Formal Hardware Verification (some key ideas) Mary Sheeran - - PDF document



SLIDE 1

4/3/2008 1

Formal Hardware Verification (some key ideas)

Mary Sheeran

Idealised Flow

[Figure: the idealised flow begins with a high-level specification that is not formal.]

SLIDE 2

Idealised Flow

[Figure: the high-level, informal specification is turned into a formal specification that is equally high level, written in math or an expressive logic.]

Specification Validation

Not a formal process (big demand for tools that assist)

SLIDE 3

Refinement

[Figure: the formal specification (including constraints) is refined into several smaller formal specifications (each including constraints), with a mechanically checked proof linking the refined structure to the specification it refines.]

SLIDE 4

[Figure: refinement of a parameterised specification into n formal specifications (including constraints), proved by induction on n.]

and so on recursively ….

Stop when you reach library components that have physical implementation(s).

SLIDE 5

Design verification

• Run proof from bottom up

[Figure: the formal specification at the top of the hierarchy and the MODEL of the system at the bottom.]

Pros

• Hierarchy is a (the?) way to manage complexity. Scalable.
• This approach can span abstraction levels and in particular can start high up, close to the original informal spec.
• The proof is based on the circuit structure.
• It is mechanically checked.
• Can prove generic (or parameterised) systems. (One proof gives a lot.)

SLIDE 6

Cons

• Interactive theorem proving is difficult and time-consuming (often tedious too).
• May need the lowest level components to be rather abstract to make it feasible.
• Hard to make the link to the very low level physical details. Risk leaving a gap to what is actually implemented.

Idealised Implementation

• Keep exact structure.
• Conservative design rules used to ensure that the abstract behaviour of the silicon is faithfully reflected in the system model.
• Link between implementation and design is checked in Implementation verification.
• Remember that the model captures only a simplified version of the behaviour. Usually only function.

SLIDE 7

Implementation verification

• Often done by extracting a model from the actual layout (look in it to find where the transistors or gates are and how they are connected).
• Make a model of this result and compare with the design (using Equivalence Checking (EC)).
• To make this feasible the design (golden model) has to be close to the actual implementation.

Post-silicon verification

• Did the manufacturing work?
• Very hard because there are few pins for pumping data in and out.
• (Formal methods used here too, more needed.)

SLIDE 8

[Figure: the flow as four stages: Specification validation (not formal), Design Verification, Implementation Verification, Post-silicon Verification.]

Reality gets in the way

• Pipelining
• State encoding
• Physical design messes up logical structure
• Optimisations
• Spec. is dragged downwards

SLIDE 9

What can we do??

• Aim for automation (bit level)
• Find niches where formal methods work well
• Use assertions / properties first in sim. and then in FV
• Idea 1: make simulators a little cleverer

Symbolic simulation

• Take a simulator (can be quite low level, accurate one)
• Make it work not only on 0, 1, X (unknown) (or a larger group of constants) but ALSO on symbols

SLIDE 10

Ordinary simulation

[Figure: ordinary simulation of a two-input xor gate on constant inputs, starting with inputs 1 and 1.]


SLIDE 12

simulation

[Figure: the four constant-input runs of the xor gate.] 4 runs to check exhaustively. Q: how many for n inputs?

Symbolic simulation Idea 1

• Use X values
• Halves number of sim. runs! Why?

[Figure: an X value on one input of the xor gate.]

SLIDE 13

Symbolic simulation Idea 1

• Use X values
• Halves number of sim. runs!
• BUT may lose information (try on xor example)

[Figure: the xor gate with X on its inputs gives X on its output.]

Symbolic simulation Idea 2

• Use symbolic values
• Think of giving input values names rather than constant values
• Build up an expression in terms of (some of the) inputs
• May rep. using Binary Decision Diagrams (BDDs)

[Figure: the xor gate with symbolic value a on an input and the output expressed in terms of a (a and ¬a).]

SLIDE 14

Symbolic simulation

[Figure: symbolic simulation of the xor gate: inputs 1 and a give output ¬a.]

SLIDE 15

Symbolic simulation

[Figure: further runs of the xor gate with inputs drawn from 1, a, ¬a and X; a run with an X input yields X, while a run with inputs 1 and a yields ¬a.]

SLIDE 16

Symbolic simulation

• Widely used (applies also to sequential circuits)
• Forms basis of model checking method called Symbolic Trajectory Evaluation (STE)
• User must make judicious choice of 0, 1, X, a, b, …
• X halves sim. runs, but may result in X at a point vital to the verification
• Symbolic variable halves sim. runs without losing info. BUT BDD somewhere in the sim. may grow too big
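As an added illustration (not code from the slides), the following Python contrasts Idea 1 and Idea 2 on the xor gate used above: a three-valued (0, 1, X) simulator, and a symbolic simulator in which a value is represented as the set of input assignments that make it 1 (a truth-table encoding standing in for the BDDs the slides mention). It goes one step beyond the slides' frames: the symbolic form knows that ¬a xor a is 1, whereas X xor X stays X. All names are my own.

```python
from itertools import product

# ---- Idea 1: three-valued simulation, X meaning "unknown" ----
X = "X"

def and3(p, q):
    # 0 is dominant, so 0 AND X is known to be 0
    if p == 0 or q == 0:
        return 0
    return X if X in (p, q) else 1

def xor3(p, q):
    # xor has no dominant value: any X input makes the output X,
    # even when both X inputs are really the same signal
    return X if X in (p, q) else p ^ q

# ---- Idea 2: symbolic values over the named inputs VARS ----
# A symbolic value is the frozenset of input assignments (tuples of 0/1,
# in VARS order) on which it evaluates to 1.  Constants are the empty
# set (ZERO) and the set of all assignments (ONE).
VARS = ("a", "b")
ALL = frozenset(product((0, 1), repeat=len(VARS)))
ZERO, ONE = frozenset(), ALL

def var(name):
    # the symbol itself, e.g. the input named "a"
    i = VARS.index(name)
    return frozenset(t for t in ALL if t[i] == 1)

def not_s(p):
    return ALL - p

def and_s(p, q):
    return p & q

def xor_s(p, q):
    return p ^ q          # symmetric difference is exactly exclusive-or

def constant_value(p):
    # 0 or 1 when p depends on no input, otherwise None
    return 1 if p == ONE else 0 if p == ZERO else None

def runs_needed(n_inputs, n_unknown_or_symbolic):
    # an input left at X or given a symbol covers both 0 and 1 in a
    # single run, so the number of constant runs halves per such input
    return 2 ** (n_inputs - n_unknown_or_symbolic)
```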

Questions?

SLIDE 17

Binary Decision Diagrams

• Vital enabling technology
• Data structure for representing a Boolean function (current form introduced by Bryant, known earlier)
• Canonical form (constant time comparison)
• Used in Symbolic Model Checking

[Figure: ordered decision tree for ab + cd, variables tested in the order a, b, c, d, with leaves 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1.]

Ordered Decision Tree

SLIDE 18

Ordered Decision Tree

Every path from root to leaf obeys the variable ordering (a,b,c,d)

SLIDE 19

[Figure: the decision tree for ab + cd beside its truth table; the leaves of the tree, read left to right, are the truth-table column.]

To get OBDD

• Combine isomorphic subtrees (same label, same children)
• Eliminate redundant nodes (those with two identical children) until no more reductions possible
• Tree becomes a graph

SLIDE 20

[Figure: the reduced (O)BDD for ab + cd: one node each for a, b, c and d, with terminals 0 and 1.]

(O)BDD

Make (O)BDD for x xor y xor z

SLIDE 21

Above method just conceptual

• In reality generated and manipulated in fully reduced form
• Sharing exploited everywhere (hashing)
• Efficient (polynomial time) algorithms for all usual operations (and, or etc., quantification)
• Representation is canonical (for a given variable ordering)

Pros

• Comparing Boolean functions cheap [could use for what?]
• Many small and usual functions have small BDDs [example: parity above. How big is the BDD for n inputs? Exercise: How would it look in Conjunctive Normal Form (CNF)?]

SLIDE 22

Cons

• Some usual and important functions have GIGANTIC BDDs
• Q: How big is the BDD for a 16-bit binary multiplier?
• Shifters are also problematic
• Getting the variable order right is vital. Can make the difference between linear and exponential size!
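As an added example (not code from the slides), here is the conceptual construction of slides 19 to 22 in Python: a decision tree built by Shannon expansion along the variable order, reduced on the way up by the two rules (merge isomorphic subtrees through a unique table, drop nodes with identical children). It checks that ab + cd and its CNF form reduce to the same node, measures the parity BDD for n inputs, and compares the orderings (a,b,c,d) and (a,c,b,d) for ab + cd. The class and helper names are my own.

```python
class BDD:
    # Reduced ordered BDD.  Terminals are the ints 0 and 1; an internal node
    # is a (var, lo, hi) tuple interned in the unique table, so isomorphic
    # subtrees are shared, and mk() drops nodes whose two children coincide.
    def __init__(self, order):
        self.order = tuple(order)
        self.unique = {}

    def mk(self, var, lo, hi):
        if lo == hi:
            return lo                      # redundant test: skip the node
        return self.unique.setdefault((var, lo, hi), (var, lo, hi))

    def build(self, f, env=None, i=0):
        # Shannon-expand f along the order (the slides' conceptual decision
        # tree) and reduce bottom-up; this visits all 2^n inputs, which is
        # why real packages operate on reduced BDDs directly instead.
        env = env or {}
        if i == len(self.order):
            return int(bool(f(**env)))
        v = self.order[i]
        return self.mk(v, self.build(f, {**env, v: 0}, i + 1),
                          self.build(f, {**env, v: 1}, i + 1))

def size(node, seen=None):
    # number of internal nodes reachable from node, shared nodes counted once
    seen = set() if seen is None else seen
    if node in (0, 1) or node in seen:
        return 0
    seen.add(node)
    return 1 + size(node[1], seen) + size(node[2], seen)

def ab_plus_cd(a, b, c, d):
    return (a & b) | (c & d)
def ab_plus_cd_cnf(a, b, c, d):   # the same function in CNF (the exercise)
    return (a | c) & (a | d) & (b | c) & (b | d)
def parity(**bits):
    return sum(bits.values()) % 2

def canonical_equal():
    # two syntactically different formulas reduce to the same node
    bdd = BDD("abcd")
    return bdd.build(ab_plus_cd) == bdd.build(ab_plus_cd_cnf)

def parity_size(n):
    # how big is the parity BDD for n inputs?  (2n - 1 internal nodes)
    return size(BDD([f"x{i}" for i in range(n)]).build(parity))

def ordering_sizes():
    # ab + cd under the orders (a,b,c,d) and (a,c,b,d): 4 vs 6 nodes
    return size(BDD("abcd").build(ab_plus_cd)), size(BDD("acbd").build(ab_plus_cd))
```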

Next Step

Model checking (week after next)