Motivation Framework Proposed theory Summary

Similar documents
USING SAT FOR COMBINATIONAL IMPLEMENTATION CHECKING. Liudmila Cheremisinova, Dmitry Novikov

Integrating Induction and Deduction for Verification and Synthesis

CLEVER: Divide and Conquer Combinational Logic Equivalence VERification with False Negative Elimination

Ranking Verification Counterexamples: An Invariant guided approach

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

PSL Model Checking and Run-time Verification via Testers

DVClub Europe Formal fault analysis for ISO fault metrics on real world designs. Jörg Große Product Manager Functional Safety November 2016

Principles of Sequential-Equivalence Verification

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Lecture 7: Logic design. Combinational logic circuits

Self-Timed is Self-Checking

Sequential logic and design

Equivalence Checking of Sequential Circuits

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

The State Explosion Problem

Equalities and Uninterpreted Functions. Chapter 3. Decision Procedures. An Algorithmic Point of View. Revision 1.0

CSE 140 Midterm 3 version A Tajana Simunic Rosing Spring 2015

Synthesis of Designs from Property Specifications

Finite-State Model Checking

Formal Methods Lecture VII Symbolic Model Checking

Lecture 2: Symbolic Model Checking With SAT

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

EECS Components and Design Techniques for Digital Systems. FSMs 9/11/2007

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

CPE100: Digital Logic Design I

Hardware Equivalence & Property Verification

Binary Decision Diagrams and Symbolic Model Checking

CE1911 LECTURE FSM DESIGN PRACTICE DAY 1

Testability. Shaahin Hessabi. Sharif University of Technology. Adapted from the presentation prepared by book authors.

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model checking the basic modalities of CTL with Description Logic

Lecture 3: Semantics of Propositional Logic

Example: vending machine

Model Checking: An Introduction

Security as a Resource in Process-Aware Information Systems

Sequential Logic Design: Controllers

Reactive Synthesis. Swen Jacobs VTSA 2013 Nancy, France u

Programmable Logic Devices II

CS61c: Representations of Combinational Logic Circuits

Memory Elements I. CS31 Pascal Van Hentenryck. CS031 Lecture 6 Page 1

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Digital Design 2010 DE2 1

Different encodings generate different circuits

Chapter 3. Digital Design and Computer Architecture, 2 nd Edition. David Money Harris and Sarah L. Harris. Chapter 3 <1>

ECE 407 Computer Aided Design for Electronic Systems. Simulation. Instructor: Maria K. Michael. Overview

Models for representing sequential circuits

COE 202: Digital Logic Design Sequential Circuits Part 3. Dr. Ahmad Almulhem ahmadsm AT kfupm Phone: Office:

Linear Temporal Logic and Büchi Automata

Logic. Propositional Logic: Syntax

Sequential Equivalence Checking without State Space Traversal

Sequential Circuits. Circuits with state. Silvina Hanono Wachman Computer Science & Artificial Intelligence Lab M.I.T. L06-1

Formal Verification Methods 1: Propositional Logic

Ch 7. Finite State Machines. VII - Finite State Machines Contemporary Logic Design 1

Introduction to Artificial Intelligence Propositional Logic & SAT Solving. UIUC CS 440 / ECE 448 Professor: Eyal Amir Spring Semester 2010

The Eager Approach to SMT. Eager Approach to SMT

Assertions and Measurements for Mixed-Signal Simulation

EXPERIMENT Traffic Light Controller

SAT-based Combinational Equivalence Checking

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Combinational Logic. Mantıksal Tasarım BBM231. section instructor: Ufuk Çelikcan

A Hierarchy for Accellera s Property Specification Language

Automatic Synthesis of Distributed Protocols

Synchronous Sequential Circuit Design. Digital Computer Design

CSC 322: Computer Organization Lab

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Outline Fault Simulation

Sequential Logic Optimization. Optimization in Context. Algorithmic Approach to State Minimization. Finite State Machine Optimization

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Outline. EECS Components and Design Techniques for Digital Systems. Lec 18 Error Coding. In the real world. Our beautiful digital world.

