TOWARDS EQUIVALENCE CHECKING BETWEEN TLM and RTL MODELS PRINCIPLES OF SEQUENTIAL EQUIVALENCE VERIFICATION Giray Kömürcü Boğaziçi University CMPE 58Q

MOTIVATION Verification is a crucial step in microelectronic design cycle Has to be done in a limited time with 100% success

OUTLINE PART 1 Sequential Circuit Representations Introduction to Sequential Equivalence State & Sequential Equivalence Product Machine Approaches to Sequential Equivalence Verification BDD-Based Symbolic CNF-Based Induction Structure Driven

SEQUENTIAL CIRCUIT REPRESENTATION m # of inputs l # of outputs n # of memory elements k # of internal signals Clock(clk) signal

SEQUENTIAL VERIFICATION Checking the equivalence of two models is crucial in transformation based design flow Combinational Equivalence Verification is appropriate when the transformations effect the combinational parts only Sequential Equivalence Verification is needed if the transformations effect the correspondence between the memory elements Retiming State Minimization Sequential Redundancy removal Classical Algorithms have exponential complexity Recently Symbolic Traversal, Induction, Structural approaches developed

SEQUENTIAL CIRCUIT REPRESENTATION FSM is represented by state transition graph Edges: input/output y1y1 y2y2 state

STATE EQUIVALENCE Two states s1, s2 of a FSM M are equivalent (s1~s2) if: For every possible input sequence applied from these states results the same output sequence If (s1!~ s2) they are distinguishable Sequence that results in different outputs is distinguishing sequence

SYNCHRONIZING and INITIALIZING SEQUENCES Synchronizing sequence of machine M is an input sequence that drives M to a specific state s sync when applied form any state of M If s sync exists; M is synchronizable Input sequence 0-0 results in state 00 from any state Initializing sequence is a synchronizing sequence identifiable through three-valued logic simulation

SEQUENTIAL EQUIVALENCE Two circuits are sequentially equivalent if each state of one FSM is equivalent to a state in the other Generally reset signal is applied and number of possible Initial States are limited Initial States’ equivalence is enough If reset is not applicable, various equivalence notions have been devised

PRODUCT MACHINE Miter Circuit is used to check equivalence FSM of Miter is called Product Machine Each state of product machine is a state pair s 1 s 2 If output of a state is 0 its unsafe State s j is reachable from s i if an input sequence takes the machine from s i to s j Two states s 1 of M 1 and s 2 of M 2 are equivalent if all states reachable from state s 1 s 2 are safe

PRODUCT MACHINE

CIRCUITS with ONE INITIAL STATE When each circuit has one initial state, initial states’ equivalence is enough Locally checking wheather two states are equivalent: Breadth-first search to find the set of states reachable from the product machine’s initial state called forward FSM traversal If all reachable states are safe circuits are equivalent

CIRCUITS with ONE INITIAL STATE Alternatively, we compute the set of non equivalent state pairs. If these pairs belong to initial state or the states reachable from the initial state designs are non-equivalent Backward FSM Traversal

STATE EXPLOSION Verifying Sequential Equivalence via graph traversal problem has exponential complexity State transition graphes’ size grow exponentially with the number of memory elements n memory elements 2 n vertices No algorithms working in polynomial time Several heuristics developed to solve the problem

SYMBOLIC GRAPH TRAVERSAL Proven effective in practice Perform search by manipulating the characteristic functions of sets and relations States are not evaluated one-by-one BDD’s are used Efficient data structure for representing and manipulating Boolean functions Memory requirements are prohibitive Memory explosion!

CNF BASED INDUCTION If we show that the initial state is safe And every safe state transitions to safe states only We can conclude that all reachable states are safe Sufficient but not necessary S safe might have transitions to unsafe states but if S safe is not reachable from initial state this is not a problem Can be solved via increasing the induction depth

CNF BASED INDUCTION For Figure a at induction depth 4 problem resolves For Figure b at any induction depth fails s5-s7-s8 s6-s5-s7-s8 s9-s9....-s9-s10

STRUCTURE DRIVEN Use functional relations that exist among the two circuits’ signals Circuits compared are related since one is derived from the other through transformations Functional relations make verification more tractable Equivalent state variables Delayed equivalent signals Functional relations between state variables

STRUCTURE DRIVEN Example: State variables y 2, y 5 are equivalent Speed up verification

CIRCUITS WITH UNKNOWN INITIAL STATE Resetting the flip-flops is costly in hardware With nonreset flip-flops single initial state no longer holds Classical FSM Equivalence: For each state of M1 there is a corresponding state in M2

SEQUENTIAL HARDWARE EQUIVALENCE For no known initial state Find a “aligning” sequence that brings the circuits to an equivalent state regardless of their current states Aligning responses may be arbitrary If the two designs are equivalent under SHE, they are equivalent in their steady state behaviour

