Formal Verification

You might also like

Download as pdf or txt
Download as pdf or txt
You are on page 1of 18

Formal Verification in VLSI

Dilawar Singh

Indian Institute of Technology Bombay

November 28, 2010

Dilawar Singh Formal Verification in VLSI


These slides were evolved

during Testing and
Verification of VLSI
course offered by Prof. M. P.
Desai at IIT Bombay. It deals
with non-technicalities of the
’formal verification’ rather
than theories and principles.
Some comments are
personal.Reader discretion is
advised. :-)
Figure: From

Dilawar Singh Formal Verification in VLSI

Formal Verification

I Traditionally one discovers error in software and hardware by

testing all possible combination e.g. using simulation.1
I Since VLSI systems are too large, one can test only a (tiny?)
fraction of them in practice. And this is when computer
computer runs faster than Chacha Chaudhary’s Brain.
I Besides, everything runs on simulation is orders of magnitude
slower than the real hardware, so pre-silicon testing is limited.
That is why so little new design are coming out of industries.
Testing has become way too costly. Over 25% of total cost.
I Formal verification is an alternative that proves
mathematically that given VLSI system will work as intended.
I Testing is for fault detection.Formal Verification is fault
avoidance technique.

I’m done simulating; Now what?, Kantrowiz M and Noack Lisa, DEC
Dilawar Singh Formal Verification in VLSI

I In 1914, Littlewood proved that π(n) − li(n) changes sign

infinitely often, where pi(n) is the number of primes ≤ n and
li(n) = lnduu though first instant of sign change occurs when
n ≥ 1.39822 × 10316 discovered by Bays & Hudson (2000).
I Exhaustive testing using brute force may miss some
errors which can be detected by formal verification.
I Most notable example is Pentium FDIV Bug
I It’s good to be paranoid while verifying.

Dilawar Singh Formal Verification in VLSI

Formal Models

I Specification First of all, we need to write down how my

system should behave. Mathematical Description.
I Kripke Structures.
I Formal verification that aims to prove the correctness of
design with respect to a given mathematical formal
I However, checking against a reference does not mean that
reference is correct. Sanity check of the reference is required.

Dilawar Singh Formal Verification in VLSI

How hard is formal verification

I Writing out complete

proof for correctness is
like defeating Tai Lung
without a dragon scroll.
And even one has one,
not necessarily one can
use it.
I Assumptions and special
cases must be made
explicit. Even for small
undertaking, this is a big
task. Figure: Stick to details and
procedures. Not everyone is gifted!

Dilawar Singh Formal Verification in VLSI

Theorem Provers

I It would be great if one can prove or

even generate a proof using computer.
I It will reduce the risk of mistakes and
can automate some part of it for a
large system.
I Downside: People may become
dumber at a cost of smarter planet.
I There are many software package
available for this purpose. A very good
list can be found here.a
education/Tools/ Figure: From

Dilawar Singh Formal Verification in VLSI

Verification - Hardware V/S Software

I In recent years, formal hardware

verification have become very
important part of development
process. Almost all of the leading
companies use them but software
companies are still lagging. a
I Why?
I Probably because they can get away
with it. A faulty software does not
throw you our of business. Microsoft
Windows is still around.
I Its easy to write patches for software. Figure: A faulty hardware (and
Almost impossible for a hardware. or (= xor ?)) faulty software) can
make your machine life miserable.
Formal methods : State of Art and Future Take care!
Directions, Clarke and Wing, CMU.
Dilawar Singh Formal Verification in VLSI
Combinational Comparison

I One very fundamental question is whether two given

combinational circuits are equivalent for a given input
combination. For example, output of a synthesis tool modified
by a designer to reduce the gate.
I Task is that optimised and unoptimised circuits are
equivalent. This can be done by verifying truth table.
Tautology checking.
I Though this can be automated, but in practice, working with
truth table are tedious and inefficient.

Dilawar Singh Formal Verification in VLSI

Efficient tautology checking

I Tautology is NP-complete problem. One have to find

heuristics for given cases till someone gives an efficient
algorithm to solve these problems.
I Divide the circuit and solve for smaller parts.
I In practice, Binary Decision Diagrams are efficient. They also
give a canonical representation for a given boolean formula
with a specific variable ordering. 2
I Other methods are Integer Programming, Davis-Putnam
I Symbolic simulation is also a candidate. They have been
inefficient till now.

Bounded Model Checking, Armien Biere et al. Advances in computers,
Dilawar Singh Formal Verification in VLSI
Symbolic Trajectory Evaluation

I One can write specification in a restricted temporal logic

specifying the behavior over bounded-length trajectories
(sequence of circuit state).
I One example : if the circuit satisfy the property P then after
n transition it will satisfy the property Q. E.g. if P (a counter
is reset) is true then Q (the output is n) will be true after n
I The the circuit can be checked for this specification. If this
does not hold true then a witness will be found.

