Formal Verification(1)
경종민
[email protected]
Functional verification
• Simulation
• Emulation
– Emulator (general purpose)
– FPGA prototyping (specific application)
• Semi-formal verification
– Coverage measurement
– Test generation
– Symbolic simulation
• Formal verification
– Equivalence checking
– Theorem proving
– Model checking
Simulation
• Definition
– Representation of the operation or features of one process or
system through the use of another
• Description level
– RT level, gate level, switch level, circuit level …
• Simulation engine
– Event-driven vs. cycle-based
– Compiled-code vs. interpretive
• Advantage
– Can make trade-off between execution time and completeness
• Disadvantage
– Needs input generator and output checker (or manually
generating and checking)
Emulation
• Definition
– Imitating the function of (another system), as by
modifications to hardware or software that allow the imitating
system to accept the same data, execute the same programs,
and achieve the same results as the imitated system
• Advantage
– Can check design in real environment
– Faster than simulation
• Disadvantage
– Hard to make the whole system
– Needs to fix environment
– Hard to debug
• Simulation- or emulation-based testing can reveal the
presence of bugs but can never assure the absence of
bugs (Dijkstra, 1970s).
SFV: Coverage measurement(1/3)
• Objective
– Increase the probability of bug detection by checking the
‘quality’ (coverage) of the stimulus
• Advantage
– Easy to apply
– Good guide to generate input stimulus
• Disadvantage
– Many metrics, but no good model for design errors
SFV: Coverage measurement(2/3)
• Kinds of metrics
– Code-based metrics
• Line/code block coverage
• Branch/conditional coverage
• Path coverage
– Circuit structure based metrics
• Toggle coverage
• Register activity
– State-space based metrics
• Pair-arcs: usually covered by line + condition coverage
– Spec-based metrics
• Percentage of specifications satisfied
SFV: Coverage measurement(3/3)
• Available tools
– VeriCover (Veritools)
– SureCov (Verisity)
– Coverscan (Cadence)
– HDLScore, VeriCov (Summit Design)
– HDLCover, VeriSure (TransEDA)
– Polaris (Avant!, now Synopsys)
– Covermeter (Synopsys)
SFV: Test generation
• Objective
– Automatically generate input stimulus to increase test coverage
• Kinds
– ATPG methods
– Dynamic formal, or ABV (assertion-based verification) (‘0-in
search’ from 0-in Design Automation, Inc.; refer to www.0in.com)
• Advantage
– High productivity
• Disadvantage
– Needs a result checker
• Ex) the ‘assertion’ statement in 0-in search
– No constrained inputs
• In general, ATPG-generated inputs may or may not meet the input
constraints
State space vs. search space
(Figure: the portion of the state space searched by simulation, by dynamic formal verification (0-in), and by formal verification)
SFV: Symbolic Simulation
• Objective
– Compute an expression instead of a value
• Advantage
– More coverage per simulation
• Disadvantage
– Not good with state machines
– Does not support temporal logic
• Industrial success story
– Symbolic trajectory evaluation
• Tackles switch-level designs (Randal E. Bryant – COSMOS)
FV: Equivalence checking
• Objective
– Checks the equivalence of two models
• RTL vs. gate
• Before optimization vs. after optimization
• Before test insertion vs. after
• Reference model vs. implementation
• Advantage
– Guarantees functional equivalence of two models for all
input values
• Disadvantage
– Needs a golden reference model
– Targets implementation errors rather than design bugs
FV: Theorem proving
• Deductive verification
– Use axioms and proof rules to model the system (formal
system).
– State the property to be verified as a theorem of this formal
system.
– Derive this theorem with the help of a theorem prover, which
generates rules derivable from the axioms and premises.
– Useful for verifying algorithms
• Industrial success story
– AMD K7 floating point verification
– Intel instruction decoder verification
• Disadvantage
– Very hard to automate.
– Requires user interaction.
– Deriving the formal system can be quite cumbersome.
– Requires an expert to use the theorem prover.
FV: Model Checking
• Objective
– Check properties of a model under all possible conditions
• Advantage
– Can be fully automated
– If the property does not hold, a counter-example will be
generated
– Relatively easy to use
• Problem
– Works (well) only for finite state systems.
– Needs abstraction or extraction
• Both tend to cause errors
– Engineers are not always happy to use temporal logic, which is
used for ‘property’ description in MC.
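The counter-example generation described on this slide, as an added example that is not part of the lecture: a small explicit-state checker in Python, run over a constructed two-process mutual-exclusion model (the model, its state names and the `model_check` function are all assumptions made here, not anything from the original slides).

```python
from collections import deque

# Added example, not from the lecture: an explicit-state model checker for the
# safety property "the two processes are never both in the critical section",
# run on a constructed two-process mutual-exclusion model. In the flawed variant
# a process tests its peer's state and enters the critical section in a later,
# separate step (a time-of-check/time-of-use race); in the atomic variant the
# test and the entry are one step. Every name here is an assumption of this example.
IDLE, WANT, CHECKED, CS = "idle", "want", "checked", "cs"

def step(pc, other, atomic):
    """Program counters one process may move to when its peer is at `other`."""
    if pc == IDLE:
        return [WANT]
    if pc == WANT:                 # test: the peer must be outside the cs
        return [] if other == CS else [CS if atomic else CHECKED]
    if pc == CHECKED:
        return [CS]                # flawed path: enters without re-testing
    return [IDLE]                  # leave the critical section

def successors(state, atomic):
    pc0, pc1 = state
    return ([(n, pc1) for n in step(pc0, pc1, atomic)] +
            [(pc0, n) for n in step(pc1, pc0, atomic)])

def violates(state):
    return state == (CS, CS)       # the "bad" states the property forbids

def model_check(atomic, init=(IDLE, IDLE)):
    """BFS over all reachable states. Returns None if the property holds,
    otherwise a shortest counter-example trace from init to a bad state."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if violates(s):
            trace = []
            while s is not None:   # walk the BFS tree back to init
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for nxt in successors(s, atomic):
            if nxt not in parent:  # each state expanded once: the space is finite
                parent[nxt] = s
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print("flawed:", model_check(atomic=False))   # prints a counter-example trace
    print("atomic:", model_check(atomic=True))    # prints None: property holds
```

The flawed model yields a six-transition trace ending in both processes in the critical section; the atomic model has no reachable bad state, so the checker returns None.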
Verification in SoC design(1/3)
• Too big to verify the whole system
• Already verified IP’s
(Figure: an SoC made of an embedded processor (IP), a peripheral (IP), a memory interface with memory, a custom-designed peripheral, and external devices, all joined by a custom-designed interconnection)
Verification in SoC design(2/3)
• Divide-and-conquer
(Figure: the IP blocks are replaced by abstract models around the custom-designed interconnection (or an interconnection model), and the custom-designed peripheral is connected to an external device model)
– Verify the interconnection model by using the abstract IP models
(check only transaction operation)
– Verify the custom-designed block, and check the spec. for the
interconnection model
Verification in SoC design(3/3)
• Summary
– Divide-and-conquer
– Does not verify individual blocks
• Too big to verify the whole system
• Already verified IP’s
– Checks basic interconnections among blocks
– Looks for unexpected transactions between blocks
→ Spec. verification by model checking
Simple definition of FV
• Formal verification?
– Application of logical reasoning to the development of
digital systems
• Logic is concerned with what is true and how we know
whether something is true
– Both the design and its specification are described in a
language whose semantics are based on mathematical
rigor, and the verification is then performed using
symbolic manipulation
Value and cost of FV
• Formal verification gives the ability to
– Express specs precisely
– Clearly define when an implementation meets the spec
– Understand the spec and the implementation
• Formal verification needs
– Language for specifying desired properties
– Mathematical model of a system
– Method of proof to verify that the specified properties
are satisfied
Formal model
• Mathematical model for formal method
• Requirement of formal model
– Must be complete, representing all the essential aspects
of the subject being modeled
– Must be predictive
• Conclusion from model = observation results of the subject
itself
– Must be well-formed
• Should not allow fallacious or ill-formed reasoning
Verification
• Verification involves checking a satisfaction relation, usually
of the form of a sequent:
M ╞ F
where
M is a model (or implementation)
F is a property (or specification)
╞ is a relationship that should hold between M and F,
i.e. (M, F) ∈ ╞
Logic is used to express the model, property, and relation, and
valid arguments of the logic are used to deduce whether the
relation holds for the particular model and particular property.
Verification
• Verification involves
– Specifying the model/system
– Specifying the properties
– Choosing the satisfaction relations
– Checking the satisfaction relations
• Language
– Specifying something needs logic
– Different logics give us different ways of expressing M
and F and define the pairs that are members of ╞
Logic
• Logic
– Logic is concerned with the form of arguments and the
principles of valid inferencing.
– Induction and deduction
– Symbolic logic is a modern type of formal logic using
special mathematical symbols for propositions,
quantifiers, and relationships among propositions and
concerned with the elucidation of permissible operations
upon such symbols. (Webster dictionary)
• Logic consists of
– Syntax
– Semantics
– Proof procedure(s) (also called proof theory)
Logical reasoning
• Example: If the train arrives late and there are no
taxis at the station, then John is late for his
meeting. John is not late for his meeting. The train
did arrive late.
– Question: Were there taxis at the station or not?
– Answer: There were taxis at the station.
Logical reasoning
• Symbolic description
– p : The train is late
– q : There are taxis at the station
– r : John is late for his meeting
• Valid argument
If p and not q then r
Not r
p
∴ q
Various Logic Classes
1. Propositional logic
2. Predicate logic
3. Higher order logic
4. Temporal logic
– Linear temporal logic (LTL)
– Branching temporal logic (BTL)
• Computational tree logic (CTL)
• Many other variations (CTL*, CTL+, …)
1. Propositional logic
• Invented by Boole
• Syntax (well-formed formulae)
– Two constant symbols: T and F
– Proposition letters (a, b, …)
– Propositional connectives (not (~), and (&), or (|), ⇒, ⇔)
– Brackets
• Semantics (truth tables)
• Proof theory
– Axiom systems
– Natural deduction
– Sequent calculus
Syntax (Well-formed formula)
• Ill-formed formula
– a(&c⇒)b
• Construction rule
– The proposition letters, T, and F are atomic formulas.
– If a is an atomic formula, then a is a formula.
– If p and q are formulas, then each of the following are
formulas:
• (~p), (p & q), (p | q), (p ⇒ q), (p ⇔ q)
Semantics (truth table)
• Two truth values Tr = {1, 0}
– The range of the semantics function for propositional logic is {1, 0}
• Operators
– ~ : function from Tr to Tr
– &, |, ⇒, ⇔ : functions from (Tr × Tr) to Tr
• Boolean valuation
– The semantics of propositional logic
– A mapping v from the set of propositional formulas to the set Tr
meeting the conditions:
• v(T) = 1, v(F) = 0
• v(~p) = ~(v(p))
• for all the connectives: v(p ⊙ q) = v(p) ⊙ v(q), where ⊙ denotes
any binary connective
Proof theory – axiom systems
• Axioms
1. A ⇒ (B ⇒ A)
2. (A ⇒ (B ⇒ C)) ⇒ ((A ⇒ B) ⇒ (A ⇒ C))
3. (~A ⇒ ~B) ⇒ (B ⇒ A)
• Inference rule
1. From A and A ⇒ B, B can be derived, where A and B are
well-formed formulas
Ex) show (x ⇒ y) ⇒ (x ⇒ x) is a tautology
x ⇒ (y ⇒ x) : by axiom 1
(x ⇒ (y ⇒ x)) ⇒ ((x ⇒ y) ⇒ (x ⇒ x)) : by axiom 2
(x ⇒ y) ⇒ (x ⇒ x) : by inference rule 1
Proof theory – natural deduction(1/2)
• Method
– Make assumptions, and then discharge the assumptions
– Inference rules
• And-introduction
– Premises: p, q
– Conclusion: p & q
• And-elimination
– Premises: p & q
– Conclusion: p, q
• Double negation-introduction
– Premises: p
– Conclusion: ~~p
• Double negation-elimination
– Premises: ~~p
– Conclusion: p
• Implies-elimination
– Premises: p, p ⇒ q
– Conclusion: q
• Implies-introduction
– Assumption: p
– Premises: q
– Conclusion: p ⇒ q
• Modus tollens
– Premises: p ⇒ q, ~q
– Conclusion: ~p
Note) implies-introduction may use an assumption, and its
conclusion discharges that assumption
Proof theory – natural deduction(2/2)
• Ex) (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r))
1. (q ⇒ r) : assumption
2. (~q ⇒ ~p) : assumption
3. p : assumption
4. ~~p : double negation-introduction 3
5. ~~q : modus tollens 2, 4
6. q : double negation-elimination 5
7. r : implies-elimination 1, 6
8. p ⇒ r : implies-introduction 3, 7
9. ((~q ⇒ ~p) ⇒ (p ⇒ r)) : implies-introduction 2, 8
10. (q ⇒ r) ⇒ ((~q ⇒ ~p) ⇒ (p ⇒ r)) : implies-introduction 1, 9
Satisfiability and Tautologies
• Satisfiable
– A formula a is satisfiable if there is a Boolean valuation v
such that v(a) = 1.
• Tautology
– A propositional formula a is a tautology (also called valid)
if v(a) = 1 for every Boolean valuation v.
34
Semantic entailment
F1, F2, F3 ╞ Ψ
means that if v(F1) = 1 and v(F2) = 1 and v(F3) = 1 then v(Ψ) = 1,
which is equivalent to saying that
(F1 & F2 & F3) ⇒ Ψ
is a tautology, i.e.,
(F1, F2, F3 ╞ Ψ) ≡ ((F1 & F2 & F3) ⇒ Ψ)
Example
– p : The train is late
– q : There are taxis at the station
– r : John is late for his meeting
(p & (~q)) ⇒ r, ~r, p ╞ q
(((p & (~q)) ⇒ r) & (~r) & (p)) ⇒ q
~((~(p & (~q)) | r) & (~r) & (p)) | q
(p & (~q) & (~r)) | r | (~p) | q
which is a tautology: every valuation makes at least one of the
disjuncts true.
Consistency
• If the set of premises of an implication is not
consistent, it can be used to prove a
contradiction, i.e.,
p, ~p ╞ q & ~q
or
F ⇒ F
• The ‘False implies anything’ problem
– First of all, the model (implementation) should be consistent
Need of another logic
• Syllogism
– Man is mortal
– Socrates is a man
∴ Socrates is mortal
The best way to describe this in propositional logic is
a & b ⇒ c
but this is not a tautology (∵ ‘c’ cannot be represented in
terms of a and b).
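The Boolean valuation, tautology and semantic-entailment definitions of the preceding slides, carried out in Python as an added example (not the lecture's own code) and applied to the slides' own formulas: the axiom-system and natural-deduction examples, the train/taxi entailment, the inconsistent-premises case and the syllogism just above. The `Formula` class, the `imp`/`iff` method names and the `lecture_results` helper are assumptions made here.

```python
import itertools

# Added example (not from the lecture): propositional formulas as small syntax
# trees, the lecture's Boolean valuation v, and its tautology and semantic
# entailment checks, applied to the formulas the slides themselves use.
class Formula:
    def __init__(self, op, *args):
        self.op, self.args = op, args        # op: var, ~, &, |, =>, <=>
    def __and__(self, o):  return Formula("&", self, o)
    def __or__(self, o):   return Formula("|", self, o)
    def __invert__(self):  return Formula("~", self)
    def imp(self, o):      return Formula("=>", self, o)     # p.imp(q) is p => q
    def iff(self, o):      return Formula("<=>", self, o)
    def letters(self):
        if self.op == "var": return {self.args[0]}
        return set().union(*(a.letters() for a in self.args))

def Var(name): return Formula("var", name)
OPS = {"&": lambda a, b: a and b, "|": lambda a, b: a or b,
       "=>": lambda a, b: (not a) or b, "<=>": lambda a, b: a == b}

def v(f, val):
    """Boolean valuation: letters from val, v(~p) = ~v(p), v(p ⊙ q) = v(p) ⊙ v(q)."""
    if f.op == "var": return val[f.args[0]]
    if f.op == "~":   return not v(f.args[0], val)
    return OPS[f.op](v(f.args[0], val), v(f.args[1], val))

def valuations(f):                 # every valuation of the letters in f (2^n of them)
    names = sorted(f.letters())
    for bits in itertools.product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))

def is_tautology(f):   return all(v(f, val) for val in valuations(f))
def is_satisfiable(f): return any(v(f, val) for val in valuations(f))

def entails(premises, conclusion):
    """F1, ..., Fn |= G  iff  (F1 & ... & Fn) => G is a tautology."""
    conj = premises[0]
    for prem in premises[1:]:
        conj = conj & prem
    return is_tautology(conj.imp(conclusion))

p, q, r, x, y, a, b, c = (Var(n) for n in "pqrxyabc")

def lecture_results():             # the slides' own examples, decided by exhaustive valuation
    return {"axiom_example": is_tautology(x.imp(y).imp(x.imp(x))),
            "natural_deduction": is_tautology(q.imp(r).imp((~q).imp(~p).imp(p.imp(r)))),
            "train_taxi": entails([(p & ~q).imp(r), ~r, p], q),
            "inconsistent_premises": entails([p, ~p], q & ~q),
            "syllogism": is_tautology((a & b).imp(c))}
```

The first four results come out true and the syllogism false, matching the slides: the inconsistent premises entail anything because no valuation satisfies them, and a & b ⇒ c fails on the valuation a = b = 1, c = 0.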
2. Predicate logic
• Invented by Gottlob Frege
• Also called “first order logic”
• Syntax
– Constants, variables x, y, ...
– Functions, predicates
– Logical connectives
– Quantifiers
– Punctuation: , (enumeration) . (‘such that’)
• Semantics
– Interpretation, Valuation
• Proof theory
– Axiom systems, natural deduction, sequent calculus
Quantifier
• Universal quantification (∀) ; ‘for all’
– Corresponds to finite or infinite conjunction of the
application of the predicate to all elements of the domain.
• Existential quantification (∃) ; ‘there exist(s)’
– Corresponds to finite or infinite disjunction of the
application of the predicate to all elements of the domain.
• Relationship between ∀ and ∃
– ∃x.P(x) is the same as ~ ∀x.~P(x)
– ∀x.P(x) is the same as ~ ∃x.~P(x)
Historical comment
• Hardware verification works based on First order
logic
– Wagner (1977), Pitchumani and Stabler(1982) ,
Hanes(1983), Wojcik(1983), Suzuki(1984), Hunt(1987)
• Boyer-Moore Theorem prover (1979)
– Quantifier-free first order logic with equality
3. Higher-order logic
• First order logic
– Only quantifies over variables
• Higher order logic
– Also quantifies over functions and predicates
– Uses special function-denoting terms
• λ-expressions, which are terms of the λ-calculus
– Ex) Induction principle
• ∀P.(P(0) & (∀n.P(n) ⇒ P(n+1))) ⇒ ∀n.P(n)
• Zero order logic
– Propositional logic can be regarded as zero order logic
λ-calculus
• Invented by Alonzo Church
• Basic λ-expression
– λx1x2…xn.e
• x1, x2, …xn: parameters of function
• e: expression which computes the value of the function in
terms of the parameters x1, x2, …xn
• Simple example
– λxy.x+y
– (λxy.x+y) 2 3 = 2 + 3 = 5