February 22-25, 2010 Designers Work Less with Quality Formal Equivalence Checking by Orly Cohen, Moran Gordon, Michael Lifshits, Alexander Nadel, and Vadim Ryvchin Intel

Agenda Formal Equivalence Checking (FEC) in Parts Using Assume- Guarantee FEC Flow Description and the Importance of Assumptions Minimizing Assumptions –Naive Approaches –FEC as SAT Problem –Minimizing Assumptions Using SAT Comparison of SAT-Based and Naive Minimization Approaches Impact of Assumption Minimization on the Manual Debug Effort Conclusions and Recommendations Michael Lifshits, Intel 2 of 14

Assume-Guarantee in Formal Equivalence Checking (FEC) FEC proves the equivalence of 2 designs (e.g. schematics vs. RTL) FEC is done on small sub-blocks (slices) suitable for formal tools’ capacity Slices’ inputs are restricted with assumptions, e.g. in SVA DUT with Properties Inputs Outputs Assumption Assertion Michael Lifshits, Intel 3 of 14

Origins of Assumptions Manually added assumptions Design intent properties –ABV methodology Schematic Assumptions –appear in the standard cells library –save transistors, area, power Michael Lifshits, Intel INVERSE(a,b) 4 of 14

FEC Stages – the Importance of Assumptions Assumptions must be proved relative to the driving logic smaller set of assumptions is better! “Intel CPU project arrived with a dead A0 silicon due to a missed assumption verification step” Michael Lifshits, Intel Assumptions must be proved relative to the driving logic 5 of 14

Minimizing the Assumptions Set Naive approaches: Static Structural Analysis Iterative Trial and Error alg. Michael Lifshits, Intel MinAssump := ∅ // start without assumptions while verification fails and MinAssump  All_Assump do Try proving with assumptions in MinAssump if pass  Done Use the counterexample (CEX) and find A ∈ All_Assump : A ∈ MinAssump and A contradicts with CEX Add (at most K) such assumptions to MinAssump // K=20 return MinAssump 6 of 14

Formal as SAT Problem Most FEC tools are implemented with SAT-based FV engines FEC is reduced to a propositional formula: F=a AND b OR c… SAT solver proofs the lack of counterexamples for F; –CEX is an assignment for {a,b,c..} | F==TRUE O 1 O 2 O 1 O 2 ’same( O 1, O 2 )(t), F=XOR( O 1, O 2 ’ )(t), fails when F=TRUE NOTS 1 (t)AND(S 1 (t)… S 1 =T, S 2 =T, ENB=T NOTS 1 (t)AND(S 1 (t)… checked for t=1,2.. fails when S 1 =T, S 2 =T, ENB=T Unsatisfiable coreUnsatisfiable core – sub-formulas required for the proof ENB S1S1S1S1 S2S2S2S2 O 1 =NOTS 1 O 2 ’=(S 1 ANDS 2 ANDENB) OR (O 2 AND^ENB) Michael Lifshits, Intel 7 of 14

UNSAT CORE SAT Formula assumptions Minimizing Assumptions Using SAT The projection of UNSAT CORE onto the assumptions is the subset of assumptions required for the proof Minimization at the SAT level  minimal number of assumptions Simple approach: Our approach: Michael Lifshits, Intel 8 of 14

Iterative SAT Algorithm to Minimize Assumptions Solve formula F: SAT(F) with All_Assump Extract UNSAT CORE: UC MinAssump := A ∈ Assump: A ∩ Proj(UC) ≠ ∅ // start with all used for all A ∈ MinAssump do // try removing 1 assumption, reuse learning in SAT SAT(F) with MinAssump / {A}// solve F without A If pass  MinAssump := MinAssump /{A}, update UC return MinAssump Michael Lifshits, Intel 9 of 14 SAT-Based Minimization vs. Naive Trial and Error 50% assumptions in most cases, and dramatically fewer in some

UNSAT CORE Projection vs. Iterative Minimization (ours) It is justified mainly when minimizing the core is more important than reducing the run-time SAT-Based Minimization Algorithms Comparison Michael Lifshits, Intel 10 of 14 Run time (hours) Remaining properties

Impact of Assumption Reduction on the Manual Debug Effort All properties (including assumptions) are formally verified SQL database used to store the verification results Combined verification statusCombined verification status – status of the recursive set of used assumptions: For each used-by-FEC (UBF) property P Get the set of assumptions (Assump) used to verify a property P For each A i ∈ Assump Assump i := set of assumptions used to verify A i Assump all = Assump ∪ Assump i … ∪ Assump n // a recursive set if all A i ∈ Assump all pass status(P) = pass else status(P) = conditional Michael Lifshits, Intel 11 of 14

Impact of Assumption Reduction on the Manual Debug Effort 36% more properties passed Number of properties in FEC is large – a large amount of manual effort is saved to the design team Michael Lifshits, Intel 12 of 14 % of all properties

Reducing the number of used assumptions decreases manual debug time and computational effort UNSAT core-based techniques are much more effective than naive techniquesTradeoff between the reduction effectiveness and the run-timeDifferent SAT-based assumption minimization techniques fit various FEC stages Assumptions minimization is more important for RTL and SCH equivalence verification than for the RTL assumption verification RTL assumptions verification complexity is greater than RTL and SCH equivalence Iterative SAT-based assumption minimization for RTL and SCH equivalence Assumption reduction (UNSAT core projection) for RTL assumption verification Conclusion and Recommendations Michael Lifshits, Intel 13 of 14

Backup Michael Lifshits, Intel 14 of 14

SAT-Based Minimization vs. Naive Trial and Error 22 random microprocessor design blocks % indicate the improvement compared to the iterative Time (logarithmic scale) Michael Lifshits, Intel “naive” trial and error SAT-based Half as many assumptions in most cases, and dramatically fewer in some 50% == ½ assumptions 15 of 14