HECTOR: Formal System-Level to RTL Equivalence Checking

Similar documents
Solver Technology for System-level to RTL Equivalence Checking

Symbolic and Concolic Execution of Programs

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Word-Level Equivalence Checking in Bit-Level Accuracy by Synthesizing Designs onto Identical Datapath

High-Level Information Interface

CS/ECE 5780/6780: Embedded System Design

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

Combinational Equivalence Checking

ECE 587 Hardware/Software Co-Design Lecture 11 Verification I

Voting Machines and Automotive Software: Explorations with SMT at Scale

Lecture 2: Symbolic Model Checking With SAT

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

EE 4755 Digital Design Using Hardware Description Languages

3. Formal Equivalence Checking

BOOSTER: Speeding Up RTL Property Checking of Digital Designs by Word-Level Abstraction

ABSTRACT. Title: Equivalence Checking for High-Level Synthesis Flow

Advanced VLSI Design Prof. Virendra K. Singh Department of Electrical Engineering Indian Institute of Technology Bombay

Interplay Between Language and Formal Verification

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Marrying Formal Methods With Simulation-Based Verification Function Verification Research at UCSB. Tim Cheng & Li-C. Wang UC-Santa Barbara

8. Symbolic Trajectory Evaluation, Term Rewriting. Motivation for Symbolic Trajectory Evaluation

Efficient Circuit to CNF Conversion

Deductive Methods, Bounded Model Checking

Equivalence Checking of C Programs by Locally Performing Symbolic Simulation on Dependence Graphs

Lecture Notes on Real-world SMT

OpenSMT2. A Parallel, Interpolating SMT Solver. Antti Hyvärinen, Matteo Marescotti, Leonardo Alt, Sepideh Asadi, and Natasha Sharygina

Optimizing Blocks in an SoC Using

Unit 2: High-Level Synthesis

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

VHDL for Synthesis. Course Description. Course Duration. Goals

Verifying C & C++ with ESBMC

EECS 219C: Formal Methods Binary Decision Diagrams (BDDs) Sanjit A. Seshia EECS, UC Berkeley

System Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Lecture Notes for Chapter 2: Getting Started

Leveraging Formal Verification Throughout the Entire Design Cycle

Addressing Verification Bottlenecks of Fully Synthesized Processor Cores using Equivalence Checkers

EE382V: System-on-a-Chip (SoC) Design

Applications of Program analysis in Model-Based Design

Reliable Verification Using Symbolic Simulation with Scalar Values

Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers

Custom Design Formal Equivalence Checking Based on Symbolic Simulation. Overview. Verification Scope. Create Verilog model. Behavioral Verilog

Debugging Inconclusive Assertions and a Case Study

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

WITH an almost unmanageable increase in the size

ICS 252 Introduction to Computer Design

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

The Application of Formal Technology on Fixed-Point Arithmetic SystemC Designs

Lecture 9. VHDL, part IV. Hierarchical and parameterized design. Section 1 HIERARCHICAL DESIGN

Bulletproofing FSM Verification Automated Approach to Detect Corner Case Issues in an FSM Design

4.1 Review - the DPLL procedure

Pooya Saadatpanah, Michalis Famelis, Jan Gorzny, Nathan Robinson, Marsha Chechik, Rick Salay. September 30th, University of Toronto.

VHDL. VHDL History. Why VHDL? Introduction to Structured VLSI Design. Very High Speed Integrated Circuit (VHSIC) Hardware Description Language

Is Power State Table Golden?

