Verification of Designs Containing Black Boxes - CiteSeerX

Workshop "Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systhemen", Frankfurt, March 2000

Verification of Designs Containing Black Boxes Wolfgang G¨unther

Nicole Drechsler

Rolf Drechsler

Bernd Becker

Institute of Computer Science Albert-Ludwigs-University 79110 Freiburg im Breisgau, Germany fguenther,ndrechsl,drechsle,becker [email protected]

Abstract Often modern designs contain regions where the implementation of certain components is not (fully) known. These regions are called black boxes in the following. They occur e.g. if different designers work on a project in parallel or if IP cores are used. In this paper an approach based on a symbolic representation of characteristic functions for verifying circuits with black boxes is presented. We show that by this method more faults can be detected than with pure binary simulation and symbolic simulation using BDDs, respectively, only. This results from the formulation of our algorithm that allows implications over the black box. Experimental results are given to show what parts of a design can be proven to be correct, if black boxes are assumed. Of course, the probability for the detection of a fault in general depends on the size of the unknown regions. But fault injection experiments on benchmarks show that for many circuits even up to 90% of the faults are detected, even though large parts of the design are unspecified.

1 Introduction Often modern designs contain regions where the functionality and/or implementation of these components is not (fully) known. A design with black boxes in illustrated in Figure 1. Due to the following reasons the so-called black boxes have to be considered during circuit synthesis: 1. Different parts of a circuit have been designed separately, i.e. by several groups or designers. Then it may happen that the implementation of subcircuits is unknown during a phase of the design. 2. In hierarchical synthesis often components are considered as black boxes (see e.g. [8]). 3. More and more complex designs make use of Intellectual Property (IP) [5, 6]. Often the exact implementation is not known due to IP protection. One of the most important tasks in VLSI CAD is to verify the design [10, 4]. Nowadays modern circuit designs can contain several million transistors. For this, also verification of such large designs

x1

x2

x3

x4

x5

x6

x7

Black Box 1

Black Box 2

y1

y2

y3

y4

Figure 1: A design containing Black Boxes becomes more and more difficult, since pure simulation cannot guarantee the correct behavior and exhaustive simulation is too time consuming. It is important to find errors in designs as early as possible to keep the costs of the design moderate. For designs containing black boxes it is therefore desirable that circuits can already be verified early, even though not all components are fully specified. In the approach presented in this paper, Binary Decision Diagrams (BDDs) [1, 4] are the underlying data structure for the verification process. Using a symbolic representation of the circuit implications – based on the characteristic function – over the (functionally unknown) black boxes are possible. The BDD for the characteristic function is constructed for the implemented parts of the design. The outputs of the black boxes are treated as primary inputs. We give a sufficient condition under which all errors in the implemented circuit can be found using this method. Additionally, it is shown that the method is more powerful than pure symbolic simulation based on BDDs. An example is presented pointing out the difficulties resulting from black boxes, i.e. a faulty implementation that seems to be correct when the BDDs for implementation and specification of the outputs are compared separately. However, the errors can be found using our technique based on the characteristic function, since this approach allows to handle the outputs simultaneously. We report on several fault injection experiments for designs containing black boxes (of various size). Surprisingly, for many circuits faults can be found even if the functionality of large parts of the design is unknown. The paper is structured as follows: BDDs and the characteristic function are defined in Section 2. In Section 3 the approach of verifying designs with black boxes is described in detail. Experimental results are given in Section 4. Finally, the results are summarized.

2 Preliminaries

B

B

As is well-known, each Boolean function f : n ! can be represented by a Binary Decision Diagram (BDD) [1, 4], i.e. a directed acyclic graph where a Shannon decomposition

f = xifx =0 + xifx =1 i

(1

i



i n) 

is carried out in each node. A BDD is called ordered if each variable is encountered at most once on each path from the root to a terminal node and if the variables are encountered in the same order on all such paths. A BDD is called reduced if it does neither contain isomorphic sub-graphs nor vertices where both edges point to the same node. Reduced and ordered BDDs are a canonical representation, i.e. for each Boolean function the BDD can be uniquely determined. For functions represented by reduced, ordered BDDs efficient manipulations are possible [1]. In the following, only reduced, ordered BDDs are considered and for briefness these graphs are called BDDs. BDDs are defined analogously for multi-output functions f : n ! m as for the case of single-

B

output functions: A BDD for each component function fj (1  j  representation for f . The variable ordering is fixed for all BDDs. For a Boolean function f : n ! m , the characteristic function f

B

f (x; y) = 1

B

()

B

m) is used for the shared BDD

Bn+m B is defined as x B n ; y Bm :

f (x) = y

8

2

:

!

