US20050114809A1 - Design verification using formal techniques - Google Patents
Design verification using formal techniques Download PDFInfo
- Publication number
- US20050114809A1 US20050114809A1 US10/835,561 US83556104A US2005114809A1 US 20050114809 A1 US20050114809 A1 US 20050114809A1 US 83556104 A US83556104 A US 83556104A US 2005114809 A1 US2005114809 A1 US 2005114809A1
- Authority
- US
- United States
- Prior art keywords
- model
- generating
- design
- circuit design
- reduced model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F30/00—Computer-aided design [CAD]
- G06F30/30—Circuit design
- G06F30/32—Circuit design at the digital level
- G06F30/33—Design verification, e.g. functional simulation or model checking
- G06F30/3323—Design verification, e.g. functional simulation or model checking using formal methods, e.g. equivalence checking or property checking
Definitions
- This application relates to design verification and, more specifically, to formal analysis verification techniques.
- Verification of a circuit design typically involves testing the circuit design before the design is physically implemented as a circuit (e.g., fabricated as an integrated circuit). In this way, errors (i.e., “bugs”) in the design may be identified before the designer incurs the expense of fabrication.
- Simulation-based tools have traditionally been used to verify designs. These tools typically verify a design by randomly applying tests to portions of the design. However, simulation-based validation methodologies often fail to discover corner-case design errors.
- An example of a corner-case error may include an error that does not occur until a specific set of conditions occur at the same time wherein that set of conditions occurs relatively infrequently.
- formal techniques have been proposed for use in verification of circuit designs.
- the concept behind formal techniques is to thoroughly search the design for errors. Examples of formal techniques include model checking, theorem proving and symbolic simulation.
- Formal techniques are applied to industrial design problems such as verification of a circuit design. These techniques may include, for example, making verification decisions, defining properties to verify a design, creating an abstraction of the design and model checking. In some embodiments, verification may be further extended by performance analysis and/or verification of sequential operations.
- an abstraction e.g., a reduced model
- this abstraction is used in the model checking process. For example, building on classic model checking, an induction technique may be employed to avoid state explosion as the environment model becomes more sophisticated. As a result, the model checking operation may be performed more efficiently.
- a definition of “high-quality” bugs may be presented and results analyzed with respect to that definition. In this way, the results of the formal techniques may be compared with results from other verification techniques.
- the verification is extended to identify performance margin.
- Identifying performance margin may include, for example, modifying properties and applying the modified properties to the abstraction to identify timing margins. Such performance analysis may not be achieved by conventional formal or simulation approaches independently.
- the verification is extended to analyze design performance of sequential operations. This analysis may involve, for example, identifying initial and residual states of internal registers to be applied during model checking.
- a symbolic model checker validates circuits such as those found in an integrated circuit (i.e., a “chip”).
- a symbolic model checker such as Cadence SMV may be used to validate a circuit design with a dynamic nature and great concurrency such as an Ethernet switching logic block in a Gigabit Ethernet networking chip.
- abstraction may be applied to portions of the switching block to reduce the complexity of the model to be checked.
- performance such as switch latency may be verified using the described techniques.
- the techniques described herein may be applied to verify designs such as a networking chip that may have fundamentally different verification problems due to, for example, the absence of exact specifications.
- the verification techniques described herein may provide verification results not provided by conventional techniques.
- the teachings herein may be applied such that an initial decision is that a primary goal is to search the design for errors instead of completely verifying the design. In this way, errors may be identified more quickly as compared to some conventional techniques. Moreover, by using these techniques bugs may be found that might not be found using convention techniques.
- FIG. 1 is a flow chart of one example of verification operations that may be performed in accordance with the invention
- FIG. 2 is a flow chart of one example of performance analysis operations that may be performed in accordance with the invention.
- FIG. 3 is a flow chart of one example of sequential operation analysis that may be performed in accordance with the invention.
- FIG. 4 is a simplified block diagram of one embodiment of a circuit architecture
- FIG. 5 is a graph of an example of error stimulus in accordance with the invention.
- FIG. 6 is a graph of an example of error visibility in accordance with the invention.
- FIG. 7 is a simplified representation of performance analysis in accordance with the invention.
- FIG. 1 is a flowchart that represents one embodiment of design verification operations that may be performed in accordance with the invention.
- these operations are applied to a circuit design.
- a circuit design may be defined using a register-transfer-level (“RTL”) tool. It should be appreciated, however, that these operations may be applied to other types of designs.
- RTL register-transfer-level
- a model of the circuit design is defined. This may involve, for example, identifying features of the design and identifying issues that affect verification decisions.
- a given design may consist of various registers, tables and logic operations that need to be characterized to verify the design.
- decisions regarding the environment model may be made to increase the efficiency of the verification process. For example, a decision may be made to verify concurrent operations but not verify sequential operations.
- various properties are defined to verify the design. This process may involve, for example, defining, based on an extensive knowledge of the design, the state of internal registers under various conditions. For example, if the circuit is operating as intended the circuit may be designed such that after a given operation has been performed the values in a register may be limited to a certain values. If the register does not contain the expected values an error condition (and a corresponding “trace”) may be generated during model checking.
- the properties may be defined by writing a specification of the design using, for example, computational tree logic (“CTL”) specification language.
- CTL computational tree logic
- each property may be used to verify a different property of the design. For example, in embodiments where the design is defined in RTL, each property may verify a different RTL function.
- the properties may not be completely based on the design definition. As a result, the properties may not include the same errors as the design.
- Abstraction techniques may be applied to the model to reduce the size of the model (block 106 ). For example, induction may be applied to a table to establish that if a property is verified against a subset of the table then that property necessarily is verified against the entire table. In this way, the number of operations required during the model checking stage maybe substantially reduced because model checking may be performed on the subset of the table rather than the entire table.
- Examples of design aspects that may be reduced through the use of abstraction may include, for example, the size of tables, the number of entries in a table, the length of an address, the number of ports. It should be appreciated that abstraction is not limited to these examples and may be applied to many different aspects of a design.
- the reduced model may be generated, for example, by recoding the RTL design using a tool such as ePERL or VPP.
- Model checking is performed on the reduced model (block 108 ). Model checking may involve, for example, performing a state transversal to verify the design. Typically, the various properties are run at different times with different iterations in sequence to test various aspects of the design.
- the model checker may generate a trace.
- the trace may be analyzed to determine why the design does not satisfy the property.
- model checker Cadence symbolic model verifier (“SMV”).
- SMV Cadence symbolic model verifier
- Conventional model checkers may utilize binary decision diagrams (“BDD”) and/or satisfiability solvers (“SAT”).
- BDD binary decision diagrams
- SAT satisfiability solvers
- the results of the model checking may then be applied to the design. For example, once a bug is found, the corresponding error in the design may be modified. The verification process may then be performed again.
- Additional processes may be performed to improve the verification of the design.
- performance analysis may be performed to determine, for example, performance margins in the design.
- block 114 sequential operations may be verified. Blocks 112 and 114 will be discussed in more detail in conjunction with FIGS. 2 and 3 , respectively.
- FIG. 2 is a flowchart that represents one embodiment of performance analysis operations that may be performed in accordance with the invention.
- Performance analysis may involve, for example, determining a worst case condition for an operation.
- performance analysis may be used to determine the maximum number of clock cycles within which a given operation must be completed.
- Such an analysis may be critical in a design where proper operation of a subsequent operation depends on a preceding operation being completed before the subsequent operation begins.
- one or more properties are defined for the performance analysis.
- a property may be designed so that a specified number of cycles occurs before a given operation completes.
- the properties are applied to the reduced model (block 204 ). This may be accomplished, for example, using a model checker.
- the model checker will generate a result that indicates whether the design satisfies the property. For example, this result may indicate whether the design is operating within a design limit.
- the properties may be modified to further test the limits of the design (block 208 ). For example, in the example referred to in conjunction with block 202 , the number of clock cycles within which the operation completes may be increased. After the property has been modified, the properties are again applied to the reduced model (block 204 ) to determine whether a design limit has been reached.