EE 4755 Digital Design Using Hardware Description Languages

Boolean Representations and Combinatorial Equivalence

[Draft. Please do not distribute] Online Proof-Producing Decision Procedure for Mixed-Integer Linear Arithmetic

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Verilog for High Performance

Decision Procedures. An Algorithmic Point of View. Bit-Vectors. D. Kroening O. Strichman. Version 1.0, ETH/Technion

Finite Model Generation for Isabelle/HOL Using a SAT Solver

HySAT. what you can use it for how it works example from application domain final remarks. Christian Herde /12

Hardware Design Environments. Dr. Mahdi Abbasi Computer Engineering Department Bu-Ali Sina University

Two HDLs used today VHDL. Why VHDL? Introduction to Structured VLSI Design

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Formal Verification throughout the Development of Robust Systems

NEW FPGA DESIGN AND VERIFICATION TECHNIQUES MICHAL HUSEJKO IT-PES-ES

Design Verification Lecture 01

Handling Loops in Bounded Model Checking of C Programs via k-induction

Recommended Design Techniques for ECE241 Project Franjo Plavec Department of Electrical and Computer Engineering University of Toronto

Reachability Analysis of RTL Circuits Using k-induction Bounded Model Checking and Test Vector Compaction

F-Soft: Software Verification Platform

Speed up Emulation Debugging using Whitebox Assertions

COMP 410 Lecture 1. Kyle Dewey

MODELING AND FORMAL VERIFICATION OF COUNTING HEADS FOR RAILWAYS 1

Coverage at the Formal Specification Level

9 Penn ESE 535 Spring DeHon. Arch. Select Schedule RTL FSM assign Two-level, Multilevel opt. Covering Retiming

MOJTABA MAHDAVI Mojtaba Mahdavi DSP Design Course, EIT Department, Lund University, Sweden

How Can You Trust Formally Verified Software?

1. Choose a module that you wish to implement. The modules are described in Section 2.4.

Integrating an AIG Package, Simulator, and SAT Solver

Seminar decision procedures: Certification of SAT and unsat proofs

Binary Decision Diagrams and Symbolic Model Checking

HW/SW Co-Verification of a RISC CPU using Bounded Model Checking

A New High Level Model Based on Integer Equations to Check CTL Properties in VHDL Environment

BITCOIN MINING IN A SAT FRAMEWORK

SAT, SMT and QBF Solving in a Multi-Core Environment

Unbounded Scalable Hardware Verification

Automated Requirements-Based Testing

OUTLINE RTL DESIGN WITH ARX

Overview. Design flow. Principles of logic synthesis. Logic Synthesis with the common tools. Conclusions

COE 561 Digital System Design & Synthesis Introduction

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

Non-cycle-accurate Sequential Equivalence Checking

Advanced Synthesis Techniques

EITF35: Introduction to Structured VLSI Design

Use of Non-linear Solver to Check Assertions of Behavioral Descriptions

Reading part: Design-Space Exploration with Alloy

Transcription:

ATG SoC HECTOR: Formal System-Level to RTL Equivalence Checking Alfred Koelbl, Sergey Berezin, Reily Jacoby, Jerry Burch, William Nicholls, Carl Pixley Advanced Technology Group Synopsys, Inc. June 2008

Outline Motivation Architecture of Hector Frontend Notions of equivalence and interface specification Proof procedure Solvers Debugging Customer results Additional applications Conclusion

MOTIVATION

System-level design Some reasons for system-level design: Faster verification at the system-level Easier architectural exploration No need to worry about implementation details Productivity gain by using High-Level- Synthesis RTL Verification problems: Verification of RTL doesn t get any easier Bugs due to faulty specification Bugs due to wrong implementation

Functional equivalence checking System Model Result Data? = RTL!" #!" $! #%&'( Result System-level model is a transaction/word level model for the hardware System and RTL compute same outputs given same inputs Equivalence checking proves functional equivalence Timing and internal structure can differ significantly, but the observable results must be the same

Manual (Ad hoc) Flow Architect creates C++ specification RTL designer creates RTL implementation RTL contains much more implementation details Problems: Designs often embedded in own simulation environment, need to specify input/output mapping, notion of equivalence Specification and implementation can be significantly different Constraints are often in designer s head, need to be formalized Input/output differences sometimes difficult to capture in a formal model

High-Level Synthesis Flow Equivalence checker proves correctness of produced RTL You cannot sell a high level synthesis tool without a verification tool!!! Advantages: All information about constraints & interface mappings / latency differences available from the synthesis tool Hints can significantly simplify proof Push-button solution possible Problems: Every assumption given as hint must be proven by equivalence checker High-level synthesis tool must be able to produce the information