2

Using BDDs f can be computed using the following equation:

f (x; y) =

m Y j =1

f (x; yj ); j

(1)

where fj can be obtained using the equivalence function.

3 Verification in the Presence of Black Boxes In this section we describe our approach to verify designs containing black boxes. If the functionality of the whole circuit is known to the verification tool, then standard techniques for (combinatorial) verification can be applied. If a complete BDD construction for both the specification and the circuit is possible, a quick comparison to the functionality can be performed [2, 7]. However, if the contents of the black boxes are unknown, a BDD construction is only possible for the surrounding region, and the outputs of the black boxes become additional inputs 1. We will refer to the surrounding circuit as G and to the set of functions it represents as fG in the following. Analogously, spec denotes the specification of the design. Although the functionality of the black boxes is not known, it is often possible to conclude that the surrounding circuit G is faulty. This is demonstrated by the following simple example. 1

By this approach also combinational cycles [3, 9] can be handled easily.

verify(spec, netlist net) f compute G , using additional variables z for the outputs of the black boxes;  := bdd existential quantification(G, z); result := bdd less or equal(spec,  ); return result; 0

0

g

Figure 2: Sketch of the decision procedure Example 1 Consider the circuit given in Figure 1. For input x1 = 0 the value of output y 1 does not depend on the implementation of the black boxes, i.e. y 1 = 0, due to the chain of AND gates on the left hand side. To extract as much of the functionality as possible, the characteristic function for the surrounding circuit is computed, i.e.

G (x; y; z) = 1

,

fG(x; z) = y

where x (y , z ) denotes the set of primary inputs (primary outputs, black box outputs). The correctness of the implementation can be computed as follows: If

x; y : z : spec(x; y) > G(x; y; z);

9

(2)

8

there is definitely an error in the surrounding circuit G. Otherwise, the implementation is correct up to the unknown functionality of the black boxes. In other words, if there is an input assignment x 2 n for which the original circuit and the faulty one have at least one different output value, independent of the implementation of the black boxes (which may have arbitrary functionality), then this error is detected by the characteristic function.

B

The computation of the characteristic function can be done as follows: First, the BDD for the Boolean function of the specification is computed and converted into a characteristic function using Equation (1). For the circuit containing black boxes, the BDD is constructed using additional input variables for the outputs of the black boxes. Note that it is not necessary to compute the functions for the inputs of the black boxes. Then these functions are transformed to a characteristic function using Equation (1) again. Both characteristic functions are compared using the equation    8x; y : spec(x; y)  9z : G(x; y; z) (3)

B

which is the complement of Equation (2), since spec does not depend on variable z 2 k . It can be computed using standard BDD techniques. A sketch of the resulting algorithm is given in Figure 2. In the following, a sufficient condition is given under which the above algorithm is complete. Theorem 1 Assume that each black box is at least connected to all primary inputs of the circuit. Furthermore, assume there is a fault in the surrounding circuit, i.e. there is some x 2 n ; y 2 m with fspec(x) = y and for all possible implementations of the black boxes it holds fimpl (x) 6= y . Then this error is detected by the algorithm.

B

B

Proof: Assume that x and y fulfill the properties of the theorem. Since fspec (x) = y , it follows that

spec(x; y) = 1: Furthermore, assume that an implementation for the black boxes is given by a Boolean function bb. It is known that for all such implementations the value of at least one output is wrong, i.e. fG (x; bb) 6= y . Thus,

G(x; y; bb) = 0:

Since x is constant in this proof and the black box is assumed to be connected to all primary inputs, the Boolean function bb can be replaced by a Boolean vector z which yields

z : spec(x; y) > G(x; y; z);

8

which fulfills the necessary condition of Equation (2) of the algorithm.

2

In the following we want to compare our approach using the characteristic function against symbolic simulation based on BDDs: the BDD is built for one output after another, comparing every time the correctness. The following example demonstrates that some errors cannot be found that can be identified using our approach. Example 2 Consider the function of Figure 3. Obviously, this design cannot realize the identity function y1 = x1 ; y2 = x2 , whatever implementation for the black box is chosen. However, this fault cannot be detected considering the outputs separately, since for each output there is a black box realization creating the correct function: For output y1 , function blackbox (x1 ; x2 ) = x1 results in the correct functionality, for output y2 this can be achieved by blackbox (x1 ; x2 ) = x2 . Thus the fault is not detected by this method. On the other hand, the characteristic function of the specification is

spec(x1 ; x2 ; y1; y2) = (y1 x1 ) 

^

y2 x2 );

(



while the characteristic function of the (faulty) implementation is

G(x1 ; x2 ; y1; y2; z) = (y1 z) 

Using Equation (2) for x1

=

y2 z):

(



x2 = y1 = y2 = 1 yields

spec(1; 1; 1; 1) G(1; 1; 1; 1; z) Thus,

^

=

(1

=

((1



1) ^ (1



z)

^



(1

;

1) = 1



z)) = (z z) = 0: ^

z : spec(1; 1; 1; 1) > G(1; 1; 1; 1; z);

8

i.e. the error in the design is found. As can be seen from this simple example the method proposed in this section is more powerful than symbolic simulation and of course also than “pure” simulation. All in all, it is possible to find errors in the design at an early stage and in the presence of black boxes.

x1 1

x2

Black Box z

y1

y2

Figure 3: A faulty design for the identity function

4 Experimental Results In this section we describe experimental results that have been carried out on a SUN Ultra 2. We used a memory limit of 256 MBytes. All times are given in CPU seconds. The CUDD package [11] was used as underlying BDD package. Analogously to [8], we used the following experimental setup: first, the characteristic function for the benchmark was computed. We will refer to this function as the specification later on. Then several black boxes of a fixed size were randomly selected, i.e. some blocks of connected cells were marked. After that, an error was randomly inserted in the circuit by changing the functionality of one gate, e.g. an AND gate is transformed to an OR gate. Finally, we applied the method proposed in Section 3 to detect the error. The results are given in Table 1. In the first column, the name of the benchmark circuit is given. The next three columns refer to the number of primary inputs, primary outputs, and basic gates, respectively. Column n refers to the number of black boxes, whereas jBB j gives the size of each black box, i.e. the total number of black box gates is n
jBB j. For each circuit up to 100 (dependent on the complexity) fault injection experiments have been carried out to also get an impression on the robustness of the method proposed. The number of trials is given in column trials, and the percentage of errors which were detected is given in the next column. Column jC j refers to the average size of the specification measured in number of BDD nodes. In the last column, the average CPU time is given. As expected, it can be seen that the larger the black boxes become, the less errors can be found. However, even if a high percentage of gates is in the black boxes, it is still possible that many errors can be detected. E.g. for circuit c499 still nearly 50% of the faults can be detected if more than one third of the gates belong to black boxes. For each circuit different choices on the number of black boxes are given to demonstrate this effect. Surprisingly, in almost all cases a large number of faults can still be detected without any assumptions on the functionality of the black box. This allows to identify many errors at an early stage of the design.

5 Conclusions In this paper we presented an algorithm for verifying designs containing black boxes. The method is based on Binary Decision Diagrams (BDDs) and computes the characteristic function of the incom-

circuit alu4 alu4 alu4 alu4 apex7 apex7 apex7 apex7 apex7 comp comp comp comp comp c432 c432 c432 c432 c432 c499 c499 c499 c499 c499 c1355 c1355 c1355 c1355 c1355 dalu dalu dalu dalu dalu term1 term1 term1 term1 term1

in out gates 14 8 672 14 8 672 14 8 672 14 8 672 49 37 408 49 37 408 49 37 408 49 37 408 49 37 408 32 3 315 32 3 315 32 3 315 32 3 315 32 3 315 36 7 203 36 7 203 36 7 203 36 7 203 36 7 203 41 32 275 41 32 275 41 32 275 41 32 275 41 32 275 41 32 619 41 32 619 41 32 619 41 32 619 41 32 619 75 16 6147 75 16 6147 75 16 6147 75 16 6147 75 16 6147 34 10 983 34 10 983 34 10 983 34 10 983 34 10 983

