
Designers Work Less with Quality Formal Equivalence Checking


Presentation Transcript


  1. Designers Work Less with Quality Formal Equivalence Checking by Orly Cohen, Moran Gordon, Michael Lifshits, Alexander Nadel, and Vadim Ryvchin Intel

  2. Agenda
  • Formal Equivalence Checking (FEC) in Parts Using Assume-Guarantee
  • FEC Flow Description and the Importance of Assumptions
  • Minimizing Assumptions
    • Naive Approaches
    • FEC as SAT Problem
    • Minimizing Assumptions Using SAT
    • Comparison of SAT-Based and Naive Minimization Approaches
  • Impact of Assumption Minimization on the Manual Debug Effort
  • Conclusions and Recommendations
  Michael Lifshits, Intel

  3. Assume-Guarantee in Formal Equivalence Checking (FEC)
  • FEC proves the equivalence of 2 designs (e.g. schematics vs. RTL)
  • FEC is done on small sub-blocks (slices) suitable for formal tools’ capacity
  • Slices’ inputs are restricted with assumptions, e.g. in SVA
  (figure: DUT with properties; assumptions on the inputs, assertions on the outputs)

  4. Origins of Assumptions
  • Manually added assumptions
    • Design intent properties
    • ABV methodology
  • Schematic assumptions
    • appear in the standard cells library
    • save transistors, area, power
    (figure: example cell assumption INVERSE(a,b))

  5. FEC Stages – the Importance of Assumptions
  • Assumptions must be proved relative to the driving logic → a smaller set of assumptions is better!
  • “Intel CPU project arrived with a dead A0 silicon due to a missed assumption verification step”

  6. Minimizing the Assumptions Set
  Naive approaches:
  • Static Structural Analysis
  • Iterative Trial and Error alg.:
      MinAssump := ∅                                   // start without assumptions
      while verification fails and MinAssump ⊂ All_Assump do
          Try proving with assumptions in MinAssump
          if pass → Done
          Use the counterexample (CEX) and find A ∈ All_Assump: A ∉ MinAssump and A contradicts the CEX
          Add (at most K) such assumptions to MinAssump   // K = 20
      return MinAssump

  7. Formal as SAT Problem
  • Most FEC tools are implemented with SAT-based FV engines
  • FEC is reduced to a propositional formula: F = a AND b OR c …
  • The SAT solver proves the lack of counterexamples for F; a CEX is an assignment for {a, b, c, …} such that F == TRUE
  • Example: the property same(O1, O2)(t) becomes F = XOR(O1, O2')(t), which fails when F = TRUE; with O1 = NOT S1(t) and O2' = (S1 AND S2 AND ENB) OR (O2 AND ^ENB), F = XOR(NOT S1(t), (S1(t) …, checked for t = 1, 2, …; it fails when S1 = T, S2 = T, ENB = T
  • Unsatisfiable core – the sub-formulas required for the proof; in the example: ENB, S1, S2, O1 = NOT S1, O2' = (S1 AND S2 AND ENB) OR (O2 AND ^ENB)

  8. Minimizing Assumptions Using SAT
  • The projection of the UNSAT CORE onto the assumptions is the subset of assumptions required for the proof
  • Minimization at the SAT level → minimal number of assumptions
  • Simple approach vs. our approach
  (figure: assumptions → SAT formula → UNSAT CORE)

  9. Iterative SAT Algorithm to Minimize Assumptions
      Solve formula F: SAT(F) with All_Assump
      Extract UNSAT CORE: UC
      MinAssump := {A ∈ Assump : A ∩ Proj(UC) ≠ ∅}     // start with all used assumptions
      for all A ∈ MinAssump do                        // try removing 1 assumption, reuse learning in SAT
          SAT(F) with MinAssump \ {A}                 // solve F without A
          if pass → MinAssump := MinAssump \ {A}, update UC
      return MinAssump
  (chart: SAT-Based Minimization vs. Naive Trial and Error – 50% of the assumptions in most cases, and dramatically fewer in some)
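The two minimization loops from slides 6 and 9, run side by side on a constructed toy FEC instance. This is an added example, not the authors' tool or code: the "SAT solver" is a brute-force enumeration of all input assignments, so it cannot produce an UNSAT core; the iterative minimization is therefore seeded with the full assumption set (or with the naive result) instead of the core projection. The designs `rtl`/`sch`, the assumption names and the search order are all constructed for the example.

```python
from itertools import product

# Constructed toy FEC instance: an RTL model and a "schematic" of the same cell.
# Both see inputs a, b, enb, s and agree only while a and b are inverse.
INPUTS = ("a", "b", "enb", "s")

def rtl(a, b, enb, s):
    return a if enb else s

def sch(a, b, enb, s):
    return (1 - b) if enb else s          # the schematic uses the complement input

# Candidate assumptions: a cell-library assumption INVERSE(a,b) plus manually
# added ones. Only INVERSE(a,b) is actually needed for the proof.
ALL_ASSUMP = {
    "INVERSE(a,b)": lambda a, b, enb, s: a != b,
    "enb_high":     lambda a, b, enb, s: enb == 1,
    "s_low":        lambda a, b, enb, s: s == 0,
    "not_both":     lambda a, b, enb, s: not (a and b),   # weaker than INVERSE
}

def prove(assump):
    """Stand-in for SAT(F): None if the designs agree on every input assignment
    allowed by `assump`, otherwise the first counterexample (CEX) found."""
    for bits in product((1, 0), repeat=len(INPUTS)):   # constructed search order
        if all(ALL_ASSUMP[name](*bits) for name in assump):
            if rtl(*bits) != sch(*bits):
                return dict(zip(INPUTS, bits))
    return None

def naive_trial_and_error(k=20):
    """Slide 6: grow the set from empty with assumptions the CEX contradicts."""
    min_assump = set()
    while len(min_assump) < len(ALL_ASSUMP):
        cex = prove(min_assump)
        if cex is None:
            break                                      # proof passes
        violated = [name for name in ALL_ASSUMP if name not in min_assump
                    and not ALL_ASSUMP[name](**cex)]
        if not violated:
            break                                      # no assumption rules this CEX out
        min_assump.update(violated[:k])
    return min_assump

def iterative_minimization(start):
    """Slide 9: drop assumptions one at a time, keeping those the proof needs.
    The real flow seeds `start` with the UNSAT-core projection; here the caller
    passes the full set or the naive result because the checker has no core."""
    min_assump = set(start)
    for name in sorted(start):
        if prove(min_assump - {name}) is None:
            min_assump.discard(name)
    return min_assump
```

With this instance the naive loop stops at three assumptions (everything the first CEX violated), while the iterative pass reduces either seed to the single INVERSE(a,b) assumption.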

  10. SAT-Based Minimization Algorithms Comparison
  • UNSAT CORE Projection vs. Iterative Minimization (ours)
  • It is justified mainly when minimizing the core is more important than reducing the run-time
  (chart: run time (hours) vs. remaining properties)

  11. Impact of Assumption Reduction on the Manual Debug Effort
  • All properties (including assumptions) are formally verified
  • SQL database used to store the verification results
  • Combined verification status – status of the recursive set of used assumptions:
      for each used-by-FEC (UBF) property P:
          Assump := set of assumptions used to verify P
          for each Ai ∈ Assump: Assumpi := set of assumptions used to verify Ai
          Assumpall := Assump ∪ Assump1 ∪ … ∪ Assumpn        // a recursive set
          if all Ai ∈ Assumpall pass: status(P) = pass
          else: status(P) = conditional
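The combined-status computation from slide 11 over a constructed results table that stands in for the SQL database; this is an added example, not the authors' database schema or code. The property names and verdicts are constructed, the closure is computed iteratively so that a cyclic "used to verify" relation cannot recurse forever, and a property whose own verdict is not "pass" simply reports that verdict (an assumption of this example; the slide only covers properties that passed).

```python
# Constructed verification-results table: property -> (own verdict,
# assumptions used to verify it). Stands in for the SQL database on the slide.
RESULTS = {
    "P_fec": ("pass", ["A1", "A2"]),
    "A1":    ("pass", []),
    "A2":    ("pass", ["A3"]),       # A2 itself needed A3
    "A3":    ("fail", []),           # unproven leaf assumption
    "P_ok":  ("pass", ["A1"]),
}

def recursive_assumptions(prop, results=RESULTS):
    """Assumpall: every assumption reachable from prop via 'used to verify'."""
    seen, todo = set(), list(results[prop][1])
    while todo:                       # worklist instead of recursion: safe on cycles
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(results[a][1])
    return seen

def combined_status(prop, results=RESULTS):
    """Slide 11: pass only if the whole recursive assumption set passes,
    otherwise the proof is merely conditional."""
    own = results[prop][0]
    if own != "pass":
        return own                    # example's choice: report the property's own verdict
    if all(results[a][0] == "pass" for a in recursive_assumptions(prop, results)):
        return "pass"
    return "conditional"
```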

  12. Impact of Assumption Reduction on the Manual Debug Effort
  • 36% more properties passed
  • Number of properties in FEC is large – a large amount of manual effort is saved to the design team
  (chart: % of all properties)

  13. Conclusion and Recommendations

  14. Backup

  15. SAT-Based Minimization vs. Naive Trial and Error
  • 22 random microprocessor design blocks
  • % indicate the improvement compared to the iterative “naive” trial and error
  (chart: SAT-based time, logarithmic scale; 50% == ½ assumptions)
  Half as many assumptions in most cases, and dramatically fewer in some