HL-Synthesis integration Waveform High-Level Synthesis vcd.dump CEX Proof Timeout Equivalence Checker Core Database Design C/C++/RTL Proof strategy Constraints

ARCHITECTURE

Components C++ Frontend CFG Formal model Interface definition Constraints Mappings Testbench Wrapper Formal model Verilog VHDL Compiler Formal model Constrained Random Simulator Proof engine Counterexample Orchestration Mem-model SAT BDD Bit-level solver Word-level solver Waveform Viewer

Front-End C++ Frontend CFG Formal model Interface definition Constraints Mappings Testbench Wrapper Formal model Verilog VHDL Compiler Formal model Constrained Random Simulator Proof engine Counterexample Orchestration Mem-model SAT BDD Bit-level solver Word-level solver Waveform Viewer

INTERFACE SPECIFICATION

Interface specification C++ Frontend CFG Formal model Interface definition Constraints Mappings Testbench Wrapper Formal model Verilog VHDL Compiler Formal model Constrained Random Simulator Proof engine Counterexample Orchestration Mem-model SAT BDD Bit-level solver Word-level solver Waveform Viewer

Notions of equivalence What does equivalence mean for comparing system-level models against RTL? Depends on how abstract the system-level model is Different customers, different applications Different design styles No definite answer (yet) Identify commonly used notions: Combinational equivalence Cycle-accurate equivalence Pipelined equivalence Stream-based equivalence Transaction equivalence?

How to deal with different notions? Idea: Reduction to cycle-accurate equivalence check Rule of thumb: If you can build random pattern testbench, checking outputs on the fly, you re safe.

Verification wrapper generation User (or synthesis tool) provides the following information: Input/output mapping between C++ and RTL Input constraints Output don t cares Memories / memory mappings Register mappings Notion of equivalence (optional) Verification wrapper is automatically generated Reduces problem to cycle-accurate sequential equivalence check

PROOF PROCEDURE

Proof procedure C++ Frontend CFG Formal model Interface definition Constraints Mappings Testbench Wrapper Formal model Verilog VHDL Compiler Formal model Constrained Random Simulator Proof engine Counterexample Orchestration Mem-model SAT BDD Bit-level solver Word-level solver Waveform Viewer

Verification approach Constrained Random simulator checks for easily detectable discrepancies Bounded formal check for harder discrepancies Formal proof (complete): Problem reduced to sequential equivalence checking Reachability analysis would be an approach But: Most system-level designs are arithmetic heavy, reachability infeasible Induction proof Proof idea: Implementation and specification perform same computations Not necessarily in the same number of cycles Unroll for the duration of a transaction, prove that symbolic expressions are the same Proof engines: Bit-level equivalence checkers (SAT, BDDs) Word-level rewriting engine for arithmetic (COMBAT) Hybrid (word & bit) engine for orchestration PEP s

Induction proof Transaction equivalence Assume that designs start in valid state (superset of reachable state set) Execute single transaction by unrolling ESL and RTL models for one transaction Check outputs after transaction Check state after transaction Proof strategy: Induction Needs state invariants Register mappings Memory mappings & memory constraints Additional invariants Prove that resulting SAT formula is UNSAT

Transaction equivalence I A O A M A ESL S A M B S B RTL O B I B

Transaction equivalence I A0 I A1 O A M A S A ESL 0 ESL 1 M A S A Transaction T A M B S B Transaction T B RTL 0 RTL 1 RTL 2 M B S B O B I B0 I B1 I B2

Transaction equivalence I A0 I A1 O A M A S A ESL 0 ESL 1 M A S A Valid starting state (superset of reachable state set) Outputs equivalent? = M B S B RTL 0 RTL 1 RTL 2 M B S B O B I B0 I B1 I B2

Transaction equivalence I A0 I A1 O A M A S A ESL 0 ESL 1 Register mappings State invariants Memory mappings Constraints on memories Valid end state? M A S A M B S B RTL 0 RTL 1 RTL 2 M B S B O B I B0 I B1 I B2

