# A DE Verification Framework for Asynchronous Circuit Verification

Cuong Chau

ckcuong@cs.utexas.edu

Department of Computer Science

The University of Texas at Austin

January 27, 2017

# Introduction

- 2 The DE Verification System
- 3 Modeling and Verifying Asynchronous Circuits Using the DE System
- 4 Asynchronous Serial Adder Verification

### 5 Conclusions

# Introduction

- 2 The DE Verification System
- 3 Modeling and Verifying Asynchronous Circuits Using the DE System
- 4 Asynchronous Serial Adder Verification

#### 5 Conclusions

Synchronous circuits (Clocked circuits): changes in the state of storage elements are synchronized by **a global clock signal**.

Asynchronous circuits (Self-timed circuits): there is no global clock signal distributed in asynchronous circuits. The communication between components is performed via **local communication protocols**.

Synchronous circuits (Clocked circuits): changes in the state of storage elements are synchronized by **a global clock signal**.

Asynchronous circuits (Self-timed circuits): there is no global clock signal distributed in asynchronous circuits. The communication between components is performed via **local communication protocols**.

Why asynchronous?

Synchronous circuits (Clocked circuits): changes in the state of storage elements are synchronized by **a global clock signal**.

Asynchronous circuits (Self-timed circuits): there is no global clock signal distributed in asynchronous circuits. The communication between components is performed via **local communication protocols**.

Why asynchronous?

- Low power consumption,
- High operating speed,
- Better composability and modularity,

• ...

- Leveraging existing work in the clocked design paradigm.
- Developing new approaches for modeling and verifying asynchronous systems in ACL2. Dealing with:

- Leveraging existing work in the clocked design paradigm.
  - The DE verification system [W. Hunt, 2000].
- Developing new approaches for modeling and verifying asynchronous systems in ACL2. Dealing with:

- Leveraging existing work in the clocked design paradigm.
  - The DE verification system [W. Hunt, 2000].
- Developing new approaches for modeling and verifying asynchronous systems in ACL2. Dealing with:
  - no global clock signal,

- Leveraging existing work in the clocked design paradigm.
  - The DE verification system [W. Hunt, 2000].
- Developing new approaches for modeling and verifying asynchronous systems in ACL2. Dealing with:
  - no global clock signal,
  - local communication protocols,

- Leveraging existing work in the clocked design paradigm.
  - The DE verification system [W. Hunt, 2000].
- Developing new approaches for modeling and verifying asynchronous systems in ACL2. Dealing with:
  - no global clock signal,
  - local communication protocols,
  - non-deterministic behavior due to variable delays in wires and gates.

## Introduction

- 2 The DE Verification System
- 3 Modeling and Verifying Asynchronous Circuits Using the DE System
- 4 Asynchronous Serial Adder Verification

#### 5 Conclusions

A DE description is an ACL2 constant containing an **ordered list of modules**, which we call a **netlist**.

A DE description is an ACL2 constant containing an **ordered list of modules**, which we call a **netlist**.

Each module consists of five elements: a netlist-unique module name, inputs, outputs, internal states, and occurrences.

A DE description is an ACL2 constant containing an **ordered list of modules**, which we call a **netlist**.

Each module consists of five elements: a netlist-unique module name, inputs, outputs, internal states, and occurrences.

Each occurrence consists of four elements: a module-unique occurrence name, outputs, **a reference to a primitive or defined module**, and inputs.



```
(defconst *half-adder*
'((half-adder ;; module name
 (a b) ;; module inputs
 (sum carry) ;; module outputs
 () ;; internal states
 ;; occurrences
 ((g0 ;; occurrence name
   (sum) ;; occurrence outputs
   b-xor ;; a primitive reference
   (a b)) ;; occurrence inputs
   (g1 (carry) b-and (a b))))))
```

The evaluation of a DE netlist eventually results in the interpretation of **primitives**, which are specified in the DE primitive database.

- Logic gates: AND, OR, NOT, XOR,...
- State-holding primitives: latches, flip-flops,...



< ∃⇒

Image: A matrix and a matrix

æ

```
(defconst *full-adder*
(cons
'(full-adder
 (a b c)
 (sum carry)
 ()
 ((t0 (sum1 carry1) half-adder (a b))
 (t1 (sum carry2) half-adder (sum1 c))
 (t2 (carry) b-or (carry1 carry2))))
```

```
*half-adder*))
```

э



э

(日) (四) (日) (日) (日)

```
(defconst *one-bit-counter*
(cons
'(one-bit-counter
  (clk carry-in reset-)
  (out carry)
  (g0)
  ((g0 (out out~) fd1 (clk sum-reset-))
   (g1 (sum carry) half-adder (carry-in out))
  (g2 (sum-reset-) b-and (sum reset-))))
```

```
*half-adder*))
```

The DE simulator is composed of two sets of mutually recursive functions.

• The se function computes the **outputs** of a module being evaluated given its inputs and its current state.

The DE simulator is composed of two sets of mutually recursive functions.

• The se function computes the **outputs** of a module being evaluated given its inputs and its current state. The se-occ function, which is mutually recursive with se, iteratively computes the **outputs** of each occurrence declared in the module.

The DE simulator is composed of two sets of mutually recursive functions.

- The se function computes the **outputs** of a module being evaluated given its inputs and its current state. The se-occ function, which is mutually recursive with se, iteratively computes the **outputs** of each occurrence declared in the module.
- The de function computes the **next state** of a module being evaluated given its inputs and its current state.

The DE simulator is composed of two sets of mutually recursive functions.

- The se function computes the **outputs** of a module being evaluated given its inputs and its current state. The se-occ function, which is mutually recursive with se, iteratively computes the **outputs** of each occurrence declared in the module.
- The de function computes the **next state** of a module being evaluated given its inputs and its current state. The de-occ function, which is mutually recursive with de, iteratively computes the (possibly empty) **next state** of each occurrence declared in the module.

The DE verification system supports hierarchical verification:

• If a module doesn't have an internal state (purely combinational), only the value lemma needs to be proven.

- If a module doesn't have an internal state (purely combinational), only the value lemma needs to be proven.
- These lemmas are used to prove the correctness of yet larger modules containing these submodules, without the need to dig into any details about the submodules.

- If a module doesn't have an internal state (purely combinational), only the value lemma needs to be proven.
- These lemmas are used to prove the correctness of yet larger modules containing these submodules, without the need to dig into any details about the submodules.

This approach has been demonstrated its **scalability** to large systems, as shown on contemporary x86 designs at Centaur Technology [A. Slobodova et al., 2011].

# 1 Introduction

2 The DE Verification System

## 3 Modeling and Verifying Asynchronous Circuits Using the DE System

Asynchronous Serial Adder Verification

#### 5 Conclusions

- No global clock signal
- Local communication protocols

• Non-deterministic behavior

• No global clock signal

 $\Rightarrow$  Every state-holding device is governed by its own clock signal.

• Local communication protocols

• Non-deterministic behavior

No global clock signal

 $\Rightarrow$  Every state-holding device is governed by its own clock signal.

- Local communication protocols
  - $\Rightarrow$  Modeling the link-joint interface introduced by Roncken et
  - al. [M. Roncken et al., 2015].
- Non-deterministic behavior

No global clock signal

 $\Rightarrow$  Every state-holding device is governed by its own clock signal.

- Local communication protocols
  - $\Rightarrow$  Modeling the link-joint interface introduced by Roncken et
  - al. [M. Roncken et al., 2015].
- Non-deterministic behavior
  - $\Rightarrow$  Employing an oracle.

## The Link-Joint Interface



<□▶ <□▶ < □▶ < □▶ < □▶ < □ > ○ < ○

## The Link-Joint Interface



January 27, 2017 18 / 32

Hierarchical verification is still applicable and critical to asynchronous circuit verification.

э

Hierarchical verification is still applicable and critical to asynchronous circuit verification.

Asynchronous modules are treated as **communication links** that communicate with each other via local communication protocols.

#### Async Modules vs. Primitive Links



Cuong Chau (UT Austin)

Asynchronous Circuit Verification

## Async Modules vs. Primitive Links



# Async Modules vs. Primitive Links

#### Communication status:

**Async modules:** full, empty, both full and empty, not ready (neither full nor empty).

**Primitive links:** either full or empty.

#### Communication signals:

**Async modules** use separate incoming and outgoing communication signals.

**Primitive links** only need one signal for both incoming and outgoing communications.



• Computing **invariance properties** in asynchronous systems becomes much more complicated and less systematic.

- Computing **invariance properties** in asynchronous systems becomes much more complicated and less systematic.
- Non-determinism results in asynchronous circuits having a large state space.

