Introduction to Formal Verificationsak/courses/foav/Intro-Formal...Introduction to Formal Verification P. P. Chakrabarti Dept. of Computer Sc. & Engg., & Advanced VLSI Design Laboratory

11

Introduction to Formal Introduction to Formal VerificationVerification

P. P. P. P. ChakrabartiChakrabartiDept. of Computer Sc. & Dept. of Computer Sc. & EnggEngg.,.,& Advanced VLSI Design Laboratory& Advanced VLSI Design LaboratoryIndian Institute of Technology KharagpurIndian Institute of Technology Kharagpur

Presented by:

22Formal-V Group, IIT KGP NWCV 2005NWCV 2005

Typical SOC ArchitectureTypical SOC Architecture

ProcessorProcessor

MemoryMemory

BRIDGE

BRIDGE

PowerMgmtPowerMgmt

Analog blocks withDigital interfaces

Digital blocks


Two ExamplesTwo ExamplesLow-power, low-cost embedded

systems• High-performance multiprocessors

for complete applications


Networked Embedded ApplianceNetworked Embedded Appliance

RF & IF Transceiver

Baseband Processing

CustomASICLogic

AlgorithmAccelerationCoprocessors

DSP Core

RAM/ROM

WirelessProtocol

ProcessorRAMROM

DRAM

Network/Host/PeripheralInterface

(Microcontroller)

Application

OS & Middleware

TransportCODECActuatorSensor

Peripherals Network

MAC/Link

Physical

Application

OS & Middleware

Transport CODECActuatorSensor

PeripheralsNetwork

MAC/Link

Physical

PROTOCOLS

Flow of bits

Application

OS & Middleware

TransportCODECActuatorSensor

Peripherals Network

MAC/Link

Physical

Application

OS & Middleware

Transport CODECActuatorSensor

PeripheralsNetwork

MAC/Link

Physical

PROTOCOLS

Flow of bits

The challenge is to make a Computer and a Radio (Transmitter& Receiver on a Single Chip)

We need to bridge the Analog & Digital Design Divide at Nanometer scale


Verification Dominates DesignVerification Dominates Design

Simulation46%

Design27%

Structural12%

Emulation15%

• Synthesis• Timing analysis• Equivalence checking• DFT

• Behavioral modeling• Architecture level simulation• System level simulation

• High-level design• RTL coding• Block-level simulation


Chip: Chip: From concept to marketFrom concept to market

Specification

Implementation

Prototyping

Manufacturing

Pre-siliconPost-silicon

Design validationDesign validation

TestingTesting


•• Specification verificationSpecification verification•• System verificationSystem verification•• Performance verificationPerformance verification•• Testability verificationTestability verification•• Timing verificationTiming verification•• Silicon verificationSilicon verification

PrePre--silicon Validation Taskssilicon Validation Tasks


System Architecture

Processor Design

Software Design

Blocks

Design LevelsApplication Spec

Process/Behavior

Register Transfer

Gate

Transistor/RLC

Layout

Processor Code

BUS

Block 2Block 1 Block N

Registers Custom Logic

Interconnect

FU 2FU 1 FU n


Implementation Rules

Description ofDesign

ImplementationProcessor Code

BUS


IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

A Design & Verification FlowA Design & Verification Flow




ImplementationRegisters Custom Logic

Interconnect

FU 2FU 1 FU n

IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

Hardware VerificationHardware Verification


Important TasksImportant Tasks• System-level design validation

– High-level modelling of CCS (SDL, UML, SystemC)

– Verification by simulation and assertion checking • Processor and Toolset Design

– Flexible Architecture Design & DSE– Systems Software Generation

• Designing & Verifying Custom Blocks– Architecture Spec and RTL– Coverage Analysis

• RTL Validation– Functional & Timing Verification – Modular Verification





BUS


IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

High Level Design High Level Design


SystemSystem--Level DesignLevel Design

• Modelling Communicating Concurrent Processes

• Typical Interest ranges from:– Interface Verification (handshaking, data-

transfer)– Complete Cycle Accurate Simulation with

processor cores, memories, etc• Synthesis from High-level specs like SDL to

cycle accurate models like SystemC• Verification by a method of of controlled

simulation traces and trace analysis by temporal logic.


