Property-based design with HORUS / SYNTHORUS

Similar documents
Fast Prototyping from Assertions: a Pragmatic Approach

MYGEN : Automata-Based On-line Test Generator for Assertion-Based Verification

Specifying circuit properties in PSL. (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

ON THE EFFECTIVENESS OF ASSERTION-BASED VERIFICATION

Hardware Design Verification: Simulation and Formal Method-Based Approaches William K Lam Prentice Hall Modern Semiconductor Design Series

Specifying circuit properties in PSL

High-Level Information Interface

SVA Advanced Topics: SVAUnit and Assertions for Formal

IP Core Design. Lecture 11 Introduction to PSL

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Part 6: VHDL simulation. Introduction to Modeling and Verification of Digital Systems. Elaboration and simulation. Elaboration and simulation

High Level Synthesis Using Operation Properties

Efficient Automata-Based Assertion-Checker Synthesis of PSL Properties

Formal Verification of Synchronizers in Multi-Clock Domain SoCs. Tsachy Kapschitz and Ran Ginosar Technion, Israel

ECE 587 Hardware/Software Co-Design Lecture 11 Verification I

TIMA Lab. Research Reports

Mathematica for the symbolic. Combining ACL2 and. ACL2 Workshop 2003 Boulder,CO. TIMA Laboratory -VDS Group, Grenoble, France

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Distributed Systems Programming (F21DS1) Formal Verification

Assertion Checker Synthesis for FPGA Emulation

THE USE of assertions in hardware [1] has increased

Sugar 2.0 An Introduction

Leveraging Formal Verification Throughout the Entire Design Cycle

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

EE382V: System-on-a-Chip (SoC) Design

The SPIN Model Checker

Practical Approaches to Formal Verification. Mike Bartley, TVS

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Formal Methods in Software Engineering. Lecture 07

On the Design and Verification Methodology of the Look-Aside Interface

7.3.3 Same Inputs in Antecedent and Consequent

Formal Verification of Business Continuity Solutions

Cyber Physical System Verification with SAL

Qualification of Verification Environments Using Formal Techniques

Contents 1 Introduction 2 Functional Verification: Challenges and Solutions 3 SystemVerilog Paradigm 4 UVM (Universal Verification Methodology)

VHDL for Synthesis. Course Description. Course Duration. Goals

Overview. Ram vs Register. Register File. Introduction to Structured VLSI Design. Recap Operator Sharing FSMD Counters.

Assertions: Too good to be reserved for verification only.

Introduction to Electronic Design Automation. Model of Computation. Model of Computation. Model of Computation

Efficient Automata-Based Assertion-Checker Synthesis of SEREs for Hardware Emulation

Synthesizable Verilog

HECTOR: Formal System-Level to RTL Equivalence Checking

MetaRTL: Raising the Abstraction Level of RTL Design

Verilog. What is Verilog? VHDL vs. Verilog. Hardware description language: Two major languages. Many EDA tools support HDL-based design

ECE 545 Lecture 12. Datapath vs. Controller. Structure of a Typical Digital System Data Inputs. Required reading. Design of Controllers

FORMAL SPECIFICATION, SYSTEM VERILOG ASSERTIONS & COVERAGE. By Calderón-Rico, Rodrigo & Tapia Sanchez, Israel G.

IP Core Design. Lecture 10 Property/Assertion-Based Verification

Assertion and Model Checking of SystemC

PSL Assertion Checking with Temporally Extended High-Level Decision Diagrams

Model checking Timber program. Paweł Pietrzak

P2VSIM: A SIMULATION AND VISUALIZATION TOOL FOR THE P2V COMPILER. A Thesis OSCAR MICHAEL ALMEIDA

FPGA Design Challenge :Techkriti 14 Digital Design using Verilog Part 1

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

PROGRAM ANALYSIS & SYNTHESIS

Formal Verification Adoption. Mike Bartley TVS, Founder and CEO

Real life experiences of PSL. Magnus Björk Hardware Description and Verificatoin

PARTY Parameterized Synthesis of Token Rings

Functional Programming in Hardware Design

PARTY Parameterized Synthesis of Token Rings

By: Chaitanya Settaluri Devendra Kalia

Bulletproofing FSM Verification Automated Approach to Detect Corner Case Issues in an FSM Design

