Modern digital electronic circuits are typically designed at the register-transfer (RTL) level in hardware description languages such as Verilog (see “The Verilog Hardware Description Language”, Third Edition, Don E. Thomas and Philip R. Moorby, Kluwer Academic Publishers, 1996) or VHDL (see “A Guide to VHDL”, Stanley Mazor and Patricia Langstraat, Kluwer Academic Publishers, 1992). A circuit description in such a hardware description language can be used to generate logic circuit elements (including logic gates and registers) as described, for example, in U.S. Pat. No. 5,661,661 granted to Gregory and Segal that is incorporated by reference herein in its entirety.
Such hardware description languages facilitate extensive simulation and emulation of the described circuit using commercially available products such as Verilog-XL available from Cadence Design Systems, San Jose, Calif., QuickHDL available from Mentor Graphics, Wilsonville, Oreg., Gemini CSX available from IKOS Systems, Cupertino, Calif., and System Realizer available from Quickturn Design Systems, Mountain View, Calif. These hardware description languages also facilitate automatic synthesis of ASICs (see “HDL Chip Design”, by Douglas J. Smith, Doone Publications, 1996; “Logic Synthesis Using Synopsys”, Pran Kurup and Taher Abbasi, Kluwer Academic Publishers, 1997) using commercially available products such as Design Analyzer and Design Compiler, available from Synopsys, Mountain View, Calif.
As described in “Architecture Validation for Processors”, by Richard C. Ho, C. Han Yang, Mark A. Horowitz and David L. Dill, Proceedings 22nd Annual International Symposium on Computer Architecture, pp. 404-413, June 1995, “modern high-performance microprocessors are extremely complex machines which require substantial validation effort to ensure functional correctness prior to tapeout” (see page 404).
Recently, a formal verification method called bounded model checking (“BMC”) has been used to validate the functional correctness of large digital circuits. For example, the following two references describe BMC, and each is incorporated by reference herein in its entirety:
BMC converts a sequential digital circuit to a C-cycle time-frame-expanded combinational circuit and uses a Boolean satisfiability (“SAT”) algorithm to check whether the time-frame-expanded circuit can violate a pre-determined property, starting from a given initial state. By systematically increasing C from 1 to a pre-determined limit, L, BMC determines the shortest stimulus sequence not greater than L cycles long that will cause the circuit to violate the property, starting from the given initial state, or else determines that no such sequence exists.
Many of the published approaches to SAT algorithms are based on the Davis-Putnam procedure, described in the following references, each of which is incorporated by reference herein in its entirety:
Recently, advances in SAT algorithms have resulted in much faster and more efficient BMC implementations. For example, see the following references, each of which is incorporated by reference herein in its entirety:
In general, the computational complexity of all SAT algorithms known to the inventors is exponential with respect to the maximum stimulus length, L, and also with respect to the number of circuit elements in the circuit under verification (see “Computing Science: Can't get no satisfaction”, by B. Hayes, American Scientist, Vol. 85, pp. 108-112, 1997, and “Computing Science: On the threshold”, by B. Hayes, American Scientist, Vol. 91, pp 12-17, 2003). Therefore, for large L (for example, 100 cycles) and for large circuits (for example, 1,000,000 gates), analysis of a single initial state using the most efficient BMC implementation may require several hours of CPU time using a typical computer available today such as a PowerEdge 1600SC server from Dell, Round Rock, Tex., based on the 2 GHz Xeon microprocessor from Intel, Santa Clara, Calif.
Some large digital circuits are so complex that certain modes of operation of the circuits cannot be reached within the range of analysis of existing BMC methods, starting from a single start state. For example, some large digital circuits contain internal counters which require more than 100 cycles to reach states which are indicative of corner-case modes of operation, starting from the reset state. For this reason, prior-art BMC functional verification methods may fail to detect some defective behaviors of large digital circuits and such circuits may fail when operated in the real world. Therefore, a method is needed which will simplify functional verification using BMC starting from multiple different start states.
A computer is programmed in accordance with the invention to automatically analyze a digital circuit, to check if the digital circuit can enter a target state starting from a start state, by reusing information learned during another analysis, checking if the same digital circuit can enter the same or different target state from a different start state. Use of learned information in accordance with the invention simplifies the analysis of the digital circuit (e.g. by allowing skipping one or more analysis acts). The learned information may be stored in a database. Depending on the embodiment, the two or more analyses may check on operation of the digital circuit for the same or different numbers of cycles.
In accordance with the invention, a computer is programmed to perform functional verification of a digital circuit by repeatedly analyzing a description of the circuit along with input data provided by the user, saving certain information (also called “learned information”) representing invariants learned during the analysis, and using the learned information during subsequent analyses.
In several embodiments, use of learned information as described herein enables the programmed computer to perform its subsequent analysis faster, at least by avoiding repetition of acts in a previous analysis that generated the learned information.
In several examples, the digital circuit that is described in a description to be analyzed by the programmed computer is a sequential digital circuit wherein one or more storage elements (such as registers) are intermixed with Boolean and/or arithmetic operators. In the case of a sequential digital circuit, several embodiments require the user to specify two or more analyses to be performed by the programmed computer, by identifying for each analysis the following: two states of the digital circuit, and a number of cycles of operation of the digital circuit. In these embodiments, the computer is programmed to analyze whether or not the digital circuit can enter one of the user-specified states (also called “target state”) in the user-specified number of cycles of operation (also called “analysis depth”), starting from another of the user-specified states (also called “start state”).
In some embodiments of the invention, the just-described start state can be selected to be any one of a number of states generated during simulation of the digital circuit being analyzed. Operation of the digital circuit is simulated using a commercially available logic simulator, such as the VCS simulator available from Synopsys. During each simulated cycle of operation, the simulator determines the logic values (0 or 1) of the registers of the simulated digital circuit (“simulation state”) and outputs them in a report, and the user simply picks one or more different states in the report to be used as start states.
