Formal Verification of Systems-on-Chip Industrial Practices

Similar documents
Formal Verification of Systems-on-Chip

CSE Computer Architecture I

Project Two RISC Processor Implementation ECE 485

Table of Content. Chapter 11 Dedicated Microprocessors Page 1 of 25

Computer Engineering Department. CC 311- Computer Architecture. Chapter 4. The Processor: Datapath and Control. Single Cycle

Path Predicate Abstraction by Complete Interval Property Checking

CPU DESIGN The Single-Cycle Implementation

Abstractions and Decision Procedures for Effective Software Model Checking

Finite-State Model Checking

The Design Procedure. Output Equation Determination - Derive output equations from the state table

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc.

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

INF2270 Spring Philipp Häfliger. Lecture 8: Superscalar CPUs, Course Summary/Repetition (1/2)

ECE 448 Lecture 6. Finite State Machines. State Diagrams, State Tables, Algorithmic State Machine (ASM) Charts, and VHDL Code. George Mason University

Ranking Verification Counterexamples: An Invariant guided approach

Model Checking: An Introduction

CprE 281: Digital Logic

Appendix B. Review of Digital Logic. Baback Izadi Division of Engineering Programs

And Inverter Graphs. and and nand. inverter or nor xor

CMP 338: Third Class

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Logic and Computer Design Fundamentals. Chapter 8 Sequencing and Control

Integrating Induction and Deduction for Verification and Synthesis

Models for representing sequential circuits

NCU EE -- DSP VLSI Design. Tsung-Han Tsai 1

Sequential logic and design

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

CPSC 3300 Spring 2017 Exam 2

Spiral 1 / Unit 3

Lecture 13: Sequential Circuits, FSM

Lecture: Pipelining Basics

L07-L09 recap: Fundamental lesson(s)!

Verilog HDL:Digital Design and Modeling. Chapter 11. Additional Design Examples. Additional Figures

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Binary Decision Diagrams and Symbolic Model Checking

Sequential Logic Optimization. Optimization in Context. Algorithmic Approach to State Minimization. Finite State Machine Optimization

Administrivia. Course Objectives. Overview. Lecture Notes Week markem/cs333/ 2. Staff. 3. Prerequisites. 4. Grading. 1. Theory and application

Introduction The Nature of High-Performance Computation

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Basic Computer Organization and Design Part 3/3

EE382 Processor Design Winter 1999 Chapter 2 Lectures Clocking and Pipelining

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

CS 700: Quantitative Methods & Experimental Design in Computer Science

From Sequential Circuits to Real Computers

Semi-formal verification of the steady state behavior of mixed-signal circuits by SAT-based property checking

Analysis of a Boost Converter Circuit Using Linear Hybrid Automata

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

19. Extending the Capacity of Formal Engines. Bottlenecks for Fully Automated Formal Verification of SoCs

Performance Metrics for Computer Systems. CASS 2018 Lavanya Ramapantulu

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

CMP N 301 Computer Architecture. Appendix C

Worst-Case Execution Time Analysis. LS 12, TU Dortmund

Chapter 3. Digital Design and Computer Architecture, 2 nd Edition. David Money Harris and Sarah L. Harris. Chapter 3 <1>

Hardware Equivalence & Property Verification

EC 413 Computer Organization

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

EECS150 - Digital Design Lecture 23 - FSMs & Counters

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

COEN6551: Formal Hardware Verification

Lecture 13: Sequential Circuits, FSM

Synchronous Sequential Circuit Design. Dr. Ehab A. H. AL-Hialy Page 1

TESTING is one of the most important parts of the

Goals for Performance Lecture

SAT-Based Verification with IC3: Foundations and Demands

Lecture 2: Symbolic Model Checking With SAT

UNIVERSITY OF BOLTON SCHOOL OF ENGINEERING BENG (HONS) ELECTRICAL & ELECTRONICS ENGINEERING EXAMINATION SEMESTER /2017

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Lecture 3, Performance

DVClub Europe Formal fault analysis for ISO fault metrics on real world designs. Jörg Große Product Manager Functional Safety November 2016

