Formal Equivalence Checking

Logic Verification
„ Full-chip functional verification
Full-chip functional to verify the correctness of the
verification design

RTL „ Equivalence checking to verify

Equivalence Checking
that actual implement = design
Verification
of Test
Schematic „ Equivalence checking to make
sure test model is appropriate
Gate

Timing, Power, etc.

„ Timing and power are analyzed at
layout level

Slide # 2

1
1
 Boolean Equivalence Checking

Latch

Latch
MEM MEM

RTL Schematic

¾ Check for “structural equivalence”

¾ Require one-to-one latch correspondence
» Partition design into independent combinational cone
¾ Verify each combinational logic cone independently
¾ Impose additional restrictions on custom design

Slide # 3

Approaches
• Step 1 – Extract gate-level model from
transistor-level schematics
¾Explicit – pattern matching + symbolic
analysis
¾Implicit – symbolic simulation/analysis
• Step 2 – Check equivalence between two
(combinational) logic cones
¾OBDD-based approach
¾SAT-based approach

Slide # 4

2
2
 Model Extraction
Spice
Netlist ?
Gate Gate RTL
Schematics

• Model extraction
¾Symbolic boolean analysis + pattern matching
¾Need to recognize precharge, self-timed
circuitry, latches, sometimes even memory cells
¾Need to find an “acceptable” gate-level model
9May not be exactly as what the original design intended
¾Useful for testing as well

Slide # 5

Symbolic Analysis
• For each CCC component
¾ consider all lines to the transistor
gates as inputs
¾ consider all lines to the transistor CCC
gates in other components as
outputs
• Steady state response
¾ given a set of input values,
compute steady output values
• Each component behaves like
an independent function block
¾ When extracting, we handle each
component separately

Slide # 6

3
3
 Symbolic Analysis of Transistor Network

• Inputs and node states can be “symbols”

¾ a symbol can be either 0 or 1
¾ if all inputs are symbols, we try to compute the boolean
function given by the network
9f = ab+cd, etc.
• Basic idea:
¾ Develop the symbolic equation for every CCC
¾ Synthesize the equation into gate netlist
¾ Connect the netlists together to form the final circuit

Slide # 7

Construct Gate Level Model

• Symbolic Boolean Analysis gives us for CCC

¾Each output node as a boolean function of inputs
¾Try to convert that function into Gates
• Gate primitives used
¾AND, OR, NOT, MERGE, ENABLE
¾Operate on a 4-value system
90, 1, Z, X

• Apply heuristics to prune the gate level model

Slide # 8

4
4
 Construction Gate Level Model 2
X
• 0, 1, Z, X
¾ Z means “no value” 0 1
¾ X means “conflicting
values” Z e
Z 0 1 X
• ENABLE e Z Z Z Z
¾ Acts as an optimistic TSD a a 0 Z 0 0
1 Z 1 1
¾ Can use TSD instead X Z X X
9 The result will be pessimistic
b
• MERGE Z 0 1 X
Z Z 0 1 X
¾ Acts as LUB a
a 0 0 0 X X
b 1 1 X 1 X
X X X X X

Slide # 9

Pattern Matching + Path Enumeration

• Ex. GateMaker (IBM, Motorola)
¾Preserve schematic structure better
• Classify circuit into 4 families
¾Combinational Static
¾Differential Cascode Voltage Switch
¾Pass Gate Logic
¾Dynamic Domino
• Recognize special design styles
¾Keeper
¾Feedback logic

Slide # 10

5
5
 Patterns
O
O
F
F G

G F=G?
F=G?

Clk
A
A
B
B

Slide # 11

Suppose Extraction Works

Spice
Netlist EQ ?
Gate Gate RTL
Schematics
extraction synthesis

• EQ checker works on 2 gate level models

¾Identify latch correspondences
¾Incrementally prove permissible signal pairs
¾Use ATPG, BDD, or both

Slide # 12

6
6
 Identify Latch Correspondences
Latch
Latch Latch
…
Latch which?

• Manually or automatically?
• Manually – much overhead to the user
• Automatically -various heuristics are applied
¾Identify a latch point
¾Identify structural similarity
¾Utilizes design information (hierarchy, names, etc.)
Slide # 13

Checking EQ of 2 Logic Cones

Latch
s-a-0?
?=
Latch

• ATPG-based approach
¾ To prove that the s-a-0 is a redundant fault
¾ Less memory constraint and hence, scale better
• (SAT-based approach)
• OBDD-based approach
¾ More memory constraint

Slide # 14

7
7
 Structural Similarity Helps

?= ⇒ ?=

• Structural similarity allows EQ to proceed

incrementally
¾Divide and conquer
¾Employ various heuristic to guess matching points
¾Most EQ tools explore structural similarity to speed
up the process

Slide # 15

Local BDD can help

a a’

• When proving a=a’, the cones of logic may be very

different
¾ ATPG approach becomes inefficient
¾ Similarity can’t be found
• Use local BDDs – BDDs based on internal points
¾ Local BDDs can quickly show the equivalence of a and a’
given that all supporting points are equivalent
¾ Proceed backward with a limited # of levels to search for
local-BDD-based equivalent
Slide # 16

