Formal Verification SE303 Conception des systèmes sur puces (SoC)

Size: px

Start display at page:

Download "Formal Verification SE303 Conception des systèmes sur puces (SoC)"

Melina Davis
5 years ago
Views:

1 Formal Verifiation SE33 Coneption des systèmes sur pues (SoC) Ulrih Kühne 29//27

2 Outline Introdution Short History of Hardware Failures Design and Verifiation Proess Funtional Verifiation Ciruit Models Linear Time Logi (LTL) Computation Tree Logi (CTL) Model Cheking Equivalene Cheking Prolem Formulation Boolean Satisfiaility 2/42 SE33 Ulrih Kühne 29//27

3 Motivation 3/42 SE33 Ulrih Kühne 29//27

4 Motivation [Soure: 4/42 SE33 Ulrih Kühne 29//27

5 Motivation [ CC photo y mark.sze ] Transistor ount of > 3 illion Gate level models are huge Big designer teams (several hundreds) Big orretness issues Late ugs are extremely expensive 5/42 SE33 Ulrih Kühne 29//27

6 Motivation The First Bug (947) [ Photo: U.S. Naval Historial Center ] 6/42 SE33 Ulrih Kühne 29//27

7 Motivation The Pentium FDIV Bug (994) let x = , y = x x y = 256 y Bug in floating point unit $ 45 Mio. loss for Intel 82 Chipset MTH Bug (2) Error in memory translator hu Reall of around Mio. motheroards $ 253 Mio. finanial loss Intel i6/i7 (Skylake) Hyperthreading Bug (27) Speifi operating onditions ause unpreditale ehavior Found y Linux/OCaml developers 7/42 SE33 Ulrih Kühne 29//27

8 Hardware Design Flow Req. eng., modeling Design Spae expl., partitioning Implementation, refinement Synthesis Plae & route Manufaturing Speifiation Eletr. System Lvl. Transation Lvl. Register Transfer Lvl. Netlist Layout Chip Natural language UML, SysML, Matla,... C, C++, SystemC,... VHDL, Verilog,... Gate models Geometri, eletr. models Silion 8/42 SE33 Ulrih Kühne 29//27

9 Hardware Verifiation Flow Model Driven Eng. Performane Evaluation Coverage Model Cheking Deugging Roustness Speifiation Eletr. System Lvl. Transation Lvl. Register Transfer Lvl. Netlist Layout Chip NLP Tehniques High Lvl. Synth. Conf. Cheking Equiv. Cheking ATPG Diagnosis 9/42 SE33 Ulrih Kühne 29//27

10 Design Gap Verifiation Gap manufature # Transistors verify design Years /42 SE33 Ulrih Kühne 29//27

11 Outline Introdution Short History of Hardware Failures Design and Verifiation Proess Funtional Verifiation Ciruit Models Linear Time Logi (LTL) Computation Tree Logi (CTL) Model Cheking Equivalene Cheking Prolem Formulation Boolean Satisfiaility /42 SE33 Ulrih Kühne 29//27

12 Funtional Verifiation Dynami verifiation (= simulation) still standard tehnology Pentium 4 overall simulated yles < one minute at operation speed [Bentley, 25] Full overage is infeasile Inreasing use of formal methods 2/42 SE33 Ulrih Kühne 29//27

13 Sequential Ciruit Model I n k λ δ m k O Mealy Mahine: M = (I, O, S, S, δ, λ) δ : S I S λ : S I O S S Memory I = {, } n O = {, } m S = {, } k 3/42 SE33 Ulrih Kühne 29//27

14 From Verilog to Mealy Mahine module ount(clk, EN, CLR, S, S, S2, V); EN input CLK, EN, CLR; output reg S, S, S2; output V; assign V = S & S & S2 &!CLR & EN; EN EN EN EN EN EN CLR EN EN CLK) egin if (CLR) {S2, S, S} <= ; else if (EN) {S2, S, S} <= {S2, S, S} + ; end endmodule // ount EN EN/V EN EN EN EN EN 4/42 SE33 Ulrih Kühne 29//27

15 What do we want to verify? Safety Something ad will never happen, e.g. The stak pointer will never overflow The traffi lights will never e green at the same time Liveness Something good will eventually happen, e.g. Every request will e granted The ahe and the main memory will eventually e onsistent 5/42 SE33 Ulrih Kühne 29//27

16 How to speify suh properties? Temporal logi = propositional logi + time Disrete vs. ontinuous time Linear time view Branhing time view LTL CTL CTL 6/42 SE33 Ulrih Kühne 29//27

17 The Linear Time View Computation paths π :... π :... π 2 : /42 SE33 Ulrih Kühne 29//27

18 Linear Time Logi (LTL) p holds (in the initial state) p... p p holds in the next state p... X p p holds in the future p... F p p holds gloally p p p p... G p p holds until q p p q... p U q 8/42 SE33 Ulrih Kühne 29//27