Using macros to mimic VHDL in ACL2

Post processing techniques to accelerate assertion development Ajay Sharma

SystemVerilog 3.1: It s What The DAVEs In Your Company Asked For

Design and Implementation of an Abstract Interpreter for VHDL

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Cover Page. The handle holds various files of this Leiden University dissertation

Applications of Program analysis in Model-Based Design

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

The design of a programming language for provably correct programs: success and failure

Debug enhancements in assertion-checker generation

CS232 VHDL Lecture. Types

VHDL Essentials Simulation & Synthesis

Formal Verification. Lecture 10

System Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine

MLR Institute of Technology

ECE 587 Hardware/Software Co-Design Lecture 12 Verification II, System Modeling

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Property Specification Language. Reference Manual. Version 1.01

Sunburst Design - Verilog-2001 Design & Best Coding Practices by Recognized Verilog & SystemVerilog Guru, Cliff Cummings of Sunburst Design, Inc.

Assertion-Based Verification

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

EE 4755 Digital Design Using Hardware Description Languages

SystemC-based ESL Verification Flow Integrating Property Checking and Automatic Debugging

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Hardware Verification 2IMF20

Static Analysis by A. I. of Embedded Critical Software

Cadence SystemC Design and Verification. NMI FPGA Network Meeting Jan 21, 2015

VHDL simulation and synthesis

SystemC AssertionLibrary

Formal modelling and verification in UPPAAL

INSTITUTE OF AERONAUTICAL ENGINEERING Dundigal, Hyderabad ELECTRONICS AND COMMUNICATIONS ENGINEERING

1 Design Process HOME CONTENTS INDEX. For further assistance, or call your local support center

System On Chip: Design & Modelling (SOC/DAM)

Automatic Hardware Synthesis from Specifications: A Case Study

Symbolic Trajectory Evaluation - A Survey

Design and Analysis of Distributed Interacting Systems

The University of Alabama in Huntsville ECE Department CPE Midterm Exam February 26, 2003

Overview of Timed Automata and UPPAAL

CprE 583 Reconfigurable Computing

Transcription:

Property-based design with HORUS / SYNTHORUS Dominique Borrione, Negin Javaheri, Katell Morin-Allory, Yann Oddos, Alexandre Porcher Radboud University, Nijmegen 1 March 27, 2013

Functional specifications with assertions Assertion: A design property that is declared to be true Declarative style An assertion states expected facts about the design or its environment Assert A implies next[2] (B = C) Assertions are used to express functional design intent Expected input-output behavior Constraints on inputs Forbidden behavior Architectural properties ( fairness, deadlock) 2

Use of Assertions Where should you place assertions? White-box: in the design itself (simulation, formal verification) Black-box: observe interface constraints and protocols from the outside Test-bench support: verification during simulation/emulation or offline 3

Processing Assertions Assertion evaluation techniques Simulation Emulation Formal Verification Test patterns Generation On-line monitoring 4

Some implementations 5 Simulation: all modern simulators implement PSL/SVA monitors Check properties during simulation Much easier for debugging than formal tools Automatic Property Checking Industrial Model Checkers: Magellan, Incisive, 0-in, Jasper Gold, etc... University tools: RAT, Cando Emulation, on-line test FoCs: first industrial tool Many industrial tools restricted to OVL Academic tools: MBAC (McGill), Horus (TIMA),

Assume-Guarantee Paradigm C1 C2 C3 Properties used to describe: environment behavior assumptions C4 Example M1 M2 M3 Assume Always A -> { B ; C } 6

Assume-Guarantee Paradigm C1 C2 C3 Properties used to describe: C4 design behavior assertions Example M1 M2 M3 Assert Always A -> { B ; C } 7

Assume-Guarantee Paradigm C1 C2 C4 C3 Same property used to describe: environment behavior assumption for C3 design behavior assertion for C4 For online verification, synthesize assumptions and assertions in hardware M1 M2 M3 Example Always A -> { B ; C } 8

Assume-Guarantee Paradigm C1 C2 C3 For online verification synthesize assertions as monitors C4 Monitor Valid Pending M1 M2 M3 Example Assert Always A -> { B ; C } 9

