort and cumbersomemostly manual effort and cumbersome requires deep understanding of algorithmrequires deep understanding of algorithm still mostly in research phase with limited industrial applicationstill mostly in research phase with limited industrial application
Formal VerificationFormal Verification has become industrial practice in last few yearshas become industrial practice in last few years combinational equivalence checking very successfulcombinational equivalence checking very successful sequential equivalence checking needs worksequential equivalence checking needs work model checking automatic but does not scale wellmodel checking automatic but does not scale well
still block level (10,000 gates 1,000 FFs)still block level (10,000 gates 1,000 FFs) some techniques to reduce state space are practicalsome techniques to reduce state space are practical
may increase frontier by 4-5 timesmay increase frontier by 4-5 times
Semiformal VerificationSemiformal Verification recently SAT solvers have become extremely efficient recently SAT solvers have become extremely efficient bounded model checking is being used bounded model checking is being used
handles large designs but can go to about 1,000 cycles deephandles large designs but can go to about 1,000 cycles deep
Simulation BasedSimulation Based most popular in industry (mature technology)most popular in industry (mature technology) scalable but requires huge amounts of CPU and memory scalable but requires huge amounts of CPU and memory full chip simulation may not be practical in few yearsfull chip simulation may not be practical in few years coverage is an issue and cannot prove correctnesscoverage is an issue and cannot prove correctness
Various Types of VerificationVarious Types of Verification
Verification DirectionsVerification Directions Driven by design flowDriven by design flow
higher levels of abstractionhigher levels of abstraction formal specification languagesformal specification languages mapping verification problems to lower level enginesmapping verification problems to lower level engines
design reusedesign reuse interface verificationinterface verification system level verificationsystem level verification
Tackling larger designs in formal verificationTackling larger designs in formal verification efficient formal enginesefficient formal engines sequential equivalence checkerssequential equivalence checkers filter based techniquesfilter based techniques
using multiple enginesusing multiple engines hybrid engineshybrid engines
e.g. BDD/SAT/ATPG combinatione.g. BDD/SAT/ATPG combination higher level reasoning higher level reasoning
need to automateneed to automate
Current Industry PracticesCurrent Industry Practices Most designs still start at RTLMost designs still start at RTL
RTL simulation well understood and usedRTL simulation well understood and used many mature CAD toolsmany mature CAD tools getting more and more difficult to do full chip simulationgetting more and more difficult to do full chip simulation
Model checking tools gaining popularity at block levelModel checking tools gaining popularity at block level writing meaningful set of properties difficultwriting meaningful set of properties difficult designers need to change mindsetdesigners need to change mindset
property specification languages becoming popularproperty specification languages becoming popular automatic property extraction cannot go very farautomatic property extraction cannot go very far many new CAD tool offerings from EDA vendorsmany new CAD tool offerings from EDA vendors
functionality still evolvingfunctionality still evolving
Equivalence checking mainstream for certain casesEquivalence checking mainstream for certain cases Emulation used for real-time systemsEmulation used for real-time systems Functional verification not end of storyFunctional verification not end of story
timing verification and DRC check very importanttiming verification and DRC check very important
New CAD Tool OfferingsNew CAD Tool Offerings
Model Checking toolsModel Checking tools @HDL, Real Intent, Verplex@HDL, Real Intent, Verplex
Semi-formal verification toolsSemi-formal verification tools 0-in 0-in Synopsys MagellanSynopsys Magellan
Interface/Protocol Verification toolsInterface/Protocol Verification tools Jasper Design AutomationJasper Design Automation
Hardware accelerationHardware acceleration Tharus SystemsTharus Systems
Coverage analysis and debugging toolsCoverage analysis and debugging tools Novas DebussyNovas Debussy Sugar based tools from TransEDA, VerisitySugar based tools from TransEDA, Verisity
Research IssuesResearch Issues Design and Verification at high levels of abstractionDesign and Verification at high levels of abstraction
new modeling issuesnew modeling issues Eg: what if Spec is in UMLEg: what if Spec is in UML
how to generate problem, map problemhow to generate problem, map problem