High Performance Computing

ENGG 1203 Tutorial _03 Laboratory 3 Build a ball counter. Lab 3. Lab 3 Gate Timing. Lab 3 Steps in designing a State Machine. Timing diagram of a DFF

COMPUTER SCIENCE TRIPOS

IC3 and Beyond: Incremental, Inductive Verification

CSE. 1. In following code. addi. r1, skip1 xor in r2. r3, skip2. counter r4, top. taken): PC1: PC2: PC3: TTTTTT TTTTTT

Predicate Abstraction: A Tutorial

Formal Verification of Analog and Mixed Signal Designs in Mathematica

Enrico Nardelli Logic Circuits and Computer Architecture

Deductive Verification

EECS150 - Digital Design Lecture 11 - Shifters & Counters. Register Summary

TEST 1 REVIEW. Lectures 1-5

Special Nodes for Interface

ECE/CS 250 Computer Architecture

Algorithmic verification

FAIRNESS FOR INFINITE STATE SYSTEMS

Alan Bundy. Automated Reasoning LTL Model Checking

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

CSE370: Introduction to Digital Design

Example: vending machine

ECE 250 / CPS 250 Computer Architecture. Basics of Logic Design Boolean Algebra, Logic Gates

ww.padasalai.net

A Formal Model of Clock Domain Crossing and Automated Verification of Time-Triggered Hardware

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

An Informal introduction to Formal Verification

Configurable Verification of RISC Processors

Design of Digital Circuits Lecture 14: Microprogramming. Prof. Onur Mutlu ETH Zurich Spring April 2017

PERFORMANCE METRICS. Mahdi Nazm Bojnordi. CS/ECE 6810: Computer Architecture. Assistant Professor School of Computing University of Utah

EECS Components and Design Techniques for Digital Systems. FSMs 9/11/2007

CSCI-564 Advanced Computer Architecture

Transcription:

Formal Verification of Systems-on-Chip Industrial Practices Wolfgang Kunz Department of Electrical & Computer Engineering University of Kaiserslautern, Germany Slide 1 Industrial Experiences Formal verification of Systems-on-Chip in industrial practice Industrial partners: Slide 2

Example: SoC for automotive application processors hardware accelerators memories I/O controllers mixed signal blocks communication structures Slide 3 SoC Design Flow Early phase set up and assess functional prototypes Architecture model and explore architectural choices specify modules and communication for target architecture Design (RT) Register-Transfer (RT) description of modules system integration, communication structures Implementation Synthesis and optimization test preparation Slide 4

SoC Design Flow Early phase set up and assess functional prototypes Property Checking Architecture Given: model and explore architectural informal specification choices RT-level circuit specify description modules and communication for target architecture Prove (by checking properties) that the Design (RT) RT-level design description fulfills the Register-Transfer (RT) description of specification modules system integration, communication structures Implementation Synthesis and optimization test preparation Slide 5 SoC Design Flow Early phase set up and assess functional Equivalence prototypes Checking Given: two Architecture design descriptions (e.g. model 1x RTL, and 1x explore Gatelevel) architectural choices Prove that specify both designs modules are and functionally communication equivalent for target architecture Design (RT) Register-Transfer (RT) description of modules system integration, communication structures Implementation Synthesis and optimization test preparation Slide 6

Verification Tasks The hot spot for property checking Given: informal specification of modules and communication between modules (protocols) Implementation at the registertransfer (RT) level in Verilog or VHDL (hardware description languages) Approach: Verify each module individually Verify interfaces between modules Verify global behavior of entire chip (FV quite established) (FV feasible but not mature) (FV out of reach) Slide 7 RT-level module verification by IPC A typical property for RT-level module verification: AG(a c) a : assumptions - module is in some control state V - certain inputs X occur c : commitments - module goes into certain control state V - certain outputs Y occur Slide 8