Dilawar Singh Formal Verification in VLSI

Temporal Logic Model Checking
I In general, specification can be written in more general
temporal logic without the limitation of bounded
trajectories.Hardware is reduced to a state transition system in
which at every state, one checks whether a given atomic
formula holds or not.
I Linear Temporal Logic (LTL) and Computation Tree Logic
(CTL) can be used to describe the behaviour.
I In CTL, behaviour can be specified by quantifying both over
future and over all range of possible states transition
sequence. Kripke Structure are natural for these specification.
I Since every transition system is coded up with combination of
boolean variables, BDD are used to represent them. There are
many BDD packages available. 3
I For example, EGf means that there exists a paths for which f
holds in every state. A path is a sequence of possible state
Dilawar Singh Formal Verification in VLSI
Example : Kripke Structure

I Kripke structure K = (S, I , T , L) .

I S is the set of states; I ⊆ S is the set
of initial states; T ⊆ S × S is the
transition relations and L : S 7→ P(A)
is the labeling function, where A is the
set of atomic proposition, and P(A)
denotes the power-set of A i.e. for a
state s ∈ S the set L(s) is made of the
atomic proposition that holds in s.

S = {00, 01, 10, 11}

I = {00} Figure: A finite State Machine!
T = {(00, 01), (00, 11), (01, 00), (01, 10),
(10, 11), (10, 01), (11, 10), (11, 00), (10, 00)}

Dilawar Singh Formal Verification in VLSI

Example : Temporal representation

I Let xnext is the next state and x is the

current state of two bit vector.
Assuming that both up and down can
not be 0 at same time,

xp (0) = ¬x(0) (1)

xp (1) = x(0) Y x(1) (2)
xm (0) = ¬x(0) (3)
xm (1) = ¬(x(1) Y ¬x(0)) (4)
Figure: A finite State Machine!
T (xnext , x) : xnext = (up ∧ ¬down ∧ xp(5)
∨(¬up ∧ down ∧ xm ) ∨ (up ∧ down ∧ x(6)

I f : T holds.
I EGf is true. In fact for every path f is
true i.e. AGf holds.
Dilawar Singh Formal Verification in VLSI
Model Checking
I In model checking, one builds a finite model of a system and
check that a desired property holds in that system. This is
done by search exhaustively (and some times wisely), if it does
not hold and a counterexample is produced. That is its
greatest strength to able to produce and error and thus
suitable for debugging. Since model is finite, it will terminate.
It is mostly used in hardware and protocol verification.
I Two approaches are genrally used in model checking,
TEMPORAL MODEL CHECKING (we have seeb them ) and
‘find and automation and compare to the specification to
determine whether or not its behaviour conforms to that
specification . For example, Language Inclusion (Har’El and
Krushan, 19941], refinement ordering [Cleaveland et all. 93],
observal equivalence [Cleaveland et all 93, Fernandez, 96, Roy
and de Simone 90].
I Vardi and Wolper [1986] have shown how the temporal model
checking problem could be recast in terms of automata, thus
Dilawar Singh Formal Verification in VLSI
Theorem Proving V/s Model Checking

I Two well established approach to verification are model

checking and theorem proving. Model checking is very fast
but can handle finite states.
I When theorem proving fails, unlike Model Checking, it does
not produce a counter-example.
I Model checking is much faster than theorem proving. But the
problem is STATE EXPLOSION. There are heuristics to
improve this though [Krushan 1994; Krushan 1994] and
semantic minimization (Elseaidy et al. 1996] to eliminate
unnecessary states from a system modeling. Using this
method one has verified 101 20 reachable states.
I Theorem proving can deal with infinite state space. It uses
structural induction to prove over infinite domains.

Dilawar Singh Formal Verification in VLSI

Blah Blah
I The overreaching goal of formal methods is to help engineers
construct more reliable systems. A global property is broken
into local properties which are conceptually easier to handle.
I Abstraction is also needed. Hardware specification can written
down in more abstract language like Esteral (good for control
engineering freaks).
I Combination of mathematical theories is also a very less
explored area. One solid concepts from one discipline can find
application in another numerous fields, graph theory is one of
the most remarkable example of it.
I Who can forget to include better data structures and
I Rather than building models for some specific problem, one
can ambitiously romanticise “meta-tools” which themselves
can produce or change themselves to handle a particular
problem domain. Integration of available methods?
Dilawar Singh Formal Verification in VLSI

I In the hand of a Jedi Knight a simple looking light saber is

more efficient that a million dollar weapon. How to use your
available tool efficiently, one should learn through practice.
Anyone who have mastered vim editor will probably agree
with me.
I A list of available tools are given here

Dilawar Singh Formal Verification in VLSI

You might also like