Proof procedure Proof procedure Assumptions Proof obligations Check model assumptions, e.g., that no array accesses are out-of-bounds ) S, S M, (M, i a ) S, (S r ) S, (S r a M ) (M, c M ) (M, c a M ) MM (M, M ) MM (M, a B A B A 0 3 B A 1 B A 0 2 B A 1 B A 0 1 B A 1 B A 0 0 B A 3 2 1 0 B A B A 0 3 2 1 0 B A 0 3 2 1 0 B A 0 3 2 1 0 B A 0 3 2 1 0 O O a a a a ) S, S, M, (M i a a a a ) S, (S r a a a a ) M, (M c a a a a ) M, MM (M a a a a

SOLVERS

Solvers C++ Frontend CFG Formal model Interface definition Constraints Mappings Testbench Wrapper Formal model Verilog VHDL Compiler Formal model Constrained Random Simulator Proof engine Counterexample Orchestration Mem-model SAT BDD Bit-level solver Word-level solver Waveform Viewer

Decision Procedures Core technology for formal reasoning Formula Decision Procedure Satisfying solution (Counter-example) Unsatisfiable (Proof) Used for intermediate equivalences Used for output equivalences Word-level solvers Good for equivalent arithmetic Bad for producing counter-examples Bit-level solvers Good for falsification Bad for arithmetic

Equivalence check of two DFGs 1. Find potentially equivalent points (PEPs) (e.g. by simulation) 2. Prove them equivalent using bit- and word-level engines 3. Merge equivalent points thereby increasing sharing 4. Prove outputs equivalent C++ =? RTL O a O b

Equivalence check of two DFGs 1. Find potentially equivalent points (PEPs) (e.g. by simulation) 2. Prove them equivalent using bit- and word-level engines 3. Merge equivalent points thereby increasing sharing 4. Prove outputs equivalent C++ =? RTL

Word-level solvers SMT solvers (SAT module theories) Reason about arithmetic Theories for linear arithmetic, bit-vectors, uninterpreted functions, arrays, real arithmetic Need to be able to deal with finite word-sizes Re-writing engines Re-write formulas into normal-form Convergence can be an issue CVCLite from Stanford Lessons learned: Only Bit-Vector theory (and maybe theory of arrays if powerful enough) useful Many abstraction techniques are only useful for property checking Few solver techniques specifically target equivalence checking problem

Bit-level solvers Construct Boolean circuit based on bit-level representation of operations BDDs Canonical representation, very easy to check if formula is unsatisfiable Tendency to memory blowup Good for local intermediate equivalences Good for XOR trees SAT Convert circuit to Conjunctive Normal Form (CNF) Branch-and-bound search Efficient optimizations (conflict analysis, nonchronological backtracking) ATPG / Circuit-based SAT Branch-and-bound search directly on Boolean circuit

Solver technology Compare word-level graphs modulo zeroextension / sign-extension and merge intermediate equivalent points? = 32 32 cast + + 4 32 cast 32 cast in_a 3 3 in_b

Solver technology Compare word-level graphs modulo zeroextension / sign-extension and merge intermediate equivalent points 32 cast + 4 in_a 3 3 in_b

Solver technology Compare word-level graphs modulo observability o c1 1 0 c2 1 0 Observable(a) -> (a = b) (c1 & c2) -> (a = b) a + + b

Solver technology Compare word-level graphs modulo observability o c1 1 0 c2 1 0 Replace a by b + b

Effectiveness comes from many techniques 68 word (as opposed to bit) outputs SL RTL : different data path architectures Different multiplier implementations Different adder tree structure DFG nodes: 1400 5 unsolved 0 unsolved Graph Re-writes 18 unsolved SAT-equiv optimizations SAT-equiv optimizations 52 unsolved SMT SMT SMT RR BDD SAT orchestration RR BDD SAT orchestration RR BDD SAT orchestration RR BDD SAT orchestration

