
Hardware Description Language Program Slicing and way to Reduce Bounded Model Checking Search Overhead

by Jen-Chieh Ou

Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

Advisor: Dr. Daniel G. Saab

Department of Electrical Engineering and Computer Science
CASE WESTERN RESERVE UNIVERSITY
January 2007

CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES

We hereby approve the dissertation of ____________ candidate for the Ph.D. degree*.

(signed) ____________ (chair of the committee)

(date) ____________

*We also certify that written approval has been obtained for any proprietary material contained therein.

To My Parents

Table of Contents

1 INTRODUCTION
2 BACKGROUND
  2.1 Basic Concepts
  2.2 Graphs
  2.3 Software Program Slicing
  2.4 Hardware Program Slicing
3 RTL SLICER
  3.1 Static/Conditioned RTL slicer
  3.2 VRM
  3.3 Static/Conditioned VRM Slicer
  3.4 RTL slicer example
  3.5 HDL Slicing vs. Cone of Influence Reduction
4 FORMAL VERIFICATION METHODS
  4.1 Temporal Logic
  4.2 Bounded Model Checking
5 ATPG-Based BMC Formal
6 EXPERIMENT
  6.1 USB2.0 IP Core
  6.2 Experiment Results
7 CONCLUSIONS

List of Tables

1 Node statements of the VRM
2 VRM for example Verilog code
3 USB2.0 IP core property descriptions
4 Slice size for each USB2.0 IP core property
5 CPU time (seconds) of SMV
6 Memory usage (MB) of SMV
7 CPU time (seconds) of Formal
8 Memory usage (MB) of Formal

List of Figures

1 Overview
2 An example for program slicing - Original Program
3 The static slice with respect to the slicing criterion <S11, z>
4 The static slice with respect to the slicing criterion <S10, y>
5 Control Flow Graph
6 Program Dependence Graph
7 The conditioned slice w.r.t. the slicing criterion <(x < 0), S10, y>
8 RTL slicer Framework
9 Algorithm: Static/Conditioned VRM Slicer
10 A hierarchical Verilog design
11 Static slice
12 Conditioned slice
13 Framework of ATPG-based BMC
14 Justification on k time frames
15 USB2.0 functional blocks
16 Building blocks of IP core for SIE

ACKNOWLEDGMENTS

First of all, I would like to acknowledge my adviser Dr. Daniel G. Saab, who has always guided and encouraged me through my entire Ph.D. research. Special thanks are given to his instructions, experiences and knowledge, which helped me overcome all the difficulties and challenges I have met in the past three and a half years. I want to express deep gratitude to Dr. Christos A. Papachristou, Dr. Massood Tabib-Azar, and Dr. Swarup Bhunia, for serving on my dissertation committee and for their valuable comments and suggestions on my research. I also want to thank my friends in the department, Qiang Qiang, Siva, Chia-Lun Chang, Chih-Hsueh Chang, Noppasit and Wen-Teng Chang, for their help and friendship. Finally, to my family in Taiwan: thanks for all their support and encouragement in these years, which I really appreciate.

Abstract

Modern complex digital systems are described in a Hardware Description Language (HDL). The increase in design complexity is causing verification tools to require a large amount of resources. In this research, we present a program slicing technique to extract statements from an RTL design that directly or indirectly contribute to a formal verification rule.
The extracted statements constitute a less complex design that reduces the resources needed by verification tools without compromising the quality of the result. Both static and conditioned Verilog slicers are implemented in a computer program that is used as a pre-processor to the SAT-based bounded model checker SMV and the ATPG-based bounded model checker Formal. We show experimentally that the resources of the formal verification tool in terms of both CPU and memory are reduced significantly when verifying the USB2.0 IP core. The proposed slicer is the first hardware slicing technique that handles inter-module signal dependency in a hierarchical Verilog design environment.

1 INTRODUCTION

As the transistor count exceeds one hundred million per die in modern semiconductor devices, circuit designers can add more functionality onto a single chip. The increasing circuit complexity poses a challenge to Computer-Aided Design (CAD) tools. These CAD tools are used at every step in the design cycle. A typical design cycle for a digital system starts with a specification that defines a desired function. Typically a design is described in a Hardware Description Language such as VHDL or Verilog. Simulation and verification tools are used to ensure correctness of the design by verifying that the implementation is consistent with the specification. After the behavioral hardware description is verified, another gate-level verification is performed. The process of behavioral verification and gate-level verification is repeated until the design is verified. The final step is technology mapping and place-and-route to produce a layout.

In the design process, verification is a crucial step. It requires a large amount of resources, proportional to the size of the search space that is related to the HDL description. In current designs, it is estimated that over 60% [48] of design effort is consumed by verification tools, and this share is expected to increase.
This complexity is due to the trend toward System on a Chip (SoC) and high-level design processes, which rely on the use of complex blocks with well-defined functionality and interfaces and on integrating those blocks to produce a system. This is highlighted in the International Technology Roadmap for Semiconductors (ITRS) documents, which point to the fact that verification has become the dominant cost in the design process, and that verification engineers outnumber design engineers up to three to one on complex designs. They point out that design conception and implementation are becoming mere preludes to the main activity of verification.

Simulation of the design using validation tests is the main technique used in industry to verify large designs. However, as designs become larger, the percentage of the possible behavior that is simulated becomes smaller, and the confidence in the design obtained by simulation diminishes. There is a growing interest in complementing simulation-based verification with formal methods. Unlike simulation, formal methods use mathematical reasoning to search the entire design space in order to verify design correctness. However, the design space is too large to be searched exhaustively in large designs. For this reason, the existing formal methods are only applicable to small portions of a design.

In this research, we present a program slicing technique to extract statements from an RTL design that directly or indirectly contribute to a formal verification rule. The extracted statements constitute a small design to which formal methods can be applied with reasonable CPU time and memory requirements. We implemented this technique in a computer program and compared its impact on a SAT-based bounded model checker SMV and on an ATPG-based bounded model checker Formal. Figure 1 shows how program slicing is integrated with a formal verification tool.
In this approach, a set of Slice Target Variables (STV) and the Condition (Con) are generated based on the circuit property that needs to be verified. The RTL program slicer reads the STV, Con and the Verilog description to compute a design slice that is behaviorally equivalent to the original design with respect to the property under verification. The slice, which is smaller than the original design in terms of size and complexity, is read by the verification tool, which verifies the validity of the property. We show experimentally that the resources of the formal verification tool in terms of both CPU and memory are reduced. In addition, the technique made it possible to verify properties that the verification tools could not otherwise verify. This verification does not compromise the quality of the result. The proposed slicer is the first hardware slicing technique that handles inter-module signal dependency in a hierarchical Verilog design environment.

The principal contributions of this work are:

1. This is the first fully automated conditioned HDL slicer.
2. The first slicer that handles the inter-module signal dependency in a hierarchical Verilog design.
3. Users do not need to specify the location of the slicing variables, as the conventional method requires. This allows designers with little knowledge of the Verilog code to generate meaningful slices.

The rest of this thesis is organized as follows: Chapter 2 presents the basic concepts and definitions that are used in our method. In this chapter, the program slicing concepts are defined in Chapter 2.1. The variant graphs that are used by different program slicing methods are described in Chapter 2.2. The previous works on program slicing for software and hardware are reviewed in Chapter 2.3 and Chapter 2.4 respectively. In Chapter 3, we introduce an RTL program slicer and provide an example to show the static and conditioned slice of a hierarchical Verilog design obtained by our slicer.
Chapter 4 gives a background of formal verification methods. In Chapter 5, we formulate ATPG-based BMC and describe the ATPG heuristic. Chapter 6 shows the impact of our method by verifying USB2.0 IP Core properties. Chapter 7 concludes.

[Figure 1: Overview. Blocks: Property; Condition (Con); Slice Target Variable (STV); RTL Verilog Design; Program Slicer; Sliced Verilog Design; Verification Tool; Witness or Valid]

2 BACKGROUND

2.1 Basic Concepts

The following definitions are derived from earlier work in [55].
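
The flow described in the introduction (STV and Con in, a smaller design out) can be illustrated with a generic backward-reachability slice over a flattened two-module design. This is an added example, not the thesis's VRM slicer or code from the author. The statement tuples, signal names, statement ids and the choice to place Con directly on the hierarchical signal `u1.sel` are assumptions made for illustration.

```python
from collections import namedtuple

# One RTL assignment: id, driven signal, signals read, optional (signal, value) guard.
Stmt = namedtuple("Stmt", "sid target reads guard")

# Constructed sample design: module top instantiates sub as u1; "u1." marks
# signals inside the instance, so port bindings carry inter-module dependencies.
DESIGN = [
    Stmt("S1", "u1.sel", {"mode"}, None),           # port binding top -> u1
    Stmt("S2", "u1.p",   {"a"},    None),           # port binding top -> u1
    Stmt("S3", "u1.q",   {"b"},    None),           # port binding top -> u1
    Stmt("S4", "u1.r",   {"u1.p"}, ("u1.sel", 1)),  # if (sel) r = p;
    Stmt("S5", "u1.r",   {"u1.q"}, ("u1.sel", 0)),  # else     r = q;
    Stmt("S6", "t",      {"u1.r"}, None),           # port binding u1 -> top
    Stmt("S7", "y",      {"t"},    None),           # assign y = t;
    Stmt("S8", "cnt",    {"cnt", "c"}, None),       # unrelated counter
]

def slice_design(design, stv, con=None):
    """Backward slice on the target variables stv; con maps signal -> fixed value.

    With con empty this is a static slice; otherwise branches whose guard
    contradicts con are dropped, giving a conditioned slice.
    """
    con = con or {}
    needed, kept = set(stv), set()
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for s in design:
            if s.sid in kept or s.target not in needed:
                continue
            if s.guard and s.guard[0] in con and con[s.guard[0]] != s.guard[1]:
                continue                # branch never executes under con
            kept.add(s.sid)
            changed = True
            needed |= s.reads           # data dependences
            if s.guard and s.guard[0] not in con:
                needed.add(s.guard[0])  # control dependence on a free guard
    return sorted(kept)

if __name__ == "__main__":
    print("static     :", slice_design(DESIGN, {"y"}))
    print("conditioned:", slice_design(DESIGN, {"y"}, {"u1.sel": 1}))
```

The static slice on `y` drops only the unrelated counter, while the conditioned slice also drops the untaken branch and the logic that feeds only that branch or the fixed guard.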