Several embodiments use certain states from simulation that are automatically selected by a computer programmed to use one or more criteria of the type described in the commonly owned U.S. patent application, [Attorney Docket No. 0IN004 US] entitled “Selection of Initial States for Formal Verification” filed concurrently herewith by James Andrew Garrard Seawright et al. that is incorporated by reference herein in its entirety.
In some embodiments of the invention, a computer programmed to perform functional verification of a digital circuit in accordance with the invention searches for functional defects in the digital circuit by performing analysis to check if the digital circuit can enter one or more predetermined target states in a pre-determined number of cycles of operation, starting from any one of a set of two or more start states pre-determined using simulation.
Also, in several embodiments the user specifies target states, for example, using checkers that flag pre-determined defective behaviors, as described in U.S. Pat. No. 6,175,946 B1, “Method for automatically generating checkers for finding functional defects in a description of a circuit”, Tai An Ly, et al. that is incorporated by reference herein in its entirety. Depending on the embodiment, one or more target states may be identified (either by the user or pre-programmed into a computer) to be the one or more error state(s) of each checker (or a limited set of checkers) in any commonly available library of checkers.
In certain embodiments illustrated in
In certain embodiments, during this first analysis, programmed computer 120 either 1) determines that every possible sequence of input values applied to the inputs of the digital circuit in description 131 fails to cause the digital circuit to enter the first target state in the first number of cycles of operation (e.g. D1 cycles), starting from the first start state, or 2) determines a sequence of logic values to apply to the inputs of the digital circuit to cause the digital circuit to enter the first target state in D1 cycles of operation, starting from the first start state.
Next, in an act 122 (
During this second analysis, programmed computer 120 again either 1) determines that every possible sequence of input values applied to the inputs of the digital circuit in description 131 fails to cause the digital circuit to enter the second target state in the second number of cycles (e.g. D2 cycles) of operation, starting from the second start state, or 2) determines a sequence of logic values to apply to the inputs of the digital circuit to cause the digital circuit to enter the second target state in D2 cycles of operation, starting from the second start state.
In certain embodiments, the process described above in reference to
Although
Furthermore, the first analysis has not completed in act 171, and therefore another part of the first analysis is performed in act 175, followed by saving of the information learned during this part of the first analysis as per act 176. Note that the first analysis part in act 175 uses information that was previously learned in the first analysis part in act 172.
At this stage, the second analysis has also not completed in act 173, and a part of the second analysis is therefore performed as per act 177, followed by saving of the information learned during this part of the second analysis as per act 178. Note that the second analysis part in act 177 uses information that was previously learned in the first analysis part in act 172, the second analysis part in act 174, and the first analysis part in act 176.
Although
In several embodiments, programmed computer 120 performs time-frame expansion of the digital circuit 181 (
Next, the time-frame-expanded circuit 182 (
Regardless of the type of problem expressed, computer 120, when programmed in accordance with the invention, learns during the problem solving process, certain information related to digital circuit 181 that can be used during another analysis of the same digital circuit 181 (“learned invariants”). Learned invariants remain true even if a different start state is used by computer 120, when programmed in accordance with the invention, in a subsequent analysis of the same digital circuit 181, to check if the digital circuit 181 can enter the same or different target state in the same or different analysis depth number of cycles of operation, starting from a different start state.
As noted above, in a number of embodiments, computer 120 is programmed to solve a satisfiability (“SAT”) problem, and several embodiments perform the acts illustrated in
Hereinafter, all references to a functional verification tool are intended to mean an appropriately programmed computer 120 that performs method 200. Such a programmed computer 120 can be, for example, a workstation computer that includes memory (e.g., 512 MB of random access memory) and central processing unit (CPU) of the type well known to a person skilled in the art of electronic design automation (EDA).
Moreover, simulation of the functional behavior of a digital circuit 181 is sometimes described herein as simply simulation of a circuit or simulation. Such simulation can be performed by programming the computer 120 with simulation software, such as Verilog-XL available from Cadence Design Systems, San Jose, Calif., and VCS available from Synopsys, Mountain View, Calif.
In some embodiments of the invention, the functional verification tool performs functional verification of a circuit-under-verification comprising registers, AND, OR, and NOT logic gates and inputs. The circuit-under-verification is represented in an input file as a netlist indicating the type, output node name and input node names of each logic gate and register in the circuit. For example the element “AND (N1,N2,N3)” of a netlist represents a single AND logic gate with a single output node named “N1”, and inputs connected to other nodes named “N2” and “N3”. It will be apparent to a person skilled in the art of EDA in view of this disclosure that any digital circuit can be represented using a netlist containing only registers, AND, OR and NOT logic gates and inputs. Also, various alternative formats for representing a digital circuit as a netlist containing registers, AND, OR and NOT logic gates and inputs will be apparent to a person skilled in the art of EDA in view of this disclosure.
In several embodiments of the invention, the user specifies target states representing pre-determined defective behaviors of the circuit-under-verification. Each target state is characterized by a single target state register being logic value 1. (Logic value 1 is also called “asserted” or “true” and logic value 0 is also called “de-asserted” or “false”.) Regardless of the logic values of all other registers, the circuit-under-verification is considered to be in the target state if the target state register is asserted and the circuit-under-verification is considered not to be in the target state if the target state register is not asserted.
Various alternative forms of target-state specification will be apparent to a person skilled in the art of EDA in view of this disclosure, including forms in which, for the circuit-under-verification to be considered to be in the target state, a subset of registers must be asserted and another subset of registers must be de-asserted and still another subset of registers may be either asserted or de-asserted (“don't care”).
In several embodiments of the invention, the user specifies start states of the circuit-under-verification. Each start state is characterized by a subset of the state registers being de-asserted, a subset of the state registers being asserted, and all other state registers being don't care. Various alternative forms of start-state specification will be apparent to a person skilled in the art of EDA in view of this disclosure, including forms in which every state register is specified as being either de-asserted or asserted.
It will be apparent to a person skilled in the art of EDA in view of this disclosure that the circuit-under-verification may include circuitry to detect the pre-determined defective behaviors. Also, it will be apparent to a person skilled in the art of EDA in view of this disclosure in view of this disclosure that the target states may represent pre-determined behaviors of the circuit-under-verification that are not defective behaviors, for example, the target states may represent corner-case behaviors of the circuit-under-verification which are unusual but not defective, or the target states may represent other states of the circuit-under-verification which are of interest to the user. Also, it will be apparent to a person skilled in the art of EDA in view of this disclosure that the first and second target states may be identical or the first and second target states may be different.
Computer 120 of some embodiments is programmed to receive as input a description of the circuit-under-verification in the format discussed above, and also receive as input at least one target state and at least two different start states in the format discussed above, so that at least a pair of analyses need to be performed. Referring to
Next, in act 203 (
At this stage, if this is the first iteration for the digital circuit 181, clause database 250 typically includes CNF clauses 251 that are based on the netlist, and CNF clauses 253 and 255 that are respectively based on the start and target states. Moreover, at this stage, since this is the first iteration for the digital circuit 181, computer 120 goes from act 205 directly to act 209 to implement a SAT solver (e.g., based on the GRASP algorithm), as illustrated by branch 206 in
In some embodiments illustrated in
Moreover, as would be apparent to the skilled artisan in view of the disclosure, instead of using CNF clauses in a method of the type illustrated in
Therefore, during act 209 (
However, in alternative embodiments, after performance of act 209, another act 211 is performed wherein the newly-learned CNF clauses 257 saved in a repository (also called “archive”) different from the clause database (in addition to being saved in clause database 250). In such embodiments, on performing act 205 two or more times, computer 120 performs act 207 in which all previously learned CNF clauses 257 (
As noted above, just as programmed computer 120 learns and stores CNF clauses during a first analysis using a first start state, it learns and stores additional clauses during the second analysis using a second start state. The programmed computer 120 uses the additional clauses learned during both the first and second analyses to simplify a third and other analyses to check if the digital circuit can enter any of a set of target states in a pre-determined number of cycles of operation, starting from any of a set of start states.
The method of storing clauses learned when applying a SAT solver using a first start state and re-using the learned clauses during SAT analyses using a second, third and additional start states reduces the number of acts required for SAT solver and reduces the total time required for the SAT solver to complete using all start states in a set of start states. Therefore, the method of several embodiments reduces the time required for a programmed computer to automatically check if the digital circuit can enter a state indicative of a pre-determined defective behavior, starting from any of a set of start states, and reduces the time required for functional verification of the digital circuit.
In several embodiments, programmed computer 120 receives as input a description of the digital circuit 181, specifications of a first state, a second state, a third state and a fourth state of the digital circuit 181, wherein the fourth state is different from the second state, and two numbers D1 and D2. The programmed computer 120 performs a first analysis to determine whether at least one sequence of logic values applied to the inputs of the digital circuit causes the digital circuit to enter the first state in D1 cycles of operation, starting from the second state. During the first analysis, the programmed computer learns invariants related to the digital circuit and stores the learned invariants for later use. The programmed computer performs a second analysis to determine whether at least one sequence of logic values applied to the inputs of the digital circuit causes the digital circuit to enter the third state in D2 cycles of operation, starting from the fourth state. The programmed computer of several embodiments uses the learned invariants to simplify the second analysis.
In some embodiments of the invention, the user simulates the circuit-under-verification using a commercially available simulator and a simulation testbench that applies logic values to all inputs of the simulated circuit during each simulated cycle of operation. Starting from a reset state or a user-specified state of the circuit-under-verification, for each simulated cycle, the simulator determines the logic values of all registers in the current cycle based on the logic values of the registers and inputs in the preceding cycle. After each cycle of simulation, the simulator outputs the simulated state of the circuit-under-verification (“simulation state”), comprising the logic values of all registers, to an output file. The user then selects two or more different simulation states to be used in the analysis as start states.
Various alternative methods of determining states of the circuit-under-verification to be used as start states in the analysis will be apparent to a person skilled in the art of EDA in view of this disclosure. For example, the user may manually specify the start states without using a simulator. Various methods of selecting simulation states for analyses will be apparent to a person skilled in the art of EDA in view of this disclosure, including selecting sequential simulation states, selecting simulation states separated by a fixed number of cycles of operation greater than one cycle, randomly selecting simulation states, and selecting simulation states according to a simulation coverage metric such as corner-case coverage, and selecting simulation states according to the method described in the commonly owned U.S. patent application, [Attorney Docket No. 0IN004 US] entitled “Selection of Initial States for Formal Verification” filed concurrently herewith by James Andrew Garrard Seawright et al. that is incorporated by reference herein in its entirety.
In some embodiments of the invention, the user delivers files containing a netlist describing the circuit-under-verification and specifying the target states, the start states, and the analysis depths to the functional verification tool for analysis.
In some embodiments of the invention, the functional verification tool performs time-frame expansion of the netlist of the circuit-under-verification using the procedure shown below. Time-frame-expansion may be done by any well-known prior-art method, and many variants of this time-frame expansion procedure will be apparent to a person skilled in the art of EDA in view of this disclosure.
