Formal Verification in Industrial Setting

Reasoning about Embedded System Correctness

Embedded Systems Everywhere

Hall of Shame: Polar Lander (logic error), Rover (2004; file-system error), Therac-25 (radiation error); other pictured examples: Entertainment, Alice, Airbus.

Control systems, hardware and software, with many sensors, signal & data processing algorithms, and communications over networks. Rigorous verification and validation is indispensable.

Generic structure of an Embedded System today
[Figure: processor, coprocessors, ASIC, memory, controllers and interface; software (application programs); analog/digital converters between the analog inputs/outputs and the digital core]

Embedded Systems Design Flow
[Figure: concept → HW/SW specification → partitioning (estimation / exploration) → hardware components and software components → hardware and software]

Dimensions of the challenge
[Figure: modelling formalisms (discrete, continuous, hybrid, non-linear equations, Boolean logic, temporal logic, FSM, hybrid automata, satisfiability, types) set against validation tasks (architecture, unit, system, microcode, reliability, power, coverage, timing, protocol, core and cluster specs, synthesizability problems, formal verification)]

Formal Verification
• Task: verify whether a system design meets its specification
• Standard testing methods are losing steam (system dynamics, stochastic, non-linear, mixed, thousands of states, ...)
• Formal verification has shown much promise in recent times

The promise of Formal Verification
An algorithm which takes as input
■ (a) a model of a system A and
■ (b) a property P
and terminates with output
■ (c) a proof that all the behaviors of A satisfy P, OR
■ (d) a particular behavior of A that violates P
[Figure: A and P enter the verification algorithm, which answers "A satisfies P" or returns a trace of A violating P]
Examples:
1. A: model of an autonomous vehicle; P: always stays on the road
2. A: model of a traffic control system; P: vehicles do not collide
The procedure is completely automatic.

Design and Verification
[Figure: design → specification and implementation; verification asks: equivalent?]

Agenda for this talk
A guided tour of digital design verification
■ Different approaches to verification
A brief overview of software verification
A brief overview of security verification

Digital Design: Abstraction Levels
Exponential growth in circuit size (Moore's Law). Formalisms introduced at the entry level:
■ Register Transfer Level: restricted semantics of programming languages; Communicating Concurrent State Machines (CSM), e.g.
    always @( posedge clk )
    begin
      if (!rst) begin
        a1 <= a2;
        a2 <= ~a1;
      end
    end
■ Gate Level: Boolean logic, finite state machines
■ Transistor Level: schematic

Design and Verification
[Figure: specifications → micro-architecture (property checking: does it meet the specs?) → design RTL (verification: does it implement the µ-arch?) → gate netlist (equivalence checking: are they equivalent?) → layout (equivalence checking: are they equivalent?)]

Design Cycle: Implementation
[Figure: specs document (English documents) → RTL implementation (Verilog, VHDL; design integration), checked against the spec by implementation validation (spec vs RTL) → synthesis → gate level netlist, checked by equivalence checking → technology mapping → transistor level (schematic) → layout → mask]

The Verification Challenge
Objective: eliminate design defects before a product is shipped.
Specification ?= Implementation
The verification task is becoming more complex:
■ Micro-architecture complexities grow
■ Market requirements get tougher
■ Technologies change

Simulation-based Verification
[Figure: design → test plan → test bench → stimulus generation → simulation → coverage metrics → debug → bug tracking]

Exhaustive Simulation is Infeasible
Consider a sequential circuit having N FFs and M inputs. Exhaustive verification by simulation:
■ Reach each state from the initial state
■ At each state verify the behavior for each input vector
Upper bound:
■ Number of states: S = O(2^N)
■ Number of input vectors at a state: R = O(2^M)
■ To reach a state we may have to pass through O(S) states, where each transition requires an input vector
■ Total number of input vectors = O(S × R) = O(2^(M+N))

What's the Alternative?
The design must be simulated using a well-selected subset of input patterns.
Well selected?
■ Test plans and test scenarios
■ Coverage
What do we observe?
■ Detecting errors by comparing a design's primary outputs with the desired responses may not be the most efficient
● An internal error may take many cycles to propagate to a primary output to be detected
● It may not always propagate to the primary output
■ We must carefully choose the signals to be observed

Simulation-based Verification: State of technology
Tool support:
■ VCS, Modelsim, NC
■ University tools: Veriwell, Icarus
State of technology:
■ Constrained random test generation frameworks
■ Layered test architectures
■ Test-bench design languages
● Specman e, SystemVerilog, SystemC
  . Object-oriented test support
  . Can model concurrency
■ Good coverage monitoring
● Can be used to generate a test harness for uncovered areas

The advent of Formal...
And then came formal
■ Explicit
■ SAT-based
■ BDD-based
■ ...
There is a mathematical way of checking everything.

The overall picture
[Figure: system model M and property ψ enter the formal engine ("Does M satisfy ψ?"), which answers Yes! or No! plus a counterexample]

Where do we get the system model?
■ Hardware source code, e.g., Verilog or VHDL
■ Software source code, e.g., C, C++, or Java
■ Extended design models
These are brought to a system model by abstraction and other (semi-)automated transformations.

Where do we get the properties?
■ Requirements documentation + insight → formal properties (typically based on temporal logic or automata)
■ Canned standard properties & templates (e.g., "deadlock-freedom")

Formal Verification
■ System: a mathematical model M
■ Desired behavior: a formal specification ψ
■ The system has the required behavior: M satisfies ψ

Model checking / Formal Property Verification (FPV)
    always !g1 || !g2
    always r2 && !r1 ⇒ next g2

Formal Properties
Temporal logics (timed / untimed, linear time / branching time): LTL, CTL
Early languages: Forspec (Intel), Sugar (IBM), OpenVera Assertions (Synopsys)
Current IEEE standards: SystemVerilog Assertions (SVA), Property Specification Language (PSL)

Model checking
Input: a system M and a specification ψ. Output: does M satisfy ψ?
■ Fully automatic
■ Produces a counterexample
■ Does not scale

Advantage of Model Checking
Simulation checks only the values we select; even small systems have trillions (of trillions) of possible tests!
A model checker tries every possible input and state!

Model Checking: State of technology
HDL formal tools:
■ IFV, Magellan, Jasper, OneSpin
■ University tools: SMV, VIS, SPIN
State of technology:
■ Explicit state model checking
● Impractical for large circuits
■ Symbolic model checking
● Uses implicit representation of states and transitions
● BDD, SAT, ATPG
● Scales well to moderate circuits

Emerging validation flow
[Figure: architectural specification → executable specification [assertions] [SAL, Lustre, SystemC, etc.] with consistency checks, simulation, customization and performance evaluation (design intent verification) → implementation verification: module implementation [module-level assertions] by formal verification and simulation; design integration [system-level assertions] by simulation and dynamic/semi-formal property verification]

Dynamic Property Verification
Verify the properties during simulation.
Compromise: exhaustive simulation is impractical – bugs can escape if the simulation does not cover the buggy run.
[Figure: the test bench drives the module under test; an assertion monitor observes it]

Semi-Formal Verification
• Method to leverage formal algorithms in a resource-bounded way
• Used to find bugs too complex / deep for pure formal search
• Often iterates between random simulation and formal algorithms
Tool support: Magellan from Synopsys
Success stories reported from processor verification teams at IBM: the IBM SixthSense tool

Formal Verification: A Deeper Look Inside

Advent of Formal Methods in EDA
Goal: exhaustive verification of the design intent within feasible time limits
Philosophy: extraction of formal models of the design intent and the implementation, and comparing them using mathematical / logical methods
[Figure: design intent expressed as formal properties is checked against the Register Transfer Level (the RTL snippet above) by model checking; the logical gate level and transistor level are related by equivalence checking]
• Temporal logics (1996: Turing Award to Amir Pnueli)
• Adopted by Accellera / IEEE; integrated into SystemVerilog
• Tools: academia: NuSMV, VIS; industry: Magellan (Synopsys), IFV (Cadence)
• 2007: Clarke & Emerson get the Turing Award

What is Formal Verification?
Formally checking whether the implementation satisfies the specification.
[Figure: specification and implementation enter the formal checker, which answers Yes or No]
What are the ways to specify the specification?

Types of specifications
The specification may be:
■ Boolean functions (combinational) – adder, multiplier, etc.
■ An implementation at a higher level of the design
■ A set of temporal properties
■ For the first two:
● We convert both specification and implementation into a common canonical form (BDD, BMD, SAT, etc.)
● We then do formal equivalence checking
■ The third calls for Formal Property Verification (FPV)

What is Formal Property Verification?
The design intent is expressed in terms of formal properties. We check formally whether the implementation satisfies these properties.
■ If so, the checker reports success
■ Otherwise it produces a counter-example
The formal method is called model checking.

Example: A Simple Pedestrian Crossing Control
[Figure: a Control block with request inputs r1, r2 and grant outputs g1, g2]

Example: A Simple Traffic Control
Properties:
1. Request line r1 has higher priority than request line r2. Whenever r1 goes high, g1 must be asserted for the next two cycles:
    always [ r1 ⇒ next g1 ∧ next next g1 ]
2. When none of the request lines are high, the control parks the grant on g2 in
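As an added example (not from the slides), the pedestrian-crossing arbiter and property 1 above run through a small explicit-state model checker in Python: the design, a monitor automaton for always [ r1 ⇒ next g1 ∧ next next g1 ] and the invariant always !g1 || !g2 are composed, and every reachable product state is explored under every input, so the search either exhausts the state space (the proof) or returns a violating trace (the counterexample). The arbiter itself, its hold parameter and the omission of r2 are my assumptions, not the talk's.

```python
from collections import deque

# Design under verification (constructed for this example): a Moore-style
# arbiter for the pedestrian crossing.  State c = number of cycles for which
# g1 still has to stay asserted.  hold=2 is the intended design; hold=1 is a
# deliberately wrong variant that drops g1 one cycle too early.
def arbiter_outputs(c):
    g1 = c > 0
    return g1, not g1                 # g2 is parked whenever g1 is not granted

def arbiter_step(c, r1, hold):
    return hold if r1 else max(c - 1, 0)

# Monitor automaton for property 1, always [ r1 => next g1 /\ next next g1 ].
# need_now / need_next: g1 is owed in this cycle / in the following cycle.
def monitor_step(need_now, need_next, r1):
    return bool(need_next or r1), bool(r1)

def model_check(hold):
    """Explicit-state search of the product (design x monitor) under every
    input sequence.  Returns None when every reachable state satisfies both
    properties (the exhausted search is the proof), otherwise a counterexample
    trace: one (r1, g1, g2) tuple per cycle, r1 = None in the violating cycle."""
    init = (0, False, False)          # reset: nothing granted, nothing owed
    parent = {init: None}             # product state -> (predecessor, r1 applied)
    queue = deque([init])
    while queue:
        state = queue.popleft()
        c, need_now, need_next = state
        g1, g2 = arbiter_outputs(c)
        if (g1 and g2) or (need_now and not g1):   # always !g1 || !g2 / owed g1 missing
            return rebuild_trace(parent, state)
        for r1 in (0, 1):             # r2 omitted: it does not influence these two properties
            nxt = (arbiter_step(c, r1, hold),) + monitor_step(need_now, need_next, r1)
            if nxt not in parent:     # the visited set is what makes the search exhaustive
                parent[nxt] = (state, r1)
                queue.append(nxt)
    return None

def rebuild_trace(parent, state):
    """Walk the parent pointers back to reset and replay the outputs."""
    cycles, r1 = [], None
    while state is not None:
        g1, g2 = arbiter_outputs(state[0])
        cycles.append((r1, g1, g2))
        state, r1 = parent[state] or (None, None)
    return cycles[::-1]
```

model_check(2) returns None, while model_check(1) returns a three-cycle trace in which r1 is raised, g1 is granted for one cycle and then dropped while still owed.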

Details

  • File type: pdf
  • Content language: English
  • File pages: 90