8
8
 BEQ IS Practical!!
• BEQ is practical
¾ Has been applied to full-chip μ-processors
¾ Commercially available
• BEQ check for “strong equivalence;” however
¾ Consistency may be enough
9 Both behave the same in the care functional space
¾ Equivalence up to limited clock cycles may be
enough
• BEQ will have its difficulty
¾ on memory designs
¾ when there is no structural similarity (on large and
complex cones)
¾ when there is no 1-to-1 latch correspondence
Slide # 17

Symbolic Simulation

9
9
 Arrays

Logic
Latch

Latch
Logic
Latch
Memory
Core

Latch
Logic
Logic

• Custom design at transistor level

• Large in Size (Millions of Transistors)
• High-Performance Sequential Logic
• Examples: Cache, Tag, BAT, TLB, Regs, Status Array, etc.

Slide # 19

Symbolic Simulation
1 0 0 F(A,B,C,D,E,F,G,H)
C

G G 1
I F D
B

H E E
A

1 1 1
CLK
1 0

• Traditional 0/1 vector simulation

» Input 0/1 vector; Results in 0/1
• Symbolic Simulation
» Input arbitrary symbols; Results in logic functions
(often represented as OBDDs)
» Bounded by a constant number of clock cycles

Slide # 20

10
10
 Why It Is Good For Memories?
• Symbolic simulation of an address A =
[a1,a2,…,an] with a data D = [d1,d2,…,dm]
can cover all memory cells at once
¾ In contrast, imagine you perform 0/1 simulation on
a large memory block
¾ Today, an array easily has millions of cells
• Memories are often custom designs that
contains sequential behavior
¾ Contain dynamic logic
¾ Hard to model at gate-level
¾ LEQ does not apply

Slide # 21

Symbolic Trajectory Evaluation

F(D,E,F,G)
1 0 0
when F’(D,E,F,G) is true
X

G X 1
I F D
X

X X E
X

1 1 1
CLK
1 0 1 0

• X’s at inputs are “don’t care”

• X’s during simulation are “don’t know”
• Allow more flexibility to partition functional space
» Easy handling of tri-state buffers, bus, etc.
» Improve symbolic simulation efficiency (simulate only
the case functional space)
» Bounded by certain clock cycles
Slide # 22

11
11
 Trajectory Evaluation
• Based on three-value logic: {0,1,X}
A B State of this inverter is a 2-tuple <A,B>
where both A,B can have a value in {0,1,X}

0 delay Assert: If A=1 then B=0

t=0 t=1 t=2 t=3

<A,B> <0,X> <X,0> <0,X> A valid trajectory

<A,B> <0,X> <X,0> <0,0> A valid trajectory

<A,B> <0,X> <X,1> <0,X> An invalid trajectory

This cannot be!

Slide # 23

Correct Trajectory
Antecedent
A B Assert: If (A is 0 from 0 to 1)
then (B=1 from 1 to 2)
1 unit delay Consequent

t=0 t=1 t=2 t=3

<A,B> <0,X> <X,X> <X,X> <X,X> Weakest sequenct

satisfying Antecedent
<A,B> <0,X> <X,1> <X,X> <X,X> Weakest satisfying
trajectory
<A,B> <X,X> <X,1> <X,X> <X,X> Weakest sequenct
satisfying Consequent

Note that: 1⊆X, and 0⊆X

Slide # 24

12
12
 Incorrect Trajectory
Antecedent
A B Assert: If (A is 0 from 0 to 1)
then (B=1 from 1 to 2)
1 unit delay Consequent

t=0 t=1 t=2 t=3

<A,B> <0,X> <X,X> <X,X> <X,X> Weakest sequenct

satisfying Antecedent
<A,B> <0,X> <X,0> <X,X> <X,X> This doesn’t hold

<A,B> <X,X> <X,1> <X,X> <X,X> Weakest sequenct

satisfying Consequent
<X,0> ⊆ <X,1>
Slide # 25

STE Assertion
1 0 0 F(A,B,C,D,E,F,G) when F’ is true
C

G X 1
I F D
B

X E E OBDD
A

1 1 1
CLK
1 0 1 0

• Express each array operation as “Antecedent =>

Consequent”
¾ where Ant and Con are written in a functional language
following a restricted linear time logic
• The number of assertions for a design may vary
depending on the person who creates them

Slide # 26

13
13
 A Write Assertion Example
Constant Control Values
Symbolic Control Values
Data D2 T0:Initialize What to
T0 be seen?
Address A2 Array[A1]=D1
time T

• At time T,
¾ If (A1 = A2) then Array[A1] = D2
¾ else { Array[A1] = D1 and Array[A2] = D2 }
• Describe how outputs behave based on symbolic
controls during CLK high
• Describe output behavior during CLK low

Slide # 27

STE Methodology
manual
RTL Gate Schematic
Assertions

STE Symbolic Simulation Engine

• Assertions capture the high level

functionality
• RTL can be verified independently
¾achieve both logic and functional
verification w.r.t. the set of assertions