- Computing **invariance properties** in asynchronous systems becomes much more complicated and less systematic.
- Non-determinism results in asynchronous circuits having a large state space.

Simplifying the verification task by reducing non-determinism, and consequently reducing the state space.

- Computing **invariance properties** in asynchronous systems becomes much more complicated and less systematic.
- Non-determinism results in asynchronous circuits having a large state space.

Simplifying the verification task by reducing non-determinism, and consequently reducing the state space.

• Imposing extra sequential dependencies among operations in asynchronous circuits.

- Computing **invariance properties** in asynchronous systems becomes much more complicated and less systematic.
- Non-determinism results in asynchronous circuits having a large state space.

Simplifying the verification task by reducing non-determinism, and consequently reducing the state space.

 Imposing extra sequential dependencies among operations in asynchronous circuits. In particular, a module is ready to communicate with other modules only if it finishes all of its internal operations and becomes quiescent.

#### 1 Introduction

- 2 The DE Verification System
- 3 Modeling and Verifying Asynchronous Circuits Using the DE System

#### 4 Asynchronous Serial Adder Verification

#### 5 Conclusions



## Ripple-Carry Adder



æ

▶ < ∃ >

< (17) × <



Goal: Given an appropriate initial condition, prove that the asynchronous serial adder produces the same result with the ripple-carry adder.









Cuong Chau (UT Austin)

Asynchronous Circuit Verification

# Dependency



## Dependency



January 27, <u>2017</u>

**A** ► <

э

#### $lnputs = ((\dots go-a0 go-b0) (\dots go-a1 go-b1) \dots)$

Inputs = ((... go-a0 go-b0) (... go-a1 go-b1) ...) • (go-a go-b)  $\Rightarrow$  ((... T F) (... go-a1 T) ...)

▲□▶▲□▶▲≡▶▲≡▶ ≡ ∽○○○

 $\mathsf{Inputs} = ((\ldots \text{ go-a0 go-b0}) (\ldots \text{ go-a1 go-b1}) \ldots)$ 

- (go-a go-b)  $\Rightarrow$  ((... T F) (... go-a1 T) ...)
- (go-b go-a)  $\Rightarrow$  ((... F T) (... T go-b1) ...)

▲□▶▲□▶▲≡▶▲≡▶ ≡ ∽○○○

 $Inputs = ((\dots go-a0 go-b0) (\dots go-a1 go-b1) \dots)$ 

- (go-a go-b)  $\Rightarrow$  ((... T F) (... go-a1 T) ...)
- (go-b go-a)  $\Rightarrow$  ((... F T) (... T go-b1) ...)
- ((go-a go-b))  $\Rightarrow$  ((... T T) ...)

#### 1 Introduction

- 2 The DE Verification System
- 3 Modeling and Verifying Asynchronous Circuits Using the DE System

#### 4 Asynchronous Serial Adder Verification

#### 5 Conclusions

- We have presented our framework for modeling and verifying asynchronous circuits using the DE system.
- Hierarchical verification is critical to circuit verification.
- Reasoning with highly non-deterministic behavior is burdensome to asynchronous circuit verification.

#### References



#### W. Hunt (2000)

#### The DE Language

*Computer-Aided Reasoning: ACL2 Case Studies*, Kluwer Academic Publishers Norwell, MA, USA, 151 – 166.

W. Hunt & E. Reeber (2006) Applications of the DE2 Language DCC 2006, Vienna, Austria.

#### B. Brock & W. Hunt (1997)

The DUAL-EVAL Hardware Description Language and Its Use in the Formal Specification and Verification of the FM9001 Microprocessor

Formal Methods in System Design, 11, 71 – 104.



M. Roncken, S. Gilla, H. Park, N. Jamadagni, C. Cowan, I. Sutherland (2015) Naturalized Communication and Testing ASYNC 2015, 77 – 84.

A. Slobodova, J. Davis, S. Swords, and W. Hunt (2011) A Flexible Formal Verification Framework for Industrial Scale Validation *MEMOCODE 2011*, 89 – 97.

Cuong Chau (UT Austin)

Asynchronous Circuit Verification

January 27, 2017 30 / 32

Phase 1: Pick a topic

Phase 2: ?

Phase 3: Defend

ヨト イヨト

Image: A matrix and a matrix

2

# Questions?

ヨト イヨト

Image: A matrix and a matrix

2