Hardware verification at Computational Logic, Inc. by Brock, Bishop C. & Hunt, Warren A., Jr.
5/7._-- ._
f N91-17571
Hardware Verification
at
Computational Logic, Inc.
Bishop C. Brock
Warren A. Hunt, Jr.
Computational Logic Incorporated
1717 West Sixth Street, Suite 290
Austin, Texas 78703-4776
+1 512 322 9951
Brock@CLI.COM, Hunt@CLI.COM
J
3 August 1990
https://ntrs.nasa.gov/search.jsp?R=19910008258 2020-03-19T19:40:17+00:00Z
\Talk Topics
• Hardware Verification: What Is It?
• Formal Methods: What Good Are They?
• Verification Methodology
• Present Accomplishments
• Expected Near Term Results
• Present Trends
• Future Directions
• Collaborations and Technology Transfer
• Technology Enablers
• Conclusions
J
3 August lgg0
Hardware Verification: What Is It?
The mathematical formalization of the specification of
any (all) aspects of hardware design.
We specifically are interested in the design of
hardware for digital computing.
Goals"
• Completely replace programmer's manuals,
timing diagrams, interface specifications,
power requirements, etc. with clear precise
formulas.
• Provide a perfectly clear foundation upon
which systems can be built.
J
3 August 1990
Formal Methods: What Good Are They?
Formal methods in the U.S. have a bad credit rating.
Over the years, good mechanized software
verification systems have been constructed.
Good software verification tools are being extended to
include hardware verification, thus providing good
systems verification tools.
Hardware verification seems more tractable than
software verification:
• few, repeatedly-used, low-level constructs;
• specification domain is less abstract (fairly
concrete); and
• formal methods can be used incrementally.
Last point is critical, note Bryant's work.
J
3 August 1990
Our Verification Methodology
We employ the Boyer-Moore logic to:
• write design specifications;
• write behavioral specifications; and
• record relations.
The Boyer-Moore theorem prover
• insures that definitions are well formed;
• checks that proofs are correct; and
• manages our evolving database of facts.
J
3 August 1990
Present Accomplishments
Our application of formal methods to hardware
specification and verification include:
• Core RISC specification;
• FM8502 microprocessor verification;
• verification of circuits using standard TTL
components;
• a formalization of a simple HDL; and
• verified synthesis of combinational circuits.
Let us consider several in more detail.
J
3 August 1990
Core RISC
Bill Bevier has formally specified a set of instructions
that characterize a Core RISC-complient processor.
This formalization includes:
• byte, half-word, and long-word memory accesses;
• Boolean, natural number, and integer ALU
operations;
• a minimum register set; and
• an exception mechanism.
The emphasis here has been on mathmatically
modeling the instruction set.
Our study of RISC architectures indicates that we
need to be able to model multi-phase clocking
schemes before we attempt to design a build a
verified Core RISC processor. This effort is ongoing.
J
3 August 1990
The FM8502 Fabrication
Currently, our primary effort involves the fabrication of
the FM8502 microprocessor.
This fabrication effort is a test-of-concept; that is, can
we manufacture formally modeled circuits and get
them working?
The FM8502 microprocessor is a 32-bit general
purpose microprocessor with:
• 32-bit addressing;
• 16 general-purpose registers;
• two-address architecture;
• 5 addressing modes;
• a 16-function ALU
• extensive flag support; and
• little else.
J
3 August 1990
f31 2928 2524 2120191817161514 11109 6 5 4 3 0
OP-CO0_ $TOR6- N Z MOD6_ RBGB 0 UNUSED MODEA REGA
llJ[llli llilll]llltl    lillll
31 2928 2524 2120191817161514 11109 '0
US D OP-COD_ SI"ORNCC C V N Z MODF_ REOB 1 IMMEDIATE
Llllll lal [llltl llkllt ll
MODE OPERAND DESCRIPTION
00 Rn Register Direct
01 (Rn) Register Indirect
10 -(Rn) Register Indirect Pre-decremem
11 (Rn)+ Register Indirect Post-increment
OP-CODE OPERATION DESCRIPTION
0000 b <- a Move
0001 b <- a + I Increment
0010 b <- a+b+c Add withcarry
0011 b <- b+a Add
0100 b <- 0- a Negation
0101 b <- a- ! Decrement
0110 b <- b - a - c Subtract with borrow
0111 b <- b - a Subtract
1000 b <- a >> I Rotate right through carry
1001 b <- a >> 1 Arithmetic shift right
1010 b <- a >> I Logical shift right
1011 b <- bXORa XOR
1100 b <- bOR a OR
II01 b <- bANDa AND
Ill0 b <- NOTa NOT
IIII b <- a Move
STORE-CC CONDITION
0000 Carry clear
0001 Carry set
0010 Overflow clear
0011 Overflow set
0100 Not negative
0101 Negative
Ol I0 Not zero
Ol 1i Zero
1000 Higher
1001 Lower or same
1010 Greater or equal
1011 Less
11 O0 Greater
1101 Less or equal
III0 True
1111 False
J
k
3 August 1090
The FM8502 Implementation
Specification
To be able to manufacture the FM8502 with some
precision, we have been working on the formalization
of an HDL.
We will prove the correctness of our HDL description
of the FM8502, and then translate our HDL
description into a commercial HDL.
Our HDL provides our lowest-level model for the
FM8502 implementation"
• every internal gate and register is described;
• every I/O pad is defined; and
• we expect to validate our test vectors directly on
our HDL description.