Faster enginesFaster engines more efficient BDDsmore efficient BDDs
efficient and automatic abstraction-refinementefficient and automatic abstraction-refinement faster SAT solversfaster SAT solvers
better learning and pruning techniquesbetter learning and pruning techniques combining enginescombining engines
ATPG/SAT combinationATPG/SAT combination BDD/SAT combinationBDD/SAT combination
use of higher level information to guide searchuse of higher level information to guide search methodology issuesmethodology issues
Interface specification and verificationInterface specification and verification automatic static checks automatic static checks
Concluding RemarksConcluding Remarks Verification is a fundamental problem for everyoneVerification is a fundamental problem for everyone
not only hardware but software, mechanical, electrical everywherenot only hardware but software, mechanical, electrical everywhere will not be irrelevant until correct-by-construction from English is will not be irrelevant until correct-by-construction from English is
possible (looks impossible so far)possible (looks impossible so far) It is becoming a design bottleneck in hardwareIt is becoming a design bottleneck in hardware
path breaking inventions are requiredpath breaking inventions are required serious industrial and academic efforts are requiredserious industrial and academic efforts are required
Newer products will emerge in the formal domainNewer products will emerge in the formal domain still nascent technologystill nascent technology
Remains an exciting filed of researchRemains an exciting filed of research Verification will evolve as design methodology evolvesVerification will evolve as design methodology evolves
newer problems, newer solutionsnewer problems, newer solutions No single approach will sufficeNo single approach will suffice
BooksBooks B. Berard et. al., “Systems and Software Verification: Model Checking Techniques and Tools”, Springer
Verlag, 2001. J. Bergeron, “Writing Testbenches: Functional Verification of HDL Models”, Kluwer Academic
Publishers, Boston, 2000. D.D. Gajski et. al., “SpecC: Specification Language and Methodology”, Kluwer Academic Publishers,
Boston, 2000. J. Bhasker, “ A SystemC Primer ”, Star Galaxy Press, Allentown, 2002. M. Suart and D. Dempster, “ Verification Methodology Manual for Code Coverage in HDL Designs”,
Teamwork International, Hampshire, UK, 2000. K. L. McMillan, ``Symbolic Model Checking'', Kluwer Academic Publishers, 1993. Z. Manna and A. Pnueli, “Temporal Specification and Verification of Reactive Systems” Vol. I and II,
Springer 1995. Ching-Tsun Chou, "The Mathematical Foundation of Symbolic Trajectory Evaluation", Springer-Verlag
1999. Thomas Kropf: "Introduction to Formal Hardware Verification", (Springer Verlag; ISBN: 3540654453, 299
pages, January 2000) E. M. Clarke, O. Grumberg and D. Peled, "Model Checking", (MIT Press; ISBN: 0262032708; 330 pages;
January 2000) G. J. Holzmann, “Design and Validation of Computer Protocols”, Prentice Hall, 1991. M. P. Fourman, “Formal System Design”, Formal Methods for VLSI Design, IFIP, 1990, North-Holland. C. Meinel and T. Theobald, “Algorithms and Data Structures in VLSI Design”, Springer-Verlag, 1998. Hassan Gomaa, “Designing Concurrent, Distributed and Real-Time Applications with UML”, Addison-
Wesley, July 2000.
BooksBooks L. Bening and H. Foster, “Principles of Verifiable RTL Design: Functional Coding Style Supporting
Verification Processes in Verilog”, published by Kluwer Academic Publishers, 2000. R. P. Kurshan, “Computer Aided Verification of Coordinating Processes”, Princeton University Press,
1994. Robert B. Jones, “Symbolic Simulation Methods for Industrial Formal Verification”, Kluwer Academic
Publishers, Boston, 2002. M. Yoeli, "Formal Verification of Hardware Design", IEEE Computer Society Press, 1991. (Book
containing a collection of papers) R. P. Kurshan, “Computer Aided Verification of Coordinating Processes”, Princeton University Press,
1994. G. J. Holzmann, “Design and Validation of Computer Protocols”, Prentice Hall, 1991. M. P. Fourman, “Formal System Design”, Formal Methods for VLSI Design, IFIP, 1990, North-Holland. C. Meinel and T. Theobald, “Algorithms and Data Structures in VLSI Design”, Springer-Verlag, 1998. M. Kaufmann, P. Manolios, and J S. Moore, "Computer-Aided Reasoning: An Approach", (Kluwer
Academic Publishers, June 2000; ISBN 0792377443) Robert B. Jones, Symbolic Simulation Methods for Industrial Formal Verification, Kluwer Academic
Publishers, Boston, 2002. M. Yoeli, "Formal Verification of Hardware Design", IEEE Computer Society Press, 1991. (Book
containing a collection of papers) M. Kaufmann, P. Manolios, and J S. Moore, "Computer-Aided Reasoning: An Approach", (Kluwer
Academic Publishers, June 2000; ISBN 0792377443) M. Keating and P. Bricaud “Reuse Methodology Manual for System-On-A-Chip Designs,” Kluwer
Academic Publishers, June 1998.
