### ESE532: System-on-a-Chip Architecture Day 20: November 6, 2019 Verification 2 Merification 2 Merification





### Assertion

- Predicate (Boolean expression) that must be true
- Invariant
  - Expect/demand this property to always hold
  - Never vary  $\rightarrow$  never not be true

### Penn ESE532 Fall 2019 -- DeHon

# Equivalence with Reference as Assertion

- Match of test and golden reference is a heavy-weight example of an assertion
- r=fimpl(in);

ESE532 Fall 2019 -- DeHo

5

assert (r==fgolden(in));

### Assertion as Invariant

 May express a property that must hold without expressing how to compute it.
 Different than just a simpler way to compute

```
int res[2];
res=divide(n,d);
assert(res[QUOTIENT]*d+res[REMAINDER]==n);
```

Penn ESE532 Fall 2019 -- DeHon



Preclass 1 What property needs to hold on 1? Note: divide: s/1

Preclass 2

int findloc(int target, int \*a, int limit);

loc=findloc(my\_target,my\_array,MY\_ARRAY\_LEN);
// property on my\_array[loc] should hold here?

What must be true of my array[loc]

s=packetsum(p); l=packetlen(p); res=divide(s,l);

### Check a Requirement

s=packetsum(p); l=packetlen(p); assert(l!=0); res=divide(s,l);

ESE532 Fall 2019 -- DeHor

9

11

Penn ESE532 Fall 2019 -- DeHon

after call?

ESE532 Fall 2019 -- DeHor

int loc:



2

### Merge Requirement

- · Require: astream, bstream sorted
- int aptr; int bptr;
- astream.read(ain); bstream.read(bin)
- For (i=0;i<MCNT;i++)</li>

If ((aptr<ACNT) && (bptr<BCNT))

If (ain>bin)

{ ostream.write(ain); aptr++; astream.read(ain);} Else

{ ostream.write(bin) bptr++; bstream.read(bin);} Else // copy over remaining from astream/bstream



Merge with Order Assertion
 When composed

 Every downstream merger checks work of predecessor

 merge merge merge merge talt
 Pent ESESS2 Fall 2019 – Detton

# Merge RequirementRequire: astream, bstream sorted

- Requirement that input be sorted is good – And not hard to check
- Not comprehensive

ESE532 Fall 2019 -- DeH

- Weaker than saying output is a sorted version of input
- What errors would it allow?





<sup>18</sup> \*\*\*\*\* **Validate** that something isn't happening <sup>18</sup>







23

ESE532 Fall 2019 -- DeHor

# Testing with Reference Specification

Validate the design by testing it:

- Create a set of test inputs
- · Apply test inputs
  - To implementation under test
  - To reference specification
- · Collect response outputs
- Check if outputs match

Penn ESE532 Fall 2019 -- DeHon

Formal Equivalence with Reference Specification Validate the design by proving equivalence between: • implementation under consideration • reference specification 22











### Composite FSM

- Work
  - At most |2<sup>N</sup>|\*|State1|\*|State2| edges == work
- Can group together original edges

   *i.e.* in each state compute intersections of outgoing edges

31

- Really at most |E1|\*|E2|

Penn ESE532 Fall 2019 -- DeHon

### Non-Equivalence

- State {S1<sub>i</sub>, S2<sub>j</sub>} demonstrates nonequivalence iff
  - {S1<sub>i</sub>, S2<sub>j</sub>} reachable
  - On some input, State S1<sub>i</sub> and S2<sub>j</sub> produce different outputs
- If S1<sub>i</sub> and S2<sub>j</sub> have the same outputs for all composite states, it is impossible to distinguish the machines
  - They are equivalent
- A **reachable** state with differing outputs









### FSM → Model Checking

- FSM case simple only deal with states
- More general, need to deal with – operators (add, multiply, divide)
  - Wide word registers in datapath
  - Cause state exponential in register bits
- Tricks

ESE532 Fall 2019 -- DeHor

- Treat operators symbolically
  - Separate operator verification from control verif.
- Abstract out operator width
- Similar flavor of case-based search

### Assertion Failure Reachability

· Can use with assertions

n ESE532 Fall 2019 -- DeHon

 Is assertion failure reachable?
 Can identify a path (a sequence of inputs) that leads to an assertion failure?

Formal Equivalence Checking
Rich set of work on formal models for equivalence

Challenges and innovations to making search tractable

Common versions

Model Checking (2007 Turing Award)
Bounded Model Checking

39

Timing Penr ESE532 Fall 2019 - DeHon





### Timing

- Record timestamp from implementation
- Allow reference specification to specify its time stamps
  - "Model this as taking one cycle"
  - Or requirements on its timestamps
    - This must occur before cycle 63
    - This must occur between cycle 60 and 65
- · Compare values and times
- More relevant Real Time
- Example Real Time where exact cycle

# Challenge • Cannot record at full implementation rate – Inadequate bandwidth to • Store off to disk • Get out of chip • Cannot record all the data you might want to compare at full rate

44



43

ESE532 Fall 2019 -- DeHon





## **Burst Testing**



49

- Issue
  - May only see high speed for computation/interactions that occur within a burst period
  - May miss interaction at burst boundaries
- Mitigation
  - Rerun with multiple burst boundary offsets
  - So all interactions occur within some burst
- Decorrelate interaction and burst boundary



50

ann ESE532 Fall 2019 -- DeHon



53

### **Big Ideas**

- · Assertions valuable
  - Reason about requirements and invariants
     Explicitly validate
- Formally validate equivalence when possible
- · Valuable to decompose testing
  - Functionality
  - Functionality at performance
- ....we can extend techniques to address timing and support at-speed tests

