
Techniques based on automatic validity checking have been successfully applied to equivalence checking of descriptions at behavioral RT-level and structural RT-level. They divide the verification problem into two steps:

• a formula F is built whose validity implies that the verification goal is satisfied, i.e., F ⇒ verification goal, and then

• a validity checker demonstrates automatically that F ≡ true.

Some verification problems can be reduced to a formula in which all functions except equality and the Boolean operators are treated as uninterpreted functions. Ackermann [Ack54] showed how to reduce such formulas to formulas of the theory of equality without function symbols while preserving validity (footnote 10).
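The two-step scheme above and Ackermann's reduction, carried out on a toy formula as an added example (illustration code written for this page, not the thesis's own tool and not SVC). Terms are nested tuples; every application of an uninterpreted function is replaced by a fresh variable (names such as f_0 are an assumption of the example), a functional-consistency constraint is added for each pair of applications of the same function, and the resulting pure-equality formula is checked for validity by enumerating assignments over a finite domain with one value per variable, which suffices for equality logic. The quantifiers of Ackermann's original formulation (footnote 10) are not handled.

```python
"""Ackermann's reduction of uninterpreted functions to pure equality logic,
followed by a brute-force validity check (added example, not thesis code).

Term syntax (nested tuples):
  ('var', 'a')                  free variable
  ('app', 'f', (t1, ..., tn))   uninterpreted function application
  ('eq', t1, t2)                equality
  ('not', p), ('and', p, q), ('or', p, q), ('imp', p, q)
"""
from itertools import product


def var(name):      return ('var', name)
def app(f, *args):  return ('app', f, tuple(args))
def eq(a, b):       return ('eq', a, b)
def imp(p, q):      return ('imp', p, q)
def land(p, q):     return ('and', p, q)
def lnot(p):        return ('not', p)


def ackermann(formula):
    """Replace each distinct application f(t1..tn) by a fresh variable and
    return (reduced_formula, constraints). The constraints encode functional
    consistency: equal arguments force equal results. The original formula is
    valid iff (AND constraints) -> reduced_formula is valid.
    Fresh names like 'f_0' are assumed not to clash with user variables."""
    fresh = {}                      # (f, reduced args) -> fresh variable

    def walk(t):
        kind = t[0]
        if kind == 'var':
            return t
        if kind == 'app':
            key = (t[1], tuple(walk(a) for a in t[2]))   # reduce args first
            if key not in fresh:
                fresh[key] = var(f'{t[1]}_{len(fresh)}')
            return fresh[key]
        if kind == 'not':
            return ('not', walk(t[1]))
        return (kind, walk(t[1]), walk(t[2]))            # eq / and / or / imp

    reduced = walk(formula)
    constraints = []
    keys = list(fresh)
    for i, (f, xs) in enumerate(keys):
        for g, ys in keys[i + 1:]:
            if f != g:
                continue
            args_equal = eq(xs[0], ys[0])
            for x, y in zip(xs[1:], ys[1:]):
                args_equal = land(args_equal, eq(x, y))
            constraints.append(imp(args_equal, eq(fresh[(f, xs)], fresh[(g, ys)])))
    return reduced, constraints


def free_vars(t, acc=None):
    acc = set() if acc is None else acc
    if t[0] == 'var':
        acc.add(t[1])
    elif t[0] == 'app':
        for a in t[2]:
            free_vars(a, acc)
    else:
        for sub in t[1:]:
            free_vars(sub, acc)
    return acc


def evaluate(t, env):
    """Evaluate a reduced (function-free) formula under env: name -> int."""
    kind = t[0]
    if kind == 'var':
        return env[t[1]]
    if kind == 'eq':
        return evaluate(t[1], env) == evaluate(t[2], env)
    if kind == 'not':
        return not evaluate(t[1], env)
    if kind == 'and':
        return evaluate(t[1], env) and evaluate(t[2], env)
    if kind == 'or':
        return evaluate(t[1], env) or evaluate(t[2], env)
    if kind == 'imp':
        return (not evaluate(t[1], env)) or evaluate(t[2], env)
    raise ValueError(f'unexpected node {kind!r}; apply ackermann() first')


def is_valid(formula):
    """Decide validity of a formula over uninterpreted functions and equality.
    Returns (True, None) or (False, falsifying assignment)."""
    reduced, constraints = ackermann(formula)
    goal = reduced
    for c in constraints:
        goal = imp(c, goal)
    names = sorted(free_vars(goal))
    # Equality logic has a small-model property: if some assignment (over any
    # domain) falsifies the formula, one over {0, ..., n-1} does too, since only
    # the partition of the n variables into equal/unequal classes matters.
    for values in product(range(len(names)), repeat=len(names)):
        env = dict(zip(names, values))
        if not evaluate(goal, env):
            return False, env
    return True, None


# Step 1 of the scheme: a formula whose validity implies the goal.
# Congruence through two nested uninterpreted functions: valid.
a, b = var('a'), var('b')
CONGRUENT = imp(eq(a, b), eq(app('f', app('g', a)), app('f', app('g', b))))
# The converse is not valid: nothing says f is injective.
CONVERSE = imp(eq(app('f', a), app('f', b)), eq(a, b))

if __name__ == '__main__':
    for name, phi in (('congruent', CONGRUENT), ('converse', CONVERSE)):
        ok, cex = is_valid(phi)             # step 2: the validity check
        print(name, 'valid' if ok else f'invalid, counterexample {cex}')
```

The congruence formula is proved valid; the converse fails, and the falsifying assignment returned (a and b distinct, the two fresh function values equal) is exactly the kind of counterexample a validity checker reports: an assignment over the reduced variables, not a concrete function f.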

For many verification problems, it is not sufficient to have only a decision procedure for uninterpreted equality, e.g., because bit-vector arithmetic is required to demonstrate the verification goal. The problem is then to combine the decision procedures of the component theories, such as arithmetic, arrays, etc. Two approaches to decision procedures for combinations of theories were pioneered in the seventies [CLS96]. Nelson and Oppen [NO79, NO80] combine theories by iteratively propagating equalities between the individual decision procedures. A practically more efficient procedure developed by Shostak [Sho84, Sho79] combines the simplifiers of the different theories into a single decision procedure. A good description of Shostak's algorithm is given in [CLS96]. Note that decision procedures are also used in theorem provers (see section 3.4); e.g., PVS uses Shostak's algorithm [ORSvH95].

A prominent example of applying automatic validity checking to hardware verification was presented in [BD94]. They were the first to propose a technique that generates a logic formula sufficient to verify a pipelined system against its sequential specification. This approach has since been extended to dual-issue processors [JDB95], to superscalar architectures [Bur96, WB96] (footnote 11), and, with some limitations, to out-of-order execution by using incremental flushing [SJD98, JSD98].

Footnote 9: Assertions about the correct effects of single instructions of a small 16-bit CISC processor were manually derived and verified in [BB94] using STE (although the term STE is not used in [BB94]; see [SB95]).

Footnote 10: Ackermann's formulas also include existential and universal quantifiers, which are not considered in the following.

Footnote 11: [WB96] provides a formal verification (using HOL) of the decomposition theory given in

3.3 Validity Checking Based Techniques

SVC (the Stanford Validity Checker) [BDL96, BDL98, JDB95] was used to verify the formulas automatically. SVC is a proof tool using an algorithm similar to Shostak's decision procedure. SVC also requires, for each theory that is added, that its functions be canonizable and algebraically solvable, because every expression must have a unique representation. The tool can fail to prove equivalence if a design has been transformed using theories that are slow to canonize or solve, or that are not supported at all.

[BDL98] describes the extension of SVC with bit-vector arithmetic (inspired by the work in [CMR97], see footnote 12). Verification of bit-vector arithmetic is often required to prove equivalence in control logic design, and it is fast using SVC if expressions can be canonized without slicing them into single bits; otherwise the computation time can increase exponentially. Our approach does not canonize expressions in general. Only if corner cases of equivalence have to be detected to demonstrate the verification goal are formulas constructed from previously collected information and checked using vectors of OBDDs. The efficiency of vectors of OBDDs in our application area is compared with SVC and *BMDs in section 6.3. Verification of memories using SVC is discussed in section 3.7.

SVC is not an uninterpreted approach, since a selection of functions is interpreted by SVC. Only uninterpreted functions, with the exception of memory operations (footnote 13), are used by [VB00, BGV99, VB99a, VB99b] for equivalence checking of high-level descriptions of processors against instruction set specifications. Two abstract formulas are built, similar to the approach of [BD94, Bur96], and compared using OBDDs. An extension that exploits positive equality makes verification of pipelined [BGV99, VB99a] and superscalar [VB00, VB99b] processors feasible in seconds, a verification time far below that of [BD94, Bur96]. This extension exploits the fact that some comparisons occur only in monotonically positive formulas, i.e., they do not appear within the scope of a logical negation; such comparisons can be treated as comparing distinct values without affecting validity, which drastically reduces the case analysis. The approach is well suited to the given verification examples: the pipelined or superscalar architectures could be derived from the sequential specifications mostly by scheduling and without considering bit-vector arithmetic operations, see also section 7.1. The approach is limited to verification examples that do not require an interpretation of functions.

[LO97, LO96] propose an approach to pipeline verification that differs from the technique of [BD94]. The pipeline verification problem is decomposed into smaller, simpler steps by successively "unpipelining" the implementation; the result is a sequential description. The formulas implying the correctness of the individual steps were checked using SVC. Their specialized approach relies on a standard design style and requires that the different parts of the pipeline stages can be extracted.

Footnote 12: [CMR97] developed a decision procedure for fixed-size bit-vectors. The main difference in [BDL98] is that "bitplus" expressions, i.e., addition of bit-vector variables modulo the bit-width, are used as the internal representation in SVC to increase the range of examples that can be verified automatically.

CHAPTER 3 Related Work

Techniques that generate a single formula for the verification problem, which is verified afterwards with a validity checker like SVC, do not distinguish explicitly between the different intermediate symbolic values of the registers: an assignment is accounted for by substituting the assigned symbolic term wherever the register is used afterwards. This can lead to term-size explosion and/or case explosion for sequential verification, especially at the structural level. For example, a large ROM or a control part implemented by multiplexers has to be carried along as an argument after each sequential step, and the corresponding expression may not be simplifiable on the fly. In general, an application to gate-level descriptions is not possible, since in each step the whole gate-level expression has to be substituted, and the resulting formula cannot be checked even with the support of bit-vector arithmetic decision procedures. Furthermore, the information about the sequential behavior is lost, and the debugging information of a counterexample is restricted to an expression over the initial register values. Therefore, in our approach we do not replace the intermediate register values but distinguish them by indices, see section 2.4.
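To make the difference concrete, the following added example (illustration code written for this page, not the thesis's own tool) symbolically simulates a small made-up three-register datapath with a mux-controlled accumulator and an uninterpreted ROM, once by substituting the register terms at every cycle and once by introducing an indexed variable per register and cycle, as in section 2.4, and counts expression-tree nodes in both cases. The design, its register and input names, and the node count as a size measure are assumptions of the example; the count measures the formula as it would be written out or canonized without subterm sharing, and a term graph with sharing grows more slowly, while the nested multiplexers still have to be case-split by the validity checker.

```python
"""Intermediate register values in symbolic sequential simulation: substitute
them away (one big formula over the initial values) or index them (one
equation per register and cycle). Added illustration with a made-up design,
not the thesis's own code."""


def var(name):
    return ('var', name)


def app(f, *args):
    return ('app', f) + tuple(args)


def size(t):
    """Nodes in the expression tree, i.e. the formula written out unshared."""
    if t[0] == 'var':
        return 1
    return 1 + sum(size(a) for a in t[2:])


def next_state(regs, ctrl):
    """One cycle of the assumed design: an accumulator updated under control
    input `ctrl`, a temporary loaded from the accumulator or from a ROM
    (an uninterpreted function, the way a validity checker would see a large
    table), and a program counter."""
    acc, tmp, pc = regs['acc'], regs['tmp'], regs['pc']
    return {
        'acc': app('mux', ctrl, app('add', acc, tmp), acc),
        'tmp': app('mux', ctrl, acc, app('rom', pc)),
        'pc':  app('add', pc, var('one')),
    }


REGS = ('acc', 'tmp', 'pc')


def simulate_by_substitution(cycles):
    """Every cycle substitutes the current register terms into the next-state
    functions, so all values are expressed over acc_0, tmp_0, pc_0 and the
    control inputs. Returns the tree size of the final 'acc' term."""
    regs = {r: var(f'{r}_0') for r in REGS}
    for k in range(cycles):
        regs = next_state(regs, var(f'ctrl_{k}'))
    return size(regs['acc'])


def simulate_by_indexing(cycles):
    """Every cycle gets fresh variables acc_k, tmp_k, pc_k and one equation
    per register; the next-state terms never grow and every intermediate value
    keeps a name a counterexample can report. Returns (equations, total size)."""
    equations = []
    for k in range(cycles):
        cur = {r: var(f'{r}_{k}') for r in REGS}
        nxt = next_state(cur, var(f'ctrl_{k}'))
        for r in REGS:
            equations.append(app('eq', var(f'{r}_{k + 1}'), nxt[r]))
    return equations, sum(size(e) for e in equations)


if __name__ == '__main__':
    print('cycles  substituted acc term  indexed equations (total)')
    for n in range(1, 9):
        print(f'{n:6d}  {simulate_by_substitution(n):20d}'
              f'  {simulate_by_indexing(n)[1]:25d}')
```

With substitution the accumulator term roughly doubles every cycle (6 nodes after one cycle, 141 after four, 5033 after eight), because acc feeds back into both acc and tmp; with indexing the formula is a list of 20 nodes per cycle, and a counterexample assigns a value to every acc_k, tmp_k and pc_k rather than only to the initial registers.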