- the design limit e.g., a worst case condition
- the model checker will generate a trace that may be analyzed to determine where the design limit was reached. This information may be used, for example, to define a performance margin of one or more aspects of the design.
- the trace may be used to determine the exact conditions (e.g., states of registers and variables, specific operations that were performed, etc.) under which the design limit is met. This information may be useful in redesigning the circuit to improve its performance.
- these results may then be applied to the design.
- the design may be modified if the performance margin needs to be increased.
- FIG. 3 is a flowchart that represents one embodiment of sequential operation verification that may be performed in accordance with the invention.
- a model may be designed such that it does not take sequential operations into account.
- the operations described in FIG. 3 may be used, for example, to improve the verification provided by such a model.
- One problem that may arise when verifying sequential operations is that the initial state of the operation may not be readily determinable for a subsequent operation. This problem may arise when the prior operation is not designed to set all the states used in the process to one or more predefined states. Accordingly, to effectively test such sequential operations, it is desirable to model the potential residual states that may result after a prior operation. In this way the operation of the subsequent operation may be verified more effectively.
- a set of initial states (e.g., internal states of the design such as the values of registers and variables) is defined for a sequential operation. This includes defining the known initial states (e.g., a reset state) and the residual states (e.g., states that exist after logic operations tend to “settle down”) that may result from a prior operation.
- the superset of initial conditions is defined by a series of subsets of the superset.
- a prediction may be made as to the projection of the subsets on sets of internal states (e.g., residual states). These internal states may, for example, relate to the states of registers.
- properties designed to check the subsequent operations may then be applied to the design (e.g., using a model checker). These properties may be verified using the subsets of initial states that were determined as discussed above.
- FIGS. 4-7 an example is presented of the application of the above techniques to verify a Gigabit Ethernet switch.
- This example first involves, in conjunction with FIG. 4 , describing the functionality and micro-architecture of the design. Then, specific features and intuitive observations that affect verification decisions are identified. Next, basic abstraction techniques are defined. Experimental results are then outlined by introducing two metrics to analyze bug quality in conjunction with FIGS. 5 and 6 . Examples of how the model checking capability may be extended including performance analysis ( FIG. 7 ) are presented. Finally, conclusions that may be made based on the above are discussed.
- FIG. 4 depicts one embodiment of a Gigabit Ethernet switch 400 that includes a single chip with 12 Gigabit Ethernet (“GE”) ports 402 , one 10-Gigabit high-speed interconnect (“10 G”) 404 and a CPU interface 406 .
- the switch 400 accomplishes switching functions such as Ethernet switching (Layer 2, or L2), IP switching (Layer 3, or L3) and higher level switching in an Address Resolution Logic (“ARL”) block, a portion of which is designated as block 408 in FIG. 4 .
- Ethernet switching Layer 2, or L2
- IP switching Layer 3, or L3
- ARL Address Resolution Logic
- each port e.g., a port associated with a GE 402 or 10 G 404
- the ARL logic returns an egress port based on the L2 or L3 destination address.
- L2 and L3 functions use hash tables, referred to as the L2 table and the L3 table, respectively. An example of verification of the L2 table follows.
- the L2 table maps MAC addresses to ports. Packets from Gigabit ports are forwarded to the appropriate egress port based on their destination MAC addresses. Switching information, in the form of a MAC address mapped to a port, is both learned and updated dynamically in hardware.
- the 10 G port is an interconnect.
- the CPU modifies the table by inserting or deleting entries, which may be exempt from dynamic updates. Entries are dynamically “aged” out of the table based either on usage over time, or upon request by the CPU.
- the ARL For each packet, there are at most three possible actions that the ARL performs: source MAC address lookup, destination MAC address lookup, and dynamic learning. If the chip is running at 125 MHz, the L2 table logic should finish these actions within 84 cycles for each Gigabit port and within 8 cycles for the 10-Gigabit port.
- the L2 table is structured as a hash table 410 as depicted in FIG. 1 .
- the 16K logical entries are mapped to 2K buckets, with 8 entries per bucket, using a hash function. There is no ordering between the buckets. Similarly, within each bucket, there is no ordering among the entries. Duplicate entries within a bucket are strictly forbidden. Dynamic modifications are read-modify-write operations which require coherency. The reads and writes are decoupled. Aging has lower priority than lookups, so the design accounts for starvation cases.
- the L2 table logic has traditionally been difficult to verify due to its dynamic nature. First, there may be no high level learning specification. Learns may be cancelled for many reasons. Without knowing the exact state of the logic on a cycle-accurate basis, it may be almost impossible to predict when learns happen. Aging and CPU operations also contribute dynamic activity, resulting in corner cases that are difficult to stimulate using traditional simulation techniques.
- performance issues may be difficult to identify in simulation.
- the design must handle multiple processes concurrently, fairly, and efficiently to meet throughput and latency considerations. Multiple operations associated with a single packet may be decoupled over many cycles. Erroneous behavior may thus result in an observable effect thousands of cycles after the fact, or not at all, depending on the test or application. This makes verifying performance in simulation difficult.
- teachings provided herein may provide more effective verification as compared to traditional simulation techniques.
- abstraction may be applied to reduce the design size.
- the L2 table logic includes approximately 3000 registers and a 16K-entry (1 Mbit) lookup table. It may be impracticable to verify a large design with complicated properties such as this with state-of-the-art model checkers. Thus, there may be advantages in applying aggressive abstraction even though this may result in some important features not being completely verified.
- h is a hash function that maps MAC addresses to indices of the L2 table.
- L does not include the labels related to the hash function.
- M ⁇ t be a short-hand notation for the model M where a function t is disabled. For example, M ⁇ aging represents the reduced L2 table model where aging is disabled.
- Lemma 1 implies that the buckets in the L2 table are fully symmetric when aging is disabled. Thus, instead of modeling all 2048 buckets, it may only be necessary to model two buckets. Here, the buckets are independent, yet effectively identical. Thus, the operation of one bucket is the same as the operation of another bucket.
- the reduced L2 table is used because the original table may be too large for practical verification.
- the aging behavior may be modified to match the reduced table. This may, however, introduce both false positive and false negative behaviors into the abstracted model. Such unwanted behaviors may be avoided by proper analysis of the design and debugging.
- Similar symmetry may also exist within buckets. For example, any two entries within a bucket may be symmetric. Thus, it may be possible to only model two entries per bucket, rather than eight entries per bucket.
- the MAC addresses may be represented by two bits instead of 48 bits because there are only four entries in the reduced L2 table. This is a known technique in formal verification.
- the behaviors of the 12 Gigabit ports may be independent even though they may not be symmetric. This lack of symmetry may, for example, be a result of arbitration whereby one port is assigned a higher priority than another port.
- M ⁇ port i denote the L2 table model without sending requests from port i and p be an ACTL property on M ⁇ port i , then M ⁇ port i p ⁇ M p.
- the reduced model may incorporate at most two Gigabit ports instead of twelve.
- the 10-Gigabit port and the CPU interface are modeled accurately.
- the size of the L2 table model may be reduced to fewer than 150 registers. See Table 1. TABLE 1 Original Model Abstract Model # registers 2878 ⁇ 150 # buckets 2048 2 # entries/bucket 8 2 # bits/mac addr 48 2 # Gig ports 12 2
- the environment model also may be simplified.
- a request from a Gigabit port to the L2 table arrives every 84 cycles. It may be difficult for SMV to complete a fix-point computation if every port request is modeled precisely.
- a single request from multiple ports may be more interesting from a design verification point of view than multiple requests from a single port. Therefore, only one request per port may be modeled, significantly reducing the verification computation time.
- ePerl may be used to generate the model and its related properties automatically. If a property is falsified by SMV, the tool may generate a counterexample that explains why that property is false.
- the number of properties defined to verify a design depends, in general, on the complexity of the design. In some applications, the number of properties may be between 150 and 300 properties. A typical runtime for every property may range, for example, from 15 seconds to 2 hours. To verify 35 different configurations and where all design changes are regressed against these 35 configurations it may take, for example, eight person months to complete the formal verification process.