Specification in SDLSpecification in SDL





BUS


IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

Design Intent Verification Design Intent Verification


SDLDesign

Simulator(with featuresof scheduling & backtracking)

Test bench

Watchdog Verifier(Use of Temporal Logic

Assertions)

Verification using Controlled Simulation





BUS


IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

Design Implementation: Design Implementation: Partitioning, Processor Design, Software Tools, Custom BlocksPartitioning, Processor Design, Software Tools, Custom Blocks


Processor Design CycleProcessor Design Cycle

PerformanceMetrics

Processor/Sys. Description Experiment newer design

Compiler

Assembler

Linker

Simulator

FPGA

Debugger/GUIProcessor/Sys. Performance(ISA + uArch) Designer Metrics

Quality Assurance Framework

ISA

Regs

Cache

Mem

Pipeline

Bus. . .

Cycle-counts

Speed

Time

Power

BW req.

Stats. . .

Optimizer

Library


Custom BlocksCustom Blocks





BUS


IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

Implementation VerificationImplementation Verification


System Architecture

Processor Design

Software Design

Blocks

RTL DesignApplication Spec

Process/Behavior

Register Transfer

Gate

Transistor/RLC

Layout

Processor Code

BUS


Registers Custom Logic

Interconnect

FU 2FU 1 FU n




ImplementationRegisters Custom Logic

Interconnect

FU 2FU 1 FU n

IMPLVERIFIER

DESIGNVERIFIER

Co-Verification

Coverage Analyzer

SystemDesign

Design Rules

System

Tests

Hardware VerificationHardware Verification


Design intent creationDesign intent creation

Design Cycle: Design Cycle: Intent CreationIntent Creation

ArchitecturalSpecification

ExecutableSpecs (CSpec)

ComponentSpecs Document

Is the intent correct?Is the intent correct?

EnglishEnglish

EnglishEnglish

C, C, SystemCSystemC, , EsterelEsterel


Design Cycle: Design Cycle: ImplementationImplementation

ComponentSpecs Document

RTL implementation

Gate Level Netlist

Verilog, VHDLVerilog, VHDL

English documentsEnglish documents

Transistor Level(Schematic)

Design integration

SynthesisSynthesis

Technology mappingTechnology mapping

Mask

Layout

Equivalence Equivalence checkingchecking

ImplementationImplementationvalidationvalidation

(Spec(Specvsvs RTL)RTL)


Main validation tasksMain validation tasks

Architectural Specification[Schematic, Assertions]

Executable Specification[SpecC, SystemC, etc]

Modules[Module level assertions]

FormalProperty Verf

Simulation

Consistencychecks

Simulation, Customization,

Perf. Eval.Design intent verificationDesign intent verification

Implementation verificationImplementation verification

Design integration[System-level assertions]

Simulation,Dynamic property verf


Example: Priority Arbiter [ Schematic and Example: Priority Arbiter [ Schematic and HighHigh--Level Spec ]Level Spec ]

r1

r2

g1

g2

The system requires to The system requires to arbitratearbitrate between requests between requests r1r1and and r2r2 and provide grants and provide grants g1g1 and and g2g2 in such a way in such a way that that r2 r2 isis defaultdefault but but r1r1 is given is given higher priorityhigher priority over over r2. r2. Mutual exclusionMutual exclusion must be guaranteed.must be guaranteed.


Example: Priority Arbiter [ Verilog Code Example: Priority Arbiter [ Verilog Code and Formal Model ]and Formal Model ]

always always beginbegin @(@(posedgeposedge clkclk))

beginbeginif(r1 == 1)if(r1 == 1)

@(@(posedgeposedge clkclk))beginbegin g1 = 1; g2 = 0; g1 = 1; g2 = 0; endend

if(r2 == 1 && r1 == 0)if(r2 == 1 && r1 == 0)@(@(posedgeposedge clkclk))beginbegin g2 = 1; g1 = 0; g2 = 1; g1 = 0; endend

if(r2 == 0 && r1 == 0)if(r2 == 0 && r1 == 0)@(@(posedgeposedge clkclk))beginbegin g2 = 1; g1 = 0; g2 = 1; g1 = 0; endend

endendendend

¬¬g1, g2, ¬r1, r2g1, g2, ¬r1, r2

¬¬g1, g2, r1, r2g1, g2, r1, r2

g1, ¬g2, ¬r1, r2g1, ¬g2, ¬r1, r2

g1, ¬g2, r1, r2g1, ¬g2, r1, r2

g1, ¬g2, ¬r1, ¬r2g1, ¬g2, ¬r1, ¬r2

¬¬g1, g2, r1, ¬r2g1, g2, r1, ¬r2

g1, ¬g2, r1, ¬r2g1, ¬g2, r1, ¬r2

¬¬g1, g2, ¬r1, ¬r2g1, g2, ¬r1, ¬r2


HighPriorityUser

LowPriorityUser

HighPriority

Interface

Arbiter

request hpreq

hpgrant

lpgrant

lpusing

hpusing

Resource Arbiter System Resource Arbiter System (Schematic)(Schematic)


