Semi-Formal Verification at IBM
HLDVT, November 2006
Jason Baumgartner,
Viresh Paruthi, Robert Kanzelman,
Hari Mony
IBM Corporation
Outline
What is semi-formal verification (SFV)?
Challenges in industrial-strength SFV
SixthSense: IBM’s SFV Toolset
SFV Applications at IBM
Conclusion
What is Semi-Formal Verification (SFV)?
A method to leverage formal algorithms in a resource-bounded way
Used to find bugs too complex or too deep for pure formal search
Often iterates between random simulation and formal algorithms
Challenges of Effective SFV
SFV is only effective if a formal search is triggered near a fail
Otherwise, it does not improve the falsification capability of formal search
Approaches:
State prioritization: try to trigger iterations from new / interesting states
Light-houses / stepping-stones: use formal analysis to identify states leading towards a fail
Can use formal algorithms to try to tunnel between these
Clever input generation: make simulation itself “smarter”
Or weaken formal algorithms through lossiness
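As an added illustration of the simulation / formal-search loop and of state prioritization described above (this is constructed example code, not code from the talk or from SixthSense), the script below runs the SFV loop on a toy design: random simulation collects newly reached states, a hand-written score stands in for state prioritization, and a bounded exhaustive search runs from the best seeds, returning a counterexample that replays from reset. The design, the scoring function and all names are assumptions.

```python
import random
from collections import deque
from functools import reduce
# Constructed toy design (not from the talk): a saturating up/down counter gated by an
# 8-step handshake allowed only once count >= 12.  The fail (phase 8) needs >= 19 cycles,
# beyond depth-8 search from reset, and random stimulus hits the handshake with prob 4**-8.
INIT = (0, 0)                                       # (count, phase)
INPUTS = [(r, a) for r in (0, 1) for a in (0, 1)]   # (req, ack)
UNLOCK = [(1, 1), (1, 0), (1, 1), (0, 1), (1, 0), (1, 1), (1, 1), (0, 0)]

def next_state(state, inp):
    count, phase = state
    count = min(count + 1, 63) if inp[0] else max(count - 1, 0)
    if phase < len(UNLOCK):          # phase 8, the fail, is absorbing
        phase = phase + 1 if count >= 12 and inp == UNLOCK[phase] else 0
    return (count, phase)

def bounded_search(seed, depth):
    # BMC-style formal step: exhaustive BFS over input sequences of length <= depth from seed.
    seen, frontier = {seed}, deque([(seed, [])])
    while frontier:
        s, path = frontier.popleft()
        if s[1] == len(UNLOCK):
            return path
        for inp in (INPUTS if len(path) < depth else []):
            t = next_state(s, inp)
            if t not in seen:
                seen.add(t)
                frontier.append((t, path + [inp]))
    return None

def semi_formal_search(sim_steps=200, depth=8, seeds=4, rounds=50, rng_seed=1):
    # Alternate random simulation with bounded formal search.  Newly reached states are ranked
    # by a hand-written score (higher count/phase = nearer the fail): a stand-in for prioritization.
    rng, history, seen, state = random.Random(rng_seed), [], {INIT: 0}, INIT
    for _ in range(rounds):
        new = []
        for _ in range(sim_steps):
            history.append(rng.choice(INPUTS))
            state = next_state(state, history[-1])
            if state not in seen:
                seen[state] = len(history)          # length of the prefix reaching it
                new.append(state)
        for seed in sorted(new, key=lambda s: s[0] + 8 * s[1], reverse=True)[:seeds]:
            tail = bounded_search(seed, depth)
            if tail is not None:
                return history[:seen[seed]] + tail   # counterexample from reset
    return None
def replay(trace):                   # run the design from reset over an input trace
    return reduce(next_state, trace, INIT)
```

Neither piece alone succeeds here: `bounded_search(INIT, 8)` returns None, and the handshake is too unlikely for random stimulus, but the combined loop returns a full trace whose replay ends in the fail state.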
Industrial SFV Experience
SFV is a very useful technology
Critical for deep bugs
Key to scaling formal algorithms to large, complex designs
However, advances in SFV technologies tend to have marginal benefit for many industrial designs
Increasing exhaustive search depth capability by 1 will likely expose more bugs than incremental SFV advances
E.g., improvements to SAT technology
Abstraction-Guided Search
Abstraction-guided stepping stones: promising technology
But for many complex designs it does not work very well
Abstraction is obviously prone to dead-ends
Abstract depth may not match concrete depth
May memout if abstraction becomes too large
Management of large preimages may also slow SFV
May yield preimages that are too shallow, saturating in a few iterations
Abstract preimages do not adequately simplify (shorten) the search
Less effective than target enlargement, since approximate
Advancing SFV Technologies
Please continue research in this area!!
We feel that SFV is still a relatively immature technology
Numerous directions for improvement, such as:
Abstraction-guided search
Difficult to obtain a small enough abstraction that captures the deep behavior of the design
Need a customized abstraction-refinement scheme?
State prioritization and clever input stimuli generation:
Borrow from and improve upon testcase generation technologies
Improved methods to leverage formal analysis to define and reach prioritized states
SixthSense: IBM’s SFV Toolset
SixthSense is a system of cooperating algorithms
Semi-Formal engines
Formal engines
Transformation engines: simplification / abstraction algorithms
Transformation-Based Verification (TBV) framework
Exploits maximal synergy between various algorithms
Redundancy removal, retiming, induction, localization, ...
Incrementally chop the problem into simpler sub-problems until solvable
Used for functional verification + sequential equiv checking
[Figure: SixthSense Transformation-Based Verification Framework. Design + Properties (140000 registers) -> Min-Area Retiming Engine (75000 registers) -> Localization Engine (150 registers) -> Reachability Engine; the counterexample flows back: retimed, localized trace -> retimed trace -> counterexample trace consistent with the original design. Problem decomposition via synergistic transforms.]
All transformations are transparent to the user
All results are in terms of the original design
SixthSense: IBM’s SFV Toolset
Transforms yield exponential speedups to semi-formal applications, as well as to formal applications
Very useful to enable deeper exhaustive search
Simplify the sequential design once, unfold many times
Unfolding amplifies the benefit of the simplification
Transforms can even be integrated within SAT
Applied directly to the unfolded instance
Unfolding opens up more reduction potential
TBV impact is particularly profound on high-performance designs
Though useful on all types of logic we have encountered
Example SixthSense Engines
Combinational rewriting
Sequential redundancy removal
Min-area retiming
Sequential rewriting
Input reparameterization
Localization
Target enlargement
State-transition folding
Isomorphic property decomposition
Unfolding
Semi-formal search
Symbolic sim: SAT+BDDs
Symbolic reachability
Induction
Interpolation
…
Expert System Engine automates optimal engine sequence experimentation
Applications
Wide-spread adoption of FV requires scalability to sim-sized testbenches
Easier to specify larger functional units vs. components thereof
E.g., specify an IEEE-compliant FPU check, vs. correctness criteria for each FPU pipeline-stage controller
Scalability implies the need for SFV
SFV can wring out bugs even if the size is too big for proofs
Nonetheless, strong motivation to tune the tool for large-scale proofs!
A robust toolset needs to integrate falsification + proof threads
In many cases, large-scale proof is possible without a need for manual decompositions
Applications
Virtually all SixthSense applications benefit from semi-formal search
1. Assertion-based verification
Typically done by designers
Lesser experience level with FV and the toolset
Testbenches developed with little thought about “proof strategy”
SFV very useful to wring out bugs
2. Reference-model based verification
Comprehensive checks, usually implemented as an abstract reference model
For larger units, often benefits from SFV to wring out early bugs
Applications
3. Silicon-failure recreation efforts: when a chip misbehaves…
On-chip debug facilities offer partial insight into the cause
Usually have a good idea of the property to check and the “buggy region”
SFV very useful since this often requires a fairly large design slice
And bug-hunting vs. proving is “the mission”
4. Coverage analysis
Leverage formal algorithms to help simulation reach hard-to-hit scenarios
5. Sequential equivalence checking: semi-formal search useful to find mismatches and assist in guessing equivalent gates
Conclusion
SFV is an enabling technology for wide-spread FV usage
Eliminates “risk” associated with developing a complex formal spec, only to choke FV tool
Enables greater return on spec investment at higher, more encompassing interfaces
SFV will wring out bugs early – even if expert manual decomposition is performed later to yield proofs
Encourages development of meaningful specs, reusable in sim + emulation
Minimizes learning curve: corner-case bugs found by casual users
No need for a team of PhDs to use the formal tool!
Conclusion
SFV advances are useful for certain classes of designs
However, their benefit can easily get lost on many other designs
More research is needed!
SixthSense approach: increase formal BMC depth by synergistic transformations
Simplify the sequential design once, unfold many times
Also simplify the unfolded instance within the SAT engine, within the SFV engine
Powerful SFV engine will benefit a variety of tasks: functional verification + sequential equiv checking