RT-level module verification: operation by operation Control 1 Property 1: AG(a control 1 c control 2 ) / data_path_control_signals data path n cycles Control 2 Property 2: AG(a control 2 c control ) Slide 9 RT-level module verification: operation by operation Typical methodology for Property Checking of SoC modules: Control 1 Adopt an operational view of the design Each operation can be associated with certain important control states in which the operation starts and ends n cycles Specify a set of properties for every operation, i.e., for every important control state Verify the module operation by operation by moving along the important control states of the design Control 2 The module is verified when every operation has been covered by a set of properties Slide 10

RT-level module verification by IPC AG(a control 1 c control 2 ) Control 1 a control 1 : c control 2 : a j n = j= 0 j 1( V ) AX ( a ( X )) j n AX ( c ( X, Y )) AX ( c ( V )) j j n control = j= 0 j control 2 V: state variables / data_path_control_signals n cycles data path Control 2 Slide 11 Property for RT-level module verification InTerval Language AG(a c) a = a j n j n c = = AX ( c j ( X, Y )) AX ( cend ( V )) =0 j j n j ( V ) AX ( a ( X )) start = j= 0 j property myexample is assume: at t: a start (V); //starting state // at t: a 0 (X); at t+1: a 1 (X); at at t+n: a n (X); prove: at t: c 0 (X,Y); at t+1: c 1 (X,Y); at at t+n: c n (X,Y); at t+n: c end (V); //ending state // end property; V: state variables, X: inputs, Y: outputs Slide 12

Property for RT-level module verification Interval Temporal Logic Assumptions a() - we start in a certain control state - a certain input sequence arrives Commitments c() - certain input/output relations hold - operation ends in a certain control state property myexample is assume: at t: a start (s); //starting state // at t: a 0 (x); at t+1: a 1 (x); at at t+n: a n (x); prove: at t: c 0 (x,y); at t+1: c 1 (x,y); at at t+n: c n (x,y); at t+n: c end (s); //ending state // end property; s: state variables, x: inputs, y: outputs Slide 13 Formal Module Verification Usage model: Automated code inspection Code review: verification engineer inspects code of chip designer Looks at RT code and seeks explanation in specification Formulates hypothesis on behavior of implementation, formulates this hypothesis in terms of property that can be checked automatically If property fails, design error is detected, or, verification engineer improves his understanding of implementation and specification and corrects his property Every true property documents a piece of correct design behavior Walks through the code, operation by operation, and covers each piece of code by appropriate hypotheses Process is continued until implementation code is completely covered by properties (metrics available to check completeness!) Slide 14

TriCore 2 Microprocessor System of Infineon Program Cache Program Scratch RAM Program Scratch RAM I n t e r f a c e MMU TriCore 2 Core FPU Bus Interface Unit I n t e r f a c e Data Cache Data Scratch RAM Data Scratch RAM Architectural characteristics unified 32-Bit-RISC/DSP/MC architecture 853 instructions 6-stage superscalar pipeline multithreading extensions coprocessor support/floating point unit Interrupts Other IP Interrupt & Debug Unit Crossbar (64 bit) Bridge System Bus Other IP Current Implementation 0.13 micron technology 3 mm 2 core area/8 mm 2 hardmacro area typical frequency ~ 500 MHz typical compiled code 1.5 MIPS / MHz 2 MMACS/MHz, 0.5 mw/mhz @ 1.5 V Deployment primarily in automotive high-end subject to formal verification Slide 15 Infineon Tricore 2 project Example Every instruction of the processor is verified by formulating a property (or set of properties) describing its behavior MAC Unit: multiply, multiply/add, multiply/subtract saturation, rounding, shift-bits e.g. MUL.H - packed multiply - 2 parallel multiplications - 8 variants +12 special cases - 16 bit operands - 64 bit result MADD(S).Q - multiply/add in Q-format - 40 variants + 24 special cases - 32/16 bit operands - 64/32 bit results - some variants with saturation Slide 16

Verification of processor pipelines Goal Prove that instructions are performed correctly Example Property in ITL (Interval Temporal Language): "assumption + commitment" "assumptions" "commitments" theorem mul; // packed half word multiplication assume: at t: command_dec(mul,op1,op2); during[t,t+3]: no_reset; during[t,t+3]: no_cancel; prove: at t+3: ip_res[31:0] == op1[15:0]*op2[15:0]; at t+3: ip_res[63:32] == op1[31:16]*op2[31:16]; end Slide 17 Simulation vs. Complete Formal Module Verification effort? simulation complete formal module verification setting up properties proving completeness achieved quality quality Slide 18

The Tricore processor some results Performance of property checking 99.9 % of properties run in less than 2 minutes on solaris machine current property suite runs in 40 hours on 1 solaris machine Productivity 2k LoC per person month exhaustively verified Quality formal techniques identified bugs that are hard or impossible to find by conventional technique drastic reduction of errata sheets seems realistic Slide 19 New-Generation Property Checking x y s δ, λ s' Computation and representation of state sets are very hard! Consider machine in selected time window y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ Property checking mapped to satisfiability problem (SAT) s t s t+1 s t+2 s t+3 property satisfiable? Slide 20

Bounded Model Checking Properties are proved for finite time interval! y 0 x 1 y 1 x 2 x 2 bound k x 0 δ, λ δ, λ δ, λ s 0 s 1 s 2 s 3 Property of length n = 3 satisfiable? generate SAT instance: I( s k + n C k t 0 ) τ ( si, xi, si+ 1) [ p] i= 0 t= 0 initial states transition relation unrolled k+n times propositional formula for internal formula of AGp, k instances Slide 21 Modified formulation Proving safety properties (AGp) using bounded circuit model y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ s t s t+1 s t+2 s t+3 Property of length n = 3 satisfiable? generate SAT instance: Interval Property Checking (IPC) [Siemens: 1995] t n + i= t t τ s [ p] ( i, xi, si+ 1) transition relation unrolled n times one instance of propositional formula for property Slide 22

New-Generation Property Checking y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ s t s t+1 s t+2 s t+3 property satisfiable? Interval Property Checking essentially means that we prove safety properties constructing a certain combinational circuit and solve a SAT problem for it. So, what about all the classical notions of - reachability analysis - representations and operations for large state sets - finite state machine traversal techniques - Slide 23 Example: Registers of an SoC-module Program Counter Data register Instruction register State register of control unit Status register Register file Buffer register op [31-26] control 01 0 01(subtract) 0 oder 1 11 1 1 PCWriteCond PCWrite lord MemRead MemWrite IIRWrite RegDst MemtoReg RegWrite ALUSrcB ALUSrcA ALUOp IntCause PCSource EPCWrite CauseWrite bool PC 0 1 address memory MemData write data instruction [31 26] instruction [25 21] instruction [20 16] instruction [15 0] instruction register memory data register instr. [25-0] instr. [15-11] 0 1 0 1 instr. [5-0] read register1 read read data 1 register2 register file write register read write data 2 data 16 sign 32 extend shift left 2 A B 4 0 1 0 1 2 3 26 28 shift left 2 PC [31-28] zero ALU result ALU Control 0 1 0 1 T 0 1 2 3 C0000000 EPC Status Slide 24

Representation of SoC Module as Moore- or Mealy machine Inputs (X) data register pipeline buffer instruction register Outputs (Y) States (V) register file control unit register Status register program counter counter / timer combinational logic Clock The registers of the SoC module correspond to different segments in the global state vector V. Slide 25 ITL operational property InTerval Language Note: In general, operational properties specify the register contents only for a subset of the SoC registers. e.g., a property may specify the opcode bits of the instruction register as well as some bits of the control unit registers. Nothing is said about all other registers. property myexample is assume: at t: a start (V); //starting state // at t: a 0 (X); at t+1: a 1 (X); at at t+n: a n (X); prove: at t: c 0 (X,Y); at t+1: c 1 (X,Y); at at t+n: c n (X,Y); at t+n: c end (V); //ending state // end property; V: state variables, X: inputs, Y: outputs Slide 26

Example: Verifying communication structures IDLE input = REQ cnt n cnt = n / output := ACK FSM describes a transaction in a request/acknowledge protocol. System waits for input "request". If it arrives a counter is started. When the counter has counted up to n an acknowledge is given and the FSM goes into state READY. READY Slide 27 Example IDLE input = REQ cnt n Property assume: at t: (state = IDLE && input = REQ) prove: at t+n:(state = READY && output = ACK) cnt = n / output := ACK Operational property with IDLE and READY as starting and ending states READY Slide 28

Example x x x x x 1 0 1 0 0 x x x IDLE m-1 q p 1 0 input = REQ cnt n IDLE and READY are specified by asserting certain state bits in the global state vector cnt = n / output := ACK x x x x x 1 0 1 0 0 x x x READY m-1 q p global state vector with m bits 1 0 Slide 29 Example Property IDLE input = REQ assume: at t: (state = IDLE && input = REQ) prove: at t+n:(state = READY && output = ACK) cnt n cnt = n / output := ACK False! Counterexample: READY after n-1 cycles but not later READY Slide 30

Example Verification engineer analyzes situation: Inspection of counterexample at time t: counter value is 1 when the controller is in IDLE, but should be 0 Is there a bug? Forgot to initialize the counter properly? Inspection of design Design is correct! Counter is always 0 when controller is in state IDLE The tool s answer is wrong! ( False Negative ) Slide 31 Example y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ s t s t+1 s t+2 s t+3 property satisfiable? At time t: counter value is 1 when controller is in IDLE This is possible in our computational model, even if it is not possible in the real design! Note: there are no restrictions on s t all binary code words are considered to be reachable states at time t! Slide 32

IPC: The reachability problem Do we still need this stuff? But then - reachability analysis - representations and operations for large state sets - finite state machine traversal techniques we are back in the 90s and we can only handle small designs Slide 33 IPC with invariants Proving safety properties (AGp) by IPC with invariants y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ s t s t+1 s t+2 s t+3 need to add reachability information here! generate SAT instance: Property of length n = 3 t n ( t ) + τ ( si, xi, si+ 1) i= t t φ s [ p] satisfiable? Invariant (special case: φ = 1) transition relation unrolled n times one instance of propositional formula for property Slide 34

Invariants The notion of an invariant Definition: A set of states W in a finite state machine M is called invariant if W contains all states being reachable from W. Example: The set of all reachable states in M is an invariant. Can there be other invariants than the reachable state set R? Slide 35 Invariants Example: FSM with 3 state variables 111 100 110 001 011 101 000 010 Reachable states: R = {000, 001, 010, 011, 100} Unreachable states: U = {101, 110, 111} initial state Slide 36

Invariants Example (continued) Invariants: 111 100 110 001 011 101 000 010 initial state W 1 = R = {000, 001, 010, 011, 100} W 2 = {001, 011, 010, 100} W 3 = {010} W 4 = {011, 010, 100} W 5 = {100} W 6 = {101, 110, 000, 001, 010, 011, 100} W 7 = {110, 001, 011, 010, 100} W 8 = {111, 110, 001, 011, 010, 100} W 9 = {010, 100} W 10 = {111, 101, 110, 000, 001, 010, 011, 100} Slide 37 Proving Safety Properties with Invariants Let p be a Boolean formula. We want to prove that p holds in every reachable state of the system ( safety property, in CTL: AGp). If the formula p holds for some invariant W that includes the initial state, then, p holds in every reachable state of the system, i.e., the system fulfills this safety property. Which invariants of the previous example can be useful to prove the safety property? W 1, W 6, W 10 E.g., consider W 6 : W 6 R W 6 over-approximates the reachable state set Slide 38

Proving Safety Properties with Invariants Over-approximating the state space For any state set W - which is an invariant and - which includes the initial state it must hold that W R. Obviously, if a property holds for a superset of the reachable state set, it must also for the reachable state set itself. Therefore, we can prove safety properties based on invariants that overapproximate the reachable state set. Slide 39 Proving Safety Properties with Invariants False negatives But, what if the property fails for an invariant W, with W R? Then, we need to distinguish: 1) Property fails for one or more reachable states (e.g. states 000, 001, 010, 011, 100 in W 6 ) there is a bug in the design ( True Negative ) 2) Property fails only for one or more unreachable states (e.g. states 101, 110 in W 6 ) there is no bug in the design ( False Negative ) The counterexample is spurious, i.e., it is based on states that are unreachable in the design. Fortunately, the verification engineer can usually recognize this by inspection. Slide 40