- Verification as discussed herein may be more efficient than conventional simulation techniques. For example, a simulator may observe signals at the interface of the ARL block. Hence, it not only should stimulate the error behavior in the L2 table logic, it also should make them visible at the ARL interface. This reduces the effectiveness of the simulator.
- error stimulus To quantify the quality of bugs discovered, two metrics may be defined: error stimulus and error visibility.
- the error visibility (“EV”) of a bug is a function of time and input stimuli.
- EV time is the number of cycles required for erroneous behavior to propagate to the test bench.
- EV is evaluated conservatively because EV time is approximated using the shortest trace and EV stim is the upper-bound probability for stimuli required to propagate the bug.
- FIGS. 5 and 6 Two examples of the error stimulus ES and error visibility EV are depicted in FIGS. 5 and 6 .
- the X axis corresponds to the cumulative number of bugs and the Y axis corresponds to ES and EV separately.
- the lower the value the less likely that the bug may be found by a simulator.
- FIG. 5 depicts that it is much more difficult to stimulate bug No. 16 than bug No. 15 . It may be relatively easy for a simulator to detect bug No. 15 . In contrast, without formal approaches, it may be extremely difficult for random simulation to detect bug No. 16 .
- FIG. 5 depicts that it is much more difficult to stimulate bug No. 16 than bug No. 15 . It may be relatively easy for a simulator to detect bug No. 15 . In contrast, without formal approaches, it may be extremely difficult for random simulation to detect bug No. 16
- the EVs for bug No. 4 and No. 5 are not computed because they have not been propagated to the ARL interface directly. However, these bugs would degrade the system performance. Accumulated inefficiencies eventually lead to a visible error. The required number of simulation cycles to detect such bugs may be prohibitively large. Accordingly, bugs that have lower ES or EV are defined as “high quality” bugs.
- SMV may be used to determine that a learn is served far later than expected when the logic transitions from the aging mode to the normal switching mode. If a lookup request comes just before that transition, it is possible that its learn happens much later.
- performance analysis may be used to determine, for example, that the performance requirement for learns is only marginally satisfied. For example, the margin for learns may actually be 3% rather than 21% (see, for example, FIG. 7 ).
- the performance analysis process may involve constructing properties to test the design limits, performing model checking and modifying the properties to determine the actual design limits.
- properties may be defined to test the lookup and learn operations. Starting with an SMV trace, an initial informal analysis of the margin may be made. The lookup and learns may then be repeatedly pushed back later in the request cycle (e.g., by modifying the properties) until SMV generates a trace.
- this problem may be addressed by modeling consecutive requests using a set Q of initial states larger than I, i.e., I c Q, and Q-I models the set of residual states.
- the L2 table may already be modeled non-deterministically. Thus, only the initial values for the registers outside the L2 table may need to be considered. This results in the following theorem.
- p ⁇ M ′ ⁇ req
- AX 84 ⁇ ⁇ Q ⁇ M
- AX 84 Q i .
- Different embodiments of the invention may be implemented using a variety of hardware and software processing components.
- hardware components such as controllers, state machines and/or logic are used in a system constructed in accordance with the invention.
- code such as software or firmware executing on one or more processing devices may be used to implement one or more of the described operations.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Evolutionary Computation (AREA)
- Geometry (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Design And Manufacture Of Integrated Circuits (AREA)
- Tests Of Electronic Circuits (AREA)
Abstract
Description
- This application claims the benefit of U.S. Provisional Application No. 60/563,205, filed Apr. 17, 2004, and U.S. Provisional Application No. 60/524,365 filed Nov. 21, 2003, the disclosures of which are incorporated herein by reference.
- This application relates to design verification and, more specifically, to formal analysis verification techniques.
- Verification of a circuit design typically involves testing the circuit design before the design is physically implemented as a circuit (e.g., fabricated as an integrated circuit). In this way, errors (i.e., “bugs”) in the design may be identified before the designer incurs the expense of fabrication.
- As circuit designs have become increasingly complex, the task of creating efficient and effective verification tools has become increasing difficult. For example, conventional system-on-chip designs may include relatively large, fast and complex integrated memories, on-chip buses, and sophisticated arbiters. Moreover, these designs typically involve concurrent processes many of which may be interdependent.
- Simulation-based tools have traditionally been used to verify designs. These tools typically verify a design by randomly applying tests to portions of the design. However, simulation-based validation methodologies often fail to discover corner-case design errors. An example of a corner-case error may include an error that does not occur until a specific set of conditions occur at the same time wherein that set of conditions occurs relatively infrequently.
- Various formal analysis techniques (“formal techniques”) have been proposed for use in verification of circuit designs. The concept behind formal techniques is to thoroughly search the design for errors. Examples of formal techniques include model checking, theorem proving and symbolic simulation.
- Applications of formal techniques include verifying a cache coherency protocol using a symbolic model checker and verifying commonly used design structures such as arithmetic circuits, pipelines, bus arbiters and Tomasulo's algorithm. Recently, formal techniques have been applied on a wider range of designs. For example, B. Bentley, Validating the Intel Pentium 4 microprocessor, In Design Automation Conference, pages 244-248, 2001, discusses the use of formal techniques to find over 100 “high-quality” logic bugs in the Pentium 4®.
- Most formal techniques cannot, however, be applied efficiently to relatively large industrial designs. Some techniques have been proposed to address this problem, including symbolic algorithms, SAT procedures, and abstraction techniques, however, solutions to such problems remain a continuing need.
- Formal techniques are applied to industrial design problems such as verification of a circuit design. These techniques may include, for example, making verification decisions, defining properties to verify a design, creating an abstraction of the design and model checking. In some embodiments, verification may be further extended by performance analysis and/or verification of sequential operations.
- In some embodiments, an abstraction (e.g., a reduced model) of the design is generated and this abstraction is used in the model checking process. For example, building on classic model checking, an induction technique may be employed to avoid state explosion as the environment model becomes more sophisticated. As a result, the model checking operation may be performed more efficiently.
- In some embodiments, a definition of “high-quality” bugs may be presented and results analyzed with respect to that definition. In this way, the results of the formal techniques may be compared with results from other verification techniques.
- In some embodiments, the verification is extended to identify performance margin. Identifying performance margin may include, for example, modifying properties and applying the modified properties to the abstraction to identify timing margins. Such performance analysis may not be achieved by conventional formal or simulation approaches independently.
- In some embodiments, the verification is extended to analyze design performance of sequential operations. This analysis may involve, for example, identifying initial and residual states of internal registers to be applied during model checking.
- In some embodiments, a symbolic model checker validates circuits such as those found in an integrated circuit (i.e., a “chip”). For example, a symbolic model checker such as Cadence SMV may be used to validate a circuit design with a dynamic nature and great concurrency such as an Ethernet switching logic block in a Gigabit Ethernet networking chip. Here, abstraction may be applied to portions of the switching block to reduce the complexity of the model to be checked. In addition, performance such as switch latency may be verified using the described techniques. In contrast with some conventional techniques, the techniques described herein may be applied to verify designs such as a networking chip that may have fundamentally different verification problems due to, for example, the absence of exact specifications.
- Thus, the verification techniques described herein may provide verification results not provided by conventional techniques. For example, the teachings herein may be applied such that an initial decision is that a primary goal is to search the design for errors instead of completely verifying the design. In this way, errors may be identified more quickly as compared to some conventional techniques. Moreover, by using these techniques bugs may be found that might not be found using convention techniques.
- These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed description, appended claims and accompanying drawings, wherein:
-
FIG. 1 is a flow chart of one example of verification operations that may be performed in accordance with the invention; -
FIG. 2 is a flow chart of one example of performance analysis operations that may be performed in accordance with the invention; -
FIG. 3 is a flow chart of one example of sequential operation analysis that may be performed in accordance with the invention; -
FIG. 4 is a simplified block diagram of one embodiment of a circuit architecture; -
FIG. 5 is a graph of an example of error stimulus in accordance with the invention; -
FIG. 6 is a graph of an example of error visibility in accordance with the invention; -
FIG. 7 is a simplified representation of performance analysis in accordance with the invention. - In accordance with common practice the various features illustrated in the drawings may not be drawn to scale. Accordingly, the dimensions of the various features may be arbitrarily expanded or reduced for clarity. In addition, some of the drawings may be simplified for clarity. Thus, the drawings may not depict all of the components of a given apparatus or method. Finally, like reference numerals denote like features throughout the specification and figures.
