Sequential Equivalence Checking : Need and Challenges

1
Sequential Equivalence Checking Need and
Challenges

• Anmol Mathur
• Chief Architect
• Calypto Design Systems

2
Outline

• Why sequential equivalence checking?
• Combinational vs sequential equivalence checking
• Existing system-level design/verification flows
• System-level to RTL equivalence checking
• RTL-RTL sequential equivalence checking
• Comparison to sequential property checking
• Taming sequential equivalence checking
• Demonstration of SLEC from Calypto

3
Combinational Equivalence Checking

• Most prevalent equivalence checking tools
  available today
• Appropriate for RTL to gate-level verification
• Expects exact 1-1 flop mapping and matching
  interfaces

4
The Power of One-One State Mapping

• Very strong inductive invariant
• Assuming that the one-one mapped flops (and
  inputs) are equal at time k, the next state
  functions (inputs to flops) and output functions
  (mapped primary outputs) are equal at time k1
• No state space analysis required
• Only combinational input constraints and output
  dont cares needed

5
System-Level to GDSII Process Flow
Manual Process
Process Flow
User Control
Limited Control
Broad Control
Broad Control
6
Levels of Systems
Software
Hardware
Hardware/software Interface verification
SOC
Boundary assertion verification
IP
Block verification
7
System-level Models

• Higher level of abstraction resulting in faster
  simulation turnaround time
• Performing architectural tradeoffs and
  performance validation
• Platform for software development

8
Functional Verification Landscape
System level
Simulation
RTL-SL co-simulation

• Simulation/emulation based
• verification
• Assertion based verification

RTL level
RTL-gate Equivalence Checking
Gate level
9
RTL-RTL Equivalence Checking

• Reasons
• Incremental development
• Feature creep
• Performance tuning
• Process migration
• Reuse across projects
• Common Refinements
• Buffer/Cache/Memory resizing
• Tuning cache replacement and coherence algorithms
• Pipeline insertion for performance
• Register retiming

10
Sequential Equivalence Checking
SLM
Process Flow
Process Flow
RTL
Imp.
User Control
User Control
Limited Control
Broad Control
Broad Control
Limited Control
Broad Control
Broad Control
11
Sequential Equivalence Checking
SLM
RTL
Interface mapping Interface constraints
SEC
Abstraction mappings
Proved equivalences Counterexamples
12
Key Advantages of SEC

• Allows complete verification of the RTL with
  respect to the SLM (the independently verified
  golden model) without testbenches
• Verification of the RTL is limited to the
  behaviors specified in the SLM
• Allows verification of RTL blocks to happen
  before the whole RTL or SLM is completed

13
SEC vs Assertion Checking

• Usability issues with assertion-based RTL
  verification
• Need to write design properties in a formal
  temporal logic
• Properties not independently verifiable
• How many properties are enough?
• Capturing input constraints and output dont
  cares
• Technology issues with assertion-based
  verification
• Comparing a complete design against a very
  incomplete specification (property)
• Sequential analysis problem is harder than
  equivalence checking of two designs!

14
Outline

• Why sequential equivalence checking?
• Taming sequential equivalence checking
• Notions of sequential equivalence
• Key technology challenges
• Demonstration of SLEC from Calypto

15
Combinational vs Sequential EC
Sequential EC
Sequential differences
Combinational EC
Data representation differences
FFs match

16
Scheduling

• The SLM could perform a computation in parallel
  while RTL schedules operations in multiple cycles
  with a scheduling FSM
• Introduces additional states due to scheduling
• Some operations that can use the same resource
  become temporally disjoint resulting in resource
  sharing

A
B
C

SLM

O
B
A
C
RTL
reset

clk
o
17
Micro-architectural Abstractions

• RTL has detailed micro-architectures like
• Scan chains
• Sleep mode logic
• Clock gating
• Memory caches
• Bus-based communication along with bus
  arbitration
• Serial communication with handshakes