Assume-Guarantee Paradigm C1 C2 C3 For online verification synthesize assumptions as generators C4 Generator Example M1 M2 M3 Assume Always A -> { B ; C } 10

Automatic module design from assertions C1 C2 C3 Properties completely specify the design behavior: C4 Input-output relations Over time For all interface signals M1 M2 M3 11

Outline A simple running example Brief introduction to Property Specification Languages Proven correct hardware verification IP s from PSL Automatic Hardware Generation from PSL: problems and partial solutions Conclusion 12

Sources Generalized Buffer https://www.research.ibm.com/haifa/projects/verification/ RB_Homepage/tutorial3/GenBuf_english_spec.htm R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, M. Weiglhofer: «Specify, Compile, Run: Hardware from PSL», Electronic Notes in Theoretical Computer Science, vol190, N 4, 2007 GenBuf Queues words of (32 bit) data sent by 4 senders to 2 receivers Depth 4 FIFO Interface GenBuf <-> senders: 4-phase handshaking protocol 13

Generalized Buffer 14

Outline A simple running example Brief introduction to Property Specification Languages Proven correct hardware verification IP s from PSL Automatic Hardware Generation from PSL: problems and partial solutions Conclusion 15

Temporal properties Used to assert desirable features (safety, liveness, absence of deadlock, absence of starvation ) of a circuit description. Partial specifications, expressed in some temporal logic (LTL, CTL, PSL, SystemVerilog, etc.). Verified over all the states of one FSM, reachable from the initial state. 16

Looking at TIME Linear vs. branching time Discrete vs. continuous time Time points vs. time intervals Past time vs. future time reasoning 17

Computation Tree Obtained by unrolling the FSM Used to define the CTL Semantics Path view to the structure s 0 s 1 a a b a b c s 2 a b b,c b c a b b b,c c b c a 18

The limits of readability Each time a request is raised and the acknowledge is low, the acknowledge is raised within 3 to 5 cyles G ( REQ ACK X(REQ ACK) -> X (X ( ACK) XX ( ACK) ( XXX ACK XXXX ACK XXXXX ACK) )) 19

A more user friendly expression Each time a request is raised and the acknowledge is low, the acknowledge is raised within 3 to 5 cyles With sequential regular expressions always {not REQ and not ACK; REQ and not ACK} => {not ACK[*2 to 4]; ACK} With temporal operators always rose (REQ) and not fell(ack) and not ACK -> (next_a[1 to 2] (not ACK) and (next_e [3 to 5] ACK ) 20

Brief History of PSL Sugar 1.0 94: syntactic sugar for CTL for formal verification with RuleBase (IBM) 95: addition of regular expressions 97: automatic generation of simulation checkers Sugar 2.0 01: from CTL, moved to linear-time LTL semantics 02: selected by Accelera for IEEE standardisation 03: Reference Manual: PSL 1.0 05: IEEE standard 08: Included in VHDL standard 21

4 layers of language in PSL Boolean layer rose (REQ) and not fell(ack) and not ACK Temporal layer Sequences of values over time {not ACK[*2 to 4]; ACK} Temporal relations between signals next_a[1 to 2] (not ACK) Verification layer Directives to the software: assert, assume, fairness, cover Modeling layer REQ <= REQ1 or REQ2 assert always rose (REQ) and not fell(ack) and not ACK -> (next_a[1 to 2] (not ACK) and (next_e [3 to 5] ACK ) 22

SERE Construction A SERE is a sequence of Boolean expressions over one or more signals If only a signal name appears, it means the value of the signal is TRUE In the following slides, we assume a default rising clock edge 23

SEREs Example1 A SERE describes a set of sequences of states (which are represented using timing diagrams) {req; busy; gnt} clk req busy 24 gnt

{req; busy; gnt} clk req SEREs Example1 This diagram is also described by the same SERE busy 25 gnt

SEREs Example 2 {req; busy [*4]; gnt} signal busy holds 4 times clk req busy gnt 26

Temporal operators: GenBuf Example StoB_REQ GenBuf Sender_i BtoS_ACK DI(0..31) 27