initial begin hpreq=0; hpusing=0; endalways @(posedge request)beginhpreq=1; #1;if (hpgrant==1) #2;else begin@(posedge hpgrant); #2;

endhpusing=1; hpreq=0;@(negedge hpgrant);hpusing=0;end

High Priority InterfaceHigh Priority Interface hpreq=0, hpusing=0

@(posedge request)

hpreq=1

@(posedgehpgrant)

hpusing=1

hpreq=0@(negedge hpgrant)

hpusing=0ε

ε

ε

ε

ε

ε

#1

#2 #2

hpgrant ?


hpgrant=0,lpgrant=1

@(posedge hpreq)

Lpgrant=0lpusing?

hpgrant=1@(posedge hpusing)

hpgrant=0,lpgrant=1

ε

ε

ε

εε

#4

#64

initial beginhpgrant=0; lpgrant=1;

end

always @(posedge hpreq)beginlpgrant=0;if (lpusing !=0)

#4;hpgrant=1;@(posedge hpusing);#64;hpgrant=0; lpgrant=1;

end

ArbiterArbiter


hpreq=0, hpusing=0hpgrant=0, lpgrant=1

request?

hpreq=1, lpgrant=0lpusing?

hpgrant=1

hpgrant=1

hpusing=1, hpreq=0

lpgrant=1, hpgrant=0hpusing=0

#1#3

#2

#64

#1

#2

#1εε

ε

εTimed event structure

(after composition)(after composition)


The Design Verification ProblemThe Design Verification Problem

Transition System(Kripke Structure)

Property(Temporal Logic)

Formal Verification(Model Checker)


Priority Arbiter: PropertiesPriority Arbiter: Properties

r1

r2

g1

g2

•• Whenever r1 is asserted, g1 is given in the next cycleWhenever r1 is asserted, g1 is given in the next cycle

•• When r2 is the sole request, g2 comes in the next cycleWhen r2 is the sole request, g2 comes in the next cycle

•• When none of them are requesting, the arbiter parks the grant When none of them are requesting, the arbiter parks the grant on g2 on g2

•• g1 and g2 can not be true at the same time (mutual exclusion)g1 and g2 can not be true at the same time (mutual exclusion)


c

s

b

a5

3

4

2

1 1

1

1

1

12

9

5

gr

req

req

reqreq

req

gr

grgr

grgrgr

• From s the system always makes a request in future• All requests are eventually granted• Sometimes requests are immediately granted• Requests are not always immediately granted• Requests are held till grant is received

Analyzing Request and GrantsAnalyzing Request and Grants


Timing PropertiesTiming Properties

• Whenever a hpreq is recorded, the hpgrant should take place within 4 units of time.

• The arbiter will provide exactly 64 units of time to high-priority users in each grant.


What is temporal logic?What is temporal logic?

•• Logic with Logic with temporaltemporal operators (operators operators (operators that talk about time)that talk about time)

–– EgEg. Tense Logic (A. N. Prior, 1957). Tense Logic (A. N. Prior, 1957)

•• P P “It has at some time been the case that …”“It has at some time been the case that …”

•• F F “It will at some time be the case that …”“It will at some time be the case that …”

•• H H “It has always been the case that …”“It has always been the case that …”

•• G G “It will always be the case that …”“It will always be the case that …”


Temporal Logic for ValidationTemporal Logic for Validation

•• Formalism for describing sequences of transitions Formalism for describing sequences of transitions between states in a reactive system between states in a reactive system

•• Time is not mentioned explicitlyTime is not mentioned explicitly

–– eventuallyeventually some designated state is reachedsome designated state is reached–– an error state is an error state is nevernever enteredentered–– eventuallyeventually or or nevernever are specified using special temporal are specified using special temporal

operatorsoperators–– temporal operators can also be combined with Boolean temporal operators can also be combined with Boolean

connectives or nested arbitrarilyconnectives or nested arbitrarily


Informal SemanticsInformal Semantics

•• p holds in the next statep holds in the next state

X pX p

p holdsp holds



• p holds always (globally)holds always (globally)alternativelyalternatively

•• ¬¬p does not hold eventuallyp does not hold eventually

G pG p

p holdsp holds



•• p holds eventually (in future)p holds eventually (in future)alternativelyalternatively

