
memory.

Using the described optimal candidate invariant, EASY decided that the models are equivalent in 8017 seconds and used the full 64 GB of memory.

Weakening the candidate invariant only slightly, e.g., by removing the equality of two corresponding registers, produces a miter during the execution of the algorithm that exhausts the available memory during the CBMC call.

This experiment has shown that our algorithms can handle more complex models, but they come close to the limits of the underlying model checker and require an optimal candidate invariant.

In summary of the experiments, EASY has additional overhead that is not needed in some cases, and equivalence can then be decided faster by the "lighter" NSMC. However, EASY can decide equivalence in cases that NSMC cannot decide within the time limit. This is especially true when underapproximations are used as candidate invariants, which usually lead to a timeout in NSMC.

3.5 Conclusion

In this chapter, we presented two algorithms to prove functional equivalence of two hardware descriptions on the system level. The presented algorithm uses a hypothesis that is refined step by step to approximate the set of all equivalent states of the two designs. The hypothesis allows the expert knowledge of a designer to be used to speed up verification. Preliminary experimental results for two case studies, a scalable parallel counter and a processor model, show that the runtime can be significantly reduced, even for complex designs, when the "right" hypothesis has been chosen.

In this chapter, we presented NSMC and EASY, two algorithms for functional equivalence checking of ESL descriptions written in C++. The algorithms either generate an inductive invariant that proves equivalence or detect a reachable counterexample that disproves equivalence. While NSMC starts from a candidate invariant and strengthens it with each discovered spurious counterexample, EASY uses a PDR-like approach that can easily drop individual clauses. If the models are not equivalent, the returned counterexample can be used as a starting point for debugging; if they are equivalent, the algorithm returns an inductive invariant that can support future equivalence checks. We proposed an implementation of NSMC and EASY on top of the bounded model checker CBMC and presented experiments with three examples to show the applicability of the approach.


Chapter 4

Robustness Checking

While new technologies facilitate the creation of more advanced systems, the systems become more susceptible to transient faults. External factors like cosmic radiation may induce glitches in the system, which can lead to erroneous behavior.

A circuit needs to be analyzed to ensure that no erroneous output is produced under transient faults, i.e., that the circuit is robust. Otherwise, the vulnerable gates have to be identified. The effects of transient faults may be masked by logic, timing, or electrical effects. During the analysis, variation in the gates' parameters must be taken into account.

Simulation and testing are an easy way to get a basic idea of the robustness of a circuit, but they cannot prove the absence of errors except for very small circuits.

Our formal approaches are the first to analyze a Single Event Transient (SET) under logic, electrical, and timing masking, including variation, while considering all possible input assignments. Moreover, the analysis is conservative, i.e., if our approach decides that an SET cannot cause an error, this decision is safe under the given constraints for variation. Technically, we model the behavior using three-valued logic (0, 1, X), where unknown values (X) conservatively approximate variation effects. The decision engine is based on Boolean Satisfiability (SAT).

For brevity, we only consider combinational circuits. Along the lines of [19], the extension to sequential circuits is straightforward.

The downside is that a SAT formula modeling the circuit in high detail can become very complex, especially if the signal that carries the SET reconverges.

While the described monolithic approach can handle most circuits of the ISCAS-89 benchmarks, the number of variables to describe signals after a reconvergence increases exponentially with the depth after the reconvergence.
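To make the three-valued modeling and the reconvergence problem concrete, the following Python snippet is an added example, not the thesis' implementation. It is a plain (0, 1, X) simulator without the timing and electrical model described above: an SET is injected as X on one net, controlling values mask it at AND/OR gates, and an exhaustive loop over all input assignments stands in for the SAT query. The netlist format, gate functions, and the two circuits are constructed for this example. The second circuit reconverges the glitched net and shows why plain X-propagation is conservative but pessimistic after a reconvergence, which is the case the detailed encoding has to spend extra variables on.

```python
"""Three-valued (0, 1, X) simulation of a combinational netlist under an SET.

Illustrative example added to this page; not the thesis' implementation.
Netlist format, gate names, and circuits below are constructed for the example.
"""
from itertools import product

X = "X"  # unknown value: conservatively covers both 0 and 1


def t_not(a):
    return X if a == X else 1 - a


def t_and(a, b):
    # A controlling 0 on either input masks the other input, even if it is X.
    if a == 0 or b == 0:
        return 0
    if a == X or b == X:
        return X
    return 1


def t_or(a, b):
    # A controlling 1 on either input masks the other input, even if it is X.
    if a == 1 or b == 1:
        return 1
    if a == X or b == X:
        return X
    return 0


GATES = {"NOT": t_not, "AND": t_and, "OR": t_or}


def simulate(netlist, inputs, override=None):
    """Evaluate a topologically ordered netlist of (out, gate, *ins) tuples.

    `inputs` maps primary inputs to 0/1.  `override` maps nets to a value that
    replaces whatever the net would otherwise carry (X models the SET, 0/1 a
    concrete forced value)."""
    override = override or {}
    vals = {n: override.get(n, v) for n, v in inputs.items()}
    for out, gate, *ins in netlist:
        v = GATES[gate](*(vals[n] for n in ins))
        vals[out] = override.get(out, v)
    return vals


def set_is_masked(netlist, inputs, set_net, outputs):
    """True if no output can be affected by an SET on set_net for this input."""
    vals = simulate(netlist, inputs, {set_net: X})
    return all(vals[o] != X for o in outputs)


def vulnerable_inputs(netlist, primary_inputs, set_net, outputs):
    """All input assignments under which the SET is not provably masked.

    Exhaustive, so only feasible for tiny circuits: the formal approaches
    replace this loop by one SAT query over all assignments."""
    found = []
    for bits in product((0, 1), repeat=len(primary_inputs)):
        inputs = dict(zip(primary_inputs, bits))
        if not set_is_masked(netlist, inputs, set_net, outputs):
            found.append(inputs)
    return found


def glitch_reaches_output(netlist, inputs, set_net, outputs):
    """Two-valued reference: force set_net to its flipped value and compare."""
    nominal = simulate(netlist, inputs)
    flipped = simulate(netlist, inputs, {set_net: 1 - nominal[set_net]})
    return any(nominal[o] != flipped[o] for o in outputs)


# Constructed circuit 1: y = (a AND b) OR c.  An SET on net `a` is logically
# masked whenever b == 0 (AND gate) or c == 1 (OR gate).
CIRCUIT1 = [("t", "AND", "a", "b"), ("y", "OR", "t", "c")]

# Constructed circuit 2: y = a AND NOT a.  The real value is always 0, so an
# SET on `a` never reaches y, but after the reconvergence the two X values are
# treated as independent and three-valued logic reports X for every input.
CIRCUIT2 = [("na", "NOT", "a"), ("y", "AND", "a", "na")]

if __name__ == "__main__":
    print("circuit 1, 3-valued:", vulnerable_inputs(CIRCUIT1, ["a", "b", "c"], "a", ["y"]))
    print("circuit 2, 3-valued:", vulnerable_inputs(CIRCUIT2, ["a"], "a", ["y"]))
    print("circuit 2, exact   :", [glitch_reaches_output(CIRCUIT2, {"a": v}, "a", ["y"]) for v in (0, 1)])
```

For circuit 1 the three-valued result agrees with the exact flip: only b = 1, c = 0 lets the glitch through. For circuit 2 the exact check never sees the glitch at y, while the X-simulation flags both input assignments; the decision is still safe, just pessimistic, which is the price of dropping the correlation between the two fan-out branches.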

To prevent this complication, we also present a hybrid approach that combines simulation and formal verification to achieve scalability while keeping a detailed technology model. We describe a circuit in high detail dependent on the used technology. The resulting circuit is partitioned into a front and a back partition.

Different partitionings are possible. For our work, we put all gates that are affected by reconvergence of the SET in the back partition. The front partition can then be analyzed easily with a SAT solver. Afterwards, we simulate the detected potential counterexamples on the whole circuit, generalize them, and modify the SAT formula until robustness can be decided.


As another advantage, the hybrid approach allows us to consider the delays in higher detail, as we can easily differentiate between the different delays of a gate depending on the input values during simulation.

In summary, the contributions of this chapter are two algorithms that

• consider logical, timing, and electrical masking,

• describe the gates in great detail, specific to the used technology and considering variability,

• allow a monolithic approach to decide robustness, where the whole circuit under an SET is described as a SAT formula,

• allow a hybrid approach that uses SAT solving to check the front partition and uses simulation to verify detected counterexamples on the complete circuit, and

• can use composition, as they partition the circuit into two partitions to prevent reconvergence in the front partition.

The following Section 4.1 introduces some preliminaries. Sections 4.2 and 4.3 describe our monolithic and hybrid algorithms for robustness, respectively. Experiments with both algorithms are shown in Section 4.4, and Section 4.5 concludes this chapter.