Genbuf specification: the 4-phase handshake protocol with the senders Sender i initiates a transfer by raising StoB_REQ(i) One cycle later, the sender puts the data on its data bus DI To service the sender, GenBuf reads the data from the data bus and raises BtoS_ACK(i). One cycle after, the sender should lower StoB_REQ(i). From this point onwards, the data on the data bus is considered invalid. The end of the transaction is marked by GenBuf lowering BtoS_ACK(i). Note: GenBuf may hold BtoS_ACK(i) high for several cycles before lowering it. A new transaction may begin one cycle after BtoS_ACK(i) has become low. StoB_REQ GenBuf Sender_i BtoS_ACK 28 DI(0..31)

A request from a sender is always acknowledged default clock is rising_edge (Clk); forall i in {0:3} : always (StoB_REQ(i) -> eventually! BtoS_ACK(i)) Clk StoB_Req BtoS_Ack StoB_REQ GenBuf pass pass Sender_i BtoS_ACK 29 DI(0..31)

A request may only be raised when acknowledge is down default clock is rising_edge (Clk); forall i in {0:3} : always (rose(stob_req(i) -> not BtoS_ACK(i); Clk StoB_Req BtoS_Ack StoB_REQ pass GenBuf pass Sender_i BtoS_ACK 30 DI(0..31)

An acknowledge is not deasserted unless the sender deasserts its request first forall i in {0:3} : always ((BtoS_ACK(i) and StoB_REQ(i)) next! BtoS_ACK(i)) Clk StoB_Req BtoS_Ack Sender_i StoB_REQ BtoS_ACK GenBuf pass 31 DI(0..31)

There is no acknowledge if there is not a request forall i in {0:3} : always ((not BtoS_ACK(i) and (not StoB_REQ(i) -> next! (not BtoS_ACK(i)) Clk StoB_Req BtoS_Ack Sender_i StoB_REQ BtoS_ACK GenBuf fail 32 DI(0..31)

Complete specification of the 4-phase protocol forall i in {0:3} : always ((BtoS_ACK(i) and StoB_REQ(i)) -> next! BtoS_ACK(i)) always ((not BtoS_ACK(i) and StoB_REQ(i)) -> next! StoB_REQ(i)) always (StoB_REQ(i) -> eventually! BtoS_ACK(i)) always (not StoB_REQ(i) -> eventually! not BtoS_ACK(i)) always (rose(stob_req(i) -> not BtoS_ACK(i)) always (BtoS_ACK(i) -> next! not StoB_REQ(i) ) always ((not BtoS_ACK(i) and (not StoB_REQ(i) -> next! (not BtoS_ACK(i)) Clk StoB_Req BtoS_Ack 33

Outline A simple running example Brief introduction to Property Specification Languages Proven correct hardware verification IP s from PSL Automatic Hardware Generation from PSL: problems and partial solutions Conclusion 34

Automata-theoretic Approach The set of traces that satisfy a property P is interpreted as the words of an infinite language Build a non-deterministic automaton that recognizes all the traces that satisfy the property Property P2 : always (sig1 -> next sig2) 35

Automata-based method in MBAC (Boulé 08) Transform recognizing automaton into failure automaton (may modify the automaton structure) Efficiently produce synthesizable RTL checker. Most efficient technique for SERE s Property P2 : always (sig1 -> next sig2) First_Fail 36

Principles of the construction in HORUS A monitor for Property P is a synchronous design detecting dynamically all the violations of P A generator for Property P is a synchronous design producing sequences of signals complying with P Both types of IP s based on A library of primitive modules An interconnection scheme directed by the syntax tree of P Most efficient technique for temporal operators 37

Primitive Modules Clk Reset_n CTRL Start Cond SEM Valid Pending 38

Verification IP Synthesis P1 : always (Req -> (Busy until Ack)) Monitor for F1 Valid Primitive monitors Start always always and -> or eventually! until before next_event Primitive generators always and -> always -> until Start -> until Req Busy Ack Generator for F1 always or eventually! until before next_event Interconnection of primitive modules -> until 39 Req Busy Ack

Interconnect of Primitive Modules assert always (Req -> (Busy until! Ack)) 40

Proof of correctness of the library modules 41

PSL semantics modeled in PVS: signal PSL semantics are defined on traces. Signals are seen as functions over discrete time Semantic definition of a signal monitoring Valid_Signal (t:nat): Boolean = ( if t=0 then True elsif Reset_N = False then True elsif Start (t-1) = True then Expr (t-1) else True end if ) 42

