ECE 667 Synthesis and Verification of Digital Systems 9/12/2019 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Sequential Equivalence Checking ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Formal Verification Deductive reasoning (theorem proving) 9/12/2019 Formal Verification Deductive reasoning (theorem proving) Uses axioms, rules to prove system correctness No guarantee that it will terminate Difficult, time consuming: for critical applications only Model checking Automatic technique to prove correctness of concurrent systems: digital circuits, communication protocols, etc. Practical tools become available, popular in industry Equivalence checking Check if two designs are equivalent OK for combinational circuits, unsolved for sequential systems ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Why do we need Formal Verification 9/12/2019 Why do we need Formal Verification Need for reliable hardware validation Simulation, test cannot handle all possible cases Formal verification conducts exhaustive exploration of all possible behaviors compare to simulation, which explores some of possible behaviors if correct, all behaviors are verified if incorrect, a counter-example (proof) is presented Examples of successful use of formal verification SMV system [McMillan 1993] verification of cache coherence protocol in IEEE Futurebus+ standard ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Basic Model: Finite State Machines 9/12/2019 Model sequential design as an FSM X=(x1,x2,…,xn) Y=(y1,y2,…,yn)   S=(s1,s2,…,sn) S’=(s’1,s’2,…,s’n) D M(X,Y,S,S0,,): X: Inputs Y: Outputs S: Current State S0: Initial State(s) : X  S  S (next state function) : X  S Y (output function) Delay element: Clocked: synchronous Unclocked: asynchronous ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Sequential Equivalence Checking 1 9/12/2019 Sequential Equivalence Checking 1 Represent each sequential circuit as an FSM verify if two FSMs are equivalent Simplistic approach: reduction to combinational circuit unroll each FSM over n time frames (flatten the design) this is called a bounded model (fixed number of time frames) also used in simulation based verification (using SAT) M(t1) x(1) s(1) M(t2) x(2) s(2) … M(tn) x(n) s(n) Combinational logic: F(x(1,2, …n), s(1,2, … n)) check equivalence of the resulting combinational circuits problem: the resulting circuit can be too large too handle ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Sequential Equivalence Checking 2 9/12/2019 Sequential Equivalence Checking 2 Simplest case: compare two structurally similar FSMs Same set of registers and state encoding Same initial state Register pairs match (name matching) Problem reduces to verifying equivalence of combinational logic component (CL) of the FSMs Output functions Next state logic CL1  CL2 (combinational)  FSM1  FSM2 (sequential)   D y1 M1 x s1   D y2 M2 x s2 ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Sequential Equivalence Checking 3 9/12/2019 Sequential Equivalence Checking 3 Another simplistic approach: based on checking isomorphism of state transition graphs (impractical) two machines M1, M2 are equivalent if their state transition graphs (STGs) are isomorphic perform state minimization of each machine check if STG(M1) and STG(M2) are isomorphic 0/0 0/1 1/0 1 2 M1 1/1 1/0 1.2 0/0 1/1 0/1 M1min State min.  1/0 1 0/0 1/1 0/1 M2 ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Sequential Equivalence Checking 9/12/2019 Sequential Equivalence Checking If combinational verification paradigm fails There is no name matching Bounded model insufficient No structural similarities, etc Two options: Sequential verification based on state traversal Expensive but most general Register matching structural register correspondence functional register correspondence ECE 667 - Synthesis & Verification ECE 667, Spring 2011

9/12/2019 FSM Equivalence Most general approach: construct a product machine M1M2:   D y1 M1 {1,1,…,1} {X1,X2,…,Xn}   D y2 M2 M1 and M2 are functionally equivalent iff the product machine M1  M2 produces a constant 1 for all valid input sequences {X1,…,Xn}. ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Sequential Verification 9/12/2019 Sequential Verification Most general approach: symbolic (implicit) FSM traversal of the product machine Given two FSMs: M1(X,S1, 1, 1,O1), M2(X,S2, 2, 2,O2) Create a product FSM: M = M1 M2 traverse the states of M and check its output for each transition the output O(M) =1, if outputs O1= O2 if all outputs of M are 1, M1 and M2 are equivalent otherwise, an error state is reached error trace is produced to show: M1  M2 M1 M2 S1 S2 O2 O1 X O(M) ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Product Machine - Construction 9/12/2019 Product Machine - Construction Define the product machine M(X,S, , ,O) states, S = S1  S2 next state function, (s,x) : (S1  S2)  X  (S1  S2) output function, (s,x) : (S1  S2)  X  {0,1} O = 1 if O1=O2 0 otherwise (s,x) = 1(s1,x) 2(s2,x)  M1 M2 1 2 2 1 X Error trace (distinguishing sequence) that leads to an error state sequence of inputs which produces 0 at the output of M produces a state in M for which M1 and M2 give different outputs ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Construction of the Product FSM 9/12/2019 Construction of the Product FSM M2 1/1 2 1 0/0 0/1 1/0 1/0 1 0/0 1/1 0/1 M1 For each pair of states, s1 M1, s2 M2 create a combined state s = (s1. s2) of M create transitions out of this state to other states of M label the transitions (input/output) accordingly M1 1/0 0/1 1 0/1 11 Output = { 1 OK 0 error 1/1 0.2 00 M2 2 0/1 1/0 1 1.1 ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Product FSM – Example 1 Product machine for equivalent FSMs 9/12/2019 Product FSM – Example 1 Error states are unreachable ! (machines are equivalent) Product machine for equivalent FSMs (Hachtel, Somenzi, Fig. 7.41) ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Product FSM – Example 2 Product machine for non-equivalent FSMs 9/12/2019 Product FSM – Example 2 Error states Good states Product machine for non-equivalent FSMs (Hachtel, Somenzi, Fig. 7.45, 7.46) Error states are reachable ! (machines are NOT equivalent) ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Explicit FSM Traversal in Action 9/12/2019 Explicit FSM Traversal in Action M2 2 1 0/0 0/1 1/1 1/0 1/0 1 0/0 1/1 0/1 M1 Initiall states: s1=0, s2=0,s=(0.0) Error state 1.0 0/0 1/0 0.1 1/0 0/0 Out(M) State reached x=0 x=1 0/1 0.2 1/1 New 0 = (0.0) 1 1 0/0 1.2 1/0 New 1 = (1.1) 1 1 1.1 0/1 1/1 New 2 = (0.2) 1 1 0.0 0/1 1/1 M New 3 = (1.0) 0 0 STOP - backtrack to initial state to get error trace: x={1,1,1,0} ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Explicit FSM Traversal 9/12/2019 Explicit FSM Traversal Breadth-first Search (BFS) procedure on a product machine ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Explicit FSM Traversal 9/12/2019 Explicit FSM Traversal Error Trace computation ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Symbolic FSM Traversal 9/12/2019 Symbolic FSM Traversal Explicit methods are expensive Must evaluate all input combinations Use symbolic (implicit methods): traverse the product machine M(X,S,, ,O) start at an initial state S0 iteratively compute symbolic image Img(S0,R) (set of next states) until an error state is reached Img( S0,R ) = x s S0(s) • R(x,s,t) R = i Ri = i (ti  i(s,x)) transition relation Ri for each next state variable ti can be computed as ti = (t  (s,x)) this is an alternative way to compute transition relation, when design is specified at gate level, without explicitly creating a product machine. ECE 667 - Synthesis & Verification ECE 667, Spring 2011

9/12/2019 Transition Relation Transition Relation t(s,s’) – characteristic function x=0 x=1 Example 1 ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Image Computation - example 9/12/2019 Image Computation - example Boolean notation Set notation Image of a set of states r(s): IMG( t, r ) = s ( r(s) • t(s.s’) ) Initial state: r(s) = (s 0) (s 1) {0,1} Transition relation: t(s,s’) = (s 0) (s’ 2)  {(0,2), (s 0) (s’ 3)  (0,3), (s 1) (s’ 3)  (1,3), (s 2) (s’ 4) (2,4)} t  r = (s 0) (s’ 2)  {(0,2), (s 1) (s’ 3) (1,3)} s(r t) = (s’ 2) (s’ 3) {(2,3)} Example: 2 1 3 4 r(s) IMG(t,r(s)) ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Forward State Traversal 9/12/2019 Forward State Traversal Algorithm TRAVERSE_FORWARD(t,  ,S0) { reached =  current = S0 // start from init while (reached  (reached  current)) { // fixed point reached = reached  current // add new states next = IMG(t,current) // one trans. current = next // rename variable } return x((x,s)  reached) Example: 1 3 2 4 5 6 Iteration: 1 2 3 Reached: {0} {0,1,2} {0,1,2,3} Current: {0} {1,2} {1,2,3} Next: {1,2} {1,2,3} {0,1,2,3} ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Backward State Traversal 9/12/2019 Backward State Traversal Algorithm TRAVERSE_BACKWARD(t,  ,S0) { reached =  current = x.(l(x,s)=1) // start from bad while (reached  (reached  current)) { // fixed point reached = reached current // add new states previous = PRE_IMG(t,current) // one trans. current = previous // rename variable } return (S0  reached) Example: 1 3 2 4 5 6 Iteration: 1 2 3 Reached: {6} {4,6} {4,5,6} Current: {6} {4} {4,5} Previous: {4} {4,5} {4,5,6} ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Implicit State Traversal Another Look 9/12/2019 Implicit State Traversal Another Look O X R (s,x) (s,x) s s’ Product machine: M(X,S, , ,O) Inputs: X Outputs: O States: S Next state function, (s,x) : S  X  S Output function, (s,x) : S  X  O ECE 667 - Synthesis & Verification ECE 667, Spring 2011

FSM Traversal State Transition Graphs 9/12/2019 FSM Traversal State Transition Graphs directed graphs with labeled nodes and arcs (transitions) symbolic state traversal methods important for symbolic verification, state reachability analysis, FSM traversal, etc. 0/1 1/0 s0 s1 s2 0/0 ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Existential Quantification 9/12/2019 Existential Quantification Existential quantification (abstraction) x f = f |x=0 + f |x=1 Example: x (x y + z) = y + z Note: x f does not depend on x (smoothing) Useful in symbolic image computation (deriving sets of states) ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Existential Quantification - cont’d 9/12/2019 Existential Quantification - cont’d Function can be existentially quantified w.r.to a vector: X = x1x2… X f = x1x2... f = x1 x2 ... f Can be done efficiently directly on a BDD Very useful in computing sets of states Image computation: next states Pre-Image computation: previous states from a given set of initial states ECE 667 - Synthesis & Verification ECE 667, Spring 2011

9/12/2019 Image Computation Computing set of next states from a given initial state (or set of states) Img( S,R ) = u S(u) • R(u,v) Img(v) R(u,v) S(u) FSM: when transitions are labeled with input predicates x, quantify w.r.to all inputs (primary inputs and state var) Img( S,R ) = x u S(u) • R(x,u,v) ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Image Computation - example 9/12/2019 Image Computation - example Compute a set of next states from state s1 Encode the states: s1=00, s2=01, s3=10, s4=11 Write transition relations for the encoded states: R = (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) s1 s2 s3 s4 a a’ 00 01 10 11 a xy XY 1 00 01 0 00 10 - 10 11 ………. ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Example - cont’d = a xy (x’y’) • (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) 9/12/2019 Example - cont’d Compute Image from s1 under R Img( s1,R ) = a xy s1(x,y) • R(a,x,y,X,Y) = a xy (x’y’) • (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) = axy (ax’y’X’Y + a’x’y’XY’ ) = (X’Y + XY’ ) = {01, 10} = {s2, s3} s1 s2 s3 s4 a a’ 00 01 10 11 Result: a set of next states for all inputs s1  {s2, s3} ECE 667 - Synthesis & Verification ECE 667, Spring 2011

Pre-Image Computation 9/12/2019 Pre-Image Computation Computing a set of present states from a given next state (or set of states) Pre-Img( S’,R) = v R(u,v) )• S’(v) R(u,v) Pre-Img(u) S’(v) Similar to Image computation, except that quantification is done w.r.to next state variables The result: a set of states backward reachable from state set S’, expressed in present state variables u Useful in computing CTL formulas: AF, EF ECE 667 - Synthesis & Verification ECE 667, Spring 2011