# ESE532: System-on-a-Chip Architecture

Day 20: November 11, 2020 Verification 2

Penn ESE532 Fall 2020 -- DeHor



## Today

- · Assertions (Part 1)
- Proving correctness (Part 2)
  - FSM Equivalence
- Timing and Testing (Part 3)

enn ESE532 Fall 2020 -- DeHon

### Message

- If you don't test it, it doesn't work.
- Testing can only prove the presence of bugs, not the absence.
  - Full verification strategy is more than testing.
- · Valuable to decompose testing
  - Functionality
  - Functionality at performance

Penn FSF532 Fall 2020 -- DeHon

### **Assertions**

Penn ESE532 Fall 2020 -- DeHon

### Assertion

- Predicate (Boolean expression) that must be true
- Invariant
  - Expect/demand this property to always hold
  - Never vary → never not be true

Penn ESE532 Fall 2020 -- DeHor

# Equivalence with Reference as Assertion

- Match of test and golden reference is a heavy-weight example of an assertion
- r=fimpl(in);
- assert (r==fgolden(in));

enn ESE532 Fall 2020 -- DeHon

### Assertion as Invariant

- May express a property that must hold without expressing how to compute it.
  - Different than just a simpler way to compute

```
int res[2];
res=divide(n,d);
assert(res[QUOTIENT]*d+res[REMAINDER]==n);
```

# Lightweight

- · Typically lighter weight (less computation) than full equivalence
- Typically less complete than full check
- · Allows continuum expression

### Preclass 1

```
What property needs to hold on 1?
    Note: divide: s/l
s=packetsum(p);
l=packetlen(p);
res=divide(s,1);
```

### Check a Requirement

```
s=packetsum(p);
l=packetlen(p);
assert(1!=0);
res=divide(s,1);
```

### Preclass 2

### What must be true of my\_array[loc] after call?

```
int findloc(int target, int *a, int limit);
           int loc;
           loc=findloc(my_target,my_array,MY_ARRAY_LEN);
           // property on my_array[loc] should hold here?
n ESE532 Fall 2020 -- DeHon
```

11

{ ostream.write(bin) bptr++; bstream.read(bin);}

ESEISE Mccopy over remaining from astream/bstream<sub>12</sub>

Day 13

Merge using Streams
• Merging two sorted list is a streaming

operation

- int aptr; int bptr;
- astream.read(ain); bstream.read(bin)
- For (i=0;i<MCNT;i++)

If ((aptr<ACNT) && (bptr<BCNT)) If (ain>bin) { ostream.write(ain); aptr++; astream.read(ain);}

### Merge Requirement

- · Require: astream, bstream sorted
- int aptr; int bptr;
- astream.read(ain); bstream.read(bin)
- For (i=0;i<MCNT;i++)</li>

```
If ((aptr<ACNT) && (bptr<BCNT))
```

If (ain>bin)

{ ostream.write(ain); aptr++; astream.read(ain);}

{ ostream.write(bin) bptr++; bstream.read(bin);}

Else // copy over remaining from astream/bstream

ESE532 Fall 2020 -- DeHon

### Merge Requirement

- · Require: astream, bstream sorted
- Int ptr; int bptr;
- astream.read(ain); bstream.read(bin)
- For (i=0;i<MCNT;i++) If ((aptr<ACNT) && (bptr<BCNT)) If (ain>bin) { ostream.write(ain); aptr++; int prev ain=ain; astream.read(ain); assert(prev ain<=ain);

SE532 Fall 2020 -- DeHon

## Merge with Order Assertion

- · When composed
  - Every downstream merger checks work of predecessor



### Merge Requirement

- · Require: astream, bstream sorted
- · Requirement that input be sorted is good
  - And not hard to check
- Not comprehensive
  - Weaker than saying output is a sorted version of
- · What errors would it allow?

### What do with Assertions?

- Include logic during testing (verification)
- · Omit once tested
  - Compiler/library/macros (#define) omit code
  - Keep in source code
- Maybe even synthesize to gate logic for FPGA testing
- · When assertion fail
  - Count
  - Break program for debugging (dump core)

17

### **Assertion Roles**

- Specification (maybe partial)
  - May address state that doesn't exist in gold reference
- Documentation
  - This is what I expect to be true
    - · Needs to remain true as modify in the future
- · Defensive programming
  - Catch violation of input requirements
- · Catch unexpected events, inputs
- Early failure detection
- Validate that something isn't happening

### **Assertion Discipline**

- · Worthwhile discipline
  - Consider and document input/usage requirements
  - Consider and document properties that must always hold
- Good to write those down
  - As precisely as possible
- · Good to check assumptions hold

Penn ESE532 Fall 2020 -- DeHon

10

### **Equivalence Proof**

FSM Part 2

Penn ESE532 Fall 2020 -- DeHon

20

### Prove Equivalence

- · Testing is a subset of Verification
- Testing can only prove the presence of bugs, not the absence.
- Depends on picking an adequate set of tests
- Can we guarantee that all behaviors are the correct? Same as reference?
   Seen all possible behaviors?

