Relativetiming based verification of timed circuits and systems

1
Relative-timing based verification of timed
circuits and systems

• Hoshik Kim and Peter A. Beerel
• Department of EE-Systems
• University of Southern California
• IWLS 99
• June 27-30, 1999

2
Motivation Timed Circuits and Systems

• Definition
• Any circuit/specification in which timing
  constraints/assumptions are necessary to ensure
  correct operation
• Examples
• Delayed-reset Domino Nowka et al., ICCD98
• Self-Resetting Domino Chappell et al., IBM96
• Timed (asynchronous) circuits Intels RAPPID,
  ASYNC99
• Advantages
• Extremely fast and dense
• Disadvantages
• Hard to design and verify
• Requires complicated timing verification

3
Self-Resetting Domino (SRCMOS)

• Characteristics
• The input signal to a SRCMOS stage is a pulse
  rather than a level
• Input pulse requirements
• must last until after N1 falls
• must be less than the reset delay (green path)
• Key implication
• Thus, a two-sided constraint on the pulse width
  exists

N2
Q
N1
A
B
A self-resetting 2-input OR gate
4
Possible Verification Approaches

• Our approach Reduce the cost of asynchronous
  analysis

5
Current State-of-the-Art Explicit-timing

• Features Belluomini et al., ASYNC99
• Bounds of delays used
• Time is dense - timed state space is infinite!
• Timed state space representation
• States labeled with binary value of all signals
• Regions used to characterize the time in each
  state

6
Issues with Explicit-timing approach

• Explicit-timing verification must overcome double
  exponential complexity (state space timing)
• Timing margins may need to be overly conservative
• Delay bounds must be valid across process
  variations
• Minor design changes that affect bounds require
  complete re-verification

7
Relative-Timing (RT) Verification

• Verification methodology
• Find relative-timing constraints on path delays
  that guarantee correctness
• If red path delay is smaller than green path, y
  is stable high - OK
• If red path delay is larger than yellow path, y
  has neg. pulse - OK
• Otherwise, a runt pulse (or hazard) can occur -
  FAILURE
• Analyze post-layout circuits to validate
  constraints
• SPICE-level simulation OR
• Simpler timing analysis using bounded delays

8
Advantages of Relative-Timing (RT)

• Reduces verification complexity
• RT techniques do not need to model timers
• Reduces complexity exponentially
• Facilitates use of mature symbolic methods
• Facilitates tighter timing margins
• RT constraints can be verified very aggressively
• Promotes easy incremental verification
• Many minor design changes easily verifiable
  (e.g., simulation)
• E.g., transistor sizing, layout,
  technology/process migration

9
The problem statement

• Definitions
• Event chain
• Sequence of transitions along
• a circuit path
• Delay of an event chain
• associated path delay
• E.g., DBA-y- DBA- DA-y-
• Relative-timing constraint
• Ordered triple of event chain delays
• view as two sided constraint on a target event
  chain delay
• E.g., DBA-
• Our Goal
• Find relative-timing constraints necessary and
  sufficient for correctness

10
Our approach

• Step 1
• Perform asynchronous reachability analysis (w/o
  regions)
• States labeled with binary values of all signals
• Over approximation because time is not considered
• Step 2
• Identify all possible failure transitions
• Formalized with notion of an event triples
• Step 3
• Determine causality of events in event triple
• Formalized with notion of an event PN
• Step 4
• Find relative timing constraint for each event PN
• Formalized with notion of time separation of
  events (TSE)
• Xie et al., ASYNC99

11
Event Triples

• Target event t
• labels a failure transition (causes a race)
• Dangerous set of states
• Q(t) s
• Event triple (l, t, u)
• t is a target event
• l is a lower bound event which enters Q(t)
• u is an upper bound event which escapes Q(t)
• Interpretation
• Target failure occurs if t happens after l enters
  Q(t) but before u occurs

12
An Event PN

• The Goal
• Characterize the causality of events in an event
  triple
• Event PN
• An acyclic Petri net describing causality of
  events
• Our Approach
• Create an Event PN to capture the causality
• Find a constraint using TSEs.
• TSE (l, t) 0 TSE (t, u) 0
• TSE expressions relate to delays of gates along
  circuit paths

