Vhdl Bounded Model Checker (VBMC): A Formal Verification Tool for VHDL Designs
Ajith John, A. K. Bhattacharjee, RCnD, BARC
Supratik Chakraborty, CFDVS, IIT Bombay
Introduction

- Design of modern computer based systems involves partitioning of the system into hardware subsystems and software subsystems.
- Hardware subsystems are often implemented in Hardware Description Languages (HDL) such as VHDL, Verilog etc.
- The programs written in VHDL are converted to hardware realizations in FPGA through a sequence of transformations:
  Specifications -> VHDL Program -> Synthesis -> Place & Route -> FPGA
- Correctness of the final FPGA implementation depends on the correctness of the VHDL program.
- Ensuring the correctness (verification) of VHDL programs is extremely important when they are used in safety-critical applications.

(Figure: the design flow above, with simulation (ModelSim, NCSim) applied at the VHDL program stage; callout: exhaustive simulation impossible in practice.)
Conventional Verification: Simulation

- Exhaustive simulation covering all possible input combinations is impossible in practice.
- Example: a VHDL program with two 32-bit inputs and one output has 2^32 * 2^32 = 2^64 possible input combinations!
- We therefore cannot use exhaustive simulation to prove the functional correctness of the program; simulation only shows the behaviour for the input combinations actually exercised.
Formal Verification

- Formal verification proves / refutes the functional correctness of the program using rigorous mathematical techniques.
- Applied at the VHDL program stage of the design flow, alongside (not instead of) simulation.
Vhdl Bounded Model Checker (VBMC)

- Indigenously developed tool for formal verification of VHDL designs.
- Inputs to VBMC:
  - the VHDL program
  - the specification, expressed as a formal specification (property)
  - a bound K (integer): the number of clock cycles to check
- Two possible outcomes:
  - property satisfied for K clock cycles, or
  - property violated, with a counterexample (an execution of the program violating the property)
VBMC: Internals

Steps inside VBMC:
1. Generation of the transition relation
2. Transition relation abstraction (optional optimization step)
3. Bounded model checking
Generation of Transition Relation

- Transition relation: the relation R between the present and next states of the program.
- Generated using symbolic simulation: simulation of the VHDL program with symbols as inputs, rather than concrete values.

VHDL program (the slide's fragment, completed into a full entity/architecture pair):

  -- note: "register" is a reserved word in VHDL; rename the entity before compiling
  entity register is
    port (clk, d : in bit; t : out bit);
  end register;

  architecture rtl of register is
    signal p : bit;
  begin
    process(clk) begin
      if clk'event then p <= d; end if;
    end process;
    process(clk) begin
      if clk'event then t <= p; end if;
    end process;
  end rtl;

Transition relation R(state0, state1), where subscript 0 is the present state and subscript 1 the next state:

  ite(clk1 ≠ clk0, p1 = d1, p1 = p0) ∧ ite(clk1 ≠ clk0, t1 = p0, t1 = t0)

That is, on a clock event p takes the new input d and t takes the old value of p; otherwise both signals hold their values.
Bounded Model Checking

Goal: check whether the property is violated within k (the bound) clock cycles.

Step 1: Find the states reachable in k clock cycles.

  I(state0)
    Formula for the initial states: state0 represents all initial states. I is derived from the property.
  I(state0) ∧ R(state0, state1)
    R is the transition relation between the present state state0 and the next state state1; state1 represents all states reachable in 1 clock cycle from the initial states.
  I(state0) ∧ R(state0, state1) ∧ .... ∧ R(state_{k-1}, state_k)
    state_k represents all states reachable in k clock cycles from the initial states.

Step 2: Check if a bad state (one satisfying ~Property) is reachable in k clock cycles.

  I(state0) ∧ R(state0, state1) ∧ .... ∧ R(state_{k-1}, state_k) ∧ ~Property      (Verification Condition)

The verification condition is given to an SMT solver:
- Solution found => an execution violating the property exists => counterexample.
- No solution => no execution violating the property => the program satisfies the property for k clock cycles (design safe up to k cycles of operation).
Simulation vs Bounded Model Checking

Consider a VHDL program and a property. Initial states: I. Buggy states: ~Property. Suppose a counterexample trace of 4 clock cycles leads from an initial state to a buggy state.

Simulation: the trace followed in simulation depends on the input values chosen by the test bench; the counterexample trace is missed in simulation.

Bounded Model Checking: the unrolled formula covers every trace of the given length at once:

  I(state0) ∧ R(state0, state1)
    state0: the initial states; state1: all states reachable in 1 clock cycle from the initial states
  I(state0) ∧ R(state0, state1) ∧ R(state1, state2)
    state2: all states reachable in 2 clock cycles from the initial states
  I(state0) ∧ R(state0, state1) ∧ R(state1, state2) ∧ R(state2, state3)
    state3: all states reachable in 3 clock cycles from the initial states
  I(state0) ∧ R(state0, state1) ∧ R(state1, state2) ∧ R(state2, state3) ∧ R(state3, state4)
    state4: all states reachable in 4 clock cycles from the initial states
  I(state0) ∧ R(state0, state1) ∧ R(state1, state2) ∧ R(state2, state3) ∧ R(state3, state4) ∧ ~Property
    the counterexample is found by BMC.
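The register, its transition relation and the bounded model checking loop, worked end to end as an added example written for this page (it is not VBMC's code). It assumes 1-bit signals, treats clk'event as any change of clk exactly as the slide's R does, and writes R in the functional form p1 = ite(...) rather than the slide's relational form ite(..., p1 = d1, p1 = p0); the two are equivalent. VBMC hands the verification condition to an SMT solver, whereas this toy decides the same unrolled formula by depth-first enumeration of every input sequence, which is feasible only because every signal is 1 bit. The two properties, bad_two_stage and bad_t_never_set, are constructed for the example: the first is the intended specification of the two-stage register and holds for every bound; the second is the false claim that t never becomes 1, which bound k = 1 reports as safe and k = 2 refutes with a counterexample, the "no guarantee beyond K" caveat in action.

```python
"""Symbolic simulation and bounded model checking of the slide's register.

Added example, not VBMC's code. Each clocked process is simulated with
symbols instead of values to obtain R(state0, state1); the verification
condition I(s0) ∧ R(s0,s1) ∧ ... ∧ R(s_{k-1},s_k) ∧ ¬Property is then searched
for a solution by depth-first enumeration of every 1-bit input sequence
(VBMC gives the same condition to an SMT solver instead).
"""
from itertools import product
from typing import Optional

# 1. The design. Each clocked process is "on clk'event: target <= source".
#    Inputs are sampled at the new step (d1) and signals at the old step (p0),
#    which is what the slide's R(state0, state1) expresses.
INPUTS = ["d"]
PROCESSES = [("p", "d"), ("t", "p")]   # process(clk) if clk'event: p <= d; t <= p


# 2. Symbolic simulation: expression trees instead of concrete values.
#    Node forms: ("var", name) | ("ne", a, b) | ("ite", cond, then, else)
def var(name, step):
    return ("var", f"{name}{step}")


def symbolic_step(step):
    """R(state_{step-1}, state_step) as {next signal: expression}."""
    edge = ("ne", var("clk", step), var("clk", step - 1))
    rel = {}
    for target, source in PROCESSES:
        src = var(source, step) if source in INPUTS else var(source, step - 1)
        rel[f"{target}{step}"] = ("ite", edge, src, var(target, step - 1))
    return rel


def show(e):
    """Render an expression in the slide's ite(...) notation."""
    if e[0] == "var":
        return e[1]
    if e[0] == "ne":
        return f"{show(e[1])} != {show(e[2])}"
    return f"ite({show(e[1])}, {show(e[2])}, {show(e[3])})"


def show_relation(step=1):
    return " ∧ ".join(f"{n} = {show(x)}" for n, x in symbolic_step(step).items())


def evaluate(e, env):
    """Evaluate an expression under a concrete assignment env."""
    if e[0] == "var":
        return env[e[1]]
    if e[0] == "ne":
        return evaluate(e[1], env) != evaluate(e[2], env)
    return evaluate(e[2], env) if evaluate(e[1], env) else evaluate(e[3], env)


# 3. Bounded model checking over the unrolled relation.
def initial_states():
    """I(state0): p and t start at 0, clk may start at either level."""
    return [{"clk0": c, "p0": 0, "t0": 0} for c in (0, 1)]


INPUT_DOMAIN = [{"clk": c, "d": d} for c, d in product((0, 1), repeat=2)]


def bmc(bad, k: int) -> Optional[dict]:
    """Search I(s0) ∧ R(s0,s1) ∧ ... ∧ R(s_{i-1},s_i) ∧ ¬Property(s_i) for i <= k.
    Returns None (design safe up to k cycles) or the solving assignment, which
    is the counterexample trace: every signal value at every step."""
    def search(env, step):
        if bad(env, step):
            return env
        if step == k:
            return None
        for inp in INPUT_DOMAIN:
            nxt = dict(env, **{f"{n}{step + 1}": v for n, v in inp.items()})
            for name, expr in symbolic_step(step + 1).items():
                nxt[name] = int(evaluate(expr, nxt))   # next state fixed by R
            cex = search(nxt, step + 1)
            if cex is not None:
                return cex
        return None

    for s0 in initial_states():
        cex = search(s0, 0)
        if cex is not None:
            return cex
    return None


def sampled_inputs(env, step):
    """Values of d captured at each clk event up to `step`, oldest first."""
    return [env[f"d{i}"] for i in range(1, step + 1)
            if env[f"clk{i}"] != env[f"clk{i - 1}"]]


def bad_two_stage(env, step):
    """¬Property for the intended spec: after two or more clk events, t equals
    the d captured at the event before the latest one. Holds for every bound."""
    s = sampled_inputs(env, step)
    return len(s) >= 2 and env[f"t{step}"] != s[-2]


def bad_t_never_set(env, step):
    """¬Property for the false claim 't is never 1'. Two clk events are needed
    to reach t = 1, so k = 1 reports safe and k = 2 finds the counterexample."""
    return env[f"t{step}"] == 1


if __name__ == "__main__":
    print("R(state0, state1):", show_relation(1))
    print("two-stage spec, k=6:", bmc(bad_two_stage, 6))    # None: safe up to 6 cycles
    print("'t never 1', k=1:", bmc(bad_t_never_set, 1))     # None: safe up to 1 cycle only
    print("'t never 1', k=2:", bmc(bad_t_never_set, 2))     # counterexample assignment
```

The returned counterexample is the satisfying assignment of the unrolled formula, so it names clk, d, p and t at every step and can be replayed directly in a simulator; the k = 1 result for bad_t_never_set is exactly why the verification procedure keeps increasing K.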
Transition Relation Abstraction

- Optional optimization step.
- Verification condition: I(state0) ∧ R(state0, state1) ∧ .... ∧ R(state_{k-1}, state_k) ∧ ~Property
- Solving time grows, in the worst case exponentially, with the number of variables. Can we simplify R intelligently?
- Transition relation abstraction: eliminate variables from R so that it has fewer variables.
- We use a novel algorithm for transition relation abstraction to generate R', a simplified (abstract) transition relation.
- The verification condition then becomes: I(state0) ∧ R'(state0, state1) ∧ .... ∧ R'(state_{k-1}, state_k) ∧ ~Property
Verification Steps using VBMC

1. From the requirements specification of the FPGA, find the specifications to be checked and express them as properties (manually done).
2. Give the VHDL program and the properties to VBMC; set the verification bound K = number of clock cycles.
3. If the property is not satisfied: analyse the counterexample and review the program and the property (manually done), then re-run.
4. If the property is satisfied for K cycles: increase K and repeat, until resources are exhausted.
Other Formal Verification Tools

Existing formal verification tools:
- Commercial: JasperGold, Incisive (Cadence), Questa (Mentor Graphics)
- Academic: SMV, NuSMV (CMU), VIS, ABC (Berkeley), PdTrav (Politecnico di Torino)

Problem with existing academic tools:
- They take input in gate-level (bit-level) formats like AIGs.
- The RTL-level (word-level) constructs in the program (e.g. +, -) must be converted to gate-level, and verification is performed at gate-level.
- Scaling issues for verification of designs with wide data paths.

VBMC

- Word-level constructs in the VHDL program are kept at word-level and verification is done at word-level (word-level verification).
- Transition relation abstraction generates word-level abstractions.
- Scalable for verification of VHDL programs with wide data paths.
Applications of VBMC
Formal verification of VHDL programs used in boards developed at RCnD, ED in BARC and in NPCIL
Limitations of VBMC

- Supports only a subset of VHDL (includes almost all synthesizable constructs).
- Provides only a bounded guarantee: the design is safe up to K clock cycles; there is no guarantee after K clock cycles.
Publications

- A Quantifier Elimination Algorithm for Linear Modular Equations and Disequations. Computer Aided Verification (CAV) 2011.
- Extending Quantifier Elimination to Linear Inequalities on Bit-Vectors. Tools and Algorithms for the Construction and Analysis of Systems (TACAS) 2013.
- Quantifier Elimination for Linear Modular Constraints. International Congress on Mathematical Software (ICMS) 2014.
- A Layered Algorithm for Quantifier Elimination from Linear Modular Constraints. Formal Methods in System Design (FMSD), Volume 49, Issue 3, 2016.
- VBMC: A Formal Verification Tool for VHDL Programs. BARC External Technical Report, BARC/2014/E/010.
- Design and Application of a Formal Verification Tool for VHDL Designs. BARC Newsletter, ISSN: 0976-2108, 2012.