February 22-25, 2010

Designers Work Less with Quality Formal Equivalence Checking

by Orly Cohen, Moran Gordon, Michael Lifshits,

Alexander Nadel, and Vadim RyvchinIntel

Agenda• Formal Equivalence Checking (FEC) in Parts Using

Assume-Guarantee• FEC Flow Description and the Importance of

Assumptions• Minimizing Assumptions

– Naive Approaches– FEC as SAT Problem– Minimizing Assumptions Using SAT

• Comparison of SAT-Based and Naive Minimization Approaches

• Impact of Assumption Minimization on the Manual Debug Effort

• Conclusions and RecommendationsMichael Lifshits, Intel 2 of 14

Assume-Guarantee in Formal Equivalence Checking (FEC)• FEC proves the equivalence of 2 designs (e.g. schematics vs. RTL)• FEC is done on small sub-blocks (slices) suitable for formal

tools’ capacity• Slices’ inputs are restricted with assumptions, e.g. in SVA

DUT with Properties

Inpu

ts

Outp

uts

Assumption Assertion

Michael Lifshits, Intel 3 of 14

Origins of Assumptions• Manually added assumptions

• Design intent properties– ABV methodology

• Schematic Assumptions – appear in the standard cells library– save transistors, area, power

Michael Lifshits, Intel

INVERSE(a,b)

4 of 14

FEC Stages – the Importance of Assumptions

Assumptions must be proved relative to the

driving logic

smaller set of assumptions is better!

“Intel CPU project arrived with a dead A0 silicon due to a missed assumption verification step”

Michael Lifshits, Intel

Assumptions must be proved relative

to the driving logic

5 of 14

Minimizing the Assumptions SetNaive approaches:

• Static Structural Analysis• Iterative Trial and Error alg.

Michael Lifshits, Intel

MinAssump := ∅ // start without assumptionswhile verification fails and MinAssump All_Assump do Try proving with assumptions in MinAssump if pass Done Use the counterexample (CEX) and find A ∈ All_Assump : A ∈ MinAssump and A contradicts with CEX Add (at most K) such assumptions to MinAssump // K=20return MinAssump

6 of 14

Formal as SAT Problem• Most FEC tools are implemented with SAT-based FV

engines• FEC is reduced to a propositional formula: F=a AND b

OR c…• SAT solver proofs the lack of counterexamples for F;

– CEX is an assignment for {a,b,c..} | F==TRUE

• same(O1,O2)(t), F=XOR(O1, O2’)(t), fails when F=TRUENOTS1(t)AND(S1(t)… checked for t=1,2.. fails when S1=T, S2=T, ENB=T

• Unsatisfiable core – sub-formulas required for the proof

ENB

S1

S2

O1=NOTS1

O2’=(S1ANDS2 ANDENB) OR (O2AND^ENB)

Michael Lifshits, Intel 7 of 14

UNSAT CORESAT Formula

assumptions

Minimizing Assumptions Using SAT• The projection of UNSAT CORE onto the assumptions is the

subset of assumptions required for the proof• Minimization at the SAT level minimal number of

assumptions• Simple approach:

• Our approach:

Michael Lifshits, Intel 8 of 14

Iterative SAT Algorithm to Minimize Assumptions

Solve formula F: SAT(F) with All_AssumpExtract UNSAT CORE: UC

MinAssump := A ∈ Assump: A ∩ Proj(UC) ≠ ∅ // start with all usedfor all A MinAssump do∈ // try removing 1 assumption, reuse learning in SAT SAT(F) with MinAssump / {A} // solve F without A If pass MinAssump := MinAssump /{A} , update UCreturn MinAssump

Michael Lifshits, Intel 9 of 14

SAT-Based Minimization vs. Naive Trial and Error50% assumptions in most cases, and dramatically fewer in some

• UNSAT CORE Projection vs. Iterative Minimization (ours)

• It is justified mainly when minimizing the core is more important than reducing the run-time

SAT-Based Minimization Algorithms Comparison

Michael Lifshits, Intel 10 of 14

DUT1 DUT2 DUT3 DUT40%

5%

10%

15%

20%

25%

30%

35%

0.005.0010.0015.0020.0025.0030.0035.0040.0045.00

ProjectionIterative Min-imizationProjection TIMEIterative Min-imization TIME

Run

tim

e (h

ours

)

Rem

aini

ng p

rope

rtie

s

Impact of Assumption Reduction on the Manual Debug Effort• All properties (including assumptions) are formally verified• SQL database used to store the verification results

• Combined verification status – status of the recursive set of used assumptions:

For each used-by-FEC (UBF) property P Get the set of assumptions (Assump) used to verify a property P For each Ai Assump Assump∈ i := set of assumptions used to verify Ai

Assumpall = Assump Assump∪ i … Assump∪ n // a recursive set if all Ai Assump∈ all pass status(P) = pass else status(P) = conditional

Michael Lifshits, Intel 11 of 14

Impact of Assumption Reduction on the Manual Debug Effort

• 36% more properties passed

• Number of properties in FEC is large – a large amount of manual effort is saved to the design team

Michael Lifshits, Intel 12 of 14

Conditional Failed Not Run Passed Problematic0%

10%20%30%40%50%60%

original assump_min

% o

f all

prop

ertie

s

Reducing the number of used assumptions decreases manual debug time and computational effortUNSAT core-based techniques are much more effective than naive techniquesTradeoff between the reduction effectiveness and the run-timeDifferent SAT-based assumption minimization techniques fit various FEC stages

• Assumptions minimization is more important for RTL and SCH equivalence verification than for the RTL assumption verification

• RTL assumptions verification complexity is greater than RTL and SCH equivalenceIterative SAT-based assumption minimization for RTL and SCH equivalenceAssumption reduction (UNSAT core projection) for RTL assumption verification

Conclusion and Recommendations

Michael Lifshits, Intel 13 of 14

Backup

Michael Lifshits, Intel 14 of 14

SAT-Based Minimization vs. Naive Trial and Error

• 22 random microprocessor design blocks • % indicate the improvement compared to the iterative

Tim

e (lo

garit

hmic

sca

le)

Michael Lifshits, Intel

“naive” trial and errorSAT-based

Half as many assumptions in most cases, and dramatically fewer in some

50% == ½ assumptions

15 of 14