19 Linear Time Logi (LTL) An LTL formula over propositional variales V has the form LTL ::= p, where p V ϕ ϕ ψ X ϕ F ϕ G ϕ ϕ U ψ, where ϕ, ψ LTL. 9/42 SE33 Ulrih Kühne 29//27

20 Branhing Time View Computation Tree /42 SE33 Ulrih Kühne 29//27

21 Computation Tree Logi (CTL) Some property p holds (in the initial state) p p holds in some next state p holds in all next states p p p p EX p AX p path quantifier next operator 2/42 SE33 Ulrih Kühne 29//27

22 Further Modalities p holds in some future state p holds eventually p holds gloally on some path p holds gloally on all paths p p p p p p p p p p p p p p EF p AF p EG p AG p 22/42 SE33 Ulrih Kühne 29//27

23 Until Modalities On some path, q holds until p holds q On all paths, q holds until p holds q q p q p E(p U q) p A(p U q) p 23/42 SE33 Ulrih Kühne 29//27

24 Computation Tree Logi (CTL) A CTL formula over propositional variales V has the form CTL ::= p, where p V ϕ ψ ϕ EX ϕ AX ϕ EF ϕ AF ϕ EG ϕ AG ϕ E(ϕ U ψ) A(ϕ U ψ), where ϕ, ψ CTL 24/42 SE33 Ulrih Kühne 29//27

25 What do we want to verify? Safety The stak pointer will never overflow AG (sp < 496) The traffi lights will never e green at the same time EF (tl tl 2 ) Liveness Every request will e granted The ahe and the main memory will eventually e onsistent AG (req AF gnt) AF (mem i = ahe i ) 25/42 SE33 Ulrih Kühne 29//27

26 Model Cheking Model Cheking Given a Mealy Mahine M and a CTL formula ϕ, hek if M = ϕ. How do we do this?. Compute all states in whih ϕ holds: τ(ϕ) = {s S M, s = ϕ} 2. Chek if the initial states are a suset of those states: S \ τ(ϕ) = 26/42 SE33 Ulrih Kühne 29//27

27 Example s s s 2 p τ(p) = {s 2, s 4, s 5 } p p s 3 s 4 s 5 27/42 SE33 Ulrih Kühne 29//27

28 Example s s s 2 p τ(p) = {s 2, s 4, s 5 } τ(ex p) = {s, s 2, s 3, s 5 } p p s 3 s 4 s 5 27/42 SE33 Ulrih Kühne 29//27

29 Example s s s 2 p τ(p) = {s 2, s 4, s 5 } τ(ex p) = {s, s 2, s 3, s 5 } τ(ax p) = {s, s 2, s 5 } p p s 3 s 4 s 5 27/42 SE33 Ulrih Kühne 29//27

30 Example s s s 2 p p p s 3 s 4 s 5 τ(p) = {s 2, s 4, s 5 } τ(ex p) = {s, s 2, s 3, s 5 } τ(ax p) = {s, s 2, s 5 } τ(ef p) = {s 2, s 4, s 5 } {s, s 3 } {s } Expansion rules: EF ϕ = ϕ EX EF ϕ 27/42 SE33 Ulrih Kühne 29//27

31 Example s s s 2 p p p s 3 s 4 s 5 Expansion rules: EF ϕ = ϕ EX EF ϕ AG ϕ = ϕ AX AG ϕ τ(p) = {s 2, s 4, s 5 } τ(ex p) = {s, s 2, s 3, s 5 } τ(ax p) = {s, s 2, s 5 } τ(ef p) = {s 2, s 4, s 5 } {s, s 3 } {s } τ(ag p) = {s 2, s 4, s 5 } {s 2, s 5 } 27/42 SE33 Ulrih Kühne 29//27

32 Fixed Point Algorithm for EF p... p S = p S = p EX p S 2 = p EX p EX EX p... S n = p n EX i p = S n i=... S n = τ(ef p) 28/42 SE33 Ulrih Kühne 29//27

33 Model Cheking Complexity depends heavily on state spae Need for effiient data strutures State spae explosion still a prolem Works for small to medium (or very regular) systems Popular tool: NuSMV [Cimatti et al., 22] Ongoing researh /42 SE33 Ulrih Kühne 29//27

34 Outline Introdution Short History of Hardware Failures Design and Verifiation Proess Funtional Verifiation Ciruit Models Linear Time Logi (LTL) Computation Tree Logi (CTL) Model Cheking Equivalene Cheking Prolem Formulation Boolean Satisfiaility 3/42 SE33 Ulrih Kühne 29//27

35 Equivalene Cheking Model Driven Eng. Performane Evaluation Model Cheking Speifiation Eletr. System Lvl. Transation Lvl. Register Transfer Lvl. Netlist NLP Tehniques High Lvl. Synth. Conf. Cheking Equiv. Cheking Layout Chip 3/42 SE33 Ulrih Kühne 29//27

36 Equivalene Cheking RTL Hardware synthesis is omplex Aggressive optimization Automati pipelining, retiming,... Tehnology mapping Tools are losed soure Does the netlist do what we think it does?? Netlist 32/42 SE33 Ulrih Kühne 29//27