In some embodiments of the invention, digital circuit 181 is combinational (i.e., contains no state registers). It will be apparent to a person skilled in the art of EDA in view of this disclosure that, in case digital circuit 181 is combinational, the netlist of digital circuit 181 can be used directly in lieu of the time-frame-expanded netlist, without performing the time-frame-expansion procedure.
The following is an exemplary procedure for C-cycle time-frame expansion for a selected target state register of a digital circuit represented as a netlist of logic gates, registers and inputs:
After time-frame expansion using this procedure, the resulting time-frame-expanded netlist represents a combinational circuit (the “time-frame-expanded circuit”). The time-frame-expanded circuit corresponds to C cycles of operation of the original circuit, as follows: For each input “I” of the original circuit, input “I—1” of the time-frame-expanded netlist corresponds to input “I” in the first cycle of operation of the circuit, input “I—2” of the time-frame-expanded netlist corresponds to input “I” in the second cycle of operation of the circuit, etc.
Also, the logic-gate output in the time-frame-expanded netlist corresponding to the target state register after C cycles of operation has the name “Din” suffixed with “_” and the integer C, where “Din” is the name used as the data input of the target state register in the original netlist. Also, each input of each logic gate in the time-frame-expanded netlist that uses the same name as the output of a register in the original circuit corresponds to said register in the first cycle of operation of the original circuit, starting from the start state being analyzed.
In some embodiments of the invention, the functional verification tool converts the time-frame-expanded netlist to a CNF (conjunctive normal form) representation, as illustrated in
Any logic gate can be represented as an equivalent CNF formula. In particular, the logic gates AND, OR and NOT can be represented by the equivalent CNF formulae shown below:
Furthermore, any netlist containing logic gates can be represented as an equivalent CNF formula by replacing each logic gate in the netlist by its equivalent CNF formula. Therefore, to convert the time-frame-expanded netlist to an equivalent CNF formula, the functional verification tool replaces each logic gate in the time-frame-expanded netlist by its equivalent CNF formula, shown above, to form a new CNF formula (hereinafter called the “time-frame-expanded CNF formula”).
Some embodiments generate a clause database from a time-frame-expanded circuit by performing several acts illustrated in
Within the above described loop, a check is made if the current gate is an AND gate (in act 405) and if so, the clause (N1 !N2 !N3)(!N1 N2)(!N1 N3) is added to the clause database (as per act 406). Note that in act 406, N2 and N3 denote the inputs to the AND gate and N1 denotes the output. After performing act 406, control transfers to act 413 (described above). If the answer is no in act 405, a check is made if the current gate is an OR gate (in act 407) and if so, the clause (!N1 N2 N3)(N1 !N2)(N1 !N3) is added to the clause database and control transfers to act 413. If the gate is neither OR gate nor AND gate, then it is checked in act 409 for being a NOT gate, and if so, the clause (N1 N2)(!N1 !N2) is added to the clause database and control transfers to act 413. If the answer is no in act 409, an error is printed, because these embodiments do not handle any devices other than AND, OR and NOT gates.
In some embodiments of the invention, to perform a specific analysis (for example, a first analysis, a second analysis, or a third analysis) to determine whether at least one sequence of logic values applied to inputs of the circuit-under-verification causes the circuit to enter a specific target state (for example, a first target state, a second target state, or a third target state) in D cycles of operation, starting from a specific start state (for example, a first start state, a second start state, or a third start state), the functional verification tool creates a CNF formula (hereinafter called “target CNF formula”) as follows.
Using the netlist of the circuit-under-verification as input, the functional verification tool creates a D-cycle time-frame-expanded netlist for the target state register, as shown above. Then, the functional verification tool converts the D-cycle time-frame-expanded netlist to a time-frame-expanded CNF formula, as shown above. Then, the functional verification tool concatenates the clause “(T)” to the resulting CNF formula, where “T” is the name of the output of the time-frame-expanded netlist corresponding to the target state register. Then, for each register R of the circuit-under-verification, the functional verification tool does the following: if R is asserted in the specification of the specific start state, the functional verification tool concatenates the CNF clause “(R)” to the resulting formula, otherwise, if R is de-asserted in the specification of the specific start state, the functional verification tool concatenates the CNF clause “(!R)” to the resulting formula, otherwise, R is don't care in the specification of the specific start state and the functional verification tool concatenates neither “(R)” nor “(!R)” to the resulting formula.
In some embodiments of the invention, the functional verification tool incorporates a SAT program implementing a prior-art CNF-based SAT algorithm such as GRASP. The SAT program receives as input a target CNF formula created as described above, using a specific target state, a specific start state, and a specific analysis depth D. The functional verification tool uses the SAT program to perform analysis to determine whether at least one assignment of logic values to the variables of the target CNF formula causes the target CNF formula to evaluate to true. Such an assignment of logic values to the variables of the target CNF formula (a “satisfying assignment”) includes assignments of logic values to all inputs of the time-frame-expanded circuit. (“Don't care” variables of the target CNF formula are considered to be assigned to logic value 0 in the satisfying assignment.)
A method of some embodiments described herein to construct the target CNF formula guarantees that, in any satisfying assignment, the inputs of the time-frame-expanded netlist corresponding to registers in the circuit-under-verification must be assigned the logic values specified for those registers in the specific start state and the target output of the time-frame-expanded netlist must be assigned the logic value 1. Therefore, any satisfying assignment corresponds to a sequence of logic values to apply to inputs of the circuit-under-verification to cause the circuit to enter the specific target state in D cycles of operation, starting from the specific start state. It follows that in such embodiments the acts performed by the SAT program determine whether at least one sequence of logic values applied to the inputs of the circuit-under-verification causes the circuit to enter the specific target state in D cycles of operation, starting from the specific start state. Similarly, it follows that in such embodiments the acts performed by the SAT program check if the circuit can enter the specific target state in D cycles of operation, starting from the specific start state.
