Daher Kaiss

CLEVER: Divide and Conquer Combinational Logic Equivalence VERification with False Negative Elimination

Formal equivalence verifiers for combinational circuits rely heavily on BDD algorithms. However, building monolithic BDDs is often not feasible for todays complex circuits. Thus, to increase the effectiveness of BDD-based comparisons, divide-and-conquer strategies based on cut-points are applied. Unfortunately, these algorithms may produce false negatives. Significant effort must then be spent for determining whether the failures are indeed real. In particular, if the design is actually incorrect, many cut-point based algorithms perform very poorly. In this paper we present a new algorithm that completely removes the problem of false negatives by introducing normalized functions instead of free variables at cut points. In addition, this approach handles the propagation of input assumptions to cut-points, is significantly more accurate in finding cut-points, and leads to more efficient counter-example generation for incorrect circuits. Although, naively, our algorithm would appear to be more expensive than traditional cut-point techniques, the empirical data on more than 900 complex signals from a recent microprocessor design, shows rather the opposite.

Industrial Strength SAT-based Alignability Algorithm for Hardware Equivalence Verification

Automatic synchronization (or reset) of sequential synchronous circuits is considered one of the most challenging tasks in the domain of formal sequential equivalence verification of hardware designs. Earlier attempts were based on Binary Decision Diagrams (BDDs) or classical reachability analysis, which by nature suffer from capacity limitations. A previous attempt to attack this problem using non-BDD based techniques was essentially a collection of heuristics aimed at toggling of the latches, and it is not guaranteed that a synchronization sequence will be computed if it exists. In this paper we present a novel approach for computing reset sequences (and reset states) in order to perform sequential hardware equivalence verification between circuit models. This approach is based on the dual-rail modeling of circuits and utilizes efficient SAT-based engines for Bounded Model Checking (BMC). It is implemented in Intels sequential verification tool, Seqver, and has been proven to be highly successful in proving the equivalence of complex industrial designs. The synchronization method described in this paper can be used in many other CAD applications, including formal property verification, automatic test generation, and power estimation.

An enhanced cut-points algorithm in formal equivalence verification

BDD-based cut-points verification is widely used informal verification. The authors have recently developed a cut-points verification algorithm that is unique in that it avoids generation of false-negatives and allows simplification of the circuits to be compared based on reconvergence of input variables. Here we describe several refinements and enhancements that lead both to drastic speedup as well increase in capacity. These methods are already implemented in Intels combinational verifier CLEVER and show very promising results on real life examples from the pentium design family.

A compositional theory for post-reboot observational equivalence checking of hardware

We propose an equivalence checking theory in a wider-than-usual sense. The theory shows how to combine Formal Equivalence Checking (FEC) of specification and implementation models with Assertion Based Verification (ABV) of the specification model, and with Reboot Sequence Checking (RSC) on both models, to ensure that the implementation model has the intended logic functionality. Here, FEC is performed to ensure that the input-output behavior of the models coincides in post-reboot states. ABV ensures that the specification model has the intended logic functionality captured by temporal assertions. RSC ensures deterministic behavior of the models after reboot. We propose a flexible compositional theory for FEC, an abstraction method for ABV, and a scalable algorithm for RSC, enabling performance of all three activities in a modular, compositional manner, and largely independently: FEC and ABV are performed without knowing the actual reboot sequence (and the respective initial states) of the two models; and FEC, ABV and RSC have the same observables.

Seqver : A Sequential Equivalence Verifier for Hardware Designs

This paper addresses the problem of formal equivalence verification of hardware designs. Traditional methods and tools which perform equivalence verification are commonly based on combinational equivalence verification (CEV) methods. We however present a novel method and tool (Seqver) for performing sequential equivalence verification (SEV). The theory behind Seqver is based on the alignability theory, however in this paper we present a refinement to that theory: strong alignability, which introduces a concept of automatic model synchronization to the verification process. Automatic synchronization (reset) of sequential synchronous circuits is considered as one of the most challenging tasks in the domain of sequential equivalence verification. Earlier attempts were based on BDDs or classical reachability analysis, which by nature suffer from capacity limitations. Seqver is empowered with hybrid verification engines which combine state of the art SAT and BDD based engines for performing synchronization and verification. Seqver is widely used today in Intel for formally verifying leading next generation CPU designs.

Post-reboot Equivalence and Compositional Verification of Hardware

We introduce a finer concept of a hardware machine, where the set of post-reboot operation states is explicitly a part of the FSM definition. We formalize an ad-hoc flow of combinational equivalence verification of hardware, the way it was performed over the years in the industry. We define a concept of post-reboot bisimulation, which better suits the hardware machines, and show that a right form of combinational equivalence is in fact a form of post-reboot bisimulation. Further, we show that alignability equivalence is a form of post-reboot bisimulation, too, and the latter is a refinement of alignability in the context of compositional hardware verification. We find that post-reboot bisimulation has important advantages over alignability also in the wider context of formal hardware verification, where equivalence verification is combined with formal property verification and with validation of a reboot sequence. As a result, we propose a more comprehensive, compositional, and fully-formal framework for hardware verification. Our results are extendible to other forms of labeled transition systems and adaptable to other forms of bisimulation used to model and verify complex hardware and software systems

Post-silicon Timing Diagnosis Made Simple using Formal Technology

With the increasing demand for microprocessor core operating frequencies, debugging post silicon synchronization (or speed) failures is a critical time consuming post silicon debug activity. Inability to complete the isolation of all possible speed failures on time, forces companies to go to market with products that run at a lower frequency than their upper frequency limits. This might cause revenue losses or lead to loss of market segment shares. Laser-Assisted Device Alternation (LADA) machines are the main vehicle for debugging post silicon speed failures at Intel. Operating such expensive machines consumes a substantial portion of the overall post silicon debug effort. Moreover, with the increasing complexity of manufacturing processes, these machines need to be renewed from one process generation to the next, which increases the product cost. This paper describes a novel method, based on formal technology, which brings a productivity breakthrough in isolating post-silicon speed failures. We demonstrate that in many cases optical probing using LADA can be fully replaced by our approach.

Boolean rings for intersection-based satisfiability

A potential advantage of using a Boolean-ring formalism for propositional formulae is the large measure of simplification it facilitates. We propose a combined linear and binomial representation for Boolean-ring polynomials with which one can easily apply Gaussian elimination and Horn-clause methods to advantage. We demonstrate that this framework, with its enhanced simplification, is especially amenable to intersection-based learning, as in recursive learning and the method of Stalmarck. Experiments support the idea that problem variables can be eliminated and search trees can be shrunk by incorporating learning in the form of Boolean-ring saturation.