Aarti Gupta

Formal hardware verification methods: a survey

Growing advances in VLSI technology have led to an increased level of complexity in current hardware systems. Late detection of design errors typically results in higher costs due to the associated time delay as well as loss of production. Thus it is important that hardware designs be free of errors. Formal verification has become an increasingly important technique towards establishing the correctness of hardware designs. In this article we survey the research that has been done in this area, with an emphasis on more recent trends. We present a classification framework for the various methods, based on the forms of the specification, the implementation, and the proff method. This framework enables us to better highlight the relationships and interactions between seemingly different approaches.

Verification of scheduling in the presence of loops using uninterpreted symbolic simulation

We propose a novel procedure based on uninterpreted symbolic simulation for checking the scheduling step in high-level synthesis. The primary task in scheduling is the assignment of time steps or, equivalently, states to operations. Various transformations like operation reordering and loop unrolling may be performed in the process to meet the optimization criteria. The contribution of our proposal lied in its ability to efficiently handle loops and a wide range of loop transformations performed during scheduling. Our algorithm is based on loop invariant extraction using a combination of uninterpreted symbolic simulation and induction techniques. In spite of its wide scope, our procedure is relatively complete and practical. This work is a part of our effort to provide a suite of techniques for verifying the various steps involved in the high-level synthesis process. It is being implemented in an in-house verification system for checking equivalence of designs generated from high-level specifications through successive refinements. We present case studies to demonstrate the applicability of our approach. These case studies consist of examples where equivalence cannot be established using conventional FSM-based methods. By providing a viable automated equivalence checking technique for such examples, we improve on the state of the art.

SAT-Based Image Computation with Application in Reachability Analysis

Image computation finds wide application in VLSI CAD, such as state reachability analysis in formal verification and synthesis, combinational verification, combinational and sequential test. Existing BDD-based symbolic algorithms for image computation are limited by memory resources in practice, while SAT-based algorithms that can obtain the image by enumerating satisfying assignments to a CNF representation of the Boolean relation are potentially limited by time resources. We propose new algorithms that combine BDDs and SAT in order to exploit their complementary benefits, and to offer a mechanism for trading off space vs. time. In particular, (1) our integrated algorithm uses BDDs to represent the input and image sets, and a CNF formula to represent the Boolean relation, (2) a fundamental enhancement called BDD Bounding is used whereby the SAT solver uses the BDDs for the input set and the dynamically changing image set to prune the search space of all solutions, (3) BDDs are used to compute all solutions below intermediate points in the SAT decision tree, (4) a fine-grained variable quantification schedule is used for each BDD subproblem, based on the CNF representation of the Boolean relation. These enhancements coupled with more engineering heuristics lead to an overall algorithm that can potentially handle larger problems. This is supported by our preliminary results on exact reachability analysis of ISCAS benchmark circuits.

Dynamic detection and removal of inactive clauses in SAT with application in image computation

In this paper, we present a new technique for the efficient dynamic detection and removal of inactive clauses, i.e. clauses that do not affect the solutions of interest of a Boolean satisfiability (SAT) problem. The algorithm is based on the extraction of gate connectivity information during generation of the Boolean formula from the circuit, and its use in the inner loop of a branch-and-bound SAT algorithm. The motivation for this optimization is to exploit the circuit structure information, which can be used to find unobservable gates at circuit outputs under dynamic conditions. It has the potential to speed up all applications of SAT in which the SAT formula is derived from a logic circuit. In particular, we find that it has considerable impact on an image computation algorithm based on SAT. We present practical results for benchmark circuits which show that the use of this optimization consistently improves the performance for reachability analysis, in some cases enabling the prototype tool to reach more states than otherwise possible.

Parametric Circuit Representation Using Inductive Boolean Functions

We have developed a methodology based on symbolic manipulation of inductive Boolean functions (IBFs) for formal verification of inductively-defined hardware. This methodology combines the techniques of reasoning by induction and symbolic tautologychecking in an automated and potentially efficient way. In this paper, we describe a component of this methodology that regards various mechanisms used to represent inductivelydefined circuits in the form of IBFs. The focus is on general parameterization issues, such as multiple parameter functions, multiple output functions, interaction of different parameters for supporting compositions etc. These mechanisms, which may be useful in other applications involving parametric circuit descriptions, are illustrated through practical circuit examples along with preliminary results. We also describe an application of our formal verification methodology, where a proof by induction is performed by automatic symbolic manipulation of parametric circuit representations.