PapersPapersHigh Level Design and Verification Modeling D. D. Gajski, ``IP-Based Design Methodology'', Proc. of the 36th Design Automation Conference, pp.
43, New Orleans, June 1999. D. Kroening and E. Clarke, “Behavioral consistency of C and Verilog programs using bounded model
checking,” in Proc. DAC, June 2003. T. Sakunkonchak and M. Fujita, “Verification of synchronization in SpecC description with the use of
difference decision diagram,” IEICE Trans. Fundamentals, Vol. E85-A, Jan 2002. T. Matsumoto and M. Fujita, “Equivalence checking of C-based hardware descriptions by using
symbolic simulation and program slicer,” in Proc. IWLS, May 2003. T. Ball and S. Rajamani, “Checking Temporal Properties of Software with Boolean Programs”, in
Proc. Computer Aided Verification 2000, [Microsoft SLAM project] R. Bryant et . al. “Processor Verification Using Efficient Reductions of the Logic of Uninterpreted
Functions to Propositional Logic” in ACM Trans. on Computational Logic, Vol 2., 2001.
S. Singh, “Design and Verification of CoreConnectTM IP using Esterel,” in Proc CHARME 2003
S. Sutherland, “System Verilog 3.1 Its what the DAVEs in you company asked for”. in Proc. DVCON 2003
S. Abdi, D. Shin and D. Gajski, "Automatic Communication Refinement for System Level Design,” Proceedings of Design Automation Conference, Anaheim, CA, June 2003.
W. Mueller, R. Dömer, A. Gerstlauer, "The Formal Execution Semantics of SpecC,"in Proceedings of International Symposium on System Synthesis, October 2002.
PapersPapersTheorem Proving & Decision Procedures S. Owre and S. Rajan and J.M. Rushby and N. Shankar and M.K. Srivas, “PVS: Combining
Specification, Proof Checking, and Model Checking”, 411-414, CAV96. S. Owre and S. Rajan and J.M. Rushby and N. Shankar and M.K. Srivas, “PVS: Combining
Specification, Proof Checking, and Model Checking”, 411-414, CAV96. D. Cyrluk, S. Rajan, N. Shankar and M. K. Srivas, “Effective Theorem Proving for Hardware
Verification”, pp. 287-305, TPCD94. S. J. Garland and J. V. Guttag, “An Overview of LP: the Larch Prover”, Proceedings of the
Third International Conference on Rewriting Techniques and Applications, 1989, Springer-Verlag.
J. Staunstrup and M. Greenstreet, “Synchronized Transitions”, Formal Methods for VLSI Design, 1990, IFIP, North-Holland.
R. Vemuri, “How to Prove the Completeness of a Set of Register Level Design Transformations”, Proceedings of the 27th ACM/IEEE Design Automation Conference, 1990, 207—212.
D. Cyrluk, S. Rajan, N. Shankar and M. K. Srivas, “Effective Theorem Proving for Hardware Verification”, pp. 287-305, TPCD94.
S. J. Garland and J. V. Guttag, “An Overview of LP: the Larch Prover”, Proceedings of the Third International Conference on Rewriting Techniques and Applications, 1989, Springer-Verlag.
J. Staunstrup and M. Greenstreet, “Synchronized Transitions”, Formal Methods for VLSI Design, 1990, IFIP, North-Holland.
C. M. Angelo, “Formal Hardware Verification ina Silicon Compilation Environment by means of Theorem Proving”, Ph.D. Dissertation, Katholieke Universiteit Leuven (February, 1994).
PapersPapers R. Vemuri, “How to Prove the Completeness of a Set of Register Level Design
Transformations”, Proceedings of the 27th ACM/IEEE Design Automation Conference, 1990, 207—212.
Jeffrey J. Joyce and Carl-Johan H. Seger, “Linking Bdd Based Symbolic Evaluation to Interactive Theorem Proving”, Proceedings of the 30th Design Automation Conference, 1993.
S. P. Rajan, N. Shankar and M. Srivas, “An Integration of Model-Checking with Automated Proof Checking”, 7th Conference on Computer-Aided Verification, July, 1995.