- The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that the invention may be embodied in a wide variety of forms, some of which may be quite different from those of the disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely representative and do not limit the scope of the invention.
-
FIG. 1 is a flowchart that represents one embodiment of design verification operations that may be performed in accordance with the invention. In the embodiment ofFIG. 1 , these operations are applied to a circuit design. For example, a circuit design may be defined using a register-transfer-level (“RTL”) tool. It should be appreciated, however, that these operations may be applied to other types of designs. - As represented by
block 102, a model of the circuit design is defined. This may involve, for example, identifying features of the design and identifying issues that affect verification decisions. As an example, a given design may consist of various registers, tables and logic operations that need to be characterized to verify the design. In addition, decisions regarding the environment model may be made to increase the efficiency of the verification process. For example, a decision may be made to verify concurrent operations but not verify sequential operations. - Next, as represented by
block 104, various properties are defined to verify the design. This process may involve, for example, defining, based on an extensive knowledge of the design, the state of internal registers under various conditions. For example, if the circuit is operating as intended the circuit may be designed such that after a given operation has been performed the values in a register may be limited to a certain values. If the register does not contain the expected values an error condition (and a corresponding “trace”) may be generated during model checking. - In some embodiments the properties may be defined by writing a specification of the design using, for example, computational tree logic (“CTL”) specification language. In some embodiments, each property may be used to verify a different property of the design. For example, in embodiments where the design is defined in RTL, each property may verify a different RTL function.
- In some applications it may be desirable to define properties at a relatively high level. In this way, the properties may not be completely based on the design definition. As a result, the properties may not include the same errors as the design.
- In some cases there may not be a complete specification of the design. Here, it may be desirable to define as many properties as possible to verify the design as much as possible.
- Abstraction techniques may be applied to the model to reduce the size of the model (block 106). For example, induction may be applied to a table to establish that if a property is verified against a subset of the table then that property necessarily is verified against the entire table. In this way, the number of operations required during the model checking stage maybe substantially reduced because model checking may be performed on the subset of the table rather than the entire table.
- Examples of design aspects that may be reduced through the use of abstraction may include, for example, the size of tables, the number of entries in a table, the length of an address, the number of ports. It should be appreciated that abstraction is not limited to these examples and may be applied to many different aspects of a design.
- The reduced model may be generated, for example, by recoding the RTL design using a tool such as ePERL or VPP.
- Model checking is performed on the reduced model (block 108). Model checking may involve, for example, performing a state transversal to verify the design. Typically, the various properties are run at different times with different iterations in sequence to test various aspects of the design.
- If the design does not satisfy a property, the model checker may generate a trace. The trace may be analyzed to determine why the design does not satisfy the property.
- An example of a model checker is Cadence symbolic model verifier (“SMV”). Conventional model checkers may utilize binary decision diagrams (“BDD”) and/or satisfiability solvers (“SAT”).
- Through the use of the reduced model, it may be possible to find bugs more quickly as compared to conventional processes. In some cases, it may be advantageous to use these techniques to simply find bugs more quickly during the design process rather than attempt to completely verify the design.
- As represented by
block 110, the results of the model checking may then be applied to the design. For example, once a bug is found, the corresponding error in the design may be modified. The verification process may then be performed again. - Additional processes may be performed to improve the verification of the design. As represented by
block 112, performance analysis may be performed to determine, for example, performance margins in the design. As represented byblock 114, sequential operations may be verified.Blocks FIGS. 2 and 3 , respectively. -
FIG. 2 is a flowchart that represents one embodiment of performance analysis operations that may be performed in accordance with the invention. Performance analysis may involve, for example, determining a worst case condition for an operation. Thus, performance analysis may be used to determine the maximum number of clock cycles within which a given operation must be completed. Such an analysis may be critical in a design where proper operation of a subsequent operation depends on a preceding operation being completed before the subsequent operation begins. - As represented by
block 202, one or more properties are defined for the performance analysis. For example, a property may be designed so that a specified number of cycles occurs before a given operation completes. - Next, the properties are applied to the reduced model (block 204). This may be accomplished, for example, using a model checker.
- As represented by
block 206 the model checker will generate a result that indicates whether the design satisfies the property. For example, this result may indicate whether the design is operating within a design limit. - If the design limit (e.g., a worst case condition) has not been reached, the properties may be modified to further test the limits of the design (block 208). For example, in the example referred to in conjunction with
block 202, the number of clock cycles within which the operation completes may be increased. After the property has been modified, the properties are again applied to the reduced model (block 204) to determine whether a design limit has been reached. - If, at block 206 a design limit has been reached, the model checker will generate a trace that may be analyzed to determine where the design limit was reached. This information may be used, for example, to define a performance margin of one or more aspects of the design.
- Moreover, the trace may be used to determine the exact conditions (e.g., states of registers and variables, specific operations that were performed, etc.) under which the design limit is met. This information may be useful in redesigning the circuit to improve its performance.
- As represented by
block 210, these results may then be applied to the design. For example, the design may be modified if the performance margin needs to be increased. - From the above, it should be appreciated that performance analysis may be performed more efficiently when the performance analysis is applied to the reduced model. When the reduced model is properly selected as discussed herein, the results obtained for the reduced model may be applied to the full design.
-
FIG. 3 is a flowchart that represents one embodiment of sequential operation verification that may be performed in accordance with the invention. As discussed above, in some embodiments a model may be designed such that it does not take sequential operations into account. The operations described inFIG. 3 may be used, for example, to improve the verification provided by such a model. - One problem that may arise when verifying sequential operations is that the initial state of the operation may not be readily determinable for a subsequent operation. This problem may arise when the prior operation is not designed to set all the states used in the process to one or more predefined states. Accordingly, to effectively test such sequential operations, it is desirable to model the potential residual states that may result after a prior operation. In this way the operation of the subsequent operation may be verified more effectively.
- It may be established using induction that the properties of the initial states of the design may be defined as a superset of the initial states. This superset may then be applicated to a matrix representative of the design to verify the desired properties. Accordingly, as represented by
block 302, a set of initial states (e.g., internal states of the design such as the values of registers and variables) is defined for a sequential operation. This includes defining the known initial states (e.g., a reset state) and the residual states (e.g., states that exist after logic operations tend to “settle down”) that may result from a prior operation. - As represented by
block 304, the superset of initial conditions is defined by a series of subsets of the superset. In some embodiments, instead of exhaustively searching for the exact superset, a prediction may be made as to the projection of the subsets on sets of internal states (e.g., residual states). These internal states may, for example, relate to the states of registers. - As represented by
block 306, properties designed to check the subsequent operations may then be applied to the design (e.g., using a model checker). These properties may be verified using the subsets of initial states that were determined as discussed above. - Referring now to
FIGS. 4-7 , an example is presented of the application of the above techniques to verify a Gigabit Ethernet switch. This example first involves, in conjunction withFIG. 4 , describing the functionality and micro-architecture of the design. Then, specific features and intuitive observations that affect verification decisions are identified. Next, basic abstraction techniques are defined. Experimental results are then outlined by introducing two metrics to analyze bug quality in conjunction withFIGS. 5 and 6 . Examples of how the model checking capability may be extended including performance analysis (FIG. 7 ) are presented. Finally, conclusions that may be made based on the above are discussed. -
FIG. 4 depicts one embodiment of aGigabit Ethernet switch 400 that includes a single chip with 12 Gigabit Ethernet (“GE”)ports 402, one 10-Gigabit high-speed interconnect (“10 G”) 404 and aCPU interface 406. Theswitch 400 accomplishes switching functions such as Ethernet switching (Layer 2, or L2), IP switching (Layer 3, or L3) and higher level switching in an Address Resolution Logic (“ARL”) block, a portion of which is designated asblock 408 inFIG. 4 . - At the architectural level, each port (e.g., a port associated with a
GE - The L2 table maps MAC addresses to ports. Packets from Gigabit ports are forwarded to the appropriate egress port based on their destination MAC addresses. Switching information, in the form of a MAC address mapped to a port, is both learned and updated dynamically in hardware. The 10 G port is an interconnect. The CPU modifies the table by inserting or deleting entries, which may be exempt from dynamic updates. Entries are dynamically “aged” out of the table based either on usage over time, or upon request by the CPU.
