Content uploaded by Anna Slobodova
Author content
All content in this area was uploaded by Anna Slobodova on Sep 30, 2015
Content may be subject to copyright.
A preview of the PDF is not available
Use of Formal Verification at Centaur Technology
Abstract and Figures
We describe the formal methodology we are using to verify components of a commercial 64-bit, x86-compatible microprocessor design at Centaur Technology. This methodology is based on the ACL2 theorem prover. In this methodology, we mechanically translate the RTL design into a formal HDL for which we have an interpreter in ACL2. We use AIG-and BDD-based symbolic simulation and theorem proving techniques to show that the hardware models satisfy their specifications, which are ACL2 functions. Completed verifications yield theorems admitted by ACL2, ensuring that the verification is based on sound reasoning. We have used this methodology to verify instructions such as SIMD floating-point addition and subtraction, integer and floating-point multiplication, comparisons, bit-wise logical operations, and integer/float conversions. We discuss our floating-point addition verification as a case study.
Figures - uploaded by Anna Slobodova
Author content
All figure content in this area was uploaded by Anna Slobodova
Content may be subject to copyright.
... At Centaur Technology, we have been doing formal verification of execution units-those that perform logical, integer, SIMD integer, and floating-point operations-for over a decade [19,9,14]. Formal methods have proven to be very effective in the validation of data-path intensive designs. With the size of operands in the x86 ISA growing to 512 bits, targeted or random simulations have become inadequate to cover arithmetic and cryptographic units. ...
... In contrast to these approaches, we extended our prior work on the execution unit [19,9] as well as microcode [17] verification, and along with proofs about instruction decoding and composition of uops, are able to prove instruction implementations correct. Notably, the operational semantics of uops provably reflects behavior of the RTL design. ...
Verification of modern microprocessors is a complex task that requires a substantial allocation of resources. Despite significant progress in formal verification, the goal of complete verification of an industrial design has not been achieved. In this paper, we describe a current contribution of formal methods to the validation of modern x86 microprocessors at Centaur Technology. We focus on proving correctness of instruction implementations, which includes the decoding of an instruction, its translation into a sequence of micro-operations, any subsequent execution of traps to microcode ROM, and the implementation of these micro-operations in execution units. All these tasks are performed within one verification framework, which includes a theorem prover, a verified symbolic simulator, and SAT solvers. We describe the work of defining the needed formal models for both the architecture and micro-architecture in this framework, as well as tools for decomposing the requisite properties into smaller lemmas which can be automatically checked. We additionally cover the advantages and limitations of our approach. To our knowledge, there are no similar results in the verification of implementations of an x86 microprocessor.
... This approach works only when the reference design is structurally close to the original under verification and relies on the correctness of the reference design and proof maintenance whenever designers make structural changes. Another approach is to find a suitable decomposition of a design into parts that can be verified automatically and compose those results into a top-level theorem [13,15,30]. The drawback of this method is that it requires manual intervention by the verification engineer who decides about the boundaries of the decomposition. ...
... Rewriting with Lemmas 12-17 does not affect the value of f 4 since they are restricted to rewrite terms that contain only the + and − functions, and minterms. For Lemmas 12,13,and 14, x can only be unified with a positive minterm. Therefore, rewriting with these lemmas does not change f 3 . ...
The automatic formal verification of multiplier designs has been pursued since the introduction of BDDs. We present a new rewriter-based method for efficient and automatic verification of signed and unsigned integer multiplier designs. We have proved the soundness of this method using the ACL2 theorem prover, and we can verify integer multiplier designs with various architectures automatically, including Wallace, Dadda, and 4-to-2 compressor trees, designed with Booth encoding and various types of final stage adders. Our experiments have shown that our approach scales well in terms of time and memory. With our method, we can confirm the correctness of \(1024\times 1024\)-bit multiplier designs within minutes.
... However, these methods, as well as SAT Solvers [22], do not scale for automatic verification of more common multiplier architectures, i.e., Wallace-tree like multipliers and Booth Encoding. Their irregular and more advanced structure complicates the process for automatic tools; therefore, verification of industrial designs is carried out mostly manually [10,11,12,21,23]. Recent studies have focused on computer algebra based methods and they have shown significant improvements [5,13,17,18,31]. ...
Automatic and efficient verification of multiplier designs, especially through a provably correct method, is a difficult problem. We show how to utilize a theorem prover, ACL2, to implement an efficient rewriting algorithm for multiplier design verification. Through a basic understanding of the features and data structures of ACL2, we created a verified program that can automatically verify various multiplier designs much faster than the other state-of-the-art tools. Additionally, users of our system have the flexibility to change the specification for the target design to verify variations of multipliers. We discuss the challenges we tackled during the development of this program as well as key implementation details for efficiency and verifiability. Those who plan to implement an efficient program on a theorem prover or those who wish to implement our multiplier verification methodology on a different system may benefit from the discussions in this paper.
... Some engineers verify reference designs using mechanized proof systems [20]. Another common analysis method is to decompose a design into smaller parts, reason about these parts separately, and then compose these proofs into a top-level theorem [21]- [23]. Finding a workable decomposition and combining individual proofs of multiplier fragments can be a cumbersome task. ...
We have developed an algorithm, S-C-Rewriting, that can automatically and very efficiently verify arithmetic modules with embedded multipliers. These include ALUs, dot-product, multiply-accumulate designs that may use Booth encoding, Wallace-trees, and various vector adders. Outputs of the target multiplier designs might be truncated, right-shifted, or a combination of both. We evaluate the performance of other state-of-the-art tools on verification problems beyond isolated multipliers and we show that our method applies to a broader range of design techniques encountered in real-world modules. Our verification software is verified using the ACL2 theorem prover, and we can soundly verify 1024x1024-bit isolated multipliers and similarly large dot-product designs in minutes. We can also generate counterexamples in case of a design bug. Our tool and benchmarks are available online.
Formal methods are becoming an indispensable part of the design process in software and hardware industry. It takes robust tools and proofs to make formal validation of large scale projects reliable. In this paper, we will describe the current status of formal verification at Centaur Technology. We will explain our challenges and our methodology—how various proofs and verification artifacts are interconnected and how we keep them consistent over the duration of a project. We also describe our main engine—a powerful symbolic simulator with rewriting capabilities that is integrated in a theorem prover and proven correct.
We present a methodology for formal verification of arithmetic RTL designs that combines sequential logic equivalence checking with interactive
theorem proving. An intermediate model of a Verilog module is hand-coded in Restricted Algorithmic C (RAC), a primitive subset of C
augmented by the integer and fixed-point register class templates of Algorithmic C. The model is designed to be as abstract and compact as
possible, but sufficiently faithful to the RTL to allow efficient equivalence checking with a commercial tool. It is then automatically translated
to the logic of ACL2, enabling a mechanically checked proof of correctness with respect to a formal architectural specification. In this paper,
we describe the RAC language, the translation process, and some techniques that facilitate formal analysis of the resulting ACL2 code.
We present a tool that primarily supports the ability to check bounded properties starting from a sequence of states in a run. The target design is compiled into an AIGNET which is then selectively and iteratively translated into an incremental SAT instance in which clauses are added for new terms and simplified by the assignment of existing literals. Additional applications of the tool can be derived by the user providing alternative attachments of constrained functions which guide the iterations and SAT checks performed. Some Verilog RTL examples are included for reference.
One obstacle to mathematical verification of industrial hard- ware designs is that the commercial hardware description languages
in which they are usually encoded are too complicated and poorly spec- ified to be readily susceptible to formal analysis.
As an alternative to these commercial languages, AMD1 has developed an RTL language for microprocessor designs that is simple enough to admit a clear semantic definition, providing
a basis for formal verification. We describe a me- chanical proof system for designs represented in this language, consisting
of a translator to the ACL2 logical programming language and a method- ology for verifiying properties of the resulting programs
using the ACL2 prover. As an illustration, we present a proof of IEEE compliance of the floating-point adder of the AMD Athlon
processor.