M.D. Aagard, R.B. Jones and C.-J.H. Seger, “Combining Theorem Proving and Trajectory Evaluation in an Industrial Environment”, Proceedings of DAC 1998, pp. 538-541
C.W. Barrett, D.L. Dill and J.R. Levitt, “A Decision Procedure for Bit-Vector Arithmetic”, Proceedings of DAC 1998
J.R. Burch and D.L. Dill, “Automatic Verification of Pipelined Microprocessor Control”, Proceedings of CAV 1994
J.X. Su, D.L. Dill and C.W. Barrett, “Automatic Generation of Invariants in Processor Verification”, Proceedings of FMCAD 1996
M. Aagaard, M. E. Leeser, and P. J. Windley, “Toward a Super Duper Hardware Tactic”, in Higher Order Logic Theorem Proving and its Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 399-412.
F. Andersen, K. D. Petersen, and J. S. Pettersson, `A Graphical Tool for Proving UNITY Progress', in Higher Order Logic Theorem Proving and Its Applications: 7th International Workshop, Valletta, Malta, September 1994: Proceedings, edited by T. F. Melham and J. Camilleri, Lecture Notes in Computer Science, Volume 859 (Springer-Verlag, 1994), pp. 17-32.
PapersPapers S. Agerholm, `Domain Theory in HOL', in Higher Order Logic Theorem Proving and its
Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 295-310.
S. Agerholm, `Formalising a Model of the lambda-calculus in HOL-ST' Technical Report Number 354, University of Cambridge Computer Laboratory (1994).
S. Agerholm, “A HOL Basis for Reasoning about Functional Programs”, Ph.D. Dissertation, BRICS Technical Report RS-94-44, Department of Computer Science, University of Aarhus (December 1994).
S. Agerholm, “LCF Examples in HOL”, The Computer Journal, vol. 38, no. 2 (July 1995), pp. 121-130.
S. Agerholm, `Mechanizing Program Verification in HOL', in Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications, Davis, August 1991, edited by M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley (IEEE Computer Society Press, 1992), pp. 208-222.
S. Agerholm, `Mechanizing Program Verification in HOL', M.Sc. Dissertation, DAIMI Report Number IR-111, Department of Computer Science, University of Aarhus (April 1992).
S. Agerholm “Non-Primitive Recursion Function Definition”, in Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Aspen Grove, Utah, September 1995: Proceedings, edited by E. T. Schubert, P. J. Windley, and J. Alves-Foss, Lecture Notes in Computer Science, Volume 971 (Springer-Verlag, 1995), pp. 17-31.
F. Andersen and K. D. Petersen, `Recursive Boolean Functions in HOL', in Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications, Davis, August 1991, edited by M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley (IEEE Computer Society Press, 1992), pp. 367-377.
PapersPapers C. M. Angelo, L. Claesen, and H. De Man, “Degrees of Formality in Shallow Embedding
Hardware Description Languages in HOL”, in Higher Order Logic Theorem Proving and its Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 89-100.
C. M. Angelo, L. Claesen, and H. De Man, `The Formal Semantics Definition of a Multi-Rate DSP Specification Language in HOL', in Higher Order Logic Theorem Proving and its Applications: Proceedings of the IFIP TC10/WG10.2 International Workshop, Leuven, September 1992, edited by L. J. M. Claesen and M. J. C. Gordon, IFIP Transactions A-20 (North-Holland, 1993), pp. 375-394.
C. M. Angelo, L. Claesen, and H. De Man, “Modeling Multi-rate DSP Specifiction Semantics for Formal Transformational Design in HOL”, Formal Methods in System Design, vol. 5, nos. 1/2 (July 1994), pp. 61-94.
R. J. R. Back and J. von Wright, `Predicate Transformers and Higher Order Logic', in Semantics: Foundations and Applications: REX Workshop, Beekbergen, June 1992, edited by J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, Lecture Notes in Computer Science, Volume 666 (Springer-Verlag, 1993), pp. 1-20.
R. J. R. Back and J. von Wright, `Refinement Concepts Formalised in Higher Order Logic', Formal Aspects of Computing, Vol. 2, No. 3 (July-September 1990), pp. 247-272.
S. Bainbridge, A. Camilleri, and R. Fleming, `Industrial Application of Theorem Proving to System Level Design', in Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications, Davis, August 1991, edited by M. Archer, J. J. Joyce, K. N. Levitt, and P. J. Windley (IEEE Computer Society Press, 1992), pp. 130-142.
F. Andersen, K. D. Petersen, and J. S. Pettersson, `Program Verification using HOL-UNITY', in Higher Order Logic Theorem Proving and its Applications: 6th International Workshop, HUG'93, Vancouver, B.C., August 11-13 1993: Proceedings, edited by J. J. Joyce and C.-J. H. Seger, Lecture Notes in Computer Science, vol. 780 (Springer-Verlag, 1994), pp. 1-15.