- For each packet, there are at most three possible actions that the ARL performs: source MAC address lookup, destination MAC address lookup, and dynamic learning. If the chip is running at 125 MHz, the L2 table logic should finish these actions within 84 cycles for each Gigabit port and within 8 cycles for the 10-Gigabit port.
- The L2 table is structured as a hash table 410 as depicted in
FIG. 1 . The 16K logical entries are mapped to 2K buckets, with 8 entries per bucket, using a hash function. There is no ordering between the buckets. Similarly, within each bucket, there is no ordering among the entries. Duplicate entries within a bucket are strictly forbidden. Dynamic modifications are read-modify-write operations which require coherency. The reads and writes are decoupled. Aging has lower priority than lookups, so the design accounts for starvation cases. - The L2 table logic has traditionally been difficult to verify due to its dynamic nature. First, there may be no high level learning specification. Learns may be cancelled for many reasons. Without knowing the exact state of the logic on a cycle-accurate basis, it may be almost impossible to predict when learns happen. Aging and CPU operations also contribute dynamic activity, resulting in corner cases that are difficult to stimulate using traditional simulation techniques.
- Second, performance issues may be difficult to identify in simulation. The design must handle multiple processes concurrently, fairly, and efficiently to meet throughput and latency considerations. Multiple operations associated with a single packet may be decoupled over many cycles. Erroneous behavior may thus result in an observable effect thousands of cycles after the fact, or not at all, depending on the test or application. This makes verifying performance in simulation difficult.
- Third, writing a checker for this block may not be appropriate. Due to its dynamic nature, the checker may be easily written similarly to the RTL. However, it is then difficult to guarantee the checker's correctness given the similarity of the checker and the RTL.
- Accordingly, for a design such as this, the teachings provided herein may provide more effective verification as compared to traditional simulation techniques.
- To discover design errors efficiently, two verification decisions may be made for this example. First, in the case where there is no complete specification available, it may be desirable to define as many properties as possible. In this example, each property verifies a different RTL function.
- As discussed above, properties may be defined to verify various aspects of a design. For example, to test the operation of a stack bit in the L2 table, one property may involve verifying that when the valid bit=0 and the learn operation is in progress, the stack bit should not be set. Another property may verify that if there is no current CPU operation, the stack bit should not be set.
- Second, abstraction may be applied to reduce the design size. In this example, the L2 table logic includes approximately 3000 registers and a 16K-entry (1 Mbit) lookup table. It may be impracticable to verify a large design with complicated properties such as this with state-of-the-art model checkers. Thus, there may be advantages in applying aggressive abstraction even though this may result in some important features not being completely verified.
- Assume that a Kripke structure M=(S, I, R, L, h) models the L2 table logic where S is the set of states, I⊂S is the set of initial states, R⊂S×S represents the transition relation, L is the set of labels on S and h: N48→N11 is the surjection where Ni=[1 . . . 2i}. In other words, h is a hash function that maps MAC addresses to indices of the L2 table. Also assume that L does not include the labels related to the hash function. Finally, let M↓t be a short-hand notation for the model M where a function t is disabled. For example, M↓aging represents the reduced L2 table model where aging is disabled.
-
Lemma 1 Let i and j be two indices to the hash table, i.e., there are two MAC addresses a and b where h(a)=i and h(b)=j. Assume that M′↓aging is the modified L2 table model by swapping two entries indexed by i and j separately. Then M ↓aging is bisimilar to M′↓aging. -
Lemma 1 implies that the buckets in the L2 table are fully symmetric when aging is disabled. Thus, instead of modeling all 2048 buckets, it may only be necessary to model two buckets. Here, the buckets are independent, yet effectively identical. Thus, the operation of one bucket is the same as the operation of another bucket. - With aging enabled, the reduced L2 table is used because the original table may be too large for practical verification. Thus, the aging behavior may be modified to match the reduced table. This may, however, introduce both false positive and false negative behaviors into the abstracted model. Such unwanted behaviors may be avoided by proper analysis of the design and debugging.
- Similar symmetry may also exist within buckets. For example, any two entries within a bucket may be symmetric. Thus, it may be possible to only model two entries per bucket, rather than eight entries per bucket.
- In addition to reducing the table size, two more abstractions may be applied to further reduce the complexity of the reduced model. First, the MAC addresses may be represented by two bits instead of 48 bits because there are only four entries in the reduced L2 table. This is a known technique in formal verification. Second, the behaviors of the 12 Gigabit ports may be independent even though they may not be symmetric. This lack of symmetry may, for example, be a result of arbitration whereby one port is assigned a higher priority than another port.
-
- According to
Lemma 2, if a universal property on the reduced model M↓porti is disproved, that property will be false in the original model M. Hence, the reduced model may incorporate at most two Gigabit ports instead of twelve. Here, the 10-Gigabit port and the CPU interface are modeled accurately. By applying these abstractions, the size of the L2 table model may be reduced to fewer than 150 registers. See Table 1.TABLE 1 Original Model Abstract Model # registers 2878 <150 # buckets 2048 2 # entries/ bucket 8 2 # bits/mac addr 48 2 # Gig ports 12 2 - In addition to abstractions, the environment model also may be simplified. A request from a Gigabit port to the L2 table arrives every 84 cycles. It may be difficult for SMV to complete a fix-point computation if every port request is modeled precisely. In some applications, a single request from multiple ports may be more interesting from a design verification point of view than multiple requests from a single port. Therefore, only one request per port may be modeled, significantly reducing the verification computation time.
- These abstractions may be accomplished by recoding the RTL using eperl. The rewritten code may be configurable. For example, to verify the logic with one Gigabit port, one 10-Gigabit port, and aging, ePerl may be used to generate the model and its related properties automatically. If a property is falsified by SMV, the tool may generate a counterexample that explains why that property is false.
- The number of properties defined to verify a design depends, in general, on the complexity of the design. In some applications, the number of properties may be between 150 and 300 properties. A typical runtime for every property may range, for example, from 15 seconds to 2 hours. To verify 35 different configurations and where all design changes are regressed against these 35 configurations it may take, for example, eight person months to complete the formal verification process.
- Verification as discussed herein may be more efficient than conventional simulation techniques. For example, a simulator may observe signals at the interface of the ARL block. Hence, it not only should stimulate the error behavior in the L2 table logic, it also should make them visible at the ARL interface. This reduces the effectiveness of the simulator.
- To quantify the quality of bugs discovered, two metrics may be defined: error stimulus and error visibility.
- The first metric, error stimulus function (“ES”) is the probability of the input stimuli required to discover the bug starting with the initial states. For example, assume that a valid MAC address A is stored in a particular bucket of the L2 table. ES for a lookup of MAC address B with h(B)=h(A) is 1/2048. The lower the value ES is, the less likely that the bug can be exercised by random simulation. In computing ES, only the best possible known case may be considered to stimulate the corresponding bug. This provides a conservative approximation of ES.
- The error visibility (“EV”) of a bug is a function of time and input stimuli. EVtime is the number of cycles required for erroneous behavior to propagate to the test bench. EVstim measures the probability of the input stimuli required to propagate the bug from cause to externally visible symptom. Then EV=EVstim/EVtime provides a means of comparing the relative visibility of bugs. EVstim is calculated similarly as ES, based on a conservative approximation. As an example, assume that the minimum number of cycles to propagate a bug to the ARL interface is 84 cycles. Also assume that the required stimuli include a sequence of events:
-
- Two consecutive 10 Gigabit port lookup requests on bucket i,
- A specific Gigabit port lookup request also on bucket i, then
EV stim=(1/13)2*1/2048*1/13*1/2048=2.5e−7
and
EV=EV stim /EV time=3.0e−9.
