introduction to cindy eisner formal methods group ibm haifa research laboratory february 2001...

Introduction to

Cindy Eisner

Formal Methods Group

IBM Haifa Research Laboratory

February 2001

Introduction to RuleBase 2

Overview - day 1

• What is functional formal verification?

• Model checking

• Sugar (basics)

• EDL (basics)

• Exercise: a simple arbiter

What is verification?

Verification is making sure that:

• what you designed is what you specified

functional verification• what you sent to manufacturing is what you

designed

equivalence checking• what was manufactured is what you sent to

manufacturing

production testing

specification

VHDL/Verilog

transistors

silicon

Formal verification

• Prove mathematically that a design obeys its specification

• Contrast to simulation:

Formal verification Simulation

all legal input sequences (large) set of particular cases

correctness expressed as correctness usually expressed perset of general properties run (expected results)

• Methods: theorem proving, model checking

Model checking

• A method for formal functional verification• Any piece of sequential random logic is a

(very large) state machine, so:• View design as a finite state machine • Traverse the state machine to determine the

truth or falsity of a specification• Provide a trace showing a counter-example (if

false)

Model checking (continued)

“if a request is received, it will be processed within 3 clocks”

• first, we need a language in which to express properties

Sugar - introduction

• Extension of the branching time temporal logic CTL• Unwind state graph to obtain infinite computation tree

• Reason about (infinite) paths in the computation tree

FSM Infinite Computation Tree

• Path quantifiers

A - for all paths E - there exists a path• Tense Operators

Xp - p holds at the next cycle Fp - p holds sometime in the future Gp - p holds globally from the present time p U q - p holds until q holds• Temporal Operators AX, AF, AG, AU, EX, EF, EG, EU

AG p (exercise)

Complete the figure below

A[p U q] (exercise)

Complete the figure below (use different colors for p and q)

EX p (exercise)

EF p (exercise)

E[p U q] (exercise)

Complete the figure below (use different colors for p and q)

AG AF p

Boolean operators

• & - and

• | - or

• ! - not

• -> - implies

CTL (exercise)

• Express in CTL:

“if a request is received, it will be processed within 3 clocks”

_______________________________

CTL (more exercises)

• “read_en and write_en are mutually exclusive” _________________________________________• “two consecutive grants are not allowed” _________________________________________• “every request will eventually receive a grant” _________________________________________• “whenever a request is issued, signal request will

stay asserted until a grant is received” _________________________________________

Sugar - syntactic sugaring of CTL

• AW, EW

• AX[i]

• ABG[i..j], ABF[i..j]

• f until! g, f until g

• f before! g, f before g

• next_event!(b)(f), next_event(b)(f), next_event!(b)[i](f), next_event(b)[i](f)

Sugar - additional boolean operators

• ^, xor, != - logical xor (not equals)

• <->, = - logical xnor (equals)

Sugar (exercises)• “if a request is received, it will be processed within 3

clocks” __________________________________________

• “if a request is received, it will be processed on the 3rd clock”

__________________________________________

• “between two requests, there must be an ack” __________________________________________• “whenever read is asserted, read_en must be asserted” __________________________________________

Sugar (more exercises)

• “done is a pulsed signal (i.e., it is never asserted for two consecutive cycles)”

__________________________________________

• “if there is an error indication, it will remain active forever”

__________________________________________

• “if grant is asserted, and there is no retry the next cycle, busy must be asserted two cycles after the grant”

__________________________________________

Vacuity

AG (req -> AX (ack -> AF grant))

• when is this formula meaningless?

• solution: vacuity check

• if formula is false: counter-example

• if formula is true: witness

• if formula is vacuous: vacuous pass

Environment

EDL - overview

var req: boolean;assign init(req) := 0;assign next(req) :=

if busy then 0 else {0,1} endif;

var cmd: {READ, WRITE, NOP};define read_req := req & cmd=READ;

EDL - constants and variables

• Numeric constants: – decimal (1276), binary (1011B), hex (7FFFH)

• Enumerated constants:– var state: {idle, st1, st2, st3, waiting};

• Variable reference:– name -- simple variable/signal– name(i) -- one bit of array– name(i..j) -- a range of bits

EDL - expressions• Boolean connectives:

& | ! ^

• Relational operators: = != < <= > >=

EDL - expressions (continued)• Arithmetic:

