
Formal Verification(1)


bela




Presentation Transcript


  1. Formal Verification(1)

  2. Functional verification
    • Simulation
    • Emulation
      • Emulator (general purpose)
      • FPGA prototyping (specific application)
    • Semi-formal verification
      • Coverage measurement
      • Test generation
      • Symbolic simulation
    • Formal verification
      • Equivalence checking
      • Theorem proving
      • Model checking

  3. Simulation
    • Definition
      • Representation of the operation or features of one process or system through the use of another
    • Description level
      • RT level, gate level, switch level, circuit level, …
    • Simulation engine
      • Event driven vs. cycle based
      • Compiled code vs. interpretive
    • Advantage
      • Can trade off execution time against completeness
    • Disadvantage
      • Needs an input generator and an output checker (or manual generation and checking)

  4. Emulation
    • Definition
      • Imitating the function of another system, as by modifications to hardware or software that allow the imitating system to accept the same data, execute the same programs, and achieve the same results as the imitated system
    • Advantage
      • Can check the design in its real environment
      • Faster than simulation
    • Disadvantage
      • Hard to build the whole system
      • Needs a fixed environment
      • Hard to debug
    • Simulation- or emulation-based testing can reveal the presence of bugs but can never assure the absence of bugs (Dijkstra, 1970s).

  5. SFV: Coverage measurement (1/3)
    • Objective
      • Increase the probability of bug detection by checking the ‘quality’ (coverage) of the stimulus
    • Advantage
      • Easy to apply
      • Good guide for generating input stimulus
    • Disadvantage
      • Many metrics, but no good model of design errors

  6. SFV: Coverage measurement (2/3)
    • Kinds of metrics
      • Code-based metrics
        • Line/code block coverage
        • Branch/conditional coverage
        • Path coverage
      • Circuit-structure-based metrics
        • Toggle coverage
        • Register activity
      • State-space-based metrics
        • Pair-arcs: usually covered by line + condition coverage
      • Spec-based metrics
        • Percentage of specifications satisfied

  7. SFV: Coverage measurement (3/3)
    • Available tools
      • VeriCover (Veritools)
      • SureCov (Verisity)
      • Coverscan (Cadence)
      • HDLScore, VeriCov (Summit Design)
      • HDLCover, VeriSure (TransEDA)
      • Polaris (Avant!, now Synopsys)
      • Covermeter (Synopsys)

  8. SFV: Test generation
    • Objective
      • Automatically generate input stimulus to increase test coverage
    • Kinds
      • ATPG methods
      • Dynamic formal, or ABV (assertion-based verification) (‘0-in search’ from 0-in Design Automation, Inc.; refer to www.0-in.com)
    • Advantage
      • High productivity
    • Disadvantage
      • Needs a result checker
        • Ex) the ‘assertion’ statement in 0-in search
      • No constrained inputs
        • Generally, ATPG-generated inputs may or may not meet the input constraints

  9. State space vs. search space (diagram comparing the state space covered by Formal Verification, Dynamic formal verification (0-in), and Simulation)

  10. SFV: Symbolic simulation
    • Objective
      • Compute an expression instead of a value
    • Advantage
      • More coverage per simulation
    • Disadvantage
      • Not good with state machines
      • Does not support temporal logic
    • Industrial success story
      • Symbolic trajectory evaluation
      • Tackles switch-level design (Randal E. Bryant, COSMOS)

  11. FV: Equivalence checking
    • Objective
      • Check the equivalence of two models
        • RTL vs. gate
        • Before optimization vs. after optimization
        • Before test insertion vs. after
        • Reference model vs. implementation
    • Advantage
      • Guarantees functional equivalence of the two models for all input values
    • Disadvantage
      • Needs a golden reference model
      • Targets implementation errors rather than design bugs

  12. FV: Theorem proving
    • Deductive verification
      • Use axioms and proof rules to model the system (a formal system).
      • State the property to be verified as a theorem of this formal system.
      • Derive this theorem with the help of a theorem prover, which generates the rules derivable from the axioms and premises.
    • Useful for verifying algorithms
    • Industrial success story
      • AMD K7 floating-point verification
      • Intel instruction decoder verification
    • Disadvantage
      • Very hard to automate.
      • Requires user interaction.
      • Deriving the formal system can be quite cumbersome.
      • Requires an expert to use the theorem prover.

  13. FV: Model checking
    • Objective
      • Check properties of the model under all possible conditions
    • Advantage
      • Can be fully automated
      • If the property does not hold, a counter-example is generated
      • Relatively easy to use
    • Problem
      • Works (well) only for finite-state systems.
      • Needs abstraction or extraction
        • Both tend to introduce errors
      • Engineers are not always happy to use temporal logic, which is the language used to describe the ‘property’ in MC.
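The "counter-example is generated" advantage on this slide is easiest to see on a small finite-state model. The following is an added example, not code from the presentation: an explicit-state checker in Python that explores every state reachable from the initial state and reports the shortest trace to a state violating an invariant. The model is a constructed toy door-lock controller (the state names, actions and the property are assumptions made here); the buggy version lets a logout leave the door open, so the property "door open ⇒ authenticated" fails and the checker returns the trace login → open → logout, while the fixed version passes.

```python
from collections import deque

# Constructed toy model (not from the slides): a door-lock controller whose
# state is the pair (authenticated, door_open). A transition function maps a
# state to {action_name: successor_state}.

def buggy_transitions(state):
    auth, door_open = state
    succ = {
        "login": (True, door_open),
        "logout": (False, door_open),   # bug: logging out leaves the door as it was
        "close": (auth, False),
    }
    if auth:                            # only an authenticated user may open the door
        succ["open"] = (True, True)
    return succ

def fixed_transitions(state):
    succ = buggy_transitions(state)
    succ["logout"] = (False, False)     # fix: logging out also closes the door
    return succ

def door_open_implies_auth(state):
    """The property to check on every reachable state: door_open ⇒ authenticated."""
    auth, door_open = state
    return (not door_open) or auth

def check_invariant(initial, transitions, invariant):
    """Explicit-state model checking of an invariant (in CTL terms: AG invariant).
    Breadth-first search over every state reachable from `initial`; returns
    None if the invariant holds everywhere, otherwise the shortest trace to a
    violating state as a list of (action, state) pairs, i.e. the counter-example."""
    parent = {initial: None}            # state -> (action, predecessor) that first reached it
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while parent[s] is not None:
                action, prev = parent[s]
                trace.append((action, s))
                s = prev
            return list(reversed(trace))
        for action, t in transitions(s).items():
            if t not in parent:
                parent[t] = (action, s)
                queue.append(t)
    return None

def actions_of(trace):
    """Only the action names of a counter-example trace (None stays None)."""
    return None if trace is None else [action for action, _ in trace]

INITIAL = (False, False)                # logged out, door closed

if __name__ == "__main__":
    for name, model in (("buggy", buggy_transitions), ("fixed", fixed_transitions)):
        result = check_invariant(INITIAL, model, door_open_implies_auth)
        if result is None:
            print(f"{name}: property holds on every reachable state")
        else:
            print(f"{name}: counter-example " + " -> ".join(f"{a}{s}" for a, s in result))
```

Because the search is exhaustive over the reachable states, a None result is a proof for this finite model, which is the point the slide makes against simulation; the price is that the state set must be finite and small enough to enumerate, which is why the slide lists abstraction as a prerequisite.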

  14. Verification in SoC design (1/3)
    • Too big to verify the whole system
    • Already verified IPs
    (Diagram: an SoC made of an Embedded Processor (IP), a Peripheral (IP), a Peripheral (custom designed), a Memory interface with Memory, and two External Devices, all connected through a custom-designed Interconnection)

  15. Verification in SoC design (2/3)
    • Divide-and-conquer
    (Diagram: the same SoC with each IP replaced by an abstract model, the interconnection by an interconnection model or abstract model, and the external devices by an External Device model; the Peripheral (custom designed) stays as is)
    • Verify the custom-designed block; check the spec. for the interconnection model
    • Verify the interconnection model by using the abstract IP models (check only the transaction operation)

  16. Verification in SoC design (3/3)
    • Summary
      • Divide-and-conquer
        • Does not verify individual blocks
          • Too big to verify the whole system
          • Already verified IPs
        • Checks basic interconnections among blocks
        • Looks for unexpected transactions between blocks → spec. verification by model checking

  17. Simple definition of FV
    • Formal verification?
      • Application of logical reasoning to the development of digital systems
      • Logic is concerned with what is true and how we know whether something is true
      • Both the design and its specification are described in a language whose semantics is based on mathematical rigor, and the verification is then performed using symbolic manipulation

  18. Value and cost of FV
    • Formal verification gives the ability to
      • Express specs precisely
      • Clearly define when an implementation meets the spec
      • Understand the spec and the implementation
    • Formal verification needs
      • A language for specifying the desired properties
      • A mathematical model of the system
      • A method of proof to verify that the specified properties are satisfied

  19. Formal model
    • Mathematical model for a formal method
    • Requirements of a formal model
      • Must be complete, representing all the essential aspects of the subject being modeled
      • Must be predictive
        • Conclusions drawn from the model = observed results of the subject itself
      • Must be well-formed
        • Should not allow fallacious or ill-formed reasoning

  20. Verification
    • Verification involves checking a satisfaction relation, usually written as a sequent:
        M ╞ F
      where
      • M is a model (or implementation)
      • F is a property (or specification)
      • ╞ is a relationship that should hold between M and F, i.e. the pair (M, F) is a member of ╞
    • Logic is used to express the model, the property, and the relation, and valid arguments of the logic are used to deduce whether the relation holds for the particular model and particular property.

  21. Verification
    • Verification involves
      • Specifying the model/system
      • Specifying the properties
      • Choosing the satisfaction relations
      • Checking the satisfaction relations
    • Language
      • Specifying something needs a logic
      • Different logics give us different ways of expressing M and F, and define which pairs are members of ╞

  22. Logic
    • Logic
      • Logic is concerned with the form of arguments and the principles of valid inference.
      • Induction and deduction
      • Symbolic logic is a modern type of formal logic using special mathematical symbols for propositions, quantifiers, and relationships among propositions, and concerned with the elucidation of permissible operations upon such symbols. (Webster dictionary)
    • Logic consists of
      • Syntax
      • Semantics
      • Proof procedure(s) (also called proof theory)

  23. Logical reasoning
    • Example: If the train arrives late and there are no taxis at the station, then John is late for his meeting. John is not late for his meeting. The train did arrive late.
    • Question: Were there taxis at the station or not?
    • Answer: There were taxis at the station.

  24. Logical reasoning
    • Symbolic description
      • p : The train is late
      • q : There are taxis at the station
      • r : John is late for his meeting
    • Valid argument (premises above the line, conclusion below)
        If p and not q then r
        Not r
        p
        -----------------------
        q

  25. Various logic classes
    • Propositional logic
    • Predicate logic
    • Higher-order logic
    • Temporal logic
      • Linear temporal logic (LTL)
      • Branching temporal logic (BTL)
      • Computation tree logic (CTL)
      • Many other variations (CTL*, CTL+, …)

  26. 1. Propositional logic
    • Invented by Boole
    • Syntax (well-formed formulae)
      • Two constant symbols: T and F
      • Proposition letters (a, b, …)
      • Propositional connectives (not (~), and (&), or (|), ⇒, ⇔)
      • Brackets
    • Semantics (truth tables)
    • Proof theory
      • Axiom systems
      • Natural deduction
      • Sequent calculus

  27. Syntax (well-formed formula)
    • Ill-formed formula
      • a(&c⇒)b
    • Construction rules
      • The proposition letters, T, and F are atomic formulas.
      • If a is an atomic formula, then a is a formula.
      • If p and q are formulas, then each of the following is a formula:
        • (~p), (p & q), (p | q), (p ⇒ q), (p ⇔ q)

  28. Semantics (truth table)
    • Two truth values Tr = {1, 0}
      • The range of the semantics function for propositional logic is {1, 0}
    • Operators
      • ~ : function from Tr to Tr
      • &, |, ⇒, ⇔ : functions from (Tr × Tr) to Tr
    • Boolean valuation
      • The semantics of propositional logic
      • A mapping v from the set of propositional formulas to the set Tr meeting the conditions:
        • v(T) = 1, v(F) = 0
        • v(~p) = ~(v(p))
        • for all the connectives: v(p ⊙ q) = v(p) ⊙ v(q), where ⊙ denotes any binary connective

  29. Proof theory – axiom systems
    • Axioms
      1. A ⇒ (B ⇒ A)
      2. (A ⇒ (B ⇒ C)) ⇒ ((A ⇒ B) ⇒ (A ⇒ C))
      3. (~A ⇒ ~B) ⇒ (B ⇒ A)
    • Inference rule
      • From A and A ⇒ B, B can be derived, where A and B are well-formed formulas
    • Ex) Show that (x ⇒ y) ⇒ (x ⇒ x) is a tautology
      1. x ⇒ (y ⇒ x) : by axiom 1
      2. (x ⇒ (y ⇒ x)) ⇒ ((x ⇒ y) ⇒ (x ⇒ x)) : by axiom 2
      3. (x ⇒ y) ⇒ (x ⇒ x) : by the inference rule, from lines 1 and 2
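A derivation in an axiom system is only as trustworthy as the check that each line really is an axiom instance or a modus ponens step, which is what a proof checker mechanises. The following is an added example, not code from the presentation: a Python checker for the slide's three axiom schemas and single inference rule, with formulas represented as nested tuples (a representation chosen here, not the slide's notation). It verifies the slide's three-line derivation of (x ⇒ y) ⇒ (x ⇒ x) and rejects a constructed bogus proof that claims x ⇒ y as an instance of axiom 1.

```python
# Propositional formulas as nested tuples (an added example, not code from the
# slides): a proposition letter is a str, ('not', A) is ~A, ('imp', A, B) is A ⇒ B.
def neg(a): return ('not', a)
def imp(a, b): return ('imp', a, b)

# The slide's three axiom schemas; A, B, C are metavariables standing for any formula.
META = {'A', 'B', 'C'}
AXIOMS = {
    1: imp('A', imp('B', 'A')),
    2: imp(imp('A', imp('B', 'C')), imp(imp('A', 'B'), imp('A', 'C'))),
    3: imp(imp(neg('A'), neg('B')), imp('B', 'A')),
}

def match(schema, formula, binding):
    """True if `formula` is an instance of `schema`. A metavariable binds to the
    subformula it first meets and must then bind consistently; `binding`
    accumulates the substitution."""
    if isinstance(schema, str):
        if schema in META:
            if schema in binding:
                return binding[schema] == formula
            binding[schema] = formula
            return True
        return schema == formula                      # a concrete proposition letter
    if not isinstance(formula, tuple) or formula[0] != schema[0] or len(formula) != len(schema):
        return False
    return all(match(s, f, binding) for s, f in zip(schema[1:], formula[1:]))

def check_proof(proof):
    """`proof` is a list of (formula, justification) lines, numbered from 1.
    A justification is ('axiom', k) or ('mp', i, j): modus ponens from line i (A)
    and line j (A ⇒ B). Returns the last formula, or raises ValueError at the
    first line that is not justified."""
    lines = []
    for n, (formula, just) in enumerate(proof, start=1):
        if just[0] == 'axiom':
            if not match(AXIOMS[just[1]], formula, {}):
                raise ValueError(f"line {n}: not an instance of axiom {just[1]}")
        elif just[0] == 'mp':
            i, j = just[1], just[2]
            if not (1 <= i < n and 1 <= j < n):
                raise ValueError(f"line {n}: modus ponens must cite earlier lines")
            if lines[j - 1] != imp(lines[i - 1], formula):
                raise ValueError(f"line {n}: lines {i} and {j} do not yield {formula} by modus ponens")
        else:
            raise ValueError(f"line {n}: unknown justification {just!r}")
        lines.append(formula)
    return lines[-1]

def is_valid(proof):
    try:
        check_proof(proof)
        return True
    except (ValueError, KeyError, IndexError):
        return False

# The slide's derivation that (x ⇒ y) ⇒ (x ⇒ x) is a theorem.
THEOREM = imp(imp('x', 'y'), imp('x', 'x'))
SLIDE_PROOF = [
    (imp('x', imp('y', 'x')), ('axiom', 1)),                        # A:=x, B:=y
    (imp(imp('x', imp('y', 'x')), THEOREM), ('axiom', 2)),          # A:=x, B:=y, C:=x
    (THEOREM, ('mp', 1, 2)),
]

# Constructed bogus proof: claims x ⇒ y directly as an instance of axiom 1.
BAD_PROOF = [(imp('x', 'y'), ('axiom', 1))]

if __name__ == "__main__":
    print("slide proof proves", check_proof(SLIDE_PROOF))
    print("bogus proof valid?", is_valid(BAD_PROOF))
```

The checker never searches for a proof; it only validates one that was supplied, which is exactly the division of labour the slide's theorem-proving discussion describes: finding the derivation takes the user, checking it is mechanical.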

  30. Proof theory – natural deduction (1/2)
    • Method
      • Make assumptions, and then discharge the assumptions
    • Inference rules
      • And-introduction: premises p, q; conclusion p & q
      • And-elimination: premise p & q; conclusion p (or q)
      • Double negation-introduction: premise p; conclusion ~~p
      • Double negation-elimination: premise ~~p; conclusion p
      • Implies-introduction: assumption p, premise q; conclusion p ⇒ q
      • Implies-elimination: premises p, p ⇒ q; conclusion q
      • Modus tollens: premises p ⇒ q, ~q; conclusion ~p
    • Note: implies-introduction may use an assumption and a conclusion derived from it, and then discharges the assumption

  31. Proof theory – natural deduction (2/2)
    • Ex) (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r))
      1. (q ⇒ r) : assumption
      2. (~q ⇒ ~p) : assumption
      3. p : assumption
      4. ~~p : double negation-introduction 3
      5. ~~q : modus tollens 2, 4
      6. q : double negation-elimination 5
      7. r : implies-elimination 1, 6
      8. p ⇒ r : implies-introduction 3, 7
      9. (~q ⇒ ~p) ⇒ (p ⇒ r) : implies-introduction 2, 8
      10. (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r)) : implies-introduction 1, 9
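What makes natural deduction different from an axiom system is assumption discharge: a step may only cite steps whose assumption scope is still open, and implies-introduction closes a scope. The following is an added example, not code from the presentation: a Fitch-style checker in Python for the rules listed on the previous slide, with formulas as nested tuples (a representation chosen here). It accepts the slide's ten-step proof and rejects a constructed proof that cites an assumption after it has been discharged, the mistake that scope tracking exists to catch.

```python
# Formulas as nested tuples (an added example, not code from the slides):
# a proposition letter is a str, ('not', A) is ~A, ('and', A, B) is A & B
# and ('imp', A, B) is A ⇒ B.
def neg(a): return ('not', a)
def conj(a, b): return ('and', a, b)
def imp(a, b): return ('imp', a, b)

RULES = {'assumption', 'and-intro', 'and-elim', 'dn-intro', 'dn-elim',
         'imp-intro', 'imp-elim', 'modus-tollens'}

def check_nd_proof(steps):
    """Fitch-style checker for the slide's rules. `steps` is a list of
    (formula, rule, refs) with 1-based refs to earlier steps.
    'assumption' opens a nested scope; 'imp-intro' cites [assumption, conclusion],
    must close the innermost open scope, and discharges that assumption.
    A step may only cite steps that are still in an open scope.
    Returns the last formula; raises ValueError on a bad step or if an
    assumption is left undischarged (then the result is not a theorem)."""
    formulas = []                   # formula of step k is formulas[k-1]
    scopes = [set()]                # stack of open scopes, each a set of step numbers
    opened_by = [None]              # step number of the assumption that opened each scope
    for n, (f, rule, refs) in enumerate(steps, start=1):
        def cite(k):
            if not any(k in scope for scope in scopes):
                raise ValueError(f"step {n}: step {k} is not in scope")
            return formulas[k - 1]
        if rule not in RULES:
            raise ValueError(f"step {n}: unknown rule {rule!r}")
        ok = True
        if rule == 'assumption':
            scopes.append(set())
            opened_by.append(n)
        elif rule == 'and-intro':
            ok = f == conj(cite(refs[0]), cite(refs[1]))
        elif rule == 'and-elim':
            c = cite(refs[0])
            ok = isinstance(c, tuple) and c[0] == 'and' and f in c[1:]
        elif rule == 'dn-intro':
            ok = f == neg(neg(cite(refs[0])))
        elif rule == 'dn-elim':
            ok = cite(refs[0]) == neg(neg(f))
        elif rule == 'imp-elim':        # refs in either order: A and A ⇒ B give B
            x, y = cite(refs[0]), cite(refs[1])
            ok = y == imp(x, f) or x == imp(y, f)
        elif rule == 'modus-tollens':   # A ⇒ B and ~B give ~A
            ab, nb = cite(refs[0]), cite(refs[1])
            ok = (isinstance(ab, tuple) and ab[0] == 'imp'
                  and nb == neg(ab[2]) and f == neg(ab[1]))
        elif rule == 'imp-intro':
            a, c = refs
            if opened_by[-1] != a:
                raise ValueError(f"step {n}: step {a} is not the innermost open assumption")
            ok = f == imp(formulas[a - 1], cite(c))
            scopes.pop()                # discharge the assumption: its scope closes
            opened_by.pop()
        if not ok:
            raise ValueError(f"step {n}: {rule} does not yield {f}")
        formulas.append(f)
        scopes[-1].add(n)
    if len(scopes) != 1:
        raise ValueError("proof ends with undischarged assumptions")
    return formulas[-1]

def is_theorem(steps):
    try:
        check_nd_proof(steps)
        return True
    except ValueError:
        return False

# The slide's proof of (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r)), step numbers as on the slide.
Q_R, NQ_NP = imp('q', 'r'), imp(neg('q'), neg('p'))
SLIDE_PROOF = [
    (Q_R, 'assumption', []),                                    # 1
    (NQ_NP, 'assumption', []),                                  # 2
    ('p', 'assumption', []),                                    # 3
    (neg(neg('p')), 'dn-intro', [3]),                           # 4
    (neg(neg('q')), 'modus-tollens', [2, 4]),                   # 5
    ('q', 'dn-elim', [5]),                                      # 6
    ('r', 'imp-elim', [1, 6]),                                  # 7
    (imp('p', 'r'), 'imp-intro', [3, 7]),                       # 8
    (imp(NQ_NP, imp('p', 'r')), 'imp-intro', [2, 8]),           # 9
    (imp(Q_R, imp(NQ_NP, imp('p', 'r'))), 'imp-intro', [1, 9]), # 10
]

# Constructed invalid proof: cites the assumption p after its scope has closed.
BAD_PROOF = [
    ('p', 'assumption', []),
    (imp('p', 'p'), 'imp-intro', [1, 1]),
    (neg(neg('p')), 'dn-intro', [1]),
]
```

A proof that ends with open scopes proves only a conditional claim, never a theorem; the final check enforces that, which is why the single-step proof consisting of one assumption is rejected.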

  32. Satisfiability and tautologies
    • Satisfiable
      • A formula a is satisfiable if there is a Boolean valuation v such that v(a) = 1.
    • Tautology
      • A propositional formula a is a tautology (also called valid) if v(a) = 1 for every Boolean valuation v.

  33. Semantic entailment
    • F1, F2, F3 ╞ Ψ means that if v(F1) = 1 and v(F2) = 1 and v(F3) = 1 then v(Ψ) = 1,
      which is equivalent to saying that (F1 & F2 & F3) ⇒ Ψ is a tautology, i.e.,
      (F1, F2, F3 ╞ Ψ) ≡ ((F1 & F2 & F3) ⇒ Ψ)

  34. Example
    • p : The train is late
    • q : There are taxis at the station
    • r : John is late for his meeting
    • (p & (~q)) ⇒ r, ~r, p ╞ q
    • (((p & (~q)) ⇒ r) & (~r) & p) ⇒ q
    • ~((~(p & (~q)) | r) & (~r) & p) | q
    • (p & (~q) & (~r)) | r | (~p) | q
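Slides 28 and 32 to 34 define a Boolean valuation, satisfiability, tautology and semantic entailment, and the example above reduces the train argument to a tautology check; slide 11's equivalence checking is the same decision procedure applied to the biconditional of two models. The following is an added example, not code from the presentation: a Python valuation function over tuple-encoded formulas (a representation chosen here) that decides all four notions by enumerating every valuation. It confirms that the three premises entail q, shows the counter-model that appears when the premise ~r is dropped, checks that the last formula on this slide is a tautology, and, for the equivalence-checking case, compares a constructed 2:1 mux against a redundant-but-equivalent rewrite and against a mis-optimised one.

```python
from functools import reduce
from itertools import product

# Formulas as nested tuples (an added example, not code from the slides): a
# proposition letter is a str, the constants T and F are True and False, and
# ('not', A), ('and', A, B), ('or', A, B), ('imp', A, B), ('iff', A, B) are
# ~A, A & B, A | B, A ⇒ B, A ⇔ B.
def neg(a): return ('not', a)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)
def iff(a, b): return ('iff', a, b)

def letters(f, acc=None):
    """The set of proposition letters occurring in f."""
    acc = set() if acc is None else acc
    if isinstance(f, str):
        acc.add(f)
    elif isinstance(f, tuple):
        for sub in f[1:]:
            letters(sub, acc)
    return acc

def value(f, v):
    """The Boolean valuation of f under v (a dict letter -> bool), following the
    slide: constants map to themselves and each connective to its truth function."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return v[f]
    if f[0] == 'not':
        return not value(f[1], v)
    a, b = value(f[1], v), value(f[2], v)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b, 'iff': a == b}[f[0]]

def valuations(*fs):
    """Every assignment of truth values to the letters of the given formulas."""
    names = sorted(set().union(*(letters(f) for f in fs)))
    for bits in product([False, True], repeat=len(names)):
        yield dict(zip(names, bits))

def satisfiable(f):
    """A valuation making f true, or None if no Boolean valuation does."""
    return next((v for v in valuations(f) if value(f, v)), None)

def countermodel(f):
    """A valuation making f false, or None if f is a tautology (valid)."""
    return next((v for v in valuations(f) if not value(f, v)), None)

def is_tautology(f):
    return countermodel(f) is None

def entails(premises, conclusion):
    """Semantic entailment F1, ..., Fn ╞ Ψ, decided as on slide 33: it holds
    iff (F1 & ... & Fn) ⇒ Ψ is a tautology. Returns (True, None) or
    (False, v) where v satisfies every premise but not the conclusion."""
    v = countermodel(imp(reduce(conj, premises), conclusion))
    return v is None, v

def equivalent(f, g):
    """Combinational equivalence check in the sense of slide 11: f and g agree
    under every valuation iff f ⇔ g is a tautology. Returns (True, None) or
    (False, v) with a distinguishing input v."""
    v = countermodel(iff(f, g))
    return v is None, v

# Slide 34: p = the train is late, q = taxis at the station, r = John is late.
PREMISES = [imp(conj('p', neg('q')), 'r'), neg('r'), 'p']

def train_example():
    return entails(PREMISES, 'q')

def train_example_without_not_r():
    """Dropping the premise ~r: the argument is no longer valid, and the
    returned valuation is the counter-model."""
    return entails([PREMISES[0], 'p'], 'q')

# Constructed netlist pair for equivalence checking: a 2:1 mux, the same mux
# with a redundant consensus term (equivalent), and a mis-optimised one.
MUX = disj(conj('s', 'a'), conj(neg('s'), 'b'))
MUX_WITH_CONSENSUS = disj(MUX, conj('a', 'b'))
MUX_BAD = disj(conj('s', 'a'), 'b')

if __name__ == "__main__":
    print("train example:", train_example())
    print("without ~r:", train_example_without_not_r())
    print("consensus term:", equivalent(MUX, MUX_WITH_CONSENSUS))
    print("mis-optimised:", equivalent(MUX, MUX_BAD))
```

Enumerating 2^n valuations is fine for a slide-sized example and is the reference semantics; an equivalence checker for real netlists answers the same question with BDDs or SAT, but the distinguishing input it reports on failure is the same kind of counter-model this code returns.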

  35. Consistency
    • If the set of premises of an implication is not consistent, the premises can be used to prove a contradiction, i.e., p, ~p ╞ q & ~q, or F ⇒ F
      • The ‘false implies anything’ problem
    • First of all, the model (implementation) should be consistent

  36. Need for another logic
    • Syllogism
      • Man is mortal
      • Socrates is a man
      → Socrates is mortal
    • The best way to describe these in propositional logic is a & b ⇒ c
    • But this is not a tautology (because ‘c’ cannot be represented as some form of a, b.)

  37. 2. Predicate logic
    • Invented by Gottlob Frege
    • Also called “first-order logic”
    • Syntax
      • Constants, variables x, y, ...
      • Functions, predicates
      • Logical connectives
      • Quantifiers
      • Punctuation: , (enumeration), . (‘such that’)
    • Semantics
      • Interpretation, valuation
    • Proof theory
      • Axiom systems, natural deduction, sequent calculus

  38. Quantifiers
    • Universal quantification (∀); ‘for all’
      • Corresponds to the finite or infinite conjunction of the application of the predicate to all elements of the domain.
    • Existential quantification (∃); ‘there exist(s)’
      • Corresponds to the finite or infinite disjunction of the application of the predicate to all elements of the domain.
    • Relationship between ∀ and ∃
      • ∃x.P(x) is the same as ~∀x.~P(x)
      • ∀x.P(x) is the same as ~∃x.~P(x)

  39. Historical comment
    • Hardware verification work based on first-order logic
      • Wagner (1977), Pitchumani and Stabler (1982), Hanes (1983), Wojcik (1983), Suzuki (1984), Hunt (1987)
    • Boyer-Moore theorem prover (1979)
      • Quantifier-free first-order logic with equality

  40. 3. Higher-order logic
    • First-order logic
      • Quantifies only over variables
    • Higher-order logic
      • Also quantifies over functions and predicates
      • Uses special function-denoting terms
        • λ-expressions, which are terms of the λ-calculus
      • Ex) Induction principle
        • ∀P.(P(0) & (∀n.P(n) ⇒ P(n+1))) ⇒ ∀n.P(n)
    • Zero-order logic
      • Propositional logic can be regarded as zero-order logic

  41. λ-calculus
    • Invented by Alonzo Church
    • Basic λ-expression
      • λx1 x2 … xn.e
        • x1, x2, …, xn: parameters of the function
        • e: expression which computes the value of the function in terms of the parameters x1, x2, …, xn
    • Simple example
      • λxy.x+y
      • (λxy.x+y) 2 3 = 2 + 3 = 5
