Theory, Practice and Perspectives of Operation-Based Formal Circuit Verification
(Theorie, Praxis und Perspektiven der operationsbasierten formalen Schaltungsverifikation)

Wolfram Büttner, [email protected]

December 2012

Page 2: Principles of Mathematical Work

Overall objective
- Construct mathematical object
- Document understanding of object in terms of theorems

Process of gaining understanding
- Pre-proof: Set up hypothesis, constraints, assertions
- Proof: Prove hypothesis or adjust hypothesis, constraints, assertions until proof succeeds
- Theory formation: Develop hierarchy of theorems to achieve good understanding of object

Formal verification
- Analyze mathematical models capturing key functionality of technical systems – most important models are FSMs describing discrete control
- Emphasis is on finding errors – proof as termination criterion for successful verification
- Automated proof is essential for acceptance in Engineering
- Automated proof is necessary, but is it sufficient for a good verification solution?

Page 3: Model Checking: Automated Debugging/Proof – Temporal Logic as Property Description Language for FSMs

AGp - p holds for all states of all traces
EGp - p holds for all states of some trace
AFp - p holds for some state in every trace
EFp - p holds for some state in some trace

More complex properties, e.g. AG(p AFq), AGAFp, AGEFp

Page 4: Model Checking: Automated Debugging/Proof – Does a temporal logic formula hold for an FSM?

AGp - p holds for all states of all traces

z0 = reset state
Z0 = {z0}
….
Zi+1 = Zi plus new states reachable from states in Zi in one step

Basic Model Checking:
if p does not hold for z0 then reset activation defines counterexample, stop
else for i = 0, 1, … {
  • calculate Zi+1
  • if Zi+1 = Zi proof holds, stop
  • else examine all new z that can be reached from Zi in one step:
    if p does not hold for z then calculate trace to z, stop
}

Symbolic Model Checking:
• Identify sets Zi with their characteristic (Boolean) functions
• For Boolean f: f(x1, …, xn) = ite(x1 = 1, f(1, …, xn), f(0, …, xn))
• Iterated decomposition represents f as a directed acyclic graph (BDD)
• Graph is often compact; permits efficient build-up of Zi, comparison of Zi and Zi+1 and intersection of Zi+1 with the set of states violating p
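As an added example (not part of the slides), the basic model checking loop above written out explicitly on a constructed toy version of the running example's abstract automaton: states IDLE and ROW_ACT together with the activated row, restricted to two rows, inputs pnop/pread/pwrite. The sets Zi are built by breadth-first image computation, the fixpoint Zi+1 = Zi terminates the proof, and a violating state is returned with the input trace leading to it; the toy automaton and the properties checked in the test are assumptions of this example.

```python
# Constructed toy: the abstract memory-controller automaton of the running
# example (IDLE / ROW_ACT, with the activated row) restricted to two rows.
IDLE, ROW_ACT = "IDLE", "ROW_ACT"
INPUTS = [("pnop",)] + [(op, r) for op in ("pread", "pwrite") for r in (0, 1)]
RESET = (IDLE, None)            # z0: after reset no row has been activated yet

def step(z, i):
    """Transition function: z_{j+1} = z_{j+1}(z_j, i_j)."""
    ctrl, actrow = z
    if i[0] == "pnop":          # mnop in IDLE, precharge in ROW_ACT; actrow is kept
        return (IDLE, actrow)
    return (ROW_ACT, i[1])      # pread/pwrite: activate(R) (re-activates on a row miss)

def trace_to(z, parent):
    """Walk the predecessor links back to z0 and return [(input, state), ...]."""
    path = []
    while parent[z] is not None:
        prev, inp = parent[z]
        path.append((inp, z))
        z = prev
    return path[::-1]

def check_ag(p, step=step, reset=RESET, inputs=INPUTS):
    """Basic model checking of AGp.  Z_i is the set of states reachable in at most i
    steps; the loop stops when Z_{i+1} = Z_i (proof) or a new state violates p.
    Returns (holds, counterexample trace, number of image computations)."""
    if not p(reset):
        return False, [], 0     # the reset activation itself is the counterexample
    parent = {reset: None}      # doubles as the set Z_i and the predecessor map
    frontier, i = [reset], 0
    while frontier:             # empty frontier means Z_{i+1} = Z_i: fixpoint
        i += 1
        new = []
        for z in frontier:
            for inp in inputs:  # states reachable from Z_i in one step
                z1 = step(z, inp)
                if z1 in parent:
                    continue
                parent[z1] = (z, inp)
                new.append(z1)
                if not p(z1):   # violation found: compute the trace to z1
                    return False, trace_to(z1, parent), i
        frontier = new
    return True, [], i
```

The property "in IDLE no row is recorded" fails after pread followed by pnop, because the abstract automaton keeps actrow across the precharge; "in ROW_ACT a row is recorded" is proven after three image computations.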

Page 5: Model Checking: Automated Debugging/Proof – Assessment

Status of approach
• Best known automated formal verification paradigm
• Bound to be an add-on to conventional simulation-based testing
• Applied in various domains by experts verifying critical functionality – no generally accepted engineering practice
• Often faces state explosion requiring problem-specific abstractions
• Finding safe abstractions requires deep knowledge of tool and application

Conclusions
• Push-button verification solution based on MC works only for simple properties
• Additional support of the "process of gaining understanding" is essential for broad acceptance of formal verification in industry
• In the early 1990s a new circuit verification approach emerged supporting pre-proof, proof and theory formation – OFV (operation-based formal circuit verification)

Page 6: OFV: Running Example - Memory Controller

[Figure: block diagram. A Processor is connected to an SDRAM Controller (for e.g. DDR2 RAMs) through the signals request, rw, address, wdata, rdata and ready; the controller drives the SDRAM through sd_addr, sd_ctrl, sd_wdata and sd_rdata.]

Page 7: OFV: Operation Properties / Abstract VHDL

[Figure: three diagrams, reproduced here as text.]

Abstract VHDL: abstract automaton with states IDLE and ROW_ACT entered from reset; actrow records the currently activated row. Transition labels read "trigger / actions":
- pnop / mnop
- pnop / precharge
- pread(R,C) / activate(R), mread(C), actrow <= R
- pwrite(R,C,D) / activate(R), mwrite(C,D), actrow <= R
- pread(R,C) and R = actrow / mread(C)
- pread(R,C) and R ≠ actrow / precharge, activate(R), mread(C), actrow <= R
- pwrite(R,C,D) and R = actrow / mwrite(C,D)
- pwrite(R,C,D) and R ≠ actrow / precharge, activate(R), mwrite(C,D), actrow <= R

VHDL state machine of the controller: states reset, idle, row_act and the wait states of the command sequences. Transition labels read "condition / assignments":
- req = '0' / sd_ctrl <= nop; ready <= '0';
- req = '1' / sd_ctrl <= activate; sd_addr <= row(address); last_row <= row(address); ready <= '0';
- req = '1' and rw = '1' and row(address) = last_row / sd_ctrl <= read; sd_addr <= col(address); ready <= '0'; then rdata <= sd_rdata; ready <= '1';
- req = '1' and rw = '0' and row(address) = last_row / sd_ctrl <= write; sd_addr <= col(address); sd_wdata <= wdata; ready <= '1'; then sd_ctrl <= stop; ready <= '0';
- req = '0' or row(address) /= last_row / sd_ctrl <= precharge; ready <= '0';
- wait states: sd_ctrl <= nop; ready <= '0';

Timing diagram: signals request, rw, address (R, C), wdata (D), rdata (D), ready, sd_ctrl (labels nop, read, nop, activate, nop, prech), sd_addr, sd_wdata, sd_rdata, state (ROW_ACT) and actrow (R) over an operation interval t..T for an access with R ≠ actrow.

Page 8: OFV: Formal Verification of Single Operation Property

Verification of a single operation property is reduced to a SAT problem

• A = A(z0, Z, I, O, R(z0, Z, I, O)) (Mealy automaton of VHDL program)
  R defines transition equations z_{j+1} = z_{j+1}(z_j, i_j), o_j = o_j(z_j, i_j) (polynomials in z_j, i_j)
• P = P(i_t, i_{t+1}, …, i_{t+n}, z_t, z_{t+1}, …, z_{t+n}, o_t, o_{t+1}, …, o_{t+n}) ∈ {True, False}
  Property describes behaviour of an operation over n cycles (usually n ≤ 50)
• By inserting the transition equations of A into P a property P' of A arises with P' = P'(i_t, i_{t+1}, …, i_{t+n}, z_t)
• Application of SAT solver: P holds for A iff P' = True; otherwise the solver computes a trace T (counterexample) triggered by i_t', i_{t+1}', …, i_{t+n}' such that T starts at z_t' and P fails for T
• Complexity shifted from BDD representation to SAT search; heuristics deal with many thousand variables; few properties run longer than 5 minutes
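As an added example (not from the slides or from any OneSpin tool), the reduction above on a constructed one-command-per-cycle Mealy automaton in the spirit of the controller's VHDL state machine: the transition equations are inserted into an operation property by unrolling them from z_t over the n input cycles, and an exhaustive search over z_t and i_t..i_{t+n-1} stands in for the SAT solver, returning a counterexample trace when P' is not True. The automaton, the row-miss property and the seeded defect (bug=True: the activated row is not recorded) are assumptions of this example.

```python
import itertools

# Constructed toy Mealy automaton: state z = (s, last_row), input i = (req, rw, row)
# with rw = 1 for read, output o = (sd_ctrl, ready).  One command per cycle.
IDLE, ROW_ACT, PRE = "idle", "row_act", "pre"
STATES = [(s, lr) for s in (IDLE, ROW_ACT, PRE) for lr in (0, 1)]
INPUTS = [(req, rw, row) for req in (0, 1) for rw in (0, 1) for row in (0, 1)]

def step(z, i, bug=False):
    """Transition equations z_{j+1} = z_{j+1}(z_j, i_j), o_j = o_j(z_j, i_j)."""
    (s, lr), (req, rw, row) = z, i
    if s == IDLE:
        if not req:
            return (IDLE, lr), ("nop", 0)
        # seeded defect: with bug=True the activated row is not recorded
        return (ROW_ACT, lr if bug else row), ("activate", 0)
    if s == ROW_ACT:
        if req and row == lr:                      # row hit: access immediately
            return (ROW_ACT, lr), ("read" if rw else "write", 1)
        return (PRE, lr), ("precharge", 0)         # no request or row miss
    return (IDLE, lr), ("nop", 0)                  # PRE: one wait cycle, then IDLE

def unroll(z_t, inputs, bug=False):
    """Insert the transition equations: z_t..z_{t+n} and o_t..o_{t+n-1} from z_t and the inputs."""
    zs, os = [z_t], []
    for i in inputs:
        z1, o = step(zs[-1], i, bug)
        zs.append(z1); os.append(o)
    return zs, os

def row_miss_property(inputs, zs, os):
    """Operation property P over n = 4 cycles: a stable request for a row other than
    the active one is served as precharge, nop, activate, access and ends in ROW_ACT."""
    (req, rw, row), (s, lr) = inputs[0], zs[0]
    triggered = s == ROW_ACT and req == 1 and row != lr and all(i == inputs[0] for i in inputs)
    if not triggered:
        return True                                # P only constrains its own operation
    expect = [("precharge", 0), ("nop", 0), ("activate", 0), ("read" if rw else "write", 1)]
    return os == expect and zs[4] == (ROW_ACT, row)

def check_property(prop, n, bug=False):
    """SAT stand-in: exhaustive search over z_t and i_t..i_{t+n-1}; None if P' is True."""
    for z_t in STATES:
        for inputs in itertools.product(INPUTS, repeat=n):
            zs, os = unroll(z_t, inputs, bug)
            if not prop(inputs, zs, os):
                return z_t, list(inputs), os       # counterexample trace T
    return None
```

For the defective variant the search returns the start state z_t' = (row_act, 0) and the input sequence i_t'..i_{t+3}' on which the second access is wrongly precharged instead of served.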

Page 9: Theorie, Praxis und Perspektiven der operationsbasierten formalen Schaltungsverifikation

Review VHDL/spec and automatically verify identified behavior

• Verification engineer searches in VHDL for start and ending states of operations

of abstract VHDL

• Incremental build-up of these states and connecting operations by firstly

inspecting state machine (s) of code and then taking data path into account:

– Suspected (stage of) operation is formalized by – possibly partial - operation property

OFV: Methodology to Systematically Find

Operation Properties

December 2012

Page 9

– Suspected (stage of) operation is formalized by – possibly partial - operation property

– Property checking reveals errors or ensures correct behavior of code fragments

• This way engineer walks through code, operation by operation, and covers

behaviour of VHDL by operation properties

• Review stops once automated completeness check confirms coverage of full

functionality of code by properties

• Productivity: 2000-4000 lines of fully verified VHDL per person month

Page 10: OFV: Completeness of Set of Operation Properties

A set of operation properties of an automaton A describing a VHDL program is complete iff for every input trace of A a chain of properties exists which uniquely determines A's output trace – i.e. A and its Abstract VHDL have the same I/O behaviour.

In order to chain operation properties gap-free, for any such property P its ending and starting states must comprise conditions which permit tests ensuring completeness of a property set:

For every property P
1. and for every input stimulus there exist successor properties Qi such that the ending state condition of P fulfills the starting state condition of Qi (successor test)
2. and for every input stimulus any successor Qi of P uniquely determines the output trace in the considered interval (determination test)
3. the input conditions of the successors Qi of P cover all possible inputs (case split test)

Similarly as for property checking, completeness tests amount to solving SAT problems
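As an added example (not from the slides), the three completeness tests run over a constructed set of operation properties for the abstract memory-controller automaton of page 7: each property carries a start-state condition, an input condition, its end state and the output it determines, and the tests are evaluated by enumeration over the finite state and input spaces in place of the SAT problems. The property set is an assumption of this example; the write-miss operation is deliberately left out of PROPS so that the case split test reports a gap, and the test adds a conflicting property to trigger the determination test.

```python
from collections import namedtuple

# Constructed toy: operation properties of the abstract memory-controller
# automaton (IDLE / ROW_ACT).  A property has a start-state condition, an
# input (trigger) condition, an end-state function and the output it determines.
Prop = namedtuple("Prop", "name start trig end out")
IDLE, ROW_ACT = "IDLE", "ROW_ACT"
STATES = [(IDLE, None)] + [(c, r) for c in (IDLE, ROW_ACT) for r in (0, 1)]
INPUTS = [("pnop",)] + [(op, r) for op in ("pread", "pwrite") for r in (0, 1)]
MEM = {"pread": "mread", "pwrite": "mwrite"}

PROPS = [
    Prop("nop_idle", lambda z: z[0] == IDLE, lambda z, i: i[0] == "pnop",
         lambda z, i: (IDLE, z[1]), lambda z, i: ("mnop",)),
    Prop("access_idle", lambda z: z[0] == IDLE, lambda z, i: i[0] != "pnop",
         lambda z, i: (ROW_ACT, i[1]), lambda z, i: ("activate", MEM[i[0]])),
    Prop("nop_act", lambda z: z[0] == ROW_ACT, lambda z, i: i[0] == "pnop",
         lambda z, i: (IDLE, z[1]), lambda z, i: ("precharge",)),
    Prop("hit", lambda z: z[0] == ROW_ACT, lambda z, i: i[0] != "pnop" and i[1] == z[1],
         lambda z, i: z, lambda z, i: (MEM[i[0]],)),
    Prop("read_miss", lambda z: z[0] == ROW_ACT, lambda z, i: i[0] == "pread" and i[1] != z[1],
         lambda z, i: (ROW_ACT, i[1]), lambda z, i: ("precharge", "activate", "mread")),
]
# The write-miss operation is deliberately left out of PROPS to show a gap.
WRITE_MISS = Prop("write_miss", lambda z: z[0] == ROW_ACT,
                  lambda z, i: i[0] == "pwrite" and i[1] != z[1],
                  lambda z, i: (ROW_ACT, i[1]), lambda z, i: ("precharge", "activate", "mwrite"))

def completeness_check(props, states=STATES, inputs=INPUTS):
    """Successor, case split and determination tests by enumeration (the stand-in
    for the SAT problems).  Returns a sorted list of (test, property, end state,
    input) gaps; an empty list means the property set is complete."""
    gaps = set()
    for P in props:
        ends = {P.end(z, i) for z in states for i in inputs if P.start(z) and P.trig(z, i)}
        for z_end in ends:
            succ = [Q for Q in props if Q.start(z_end)]
            if not succ:                              # successor test
                gaps.add(("successor", P.name, z_end, None))
                continue
            for i in inputs:
                fire = [Q for Q in succ if Q.trig(z_end, i)]
                if not fire:                          # case split test
                    gaps.add(("case_split", P.name, z_end, i))
                elif len({Q.out(z_end, i) for Q in fire}) > 1:   # determination test
                    gaps.add(("determination", P.name, z_end, i))
    return sorted(gaps, key=str)
```

Every property ending in ROW_ACT leaves the input pwrite(R) with R ≠ actrow uncovered until WRITE_MISS is added, after which the set is complete.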

Page 11: OFV: Success Story – Operation-Based Formal Verification of Large Industrial Processor

• Verisoft project funded by German Ministry for Education and Research to challenge formal techniques
• Testcase due to Verisoft partner Infineon:
  – New superscalar 32-bit microcontroller-DSP, 3 pipelines, 850 instructions
  – Around 100k lines VHDL / 1000 pages spec
  – Widely used in automotive applications
• Effort: 4 PY vs. significantly higher effort needed for simulation
• Critical bugs found by OFV in spec and RTL
• 1532 properties; 5 processes; 30k lines of property code
• Correctness proven on single WS in 5 days

Source: Infineon; Verisoft project 2007

[Figure: block diagram of the TriCore 1.3 core with Program Scratch RAM, Data Scratch RAM, Bus Interface Unit, MMU, Interrupts, FPU, Program Cache and Data Cache, connected through their interfaces to the System Bus, the Interrupt & Debug Unit, a 64-bit Crossbar, a Bridge and other IP; the formally verified blocks are marked.]

Page 12: Chip Development and Main Hurdle for OFV

Early phase
• set up/assess functional prototypes

Architecture
• explore architectural choices
• specify modules and communication for target architecture

Design
• development and verification or re-use of modules (e.g. VHDL programs)
• verification engineers used to black-box verification (random test generation)
• system integration, communication structures

Lower-Level Activities
• automated implementation of logic firstly by gates then by transistors
• generation of production data and tests

Page 13: Further Perspectives of Abstract VHDL – Operation-Based Design, Optimization wrt. Area, Speed, Power, Functional Safety Analysis

[Figure: the abstract automaton, the VHDL state machine and the timing diagram of page 7 shown again as the starting point for operation-based design.]

Page 14: Summary

• Modules are built to implement operations - often computing results within few cycles.
• Functional essence of an operation is captured by the concept of an operation property.
• Start/end states of operations and operation properties define an abstract automaton - tool-supported code review extracts this Abstract VHDL from VHDL and spec.
• SAT-based property checking and completeness tests guarantee functional equivalence between VHDL and Abstract VHDL or reveal errors in code or spec – the respective tools are supported and marketed by OneSpin Solutions GmbH.
• OFV is a full verification solution supporting pre-proof, proof, theory formation - reliably yields top quality at reasonable effort.
• Two barriers prevent OFV from entering mainstream engineering:
  – Chip manufacturers now focus on system construction – most modules exist as re-use blocks
  – Verification engineers got used to black-box verification - automated random test simulation
• Way forward: Operation-based design, exploitation of full potential of Abstract VHDL

Reference: J. Bormann: "Vollständige funktionale Verifikation", Dissertation, TU Kaiserslautern, 2009

Page 15: Thank you!