EEE2135 Digital Logic Design

Sequential Logic. Handouts: Lecture Slides Spring /27/01. L06 Sequential Logic 1

Undergraduate work. Symbolic Model Checking Using Additive Decomposition by. Himanshu Jain. Joint work with Supratik Chakraborty

A Theory for Composing Distributed Components, Based on Temporary Interference

ECE 341. Lecture # 3

2. Elements of the Theory of Computation, Lewis and Papadimitrou,

Chapter 3. Chapter 3 :: Topics. Introduction. Sequential Circuits

CPE100: Digital Logic Design I

From Sequential Circuits to Real Computers

COE 202: Digital Logic Design Sequential Circuits Part 3. Dr. Ahmad Almulhem ahmadsm AT kfupm Phone: Office:

Machine Learning and Logic: Fast and Slow Thinking

LUTMIN: FPGA Logic Synthesis with MUX-Based and Cascade Realizations

Logic Model Checking

Formal Verification of Systems-on-Chip

THE MULTIPLE-VALUED LOGIC.

Digital Design. Sequential Logic

2009 Spring CS211 Digital Systems & Lab CHAPTER 2: INTRODUCTION TO LOGIC CIRCUITS

Spiking Neural P Systems with Anti-Spikes as Transducers

Sequential Equivalence Checking of Hard Instances with Targeted Inductive Invariants and Efficient Filtering Strategies

CPE100: Digital Logic Design I

ESE535: Electronic Design Automation. Today. Motivation. FSM Equivalence. Question. Cornerstone Result. Sequential Verification

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Homework #4. CSE 140 Summer Session Instructor: Mohsen Imani. Only a subset of questions will be graded

Detecting Support-Reducing Bound Sets using Two-Cofactor Symmetries 1

CHAPTER 10. Gentzen Style Proof Systems for Classical Logic

Synchronous Sequential Circuit Design. Dr. Ehab A. H. AL-Hialy Page 1

Design of Control Modules for Use in a Globally Asynchronous, Locally Synchronous Design Methodology

An Introduction to Symbolic Trajectory Evaluation. Koen Lindström Claessen Chalmers University / Jasper AB Gothenburg, Sweden

Sequential Logic Worksheet

Transcription:

A Compositional Theory for Observational Equivalence Checking of Hardware Presenter : Authors : Daher Kaiss Zurab Khasidashvili Daher Kaiss Doron Bustan Formal Technology and Logic Group Core Cad Technologies Intel Corporation, Haifa Page 1

Motivation RTL validation continues to dictate the CPU development schedule at Intel raising the RTL abstraction is one way to deal with it Sequential Equivalence Checking is an enabler Usage of Sequential Equivalence Checking at Intel is increasing Intel Core i7 was the first CPU project to utilize Sequential Equivalence extensively This paper is about extensions to the existing Sequential Equivalence Theory Page 2

Background Combinational Equivalence RTL (Specification) always_latch begin for(int portnum = 0; portnum <= (WR_PORTS-1); portnum++) if(!ckwrcbout[portnum]) for(int i = WR_LATENCY-1; i > 0; i = i-2) LAT_Wr[portnum][i] <= LAT_Wr[portnum][i-1]; end Schematic (Implement.) Equivalent? A OUT B Page 3 3

Background Cont. Reboot sequence? Page 4

RTL Background Sequential Equivalence always_latch begin for(int portnum = 0; portnum <= (WR_PORTS-1); portnum++) if(!ckwrcbout[portnum]) for(int i = WR_LATENCY-1; i > 0; i = i-2) LAT_Wr[portnum][i] <= LAT_Wr[portnum][i-1]; end Schematic A OUT B Page 5 5

(Previously solved) challenges in Sequential Equivalence Compositionality and handling properties Addressed in ICCAD 2004 Post-Reboot equivalence theory Addressed in FMCAD 2006 Automatic initialization Addressed in FMCAD 2007 Page 6

Challenges dealt in this paper Question #1: Preserving the validity of RTL properties on the implementation model Is the property valid? RTL L1 L2 Property = Inverse(L1, L2) O1 Schematic O2 Page 7