PapersPapers R. H. Beers and P. J. Windley, `Abstracting Signals: The waveform Library', in
Supplementary Proceedings of the 9th International Conference on Theorem Proving in Higher Order LogicsL TPHOLs ’96, edited by J. von Wright, J. Grundy, and J. Harrison, TUCS General Publication No 1, Turku Centre for Computer Science (August, 1996), pp. 1-13.
G. Birtwistle and B. Graham, `Verifying SECD in HOL', in Formal Methods for VLSI Design: IFIP WG 10.2 Lecture Notes, edited by J. Staunstrup (North-Holland, 1990), pp. 129-177.
G. Birtwistle, B. Graham, and S.-K. Chin, “New theory HOL: An Introduction to Hardware Verification in Higher Order Logic”, (August 1994). [Published electronically.]
R. Boulton, `Boyer-Moore Automation for the HOL System', in Higher Order Logic Theorem Proving and its Applications: Proceedings of the IFIP TC10/WG10.2 International Workshop, Leuven, September 1992, edited by L. J. M. Claesen and M. J. C. Gordon, IFIP Transactions A-20 (North-Holland, 1993), pp. 133-142.
R. Boulton, “Combining Decision Procedures in the HOL System”, in Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Aspen Grove, Utah, September 1995: Proceedings, edited by E. T. Schubert, P. J. Windley, and J. Alves-Foss, Lecture Notes in Computer Science, Volume 971 (Springer-Verlag, 1995), pp. 75-89.
R. J. Boulton, “Efficiency in a Fully-Expansive Theorem Prover”, Ph.D. Dissertation, Technical Report Number 337, University of Cambridge Computer Laboratory (May 1994).
PapersPapersFormal Verification: SAT Solvers J. Marques-Silva and K. Sakallah, “GRASP: A Search Algorithm for Propositional
Satisfiability”, IEEE Transactions on Computers, 48(5):506-521, May 1999 M. Sheeran and G. Stalmarck, “A tutorial on Stalmarck’s proof procedure for propositional
logic”, Formal Methods in System Design, 16(1):23-58, January 2000 M.H. Moskewicz et. al., “Chaff: engineering an efficient SAT solver,” in Proc. Design
Automation Conf., June 2001. E. Goldberg and Y. Novikov, “BerkMin: a Fast and Robust Sat-Solver”, Proceedings of Design
Automation and Test in Europe, pp.142-149, March 2002.
Formal Verification: BDDs R. E. Bryant, “Graph Based Algorithms for Boolean Function Manipulation”, IEEE
Transactions on Computers, Vol. C-35-8, pp. 677- 691, August 1986 R. Rudell, “Dynamic Variable Ordering for Ordered Binary Decision Diagrams”, Proceedings
of ICCAD 1993, pp. 42- 45 R. E. Bryant, “On the Complexity of VLSI Implementations and Graph Representations of
Boolean Functions with Application to Integer Multiplication”, IEEE Transactions on Computers, Vol. 40, No. 2, pp, 205-213, February 1991
B. Bollig and I. Wegener, “Improving the variable ordering for OBDDs is NP-complete”, IEEE Transactions on Computers, Vol. 45, No. 9, pp. 993-1002, September 1996
M. Fujita, H. Fujitsawa and Y. Matsunaga, “Variable Ordering Algorithms for Ordered Binary Decision Diagrams and their Evaluation”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 12, No. 1, pp. 6- 12, January 1993
R. Bryant, “Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams”, slides from a presentation by Prof. Bryant in August 1999
PapersPapersFormal Verification: Symbolic Model Checking (BDDs) D. L. Dill, “The Mur Verification System”, 390-393, CAV96. R. Bryant, E. Clarke, K. McMillan and A. Emerson, “Binary Decision Diagrams and
Symbolic Model Checking”, slides from a presentation at Symposium on Algorithms in the Real World, May, 2000
E. M. Clarke, E. A. Emerson and A. P. Sistla, ``Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications'', ACM Trans. on Programming Language and Systems, Vol.8, No.2, pp 244-263, April 1986.
J. Burch, E. Clarke, D. Long, K. McMillan, D. Dill, “Symbolic Model Checking for Sequential Circuit Verification”, IEEE Trans. Computer Aided Design, 13, 1994, 401-424.
C. Kern and M. Greenstreet, "Formal Verification in Hardware Design: A Survey", ACM Transactions on Design Automation of E. Systems, Vol. 4, April 1999, pp. 123-193.
