Semi-Formal Verification at IBM Jason Baumgartner, Viresh Paruthi, Robert Kanzelman, Hari Mony IBM Corporation

Outline What is semi-formal verification (SFV)? Challenges in industrial-strength SFV SixthSense: IBM’s SFV Toolset SFV Applications at IBM Conclusion

What is Semi-Formal Verification (SFV)? A method to leverage formal algos in resource-bounded way Used to find bugs too complex / deep for pure formal search Often iterates between random simulation, formal algos

Challenges of Effective SFV SFV is only effective if a formal search is triggered near a fail Otherwise, does not improve falsification capability of formal search Approaches: State prioritization: try to trigger iterations from new / interesting states Light-houses / stepping-stones: use formal analysis to identify states leading towards fail Can use formal algos to try to tunnel between these Clever input generation: make simulation itself “smarter” Or weaken formal algos through lossiness

Industrial SFV Experience SFV is a very useful technology Critical for deep bugs Key to scaling formal algos to large, complex designs However, advances in SFV technologies tend to have marginal benefit for many industrial designs Increasing exhaustive search depth capability by 1 will likely expose more bugs than incremental SFV advances E.g., improvements to SAT technology

Abstraction-Guided Search Abstraction-guided stepping stones: promising technology But for many complex designs it does not work very well Abstraction is obviously prone to dead-ends Abstract depth may not match concrete depth May memout if abstraction becomes too large Management of large preimages may also slow SFV May yield too shallow of preimages, saturating in a few iterations Abstract preimages do not adequately simplify (shorten) search Less effective than target enlargement, since approximate

Advancing SFV Technologies We feel that SFV is still a relatively immature technology Numerous directions for improvement, such as: Abstraction-guided search Difficult to obtain a small enough abstraction which captures the deep behavior of design Need a customized abstraction-refinement scheme? State prioritization and clever input stimuli generation: Borrow from and improve upon testcase generation technologies Improved methods to leverage formal analysis to define and reach prioritized states Please continue research in this area!!

SixthSense: IBM’s SFV Toolset SixthSense is a system of cooperating algorithms Semi-Formal engines Formal engines Transformation engines: simplification / abstraction algorithms Transformation-Based Verification (TBV) framework Exploits maximal synergy between various algorithms Redundancy removal, retiming, induction, localization, ... Incrementally chop problem into simpler sub-problems until solvable Used for functional verification + sequential equiv checking

Transformation-Based Verification Framework Counterexample Trace consistent with Original Design All transformations are transparent to the user All results are in terms of original design Design + Properties SixthSense 140000 registers Min-Area Retiming Engine 75000 registers Localization Engine 150 registers Problem decomposition via synergistic transforms retimed trace retimed, localized trace Reachability Engine

SixthSense: IBM’s SFV Toolset Transforms yield exponential speedups to semi-formal applications, as well as to formal applications Very useful to enable deeper exhaustive search Simplify the sequential design once, unfold many times Unfolding amplifies the benefit of the simplification Transforms can even be integrated within SAT Applied directly to unfolded instance Unfolding opens up more reduction potential TBV impact is particularly profound on high-performance designs Though useful on all types of logic we have encountered

Example SixthSense Engines Combinational rewriting Sequential redundancy removal Min-area retiming Sequential rewriting Input reparameterization Localization Target enlargement State-transition folding Isomorphic property decomposition Unfolding Semi-formal search Symbolic sim: SAT+BDDs Symbolic reachability Induction Interpolation …  Expert System Engine automates optimal engine sequence experimentation

Applications Wide-spread adoption of FV requires scalability to sim-sized testbenches Easier to specify larger functional units vs. components thereof E.g: specify IEEE-compliant FPU check, vs. criteria for correctness of each FPU pipeline-stage controller Scalability implies the need for SFV SFV can wring through bugs even if size too big for proofs Nonetheless, strong motivation to tune tool for large-scale proofs! A robust toolset needs to integrate falsification + proof threads In many cases, large-scale proof is possible without a need for manual decompositions

Virtually all SixthSense applications benefit from semi-formal search Assertion-based verification Typically done by designers Lesser experience level with FV and toolset Testbenches developed with little thought about “proof strategy” SFV very useful to wring out bugs Reference-model based verification Comprehensive checks, usually implemented as an abstract reference model For larger units, often benefits from SFV to wring out early bugs

Applications Silicon-failure recreation efforts: When a chip misbehaves… On-chip debug facilities offer partial insight into cause Usually have a good idea of property to check, “buggy region” SFV very useful since often requires a fairly large design slice And bug-hunting vs. proving is “the mission” Coverage analysis Leverage formal algos to help simulation reach hard-to-hit scenarios Sequential equiv checking: semi-formal search useful to find mismatches, assist in guessing equivalent gates

Conclusion SFV is an enabling technology for wide-spread FV usage Eliminates “risk” associated with developing a complex formal spec, only to choke FV tool Enables greater return on spec investment at higher, more encompassing interfaces SFV will wring out bugs early – even if expert manual decomposition performed later to yield proofs Encourages development of meaningful specs, reusable in sim + emulation Minimizes learning curve: corner-case bugs found by casual users No need for a team of PhDs to use the formal tool!

Conclusion SFV advances useful for certain classes of designs However, they can easily get lost on many designs More research is needed! SixthSense approach: increase formal BMC depth by synergistic transformations Simplify the sequential design once, unfold many times Also simplify the unfolded instance within the SAT engine, within the SFV engine Powerful SFV engine will benefit a variety of tasks: functional verification + sequential equiv checking