- Thus EV is evaluated conservatively because EVtime is approximated using the shortest trace and EVstim is the upper-bound probability for stimuli required to propagate the bug.
- Two examples of the error stimulus ES and error visibility EV are depicted in
FIGS. 5 and 6 . In both figures, the X axis corresponds to the cumulative number of bugs and the Y axis corresponds to ES and EV separately. The Y axis is in logarithm scale. For example, inFIG. 6 , −6 means that EV=10−6. In both figures, the lower the value, the less likely that the bug may be found by a simulator.FIG. 5 depicts that it is much more difficult to stimulate bug No. 16 than bug No. 15. It may be relatively easy for a simulator to detect bug No. 15. In contrast, without formal approaches, it may be extremely difficult for random simulation to detect bug No. 16. InFIG. 6 , the EVs for bug No. 4 and No. 5 are not computed because they have not been propagated to the ARL interface directly. However, these bugs would degrade the system performance. Accumulated inefficiencies eventually lead to a visible error. The required number of simulation cycles to detect such bugs may be prohibitively large. Accordingly, bugs that have lower ES or EV are defined as “high quality” bugs. - When aggressive abstraction is used, certain important performance issues may not be addressed. For example, in the above example all Gigabit port lookup requests and learns should be served within 84 cycles. An initial analysis may establish that the design has, for example, 47% and 21% margin for lookups and learns, respectively.
- Given the abstracted model, these performance requirements may not have been completely verified. However, in an abstracted configuration, SMV may be used to determine that a learn is served far later than expected when the logic transitions from the aging mode to the normal switching mode. If a lookup request comes just before that transition, it is possible that its learn happens much later. By manual construction of a similar scenario for all ports, performance analysis may be used to determine, for example, that the performance requirement for learns is only marginally satisfied. For example, the margin for learns may actually be 3% rather than 21% (see, for example,
FIG. 7 ). - This may raise potential problems due to the assumptions made in the RTL design. It may be difficult for simulation to detect this trace because it may require, for example, that over twenty different behaviors occur in a specific order and time. In contrast, starting with an SMV trace, an informal analysis may be constructed using performance analysis as described herein to provide verification results that may not be accomplished by either simulation or formal verification independently.
- As discussed above, the performance analysis process may involve constructing properties to test the design limits, performing model checking and modifying the properties to determine the actual design limits.
- For example, properties may be defined to test the lookup and learn operations. Starting with an SMV trace, an initial informal analysis of the margin may be made. The lookup and learns may then be repeatedly pushed back later in the request cycle (e.g., by modifying the properties) until SMV generates a trace.
- In the abstracted model discussed above, only one request from each port was considered. That is, sequential requests were not considered. Thus, the interaction between consecutive requests from the same port may not have been modeled or verified.
- Ideally, if a request is served, the related state registers return to the reset values. In reality, this may not always be true because the residual state of the previous request may not be cleared. This may introduce unexpected behavior for subsequent requests. In some embodiments, this problem may be addressed by modeling consecutive requests using a set Q of initial states larger than I, i.e., I c Q, and Q-I models the set of residual states. The L2 table may already be modeled non-deterministically. Thus, only the initial values for the registers outside the L2 table may need to be considered. This results in the following theorem.
-
Theorem 1 Let M↓req=(S, I, R↓req, L) be the L2 table model with only one request for each port and p be an ACTL property on M↓req. Let I⊂Q, Q⊂S and M′↓req=(S, Q, R↓req, L) be a modified Kripke structure using Q as an initial set of states. Then - Sketch of Proof: There are at least 84 cycles between every two requests from a Gigabit port. The above theorem is easily proved by reasoning inductively on every 84 cycles per port.
- A key to extend the result is to find the reachable set of states Q. This may be a relatively difficult task. Instead of searching for the exact Q, its projection on subsets of registers may be predicted. Assume that V is the set of registers on M↓req. Partitioning V into m equivalence classes: Vi, i.e.,
and Vi∩Vj=Φ. Let Qi denote the projection of Q on Vi. Then predict Qi using the model checker with the requirement that
M i ′↓req=(S, Q i , R↓req, L) and M i ′↓req|=AX 84 Q i. - If it is not possible to predict Qi, or Qi is too large, then use the projection of I on Vi, denoted as Ii. Eventually, Q′=Qi1× . . . ×Qij×Ik1× . . . ×Ikp may be used as the set of initial states for model checking. It may not always be possible to fully verify the intended property on M with this approximation. However, this extension does increase verification confidence.
- From the above it may be appreciated that formal techniques may be used to verify circuits such as a complicated Ethernet switching table. In summary, this process may involve, for example, applying aggressive abstraction to debug the basic logic. The effectiveness of this technique may be demonstrated by a number of “high-quality” RTL bugs. Then, based on classic model checking, the techniques are extended formally and informally to analyze performance. In contrast to ad hoc performance simulation, such rigorous analysis may be beyond the capability of either simulation or formal techniques alone. Next, the classic model checking may be extended using a novel induction to avoid state explosion as the environment model becomes more sophisticated. These techniques may be applied with relatively little difficulty to many table driven designs.
- Different embodiments of the invention may be implemented using a variety of hardware and software processing components. In some embodiments of the invention, hardware components such as controllers, state machines and/or logic are used in a system constructed in accordance with the invention. In some embodiment of the invention, code such as software or firmware executing on one or more processing devices may be used to implement one or more of the described operations.
- In addition, the teachings herein may be applied to a variety of design problems and are not limited to the embodiments described herein.
- In summary, the invention described herein generally relates to an improved verification technique. While certain exemplary embodiments have been described above in detail and shown in the accompanying drawings, it is to be understood that such embodiments are merely illustrative of and not restrictive of the broad invention. In particular, it should be recognized that the teachings of the invention apply to a wide variety of systems and processes. It will thus be recognized that various modifications may be made to the illustrated and other embodiments of the invention described above, without departing from the broad inventive scope thereof. In view of the above it will be understood that the invention is not limited to the particular embodiments or arrangements disclosed, but is rather intended to cover any changes, adaptations or modifications which are within the scope and spirit of the invention as defined by the appended claims.