H. Iwashita and T. Nakata, `` Forward Model Checking Techniques Oriented to Buggy Designs'', Proceedings of ICCAD, pp. 400-404, 1997.
K. Takayama, T. Satoh, T. Nakata, and F. Hirose, ``An approach to Verify a Large Scale System-on-a-chip Using Symbolic Model Checking'', Proceedings of ICCD, 1998.
A. J. Hu, “Formal Hardware Verification with BDDs : An Introduction”, ACM Transactions on Programming Languages and Systems, 1997.
M. Kaufmann, A. Martin, and C. Pixley, "Design Constraints in Symbolic Model M. Kaufmann, A. Martin, and C. Pixley, "Design Constraints in Symbolic Model Checking", Proc. CAV-98, pp. 477-487, 1998.Checking", Proc. CAV-98, pp. 477-487, 1998.
K. L. McMillan, "Fitting formal methods into the design cycle", Proceedings of the 31st K. L. McMillan, "Fitting formal methods into the design cycle", Proceedings of the 31st Design Automation Conference, pp. 314-19, 1994Design Automation Conference, pp. 314-19, 1994
PapersPapersFormal Verification with SAT solvers P. Abdulla, P. Bjesse and N. Een, “Symbolic Reachability Analysis Based on SAT
Solvers”, Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp. 41-425, March 2000
P. Williams et al, “Combining Decision Diagrams and SAT Procedures for Efficient Symbolic Model Checking”, Proc. of the 12th CAV, pp. 124-138, July 2000
M. Sheeran, S. Singh and G. Stalmarck, “Checking Safety Properties Using Induction and a SAT Solver”, Proc. of the 3rd Intl. Conference on Formal Methods in CAD (FMCAD), pp. 208-125, Nov. 2000
P. Bjesse and K. Claessen, “SAT-based Verification without State Space Traversal”, Proc. of the 3rd FMCAD, pp. 372-389, Nov. 2000
K.L. McMillan, “Applying SAT Methods in Unbounded Model Checking”, Proc. of the 14th CAV, pp. 250-264, July 2002
K.L. McMillan, “Interpolation and SAT-based Model Checking”, Proc. of the 15 th CAV, July 2003
I. Park and H. Kang, “SAT-based unbounded symbolic model checking”, Proceedings of DAC, pp. 840-843, June 2003
PapersPapers
Equivalence Checking D. Brand, “Verification of Large Synthesized Designs”, Proceedings of ICCAD,
November 1993, pp. 534-537 A. Kuehlmann and F. Krohm, “Equivalence Checking using Cuts and Heaps”,
Proceedings of DAC 1997, pp. 263-268 Y. Matsunaga, “An Efficient Equivalence Checker for Combinational Circuits”,
Proceedings of DAC 1996, pp. 629-634 R. Mukherjee, J. Jain, K. Takayama, M. Fujita, J. Abraham and D. Fussell, “An
Efficient Filter Based Approach for Combinational Verification”, in IEEE Transactions on CAD, 18:1542-1557, Nov. 1999
H. Cho and C. Pixley, “Apparatus and Method for deriving correspondences between storage elements of a first circuit model and storage elements of a second circuit model”, U.S. Patent 5,638,381, June 1997
K. Ng, M. Prasad, R. Mukherjee and J. Jain, “Solving the Latch Mapping Problem in an Industrial Setting”, Proceedings of DAC 2003, pp. 442-447
C.A.J. van Eijk, “Sequential Equivalence Checking Based on Structural Similarities”, IEEE Transactions on CAD, 19(7):814-819, July 2000
S.-Y. Huang, K.-T. Cheng, K.-C. Chen and F. Brewer, “AQUILA: An Equivalence Checking System for Large Sequential Circuits”, IEEE Transactions on Computers, 49(5), May 2000
PapersPapersSemi-Formal Verification R. E. Bryant, “Symbolic Simulation -- Techniques and Applications”, Proceedings of
DAC 1990 R.B. Jones, “Applications of Symbolic Simulation to the Formal Verification of
Microprocessors”, Ph.D. Thesis, Computer Systems Laboratory, Stanford University, August 1999
R.E. Bryant and C.J.H. Seger, “Formal hardware verification by symbolic trajectory evaluation,” in Proc. Design Automation Conf., June 1991.
