February 22-25, 2010

Designers Work Less with Quality Formal Equivalence Checking
by Orly Cohen, Moran Gordon, Michael Lifshits, Alexander Nadel, and Vadim Ryvchin, Intel
(PowerPoint presentation)
Agenda
• Formal Equivalence Checking (FEC) in Parts Using Assume-Guarantee
• FEC Flow Description and the Importance of Assumptions
• Minimizing Assumptions
  – Naive Approaches
  – FEC as SAT Problem
  – Minimizing Assumptions Using SAT
• Comparison of SAT-Based and Naive Minimization Approaches
• Impact of Assumption Minimization on the Manual Debug Effort
• Conclusions and Recommendations
Michael Lifshits, Intel 2 of 14
Assume-Guarantee in Formal Equivalence Checking (FEC)
• FEC proves the equivalence of 2 designs (e.g. schematics vs. RTL)
• FEC is done on small sub-blocks (slices) suitable for formal tools’ capacity
• Slices’ inputs are restricted with assumptions, e.g. in SVA
[Figure: DUT with Properties; the Inputs are constrained by an Assumption, the Outputs are checked by an Assertion]
Origins of Assumptions
• Manually added assumptions
• Design intent properties
  – ABV methodology
• Schematic Assumptions – appear in the standard cells library
  – save transistors, area, power
[Figure: standard-cell example INVERSE(a,b)]
FEC Stages – the Importance of Assumptions
• Assumptions must be proved relative to the driving logic
• A smaller set of assumptions is better!
“Intel CPU project arrived with a dead A0 silicon due to a missed assumption verification step”
Minimizing the Assumptions Set
Naive approaches:
• Static Structural Analysis
• Iterative Trial and Error alg.:

MinAssump := ∅                                        // start without assumptions
while verification fails and MinAssump ≠ All_Assump do
    Try proving with assumptions in MinAssump
    if pass
        Done
    Use the counterexample (CEX) and find A ∈ All_Assump : A ∉ MinAssump and A contradicts with CEX
    Add (at most K) such assumptions to MinAssump     // K=20
return MinAssump
Formal as SAT Problem
• Most FEC tools are implemented with SAT-based FV engines
• FEC is reduced to a propositional formula: F = a AND b OR c …
• The SAT solver proves the lack of counterexamples for F
  – CEX is an assignment for {a, b, c, …} | F == TRUE
• same(O1, O2)(t): F = XOR(O1, O2')(t), fails when F = TRUE; the unrolled formula NOT S1(t) AND (S1(t) … is checked for t = 1, 2, …; it fails when S1=T, S2=T, ENB=T
• Unsatisfiable core – sub-formulas required for the proof
[Figure: example slice with inputs ENB, S1, S2; O1 = NOT S1; O2' = (S1 AND S2 AND ENB) OR (O2 AND NOT ENB)]
[Figure: SAT formula with its UNSAT core and the assumptions]
Minimizing Assumptions Using SAT
• The projection of the UNSAT CORE onto the assumptions is the subset of assumptions required for the proof
• Minimization at the SAT level → minimal number of assumptions
• Simple approach: take the UNSAT core projection as the result
• Our approach: iteratively minimize, starting from that projection (next slide)
Iterative SAT Algorithm to Minimize Assumptions

Solve formula F: SAT(F) with All_Assump
Extract UNSAT CORE: UC
MinAssump := {A ∈ Assump : A ∩ Proj(UC) ≠ ∅}        // start with all used
for all A ∈ MinAssump do                            // try removing 1 assumption, reuse learning in SAT
    SAT(F) with MinAssump \ {A}                     // solve F without A
    if pass
        MinAssump := MinAssump \ {A}, update UC
return MinAssump
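Added Python example, not the authors' code: it runs the slide-6 trial-and-error loop and the slide-9 deletion loop on a constructed three-input slice, with exhaustive enumeration standing in for the SAT engine (so the iterative loop starts from whatever set it is given rather than from an UNSAT core projection, which brute force cannot produce). The two designs, the assumption library `ALL_ASSUMP` and the helper names are assumptions of this example.

```python
from itertools import product

# Constructed toy FEC slice (not from the slides): the reference computes a XOR b, the
# optimised implementation computes (a OR b) AND NOT c; they match only where a and b
# are never both high and c is held low, which the assumptions must express.
def reference(a, b, c):
    return a != b

def implementation(a, b, c):
    return (a or b) and not c

# Candidate assumptions (constructed): two state the same constraint, one is vacuous.
ALL_ASSUMP = {
    "nand_ab":  lambda a, b, c: not (a and b),
    "a_excl_b": lambda a, b, c: (not a) or (not b),
    "no_c":     lambda a, b, c: not c,
    "c_imp_a":  lambda a, b, c: (not c) or a,
    "always":   lambda a, b, c: True,
}

def find_cex(assump):
    """Stand-in for the SAT engine: exhaustively search for an input vector that satisfies
    every assumption in `assump` yet makes the designs differ; None means the proof passed."""
    for a, b, c in product((False, True), repeat=3):
        if all(ALL_ASSUMP[n](a, b, c) for n in assump) and reference(a, b, c) != implementation(a, b, c):
            return (a, b, c)
    return None

def naive_minimize(k=20):
    """Slide 6 loop: start empty; after each failed proof add (at most k) unused assumptions the CEX contradicts."""
    min_assump = set()
    while min_assump != set(ALL_ASSUMP):
        cex = find_cex(min_assump)
        if cex is None:
            break                       # proof passed
        contradicted = sorted(n for n in ALL_ASSUMP
                              if n not in min_assump and not ALL_ASSUMP[n](*cex))
        if not contradicted:
            break                       # no assumption rules the CEX out: a real mismatch
        min_assump.update(contradicted[:k])
    return min_assump

def iterative_minimize(start):
    """Slide 9 deletion loop: drop each assumption in turn and keep it dropped when the
    proof still passes without it, leaving a subset that is minimal w.r.t. removal."""
    min_assump = set(start)
    for name in sorted(start):
        if find_cex(min_assump - {name}) is None:
            min_assump.discard(name)
    return min_assump
```

On this slice the naive loop ends with four assumptions (both spellings of the a/b constraint plus an irrelevant one); the deletion loop brings that down to the two that are actually needed.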
SAT-Based Minimization vs. Naive Trial and Error
• 50% of the assumptions remain in most cases, and dramatically fewer in some
• UNSAT CORE Projection vs. Iterative Minimization (ours):
  – Iterative minimization is justified mainly when minimizing the core is more important than reducing the run-time
[Chart: SAT-Based Minimization Algorithms Comparison. For DUT1–DUT4: remaining properties (%, 0–35%) after Projection vs. Iterative Minimization, and run time in hours (0–45) for Projection TIME vs. Iterative Minimization TIME]
Impact of Assumption Reduction on the Manual Debug Effort
• All properties (including assumptions) are formally verified
• SQL database used to store the verification results
• Combined verification status – status of the recursive set of used assumptions:

For each used-by-FEC (UBF) property P
    Get the set of assumptions (Assump) used to verify property P
    For each Ai ∈ Assump
        Assump_i := set of assumptions used to verify Ai
    Assump_all = Assump ∪ Assump_i ∪ … ∪ Assump_n      // a recursive set
    if all Ai ∈ Assump_all pass
        status(P) = pass
    else
        status(P) = conditional
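Added Python example (not the authors' code) of the combined-status rule above over a constructed results table; the property names, statuses and the `RESULTS` layout are assumptions of this example, and the closure walk is written to terminate even on a dependency loop, a case the slide does not mention.

```python
from collections import Counter

# Constructed verification results (not the slides' data), in the shape an FEC flow would
# keep in its SQL results database: each property's own proof result and the assumptions
# that proof relied on. Assumptions are themselves properties with their own entries.
RESULTS = {
    "eq_alu":   {"status": "pass",    "used": {"A_onehot", "A_reset"}},
    "eq_fifo":  {"status": "pass",    "used": {"A_nofull"}},
    "eq_ctl":   {"status": "fail",    "used": set()},
    "A_onehot": {"status": "pass",    "used": {"A_reset"}},
    "A_reset":  {"status": "pass",    "used": set()},
    "A_nofull": {"status": "pass",    "used": {"A_credit"}},
    "A_credit": {"status": "not_run", "used": set()},
}

def recursive_assumptions(prop, results):
    """Assump_all from slide 11: every assumption the proof of `prop` transitively rests on.
    The visited set makes the walk terminate even if the database holds a dependency loop."""
    closure, todo = set(), list(results[prop]["used"])
    while todo:
        a = todo.pop()
        if a not in closure:
            closure.add(a)
            todo.extend(results[a]["used"])
    return closure

def combined_status(prop, results):
    """Slide 11 rule: a property that passed counts as 'pass' only when every assumption in
    its recursive set passed too, otherwise 'conditional'; any other own result stands."""
    own = results[prop]["status"]
    if own != "pass":
        return own
    deps = recursive_assumptions(prop, results)
    return "pass" if all(results[a]["status"] == "pass" for a in deps) else "conditional"

def status_summary(ubf_props, results):
    """Counts of combined statuses over the used-by-FEC properties (what the slide-12 chart plots)."""
    return Counter(combined_status(p, results) for p in ubf_props)
```

Here `eq_fifo` passed on its own but depends, two levels down, on an assumption that was never run, so its combined status is conditional; trimming unneeded assumptions shortens exactly these chains.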
Impact of Assumption Reduction on the Manual Debug Effort
• 36% more properties passed
• Number of properties in FEC is large – a large amount of manual effort is saved to the design team
[Chart: combined status of all properties, original vs. assump_min; categories Conditional, Failed, Not Run, Passed, Problematic; y-axis % of all properties, 0–60%]
Conclusion and Recommendations
• Reducing the number of used assumptions decreases manual debug time and computational effort
• UNSAT core-based techniques are much more effective than naive techniques
• Tradeoff between the reduction effectiveness and the run-time
• Different SAT-based assumption minimization techniques fit various FEC stages
  – Assumptions minimization is more important for RTL and SCH equivalence verification than for the RTL assumption verification
  – RTL assumptions verification complexity is greater than RTL and SCH equivalence
  – Iterative SAT-based assumption minimization for RTL and SCH equivalence
  – Assumption reduction (UNSAT core projection) for RTL assumption verification
Backup
SAT-Based Minimization vs. Naive Trial and Error
• 22 random microprocessor design blocks
• Percentages indicate the improvement compared to the iterative trial-and-error algorithm
• Half as many assumptions in most cases, and dramatically fewer in some (50% == ½ assumptions)
[Chart: time per block on a logarithmic scale; series “naive” trial and error vs. SAT-based]