Pallab Dasgupta

Synthesis of System Verilog Assertions

In recent years, assertion-based verification is being widely accepted as a key technology in the pre-silicon validation of system-on-chip (SOC) designs. The System Verilog language integrates the specification of assertions with the hardware description. In this paper we show that there are several compelling reasons for synthesizing assertions in hardware, and present an approach for synthesizing System Verilog assertions (SVA) in hardware. Our method investigates the structure of SVA properties and decomposes them into simple communicating parallel hardware units that together act as a monitor for the property. We present a tool that performs this synthesis, and also show that the chip area required by the monitors for a industry standard ABV IP for the ARMAMBA AHB protocol is quite modest

A Roadmap for Formal Property Verification

1. Introduction. 1.1. Writing our First Formal Specification. 1.2. Is my specification correct? 1.3. Have I written enough properties? 1.4. Property Verification. 1.5. Verification by Specification Refinement. 1.6. The new flow. 2. Languages for Temporal Properties. 2.1. The basic temporal operators. 2.2. Logics for temporal specification. 2.3. System Verilog Assertions. 2.4. Architectural Styles for Assertion IPs. 2.5. Concluding Remarks. 2.6. Bibliographic Notes. 3. How does the property checker work? 3.1. Checkers are state machines! 3.2. The verification strategy. 3.3. Dynamic property verification. 3.4. Formal property verification. 3.5. BDD-based Formal Property Verification. 3.6. SAT-based Formal Property Verification. 3.7. Concluding Remarks. 3.8. Bibliographic Notes. 4. Is my specification consistent? 4.1. Satisfiability and Vacuity. 4.2. Satisfiability is not enough. 4.3. Games with the Environment. 4.4. Methods for Consistency Checking. 4.5. The SpecChecker Tool. 4.6. Concluding Remarks. 4.7. Bibliographic Notes. 5. Have I written enough properties? 5.1. Simulation Coverage Metrics. 5.2. Mutation-based FPV Coverage. 5.3. Structural versus Functional Coverage. 5.4. Fault-based FPV Coverage. 5.5. Concluding Remarks. 5.6. Bibliographic Notes. 6. Design Intent Coverage. 6.1. An Introductory Example. 6.2. The Formal Problem. 6.3. The Intent Coverage Algorithm. 6.4. Soundness of the Intent Coverage Algorithm. 6.5. Multi-property representation of the coverage gap. 6.6. SpecMatcher -- The Intent Coverage Tool. 6.7. Priority Cache Access -- A closer look. 6.8. Concluding Remarks. 6.9.Bibliographic Notes 7. Test Generation Games. 7.1. Constraint Random Test Generation. 7.2. Assertions viewed as Coverage Points! 7.3. Games with the Environment 7.4. Intelligent Test Generation for Property Coverage. 7.5. The Integrated Verification Flow. 7.6. Concluding Remarks. 7.7. BibliographicNotes. 8. A Roadmap for Formal Property Verification. 8.1. Simulation-based Validation Flow. 8.2. Formal Verification Flow. 8.3. The Three Pillars. 8.4. The Integrated Flow. 8.5. Sharing the Task. 8.6. Concluding Remarks. 8.7. Bibliographic Notes. 9. References

Have I Written Enough Properties

Logical bugs like to hide in the gap between the design intent specification and the implementation. The RTL designer typically receives the specification as an English document and develops the implementation on the basis of her understanding of this document. Using a natural language such as English creates the possibility of a gap between the design architect’s actual intent and the RTL designers’ perception of this intent. Some of the hardest logical bugs love to hide in this gap.

Policy Based Security Analysis in Enterprise Networks: A Formal Approach

In a typical enterprise network, there are several sub-networks or network zones corresponding to different departments or sections of the organization. These zones are interconnected through set of Layer-3 network devices (or routers). The service accesses within the zones and also with the external network (e.g., Internet) are usually governed by a enterprise-wide security policy. This policy is implemented through appropriate set of access control lists (ACL rules) distributed across various network interfaces of the enterprise network. Such networks faces two major security challenges, (i) conflict free representation of the security policy, and (ii) correct implementation of the policy through distributed ACL rules. This work presents a formal verification framework to analyze the security implementations in an enterprise network with respect to the organizational security policy. It generates conflict-free policy model from the enterprise-wide security policy and then formally verifies the distributed ACL implementations with respect to the conflict-free policy model. The complexity in the verification process arises from extensive use of temporal service access rules and presence of hidden service access paths in the networks. The proposed framework incorporates formal modeling of conflict-free policy specification and distributed ACL implementation in the network and finally deploys Boolean satisfiability (SAT) based verification procedure to check the conformation between the policy and implementation models.

Instrumenting AMS assertion verification on commercial platforms

The industry trend appears to be moving towards designs that integrate large digital circuits with multiple analog/RF (radio frequency) interfaces. In the verification of these large integrated circuits, the number of nets that need to be monitored has been growing rapidly. Consequently, the mixed-signal design community has been feeling the need for AMS (Analog and Mixed Signal) assertions that can automatically monitor conformance with expected time-domain behavior and help in debugging deviations from the design intent. The main challenges in providing this support are (a) developing AMS assertion languages or AMS verification libraries, and (b) instrumenting existing commercial simulators to support assertion verification during simulation. In this article, we report two approaches: the first extends the Open Verification Library (OVL) to the AMS domain by integrating a new collection of AMS verification libraries; while the second extends SystemVerilog Assertions (SVA) by augmenting analog predicates into SVA. We demonstrate the use of AMS-OVL on the Cadence Virtuoso environment while emphasizing that our libraries can work in any environment that supports Verilog and Verilog-A. We also report the development of tool support for AMS-SVA using a combination of Cadence NCSIM and Synopsys VCS. We demonstrate the utility of both approaches on the verification of LP3918, an integrated power management unit (PMU) from National Semiconductors. We believe that in the absence of existing EDA (Electronic Design Automation) tools for AMS assertion verification, the proposed approaches of integrating our libraries and our tool sets with existing commercial simulators will be of considerable and immediate practical value.

Formal methods for analyzing the completeness of an assertion suite against a high-level fault model

One of the emerging challenges in formal property verification (FPV) technology is the problem of deciding whether sufficient properties have been written to cover the design intent. Existing literature on FPV coverage does not solve this problem adequately, since they primarily analyze the coverage of a specification against a given implementation. On the other hand, we consider the task of determining the coverage of a formal specification against a high-level fault model that is independent of any specific implementation. We show that such a coverage analysis discovers behavioral gaps in the specification and prompts the design architect to add more properties to close the behavioral gaps. Our results establish that the coverage analysis task at this level is computationally complex, but it is possible to obtain a conservative estimate of the coverage at low cost.

Solving constraint optimization problems from CLP-style specifications using heuristic search techniques

Presents a framework for efficiently solving logic formulations of combinatorial optimization problems using heuristic search techniques. In order to integrate cost, lower-bound and upper-bound specifications with conventional logic programming languages, we augment a constraint logic programming (CLP) language with embedded constructs for specifying the cost function and with a few higher-order predicates for specifying the lower and upper bound functions. We illustrate how this simple extension vastly enhances the ease with which optimization problems involving combinations of Min and Max can be specified in the extended language CLP* and we show that CSLDNF (Constraint SLD resolution with Negation as Failure) resolution schemes are not efficient for solving optimization problems specified in this language. Therefore, we describe how any problem specified using CLP* can be converted into an implicit AND/OR graph, and present an algorithm called GenSolve which can branch-and-bound using upper and lower bound estimates, thus exploiting the full pruning power of heuristic search techniques. A technical analysis of GenSolve is provided. We also provide experimental results comparing various control strategies for solving CLP* programs.

Multiobjective search in VLSI design

Many optimization problems in VLSI design involve multiple, conflicting and non-commensurate objectives. The multiobjective approach, which models each objective by a scalar-valued criterion and attempts to find all non-dominated solutions, is a natural and efficient alternative to the conventional practice of combining all objectives into a single optimization criterion. In this paper we illustrate the multiobjective search approach MObj By applying it on two well known problems in VLSI, namely the scheduling problem in high level synthesis and the channel routing problem in layout synthesis. The efficiency of MObj and its linear space version SMObj is demonstrated by comparing their performances with multiobjective generalizations of the single objective strategies A* and DFBB.<<ETX>>

Agreement under faulty interfaces

In this paper we study the problem of achieving Byzantine agreement among a set of processors, where the processors are computationally sound but their interfaces with the communication channels may be faulty. We consider three types of fault, namely message corruption, message loss, and spurious message generation. We present the following results for this model: (i) If all three types of faults are present then the problem is equivalent to the classical Byzantine generals problem. (ii) In the cases where only message corruption can occur, agreement becomes trivial and can be achieved in one round. (iii) If spurious message generation is ruled out, that is, when interfaces may fault only when sensitized, agreement is possible irrespective of the ratio of the number of processors having faulty interfaces with the total number of processors.

Multiobjective Heuristic Search in AND/OR Graphs

The multiobjective search model is a framework for solving multi-criteria optimization problems using heuristic search techniques. In this framework, the different non-commensurate optimization criteria are mapped into distinct dimensions of a vector valued cost structure and partial order search techniques are used to determine the set of non-inferior solutions. Multiobjective state space search has been studied and generalizations of algorithms such asA* to the multiobjective framework have been considered. In this paper we address the problem of multiobjective heuristic (best-first) search of acyclic additive AND/OR graphs. We establish two results which show that in the multiobjective framework, the task of identifying a non-dominated cost potential solution graph is NP-hard in general. This indicates that by extending popular AND/OR graph search algorithms such asAO* to the multiobjective framework we will not be able to preserve some of their desirable properties. Under such circumstances, we investigate the task of developing effective algorithms for the multiobjective problem and present a linear space AND/OR graph search algorithm calledMObj*. Upper bounds on time and space complexities of this algorithm have been presented. It has also been established that when applied to OR graphs, the proposed algorithm is superior to the algorithm proposed by Stewart and White (MultiobjectiveA*,J. Assoc. Comput. Mech.38, No. 4 (1991), 775?814) in terms of the worst case set of nodes expanded.