PSL semantics modeled in PVS: operator 43

Theorem to be proved Pending(t) 44

Semantics of a property: induction over the structure assert always (Req -> next! (Busy before! Ack)) always -> Req Busy next! before! Ack 45

Proof of the interconnection 46

Proof figures 47

Outline A simple running example Brief introduction to Property Specification Languages Proven correct hardware verification IP s from PSL Automatic Hardware Generation from PSL: problems and partial solutions Conclusion 48

Considerations Goal: Automatic production of a circuit prototype from PSL specifications assert always assert always 49 Two hypotheses Ensuring that the specification is complete (on-going work at Chalmers Univ. and TIMA) Ensuring that the specification has no contradiction (RAT, on going work at TIMA) New look at verification IP s: reactants

Back to Genbuf: generation of Controller StoB_REQ GenBuf Sender_i BtoS_ACK DI(0..31) 50

forall i in {0:3} : Back to the 4-phase protocol: Phase 1: suppress assume assert always ((BtoS_ACK(i) and StoB_REQ(i)) -> next! BtoS_ACK(i)) assume always ((not BtoS_ACK(i) and StoB_REQ(i)) -> next! StoB_REQ(i)) assert always (StoB_REQ(i) -> eventually! BtoS_ACK(i)) assert always (not StoB_REQ(i) -> eventually! not BtoS_ACK(i)) assert always (rose(stob_req(i) -> not BtoS_ACK(i)) assume always (BtoS_ACK(i) -> next! not StoB_REQ(i) ) assert always ((not BtoS_ACK(i) and (not StoB_REQ(i) -> next! (not BtoS_ACK(i)) Clk StoB_Req BtoS_Ack 51

Phase 2: top level annotation using port direction forall i in {0:3} : assert always ((BtoS_ACK(i) and StoB_REQ(i)) -> next! BtoS_ACK(i)) assert always (StoB_REQ(i) -> eventually! BtoS_ACK(i)) assert always (not StoB_REQ(i) -> eventually! not BtoS_ACK(i)) assert always (rose(stob_req(i) -> not BtoS_ACK(i)) assert always ((not BtoS_ACK(i) and (not StoB_REQ(i) -> next! (not BtoS_ACK(i)) Clk StoB_Req BtoS_Ack 52

Phase 3: annotation at property level forall i in {0:3} : P1: assert always ((BtoS_ACK(i) and StoB_REQ(i)) -> next! BtoS_ACK(i)) P2: assert always (StoB_REQ(i) -> eventually! BtoS_ACK(i)) P3: assert always (not StoB_REQ(i) -> eventually! not BtoS_ACK(i)) P4: assert always (rose(stob_req(i) -> not BtoS_ACK(i)) P5: assert always ((not BtoS_ACK(i) and (not StoB_REQ(i) -> next! (not BtoS_ACK(i)) Clk StoB_Req BtoS_Ack 53

Considerations P1: assert always ((BtoS_ACK(i) and StoB_REQ(i)) -> next! BtoS_ACK(i)) P2: assert always (StoB_REQ(i) -> eventually! BtoS_ACK(i)) Each asserted property constrains at least one signal In a property, some signals are read, others are generated. Several properties may name the same signal Some properties observe the signal, other properties generate the signal An algorithm has been defined to annotate the signals as IN or OUT for each property, based on a dependency graph When a signal is generated by 2 or more properties, there is a solver 54

Compiled 4-phase controller StoB_REQ P1 P2 P3 P4 P5 Solver BtoS_Ack 55

Conclusions HORUS = Verification IP s for Monitoring: done SYNTHORUS = Prototyping from PSL Compilation status FL operators only Generated: Logical signals only On going Checking specification completeness and coherence Optimization of compiled code Definition of a synthesizable PSL subset Future works SERE s Arithmetic signals 56

The full story SyntHorus Isis Màat Property refinement 57 Synchronous Monitors D. Borrione, Miao Liu, Katell Morin-Allory Aton Synchronous Generators Yann Oddos Property based design RTL D. Borrione, Negin Javaheri, Katell Morin-Allory, Axandre Porcher TLM Monitors L. Pierre, L. Ferro, Z. Bel Hadj Amor

58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback