Sequential Equivalence Checking Need and

Challenges

- Anmol Mathur
- Chief Architect
- Calypto Design Systems

Outline

- Why sequential equivalence checking?
- Combinational vs sequential equivalence checking
- Existing system-level design/verification flows
- System-level to RTL equivalence checking
- RTL-RTL sequential equivalence checking
- Comparison to sequential property checking
- Taming sequential equivalence checking
- Demonstration of SLEC from Calypto

Combinational Equivalence Checking

- Most prevalent equivalence checking tools

available today - Appropriate for RTL to gate-level verification
- Expects exact 1-1 flop mapping and matching

interfaces

The Power of One-One State Mapping

- Very strong inductive invariant
- Assuming that the one-one mapped flops (and

inputs) are equal at time k, the next state

functions (inputs to flops) and output functions

(mapped primary outputs) are equal at time k1 - No state space analysis required
- Only combinational input constraints and output

dont cares needed

System-Level to GDSII Process Flow

Manual Process

Process Flow

User Control

Limited Control

Broad Control

Broad Control

Levels of Systems

Software

Hardware

Hardware/software Interface verification

SOC

Boundary assertion verification

IP

Block verification

System-level Models

- Higher level of abstraction resulting in faster

simulation turnaround time - Performing architectural tradeoffs and

performance validation - Platform for software development

Functional Verification Landscape

System level

Simulation

RTL-SL co-simulation

- Simulation/emulation based
- verification
- Assertion based verification

RTL level

RTL-gate Equivalence Checking

Gate level

RTL-RTL Equivalence Checking

- Reasons
- Incremental development
- Feature creep
- Performance tuning
- Process migration
- Reuse across projects
- Common Refinements
- Buffer/Cache/Memory resizing
- Tuning cache replacement and coherence algorithms
- Pipeline insertion for performance
- Register retiming

Sequential Equivalence Checking

SLM

Process Flow

Process Flow

RTL

Imp.

User Control

User Control

Limited Control

Broad Control

Broad Control

Limited Control

Broad Control

Broad Control

Sequential Equivalence Checking

SLM

RTL

Interface mapping Interface constraints

SEC

Abstraction mappings

Proved equivalences Counterexamples

Key Advantages of SEC

- Allows complete verification of the RTL with

respect to the SLM (the independently verified

golden model) without testbenches - Verification of the RTL is limited to the

behaviors specified in the SLM - Allows verification of RTL blocks to happen

before the whole RTL or SLM is completed

SEC vs Assertion Checking

- Usability issues with assertion-based RTL

verification - Need to write design properties in a formal

temporal logic - Properties not independently verifiable
- How many properties are enough?
- Capturing input constraints and output dont

cares - Technology issues with assertion-based

verification - Comparing a complete design against a very

incomplete specification (property) - Sequential analysis problem is harder than

equivalence checking of two designs!

Outline

- Why sequential equivalence checking?
- Taming sequential equivalence checking
- Notions of sequential equivalence
- Key technology challenges
- Demonstration of SLEC from Calypto

Combinational vs Sequential EC

Sequential EC

Sequential differences

Combinational EC

Data representation differences

FFs match

Scheduling

- The SLM could perform a computation in parallel

while RTL schedules operations in multiple cycles

with a scheduling FSM - Introduces additional states due to scheduling
- Some operations that can use the same resource

become temporally disjoint resulting in resource

sharing

A

B

C

SLM

O

B

A

C

RTL

reset

clk

o

Micro-architectural Abstractions

- RTL has detailed micro-architectures like
- Scan chains
- Sleep mode logic
- Clock gating
- Memory caches
- Bus-based communication along with bus

arbitration - Serial communication with handshakes

P

C

SLM

P

C

Handshake controller

RTL

Data Type Abstractions

- SLM expression (E) could use C-like data types

such as float, int, long and user defined data

types - RTL expression (E) could use finite precision

bit-vectors (signed/unsigned) to represent

fixed-point data values - RTL may explicitly perform rounding and

truncation on intermediate computations

function sum_of_product( float a, float b,

float c) return a b c

SLM

module sum_of_product(a,b,c, out) input

signed 70 a, b, c wire signed 150

prod wire signed 70 trunc_prod assign

prod a b assign trunc_prod prod gtgt 8

assign out trunc_prod c endmodule

RTL

Notions of Sequential Equivalence

- Cycle-accurate equivalence
- Starting from reset, designs produce identical

outputs every cycle when equal inputs are applied - Sequential hardware equivalence (Pixley)
- Requires equivalence from a set of states reached

via an initializing sequence - Safe replacement (Singhal, Pixley, Aziz, Brayton)
- No assumption about reset states

FSM Refinement

- The states in RTL that correspond to states in

SLM, are referred to as synchronizing states

Sequential Equivalence

- Starting from corresponding reset states, for

corresponding inputs, if the outputs are equal in

all corresponding synchronizing states, then SLM

and RTL are equivalent

Transactions State View

SL transaction

SLM

Refinement mapping

RTL

RTL transaction

- Encapsulates one or more units of computation for

the design being verified - Self-contained since it brings the machine back

to a synchronizing state

Transactions

- Functional decomposition of the behaviors of a

machine - Transaction 1 opcodes ADD, SUB, MULT
- Transaction 2 opcodes DIV, MOD
- Allows sequential verification problem to be

contained - Unconstrained problem is intractable
- Verification plan naturally decomposes behaviors
- Debugging ease
- Allows composition of different behaviors
- Sequential composition
- Parallel composition

Transaction Memory

RD

WR

Design 1

- Design 1 transaction a single memory read/write

occuring in a single cycle - Design 2 transaction single memory read/write

(potentially) happening over multiple cycles

OUT

Design 2

Transaction Equivalence

SLM

T0

T1

T2

- Starting at reset, for corresponding input

sequences, if the design outputs are equal at

transaction boundaries, then the designs are

equivalent - Transactions can be pipelined

RTL

T0

T1

T2

Arithmetic Equivalence

- Exact Equivalence
- For all the possible values in the input space, E

and E evaluate to exactly the same value - Bounded error equivalence
- For all corresponding values in the input spaces

of E and E, - E E lt e
- Infinite precision equivalence
- Ignoring loss of information at any of the

intermediate points in the expressions, the

expressions evaluate the same function

Outline

- Why sequential equivalence checking?
- Taming sequential equivalence checking
- Notions of sequential equivalence
- Key technology challenges
- Specifying interface differences
- Sequential analysis
- High-capacity solvers
- Demonstration of SLEC from Calypto

Specifying Interface Differences

- Specification of input/output dont cares
- Sequential signal relationships
- Combinational relations between signals
- Reset/non-reset values of signals
- Input mappings
- Factoring delay and throughput differences
- Handling protocol differences
- Blocking vs non-blocking communication
- Serial vs parallel communication

Specifying Interface Differences

- Output checks
- Handling latency and throughput differences
- Conditional output checks
- Variable delay or handshake-based checks
- Out-of-order checks
- Specifying transaction boundaries
- When can a new transaction start in the

specification or implementation machine - Only differences in the input and output

interfaces need to be specified,not the actual

input/output protocols

Specifying Interface Differences

- Specifying a transaction requires
- Begin-transaction sequence
- During-transaction invariants
- Ready-for-next-transaction condition
- Output valid condition

clk

reset

RD

ADDR

OUT

out_rdy

transaction

Outline

- Why sequential equivalence checking?
- Taming sequential equivalence checking
- Notions of sequential equivalence
- Key technology challenges
- Specifying interface differences
- Sequential analysis
- High-capacity solvers
- Demonstration of SLEC from Calypto

Sequential Analysis

SLM

T0

T1

T2

RTL

T0

T1

T2

Sequential Analysis Issues

- Efficient machine acceleration
- Cannot afford to replicate next-state/output

functions in unrolling over many cycles - Elimination of pipelining/transient states
- Aligning the machines
- Accounting for data-dependent delay between

synchronizing states - Accounting for out-of-order output checks

Induction and Sequential EC

- Base case
- The corresponding outputs are equal in

transaction 0 assuming the spec and impl machines

start in reset states and the input

mappings/constraints are obeyed - Induction hypothesis
- Assuming that the spec and impl have equal

outputs for the first k transactions assuming

input mappings/constraints, then the outputs will

be identical for the k1 th transaction - Problem
- Corresponding states are no longer known
- Induction using the property that all reachable

states (from reset) have been explored or purely

by using the constraint that the outputs matched

in the first k transactions

Inductive Proofs

- State-based forward induction
- Accumulating reachable synchronizing states

during forward symbolic co-simulation - SAT-based forward reachability
- Output-based induction
- Using equality of outputs in the first k

transactions to prove equivalence of outputs at

the k1 th transaction - Strengthening the induction invariant
- Mapping flops (user-driven or automatic)
- Finding flop maps automatically in the presence

of latency/throughput differences - Automatic refinement of cut flops on

falsification

Reasons for Incomplete Proofs

- Weaker induction hypothesis in sequential EC
- No state point or state mapping typically

available - Harder solver problems generated since the next

state and output checks may require unrolling

across multiple cycles - Reset required for base case over-reset can

cause incomplete proofs - Constraints that span across transactions can

invalidate induction

Bounded Equivalence Checking

- Symbolic simulation of the spec and impl machines

for a fixed number of transactions from reset - Bug-finding mode
- Coverage metrics
- How to quantify confidence in the equivalence of

the machines from a bounded k-transaction proof?

Outline

- Why sequential equivalence checking?
- Taming sequential equivalence checking
- Notions of sequential equivalence
- Key technology challenges
- Specifying interface differences
- Sequential analysis
- High-capacity solvers
- Demonstration of SLEC from Calypto

Solvers

Word-level Solver

Hybrid Solver

Bit-level Solver

Simulation

Word Level Solver

BLS

WLS

- Word-level solver
- Strength proving arithmetic expressions

equivalent - Weakness generating counterexamples
- Bit-level solver (SAT-based)
- Strength proving expressions not equivalent
- Weakness proving arithmetic expressions

equivalent

Finite Precision Reasoning

- The nice algebraic properties of the , are

not true when arithmetic computations are done

using finite precision

wire signed 70 a,b,c wire signed 70

tmp wire signed 80 out assign tmp a

b assign out tmp c

wire signed 70 a,b,c wire signed 70

tmp wire signed 80 out assign tmp b

c assign out tmp a

!

a 27 1 b 1 out -1 c -1

a 27 1 b 1 out 27 1

c -1

Finite Precision Control

- Mixed control-arithmetic reasoning
- Infinite precision canonization
- Combination of theories
- Finite precision arithmetic
- Propositional logic

if ( a b lt 0) x a else if (a b gt 0) x

b else x a b

if ( a -b) x 0 else if ( a gt -b) x

b else if (a lt -b) x a

WLS BLS Interface

- Leveraging word-level information in bit-level

solvers - Exploiting word-level symmetry information
- Using information about bits in a bus for

variable ordering in BDDs and decision ordering

in SAT - Intelligent ordering of bit-level problems based

on word-level analysis

Simulation Formal Solvers

E1

E2

- Simulation intermediate equivalent points
- Word and bit-level solvers work together
- Cut sets based on proven intermediate

equivalences for proof simplification

Open Issues in Solvers

- Efficient identification of PENs in the presence

of latency and throughput differences in the

designs - Which PENs to prove?
- Ordering of PEN proofs
- Use of predicate abstraction to simplify

arithmetic-heavy proofs

Outline

- Why sequential equivalence checking?
- Taming sequential equivalence checking
- Notions of sequential equivalence
- Key technology challenges
- Demonstration of SLEC from Calypto

Frontend Architecture

- Language Neutrality
- Support multiple languages scalably
- Language independent transforms

CPT

CPT to CDB xforms

CDB

SLS Synthesis Engine

SLEC Verification Engine

Future Products

Verification Engine Architecture

Demonstration Example

- DES Encryption Block
- Symmetric key encryption/decryption
- 64 bit data message, 64 bit key
- 16 rounds of computation

RTL System Continuum

- C0 Untimed Functional (C/SystemC)
- C1 Timed Functional (SystemC)
- V2 Serial RTL (Verilog)
- V3 Pipelined RTL (Verilog)

SLEC Setup and Operation

- Two designs are setup and verified for functional

equivalence. - If not equivalent, a short counterexample

demonstrates the differences.

- For common cases, most setup information is

automatically inferred.

SLEC Setup and Operation

- The spec and impl designs are read in.

SLEC Setup and Operation

- Clocks are specified to achieve a common frame of

reference for timing relationships.

- For common cases, clocking information is

automatically inferred.

SLEC Setup and Operation

- Corresponding starting states, usually reset

states, are described.

- Options include reset sequences, reset images,

and explicit state setting.

SLEC Setup and Operation

- Correspondence is established between the design

interfaces, constraining input space and aligning

output comparisons.

- For common cases, interface information is

automatically inferred.

SLEC Setup and Operation

- The designs are verified and either proven

equivalent, or short counterexamples are

generated which demonstrate the differences.

C0 - Untimed Functional Design

- Untimed DES algorithm
- written in C
- wrapped in SystemC.

C0 - Untimed Functional Design

- C/SystemC Design

Simulation

/ DES function. / sc_bvlt64gt des(sc_bvlt64gt

data_in, sc_bvlt64gt key_in, bool decrypt)

sc_bvlt56gt cd0 sc_bvlt64gt lr0, lr16, rl16,

data_out lr0 des_ip(data_in) cd0

des_ic(key_in) lr16 des_compute(lr0, cd0,

decrypt) rl16 (lr16.range(31, 0),

lr16.range(63, 32)) data_out des_iip(rl16)

return data_out / DES function wrapper.

/ SC_MODULE(des_c0) sc_outltsc_bvlt64gt gt

data_out sc_inltsc_bvlt64gt gt data_in,

key_in sc_inltboolgt decrypt_in

SC_CTOR(des_c0) SC_METHOD(evaluate)

sensitive ltlt data_in ltlt key_in ltlt decrypt_in

void evaluate() data_out.write(

des(data_in.read(), key_in.read(),

decrypt_in.read()))

c0gt sim c0 DES C0 ECB Mode Message

Simulation Original message ----gt

Calypto Bridging System and RTL Encrypted

message ----gt f4966ffc92c8df0c 6b6c41c883c70700

615617aac9640b2e 0f434cdf068b53e1 Decrypted

message ----gt Calypto Bridging

System and RTL simulation complete.

V2 - Serial RTL Design

- Verilog RTL implementation
- Throughput 16 cycles.
- Latency 16 cycles.

V2 - Serial RTL Design

- Verilog Design

Simulation

module des_v2_compute(lr_out, lr_in, cd_in,

decrypt_in, rst, clk) output 630 lr_out

input 630 lr_in input 550 cd_in input

decrypt_in, rst, clk reg 30

round_reg reg 630 lr_reg wire 630

lr1, lr2 reg 550 cd_reg wire 550

cd1, cd2 reg decrypt_reg wire

decrypt2 assign lr1 (round_reg 0)? lr_in

lr_reg assign cd1 (round_reg 0)? cd_in

cd_reg assign decrypt2 (round_reg 0)?

decrypt_in decrypt_reg des_round

rnd(lr2,cd2,lr1,cd1,decrypt2,round_reg)

always _at_(posedge clk) if (rst) begin

round_reg lt 0 lr_reg lt 0 cd_reg

lt 0 decrypt_reg lt 0 end else begin

round_reg lt (round_reg15)? 0round_reg

1 lr_reg lt lr2 cd_reg lt cd2

decrypt_reg lt decrypt2 end assign lr_out

lr_reg endmodule // additional modules...

v2gt sim v2 DES V2 ECB Mode Message

Simulation Original message ----gt

Calypto Bridging System and RTL Encrypted

message ----gt f4966ffc92c8df0c eb6c41c883c70700

e15617aac9640b2e 0f434cdf068b53e1 Decrypted

message ----gt CalyptoBridgin'

System and RTL simulation complete.

C0V2 Verification Setup

c0v2 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -systemc c0/des_c0.h build_desi

gn -impl -verilog v2/des_v2.v v2/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 create_constraint -impl -reset -waveform one

impl.rst

create_waveform -name zero -width 1

0 create_constraint impl -waveform zero

impl.rst set_global impl_throughput

16 set_global impl_output_latency 16

verify mode full_proof

C0V2 Verification Setup

c0v2 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -systemc c0/des_c0.h build_desi

gn -impl -verilog v2/des_v2.v v2/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 create_constraint -impl -reset -waveform one

impl.rst

create_waveform -name zero -width 1

0 create_constraint impl -waveform zero

impl.rst set_global impl_throughput

16 set_global impl_output_latency 16

verify mode full_proof

C0V2 Verification Setup

c0v2 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -systemc c0/des_c0.h build_desi

gn -impl -verilog v2/des_v2.v v2/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 create_constraint -impl -reset -waveform one

impl.rst

create_waveform -name zero -width 1

0 create_constraint impl -waveform zero

impl.rst set_global impl_throughput

16 set_global impl_output_latency 16

verify mode full_proof

C0V2 Verification Setup

c0v2 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -systemc c0/des_c0.h build_desi

gn -impl -verilog v2/des_v2.v v2/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 create_constraint -impl -reset -waveform one

impl.rst

create_waveform -name zero -width 1

0 create_constraint impl -waveform zero

impl.rst set_global impl_throughput

16 set_global impl_output_latency 16

verify mode full_proof

C0V2 Verification Setup

c0v2 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -systemc c0/des_c0.h build_desi

gn -impl -verilog v2/des_v2.v v2/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 create_constraint -impl -reset -waveform one

impl.rst

create_waveform -name zero -width 1

0 create_constraint impl -waveform zero

impl.rst set_global impl_throughput

16 set_global impl_output_latency 16

verify mode full_proof

C0V2 Verification Setup

c0v2 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -systemc c0/des_c0.h build_desi

gn -impl -verilog v2/des_v2.v v2/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 create_constraint -impl -reset -waveform one

impl.rst

create_waveform -name zero -width 1

0 create_constraint impl -waveform zero

impl.rst set_global impl_throughput

16 set_global impl_output_latency 16

verify

C0V2 Verification Results

- SLEC falsifies and generates a counterexample

linuxgt slec run.tcl slecgt c0v2

verification ... (abridged results log) slecgt

verify -mode full_proof ORC-PON

Optimized 'impl' netlist ORC-PON

Optimized 'spec' netlist ORC-SDM

Mapping the Specification and Implementation

Hierarchies ... ORC-UDM Unrolling the

design to obtain outputs and flops for

transaction 1. ORC-UDDM Successfully

obtained outputs and flops for transaction 1.

ORC-SSA Starting to perform sequential

analysis. SEQ-STFE Performing Simulation

to find intermediate equivalences ...

SEQ-NPP1 Number of intermediate equivalence

problems proven 1136 SIM-VMM

Simulation verified the falsification for map

'name_mapltspec.data_out,impl.data_o

utgt' in transaction 1. CEG-SGLT Started

generating Verilog testbench for

counter-example... ltWRNgt CEG-UHNP User design

header not provided. SystemC counter-example

testbench will fail to

compile. CEG-FGLT Finished generating

Verilog testbench for counter-example.

SIM-SVF Split VCD files into file 'impl.vcd'

and file 'spec.vcd'. Output-pair spec.data_out

(throughput1, latency0) and impl.data_out

(throughput16, latency16) falsified at

transaction number 1. Summary of key results

Proven Bounded-Proven

Falsified Not-Attempted Output Pairs

0 0 1

0 Flop Pairs 0 0

0 0 498.510u 1.396s

499.906 842.000 66.952m 118.020p (SLEC process

used 118 MB and 499 seconds)

C0V2 Verification Debug

- Mismatch in data_out.
- Single-bit error suggests the bug is likely in

the final permutation, not in the compute rounds.

C0V2 Verification Debug

Verilog Design v2.v

- Mismatch found in the output permutation block

(IIP). - The data_out63 assignment was mistranslated

from the original NIST permutation table. - Should be 64 - 40 24.

/ Data inverse initial permutation

function. / module des_iip(data_out, rl_in)

output reg 630 data_out input 630

rl_in always _at_(rl_in) begin

data_out63 rl_in25 data_out62

rl_in56 data_out61 rl_in16

data_out60 rl_in48 data_out59

rl_in 8 data_out58 rl_in40

data_out57 rl_in 0 data_out56

rl_in32 data_out55 rl_in25

data_out54 rl_in57 data_out53

rl_in17 data_out52 rl_in49 // .

. . end endmodule

C0V2 Verification Debug

Verilog Design v2.v

- Mismatch found in the output permutation block

(IIP). - The data_out63 assignment was mistranslated

from the original NIST permutation table. - Should be 64 - 40 24.
- Correct V2 and re-run SLEC.

/ Data inverse initial permutation

function. / module des_iip(data_out, rl_in)

output reg 630 data_out input 630

rl_in always _at_(rl_in) begin

data_out63 rl_in24 data_out62

rl_in56 data_out61 rl_in16

data_out60 rl_in48 data_out59

rl_in 8 data_out58 rl_in40

data_out57 rl_in 0 data_out56

rl_in32 data_out55 rl_in25

data_out54 rl_in57 data_out53

rl_in17 data_out52 rl_in49 // .

. . end endmodule

C0V2 Verification Results

- Re-running SLEC proves full functional

equivalence

linuxgt slec run.tcl slecgt c0v2

verification ... (abridged results log)

ORC-SDM Mapping the Specification and

Implementation Hierarchies ... ORC-FDM

Finished mapping successfully. SIM-VOM

Simulation successfully validated the specified

output-maps. ORC-UDM Unrolling the

design to obtain outputs and flops for

transaction 1. ORC-UDDM

Successfully obtained outputs and flops for

transaction 1. ORC-SSA Starting to

perform sequential analysis. SEQ-STFE

Performing Simulation to find intermediate

equivalences ... SEQ-NPP Number of

intermediate equivalence problems posed 1136

SEQ-NPP1 Number of intermediate equivalence

problems proven 1136 SEQ-NPF Number

of intermediate equivalence problems falsified

0 SEQ-DOP Completed output proofs for

Transaction Number 1. ORC-FSA Done

performing sequential analysis. Output-pair

spec.data_out (throughput1, latency0) and

impl.data_out (throughput16, latency16) proven

to be equivalent. Summary of key results

Proven Bounded-Proven

Falsified Not-Attempted Output Pairs

1 0 0

0 Flop Pairs 0 0

0 0 slecgt slecgt end of

file 418.865u 1.043s 419.908 728.000 69.957m

78.512p (SLEC process used 78 MB and 419 seconds)

V3 Pipelined RTL Design

- Verilog RTL implementation
- Throughput 4 cycles
- Latency 16 cycles

V3 Pipelined RTL Design

- Verilog Design

Simulation

module des_v3_control(sample_inputs_out,

round0_out, round1_out, round2_out, round3_out,

rst, clk) output reg

sample_inputs_out output reg 30

round0_out, round1_out,

round2_out, round3_out input rst,

clk reg 10 cycle always

_at_(cycle) begin sample_inputs_out (cycle

0)? 1 0 round0_out cycle round1_out

cycle 4 round2_out cycle 8

round3_out cycle 12 end always

_at_(posedge clk) begin if (rst) begin

cycle lt 0 end else begin cycle lt

(cycle 3)? 0 cycle 1 end

end endmodule // additional modules...

v3gt sim v3 DES V3 ECB Mode Message

Simulation Original message ----gt

Calypto Bridging System and RTL Encrypted

message ----gt f4966ffc92c8df0c 6b6c41c883c70700

615617aac9640b2e 0f434cdf068b53e1 Decrypted

message ----gt Calypto Bridging

System and RTL simulation complete.

V2V3 Verification Setup

v2v3 verification run.tcl

- Specify designs
- Specify clocks
- Specify reset state
- Align interfaces
- Verify designs

build_design -spec -verilog v2/des_v2.v

v2/des_common.v build_design -impl -verilog

v3/des_v3.v v3/des_common.v

automatically inferred.

create_waveform -name one -width 1

1 Create_constraint spec reset waveform one

spec.rst create_constraint -impl -reset -waveform

one impl.rst

create_waveform -name zero -width 1

0 create_constraint spec -waveform zero

spec.rst create_constraint impl -waveform

zero impl.rst set_global spec_throughput

4 set_global impl_throughput 16 set_global

spec_output_latency 16 set_global

impl_output_latency 16

verify mode full_proof

V2V3 Verification Results

- Running SLEC proves full functional equivalence

linuxgt slec run.tcl slecgt c0v2

verification ... (abridged results log)

ORC-PON Optimized 'impl' netlist

ORC-PON Optimized 'spec' netlist

ORC-SDM Mapping the Specification and

Implementation Hierarchies ... ORC-FDM

Finished mapping successfully. SIM-VOM

Simulation successfully validated the specified

output-maps. ORC-UDM Unrolling the

design to obtain outputs and flops for

transaction 1. ORC-UDDM

Successfully obtained outputs and flops for

transaction 1. ORC-SSA Starting to

perform sequential analysis. SEQ-STFE

Performing Simulation to find intermediate

equivalences ... SEQ-NPP Number of

intermediate equivalence problems posed 0

SEQ-NPP1 Number of intermediate equivalence

problems proven 0 SEQ-NPF Number of

intermediate equivalence problems falsified 0

SEQ-DOP Completed output proofs for

Transaction Number 1. ORC-FSA Done

performing sequential analysis. Output-pair

spec.data_out (throughput16, latency16) and

impl.data_out (throughput4, latency16) proven

to be equivalent. Summary of key results

Proven Bounded-Proven

Falsified Not-Attempted Output Pairs

1 0 0

0 Flop Pairs 0 0

0 0 248.788u 0.597s

249.385 418.000 104.103m 119.172p (SLEC

process used 119 MB and 249 seconds)

Bridging System and RTL

- C0 Untimed Functional (SystemC)
- V2 Serial RTL (Verilog)
- Design error found and corrected
- Proven equivalent with C0.
- V3 Pipelined RTL (Verilog)
- Proven equivalent with V2.

Summary

- Equivalence checking between system-level models

and RTL will provide a big value to customers by

easing the RTL verification bottleneck - There are significant abstractions in the

system-level models that need to be bridged - The key technology pieces that are required are
- Intuitive specification of interface differences
- Scalable and robust sequential analysis

techniques for proving equivalence - Synergistic use of bit-level, word-level solvers

with simulation - Hardware model extraction from system-level

models