

## Formal background and algorithms

**Other Conference Item** 

Author(s): Biere, Armin

Publication date: 2001

Permanent link: https://doi.org/10.3929/ethz-a-004239730

Rights / license: In Copyright - Non-Commercial Use Permitted

#### Formal Methods

- Goal: complete coverage
- Ist Step: precise semantics
- 2nd Step: property languages
- Tool: rigorous mathematical reasoning

### Complete Coverage

- execute all possible behavior
- simulate all possible input vectors
- check abstract properties



### Complete Coverage

- execute all possible behavior
- simulate all possible input vectors
- check abstract properties



#### **Precise Semantics**



## Mathematical Representation of Combinational Circuits

- structural representation net lists, equations, signed-and-graphs propositional formulae, CNF terms (first order), lambda-calculus (higher order)
- semantic representation
  karnaugh maps, function tables
  decision diagrams (BDD, BMD, ADD, ...)
  term rewriting systems (no other canonical)

Equivalence Checking of Combinational Circuits



 $\forall a,b,c. \quad f(a,b,c) = g(a,b,c)$ 





#### **Structural Properties**



 $\forall n, a, b, s, c.$  RTL $(n, a, b, 0, s, c) \implies a + b = s + (c << n)$ 

#### **Reasoning Techniques about Circuits**



## Automation versus Interaction

Push-Button Tools with YE\$/NO Answer Inspection of (spurious) Counterexamples Abstraction, Environment Constraints Invariant/Lemma Generation Compositional Reasoning Tactical Proof-Construction Proof-Checking Tools



## Model Checking

- State Space Exploration
- Breadth First Search (BFS)
- Depth First Search (DFS)



- Look for Traces as well Start
- Find States with certain Properties
- Find Loop on which certain Properties hold
- Specify Properties with Temporal Logic

## Typical Properties (Safety)

 No Bus Contention (drivers never access the bus simoultaneously)



- Some vector is a one-hot-encoding
- No grant without a previous request
- Generally: Verilog \$assert() does not fail

Search for violating states starting from the initial states (after reset) Typical Properties (Liveness)

- requests will finally be granted
- no deadlocks or livelocks
- For instance:

root assignment in FireWire<sup>TM</sup> terminates

Search for unsuccessful looping traces starting from the initial states (after reset)



## Temporal Logic

- LTL, CTL, μ-calculus
  - Mathematical language for describing sequential properties
  - Formulation of complex properties require skill
- Templates
  - Verilog extensions
  - Open Verification Library (OVL)
  - Look at templates, learn from others, change parts (if you are not a mathematician)

#### LTL

- Linear Temporal Logic fixes one execution trace, relates properties along this traces
- Safety: Gexclusive (globally)
- Liveness: **F** *initialized* (finally)
- Nesting:  $\mathbf{G}$  (request  $\rightarrow$  **F** grant)
- easy to comprehend, compositional (but harder to check)





|A| defined as number of flip-flops of Block A||A|| defined as number of states of Block A

|Design| = |A| + |B| + |C| + |D|

 $||\text{Design}|| = ||A|| \cdot ||B|| \cdot ||C|| \cdot ||D||$ 

#### State Explosion Problem Example

| 8 bit register                   | accumulator |
|----------------------------------|-------------|
| 8 bit register<br>8 bit register | control     |
| 8 bit register                   | Р           |

8 bit processor4 registers, 8 bit wide16 bit accumulator, control

$$|\mathbf{P}|| \approx 2^8 \cdot 2^8 \cdot 2^8 \cdot 2^8 \cdot 2^{16} \cdot 2^{16} = 2^{4 \cdot 8 + 2 \cdot 16} = 2^{64}$$

State space grows exponentially with the number of flip-flops

## **Explicit Model Checking**

- Traverse state space in DFS (because the search stack needs less space)
- Save reached states explicitly in hash table
- Size of hash table ||model|| · |model|
- Limit: several millions of states (= ||model||)
- Typical Application: interacting state machines

Small Designs with small number of flip-flops (<80) and small number of primary inputs (<20)

Otherwise usually the fastest model checking technology

### Partial Order Reduction

- Factor out independent state transitions! (typical for asynchronous communication as in Software- and Protocol-Checking)
- May result in exponential reduction in the number of states



## **Explicit Model Checking**

- Invented by [Clarke,Emerson]
- Academic Tools:
  - SPIN [Holzmann]
    - C like input language (PROMELA) partial order reduction, large user base, applicable to protocol & software validation
  - Murphi [Dill]

hardware oriented input language symmetry reduction, smaller user base

## Symbolic Model Checking

- Explicit Model Checking: number of states limited (< 10<sup>10</sup>)
- Symbolic Representation of States: potentially many more states (> 10<sup>20</sup>)
- However: Complexity Theory tells us that model checking is PSPACE hard in the number of state bits (flip-flops), so probably exponential!
- In Practice: works for hundreds of state-bits

## Symbolic Model Checking

- Set of States instead of Single States
- Represent Set of States with their Characteristic Functions
- Usually Boolean Encoding leads to Boolean Characteristic Functions
- Set Operations as Boolean Operations
- Efficient Data Structure for Boolean Functions: Binary Decision Diagrams (BDDs)

### Set of States instead of Single States



Breadth First Search (BFS)

### **Characteristic Functions for Sets**



### Symbolic Operations on Set of States



## **Binary Decision Diagrams**

- Fixed global variable order
- Reduced Ordered BDDs by [Bryant]
- Canonical data structure for boolean functions
- Efficient (linear) boolean operations
- Good variable orders are necessary ...
- but often do not exist (e.g. multipliers)

## **Binary Decision Diagrams**



## BDD Reduction: Merge Equivalent Nodes



one level deep look-ahead

## **BDD** Reduction: Eliminate Redundant Nodes



one level deep look-ahead

## Recursive Step for Conjunction of BDDs



#### Generic BDD Operation Apply



## Variable Order for Comparison of Vectors



## Variable Ordering in Practice

- Static Heuristics
  - Use Circuit Structure (e.g. DFS occurrence)
  - Model Checking usually does not benefit
- Dynamic Reordering [Rudell]
  - Inplace Swapping of variable levels
  - Necessary (no success without reordering)
  - Very Expensive (often dominates runtimes)
  - Fails (sometimes good orders do not exists)

### **Bounded Model Checking**

- Invented by [Biere,Cimatti,Clarke,Zhu]
- No Calculation of Images
- Symbolic Unrolling of Transition Relation
- Incomplete in Practice:
  Can not show absence of a bug in general
- SAT procedures for detecting reachability of a bug in a fixed number of time steps
- No Variable Ordering Problem: much larger designs (thousands of state bits)



## Capacity of Algorithms for Checking Sequential Properties

# typical number of state bits (flip-flops)

| Explicit MC       | 30-100   | complete     |
|-------------------|----------|--------------|
| Symbolic MC (BDD) | 100-500  |              |
| Bounded MC (SAT)  | 200-2000 | incomplete   |
| Simulation        | > 10000  | > incomplete |

(primary inputs counted as state bits)

## Recipe for Applying Formal Methods

- Theorem Proving for checking algorithms
- Equivalence Checking for refinements
- Model Checking:
  - Check protocols and complex interacting state machines in high-level design
  - Check sequential properties on RTL-level
    - Simulation
    - Explicit Model Checking
    - Bounded Model Checking
    - BDD based Model Checking

## **Commercial Model Checkers**

- 0-in
- Avanti
- Averant
- Cadence

- Innologic
- Real Intent
- Synopsys
- Verplex