37 Miter Struture a C? C 33/42 SE33 Ulrih Kühne 29//27

38 SAT Prolem Boolean Satisfiaility (SAT) Given a Boolean funtion f : {, } n {, } (in onjuntive normal form), is there an assignment X {, } n, suh that f (X) =? Conjuntive Normal Form A Boolean formula over variales X = {x... x n } is in onjuntive normal form if it is a onjuntion of lauses (l, l,2 l,m ) (l k, l k,mk ). A lause is a disjuntion of literals l = x i or l = x i for some x i X. NP-omplete prolem [Cook, 97] 34/42 SE33 Ulrih Kühne 29//27

39 Tseitin Transformation q p r s z (p q) r t z s p q t r z s t s p q (s p q) (p q s) ( s p q) ( (p q) s) ( s p q) (( p q) s) ( s p q) ( p s) ( q s) t r ( t r) (t r) z s t ( s t z) (s z) (t z) 35/42 SE33 Ulrih Kühne 29//27

40 How it Looks Like in Pratie... example iruit p nf ( s p q) ( p s) ( q s) ( t r)... 36/42 SE33 Ulrih Kühne 29//27

41 SAT-Based Equivalene Cheking Counterexample Prolem C C SAT Solver SAT CNF UNSAT 37/42 SE33 Ulrih Kühne 29//27

42 SAT-Based Equivalene Cheking Counterexample Prolem C C Prolem Enoding SAT Solver SAT CNF UNSAT 37/42 SE33 Ulrih Kühne 29//27

43 DPLL Algorithm DPLL Davis-Putnam-Logemann-Loveland [Davis et al., 962] Data: Set of lauses C DPLL(C) egin if all lauses satisfied then return SAT if C ontains empty lause then return UNSAT Propagate(); l ChooseLiteral(); return DPLL(C l) or DPLL(C l) 38/42 SE33 Ulrih Kühne 29//27

44 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

45 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

46 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

47 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

48 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

49 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

50 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

51 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

52 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

53 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

54 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

55 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

56 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

57 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

58 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

59 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

60 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

61 SAT Solving in a Nutshell ( a ) (a d) (a d) (a d) (a d) ( d) ( a ) ( a ) a 39/42 SE33 Ulrih Kühne 29//27

62 Advanements in SAT Solving 962: DPLL aktraking algorithm [Davis et al., 962] 996: Conflit learning [Silva and Sakallah, 996] 2: Loal searh, deision heuristis, engineering... Modern solvers handle millions of variales and lauses Popular solvers: MiniSAT Gluose Lingeling Extensions of SAT: Satisfiaility Modulo Theories (SMT) Quantified Boolean Formulae (QBF) Max-SAT 4/42 SE33 Ulrih Kühne 29//27

63 Summary Equivalene Cheking and SAT Verifying orretness of hardware synthesis Separation of verifiation prolem and deision engine Many more appliations in hardware & software verifiation Convenient and standardized APIs for ease of use Ative field of researh 4/42 SE33 Ulrih Kühne 29//27

64 Bounded Model Cheking =? ϕ [,k] I I I 2 I k S M M M 2... M k S k+ O O O 2 O k 42/42 SE33 Ulrih Kühne 29//27

65 Referenes I Bentley, B. (25). Validating a modern miroproessor. In Etessami, K. and Rajamani, S., editors, Computer Aided Verifiation, volume 3576 of Leture Notes in Computer Siene, pages 2 4. Springer Berlin Heidelerg. Cimatti, A., Clarke, E., Giunhiglia, E., Giunhiglia, F., Pistore, M., Roveri, M., Seastiani, R., and Tahella, A. (22). NuSMV Version 2: An OpenSoure Tool for Symoli Model Cheking. In Pro. International Conferene on Computer-Aided Verifiation (CAV 22), volume 244 of LNCS, Copenhagen, Denmark. Springer. Cook, S. (97). The omplexity of theorem proving proedures. In 3. ACM Symposium on Theory of Computing, pages Davis, M., Logemann, G., and Loveland, D. (962). A mahine program for theorem-proving. Commun. ACM, 5(7): /42 SE33 Ulrih Kühne 29//27

66 Referenes II Silva, J. a. P. M. and Sakallah, K. A. (996). Grasp a new searh algorithm for satisfiaility. In Proeedings of the 996 IEEE/ACM International Conferene on Computer-aided Design, ICCAD 96, pages , Washington, DC, USA. IEEE Computer Soiety. 44/42 SE33 Ulrih Kühne 29//27

An Efficient Sequential SAT Solver With Improved Search Strategies

An Efficient Sequential SAT Solver With Improved Search Strategies An Effiient Sequential SAT Solver With Improved Searh Strategies F. Lu, M.K. Iyer, G. Parthasarathy, L.-C. Wang, and K.-T. Cheng K.C. Chen Department of ECE, Design Tehnology University of California at