The SAT problem has been extensively studied and various types of CNF-based SAT algorithms and methods will be apparent to a person skilled in the art of EDA in view of this disclosure. One example of a SAT program (also “example program”) is shown in Appendix A14. The example SAT program is written in the “C++” language and implements a SAT algorithm similar to GRASP. A number of functions that are used in the example SAT program are described at the end of this description, just before the claims.
In some embodiments of the invention, a SAT program (for example, the example program) implementing a CNF-based SAT algorithm stores all the clauses of the target CNF formula in a clause database in the memory of the programmed computer. The SAT program performs acts, as described below just before the claims, including assigning logic values to variables of the target CNF formula as per act 501 (
In act 503, if there is no unsatisfiable clause, the context is pushed, as per act 517, and a case split is performed, identifying a variable to assign as per act 519, and a check is made for any unassigned variables being left as per act 521. If “no” in act 521, then the satisfying assignment is returned in act 523, but if “yes” in act 521, there is an assignment of the case split variable in act 525. Acts 501 et seq. are repeated after each of acts 515 and 525.
Various alternative methods of learning invariants related to the digital circuit will be apparent to person skilled in the art of EDA in view of this disclosure, including “recursive learning”. Various alternative methods of storing the learned clauses will be apparent to a person skilled in the art of EDA in view of this disclosure, including converting the learned clauses into equivalent logic gates (“learned logic gates”) and storing the learned logic gates in the memory of the programmed computer; converting the learned clauses into equivalent “C”, “C++” or “Java” code (“learned code”) and storing the learned code in the memory of the programmed computer; converting the learned clauses into a data-structure to be interpreted by a “C”, “C++” or “Java” program (“learned data structure”) and storing the learned data-structure in the memory of the programmed computer; and storing any of the equivalent forms described above on a peripheral device accessible by the programmed computer. Various alternative methods of performing the other analysis acts described above will be apparent to a person skilled in the art of EDA in view of this disclosure. In particular, prior-art SAT references cited in the “Background” section, above, describe alternative methods for performing these analysis acts.
In some embodiments of the invention, the functional verification tool performing functional verification of the circuit-under-verification performs analysis of the netlist of the circuit-under-verification. The functional verification tool uses a SAT program implementing a CNF-based SAT algorithm to perform a first analysis using a user-specified first target state, a first start state determined during simulation of the circuit-under-verification, and a user-specified first analysis depth D1, to determine whether at least one sequence of logic values applied to the inputs of the circuit-under-verification causes the circuit to enter the first target state in D1 cycles of operation, starting from the first start state. The functional verification tool stores invariants learned during the first analysis (“first learned invariants”) as CNF clauses. The functional verification tool uses the SAT program to perform a second analysis using a user-specified second target state, a second start state different from the first start state, determined during simulation of the circuit-under-verification, and a user-specified second analysis depth D2, to determine whether at least one sequence of logic values applied to the inputs of the circuit-under-verification causes the circuit to enter the second target state in D2 cycles of operation, starting from the second start state.
The SAT program of some embodiments uses the first learned invariants to simplify the second analysis by avoiding repeating analysis acts performed during the first analysis. The functional verification tool stores invariants learned during the second analysis (“second learned invariants”) as CNF clauses. The functional verification tool uses the SAT program to perform a third analysis using a user-specified third target state, a third start state different from both the first start state and the second start state, determined during simulation of the circuit-under-verification, and a user-specified third analysis depth D3, to determine whether at least one sequence of logic values applied to the inputs of the circuit-under-verification causes the circuit to enter the third target state in D3 cycles of operation, starting from the third start state. The SAT program uses the first learned invariants and the second learned invariants to simplify the third analysis by avoiding repeating analysis acts performed during the first analysis and the second analysis.
The method of one embodiment is illustrated herein using a small example: The circuit-under-verification comprises four registers R1-R4, 24 logic gates N1-N24 and two inputs I1-I2 (
In the small example, the analysis depth is equal to two and the target state register is R4 for all of the first, second and third target states, therefore the functional verification tool performs two-cycle time-frame expansion for register R4 of the netlist of the circuit-under-verification according to the procedure above, producing the time-frame-expanded netlist shown in Appendix A2. (The CNF formula corresponding to the time-frame-expanded netlist is shown in Appendix A3.) Inputs I1_1 and I1_2 of the time-frame-expanded netlist correspond to input I1 of the circuit-under-verification in the first and second cycles of operation, respectively. Inputs I2_1 and I2_2 of the time-frame-expanded netlist correspond to input I2 of the circuit-under-verification in the first and second cycles of operation, respectively. Output N24_2 of the time-frame-expanded netlist corresponds to target state register R4 of the circuit-under-verification after two cycles of operation. Inputs R1-R3 of the time-frame-expanded netlist correspond to registers R1-R3, respectively, of the circuit-under-verification in the specific start state to be used in the specific analysis.
For illustrative purposes, the first, second and third analysis depths of the small example are identical and the first, second and third target states of the small example are identical. As a result, the time-frame-expanded netlists used in the first, second and third analyses are identical. It will be apparent to a person skilled in the art of EDA in view of this disclosure that in other examples using the method of certain embodiments of the invention the first, second and third analysis depths may not be identical and that the first, second and third target states may not be identical, and that in such examples the target time-frame-expanded netlists used in the first, second and third analyses may not be identical.
The example program receives as input a file specifying the two-cycle time-frame-expanded netlist for the target register of the circuit-under-verification, a start state, the name of the target output, and (optionally) learned clauses from a previous analysis (“externally learned clauses”). The example program creates a target CNF formula as described above, using the time-frame-expanded netlist, the start state and the target output. The example program concatenates the externally learned clauses, if any, to the target CNF formula. The example program then uses a SAT algorithm similar to GRASP to perform a series of analysis acts to determine whether at least one assignment of logic values to variables of the target CNF formula causes the CNF formula to evaluate to true.