13
One possible approach
Circuit Description
Specification

• Leverage off of advanced verification techniques
  Pastor99, Vakilotojar98, Yoneda96, Yenigun99
• Mapping PN from ETS is computationally complex
• The assignments of delays to places is unclear
  when label splitting occurs

Transition System (TS) ? Elementary TS (ETS)
Cortadella et al.95 ?
Event PN for each event triple
RT constraints
14
An alternative approach
Circuit Description
Specification

• Creating the Petri net model of a circuit is
  straight forward
• Leverage off of advanced verification techniques
  Pastor99, Vakilotojar98, Yoneda96, Yenigun99
• The correspondence of delays on places and gate
  delays is pre-determined in the Petri net gate
  library
• Looks more promising

RT constraints
15
Example 1 Static C-element
16
Example 1 (cont.)

• Generate RT Constraints
• 1. T B-, A-
• 2. For t B-,
• L C, U u3
• 3. Find an event PN and thus RT constraint
• for event triple (C, B-, u3)
• 4. For t A-,
• L C, U u2
• 5. Repeat Step 3 for event triple (C, A-, u2)
  
• The circuit will work correctly unless it
  satisfies any of the RT constraints.

17
Example 1 (cont.)

• A partial marking corresponds to a dangerous
  states set Q
• ? indicates input
• ! indicates output

18
Example 1 (cont.)

• Event PN for event triple (C, B-, u3)

• Double synchronization events here
• Thus, only upper and lower bounds on TSE can be
  found Xie et al.99
• The upper bound of TSE (TSEu) will be used in the
  constraints to be conservative

• Event triple (l, t, u) (C, B-, u3)
• ? TSE (C, B-) d(p3) 0 (Delay of a
  place is always positive)
• ? Leads to a trivial two-sided constraints
• ? TSEu (B-, u3)
• max max d(p4) d(p2) d(p5), d(p6)
  - d(p4) d(p2) d(p3), d(p5) - d(p3) 0
• DBu1CB- DCB-

19
Example 2 Two-sided constraints
000
00000
A
A
100
10000
B
y
State A B C
B
11000
10001
C-
y
B
x
110
C-
C
A-
11001
11010
x
y
State A B C x y
010
111
11011
C
A-
C
A-
A-
11111
011
F
A-
B-
A-
001
x
A-
00100
01000
y-
x
Specification
y-
00101
01010
01001
y
x-
00111
01011
C
B-
01111
Reachability Graph
20
Example 2 (cont.)

• Generate Chain Constraints
• 1. T A-, x
• 2. For t A-,
• L B, U x, y
• 3. Find an event PN and sub-constraint for each
  
• event triple (B, A-, x) and (B, A-, y).
• Conjunction of all sub-constraints is an RT
• constraint
• 4. For t x,
• L A-, U y-
• 5. Repeat Step 3 for event triple (A-, x, y-)

21
Example 2 (cont.)

• A partial marking corresponds to a dangerous
  states set Q
• ? indicates input
• ! indicates output

22
Example 2 (cont.)

• Event PN for event triple (A-, x, y-)

00000
A
10000
B
y
11000
10001
C-
y
B
x
11001
11010
x
y
State A B C x y
11011
C
A-
A-
11111
F
A-

• Event triple (l, t, u) (A-, x, y-)
• ? TSE (A-, x) d(p1) - d(p2) 0
• ? TSE (x, y-) d(p2) d(p3) - d(p1) 0
  
• (DBA-
• \ DBA-
• If we had only one bound DBx would remove good states - false negatives

A-
x
A-
00100
01000
y-
x
y-
00101
01010
01001
y
x-
00111
01011
C
B-
01111
23
Conclusion

• We presented novel verification techniques to
  support emerging high performance circuit design
  techniques.
• These techniques identify a set of two-sided path
  delay constraints that are sufficient to find any
  failure of the circuits
• Constraints can be verified using simulation or
  simpler timing analysis

24
Future Work

• Refine and implement the theory and algorithm
• Combine with hierarchical and other partial order
  approaches
• Test on both aggressively designed synchronous
  and asynchronous circuits