
Equivalence Checking

Henrik Persson, Prover Technology


Agenda

• About Prover Technology
• Introduction to ASIC/FPGA flows
• Equivalence Checking basics
• Issues with Equivalence Checking
• eCheck Tutorial
• eCheck Demo

Confidential © 2001 Prover Technology, Inc.


Prover Technology in Brief

• Founded 1989
• 25 employees
• 3 offices
- Stockholm, Sweden (HQ)
- Toulouse, France
- Palo Alto, US
• Funded by MVI, Intel Capital, etc.
• Main markets: formal verification for EDA and CASE

Prover Technology’s Missions

1. Provide core technology for formal verification
- Key advantage: speed and capacity
2. Help with efficient and correct
modeling of user problems
3. Develop complete end-user tools

Three ways to build a tool

[Diagram: Design Specification -> Translator -> Internal Model representation -> Proof Engine. The Translator and the Internal Model representation are the Interfaces between the user's design and the proof engine.]

Prover provides the proof engine
• Intel
• Esterel Tech.
- Esterel Studio
• iLogix/OSC
- Statemate
• Xilinx
- Coregen

Three ways to build a tool

[Diagram: same structure as above]

Prover provides proof engine and modelling
• Volvo
- Sequence diagrams
• Esterel
- SCADE
• Bombardier
- SVT

Three ways to build a tool

[Diagram: same structure as above]

Prover builds the complete tool
• Ericsson
- FABulous
• eCheck
- Equivalence checker
• sCheck
- Sequential Equivalence checker
• mCheck
- Model checker

ASIC / FPGA development

ASIC development

Application Specific Integrated Circuits

Used in applications with constraints in
• Speed
• Size
• Low power consumption
• Cost per unit in mass production
• One chip – self-contained
• >1 million gates
Used in: Consumer electronics, high-speed
processing, safety-critical systems

FPGA development

Field Programmable Gate Arrays

Configurable/re-programmable circuits, used in applications where
• Circuits may need to be changed
• Speed less important
• Cost per unit for small quantities important
• Size of chip less important
• <1 million gates
Used in: Prototypes for testing, Space/Weapon industry, etc.

First: Focus on FV in ASIC flow

• ASIC flow much more complicated
- Several steps from idea to silicon
- Cost of mistakes often very expensive
• ASIC: Main interest in RTL/gate-gate
• FPGA: Increasing interest in RTL-RTL

ASIC Development Flow

• The design is described in VHDL or Verilog at a high level, and then refined to a low-level representation
- Often in the same language
- Much like compiling C to "assembly C"
• In FV, we disregard physical constraints
- Timing
- Area
- Power consumption
These constraints are often the reason for the modifications.

ASIC Refinement Steps

• Architectural and Behavioural Model
• Refine into Register-Transfer Level (RTL)
• Design For Test insertion (DFT)
- BIST, scan, JTAG
• Synthesis down to gates (Netlist)
• Optimisation
• Scan-chain hook-up
• Place & Route
• Clock-tree insertion
• Engineering Change Order (ECO)

Verifying an ASIC flow

Goals:
• Input two circuit descriptions (RTL or gate level)
• Automated analysis and results: errors identified or proven not to exist
• 100% coverage

[Diagram: Example ASIC Flow. Authoring produces RTL; Synthesis produces Gates; Test Insertion, Chip Optimization and Clock Insertion follow. An FV (equivalence check) step is applied after each transformation in the flow.]


Equivalence Check Advantages

Simulation/testing can be reused
• Your RTL is simulated and tested, but then you modify it: is it still correct?
Easy to test new modifications
• Change clock frequency, modify placement, change RTL, etc.
One Golden Reference Model
• Equivalent to all stages in the design flow, down to the final chip

eCheck advantages

No more functional gate-level simulation

Modify your RTL freely without risk of introducing new bugs

Reuse your verification and testing

Equivalence Checking Basics

• Check modifications in two HDL files
- Size: up to 10 million gates each!
- Wide range of programs often used to create the HDL
- Many small changes, but similar structure
• Equivalence Checking Challenge:
- Partition the problem without loss of (too much) generality
- Model the HDL to validate as many modifications as possible

Simple Representation of HDL

For EC, the HDL can be compiled into the following primitives
• Logical gates (and, or, xor, not, ...)
• A full-adder and a mux
• A flip-flop with asynchronous set/reset
• A latch
• Blackbox-primitives
• A tristate-gate

Two Approaches to EC

Sequential Equivalence Check
• Model check: for all sequences of input, the circuits behave the same
• Can compare completely dissimilar circuits
• Very restricted by circuit size
Combinational Equivalence Check
• Check that all flip-flops are driven by equivalent logic
• Can only compare circuits with similar state structure
• Much less sensitive to circuit size

Combinational Equivalence Checking

Combinational Equivalence

• Find mapping between compare-points
- Flip-flops, latches, blackbox-inputs, outputs
• Prove the "logical cones" equivalent

Logical Cones

[Figure: logic cones between compare points; the slide carries no text]

Consistency

Consistency can be proven:
• If all compare-points in the two circuits are driven by equivalent logic, the two circuits are equivalent
The opposite is NOT true:
• If a compare-point is driven by different logic in the two circuits, the two circuits may still be equivalent
• "False Negative": a weakness of combinational equivalence checking
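The two approaches (Two Approaches to EC) and the consistency argument on this slide, worked through in code. This is an added example written for this edit, not code from the deck or from eCheck: two constructed toy netlists, GOLD (RTL-style) and IMPL (after a synthesis pass that rewrote XOR/OR as AND/OR and pushed a negation through the flip-flop), are checked first combinationally, cone by cone after mapping flip-flop q to qn, and then sequentially by walking the product machine from reset. The netlist format, the designs and every function name are assumptions made for this example.

```python
"""Combinational vs sequential equivalence on constructed toy netlists."""
from itertools import product

# A netlist maps net name -> (op, operands...). Cut points: "in" = primary
# input, "ff" = flip-flop (operands: data net, reset value); the flop's own
# name is its Q output. Gates: and, or, xor, not, buf. All values are 0/1.
GOLD = {
    "a": ("in",), "b": ("in",), "en": ("in",),
    "q":   ("ff", "q_d", 0),
    "q_d": ("xor", "q", "en"),         # toggle register
    "out": ("buf", "q"),
    "any": ("or", "a", "b"),
}
IMPL = {
    "a": ("in",), "b": ("in",), "en": ("in",),
    "qn":   ("ff", "qn_d", 1),          # stores NOT q: negation pushed through the flop
    "nen":  ("not", "en"), "nqn": ("not", "qn"),
    "t1":   ("and", "qn", "nen"), "t2": ("and", "nqn", "en"),
    "qn_d": ("or", "t1", "t2"),         # qn XOR en, as an AND/OR structure
    "out":  ("not", "qn"),
    "na":   ("not", "a"), "nb": ("not", "b"),
    "nab":  ("and", "na", "nb"),
    "any":  ("not", "nab"),             # De Morgan form of a OR b
}
IMPL_BUG = dict(IMPL, nab=("or", "na", "nb"))   # real bug: 'any' becomes a AND b
OUTPUTS = ["out", "any"]
GATES = {"and": lambda x, y: x & y, "or": lambda x, y: x | y,
         "xor": lambda x, y: x ^ y, "not": lambda x: 1 - x, "buf": lambda x: x}


def evaluate(nl, net, env):
    """Value of `net` given `env`: values of all inputs and flop outputs."""
    if net in env:
        return env[net]
    op, *args = nl[net]
    if op in ("in", "ff"):
        raise KeyError(f"cut point {net} missing from env")
    return GATES[op](*(evaluate(nl, a, env) for a in args))


def support(nl, net):
    """Cut points (inputs, flop outputs) the logic cone of `net` depends on."""
    if nl[net][0] in ("in", "ff"):
        return {net}
    return set().union(*(support(nl, a) for a in nl[net][1:]))


def compare_points(nl, outputs):
    """Compare point -> net driving it: primary outputs and flop data inputs."""
    pts = {o: o for o in outputs}
    pts.update({n: d[1] for n, d in nl.items() if d[0] == "ff"})
    return pts


def comb_check(gold, impl, outputs, ff_map):
    """Combinational EC: for each mapped compare point enumerate the cut points
    of both cones and demand identical values. ff_map: gold flop -> impl flop;
    inputs and outputs are assumed to share names. Returns {point: equivalent}."""
    gpts, ipts = compare_points(gold, outputs), compare_points(impl, outputs)
    inv = {i: g for g, i in ff_map.items()}
    result = {}
    for gname, gdrv in gpts.items():
        idrv = ipts[ff_map.get(gname, gname)]
        cut = sorted(support(gold, gdrv) | {inv.get(n, n) for n in support(impl, idrv)})
        result[gname] = True
        for bits in product((0, 1), repeat=len(cut)):
            genv = dict(zip(cut, bits))
            ienv = {ff_map.get(n, n): v for n, v in genv.items()}
            if evaluate(gold, gdrv, genv) != evaluate(impl, idrv, ienv):
                result[gname] = False
                break
    return result


def seq_check(gold, impl, outputs):
    """Sequential EC (model-checking style): walk the product machine from reset
    and require equal outputs in every reachable state for every input vector.
    Needs no flop mapping, but the state space grows exponentially."""
    ins = sorted(n for n, d in gold.items() if d[0] == "in")
    gffs = sorted(n for n, d in gold.items() if d[0] == "ff")
    iffs = sorted(n for n, d in impl.items() if d[0] == "ff")
    start = (tuple(gold[f][2] for f in gffs), tuple(impl[f][2] for f in iffs))
    seen, todo = {start}, [start]
    while todo:
        gs, is_ = todo.pop()
        for bits in product((0, 1), repeat=len(ins)):
            genv = {**dict(zip(ins, bits)), **dict(zip(gffs, gs))}
            ienv = {**dict(zip(ins, bits)), **dict(zip(iffs, is_))}
            if any(evaluate(gold, o, genv) != evaluate(impl, o, ienv) for o in outputs):
                return False
            nxt = (tuple(evaluate(gold, gold[f][1], genv) for f in gffs),
                   tuple(evaluate(impl, impl[f][1], ienv) for f in iffs))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


if __name__ == "__main__":
    print("combinational:", comb_check(GOLD, IMPL, OUTPUTS, {"q": "qn"}))
    print("sequential:", seq_check(GOLD, IMPL, OUTPUTS))
    print("buggy impl, sequential:", seq_check(GOLD, IMPL_BUG, OUTPUTS))
```

Pushing the negation through the flop makes the cone driving out differ (q versus not qn), so the combinational check reports that point as failing although the sequential walk proves the two circuits equivalent from reset: exactly the false negative the slide describes. With IMPL_BUG both checks fail, which is a real bug.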

Issues

• Tristate logic
• Don’t cares
• State encoding
• Retiming
• Sequential propagation
• Combinational loops
• Hierarchical Comparison
• Mapping
• Debugging

Tristate logic

Four valued logic: 0, 1, X, Z
• X – don’t care
- Implicit from RTL (case, undriven nets)
- Explicit from user
• Z – high impedance
- Implicit, e.g. multiple drivers
- Explicit, e.g. tristate buffers
Problem for equivalence checkers
• Synthesis tools instantiate X as seen fit
• Performance
• Makes post-synthesis vs post-synthesis comparison impossible in some cases
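An added illustration of the four-valued logic and of the "synthesis instantiates X as seen fit" problem on this slide; this is example code written for this edit, not eCheck's semantics or code. It models gates over the values "0", "1", "X", "Z", a tristate buffer with wire resolution for multiple drivers, and a gold mux whose unreachable case arms are X next to an implementation in which synthesis used that freedom to build a smaller circuit. The function names and the mux example are assumptions.

```python
"""Four-valued logic (0, 1, X, Z) and an X-aware equivalence compare."""
from itertools import product


def _drive(v):
    """A Z reaching a gate input is indistinguishable from an unknown."""
    return "X" if v == "Z" else v


def and4(a, b):
    a, b = _drive(a), _drive(b)
    if a == "0" or b == "0":
        return "0"                   # a controlling 0 wins even against X
    return "1" if a == "1" and b == "1" else "X"


def or4(a, b):
    a, b = _drive(a), _drive(b)
    if a == "1" or b == "1":
        return "1"
    return "0" if a == "0" and b == "0" else "X"


def not4(a):
    return {"0": "1", "1": "0"}.get(_drive(a), "X")


def tristate(enable, data):
    """Tristate buffer: passes data when enabled, floats (Z) when disabled,
    unknown when the enable itself is unknown."""
    e = _drive(enable)
    if e == "1":
        return _drive(data)
    return "Z" if e == "0" else "X"


def resolve(drivers):
    """Wire resolution for multiple drivers: Z yields to anything; disagreeing
    drivers (or any X) give X. This is the implicit Z/X the slide mentions."""
    active = {v for v in drivers if v != "Z"}
    if not active:
        return "Z"
    return active.pop() if active in ({"0"}, {"1"}) else "X"


def shared_bus(en0, d0, en1, d1):
    """Two tristate drivers on one net."""
    return resolve([tristate(en0, d0), tristate(en1, d1)])


def gold_mux(sel, a, b):
    """RTL-style case on a one-hot select; the unreachable arms are X."""
    if sel == ("1", "0"):
        return a
    if sel == ("0", "1"):
        return b
    return "X"                       # designer says: don't care


def impl_mux(sel, a, b):
    """Synthesis used the freedom: only sel[1] is decoded, a smaller circuit."""
    s0 = sel[1]
    return or4(and4(s0, b), and4(not4(s0), a))


def mismatches(gold_fn, impl_fn, strict):
    """Enumerate two-valued inputs. strict=True demands identical values, so
    every X in gold is a reported difference; strict=False treats a gold X as
    a don't care that any implementation value satisfies."""
    bad = []
    for s1, s0, a, b in product("01", repeat=4):
        g, i = gold_fn((s1, s0), a, b), impl_fn((s1, s0), a, b)
        if g != i and (strict or g != "X"):
            bad.append((s1, s0, a, b))
    return bad


if __name__ == "__main__":
    print("strict:", len(mismatches(gold_mux, impl_mux, True)), "differences")
    print("X as don't care:", len(mismatches(gold_mux, impl_mux, False)), "differences")
    print("bus, both drivers on and conflicting:", shared_bus("1", "1", "1", "0"))
```

A strict comparison flags all eight input vectors where the gold design is X, even though the implementation is a legitimate refinement; the X-aware comparison accepts it. Two post-synthesis netlists that filled in the same X differently have no X left to relax, which is why the slide calls post-synthesis vs post-synthesis comparison impossible in some cases.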

State encoding

Users have described state machines, but left the encoding open
• Binary, One-hot, Gray, ...
• VHDL more explicit compared to Verilog
• Synthesis tools aggressive to meet constraints
- One-hot registers give less load on registers => faster and less power consumption
Equivalence checkers need to deduce the encoding
• Need perfect match in state structure

Retiming

To meet constraints, several things may be needed:
• Reduce logic in between registers to clock flip-flops faster
- Duplication of registers
- Push through negations
- Other retiming/pipelining
• Again, EC needs a perfect match between state elements

Sequential Propagation

Test logic may be inserted that should not affect behaviour when TEST=0
• TEST=0 often needs to reset the test circuitry over several clock cycles
• The equivalence checker needs to propagate this through registers to "realize" that test registers should be removed

Combinational Loops

Combinational loops are inserted as feedback loops through gates
• Give sequential behaviour (memory)
• Master-slave flip-flops
• Various latch constructions
Makes EC harder, whichever choice is made:
• Modelling feedback loops is hard
• Cutting loops using blackboxes is hard
• Extracting flip-flops/latches is hard

Hierarchical Comparison

• Equivalence-check the smaller sub-modules first, then blackbox them and check the rest of the design
- Repeat iteratively
• Problem with cross-boundary
optimisations
• Problem with test-insertion etc.

Mapping

The compare points in design A and design B must be mapped
• Using names, structure, functionality or rules
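The name-based and function-based mapping heuristics mentioned here, as an added example written for this edit rather than eCheck's own heuristic. Each compare point's logic cone is given as a Python callable over three design inputs, so no netlist machinery is needed; the IMPL names imitate what a synthesis tool might do to RTL names (bus index rewriting, generated names for registers it renamed, a duplicated register). The designs, the canonicalisation rules and every function name are assumptions.

```python
"""Compare-point mapping: name heuristic first, functional fingerprint next."""
import re
from itertools import product

# Constructed gold (RTL) and implementation (post-synthesis) compare points.
GOLD = {
    "count_reg[0]": lambda a, b, c: a ^ b,
    "count_reg[1]": lambda a, b, c: (a & b) ^ c,
    "valid":        lambda a, b, c: a | c,
    "done":         lambda a, b, c: a & b & c,
    "flag":         lambda a, b, c: a & b,
}
IMPL = {
    "count_reg_0_": lambda a, b, c: (a & (1 - b)) | ((1 - a) & b),       # XOR as AND/OR
    "count_reg_1_": lambda a, b, c: ((a & b) | c) & (1 - ((a & b) & c)),  # XOR as (p|c)&~(p&c)
    "n17":          lambda a, b, c: 1 - ((1 - a) & (1 - c)),             # 'valid', De Morgan form
    "n23":          lambda a, b, c: a & (b & c),                          # 'done', renamed
    "n31":          lambda a, b, c: a & b,                                # 'flag' ...
    "n32":          lambda a, b, c: b & a,                                # ... and its duplicate
}
INPUTS = 3
VECTORS = list(product((0, 1), repeat=INPUTS))   # exhaustive for 3 inputs


def canonical(name):
    """Normalize renames synthesis tools commonly introduce (assumed rule set):
    drop escape backslashes, lowercase, rewrite a bus index [i] as _i_."""
    n = name.strip("\\").lower()
    return re.sub(r"\[(\d+)\]", r"_\1_", n)


def name_map(gold, impl):
    """Name-based mapping: pair points whose canonical names coincide."""
    by_canon = {canonical(n): n for n in impl}
    return {g: by_canon[canonical(g)] for g in gold if canonical(g) in by_canon}


def fingerprint(fn):
    """Functional signature of a cone: its outputs on the simulation vectors."""
    return tuple(fn(*v) for v in VECTORS)


def function_map(gold, impl, already):
    """Function-based mapping for points the name heuristic left over. A gold
    point is mapped only when exactly one unmapped impl cone has the same
    fingerprint; ambiguous cases (e.g. duplicated registers) stay unmapped."""
    used = set(already.values())
    buckets = {}
    for n, fn in impl.items():
        if n not in used:
            buckets.setdefault(fingerprint(fn), []).append(n)
    found = {}
    for g, fn in gold.items():
        if g not in already:
            cands = buckets.get(fingerprint(fn), [])
            if len(cands) == 1:
                found[g] = cands[0]
    return found


def map_compare_points(gold, impl):
    """Run the heuristics in order; return (mapping, gold points still unmapped)."""
    mapping = name_map(gold, impl)
    mapping.update(function_map(gold, impl, mapping))
    return mapping, sorted(set(gold) - set(mapping))


if __name__ == "__main__":
    m, left = map_compare_points(GOLD, IMPL)
    for g, i in sorted(m.items()):
        print(f"{g:14s} -> {i}")
    print("needs manual mapping:", left)
```

The two count_reg bits are paired by name alone, valid and done only by function, and flag is left for the user because the duplicated register gives two candidates with the same fingerprint. With more inputs the exhaustive VECTORS would be replaced by a sample of random vectors, at which point an equal fingerprint is only a candidate pairing that the comparison step still has to prove.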

Debugging

When a bug is found, how do you fix it?
• In a 1 million gate design with 20,000 flip-flops, you have reduced the search space
• Is it a "false negative" or a real bug?
• Use a schematic viewer with annotated values and the possibility to trace
• Error candidates

Modelling versus Rewriting

Two approaches to validate ASIC/FPGA flows:
• Modelling – find a modelling of HDL which justifies all valid modifications
- Easy to conceive EC correct
- Hard to model all rewriting (e.g. gated clocks)
• Rewriting – add typical modifications as rewriting rules which are applied before checking
- Verification by reverse engineering
- Harder to conceive EC correct
- Easy to add new valid modifications

eCheck Tutorial

eCheck

eCheck Features

• Full Verilog/VHDL (Synthesizable RTL), EDIF, Liberty
• Multi-million gates performance
• Blackboxing
- Memories
- IP-blocks
- Analog blocks
- Blocks with completely different structure
• Constraints
- Disable test logic
- Constrain states

eCheck Features

• Detection of combinational loops
• Support for sequential optimizations
- Negation pushed through flip-flops
- Duplication of registers
• Flip-flop / latch conversions
• Produce independent elaborated netlists
• GUI generates batch-commands
• Powerful mapping heuristic based on
name, structure and functionality
• Available for Windows/Linux/Solaris

eCheck Tool Compatibility

eCheck is tested to work with
• Cadence BuildGates
• Synopsys Design Compiler
• Synplicity
• Get2Chip
• Leonardo Spectrum
• Incentia
• Xilinx ISE
• Altera Quartus
• LogicVision (BIST insertion)
• ASC VBIT (scan insertion)
• ASC vhdl2verilog and verilog2vhdl

Running eCheck

Using eCheck consists of 3 steps
1. Input the design files and configure the project [Configure]
2. Read the designs and map the compare points, usually automatic [Validate]
3. Run the actual comparison of the two designs [Compare]

Step 1: Configure

Input design files
• Common libraries
• Gold design
• Impl design

Configure specific options

Step 2: Validate

Reads the design and automatically maps compare points
• Name-based
• Function-based
• Rule-based

Step 3: Compare

eCheck verification flow

• Parse and elaborate design
- Parse errors, synthesis errors, warnings
• Map inputs, outputs and state-holding elements
- Optionally blackboxes, loops and tristate
- Name-heuristic or functional
• Check logic in between mapped states
• Highlight failing points and give test vectors

Demo

• DES encryption algorithm
- RTL versus post-synthesis
• Small RISC-processor
- post-synthesis netlist versus DFT netlist
- ASC SCAN-insertion
• Small VCR-controller
- Illustrates debugging
