Industrial Strength SAT-based Alignability Algorithm for Hardware Equivalence Verification Daher Kaiss, Marcelo Skaba, Ziyad Hanna, Zurab Khasidashvili Formal Technologies Group Intel, Israel Design Center, Haifa
Feb 04, 2016
Purpose
• Sequential Equivalence Verification (SEV) as a productivity boost in hardware design
• A novel method for automatic initialization of hardware design
Agenda
• Problem statement
• Introduction
• What is Seqver?
• Initialization algorithm
• Experimental results
• Conclusions
Problem Statement
• Traditional methods for doing Formal Equivalence Verification (FEV) between RTL and Schematics are not efficient
• They require one-to-one correspondence between the sequential elements in the compared models
– Negative impact on the abstraction level of the RTL
– Negative impact on design convergence, as changes in the schematics need to be reflected in the RTL
Introduction
• Formal Equivalence Verification (FEV) is the process of verifying that the schematic is functionally equivalent to the RTL
• Formal verification tools are limited in capacity and complexity
• Mapping is an association between signals in the compared designs
– Central role in the FEV design activity
– Thus defines boundaries for decompositions
FEV flow
[Figure: FEV flow diagram with boxes RTL, Synthesis, Schematics, Extraction, Map File, FEV (Seqver), Verification Passed, Debug, Diff, Modify the Schematic, Complex.]
Traditional way of doing FEV
• The designs are decomposed at the sequential elements
– There is a one-to-one correspondence between the sequential elements in both designs
• This method is called Combinational Equivalence Verification (CEV)
[Figure: RTL – Fub level vs. Schematic – Fub level.]
Impact on chip design development
• Detailed RTL is
– Expensive to develop & maintain
– Slow to validate
– Error prone
• Much of the design cycle deals with “tweaking” the circuit to meet timing/area/… constraints
– Most of these changes should not change the visible behavior of a unit/fub.
• Powerful, automatic, sequential verification can allow this tight coupling SCH-RTL to be relaxed
Sequential Equivalence Verification (SEV)
• Compare designs in which there is a different number of latches and/or different locations of the latches
[Figure: RTL – Fub level vs. Schematic – Fub level.]
SEV – Example 1 (Abstraction)
[Figure: RTL with a FlipFlop based memory implementation vs. Schematic with a Latch based memory implementation; signals Dec, PreDec, PostDec, A[0..n], D[0..m], Out, Latch.]
SEV – Example 2 (Power saving)
[Figure: RTL vs. Schematic; signals clk, enable, D, En, out.]
Challenges in SEV compared to CEV
• SEV is considered a more complex task than CEV
– In CEV, the slices are combinational, and thus methods like Binary Decision Diagrams (BDDs) or Combinational Satisfiability (SAT) checkers can be employed
[Figure: a BDD over variables a, b, c, and the corresponding SAT search tree over the same variables.]
Challenges in SEV compared to CEV – Cont.
• The most challenging question in SEV is initialization
– What is the initial state of the two compared designs?
– Example (retiming)
[Figure: retiming example, RTL vs. Schematic, registers D and output out; two simulation runs with register values (1, 110, 1) and (0, 001, 0) each end in Mismatch.]
What is ‘Seqver’?
• Sequential EQuivalence VERifier
• It addresses the following design activities:
– Formal equivalence verification of two designs with similar or different placement of state elements
– State matching (combinational) and non state matching designs verification
– RTL2Sch, Sch2Sch and RTL2RTL
• For more information, please refer to the ICCD 2006 paper
How is the initialization problem addressed in Seqver?
• Automatic initialization of the designs
• Seqver theory is based on the alignability theory which was first introduced by Carl Pixley (1982)
• It is motivated by the fact that a power-up state of a hardware design cannot be predicted or controlled
• Thus the design must be brought into a smaller set of states where the design is supposed to work correctly
Verification steps
[Figure: verification steps diagram; no text content recoverable.]
Preliminaries
• The unknown state of a circuit C is the state in which all the storage elements have the undefined value X
• A binary state of a circuit C is a state in which all the state elements have binary values
• An initialization sequence of C is a sequence of binary inputs which, when applied to the unknown state of C, brings C to a binary state
• A reset sequence of C is a sequence of binary inputs which, when applied to any state of C, brings C to the same binary state
• Without loss of generality, we will assume only one circuit that needs to be initialized
– As the initialization sequence of the product machine of two given circuits C1 and C2 is an initialization sequence for each of them
Initialization algorithm
• The idea is to assign the unknown value (X) to each of the sequential elements
• Call a formal engine to find an input sequence to the inputs that makes all the sequential elements initialized with 0’s or 1’s
• The theory guarantees no verification hole although the “real reboot sequence” might be different from the one found by Seqver
• Example: possible initialization sequences are (A=0,B=0) (A=1,B=0) (A=0,B=1) (A=1,B=1)
[Figure: RTL vs. Schematic of a small register circuit with inputs A and B and output out; every state element starts at X.]
Which formal engine to choose?
• Traditional methods for initializing hardware designs are based on BDDs
– Advantages: very convenient data structures
– Disadvantages: very limited in terms of number of variables
• We chose to use Satisfiability (SAT) based methods
– Very powerful combinational and sequential engines
– iProver: Intel Formal Technology SAT engines based on Eureka – world class SAT solver
Modeling challenges
• Challenge: All the known SAT solvers are binary value based, while we need a three valued representation (modeling 0, 1, and X)
• Solution: Dual rail modeling
– Every signal is modeled using a dual value (High, Low)
– SAT is applied in parallel on both the high and low rails
– Due to the large similarity between the high and low rails, no overhead was observed due to this duplication

Dual Rail Encoding
Value              Encoding
0                  (0, 1)
1                  (1, 0)
X                  (1, 1)
Input a            (a, !a)
State s            (s_H, s_L)
NOT (a, b)         (b, a)
(a, b) AND (c, d)  (a AND c, b OR d)
(a, b) OR (c, d)   (a OR c, b AND d)
Modeling challenges – Cont.
• Challenge: How do we model sequential behavior using propositional logic?
• Solution: Every variable is represented using an infinite sequence

Sequential Logic Encoding
Value      Modeling
0          0, 0, 0, …
1          1, 1, 1, …
Input a    a0, a1, a2, …
NOT a      !a0, !a1, !a2, …
a AND b    a0 AND b0, a1 AND b1, a2 AND b2, …
a OR b     a0 OR b0, a1 OR b1, a2 OR b2, …
Next a     a1, a2, …

• Unrolling the operation of an output function up to depth k simply means applying the Next operator k times
• We denote the value of stream v at time k using v[k]
So what’s novel in our method?
• Recall that our method assumed all the sequential elements are initialized with the unknown value (X)
• The main drawback of this method is that sometimes the circuit is resettable but the described method wouldn’t find the reset sequence
– Due to the weak properties of X (X AND !X = X)
– The described method could find a sequence that initializes only a partial set of the sequential elements
– A novel method was developed in order to complement this sequence
Initialization steps
[Figure: initialization steps over states s0 … s9.]
Final reset sequence is :
Algorithm illustration
Stage 1: Initialize all the state elements with X. Find an initialization sequence.
Stage 1: If all the sequential elements are initialized, then we are done. Pick it as the initialization sequence.
Stage 2: If not all the sequential elements are initialized, then
• Build a new circuit by duplicating the original one
• Initialize the not-initialized sequential elements with different values
Stage 2: Try now to find a new sequence that brings both models into one state
• If this sequence doesn’t exist, then we are done. This model is not resettable!
Stage 2: However, if this sequence really exists, then check whether this sequence initializes the models now
[Figure: the remaining illustration slides step through the two stages graphically; no text content recoverable.]
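The X-initialization search (stage 1) and the duplicate-and-align complement (stage 2) described above, as an added Python example that is not Seqver's code: it uses the slide's dual-rail encoding, replaces the SAT engine with a bounded brute-force search over input sequences, and runs on a constructed two-register circuit whose self-feedback register never leaves X under stage 1 alone. One assumption beyond the slides: instead of a single duplicate, stage 2 enumerates every binary completion of the still-unknown registers, so an aligning sequence is a reset sequence for the partial state.

```python
from itertools import product

ZERO, ONE, X = (0, 1), (1, 0), (1, 1)   # dual-rail (high, low) from the slide

def NOT(a):                      # NOT (a,b) = (b,a)
    return (a[1], a[0])
def AND(p, q):                   # (a,b) AND (c,d) = (a AND c, b OR d)
    return (p[0] & q[0], p[1] | q[1])
def lit(bit):                    # binary input a -> (a, !a)
    return ONE if bit else ZERO

# Constructed two-register circuit, one input in0 (not from the paper):
#   s0' = in0 AND s1        s1' = s1 AND NOT s1   (physically 0 after 1 clock,
#   but X AND NOT X = X, so stage 1 alone never sees s1 become binary)
def example_circuit(state, inp):
    return (AND(lit(inp[0]), state[1]), AND(state[1], NOT(state[1])))

def simulate(circuit, state, seq):
    for inp in seq:
        state = circuit(state, inp)
    return state

def input_sequences(n_inputs, depth):
    for k in range(1, depth + 1):
        yield from product(product((0, 1), repeat=n_inputs), repeat=k)

# Stage 1: from the all-X state pick the sequence that makes the most
# registers binary (Seqver asks its SAT engine for this; brute force here).
def stage1(circuit, n_regs, n_inputs, depth):
    start = (X,) * n_regs
    seq = max(input_sequences(n_inputs, depth),
              key=lambda s: sum(v != X for v in simulate(circuit, start, s)))
    return list(seq), simulate(circuit, start, seq)

# Stage 2: every binary completion of the still-unknown registers is a copy
# of the circuit; find a sequence that drives all copies to one state.
def stage2(circuit, partial, n_inputs, depth):
    unknown = [i for i, v in enumerate(partial) if v == X]
    copies = []
    for bits in product((0, 1), repeat=len(unknown)):
        fixed = dict(zip(unknown, map(lit, bits)))
        copies.append(tuple(fixed.get(i, v) for i, v in enumerate(partial)))
    for seq in input_sequences(n_inputs, depth):
        reached = {simulate(circuit, c, seq) for c in copies}
        if len(reached) == 1:
            return list(seq), reached.pop()
    return None                  # no aligning sequence within the depth bound

# Reset sequence = stage 1 sequence followed by the stage 2 alignment.
def reset_sequence(circuit, n_regs, n_inputs, depth=3):
    seq1, st = stage1(circuit, n_regs, n_inputs, depth)
    if X not in st:
        return seq1
    found = stage2(circuit, st, n_inputs, depth)
    return None if found is None else seq1 + found[0]
```

For the constructed circuit stage 1 stops at (0, X) and stage 2 aligns the two completions in one clock, giving the reset sequence in0 = 0, 0; a register that merely holds its value yields None, matching the "not resettable" outcome.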
Experimental results
Circuit  Inputs  Latches  Result     #Iterations  CPU (sec.)
C1       1565    1348     EQUAL      0            124
C2       509     302      EQUAL      2            13
C3       385     314      EQUAL      0            11
C4       96      132      EQUAL      1            10
C5       1487    1274     EQUAL      0            2
C6       381     402      EQUAL      2            1
C7       106     152      EQUAL      0            1
C8       871     764      EQUAL      0            1
C9       961     834      EQUAL      0            1
C10      23      72       Not Init.  2            1
Conclusions
• Sequential equivalence verification using ‘Seqver’ opens the door for raising the RTL abstraction
• First large scale usage in Intel – hundreds of designers
• A new approach which automates the generation of the initial state for hardware designs
• New sequential modeling techniques empowered with world-class combinational SAT solvers enable solving tough sequential problems like ATPG and automatic sequential property verification
Questions