Claims (29)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/835,561 US20050114809A1 (en) | 2003-11-21 | 2004-04-29 | Design verification using formal techniques |
EP04026607A EP1533722A3 (en) | 2003-11-21 | 2004-11-09 | Design verification using formal techniques |
TW093135264A TWI266216B (en) | 2003-11-21 | 2004-11-17 | Design verification using formal techniques |
CN2004100976180A CN1667622B (en) | 2003-11-21 | 2004-11-22 | Design verification using formal techniques |
US11/735,808 US7562322B2 (en) | 2003-11-21 | 2007-04-16 | Design verification for a switching network logic using formal techniques |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US52436503P | 2003-11-21 | 2003-11-21 | |
US56320504P | 2004-04-17 | 2004-04-17 | |
US10/835,561 US20050114809A1 (en) | 2003-11-21 | 2004-04-29 | Design verification using formal techniques |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/735,808 Division US7562322B2 (en) | 2003-11-21 | 2007-04-16 | Design verification for a switching network logic using formal techniques |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050114809A1 true US20050114809A1 (en) | 2005-05-26 |
Family
ID=34437681
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/835,561 Abandoned US20050114809A1 (en) | 2003-11-21 | 2004-04-29 | Design verification using formal techniques |
US11/735,808 Expired - Fee Related US7562322B2 (en) | 2003-11-21 | 2007-04-16 | Design verification for a switching network logic using formal techniques |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/735,808 Expired - Fee Related US7562322B2 (en) | 2003-11-21 | 2007-04-16 | Design verification for a switching network logic using formal techniques |
Country Status (4)
Country | Link |
---|---|
US (2) | US20050114809A1 (en) |
EP (1) | EP1533722A3 (en) |
CN (1) | CN1667622B (en) |
TW (1) | TWI266216B (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060212837A1 (en) * | 2005-03-17 | 2006-09-21 | Prasad Mukul R | System and method for verifying a digital design using dynamic abstraction |
US20060248494A1 (en) * | 2005-04-14 | 2006-11-02 | International Business Machines Corporation | Method and system for parametric reduction of sequential designs |
US7237208B1 (en) * | 2004-04-05 | 2007-06-26 | Jasper Design Automation, Inc. | Managing formal verification complexity of designs with datapaths |
US20070168372A1 (en) * | 2006-01-17 | 2007-07-19 | Baumgartner Jason R | Method and system for predicate selection in bit-level compositional transformations |
US20070226663A1 (en) * | 2005-09-15 | 2007-09-27 | Bormann Joerg | Method for the determination of the quality of a set of properties, usable for the verification and specification of circuits |
US7370298B2 (en) * | 2005-04-14 | 2008-05-06 | International Business Machines Corporation | Method for heuristic preservation of critical inputs during sequential reparameterization |
US20080270086A1 (en) * | 2005-10-13 | 2008-10-30 | International Business Machines Corporation | Predicate-based compositional minimization in a verification environment |
US7454727B1 (en) * | 2003-12-18 | 2008-11-18 | Synopsys, Inc. | Method and Apparatus for Solving Sequential Constraints |
US20090150839A1 (en) * | 2007-12-10 | 2009-06-11 | Inpa Systems, Inc. | Integrated prototyping system for validating an electronic system design |
US20090150838A1 (en) * | 2007-12-10 | 2009-06-11 | Huang Thomas B | Method of progressively prototyping and validating a customer's electronic system design |
EP2153350A1 (en) * | 2007-05-24 | 2010-02-17 | Palo Alto Research Center Incorporated | Dynamic domain abstraction through meta-analysis |
US20160231990A9 (en) * | 2014-06-10 | 2016-08-11 | Toyota Motor Engineering And Manufacturing North America, Inc. | Simulation-guided incremental stability analysis |
US10331831B2 (en) * | 2016-05-25 | 2019-06-25 | Imagination Technologies Limited | Assessing performance of a hardware design using formal evaluation logic |
US11314620B1 (en) * | 2020-12-09 | 2022-04-26 | Capital One Services, Llc | Methods and systems for integrating model development control systems and model validation platforms |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8032848B2 (en) * | 2009-01-29 | 2011-10-04 | Synopsys, Inc. | Performing abstraction-refinement using a lower-bound-distance to verify the functionality of a circuit design |
US20100313175A1 (en) * | 2009-06-05 | 2010-12-09 | Advanced Micro Devices, Inc. | Verification systems and methods |
US8862439B1 (en) * | 2009-06-25 | 2014-10-14 | Cadence Design Systems, Inc. | General numeric backtracking algorithm for solving satifiability problems to verify functionality of circuits and software |
US9471327B2 (en) | 2013-08-20 | 2016-10-18 | International Business Machines Corporation | Verifying forwarding paths in pipelines |
US9058463B1 (en) * | 2013-12-03 | 2015-06-16 | Cavium, Inc. | Systems and methods for specifying. modeling, implementing and verifying IC design protocols |
US10002218B2 (en) | 2015-03-12 | 2018-06-19 | Cavium, Inc. | Verification of a multichip coherence protocol |
US10331829B2 (en) | 2015-12-15 | 2019-06-25 | International Business Machines Corporation | System design using accurate performance models |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5999717A (en) * | 1997-12-31 | 1999-12-07 | Motorola, Inc. | Method for performing model checking in integrated circuit design |
US6141633A (en) * | 1997-02-28 | 2000-10-31 | Fujitsu Limited | Logical device verification method and apparatus |
US20010050912A1 (en) * | 2000-05-03 | 2001-12-13 | Govind Malalur | Gigabit switch on chip architecture |
US20030225552A1 (en) * | 2002-05-30 | 2003-12-04 | Nec Corporation | Efficient approaches for bounded model checking |
US20040006451A1 (en) * | 2002-06-27 | 2004-01-08 | Ramesh Bharadwaj | Invariant checking method and apparatus using binary decision diagrams in combination with constraint solvers |
US20040093571A1 (en) * | 2002-11-13 | 2004-05-13 | Jawahar Jain | Circuit verification |
US20040210860A1 (en) * | 2003-04-07 | 2004-10-21 | Nec Laboratories America, Inc | Efficient distributed SAT and SAT-based distributed bounded model checking |
US20040230407A1 (en) * | 2003-04-15 | 2004-11-18 | Nec Laboratories America, Inc | Iterative abstraction using SAT-based BMC with proof analysis |
US6929630B2 (en) * | 2002-05-07 | 2005-08-16 | Baylor College Of Medicine | Infusion clamp |
US6957404B2 (en) * | 2002-12-20 | 2005-10-18 | International Business Machines Corporation | Model checking with layered localization reduction |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6080203A (en) * | 1997-12-18 | 2000-06-27 | Advanced Micro Devices, Inc. | Apparatus and method for designing a test and modeling system for a network switch device |
US6324496B1 (en) * | 1998-06-18 | 2001-11-27 | Lucent Technologies Inc. | Model checking of hierarchical state machines |
US6311293B1 (en) | 1998-12-14 | 2001-10-30 | Lucent Technologies Inc. | Detecting of model errors through simplification of model via state reachability analysis |
US6708143B1 (en) | 2000-05-22 | 2004-03-16 | Lucent Technologies Inc. | Verification coverage method |
US6728939B2 (en) * | 2001-01-08 | 2004-04-27 | Siemens Aktiengesellschaft | Method of circuit verification in digital design |
-
2004
- 2004-04-29 US US10/835,561 patent/US20050114809A1/en not_active Abandoned
- 2004-11-09 EP EP04026607A patent/EP1533722A3/en not_active Withdrawn
- 2004-11-17 TW TW093135264A patent/TWI266216B/en not_active IP Right Cessation
- 2004-11-22 CN CN2004100976180A patent/CN1667622B/en not_active Expired - Fee Related
-
2007
- 2007-04-16 US US11/735,808 patent/US7562322B2/en not_active Expired - Fee Related
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6141633A (en) * | 1997-02-28 | 2000-10-31 | Fujitsu Limited | Logical device verification method and apparatus |
US5999717A (en) * | 1997-12-31 | 1999-12-07 | Motorola, Inc. | Method for performing model checking in integrated circuit design |
US20010050912A1 (en) * | 2000-05-03 | 2001-12-13 | Govind Malalur | Gigabit switch on chip architecture |
US6929630B2 (en) * | 2002-05-07 | 2005-08-16 | Baylor College Of Medicine | Infusion clamp |
US20030225552A1 (en) * | 2002-05-30 | 2003-12-04 | Nec Corporation | Efficient approaches for bounded model checking |
US20040006451A1 (en) * | 2002-06-27 | 2004-01-08 | Ramesh Bharadwaj | Invariant checking method and apparatus using binary decision diagrams in combination with constraint solvers |
US20040093571A1 (en) * | 2002-11-13 | 2004-05-13 | Jawahar Jain | Circuit verification |
US6957404B2 (en) * | 2002-12-20 | 2005-10-18 | International Business Machines Corporation | Model checking with layered localization reduction |
US20040210860A1 (en) * | 2003-04-07 | 2004-10-21 | Nec Laboratories America, Inc | Efficient distributed SAT and SAT-based distributed bounded model checking |
US20040230407A1 (en) * | 2003-04-15 | 2004-11-18 | Nec Laboratories America, Inc | Iterative abstraction using SAT-based BMC with proof analysis |
