Memory Modeling in ESL-RTL Equivalence Checking
Alfred Koelbl, Jerry Burch, Carl Pixley
Advanced Technology Group
Synopsys, Inc.
June 2007
Outline
Motivation
Transaction equivalence
Requirements for a memory model
- Memory layout differences
- Multiple memories
- Constraints on memories
Proof procedure
Experimental results
Conclusion
Motivation
Problem: ESL to RTL equivalence checking
Arrays in the ESL model are often implemented by memories in RTL
A given mapping between them can greatly simplify the equivalence check
Many implementations are possible:
- Differing memory layout
- Multiple memories
- Constraints on memory contents
- Timing differences
Need to be able to reason about memory reads / writes
Related Work
Simple read/write memory model used in:
- Pipeline verification (Burch, Dill 1994)
- Symbolic simulation (Bryant, Velev 1997)
- Microprocessor verification
Stump et al. 2001: Extensional theory of arrays
Clever encodings: Manolios et al. 2006, Ganai et al. 2005
Bradley et al. 2006: Extensional theory with quantifiers
Proof procedure
Transaction equivalence:
- Assume that both designs start in a valid state (a superset of the reachable state set)
- Execute a single transaction by unrolling the ESL and RTL models for one transaction
- Check the outputs after the transaction
- Check the state after the transaction
Proof strategy: induction
Needs state invariants:
- Register mappings
- Memory mappings & memory constraints
- Additional invariants
Prove that the resulting SAT formula (assumptions conjoined with the negated proof obligation) is UNSAT
Transaction equivalence
[Figure: the ESL model is unrolled into steps ESL0, ESL1 over transaction TA with inputs IA0, IA1 and output OA, taking the state (SA, MA) to (SA', MA'); the RTL model is unrolled into steps RTL0, RTL1, RTL2 over the corresponding transaction TB with inputs IB0, IB1, IB2 and output OB, taking (SB, MB) to (SB', MB'). S denotes registers, M memories.]
Valid starting state (superset of the reachable state set), characterised by:
• Register mappings
• State invariants
• Memory mappings
• Constraints on memories
Outputs equivalent? OA = OB
Valid end state? The same register mappings, state invariants, memory mappings and memory constraints must hold for (SA', MA') and (SB', MB').
Memories / Arrays
Operations: read(M, addr), write(M, addr, data) (no timing)
[Figure: memory Ma with addresses 0..5 holding 10, 7, 19, 5, 203, 48. read(Ma, 1) → 7. write(Ma, 3, 1024) yields Ma' holding 10, 7, 19, 1024, 203, 48.]
How can we express relationships between memories/arrays?
Memory mapping
Relates the content of one memory to another
Universally quantified expression over all memory locations
Expressed in terms of reads
Example: one-to-one mapping between Ma and Mb:
$MM(M_a, M_b) : \forall i : \mathrm{read}(M_a, i) = \mathrm{read}(M_b, i)$
Layout differences
struct elem { char a; char b; }
elem MA[4]
reg [2:0] MB[3:0]
[Figure: MA[0..3] holds the 16-bit words 0000000100000001, 0000001100000000, 0000001000000000, 0000000100000000 (a in the high byte, b in the low byte); MB[0..3] holds the 3-bit words 011, 110, 100, 010.]
Layout differences
Differing memory layout due to the lack of bit-accurate data types in the ESL model (a char holding a 2-bit field)
The memory mapping becomes a big expression with bit-extracts and concatenation
The user can specify the mapping with a "template":
template_t {
  a = [2:1];
  b = [0];
}
Memory mapping expression:
$MM(M_a, M_b) : \forall\, 0 \le i < 4 : \mathrm{read}(M_a, i) = \mathrm{template\_t}(\mathrm{read}(M_b, i))$
Multiple memories
A single array in the ESL model implemented by multiple memories in RTL:
- Increasing memory access performance
- Shadow registers
- Cache in RTL
Complex address mappings between memories:
- Optimized memory access pattern in RTL
- Splitting / merging memories in RTL
Example: ESL memory ME (addresses 0..6) implemented by RTL memories MF and MG (addresses 0..4 each):
$MM(M_E, M_F) : \forall\, 0 \le i < 5 : \mathrm{read}(M_F, i) = (i < 4)\ ?\ \mathrm{read}(M_E, i) : \mathrm{read}(M_E, 5)$
$MM(M_E, M_G) : \forall\, 0 \le i < 5 : \mathrm{read}(M_G, i) = (i < 4)\ ?\ \mathrm{read}(M_E, i) : \mathrm{read}(M_E, 6)$
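Before a user-written memory map is handed to the prover as an assumption, it is worth evaluating it on concrete memory contents (for example states dumped from simulation), since a map that is wrong on a single location will make the proof fail or, worse, vacuous. The following is an added example, not code from the slides or from Hector: it evaluates the template mapping of the layout-difference slide and the split-memory mapping above on constructed contents taken from the figures. The split map follows the reconstruction given above (entries 0..3 shared, ME[5] in MF[4], ME[6] in MG[4]); the function and constant names are this example's own.

```python
"""Added example: evaluate memory maps on concrete contents before using
them as proof assumptions. Sample contents are constructed from the figures."""

def bits(word, hi, lo):
    """Verilog-style bit extract word[hi:lo]."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def template_t(rtl_word):
    """template_t from the slides: a = [2:1], b = [0] of a 3-bit RTL entry,
    widened back to the ESL layout of struct elem {char a; char b}
    (a in the high byte, b in the low byte, as in the figure)."""
    return (bits(rtl_word, 2, 1) << 8) | bits(rtl_word, 0, 0)

def layout_mismatches(ma, mb, n=4):
    """Violations of MM(MA,MB): forall 0 <= i < n : read(MA,i) = template_t(read(MB,i)).
    Returns [(i, read(MA,i), template_t(read(MB,i))), ...]; empty means the map holds."""
    return [(i, ma[i], template_t(mb[i])) for i in range(n) if ma[i] != template_t(mb[i])]

def split_map_holds(me, mf, mg):
    """MM(ME,MF) and MM(ME,MG) for a 7-entry ESL array ME implemented by two
    5-entry RTL memories: for 0 <= i < 5, MF[i] = (i < 4) ? ME[i] : ME[5]
    and MG[i] = (i < 4) ? ME[i] : ME[6] (reconstruction of the slide's maps)."""
    return (all(mf[i] == (me[i] if i < 4 else me[5]) for i in range(5)) and
            all(mg[i] == (me[i] if i < 4 else me[6]) for i in range(5)))

# Constructed sample contents, matching the layout-difference figure.
MA_EXAMPLE = [0b0000000100000001, 0b0000001100000000,
              0b0000001000000000, 0b0000000100000000]
MB_EXAMPLE = [0b011, 0b110, 0b100, 0b010]

# Constructed 7-entry ESL array and its two RTL memories.
ME_EXAMPLE = [10, 7, 19, 5, 203, 48, 99]
MF_EXAMPLE = [10, 7, 19, 5, 48]
MG_EXAMPLE = [10, 7, 19, 5, 99]

if __name__ == "__main__":
    print("layout map mismatches:", layout_mismatches(MA_EXAMPLE, MB_EXAMPLE))
    print("split map holds:", split_map_holds(ME_EXAMPLE, MF_EXAMPLE, MG_EXAMPLE))
```

A mismatch list such as `[(1, 0x0300, 0x0201)]` points directly at the location and the two values that disagree, which is the information needed to decide whether the template or the RTL is wrong.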
Constraints on memories
Designs may only be equivalent if the memory contents are constrained
Constraints on individual memory elements, e.g. $c_0 : \mathrm{read}(M_A, 3) = 2$
Constraints on all memory elements, e.g. $c_1 : \forall i : (\mathrm{read}(M_A, i) \bowtie 3)$ for some relation $\bowtie$
Constraints relating multiple memories, e.g. $c_2 : \forall i : $ a relation among $\mathrm{read}(M_A, i)$, $\mathrm{read}(M_B, i)$ and $\mathrm{read}(M_C, i)$
Each constraint becomes a proof obligation: it is assumed on the start state and must be re-established on the end state
Proof procedure
Assumptions (on the start state):
- $i(M_A, M_B, S_A, S_B)$ (state invariants)
- $r(S_A, S_B)$ (register mappings)
- $c(M_A, M_B)$ (memory constraints)
- $MM(M_A, M_B)$ (memory mappings)
Proof obligations (after the transaction):
- $O_A = O_B$ (outputs equivalent)
- $i(M_A', M_B', S_A', S_B')$
- $r(S_A', S_B')$
- $c(M_A', M_B')$
- $MM(M_A', M_B')$
Check model assumptions, e.g., that no array accesses are out of bounds
Proof procedure
1. Propagate reads over writes:
$\mathrm{read}(\mathrm{write}(M, i, d), j) = \mathrm{ite}(i = j, d, \mathrm{read}(M, j))$
2. Replace universally quantified variables in proof obligations by free variables:
$\forall i : (\mathrm{read}(M_A, i) = \mathrm{read}(M_B, i))$ becomes $\mathrm{read}(M_A, i) = \mathrm{read}(M_B, i)$ with $i$ free
3. Expand assumption quantifiers over the index terms that occur in the formula:
$\forall i : (\mathrm{read}(M_A, i) = \mathrm{read}(M_B, i)) \wedge p(\mathrm{read}(M_A, a), \mathrm{read}(M_B, b))$
becomes
$(\mathrm{read}(M_A, a) = \mathrm{read}(M_B, a)) \wedge (\mathrm{read}(M_A, b) = \mathrm{read}(M_B, b)) \wedge p(\mathrm{read}(M_A, a), \mathrm{read}(M_B, b))$
4. Perform completeness check
Proof procedure
Replace reads by free variables (one per distinct index term; for index terms $a, b, c$):
$\mathrm{read}(M, a) = v_1$
$\mathrm{read}(M, b) = \mathrm{ite}(b = a, v_1, v_2)$
$\mathrm{read}(M, c) = \mathrm{ite}(c = a, v_1, \mathrm{ite}(c = b, v_2, v_3))$
Prove the resulting formulas using a validity checker
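The read/write memory model and the four steps of the proof procedure (read-over-write propagation, freeing the obligation's quantified variable, instantiating the memory-map assumption at the index terms that occur, and replacing reads by free variables with nested ite) are small enough to run end to end. The following is an added example, not code from the slides or from Hector: it implements those steps on symbolic terms for one memory-updating transaction and checks the resulting quantifier-free formula. Where the slides use a validity checker, this example substitutes an exhaustive evaluation over a small finite domain; that bounded check, the tuple term representation and all function names are assumptions of the example. The constructed transactions (an RTL write to the wrong address, two writes in opposite order, and an element swap) show both a proven case and counterexamples.

```python
"""Added example: term-level steps of the proof procedure for one transaction."""
from itertools import product

# Term constructors. Memories, indices and data are all uninterpreted variables.
def var(name):          return ("var", name)
def read(mem, idx):     return ("read", mem, idx)
def write(mem, idx, d): return ("write", mem, idx, d)
def ite(c, a, b):       return ("ite", c, a, b)
def eq(a, b):           return ("eq", a, b)
def conj(*fs):          return ("and",) + fs
def neg(f):             return ("not", f)
def implies(p, q):      return ("implies", p, q)

def propagate(t):
    """Step 1: rewrite read(write(M,i,d), j) -> ite(i = j, d, read(M, j)), bottom-up."""
    if not isinstance(t, tuple):
        return t
    t = tuple(propagate(x) for x in t)
    if t[0] == "read" and t[1][0] == "write":
        _, (_, mem, i, d), j = t
        return ite(eq(i, j), d, propagate(read(mem, j)))
    return t

def reads_of(t, mem, acc):
    """Distinct index terms at which base memory `mem` is read in t, in traversal order."""
    if isinstance(t, tuple):
        if t[0] == "read" and t[1] == mem and t[2] not in acc:
            acc.append(t[2])
        for x in t[1:]:
            reads_of(x, mem, acc)
    return acc

def instantiate_map(goal, mem_a, mem_b):
    """Step 3: expand  forall i: read(MA,i) = read(MB,i)  at every index term
    at which MA or MB is read in the quantifier-free goal."""
    idx = reads_of(goal, mem_b, reads_of(goal, mem_a, []))
    return conj(*[eq(read(mem_a, i), read(mem_b, i)) for i in idx])

def eliminate_reads(t, mems):
    """Step 4: replace read(M, a_k) by ite(a_k = a_1, v_1, ... ite(a_k = a_{k-1}, v_{k-1}, v_k))
    with one fresh variable per distinct index term. Index terms are assumed read-free."""
    tables = {m: reads_of(t, m, []) for m in mems}
    def go(t):
        if not isinstance(t, tuple):
            return t
        if t[0] == "read" and t[1] in tables:
            idxs, name = tables[t[1]], t[1][1]
            k = idxs.index(t[2])
            result = var(f"{name}_v{k}")
            for j in range(k - 1, -1, -1):
                result = ite(eq(t[2], idxs[j]), var(f"{name}_v{j}"), result)
            return result
        return tuple(go(x) for x in t)
    return go(t)

def evaluate(t, env):
    """Evaluate a read-free term under an assignment of its free variables."""
    op = t[0]
    if op == "var":     return env[t[1]]
    if op == "eq":      return evaluate(t[1], env) == evaluate(t[2], env)
    if op == "ite":     return evaluate(t[2] if evaluate(t[1], env) else t[3], env)
    if op == "and":     return all(evaluate(x, env) for x in t[1:])
    if op == "not":     return not evaluate(t[1], env)
    if op == "implies": return (not evaluate(t[1], env)) or evaluate(t[2], env)
    raise ValueError(f"cannot evaluate {op!r}: eliminate reads first")

def free_vars(t, acc=None):
    acc = [] if acc is None else acc
    if isinstance(t, tuple):
        if t[0] == "var":
            if t[1] not in acc:
                acc.append(t[1])
        else:
            for x in t[1:]:
                free_vars(x, acc)
    return acc

def bounded_valid(f, domain=range(3)):
    """Stand-in for the validity checker (assumption of this example): exhaustive
    evaluation over a small finite domain. Returns (True, None) or (False, counterexample)."""
    names = free_vars(f)
    for vals in product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if not evaluate(f, env):
            return False, env
    return True, None

def check_transaction(esl_writes, rtl_writes, constraint=None):
    """Induction step for one transaction: assume MM(MA,MB) on the start state,
    unroll the writes of both sides, prove MM on the end state. `constraint` is
    an optional extra assumption (here on the inputs), conjoined like c(M)."""
    MA, MB, j = var("MA"), var("MB"), var("j")
    ma_end, mb_end = MA, MB
    for idx, d in esl_writes:
        ma_end = write(ma_end, idx, d)
    for idx, d in rtl_writes:
        mb_end = write(mb_end, idx, d)
    goal = propagate(eq(read(ma_end, j), read(mb_end, j)))   # step 2: j is free
    assumption = instantiate_map(goal, MA, MB)
    if constraint is not None:
        assumption = conj(assumption, constraint)
    formula = eliminate_reads(implies(assumption, goal), [MA, MB])
    return bounded_valid(formula)

def examples():
    """Constructed transactions; each result is (valid, counterexample_or_None)."""
    a, b, d1, d2, MA, MB = var("a"), var("b"), var("d1"), var("d2"), var("MA"), var("MB")
    return {
        "same_write":    check_transaction([(a, d1)], [(a, d1)]),
        "wrong_address": check_transaction([(a, d1)], [(b, d1)]),
        "reordered":     check_transaction([(a, d1), (b, d2)], [(b, d2), (a, d1)]),
        "reordered_disjoint": check_transaction([(a, d1), (b, d2)], [(b, d2), (a, d1)],
                                                constraint=neg(eq(a, b))),
        "swap": check_transaction([(a, read(MA, b)), (b, read(MA, a))],
                                  [(b, read(MB, a)), (a, read(MB, b))]),
    }

if __name__ == "__main__":
    for name, (valid, cex) in examples().items():
        print(f"{name:20s} {'proven' if valid else 'counterexample: ' + str(cex)}")
```

The "reordered" case is the one to look at: two writes issued in opposite order are only equivalent when the addresses differ, so the proof fails with a counterexample in which a = b = j, and succeeds once the constraint a ≠ b is added as an assumption. The "swap" case reads each memory at three index terms (a, b and the free j), so it exercises the nested ite encoding of the last slide above. The exhaustive check is only a stand-in: the real procedure hands the quantifier-free formula to a validity checker, which is not restricted to a finite domain.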
Hector experimental results
Design | # lines of code (C / RTL) | # arrays / # RAMs | # discrepancies | # bugs found | time | final result
D1 | 50 / 6200 | 1 / 1 | 0 | 0 | 4 min | proven
D2 | 70 / 580 | 1 / 1 | 0 | 0 | 2 min | proven
D3 | 570 / 1720 | 1 / 3 | 9 | 1 RTL, 1 C++ | 4 min | proven
D4 | 1700 / 7500 | 4 / 4 | 8 | 1 RTL, 1 C++ | <1 h | proven
D5 | 4300 / 6700 | 31 / 33 | >40 | 4 RTL | 43 min | 62 proven, 15 cex
Conclusion
Arrays in the ESL model are often implemented as memories in RTL
The relationship between memories is expressed by a universally quantified memory map
The memory map must be able to handle:
- Layout differences
- Complicated address mappings
- Multiple memories
- Constraints on memories
Proof procedure based on induction:
- Memory maps serve both as assumptions and as proof obligations
- Quantifier elimination