
VLSI DESIGN FLOW: RTL TO GDS

Lecture 19
Formal Verification- III
Sneh Saurabh
Electronics and Communications Engineering
IIIT Delhi
Lecture Plan
Formal Verification
▪ Usage
▪ Model Checking
➢ Verifies whether, for a given model (design), the specifications or a given set of properties are satisfied
▪ Equivalence Checking
➢ Verifies that two representations of the same design exhibit exactly the same behavior

VLSI Design Flow: RTL to GDS NPTEL 2023 S. Saurabh


Formal Verification

Model Checking



Model Checking: Framework
Inputs
▪ Given design in RTL or Netlist
➢ Typically modelled as an FSM
▪ Set of properties that a model checker needs to
verify

Challenges
▪ Model checker needs to verify that the given
property is valid as the FSM evolves through its
states
▪ For 𝑁 state elements: the number of states can be 2^𝑁
▪ This problem is known as the state explosion
problem



Model Checking: Property Specification
▪ Properties are specified in Temporal Logic

Temporal Logic
▪ System properties need time-related specification, in addition to logic-related expressions
▪ Ordering of events is implicit
▪ eventually, never, always, whenever, etc.
▪ Modelled using SystemVerilog Assertions (SVA)
➢ Embed SVA in RTL
➢ Checked by both model checkers and simulators
➢ Can specify assumptions and constraints (to make property checking easier for the tool)

Examples of temporal properties
▪ Whenever a correct password is entered, the door eventually opens
▪ For traffic lights at a given post, one of the red, yellow or green lights is always ON
▪ Whenever a request is made by multiple requesters, it is never granted to more than one requester simultaneously



Model Checking: Techniques
Primary Difficulty:
▪ Exhaustive search becomes difficult due to the state explosion problem
➢ Explicitly enumerating states and representing them as graphs does not scale
▪ A breakthrough came around 1990 when symbolic state-space exploration was proposed:
➢ First it employed BDDs
➢ Later, SAT-based techniques



Formal Verification

BDD-based Model Checking



BDD-based Model Checking: Characteristic Function
Characteristic Function for a set:
▪ Consider an FSM with a finite set of states 𝑄.
▪ Further, consider a subset of states 𝐴 ⊂ 𝑄
➢ 𝐴 can be represented by a Boolean function 𝑓 such that for any state 𝑥 ∈ 𝑄, 𝑓(𝑥) = 1 if
and only if 𝑥 ∈ 𝐴

Example:
▪ Consider an FSM with five states 𝑄 = {𝑠0 , 𝑠1 , 𝑠2 , 𝑠3 , 𝑠4 }.
▪ Let the states be represented by 3 bits {𝑥2 𝑥1 𝑥0 }. We refer to these bits as state bits.
▪ We can encode these states {𝑠0 , 𝑠1 , 𝑠2 , 𝑠3 , 𝑠4 } as {000,001,010,011,100}.
▪ In this representation we can represent the subset of states 𝐴 = {𝑠0, 𝑠2, 𝑠4} as the Boolean
function 𝑓(𝑥2, 𝑥1, 𝑥0) = 𝑥2′𝑥1′𝑥0′ + 𝑥2′𝑥1𝑥0′ + 𝑥2𝑥1′𝑥0′

▪ We can represent a large set using its characteristic function with the help of compact BDDs
▪ We can also compute the transition from a set of states to another set of states very
efficiently using BDDs



BDD-based Model Checking: Transition Relation
▪ Consider an FSM with a set of states 𝑄.
▪ Let us denote the set of input values as 𝐼.
▪ Let us denote the next-state function as 𝑥′ = 𝛿(𝑥, 𝑖) for 𝑥 ∈ 𝑄 and 𝑖 ∈ 𝐼.

Transition relation for an FSM:
▪ The transition can be defined using a transition relation 𝑇(𝑥, 𝑖, 𝑥′) such that 𝑇(𝑥, 𝑖, 𝑥′) = 1 if and only if 𝛿(𝑥, 𝑖) = 𝑥′.
▪ We can represent a transition relation 𝑇(𝑥, 𝑖, 𝑥′) compactly using a BDD
▪ Subsequently, we use the transition relation in BDD-based model checking



BDD-based Model Checking: Image/Preimage
Image of a set of states:
▪ Image for a given set of states 𝑆 is the set of states 𝑆′ that we can reach in one step from 𝑆.
▪ We denote the image computation as 𝑆′ = 𝐼𝑚𝑎𝑔𝑒(𝑆, 𝑇) [𝑇 is the transition relation].

Preimage of a set of states:


▪ Preimage of a set of states 𝑆′ is a set of states 𝑆 from which we can reach 𝑆′ in one step.
▪ We denote preimage computation as 𝑆 = 𝑃𝑟𝑒𝑖𝑚𝑎𝑔𝑒(𝑆′, 𝑇).

▪ For a given set of states, we can compute the image and preimage very efficiently using BDDs.
▪ BDD-based model checking relies on these computations.



BDD-based Model Checking: Computing Reachable States
Input:
▪ Given starting set of states 𝑆0
▪ Transition relation 𝑇(𝑥, 𝑖, 𝑥′)
Output:
▪ Returns the reachable set of states 𝑆𝑟𝑒𝑎𝑐ℎ

1: 𝑆𝑟𝑒𝑎𝑐ℎ ← 𝑆0
2: 𝑆𝑛𝑒𝑤 ← 𝑆0
3: 𝑘 ← 0
4: while (𝑆𝑛𝑒𝑤 ≠ {}) do
5:   𝑘 ← 𝑘 + 1
6:   𝑆𝑘 ← 𝐼𝑚𝑎𝑔𝑒(𝑆𝑛𝑒𝑤, 𝑇)
7:   𝑆𝑛𝑒𝑤 ← 𝑆𝑘 − 𝑆𝑟𝑒𝑎𝑐ℎ
8:   𝑆𝑟𝑒𝑎𝑐ℎ ← 𝑆𝑟𝑒𝑎𝑐ℎ ∪ 𝑆𝑛𝑒𝑤
9: end while
10: return 𝑆𝑟𝑒𝑎𝑐ℎ

▪ The set of reachable states 𝑆𝑟𝑒𝑎𝑐ℎ grows until no more new states are discovered
➢ The algorithm is then said to have attained a fixed point.
▪ States are represented compactly as characteristic functions using BDDs
▪ Canonicity of BDDs eases manipulation
▪ Pre-image computation: the set of all states from which 𝑆0 can be reached.



BDD-based Model Checking: Technique
Example: Suppose it is required to check whether a state satisfying a Boolean function 𝑃 is
reachable from a given initial state 𝑠0 .
▪ Let both the states and the Boolean function 𝑃 be represented in terms of state bits.
▪ A model checker considers a set of states 𝑆𝑃 for which 𝑃 holds.
▪ Let us represent the set 𝑆𝑃 using the characteristic function 𝐶𝐹𝑆𝑃 .
▪ But, 𝐶𝐹𝑆𝑃 = 𝑃 (i.e., the characteristic function of the set of states for which 𝑃 holds is
nothing but 𝑃)
➢ Consider a state 𝑥 for which 𝑃 holds. Therefore, 𝑃(𝑥) = 1 and 𝑥 should belong to 𝑆𝑃 .
Hence, 𝐶𝐹𝑆𝑃 (𝑥) = 1
➢ Consider a state 𝑦 for which 𝐶𝐹𝑆𝑃 (𝑦) = 1 . Therefore, 𝑦 belongs to 𝑆𝑃 and 𝑃 should hold
for it. Hence, 𝑃(𝑦) = 1.
➢ Thus, 𝐶𝐹𝑆𝑃 = 𝑃

▪ Using preimage computation, we can determine the set of all states 𝑆𝑟𝑒𝑎𝑐ℎ′ from which 𝑆𝑃
can be reached.
▪ If 𝑆𝑟𝑒𝑎𝑐ℎ′ includes the initial state 𝑠0, the given property holds.
▪ If 𝑆𝑟𝑒𝑎𝑐ℎ′ does not include the initial state 𝑠0, the given property does not hold.
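As an added worked example (not from the lecture), the following Python realises the characteristic function, image/preimage, the forward fixed point of the reachability algorithm and the preimage-based property check on a constructed 5-state FSM that uses the slide's 3-bit encoding. Explicit sets of bit-tuples stand in for BDDs; the transitions, the trap state 𝑠4 and the properties are my assumptions.

```python
# Constructed example (not from the lecture): the slide's 5-state FSM, states s0..s4
# encoded as (x2, x1, x0) = 000..100, one input bit; transitions and properties are mine.
STATES = {"s0": (0, 0, 0), "s1": (0, 0, 1), "s2": (0, 1, 0),
          "s3": (0, 1, 1), "s4": (1, 0, 0)}
DELTA = {  # next-state function delta(x, i); nothing ever enters s4
    ("s0", 0): "s0", ("s0", 1): "s1",
    ("s1", 0): "s2", ("s1", 1): "s0",
    ("s2", 0): "s3", ("s2", 1): "s1",
    ("s3", 0): "s0", ("s3", 1): "s0",
    ("s4", 0): "s4", ("s4", 1): "s4",
}

# Transition relation T(x, i, x') = 1 iff delta(x, i) = x'.  A BDD-based
# checker stores its BDD; here it is the set of triples on which T is 1.
T = {(STATES[s], i, STATES[DELTA[(s, i)]]) for (s, i) in DELTA}

def characteristic_function(subset):
    """f(x) = 1 iff x is in `subset`; the set is recovered from f and vice versa."""
    return lambda x: 1 if x in subset else 0

def image(S, T):
    """Image(S, T): states reachable from S in one step under some input."""
    return {x_next for (x, _, x_next) in T if x in S}

def preimage(S_next, T):
    """Preimage(S', T): states from which some state of S' is one step away."""
    return {x for (x, _, x_next) in T if x_next in S_next}

def reachable(S0, T):
    """Forward fixed point, following lines 1-10 of the slide's algorithm."""
    s_reach, s_new = set(S0), set(S0)
    while s_new:                       # stop when no new states appear
        s_k = image(s_new, T)
        s_new = s_k - s_reach
        s_reach |= s_new
    return s_reach

def backward_reachable(S_P, T):
    """Same fixed point over preimage: all states from which S_P is reachable."""
    s_reach, s_new = set(S_P), set(S_P)
    while s_new:
        s_new = preimage(s_new, T) - s_reach
        s_reach |= s_new
    return s_reach

def property_reachable(P, s0, T):
    """Is a state satisfying P reachable from s0?  Uses CF(S_P) = P to build S_P."""
    all_states = {x for (x, _, _) in T}
    S_P = {x for x in all_states if P(*x)}
    return STATES[s0] in backward_reachable(S_P, T)
```

With 𝑃 = 𝑥2 (i.e. "𝑠4 is reached") the backward fixed point never contains 𝑠0, so the property does not hold, while 𝑃 = 𝑥1𝑥0 ("𝑠3 is reached") does hold.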
BDD-based Model Checking: Limitations
▪ In the worst case, the size of BDD can be exponential in the number of inputs.
➢ A BDD-based representation of transition relation can blow up with an increase in the
number of state bits.
➢ Different variable orders can be tried

▪ Manual interventions, such as adding constraints, can help.
➢ Simplify the problem for the model checker and make it solvable.



Formal Verification

SAT-based Model Checking



SAT-based Model Checking: Technique
Approach:
▪ Obtain a counterexample of a finite length 𝑛 (𝑛 is the number of clock cycles from the initial
state)
▪ We derive a Boolean function 𝜙𝑛 using the given circuit and the given property such that:
the function 𝜙𝑛 is satisfiable if and only if a counterexample of length 𝑛 exists.
▪ This type of model checking is known as Bounded Model Checking (BMC)
➢ Typically, we carry out BMC iteratively by incrementing 𝑛.
➢ It continues until we have found a counterexample or the problem becomes too
complicated to be handled by the SAT solver.

Mechanism:
▪ To derive 𝜙𝑛, we unfold the behavior of the system one cycle at a time using the next-state
function until it reaches the 𝑛th clock cycle.
▪ The Boolean function 𝜙𝑛 is the logical conjunction (ANDs) of clauses obtained from:
➢ Given initial state.
➢ The system behavior obtained from the next-state function.
➢ A Boolean expression that evaluates to 1 for a counterexample (derived from the given
property).
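As an added example that is not part of the lecture, the following Python builds 𝜙𝑛 as the conjunction of exactly the three kinds of clauses listed above for a constructed 2-bit counter, then runs BMC by incrementing 𝑛. Exhaustive enumeration over the unfolded variables stands in for the SAT solver; the circuit and the property are my assumptions.

```python
from itertools import product

# Constructed example (not from the lecture): a 2-bit counter with an enable
# input en; it increments when en = 1, holds when en = 0 and wraps 3 -> 0.
# Property P: "the counter never reaches 3" (false by design, so BMC finds a
# counterexample at depth n = 3).  Circuit and property are my assumptions.
def init(s):
    """I(s_0): the initial state is counter value 0."""
    return s == 0

def transition(s, en, s_next):
    """T(s, i, s'): 1 iff the next-state function maps (s, en) to s_next."""
    return s_next == ((s + 1) % 4 if en else s)

def bad(s):
    """not P(s): evaluates to 1 exactly for a state that violates the property."""
    return s == 3

def phi_n(n, assignment):
    """phi_n as the AND of clauses over the n-cycle unfolding.

    `assignment` carries a fresh copy of the state for cycles 0..n and one
    input per cycle 0..n-1: the new variables each unfolding step introduces.
    """
    states, inputs = assignment
    clauses = [init(states[0])]
    clauses += [transition(states[k], inputs[k], states[k + 1]) for k in range(n)]
    clauses.append(bad(states[n]))
    return all(clauses)

def bmc(max_depth):
    """Increase n from 0 and return (n, states, inputs) for the first satisfying
    assignment of phi_n, or None if none exists up to max_depth.

    Exhaustive enumeration stands in for the SAT solver; the assignment found
    is the counterexample trace of length n.
    """
    for n in range(max_depth + 1):
        for states in product(range(4), repeat=n + 1):
            for inputs in product((0, 1), repeat=n):
                if phi_n(n, (states, inputs)):
                    return n, list(states), list(inputs)
    return None
```

Running `bmc(2)` finds nothing (no counterexample of length 2 or less), while `bmc(4)` stops at 𝑛 = 3 with the trace 0, 1, 2, 3 under inputs 1, 1, 1.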
SAT-based Model Checking: Merits/Demerits
Merits:
▪ Avoids the memory blow-up of representing transition relations in BDD-based model checking
➢ The unrolled next-state function grows only linearly with the number of cycles BMC traverses.
➢ But the SAT solver can take longer because new variables are introduced at each cycle.
▪ Exploits the power of SAT solvers

Demerits:
▪ Lacks completeness.
➢ In practice, it can quickly find bugs (if they exist)


