00 Lucent Insert Ad 6/97 1/29/98 3:43 PM Page 1
The Verification Times

Welcome

Welcome to Bell Labs Design Automation’s Verification Times, a new forum for verification issues!

At BLDA, we’ve devoted more than twenty years to the development of effective design verification solutions. We’re excited about what’s happening in the verification community today as the challenge of systems-on-silicon is confronted. We can foresee an exciting future in chip design as today’s verification puzzles are solved, paving the way for tomorrow’s super chips. And we plan to be there when it happens.

[…] aren’t talking about verification and making it a priority. So we’ve developed this forum to help do just that, and we’ve chosen the hot subject of formal verification as the inaugural topic. Our feature article, which explores the challenges of commercializing formal verification, is written by Bob Kurshan, one of the foremost experts on this topic in the world. Sidebars throughout this article highlight different aspects of formal verification, as well as our new model checking tool, FormalCheck™. By the way, that’s why the “belly-band” wrapper of this issue of Integrated System Design displayed a penguin inviting you to check out this insert; our penguin friend appears to be ever ready for a formal event and thus has been adopted as the official mascot for FormalCheck.

If you would like to receive future versions of Verification Times or if you have any questions or comments about this one, either send us e-mail (see last page) or return the reader reply card found on the “belly-band” wrapper of this issue of ISD. We look forward to a fruitful dialogue with all of you as together we face (and solve!) the design verification puzzles of today and tomorrow.

Happy reading!


Formal Verification in a Commercial Setting

By R. P. Kurshan, Bell Laboratories

Excerpted from the embedded tutorial, 34th Design Automation Conference, Copyright © 1997 by the Association for Computing Machinery, Inc.

Introduction

Formal methods long have been touted as a means to produce “provably correct implementations.” It is only recently, however, with rather more modest claims, that one formal method, model checking, has been embraced by industry. In stark con[…]ment, only the last two years have laid witness to its commercial viability. Nonetheless, in this very short time, this technology has blossomed from scattered pilot projects at a few commercial sites, into implementations in at least five commercially offered Design Automation tools. This acceleration of activity has even caught the attention of the investment community. Happy graduate students of this technology are basking in an unexpected competition for their talents.

We will examine how this rather astonishing rapid acceptance of a new technology came about, where it is now, and where it may lead. First, why?

It is with some annoyance that the present-day practitioners of model-checking view the extravagant claims for general formal methods: these claims were (rightfully!) never broadly accepted in the first place, and served mainly to undercut the credibility of the field. Indeed, even the concept of “provably correct hardware” is nonsensical: one cannot prove anything about a physical […] a mathematical model of a physical object, and as such necessarily excludes most of the physical details of the physical object. Moreover, on account of this intrinsic abstraction, it is of questionable value to undertake a tedious, detailed proof process, when it is not so certain what it really means in physical terms when the process is successful.

Instead, model-checking today is seen by the hardware design industry not as a means to “Bless the Fleet”, but merely as a new and uncommonly effective debugging tool. With the debugging potential afforded by model-checking, designs not only can be made much more reliable than ever before, but (and this may be the real reason for all the excitement) model-checking is seen to accelerate the design process, significantly decreasing the time to market.

Increased reliability comes from the ability of model-checking to check “corner-cases”, which are hard or infeasible to test through simulation. These include especially complex scenarios unanticipated by the designer. Decreased time to market comes from the ability to apply model-checking earlier in the design cycle and thus find bugs sooner than is possible with simulation. Since model-checking is relatively easier to apply than simulation, which needs test vectors and a test bed, model-checking may be used when the design is fluid or only partially defined. Finding bugs early in the design cycle is a well-known accelerant of design development.

Between 1980 and 1990, there were several commercial applications of model-checking in AT&T Bell Labs pilot projects. There were a few similar pilot projects in France, Holland and the UK, and undoubtedly some others of which I am unaware. But the total number of commercial applications (by which I mean ones in which verification was actually inserted in a commercial development process, not just practiced on the side) were pitifully few. This was in spite of the technology having “proved” itself in a number of these projects. Around 1990, other serious commercial projects began ramping up, notably in Intel but also at IBM, Motorola and somewhat more speculatively at a number of other companies. But the applications remained largely in pilot projects, and although there was heightened interest, the general attitude remained “wait and see.” Today, only a few years later, one can purchase verification tools from Abstract Hardware Ltd. (CheckOff, core technology developed at Siemens), Chrysalis (Design Verifyer), Compass (VFormal, core technology developed at BULL), IBM (RuleBase, core technology developed at CMU), and Lucent Technologies (FormalCheck). [All of the above names are trademarks of the respective companies.] Although the main tools of Chrysalis and Compass are equivalence-checkers (to check the logical equivalence of two designs), they each have model-checkers under development. In addition to these, Intel has very substantial in-house model-checking support and Motorola also has in-house support, in both cases based on core technology developed at CMU. IBM has an in-house equivalence-checker called Verity, which was briefly offered as a commercial tool called BoolesEye. There also is a small industrial effort focused on software verification, notably Telelogic’s SDT/SDL tool for the protocol specification language SDL. This involves a different execution semantics than is used with hardware (an asynchronous interleaving of local events) [5], which I will not address further.

So what happened between 1990 and now to cause a technology so recently held in circumspect reserve, to suddenly be the focus of such intense commercialization? There is no single answer, but a number of clear and compelling ones, which not singly but all together provided the stimulus.

In the beginning of the decade, a number of companies perceived the need for something better than simulation test, understood the promise of model-checking and even accepted the significance of the success of several pilot projects. However, it remained a major step to commit the resources necessary to support (much less commercialize) a mainstream tool. There were all the lurking uncertainties of whether the technology really would generalize, would be viable in the hands of non-experts, and would pay for its own support. But designs were becoming untestable, the cost of bugs was skyrocketing and the need in the hardware design industry for some new testing technology was becoming painfully apparent. Like runners tensed at a starting line, a number of forward-looking companies were waiting for some signal. They wanted neither to chase windmills nor to be also-rans.

The signal came not as a seminal event, but a course of events. Equivalence-checkers had paved a path, showing the utility of even this weak form of model-checking. Bugs were becoming news items even before the notorious Pentium bug. Computers ever faster, memory ever larger and BDD-based algorithms [2, 7] made the application of verification technology simpler and simpler: what needed days and advanced techniques only a few years earlier, now could be done automatically in a few hours. The race was on.

The what, the how, and the why are the subjects of the following sections.

Disclaimer: to the best of my knowledge, the foregoing and following discussion of various companies’ practices is correct. However, all my information has been obtained from second-hand sources, and hence there could be inaccuracies, for which I apologize in advance.

Reduction

If we focus on verification as it is practiced today in hardware design industries, then what we see is model-checking. What makes this technology so attractive to industry is its high degree of automation: the tools can be used by mainstream designers, undiverted by a great deal of thought about the verification process. However, this works only so far as the algorithms actually can handle the size designs the designers need to verify. Even with the best model-checking technology available today, compromises are necessary. One cannot even think about entering a whole microprocessor, much less an entire circuit board design into a verification tool. In fact, although the maximum size design that may be verified is growing literally month by month, the upper limit for verification today is toward the lower limit of a moderate-sized RTL level block. We have succeeded in checking designs with 5,000 latches and 100,000 combinational variables (counting busses and enumerated types as single variables), but for some properties even 500 latches and 50,000 variables is more than we can handle. In the latter cases, in keeping with the need to remain highly automated, we simply pass over these properties, focusing instead on the ones which can be handled automatically. This is in contrast to the academic community, which may dwell on such difficult-to-verify designs, apply advanced ad hoc techniques and ultimately succeed.

There is another model for the verification process, in which verification experts dwell on such hard-to-check properties. However, at Lucent Technologies we have not been successful with this model: as the verification experts commonly are not conversant with the details of the design, they find it hard to keep up with the product development pace.

Thus, it is of paramount importance that the tool be able to reduce the model automatically relative to the property under check, to the greatest extent possible. Most commercial model-checkers have built-in utilities for doing this to some extent. However, there is a great variability in the success of these utilities. Since these utilities determine the extent to which a tool will be able to check a range of designs, they could be considered the most critical aspect of a model-checking tool.

Most of the reductions tend to be property-dependent localization reductions [6], in which the parts of the design model which are irrelevant to the property being checked, are (automatically) abstracted away. In COSPAN [4], the verification engine of FormalCheck, localization reduction is applied dynamically as illustrated in Fig. 1. At each step of the algorithm, the model is adjusted by advancing its “free fence” of induced primary inputs, in order to discard spurious counterexamples to the stated query [6].

[Figure 1. The COSPAN Localization Reduction algorithm, through which a design model is reduced dynamically, relative to the query being checked. Labels in the figure: QUERY, Active, Pruned, Free Fence, SYSTEM.]

Interfaces

A vital part of any commercial verification tool is its user interface. Until recently, the academic community largely ignored user interface issues (it was boring research!), which helped to retard industry acceptance of model-checking. FormalCheck has addressed the user interface issue head-on, providing a commercially-acceptable solution to this tough problem. [Editor’s Note: See sidebars elsewhere in this issue.]

Support

Critical to the success of a model-checker, or any commercial tool, is support. This includes documentation, tutorials, an active help-line and of course timely bug fixes in the tool itself. Unlike most other tools, however, an industrial model-checking tool must keep up with a still rapidly evolving technology. This requires a highly competent staff capable of implementing new ideas as the technology develops, as well as originating new algorithms internally. As much of this technology is being patented, commercial players need to be active participants.

Examples of Practice

To be most effective, model-checking should be introduced into the design process at the same time that the first behavioral models are written. The designer is the one who can apply the tool most effectively, as it is the designer who best knows the areas of the design which need the most checking, how to interpret an error track waveform, and what is wrong in an invalid waveform. Today, “behavioral” tends to mean RTL. However, there is a strong movement toward more abstract designs. For now, these too can be represented in VHDL or even Verilog, with the addition of nondeterminism as an abstraction mechanism [6]. There are several ways to introduce nondeterminism, but the most direct may be through an added primary input (which then implements a nondeterministic choice operator). Using this simple stratagem, designs at any level of abstraction may be defined, verified and then refined in a logically consistent manner to a more detailed level of specification. Repeating this process gives rise to a classical “top-down” design strategy, implemented as step-wise refinement. The model-checker can verify the consistency of each level with the previous level, thereby guaranteeing that properties checked at one level of abstraction are inherited by all subsequent levels. When an automata-theoretic framework is used, the consistency of constraints also may be verified from one level to the next.

In spite of the availability of this technology today, few designers are using it, preferring instead to produce flat designs specified and verified at the synthesizable RTL level (meaning, without using nondeterminism as abstraction). However, this is sure to change quickly, as soon as the current set of designer-verifiers become more comfortable with their verification tools. In fact, the tools themselves are frequently automatically performing such abstractions internally (cf. localization reduction, discussed above).

Although verification can be advantageously applied to global systems such as cache coherence protocols, this often requires some expertise concerning which parts of an otherwise too-large system to include in the verification process. More commonly, industrial practice today is limited to more local “boring” (but nonetheless problematic) controllers such as DMA controllers, bus controllers, MPEG, and arbiters. These alone provide a significant assortment of important applications, more than enough to justify the practice of model-checking, and yet sufficiently limited that the current generation of tools can handle them fairly automatically.

Future

The practice of verification already is evolving in two directions: upward into more abstract behavioral models, and outward into a larger panorama of designs which may be verified automatically. For an overview of current verification practices, see the lecture notes posted from last year’s week-long DIMACS tutorial on verification [8].

The upward direction embraces not only abstraction and top-down (“object-oriented” of course!) design development as described in the previous section, but also a new notion of code reuse: at the design level [6]. An abstract verified design may be implemented into several different instantiations, saving not the coding time, but the verification time to check the design.

In the outward direction, strides already have been made at CMU in word-level model-checking [3], permitting the verification of arithmetic units long thought to be beyond the reach of model-checking. Intel (naturally!) has embraced this new technology and reportedly is using it in its current suite of verification tools. Timing verification [1] is an area in which the technology has advanced well beyond current practice. However, with a renewed interest in asynchronous design, applications may soon be found. Moreover, as designers gain confidence in verification, they may dare to implement prospective design efficiencies that depend upon timing, armed with the confidence that the soundness of these dependencies may be verified.

Another direction actively pursued at CMU, Bell Labs and elsewhere is a graceful integration of some possibly limited theorem-proving capabilities into the model-checking paradigm. While successes in this direction have been too limited to be able to predict much promise for this direction, the potential is large, and research in this direction is welcome.

Finally, as the field evolves, it undoubtedly will expand its influence on the evolution of the hardware description languages, leading to ones more suitable and attractive for verification. The very strong interest in software verification, as yet without a firm footing, may find its base in the hardware/software (“co-design”) interface, where a number of researchers currently are working.

References

[1] R. Alur, R. P. Kurshan, Timing Analysis in COSPAN, Springer LNCS 1066 (1996) 220-231.
[2] J. R. Burch, E. M. Clarke, D. Long, K. L. McMillan, D. L. Dill, Symbolic Model Checking for Sequential Circuit Verification, IEEE Trans. Computer Aided Design, 13 (1994) 401-424.
[3] E. M. Clarke, R. P. Kurshan, Computer-Aided Verification, IEEE Spectrum, June 1996, 61-67.
[4] R. H. Hardin, Z. Har’El, R. P. Kurshan, COSPAN, Springer LNCS 1102 (1996) 423-427.
[5] G. J. Holzmann, Design and Validation of Computer Protocols, Prentice Hall, 1991.
[6] R. P. Kurshan, Computer-Aided Verification of Coordinating Processes, Princeton Univ. Press, 1994.
[7] K. L. McMillan, Symbolic Model Checking, Kluwer, 1993.
[8] http://dimacs.rutgers.edu/Workshops/SYLA-Tutorials/program.html

Design Automation Conference® Copyright © 1997 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or [email protected].


Sidebar: Formal Verification, The Next Logical Step

Formal verification is a whole new approach to verifying correct behavior in logic designs. Unlike simulation, where “confidence” comes from running an arbitrary number of test cases through a design, formal verification uses mathematical techniques to examine the entire solution space of a specified design property. There are no vectors. If formal verification says a property is verified, it is, under all conditions. Thus, while simulation is open-ended and uncertain, formal verification removes uncertainty, increasing designer confidence and reducing verification time.

Today, there are two types of commercial formal verification products: equivalence checkers and model checkers. Equivalence checkers can compare two versions of a circuit to guarantee that they are logically identical, a common and formerly tedious post-synthesis task. By contrast, model checkers are most effective when checking a high-level design model (like the Golden RTL) against the original spec. Since model checkers insure that each property is checked under all possible scenarios, the designer can spend more time insuring that all aspects of the spec have been considered.

[Figure: Functional Verification Tools. Vertical axis “Design Levels”: Behavior, RTL, Gate/Sw. Horizontal axis “Types of Design”: Combinatorial Logic, Multi-Cycle Logic. Regions: FormalCheck, Traditional Vector-Based Methods, Equivalence Checking.]


Sidebar: Model Checking, An Overview

Model checking represents the most advanced application of formal verification today. Unlike equivalence checking, which is limited to verifying that two versions of a design fulfill the same function, model checking allows the designer to verify the design’s behavior against the specification. That makes model checking most useful before synthesis where the cost of repairing design flaws is lowest.

Early model checkers required their users to learn complex languages for property specification. Today, things are different. For example, Bell Labs Design Automation’s model checker, FormalCheck, uses a straightforward template approach that guides the user through assembling a complete query. FormalCheck queries specify not only the behavior to be verified but also the pre- and post-conditions which must also be present. If the property is proven true, the designer has 100% confidence that the desired behavior is present under all conditions. That’s without writing thousands of vectors.

But what if the query fails? Model checkers provide all the data needed to trace the source of a failing case. FormalCheck, for example, provides a familiar waveform display with a link back to the source design code. Design flaws can be quickly found and repaired.

No vectors and complete confidence: no wonder model checking is taking the design community by storm!


Sidebar: A Case Study: Improving Design Confidence

FormalCheck was recently used to verify a block within an MPEG decoder called the Compressed Data Interface Controller (CDIC). The results present a good example of the tool’s speed and efficacy.

The CDIC was responsible for data framing, start code alignment, and synchronization between the incoming data stream, processor, and data buffer. Although the block as a whole was a complex verification problem, much of the complexity was centered around its 2,500 gates of control logic, which controlled the onboard data FIFO containing 2,500 latches (described in 2,000 lines of VHDL code). Bell Labs engineers used FormalCheck to determine if the data FIFO within the CDIC would ever overflow under the control protocol.

FormalCheck’s automatic reduction algorithms produced a reduced model of the CDIC that accurately and exhaustively analyzed all potential overflow conditions. The new model required searching only 2.5 million states and analyzing 9.8 million transitions, compared with the 10^30 states on the original design. This reduction enabled FormalCheck to find an error in short order that had been missed in months of simulation.

90 Seconds to Detect an Error

After only 90 seconds of checking the design on a SPARC workstation, FormalCheck detected an error. The trace vectors showed a condition under which the request to write data to external DRAM was inhibited, causing the internal FIFO to overflow. The error trace spanned 2,000 clock cycles, a subtle sequential problem that would have been difficult to uncover with vector-based techniques. After the error was corrected, the analysis proved exhaustively that overflow could never occur.

Bugs of this nature are becoming increasingly common and hard to catch, as demonstrated by today’s laborious verification efforts. Model checking is a dramatically faster and more effective way to find them and to improve the confidence of the design.

[Figure: The Confidence Gap. Vertical axis: Confidence / Effort. Horizontal axis “Types of Design”: Combinatorial Logic through Multi-Cycle Logic, grouped as Computational, Both, Control. Curves: Model Checking, Simulation, with the Confidence Gap between them. Example blocks along the axis include ALU, Multiplier, ECC, Arbiter, Cache, Bus Control and Communication Handshake; remaining labels are illegible in the source.]


Sidebar: FormalCheck Has Been Designed to Snap Right Into Your Existing Methodology

FormalCheck accepts the synthesizable subsets of both Verilog and VHDL, ensuring that your verified HDL is exactly the one you will synthesize with no changes and no additional editing. The Queries required for verification are easily entered in minutes and replace the tedious entry of test benches and test vectors. The output FormalCheck produces for debugging is identical to the output from simulation. In other words, FormalCheck truly does snap right into your existing design flow.

[Figure: FormalCheck Fits Into Existing Design Flow. Blocks: RTL Design Model (Verilog or VHDL) feeding both FormalCheck (Queries; Pass/Fail & Error Trace) and Cycle-Based Sim (Stimulus Generation; Results Comparison), then Synthesis.]


Sidebar: Working with Intellectual Property

Today’s designs are often centered on the re-use of previous designs, or on purchased Intellectual Property (IP), or “cores,” used to speed the creation of a larger design. Buying a core or re-using a cell designed by another group introduces a new problem into the design flow: how can you be sure you are using the IP the way its designer expected it would be used?

When a core is being designed, its designer makes assumptions about how it will be used. These assumptions include details such as how data is passed and what transitions are allowed (or perhaps more importantly, illegal) in handshaking with the core. Such assumptions are often subconscious and so poorly documented in a specification. Most specs supply only “good” behaviors like timing diagrams and test vectors; the more important “bad” applications are rarely specified.

When FormalCheck is used to verify a core, part of the process requires that these assumptions be specifically stated as constraints on the environment. Unlike a specification, with FormalCheck these assumptions cannot be understated. If they are, the verification of the core will fail. The format of these “constraints” is exactly the same as the format for the properties (behaviors) the designer wants to verify. If these constraints are passed with the core to the designer of the larger chip, then the constraints can be verified as required behavior of the larger design.

This duality of constraints and properties gives FormalCheck an advantage in smoothing out the problems engineers are finding at the interface between their design and the IP their design incorporates.

[Figure: FormalCheck Supports IP and Reuse. My Design and Intellectual Property meet at an Interface; My Constraints = IP Properties; My Properties = IP Constraints.]


Sidebar: The FormalCheck Architecture

FormalCheck requires only two inputs from the user: the design and the queries. The design is exactly what will be passed on to the synthesis tool to create the gate level model; it requires no additional work by the user. The queries represent the behaviors (properties in FormalCheck speak) which need to be verified, and the assumptions about the environment (constraints in FormalCheck speak) under which the design is expected to exhibit proper behavior. Entering the queries is simplified by the use of a template library.

These pieces are automatically combined into the formal model, a formal statement of the problem to be solved. At this point, FormalCheck applies any reduction in the model consistent with the query. This lets the tool handle larger designs and run faster. Also at this point, if the query has been previously verified and is being run on an updated design for regression purposes, FormalCheck automatically checks to see if the design changes could have altered the results of the previous verification. If not, the query is marked as re-verified in a minute or so instead of re-running the full verification algorithm. If the regression test algorithm cannot re-verify the design, the full algorithm is run.

The user can select any of FormalCheck’s four verification algorithms. The early model algorithm uses explicit state enumeration and is good at finding errors in a model which is still very green. As the design becomes more robust, the large model algorithm based on BDD’s becomes the most efficient. For models which are too large to verify flat, probabilistic verification is excellent at finding errors. Since each state transition is tested only once, it is much more efficient than simulation using random vectors. Finally, the auto-restrict algorithm combines the probabilistic and BDD-based algorithms, again to speed error detection in very large models.

The output from FormalCheck is pass or fail. That is, the user receives either a verification that the behavior is true under all allowed input conditions, or a simulation-like error trace which can be used to debug the design. That eliminates the possibility of missing the bad behavior because it was buried in millions of cycles of simulation output.

[Figure: FormalCheck Architecture. Inputs: Chip-, Block-Level, IP Models in Verilog or VHDL (Gates, RTL); Template-Based Query Inputs; Query Template Library. Formal Model: Query Capture; Query-Specific Reduction & Regression. Current Engines (Verification Engines): Autorestrict, Probabilistic, Large Model, Early Model. Outputs: Results Display; Results & Error Traces.]


Sidebar: FormalCheck Is Easy to Use, You Don’t Have to Be an Expert

Much of BLDA’s recent work on FormalCheck has been to make the tool easy-to-use for the mainstream design engineer. Queries are template-based, so there’s no need to learn a new verification language, and most queries take only minutes to write. All queries are expressed by using only five simple concepts: never, always, eventually, eventually always and strong liveness. Each of these properties can be controlled by an enabling condition and a discharging condition. The enabling condition is a trigger that must be met before the fulfilling behavior is required and the discharging condition describes an event that signals when the behavior is no longer needed.

Enabling: After Data Transmission Starts
Fulfilling: Never Six Consecutive Ones Transmitted
Discharging: Unless Transmission Ended

That’s it. Once the queries are entered, the tool does the rest. FormalCheck searches the reachable state space of the design using this query and exhaustively searches for problems. Failed queries generate error traces which are viewed in a simulation viewer. You can back reference from the traces to the source code line which caused the transition by just clicking on the unexpected value in the error trace.

[Figure: Automatic Back Referencing to Source Code (“Click Here” on an error-trace value).]


Ask Dr. V

Questions about design verification? Our verification expert, Dr. V, wants to help! Just submit your questions to [email protected] and Dr. V will provide the answers.

Q: They give out Ph.D.’s in formal verification. Why do you think I’ll be able to use FormalCheck?

A: Because we’ve hidden the details behind our intuitive user interface. All you need to know is the behavior you want to verify, the event that triggers it, and the event that signals when it’s no longer required. Pardon the expression, but it’s as easy as one, two, three.

Q: Are there any bugs FormalCheck can find that vector-based solutions can’t?

A: Technically, no. Any bug found with FormalCheck can be fed into a simulator and re-found. It only takes the right set of vectors. The real question is: how do you find the right vectors? FormalCheck exhaustively checks every reachable state transition exactly once and, with its symbolic states and reduction algorithms, can often verify more state transitions in an hour than could be run with years of simulation. So, unless your project has a deadline, the answer to this question is NO.

Q: I understand that FormalCheck verifies behaviors under all possible conditions. Should I throw out my HDL simulators?

A: No. These tools complement each other. Here’s why. Some circuits, like ALUs, adders and multipliers, are close to pure combinational logic. To exhaustively verify these circuits, you need only verify the behavior under all possible input combinations. Simulators, because of years of tuning and hardware acceleration, will still out-perform FormalCheck for these circuits. However, at the other end of the scale are the control circuits. The behavior of these circuits depends greatly on their history (current state) and exhaustive verification requires trying all possible input combinations from all possible current states. FormalCheck, because it understands state machines and only verifies each state transition once, out-performs simulation on these circuits. Using simulation to find bugs in control circuits is like going skeet shooting with a b-b gun. You might get lucky.

Q: What about the size of my design? How big is too big for FormalCheck?

A: FormalCheck can verify larger designs than any other model checker on the market today. It has verified properties on designs of up to 5,000 latches and 100,000 combinational variables. To tackle such designs, FormalCheck uses a set of automatic

Q: I understand that checking for deadlock at the block level is not enough and that deadlock-free blocks may deadlock when hooked together. Can’t this reduction algorithm hide system level deadlock?

A: No. FormalCheck’s automatic reduction algorithm always does the reduction based on the specific query. It never reduces the design in any way which can change the outcome of the verification. Thus, the amount of reduction achieved for a design will vary from query to query.

Q: My team is focused on building designs by reusing previous designs or purchased IP. How does FormalCheck work in this environment?

A: FormalCheck supports re-use in two ways. First, since the properties are written using concepts like “eventually” or “always,” they usually do not contain the cycle by cycle implementation details found in vectors or test benches. Thus they are more easily reused when verifying a modified version of the IP or previous work. Secondly, FormalCheck requires the IP designer to formalize his


Sidebar: How simple is simple?

Exhaustive simulation is a myth. The smallest of real designs cannot be truly exhaustively simulated in our lifetimes. Even a trivial example requires millions of vectors for exhaustive simulation. As an example, we give you a Tic-Tac-Toe design and ask, how many vectors are needed to simulate every possible, legal Tic-Tac-Toe game?

Count the vectors this way. Two vectors are needed at the beginning of each game to reset the board, cycle the clock and set who moves first, X or O. Then each move constitutes two vectors (to cycle the clock). A move adds one symbol to an empty square alternating between X and O. The game ends when either player gets three identical symbols in a row either horizontally, vertically or diagonally, or when the board is full and no one has three identical symbols in a row.
Thus the reduction algorithms that verify as assumptions about how the core is to shortest game takes 12 vectors small a subset of the design as possi- be used. These assumptions can be (a reset and 5 moves) and the ble where the desired behavior still verified on the larger design. (see the longest game takes 20 vectors. holds. Meanwhile, the size of the IP sidebar) Check out our web page for a largest verifiable design continues to more detailed description of the grow rapidly. problem and how you can gain notoriety by submitting the right answer. The results and How to Reach Us real answers will be posted in July. Our web site is at Sales Offices: Lucent Technologies http://www.bell-labs.com/ 600 Mountain Avenue Bell Labs Design Automation formalcheck Room 3B-431 [email protected] P.O. Box 636 www.bell-labs.com/org/blda Murray Hill, NJ 07974-0636 800-875-6590 Phone: 908-582-5724 Tic-Tac-Toe Fax: 908-582-5145 9430 Research Boulevard Echelon IV, Suite 431 Austin, TX 78759 Phone: 512-343-3618 Fax: 512-342-1985 2600 San Tomas Expwy. Santa Clara, CA 95051 Phone: 408-562-1358 Fax: 408-562-1301 FormalCheck is a registered trademark of Lucent Technologies. 8 The Verification Times
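The following is an added worked example, not FormalCheck's code or anything from Bell Labs. It takes the query shown in the "FormalCheck Is Easy to Use" sidebar (enabling: after data transmission starts; fulfilling: never six consecutive ones transmitted; discharging: unless transmission ended) and checks it the way Dr. V describes above: every reachable state transition is examined exactly once, and a failing query comes back as a cycle-by-cycle error trace rather than a needle hidden in simulation output. The design under check is a constructed toy bit-stuffing transmitter (an assumption: the line idles at 1, a frame opens with a 0 bit, and a 0 is stuffed after five consecutive ones), so the enabling and discharging conditions are what keep the all-ones idle line from being reported as a violation. The monitor automaton, the transition-event semantics of enabling and discharging, and the off-by-one bug in the second transmitter are all mine, chosen to show a counterexample trace.

```python
"""Checking a template query by explicit state enumeration (added example).

Query, in the sidebar's template form:
    Enabling:    After Data Transmission Starts
    Fulfilling:  Never Six Consecutive Ones Transmitted
    Discharging: Unless Transmission Ended

The query becomes a small monitor automaton; the product of the design and
the monitor is explored breadth-first over every input combination from every
reachable state, so each transition is examined once, and a failing query
yields the shortest cycle-by-cycle error trace.  Illustrative code only, not
FormalCheck's implementation; the transmitter is a constructed toy.
"""
from collections import deque
from itertools import product
from typing import Callable, Optional

DesignState = tuple   # (txing: bool, run: int) -- run = consecutive 1s sent in this frame
MonitorState = tuple  # (armed: bool, ones: int) -- armed between enabling and discharging
Inputs = tuple        # (start, stop, data_bit), one value per cycle

# Every input combination the environment may present in one cycle.
INPUT_SPACE = list(product((0, 1), repeat=3))


def make_transmitter(stuff_after: int) -> Callable[[DesignState, Inputs], tuple]:
    """Return the transmitter's next-state/output function.

    The line idles at 1 (long runs of ones are fine *outside* a frame, which
    is why the query needs enabling and discharging conditions).  Inside a
    frame a 0 is stuffed once `stuff_after` consecutive 1s have gone out.
    The correct value is 5; 6 is an off-by-one bug that lets six 1s through.
    """
    def step(state: DesignState, inp: Inputs):
        txing, run = state
        start, stop, data = inp
        if not txing:
            if start:
                return (True, 0), 0       # frame opens; first line bit is 0
            return (False, 0), 1          # idle: line held at 1
        if stop:
            return (False, 0), 1          # frame closes, back to idle
        if run >= stuff_after:
            return (True, 0), 0           # stuffed 0 (data bit is held back)
        return (True, run + 1 if data else 0), data
    return step


def monitor_step(m: MonitorState, started: bool, ended: bool, line: int):
    """Advance the query monitor one cycle.  Returns (new_state, violated)."""
    armed, ones = m
    if ended:                             # discharging event: behaviour no longer required
        return (False, 0), False
    if started:                           # enabling event: start watching the line
        armed, ones = True, 0
    if not armed:
        return (False, 0), False
    ones = ones + 1 if line else 0
    return (True, ones), ones >= 6        # six consecutive ones while armed = failure


def check(step, init: DesignState = (False, 0)) -> Optional[list]:
    """Exhaustive reachability search over design x monitor.

    Returns None when the query holds on every reachable transition, else the
    shortest error trace as a list of ((start, stop, data), line_bit).
    """
    root = (init, (False, 0))
    parent = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        d_state, m_state = cur
        for inp in INPUT_SPACE:
            nd, line = step(d_state, inp)
            started = (not d_state[0]) and nd[0]
            ended = d_state[0] and (not nd[0])
            nm, bad = monitor_step(m_state, started, ended, line)
            nxt = (nd, nm)
            if nxt in parent:
                continue                  # target state already explored
            parent[nxt] = (cur, inp, line)
            if bad:
                return _trace(parent, nxt)
            queue.append(nxt)
    return None


def _trace(parent, node):
    """Follow parent pointers back to the initial state."""
    out = []
    while parent[node] is not None:
        prev, inp, line = parent[node]
        out.append((inp, line))
        node = prev
    out.reverse()
    return out


if __name__ == "__main__":
    print("correct stuffer:", check(make_transmitter(5)))      # None means pass
    print("off-by-one stuffer:", check(make_transmitter(6)))   # error trace
```

The correct transmitter passes because the monitor is only armed between the frame-open and frame-close transitions, so the idle ones are never counted; the off-by-one transmitter fails, and the returned trace is the shortest input sequence that exposes it: one cycle that opens the frame followed by six cycles of data ones. Reading that trace against the design is exactly the "back referencing" step the sidebar describes, and it is why the output of such a check is a concrete trace rather than a bare fail.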
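As an added example for the "How simple is simple?" sidebar (my code, not the contest's published answer), the block below applies the sidebar's counting rule to every legal Tic-Tac-Toe game: two vectors to reset the board, cycle the clock and pick the first mover, then two vectors per move, with a game ending on three in a row or a full board. It assumes X always moves first; letting O start doubles every game and vector count by symmetry. Alongside the vector total it counts the distinct board positions and distinct (position, move) transitions in the same game tree, which is the quantity a checker that visits each reachable transition once actually has to cover.

```python
"""How many vectors does exhaustive Tic-Tac-Toe simulation take? (added example)

Applies the sidebar's counting rule and, for contrast, counts the distinct
positions and transitions in the same tree.  Constructed example; assumes X
moves first (O first would double every count by symmetry).
"""

LINES = ((0, 1, 2), (3, 4, 5), (6, 7, 8),    # rows
         (0, 3, 6), (1, 4, 7), (2, 5, 8),    # columns
         (0, 4, 8), (2, 4, 6))               # diagonals

RESET_VECTORS = 2      # reset board, cycle clock, pick first mover
VECTORS_PER_MOVE = 2   # apply the move, cycle the clock


def winner(board: str):
    """Return 'X' or 'O' if that player has three in a row, else None."""
    for a, b, c in LINES:
        if board[a] != "." and board[a] == board[b] == board[c]:
            return board[a]
    return None


def vectors_for_game(moves: int) -> int:
    """Vectors one game of the given length costs under the sidebar's rule."""
    return RESET_VECTORS + VECTORS_PER_MOVE * moves


def enumerate_games(first: str = "X"):
    """Walk every legal game from the empty board.

    Returns (games_by_length, distinct_positions, distinct_transitions).
    """
    games_by_length = {}
    positions = set()       # every board that occurs in some legal game
    transitions = set()     # every (board, cell) move actually played

    def play(board: str, player: str, moves: int) -> None:
        positions.add(board)
        if winner(board) or "." not in board:       # game over
            games_by_length[moves] = games_by_length.get(moves, 0) + 1
            return
        other = "O" if player == "X" else "X"
        for cell, mark in enumerate(board):
            if mark == ".":
                transitions.add((board, cell))
                play(board[:cell] + player + board[cell + 1:], other, moves + 1)

    play("." * 9, first, 0)
    return games_by_length, len(positions), len(transitions)


def count_vectors(games_by_length: dict) -> int:
    """Total simulation vectors needed to play every legal game once."""
    return sum(n * vectors_for_game(length) for length, n in games_by_length.items())


def summary() -> dict:
    """Headline figures for the X-moves-first reading of the puzzle."""
    games, positions, transitions = enumerate_games()
    return {
        "games": sum(games.values()),
        "shortest_game_vectors": vectors_for_game(min(games)),
        "longest_game_vectors": vectors_for_game(max(games)),
        "total_vectors": count_vectors(games),
        "distinct_positions": positions,
        "distinct_transitions": transitions,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The shortest and longest games come out at 12 and 20 vectors, matching the sidebar, and the vector total for all games runs into the millions while the distinct board positions number only in the thousands. That gap is the sidebar's point in numbers: simulation pays for every path through the state space, whereas a checker that verifies each reachable transition once pays for each edge of the graph only once.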
