On-the-fly Synthesis of Multi-Clock SVA

Post on 31-Jan-2016

DESCRIPTION

On-the-fly Synthesis of Multi-Clock SVA. Jiang Long, Andrew Seawright, Paparao Kavalipati. IWLS’ 2008. Outline: Introduction (background and scope, related works); Synthesizing multi-clock SVA (single clock assertion compilation, compile through rewriting, on-the-fly synthesis algorithm).

TRANSCRIPT

On-the-fly Synthesis of Multi-Clock SVA

Jiang Long

Andrew Seawright

Paparao Kavalipati

IWLS’ 2008

Outline

Introduction
— Background and scope
— Related works

Synthesizing multi-clock SVA
— Single clock assertion compilation
— Compile through rewriting
— On-the-fly synthesis algorithm

Proof of correctness

Experimental results and conclusions

Formal Model for Multi-Clock Designs

[Figure: block diagram with the labels Clock Specification, RTL Design, and SVA Assertions]

Multi-Clock Modeling

[Figure: circuit diagram with the labels 0, 1, clk0_posedge, data_in1, @posedge clk0, data_in1, mclk]

Objective

Synthesize SVA into checker logic
— Generic checker logic
    Utilize existing FV framework/technique/optimization
    Utilize existing multi-clock network
— Optimize checker logic size
    Number of sequentials and gates
— Validation
    Proof of correctness

SVA Abstract Grammar – Unclocked Sequence

Sequences define language of words

Booleans          b
Concatenation     R1 ##1 R2
Or                R1 or R2
Repetition        R1 [*0:$]
Fusion            R1 ##0 R2
Intersect         R1 intersect R2
Local Variable    b, v=e

SVA Abstract Grammar – Clocked Sequence

Grammar for clocked sequence S

S ::= @(clk) R
    | ( S ##1 S )

Single clock      @clk R
Multi-clock       @clk1 R1 ##1 @clk2 R2

SVA Abstract Grammar - Property

Properties evaluate true/false over words

Regular expression    R
Implication           R |-> P
                      R |=> P
Or                    P1 or P2
And                   P1 and P2
Not                   not P

SVA Abstract Grammar - Property

Properties evaluate true/false over finite words

Implication           R |-> P
                      R |=> P

SVA Multi-Clock Assertions

Related Work

Synthesis of regular expression + “actions”
— Seawright / Brewer: synthesis of controllers

Synthesis of SVA
— Pellauer / Lis / Baltus / Nikhil: using Bluespec

Checkers in Formal Verification
— Beer / Ben-David / Landver: on-the-fly model checking of RCTL

Synthesis of SVA Local Variables
— Long / Seawright

Multi-Clock assertion synthesis for verification
— Ganai, et al.

Annotating OVL 2.0 with SVA
— Long, Seawright, et al.

Contribution

Synthesize SVA into checker logic
— Adapt single-clock SVA compilation procedure
— Generic checker logic
    Utilize existing FV framework/technique/optimization
    Utilize existing multi-clock network
— Optimized checker logic size
— Validation
    Proof of correctness based on SVA semantics

Outline

Introduction
— Background and scope
— Related works

Synthesizing Multi-clock SVA
— Single clock assertion compilation
— Compile through semantic rewriting
    Penalty: Double the checker logic size
— On-the-fly synthesis algorithm
    No penalty

Proof of correctness

Experimental results and conclusions

SVA compilation

[Figure: abstract syntax tree of p_m1 with the node classes Prop, Bool and R; operator nodes |=>, ##1 and [*2:M]; term leaves req0, req1 and gnt]

property p_m1;
  @(posedge clk0) req0 ##1 req1[*2:M] |=> gnt;
endproperty

Recursive Construction

[Figure: the same syntax tree (|=>, ##1, [*2:M], terms req0, req1, gnt) shown in two builds; the second build adds a circuit with the labels 0, 1, clk0_posedge, data_in1]

R1 ##1 R2

[Figure: blocks R1 and R2, each with start and AP ports, with the labels clk and ##1]

R1 ##0 R2

[Figure: blocks R1 and R2, each with start and AP ports]

R is equivalent to
(R ##0 1)
(1 ##0 R)

SVA Semantic Rewriting Rules

Rewriting: An Example

Synthesis Through Rewriting

[Figure: two syntax trees. One has |=> over ##1 and [*2:3] with the term leaves req0, req1 and gnt. In the other, each term sits in a subtree built from [*0:$], ##1 and the terms !clk0 and clk0&&req0, !clk1 and clk1&&req1, !clk2 and clk2&&gnt.]

1. Checker logic: Correct by Construction

2. Rewriting rule (2.1): size of the tree doubled

On-the-fly Synthesis

Motivation
— Avoid the penalty from the rewriting
— Model clock directly

Compilation procedure
— Annotate syntax tree with clock information
— Adapt to existing recursive compilation
— Model clocked constructs directly
— Proof of correctness through construction

Annotated Abstract Syntax Tree

[Figure: the syntax tree (node classes Prop, Bool, R; operators |=>, ##1, [*2:M]; terms req0, req1, gnt) with its nodes annotated with the clocks clk1, clk2 and clk3]

On-the-fly Model

Annotated node with a single clock
1. @clk (b)
2. @clk (R1 ##1 R2)

Annotated node with two different clocks
3. @clk1 R1 ##1 @clk2 R2

Basic Block 1: @clk(b)

[Figure: circuit with the labels @clk, b, Ap, 1, 0, 1]

Basic Block 2: @clk(R1 ##1 R2)

[Figure: circuit with blocks R1 and R2 (start and Ap ports) and the labels IA, @clk, 0, 1, 1, ##1]

Building Block 3: @clk1 R1 ##1 @clk2 R2

[Figure: circuit with blocks R1 and R2 (start and Ap ports), clock inputs @clk1 and @clk2, two AND gates, one OR gate, a constant 1, the state element s0, and the label IA]

s0 <= ( R1.Ap && @clk1 ) || ( s0 && !@clk2 )

NFA View: @clk1 R1 ##1 @clk2 R2

[Figure: NFA with R1 (start, Ap), the state s0 and R2 (start, Ap); edge labels @clk1, !@clk2 and @clk2; label IA]
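
The s0 state element of Building Block 3, modelled cycle by cycle on mclk and checked against the nearest strictly later clk2 tick. This is an added example, not code from the slides; it assumes, reading the NFA view, that R2 is started in a cycle where s0 is set and clk2 ticks, and the function names and the trace are constructed for illustration.

```python
# Cycle-level model of the multi-clock concatenation block, stepped on the
# fastest clock (mclk). Each sample is (clk1_tick, clk2_tick, r1_ap).
# Assumption: R2 is started in a cycle where s0 is set and clk2 ticks.

def r2_starts_onthefly(trace):
    """Return the mclk cycles at which the s0 block starts R2."""
    s0 = False                      # the single added state element
    starts = []
    for cycle, (clk1, clk2, r1_ap) in enumerate(trace):
        if s0 and clk2:             # NFA edge: s0 --@clk2--> R2 start
            starts.append(cycle)
        # s0 <= ( R1.Ap && @clk1 ) || ( s0 && !@clk2 )
        s0 = (r1_ap and clk1) or (s0 and not clk2)
    return starts


def r2_starts_reference(trace):
    """Reference: for each R1 match sampled on a clk1 tick, the nearest
    strictly later clk2 tick (several matches may share one tick)."""
    starts = set()
    for i, (clk1, _, r1_ap) in enumerate(trace):
        if not (r1_ap and clk1):
            continue                # matches off a clk1 tick are not sampled
        for j in range(i + 1, len(trace)):
            if trace[j][1]:
                starts.add(j)
                break
    return sorted(starts)


def make_trace(r1_match_cycles, length=12):
    """Constructed trace: clk1 ticks every 2nd mclk cycle, clk2 every 3rd."""
    return [(c % 2 == 0, c % 3 == 0, c in r1_match_cycles)
            for c in range(length)]


# R1.Ap is high in cycles 2, 4, 7 and 9; only 2 and 4 fall on clk1 ticks.
TRACE = make_trace({2, 4, 7, 9})

if __name__ == "__main__":
    print("on-the-fly:", r2_starts_onthefly(TRACE))
    print("reference: ", r2_starts_reference(TRACE))
```

A match in cycle 6, where both clocks tick, starts R2 at cycle 9 rather than cycle 6, because the s0 register delays the hand-off by at least one mclk cycle.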

SVA Rewriting Rules

Proof of Correctness

Lemmas
1. R is equivalent to R ##0 1
2. R is equivalent to 1 ##0 R
3. @clk R is equivalent to @clk ( R ##0 1 )
4. @clk R is equivalent to @clk ( 1 ##0 R )
5. @clk R is equivalent to @clk 1 ##0 @clk R
6. @clk R is equivalent to @clk R ##0 @clk 1

@clk1 R1 ##1 @clk2 R2

7. @clk1 ( R1 ##0 1 ) ##1 @clk2 ( 1 ##0 R2 )

8. @clk1 R1 ##0 @clk1 1 ##1 @clk2 1 ##0 @clk2 R2

Proof

8. @clk1 R1 ##0 @clk1 1 ##1 @clk2 1 ##0 @clk2 R2

9. !clk1[*0:$] ##1 clk1 ##1 !clk2[*0:$] ##1 clk2

[Figure: the sequence !clk1[*0:$] ##1 clk1 ##1 !clk2[*0:$] ##1 clk2 shown against the NFA view (edges @clk1, !@clk2, @clk2) and the Building Block 3 circuit (@clk1, @clk2, and, or, s0)]

Special Case: @clk(R1 ##1 R2)

[Figure: the Basic Block 2 circuit (R1, R2, @clk, IA) shown with the Building Block 3 circuit (R1, R2, @clk1, @clk2, and, or, s0), labelled clk1==clk2]

Experimental Results

[Figure: results shown as images that did not survive extraction; the only remaining label is "2x"]

Conclusion

Efficient synthesis of multi-clock assertions
— Create a generic checker logic
— Direct modeling to avoid the doubling penalty
— Proof of correctness
