경종민 [email protected]
Formal verification (1)
Functional verification
• Simulation
• Emulation
  – Emulator (general purpose)
  – FPGA prototyping (specific application)
• Semi-formal verification
  – Coverage measurement
  – Test generation
  – Symbolic simulation
• Formal verification
  – Equivalence checking
  – Theorem proving
  – Model checking
Simulation
• Definition
  – Representation of the operation or features of one process or system through the use of another
• Description level
  – RT level, gate level, switch level, circuit level …
• Simulation engine
  – Event driven vs. cycle based
  – Compiled code vs. interpretive
• Advantage
  – Can make a trade-off between execution time and completeness
• Disadvantage
  – Needs an input generator and an output checker (or manual generation and checking)
Emulation
• Definition
  – Imitating the function of (another system), as by modifications to hardware or software that allow the imitating system to accept the same data, execute the same programs, and achieve the same results as the imitated system
• Advantage
  – Can check the design in its real environment
  – Faster than simulation
• Disadvantage
  – Hard to build the whole system
  – Needs a fixed environment
  – Hard to debug
• Simulation- or emulation-based testing can reveal the presence of bugs but can never assure their absence (Dijkstra, 1970s).
SFV: Coverage measurement (1/3)
• Objective
  – Increase the probability of bug detection by checking the ‘quality’ (coverage) of the stimulus
• Advantage
  – Easy to apply
  – Good guide for generating input stimulus
• Disadvantage
  – Many metrics, but no good model of design errors
SFV: Coverage measurement (2/3)
• Kinds of metrics
  – Code-based metrics
    • Line/code block coverage
    • Branch/conditional coverage
    • Path coverage
  – Circuit structure based metrics
    • Toggle coverage
    • Register activity
  – State-space based metrics
    • Pair-arcs: usually covered by line + condition coverage
  – Spec-based metrics
    • Percentage of specifications satisfied
SFV: Coverage measurement (3/3)
• Available tools
  – VeriCover (Veritools)
  – SureCov (Verisity)
  – Coverscan (Cadence)
  – HDLScore, VeriCov (Summit Design)
  – HDLCover, VeriSure (TransEDA)
  – Polaris (Avant!, now Synopsys)
  – Covermeter (Synopsys)
SFV: Test generation
• Objective
  – Automatically generate input stimulus to increase test coverage
• Kinds
  – ATPG methods
  – Dynamic formal, or ABV (assertion-based verification) (‘0-in search’ from 0-in Design Automation, Inc.; refer to www.0-in.com)
• Advantage
  – High productivity
• Disadvantage
  – Needs a result checker
• Ex) ‘assertion’ statement in 0-in search
  – No constrained inputs
    • Generally, ATPG-generated inputs may or may not meet the input constraints
SFV: Symbolic simulation
• Objective
  – Compute an expression instead of a value
• Advantage
  – More coverage per simulation
• Disadvantage
  – Not good with state machines
  – Does not support temporal logic
• Industrial success story
  – Symbolic trajectory evaluation
    • Tackles switch-level design (Randal E. Bryant – COSMOS)
FV: Equivalence checking
• Objective
  – Checks the equivalence of two models
    • RTL vs. gate
    • Before optimization vs. after optimization
    • Before test insertion vs. after
    • Reference model vs. implementation
• Advantage
  – Guarantees functional equivalence of the two models for all input values
• Disadvantage
  – Needs a golden reference model
  – Targets implementation errors rather than design bugs
FV: Theorem proving
• Deductive verification
  – Use axioms and proof rules to model the system (formal system).
  – State the property to be verified as a theorem of this formal system.
  – Derive this theorem with the help of a theorem prover, which generates rules derivable from the axioms and premises.
  – Useful for verifying algorithms
• Industrial success story
  – AMD K7 floating-point verification
  – Intel instruction decoder verification
• Disadvantage
  – Very hard to automate.
  – Requires user interaction.
  – Deriving the formal system can be quite cumbersome.
  – Requires an expert to use the theorem prover.
FV: Model checking
• Objective
  – Check properties of a model under all possible conditions
• Advantage
  – Can be fully automated
  – If the property does not hold, a counter-example is generated
  – Relatively easy to use
• Problem
  – Works (well) only for finite-state systems.
  – Needs abstraction or extraction
    • Both tend to cause errors
  – Engineers are not always happy to use temporal logic, which is used for ‘property’ description in MC.
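The model-checking loop the slide describes, as an added example (not from the lecture): a constructed two-process lock model plays the role of the finite-state model M, the invariant "never both in the critical section" is the property, and breadth-first search over every reachable state either proves the invariant or returns the shortest counter-example trace. The non-atomic variant has a check-then-act race, so the checker finds a trace; the atomic test-and-set variant is proved safe. The model, state encoding and function names are all constructed for this example.

```python
"""Explicit-state model checking of a safety property (added example, not from
the lecture).  M = finite state machine (initial state + successor function);
the property = an invariant that every reachable state must satisfy."""
from collections import deque

def check_invariant(initial, successors, invariant):
    """Return None if all reachable states satisfy `invariant`, otherwise the
    shortest path of states from `initial` to a violating state (the counter-example)."""
    parent = {initial: None}          # also serves as the visited set
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while s is not None:      # walk parent links back to the initial state
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None                       # every reachable state satisfies the property

# Constructed model: two processes competing for one lock.
# State = (pc0, pc1, lock), pc in {"idle", "checked", "critical"}, lock in {0, 1}.
INITIAL = ("idle", "idle", 0)

def step_process(state, i, atomic):
    """Successor states produced by process i.  With atomic=False the process
    reads the lock and later sets it in a separate step (a check-then-act race);
    with atomic=True the test-and-set is a single transition."""
    pcs, lock, out = list(state[:2]), state[2], []
    if pcs[i] == "idle" and lock == 0:
        if atomic:
            pcs[i] = "critical"; out.append((pcs[0], pcs[1], 1))
        else:
            pcs[i] = "checked";  out.append((pcs[0], pcs[1], lock))
    elif pcs[i] == "checked":          # acts on the stale observation "lock was free"
        pcs[i] = "critical"; out.append((pcs[0], pcs[1], 1))
    elif pcs[i] == "critical":
        pcs[i] = "idle";     out.append((pcs[0], pcs[1], 0))
    return out

def successors(atomic):
    """All interleavings: either process may take the next step."""
    return lambda s: step_process(s, 0, atomic) + step_process(s, 1, atomic)

def mutual_exclusion(state):
    """The property: the two processes are never in the critical section together."""
    return not (state[0] == "critical" and state[1] == "critical")

def racy_counterexample():
    return check_invariant(INITIAL, successors(atomic=False), mutual_exclusion)

def atomic_is_safe():
    return check_invariant(INITIAL, successors(atomic=True), mutual_exclusion) is None

if __name__ == "__main__":
    for s in racy_counterexample():
        print(s)
    print("atomic version safe:", atomic_is_safe())
```

The trace returned for the racy variant is the four-step interleaving in which both processes observe the lock free before either sets it; reading it off the counter-example is what makes the result actionable, as the slide notes, without having to write a temporal-logic formula for this simple invariant.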
Verification in SoC design (1/3)
[Block diagram: an embedded processor (IP), a peripheral (IP), a custom-designed peripheral, a memory interface, memory and two external devices, all connected through a custom-designed interconnection]
• Too big to verify the whole system
• Already verified IPs
Verification in SoC design (2/3)
• Divide-and-conquer
[Block diagram: the custom-designed peripheral and the custom-designed interconnection are kept, the other blocks are replaced by abstract models, the external device by an external device model, and the interconnection by an interconnection model or abstract model]
  – Verify the interconnection model by using abstract IP models (check only transaction operation)
  – Verify the custom-designed block, and check its spec against the interconnection model
Verification in SoC design (3/3)
• Summary
  – Divide-and-conquer
  – Does not verify individual blocks
    • Too big to verify the whole system
    • Already verified IPs
  – Checks basic interconnections among blocks
  – Looks for unexpected transactions between blocks
• Spec. verification by model checking
Simple definition of FV
• Formal verification?
  – Application of logical reasoning to the development of digital systems
    • Logic is concerned with what is true and how we know whether something is true
  – Both the design and its specification are described in a language whose semantics are based on mathematical rigor, and the verification is then performed using symbolic manipulation
Value and cost of FV
• Formal verification gives the ability to
  – Express specs precisely
  – Clearly define when an implementation meets the spec
  – Understand the spec and the implementation
• Formal verification needs
  – A language for specifying desired properties
  – A mathematical model of a system
  – A method of proof to verify that the specified properties are satisfied
Formal model
• Mathematical model for formal methods
• Requirements of a formal model
  – Must be complete, representing all the essential aspects of the subject being modeled
  – Must be predictive
    • Conclusions from the model = observation results of the subject itself
  – Must be well-formed
    • Should not allow fallacious or ill-formed reasoning
Verification
• Verification involves checking a satisfaction relation, usually in the form of a sequent
  M ╞ φ
  where
  – M is a model (or implementation)
  – φ is a property (or specification)
  – ╞ is a relationship that should hold between M and φ, i.e. the pair (M, φ) is a member of ╞
• Logic is used to express the model, the property, and the relation, and valid arguments of the logic are used to deduce whether the relation holds for the particular model and particular property.
Verification
• Verification involves
  – Specifying the model/system
  – Specifying the properties
  – Choosing the satisfaction relations
  – Checking the satisfaction relations
• Language
  – Specifying something needs logic
  – Different logics give us different ways of expressing M and φ, and define which pairs are members of ╞
Logic
• Logic
  – Logic is concerned with the form of arguments and the principles of valid inference.
  – Induction and deduction
  – Symbolic logic is a modern type of formal logic using special mathematical symbols for propositions, quantifiers, and relationships among propositions, and concerned with the elucidation of permissible operations upon such symbols. (Webster dictionary)
• Logic consists of
  – Syntax
  – Semantics
  – Proof procedure(s) (also called proof theory)
Logical reasoning
• Example: If the train arrives late and there are no taxis at the station, then John is late for his meeting. John is not late for his meeting. The train did arrive late.
  – Question: Were there taxis at the station or not?
  – Answer: There were taxis at the station.
Logical reasoning
• Symbolic description
  – p : The train is late
  – q : There are taxis at the station
  – r : John is late for his meeting
• Valid argument
  If p and not q then r
  Not r
  p
  Therefore, q
Various logic classes
1. Propositional logic
2. Predicate logic
3. Higher-order logic
4. Temporal logic
  – Linear temporal logic (LTL)
  – Branching temporal logic (BTL)
    • Computation tree logic (CTL)
    • Many other variations (CTL*, CTL+, …)
1. Propositional logic
• Invented by Boole
• Syntax (well-formed formulae)
  – Two constant symbols: T and F
  – Proposition letters (a, b, …)
  – Propositional connectives (not (~), and (&), or (|), ⇒, ⇔)
  – Brackets
• Semantics (truth tables)
• Proof theory
  – Axiom systems
  – Natural deduction
  – Sequent calculus
Syntax (well-formed formula)
• Ill-formed formula
  – a(&c⇒)b
• Construction rules
  – The proposition letters, T, and F are atomic formulas.
  – If a is an atomic formula, then a is a formula.
  – If p and q are formulas, then each of the following is a formula:
    • (~p), (p & q), (p | q), (p ⇒ q), (p ⇔ q)
Semantics (truth table)
• Two truth values Tr = {1, 0}
  – The range of the semantics function for propositional logic is {1, 0}
• Operators
  – ~ : function from Tr to Tr
  – &, |, ⇒, ⇔ : functions from (Tr × Tr) to Tr
• Boolean valuation
  – The semantics of propositional logic
  – A mapping v from the set of propositional formulas to the set Tr meeting the conditions:
    • v(T) = 1, v(F) = 0
    • v(~p) = ~(v(p))
    • for all the connectives: v(p ⊙ q) = v(p) ⊙ v(q), where ⊙ denotes any binary connective
Proof theory – axiom systems
• Axioms
  1. A ⇒ (B ⇒ A)
  2. (A ⇒ (B ⇒ C)) ⇒ ((A ⇒ B) ⇒ (A ⇒ C))
  3. (~A ⇒ ~B) ⇒ (B ⇒ A)
• Inference rule
  1. From A and A ⇒ B, B can be derived, where A and B are well-formed formulas
• Ex) Show that (x ⇒ y) ⇒ (x ⇒ x) is a tautology
  x ⇒ (y ⇒ x) : by axiom 1
  (x ⇒ (y ⇒ x)) ⇒ ((x ⇒ y) ⇒ (x ⇒ x)) : by axiom 2
  (x ⇒ y) ⇒ (x ⇒ x) : by inference rule 1
Proof theory – natural deduction (1/2)
• Method
  – Make assumptions, and then discharge the assumptions
  – Inference rules
    • And-introduction
      – Premises: p, q
      – Conclusion: p & q
    • And-elimination
      – Premises: p & q
      – Conclusion: p, q
    • Double negation-introduction
      – Premises: p
      – Conclusion: ~~p
    • Double negation-elimination
      – Premises: ~~p
      – Conclusion: p
    • Implies-introduction
      – Assumption: p
      – Premises: q
      – Conclusion: p ⇒ q
    • Implies-elimination
      – Premises: p, p ⇒ q
      – Conclusion: q
    • Modus tollens
      – Premises: p ⇒ q, ~q
      – Conclusion: ~p
  – Note) implies-introduction may use an assumption, and its conclusion discharges that assumption
Proof theory – natural deduction (2/2)
• Ex) (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r))
  1. (q ⇒ r) : assumption
  2. (~q ⇒ ~p) : assumption
  3. p : assumption
  4. ~~p : double negation-introduction 3
  5. ~~q : modus tollens 2, 4
  6. q : double negation-elimination 5
  7. r : implies-elimination 1, 6
  8. p ⇒ r : implies-introduction 3, 7
  9. (~q ⇒ ~p) ⇒ (p ⇒ r) : implies-introduction 2, 8
  10. (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r)) : implies-introduction 1, 9
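A checker for the ten-line proof above, added here as an example (not part of the lecture). It implements the rules of the previous slide together with the assumption scoping that implies-introduction requires: once an assumption is discharged, no line derived under it may be cited again, which is what turns a list of formulas into a checked proof rather than a claim. The tuple encoding of formulas and the rule names are this example's own conventions.

```python
"""Natural-deduction proof checker (added example, not from the lecture).
Formulas are nested tuples; a proof is a list of (formula, rule, refs) steps
with 1-based line references, written exactly as the slide writes them."""

def V(name):   return ("var", name)
def Not(a):    return ("not", a)
def And(a, b): return ("and", a, b)
def Imp(a, b): return ("imp", a, b)

class ProofError(Exception):
    """A step is not justified by the cited rule and lines."""

def check_proof(steps):
    """Check every step; return the last formula (the theorem) if all are justified.

    Each line records which assumptions were open when it was written.  A line
    may be cited only while that record is a prefix of the currently open
    assumptions, so after implies-introduction discharges an assumption, every
    line that depended on it goes out of scope."""
    lines = []   # (formula, open assumptions at that line)
    stack = []   # line numbers of currently open assumptions, innermost last

    for n, (phi, rule, refs) in enumerate(steps, start=1):
        scope = tuple(stack)

        def cite(k):
            if not 1 <= k < n:
                raise ProofError(f"line {n}: reference to line {k} is invalid")
            f, opened = lines[k - 1]
            if opened != scope[:len(opened)]:
                raise ProofError(f"line {n}: line {k} lies under a discharged assumption")
            return f

        ok = False
        if rule == "assumption":
            stack.append(n)
            scope = tuple(stack)
            ok = True
        elif rule == "and-intro":
            a, b = map(cite, refs)
            ok = phi == And(a, b)
        elif rule == "and-elim":
            a = cite(refs[0])
            ok = a[0] == "and" and phi in (a[1], a[2])
        elif rule == "dn-intro":
            ok = phi == Not(Not(cite(refs[0])))
        elif rule == "dn-elim":
            ok = cite(refs[0]) == Not(Not(phi))
        elif rule == "imp-intro":
            a, c = refs                       # a: the assumption line, c: what was derived from it
            if not stack or stack[-1] != a:
                raise ProofError(f"line {n}: line {a} is not the innermost open assumption")
            fa, fc = cite(a), cite(c)
            stack.pop()                       # discharge the assumption
            scope = tuple(stack)
            ok = phi == Imp(fa, fc)
        elif rule == "imp-elim":
            a, b = map(cite, refs)            # either order: (p ⇒ q, p) or (p, p ⇒ q)
            ok = (a[0] == "imp" and a[1] == b and a[2] == phi) or \
                 (b[0] == "imp" and b[1] == a and b[2] == phi)
        elif rule == "modus-tollens":
            a, b = map(cite, refs)            # a: p ⇒ q, b: ~q, phi: ~p
            ok = a[0] == "imp" and b == Not(a[2]) and phi == Not(a[1])
        else:
            raise ProofError(f"line {n}: unknown rule {rule!r}")
        if not ok:
            raise ProofError(f"line {n}: {rule} does not justify {phi}")
        lines.append((phi, scope))

    if stack:
        raise ProofError(f"assumptions on lines {stack} were never discharged")
    return lines[-1][0]

p, q, r = V("p"), V("q"), V("r")

# The slide's proof, line for line.
SLIDE_PROOF = [
    (Imp(q, r),                                              "assumption",    ()),
    (Imp(Not(q), Not(p)),                                    "assumption",    ()),
    (p,                                                      "assumption",    ()),
    (Not(Not(p)),                                            "dn-intro",      (3,)),
    (Not(Not(q)),                                            "modus-tollens", (2, 4)),
    (q,                                                      "dn-elim",       (5,)),
    (r,                                                      "imp-elim",      (1, 6)),
    (Imp(p, r),                                              "imp-intro",     (3, 7)),
    (Imp(Imp(Not(q), Not(p)), Imp(p, r)),                    "imp-intro",     (2, 8)),
    (Imp(Imp(q, r), Imp(Imp(Not(q), Not(p)), Imp(p, r))),    "imp-intro",     (1, 9)),
]

def theorem_from_slide():
    return check_proof(SLIDE_PROOF)

def rejects_discharged_reference():
    """Citing an assumption after it has been discharged must be rejected."""
    bad = [(p, "assumption", ()), (Imp(p, p), "imp-intro", (1, 1)), (Not(Not(p)), "dn-intro", (1,))]
    try:
        check_proof(bad)
        return False
    except ProofError:
        return True
```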
Satisfiability and tautologies
• Satisfiable
  – A formula a is satisfiable if there is a Boolean valuation v such that v(a) = 1.
• Tautology
  – A propositional formula a is a tautology (also called valid) if v(a) = 1 for every Boolean valuation v.
Semantic entailment
• φ₁, φ₂, φ₃ ╞ Ψ
  means that if v(φ₁) = 1 and v(φ₂) = 1 and v(φ₃) = 1 then v(Ψ) = 1,
  which is equivalent to saying that
  (φ₁ & φ₂ & φ₃) ⇒ Ψ
  is a tautology, i.e., (φ₁, φ₂, φ₃ ╞ Ψ) ≡ ((φ₁ & φ₂ & φ₃) ⇒ Ψ)
Example
  – p : The train is late
  – q : There are taxis at the station
  – r : John is late for his meeting
  (p & (~q)) ⇒ r, ~r, p ╞ q
  i.e. the following is a tautology:
  (((p & (~q)) ⇒ r) & (~r) & p) ⇒ q
  = ~((~(p & (~q)) | r) & (~r) & p) | q
  = (p & (~q) & (~r)) | r | (~p) | q
Consistency
• If the set of premises of an implication is not consistent, they can be used to prove a contradiction, i.e.,
  p, ~p ╞ q & ~q
  or
  F ⇒ F
• The ‘false implies anything’ problem
  – First of all, the model (implementation) should be consistent
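The truth-table semantics, the satisfiability and tautology definitions, semantic entailment, the train example and the consistency remark above, worked as one added example (not from the lecture): a small evaluator over nested-tuple formulas that enumerates every Boolean valuation of the letters involved. It checks the train example both as an entailment and as the equivalent tautology, confirms that (x ⇒ y) ⇒ (x ⇒ x) from the axiom-system slide is valid, and shows that the inconsistent premises p, ~p entail q & ~q while p & ~p itself is unsatisfiable. The tuple encoding and the function names are this example's own conventions.

```python
"""Propositional semantics by exhaustive truth tables (added example, not from the lecture).
Formulas are nested tuples: ("var", name), ("const", 1/0), ("not", a), ("and", a, b), ..."""
from itertools import product

def V(name):   return ("var", name)
T, F = ("const", 1), ("const", 0)          # the two constant symbols of the syntax
def Not(a):    return ("not", a)
def And(a, b): return ("and", a, b)
def Or(a, b):  return ("or", a, b)
def Imp(a, b): return ("imp", a, b)
def Iff(a, b): return ("iff", a, b)

def letters(f):
    """Proposition letters occurring in f."""
    if f[0] == "const": return set()
    if f[0] == "var":   return {f[1]}
    return set().union(*(letters(g) for g in f[1:]))

def value(f, v):
    """Boolean valuation: extend v (letters -> {1, 0}) to the whole formula by the truth tables."""
    op = f[0]
    if op == "const": return f[1]
    if op == "var":   return v[f[1]]
    if op == "not":   return 1 - value(f[1], v)
    a, b = value(f[1], v), value(f[2], v)
    return {"and": a & b, "or": a | b, "imp": (1 - a) | b, "iff": int(a == b)}[op]

def valuations(formulas):
    """Every assignment of {1, 0} to the letters of the given formulas (2^n rows)."""
    names = sorted(set().union(*(letters(f) for f in formulas)))
    for bits in product((1, 0), repeat=len(names)):
        yield dict(zip(names, bits))

def is_satisfiable(f):
    return any(value(f, v) == 1 for v in valuations([f]))

def is_tautology(f):
    return all(value(f, v) == 1 for v in valuations([f]))

def entails(premises, conclusion):
    """Semantic entailment: every valuation making all premises 1 makes the conclusion 1."""
    return all(value(conclusion, v) == 1
               for v in valuations(premises + [conclusion])
               if all(value(g, v) == 1 for g in premises))

def conjoin(formulas):
    c = formulas[0]
    for g in formulas[1:]:
        c = And(c, g)
    return c

p, q, r, x, y = (V(n) for n in "pqrxy")

def train_example():
    """(p & ~q) ⇒ r, ~r, p ╞ q, and the equivalent tautology (premises conjoined) ⇒ q."""
    premises = [Imp(And(p, Not(q)), r), Not(r), p]
    return entails(premises, q), is_tautology(Imp(conjoin(premises), q))

def axiom_example():
    """(x ⇒ y) ⇒ (x ⇒ x), derived from the axioms on the earlier slide, is a tautology."""
    return is_tautology(Imp(Imp(x, y), Imp(x, x)))

def inconsistent_premises():
    """p, ~p entail q & ~q ('false implies anything'), and p & ~p is unsatisfiable."""
    return entails([p, Not(p)], And(q, Not(q))), is_satisfiable(And(p, Not(p)))
```

The entailment check is the semantic side of what the natural-deduction proof does syntactically: it is exhaustive, so it scales as 2^n in the number of letters, which is why the deck moves on to proof systems and, later, to SAT-based and symbolic methods.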
Need for another logic
• Syllogism
  – Man is mortal
  – Socrates is a man
  – Therefore, Socrates is mortal
• The best way to describe these in propositional logic is
  a & b ⇒ c
  but this is not a tautology (∵ ‘c’ cannot be represented as some form of a, b).
2. Predicate logic
• Invented by Gottlob Frege
• Also called “first-order logic”
• Syntax
  – Constants; variables x, y, ...
  – Functions, predicates
  – Logical connectives
  – Quantifiers
  – Punctuation: , (enumeration) . (‘such that’)
• Semantics
  – Interpretation, valuation
• Proof theory
  – Axiom systems, natural deduction, sequent calculus
Quantifiers
• Universal quantification (∀): ‘for all’
  – Corresponds to a finite or infinite conjunction of the application of the predicate to all elements of the domain.
• Existential quantification (∃): ‘there exist(s)’
  – Corresponds to a finite or infinite disjunction of the application of the predicate to all elements of the domain.
• Relationship between ∀ and ∃
  – ∃x.P(x) is the same as ~∀x.~P(x)
  – ∀x.P(x) is the same as ~∃x.~P(x)
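The quantifier definitions above and the Socrates syllogism from the previous slide, as an added example (not from the lecture): over a constructed finite domain, ∀ is evaluated as the conjunction and ∃ as the disjunction the slide describes, the two duality laws are checked for every unary predicate on that domain, and the syllogism is checked valid in every interpretation of Man and Mortal, which is exactly the structure the propositional encoding a & b ⇒ c throws away. The domain, the individual names and the predicate names are constructed for this example.

```python
"""Quantifiers over a finite domain (added example, not from the lecture).
∀ is the conjunction and ∃ the disjunction of the predicate over the domain."""
from itertools import product

DOMAIN = ("socrates", "plato", "a_rock")   # constructed finite domain of individuals

def forall(domain, pred):
    """∀x.P(x): conjunction of P(d) over every d in the domain."""
    return all(pred(d) for d in domain)

def exists(domain, pred):
    """∃x.P(x): disjunction of P(d) over every d in the domain."""
    return any(pred(d) for d in domain)

def all_unary_predicates(domain):
    """Every interpretation of a unary predicate symbol: one per subset of the domain."""
    for bits in product((False, True), repeat=len(domain)):
        table = dict(zip(domain, bits))
        yield (lambda d, table=table: table[d])

def duality_holds(domain):
    """Check ∃x.P(x) == ~∀x.~P(x) and ∀x.P(x) == ~∃x.~P(x) for every P on the domain."""
    for P in all_unary_predicates(domain):
        if exists(domain, P) != (not forall(domain, lambda d: not P(d))):
            return False
        if forall(domain, P) != (not exists(domain, lambda d: not P(d))):
            return False
    return True

def syllogism_valid(domain, individual="socrates"):
    """Every interpretation of Man and Mortal that satisfies the premises
    ∀x.(Man(x) ⇒ Mortal(x)) and Man(socrates) also satisfies Mortal(socrates)."""
    for man in all_unary_predicates(domain):
        for mortal in all_unary_predicates(domain):
            all_men_mortal = forall(domain, lambda d: (not man(d)) or mortal(d))
            if all_men_mortal and man(individual) and not mortal(individual):
                return False           # a counter-model would refute the syllogism
    return True
```

On an infinite domain the same definitions read as infinite conjunction and disjunction and can no longer be checked by enumeration; that is the point at which proof rules for the quantifiers, rather than truth tables, are needed.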
Historical comment
• Hardware verification work based on first-order logic
  – Wagner (1977), Pitchumani and Stabler (1982), Hanes (1983), Wojcik (1983), Suzuki (1984), Hunt (1987)
• Boyer-Moore theorem prover (1979)
  – Quantifier-free first-order logic with equality
3. Higher-order logic
• First-order logic
  – Quantifies only over variables
• Higher-order logic
  – Also quantifies over functions and predicates
  – Uses special function-denoting terms
    • λ-expressions, which are terms in the λ-calculus
  – Ex) Induction principle
    • ∀P.(P(0) & (∀n.P(n) ⇒ P(n+1))) ⇒ ∀n.P(n)
• Zero-order logic
  – Propositional logic can be regarded as zero-order logic