# Logic Synthesis and Verification

Jie-Hong Roland Jiang 江介宏

Department of Electrical Engineering National Taiwan University

Fall 2010

# Equivalence and Property Checking

Part of the following slides are courtesy of Andreas Kuehlmann.

#### Equivalence Checking in Microprocessor Design



### Equivalence Checking in ASIC Design



#### Finite State Machine Model



#### Sequential Equivalence Checking

Definition: Two FSMs  $M_1$  and  $M_2$  are functionally equivalent iff the product machine  $M_1 \times M_2$  produces a constant 0 sequence for all valid input sequences  $\{X^{(1)}, ..., X^{(t)}\}$ 



# General Approach to SEC



#### Inductive proof of equivalence:

Find a subset $R \subseteq S$ with characteristic function $r: S \rightarrow \{0,1\}$ such that:

1. $r(s^0) = 1$ (the initial state is in R)
2. $(r(s) = 1) \Rightarrow r(\Delta(x,s)) = 1$ (no R state can go to a state outside R)
3. $(r(s) = 1) \Rightarrow \Lambda(x,s) = 0$ (all R states are good states)





#### Soundness and Completeness

With a candidate state set R we can

- prove equivalence
  - that means the method is "sound"
  - we will not produce "false positives"

but not disprove equivalence

- that means the method is "incomplete"
- we may produce "false negatives"
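The three inductive conditions and the sound-but-incomplete behaviour above, as an added example that is not part of the slides. It builds a small product machine explicitly (M1 is a constructed 1-bit toggle, M2 the same behaviour in a constructed redundant 2-bit encoding), represents a candidate R as a set of product states, and reports which condition a candidate violates. The candidate sets `R_REACH`, `R_RC` and `R_WEAK` are constructed here; the names `delta`, `lam` and `inductive_check` are assumptions of this example.

```python
"""Inductive equivalence check on an explicitly enumerated product machine.

Constructed example, not from the lecture slides:
  M1: state a,      next a ^ x,            output a,  initial 0
  M2: state (b, c), next (b ^ x, c ^ x),   output c,  initial (1, 0)
Product state s = (a, b, c); product output lambda(x, s) = out1 XOR out2.
"""
from itertools import product

INPUTS = (0, 1)
S0 = (0, 1, 0)                       # initial state of the product machine


def delta(x, s):
    """Product-machine transition function Delta(x, s)."""
    a, b, c = s
    return (a ^ x, b ^ x, c ^ x)


def lam(x, s):
    """Product-machine output Lambda(x, s): 1 means the two outputs miscompare."""
    a, b, c = s
    return a ^ c


def inductive_check(r):
    """r is a candidate R given as a set of product states.

    Returns (True, None) when all three inductive conditions hold (the machines
    are then proven equivalent) and (False, reason) otherwise. A False result is
    not a proof of inequivalence: the candidate may simply be a bad invariant.
    """
    if S0 not in r:                                        # condition 1
        return False, "condition 1: initial state not in R"
    for s in r:
        for x in INPUTS:
            if delta(x, s) not in r:                       # condition 2
                return False, f"condition 2: R state {s} leaves R on x={x}"
            if lam(x, s) != 0:                             # condition 3
                return False, f"condition 3: R state {s} miscompares on x={x}"
    return True, None


# Candidate 1 (constructed): exactly the reachable product states, derived by hand.
R_REACH = {(0, 1, 0), (1, 0, 1)}
# Candidate 2 (constructed): a register-correspondence style invariant "a == c".
R_RC = {s for s in product((0, 1), repeat=3) if s[0] == s[2]}
# Candidate 3 (constructed): too small to be inductive -> false negative.
R_WEAK = {S0}

if __name__ == "__main__":
    for name, cand in (("R_REACH", R_REACH), ("R_RC", R_RC), ("R_WEAK", R_WEAK)):
        print(name, inductive_check(cand))
```

`R_WEAK` fails condition 2 although M1 and M2 are equivalent: the check cannot disprove equivalence, it can only fail to prove it, which is the "incomplete" case the slide describes.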

#### Inductive State Set Derivation

#### Reachability analysis:

- state traversal until no more states can be explored
  - forward vs. backward
  - explicit vs. implicit (symbolic)

#### Relying on the design methodology to provide R:

- equivalent state encoding in both machines
- synthesis tool provides hint for R from sequential optimization
- manual register correspondence
- automatic register correspondence

#### Combination of them

### Combinational EC

- Industrial equivalence checkers almost exclusively use a combinational EC paradigm
  - sequential EC is too complex, can only be applied to designs with a few hundred state bits
  - combinational methods scale linearly with the design size for a given fixed size and "functional complexity" of the individual cones
- Still, pure BDDs and plain SAT solvers cannot handle all cones
  - BDDs can be built for about 80% of the cones of high-speed designs
  - less for complex ASICs
  - plain SAT blows up on a "miter" structure
- Contemporary methods heavily exploit the structural similarity of the designs to be compared

#### Combinational EC

Basic methods:

- random simulation, good for finding mis-compares
- BDD-based with modifications
- structural SAT-based with modifications



#### Combinational EC

Memory statistics of BDD-based EC on a PowerPC processor design



## Combinational EC

Runtime statistics of BDD-based EC on a PowerPC processor design



#### Combinational EC



#### Structure and Verification

- Structure-independent techniques
  - Exhaustive simulation
  - Decision diagrams
- Structure-dependent techniques
  - Graph hashing
  - SAT based cutpoint identification



# Constrained EC

#### Input constraints:

- Non-occurring input values (don't cares)
- Unreachable states
- Candidate for R



### Cutpoint-Based EC



#### Cutpoint-Based EC

#### False negatives

Outputs may miscompare for invalid cutpoint values



#### What can we do about false negatives:

- constrain input space to  $c = (v \equiv y+z)$
- if v in SUPPORT(out), then out = compose(out, v,  $f_v$ )
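A false negative of cutpoint-based EC and both remedies listed above, as an added example that is not part of the slides. Two constructed implementations share an internal net $v$ that has been proven equivalent and is therefore replaced by a free cutpoint variable; the slide's "y+z" is read as Boolean OR here. The functions `out_a`, `out_b`, `f_v`, `miscompares` and `compose` are assumptions of this example.

```python
"""Cutpoint-based combinational EC: false negative, constraint c, and compose.

Constructed example. Design A computes its output through the cut net v,
design B computes the same function without using v:
    f_v(y, z) = y OR z                      (the net that became cutpoint v)
    out_a     = v AND NOT (y AND z)         (== y XOR z whenever v = y OR z)
    out_b     = y XOR z
"""
from itertools import product


def f_v(y, z):
    """Driving function of the cutpoint net in both designs ("y+z" on the slide)."""
    return y | z


def out_a(v, y, z):
    return v & (1 - (y & z))


def out_b(v, y, z):
    return y ^ z


def miscompares(constraint=None):
    """Valuations (v, y, z) on which the two output cones differ.

    With v free, unrealizable cutpoint values are included and may miscompare.
    An optional constraint c(v, y, z) restricts the input space.
    """
    return [(v, y, z) for v, y, z in product((0, 1), repeat=3)
            if (constraint is None or constraint(v, y, z))
            and out_a(v, y, z) != out_b(v, y, z)]


def cutpoint_constraint(v, y, z):
    """Remedy 1: c = (v == y+z), i.e. only realizable cutpoint values."""
    return v == f_v(y, z)


def compose(out, y, z):
    """Remedy 2: out = compose(out, v, f_v), substituting f_v back for v."""
    return out(f_v(y, z), y, z)


def miscompares_after_compose():
    return [(y, z) for y, z in product((0, 1), repeat=2)
            if compose(out_a, y, z) != compose(out_b, y, z)]


if __name__ == "__main__":
    print("free cutpoint:", miscompares())
    print("with constraint c:", miscompares(cutpoint_constraint))
    print("after compose:", miscompares_after_compose())
```

Every miscompare found with the free cutpoint assigns `v` a value that `f_v` can never produce for that `(y, z)`, which is exactly the false negative; constraining the space with `c` or composing `f_v` back in removes all of them.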

#### Cutpoint-Based EC




- If the combinational verification paradigm fails (e.g. we have no name matching)
- Two options:
  - Run full sequential verification based on state traversal
    - Very expensive but most general
  - Try to match registers automatically
    - Structural register correspondence
    - Functional register correspondence

### Register Correspondence

- Find registers in product machine that implement identical or complemented function
  - These are matching registers in the two FSMs under comparison
  - BUT: might be more, we may have redundant registers
- Definition: A register correspondence  $RC \subseteq \underline{s} \times \underline{s}$  is an equivalence relation on the set of registers  $\underline{s}$ 
  - Can be extended to also include complemented functions
  - A register correspondence can be used as a candidate for R:

$$r(s) = \prod_{\forall (s^i, s^j) \in RC} (s^i \equiv s^j) \qquad RC \subseteq \underline{s} \times \underline{s}$$

#### Register Correspondence

```
Algorithm REGISTER_CORRESPONDENCE {
  RC' = {(s^i, s^j) | s^i_0 = s^j_0}          // start with registers with identical initial values
  do {
    RC = RC'
    r(s) = Π_{(s^i, s^j) ∈ RC} (s^i ≡ s^j)
    RC' = {(s^i, s^j) | (s^i, s^j) ∈ RC ∧ ∀(x, s): r(s) ⇒ δ^i(x, s) = δ^j(x, s)}
                                               // δ^i is the transition function of s^i
  } while (RC' ≠ RC)
  return RC
}
```

#### In essence

- The algorithm starts with an initial partitioning with two equivalence classes, one for each initial value
- The algorithm computes iteratively the next state function, assuming that the RC is correct
  - if yes, a fixed point is reached and RC is returned
  - if no, split equivalence classes along the mis-compares
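The REGISTER_CORRESPONDENCE fixed-point iteration over an explicitly enumerated valuation space, as an added example that is not part of the slides. Four constructed registers with next-state functions $\delta^i(x,s)$ all start at 0, so the initial partition is a single class; the iteration then splits it along mis-compares until only the genuinely corresponding pair remains. The register names, `DELTA`, `refine` and `rc_pairs` are assumptions of this example.

```python
"""REGISTER_CORRESPONDENCE by explicit enumeration (constructed example).

Registers s1..s4 of a product machine, all with initial value 0:
    s1' = x          s2' = s1          s3' = x          s4' = x AND s3
s1 and s3 implement the same function; s2 and s4 do not match anything.
"""
from itertools import product

INIT = {"s1": 0, "s2": 0, "s3": 0, "s4": 0}
DELTA = {
    "s1": lambda x, s: x,
    "s2": lambda x, s: s["s1"],
    "s3": lambda x, s: x,
    "s4": lambda x, s: x & s["s3"],
}
REGS = list(DELTA)


def valuations():
    """All (x, s) valuations; s maps register name -> bit."""
    for x in (0, 1):
        for bits in product((0, 1), repeat=len(REGS)):
            yield x, dict(zip(REGS, bits))


def r_holds(classes, s):
    """r(s) = product over (si, sj) in RC of (si == sj): every class is constant in s."""
    return all(len({s[reg] for reg in cls}) == 1 for cls in classes)


def refine(classes):
    """One iteration: si ~ sj survives only if delta_i == delta_j on every valuation with r(s) = 1.

    Comparing the restricted truth vectors groups each class into its mis-compare-free parts.
    """
    sigs = {reg: tuple(DELTA[reg](x, s) for x, s in valuations() if r_holds(classes, s))
            for reg in REGS}
    new = set()
    for cls in classes:
        groups = {}
        for reg in cls:
            groups.setdefault(sigs[reg], []).append(reg)
        new.update(frozenset(g) for g in groups.values())
    return new


def register_correspondence():
    """Returns the equivalence classes of RC at the fixed point."""
    groups = {}
    for reg in REGS:                        # initial classes: identical initial values
        groups.setdefault(INIT[reg], []).append(reg)
    classes = {frozenset(g) for g in groups.values()}
    while True:
        new = refine(classes)
        if new == classes:                  # RC' == RC: fixed point
            return classes
        classes = new


def rc_pairs(classes):
    """RC as a set of (si, sj) pairs, one orientation per pair."""
    return {(a, b) for cls in classes for a in cls for b in cls if a < b}


if __name__ == "__main__":
    print(sorted(sorted(c) for c in register_correspondence()))
```

In the first iteration all four registers are assumed equal, so `s2' = s1` and `s4' = x AND s3` mis-compare against `x` for some valuations and are split off; in the second iteration `s1` and `s3` still agree under the weaker `r(s)`, so the fixed point is reached.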

### Register Correspondence



# Register Correspondence

#### Potential problems:

- In case of mis-comparing designs
  - Effect of a mis-compared cone may ripple through the entire algorithm and split all equivalence classes until they contain only single registers
  - Difficult to debug since there is no hint of the error location

Solution:

- Relax equivalence criteria
  - E.g. structural register correspondence algorithm based on support set of registers
- Combine with name mapping, functional/structural criteria

#### Sequential EC

In case the combinational EC model fails:

- Use generalized register correspondence to also consider retiming
  - In essence, use all internal nets as candidates for possible matches

Worst case: general sequential verification

- Prove that the output of the product machine is not satisfiable (sequentially)
- Special case of general property checking

- State traversal
  - Forward
    - Start from initial state(s)
    - Traverse forward to check whether "bad" state(s) are reachable
  - Backward
    - Start from bad state(s)
    - Traverse backward to check whether initial state(s) can reach them
  - Hybrid
    - Compute an over-approximation of the reachable states by forward traversal
    - For all bad states in the over-approximation, start backward traversal to see whether an initial state can reach them



### Sequential EC

#### Transition relation

$$t(s,s') = \begin{cases} 1 & \text{if there is a transition from } s \text{ to } s' \\ 0 & \text{otherwise} \end{cases}$$

$$t(s,s') = \exists x.(s' \equiv \delta(x,s))$$

#### Example

| x | s | $\delta(x,s)$ | $s'$ | $s' \equiv \delta(x,s)$ | $t(s,s') = \exists x.(s' \equiv \delta(x,s))$ |
|---|---|---------------|------|-------------------------|-----------------------------------------------|
| 0 | 0 | 1             | 0    | 0                       | 0                                             |
| 1 | 0 | 1             | 0    | 0                       | 0                                             |
| 0 | 1 | 0             | 0    | 1                       | 1                                             |
| 1 | 1 | 1             | 0    | 0                       | 1                                             |
| 0 | 0 | 1             | 1    | 1                       | 1                                             |
| 1 | 0 | 1             | 1    | 1                       | 1                                             |
| 0 | 1 | 0             | 1    | 0                       | 1                                             |
| 1 | 1 | 1             | 1    | 1                       | 1                                             |

#### Image and pre-image of states

Image of a set of states r(s):

$$IMG(t,r) = \exists s.(r(s) \land t(s,s'))$$

Pre-image of a set of states r(s):

$$PREIMG(t, r) = \exists s'.(r(s') \land t(s, s'))$$





Example (image computation):

|                          | Formula                                                                                                                                                  | Set                              |
|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
| $r(s)$                   | $(s \equiv 0) \lor (s \equiv 1)$                                                                                                                         | $\{0, 1\}$                       |
| $t(s,s')$                | $(s \equiv 0) \land (s' \equiv 2) \lor (s \equiv 0) \land (s' \equiv 3) \lor (s \equiv 1) \land (s' \equiv 3) \lor (s \equiv 2) \land (s' \equiv 4)$ | $\{(0,2), (0,3), (1,3), (2,4)\}$ |
| $r \land t$              | $(s \equiv 0) \land (s' \equiv 2) \lor (s \equiv 0) \land (s' \equiv 3) \lor (s \equiv 1) \land (s' \equiv 3)$                                          | $\{(0,2), (0,3), (1,3)\}$        |
| $\exists s.(r \land t)$  | $(s' \equiv 2) \lor (s' \equiv 3)$                                                                                                                       | $\{2, 3\}$                       |

### Sequential EC

Forward state traversal

```
Algorithm TRAVERSE_FORWARD(t, λ, S0) {
  reached = ∅
  current = S0                              // start from init
  while (reached ≠ (reached ∨ current)) {   // fixed point
    reached = reached ∨ current             // add new states
    next = IMG(t, current)                  // one step transition
    current = next                          // rename variable s' -> s
  }
  return ∃x.(λ(x,s) ∧ reached)
}
```

Example

| Iteration: | 1     | 2       | 3         |
|------------|-------|---------|-----------|
| Reached:   | {0}   | {0,1,2} | {0,1,2,3} |
| Current:   | {0}   | {1,2}   | {1,2,3}   |
| Next:      | {1,2} | {1,2,3} | {0,1,2,3} |

Backward state traversal

```
Algorithm TRAVERSE_BACKWARD(t, λ, S0) {
  reached = ∅
  current = ∃x.(λ(x,s) = 1)                 // start from bad
  while (reached ≠ (reached ∨ current)) {   // fixed point
    reached = reached ∨ current             // add new states
    previous = PRE_IMG(t, current)          // one step transition
    current = previous                      // rename variable s -> s'
  }
  return (S0 ∧ reached)
}
```

Example



| Iteration: | 1   | 2     | 3       |
|------------|-----|-------|---------|
| Reached:   | {6} | {4,6} | {4,5,6} |
| Current:   | {6} | {4}   | {4,5}   |
| Previous:  | {4} | {4,5} | {4,5,6} |


#### Sequential EC

- Explicit reachability analysis
  - Represent states explicitly (e.g. as bit strings) => limited capacity
  - Use a hashtable to find quickly whether a state was reached before
  - Image operation: simple simulation
  - Preimage operation: SAT run
- Symbolic reachability analysis
  - Represent states and transition relation symbolically
    - E.g. BDDs, circuits, DNF, etc.
  - Use BDD operations to perform image and preimage operations (simple AND or AND\_EXIST)
  - Lots of heuristic improvements to keep BDD size under control

Let R(s) be the characteristic function of the set of reachable states of the product FSM M<sub>1×2</sub> obtained from forward reachability analysis. Then FSMs M<sub>1</sub> and M<sub>2</sub> are equivalent if and only if

 $\lambda_{1\times 2}(x,s)\,\wedge\,R(s)$ 

is constant 0 for all valuations on input variables x and state variables s

For BDDs this can be checked in constant time (test whether the result is the constant-0 node).
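The transition relation $t(s,s') = \exists x.(s' \equiv \delta(x,s))$, the IMG/PREIMG operators, the forward and backward traversal algorithms, and the final test that $\lambda \wedge R$ is constant 0, as one added example that is not part of the slides. It is explicit reachability analysis: sets of states stand in for characteristic functions and the relation is a set of pairs. The small $\delta$ is the one from the transition-relation table above; the 7-state graph `T_GRAPH` is constructed so that its iterations reproduce the two traversal tables, and `BAD` plays the role of $\exists x.\lambda(x,s)$. All function and constant names are assumptions of this example.

```python
"""Explicit transition relation, image/pre-image and state traversal (constructed example)."""


def transition_relation(delta, states, inputs):
    """t(s, s') = EXISTS x. (s' == delta(x, s)), returned as a set of (s, s') pairs."""
    return frozenset((s, delta(x, s)) for s in states for x in inputs)


def img(t, r):
    """IMG(t, r) = EXISTS s. (r(s) AND t(s, s')): successors of the set r."""
    return frozenset(s2 for s1, s2 in t if s1 in r)


def preimg(t, r):
    """PREIMG(t, r) = EXISTS s'. (r(s') AND t(s, s')): predecessors of the set r."""
    return frozenset(s1 for s1, s2 in t if s2 in r)


def traverse_forward(t, bad, s0):
    """TRAVERSE_FORWARD: returns (bad state reachable?, reached set, per-iteration rows)."""
    reached, current = frozenset(), frozenset(s0)       # start from init
    rows = []
    while reached != reached | current:                 # fixed point
        reached = reached | current                     # add new states
        nxt = img(t, current)                           # one step transition
        rows.append((reached, current, nxt))            # (Reached, Current, Next)
        current = nxt                                   # rename s' -> s
    # EXISTS x. (lambda(x, s) AND reached) is non-zero iff some reached state is bad
    return bool(reached & frozenset(bad)), reached, rows


def traverse_backward(t, bad, s0):
    """TRAVERSE_BACKWARD: returns (initial state can reach bad?, reached set, rows)."""
    reached, current = frozenset(), frozenset(bad)      # start from bad
    rows = []
    while reached != reached | current:                 # fixed point
        reached = reached | current                     # add new states
        prev = preimg(t, current)                       # one step transition
        rows.append((reached, current, prev))           # (Reached, Current, Previous)
        current = prev                                  # rename s -> s'
    return bool(frozenset(s0) & reached), reached, rows


# delta(x, s) from the slide's transition-relation table
DELTA_SLIDE = {(0, 0): 1, (1, 0): 1, (0, 1): 0, (1, 1): 1}
T_SLIDE = transition_relation(lambda x, s: DELTA_SLIDE[(x, s)], (0, 1), (0, 1))

# t(s, s') from the slide's image-computation example
T_IMG = frozenset({(0, 2), (0, 3), (1, 3), (2, 4)})

# Constructed 7-state graph: states 0..3 form the forward-traversal example,
# states 4..6 the backward-traversal example (bad state 6, initial state 0).
T_GRAPH = frozenset({(0, 1), (0, 2), (1, 2), (1, 3), (2, 1), (3, 0),
                     (4, 6), (4, 4), (5, 4), (6, 5)})
BAD = {6}
INIT = {0}


def forward_rows():
    return traverse_forward(T_GRAPH, BAD, INIT)[2]


def backward_rows():
    return traverse_backward(T_GRAPH, BAD, INIT)[2]


if __name__ == "__main__":
    print("t from delta:", sorted(T_SLIDE))
    print("IMG example:", sorted(img(T_IMG, {0, 1})))
    for row in forward_rows():
        print("forward ", [sorted(x) for x in row])
    for row in backward_rows():
        print("backward", [sorted(x) for x in row])
```

Both traversals answer the same question from opposite ends: forward reachability never meets state 6, and backward reachability from 6 never meets the initial state 0, so the "bad" output is unreachable and the product machine's $\lambda \wedge R$ is constant 0.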

#### Sequential EC

Example

To check: The equivalence of M<sub>1</sub> and M<sub>2</sub>









Example (cont'd)

Construct product FSM of M<sub>1</sub> and M<sub>2</sub>




#### Sequential EC



#### Example (cont'd)

Backward reachability analysis based on pre-image computation  $PreImg(C,T) = [\exists \vec{x}, \vec{s}'.\, T(\vec{x}, \vec{s}, \vec{s}') \land C(\vec{s}')]_{\vec{s} \leftarrow \vec{s}'}$ 



# Sequential EC

Alternative approach beyond reachability analysis

- Based on state equivalence
  - Two FSMs are equivalent if and only if their initial states are equivalent
    - Two states of an FSM are equivalent if, starting from these two states, the FSM behaves indistinguishably
- An explicit algorithm (based on state transition graph enumeration) is known
  - Used in state minimization, where equivalent states must be identified
- How about an implicit algorithm (based on Boolean manipulation)?

# State partitioning based sequential EC

Construct a multiplexed FSM (disjoint union of the state graphs)

#### Example




### Sequential EC

- State partitioning over the multiplexed FSM
  - Using BDD-based functional decomposition
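The explicit state-equivalence algorithm over a multiplexed FSM, as an added example that is not part of the slides (the slides' own approach is the BDD-based functional decomposition; this is the enumerative version it replaces). Two Mealy machines are joined into their disjoint union, the state set is partitioned first by output behaviour and then refined until no block is split by a transition, and the machines are equivalent iff their initial states end up in the same block. The machines `M1`, `M2`, `M3` and the functions `multiplex`, `state_partition` and `equivalent` are constructed assumptions of this example.

```python
"""State partitioning (explicit partition refinement) on a multiplexed FSM.

Constructed example. A Mealy FSM is a dict: state -> {x: (next_state, output)}.
State names must be unique across the machines that are multiplexed.
"""

INPUTS = (0, 1)

# M1: output is the current state bit, x=1 toggles the state.
M1 = {"a0": {0: ("a0", 0), 1: ("a1", 0)},
      "a1": {0: ("a1", 1), 1: ("a0", 1)}}
# M2: same behaviour with a redundant state b2 (a copy of b1).
M2 = {"b0": {0: ("b0", 0), 1: ("b1", 0)},
      "b1": {0: ("b2", 1), 1: ("b0", 1)},
      "b2": {0: ("b2", 1), 1: ("b0", 1)}}
# M3: differs from M1 because c1 never returns to c0.
M3 = {"c0": {0: ("c0", 0), 1: ("c1", 0)},
      "c1": {0: ("c1", 1), 1: ("c1", 1)}}


def multiplex(*fsms):
    """Disjoint union of the state graphs."""
    merged = {}
    for m in fsms:
        merged.update(m)
    return merged


def state_partition(fsm):
    """Partition refinement; returns state -> block id.

    Initial blocks group states with identical output functions; each round
    splits a block whose members reach different blocks under some input.
    The new partition always refines the old one, so an unchanged block count
    means a fixed point.
    """
    block = {s: tuple(fsm[s][x][1] for x in INPUTS) for s in fsm}
    while True:
        sig = {s: (block[s],) + tuple(block[fsm[s][x][0]] for x in INPUTS) for s in fsm}
        ids = {}
        new = {s: ids.setdefault(sig[s], len(ids)) for s in fsm}
        if len(ids) == len(set(block.values())):
            return new
        block = new


def equivalent(m1, init1, m2, init2):
    """Two FSMs are equivalent iff their initial states are equivalent states."""
    blocks = state_partition(multiplex(m1, m2))
    return blocks[init1] == blocks[init2]


if __name__ == "__main__":
    print("M1 ~ M2:", equivalent(M1, "a0", M2, "b0"))
    print("M1 ~ M3:", equivalent(M1, "a0", M3, "c0"))
    print("blocks of M2:", state_partition(M2))
```

Run on a single machine the same partition identifies the equivalent states that state minimization would merge (`b1` and `b2` in `M2`).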

Example (cont'd)





#### Sequential EC

Example (cont'd): State partitioning







Connection between reachability based SEC and state partitioning based SEC

Backward reachability analysis can be considered as state partitioning in the product state space

#### Sequential EC

#### Summary

- Industrial EC checkers almost exclusively use a combinational EC paradigm, even for sequential EC
  - Sequential EC is too complex and can only be applied to designs with a few hundred state bits
  - Structural similarity should be identified to simplify sequential EC
- Besides sequential equivalence checking, reachability analysis is useful in sequential circuit optimization
  - Recall from sequential optimization that unreachable states can be used as sequential don't cares to optimize a sequential circuit

# Model Checking

#### A model checking problem is defined by



#### Model Checking

- M |= φ
  - Check if system model M satisfies a system property φ
  - System model M is described with a state transition system
    - finite state or infinite state
  - Temporal property φ can be described with three orthogonal choices:
    1. operational vs. declarative: automata vs. logic
    2. may vs. must: branching vs. linear time
    3. prohibiting bad vs. desiring good behavior: safety vs. liveness

Different choices lead to different model checking problems.

# Property Checking

#### Assertion-based verification

- Properties are expressed as RTL annotations in terms of assertions ("This statement must hold true")
- E.g. AG(x=y) "For all paths from the initial state and all successor states x=y"

Expressiveness

- Formal verification methods:
  - Exhaustive, do not require simulation vectors

#### Main methods:

- Theorem proving
- Model Checking
  - Liveness property checking
  - Safety property checking
- Refinement checking
- Equivalence checking
- Bounded property checking




#### Property Checking

- Safety property: Something "bad" will never happen
  - Safety property violation always has a finite witness
    - if something bad happens on an infinite run, then it happens already on some finite prefix
  - Example
    - Two processes cannot be in their critical sections simultaneously

- Liveness property: Something "good" will eventually happen
  - Liveness property violation never has a finite witness
    - no matter what happens along a finite run, something good could still happen later
  - Example
    - Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually

For finite state systems, liveness can be converted to safety!

# Safety Property Checking

- Safety property checking can be formulated as a reachability problem
  - Are bad states reachable from good states?
- Sequential equivalence checking can be considered as one kind of safety property checking
  - M: product machine
  - φ: all states reachable from the initial states have output 0

### Safety Property Checking

**Concept**:

- Counter example has finite length
- Specification in terms of "bad behavior" that should not happen
- E.g. specify a state with a bad property or a bad output condition
- Handles 95% of practical properties

#### Basic approach:

- Express property as formula on state and inputs
- Single reachability analysis sufficient to decide about correctness



Property:

AG(¬overflow)

"The history buffer never overflows"

- Bad state (overflow)
- Good state (no overflow)

# Liveness Property Checking

#### Concept:

- Counter example has infinite length
- Specification in terms of "good behavior" that should always happen
- E.g. AG(req=>AF ack)

#### Basic approach:

Nested reachability analysis according to formula



Property: AG(req ⇒ AF ack) "A request from M1 will always be acknowledged by M2"
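The nested reachability analysis for AG(req ⇒ AF ack), and the single reachability analysis behind a safety property, as an added example that is not part of the slides. It evaluates the CTL operators as explicit set fixpoints on a constructed abstraction of M1 and M2 (states `idle`, `req`, `ack`): AF is a least fixpoint over "all successors", EF a least fixpoint over "some successor", and AG the complement of EF of the negation. The two transition systems `FAIR` and `UNFAIR` and the function names are assumptions of this example.

```python
"""Nested fixpoint evaluation of AG(req => AF ack) on an explicit Kripke structure.

Constructed example. A system is a dict state -> set of successor states
(every state has at least one successor), plus the sets of states labelled
req and ack.
"""

# M2 always acknowledges a request in the next step.
FAIR = {"idle": {"idle", "req"}, "req": {"ack"}, "ack": {"idle"}}
# M2 may keep delaying the acknowledgement forever.
UNFAIR = {"idle": {"idle", "req"}, "req": {"req", "ack"}, "ack": {"idle"}}
REQ, ACK, INIT = {"req"}, {"ack"}, {"idle"}


def ex(trans, z):
    """EX Z: states with some successor in Z (one pre-image step)."""
    return {s for s, succ in trans.items() if succ & z}


def ax(trans, z):
    """AX Z: states all of whose successors are in Z."""
    return {s for s, succ in trans.items() if succ <= z}


def lfp(step, z):
    """Least fixpoint of Z = step(Z) starting from z (monotone, finite state)."""
    while True:
        nz = z | step(z)
        if nz == z:
            return z
        z = nz


def ef(trans, p):
    """EF p: backward reachability from p, the safety-property check."""
    return lfp(lambda z: ex(trans, z), set(p))


def af(trans, p):
    """AF p: least fixpoint Z = p OR AX Z."""
    return lfp(lambda z: ax(trans, z), set(p))


def ag(trans, p):
    """AG p = NOT EF(NOT p)."""
    return set(trans) - ef(trans, set(trans) - p)


def holds_req_ack(trans, init=INIT, req=REQ, ack=ACK):
    """M |= AG(req => AF ack): the inner AF is computed first, then the outer AG."""
    implication = (set(trans) - req) | af(trans, ack)
    return init <= ag(trans, implication)


if __name__ == "__main__":
    print("FAIR  :", holds_req_ack(FAIR))
    print("UNFAIR:", holds_req_ack(UNFAIR))
```

In `UNFAIR` the state `req` is not in AF ack because of the `req -> req` self-loop, and since `req` is reachable from `idle`, AG fails; the counterexample is the infinite path idle, req, req, ..., which is exactly the "no finite witness" situation of a liveness violation.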

#### Model Checking



#### Bounded Model Checking



#### Bounded Model Checking

#### Notation

- Variables for current and next state: s, s'
- Predicate for transition relation: t(s,s')
  - t(s,s') = 1 iff there is a transition from s to s'
- Predicate for initial states: i(s)
  - i(s) = 1 iff s is an initial state
- Predicate for property: p(s)
  - p(s) = 1 iff s satisfies property p

Predicate for all paths of length k:

$$t^{k}(s_{0}, s_{k}) = \prod_{0 \le i < k} t(s_{i}, s_{i+1})$$

$t^{k}(s_{0}, s_{k}) = 1$ iff there is a transition path of length $k$ from $s_{0}$ to $s_{k}$

#### Bounded Model Checking

BMC for length k: $BMC_k = i(s_0) \wedge t^k(s_0, s_k) \wedge \neg p(s_k)$



#### Bounded Model Checking



Comments:

- Any SAT technique can be used for checking frames
- Combination with random simulation, parallel runs etc.
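The unrolled formula $BMC_k = i(s_0) \wedge t^k(s_0,s_k) \wedge \neg p(s_k)$ evaluated frame by frame, as an added example that is not part of the slides. Instead of handing the unrolling to a SAT solver it enumerates candidate paths of length k explicitly, so the three conjuncts are visible as code; the system is a constructed 2-bit counter whose state 3 plays the "overflow" bad state of AG(¬overflow). The names `delta`, `i`, `p`, `t`, `bmc` and `first_counterexample` are assumptions of this example.

```python
"""Bounded model checking by explicit enumeration of length-k paths (constructed example).

System: 2-bit counter, state s in {0,1,2,3}, input x in {0,1}, s' = (s + x) mod 4.
Initial state 0; property p(s): the counter never sits in the overflow state 3.
"""
from itertools import product

INPUTS = (0, 1)
STATES = range(4)


def delta(x, s):
    return (s + x) % 4


def i(s):
    """i(s) = 1 iff s is an initial state."""
    return s == 0


def p(s):
    """p(s) = 1 iff s satisfies the property (no overflow)."""
    return s != 3


def t(s, s2):
    """t(s, s') = 1 iff there is a transition from s to s' (EXISTS x. s' == delta(x, s))."""
    return any(delta(x, s) == s2 for x in INPUTS)


def t_k(path):
    """t^k(s_0, s_k) = product over 0 <= j < k of t(s_j, s_{j+1}) along a concrete path."""
    return all(t(path[j], path[j + 1]) for j in range(len(path) - 1))


def bmc(k):
    """BMC_k: return a satisfying path s_0..s_k, or None if BMC_k is unsatisfiable."""
    for path in product(STATES, repeat=k + 1):
        if i(path[0]) and t_k(path) and not p(path[k]):
            return list(path)
    return None


def first_counterexample(max_k):
    """Increase the frame length until BMC_k is satisfiable; None if no frame up to max_k is."""
    for k in range(max_k + 1):
        cex = bmc(k)
        if cex is not None:
            return k, cex
    return None


if __name__ == "__main__":
    for k in range(5):
        print(f"BMC_{k}:", bmc(k))
    print("shortest counterexample:", first_counterexample(10))
```

Frames 0 to 2 are unsatisfiable because the counter cannot reach 3 in fewer than three steps; frame 3 is satisfiable and the path returned is the finite witness of the safety violation.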


# Unbounded Model Checking



#### Model Checking

Summary

- Temporal logic is a variation of mathematical logic and is concerned with temporal reasoning
  - Developed since the 1970's
- Model checking is concerned with algorithmic verification of temporal properties
  - Developed since 1980's
  - Hardware model checking techniques are being applied in the software domain
- Reference
  - K. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993
  - M. Clarke, O. Grumberg, and D. Peled. *Model Checking*. MIT Press, 1999