SAFE REPLACEMENT EQUIVALENCE No Assumptions about a circuits operation Machine M2 is a safe replacement for M1 (M 2 ≤ safe M 1 ) iff:Any state s2 of M2 & for any input sequence There exists a state s1 of M1 produce the same output to same input M1 and M2 are self replacement equivalent if: M 2 ≤ safe M 1 & M 1 ≤ safe M 2 I/O behavior of every state of M2 (M1) can be reproduced by some state of M1 (M2) States do not have to be equivalent

SAFE REPLACEMENT EQUIVALENCE M 3 ≤ safe M 1 do not hold (11 input to v 4 outputs 11 in M 3 & not in M 1 ) M 4 ≤ safe M 1 holds

OUTLINE PART 2 Introduction to RTL-TLM Equivalence Event-Based Equivalence RTL-TLM Event-Based Equivalence

INTRODUCTION Transaction Level Modelling (TLM) High level to check functionality Fast for simulation Register Transfer Level Modelling (RTL) Ready for Place & Route TLM to RTL & RTL to TLM is required In either case equivalence checking is mandatory

TLM & RTL EQUIVALENCE CHECKING Open Problem No temporal or structural similarities Traditional techniques inapplicaple Event based equivalence is based on sequence of events Models compared are considered as black boxes, only I/O behaviours are matched No similarity required No timing correlation is needed

EVENT BASED EQUIVALENCE Event: Something happening at a certain time during the evaluation of the system model Sequence of events will be compared Ordering Sequences of Events by “Happens Before” a “happens before( )” b, if a is executed before b If a b & b c then a c If neither a b nor b a, a & b are concurrent; a||b At different abstraction levels internal structures are very different for the same functionality so equivalence should be proved in terms of sequence of events Informally outputs to same inputs should be the same Definition of equivalence can be applied to formally prove that two models abstracted or refined from each other is correct by construction

EVENT BASED EQUIVALENCE

RTL-TLM EVENT BASED EQUIVALENCE TLM has different abstraction levels based on timing and communication mechanism TLM Programmers View(PV): transaction based, untimed Functional specification is created HW/SW partition is not certain Communication and computation untimed Data transfers are abstract and by function calls TLM Programmers View with Time(PVT): aprx. timed Simulates in non-zero simulation time: performance estimation can be done HW/SW Partition is done Abstract Architecture mapped to interconnected blocks Data transactions are characterized in terms of bus-width and message size: bus burst estimation

RTL-TLM EVENT BASED EQUIVALENCE TLM Cycle Accurate(CA): cycle based and timed HW components are similar to RTL Descriptions Bus model is introduced & cycle accurate protocols are mapped to HW interfaces Transactions are mapped to bus cycles CA TLM is very close to RTL models More Accurate than Transaction Based models CA models: CA TLM & RTL descriptions TB models: PV & PVT TLM descriptions

TB EVENTS vs CA EVENTS Both TB & CA event sequences can be ordered according to “Happen Before” relation Def: In a TB Model an event occurs when a transaction starts or finishes. In a CA Model an event occurs when a read on PI or write on PO is performed

TB-CA EVENT BASED EQUIVALENCE CHECKING IO Operations performed by the models can be put in correspondence Event Based Equivalence holds iff both implementations produce the same result independently of timing But the strategy and data structure required for reading input stimuli or writing results is generally different Also number of events during the input or output phase is generally different

TB-CA EVENT BASED EQUIVALENCE CONDITIONS Designers should provide the set of relevant IO objects and correspondence of PIs/POs between the CA & TB models PIs & POs may differ in type and in number The sequences of events observed during the evolution of the models to be compared must correspond Such correspondence is automatically achieved by two abstraction functions; one for CA and one for TB

TB-CA EVENT BASED EQUIVALENCE Example: Read data1, Read data2, Write sum Events are not matchable

TB-CA EVENT BASED EQUIVALENCE Relevant I/O objects must be defined by the designers Concurrent events must be collapsed by abstraction functs. Events specifically generated for compliance with the communication protocol must be removed by abs. functs. is preserved only

TB-CA EVENT BASED EQUIVALENCE is preserved only

TB-CA EVENT BASED EQUIVALENCE

CONCLUSION Sequential synthesis and optimization of digital circuits requires robust equivalence checking Heuristic approaches increase the capacity of basic approaches Still inadequate for large designs More research is needed for sequential equivalence checking for a reliable system that can be used in the industry widely RTL-TLM event based equivalence is a newly developed promising approach

REFERENCES PRINCIPLES OF SEQUENTIAL EQUIVALENCE VERIFICATION Maher N. Mneimneh, Karem A. Sakallah TOWARDS EQUIVALENCE CHECKING BETWEEN TLM and RTL MODELS Nicola Bombieri, Franco Fummi, Graziano Pravadelli

THANK YOU & QUESTIONS?