Introduction to F onnal Hardware Verification Springer-Verlag Berlin Heidelberg GmbH Thomas Kropf Introduction to Formal Hardware Verification With 137 Figures and 32 Tables , Springer Dr. Thomas Kropf Robert Bosch GmbH Department K8IDIC3 Tiibinger StraBe 123, D-72762 Reutlingen, Germany [email protected] and University of Tiibingen Wilhelm Schickard Institute of Computer Science Sand 13, D-72076 Tiibingen, Germany [email protected] Library of Congress Cataloging-in-Publication Data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Kropf, Thomas: Introduction to formal hardware verification / Thomas Kropf. ISBN 978-3-642-08477-5 ISBN 978-3-662-03809-3 (eBook) DOl 10.1007/978-3-662-03809-3 ACM Computing Classification (1998): B.l.2, B.2.2, BAA, B.5.2, B.6.3, 1.2.3 ISBN 978-3-642-08477-5 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German copyright law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag Berlin Heidelberg GmbH. Violations are liable for prosecution under the German Copyright Law. © Springer-Verlag Berlin Heidelberg 1999 Originally published by Springer-Verlag Berlin Heidelberg New York in 1999 The use of general descriptive names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Cover design: design & production GmbH, Heidelberg Typesetting: Camera-ready by the author Printed on acid-free paper-SPIN: 10696609 45/3142 ud-54321 0 Preface The correctness of a hardware design is a crucial property. Both the increasing defi ciencies of traditional simulation to cope with complex designs and the break through of new algorithms have drawn attention to formal verification: the formal proof of correctness of a design with regard to a given specification. Thus, formal verification has become one of the most interesting and challenging techniques in hardware and system design. Some people consider hardware verification a tech nique that will have a similar impact on the design process as has automated syn thesis. This includes improved design quality and turnaround time - both key is sues in being successful in a highly competitive market. In recent years, a plethora of different approaches and methods have been pre sented - far too many for an introductory textbook in this field. Hence a selection had to be made which is based on real world applicability. This may be an arguable criterion and many important aspects of the field are missing. On the other hand, this book contains a good part of the algorithms which are used in today's verifica tion tools - both commercial and academic. These techniques are key technologies not only in hardware verification but also in related areas such as the verification of telecommunication software. The increasing interest in formal verification has led to a tremendous increase in conference and journal publications. As a textbook can never keep the pace with ongoing research, the emphasis has been always on explaining the basics and ratio nale of a certain approach. After having read the respective chapter, the reader should easily be able to extend this basic knowledge by reading current publica tions. For this purpose, each chapter gives numerous references to current litera ture. The book requires no basic knowledge in formal techniques. A background in electrical engineering or computer science is sufficient for understanding most parts of the book. However, each section also contains a section dedicated to verifi cation experts. Although not necessary for understanding the underlying technol ogy, these parts cover more in-depth material and additional formal background. Thus, this book is well suited for a variety of people: students and researchers inter- VI Preface ested in formal verification as well as design engineers who are interested in the possibilities but also the limitations of formal verification tools. The textbook is based on lectures and seminars on formal verification which I have given at the University of Karlsruhe since 1992. The contents have matured over the years due to the constructive feedback of many students. It turned out that although very many people have made valuable contributions to this field, there are a few outstanding people who have laid the seminal foundations for many others. According to personal biased and without any guarantee of com pleteness, I mention: Randy Bryant's work on binary decision diagrams; Olivier Coudert, Christian Berthet and Jean Christophe Madre for their idea of symbolic state space traversal; Amir Pnueli for his ideas of using temporal logics not only in a philosophical context but to verify systems; E. Allen Emerson, Ed Clarke and Ken McMillan, who laid the foundations of branching time temporal logic and symbolic model checking, respectively, and Mike Gordon, who demonstrated how higher-order logic can be used to verify hardware. Their key publications directly influenced this book. I am grateful for the help of many people who have carefully proofread the text and contributed countless ideas which made it much more readable: the members of the hardware verification group at the University of Karlsruhe, Dirk Hoffmann, Michaela Huhn, Ralf Reetz, Jiirgen Ruf, and Klaus Schneider. Rolf Drechsler from the University of Freiburg helped considerably in improving the parts dealing with ROBDDs. I also want to thank Hans W6ssner at Springer-Verlag for smooth and productive cooperation. Books are never perfect, errors can never be completely avoided (there is no for mal proof of a book's correctness ... ), and there is always room for improvement. Thus I am eager to get feedback of any kind. Please contact me using the address given on the title verso page or just send me an e-mail. Tiibingen, Germany, June 1999 Thomas Kropf Contents 1 Introduction............................................... 1 1.1 Setting the Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.1 Faults and the Design Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.2 Avoiding Design Errors in Hardware Designs . . . . . . . . . . . . . 3 1.2 Circuit Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Fighting Design Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.4 Verification versus Validation. . . . . . . . . . . . . . . . . . . . . . . . .. 10 1.5 Hardware Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 10 1.5.1 Verification versus Simulation. . . . . . . . . . . . . . . . . . . . . . . .. 11 1.5.2 Formal Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 12 1.5.3 Formal Implementation Description. . . . . . . . . . . . . . . . . . . .. 15 1.5.4 Correctness Relation and Proof. . . . . . . . . . . . . . . . . . . . . . . .. 18 1.6 The Success of Formal Hardware Verification . . . . . . . . .. 21 1.6.1 Prerequisites for the Success of Hardware Verification. . . . .. 22 1.6.2 Properties of Successful Hardware Verification Approaches.. 23 1.7 Limitations of Formal Hardware Verification ........... 25 1.8 The Pragmatic Approach - Recipes for Verifying Circuits 26 1.9 Summary............................................. 26 1.10 Structure of the Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 28 1.11 Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 28 2 Boolean Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 31 2.1 Motivation ............................................ 31 2.1.1 Hardware Verification Tasks .......................... 31 2.2 Representations for Boolean Functions . . . . . . . . . . . . . . . .. 32 2.2.1 Function Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 33 2.2.2 Propositional Logic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 34 2.2.3 Binary Decision Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . .. 37 VIII Contents 2.3 Modeling Hardware Behavior. . . . . . . . . . . . . . . . . . . . . . . . .. 48 2.3.1 Functional Circuit Representation. . . . . . . . . . . . . . . . . . . . . .. 48 2.3.2 Relational Circuit Representation. . . . . . . . . . . . . . . . . . . . . .. 49 2.3.3 Characteristic Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 51 2.4 Specification, Proof Goals and Proof . . . . . . . . . . . . . . . . . .. 52 2.4.1 Implicit Hardware Verification. . . . . . . . . . . . . . . . . . . . . . . .. 52 2.4.2 Explicit Hardware Verification. . . . . . . . . . . . . . . . . . . . . . . .. 53 2.4.3 Model-Based Proof Approaches. . . . . . . . . . . . . . . . . . . . . . .. 55 2.5 Further Developments and Tools. . . . . . . . . . . . . . . . . . . . . .. 55 2.5.1 Extensions and Variants of Binary Decision Diagrams . . . . .. 55 2.5.2 Variable Ordering Heuristics. . . . . . . . . . . . . . . . . . . . . . . . .. 71 2.6 Technical Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 76 2.6.1 Classes of Boolean Functions. . . . . . . . . . . . . . . . . . . . . . . . .. 77 2.7 Summary............................................. 80 3 Approaches Based on Finite State Machines. . . . . . . . . . . . . .. 83 3.1 Motivation............................................ 83 3.2 Formal Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 84 3.2.1 Automata for Finite Sequences. . . . . . . . . . . . . . . . . . . . . . . .. 85 3.2.2 Automata for Infinite Sequences. . . . . . . . . . . . . . . . . . . . . . .. 89 3.2.3 Image and Pre-Image of a Function. . . . . . . . . . . . . . . . . . . .. 90 3.3 Modeling Hardware Behavior. . . . . . . . . . . . . . . . . . . . . . . . .. 93 3.4 Specification, Proof Goal and Proof .................... 94 3.4.1 Symbolic State Machine Traversal. . . . . . . . . . . . . . . . . . . . .. 95 3.5 Further Developments ................................. 100 3.5.1 Structural Approaches to Circuit Equivalence ............. 102 3.5.2 Relational FSM Representation ........................ 103 3.5.3 Functional FSM Representation ........................ 114 3.5.4 State Space Traversal Variants ......................... 119 3.5.5 ROBDD Variable Ordering for FSM Equivalence Checking .. 132 3.5.6 Verification of Sequential Circuits without Reset Lines ...... 133 3.5.7 Verification based Test Generation for Fabrication Faults .... 147 3.6 Summary ............................................. 148 4 Propositional Temporal Logics ............................ 151 4.1 Motivation ............................................ 151 4.2 Formal Basics ......................................... 153 4.2.1 Temporal Structures ................................. 153 4.2.2 The Propositional Temporal Logics CTL*, CTL and LTL .... 156 4.2.3 Comparing CTL, LTL and CTL* ....................... 164 4.2.4 Proof Algorithms .................................... 167 4.2.5 Comparing Proof Complexity .......................... 180 Contents IX 4.3 Modeling Hardware Behavior .......................... 183 4.3.1 Describing Implementations with Temporal Structures ...... 184 4.3.2 Describing Implementations by Temporal Logic Formulas ... 188 4.4 Specification, Proof Goal and Proof .................... 188 4.4.1 Creating Temporal Logic Specifications .................. 189 4.5 Further Developments ................................. 192 4.5.1 Increasing Efficiency ................................. 192 4.5.2 Specifications ...................................... 192 4.6 Technical Details ...................................... 194 4.6.1 Proof Algorithm .................................... 194 4.7 Summary ............................................. 204 5 Higher-Order Logics ...................................... 207 5.1 Motivation ............................................ 207 5.2 Formal Basics ......................................... 209 5.2.1 Formal Systems ..................................... 209 5.2.2 First Order Logic .................................... 210 5.2.3 Higher-Order Logic .................................. 213 5.3 Modeling Hardware Behavior .......................... 225 5.3.1 Representing Modules by Predicates .................... 225 5.3.2 Modeling Structures ................................. 227 5.4 Specification and Proof ................................ 227 5.5 Performing Proofs ..................................... 228 5.5.1 Methodology for Establishing Circuit Correctness .......... 229 5.5.2 Abstraction Mechanisms .............................. 235 5.5.3 Verification of Generic Circuits ........................ 242 5.6 Technical Details ...................................... 245 5.6.1 Some More Theory .................................. 245 5.6.2 Modeling Hardware Behavior .......................... 247 5.6.3 Formalizing Abstraction Mechanisms ................... 249 5.7 Summary ............................................. 253 Appendix A Mathematical Basics ........................... 255 Appendix B Axioms and Rules for CTL* .................... 267 Appendix C Axioms and Rules for Higher Order Logic ..... 271 References .................................................... 277 Index ......................................................... 291 X Contents