경종민 [email protected] 1 Formal Verification(1).


Functional verification
• Simulation
• Emulation
  – Emulator (general purpose)
  – FPGA prototyping (specific application)
• Semi-formal verification
  – Coverage measurement
  – Test generation
  – Symbolic simulation
• Formal verification
  – Equivalence checking
  – Theorem proving
  – Model checking

Simulation
• Definition
  – Representation of the operation or features of one process or system through the use of another
• Description level
  – RT level, gate level, switch level, circuit level …
• Simulation engine
  – Event driven vs. cycle based
  – Compiled code vs. interpretive
• Advantage
  – Can make a trade-off between execution time and completeness
• Disadvantage
  – Needs an input generator and an output checker (or manual generation and checking)

Emulation
• Definition
  – Imitating the function of another system, as by modifications to hardware or software that allow the imitating system to accept the same data, execute the same programs, and achieve the same results as the imitated system
• Advantage
  – Can check the design in a real environment
  – Faster than simulation
• Disadvantage
  – Hard to build the whole system
  – Needs a fixed environment
  – Hard to debug
• Simulation- or emulation-based testing can reveal the presence of bugs but can never assure the absence of bugs (Dijkstra, 1970s).

SFV (semi-formal verification): Coverage measurement (1/3)
• Objective
  – Increase the probability of bug detection by checking the ‘quality’ (coverage) of the stimulus
• Advantage
  – Easy to apply
  – Good guide for generating input stimulus
• Disadvantage
  – Many metrics, but no good model for design errors

SFV: Coverage measurement (2/3)
• Kinds of metrics
  – Code-based metrics
    • Line/code block coverage
    • Branch/conditional coverage
    • Path coverage
  – Circuit-structure-based metrics
    • Toggle coverage
    • Register activity
  – State-space-based metrics
    • Pair-arcs: usually covered by line + condition coverage
  – Spec-based metrics
    • Percentage of specifications satisfied

SFV: Coverage measurement (3/3)
• Available tools
  – VeriCover (Veritools)
  – SureCov (Verisity)
  – Coverscan (Cadence)
  – HDLScore, VeriCov (Summit Design)
  – HDLCover, VeriSure (TransEDA)
  – Polaris (Avant!, now Synopsys)
  – Covermeter (Synopsys)

SFV: Test generation
• Objective
  – Automatically generate input stimulus to increase test coverage
• Kinds
  – ATPG methods
  – Dynamic formal, or ABV (assertion-based verification) (‘0-in search’ from 0-in Design Automation, Inc.; refer to www.0-in.com)
• Advantage
  – High productivity
• Disadvantage
  – Needs a result checker
    • Ex) the ‘assertion’ statement in 0-in search
  – No constrained inputs
    • In general, ATPG-generated inputs may or may not meet the input constraints

State space vs. search space
(figure: the part of the state space searched by simulation, by dynamic formal verification (0-in), and by formal verification)

SFV: Symbolic simulation
• Objective
  – Compute an expression instead of a value
• Advantage
  – More coverage per simulation
• Disadvantage
  – Not good with state machines
  – Does not support temporal logic
• Industrial success story
  – Symbolic trajectory evaluation
    • Tackles switch-level design (Randal E. Bryant – COSMOS)

FV: Equivalence checking
• Objective
  – Check the equivalence of two models
    • RTL vs. gate
    • Before optimization vs. after optimization
    • Before test insertion vs. after
    • Reference model vs. implementation
• Advantage
  – Guarantees functional equivalence of the two models for all input values
• Disadvantage
  – Needs a golden reference model
  – Targets implementation errors rather than design bugs

FV: Theorem proving
• Deductive verification
  – Use axioms and proof rules to model the system (formal system).
  – State the property to be verified as a theorem of this formal system.
  – Derive this theorem with the help of a theorem prover, which generates rules derivable from the axioms and premises.
  – Useful for verifying algorithms
• Industrial success story
  – AMD K7 floating-point verification
  – Intel instruction decoder verification
• Disadvantage
  – Very hard to automate.
  – Requires user interaction.
  – Deriving the formal system can be quite cumbersome.
  – Requires an expert to use the theorem prover.

FV: Model checking
• Objective
  – Check properties of the model under all possible conditions
• Advantage
  – Can be fully automated
  – If the property does not hold, a counter-example is generated
  – Relatively easy to use
• Problem
  – Works (well) only for finite-state systems.
  – Needs abstraction or extraction
    • Both tend to cause errors
  – Engineers are not always happy to use temporal logic, which is used for ‘property’ description in MC.

Verification in SoC design (1/3)
(figure: an SoC made of an embedded processor (IP), a peripheral (IP), a custom-designed peripheral, a memory interface, memory, and external devices, joined by a custom-designed interconnection)
• Too big to verify the whole system
• Already verified IP’s

Verification in SoC design (2/3)
• Divide-and-conquer
(figure: the custom-designed peripheral is verified against an interconnection model or abstract model and an external device model; the custom-designed interconnection is verified against abstract models of the attached blocks)
  – Verify the interconnection model by using abstract IP models (check only the transaction operation)
  – Verify the custom-designed block; check the spec for the interconnection model

Verification in SoC design (3/3)
• Summary
  – Divide-and-conquer
  – Does not verify individual blocks
    • Too big to verify the whole system
    • Already verified IP’s
  – Checks basic interconnections among blocks
  – Looks for unexpected transactions between blocks
• Spec. verification by model checking

Simple definition of FV
• Formal verification?
  – Application of logical reasoning to the development of digital systems
    • Logic is concerned with what is true and how we know whether something is true
  – Both the design and its specification are described in a language whose semantics is based on mathematical rigor, and the verification is then performed using symbolic manipulation

Value and cost of FV
• Formal verification gives the ability to
  – Express specs precisely
  – Clearly define when an implementation meets the spec
  – Understand the spec and the implementation
• Formal verification needs
  – A language for specifying the desired properties
  – A mathematical model of the system
  – A method of proof to verify that the specified properties are satisfied

Formal model
• Mathematical model for formal methods
• Requirements of a formal model
  – Must be complete, representing all the essential aspects of the subject being modeled
  – Must be predictive
    • Conclusions from the model = observation results of the subject itself
  – Must be well-formed
    • Should not allow fallacious or ill-formed reasoning

Verification
• Verification involves checking a satisfaction relation, usually of the form of a sequent:
    M ╞
  where M is a model (or implementation), is a property (or specification), and ╞ is a relationship that should hold between M and , i.e. the pair (M, ) is a member of ╞.
• Logic is used to express the model, property, and relation, and valid arguments of the logic are used to deduce whether the relation holds for the particular model and particular property.

Verification
• Verification involves
  – Specifying the model/system
  – Specifying the properties
  – Choosing the satisfaction relations
  – Checking the satisfaction relations
• Language
  – Specifying something needs logic
  – Different logics give us different ways of expressing M and , and define the pairs that are members of ╞

Logic
• Logic
  – Logic is concerned with the form of arguments and the principles of valid inferencing.
  – Induction and deduction
  – Symbolic logic is a modern type of formal logic using special mathematical symbols for propositions, quantifiers, and relationships among propositions and concerned with the elucidation of permissible operations upon such symbols. (Webster dictionary)
• Logic consists of
  – Syntax
  – Semantics
  – Proof procedure(s) (also called proof theory)

Logical reasoning
• Example: If the train arrives late and there are no taxis at the station, then John is late for his meeting. John is not late for his meeting. The train did arrive late.
  – Question: Were there taxis at the station or not?
  – Answer: There were taxis at the station.

Logical reasoning
• Symbolic description
  – p : The train is late
  – q : There are taxis at the station
  – r : John is late for his meeting
• Valid argument
    If p and not q then r
    Not r
    p
    ----------------------
    q

Various logic classes
1. Propositional logic
2. Predicate logic
3. Higher-order logic
4. Temporal logic
  – Linear temporal logic (LTL)
  – Branching temporal logic (BTL)
    • Computation tree logic (CTL)
    • Many other variations (CTL*, CTL+, …)

1. Propositional logic
• Invented by Boole
• Syntax (well-formed formulae)
  – Two constant symbols: T and F
  – Proposition letters (a, b, …)
  – Propositional connectives (not (~), and (&), or (|), ⇒, ⇔)
  – Brackets
• Semantics (truth tables)
• Proof theory
  – Axiom systems
  – Natural deduction
  – Sequent calculus

Syntax (well-formed formula)
• Ill-formed formula
  – a(&c⇒)b
• Construction rules
  – The proposition letters, T, and F are atomic formulas.
  – If a is an atomic formula, then a is a formula.
  – If p and q are formulas, then each of the following is a formula:
    • (~p), (p & q), (p | q), (p ⇒ q), (p ⇔ q)

Semantics (truth table)
• Two truth values Tr = {1, 0}
  – The range of the semantics function for propositional logic is {1, 0}
• Operators
  – ~ : function from Tr to Tr
  – &, |, ⇒, ⇔ : functions from (Tr × Tr) to Tr
• Boolean valuation
  – The semantics of propositional logic
  – A mapping v from the set of propositional formulas to the set Tr meeting the conditions:
    • v(T) = 1, v(F) = 0
    • v(~p) = ~(v(p))
    • for all the connectives: v(p ⊙ q) = v(p) ⊙ v(q), where ⊙ denotes any binary connective

Proof theory – axiom systems
• Axioms
  1. A ⇒ (B ⇒ A)
  2. (A ⇒ (B ⇒ C)) ⇒ ((A ⇒ B) ⇒ (A ⇒ C))
  3. (~A ⇒ ~B) ⇒ (B ⇒ A)
• Inference rule
  1. From A and A ⇒ B, B can be derived, where A and B are well-formed formulas
• Ex) Show that (x ⇒ y) ⇒ (x ⇒ x) is a tautology
    x ⇒ (y ⇒ x) : by axiom 1
    (x ⇒ (y ⇒ x)) ⇒ ((x ⇒ y) ⇒ (x ⇒ x)) : by axiom 2
    (x ⇒ y) ⇒ (x ⇒ x) : by inference rule 1

Proof theory – natural deduction (1/2)
• Method
  – Make assumptions, and then discharge the assumptions
  – Inference rules
    • And-introduction
      – Premises: p, q
      – Conclusion: p & q
    • And-elimination
      – Premises: p & q
      – Conclusion: p, q
    • Double-negation-introduction
      – Premises: p
      – Conclusion: ~~p
    • Double-negation-elimination
      – Premises: ~~p
      – Conclusion: p
    • Implies-introduction
      – Assumption: p
      – Premises: q
      – Conclusion: p ⇒ q
    • Implies-elimination
      – Premises: p, p ⇒ q
      – Conclusion: q
    • Modus tollens
      – Premises: p ⇒ q, ~q
      – Conclusion: ~p
  – Note) implies-introduction may use an assumption, and its conclusion discharges that assumption

Proof theory – natural deduction (2/2)
• Ex) (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r))
  1. (q ⇒ r) : assumption
  2. (~q ⇒ ~p) : assumption
  3. p : assumption
  4. ~~p : double-negation-introduction 3
  5. ~~q : modus tollens 2, 4
  6. q : double-negation-elimination 5
  7. r : implies-elimination 1, 6
  8. p ⇒ r : implies-introduction 3, 7
  9. ((~q ⇒ ~p) ⇒ (p ⇒ r)) : implies-introduction 2, 8
  10. (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r)) : implies-introduction 1, 9

Satisfiability and tautologies
• Satisfiable
  – A formula a is satisfiable if there is a Boolean valuation v such that v(a) = 1.
• Tautology
  – A propositional formula a is a tautology (also called valid) if v(a) = 1 for every Boolean valuation v.

Semantic entailment
    1, 2, 3 ╞ Ψ
means that if v(1) = 1 and v(2) = 1 and v(3) = 1 then v(Ψ) = 1, which is equivalent to saying that
    (1 & 2 & 3) ⇒ Ψ
is a tautology, i.e., (1, 2, 3 ╞ Ψ) ≡ ((1 & 2 & 3) ⇒ Ψ)

Example
  – p : The train is late
  – q : There are taxis at the station
  – r : John is late for his meeting
    (p & (~q)) ⇒ r, ~r, p ╞ q
    (((p & (~q)) ⇒ r) & (~r) & (p)) ⇒ q
    ~((~(p & (~q)) | r) & (~r) & (p)) | q
    ((p & (~q)) & (~r)) | r | (~p) | q

Consistency
• If the set of premises of an implication is not consistent, the premises can be used to prove a contradiction, i.e.,
    p, ~p ╞ q & ~q
  or
    F ⇒ F
• The ‘false implies anything’ problem
  – First of all, the model (implementation) should be consistent
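The Boolean-valuation definition, the tautology and satisfiability definitions, the train/taxi entailment of the previous slide and the ‘false implies anything’ case above can all be checked mechanically by enumerating every valuation over the letters involved; the following is an added example, not from the lecture. Its tuple encoding of formulas and its function names are this example's own conventions.

```python
from itertools import product

# Added example, not from the lecture.  A formula is a proposition letter (str),
# a constant 'T'/'F', or a tuple ('not', f), ('and', f, g), ('or', f, g),
# ('imp', f, g) or ('iff', f, g).

def letters(f):
    """Set of proposition letters occurring in f."""
    if isinstance(f, str):
        return set() if f in ('T', 'F') else {f}
    return set().union(*(letters(sub) for sub in f[1:]))

def v(f, val):
    """Boolean valuation of f under val (dict letter -> 0/1), following
    v(T)=1, v(F)=0, v(~p)=~v(p) and v(p o q)=v(p) o v(q) for each connective."""
    if isinstance(f, str):
        return {'T': 1, 'F': 0}.get(f, val.get(f))
    op, args = f[0], [v(a, val) for a in f[1:]]
    if op == 'not':
        return 1 - args[0]
    a, b = args
    return {'and': a & b, 'or': a | b,
            'imp': (1 - a) | b,               # p => q  is  ~p | q
            'iff': int(a == b)}[op]

def valuations(*formulas):
    """Every Boolean valuation over the letters of the given formulas."""
    ls = sorted(set().union(*(letters(f) for f in formulas)))
    for bits in product((0, 1), repeat=len(ls)):
        yield dict(zip(ls, bits))

def is_tautology(f):
    return all(v(f, val) == 1 for val in valuations(f))

def is_satisfiable(f):
    return any(v(f, val) == 1 for val in valuations(f))

def entails(premises, conclusion):
    """premises |= conclusion: every valuation making all premises 1 makes it 1."""
    return all(v(conclusion, val) == 1
               for val in valuations(*premises, conclusion)
               if all(v(p, val) == 1 for p in premises))

# The train/taxi argument of the slides:  (p & ~q) => r,  ~r,  p  |=  q
P1 = ('imp', ('and', 'p', ('not', 'q')), 'r')
TAXI_ENTAILS = entails([P1, ('not', 'r'), 'p'], 'q')
# ...which holds exactly when the single implication is a tautology
TAXI_TAUT = is_tautology(('imp', ('and', ('and', P1, ('not', 'r')), 'p'), 'q'))
# Inconsistent premises prove anything:  p, ~p |= q & ~q
EXPLOSION = entails(['p', ('not', 'p')], ('and', 'q', ('not', 'q')))
```

The same enumeration shows why the syllogism of the next slide fails in propositional logic: is_tautology(('imp', ('and', 'a', 'b'), 'c')) is False because nothing ties c to a and b.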

Need for another logic
• Syllogism
  – Man is mortal
  – Socrates is a man
    ∴ Socrates is mortal
• Best way to describe these in propositional logic
    a & b ⇒ c
  But this is not a tautology (∵ ‘c’ cannot be represented as some form of a, b.)

2. Predicate logic
• Invented by Gottlob Frege
• Also called “first-order logic”
• Syntax
  – Constants, variables x, y, ...
  – Functions, predicates
  – Logical connectives
  – Quantifiers
  – Punctuation: , (enumeration) . (‘such that’)
• Semantics
  – Interpretation, valuation
• Proof theory
  – Axiom systems, natural deduction, sequent calculus

Quantifiers
• Universal quantification (∀); ‘for all’
  – Corresponds to a finite or infinite conjunction of the application of the predicate to all elements of the domain.
• Existential quantification (∃); ‘there exist(s)’
  – Corresponds to a finite or infinite disjunction of the application of the predicate to all elements of the domain.
• Relationship between ∀ and ∃
  – ∃x.P(x) is the same as ~∀x.~P(x)
  – ∀x.P(x) is the same as ~∃x.~P(x)

Historical comment
• Hardware verification works based on first-order logic
  – Wagner (1977), Pitchumani and Stabler (1982), Hanes (1983), Wojcik (1983), Suzuki (1984), Hunt (1987)
• Boyer-Moore theorem prover (1979)
  – Quantifier-free first-order logic with equality

3. Higher-order logic
• First-order logic
  – Only quantifies over variables
• Higher-order logic
  – Also quantifies over functions and predicates
  – Uses special function-denoting terms
    • λ-expressions, which are terms of the λ-calculus
  – Ex) Induction principle
    • ∀P.(P(0) & (∀n.P(n) ⇒ P(n+1))) ⇒ ∀n.P(n)
• Zero-order logic
  – Propositional logic can be regarded as zero-order logic

λ-calculus
• Invented by Alonzo Church
• Basic λ-expression
  – λx1x2…xn.e
    • x1, x2, …, xn: parameters of the function
    • e: expression which computes the value of the function in terms of the parameters x1, x2, …, xn
• Simple example
  – λxy.x+y
  – (λxy.x+y) 2 3 = 2 + 3 = 5