Slide # 28

14
14
 STE = EQ
Automatic
RTL Gate Schematic
Assertions

STE Symbolic Simulation Engine

¾ Extract assertions from RTL

¾ Do not verify RTL independently
¾ Provide a bounded-cycle sequential
equivalence checking methodology

Slide # 29

An Array Bit Cell

C2
8
C1 wl
decoded address

Data Data_b
bl blb
C2
Bitline

VDD Bitcell VDD

14
C1 bl_pchg_b

Write enable
C2 wen
9

Read enable din din_b

C1 iso
4 12 VDD VDD

sa pchg_b
Write enable from L1 latch
Sense line

Read enable from L2 latch VDD VDD

dout latched in a L1 latch
din and din_b from L1 latch

saen
4 4 unit delays

9 9 unit delays

dout

Slide # 30

15
15
 Bit Cell Timing Diagram
C1

C2

(L1 LATCH) Write enable

(L2 LATCH) Read enable

(L1 LATCH) din A D_NEW

bl_pchg_b pchg 14

sa_pchg_b

8
wl
4
saen
12
iso
9
wen

dout D_OLD

(Bitcell) Data D _OLD D_NEW

TIME
Slide # 31

A Verification Example
RTL model

module(C1,C2,Ain,Bin,Cout)
RTL model
input Ain,Bin,C1,C2;
output Cout;
wire and_out;
Custom-built schemetic implementation
reg A.L1, A.L2, B.L1,B.L2, C.L1, C.L2 VDD
assign and_out = A.L2 & B.L2; Din D
L1
always @(C1 or Ain or Bin or and_out) Dl2out
L2 F
if (C1) C1
y L1
A.L1 = Ain; B.L1 = Bin; C.L1 = and_out; C2
always @(C2 or A.L1 or B.L1 or C.L1) Ein L2
E C1 Fl2out
if (C2) L1
A.L2 = A.L1; B.L2 = B.L1; C.L2 = C.L1; L2 C2
C1
C2 El2out GND
assign Cout = C.L2;

endmodule

Slide # 32

16
16
 Verifying The Schematic
t0 t1 t2 t3- t4 t5 t6+ t8 t9
t3 t7
t6
C2 X X

C1 X c1 X
Antecedent

F.L1SN X c X

D.L2out X a X
Derive
E.L2out X b X
C1 & (A&B) |
F.L1SN X c [ c1 & (a & b) | (~c1 & c ) ] X (~C1 & C)
simulation
Symbolic

D.L2out X a X from the RTL

E.L2out X b X automatically
Consequent

F.L1SN X X
Check for
[ c1 & (a & b) | (~c1 & c ) ]

Slide # 33

Overall Verification Strategy

Read enable
Write enable Read/write
control logic m rows X n columns
Sense-amp outputs
column MUX

C1 clock
Primary outputs
Bitcell
Address Address matrix
decode logic

Data
conditioning
Data in logic

Feedback

col0 col1 coln

WL’s from row decoder
To column MUX To word lines

1 wl0
Bitcell Bitcell
Row address
(log n + log m)

Row wl1
decoder n
Address

log n Bitcell Bitcell

log m 1
Column Sense amp Sense amp
Word line
Column address Decoder m Din
column decoder
Selects from

Column mux
Array control signals

Read enable
Bitlines

Bitline

Write enable Carefully timed

read and write Bitcell
C1 clock control logic and Primary Outputs
data conditioning
Data in Combined read and write port

Slide # 34

17
17
 Results – Motorola Versys2
Array block Bit cells Latches Control logic transistors Assertions runtime (hrs)
A 73,728 1,346 69,000 11–12
B 24,576 1,612 87,500 15–16
C 3,968 357 31,000 15–16
D 24,576 935 44,000 16–17
E 131,072 330 177,500 19–20
F 88,704 445 39,500 12–13
G 50,688 706 156,000 11–12 Validation time
H 71,680 276 60,000 15–16 Array block (person-months) Discrepancies
I 21,824 1,192 27,000 2–3 A 3 4
J 1,024 0 8,950 1.5–2 B 3 6
K 4,096 0 7,900 5–6 C 3 5
L 8,512 0 8,800 5–6 D 3 5
M 256 0 4,500 6–7 E 3 9
N 512 0 1,250 1–2 F 2 6
O 2,096 0 32,400 1–2 G 2 5
P 4,192 0 6,050 4–5 H 3 4
I 2 2
J 1 1
K 2 4
L 2 5
M 2 5
N 1 3
O 1 0
P 1 2

Slide # 35

In Summary
• Symbolic simulation is efficient for
embedded array verification
¾Symbolic addressing covers all space at once
¾Can be used for both logic and functional
verification (for array blocks)
¾Has been applied to very large array designs in
practice
• The methodology is not as rigorous as LEQ
¾LEQ checks for strong equivalence
¾Symbolic simulation checks for consistency
based on a pre-defined range of clock cycles

Slide # 36

18
18