Penn ESE532 Fall 2020 -- DeHon

21

Day 19

### Idea

- · Reason about all behaviors
  - Response to all possible inputs
- Try to find if there is *any* way to reach disagreement with specification
- · Or can prove that they always agree
- · Still demands specification
  - ...but we can also relax that with assertions

Penn ESE532 Fall 2020 -- DeHon

~

# Testing with Reference Specification

Validate the design by testing it:

- · Create a set of test inputs
- · Apply test inputs
  - To implementation under test
  - To reference specification
- · Collect response outputs
- · Check if outputs match

enn ESE532 Fall 2020 -- DeHon

23

# Formal Equivalence with Reference Specification

Validate the design by proving equivalence between:

- implementation under consideration
- · reference specification

Penn ESE532 Fall 2020 -- DeHon

### Testing FSM Equivalence

- · Exhaustive:
  - Generate all strings of length |state|
    - (for larger FSM = the one with the most states)
  - Feed to both FSMs with these strings
  - Observe any differences?
- · How many such strings?
  - (N binary input bits to FSM, S states)
  - $-2^{N^*S}$

Penn ESE532 Fall 2020 -- DeHon

25

### **FSM Equivalence**

- Illustrate with concrete model of FSM equivalence
  - Is some implementation FSM
  - Equivalent to reference FSM

Penn ESE532 Fall 2020 -- DeHon

26

# Compare • Start with golden model setup — Run both and compare output • Create composite FSM — Start with both FSMs — Connect common inputs together (Feed both FSMs) — XOR together outputs of two FSMs • Xor's will be 1 if they disagree, 0 otherwise



# Creating Composite FSM

- Assume know start state for each FSM
- Each state in composite is labeled by the pair  $\{S1_i,\,S2_j\}$ 
  - How many such states?
- Start in {S1<sub>0</sub>, S2<sub>0</sub>}
- For each input a, create a new edge:
  - T(a,{S1<sub>0</sub>, S2<sub>0</sub>}) → {S1<sub>i</sub>, S2<sub>i</sub>}
  - If T₁(a, S1₀)→ S1ᵢ, and T₂(a, S2₀)→ S2ᵢ
- · Repeat for each composite state reached

nn ESE532 Fall 2020 -- DeHon

29

# Composite FSM

- · How much work?
- Hint:
  - Maximum number of composite states (state pairs)
  - Maximum number of edges from each state pair?
  - Work per edge?

Penn ESE532 Fall 2020 -- DeHon

### Composite FSM

- Work
  - At most |2N|\*|State1|\*|State2| edges ==
- · Can group together original edges
  - -i.e. in each state compute intersections of outgoing edges
  - Really at most |E<sub>1</sub>|\*|E<sub>2</sub>|

31

### Non-Equivalence

- State {S1<sub>i</sub>, S2<sub>i</sub>} demonstrates nonequivalence iff
  - $-\{S1_i, S2_j\}$  reachable
  - On some input, State S1i and S2i produce different outputs
- If S1<sub>i</sub> and S2<sub>i</sub> have the same outputs for all composite states, it is impossible to distinguish the machines
  - They are equivalent
- A reachable state with differing outputs

Implies the machines are not identical

### **Answering Reachability**

- Start at composite start state {S1<sub>0</sub>, S2<sub>0</sub>}
- · Search for path to a differing state
- · Use any search
  - Breadth-First Search, Depth-First Search
- · End when find differing state
  - Not equivalent
- · OR when have explored entire reachable graph without finding
  - Are equivalent

### Reachability Search

- · Worst: explore all edges at most once
  - $-O(|E|)=O(|E_1|^*|E_2|)$
- Can combine composition construction and search
  - i.e. only follow edges which fill-in as search
  - (way described)





