Post-Reboot Equivalence and Compositional Verification of Hardware
Zurab Khasidashvili, Marcelo Skaba, Daher Kaiss, Ziyad Hanna
Design Technology Solutions, Intel, Haifa
FMCAD, SJ, Nov. 13th 2006
The Scope
• Hardware verification has many aspects
• We will focus on logic verification:
  • Assume there is a temporal specification, P, of a design
  • There is a spec model written in RTL
  • There is a more detailed implementation model (RTL or extracted from a circuit model)
  • Assume P is written in the common variables of spec and imp (so that P is “understood” in both models)
• We want:
  • To prove spec satisfies the behavioral specification, P. We call P a “design intent” property.
  • To prove spec and imp are “equivalent”
  • From the above two, to conclude that the implementation model also satisfies P.
Overview
• What do we propose? A unified theory which combines equivalence verification with property verification and reboot sequence verification
• Motivation for introducing post-reboot equivalence for hardware FSMs
  • Why do we need yet another equivalence concept?
• Lattice-theoretic characterization of post-reboot equivalence
  • Helps in defining the concept of a hardware machine
• Comparison of compositional post-reboot equivalence verification with combinational verification and retiming verification
• Verifying a reboot sequence
  • Is a given input vector sequence a weak-synchronizing sequence for (decomposed) spec and imp?
• Impact on property verification theory and practice
• Conclusions
Equivalence Verification in Practice
• Decompose the spec and imp models using mapped cut points.
• Use boundary constraints to make the corresponding slices equivalent.
• Build a reboot sequence that brings the circuits to states satisfying all boundary constraints (and possibly other constraints).
• Check that the constraints remain valid post-reboot, using (non-exhaustive, 3-valued) simulation.
Equivalence Verification in Practice
• Dominant in EDA practice: slices are mostly combinational, rarely retimed.
• For combinational slices, equivalence means equivalence of Boolean functions under input constraints
• For retimed slices, equivalence means some form of steady-state equivalence
• It is not clear what kind of equivalence is proved when combining various equivalence checking methods on the same design, and how it is related to alignability
• The part that relates the reboot sequence to the used properties was not considered as part of “equivalence verification”. Indeed, it is based on non-exhaustive simulation.
Equivalence concepts
• Many concepts of equivalence have been studied in the literature
• Some of them require some form of reboot sequence before the comparison of the output behavior of spec and imp starts:
  • Delayed safe replaceability [SPAB01]
  • Sequential hardware equivalence or alignability [Pix92]
  • Exact 3-valued equivalence [RSSB99]
  • 3-valued safe replaceability [HC98]
  • Steady state equivalence [KH02]
• Other known equivalence concepts:
  • Combinational equivalence
  • Replaceability
• We will focus on the alignability concept, as we believe it fits hardware verification well
Weak synchronizing sequences
• States s1 and s2 are equivalent states of an FSM M, written s1 ≃ s2, iff p : o1(s1,p) = o2(s2,p).
• A weak synchronizing sequence for M is an input vector sequence that brings M from any (binary) state into a subset of equivalent states {s1,…,sm}, called weak synchronization states.
[Figure: states s1…s5 driven by the sequence p into states t1 ≃ t2 ≃ t3, with Out(t1) = Out(t2)]
Alignability Equivalence (Pixley 1989)
• A binary input sequence p is an aligning sequence for states (s1,s2) in the FSM M1 x M2 if it brings M1 x M2 from state (s1,s2) to an equivalent state.
• FSMs M1 and M2 are alignable, written M1 ≃aln M2, iff every state of M1 x M2 has an aligning sequence
• Equivalently, M1 ≃aln M2 iff a universal aligning sequence aligns every binary state of M1 x M2.
[Figure: states s1 and s2 driven by p into states t1 ≃ t2]
The Idea of Weak Synchronization
• If an FSM is not WS, then whatever the sequence p, there always exist two power-up states s1 and s2 such that o1(s1,p) != o2(s2,p).
• This means that, whatever p is, the FSM exhibits non-deterministic observational (output) behavior after p.
• If an FSM is not WS, then it is not equivalent to itself according to [Pixley 89], i.e. it is not alignable to itself.
• A central observation: in practice, post-reboot states are a proper subset of the WS states, satisfying (boundary) verification constraints as well as some non-functional constraints, like timing, power or other; these constraints are not directly captured by output observability
An FSM from Pomeranz and Reddy [PR96]
• The following FSM H is taken from [PR96]. State pairs (A, D), (B, E) and (C, F) are equivalent.
• Since A ≃ D, the sequence 0 is a ws-sequence for the FSM, bringing the states {A, B} into A and the states {C, D, E, F} into D.
• Since all states are accessible from A and D, all states are ws-states.
Property semantics
• In alignability equivalence, one works with equivalence classes of states. In the induced FSM, the ws states form a strongly connected component.
• Therefore in alignability equivalence, the ws states are (implicitly) considered as the operation states.
• The class of ws-sequences is a homogeneous one: there are no “good” or “bad” ws-sequences.
Property semantics (cont.)
• If the designer wants the FSM to operate in all states after reboot, he/she can use a “weak” reboot sequence, say 0, 01, or 011, as the reboot sequence.
• If the designer wants the FSM to operate in the states {D, E, F} after reboot, he/she can choose a “strongest” reboot sequence, e.g. 0111, which transfers any state into the sink SCC {D, E, F}.
Property semantics (cont.)
• Let P be a property true in {D, E, F}. Then P is valid in all post-reboot states wrt the reboot sequence 0111, but is falsifiable in the operation states wrt the reboot sequence 0.
• Thus, considering all ws states as the operation states is inadequate for defining property semantics for hardware FSMs: the chosen reboot sequence might very well be 0111.
Operation States for Hardware FSMs
• In our definition of a Hardware FSM (or HFSM), we introduce a set of operation states, or post-reboot states, as a part of its specification:
• Definition: A Hardware Machine (HM) is a pair H = (M, R), where M is an FSM and R WS(M) is closed under transition; R is called the set of operation states of H.
• Here R must be seen as the set of states into which H is brought after applying a reboot sequence r to it.
• This actually makes r a part of the definition of an HFSM. In practice, R is defined as a set of constraints (the boundary and possibly other constraints of a decomposition of spec & imp), thus we found it more natural to use R rather than r as part of the HFSM specification.
• In practice, R WS(H) is a strict inclusion.
Alignability does not preserve validity of temporal properties
• The following two FSMs are alignable
• Let P be true in {D, E, F}
• Then P is valid in (all post-reboot states of) FSM 2
• But P is not valid in FSM 1 for the reboot sequence 0
• Thus alignability equivalence does not preserve validity of temporal properties
FSM Bisimulation
• Let Mi = (Si, S, G, di, li), i = 1,2, be FSMs, and let B S1S2 be a relation such that:
  • B(s1,s2) aS: l1(s1,a) = l2(s2,a) & B(d1(s1,a), d2(s2,a)).
• Then B is called an FSM bisimulation, and M1 and M2 are called bisimilar with respect to B. States (s1,s2) S1S2 are called bisimilar, written s1 s2, if they are contained in a bisimulation on S1S2.
Bisimulation for FSMs with initial states (Gupta et al.)
• A concept of bisimulation for FSMs was first studied by Asher, Gupta and Malik 2001
• They considered FSMs with an initial state, and assumed the initial state pair must belong to the bisimulation
• That concept of FSM bisimulation can be seen as a special case of the post-reboot bisimulation introduced next.
Post-reboot Hardware Equivalence
• Definition: Let M1 and M2 be compatible FSMs, let p be an input vector sequence for M1 and M2, and let B be a bisimulation between M1 and M2.
• A pair (p,B) is a post-reboot bisimulation between M1 and M2 iff
  • (s1,s2) S1S2. (p: s1 * t1 & p: s2 * t2) B(t1,t2).
• M1 and M2 are called post-reboot bisimilar or post-reboot equivalent if there is a post-reboot bisimulation between them.
[Figure: states s1 and s2 driven by p into states t1 and t2 with B(t1, t2)]
Alignability vs PRE for FSMs
• Theorem: Let WS1 and WS2 be the weak-synchronization states of FSMs M1 and M2, respectively. Further, let StateEq(WS1,WS2) = StateEq (WS1WS2). Then the following are equivalent:
  • M1 and M2 are alignable;
  • StateEq(WS1,WS2) ≠ ;
  • StateEq(WS1,WS2) is a non-empty onto bisimulation, on WS1WS2, between M1 and M2;
  • M1 and M2 are post-reboot equivalent.
The order on PRBs
• Define: (p1,B1) (p2,B2) iff B1 B2.
• Theorem: The set of all post-reboot bisimulations between HFSMs H1 and H2, when it is a non-empty set, is a complete lattice with respect to the partial order .
[Figure: a complete lattice of PRBs. Order on PRBs: the larger the operating states set, the stronger the PRB]
[Figure: PRB order vs. order on ws sequences. Order on PRBs: the larger the operating states set, the stronger the PRB. Order on ws sequences: the smaller the operating states set, the stronger the ws sequence]
Partial Order on WS-sequences
• The order has upper bounds but need not have a bottom element, thus it need not be a lattice: it is an upper semi-lattice. Here is an example:
• Since s1 s4 and s2 s3, the input sequences 1 and 0 are WS, and so is 10. Further, so are 111111 …; 000000…; 0110 100….; and 0 and 1 have the upper bound 01, but have no lower bound.
Partial Order on WS-sequences
• Let (p,B) be a post-reboot bisimulation between M1 and M2. We associate with p a smallest bisimulation B[p] such that (p,B[p]) is a PRB; B[p] is the intersection of all Bi such that (p,Bi) is a post-reboot bisimulation.
• Define a (strict) order on such sequences as follows: p1 ≺ p2 iff B[p1] B[p2];
  • that is, p1 cannot transfer all state pairs of M1M2 into B[p2], while p2 can; therefore we call p2 a stronger reboot sequence than p1.
• We write p1 p2 iff B[p1] = B[p2].
• When H1 = H2 = H, the order is in fact an order on the ws-sequences of H
Equivalence and property semantics for Hardware Machines
• We call HMs H1 = (M1,R1) and H2 = (M2,R2) equivalent if there is a post-reboot bisimulation (p,B) between the FSMs M1 and M2 such that B R1R2.
• We call a CTL* formula [CGP99] valid in H1 iff it is valid in all states in R1.
• We will see that if post-reboot equivalence between HMs is proven using the compositional method proposed in [KSKH 04], then a post-reboot bisimulation is built which allows proving that equivalent HMs satisfy the same class of CTL* formulas
• To show this, we need to see how to specify the operation states of HMs; we will use stable decompositions of HMs.
[Figure, stable decomposition (example): C1 (spec) with slices A and B separated by a cut on latches l1, l2, l3, l4, input i, output o1 and combinational logic CL1; C2 (imp) with slices C and D, the same cut, input i, output o2 and combinational logic CL2]
[Figure, usage of the constraint l1 = l2: prove l1 = l2 on the ws-states of A and C; impose l1 = l2 when verifying B and D]
Stable Properties and Stable FSM
• A “conditional” FSM can be given as an FSM and a set of properties (or constraints) on it.
  • Combinational properties may disable several transitions
  • Sequential properties (written with the next-state operator, w/o temporal operators) can disable transition (sub)paths.
• To ensure a reasonable theory for divide-and-conquer alignability verification, we need the verification properties to be stable:
  • For stable properties, the conditional FSM induced by the subcircuit and the property is a sub-FSM of the FSM corresponding to the subcircuit.
  • Intuitively, this means that some of the arcs in the FSM may be disabled “permanently”, independently of how we arrive at a corresponding state (with a forbidden transition).
• This will be clarified on examples.
Example of a Non-Stable Property
[Figure: two-state FSM with transitions labelled i=1, i=0, i=0, i=1]
• A property stating that the next value of an input i coincides with the negation of i, next(i) = !i, is not stable:
• From any of the two states, a transition w/ i=1 is allowed (and forced) iff the previous incoming transition was w/ i=0.
Examples of Stable Properties
[Figure: two-state FSM with transitions labelled i=0, i=0, i=1, i=1]
• The property next(i) = i is stable: the two possible sub-FSMs (depending on the first transition) are shown in the figure.
• Any combinational property (written with Boolean connectives alone, w/o the next-state operator) can easily be shown to be stable.
State relation R(D) induced by a decomposition D
• A stable decomposition D of (H1, H2) determines a bisimulation R[D] S(H1)S(H2) defined as follows: (s1,s2) R[D] iff
  • (s1,s2) satisfies the boundary properties;
  • the induced state of each component is a ws-state for that (constrained) component.
• It is assumed that the same-name (mapped) latches are assigned the same values in (s1,s2).
• This observation allowed us to prove the following weak compositionality result for alignability [KSKH 04]:
• Theorem: Under the assumption that the FSMs M1 and M2 are weakly synchronizable, alignability of the corresponding slices in the stable decomposition of M1 x M2 implies alignability of the circuits.
What is Combinational Equivalence Proving
• Combinational decomposition of state-matching circuits can be seen as a special form of stable decomposition, where only stable boundary constraints are allowed (and all latches are cut points).
• Here combinational equivalence is defined as follows:
  • slice outputs equal at the current time (under constraints) => (a) slice outputs remain equal at the next time; and (b) the constraints are valid at the next time.
• Theorem: Given a combinational, stable decomposition D = D1 x D2 of FSMs M1 x M2, proving that M1 and M2 are combinationally equivalent is exactly proving that the state relation R[D] is a bisimulation.
• This bisimulation is included in R(D1) x R(D2).
Is proving combinational equivalence sufficient?
• Unless there is a sequence r that brings any pair of states of M1 and M2 into a state pair in R[D], the fact that R[D] is a bisimulation cannot guarantee that M1 and M2 will have the same observable behavior in post-reboot states from any power-up states.
• That is, w/o relating combinational equivalence to a sufficiently strong reboot sequence, combinational equivalence is meaningless.
• When we do combine proving combinational equivalence with checking that, for the given reboot sequence p, the pair (p, R[D]) is a post-reboot bisimulation, then combinational equivalence also proves post-reboot equivalence (and thus alignability too).
What steady-state equivalence proves for ws (sub)circuits
• Similarly, for ws-FSMs, steady-state equivalence (used for verifying retimed circuits) implies alignability.
• Thus by the weak compositionality theorem, it is safe to combine combinational verification with retiming verification and alignability verification on slices of the same design, provided both FSMs are ws.
• It is unclear how one can verify whether a given input vector sequence is a ws sequence
• Fortunately, we need to prove a simpler result: we need to show whether an input vector sequence is a legal reboot sequence for a given stable decomposition of spec and imp.
• Any legal input vector sequence is a ws-sequence for both FSMs
Proving Post-reboot Equivalence
• In practice, proving PRE means:
  1. building a stable decomposition D (entirely combinational or with sequential slices, retimed or not);
  2. building a reboot sequence r;
  3. proving that (p, R[D]) is a PRB.
• Parts 1 and 2 are mainly manual (part 1 is actually semi-automatic, aided by automatic, counter-example based abstraction algorithms and GUI tools). Part 3 was not studied as part of formal equivalence verification (it was performed by semi-formal methods).
Proving Post-reboot Equivalence
• For checking part 3 formally (full proof), we propose the following algorithm:
  • H1 and H2 are 3-valued simulated with the reboot sequence p, starting from the X-states.
  • For the resulting set of X-states, the boundary constraints (and the latch mapping) must be checked for the set S(X, p) of all binary instances of these X-states; the latter is a simple model checking problem for slices, thus it is completely computationally feasible.
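The two checks that together make up part 3, the inductive combinational-equivalence step from the earlier "What is Combinational Equivalence Proving" slide and the 3-valued reboot simulation of this slide, are shown below on a toy pair of slices. This is an added example, not the paper's or Intel's tooling. The circuit is an assumption: a spec latch A and an imp latch C that implement the same toggle with a synchronous reset but with different gate structure, an imp-only status latch D, shared inputs rst and d, and the boundary constraint A == C on the mapped cut point. `simulate` runs the reboot sequence from the all-X power-up state with 3-valued gate semantics, `binary_instances` expands the resulting X-state into the set S(X, p), and `reboot_establishes_constraint` checks the constraint over every instance rather than over one simulated run; `constraint_is_inductive` is the combinational step showing the constraint is preserved by every binary transition.

```python
from itertools import product

X = "X"  # the unknown value of 3-valued simulation

def t_not(a):
    return X if a == X else 1 - a

def t_and(a, b):
    if a == 0 or b == 0:      # a controlling 0 resolves even against X
        return 0
    return X if X in (a, b) else 1

def t_xor(a, b):
    return X if X in (a, b) else a ^ b

def t_mux(sel, a, b):
    """sel ? a : b; with sel = X the result is known only when both arms agree."""
    if sel == 1:
        return a
    if sel == 0:
        return b
    return a if a == b and a != X else X

# Constructed spec/imp slices (assumptions, not the paper's circuits): shared inputs rst, d;
# spec latch A, imp latches C and D. The cut point A <-> C carries the boundary constraint A == C.
def next_state(state, inp):
    A, C, D = state["A"], state["C"], state["D"]
    rst, d = inp["rst"], inp["d"]
    return {
        "A": t_mux(rst, 0, t_xor(A, d)),              # spec: toggle on d, synchronous reset
        "C": t_mux(rst, 0, t_mux(d, t_not(C), C)),    # imp: same function, different structure
        "D": t_mux(rst, 1, D),                        # imp-only status latch, unconstrained
    }

def simulate(seq):
    """3-valued simulation of a reboot sequence from the all-X power-up state."""
    state = {"A": X, "C": X, "D": X}
    for inp in seq:
        state = next_state(state, inp)
    return state

def binary_instances(xstate):
    """S(X, p): every binary state consistent with an X-state (each X expanded both ways)."""
    names = sorted(xstate)
    choices = [(0, 1) if xstate[n] == X else (xstate[n],) for n in names]
    return [dict(zip(names, vals)) for vals in product(*choices)]

def boundary_ok(state):
    return state["A"] == state["C"]

def reboot_establishes_constraint(seq):
    """Part 3 of the method: the boundary constraint must hold in every binary
    instance of the post-reboot X-state, not just in one simulated run."""
    return all(boundary_ok(s) for s in binary_instances(simulate(seq)))

def constraint_is_inductive():
    """Combinational-equivalence step: from any binary state satisfying the constraint,
    every binary input leads to a state that satisfies it again."""
    for s in binary_instances({"A": X, "C": X, "D": X}):
        if not boundary_ok(s):
            continue
        for rst, d in product((0, 1), repeat=2):
            if not boundary_ok(next_state(s, {"rst": rst, "d": d})):
                return False
    return True

RESET_REBOOT = [{"rst": 1, "d": X}]     # constructed: one cycle of reset, data don't-care
NO_RESET_REBOOT = [{"rst": 0, "d": 0}]  # constructed: a cycle that never asserts reset
```

With `RESET_REBOOT` the simulation leaves A = C = 0 and D = 1, so the only binary instance satisfies the constraint and, because the constraint is inductive, it stays valid in all post-reboot states. With `NO_RESET_REBOOT` every latch remains X, the instance set has eight members including A = 0, C = 1, and the check fails: the combinational proof alone would have said nothing about this, which is the point of the "Is proving combinational equivalence sufficient?" slide. Note that D stays X after a reboot that does not reset it and the check still passes, since no boundary constraint mentions D.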
Relation with Property Verification
• Because we know that all boundary properties are satisfied in all post-reboot states R, for a design intent property P we need to prove that s R P(s)
• If we were using alignability equivalence, we would have to prove s WS P(s);
• In practice, for industrial designs, the relation WS(s) cannot be computed, thus it is unclear how one can formally prove the validity of temporal properties in all WS states.
Experimental Results

Table 1: assertion verification using boundary properties
assertions  EI  inputs  latches   gates  BP  cpu (sec)
assert 1     2     114       26    1674  17        154
assert 2     1      24       20     221   1        155
assert 3     0      18        3    1012   9        209
assert 4     0     835        4    6986  64        209
assert 5     0      19        4     873   2        312

Table 2: assertion verification without boundary properties
assertions  EI  inputs  latches   gates  cpu (sec)
assert 1    10     125      526    7871        256
assert 2    10     369     1133   17690        262
assert 3     9      69      114     954        211
assert 4     2     858    37424  250745        596
assert 5     1     675       18    2585       1325
Conclusions
• From practice to theory:
  • Formalize the several dominant hardware equivalence verification methods into a unified theory; the outcome is post-reboot hardware equivalence
• From theory to practice:
  • Propose a fully formal, practically applicable hardware equivalence verification algorithm and methodology.
  • Give experimental data where the new theory “makes a difference” in the practice of full-chip verification.
• We base our theory on bisimulation, and it is easy to adapt it to equivalence concepts requiring other forms of bisimulation (such as weak bisimulation, bisimulation up to an equivalence relation, etc.).
Future Work
• In this work, we mainly focused on justifying a new equivalence concept, post-reboot bisimulation, and on showing how it makes property verification and reboot sequence verification feasible
• We are working on a comprehensive theory for property verification that will be fully aligned with compositional post-reboot equivalence verification and reboot sequence verification for Hardware Machines.
• An important and very challenging problem is to build algorithms for finding the latch mapping automatically.