In case the example program determines that every possible assignment of logic values to variables of the target CNF formula fails to cause the CNF formula to evaluate to true, it prints “Inconsistent” and exits. In case the example program finds an assignment of logic values to the variables of the target CNF formula to cause the CNF formula to evaluate to true, it prints “Satisfiable” and reports the assignment of logic values to the variables corresponding to inputs of the time-frame-expanded circuit, which, in turn, correspond to logic values to apply to the inputs of the circuit-under-verification to cause the circuit-under-verification to enter the target state in two cycles of operation, starting from the start state.
In a first analysis of the circuit of the small example, the example program receives as input the file shown in Appendix A4. The start state is characterized by R3 being asserted, R1 and R2 being de-asserted, and R4 being don't care. The target output is N24_2. The program performs a series of analysis acts, producing the output shown in Appendix A5. Specifically, the program performs the following analysis acts:
By determining that there is no satisfying assignment of the variables of the target CNF formula, the example program has also determined that every possible sequence of logic values applied to the inputs of the circuit-under-verification fails to cause R4 of the circuit to be asserted (the target state) in two cycles of operation (the analysis depth D), starting from a state in which R3 is asserted and R1 and R2 are de-asserted (the first start state).
Importantly, the example program learns the following clauses during the first analysis:
Each learned clause represents a learned invariant related to the circuit-under-verification and can be used in other analyses of the circuit using different start states.
The first learned clause shown above represents an invariant related to the circuit-under-verification as follows: When the example circuit-under-verification shown in
Similarly, the second learned clause shown above represents an invariant related to the circuit-under-verification as follows: When the example circuit-under-verification shown in
A learned clause also effectively summarizes the solution of a sub-problem by indicating that certain assignments of logic values to the variables of the target CNF formula (assignments for which each term in the learned clause evaluates to false) cause the entire target CNF formula to evaluate to false. Any other analysis of the circuit-under-verification can avoid solving the sub-problem again by using the learned clause to avoid considering such assignments. The example program uses externally learned clauses by concatenating them to the target CNF formula and performing BCP using the externally learned clauses together with the clauses of the target CNF formula.
In order to understand the simplification that results from using externally learned clauses in a second analysis of the circuit of the small example, consider the sequence of analysis acts performed by the example program in a hypothetical second analysis without using the externally learned clauses from the first analysis. In this hypothetical second analysis, the example program receives as input the file shown in Appendix A6. The start state is characterized by R1, R2 and R3 being de-asserted, and R4 being don't care. The target output is N24_2. The program performs a series of analysis acts, producing the output shown in Appendix A7. Specifically, the program performs the following analysis acts:
Note that acts 5-10 of the hypothetical second analysis using the second start state are identical to acts 5-10 of the first analysis using the first start state.
By determining that the variables of the target CNF formula have no satisfying assignment, the example program has also determined that every possible sequence of logic values applied to the inputs of the circuit-under-verification fails to cause R4 of the circuit to be asserted (the target state) in two cycles of operation (the analysis depth D), starting from a state in which R1, R2, and R3 are all de-asserted (the second start state).
Now, consider the sequence of analysis acts performed by the example program in an actual second analysis of the circuit of the small example according to certain embodiments of the invention. The actual second analysis is similar to the hypothetical second analysis but uses the externally learned clauses from the first analysis. In this actual second analysis, the example program receives as input the file shown in Appendix A8, which includes the externally learned clauses from the first analysis. The start state is characterized by all of R1, R2, and R3 all being de-asserted, and R4 being don't care. The target output is N24_2. The program performs a series of analysis acts, producing the output shown in Appendix A9. Specifically, the program performs the following analysis acts:
Importantly, using the externally learned clauses, the example program correctly determines that the variables of the target CNF formula have no satisfying assignment, and therefore that every possible sequence of logic values applied to the inputs of the circuit-under-verification fails to cause R4 of the circuit to be asserted (the target state) in two cycles of operation (the analysis depth D), starting from a state in which R1, R2 and R3 are all de-asserted (the second start state).
As can be easily seen, the hypothetical second analysis without the externally learned clauses repeats acts 5-10 of the first analysis, but in the actual second analysis, using the two externally learned clauses from the first analysis causes the example program to avoid repeating acts 5-10 of the first analysis, thus simplifying the analysis.
Using the externally learned clauses from the first analysis can similarly simplify an analysis that succeeds in determining a satisfying assignment. In order to understand the simplification that results from using externally learned clauses in a third analysis that succeeds in finding a satisfying assignment, consider the sequence of analysis acts performed by the example program in a hypothetical third analysis of the circuit of the small example without using the externally learned clauses from the first analysis. In this hypothetical third analysis, the example program receives as input the file shown in Appendix A10. The start state is characterized by R1 being asserted, R2 and R3 being de-asserted, and R4 being don't care. The target output is N24_2. The program performs a series of analysis acts, producing the output shown in Appendix A11. Specifically, the program performs the following analysis acts:
Note that acts 5-10 of the hypothetical third analysis using the third start state are identical to acts 5-10 of the first analysis using the first start state.
Note that the satisfying assignment of the variables of the target CNF formula corresponds to the following sequence of logic values to apply to the inputs of the circuit-under-verification to cause the circuit to enter a state with R4 asserted (the target state) in two cycles of operation (the analysis depth D), starting from a state in which R1 is asserted and R2 and R3 are de-asserted (the third start state):
Now, consider the sequence of analysis acts performed by the example program in an actual third analysis of the circuit of the small example according to certain embodiments of the invention. The actual third analysis is similar to the hypothetical third analysis but uses the externally learned clauses from the first analysis. In the actual third analysis, the example program receives as input the file shown in Appendix A12, which includes the externally learned clauses from the first analysis. The start state is characterized by R1 being asserted, R2 and R3 being de-asserted, and R4 being don't care. The target output is N24_2. The program performs a series of analysis acts, producing the output shown in Appendix A13. Specifically, the program performs the following analysis acts:
Importantly, using the externally learned clauses, the example program correctly determines a satisfying assignment of the variables of the target CNF formula, corresponding to a sequence of logic values to apply to the inputs of the circuit-under-verification to cause the circuit to enter a state with R4 asserted (the target state) in two cycles of operation (the analysis depth D), starting from a state in which R1 is asserted and R2 and R3 are de-asserted (the third start state).
As can be easily seen, the hypothetical third analysis without the externally learned clauses repeats acts 5-10 of the first analysis, but in the actual third analysis, using the two externally learned clauses from the first analysis causes the example program to avoid repeating acts 5-10 of the first analysis, thus simplifying the analysis.
Just as storing clauses learned during a first analysis using a first start state and using the stored clauses during a second analysis using a second start state simplifies the second analysis, storing clauses learned during the second analysis using the second start state and using the stored clauses during a third and other analyses using a third and other start states simplifies the third and other analyses, reducing the time required for analysis using each of a large set of start states determined during simulation.
For digital circuits other than the example circuit, the method of certain embodiments of the invention may allow substantially more simplification of the analysis than is illustrated above. For example, during the first analysis, the clause “(!N)” may be learned, where “N” is the name of the target output of the time-frame-expanded netlist. In this case, the first “Propagate” act performed by the example program in the second analysis using the externally learned clause will immediately determine that the variables of the target CNF formula have no satisfying assignment, because, regardless of whether N is asserted or de-asserted, one of the two clauses “(N)” and “(!N)” evaluates to false. In this case, the analysis is greatly simplified.
In general, the more similar the start states are, the more simplification may result from re-using the learned invariants.
For illustrative purposes, the size of the example circuit is small and the depth of analysis is also small, therefore the number of clauses learned during each analysis using each start state is small. For large circuits (for example, circuits containing 10,000 logic gates or more) and for large analysis depths (for example, analysis depths of 10 cycles or more) the number of externally learned clauses may be much greater than shown in this example (for example, 1,000 externally learned clauses or more). Also, the clauses learned during each analysis using each simulation state of a large set of simulation states (for example, 100 simulation states) can be saved and used in every subsequent analysis. As a result, for large circuits, large analysis depths and large sets of simulation states, the number of redundant analysis acts that can be skipped due to using externally learned clauses may be much greater than shown in this example. Therefore, the amount of simplification of the analysis may be much greater than shown in this example.
Therefore, the method of certain embodiments of this invention reduces the time required for a programmed computer to automatically check if the digital circuit can enter a state indicative of a pre-determined defective behavior, starting from any of a set of simulation states. Therefore, the method of certain embodiments of this invention reduces the time required for functional verification of the digital circuit.
Several embodiments of the invention use initial states representing corner-case modes of operation determined during simulation of the digital circuit. During development of a large digital circuit, design verification engineers may develop hundreds of different directed simulation test programs, each targeting a different corner-case behavior. The states of the circuit determined during simulation of the directed simulation tests can be used as initial states representing corner-case modes of operation of the circuit. BMC using initial states determined during simulation is briefly described in “Deep formal verification powers assertions”, Curtis Widdoes and Richard Ho, EEdesign.com, Apr. 18, 2002, and this article is incorporated by reference herein in its entirety.
Several such embodiments simplify BMC analysis using multiple start states (e.g. representing each of several different corner-case modes of operation) by learning information during each BMC analysis using each start state and using the learned information to simplify additional BMC analyses using different start states, thus reducing the time required to perform the additional BMC analyses and reducing the time required for functional verification of the digital circuit.
Several embodiments of the invention simplify and accelerate determination of the “proof radius” of a digital circuit, as described in the commonly owned U.S. patent application, application Ser. No. 10/174,379, [Attorney Docket No. 0IN003 US], filed Jun. 17, 2002, entitled “Measure of Analysis Performed In Property Checking” filed by Jeremy Rutledge Levitt et al. that is incorporated by reference herein in its entirety. Specifically, in such embodiments, by systematically increasing C from 1 up to a finite limit, and repeatedly applying the method of the invention for each value of C, to check if the digital circuit can enter a pre-determined target state in C cycles of operation, starting from a pre-determined start state, determination is made that the proof radius is equal to the finite limit.
In certain embodiments of the invention, if the two start states are different from one another, then the two analyses using the two start states are considered to be different from one another, even if the analyses use the same target state and the same analysis depth, therefore, in such embodiments, learned clauses that are transferred between the two analyses are considered to be externally learned clauses as discussed above. In several such embodiments, a majority of the externally learned clauses have more than three terms.
In certain embodiments of the invention, if the two start states are different from one another, and the two target states are different from one another, and the two analysis depths are different from one another, then the corresponding two analyses are considered to be different from one another, therefore, in such embodiments, learned clauses that are transferred between the two analyses are considered to be externally learned clauses as discussed above.
Numerous modifications and adaptations of the embodiments described herein will be apparent to a person skilled in the art of EDA in view of this disclosure (including the software and documentation in Appendices A1-A14 attached hereto). Other embodiments of a method in accordance with the invention include one or more of the following steps: automatically converting a description of the circuit-under-verification written in either the Verilog or VHDL hardware description language into a netlist representation, using, for example, a commercially available logic synthesis product such as Design Compiler available from Synopsys; optimizing the netlist representation of the circuit-under-verification before the first analysis using the first start state; optimizing the netlist representation of the circuit-under-verification using invariants learned during the first analysis using the first start state; optimizing the CNF formula representing the netlist of the circuit-under-verification before the first analysis using the first start state; optimizing the CNF formula representing the netlist of the circuit-under-verification using invariants learned during the first analysis using the first start state; optimizing the time-frame-expanded netlist of the circuit-under-verification using invariants learned during the first analysis using the first start state; optimizing the CNF formula representing the time-frame-expanded netlist of the circuit-under-verification using invariants learned during the first analysis using the first start state; using invariants learned during the first analysis using the first start state to simplify the second analysis using the second start state, wherein the second analysis uses a different analysis depth than the first analysis; using invariants learned during the first analysis using the first start state to simplify the second analysis using the second start state, wherein the target state of the second analysis is different from the target state of the first analysis; using invariants learned during the first analysis using the first start state to simplify the second analysis using the second start state, wherein the algorithm used for the first analysis is different from a SAT algorithm; and using invariants learned during the first analysis using the first start state to simplify the second analysis using the second start state, wherein the algorithm used for the second analysis is different from a SAT algorithm.
Therefore, many such variations of the embodiments described herein are encompassed by the attached claims.
The following is an explanation of various functions of an example Boolean satisfiability program that is listed in Appendix A14 in file APPENDIXA.txt the attached CD-ROM.
inline void Push (void)
Push( ) checkpoints the current set of assignments, and identifies the checkpoint with the value of the global integer variable “d1”. The value of d1 is then incremented.
void Pop (int bktLevel)
Let integer “bktLevel” be the argument to this function. Pop( ) restores to the current set of assignments the checkpointed set of assignments identified by bktLevel. All checkpoints identified with values greater than or equal to bktLevel are deleted. The global integer variable “d1” is assigned the value of bktLevel.
const ClsC* Propagate (void)
Propagate( ) performs unit propagation. It continuously loops over all the clauses in the global list of clauses, until either (1) an unsatisfiable clause is detected or (2) the list contains no unit clauses. If a unit clause is encountered while looping over the list of clauses, the function performs unit propagation by adding the implied assignment to the set of current assignments. This also converts the unit clause to a satisfied clause. If an unsatisfiable clause is encountered, the function immediately returns the unsatisfied clause. If the list contains no unit clauses or unsatisfiable clauses, the function returns NULL.
VarC* CaseSplit (void)
Loop over the list of variables. Return the first unassigned variable in the list. If all the variables in the list are assigned, return NULL.
int Diagnose (const ClsC* cls)
Diagnose( ) identifies a set of assignments, say A, that is a subset of a checkpointed set of assignments and that logically implies an assignment, say var=˜val, where var=val is in the current set of assignments. A “conflict” clause is built that will unit propagate the assignment var=˜val given the the set of assignments A. The conflict clause is added to the global list of clauses. The function returns the identity of the least recently checkpointed set of assignments in which the conflict clause is a unit clause. The steps performed are:
bool Satisfy (void)
Satisfy( ) is the entry-point to the SAT solver. It loops continuously over the following steps until either a consistent set of assignments for all variables has been found, or the initial variable assignments (i.e. the initial state plus the desired assignment in the target state) are proven to be inconsistent. The steps are:
void Read (char *filename)
Read( ) inputs the unrolled netlist from a file, converting each gate to a set of CNF clauses and adding the clauses to the global list of clauses. The function also reads in the values of the register bits in the initial state and the desired values of the register bits in the target state, and creates unit clauses that unit propagate the values to the corresponding variables.
int main (int argc, char **argv)
main( ) reads in a SAT problem from the file specified on the command line, prints the value of the initial state and calls the SAT solver. If the SAT problem is satisfiable, the satisfying input assignments are printed. The clauses comprising the SAT problem and the “conflict” clauses learned during the analysis performed by the SAT solver are optionally printed depending on the verbosity specified on the command line.
Appendices A1-A14 are located in a single file “APPENDIXA.txt” in one CD-ROM (of which two identical copies are attached hereto), and these appendices form a part of the present disclosure and are incorporated by reference herein in their entirety. Volume in drive D is 030110—1743 Volume Serial Number is 4596-85E4 Directory of D:\ 01/10/2003 11:36a22,979 APPENDIXA.txt1 File(s) 22,979 bytes0 Dir(s)0 bytes free Appendices A1-A14 are described below, in the Detailed Description section. The software in Appendix A14 is used in some embodiments of the invention with a C Compiler, such as GNU Compiler (e.g. gcc 3.2), described on the Internet at http://www.gnu.org/software/gcc/gcc.html. The software may be used to program any computer well known in the art, such as a SUN Solaris 2.7 machine with 500 MB memory, to create a programmed computer embodiment of the type described herein. A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever. This application is related to and incorporates by reference herein in their entirety, each of the following commonly owned and copending U.S. patent applications: Application Ser. No., Unknown, attorney docket [0IN004 US] filed on Jan. 10, 2003, entitled “Selection of Initial States for Formal Verification” by James Andrew Garrard Seawright et al. Application Ser. No. 09/635,598, attorney docket [0IN005-1C US], filed Aug. 9, 2000, entitled “A Method For Automatically Generating Checkers for Finding Functional Defects in a Description of a Circuit” by Tai An Ly et al.; and Application Ser. No. 09/849,005, attorney docket [0IN006-1C US], filed May 4, 2001, entitled “Method for Automatically Searching for Functional Defects in a Description of a Circuit” by Chian-Min Richard Ho, et. al.; and Application Ser. No. 10/174,379, attorney docket [0IN003 US], filed Jun. 17, 2002, entitled “Measure of Analysis Performed In Property Checking” filed by Jeremy Rutledge Levitt et al.