C.-J.H. Seger and R.E. Bryant, “Formal Verification by Symbolic Evaluation of Partially Ordered Trajectories”, Formal Methods in System Design, Vol. 6, No. 2, pp. 147-190, 1995
E. Clarke, A Biere, R. Raimi and Y. Zhu, “Bounded Model Checking Using Satisfiability Solving”, in Formal Methods in System Design, 19(1): 7-34, July 2001, Kluwer Academic Publishers
O. Shtrichman, “Tuning SAT Checkers for bounded model checking,” in Proc. Int. Conf. on Computer-Aided Verification, July 2000.
F. Fallah, “Binary Time-Frame Expansion”, Proc. of ICCAD, pp. 458-464, Nov. 2002 A. Gupta et al, “Learning from BDDs in SAT-based bounded model checking,” in
Proc. Design Automation Conf., June 2003. V. Boppana, S. Rajan, K. Takayama and M. Fujita, “Model Checking Based on
Sequential ATPG”, Proceedings of CAV, pp. 418-430, July 1999. J. Abraham, V. Vedula and D. Saab, “Verifying Properties Using Sequential ATPG”,
Proceedings of International Test Conference, October 2002
PapersPapers D. Dill and S. Tasiran, "Simulation meets Formal Verification?", slides from a
presentation at ICCAD'99. D. Dill, "Alternative Approaches to Formal Verification (Symbolic Simulation)", slides
from a presentation at CAV 1999. C. H. Yang and D. L. Dill, “Validation with Guided Search of the State Space”,
Proceedings of DAC 1998 M. Ganai et al, “SIVA: A System for Coverage Directed State Space Search”, In Journal
of Electronic Testing: Theory and Applications (JETTA), February 2001 P.-H. Ho et al, “Smart Simulation Using Collaborative Formal and Simulation Engines”,
Proceedings of ICCAD, pp. 120-126, November 2000 Y. Hoskote, T. Kam, P. Ho and X. Zhao, ``Coverage Estimation for Symbolic Model
Checking'', Proc. of the 36th Design Automation Conference, New Orleans, June 1999. S. Katz, O. Grumberg and D. Geist, ``Have I written enough properties? - A method of
comparison between specification and implementation'', Technical Report, IBM Haifa Research Laboratory, Haifa, Israel, 1999.
Model Checking in Practice S. Berezin, S. Campos and E. M. Clarke, ``Compositional Reasoning in Model
Checking'', Technical Report - CMU-CS-98-106, School of Computer Science, Carnegie Mellon University, February, 1998.
PapersPapers K. L. McMillan, "A compositional rule for hardware design refinement", Computer Aided Verification
(CAV97), O. Grumberg (Ed.), Haifa, Israel, pp. 24-35, 1997. T.A.Henzinger, S. Qadeer, and S.K.Rajamani, "You assume, We guarantee : Methodology and Case
Studies" CAV98: Computer Aided Verification, Lecture Notes in Computer Science, Springer-Verlag, pp. 440-451, 1998.
G. Mosensoson, “Practical Approaches to SoC Verification”, DATE 2000. J. L. Nielsen, H. R. Andersen, G. Behrmann, H. Hulgaard, K. Kristoffersen and K. G. Larsen, “Verification
of Large State/Event Systems using Compositionality and Dependency Analysis”, Proceedings of TACAS 1998, LNCS 1384, April 1998.
D. Geist, G. Biran, T. Arons, M. Slavkin, Y. Nustov, M. Farkas, and K. Holtz, “A Methodology for the verification of a System on Chip”, Proc. Of DAC 1999, pp. 574-579.
A. Evans, A. Silburt, G. Vrckovnik, T. Brown, M. Dufresne, G. Hall, T. Ho and Y. Liu, “Functional Verification of Large ASICs”, Proc. Of DAC, 1998.
S. Taylor, M. Quinn, D. Brown, N. Dohm, S. Hildebrandt, J. Higgins and C. Ramey, “Functional Verification of a Multiple-issue, Out-of-Order, Superscalar Alpha Processor – the DEC Alpha 21264 Microprocessor”, Proc. Of DAC, 1998.
T. Henzinger, X. Liu, S. Qadeer and S. Rajamani, “Formal Specification and Verification of a Dataflow Processor Array,”Proceedings of ICCAD 1999
D. Wang, “SAT based Abstraction Refinement for Hardware Verification”, Ph.D. thesis, ECE Dept., Carnegie Mellon University, May 2003
Shankar G. Govindaraju, David L. Dill, Alan J. Hu, and Mark A. Horowitz. "Approximate Reachability with BDDs using Overlapping Projections,” in Proc. DAC 1998
Gaurishankar Govindaraju, "Approximate Symbolic Model Checking using Overlapping Projections" Ph.D. thesis, Stanford University, August 2000.
PapersPapersSimulation Based Verification I. Ghosh and M. Fujita, ``Automatic test pattern generation for functional register-transferlevel circuits using
assignment decision diagrams,'' IEEE. Trans. on Computer-Aided Design, Vol. 20, No. 3, pp. 402-415, March 2001.
F. Fallah, S. Devadas, and K. Keutzer, ``OCCOM: Efficient computation of observability-based code coverage metrics for functional verification,'' IEEE. Trans. on Computer-Aided Design, Vol. 20, No. 8, pp. 1003-1015, Aug. 1998.
F. Fallah, S. Devadas, and K. Keutzer, ``Functional vector generation for HDL models using linear programming and 3-satisfiability,”{\em IEEE. Trans. on Computer-Aided Design}, Vol. 20, No. 8, pp. 994-1002, Aug. 1998.
S. Ravi, G. Lakshminarayana, and N.K. Jha, ``TAO: Regular expression based high-level testability analysis and optimization,'' in Int. Test Conf., pp. 331-340, Oct. 1998.
I. Ghosh and S. Ravi, “On automatic generation of RTL validation test benches using circuit testing techniques,” in Proc. Great Lakes Symposium on VLSI, April 2003.
L. Zhang, I. Ghosh and M. Hsiao, “Efficient sequential ATPG for functional RTL circuits,” in Proc. International Test Conference, Oct. 2003.
L. Zhang, I. Ghosh and M. Hsiao, “Automatic design validation framework for HDL descriptions via RTL ATPG,” in Proc. Asian Test Symposium, Nov. 2003
F. Fallah, I. Ghosh, and M. Fujita, “Event driven observability enhanced coverage analysis of C programs for functional validation,” in {\em Proc. Asia and South Pacific Design Automation Conference}, Jan. 2003.
K. Ara and K. Suzuki, “A proposal for transaction level verification with component wrapper language,” Proc. Design Automation and Test in Europe, March 2003.
A. U. Shankar, "An Introduction to Assertional Reasoning for Concurrent Systems", ACM Computing Surveys, Sept. 1993, Vol 25, No. 3, pp. 225-262
PapersPapers S. Ramesh and P. Bhaduri, “Validation of Pipelined Processor Designs using Esterel
Tools: A Case Study”, Proc. of CAV '99, LNCS Vol. 1633, 1999. C. Eisner et. al. “The Temporal Logic Sugar” in Proc. Int Conf. on Computer-aided
Verification 2001.
Miscellaneous J. Jain, W. Adams and M .Fujita, “Sampling Schemes for Computing OBDD Variable
Orderings”, Proceedings of ICCAD 1998, pp. 331-338 J. Jain, R. Mukherjee and M. Fujita, “Advanced Verification Technique Based on
Learning”, Proceedings of DAC 1995, pp. 420-426 C. H. Yang and D. L. Dill, “Validation with Guided Search of the State Space”,
Proceedings of DAC 1998 A. Jain, “Formal Hardware Verification by Symbolic Trajectory Evaluation”, Ph.D.
Thesis, Dept. of Electrical and Computer Engineering, Carnegie Mellon University, August 1997
C.-J.H. Seger and R.E. Bryant, “Formal Verification by Symbolic Evaluation of Partially Ordered Trajectories”, Formal Methods in System Design, Vol. 6, No. 2, pp. 147-190, 1995
Important web-sitesImportant web-sites
http://www.comlab.ox.ac.uk/archive/formal-methods.html
http://www.csl.sri.com
http://www-cad.eecs.Berkeley.edu/ vis
http://godel.ece.utexas.edu/texas97-benchmarks/
http://citeseer.nj.nec.com/
http://www.rational.com/uml (Universal Modelling Language HOME-PAGE)
http://www-sop.inria.fr/meije/verification/esterel
http://www.accellera.org
http://www.systemC.org
http://www.specC.org
Conference ProceedingsConference Proceedings Computer Aided Verification (CAV)
Formal Methods in Computer Aided Design (FMCAD)
International Conference on Computer-Aided Design (ICCAD)
International Conference on Computer Design (ICCD)
Design Automation Conference (DAC) Asia South Pacific Design Automation Conference (ASPDAC)
International Conference on VLSI Design (VLSI)
Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME)
Journals/MagazinesJournals/Magazines IEEE Design and Test of Computers
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
IEEE Transactions on Computers
IEEE Transactions on VLSI Systems
ACM Transactions on Design Automation of ELectronic Systems
Formal Methods in System Design
Formal Aspects of Computing