# Creating Composite FSM

- · Assume know start state for each FSM
- Each state in composite is labeled by the pair {S1<sub>i</sub>, S2<sub>i</sub>}
- Start in {S1<sub>0</sub>, S2<sub>0</sub>}
- For each symbol a, create a new edge:
  - $T(a,{S1_0, S2_0})$  →  ${S1_i, S2_i}$ 
    - If  $T_1(a, S1_0) \rightarrow S1_i$ , and  $T_2(a, S2_0) \rightarrow S2_j$
    - Check that both state machines produce same outputs on input symbol a
- · Repeat for each composite state reached

enn ESE532 Fall 2020 -- DeHon

37



### FSM → Model Checking

- FSM case simple only deal with states
- · More general, need to deal with
  - operators (add, multiply, divide)
  - Wide word registers in datapath
    - · Cause state exponential in register bits
- Tricks
  - Treat operators symbolically
    - Separate operator verification from control verif.
  - Abstract out operator width
- · Similar flavor of case-based search
- Conditionals need to be evaluated symbolically

### Assertion Failure Reachability

- · Can use with assertions
- Is assertion failure reachable?
  - Can identify a path (a sequence of inputs) that leads to an assertion failure?

Penn ESE532 Fall 2020 -- DeHon

40

# Formal Equivalence Checking

- Rich set of work on formal models for equivalence
  - Challenges and innovations to making search tractable
  - Used with processor validation
- · Common versions
  - Model Checking (2007 Turing Award)
  - Bounded Model Checking

nn ESE532 Fall 2020 -- DeHon

41

# Timing

Part 3

nn ESE532 Fall 2020 -- DeHon

#### Issues

- Cycle-by-cycle specification can be overspecified
- Golden Reference Specification not run at target speed

Pann ESE532 Fall 2020 -- DaHon

40

### **Tokens**

- Use data presence to indicate when producing a value
- · Only compare corresponding outputs
  - Only store present outputs from computations, since that's all comparing
- · Relevant non-Real-Time
- Examples?
  - (not want to match cycle-by-cycle)

enn ESE532 Fall 2020 -- DeHon

4

### **Timing**

- · Record timestamp from implementation
- Allow reference specification to specify its time stamps
  - "Model this as taking one cycle"
  - Or requirements on its timestamps
    - This must occur before cycle 63
    - This must occur between cycle 60 and 65
- · Compare values and times
- · More relevant Real Time
- Example Real Time where exact cycle where exact cycle What does?

43

### Challenge

- · Cannot record at full implementation rate
  - Inadequate bandwidth to
    - · Store off to disk
    - · Get out of chip
- Cannot record all the data you might want to compare at full rate

Penn ESE532 Fall 2020 -- DeHon

46

# At Speed Testing

- · Compiled assertions might help
  - Perform the check at full rate so don't need to record
- · Capture bursts to on-chip memory
  - Higher bandwidth
  - ...but limited capacity, so cannot operate continuously

Penn ESE532 Fall 2020 -- DeHon

47

# Bursts to Memory

- · Run in bursts
- Repeat
  - Enable computation
  - Run at full rate storing to memory buffer
  - Stall computation
  - Offload memory buffer at (lower) available bandwidth
  - (possibly check against golden model)

Penn ESE532 Fall 2020 -- DeHon







- May only see high speed for computation/interactions that occur within a burst period
- May miss interaction at burst boundaries
- Mitigation

Issue

- Rerun with multiple burst boundary offsets
- So all interactions occur within some burst

- Decorrelate interaction and burst boundary

### **Timing Validation**

- · Doesn't need to be all testing either
- Static Timing Analysis to determine viable clock frequency
  - As Vivado is providing for you
- · Cycle estimates as get from Vivado - II, to evaluate a function
- · Worst-Case Execution Time for software

# **Decompose Verification**

Breaks into two pieces:

- 1. Does it function correctly?
- 2. What speed does it operate it?
  - Does it continue to work correctly at that speed?

nn ESE532 Fall 2020 -- DeHor

### Learn More

- CIS673 Computer Aided Verification
- CIS541 includes verification for realtime system properties
- CIS500 Software Foundations
  - Has mechanized proofs, proof checkers

## Big Ideas

- · Assertions valuable
  - Reason about requirements and invariants
  - Explicitly validate
- Formally validate equivalence when possible
- Valuable to decompose testing
  - Functionality
  - Functionality at performance
- ...we can extend techniques to address timing and support at-speed tests

enn ESE532 Fall 2020 -- DeHon

55

### Admin

- Feedback
- Reading for Monday on Canvas
- P2 due Friday
- P3 out

enn ESE532 Fall 2020 -- DeHon