Challenges dealt with in this paper Cont. Question #2: Can we use wider classes of properties during the Equivalence Checking? L1 Property = Inverse(L1, L2) O1 L2 O2 Does it need to be a combinational safety property only? Page 8

Challenges dealt with in this paper Question #3: At which cone will a property be verified? L1 Property(L1, L2) L2 Page 9

Challenges dealt with in this paper Cont. Question #4: Is there any way formal way to check the validity of the reboot sequence? Page 10

Theory Framework Page 11

State Equivalence Given two hardware models M1 and M2 States s 1 and s 2 in M1, M2 are equivalent states (s 1 s 2 ) iff for any input sequence π, the corresponding outputs of M1 and M2 in states t1 and t2 obtained from s1 and s2 by applying π are equal s 1 π t 1 Out(t 1 ) = Out(t 2 ) s 2 t 2 Page 12

State Equivalence M1 (RTL) i1 i2 FF1 FF3 o 1 010 1 0 0 101 1 1 0 001 0 1 FF2 equivalent states 1 0 0 M2 (SCH) i1 i2 FF FF3 o 1 0 0 0 1 0 Not equivalent 1 1 0 1 1 1 1 0 1 1 1 1 1 1 0 1 1 0 1 0 1 Page 13

Alignability Equivalence (Pixley 1989) An input sequence π is an aligning sequence for states s 1,s 2 in FSMs M 1 and M 2 if it brings M 1 and M 2 from states s 1 and s 2 into equivalent states s 1 π t 1 t1 t2 s 2 t 2 FSMs M 1 and M 2 are alignable (M 1 aln M) iff every state pair of M 1 and M 2 has an aligning sequence Equivalently, M 1 aln M 2 iff a universal aligning sequence aligns every state pair of M 1 and M 2 Page 14

Weak Synchronization An input sequence π is a weakly synchronizing sequence for M if it brings M from any state to a subset of equivalent states {t 1,,t m }, which are called weak synchronization states of M. s 5 s 4 π s 1 t 3 s 2 s 3 t 1 t 2 t 1 t 2 t 3 When m=1, when π is called synchronizing When we consider a larger set of observables (containing all the outputs), then we call π observably synchronizing; and we will talk about observably equivalent states Page 15

Alignability Theorem Theorem: FSMs M1 and M2 are alignable iff: 1. both of them are weakly synchronizable and 2. have an equivalent state pair Big questions: How can we prove existence of equivalent states in M1 and M2? Given a reboot sequence for M1 (or M2), how can we prove that it is weakly synchronizing for M1 (or M2)? Besides, if we prove that M1 and M2 are alignable, can we be sure that all temporal properties valid on M1 will be valid on M2 as well? Page 16

Observation: Alignability does not preserve the validity of temporal properties FSM1 FSM2 0/0 1/1 1/0 s1 s2 s3 0/0 -/1 1/1 1/0 0/0 s4 0/0 s5 s6 of temporal properties -/1 0/0 0/0 1/1 1/0 s1 s2 s3 0/0 -/1 Thus, alignability equivalence does not preserve the validity 1/1 1/0 s4 0/0 s5 s6 That is, if RTL model is designed correctly, its ` equivalent schematic model may not behave correctly!! The two FSMs are alignable (apply 0 sequence on any of the states) Let P be true in {s4, s5, s6} Let 0 be the reboot sequence used for both FSMs Then P is valid in the operation states of FSM1 But P is not valid in some operation states of FSM2 -/1 Page 17

Coping with simulation complexity 3-valued logic Besides T and F, one also considers an value, meaning 0 information! = Z T & =, T + = T F & = F, F + = T F &! = while for any Boolean variable a, one has a &! a = F Z values means a contradiction (both T and F at the same time) and is rarely considered in formal analysis Page 18

-Initialization An -initializing sequence of M is a sequence of inputs which, when applied to the unknown state of M (where all latches are ), brings M into a binary state (where each latch is T or F). For any binary a, a xor a = F, while xor =. (=conservativeness of 3-valued simulation.) Therefore the circuit below is not -initializable, but any non-empty input sequence can synchronize (thus weakly synchronize) it. out Page 19

Related work Synopsys (Moon, Bjesse, Pixley, DATE07) improved the ICCAD04 work in some aspects, but they do not allow usage of constraints in local equivalence proofs Very active research in Berkeley (Brayton, Mishchenko) working on sequential synthesis and equivalence checking (ABC tool) IBM s sequential equivalence checker (Baumgartner et al) works with -initializable designs, with a user-given reboot sequence, therefore sequential EC in this scenario reduces to classical MC trivially Page 20

The proposed approach Page 21

Weak (and observable) -initialization FSM M state π state s F T T F T F T T T F F τ observable / not observable We call an input sequence π of an FSM M weakly (respectively, observably) -initializing if in the ternary state s obtained from the state by applying π, the values never propagate to the outputs (respectively, observables) of M under any input sequence τ of M. Page 22

Our approach: A wider view of equivalence checking ABV (Assertion Based Verification, also known as FPV): Make sure that the specification model satisfies the temporal assertions, in the operation states; EC (Equivalence Checking): Make sure that the specification and implementation models are equivalent, in the operation states; RSV (Reboot Sequence Verification): Make sure that the reboot sequence brings the specification and implementation models into the intended set of operation states; Equivalence checking in a wider sense: Conclude from the above that all observable behavior of the specification model (captured by spec assertions and the output operability) is preserved in the implementation model, in the operation states. Page 23

Our assumption on the initial states We want to perform compositional verification without knowing the initial states of the full designs Here we see an important difference (a paradigm shift) from the classical model checking where initial states are assumed When a module is ready and we want to verify it against local assertions, the entire design may not be ready, thus the initial states are even not defined Page 24

FEC: Building observationally equivalent states Theorem: Let M 1 and M 2 be observably -initializable FSMs, with sets of observables O 1 and O 2, respectively, such that there is a one-toone correspondence between observable variables in O 1 and O 2. Further, Let decompositions of M 1 and M 2 be given such that the inputs and outputs of the sub-fsms are observable variables Assume that the corresponding sub-fsms in M 1 and M 2 have states that are equivalent under input constraints of the form Gφ Assume each such constraint Gφ is valid in a state of M 1 Then, M 1 and M 2 have an observably equivalent state pair Page 25

Compositional FEC using boundary assumptions i1 i2 M1 component A1 component B1 FF1 FF2 FF3 = o i1 component A2 component B2 FF1 FF3 = o i2 FF2 M2 It is safe to use G(l1= l2) since it is valid in all operation states Page 26

ABV: Proving assertions locally Theorem: Let the specification model M be observably -initializable, and let it be decomposed into M * M let Gφ be a property whose variables are observables in M, let the variables of Gψ be inputs of M Further, assume Gψ is valid in a state of M Then M M M If Gφ is valid in a state of M constrained with Gψ, (any linear time temporal property) then Gφ and Gψ are valid in all observably initial states of M Gψ boundary assumption Gφ assertion Page 27

RSV: Reboot Sequence Verification The task is to prove that the reboot sequence π for M is observably -initializing We compute the 3-valued state s obtained by applying π to M from the -state; we need to show that s is deterministic the s cannot propagate to the observables from s under any input sequence of M For any observable variable l, the property that l is never can be expressed as a safety property, using the dual-rail encoding of value Thereby the reboot sequence checking is reduced to model checking, and the classical abstraction techniques for proving linear temporal properties can be used Page 28

Summary We have proposed a compositional theory for observational post-reboot equivalence checking of hardware We have shown how to prove existence of equivalent states compositionally, w/o knowing the reboot sequence We have proposed an assume-guarantee technique for proving assertions Gφ locally, using assumptions Gψ that are valid globally, w/o knowing the reboot sequence We have shown how to ensure preservation of the validity of temporal properties between equivalent models We have discussed a formal method for proving that a reboot sequence is a valid one (is observably -initializing) Page 29

Sequential Equivalence at Intel Intel Sequential Equivalence Tool is accepted and used by hundreds of designers at Intel spanning over multiple design projects We already started to see impact on the validation effort of the RTL thanks to sequential equivalence Mainly towards the late stages of convergence This paper concludes a sound and complete theory combined with a convenient methodology to ensure100% correctness of the CPU implementations Page 30

Thank you! Page 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback