ATG SoC
Memory Modeling in ESL-RTL
Equivalence Checking
Alfred Koelbl, Jerry Burch,
Carl Pixley
Advanced Technology Group
Synopsys, Inc.
June 2007
Outline
 Motivation
 Transaction
equivalence
 Requirements
for a memory model
Memory layout differences
 Multiple memories
 Constraints on memories

 Proof
procedure
 Experimental
 Conclusion
results
Motivation

Problem: ESL to RTL equivalence checking

Arrays in ESL model are often implemented by
memories in RTL

Given mapping can greatly simplify equivalence
check

Many implementations possible:





Differing memory layout
Multiple memories
Constraints on memory contents
Timing differences
Need to be able to reason about memory
reads / writes
Related Work
 Simple
read/write memory model used in
Pipeline verification (Burch, Dill 1994)
 Symbolic simulation (Bryant, Velev 1997)
 Microprocessor verification

 Stump
et al. 2001:
Extensional theory of arrays
 Clever
encoding:
Manolios et al. 2006, Ganai et al. 2005
 Bradley
et al. 2006:
Extensional theory with quantifiers
Proof procedure

Transaction equivalence




Assume that designs start in valid state (superset of
reachable state set)
Execute single transaction by unrolling ESL and RTL
models for one transaction
Check outputs after transaction
Check state after transaction

Proof strategy: Induction

Needs state invariants




Register mappings
Memory mappings & memory constraints
Additional invariants
Prove that resulting SAT formula is UNSAT
Transaction equivalence
IA0
A
IA1
OA
ESL0
MA
SA
OA
ESL1
MA’
SA’
Transaction TA
Transaction TB
MB
SB
RTL0
RTL1
RTL2
OB
IB0
B
IB1
MB ’
SB’
OB
IB2
Transaction equivalence
IA0
IA1
OA
ESL0
MA
SA
ESL1
Valid starting state
(superset of reachable state set)
MA’
SA’
Outputs
Validequivalent
end state ??
MB
SB
RTL0
RTL1
RTL2
=
MB ’
SB’
OB
IB0
IB1
IB2
Transaction equivalence
IA0
IA1
OA
ESL0
MA
SA
ESL1
MA’
SA’
• Register mappings
• State invariants
• Memory mappings
• Constraints on memories
MB
SB
RTL0
RTL1
RTL2
MB ’
SB’
OB
IB0
IB1
IB2
Memories / Arrays
Ma ’
Ma
0
10
0
10
1
7
1
7
2
19
2
19
3
5
3
1024
4
203
4
203
5
48
5
48
read(Ma, 1) → 7
write(Ma, 3, 1024)

Operations: read(M, addr), write(M, addr, data) (no timing)

How can we express relationships between memories/arrays?
Memory mapping
 Relates
content of one memory to another
 Universally
quantified expression over all
memory locations
 Expressed
 Example:
in terms of reads
One-to-one mapping between Ma
and Mb:
MM(M a, Mb) :  read(Ma, i)  read(Mb, i)
i
Layout differences
struct elem
{
char a;
char b;
}
reg [3:0] MB[2:0]
0
1
2
3
01 1 11 0 10 0 01 0
elem MA[4]
0
00000001
00000001
1
00000011
00000000
2
00000010
00000000
3
00000001
00000000
Layout differences

Differing memory layout due to lack of bit-accurate data-types

Memory mapping is big expression with bit-extracts and
concatenation

User can specify mapping with “template”
template_t
{
a = [2:1];
b = [0];
}

Memory mapping expression:
MM(M a, Mb) :  read(Ma, i)  template_ t(read(M b, i))
0i  4
Multiple memories
 Single
array in ESL implemented by multiple
memories in RTL
Increasing memory access performance
 Shadow registers
 Cache in RTL

 Complex
address mappings between
memories
Optimized memory access pattern in RTL
 Splitting / Merging memories in RTL

Multiple memories
ESL Memory ME
RTL Memory MF
RTL Memory MG
0
1
2
3
4
5
6
MM(M F, ME) :  read(MF, i)  (i  4) ? read(ME, i) : read(ME, 5)
0i 5
MM(M G, ME) :  read(MG, i)  (i  4) ? read(ME, i) : read(ME, 6)
0i 5
Constraints on memories

Designs may only be equivalent if memory contents
are constrained

Constraints on individual memory elements
c0 : read(M A, 3)  2

Constraints on all memory elements
c1 : (read(MA, i)  3)
i

Constraints relating multiple memories
c2 : (read(MA, i)  read(MB, i)  read(MC, i))
i

Constraint becomes proof obligation
Proof procedure

Assumptions
a0  MM0(MA, MB)  MM1(MA, MB)  
a1  c0(MA, MB)  c1(MA, MB)  
a2  r0(SA, SB)  r1(SA, SB)  
a3  i0(MA, MB, SA, SB)  

Proof obligations
a0  a1  a2  a3  MM0(MA, MB)  
a0  a1  a2  a3  c0(MA, MB)  
a0  a1  a2  a3  r0(SA, SB)  
a0  a1  a2  a3  i0(MA, MB, SA, SB)  
a0  a1  a2  a3  OA  OB

Check model assumptions, e.g., that no array accesses are
out-of-bounds
Proof procedure

Propagate reads over writes
read(write (M, i, d), j)  ite(i  j, d, read(M, j))

Replace universal quantifier variables in proof obligations by
free variables
a   (read(MA, i)  read(MB, i))
i
a  (read(M A, i)  read(MB, i))

Expand assumption quantifiers
(read(MA, i)  read(MB, i))  p(read(MA, â), read(MB, b̂))
i
(read(M A, â)  read(MB, â))  (read(M A, b̂)  read(MB, b̂))  p(read(M A, â), read(MB, b̂))

Perform completeness check
Proof procedure

Replace reads by free variables
read(M, a)  v1
read(M, b)  ite(b  a, v1, v2)
read(M, c)  ite(c  a, v1, ite(c  b, v2, v3))

Prove formulas using validity checker
Hector experimental results
Design
# lines of
code
D1
C
50
RTL
6200
D2
70
D3
# arrays #disc #bugs
# rams repa found
ncies
time
final result
1/1
0
0
4min
proven
580
1/1
0
0
2min
proven
570
1720
1/3
9
1 RTL
1 C++
4min
proven
D4
1700
7500
4/4
8
1 RTL
1 C++
<1h
proven
D5
4300
6700
31 / 33
>40
4 RTL 43min
62 proven,
15 cex
Conclusion

Arrays in ESL model are often implemented as
memories in RTL

Relationship between memories expressed by
universally quantified memory map

Memory map must be able to handle





Layout differences
Complicated address mappings
Multiple memories
Constraints on memories
Proof procedure based on induction


Memory maps as assumption and proof obligations
Quantifier elimination