Interval Property Checking with Invariants y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ s t s t+1 s t+2 s t+3 property satisfiable? May need to add reachability information here! This reachability information is added in terms of an invariant! Slide 41 IPC: The reachability problem y t x t+1 y t+1 x t+2 y t+2 x t δ, λ δ, λ δ, λ s t s t+1 s t+2 s t+3 property satisfiable? Which states are reachable in this model? at time t: all binary state codes (includes unreachable states) at time t+1: only those states that are the image of some state code at time t+2: only those states that are the image of an image of a state code Slide 42

Invariants in IPC Proving AGp t n ( t ) + τ ( si, xi, si+ 1) i= t t φ s [ p] Invariants: sets of states closed under reachability Invariants in this formulation compared to invariants in most other model checking techniques: can be weaker can be of simpler syntactic forms are more intuitive to the designer common practice to derive invariants manually Slide 43 IPC: the standard case The good cases computation RISC I/O controller System-on-Chip Block Interfaces DSP φ = 1 φ = 1 HW accelerator φ = 1 φ = 1 φ = 1 holds in most cases when verifying individual modules Slide 44

IPC with invariants The difficult cases communication φ 1 System-on-Chip RISC DSP φ 1 Block Interfaces φ 1 I/O controller HW accelerator φ 1 φ 1 for implementations of SoC protocols! Slide 45 IPC with Invariants In industrial practice invariants are often described implicitly: all states of the code space that fulfill certain constraints Example constraint: the counter value is 0 whenever the controller is in state IDLE. This means: the designer sets up constraints (e.g. implications, equivalences) which he/she expects to hold in the design. These constraints implicitly describe a state set. Then, we try to prove that the state set characterized by the constraints is an invariant. Idle cnt = 0 m-1 1 0 global state vector for design Slide 46

IPC with Invariants Tool produces counterexample, false negative? How to proceed in practice? Step 1: Inspect counterexample: check e.g. whether important states are combined with weird, possibly unreachable states in other parts of the design IDLE and cnt = 5 This should be impossible! m-1 1 0 global state vector for design Slide 47 IPC with Invariants Tool produces counterexample, false negative? How to proceed in practice? Step 2: Formulate a reachability constraint that you expect to hold for the design. IDLE cnt = 0 m-1 1 0 global state vector for design Slide 48

IPC with Invariants Tool produces counterexample, false negative? How to proceed in practice? Step 3: Prove the reachability constraint by induction. property 1 (base case) Assume: initial state Prove: IDLE cnt = 0 property 2 (induction step) Assume: at t: IDLE cnt = 0 Prove: at t+1: IDLE cnt = 0 Hence, the state set characterized by (IDLE cnt = 0) includes the initial state (base case) and is an invariant (induction step). Slide 49 IPC with Invariants Tool produces counterexample, false negative? How to proceed in practice? Step 4: Prove the original property using the reachability constraint. This means that you prove the property for all states of the design that fulfill the constraint. Since the constraint is proved to be valid for the design it means that your proof is based on a state set that is an invariant and which includes the initial state. Property assume: at t: (state = IDLE && input = REQ && cnt = 0) prove: at t+n:(state = READY && output = ACK) Slide 50

Advanced Feature in OSS 360MV IDLE READY input = REQ cnt n cnt = n / output := ACK assertion reachabiliy_constraints := if state = IDLE then cnt = 0 end if; end assertion; property improved is dependencies: reachability_constraints; assume: at t: state = IDLE and input = REQ; prove: at t+n: state = READY and output = ACK; end property; Property proven! Slide 51 Methodology RTL description informal specification writes properties finds reachability constraints updates properties false negative properties (ITL) property checking (interval-based) property fails counterexample property holds true negative Slide 52