Cited By (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7454727B1 (en) * | 2003-12-18 | 2008-11-18 | Synopsys, Inc. | Method and Apparatus for Solving Sequential Constraints |
US7237208B1 (en) * | 2004-04-05 | 2007-06-26 | Jasper Design Automation, Inc. | Managing formal verification complexity of designs with datapaths |
US7290230B2 (en) * | 2005-03-17 | 2007-10-30 | Fujitsu Limited | System and method for verifying a digital design using dynamic abstraction |
US20060212837A1 (en) * | 2005-03-17 | 2006-09-21 | Prasad Mukul R | System and method for verifying a digital design using dynamic abstraction |
US20060248494A1 (en) * | 2005-04-14 | 2006-11-02 | International Business Machines Corporation | Method and system for parametric reduction of sequential designs |
US7882470B2 (en) | 2005-04-14 | 2011-02-01 | International Business Machines Corporation | Method for heuristic preservation of critical inputs during sequential reparameterization |
US7689943B2 (en) | 2005-04-14 | 2010-03-30 | International Business Machines Corporation | Parametric reduction of sequential design |
US7367002B2 (en) * | 2005-04-14 | 2008-04-29 | International Business Machines Corporation | Method and system for parametric reduction of sequential designs |
US20080104560A1 (en) * | 2005-04-14 | 2008-05-01 | Baumgartner Jason R | Method and system for parametric reduction of sequential designs |
US7370298B2 (en) * | 2005-04-14 | 2008-05-06 | International Business Machines Corporation | Method for heuristic preservation of critical inputs during sequential reparameterization |
US20080109774A1 (en) * | 2005-04-14 | 2008-05-08 | Baumgartner Jason R | Method and system for parametric reduction of sequential designs |
US20080235637A1 (en) * | 2005-04-14 | 2008-09-25 | Baumgartner Jason R | Method for heuristic preservation of critical inputs during sequential reparameterization |
US20090327984A1 (en) * | 2005-09-15 | 2009-12-31 | Jorg Bormann | Method For Determining The Quality Of A Quantity Of Properties, To Be Employed For Verifying And Specifying Circuits |
US8166430B2 (en) | 2005-09-15 | 2012-04-24 | Onespin Solutions Gmbh | Method for determining the quality of a quantity of properties, to be employed for verifying and specifying circuits |
US20070226663A1 (en) * | 2005-09-15 | 2007-09-27 | Bormann Joerg | Method for the determination of the quality of a set of properties, usable for the verification and specification of circuits |
US7571398B2 (en) | 2005-09-15 | 2009-08-04 | Bormann Joerg | Method for the determination of the quality of a set of properties, usable for the verification and specification of circuits |
US8086429B2 (en) | 2005-10-13 | 2011-12-27 | International Business Machines Corporation | Predicate-based compositional minimization in a verification environment |
US20080270086A1 (en) * | 2005-10-13 | 2008-10-30 | International Business Machines Corporation | Predicate-based compositional minimization in a verification environment |
US20070168372A1 (en) * | 2006-01-17 | 2007-07-19 | Baumgartner Jason R | Method and system for predicate selection in bit-level compositional transformations |
EP2153350A1 (en) * | 2007-05-24 | 2010-02-17 | Palo Alto Research Center Incorporated | Dynamic domain abstraction through meta-analysis |
EP2153350A4 (en) * | 2007-05-24 | 2014-06-25 | Palo Alto Res Ct Inc | Dynamic domain abstraction through meta-analysis |
US7908576B2 (en) | 2007-12-10 | 2011-03-15 | Inpa Systems, Inc. | Method of progressively prototyping and validating a customer's electronic system design |
US8136065B2 (en) | 2007-12-10 | 2012-03-13 | Inpa Systems, Inc. | Integrated prototyping system for validating an electronic system design |
US20090150839A1 (en) * | 2007-12-10 | 2009-06-11 | Inpa Systems, Inc. | Integrated prototyping system for validating an electronic system design |
US20090150838A1 (en) * | 2007-12-10 | 2009-06-11 | Huang Thomas B | Method of progressively prototyping and validating a customer's electronic system design |
US20160231990A9 (en) * | 2014-06-10 | 2016-08-11 | Toyota Motor Engineering And Manufacturing North America, Inc. | Simulation-guided incremental stability analysis |
US9606773B2 (en) * | 2014-06-10 | 2017-03-28 | Toyota Motor Engineering & Manufacturing North America, Inc. | Simulation-guided incremental stability analysis |
US10331831B2 (en) * | 2016-05-25 | 2019-06-25 | Imagination Technologies Limited | Assessing performance of a hardware design using formal evaluation logic |
US10963611B2 (en) | 2016-05-25 | 2021-03-30 | Imagination Technologies Limited | Assessing performance of a hardware design using formal evaluation logic |
US11531799B2 (en) * | 2016-05-25 | 2022-12-20 | Imagination Technologies Limited | Assessing performance of a hardware design using formal evaluation logic |
US20230094774A1 (en) * | 2016-05-25 | 2023-03-30 | Imagination Technologies Limited | Assessing performance of a hardware design using formal evaluation logic |
US11314620B1 (en) * | 2020-12-09 | 2022-04-26 | Capital One Services, Llc | Methods and systems for integrating model development control systems and model validation platforms |
US20220179771A1 (en) * | 2020-12-09 | 2022-06-09 | Capital One Services, Llc | Methods and systems for integrating model development control systems and model validation platforms |
US11599444B2 (en) * | 2020-12-09 | 2023-03-07 | Capital One Services, Llc | Methods and systems for integrating model development control systems and model validation platforms |
Also Published As
Publication number | Publication date |
---|---|
US20070186197A1 (en) | 2007-08-09 |
EP1533722A2 (en) | 2005-05-25 |
US7562322B2 (en) | 2009-07-14 |
CN1667622B (en) | 2010-10-06 |
EP1533722A3 (en) | 2005-06-01 |
TW200534131A (en) | 2005-10-16 |
CN1667622A (en) | 2005-09-14 |
TWI266216B (en) | 2006-11-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7562322B2 (en) | Design verification for a switching network logic using formal techniques | |
Lahiri et al. | A symbolic approach to predicate abstraction | |
US7260799B2 (en) | Exploiting suspected redundancy for enhanced design verification | |
US7281225B2 (en) | Circuit verification using multiple engines | |
US6035107A (en) | Method for performing functional comparison of combinational circuits | |
Jain et al. | Word level predicate abstraction and refinement for verifying RTL Verilog | |
US6698003B2 (en) | Framework for multiple-engine based verification tools for integrated circuits | |
US8359561B2 (en) | Equivalence verification between transaction level models and RTL at the example to processors | |
Duan et al. | A unified model checking approach with projection temporal logic | |
Park et al. | Protocol verification by aggregation of distributed transactions | |
US7308657B2 (en) | Method for generating hints for program analysis | |
Habibi et al. | An approach for the verification of systemc designs using asml | |
US7428712B1 (en) | Design optimization using approximate reachability analysis | |
US8201119B2 (en) | Formal equivalence checking between two models of a circuit design using checkpoints | |
US10852354B1 (en) | System and method for accelerating real X detection in gate-level logic simulation | |
Lu et al. | Verifying a gigabit ethernet switch using SMV | |
Bingham | Automatic non-interference lemmas for parameterized model checking | |
US20180089341A1 (en) | Self Equivalence in Hardware Designs | |
US7650579B2 (en) | Model correspondence method and device | |
Jorda | Verifying A Gigabit Ethernet Switch Using SMV | |
US20090235213A1 (en) | Layout-Versus-Schematic Analysis For Symmetric Circuits | |
Azimi et al. | Experience with applying formal methods to protocol specification and system architecture | |
Zheng et al. | Local state space analysis leads to better partial order reduction | |
Pierre | Auxiliary Variables in Temporal Specifications: Semantic and Practical Analysis for System-Level Requirements | |
CN113496106A (en) | Method and system for validating a sequencer |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: BROADCOM CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LU, YUAN;REEL/FRAME:015288/0780 Effective date: 20040428 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:BROADCOM CORPORATION;REEL/FRAME:037806/0001 Effective date: 20160201 Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:BROADCOM CORPORATION;REEL/FRAME:037806/0001 Effective date: 20160201 |
|
AS | Assignment |
Owner name: AVAGO TECHNOLOGIES GENERAL IP (SINGAPORE) PTE. LTD., SINGAPORE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BROADCOM CORPORATION;REEL/FRAME:041706/0001 Effective date: 20170120 Owner name: AVAGO TECHNOLOGIES GENERAL IP (SINGAPORE) PTE. LTD Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BROADCOM CORPORATION;REEL/FRAME:041706/0001 Effective date: 20170120 |
|
AS | Assignment |
Owner name: BROADCOM CORPORATION, CALIFORNIA Free format text: TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:041712/0001 Effective date: 20170119 |