HLDVT November 2006

Semi-Formal Verification at IBMSemi-Formal Verification at IBM

Jason Baumgartner,

Viresh Paruthi, Robert Kanzelman,

Hari Mony

IBM Corporation

2

Outline

What is semi-formal verification (SFV)?

Challenges in industrial-strength SFV

SixthSense: IBM’s SFV Toolset

SFV Applications at IBM

Conclusion

3

What is Semi-Formal Verification (SFV)?

A method to leverage formal algos in resource-bounded way

Used to find bugs too complex / deep for pure formal search

Often iterates between random simulation, formal algos

4

Challenges of Effective SFV

Approaches:

State prioritization: try to trigger iterations from new / interesting states

Light-houses / stepping-stones: use formal analysis to identify states leading towards fail

Can use formal algos to try to tunnel between these

Clever input generation: make simulation itself “smarter”

Or weaken formal algos through lossiness

SFV is only effective if a formal search is triggered near a fail

Otherwise, does not improve falsification capability of formal search

5

Industrial SFV Experience

However, advances in SFV technologies tend to have marginal benefit for many industrial designs

SFV is a very useful technology

Critical for deep bugs

Key to scaling formal algos to large, complex designs

Increasing exhaustive search depth capability by 1 will likely expose more bugs than incremental SFV advances

E.g., improvements to SAT technology

6

Abstraction-Guided Search

Abstraction-guided stepping stones: promising technology

But for many complex designs it does not work very well

Abstraction is obviously prone to dead-ends

Abstract depth may not match concrete depth

May memout if abstraction becomes too large

Management of large preimages may also slow SFV

May yield too shallow of preimages, saturating in a few iterations

Abstract preimages do not adequately simplify (shorten) search

Less effective than target enlargement, since approximate

7

Advancing SFV Technologies

Please continue research in this area!!

We feel that SFV is still a relatively immature technology

Numerous directions for improvement, such as:

Abstraction-guided search

Difficult to obtain a small enough abstraction which captures the deep behavior of design

Need a customized abstraction-refinement scheme?

State prioritization and clever input stimuli generation:

Borrow from and improve upon testcase generation technologies

Improved methods to leverage formal analysis to define and reach prioritized states

8

SixthSense: IBM’s SFV Toolset

SixthSense is a system of cooperating algorithms

Semi-Formal engines

Formal engines

Transformation engines: simplification / abstraction algorithms

Transformation-Based Verification (TBV) framework

Exploits maximal synergy between various algorithms

Redundancy removal, retiming, induction, localization, ...Incrementally chop problem into simpler sub-problems until solvable

Used for functional verification + sequential equiv checking

9

Design + Properties

SixthSense

140000 registers

Transformation-Based Verification Framework

ReachabilityEngine

Min-Area RetimingEngine

75000 registers

retimed, localized trace

retimed trace

LocalizationEngine

150 registers

Problemdecompositionvia synergistic

transforms

CounterexampleTrace consistent

with Original Design

All transformationsare transparent to the user

All results are in terms of original design

10

SixthSense: IBM’s SFV Toolset

Transforms yield exponential speedups to semi-formal applications, as well as to formal applications

Very useful to enable deeper exhaustive search

Simplify the sequential design once, unfold many timesUnfolding amplifies the benefit of the simplification

Transforms can even be integrated within SAT

Applied directly to unfolded instanceUnfolding opens up more reduction potential

TBV impact is particularly profound on high-performance designs

Though useful on all types of logic we have encountered

11

Example SixthSense Engines

Combinational rewriting

Sequential redundancy removal

Min-area retiming

Sequential rewriting

Input reparameterization

Localization

Target enlargement

State-transition folding

Isomorphic property decomposition

Unfolding

Semi-formal search

Symbolic sim: SAT+BDDs

Symbolic reachability

Induction

Interpolation

… 

Expert System Engine automates optimal engine sequence experimentation

12

Applications

Wide-spread adoption of FV requires scalability to sim-sized testbenches

Easier to specify larger functional units vs. components thereof

E.g: specify IEEE-compliant FPU check, vs. criteria for correctness of each FPU pipeline-stage controller

Scalability implies the need for SFV

SFV can wring through bugs even if size too big for proofs

Nonetheless, strong motivation to tune tool for large-scale proofs!

A robust toolset needs to integrate falsification + proof threadsIn many cases, large-scale proof is possible without a need for manual decompositions

13

Applications

Virtually all SixthSense applications benefit from semi-formal search

1. Assertion-based verification

Typically done by designers

Lesser experience level with FV and toolsetTestbenches developed with little thought about “proof strategy”

SFV very useful to wring out bugs

2. Reference-model based verification

Comprehensive checks, usually implemented as an abstract reference model

For larger units, often benefits from SFV to wring out early bugs

14

Applications

4. Coverage analysis

Leverage formal algos to help simulation reach hard-to-hit scenarios

3. Silicon-failure recreation efforts: When a chip misbehaves…

On-chip debug facilities offer partial insight into cause

Usually have a good idea of property to check, “buggy region”

SFV very useful since often requires a fairly large design slice

And bug-hunting vs. proving is “the mission”

5. Sequential equiv checking: semi-formal search useful to find mismatches, assist in guessing equivalent gates

15

Conclusion

SFV is an enabling technology for wide-spread FV usage

Eliminates “risk” associated with developing a complex formal spec, only to choke FV tool

Enables greater return on spec investment at higher, more encompassing interfaces

SFV will wring out bugs early – even if expert manual decomposition performed later to yield proofsEncourages development of meaningful specs, reusable in sim + emulation

Minimizes learning curve: corner-case bugs found by casual users

No need for a team of PhDs to use the formal tool!

16

Conclusion

SFV advances useful for certain classes of designs

However, they can easily get lost on many designs

More research is needed!

SixthSense approach: increase formal BMC depth by synergistic transformations

Simplify the sequential design once, unfold many times

Also simplify the unfolded instance within the SAT engine, within the SFV engine

Powerful SFV engine will benefit a variety of tasks: functional verification + sequential equiv checking