Reachability Problem in IPC IPC may sometimes have poor productivity due to manual identification of reachability constraints In principle, the notions of symbolic FSM traversal can be applied but they fail for large designs Can we device specialized algorithms for reachability computation exploiting the IPC paradigm? [M. Nguyen, M. Wedler, D. Stoffel, W. Kunz: Unbounded Protocol Compliance Verification by Interval Property Checking with Invariants IEEE Transactions on Computer-Aided Design of Circuits and Systems, Vol. 27, pp. 2068-2082, November 2008.] Slide 53 Example Concrete and abstract machine Consider a Finite State Machine M with a transition relation R: 0000 M 0110 0101 1011 1010 1100 1101 1110 Slide 54

Example Concrete and abstract machine Suppose the operational properties are formulated in terms of the two most significant bits: Vˆ 0000 M 0110 0101 1011 1010 1100 1101 1110 concrete machine Slide 55 Example Concrete and abstract machine Vˆ This means that the properties refer to the states of an abstract machine Mˆ 00 Mˆ 01 10 11 abstract machine This abstract machine is also called Main-FSM or Conceptual FSM Slide 56

Example Concrete and abstract machine 0000 Vˆ 00 0110 0101 Mˆ 01 10 1011 1010 Every abstract state ŝ in Mˆ corresponds to a set of concrete states Ss ˆ in the concrete machine M. 11 1100 1101 1110 Slide 57 IPC moves along abstract states Specify properties in terms of main states ŝ 1 ŝ 2 Main state bits S ŝ1 S ŝ2 property myexample is assume: at t: Vˆ = sˆ 1 ; //starting main-state // at t: a 0 (X); at t+1: a 1 (X); at at t+n: a n (X); prove: at t: c 0 (X,Y); at t+1: c 1 (X,Y); at at t+n: c n (X,Y); at t+n: Vˆ = sˆ 2 ; //ending main-state // end property; Slide 58

Methodology RTL description (automatic) extraction main FSM informal specification TBTtraversal reachability constraints writes properties finds reachability constraints updates properties false negative properties (ITL) property checking (interval-based) property fails counterexample property holds true negative Slide 59 FSM Traversal ŝ For every state of the main FSM: compute the set of reachable states. Image computation: Consider a transition of the main FSM S ˆ S Ss ˆ s ˆ sˆ Given s, compute the set sˆ sˆ of immediate successors of that can be reached under the condition that the main FSM makes a transition from to. ŝ s ˆ Ss ˆ constrained image for transition img sˆ sˆ' where From S s ˆ sˆ ( From) = { s' S s From ( s, s') Rsˆ sˆ '} Slide 60

Traversal: transition by transition Idea S ˆ compute the sets sstep by step according to the transitions of the main FSM S Sŝ 2 ŝ ŝ 1 1 ŝ2 S ŝ4 ŝ 4 ŝ 3 Ssˆ s 1 ˆ3 S ŝ3 S sˆ Ssˆ s 2 ˆ3 = img ( sˆ ) ( ) 1 sˆ S 3 sˆ U img 1 sˆ 2 sˆ S 3 s 2 3 ˆ Formulate a fixed point iteration based on constrained image operation: TBT_traversal() Slide 61 Industrial case study Industrial design (flash-memory controller using AMBA-flavor protocol): 493 state variables, 23 properties to prove compliance with protocol specification correct execution of functional operations main FSM: 38 states, 103 transitions (extracted automatically by Debussy ) Verification effort without proposed approach: approximately 1 person month 70% of the time needed for code inspection to refine reachability constraints Results with proposed approach: 38 reachability constraints identified: used as assumption in properties total CPU time: 0:07:10h all properties proved, no manual refinements needed! Slide 62

Conclusion FV for modules getting established, what's next? Correctness by integration Better leverage of low level guarantees in high level verification Better synergy between automatic and manual abstractions System level verification Low level guarantees FV of interfaces (communication) FV of modules (computation) 50% algorithms plus 50% methodology! Slide 63

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback