Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Formal Verification using Rulebase April 18, 2001 Rebecca Gott eServer I/O Development Hardware Verification

Published byAllen Shelton Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Formal Verification using Rulebase April 18, 2001 Rebecca Gott eServer I/O Development Hardware Verification"— Presentation transcript:

1 Introduction to Formal Verification using Rulebase April 18, 2001 Rebecca Gott eServer I/O Development Hardware Verification Email: gott@us.ibm.com

2 Today's Topics n Brief review n Introduction to the GenBuff example n Modeling the environment n Formulating Rules n Running Rulebase

3 Review of Requirements for FV n A good, written functional specification è All block level I/Os should be described, with timing diagrams è Function (internal state machines, etc.) n Partition selection n Communication with Designer n FV engineer MUST have thorough understanding of the logic & signals driving the logic

4 RuleBase Model Checker design (HDL) environ. (EDL) spec (sugar) RuleBase pass/fail

5 GenBuf Example GenBuf is a design block that queues words of data (32 bits) sent by four senders. GenBuf then transmits the data to two receivers. The four senders are equivalent and the two receivers are equivalent. STOB_REQ(0) BTOS_ACK(0) DI_0_(0..31) Sender0 Sender1 Sender2 Sender3 GENBUFGENBUF STOB_REQ(1) BTOS_ACK(1) DI_1_(0..31) STOB_REQ(2) BTOS_ACK(2) DI_2_(0..31) STOB_REQ(3) BTOS_ACK(3) DI_3_(0..31) BTOR_REQ(0) RTOB_ACK(0) BTOR_REQ(1) RTOB_ACK(1) Receiver0 Receiver1 D0(0..31)

6 GenBuf Sender Description n Communication w/ Senders takes place by means of a 4-phase handshaking è When sender(x) has data to send, it initiates a transfer by asserting STOB_REQ(x) ("Server x to Buffer Request") è If the queue is not full, the sender will be serviced; GenBuf will read the data from x's bus, and will then assert BTOS_ACK(x) ("Buffer to Server x Acknowledge") one cycle after reading the data è Sender x will hold its request signal until it gets BTOS_ACK(x); after BTOS_ACK(x) has been asserted, the sender will release the data bus and deassert STOB_REQ(x) è To conclude the transaction, GenBuf will deassert BTOS_ACK(x) n A sender should wait until BTOS_ACK(x) is deasserted before starting a new transaction n GenBuf uses a fair scheme to select the Sender

7 GenBuf Recevier Description n Communication w/ Receivers takes place by means of a 4-phase handshaking è When GenBuf has data, it will choose a receiver (y=0 or 1) and will initiate a data transfer by asserting BTOR_REQ(y) ("Buffer to Receiver Requests y") è When the receiver is ready, it will assert RTOB_ACK(y) ("Receiver to Buffer Acknowledge") è One cycle after RTOB_ACK(y) is asserted, GenBuf will put the data on the data bus (DO(0..31)) è The receiver will indicate to GenBuf that it has read the data by deasserting RTOB_ACK(y) n GenBuf should wait for RTOB_ACK(y) to be deasserted before it starts a new transaction n GenBuf uses a fair scheme to select the Receiver

8 Sender to GenBuf Signal Name Description STOB_REQ(0)Request Input for senders 0-3 DI_0_(0..31)Data in for Sender0 DI_1_(0..31)Data In for Sender1 DI_2_(0..31)Data In for Sender2 DI_3_(0..31)Data In for Sender3 GenBuf to Sender Signal NameDescription BTOS_ACK(0..3)Acknowledgment for Senders 0-3 I/O Specification for Sender

9 Receiver to GenBuf Signal Name Description RTOB_ACK(0..1)Acknowledgment from Receivers 0-1 GenBuf to Receiver Signal Name Description BTOR_REQ(0..1)Request to Receivers 0-1 DO(0..31)Data out I/O Specification for Receiver

10 Other inputs to GenBuf Signal Name Description RSTReset Signal: Active High (set to 1 for 2 cycles then to 0) CLKClock (set to 1) ERROR_FOUND(1..6)Set to 0 Other Inputs

11 Classification of Properties n Functional correctness - does the arbiter issue a grant within 4 cycles of receiving a request? n Safety properties - does the arbiter only issue a grant if a request is raised? n Liveness properties - does the arbiter eventually issue a grant for every request?

12 Sugar Basics n In the temporal logic CTL è Time is discrete è The world consists of a current state, mapped to a specific node in the computation tree, and of many possible futures (all computation paths emanating from this state) n CTL has no way to refer to the past è The only way to refer to the past is to have information stored in state variables

13 CTL Operators n Path quantifiers è A - for all paths è E - there exists a path n Tense Operators è Xp- p holds at the next cycle è Fp- p holds sometime in the future è Gp- p holds globally from the present time è p U q- p holds until q holds – Temporal Operators – AX, AF, AG, AU, EX, EF, EG, EU

14 Sugar - Bounded-Range Operators n AX[i] è Shorthand for n times AX – AG(req -> AX[2](ack)) – AG(req -> AX AX ack ) n ABF[i..j](f) è Constrains AF between i and j clocks – AG(req -> ABF[1..2](ack)) – AG(req -> AX(ack | AX (ack)) )

15 Sugar Bounded Range Operators Cont. n ABG[i..j](f) è Constrains the future of the operator AG between i and j clocks from now – AG(req -> ABG[0..2](busy) ) – AG(req -> (busy & AX(busy & AX busy)) )

16 Sugar - sequences n {e0,e1,e2,...}(f) n f must hold on the last cycle of all computations that agree with the sequence e0 at cycle 0, e1 at cycle 1, e2 at cycle 2, etc. n Example: ” every req on cycle X that gets a gnt at cycle X+1 and doesn't get retried at cycle X+2, should cause busy to be active at cycle X+2" n AG {[*],req,gnt,!retry}(busy)

17 Sugar - until n CTL A[q U r] è r must occur eventually – strong operator: makes demand on terminating condition è r can occur in the current state, in which case q may not appear at all è q need not hold at the time r holds – AG(req -> A[busy U ack] ) n Sugar q until r è Weak version: does not require r eventually occur n Sugar q until! r è Strong version - equivalent to AU

18 Rule Partitioning rule check_ack { formula "An ack should be issued one cycle after a request is asserted." {AG ( req -> AX(ack) ) } formula "An a req is not raised this cycle, then an ack cannot be asserted upon the next cycle." {AG ( !req -> AX(!ack) ) } } rule check_waddr { formula 'If an ack has been issued, then on the next cycle the write address should be incremented' {AG ( ack -> AX(wp_incr) ) } }

19 Modeling the Environment n Study block interfaces in detail n Plan hierarchical structure of environment models, grouping related signals & reusing components where possible n Decide how to model each input - which inputs should be nondeterministic n Code the logic in EDL n Take time to verify environment model - especially if complex

20 Key Environment Concepts n Fairness n Invariants

21 Fairness var req : boolean; assign init(req) := 0; assign next(req) := case req & !ack : req; ack : 0; else : {0,1} esac; Problem - What if we are not interested in the path where req is never asserted? Consider the rule: {AG ( AF(req) ) }

22 Fairness n To be used when we are only interested in the correctness along fair computation paths n Using a fairness constraint restricts the search to fair paths n A path is fair if each fairness constraint is true infinitely often along the path

23 Fairness Constraints n Syntax: è fairness expr; n Example: è fairness req; n {AG ( AF (req) ) } è would fail without a fairness constraint è would pass with the constraint: l fairness req;

24 EDL - invariants n Allows you to specify a boolean formula that you want to be true at every cycle n Restricts the analysis to states in which expr holds n Can be used to model the environment or to (over) restrict the design n Syntax: è invar expr;

25 EDL - invariant example n Suppose the environment must supply a read request, or a write request, but never both: è var read_req, write_req: boolean; è assign write_req := if read_req then 0 else {0,1} endif; n a simpler way using invariants: è var read_req, write_req: boolean; è invar !(read_req & write_req);

26 EDL - invariant example var req : boolean; assign init(req) := 0; assign next(req) := case req & !ack : req; ack : 0; else : {0,1} esac; Consider this invariant - what is wrong with it?: invar req;

27 RuleBase options

28 BDD Order n Rulebase uses a data structure called a Binary Decision Diagram (BDD) è Every state variable (flip-flop) has a distinct level from 1 to n, where n is the number of state variables è The order in which the levels are allocated to the state variables has a large impact on the size of the BDD è The smaller the BDD, the less machine memory consumed

29 BDD Ordering n Rulebase performs BDD ordering during model checking n Extremely CPU intensive n Turn it on for initial runs, and then use resulting order for consecutive runs

30 Reductions n Eliminates logic that is not in the cone of influence n Propagates constants from the environment forward n Eliminates redundant logic

31 SMV Reductions n Over-reductions to find constant flip-flops; applies reductions based on constants search results n Used when a size problem is encountered n Any constants found will be added to the orders pool è no need to activate if no new constants may be added n Parameter sets effort level

32 Safety On-The-Fly n In normal mode of operation, Rulebase computes reachable state space before checking any formula è reachable state space is the set of all states of the design that can be reached from the initial state n Rulebase (in many cases) can determine the falsity of the formula before it has completed the search of the reachable state space - counter- example produced earlier

33 Safety On-The-Fly n Formulas that do not suit Safety On-The-Fly è Formulas mixing A and E path quantifiers è Formulas that use AF, AU, EG or any strong Sugar operator è Formulas in which there is a '|' (or) between temporal subformulas n Specify trade off btw memory and time consumption during run è Larger this parameter is, the less memory consumed, but counter examples will take longer – Suggest small parameter value if expect failure

34 Liveness On-The-Fly n Liveness formulas can be checked during reachability è May take a long time è If formula is likely to pass, this option is not recommended

35 Other Options n Reachability è Determines if a search of the reachable state space of the circuit is to be the first step of verification è For most designs, this should be enabled n Stop after iteration è Integer indicating how far into the reachability analysis should go è Rulebase will not examine states that are further than X steps from the initial state

36 Rulebase Results n Fail n Tautology n Vacuous Pass è AG (req -> AX (ack) ) è when is this formula meaningless? è solution: vacuity check n Pass with witness or non-vacuously

37 How does Rulebase work? n Load the environment & rules; checks syntax n Loads the design, builds a module that includes the design and relevant enviroment n Perform the first phase of optimization and reports how many flip-flops in the design influence the rule & how many env variables influence the rule n Searches for best order file, or takes the rule_name.order n Performs a 2nd phase of optimization if SMV reduction is set to 'on' n Checks if the formula is a tautolgy

38 n Checks formulas using the light proof algorithm (if enabled) n Checks formulas on the fly n If a bug is found, creates a counter example; if not, creates a witness if not vacuous n For a liveness formula, stops every several steps and performs additional reduction phases with an attempt to evaluate the formula How does Rulebase work?

39 Summary n GenBuf Example n Environment Modeling n Sugar n Running Rulebase

Download ppt "Introduction to Formal Verification using Rulebase April 18, 2001 Rebecca Gott eServer I/O Development Hardware Verification"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Network II.5 simulator ..

Network II.5 simulator ..
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.

Similar presentations

Ads by Google