Representation and symbolic manipulation of linearly inductive Boolean functions

We consider a class of practically useful Boolean functions, called linearly inductive functions (LIFs), and present a canonical representation as well as algorithms for their automatic symbolic manipulation. LIFs can be used to capture structural induction in parameterized circuit descriptions, whereby our LIF representation provides a fixed-sized representation for all size instances of a circuit. Furthermore, since LIFs can naturally capture the temporal induction inherent in sequential system descriptions, our representation also provides a canonical form for sequential functions. This allows for a wide range of applications of symbolic LIF manipulation in the verification and synthesis of digital systems. We also present practical results from a preliminary implementation of a general purpose LIF package.

Fast error diagnosis for combinational verification

We address the problem of localizing error sites in a combinational circuit that has been shown to be inequivalent to its specification. In the typical case, it is not possible to identify the error location exactly. We propose a novel diagnosis strategy of gradually increasing the level of detail in the analysis algorithm to ultimately derive a small list of potential error sites in a short time. Our techniques combine the use of simulation, BDDs, and SAT in a novel way to achieve the goal. A limitation of many previous approaches has been that they have been constrained to a specific error model. No such assumption is made in our work. We show through experimental results that these techniques are successful in that the final set of error sites derived is small, contains the actual error sites and is derived in a reasonable amount of time.

Proof by Induction

Note that 5 cannot be represented in the form 4a + 3b/ Let P (k) be the proposition: for every m with 5 < m ≤ k there exist a and b such that 4a + 3b = m. Proof. We will prove by induction on n ≥ 8 that P (n) holds. We need P (8). Claim 1: P (13) holds. Check Claim 1: 6 = 2 · 3, 7 = 4 + 3, 8 = 2 · 4. Claim 2: P(k) implies P(k+1). Proof of Claim 2. Let m = (k+1)−3. By induction there exist there exist a′ and b′ such that 4a′+3b′ = m. That is, 4a′+3b′ = k−2. So, 4a′+3b′+3 = k+1. So if we set a = a′ and b = b′ + 1, 4a + 3b = k + 1. Since for any k, we have shown P (k) implies P (k + 1) by the mathematical induction we have shown: for all n, P (n).

Exploiting Retiming in a Guided Simulation Based Validation Methodology

There has been much interest recently in combining the strengths of formal verification techniques and simulation for functional validation of large designs [6].Typically, a formal test model is first obtained from the design. Then, test sequences which satisfy certain coverage criteria are generated from the test model, which are simulated on the design for functional validation. In this paper, we focus on automatic abstractions for obtaining the test model from the design for simulation vector generation under the transition tour coverage model. Since most efforts using guided simulation have concentrated only on state/transition coverage, without relating these to error coverage of the original design, there is hardly any notion of preserving correctness, which has made it hard to use abstraction effectively.

Property-specific witness graph generation for guided simulation

A practical solution to the complexity of design validation is semi-formal verification, where the specification of correctness criteria is done formally, as in model checking, but checking is done using simulation, which is guided by directed vector sequences derived from knowledge of the design and/or the property being checked. Simulation vectors must be effective in targeting the types of bugs designers expect to find rather than some generic coverage metrics. The focus of our work is to generate property-specific testbenches for guided simulation, that are targeted either at proving the correctness of a full CTL property or at finding a bug. This is facilitated by generation of a property-specific model, called a witness graph, which captures interesting paths in the design. Starting from an initial abstract model of the design, symbolic model checking, pruning, and refinement steps are applied in an iterative manner, until either a conclusive result is obtained or computing resources are exhausted. The witness graph is annotated with, e.g., state or transition priorities before testbench generation. The overall testbench generation flow, and the iterative flow for witness graph generation are shown.