Hardware Verification
Fu Song

Main References:
- Hardware Design Verification: Simulation and Formal Method-Based Approaches, William K. Lam, Prentice Hall Modern Semiconductor Design Series
- A Roadmap for Formal Property Verification, Pallab Dasgupta, Springer
Design, Validation and Testing
Digital Design: Abstraction Levels
Design Example: 2-bit Gray Counter
Gray Counter: successive values should differ in only one bit. The reset signal resets the counter to zero.
Abstractions in Design Flow
Design and Verification
Functional Verification Challenge
Is the implementation correct? How do we define "correct"?
- Classical: simulation result matches the golden output
- Formal: equivalence with respect to a golden model
Property verification: correctness properties (assertions) expressed in a formal language
- Formal: model checking
- Semi-formal: assertion-based verification
Trade-off between computational complexity and exhaustiveness
Simulation
Advent of Formal Methods in EDA
Goal: exhaustive verification of the design intent within feasible time limits
Philosophy: extraction of formal models of the design intent and the implementation, and comparing them using mathematical / logical methods
Toy example: Priority Arbiter
Dynamic Property Verification (DPV)
Formal Property Verification (FPV)
Equivalence Checking
Two designs are defined to be functionally equivalent if they produce identical output sequences for all valid input sequences.
Combinational Equivalence Checking
Basic Approach
Step 1: Register Correspondence. The register correspondence is either guessed using simple heuristics or computed exactly.
Step 2: Functional Comparison. This step involves the actual functional comparison of the individual circuits. This can be done using a variety of methods, including BDDs, SAT and ATPG (automatic test pattern generation).
Register Correspondence
In many practical design flows, a candidate register correspondence is derived from naming conventions. Otherwise, register correspondence can be computed automatically as a greatest fixed point:
- The algorithm starts with one equivalence class (bucket) containing all the registers.
- During each iteration: a unique variable is introduced for the outputs of all registers of each bucket; all next-state functions are computed based on these variables; next, the buckets are partitioned into pieces that have identical next-state functions.
Equivalence Checking with SAT
To check equivalence between f and g, we add the following clauses: Satisfiable = not equivalent
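An added, self-contained illustration of the SAT-based check (not part of the slides): two gate-level netlists are joined by a miter (XOR of corresponding outputs, OR-ed together and forced to 1), Tseitin-encoded to CNF and handed to a tiny DPLL solver; UNSAT means equivalent, SAT yields a distinguishing input. The netlists implement the next-state logic of the 2-bit Gray counter from the slides and are constructed here; the gate format, signal names and the solver are assumptions of this example.

```python
def tseitin(gates, var):
    """CNF for gates [(out, op, in1, in2)]; var() maps signal names to ints."""
    cnf = []
    for out, op, a, b in gates:
        o, x, y = var(out), var(a), (var(b) if b else None)
        if op == "NOT":   cnf += [[-o, -x], [o, x]]                         # o <-> !x
        elif op == "AND": cnf += [[-o, x], [-o, y], [o, -x, -y]]           # o <-> x & y
        elif op == "OR":  cnf += [[o, -x], [o, -y], [-o, x, y]]            # o <-> x | y
        else:             cnf += [[-o, x, y], [-o, -x, -y], [o, -x, y], [o, x, -y]]  # XOR
    return cnf

def dpll(clauses, assign):
    """Tiny DPLL (unit propagation + case split). Returns a model dict or None."""
    assign = dict(assign)
    while True:                                           # unit propagation
        unit = None
        for c in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in c): continue  # satisfied
            free = [l for l in c if abs(l) not in assign]
            if not free: return None                      # conflict
            if len(free) == 1: unit = free[0]; break
        if unit is None: break
        assign[abs(unit)] = unit > 0
    rest = {abs(l) for c in clauses for l in c} - set(assign)
    if not rest: return assign
    v = min(rest)
    return dpll(clauses, {**assign, v: True}) or dpll(clauses, {**assign, v: False})

def equivalent(gates1, outs1, gates2, outs2):
    """Miter: force OR_i (f_i XOR g_i) = 1. SAT => not equivalent, with a witness."""
    ids = {}
    var = lambda s: ids.setdefault(s, len(ids) + 1)      # fresh int per signal name
    miter = [(f"d{i}", "XOR", f, g) for i, (f, g) in enumerate(zip(outs1, outs2))]
    acc = "d0"
    for i in range(1, len(miter)):
        miter.append((f"m{i}", "OR", acc, f"d{i}")); acc = f"m{i}"
    model = dpll(tseitin(gates1 + gates2 + miter, var) + [[var(acc)]], {})
    if model is None: return True, None                   # UNSAT: equivalent
    driven = {g[0] for g in gates1 + gates2}
    inputs = {s for g in gates1 + gates2 for s in g[2:] if s and s not in driven}
    return False, {s: model[ids[s]] for s in sorted(inputs)}

# Constructed netlists: next-state logic of the 2-bit Gray counter from the
# slides (00 -> 01 -> 11 -> 10 -> 00, reset to 00): n1 = q0 & !rst, n0 = !q1 & !rst
REF = [("nr", "NOT", "rst", None), ("nq1", "NOT", "q1", None),
       ("a1", "AND", "q0", "nr"), ("a0", "AND", "nq1", "nr")]
NOR_IMPL = [("bq0n", "NOT", "q0", None), ("bo1", "OR", "bq0n", "rst"), ("b1", "NOT", "bo1", None),
            ("bo0", "OR", "q1", "rst"), ("b0", "NOT", "bo0", None)]   # same by De Morgan
BUGGY = [("cr", "NOT", "rst", None), ("c1", "AND", "q0", "cr"),
         ("c0", "NOT", "q1", None)]                       # bit 0 ignores reset
```

`equivalent(REF, ("a1", "a0"), NOR_IMPL, ("b1", "b0"))` returns `(True, None)`, while the buggy netlist is rejected with a witness in which `rst` is asserted and `q1` is 0, exactly the case where the missing reset term shows.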
Equivalence Checking with BDD Two BDDs are same = Equivalent
Sequential Equivalence Checking
When register correspondence cannot be found easily, or it does not exist, we may compare the state machines.
Basic approach. Core problem: partition the state space into sets of equivalent states. Equivalence can be defined in terms of input/output behavior:
- Bisimulation equivalence
- Stuttering equivalence
Sequential Equivalence Checking
- Extract designs as finite-state machines M1, M2
- Minimize M1 and call the result N1
- Minimize M2 and call the result N2
- Check if the states of N1 can be renamed so that N1 and N2 are identical
Model Checking
FSM Extraction
Transition Relation
Computational facts
On-the-fly model checking