•• ¬¬p does not hold alwaysp does not hold always

F pF p

p holdsp holds



•• q holds eventually q holds eventually andand p holds until q holdsp holds until q holds

p U qp U q

p holdsp holds

q holdsq holds


Duality between Temporal OperatorsDuality between Temporal Operators

G p

p holds always

¬p does not hold eventually

¬( ¬p holds eventually )

¬F( ¬p )


Nesting of Temporal OperatorsNesting of Temporal Operators

F G pF G p

G F pG F p

Along the path there exists a state from which Along the path there exists a state from which pp will hold foreverwill hold forever

Along the path for all states there will be eventually some statAlong the path for all states there will be eventually some state e where where pp holds holds

alternativelyalternatively

Along the path p will hold Along the path p will hold infinitely ofteninfinitely often


ExampleExample

r1

r2

g1

g2

•• Either g1 or g2 is alwaysEither g1 or g2 is alwaysfalse (mutual exclusion)false (mutual exclusion)

G[G[¬¬g1 g1 ∨∨ ¬¬g2]g2]

•• Whenever r1 is asserted, g1 is given in the next cycleWhenever r1 is asserted, g1 is given in the next cycle

G[ r1 G[ r1 ⇒⇒ Xg1 ]Xg1 ]

•• When r2 is the sole request, g2 comes in the next cycleWhen r2 is the sole request, g2 comes in the next cycle

G[ (G[ (¬¬r1 r1 ∧∧ r2) r2) ⇒⇒ Xg2 ]Xg2 ]

•• When none are requesting, the arbiter parks the grant on g2 When none are requesting, the arbiter parks the grant on g2 G[ (G[ (¬¬r1 r1 ∧∧ ¬¬r2) r2) ⇒⇒ Xg2 ]Xg2 ]


c

s

b

a5

3

4

2

1 1

1

1

1

12

9

5

gr

req

req

reqreq

req

gr

grgr

grgrgr

From s the system always makes a request in future: AFreqAll requests are eventually granted:AG(req → AFgr)Sometimes requests are immediately granted: EF(req → EXgr)Requests are not always immediately granted: ¬ AG(req → AXgr)Requests are held till grant is received: AG(req → AF(req U gr))

Analyzing Request and GrantsAnalyzing Request and Grants


Timing PropertiesTiming Properties

• Whenever a hpreq is recorded, the hpgrantshould take place within 4 units of time.AG(posedge(hpreq) → A(true U[0,4] posedge(hpgrant)))

• The arbiter will provide exactly 64 units of time to high-priority users in each grant.AG(posedge(hpusing) →

A(¬negedge(hpusing) U[64,64] negedge(hpusing)))


Model Checking of a Temporal Logic FormulaModel Checking of a Temporal Logic Formula

temporal formula

MC

G(p -> F q)yes

nop

q

finite-state model

algorithm

pq

counterexamplecounterexample

OKOK


SatisfiabilitySatisfiability Checking of a Temporal Logic FormulaChecking of a Temporal Logic Formula

Temporal formula

SATChecker

yes

no

a model of a model of the formula the formula

existsexists

no model no model exists for the exists for the

formulaformula

unsatisfiableunsatisfiable

satisfiableatisfiable


AssertionAssertion--Based Verification (ABV) Based Verification (ABV)

•• Design intent is expressed using assertionsDesign intent is expressed using assertions•• Simulation is done as usualSimulation is done as usual

–– Assertions find more bugs fasterAssertions find more bugs faster–– Assertions isolate the source of the problemAssertions isolate the source of the problem

•• Use formal methods to guide simulationUse formal methods to guide simulation

AssertionMonitor

Test Bench

ModuleunderTest

Interface bind


Design Team

SpecificationDesign

Model Checker

Coverage Estimator Correct the Design

Property Refinement

Refined Property

Design Team

Validation

Correct Incorrect

Identify theportion of the design where it holds

Property IncorrectNot a

correctnessproperty

Property correct

Refine Specwith the property

Add the negationof the property

Property Refinement And Coverage


Advanced VLSI Design LabAdvanced VLSI Design Lab

Analog / RFDesign

Analog / RFDesign Digital

DesignDigitalDesign

CADCAD

Direct conversion radio

Power management

Analog behavioral models

Formal verification

Test AutomationAnalog CAD

Embedded System Design

Cryptography

Digital Communication

Processor Design

25 chips taped out in the last 3 years!!25 chips taped out in the last 3 years!!

RFID

Documents

Introduction to Formal Verificationsak/courses/foav/Intro-Formal...Introduction to Formal Verification P. P. Chakrabarti Dept. of Computer Sc. & Engg., & Advanced VLSI Design Laboratory