The Algebraic Solver Strategy Normal form Split cases Algebraic Rewrites Proof Search Consider cases Abstractions, Approximations SAT solver When all else fails... Smart simplifications { (x * [32] y)[31:16], x * [16] y } = { (x * [32] y)[31:16], (x * [32] y)[15:0] } = x * [32] y

CUSTOMER EXPERIENCES

COMPANY B

Experience w. Company B Ad Hoc (manual) design flow All modules are parts of a router design Customer wanted free consulting. Problems Customer did not do block-level verification Constraint/counterexample loop Manager did not understand the idea of equivalence checking he thought Hector was a bug finder We did the work but eventually the customer could run Hector by herself C++ model not entirely complete: one case of two modules in RTL and one in the C++ Abstracted away the simulation environment manually

Experience w. Company B Core algorithms improved greatly during evaluation Developed different memory models, e.g., TCAM. Successes Were able to conclusively compare all outputs The D5 was not completed by customer

Hector experimental results Design # lines of code C RTL # arrays # rams #disc repan cies #bugs found time final result D1 50 6200 1 / 1 0 0 4min proven D2 70 580 1 / 1 0 0 2min proven D3 570 1720 1 / 3 9 1 RTL 1 C++ 4min proven D4 1700 7500 4 / 4 8 1 RTL 1 C++ <1h proven D5 4300 6700 31 / 33 >40 4 RTL 43min 62 proven, 15 cex

COMPANY N

Experience w. Company N Ad Hoc (manual) design flow All modules were from an arithmetic unit: both integer and floating point GPU design C++ models act as reference models to provide expected/correct output values Coverage metrics help but not always reliable bugs missed Customer was very experienced with formal methods.

Experience w. Company N Many mismatches are found Real design bugs were caught mostly corner cases C++ model bugs were found Raised questions on the definition of correct behavior Specification documents clarified/modified Some instructions are proven automatically by the tool without any human assistance Some instructions are too complex or too large for the tool to handle Several techniques for the user to try to assist the tool The main theme is divide-and-conquer

Experience w. Company N Due to the initial success in finding bugs and proving correctness, the use of high level equivalence checking expands to several designs of company s active GPU development project 10 design blocks, 119 sessions set up and run, 107 proven (some after fixes to bugs found by FV) Includes multiplication logic Focused on designs with a high probability of success data transform with simple temporal behavior and input constraints A bug was found in a previous project that would have been caught by running this a special case only affects a single input value

Experience w. Company N High-level equivalence checking will become part of company s verification plan Demonstrated its value for suitable designs Increase confidence and find difficult bugs more quickly Will not replace other forms of verification, complementary to existing methodology

COMPANY T

Experience w. Company T Designs generated automatically from C++ by Synfora synthesis tool Four designs from four different encryption algorithms + fir filter All four had streams Designs were run entirely automatically! Put in scripting capability to tool Synfora gave Hector hints all were checked independently Had to support many Synfora features such as streams, bit width pragmas, loop unroll pragmas, memories Hector can now handle loops without unrolling.

Behavioral synthesis result Synfora Pico-Extreme synthesized designs Encryption designs for GSM/GPRS/UMTS protocols Design # lines of code C RTL # arrays # rams #disc repan cies #bugs found time final result DS1 293 5663 0 / 0 0 0 5min proven DS2 579 14015 0 / 0 1 0 17min proven DS3 717 11563 2 / 2 2 0 21min proven DS4 931 45274 4 / 4 2 0 19min proven

ADDITIONAL APPLICATIONS

Word/Transaction Level Tools Datapath verification in Synopsys s Formality equivalence checker The core solver is the Hector core engine Formal front end for SynplicityDSP Equivalence checking of Simulation vs. Synthesis models of Synopsys IP Model checking at the word level: Bjesse CAV 08, FMCAD 08

Conclusions System-level to RTL equivalence checking is a very hard problem But We do it on live commercial designs NOW Synthesis is MUCH easier to verify than manual (ad hoc) design flow HECTOR is not a product yet.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback