introduction to formal verificationsak/courses/foav/intro-formal...introduction to formal...
TRANSCRIPT
11
Introduction to Formal Introduction to Formal VerificationVerification
P. P. P. P. ChakrabartiChakrabartiDept. of Computer Sc. & Dept. of Computer Sc. & EnggEngg.,.,& Advanced VLSI Design Laboratory& Advanced VLSI Design LaboratoryIndian Institute of Technology KharagpurIndian Institute of Technology Kharagpur
Presented by:
22Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Typical SOC ArchitectureTypical SOC Architecture
ProcessorProcessor
MemoryMemory
BRIDGE
BRIDGE
PowerMgmtPowerMgmt
Analog blocks withDigital interfaces
Digital blocks
33Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Two ExamplesTwo ExamplesLow-power, low-cost embedded
systems• High-performance multiprocessors
for complete applications
44Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Networked Embedded ApplianceNetworked Embedded Appliance
RF & IF Transceiver
Baseband Processing
CustomASICLogic
AlgorithmAccelerationCoprocessors
DSP Core
RAM/ROM
WirelessProtocol
ProcessorRAMROM
DRAM
Network/Host/PeripheralInterface
(Microcontroller)
Application
OS & Middleware
TransportCODECActuatorSensor
Peripherals Network
MAC/Link
Physical
Application
OS & Middleware
Transport CODECActuatorSensor
PeripheralsNetwork
MAC/Link
Physical
PROTOCOLS
Flow of bits
Application
OS & Middleware
TransportCODECActuatorSensor
Peripherals Network
MAC/Link
Physical
Application
OS & Middleware
Transport CODECActuatorSensor
PeripheralsNetwork
MAC/Link
Physical
PROTOCOLS
Flow of bits
The challenge is to make a Computer and a Radio (Transmitter& Receiver on a Single Chip)
We need to bridge the Analog & Digital Design Divide at Nanometer scale
55Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Verification Dominates DesignVerification Dominates Design
Simulation46%
Design27%
Structural12%
Emulation15%
• Synthesis• Timing analysis• Equivalence checking• DFT
• Behavioral modeling• Architecture level simulation• System level simulation
• High-level design• RTL coding• Block-level simulation
66Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Chip: Chip: From concept to marketFrom concept to market
Specification
Implementation
Prototyping
Manufacturing
Pre-siliconPost-silicon
Design validationDesign validation
TestingTesting
77Formal-V Group, IIT KGP NWCV 2005NWCV 2005
•• Specification verificationSpecification verification•• System verificationSystem verification•• Performance verificationPerformance verification•• Testability verificationTestability verification•• Timing verificationTiming verification•• Silicon verificationSilicon verification
PrePre--silicon Validation Taskssilicon Validation Tasks
88Formal-V Group, IIT KGP NWCV 2005NWCV 2005
System Architecture
Processor Design
Software Design
Blocks
Design LevelsApplication Spec
Process/Behavior
Register Transfer
Gate
Transistor/RLC
Layout
Processor Code
BUS
Block 2Block 1 Block N
Registers Custom Logic
Interconnect
FU 2FU 1 FU n
99Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationProcessor Code
BUS
Block 2Block 1 Block N
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
A Design & Verification FlowA Design & Verification Flow
1010Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationRegisters Custom Logic
Interconnect
FU 2FU 1 FU n
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
Hardware VerificationHardware Verification
1111Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Important TasksImportant Tasks• System-level design validation
– High-level modelling of CCS (SDL, UML, SystemC)
– Verification by simulation and assertion checking • Processor and Toolset Design
– Flexible Architecture Design & DSE– Systems Software Generation
• Designing & Verifying Custom Blocks– Architecture Spec and RTL– Coverage Analysis
• RTL Validation– Functional & Timing Verification – Modular Verification
1212Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationProcessor Code
BUS
Block 2Block 1 Block N
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
High Level Design High Level Design
1313Formal-V Group, IIT KGP NWCV 2005NWCV 2005
SystemSystem--Level DesignLevel Design
• Modelling Communicating Concurrent Processes
• Typical Interest ranges from:– Interface Verification (handshaking, data-
transfer)– Complete Cycle Accurate Simulation with
processor cores, memories, etc• Synthesis from High-level specs like SDL to
cycle accurate models like SystemC• Verification by a method of of controlled
simulation traces and trace analysis by temporal logic.
1414Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Specification in SDLSpecification in SDL
1515Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationProcessor Code
BUS
Block 2Block 1 Block N
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
Design Intent Verification Design Intent Verification
1616Formal-V Group, IIT KGP NWCV 2005NWCV 2005
SDLDesign
Simulator(with featuresof scheduling & backtracking)
Test bench
Watchdog Verifier(Use of Temporal Logic
Assertions)
Verification using Controlled Simulation
1717Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationProcessor Code
BUS
Block 2Block 1 Block N
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
Design Implementation: Design Implementation: Partitioning, Processor Design, Software Tools, Custom BlocksPartitioning, Processor Design, Software Tools, Custom Blocks
1818Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Processor Design CycleProcessor Design Cycle
PerformanceMetrics
Processor/Sys. Description Experiment newer design
Compiler
Assembler
Linker
Simulator
FPGA
Debugger/GUIProcessor/Sys. Performance(ISA + uArch) Designer Metrics
Quality Assurance Framework
ISA
Regs
Cache
Mem
Pipeline
Bus. . .
Cycle-counts
Speed
Time
Power
BW req.
Stats. . .
Optimizer
Library
1919Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Custom BlocksCustom Blocks
2020Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationProcessor Code
BUS
Block 2Block 1 Block N
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
Implementation VerificationImplementation Verification
2121Formal-V Group, IIT KGP NWCV 2005NWCV 2005
System Architecture
Processor Design
Software Design
Blocks
RTL DesignApplication Spec
Process/Behavior
Register Transfer
Gate
Transistor/RLC
Layout
Processor Code
BUS
Block 2Block 1 Block N
Registers Custom Logic
Interconnect
FU 2FU 1 FU n
2222Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Implementation Rules
Description ofDesign
ImplementationRegisters Custom Logic
Interconnect
FU 2FU 1 FU n
IMPLVERIFIER
DESIGNVERIFIER
Co-Verification
Coverage Analyzer
SystemDesign
Design Rules
System
Tests
Hardware VerificationHardware Verification
2323Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Design intent creationDesign intent creation
Design Cycle: Design Cycle: Intent CreationIntent Creation
ArchitecturalSpecification
ExecutableSpecs (CSpec)
ComponentSpecs Document
Is the intent correct?Is the intent correct?
EnglishEnglish
EnglishEnglish
C, C, SystemCSystemC, , EsterelEsterel
2424Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Design Cycle: Design Cycle: ImplementationImplementation
ComponentSpecs Document
RTL implementation
Gate Level Netlist
Verilog, VHDLVerilog, VHDL
English documentsEnglish documents
Transistor Level(Schematic)
Design integration
SynthesisSynthesis
Technology mappingTechnology mapping
Mask
Layout
Equivalence Equivalence checkingchecking
ImplementationImplementationvalidationvalidation
(Spec(Specvsvs RTL)RTL)
2525Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Main validation tasksMain validation tasks
Architectural Specification[Schematic, Assertions]
Executable Specification[SpecC, SystemC, etc]
Modules[Module level assertions]
FormalProperty Verf
Simulation
Consistencychecks
Simulation, Customization,
Perf. Eval.Design intent verificationDesign intent verification
Implementation verificationImplementation verification
Design integration[System-level assertions]
Simulation,Dynamic property verf
2626Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Example: Priority Arbiter [ Schematic and Example: Priority Arbiter [ Schematic and HighHigh--Level Spec ]Level Spec ]
r1
r2
g1
g2
The system requires to The system requires to arbitratearbitrate between requests between requests r1r1and and r2r2 and provide grants and provide grants g1g1 and and g2g2 in such a way in such a way that that r2 r2 isis defaultdefault but but r1r1 is given is given higher priorityhigher priority over over r2. r2. Mutual exclusionMutual exclusion must be guaranteed.must be guaranteed.
2727Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Example: Priority Arbiter [ Verilog Code Example: Priority Arbiter [ Verilog Code and Formal Model ]and Formal Model ]
always always beginbegin @(@(posedgeposedge clkclk))
beginbeginif(r1 == 1)if(r1 == 1)
@(@(posedgeposedge clkclk))beginbegin g1 = 1; g2 = 0; g1 = 1; g2 = 0; endend
if(r2 == 1 && r1 == 0)if(r2 == 1 && r1 == 0)@(@(posedgeposedge clkclk))beginbegin g2 = 1; g1 = 0; g2 = 1; g1 = 0; endend
if(r2 == 0 && r1 == 0)if(r2 == 0 && r1 == 0)@(@(posedgeposedge clkclk))beginbegin g2 = 1; g1 = 0; g2 = 1; g1 = 0; endend
endendendend
¬¬g1, g2, ¬r1, r2g1, g2, ¬r1, r2
¬¬g1, g2, r1, r2g1, g2, r1, r2
g1, ¬g2, ¬r1, r2g1, ¬g2, ¬r1, r2
g1, ¬g2, r1, r2g1, ¬g2, r1, r2
g1, ¬g2, ¬r1, ¬r2g1, ¬g2, ¬r1, ¬r2
¬¬g1, g2, r1, ¬r2g1, g2, r1, ¬r2
g1, ¬g2, r1, ¬r2g1, ¬g2, r1, ¬r2
¬¬g1, g2, ¬r1, ¬r2g1, g2, ¬r1, ¬r2
2828Formal-V Group, IIT KGP NWCV 2005NWCV 2005
HighPriorityUser
LowPriorityUser
HighPriority
Interface
Arbiter
request hpreq
hpgrant
lpgrant
lpusing
hpusing
Resource Arbiter System Resource Arbiter System (Schematic)(Schematic)
2929Formal-V Group, IIT KGP NWCV 2005NWCV 2005
initial begin hpreq=0; hpusing=0; endalways @(posedge request)beginhpreq=1; #1;if (hpgrant==1) #2;else begin@(posedge hpgrant); #2;
endhpusing=1; hpreq=0;@(negedge hpgrant);hpusing=0;end
High Priority InterfaceHigh Priority Interface hpreq=0, hpusing=0
@(posedge request)
hpreq=1
@(posedgehpgrant)
hpusing=1
hpreq=0@(negedge hpgrant)
hpusing=0ε
ε
ε
ε
ε
ε
#1
#2 #2
hpgrant ?
3030Formal-V Group, IIT KGP NWCV 2005NWCV 2005
hpgrant=0,lpgrant=1
@(posedge hpreq)
Lpgrant=0lpusing?
hpgrant=1@(posedge hpusing)
hpgrant=0,lpgrant=1
ε
ε
ε
εε
#4
#64
initial beginhpgrant=0; lpgrant=1;
end
always @(posedge hpreq)beginlpgrant=0;if (lpusing !=0)
#4;hpgrant=1;@(posedge hpusing);#64;hpgrant=0; lpgrant=1;
end
ArbiterArbiter
3131Formal-V Group, IIT KGP NWCV 2005NWCV 2005
hpreq=0, hpusing=0hpgrant=0, lpgrant=1
request?
hpreq=1, lpgrant=0lpusing?
hpgrant=1
hpgrant=1
hpusing=1, hpreq=0
lpgrant=1, hpgrant=0hpusing=0
#1#3
#2
#64
#1
#2
#1εε
ε
εTimed event structure
(after composition)(after composition)
3232Formal-V Group, IIT KGP NWCV 2005NWCV 2005
The Design Verification ProblemThe Design Verification Problem
Transition System(Kripke Structure)
Property(Temporal Logic)
Formal Verification(Model Checker)
3333Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Priority Arbiter: PropertiesPriority Arbiter: Properties
r1
r2
g1
g2
•• Whenever r1 is asserted, g1 is given in the next cycleWhenever r1 is asserted, g1 is given in the next cycle
•• When r2 is the sole request, g2 comes in the next cycleWhen r2 is the sole request, g2 comes in the next cycle
•• When none of them are requesting, the arbiter parks the grant When none of them are requesting, the arbiter parks the grant on g2 on g2
•• g1 and g2 can not be true at the same time (mutual exclusion)g1 and g2 can not be true at the same time (mutual exclusion)
3434Formal-V Group, IIT KGP NWCV 2005NWCV 2005
c
s
b
a5
3
4
2
1 1
1
1
1
12
9
5
gr
req
req
reqreq
req
gr
grgr
grgrgr
• From s the system always makes a request in future• All requests are eventually granted• Sometimes requests are immediately granted• Requests are not always immediately granted• Requests are held till grant is received
Analyzing Request and GrantsAnalyzing Request and Grants
3535Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Timing PropertiesTiming Properties
• Whenever a hpreq is recorded, the hpgrant should take place within 4 units of time.
• The arbiter will provide exactly 64 units of time to high-priority users in each grant.
3636Formal-V Group, IIT KGP NWCV 2005NWCV 2005
What is temporal logic?What is temporal logic?
•• Logic with Logic with temporaltemporal operators (operators operators (operators that talk about time)that talk about time)
–– EgEg. Tense Logic (A. N. Prior, 1957). Tense Logic (A. N. Prior, 1957)
•• P P “It has at some time been the case that …”“It has at some time been the case that …”
•• F F “It will at some time be the case that …”“It will at some time be the case that …”
•• H H “It has always been the case that …”“It has always been the case that …”
•• G G “It will always be the case that …”“It will always be the case that …”
3737Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Temporal Logic for ValidationTemporal Logic for Validation
•• Formalism for describing sequences of transitions Formalism for describing sequences of transitions between states in a reactive system between states in a reactive system
•• Time is not mentioned explicitlyTime is not mentioned explicitly
–– eventuallyeventually some designated state is reachedsome designated state is reached–– an error state is an error state is nevernever enteredentered–– eventuallyeventually or or nevernever are specified using special temporal are specified using special temporal
operatorsoperators–– temporal operators can also be combined with Boolean temporal operators can also be combined with Boolean
connectives or nested arbitrarilyconnectives or nested arbitrarily
3838Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Informal SemanticsInformal Semantics
•• p holds in the next statep holds in the next state
X pX p
p holdsp holds
3939Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Informal SemanticsInformal Semantics
• p holds always (globally)holds always (globally)alternativelyalternatively
•• ¬¬p does not hold eventuallyp does not hold eventually
G pG p
p holdsp holds
4040Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Informal SemanticsInformal Semantics
•• p holds eventually (in future)p holds eventually (in future)alternativelyalternatively
•• ¬¬p does not hold alwaysp does not hold always
F pF p
p holdsp holds
4141Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Informal SemanticsInformal Semantics
•• q holds eventually q holds eventually andand p holds until q holdsp holds until q holds
p U qp U q
p holdsp holds
q holdsq holds
4242Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Duality between Temporal OperatorsDuality between Temporal Operators
G p
p holds always
¬p does not hold eventually
¬( ¬p holds eventually )
¬F( ¬p )
4343Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Nesting of Temporal OperatorsNesting of Temporal Operators
F G pF G p
G F pG F p
Along the path there exists a state from which Along the path there exists a state from which pp will hold foreverwill hold forever
Along the path for all states there will be eventually some statAlong the path for all states there will be eventually some state e where where pp holds holds
alternativelyalternatively
Along the path p will hold Along the path p will hold infinitely ofteninfinitely often
4444Formal-V Group, IIT KGP NWCV 2005NWCV 2005
ExampleExample
r1
r2
g1
g2
•• Either g1 or g2 is alwaysEither g1 or g2 is alwaysfalse (mutual exclusion)false (mutual exclusion)
G[G[¬¬g1 g1 ∨∨ ¬¬g2]g2]
•• Whenever r1 is asserted, g1 is given in the next cycleWhenever r1 is asserted, g1 is given in the next cycle
G[ r1 G[ r1 ⇒⇒ Xg1 ]Xg1 ]
•• When r2 is the sole request, g2 comes in the next cycleWhen r2 is the sole request, g2 comes in the next cycle
G[ (G[ (¬¬r1 r1 ∧∧ r2) r2) ⇒⇒ Xg2 ]Xg2 ]
•• When none are requesting, the arbiter parks the grant on g2 When none are requesting, the arbiter parks the grant on g2 G[ (G[ (¬¬r1 r1 ∧∧ ¬¬r2) r2) ⇒⇒ Xg2 ]Xg2 ]
4545Formal-V Group, IIT KGP NWCV 2005NWCV 2005
c
s
b
a5
3
4
2
1 1
1
1
1
12
9
5
gr
req
req
reqreq
req
gr
grgr
grgrgr
From s the system always makes a request in future: AFreqAll requests are eventually granted:AG(req → AFgr)Sometimes requests are immediately granted: EF(req → EXgr)Requests are not always immediately granted: ¬ AG(req → AXgr)Requests are held till grant is received: AG(req → AF(req U gr))
Analyzing Request and GrantsAnalyzing Request and Grants
4646Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Timing PropertiesTiming Properties
• Whenever a hpreq is recorded, the hpgrantshould take place within 4 units of time.AG(posedge(hpreq) → A(true U[0,4] posedge(hpgrant)))
• The arbiter will provide exactly 64 units of time to high-priority users in each grant.AG(posedge(hpusing) →
A(¬negedge(hpusing) U[64,64] negedge(hpusing)))
4747Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Model Checking of a Temporal Logic FormulaModel Checking of a Temporal Logic Formula
temporal formula
MC
G(p -> F q)yes
nop
q
finite-state model
algorithm
pq
counterexamplecounterexample
OKOK
4848Formal-V Group, IIT KGP NWCV 2005NWCV 2005
SatisfiabilitySatisfiability Checking of a Temporal Logic FormulaChecking of a Temporal Logic Formula
Temporal formula
SATChecker
yes
no
a model of a model of the formula the formula
existsexists
no model no model exists for the exists for the
formulaformula
unsatisfiableunsatisfiable
satisfiableatisfiable
4949Formal-V Group, IIT KGP NWCV 2005NWCV 2005
AssertionAssertion--Based Verification (ABV) Based Verification (ABV)
•• Design intent is expressed using assertionsDesign intent is expressed using assertions•• Simulation is done as usualSimulation is done as usual
–– Assertions find more bugs fasterAssertions find more bugs faster–– Assertions isolate the source of the problemAssertions isolate the source of the problem
•• Use formal methods to guide simulationUse formal methods to guide simulation
AssertionMonitor
Test Bench
ModuleunderTest
Interface bind
5050Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Design Team
SpecificationDesign
Model Checker
Coverage Estimator Correct the Design
Property Refinement
Refined Property
Design Team
Validation
Correct Incorrect
Identify theportion of the design where it holds
Property IncorrectNot a
correctnessproperty
Property correct
Refine Specwith the property
Add the negationof the property
Property Refinement And Coverage
5151Formal-V Group, IIT KGP NWCV 2005NWCV 2005
Advanced VLSI Design LabAdvanced VLSI Design Lab
Analog / RFDesign
Analog / RFDesign Digital
DesignDigitalDesign
CADCAD
Direct conversion radio
Power management
Analog behavioral models
Formal verification
Test AutomationAnalog CAD
Embedded System Design
Cryptography
Digital Communication
Processor Design
25 chips taped out in the last 3 years!!25 chips taped out in the last 3 years!!
RFID