Our HDL specification also includes all of the internal
test logic.
J
3 August 1990
The FM8502 Pinout
Below is a pictorial diagram of the FM8502 pinout.
Quite a number of pins are allocated to testing
purposes.
VDD
I
CLK
RESET
HOLD
DTACK
PC[4I
LDPC
TEST
SCAN-IN
TN
TE
RT
RAD[4]
LDRAD
VSS
I
ADDRESS[32]
DATA[32]
HOLDA
RW-
STROBE-
CNTL[6]
FLAGS[4]
SCAN-OUT
TIMING
PO
J
3 August lgg0
A Formal HDL
Our HDL is structured like commercial HDL's:
• netlist based;
• heirarchicaly structured;
• occurence-oriented; and
• allows multiple views of circuits.
We have a formal specification of our HDL:
• a predicate recognizes well-formed circuits; and
• several interpreters define the semantics.
J
3 August 1990
HDL Examples of Circuits
' (HALF-ADDER (A B)
(SUM CARRY)
(( GO (SUM) B-XOR(A B) )
( G1 (CARRY) B-AND (A B) )))
AiDB_ CARRY
The following full-adder specification refers twice to
the half-adder specification above.
' (FULL-ADDER (A B C)
(SUM CARRY)
( ( TO (SUM1 CARRYI) HALF-ADDER(A B) )
( T1 (SUM CARRY2) HALF-ADDER(SUM1 C) )
( T2 (CARRY) B-OR(CARRY1 CARRY2) )) )
A ---1 A CARRY CARRYI
IIALF-ADDER
B --_ B SUM SUM_
C
A CARRY
HALF-ADDER
B SUM
CARRY
SUM
J
3 August 1990
Verified Synthesis
We perform synthesis by
• writing circuit generator programs;
• verifying the circuit generator programs; and
• then running the generators to produce provably
correct circuits.
In other words, after a circuit has been generated we
need not inspect it for the Boolean correctness.
J
3 August 1990
An ALU Generator
We have an arbitrary size, 16-function ALU generator
which is:
• programmable-- ALUs with different internal
structure can be produced;
• "intelligent"--internal buffers are only added when
needed; and
• has been verified to generate correct n-bit, gate-
level ALU descriptions.
Simple translators can convert the ALU descriptions
into conventional CAD languages (e.g., VHDL).
To replay the proof only takes about 20 (Sun 3)
minutes.
J
3 August 1990
fALU Generator Output Summary
Summarized below are some characteristics of the
ALUs generated by our verified ALU generator.
ALU Characteristics
Size Gate Count Fanout Delay
1 bit 126 8 12
2 bits
4 bits
8 bits
16 bits
32 bits
64 bits
128 bits
149
196
297
491
88O
1665
3227
8
8
8
8
8
14
17
22
26
3O
35
39
Payoff: It only takes 0.6 seconds to generate a
correct 32-bit ALU, 1.3 seconds for a 64-bit ALU, and
3.1 seconds for a 128-bit ALU.
J
3 August 1990
Expected Near Term Results
Several projects underway which will conclude this
year are:
• an ability to verify sequential circuits generators;
and
• the fabrication of the FM8502 microprocessor.
We are using both combinational and sequential logic
synthesis techniques in the fabrication of the FM8502.
We will be able to generate a correct n-bit
microprocessor (so long as the word size is large
enough to contain FM8502 instructions.)
We will generate a gate-array specification directly.
We are generating our test-vectors directly from our
formal circuit specifications.
J
3 August 1990
Present Trends
There is increasing interest in:
• boolean comparison -- which should lead the way
to more general purpose techniques;
• register-transfer specifications with circuit
verification;
• formalization of self-timed circuits;
• formalization of timing behavior; and
• transformational systems.
These trends are all indicative of increased use of
formal techniques for hardware specification and
verification.
And these techniques are being applied
incrementally.
J
3 August 1990
Future Directions
In the future we hope to:
• formalize a subset of VHDL (using our Ada
formali;;ation experience);
• perform tool verification (e.g., logic minimizer,
tautology checkers);
• verify a Core RISC microprocessor with memory
management; and
• continue our work on formalizing hardware
interfacing and use specifications.
This last item is hardest and has the biggest payoff.
J
3 August 1990
fIndustrial Collaborations
We have been working with DEC for two years.
Motorola may attempt the specification (and possibly
the verification) of one of their microcontrollers.
Technology Transfer
We highly value interactions with industry; we all
profit.
Our formal techniques may be used incrementally,
i.e., "creeping formalization."
Industry first employs our techniques for
(unambiguous) specification, later for verification.
Specification is a big problem for industry -- formal
specification allows analysis without exhaustive
testing.
J
3 August 1990
Technology Enablers
Is the state-of-the-art separating further from the
state-of-the-practice?
To enable the use of formal techniques in hardware
design we need to:
• train more engineers with formal methods (not train
mathematicians to be engineers);
• make existing tools and techniques more
accessible to engineers; and
• make formal techniques the most economical
method of hardware validation.
A big success or two would help us get industry's
attention.
J
3 August 1990
Conclusions
Formal methods can be used to provide accurate
specifications.
Hardware verification provides increased assurance
of circuit correctness.
Formal techniques provide a good growth path; they
scale up well.
The credit rating of formal techniques is improving.
Goals:
• Completely replace programmer's manuals,
timing diagrams, interface specifications,
power requirements, etc. with clear precise
formulas.
• Provide a perfectly clear foundation upon
which systems can be built.
J
3 August 1990
