Slide 1
Practical Formal – Mainstream Formal for the Rest of Us
Jacob A. Abraham
DVClub Meeting, Austin, Texas, March 21, 2007
JAA, 3/21/2007
• Deal with design descriptions at higher levels
• Reduce the complexity of analysis
• Static analysis of the design description will scale (unlike a functional analysis)
• Automated techniques which fit into the design flow
• No distractions when concentrating on design
Slide 4
ATPG Engines to Check Properties
• Some work in checking safety properties
• Detecting a "stuck-at-0" fault on signal p is equivalent to establishing EF p (CTL: some state in which p = 1 is reachable)
[Figure: circuit with the observed signal p]
• Verify the design at the lowest level possible: for example, the ATPG level
• Deal with tri-states, multiple clocks, etc.
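The stuck-at-0 / EF p correspondence, as an added example that is not code from the talk. The circuit (a mod-6 counter with an enable input), the signal names p and q, and the reset state are constructed for illustration. A breadth-first search over the reachable states returns the shortest input sequence that drives the signal to 1, which is both a witness for EF p and the excitation part of a sequential ATPG test; "no path" means the fault is redundant and the property is false. Propagating the faulty value to a primary output is the other half of what an ATPG engine does and is not modelled here.

```python
"""EF p as reachability on a small sequential circuit (added example)."""
from collections import deque

# --- Constructed circuit: 3-bit state register `cnt`, one input `en`. ---
# The counter advances 0,1,2,3,4,5,0,... while `en` is high.  States 6 and 7
# exist in the register encoding but are never reached from reset.
INIT_STATE = 0

def step(cnt, en):
    """Next-state function of the constructed counter."""
    if not en:
        return cnt
    return 0 if cnt == 5 else cnt + 1

# Observed signals, each a combinational function of the state.
def p(cnt):
    """p = (cnt == 7): unreachable, so stuck-at-0 on p is a redundant fault."""
    return int(cnt == 7)

def q(cnt):
    """q = (cnt == 5): reachable after five enable pulses."""
    return int(cnt == 5)

def find_ef_witness(init, step_fn, prop, inputs=(0, 1)):
    """Return the shortest input sequence after which `prop(state)` holds
    (a witness for EF prop), or None if no reachable state satisfies it.
    Explicit-state BFS; symbolic or SAT-based engines do the same job on
    designs too large to enumerate."""
    parent = {init: None}            # state -> (previous state, input applied)
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if prop(s):
            seq = []
            while parent[s] is not None:
                prev, inp = parent[s]
                seq.append(inp)
                s = prev
            return list(reversed(seq))
        for inp in inputs:
            t = step_fn(s, inp)
            if t not in parent:
                parent[t] = (s, inp)
                queue.append(t)
    return None

def stuck_at_0_excitation(init, step_fn, signal):
    """A stuck-at-0 fault on `signal` can be excited iff EF signal holds:
    returns the excitation sequence (test vector) or None if redundant."""
    return find_ef_witness(init, step_fn, signal)

if __name__ == '__main__':
    print('EF q witness (test for q stuck-at-0):', stuck_at_0_excitation(INIT_STATE, step, q))
    print('EF p witness (test for p stuck-at-0):', stuck_at_0_excitation(INIT_STATE, step, p))
```

The same `find_ef_witness` works for any finite-state design given as a next-state function, which is why the slide's point carries over: a property checker and a sequential test generator are searching the same graph.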
Slide 5
RTL to RTL Equivalence Checking
• Use Term Rewriting Systems (TRS)
• Significant success with RTL "term"-level reductions
• Verification of arithmetic circuits at the RTL level using term rewriting
• RTL to RTL equivalence checking
• Verified large multiplier designs (Booth, Wallace tree and many optimized multipliers) using this rewriting technique
Slide 6
RTL Equivalence Using TRSs
[Figure: flow diagram. The Golden RTL and the Revised RTL are each translated (VTrans) into a term rewriting system, the Golden TRS and the Revised TRS; Vprover then produces the equivalence proof.]
Slide 7
Why it Works
• Congruence between RTL states (terms) of the two designs, given the RTL state-transition graph (TRS)
• Equivalence is proved by showing that one term can be rewritten to the other
• SAT solvers, STE engines, gate-level equivalence checkers, etc., serve as proof engines
• Comparison points in the RTL state space
• Congruence at every comparison point
• Cover the entire data space of the designs
• Introduce the notion of sequential compare points
• Sequential compare points are two-tuple entities: identified with respect to relative position in time, and with respect to space (data or variables)
• Co-ordinates on the space-time axis of both designs being compared
• Exactly model the sequential behavior of the designs
Slide 10
Equivalence Checking Using Sequential Compare Points
• Variables of interest (observables) obtained from the user or the block diagram
• Typically include the primary outputs; can also include relevant intermediate variables
• Symbolic expressions obtained for the observables assigned in a given cycle
• Symbolic expressions compared at sequential compare points
• Comparison using a SAT solver in this work; other Boolean-level engines can also be used
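Sequential compare points (slides 7 to 10) as an added example, not code from the talk or from the tool it describes. The two designs, their register and input names, and the 4-bit width are constructed for illustration: a golden one-cycle multiply-accumulate, a two-stage pipelined revision, and a buggy revision that forgets to delay one operand. Each design is symbolically simulated, and the expression an observable holds at one cycle in the golden design is compared with the expression it holds at a different cycle in the revision, i.e. at a (variable, time) compare point. Exhaustive evaluation of the bit-blasted expressions stands in for the SAT solver used in the work.

```python
"""Symbolic equivalence at sequential compare points (added example)."""
import itertools

WIDTH = 4
MASK = (1 << WIDTH) - 1

# Symbolic expressions are nested tuples; the leaves are primary inputs
# sampled at a given cycle, ('in', name, cycle), or constants.
def var(name, cycle):
    return ('in', name, cycle)

def const(value):
    return ('const', value & MASK)

def add(a, b):
    return ('add', a, b)

def mul(a, b):
    return ('mul', a, b)

def evaluate(expr, env):
    """Evaluate an expression under an assignment env[(name, cycle)] -> int."""
    op = expr[0]
    if op == 'in':
        return env[(expr[1], expr[2])]
    if op == 'const':
        return expr[1]
    x, y = evaluate(expr[1], env), evaluate(expr[2], env)
    if op == 'add':
        return (x + y) & MASK
    if op == 'mul':
        return (x * y) & MASK
    raise ValueError('unknown operator %r' % op)

def free_inputs(expr):
    """The (name, cycle) input samples an expression depends on."""
    if expr[0] == 'in':
        return {(expr[1], expr[2])}
    if expr[0] == 'const':
        return set()
    return free_inputs(expr[1]) | free_inputs(expr[2])

def symbolic_simulate(step, init, cycles):
    """Run `step(regs, t)` for `cycles` clock edges.  trace[t] maps every
    register to the symbolic expression it holds after t edges."""
    trace = [dict(init)]
    for t in range(cycles):
        trace.append(step(trace[-1], t))
    return trace

# Golden RTL (constructed): y <= a*b + c in a single cycle.
def golden_step(regs, t):
    return {'y': add(mul(var('a', t), var('b', t)), var('c', t))}

# Revised RTL (constructed): two-stage pipeline; c is registered once (c_d)
# so that it lines up with the product m.
def revised_step(regs, t):
    return {'m': mul(var('a', t), var('b', t)),
            'c_d': var('c', t),
            'y': add(regs['m'], regs['c_d'])}

# Buggy revision: c is not delayed, so y adds a*b to the *next* cycle's c.
def revised_bug_step(regs, t):
    return {'m': mul(var('a', t), var('b', t)),
            'y': add(regs['m'], var('c', t))}

GOLDEN_INIT = {'y': const(0)}
REVISED_INIT = {'m': const(0), 'c_d': const(0), 'y': const(0)}
REVISED_BUG_INIT = {'m': const(0), 'y': const(0)}

def check_compare_point(trace_a, point_a, trace_b, point_b):
    """Compare the symbolic values at two sequential compare points, each a
    (variable, cycle) pair.  Returns (equivalent, counterexample); the
    counterexample assigns every free input sample that distinguishes them.
    Exhaustive enumeration here; a SAT solver does this on real designs."""
    ea = trace_a[point_a[1]][point_a[0]]
    eb = trace_b[point_b[1]][point_b[0]]
    inputs = sorted(free_inputs(ea) | free_inputs(eb))
    for values in itertools.product(range(1 << WIDTH), repeat=len(inputs)):
        env = dict(zip(inputs, values))
        if evaluate(ea, env) != evaluate(eb, env):
            return False, env
    return True, None

def run_checks():
    """Golden y after cycle 1 against each revision's y after cycle 2."""
    golden = symbolic_simulate(golden_step, GOLDEN_INIT, 2)
    revised = symbolic_simulate(revised_step, REVISED_INIT, 2)
    buggy = symbolic_simulate(revised_bug_step, REVISED_BUG_INIT, 2)
    return {
        'revised': check_compare_point(golden, ('y', 1), revised, ('y', 2)),
        'buggy': check_compare_point(golden, ('y', 1), buggy, ('y', 2)),
        # Wrong time coordinate: the revised y still holds its reset value at cycle 1.
        'wrong_cycle': check_compare_point(golden, ('y', 1), revised, ('y', 1)),
    }

if __name__ == '__main__':
    for name, (ok, cex) in run_checks().items():
        print(name, 'equivalent' if ok else 'MISMATCH at %s' % cex)
```

The 'wrong_cycle' case is why the compare point carries a time coordinate as well as a variable: the same register compared at the same cycle in both designs is simply not the same signal once one of them is pipelined. The counterexample for the buggy revision assigns different values to c at cycles 0 and 1, which is exactly the missing register.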
Slide 11
Example: Viterbi Decoder
• Part of a digital radio (DRM) in SystemC
• DRM SoC partitioned to implement the Viterbi decoder as a hardware accelerator
• SystemC specification: basic model implementing the Viterbi algorithm, no optimizations
• Viterbi Verilog RTL implementations: first implementation optimized for speed; second implementation optimized for area
Slide 12
Results
Slide 13
Antecedent Conditioned Slicing for Verification
• Slice away the part of the design irrelevant to the property being verified
• Safety properties of the form G (antecedent => consequent)
• Use the antecedent to specify the states in which we are interested
• We do not need to preserve program executions where the antecedent is false
• The resulting abstraction is called an antecedent conditioned slice
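An antecedent conditioned slice, as an added example that is not code from the talk and not from any real USB core. The design is constructed for illustration: a handful of guarded register updates loosely modelled on the token-handling property on the next slide, plus unrelated datapath logic. A guard is a conjunction of literals (variable -> 0/1) and the antecedent is a list of such conjunctions (DNF); only same-cycle properties G(antecedent => consequent) are handled. A statement survives only if it lies on a backward dependency path from the consequent and its guard can hold in a state where the antecedent holds.

```python
"""Antecedent conditioned slicing of a small RTL-style design (added example)."""
from collections import namedtuple

# A statement updates `target` from `sources` whenever `guard` holds.
Stmt = namedtuple('Stmt', 'target guard sources')

# Constructed design; `match` = 1 means the endpoint field matched.
DESIGN = [
    Stmt('crc5err',    {},                         {'crc5_calc', 'crc5_rx'}),
    Stmt('match',      {},                         {'ep_field', 'my_ep'}),
    Stmt('send_token', {'crc5err': 1},             set()),  # bad CRC: ignore token
    Stmt('send_token', {'match': 0},               set()),  # endpoint mismatch: ignore
    Stmt('send_token', {'crc5err': 0, 'match': 1}, set()),  # good token: forward it
    Stmt('crc5_calc',  {},                         {'rx_bits'}),
    Stmt('data_out',   {},                         {'data_in', 'data_mux'}),  # unrelated datapath
    Stmt('rx_count',   {'rx_active': 1},           {'rx_count'}),             # unrelated counter
]

# G((crc5err | !match) -> !send_token), split into antecedent (DNF) and consequent.
ANTECEDENT = [{'crc5err': 1}, {'match': 0}]
CONSEQUENT_VARS = {'send_token'}

def consistent(guard, antecedent):
    """True if some antecedent clause agrees with `guard` on every shared
    variable, i.e. the guarded statement can execute while the antecedent holds."""
    return any(all(clause.get(v, val) == val for v, val in guard.items())
               for clause in antecedent)

def slice_design(design, consequent_vars, antecedent=None):
    """Backward slice from the consequent's variables.  Without an antecedent
    this is a plain static slice; with one, statements whose guard contradicts
    every antecedent clause are dropped, since executions where the antecedent
    is false need not be preserved.  Original statement order is kept."""
    keep = []
    worklist, seen = set(consequent_vars), set()
    while worklist:
        v = worklist.pop()
        seen.add(v)
        for s in design:
            if s.target != v or s in keep:
                continue
            if antecedent is not None and not consistent(s.guard, antecedent):
                continue
            keep.append(s)
            # Both the data sources and the guard variables feed the target.
            worklist |= (s.sources | set(s.guard)) - seen
    return [s for s in design if s in keep]

def slice_sizes():
    """Statement counts: full design, plain slice, antecedent conditioned slice."""
    plain = slice_design(DESIGN, CONSEQUENT_VARS)
    conditioned = slice_design(DESIGN, CONSEQUENT_VARS, ANTECEDENT)
    return len(DESIGN), len(plain), len(conditioned)

if __name__ == '__main__':
    for s in slice_design(DESIGN, CONSEQUENT_VARS, ANTECEDENT):
        print('%-10s <= f(%s)  when %s' % (s.target, sorted(s.sources), s.guard or 'true'))
    print('sizes (full, plain slice, conditioned slice):', slice_sizes())
```

The plain slice already discards the datapath and counter logic that cannot influence send_token; conditioning on the antecedent additionally removes the "good token" branch, because its guard (crc5err = 0 and match = 1) contradicts every state the property is about. That branch is exactly the logic a model checker would otherwise have to explore for nothing.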
Slide 14
Example Properties of USB 2.0 Core
• G((crc5err ∨ ¬match) => ¬send_token)
  If a packet with a bad CRC5 is received, or there is an endpoint field mismatch, the token is ignored
• If the machine is in the speed negotiation state, then in the next clock cycle, if it is in high-speed mode for more than 3 ms, it will go to the suspend state