HECTOR: Formal System-Level to RTL Equivalence Checking
TRANSCRIPT
Source: research.ibm.com/haifa/conferences/hvc2008/present/CarlPixleyHVC08.pdf (slides presented at HVC 2008)

Page 1: HECTOR: Formal System-Level to RTL Equivalence Checking
Alfred Koelbl, Sergey Berezin, Reily Jacoby, Jerry Burch, William Nicholls, Carl Pixley
Advanced Technology Group, Synopsys, Inc.
June 2008
Page 2: Outline
- Motivation
- Architecture of Hector
  - Frontend
  - Notions of equivalence and interface specification
  - Proof procedure
  - Solvers
  - Debugging
- Customer results
- Additional applications
- Conclusion
Page 3: Motivation
Page 4: System-level design
- Some reasons for system-level design:
  - Faster verification at the system level
  - Easier architectural exploration
  - No need to worry about implementation details
  - Productivity gain by using High-Level Synthesis
- RTL verification problems:
  - Verification of RTL doesn't get any easier
  - Bugs due to faulty specification
  - Bugs due to wrong implementation
Page 5: Functional equivalence checking
(Diagram: the same Data is fed to the System Model and to the RTL; the two Results are compared, "=?")
- System-level model is a transaction/word-level model for the hardware
- System and RTL compute the same outputs given the same inputs
- Equivalence checking proves functional equivalence
- Timing and internal structure can differ significantly, but the observable results must be the same
Page 6: Manual (ad hoc) flow
- Architect creates C++ specification
- RTL designer creates RTL implementation
- RTL contains much more implementation detail
- Problems:
  - Designs are often embedded in their own simulation environment; the input/output mapping and the notion of equivalence need to be specified
  - Specification and implementation can be significantly different
  - Constraints are often in the designer's head and need to be formalized
  - Input/output differences are sometimes difficult to capture in a formal model
Page 7: High-Level Synthesis flow
- Equivalence checker proves correctness of the produced RTL
- You cannot sell a high-level synthesis tool without a verification tool!
- Advantages:
  - All information about constraints, interface mappings and latency differences is available from the synthesis tool
  - Hints can significantly simplify the proof
  - Push-button solution possible
- Problems:
  - Every assumption given as a hint must be proven by the equivalence checker (a hint is a proof obligation, not a trusted fact)
  - High-level synthesis tool must be able to produce the information
Page 8: HL-Synthesis integration
(Diagram: the High-Level Synthesis tool hands the Equivalence Checker the design (C/C++/RTL), a constraints database and a proof strategy; the checker's core proof ends in a proof, a counterexample (CEX, delivered as a waveform / vcd.dump) or a timeout.)
Page 9: Architecture
Page 10: Components
(Architecture diagram; components shown: C++ Frontend, VHDL/Verilog Compiler, CFG, Formal model, Interface definition, Constraints/Mappings, Testbench Wrapper, Constrained Random Simulator, Proof engine / Orchestration, SAT, BDD, Bit-level solver, Word-level solver, Mem-model, Counterexample, Waveform Viewer)
Page 11: Front-End
(Architecture diagram from Page 10 with the front end highlighted)
Page 12: Interface Specification
Page 13: Interface specification
(Architecture diagram from Page 10 with the interface definition highlighted)
Page 14: Notions of equivalence
- What does equivalence mean when comparing system-level models against RTL?
  - Depends on how abstract the system-level model is
  - Different customers, different applications
  - Different design styles
  - No definite answer (yet)
- Identify commonly used notions:
  - Combinational equivalence
  - Cycle-accurate equivalence
  - Pipelined equivalence
  - Stream-based equivalence
  - Transaction equivalence
  - ... ?
Page 15: How to deal with different notions?
- Idea: reduction to a cycle-accurate equivalence check
- Rule of thumb: if you can build a random-pattern testbench that checks outputs on the fly, you're safe
Page 16: Verification wrapper generation
- User (or synthesis tool) provides the following information:
  - Input/output mapping between C++ and RTL
  - Input constraints
  - Output don't-cares
  - Memories / memory mappings
  - Register mappings
  - Notion of equivalence (optional)
- Verification wrapper is automatically generated
- Reduces the problem to a cycle-accurate sequential equivalence check
Page 17: Proof Procedure
Page 18: Proof procedure
(Architecture diagram from Page 10 with the proof engine highlighted)
Page 19: Verification approach
- Constrained-random simulator checks for easily detectable discrepancies
- Bounded formal check for harder discrepancies
- Formal proof (complete):
  - Problem reduced to sequential equivalence checking
  - Reachability analysis would be an approach
  - But: most system-level designs are arithmetic-heavy, reachability infeasible
  - Induction proof
- Proof idea:
  - Implementation and specification perform the same computations
  - Not necessarily in the same number of cycles
  - Unroll for the duration of a transaction, prove that the symbolic expressions are the same
- Proof engines:
  - Bit-level equivalence checkers (SAT, BDDs)
  - Word-level rewriting engine for arithmetic (COMBAT)
  - Hybrid (word & bit) engine for orchestration
  - PEPs (potentially equivalent points)
Page 20: Induction proof
- Transaction equivalence
  - Assume that the designs start in a valid state (a superset of the reachable state set)
  - Execute a single transaction by unrolling the ESL and RTL models for one transaction
  - Check outputs after the transaction
  - Check state after the transaction
- Proof strategy: induction
  - Needs state invariants
    - Register mappings
    - Memory mappings & memory constraints
    - Additional invariants
- Prove that the resulting SAT formula (valid start state, one unrolled transaction, and outputs differ or end state invalid) is UNSAT
Pages 21-24: Transaction equivalence
(Diagram, built up over four slides: the ESL model executes transaction TA in one step, ESL0 -> ESL1, consuming inputs IA0, IA1 and producing output OA; the RTL executes the corresponding transaction TB over several cycles, RTL0 -> RTL1 -> RTL2, consuming inputs IB0, IB1, IB2 and producing output OB. The ESL state is (S_A, M_A) (registers, memories) and the RTL state is (S_B, M_B); after the transaction they are (S_A', M_A') and (S_B', M_B').)
- Valid starting state (superset of the reachable state set)
- Outputs equivalent? OA = OB
- Valid end state? Checked against:
  - Memory mappings
  - Constraints on memories
  - Register mappings
  - State invariants
Page 25: Proof procedure
Notation: S_A, M_A are the ESL registers and memories, S_B, M_B the RTL ones; primed values are the state after one transaction; O_A, O_B are the transaction outputs.
- Assumptions (on the valid starting state)
  - a0: MM(M_A, M_B)   memory mapping
  - a1: c(M_A, M_B)    constraints on memories
  - a2: r(S_A, S_B)    register mapping
  - a3: i(M_A, M_B, S_A, S_B)   additional state invariants
- Proof obligations (each proven by showing its negation UNSAT)
  - a0 ∧ a1 ∧ a2 ∧ a3 → O_A = O_B
  - a0 ∧ a1 ∧ a2 ∧ a3 → MM(M_A', M_B')
  - a0 ∧ a1 ∧ a2 ∧ a3 → c(M_A', M_B')
  - a0 ∧ a1 ∧ a2 ∧ a3 → r(S_A', S_B')
  - a0 ∧ a1 ∧ a2 ∧ a3 → i(M_A', M_B', S_A', S_B')
- Check model assumptions, e.g., that no array accesses are out of bounds
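The wrapper of Page 16, the simulate-then-prove approach of Page 19 and the inductive step of Pages 20 and 25, as an added worked example (not code from the HECTOR slides or from Synopsys): a word-level spec that accumulates a*b in one transaction is checked against a constructed two-cycle RTL pipeline. The widths, the design itself and the `prod_bits` bug knob are assumptions made here so that the inductive step can be discharged by exhaustive enumeration over all valid state pairs and inputs, standing in for the SAT/SMT call a real tool would make.

```python
"""Transaction equivalence of a word-level spec against a cycle-accurate RTL
model: a verification wrapper aligns the interfaces, constrained-random
simulation hunts cheap discrepancies, and an inductive step over every valid
state pair discharges the output and end-state obligations.
Added example, not HECTOR code; both designs are constructed toys and the
widths are kept tiny so enumeration replaces a SAT/SMT solver."""
import random
from itertools import product

IN_BITS = 2    # width of operands a, b (assumed)
ACC_BITS = 4   # width of the accumulator register (assumed)
IN_MASK = (1 << IN_BITS) - 1
ACC_MASK = (1 << ACC_BITS) - 1


def spec_transaction(acc, a, b):
    """ESL model: one transaction is one call; the state is the word 'acc'.
    Returns (new_acc, output)."""
    new_acc = (acc + a * b) & ACC_MASK
    return new_acc, new_acc


def rtl_cycle(state, a, b, start, prod_bits):
    """RTL model: one clock edge; the state is (acc, prod).  A cycle with
    start=1 latches the product into 'prod'; the next cycle adds it to 'acc'.
    prod_bits is the width of the product register (the bug knob)."""
    acc, prod = state
    if start:
        return (acc, (a * b) & ((1 << prod_bits) - 1)), None
    new_acc = (acc + prod) & ACC_MASK
    return (new_acc, prod), new_acc      # output is valid only in this cycle


def rtl_transaction(state, a, b, prod_bits=ACC_BITS):
    """Verification wrapper.  Input mapping: a, b presented with start=1, then
    one idle cycle.  Output mapping: sample the RTL output after cycle 2."""
    state, _ = rtl_cycle(state, a, b, True, prod_bits)
    state, out = rtl_cycle(state, 0, 0, False, prod_bits)
    return state, out


def invariant(spec_acc, rtl_state):
    """Register mapping r(S_A, S_B): spec acc == RTL acc.  The RTL 'prod'
    register is left unconstrained, so the valid-state set is a superset of
    the reachable states, as the induction requires."""
    return spec_acc == rtl_state[0]


def inductive_check(prod_bits=ACC_BITS):
    """Induction step: from every valid state pair and every input, one
    transaction must give equal outputs (O_A = O_B) and a valid end state
    (r(S_A', S_B')).  Returns None if both hold everywhere (the negation is
    UNSAT), otherwise the first counterexample."""
    for acc, prod, a, b in product(range(ACC_MASK + 1), range(ACC_MASK + 1),
                                   range(IN_MASK + 1), range(IN_MASK + 1)):
        s_spec, o_spec = spec_transaction(acc, a, b)
        s_rtl, o_rtl = rtl_transaction((acc, prod), a, b, prod_bits)
        if o_spec != o_rtl or not invariant(s_spec, s_rtl):
            return {"acc": acc, "prod": prod, "a": a, "b": b,
                    "spec_out": o_spec, "rtl_out": o_rtl}
    return None


def random_sim(n_transactions, prod_bits=ACC_BITS, seed=1):
    """Constrained-random simulation from reset, checking outputs on the fly.
    Returns the index of the first mismatching transaction, or None."""
    rng = random.Random(seed)
    spec_acc, rtl_state = 0, (0, 0)
    for i in range(n_transactions):
        a, b = rng.randrange(IN_MASK + 1), rng.randrange(IN_MASK + 1)
        spec_acc, o_spec = spec_transaction(spec_acc, a, b)
        rtl_state, o_rtl = rtl_transaction(rtl_state, a, b, prod_bits)
        if o_spec != o_rtl:
            return i
    return None


if __name__ == "__main__":
    print("correct RTL, induction:", inductive_check())
    # A 3-bit product register silently truncates 3*3 = 9 to 1.
    print("truncating RTL, induction:", inductive_check(prod_bits=3))
    print("truncating RTL, random sim:", random_sim(1000, prod_bits=3))
```

With the correct RTL both checks return None. Narrowing the product register to 3 bits is the kind of width mismatch between an int-based C++ model and RTL that equivalence checking exists to catch: the inductive check reports it at acc=0, prod=0, a=3, b=3 without needing a reset sequence, whereas random simulation has to stumble on the (3, 3) operand pair. Because 'prod' is unconstrained in the invariant, the proof also covers RTL states no reset sequence can reach, which is exactly what makes the induction sound.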
Page 26: Solvers
Page 27: Solvers
(Architecture diagram from Page 10 with the solvers highlighted)
Page 28: Decision procedures
(Diagram: Formula -> Decision Procedure -> either a satisfying solution (counterexample) or unsatisfiable (proof))
- Core technology for formal reasoning
  - Used for intermediate equivalences
  - Used for output equivalences
- Word-level solvers
  - Good for equivalent arithmetic
  - Bad for producing counterexamples
- Bit-level solvers
  - Good for falsification
  - Bad for arithmetic
Page 29: Equivalence check of two DFGs
(Diagram: the C++ and RTL data-flow graphs with outputs Oa and Ob, compared with "=?")
1. Find potentially equivalent points (PEPs), e.g. by simulation
2. Prove them equivalent using bit- and word-level engines
3. Merge equivalent points, thereby increasing sharing
4. Prove outputs equivalent
�
Equivalence check of two DFGsEquivalence check of two DFGs
=?C++ RTL
1. Find potentially equivalent points (PEPs) (e.g. by simulation)2. Prove them equivalent using bit- and word-level engines3. Merge equivalent points thereby increasing sharing4. Prove outputs equivalent
Page 31: Word-level solvers
- SMT solvers (SAT modulo theories)
  - Reason about arithmetic
  - Theories for linear arithmetic, bit-vectors, uninterpreted functions, arrays, real arithmetic
  - Need to be able to deal with finite word sizes
- Rewriting engines
  - Rewrite formulas into a normal form
  - Convergence can be an issue
  - CVC Lite from Stanford
- Lessons learned:
  - Only the bit-vector theory (and maybe the theory of arrays, if powerful enough) is useful
  - Many abstraction techniques are only useful for property checking
  - Few solver techniques specifically target the equivalence-checking problem
Page 32: Bit-level solvers
- Construct a Boolean circuit based on the bit-level representation of the operations
- BDDs
  - Canonical representation: very easy to check whether a formula is unsatisfiable
  - Tendency to memory blow-up
  - Good for local intermediate equivalences
  - Good for XOR trees
- SAT
  - Convert the circuit to Conjunctive Normal Form (CNF)
  - Branch-and-bound search
  - Efficient optimizations (conflict analysis, non-chronological backtracking)
- ATPG / circuit-based SAT
  - Branch-and-bound search directly on the Boolean circuit
Page 33: Solver technology
- Compare word-level graphs modulo zero-extension / sign-extension and merge intermediate equivalent points
(Diagram: one side casts the 3-bit inputs in_a and in_b to 32 bits and adds them in 32 bits; the other side adds the 3-bit inputs into a 4-bit result and casts that to 32 bits; the two 32-bit results are compared with "=?")
Page 34: Solver technology
- Compare word-level graphs modulo zero-extension / sign-extension and merge intermediate equivalent points
(Diagram: after merging, a single adder of the 3-bit inputs in_a and in_b with a 4-bit result feeds one cast to 32 bits)
Page 35: Solver technology
- Compare word-level graphs modulo observability
(Diagram: two adders, a and b, feed a chain of multiplexers controlled by c1 and c2 whose output is o; a reaches o only when c1 and c2 select it)
Observable(a) -> (a = b)
(c1 & c2) -> (a = b)
Page 36: Solver technology
- Compare word-level graphs modulo observability
(Diagram: the same multiplexer chain after the proof; 'a' has been replaced by 'b', leaving a single adder)
Page 37: Effectiveness comes from many techniques
- 68 word (as opposed to bit) outputs
- SL vs. RTL: different data-path architectures
  - Different multiplier implementations
  - Different adder-tree structure
- DFG nodes: 1400
(Bar chart: unsolved outputs as techniques are added on top of the RR/BDD/SAT orchestration: orchestration alone 52 unsolved; + SMT 18 unsolved; + graph rewrites 5 unsolved; + SAT-equivalence optimizations 0 unsolved)
Page 38: The algebraic solver strategy
(Diagram: algebraic rewrites (normal form, consider cases, smart simplifications, abstractions/approximations, split cases) drive the proof search; the SAT solver is used when all else fails)
Example rewrite (notation as on the slide: *[w] is a w-bit multiply, {h, l} concatenation, [hi:lo] a bit slice):
{ (x *[32] y)[31:16] , x *[16] y } = { (x *[32] y)[31:16] , (x *[32] y)[15:0] } = x *[32] y
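The word-level reasoning of Pages 29, 33-36 and 38 (equivalence modulo zero/sign extension, a conditional PEP under an observability condition, and the multiplier rewrite), as an added worked example that is not HECTOR code: a tiny bit-vector evaluator plus a decision procedure that enumerates all assignments of a few small inputs, returning either a counterexample or a proof as on Page 28. The operand widths, the 3-bit adder variant and the operand-gated RTL adder are assumptions made here to show both outcomes; a production tool would bit-blast the same formulas into SAT/SMT instead of enumerating.

```python
"""Word-level equivalences decided by exhaustive enumeration over small widths.
Added example, not HECTOR code: for a few bits of input, enumeration is itself
a complete decision procedure (satisfying assignment = counterexample, none =
proof).  All circuits and widths here are constructed assumptions."""
from itertools import product


def mask(w):
    return (1 << w) - 1


def zext(x, w_from, w_to):
    """Zero-extend a w_from-bit pattern to w_to bits."""
    return x & mask(w_from)


def sext(x, w_from, w_to):
    """Sign-extend a w_from-bit pattern to w_to bits."""
    x &= mask(w_from)
    if x >> (w_from - 1):
        x -= 1 << w_from
    return x & mask(w_to)


def add(x, y, w):
    return (x + y) & mask(w)


def mul(x, y, w):
    return (x * y) & mask(w)


def bits(x, hi, lo):
    """Verilog-style slice x[hi:lo]."""
    return (x >> lo) & mask(hi - lo + 1)


def concat(hi, lo, lo_w):
    """Verilog-style {hi, lo}, with lo being lo_w bits wide."""
    return (hi << lo_w) | lo


def check_valid(pred, widths):
    """Return None if pred holds for every assignment of the named inputs
    (its negation is UNSAT: a proof), else the first falsifying assignment."""
    names = list(widths)
    for vals in product(*(range(1 << widths[n]) for n in names)):
        env = dict(zip(names, vals))
        if not pred(env):
            return env
    return None


def check_equiv(lhs, rhs, widths):
    return check_valid(lambda e: lhs(e) == rhs(e), widths)


def page33_extension(signed=False, adder_bits=4):
    """Page 33: cast the 3-bit inputs to 32 bits and add, versus add them into
    an adder_bits-wide result and cast that.  Equivalent modulo extension when
    the adder keeps the carry (4 bits); a 3-bit adder is not."""
    ext = sext if signed else zext
    widths = {"in_a": 3, "in_b": 3}
    wide = lambda e: add(ext(e["in_a"], 3, 32), ext(e["in_b"], 3, 32), 32)
    narrow = lambda e: ext(add(ext(e["in_a"], 3, adder_bits),
                               ext(e["in_b"], 3, adder_bits), adder_bits),
                           adder_bits, 32)
    return check_equiv(wide, narrow, widths)


def page35_observability():
    """Pages 35/36: spec value a = x + y; the RTL computes b only when c2 is
    set (operand gating).  Both drive o = c1 ? (c2 ? value : 0) : 0, so the
    value is observable only under c1 & c2.  Returns (counterexample to a = b,
    proof of (c1 & c2) -> (a = b), proof of the outputs with a replaced by b)."""
    widths = {"x": 3, "y": 3, "c1": 1, "c2": 1}
    a = lambda e: add(e["x"], e["y"], 4)
    b = lambda e: add(e["x"], e["y"], 4) if e["c2"] else 0
    observable = lambda e: bool(e["c1"] and e["c2"])
    o = lambda v: (lambda e: v(e) if observable(e) else 0)
    unconditional = check_equiv(a, b, widths)          # fails: not a plain PEP
    conditional = check_valid(lambda e: not observable(e) or a(e) == b(e), widths)
    outputs = check_equiv(o(a), o(b), widths)          # merging a into b is sound
    return unconditional, conditional, outputs


def page38_multiplier(w=4):
    """Page 38 rewrite scaled to w-bit operands:
    { (x *[2w] y)[2w-1:w] , x *[w] y } = x *[2w] y, since the low w bits of
    the 2w-bit product are exactly the w-bit product."""
    widths = {"x": w, "y": w}
    lhs = lambda e: concat(bits(mul(e["x"], e["y"], 2 * w), 2 * w - 1, w),
                           mul(e["x"], e["y"], w), w)
    rhs = lambda e: mul(e["x"], e["y"], 2 * w)
    return check_equiv(lhs, rhs, widths)
```

`page33_extension()` and `page33_extension(signed=True)` return None (proof), while `page33_extension(adder_bits=3)` returns in_a=1, in_b=7, the first input pair whose carry the narrow adder drops: the same graph shape, compared without tracking extension widths, would be merged unsoundly. `page35_observability()` shows why the observability condition matters: a and b differ globally, but under c1 & c2 they agree, and the two output cones are equivalent after the merge. `page38_multiplier()` proves the algebraic identity for every 4-bit operand pair; the rewriting engine gets the same result by normal form without enumerating.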
Page 39: Customer Experiences
Page 40: Company B
Page 41: Experience with Company B
- Ad hoc (manual) design flow
- All modules are parts of a router design
- Customer wanted free consulting.
- Problems
  - Customer did not do block-level verification
  - Constraint/counterexample loop
  - Manager did not understand the idea of equivalence checking; he thought Hector was a bug finder
  - We did the work, but eventually the customer could run Hector by herself
  - C++ model not entirely complete: one case of two modules in the RTL and one in the C++
  - Abstracted away the simulation environment manually
Page 42: Experience with Company B (continued)
- Core algorithms improved greatly during the evaluation
- Developed different memory models, e.g., TCAM.
- Successes
  - Were able to conclusively compare all outputs
  - D5 was not completed by the customer
Page 43: Hector experimental results (Company B)

Design | Lines of code (C / RTL) | # arrays / # RAMs | # discrepancies | # bugs found | Time | Final result
D1 | 50 / 6200 | 1 / 1 | 0 | 0 | 4 min | proven
D2 | 70 / 580 | 1 / 1 | 0 | 0 | 2 min | proven
D3 | 570 / 1720 | 1 / 3 | 9 | 1 RTL, 1 C++ | 4 min | proven
D4 | 1700 / 7500 | 4 / 4 | 8 | 1 RTL, 1 C++ | <1 h | proven
D5 | 4300 / 6700 | 31 / 33 | >40 | 4 RTL | 43 min | 62 proven, 15 cex
Page 44: Company N
Page 45: Experience with Company N
- Ad hoc (manual) design flow
- All modules were from an arithmetic unit: both integer and floating point
- GPU design
- C++ models act as reference models to provide expected/correct output values
- Coverage metrics help but are not always reliable: bugs missed
- Customer was very experienced with formal methods.
Page 46: Experience with Company N (continued)
- Many mismatches are found
  - Real design bugs were caught, mostly corner cases
  - C++ model bugs were found
  - Raised questions on the definition of correct behavior: specification documents clarified/modified
- Some instructions are proven automatically by the tool without any human assistance
- Some instructions are too complex or too large for the tool to handle
- Several techniques for the user to try to assist the tool
- The main theme is divide-and-conquer
Page 47: Experience with Company N (continued)
- Due to the initial success in finding bugs and proving correctness, the use of high-level equivalence checking expanded to several designs of the company's active GPU development project
  - 10 design blocks, 119 sessions set up and run, 107 proven (some after fixes to bugs found by FV)
  - Includes multiplication logic
- Focused on designs with a high probability of success: data transforms with simple temporal behavior and input constraints
- A bug was found in a previous project that would have been caught by running this: a special case that only affects a single input value
Page 48: Experience with Company N (continued)
- High-level equivalence checking will become part of the company's verification plan
  - Demonstrated its value for suitable designs
  - Increases confidence and finds difficult bugs more quickly
  - Will not replace other forms of verification; complementary to the existing methodology
Page 49: Company T
Page 50: Experience with Company T
- Designs generated automatically from C++ by the Synfora synthesis tool
- Four designs from four different encryption algorithms + an FIR filter
- All four had streams
- Designs were run entirely automatically!
- Put scripting capability into the tool
- Synfora gave Hector hints; all were checked independently
- Had to support many Synfora features such as streams, bit-width pragmas, loop-unroll pragmas, memories
- Hector can now handle loops without unrolling.
Page 51: Behavioral synthesis result
- Synfora Pico-Extreme synthesized designs
- Encryption designs for GSM/GPRS/UMTS protocols

Design | Lines of code (C / RTL) | # arrays / # RAMs | # discrepancies | # bugs found | Time | Final result
DS1 | 293 / 5663 | 0 / 0 | 0 | 0 | 5 min | proven
DS2 | 579 / 14015 | 0 / 0 | 1 | 0 | 17 min | proven
DS3 | 717 / 11563 | 2 / 2 | 2 | 0 | 21 min | proven
DS4 | 931 / 45274 | 4 / 4 | 2 | 0 | 19 min | proven
Page 52: Additional Applications
Page 53: Word/transaction-level tools
- Datapath verification in Synopsys's Formality equivalence checker: the core solver is the Hector core engine
- Formal front end for Synplicity DSP
- Equivalence checking of simulation vs. synthesis models of Synopsys IP
- Model checking at the word level: Bjesse, CAV '08, FMCAD '08
Page 54: Conclusions
- System-level to RTL equivalence checking is a very hard problem
- But... we do it on live commercial designs NOW
- Synthesis is MUCH easier to verify than a manual (ad hoc) design flow
- HECTOR is not a product – yet.