andreas kuehlmann

1kuehl@cadence.com

Giving the Gorilla Some Brains: Giving the Gorilla Some Brains: How Can Formal Complement How Can Formal Complement

Simulation?Simulation?

FMCAD Panel DiscussionFMCAD Panel DiscussionNovember 14, 2006November 14, 2006

Andreas KuehlmannAndreas Kuehlmann

2kuehl@cadence.com

““Simulation” vs. “Formal Verification”Simulation” vs. “Formal Verification”

• Let’s look into terminology!Let’s look into terminology!

We as FMCAD community should know what formal means!

FMCAD = “Formal Methods on CAD”

“Precise Formalists” versus the “Sloppy Informalists” ??

But what does Simulation mean?

3kuehl@cadence.com

Let’s Check out Wikipedia…Let’s Check out Wikipedia…

A simulation is an imitation of some real thing, state of affairs, or process. The act of simulating something generally

entails representing certain key characteristics or behaviors of a selected physical or abstract system.

…for Distinction Sake, a Deceiving by Words, is commonly called a Lye,

and a Deceiving by Action, Gestures, or Behavior,is called Simulation

But it continues….

4kuehl@cadence.com

Let’s Google it…Let’s Google it…

• http://embedded.eecs.berkeley.edu/research/vis/ttc/lecDir/ps/session3.ppt.pshttp://embedded.eecs.berkeley.edu/research/vis/ttc/lecDir/ps/session3.ppt.ps

5kuehl@cadence.com

Simulation in the Formal WorldSimulation in the Formal World

“A Simulation Preorder is a relation between state transition systems

associating systems which behave in the

same way in the sense that one system “simulates” the other”

In other, words a system simulates another system if it can match all of its moves.

… looks to me like a pretty formal and “complete” approach

6kuehl@cadence.com

versus Simulation in the “Informal World”versus Simulation in the “Informal World”

DUVSubset of

Input

Stimuli

Monitor

RTL simulation -> stick a tiny subset of the input stimuli into the system,

simulate the behavior and see if the output matches what you expect

The formal world calls this

Testing

7kuehl@cadence.com

But Wait a Minute….But Wait a Minute….

… for others Testing means this:

The testing community uses formal methods to generate test vectors

E.g. D-Algorithm for ATPG

Paul Roth: Diagnosis of Automata Failure: A Calculus & MethodIBM Journal of R&D 1966 (10), pp. 278-291

Later we “renamed” sequential ATPG into Bounded Model Checking

8kuehl@cadence.com

… … and then there are the Companiesand then there are the Companies

• IBM IBM – Verification includes simulation and formal methodsVerification includes simulation and formal methods

• Intel:Intel:– Validation (simulation)Validation (simulation)

– versus Verification (formal)versus Verification (formal)

• The restThe rest– Whatever is fashionableWhatever is fashionable

9kuehl@cadence.com

Two Introductory LecturesTwo Introductory Lectures

• Robert Jones Robert Jones

Principal Engineer, Intel Corp. Hillsboro, ORPrincipal Engineer, Intel Corp. Hillsboro, OR

““Life in the Jungle: Simulation vs. Verification”Life in the Jungle: Simulation vs. Verification”

• Wolfgang RoesnerWolfgang Roesner

Distinguished Engineer IBM Server Division, Austin, TXDistinguished Engineer IBM Server Division, Austin, TX

””Ecological Niche or Survival Gear? - Improving an Industrial Ecological Niche or Survival Gear? - Improving an Industrial Simulation Methodology with Formal Methods”Simulation Methodology with Formal Methods”

10kuehl@cadence.com

How can Formal Complement How can Formal Complement SimulationSimulation• Technology:Technology:

– Are there methods from the formal world that are usable in a Are there methods from the formal world that are usable in a simulation based flow?simulation based flow?

• Methodologies:Methodologies:– Should we do simulation first to catch the “easy bugs” and then Should we do simulation first to catch the “easy bugs” and then

switch to formal for the “hard” ones?switch to formal for the “hard” ones?

• Teams:Teams:– In many projects designers are responsible for “almost” correctness In many projects designers are responsible for “almost” correctness

and hand the difficult part to the verification team. Does this make and hand the difficult part to the verification team. Does this make sense?sense?

11kuehl@cadence.com

A “typical” Simulation SetupA “typical” Simulation Setup

Testbench

DUVConstraint

Solver

Constraints

Biasing

Monitor

Coverage

Analysis

12kuehl@cadence.com

Points where “Formal” Could HelpPoints where “Formal” Could Help

Testbench

DUVConstraint

Solver

Constraints

Biasing

Monitor

Coverage

Analysis

13kuehl@cadence.com

Questions for the PanelQuestions for the Panel

• Are there interesting techniques from the formal world that can Are there interesting techniques from the formal world that can complement simulation methods?complement simulation methods?

• Does the traditional tool partitioning betweenDoes the traditional tool partitioning between• Simulation and test generationSimulation and test generation

• Equivalence checkingEquivalence checking

• Formal property checkingFormal property checking

encourage cross-fertilization between technologies?encourage cross-fertilization between technologies?

• Do we have the appropriate verification methodologies and Do we have the appropriate verification methodologies and team structures reflecting this?team structures reflecting this?

14kuehl@cadence.com

PanelistsPanelists

• Warren Hunt (UT Austin)Warren Hunt (UT Austin)• Robert Jones (Intel)Robert Jones (Intel)• Robert Kurshan (Cadence)Robert Kurshan (Cadence)• Wolfgang Paul (University Saarbruecken)Wolfgang Paul (University Saarbruecken)• Carl Pixley (Synopsys)Carl Pixley (Synopsys)• Wolfgang Roesner (IBM)Wolfgang Roesner (IBM)