P
C
SLM
P
C
Handshake controller
RTL
18
Data Type Abstractions

• SLM expression (E) could use C-like data types
  such as float, int, long and user defined data
  types
• RTL expression (E) could use finite precision
  bit-vectors (signed/unsigned) to represent
  fixed-point data values
• RTL may explicitly perform rounding and
  truncation on intermediate computations

function sum_of_product( float a, float b,
float c) return a b c
SLM
module sum_of_product(a,b,c, out) input
signed 70 a, b, c wire signed 150
prod wire signed 70 trunc_prod assign
prod a b assign trunc_prod prod gtgt 8
assign out trunc_prod c endmodule
RTL
19
Notions of Sequential Equivalence

• Cycle-accurate equivalence
• Starting from reset, designs produce identical
  outputs every cycle when equal inputs are applied
• Sequential hardware equivalence (Pixley)
• Requires equivalence from a set of states reached
  via an initializing sequence
• Safe replacement (Singhal, Pixley, Aziz, Brayton)
• No assumption about reset states

20
FSM Refinement

• The states in RTL that correspond to states in
  SLM, are referred to as synchronizing states

21
Sequential Equivalence

• Starting from corresponding reset states, for
  corresponding inputs, if the outputs are equal in
  all corresponding synchronizing states, then SLM
  and RTL are equivalent

22
Transactions State View
SL transaction
SLM
Refinement mapping
RTL
RTL transaction

• Encapsulates one or more units of computation for
  the design being verified
• Self-contained since it brings the machine back
  to a synchronizing state

23
Transactions

• Functional decomposition of the behaviors of a
  machine
• Transaction 1 opcodes ADD, SUB, MULT
• Transaction 2 opcodes DIV, MOD
• Allows sequential verification problem to be
  contained
• Unconstrained problem is intractable
• Verification plan naturally decomposes behaviors
• Debugging ease
• Allows composition of different behaviors
• Sequential composition
• Parallel composition

24
Transaction Memory
RD
WR
Design 1

• Design 1 transaction a single memory read/write
  occuring in a single cycle
• Design 2 transaction single memory read/write
  (potentially) happening over multiple cycles

OUT
Design 2
25
Transaction Equivalence
SLM
T0
T1
T2

• Starting at reset, for corresponding input
  sequences, if the design outputs are equal at
  transaction boundaries, then the designs are
  equivalent
• Transactions can be pipelined

RTL
T0
T1
T2
26
Arithmetic Equivalence

• Exact Equivalence
• For all the possible values in the input space, E
  and E evaluate to exactly the same value
• Bounded error equivalence
• For all corresponding values in the input spaces
  of E and E,
• E E lt e
• Infinite precision equivalence
• Ignoring loss of information at any of the
  intermediate points in the expressions, the
  expressions evaluate the same function

27
Outline

• Why sequential equivalence checking?
• Taming sequential equivalence checking
• Notions of sequential equivalence
• Key technology challenges
• Specifying interface differences
• Sequential analysis
• High-capacity solvers
• Demonstration of SLEC from Calypto

28
Specifying Interface Differences

• Specification of input/output dont cares
• Sequential signal relationships
• Combinational relations between signals
• Reset/non-reset values of signals
• Input mappings
• Factoring delay and throughput differences
• Handling protocol differences
• Blocking vs non-blocking communication
• Serial vs parallel communication

29
Specifying Interface Differences

• Output checks
• Handling latency and throughput differences
• Conditional output checks
• Variable delay or handshake-based checks
• Out-of-order checks
• Specifying transaction boundaries
• When can a new transaction start in the
  specification or implementation machine
• Only differences in the input and output
  interfaces need to be specified,not the actual
  input/output protocols

30
Specifying Interface Differences

• Specifying a transaction requires
• Begin-transaction sequence
• During-transaction invariants
• Ready-for-next-transaction condition
• Output valid condition

clk
reset
RD
ADDR
OUT
out_rdy
transaction
31
Outline

• Why sequential equivalence checking?
• Taming sequential equivalence checking
• Notions of sequential equivalence
• Key technology challenges
• Specifying interface differences
• Sequential analysis
• High-capacity solvers
• Demonstration of SLEC from Calypto

32
Sequential Analysis
SLM
T0
T1
T2
RTL
T0
T1
T2
33
Sequential Analysis Issues

• Efficient machine acceleration
• Cannot afford to replicate next-state/output
  functions in unrolling over many cycles
• Elimination of pipelining/transient states
• Aligning the machines
• Accounting for data-dependent delay between
  synchronizing states
• Accounting for out-of-order output checks

34
Induction and Sequential EC

• Base case
• The corresponding outputs are equal in
  transaction 0 assuming the spec and impl machines
  start in reset states and the input
  mappings/constraints are obeyed
• Induction hypothesis
• Assuming that the spec and impl have equal
  outputs for the first k transactions assuming
  input mappings/constraints, then the outputs will
  be identical for the k1 th transaction
• Problem
• Corresponding states are no longer known
• Induction using the property that all reachable
  states (from reset) have been explored or purely
  by using the constraint that the outputs matched
  in the first k transactions

35
Inductive Proofs

• State-based forward induction
• Accumulating reachable synchronizing states
  during forward symbolic co-simulation
• SAT-based forward reachability
• Output-based induction
• Using equality of outputs in the first k
  transactions to prove equivalence of outputs at
  the k1 th transaction
• Strengthening the induction invariant
• Mapping flops (user-driven or automatic)
• Finding flop maps automatically in the presence
  of latency/throughput differences
• Automatic refinement of cut flops on
  falsification

36
Reasons for Incomplete Proofs

• Weaker induction hypothesis in sequential EC
• No state point or state mapping typically
  available
• Harder solver problems generated since the next
  state and output checks may require unrolling
  across multiple cycles
• Reset required for base case over-reset can
  cause incomplete proofs
• Constraints that span across transactions can
  invalidate induction

37
Bounded Equivalence Checking

• Symbolic simulation of the spec and impl machines
  for a fixed number of transactions from reset
• Bug-finding mode
• Coverage metrics
• How to quantify confidence in the equivalence of
  the machines from a bounded k-transaction proof?

38
Outline

• Why sequential equivalence checking?
• Taming sequential equivalence checking
• Notions of sequential equivalence
• Key technology challenges
• Specifying interface differences
• Sequential analysis
• High-capacity solvers
• Demonstration of SLEC from Calypto

39
Solvers
Word-level Solver
Hybrid Solver
Bit-level Solver
Simulation
40
Word Level Solver
BLS
WLS

• Word-level solver
• Strength proving arithmetic expressions
  equivalent
• Weakness generating counterexamples
• Bit-level solver (SAT-based)
• Strength proving expressions not equivalent
• Weakness proving arithmetic expressions
  equivalent

41
Finite Precision Reasoning

• The nice algebraic properties of the , are
  not true when arithmetic computations are done
  using finite precision

wire signed 70 a,b,c wire signed 70
tmp wire signed 80 out assign tmp a
b assign out tmp c
wire signed 70 a,b,c wire signed 70
tmp wire signed 80 out assign tmp b
c assign out tmp a
!
a 27 1 b 1 out -1 c -1
a 27 1 b 1 out 27 1
c -1
42
Finite Precision Control

• Mixed control-arithmetic reasoning
• Infinite precision canonization
• Combination of theories
• Finite precision arithmetic
• Propositional logic

if ( a b lt 0) x a else if (a b gt 0) x
b else x a b
if ( a -b) x 0 else if ( a gt -b) x
b else if (a lt -b) x a
43
WLS BLS Interface

• Leveraging word-level information in bit-level
  solvers
• Exploiting word-level symmetry information
• Using information about bits in a bus for
  variable ordering in BDDs and decision ordering
  in SAT
• Intelligent ordering of bit-level problems based
  on word-level analysis

44
Simulation Formal Solvers
E1
E2

• Simulation intermediate equivalent points
• Word and bit-level solvers work together
• Cut sets based on proven intermediate
  equivalences for proof simplification

45
Open Issues in Solvers

• Efficient identification of PENs in the presence
  of latency and throughput differences in the
  designs
• Which PENs to prove?
• Ordering of PEN proofs
• Use of predicate abstraction to simplify
  arithmetic-heavy proofs

46
Outline

• Why sequential equivalence checking?
• Taming sequential equivalence checking
• Notions of sequential equivalence
• Key technology challenges
• Demonstration of SLEC from Calypto

47
Frontend Architecture

• Language Neutrality
• Support multiple languages scalably
• Language independent transforms

CPT
CPT to CDB xforms
CDB
SLS Synthesis Engine
SLEC Verification Engine
Future Products
48
Verification Engine Architecture
49
Demonstration Example

• DES Encryption Block
• Symmetric key encryption/decryption
• 64 bit data message, 64 bit key
• 16 rounds of computation

50
RTL System Continuum

• C0 Untimed Functional (C/SystemC)
• C1 Timed Functional (SystemC)
• V2 Serial RTL (Verilog)
• V3 Pipelined RTL (Verilog)

51
SLEC Setup and Operation

• Two designs are setup and verified for functional
  equivalence.
• If not equivalent, a short counterexample
  demonstrates the differences.

• For common cases, most setup information is
  automatically inferred.

52
SLEC Setup and Operation

1. The spec and impl designs are read in.

53
SLEC Setup and Operation

1. Clocks are specified to achieve a common frame of
   reference for timing relationships.

• For common cases, clocking information is
  automatically inferred.

54
SLEC Setup and Operation

1. Corresponding starting states, usually reset
   states, are described.

• Options include reset sequences, reset images,
  and explicit state setting.

55
SLEC Setup and Operation

1. Correspondence is established between the design
   interfaces, constraining input space and aligning
   output comparisons.

• For common cases, interface information is
  automatically inferred.

56
SLEC Setup and Operation

1. The designs are verified and either proven
   equivalent, or short counterexamples are
   generated which demonstrate the differences.

57
C0 - Untimed Functional Design

• Untimed DES algorithm
• written in C
• wrapped in SystemC.

58
C0 - Untimed Functional Design

• C/SystemC Design

Simulation
/ DES function. / sc_bvlt64gt des(sc_bvlt64gt
data_in, sc_bvlt64gt key_in, bool decrypt)
sc_bvlt56gt cd0 sc_bvlt64gt lr0, lr16, rl16,
data_out lr0 des_ip(data_in) cd0
des_ic(key_in) lr16 des_compute(lr0, cd0,
decrypt) rl16 (lr16.range(31, 0),
lr16.range(63, 32)) data_out des_iip(rl16)
return data_out / DES function wrapper.
/ SC_MODULE(des_c0) sc_outltsc_bvlt64gt gt
data_out sc_inltsc_bvlt64gt gt data_in,
key_in sc_inltboolgt decrypt_in
SC_CTOR(des_c0) SC_METHOD(evaluate)
sensitive ltlt data_in ltlt key_in ltlt decrypt_in
void evaluate() data_out.write(
des(data_in.read(), key_in.read(),
decrypt_in.read()))
c0gt sim c0 DES C0 ECB Mode Message
Simulation Original message ----gt
Calypto Bridging System and RTL Encrypted
message ----gt f4966ffc92c8df0c 6b6c41c883c70700
615617aac9640b2e 0f434cdf068b53e1 Decrypted
message ----gt Calypto Bridging
System and RTL simulation complete.
59
V2 - Serial RTL Design

• Verilog RTL implementation
• Throughput 16 cycles.
• Latency 16 cycles.

60
V2 - Serial RTL Design

• Verilog Design

Simulation
module des_v2_compute(lr_out, lr_in, cd_in,
decrypt_in, rst, clk) output 630 lr_out
input 630 lr_in input 550 cd_in input
decrypt_in, rst, clk reg 30
round_reg reg 630 lr_reg wire 630
lr1, lr2 reg 550 cd_reg wire 550
cd1, cd2 reg decrypt_reg wire
decrypt2 assign lr1 (round_reg 0)? lr_in
lr_reg assign cd1 (round_reg 0)? cd_in
cd_reg assign decrypt2 (round_reg 0)?
decrypt_in decrypt_reg des_round
rnd(lr2,cd2,lr1,cd1,decrypt2,round_reg)
always _at_(posedge clk) if (rst) begin
round_reg lt 0 lr_reg lt 0 cd_reg
lt 0 decrypt_reg lt 0 end else begin
round_reg lt (round_reg15)? 0round_reg
1 lr_reg lt lr2 cd_reg lt cd2
decrypt_reg lt decrypt2 end assign lr_out
lr_reg endmodule // additional modules...
v2gt sim v2 DES V2 ECB Mode Message
Simulation Original message ----gt
Calypto Bridging System and RTL Encrypted
message ----gt f4966ffc92c8df0c eb6c41c883c70700
e15617aac9640b2e 0f434cdf068b53e1 Decrypted
message ----gt CalyptoBridgin'
System and RTL simulation complete.
61
C0V2 Verification Setup
c0v2 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -systemc c0/des_c0.h build_desi
gn -impl -verilog v2/des_v2.v v2/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 create_constraint -impl -reset -waveform one
impl.rst
create_waveform -name zero -width 1
0 create_constraint impl -waveform zero
impl.rst set_global impl_throughput
16 set_global impl_output_latency 16
verify mode full_proof
62
C0V2 Verification Setup
c0v2 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -systemc c0/des_c0.h build_desi
gn -impl -verilog v2/des_v2.v v2/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 create_constraint -impl -reset -waveform one
impl.rst
create_waveform -name zero -width 1
0 create_constraint impl -waveform zero
impl.rst set_global impl_throughput
16 set_global impl_output_latency 16
verify mode full_proof
63
C0V2 Verification Setup
c0v2 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -systemc c0/des_c0.h build_desi
gn -impl -verilog v2/des_v2.v v2/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 create_constraint -impl -reset -waveform one
impl.rst
create_waveform -name zero -width 1
0 create_constraint impl -waveform zero
impl.rst set_global impl_throughput
16 set_global impl_output_latency 16
verify mode full_proof
64
C0V2 Verification Setup
c0v2 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -systemc c0/des_c0.h build_desi
gn -impl -verilog v2/des_v2.v v2/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 create_constraint -impl -reset -waveform one
impl.rst
create_waveform -name zero -width 1
0 create_constraint impl -waveform zero
impl.rst set_global impl_throughput
16 set_global impl_output_latency 16
verify mode full_proof
65
C0V2 Verification Setup
c0v2 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -systemc c0/des_c0.h build_desi
gn -impl -verilog v2/des_v2.v v2/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 create_constraint -impl -reset -waveform one
impl.rst
create_waveform -name zero -width 1
0 create_constraint impl -waveform zero
impl.rst set_global impl_throughput
16 set_global impl_output_latency 16
verify mode full_proof
66
C0V2 Verification Setup
c0v2 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -systemc c0/des_c0.h build_desi
gn -impl -verilog v2/des_v2.v v2/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 create_constraint -impl -reset -waveform one
impl.rst
create_waveform -name zero -width 1
0 create_constraint impl -waveform zero
impl.rst set_global impl_throughput
16 set_global impl_output_latency 16
verify
67
C0V2 Verification Results

• SLEC falsifies and generates a counterexample

linuxgt slec run.tcl slecgt c0v2
verification ... (abridged results log) slecgt
verify -mode full_proof ORC-PON
Optimized 'impl' netlist ORC-PON
Optimized 'spec' netlist ORC-SDM
Mapping the Specification and Implementation
Hierarchies ... ORC-UDM Unrolling the
design to obtain outputs and flops for
transaction 1. ORC-UDDM Successfully
obtained outputs and flops for transaction 1.
ORC-SSA Starting to perform sequential
analysis. SEQ-STFE Performing Simulation
to find intermediate equivalences ...
SEQ-NPP1 Number of intermediate equivalence
problems proven 1136 SIM-VMM
Simulation verified the falsification for map
'name_mapltspec.data_out,impl.data_o
utgt' in transaction 1. CEG-SGLT Started
generating Verilog testbench for
counter-example... ltWRNgt CEG-UHNP User design
header not provided. SystemC counter-example
testbench will fail to
compile. CEG-FGLT Finished generating
Verilog testbench for counter-example.
SIM-SVF Split VCD files into file 'impl.vcd'
and file 'spec.vcd'. Output-pair spec.data_out
(throughput1, latency0) and impl.data_out
(throughput16, latency16) falsified at
transaction number 1. Summary of key results
Proven Bounded-Proven
Falsified Not-Attempted Output Pairs
0 0 1
0 Flop Pairs 0 0
0 0 498.510u 1.396s
499.906 842.000 66.952m 118.020p (SLEC process
used 118 MB and 499 seconds)
68
C0V2 Verification Debug

• Mismatch in data_out.
• Single-bit error suggests the bug is likely in
  the final permutation, not in the compute rounds.

69
C0V2 Verification Debug
Verilog Design v2.v

• Mismatch found in the output permutation block
  (IIP).
• The data_out63 assignment was mistranslated
  from the original NIST permutation table.
• Should be 64 - 40 24.

/ Data inverse initial permutation
function. / module des_iip(data_out, rl_in)
output reg 630 data_out input 630
rl_in always _at_(rl_in) begin
data_out63 rl_in25 data_out62
rl_in56 data_out61 rl_in16
data_out60 rl_in48 data_out59
rl_in 8 data_out58 rl_in40
data_out57 rl_in 0 data_out56
rl_in32 data_out55 rl_in25
data_out54 rl_in57 data_out53
rl_in17 data_out52 rl_in49 // .
. . end endmodule
70
C0V2 Verification Debug
Verilog Design v2.v

• Mismatch found in the output permutation block
  (IIP).
• The data_out63 assignment was mistranslated
  from the original NIST permutation table.
• Should be 64 - 40 24.
• Correct V2 and re-run SLEC.

/ Data inverse initial permutation
function. / module des_iip(data_out, rl_in)
output reg 630 data_out input 630
rl_in always _at_(rl_in) begin
data_out63 rl_in24 data_out62
rl_in56 data_out61 rl_in16
data_out60 rl_in48 data_out59
rl_in 8 data_out58 rl_in40
data_out57 rl_in 0 data_out56
rl_in32 data_out55 rl_in25
data_out54 rl_in57 data_out53
rl_in17 data_out52 rl_in49 // .
. . end endmodule
71
C0V2 Verification Results

• Re-running SLEC proves full functional
  equivalence

linuxgt slec run.tcl slecgt c0v2
verification ... (abridged results log)
ORC-SDM Mapping the Specification and
Implementation Hierarchies ... ORC-FDM
Finished mapping successfully. SIM-VOM
Simulation successfully validated the specified
output-maps. ORC-UDM Unrolling the
design to obtain outputs and flops for
transaction 1. ORC-UDDM
Successfully obtained outputs and flops for
transaction 1. ORC-SSA Starting to
perform sequential analysis. SEQ-STFE
Performing Simulation to find intermediate
equivalences ... SEQ-NPP Number of
intermediate equivalence problems posed 1136
SEQ-NPP1 Number of intermediate equivalence
problems proven 1136 SEQ-NPF Number
of intermediate equivalence problems falsified
0 SEQ-DOP Completed output proofs for
Transaction Number 1. ORC-FSA Done
performing sequential analysis. Output-pair
spec.data_out (throughput1, latency0) and
impl.data_out (throughput16, latency16) proven
to be equivalent. Summary of key results
Proven Bounded-Proven
Falsified Not-Attempted Output Pairs
1 0 0
0 Flop Pairs 0 0
0 0 slecgt slecgt end of
file 418.865u 1.043s 419.908 728.000 69.957m
78.512p (SLEC process used 78 MB and 419 seconds)
72
V3 Pipelined RTL Design

• Verilog RTL implementation
• Throughput 4 cycles
• Latency 16 cycles

73
V3 Pipelined RTL Design

• Verilog Design

Simulation
module des_v3_control(sample_inputs_out,
round0_out, round1_out, round2_out, round3_out,
rst, clk) output reg
sample_inputs_out output reg 30
round0_out, round1_out,
round2_out, round3_out input rst,
clk reg 10 cycle always
_at_(cycle) begin sample_inputs_out (cycle
0)? 1 0 round0_out cycle round1_out
cycle 4 round2_out cycle 8
round3_out cycle 12 end always
_at_(posedge clk) begin if (rst) begin
cycle lt 0 end else begin cycle lt
(cycle 3)? 0 cycle 1 end
end endmodule // additional modules...
v3gt sim v3 DES V3 ECB Mode Message
Simulation Original message ----gt
Calypto Bridging System and RTL Encrypted
message ----gt f4966ffc92c8df0c 6b6c41c883c70700
615617aac9640b2e 0f434cdf068b53e1 Decrypted
message ----gt Calypto Bridging
System and RTL simulation complete.
74
V2V3 Verification Setup
v2v3 verification run.tcl

1. Specify designs
2. Specify clocks
3. Specify reset state
4. Align interfaces
5. Verify designs

build_design -spec -verilog v2/des_v2.v
v2/des_common.v build_design -impl -verilog
v3/des_v3.v v3/des_common.v
automatically inferred.
create_waveform -name one -width 1
1 Create_constraint spec reset waveform one
spec.rst create_constraint -impl -reset -waveform
one impl.rst
create_waveform -name zero -width 1
0 create_constraint spec -waveform zero
spec.rst create_constraint impl -waveform
zero impl.rst set_global spec_throughput
4 set_global impl_throughput 16 set_global
spec_output_latency 16 set_global
impl_output_latency 16
verify mode full_proof
75
V2V3 Verification Results

• Running SLEC proves full functional equivalence

linuxgt slec run.tcl slecgt c0v2
verification ... (abridged results log)
ORC-PON Optimized 'impl' netlist
ORC-PON Optimized 'spec' netlist
ORC-SDM Mapping the Specification and
Implementation Hierarchies ... ORC-FDM
Finished mapping successfully. SIM-VOM
Simulation successfully validated the specified
output-maps. ORC-UDM Unrolling the
design to obtain outputs and flops for
transaction 1. ORC-UDDM
Successfully obtained outputs and flops for
transaction 1. ORC-SSA Starting to
perform sequential analysis. SEQ-STFE
Performing Simulation to find intermediate
equivalences ... SEQ-NPP Number of
intermediate equivalence problems posed 0
SEQ-NPP1 Number of intermediate equivalence
problems proven 0 SEQ-NPF Number of
intermediate equivalence problems falsified 0
SEQ-DOP Completed output proofs for
Transaction Number 1. ORC-FSA Done
performing sequential analysis. Output-pair
spec.data_out (throughput16, latency16) and
impl.data_out (throughput4, latency16) proven
to be equivalent. Summary of key results
Proven Bounded-Proven
Falsified Not-Attempted Output Pairs
1 0 0
0 Flop Pairs 0 0
0 0 248.788u 0.597s
249.385 418.000 104.103m 119.172p (SLEC
process used 119 MB and 249 seconds)
76
Bridging System and RTL

• C0 Untimed Functional (SystemC)
• V2 Serial RTL (Verilog)
• Design error found and corrected
• Proven equivalent with C0.
• V3 Pipelined RTL (Verilog)
• Proven equivalent with V2.

77
Summary

• Equivalence checking between system-level models
  and RTL will provide a big value to customers by
  easing the RTL verification bottleneck
• There are significant abstractions in the
  system-level models that need to be bridged
• The key technology pieces that are required are
• Intuitive specification of interface differences
• Scalable and robust sequential analysis
  techniques for proving equivalence
• Synergistic use of bit-level, word-level solvers
  with simulation
• Hardware model extraction from system-level
  models