Formal Verification(1) - PowerPoint PPT Presentation

Provided by: YiJ93

Transcript and Presenter's Notes

1
Formal Verification(1)
2
Functional verification
  • Simulation
  • Emulation
    • Emulator (general purpose)
    • FPGA prototyping (specific application)
  • Semi-formal verification
    • Coverage measurement
    • Test generation
    • Symbolic simulation
  • Formal verification
    • Equivalence checking
    • Theorem proving
    • Model checking

3
Simulation
  • Definition
  • Representation of the operation or features of
    one process or system through the use of another
  • Description level
  • RT level, gate level, switch level, circuit level
  • Simulation engine
  • Event-driven vs. cycle-based
  • Compiled-code vs. interpretive
  • Advantage
  • Can make trade-off between execution time and
    completeness
  • Disadvantage
  • Needs input generator and output checker (or
    manually generating and checking)

4
Emulation
  • Definition
  • Imitating the function of (another system), as by
    modifications to hardware or software that allow
    the imitating system to accept the same data,
    execute the same programs, and achieve the same
    results as the imitated system
  • Advantage
  • Can check design in real environment
  • Faster than simulation
  • Disadvantage
  • Hard to make the whole system
  • Needs to fix environment
  • Hard to debug
  • Simulation- or emulation-based testing can reveal
    the presence of bugs but can never assure the
    absence of bugs (Dijkstra, 1970s).

5
SFV: Coverage measurement (1/3)
  • Objective
  • Increase the probability of bug detection by
    checking the quality (coverage) of the stimulus
  • Advantage
  • Easy to apply
  • Good guide to generate input stimulus
  • Disadvantage
  • Many metrics, but no good model for design errors

6
SFV: Coverage measurement (2/3)
  • Kinds of metrics
  • Code-based metrics
  • Line/code block coverage
  • Branch/conditional coverage
  • Path coverage
  • Circuit structure based metrics
  • Toggle coverage
  • Register activity
  • State-space based metrics
  • Pair-arcs (usually covered by line/condition
    coverage)
  • Spec-based metrics
  • Percentage of specifications satisfied

7
SFV: Coverage measurement (3/3)
  • Available tools
  • VeriCover (Veritools)
  • SureCov (Verisity)
  • Coverscan (Cadence)
  • HDLScore, VeriCov (Summit Design)
  • HDLCover, VeriSure (TransEDA)
  • Polaris (Avant!, now Synopsys)
  • Covermeter (Synopsys)

8
SFV: Test generation
  • Objective
  • Automatically generate input stimulus to increase
    test coverage
  • Kinds
  • ATPG methods
  • Dynamic formal, or ABV (assertion-based
    verification) (0-in search from 0-in Design
    Automation, Inc.; refer to www.0-in.com)
  • Advantage
  • High productivity
  • Disadvantage
  • Needs a result checker
  • Ex) assertion statements in 0-in search
  • No constrained inputs
  • In general, ATPG-generated inputs may or may not
    meet the input constraints

9
State space vs. search space
(Diagram comparing the search space of formal verification, dynamic formal verification (0-in), and simulation against the design's state space.)
10
SFV: Symbolic simulation
  • Objective
  • Compute an expression instead of a value
  • Advantage
  • More coverage per simulation
  • Disadvantage
  • Not good with state machines
  • Does not support temporal logic
  • Industrial success story
  • Symbolic trajectory evaluation
  • Tackles switch-level designs (Randal E. Bryant,
    COSMOS)

12
FV: Equivalence checking
  • Objective
  • Checks the equivalence of two models
  • RTL vs. gate
  • Before optimization vs. after optimization
  • Before test insertion vs. after
  • Reference model vs. implementation
  • Advantage
  • Guarantees functional equivalence of the two models
    for all input values
  • Disadvantage
  • Needs a golden reference model
  • Targets implementation errors rather than design
    bugs

13
FV: Theorem proving
  • Deductive verification
  • Use axioms and proof rules to model the system
    (formal system).
  • State the property to be verified as a theorem of
    this formal system.
  • Derive this theorem with the help of a
    theorem prover, which generates rules derivable
    from the axioms and premises.
  • Useful for verifying algorithms
  • Industrial success story
  • AMD K7 floating point verification
  • Intel instruction decoder verification
  • Disadvantage
  • Very hard to automate.
  • Requires user interaction.
  • Deriving the formal system can be quite
    cumbersome.
  • Requires an expert to use the theorem prover.

14
FV: Model checking
  • Objective
  • Check properties of a model under all possible
    conditions
  • Advantage
  • Can be fully automated
  • If the property does not hold, a counter-example
    is generated
  • Relatively easy to use
  • Problem
  • Works (well) only for finite-state systems.
  • Needs abstraction or extraction
  • Both tend to introduce errors
  • Engineers are not always happy to use temporal
    logic, which is used for property description in
    MC.

15
Verification in SoC design (1/3)
  • Too big to verify the whole system
  • Already verified IPs

(Block diagram: a custom-designed interconnection links an embedded processor (IP), peripherals (IP and custom designed), a memory interface with memory, and external devices.)
16
Verification in SoC design (2/3)
  • Divide-and-conquer

(Block diagram: the same SoC with each verified IP replaced by an abstract model, the interconnection by an interconnection model or abstract model, and the external device by an external device model.)
  • Verify the custom-designed block; check the spec.
    for the interconnection model
  • Verify the interconnection model by using abstract
    IP models (check only transaction operation)
17
Verification in SoC design (3/3)
  • Summary
  • Divide-and-conquer
  • Does not verify individual blocks
  • Too big to verify the whole system
  • Already verified IPs
  • Checks basic interconnections among blocks
  • Looks for unexpected transactions between blocks
  • → Spec. verification by model checking

18
Simple definition of FV
  • Formal verification?
  • Application of logical reasoning to the
    development of digital systems
  • Logic is concerned with what is true and how we
    know whether something is true
  • Both the design and its specification are described
    in a language whose semantics are based on
    mathematical rigor, and the verification is then
    performed using symbolic manipulation

19
Value and cost of FV
  • Formal verification gives the ability to
  • Express specs precisely
  • Clearly define when an implementation meets the
    spec
  • Understand the spec and the implementation
  • Formal verification needs
  • Language for specifying desired properties
  • Mathematical model of a system
  • Method of proof to verify that the specified
    properties are satisfied

20
Formal model
  • Mathematical model for formal method
  • Requirement of formal model
  • Must be complete, representing all the essential
    aspects of the subject being modeled
  • Must be predictive
  • Conclusions drawn from the model must agree with
    observed results of the subject itself
  • Must be well-formed
  • Should not allow fallacious or ill-formed
    reasoning

21
Verification
  • Verification involves checking a satisfaction
    relation, usually written in the form of a sequent
  • M ⊨ F
  • where
  • M is a model (or implementation)
  • F is a property (or specification)
  • ⊨ is a relationship that should hold between M
    and F,
  • i.e. (M, F) ∈ ⊨
  • Logic is used to express the model, property, and
    relation, and valid arguments of the logic are
    used to deduce whether the relation holds for the
    particular model and particular property.

22
Verification
  • Verification involves
  • Specifying the model/system
  • Specifying the properties
  • Choosing the satisfaction relations
  • Checking the satisfaction relations
  • Language
  • Specifying something needs logic
  • Different logics give us different ways of
    expressing M and F and define the pairs that are
    members of ⊨

23
Logic
  • Logic
  • Logic is concerned with the form of arguments and
    the principles of valid inference.
  • Induction and deduction
  • Symbolic logic is a modern type of formal logic
    using special mathematical symbols for
    propositions, quantifiers, and relationships
    among propositions and concerned with the
    elucidation of permissible operations upon such
    symbols. (Webster dictionary)
  • Logic consists of
  • Syntax
  • Semantics
  • Proof procedure(s) (also called proof theory)

24
Logical reasoning
  • Example: If the train arrives late and there are
    no taxis at the station, then John is late for
    his meeting. John is not late for his meeting.
    The train did arrive late.
  • Question: Were there taxis at the station or not?
  • Answer: There were taxis at the station.

25
Logical reasoning
  • Symbolic description
  • p: The train is late
  • q: There are taxis at the station
  • r: John is late for his meeting
  • Valid argument
  • If p and not q then r
  • Not r
  • p
  • ∴ q

26
Various Logic Classes
  • Propositional logic
  • Predicate logic
  • Higher order logic
  • Temporal logic
  • Linear temporal logic (LTL)
  • Branching temporal logic (BTL)
  • Computation tree logic (CTL)
  • Many other variations (CTL*, ...)

27
1. Propositional logic
  • Invented by Boole
  • Syntax (well-formed formulae)
  • Two constant symbols T and F
  • Proposition letters (a, b, ...)
  • Propositional connectives (not (¬), and (∧), or (∨),
    → (implies), ↔ (if and only if))
  • Brackets
  • Semantics (truth tables)
  • Proof theory
  • Axiom systems
  • Natural deduction
  • Sequent calculus

28
Syntax (Well-formed formula)
  • Ill-formed formula
  • a(c?)b
  • Construction rule
  • The proposition letters, T, and F are atomic
    formulas.
  • If a is an atomic formula, then a is a formula.
  • If p and q are formulas, then each of the
    following is a formula:
  • (¬p), (p ∧ q), (p ∨ q), (p → q), (p ↔ q)

29
Semantics (truth table)
  • Two truth values Tr = {1, 0}
  • Range of the semantics function for propositional
    logic is {1, 0}
  • Operators
  • ¬: function from Tr to Tr
  • ∧, ∨, →, ↔: functions from (Tr × Tr) to Tr
  • Boolean valuation
  • The semantics of propositional logic
  • Mapping v from the set of propositional formulas
    to the set Tr meeting the conditions
  • v(T) = 1, v(F) = 0
  • v(¬p) = ¬(v(p))
  • for all the connectives v(p ∘ q) = v(p) ∘ v(q),
    where ∘ denotes any binary connective

30
Proof theory: axiom systems
  • Axioms
  • 1. A → (B → A)
  • 2. (A → (B → C)) → ((A → B) → (A → C))
  • 3. (¬A → ¬B) → (B → A)
  • Inference rule (modus ponens)
  • From A and A → B, B can be derived, where A and B
    are well-formed formulas
  • Ex) show (x → y) → (x → x) is a tautology
  • 1. x → (y → x) by axiom 1
  • 2. (x → (y → x)) → ((x → y) → (x → x)) by axiom 2
  • 3. (x → y) → (x → x) by the inference rule applied
    to 1 and 2

31
Proof theory: natural deduction (1/2)
  • Method
  • Make assumptions, and then discharge assumptions
  • Inference rules
  • And-introduction
  • Premises p, q
  • Conclusion p ∧ q
  • And-elimination
  • Premises p ∧ q
  • Conclusion p, q
  • Double negation-introduction
  • Premises p
  • Conclusion ¬¬p
  • Double negation-elimination
  • Premises ¬¬p
  • Conclusion p
  • Implies-introduction
  • Assumption p
  • Premises q
  • Conclusion p → q
  • Implies-elimination
  • Premises p, p → q
  • Conclusion q
  • Modus tollens
  • Premises p → q, ¬q
  • Conclusion ¬p
  • note) implies-introduction may use an assumption;
    its conclusion discharges that assumption

32
Proof theory: natural deduction (2/2)
  • Ex) (q → r) → ((¬q → ¬p) → (p → r))
  • 1. (q → r) assumption
  • 2. (¬q → ¬p) assumption
  • 3. p assumption
  • 4. ¬¬p double negation-introduction 3
  • 5. ¬¬q modus tollens 2, 4
  • 6. q double negation-elimination 5
  • 7. r implies-elimination 1, 6
  • 8. p → r implies-introduction 3, 7
  • 9. (¬q → ¬p) → (p → r) implies-introduction 2, 8
  • 10. (q → r) → ((¬q → ¬p) → (p → r))
    implies-introduction 1, 9
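Added example, not from the slides: a small Python checker that verifies the ten-line natural-deduction derivation above step by step using the rules of slide 31. The tuple notation for formulas, the rule names, and the simplified handling of discharged assumptions are my own.

```python
# Formulas as nested tuples (notation constructed for this example): 'p' | ('not', f) | ('imp', f, g).
# A proof is a list of (formula, rule, refs); refs are the 1-based numbers of the lines cited, as on the slide.
def neg(f):
    return ('not', f)
def imp(a, b):
    return ('imp', a, b)
ARITY = {'assumption': 0, 'dn-intro': 1, 'dn-elim': 1,
         'modus-tollens': 2, 'implies-elim': 2, 'implies-intro': 2}

def check_step(n, proof):
    """True if line n follows from the lines it cites by the rule it names."""
    formula, rule, refs = proof[n - 1]
    if rule not in ARITY or len(refs) != ARITY[rule] or not all(0 < i < n for i in refs):
        return False                                # unknown rule, wrong citation count, or forward reference
    got = [proof[i - 1][0] for i in refs]           # formulas of the cited lines
    if rule == 'assumption':                        # hypothesis, to be discharged later
        return True
    if rule == 'dn-intro':                          # p  |-  not not p
        return formula == neg(neg(got[0]))
    if rule == 'dn-elim':                           # not not p  |-  p
        return got[0] == neg(neg(formula))
    if rule == 'modus-tollens':                     # p -> q, not q  |-  not p
        return got[0][0] == 'imp' and got[1] == neg(got[0][2]) and formula == neg(got[0][1])
    if rule == 'implies-elim':                      # p -> q, p  |-  q (cited in either order)
        cond, ant = (got[0], got[1]) if got[0][0] == 'imp' else (got[1], got[0])
        return cond == imp(ant, formula)
    # implies-intro: assume p ... derive q  |-  p -> q.  Simplification: the assumption is
    # discharged by name only; a full checker would track which assumptions remain open.
    return proof[refs[0] - 1][1] == 'assumption' and formula == imp(got[0], got[1])

def check_proof(proof):
    """Numbers of the lines that fail; an empty list means the proof checks."""
    return [n for n in range(1, len(proof) + 1) if not check_step(n, proof)]

p, q, r = 'p', 'q', 'r'
SLIDE_PROOF = [                                     # slide 32, line by line
    (imp(q, r),           'assumption',    []),
    (imp(neg(q), neg(p)), 'assumption',    []),
    (p,                   'assumption',    []),
    (neg(neg(p)),         'dn-intro',      [3]),
    (neg(neg(q)),         'modus-tollens', [2, 4]),
    (q,                   'dn-elim',       [5]),
    (r,                   'implies-elim',  [1, 6]),
    (imp(p, r),           'implies-intro', [3, 7]),
    (imp(imp(neg(q), neg(p)), imp(p, r)), 'implies-intro', [2, 8]),
    (imp(imp(q, r), imp(imp(neg(q), neg(p)), imp(p, r))), 'implies-intro', [1, 9]),
]
```

Changing any citation or formula in SLIDE_PROOF makes check_proof report that line, which is how a mechanical proof checker catches a step the rules do not license.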

33
Satisfiability and Tautologies
  • Satisfiable
  • A formula a is satisfiable if there is a Boolean
    valuation v such that v(a) = 1.
  • Tautology
  • A propositional formula a is a tautology (also
    called valid) if v(a) = 1 for every Boolean
    valuation v.

34
Semantic entailment
  • F1, F2, F3 ⊨ G
  • means that if v(F1) = 1 and v(F2) = 1 and v(F3)
    = 1 then v(G) = 1
  • which is equivalent to saying
  • (F1 ∧ F2 ∧ F3) → G
  • is a tautology, i.e.,
  • (F1, F2, F3 ⊨ G) iff ((F1 ∧ F2 ∧ F3) → G) is a
    tautology

35
Example
  • p: The train is late
  • q: There are taxis at the station
  • r: John is late for his meeting
  • (p ∧ (¬q)) → r, ¬r, p ⊨ q
  • (((p ∧ (¬q)) → r) ∧ (¬r) ∧ (p)) → q
  • ¬((¬(p ∧ (¬q)) ∨ r) ∧ (¬r) ∧ (p)) ∨ q
  • ((p ∧ (¬q) ∧ (¬r)) ∨ r ∨ (¬p)) ∨ q
  • which is a tautology (one of the disjuncts is 1
    under every valuation), so the entailment holds

36
Consistency
  • If the set of premises of an implication is not
    consistent, it can be used to prove a
    contradiction, i.e.,
  • p, ¬p ⊢ q ∧ ¬q
  • or
  • F → F
  • "False implies anything" problem
  • First of all, the model (implementation) should be
    consistent

37
Need for another logic
  • Syllogism
  • Man is mortal
  • Socrates is a man
  • ∴ Socrates is mortal
  • Best way to describe these in propositional
    logic
  • a ∧ b → c
  • But not a tautology (the conclusion c cannot be
    represented in terms of a and b)
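Added example, not from the slides: Python code implementing the Boolean valuation of slide 29 and using it to check the satisfiability and tautology definitions of slide 33, the entailment of slide 34 on the train example of slide 35, the axiom-system result of slide 30, the inconsistent premises of slide 36, and the syllogism of slide 37. The tuple notation for formulas is my own.

```python
from itertools import product
# Formulas as nested tuples (notation constructed for this example):
#   'p' | ('not', f) | ('and', f, g) | ('or', f, g) | ('imp', f, g) | ('iff', f, g)
OPS = {'and': lambda a, b: a & b, 'or': lambda a, b: a | b,
       'imp': lambda a, b: (1 - a) | b, 'iff': lambda a, b: int(a == b)}

def atoms(f):
    """Proposition letters occurring in f."""
    return {f} if isinstance(f, str) else set().union(*(atoms(s) for s in f[1:]))

def value(f, v):
    """Extend a Boolean valuation v (letter -> 1/0) to a whole formula, as on
    slide 29: v(not p) = not v(p), and v(p o q) = v(p) o v(q) for each connective o."""
    if isinstance(f, str):
        return v[f]
    if f[0] == 'not':
        return 1 - value(f[1], v)
    return OPS[f[0]](value(f[1], v), value(f[2], v))

def valuations(letters):
    """All 2^n Boolean valuations over the given letters."""
    letters = sorted(letters)
    return [dict(zip(letters, bits)) for bits in product((0, 1), repeat=len(letters))]

def satisfiable(f):                # slide 33: some valuation gives 1
    return any(value(f, v) == 1 for v in valuations(atoms(f)))
def tautology(f):                  # slide 33: every valuation gives 1
    return all(value(f, v) == 1 for v in valuations(atoms(f)))

def counterexample(f):
    """A valuation falsifying f, or None when f is a tautology."""
    return next((v for v in valuations(atoms(f)) if value(f, v) == 0), None)

def entails(premises, conclusion):
    """Slide 34: F1, ..., Fn entail G if every valuation giving all Fi 1 gives G 1."""
    letters = atoms(conclusion).union(*(atoms(f) for f in premises))
    return all(value(conclusion, v) == 1 for v in valuations(letters)
               if all(value(f, v) == 1 for f in premises))

# Slides 25 and 35: p = train late, q = taxis at station, r = John late.
P1 = ('imp', ('and', 'p', ('not', 'q')), 'r')
TRAIN_ENTAILMENT = entails([P1, ('not', 'r'), 'p'], 'q')
# Slide 34: the same entailment stated as a tautology of one implication.
TRAIN_TAUTOLOGY = tautology(('imp', ('and', ('and', P1, ('not', 'r')), 'p'), 'q'))
# Slide 30: (x -> y) -> (x -> x), derived there from the axioms, is a tautology.
AXIOM_EXAMPLE = tautology(('imp', ('imp', 'x', 'y'), ('imp', 'x', 'x')))
# Slide 37: a ^ b -> c is satisfiable, but counterexample() finds a = b = 1, c = 0.
SYLLOGISM = ('imp', ('and', 'a', 'b'), 'c')
# Slide 36: inconsistent premises entail anything (no valuation satisfies p and not p).
INCONSISTENT = entails(['p', ('not', 'p')], 'q')
```

Exhaustive enumeration of valuations is exactly the finite-state reasoning model checking automates; counterexample() plays the role of the counter-example slide 14 mentions.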

38
2. Predicate logic
  • Invented by Gottlob Frege
  • Also called first order logic
  • Syntax
  • Constants, variables x, y, ...
  • Functions, predicates
  • Logical connectives
  • Quantifiers
  • Punctuation: , (enumeration), . (such that)
  • Semantics
  • Interpretation, Valuation
  • Proof theory
  • axiom systems, natural deduction, sequent calculus

39
Quantifiers
  • Universal quantification (∀): for all
  • Corresponds to a finite or infinite conjunction of
    the application of the predicate to all elements
    of the domain.
  • Existential quantification (∃): there exist(s)
  • Corresponds to a finite or infinite disjunction of
    the application of the predicate to all elements
    of the domain.
  • Relationship between ∀ and ∃
  • ¬∀x.P(x) is the same as ∃x.¬P(x)
  • ¬∃x.P(x) is the same as ∀x.¬P(x)

40
Historical comment
  • Hardware verification work based on first-order
    logic
  • Wagner (1977), Pitchumani and Stabler (1982),
    Hanes (1983), Wojcik (1983), Suzuki (1984),
    Hunt (1987)
  • Boyer-Moore theorem prover (1979)
  • Quantifier-free first-order logic with equality

41
3. Higher-order logic
  • First-order logic
  • Only quantifies over variables
  • Higher-order logic
  • Also quantifies over functions and predicates
  • Uses special function-denoting terms
  • λ-expressions, which are terms in the λ-calculus
  • Ex) Induction principle
  • ∀P.(P(0) ∧ (∀n.P(n) → P(n+1))) → ∀n.P(n)
  • Zero-order logic
  • Propositional logic can be regarded as zero-order
    logic

42
λ-calculus
  • Invented by Alonzo Church
  • Basic λ-expression
  • λx1 x2 ... xn. e
  • x1, x2, ..., xn: parameters of the function
  • e: expression which computes the value of the
    function in terms of the parameters x1, x2, ..., xn
  • Simple example
  • λxy. x + y
  • (λxy. x + y) 2 3 = 2 + 3 = 5