n BB j

1 2 3 4 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5

j

100 100 100 100 10 10 10 10 10 10 10 10 10 10 20 20 20 20 20 20 20 20 20 20 50 50 50 50 50 10 10 10 10 10 50 50 50 50 50

trials detected? 100 0.34 100 0.20 100 0.10 100 0.08 100 0.90 100 0.93 100 0.84 100 0.81 100 0.84 100 0.73 100 0.48 100 0.37 100 0.21 100 0.17 100 0.54 100 0.31 100 0.12 100 0.08 100 0.00 50 0.82 50 0.68 50 0.64 50 0.50 50 0.46 50 0.74 50 0.60 50 0.54 50 0.32 50 0.28 100 0.92 100 0.88 100 0.92 100 0.89 100 0.84 100 0.81 100 0.71 100 0.57 100 0.52 100 0.44

Table 1: Experimental results

C

j

j

1925 1764 1854 1853 14360 14866 12608 10453 10096 125 125 125 125 125 1733 1733 1733 1733 1733 45561 45971 52886 51608 48538 60309 59887 63346 60025 59175 8980 8634 8598 8708 8919 2767 2726 2417 1956 1708

max. time 14.65 s 2.51 s 1.23 s 0.83 s 38.91 s 51.08 s 45.32 s 41.57 s 39.62 s 0.31 s 0.32 s 0.32 s 0.31 s 0.29 s 2.27 s 1.56 s 1.11 s 0.98 s 0.96 s 524.66 s 554.49 s 437.91 s 405.70 s 381.87 s 1146.88 s 400.51 s 361.19 s 319.69 s 321.07 s 15.19 s 32.67 s 40.86 s 55.31 s 119.68 s 1.97 s 2.00 s 1.88 s 1.64 s 1.46 s

plete design, whereas the secondary outputs of the black boxes are treated as primary inputs. This allows to make implications over the black boxes. Additionally, we have proven that our method is more powerful than the straightforward approach to compare the BDDs of the primary outputs separately. In our experiments we considered benchmarks where the black boxes are determined randomly. It has been shown that a large number of faults can be identified using our algorithm, i.e. up to 90% of the errors are identified, even though large parts of the design are not (fully) specified.

Acknowledgement The authors would like to thank Dr. Christoph Scholl for helpful comments on an early version of this paper.

References [1] R.E. Bryant. Graph - based algorithms for Boolean function manipulation. IEEE Trans. on Comp., 35(8):677–691, 1986. [2] R.E. Bryant. Symbolic Boolean manipulation with ordered binary decision diagrams. ACM, Comp. Surveys, 24:293–318, 1992. [3] J.R. Burch, D. Dill, E. Wolf, and G. De Micheli. Modeling hierarchical combinational circuits. In Int' l Conf. on CAD, pages 612–617, 1993. [4] R. Drechsler and B. Becker. Binary Decision Diagrams – Theory and Implementation. Kluwer Academic Publishers, 1998. [5] A.B. Kahng, J. Lach, W.H. Mangione-Smith, S. Mantik, I.L. Markov, M. Potkonjak, P. Tucker, H. Wang, and G. Wolfe. Watermarking techniques for intellectual property protection. In Design Automation Conf., 1998. [6] M. Keating and P. Bricaud. Reuse Methodology Manual for System-on-a-Chip Designs. Kluwer Academic Publishers, 1999. [7] A. Kuehlmann and F. Krohm. Equivalence checking using cuts and heaps. In Design Automation Conf., pages 263–268, 1997. [8] T.-H. Liu, K. Sajid, A. Aziz, and V. Singhal. Optimizing designs containing black boxes. In Design Automation Conf., pages 113–136, 1997. [9] S. Malik. Analysis of cyclic combinational circuits. IEEE Trans. on CAD, 13(7):950–956, 1994. [10] K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publisher, 1993. [11] F. Somenzi. CUDD: CU Decision Diagram Package Release 2.3.0. University of Colorado at Boulder, 1998.