+ - * / mod

• Non-deterministic choice: {read, write, nop} i..j - equivalent to {i, i+1, …, j}

EDL - variable declarations

var name1, name2, name3 : type;

• type is one of: boolean {enum1, enum2, …, enumN} i .. j

• examples: var read, write : boolean; var state : {idle, read, write, hold} var counter {1,2,3,4,5} var length 4..10

EDL - the assign statement

assign init(sig1) := expression;

assign next(sig1) := expression;

assign sig2 := expression;

• init/next - memory element• assign “simple” - combinational element• init omitted for a memory element: begins unspecified

(any legal value)• next omitted for a memory element: can change to

any legal value at any moment

EDL - if expression

Syntax:

sig := if condition then expr else expr endif;

Example:

assign a := if reset then 0 else b endif;

EDL - case expressionSyntax:

sig := case

condition1 : expr1 ;

condition2 : expr2 ;

else : exprN+1 ;

else is not mandatory, but if you "fall" into esac the value is undefined

EDL - additional operators

• expr in {e1, e2, ... , eN} equivalent to expr=e1 | expr=e2 | ... | expr=eN

• fell(expr) expr was 1 and became 0• rose(expr) expr was 0 and became 1• prev(expr) value of expr in the last cycle

EDL - define statementSyntax:

define sig1 := expression1;

sig2 := expression2;

... • define’d signals are combinational signals• don't use define with non-deterministic expressions

(unless you know what you are doing.......)

Examples:

define selected_c := select & c1 | !selected & c2;

define cc := 3;

EDL - exercises

• sticky_bit: if rises, it stays active forever. __________________________________________

• req: may rise at any cycle. when rises, it must remain active until (including) the cycle in which gnt is active.

__________________________________________ • reset: active for 6 cycles. Then inactive forever. __________________________________________

• data: an integer of range 0 to 7, stable while data_ready (a boolean signal) is active, and have non-deterministic value elsewhere.

__________________________________________

EDL - more exercises

• model control of a cyclic fifo of depth 16• inputs:

– put - data is read in – get - data is written out

• outputs: full and empty• put and get can come together• put/get cannot come when the fifo is full/empty ___________________________________________________

_________________________________________________________________________________________________________________________________________________________

EDL - arrays

• declaration: var name ( index1 .. index2 ) : type ;• actually declares name(index1), ..., name(index2) • index1 can be either greater or less than index2• examples: var addr(0..7) : boolean; counter(4..5) : 0..3; status(0..3) : {empty, notempty, full };

EDL - array operations

• :=• = !=• & | ^ ! -> <-> -- boolean arrays only• > >= < <= -- boolean arrays

only• + - * -- boolean arrays only (beware of *)• >> << -- boolean arrays only

rhs is constant or integer

EDL - more array operations

• ++ -- concatenate bits or sub-vectors• zeroes(n) -- 0++0++ ... ++0 n times• ones(n) -- 1++1++ ... ++1 n times• nondets(n) -- {0,1}++ ... ++{0,1} n times• rep(expr,n) -- expr++ ... ++ expr n times• itobv(i) -- convert integer expr to bit vector• bvtoi(vec(i..j)) -- convert bit vector to integer expr

• no need for itobv with numeric constants

EDL - array examples• var a(0..2), b(0..8), c(7..0) : boolean;• define f(0..2) := b(2..0) & c(5..7); • assign next( a(0..2) ) := case reset : 0; a(0..2) > b(0..2) : c(1..3); a(0..1) = 10B : d(0..2); else : a(0..2); esac;• var counter(0..7) : boolean; assign init ( counter(0..7) ) := 0; next( counter(0..7) ) := counter(0..7) + 1;

EDL - more array examples

assign

co++sum(0..15) := 0++op1(0..15) + 0++op2(0..15);

prod(0..7) := zeroes(4)++op1(0..3) * zeroes(4)++op2(0..3);

var cmd(0..4): boolean;

assign cmd(0..4) := {5, 7, 13};

var cmd(0..4): {5, 7, 13}; -- totally different

EDL- array exercise

• cmd_lt(0..2) should be equal to the value of cmd(0..2) the previous cycle

________________________________________________________________________________________________

EDL - another array exercise

• cmd(0..2) can be one of read(101), write(010), sync(011), or idle(000). The command must be stable until (including) gnt is asserted. The cycle after gnt, cmd must be 0. gnt is a pulse.

________________________________________________________________________________________________

EDL - %for %for i in 0..3 do

define aa(i) := i > 2;

define bb%{ii} := i > 2;

is equivalent to:

define aa(0) := 0>2; define bb0 := 0>2;

EDL - %for example

define parity :=

%for i in 0..15 do

data(i) ^

EDL - clocks

• In a one clock design, declare the clock to be a constant 1:

define clk := 1;

• For multiple synchronous clocks, declare the fastest clock to be a constant 1, others to be a function of it

EDL -resets• Designs with reset signal: var reset_counter : 0..4; assign init(reset_counter) := 0; next(reset_counter) := if reset_counter=4 then 4 else reset_counter+1

endif; define RESET := reset_counter != 4;

• Designs with initial values don't need reset

EDL - exercises

• from the time data_en is asserted until one cycle after it, data should be stable, elsewhere it can change.

________________________________________________________________________________________________________________________________________________________________

EDL - more exercises

• config_reg: a 3-bit array variable that chooses a value from 0 through 5 and remains with it forever.

________________________________________________________________

• sticky_bit: may rise randomly and stay active forever.

________________________________

RuleBase exercise 1

• Copy directory exercise1 from $RBEXERCISES/exercise1

• See file README

Overview - day 2

• More Sugar• Fairness• More EDL• Size problems (basics)• Managing multiple environments• RuleBase options• Design for formal verification• Exercise - a simple buffer

Sugar - safety vs. liveness

• Safety: nothing bad ever happens AG, AX, AW, ABG, ABF, until, before,

next_event• Liveness: something good eventually happens

AF, AU, until!, before!, next_event!• Safety is easier to verify than liveness• Safety on-the-fly, liveness on-the-fly

Sugar - sequences

{e0,e1,e2,...}(f) • f must hold on the last cycle of all computations that

agree with the sequence e0 at cycle 0, e1 at cycle 1, e2 at cycle 2, etc.

Example: ”every req on cycle X that gets a gnt at cycle X+1 and doesn't get retried at cycle X+2, should cause busy to be active at cycle X+2"

• AG {req,gnt,!retry}(busy)

Sugar - sequence operators

• e1,e2 e1, then e2 (e2 starts the cycle after e1 completes)

• e1~e2 e1, then e2 (e2 starts the same cycle that e1 completes)

• e1||e2 either e1 occurs, or e2 occurs• e1&&e2 both e1 and e2 occur• e1[*] e1 occurs 0 or more times• e1[+] e1 occurs 1 or more times

Sugar - more sequence operators

• e1[i] e1 occurs i times• e1[i..j] e1 occurs at least i but not more than j times• e1[i..] e1 occurs i or more times• e1[..j] e1 occurs no more than j times• [*],[+], etc. abbreviate true[*], true[+], etc.• b[=j] a sequence in which b occurs i times• b[>j], b[>=j], b[<j], b[<=j], b[>j,<k], b[>=j, <k], etc.

Sugar - sequence examples

• “an urgent request must be served within the next five (not necessarily consecutive) scrolls

AG {urgent_req,{scroll[>5] && serve_urgent[=0]}}(false)

• “if there is a request and one cycle after there is either read and no cancel_read until done, or write and no cancel_write until done, then ok is asserted with done”

AG {request,{read,!cancel_read[*],done}|| {write,!cancel_write[*],done}}(ok)

Sugar - more sequences

{p, q} -> {s[*], t}!

{p, q} -> {s[*], t}

• A sequence matching the left-hand side must be followed by a sequence matching the right-hand side

• The strong version (!) must reach its end (in example above, t must eventually occur)

• The weak version is not required to reach its end (in example above, s may hold forever)

Sugar - sequence exercises

• “Whenever a read request is followed on the next cycle by an ack, then eventually we expect to see a grant followed by a read data cycle

__________________________________________

• “Whenever signal get is asserted and tag has the value 1, then the next time that signal get is asserted, tag will have the value 2. However, it is not required that there be such a next time.”

__________________________________________

Sugar - more exercises

• “whenever a high priority request is received, then one of the next two grants must be to a high priority requestor”

____________________________________________________________________________________

• “every transaction must complete, and within every transaction, a full data transfer must occur”

____________________________________________________________________________________

Sugar - more exercises

• “a sequence beginning with the assertion of signal start, and containing eight not necessarily consecutive assertions of signal get, during which kill is not asserted, must be followed by a sequence containing eight assertions of signal put before signal end can be asserted”

______________________________________________________________________________________________________________________________

Fairness

Design underverification

idle busy

gendone

!startstart

problem - the env model can stay in state busy forever

Fairness (continued)

• fairness is used to filter out paths from the environment

• Syntax:

fairness expr;

• requires that expr occur an infinite number of times

idle busy

gendone

!startstart

• Be careful with fairness! What is wrong with the following?

• fairness state=gen_done;

idle busy

gendone

!startstart

• What is the correct fairness constraint? ____________________________________

EDL - modules

module proc(gnt)(req, cmd) {

var req: boolean;

var cmd: {read, write, nop};

assign init(req) := 0;

assign next(req) := if gnt then {0,1} else 0 endif;

instance proc1: proc(gnt1)(req1, cmd1);

instance proc2: proc(gnt2)(req2, cmd2);

EDL - processes

process { var a: boolean; a := 0; if (b | c) a := 1;

EDL - assign vs. define

• assign requires a state variable

• define is “for free”

EDL - invariants

• Syntax:

invar expr;

• restricts the analysis to states in which expr holds

• can be used to model the environment or to (over) restrict the design

EDL - invariant example

• Suppose the environment must supply a read request, or a write request, but never both:

var read_req, write_req: boolean; assign write_req := if read_req then 0 else {0,1} endif;

• a simpler way using invariants:

var read_req, write_req: boolean; invar !(read_req & write_req);

Size problems - strategies

• (over) restrict the environment: define pipeline_enable := 0;• design overrides: var override internal_sig1: boolean; define override internal_sig2 := 0; var override internal_sig3: boolean; assign init(internal_sig3) := …; assign next(internal_sig3) := …;

Size problems - strategies (continued)

• Safety on-the-fly

• BDD reordering– enabling– configuring– toggling– bdd order pool

Managing multiple environments

foo(1) lowest priority

define override foo := …; (2)

mode read_only {

define override foo := …;

rule read_only_no_pipeline {

envs read_only; (3)

define override foo := …; (4) highest priority

RuleBase options

Design for Formal Verification

• Control works well under model checking, datapath doesn’t: – Separate control from datapath!– Also separate control from address path,

bookkeeping code

RuleBase exercise 2

• Copy directory exercise2 from $ $RBEXERCISES/exercise2

• See file README

RuleBase exercise 3

• Copy directory exercise3 from $ $RBEXERCISES/exercise3

• See file README

introduction to cindy eisner formal methods group ibm haifa research laboratory february 2001...

rulebaseag p exercisecomplete

cyclefp p

futuregp p

rulebaseef p exercisecomplete

rulebaseex p exercisecomplete

rulebaseeg p introduction

figure belowintroduction

pathtense operatorsxp

Documents

ibm haifa research lab © 2008 ibm corporation concurrent...

ibm research © 2007 ibm corporation ibm haifa labs © 2006...

database-inspired search david konopnicki and oded shmueli...

ibm haifa research lab...ibm haifa research lab © 2007 ibm...

© 2015 ibm corporation unit 2: bigdata analytics with spark...

2001 announce overview ibm server iseries - recursos …...

other tools - ibm...

ibm labs in haifa © ibm corporation ilami symposium on...

stocs – a stochastic csp solver bella dubrov ibm haifa...

security and deduplication in the cloud danny harnik - ibm...

ibm labs in haifa © 2006 ibm corporation constraint...

oopsla 2003 mostly concurrent garbage collection revisited...

ibm haifa research labs project highlights

ibm labs in haifa generation core: ibm's systematic...

why work…? when you can play! yaniv corem ibm research –...

ibm haifa research lab ibm haifa labs an open source...

ibm labs in haifa © copyright ibm challenges in constraint...

© 2010 ibm corporation ibm research – haifa virage logic...

ibm haifa labs © 2005 ibm corporation ibm haifa tools...

ibm labs in haifa 1 gcc tutorial – the compilation flow of...