Formal verification of arithmetic datapaths has been part of the established methodology for most Intel processor designs
over the last years, usually in the role of supplementing more traditional coverage oriented testing activities. For the recent
Intel
\circledR^{\tiny\circledR} CoreTM i7 design we took a step further and used formal verification as the primary validation vehicle for the core execution cluster,
the component responsible for the functional behaviour of all microinstructions. We applied symbolic simulation based formal
verification techniques for full datapath, control and state validation for the cluster, and dropped coverage driven testing
entirely. The project, involving some twenty person years of verification work, is one of the most ambitious formal verification
efforts in the hardware industry to date. Our experiences show that under the right circumstances, full formal verification
of a design component is a feasible, industrially viable and competitive validation approach.
In this paper, we present a "black box" version of verification of FP adders. In our approach, FP adders are verified by an extended word-level SMV using reusable specifications without knowing the circuit implementation. Word-level SMV is improved by using Multiplicative Power HDDs (*PHDDs), and by incorporating conditional symbolic simulation as well as a short-circuiting technique. Based on a case analysis, the adder specification is divided into several hundred implementation-independent sub-specifications. We applied our system and these specifications to verify the IEEE double precision FP adder in the Aurora III Chip from the University of Michigan. Our system found several design errors in this FP adder. Each specification can be checked in less than 5 minutes. A variant of the corrected FP adder was created to illustrate the ability of our system to handle different FP adder design. For each adder, the verification task finished in 2 CPU hours on a Sun UltraSPARC-II server.
A data structure is presented for representing Boolean functions and an associated set of manipulation algorithms. Functions are represented by directed, acyclic graphs in a manner similar to the representations introduced by C. Y. Lee (1959) and S. B. Akers (1978), but with further restrictions on the ordering of decision variables in the graph. Although, in the worst case, a function requires a graph where the number of vertices grows exponentially with the number of arguments, many of the functions encountered in typical applications have a more reasonable representation. The algorithms have time complexity proportional to the sizes of the graphs being operated on, and hence are quite efficient as long as the graphs do not grow too large. Experimental results are presented from applying these algorithms to problems in logic design verification that demonstrate the practicality of the approach.
Due to a patent dispute, full text of this article is not available
at this time.
form only given. This talk focuses on the IBM internal (semi-)formal verification toolset SixthSense. We first provide a high-level overview of the SixthSense tool, developed to perform functional verification as well as sequential equivalence checking. We introduce the various synergistic transformation and verification engines it encompasses, encapsulated within a novel transformation-based verification framework. We have found this algorithmic synergy critical to enabling core semi-formal search algorithms to identify the most complex and deep bugs, as well as to enabling the completion of difficult correctness proofs. We additionally discuss various industrial applications of this toolset, from lighter-weight assertion and constraint-based verification to comprehensive block or unit-level reference model style of verification to silicon-failure recreation efforts
We have created an experimental extension to ACL2 that provides a means to symbolically evaluate ACL2 expres-sions. This modified implementation can be used to compute the 'general' application of an ACL2 function to generalized data. In particular, we use uBDDs to represent functions from Boolean variables to finite sets of ACL2 objects, and for guard-checked ACL2 functions we can automatically cre-ate corresponding generalized functions to operate on such generalized data. The DEFTHM hint mechanism has been extended to permit the direct application of symbolic simulation as a part of a proof attempt. This extension made it possible to di-rectly verify the Legato Challenge using only symbolic sim-ulation; this challenge involves proving the correctness of a 6502 assembly-language program that performs an 8-bit by 8-bit multiplication through repeated addition. We need only provide the initial symbolic data, i.e., two 8-bit, sym-bolic numbers, and we symbolically simulate the assembly-language program by symbolically simulating an ISA-level 6502-program interpreter that produces a symbolic result that we compare to its specification.
We have developed an extension of ACL2 that includes the implementation of hash-based association lists and func- tion memoization; this makes some algorithms execute more quickly. This extension, enabled partially by the imple- mentation of Hash-CONS, represents ACL2 data objects in a canonical way, thus the comparison of any two such objects can be determined without the cost of descending through their CONS structures. A restricted set of ACL2 user- defined functions may be memoized; the underlying imple- mentation may conditionally retain the values of such func- tion calls so that if a repeated function application is re- quested, a previously computed value may instead be re- turned. We have defined a fast association list access and update functions using hash tables. We provide a file reader that identifies and eliminates duplicate representations of re- peated objects, and a file printer that produces output with no duplicate subexpressions.