# Improving Formal Verification Support in CIRCT Amelia Dobis - April 2024 to August 2024 # Goal of my work ⇒ Improve efficiency and capabilities of Formal Verification inside of CIRCT and Chisel. 1. Improve existing verification infrastructure. 2. Introduce a new dedicated end-to-end verification flow in Chisel and CIRCT. # Goal of my work - ⇒ Improve efficiency and capabilities of Formal Verification inside of CIRCT and Chisel. - 1. Improve existing verification infrastructure. - a. Update LTL dialect. - b. Improve SVA property emission. 2. Introduce a new dedicated end-to-end verification flow in Chisel and CIRCT. ### Goal of my work - ⇒ Improve **efficiency** and **capabilities** of **Formal Verification** inside of CIRCT and Chisel. - 1. Improve existing verification infrastructure. - a. Update LTL dialect. - b. Improve SVA property emission. - 2. Introduce a new dedicated end-to-end verification flow in Chisel and CIRCT. - a. Integrate and expand btor2 back-end. - b. Explore the ideas related to **co-locating designs and tests** for formal tests. - c. **Modularize formal verification** through the introduction of formal contracts. - d. Redesign LTL dialect to better support property assertion synthesis. # Improving Existing Verification Infrastructure Current Focus 7 # **Verification Maintenance and Debugging** - 1. Updating LTL to improve expressiveness - 2. Making SVA property emission more stable - 3. Debugging # **Updating LTL** - Write out an <u>SVA summary</u> which describes how each part of SVA can be mapped to CIRCT. This document was then <u>merged into the LTL rationale</u>. - Introduce 3 new ops to the LTL dialect. - <u>Porting the LTL intrinsics in Chisel</u> from intrinsic modules to intrinsic expressions, making the generated firrtl for property much smaller. - <u>Providing a simpler interface</u> for property assertions. - <u>Providing new interfaces</u> to access all of the ltl features that CIRCT supports. #### **Improving SVA Property Emission** - Flipped the polarity of all disable signals, such that everything in Chisel and CIRCT uses enables. - Removed the ltl.disable op from the IR thus simplifying the emission of property assertions. - Added an enable signal to the verif.assert like ops, to replace the removed ltl.disable op. - <u>Deprecated disabling individual properties</u> in Chisel, as this couldn't be mapped to SV. - Introduced clocked assertions. - <u>Fixed bugs related</u> to properties being used in disable signals (which is disallowed in SV). - Explored various encodings for disable signals. - Explored using the LTL type system to simplify the property assertion verifier logic. - Introduced the sv.assert property - <u>Updated ExportVerilog</u> to support the new, simpler and more concise, emission of property assertions. ### **Verification Debugging** - ExpandWhens not supporting AssertProperty. This meant that property assertions declared under a when would simply be ignored (fixed in <u>PR#7021</u> and later improved in <u>PR#7150</u>). - SVSim not firing assertions correctly when using Verilator (fixed in PR#4087). - Firrtool lowering assertions incorrectly (fixed in <u>PR#7157</u>). Current Focus 13 # Re-imagining Formal Verification in Chisel and CIRCT #### **Background: Formal Verification** #### What is Formal Verification? - <u>Idea</u>: Instead of testing your design through simulation, prove its correctness statically using formal methods. - <u>How?</u> - Annotate your design with a specification in the form of **assertions** and **assumptions**. - Use design + specification to generate **Verification Conditions (VC)**. - Check the satisfiability of the VCs using SMT solvers → if unsatisfiable then your design matches the spec. - Why? - Provides stronger guarantees than simulation → checks are exhaustive. - Can quickly find edge case bugs in the design implementation. #### **Background: Verification Conditions** <u>Idea:</u> Convert design into conjunction of constraints (signal definitions) and negated assertion conditions. ``` val a = IO(Input(32.W)) val b = a + 1.U assert (b > a) (and (eq b (add a 1)) // define b (not (gt b a)) // can assertion be violated? ) ``` #### **Background: Verification Conditions** <u>Handling State:</u> Create "state-transition systems" from registers + memories, requires **Bounded Model Checking** to be verified. #### **Background: BTOR2 and btormc** #### BTOR2: - SMTLib-like format that allows for the explicit encoding of state-transition systems. - Supports **bitvector** and **array** theories. - No need to manually unroll states, e.g. #### BTORMC: - Bounded Model Checker. - Supports btor2 format, uses the **boolector** SMT solver. - Optimized for solving in bitvector and array theories. #### **Motivation: Formal Verification** #### **Motivation: Formal Verification** Current Focus #### Overview: - <u>Idea:</u> Create a unified interface for all formal tests. - Allows for simple user interface. - Back-end can be defined through build parameters. - Test is co-located with design ``` class Foo extends Module { val in = IO(Input(UInt(32.W))) val out = IO(Output(UInt(32.W))) /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) } } ``` ``` class Foo extends Module { val in = IO(Input(UInt(32.W))) val out = IO(Output(UInt(32.W))) /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) } } ``` - Formal tests can target either **btor2** or **circt-bmc**. - Formal tests are ignored during SV generation for synthesis. - Formal tests are included in SV generation for testing. - Verif constructs: PR #7145 - FIRRTL op: <u>PR #7374</u> #### Current Focus #### Overview: #### Handling Modularity in Designs under Verification - <u>Problem:</u> Current solutions for generating VCs for module instances: - $\circ$ Inline Module VC $\rightarrow$ Requires re-checking the same VCs multiple times $\rightarrow$ slow verification - Manually define assumptions to abstract away certain parts - Difficult to get right - Very manual process - Often incomplete abstraction - → We only want to verify a module <u>exactly once.</u> (not once per instance) ## Handling Modularity in Designs under Verification - <u>Idea:</u> Allow for user to define "verification checkpoints" that can be used as abstractions to verify module instances. - <u>Formal Contracts</u>: Define a contract that the module is proven to support. - **Pre-conditions**: Specifications over the module's inputs - "What do I expect correct inputs to look like?" - **Post-conditions**: Guarantees for the module's outputs - "Given certain inputs, what do my outputs look like?" ## Handling Modularity in Designs under Verification Module Correctness: Assuming our preconditions can we use our module's definition to prove our post-conditions. ``` O VC: {Pre-conditions} -> ({Body} AND NOT({Post-conditions})) ``` • <u>Instance Correctness:</u> Knowing that our Module is correct, our pre-conditions holding implies that our post-conditions hold. ``` o Assert({Pre-conditions}) + Assume({Post-conditions}) ``` ``` class Foo extends Module with Contract { val in = IO(Input(UInt(32.W)) val out = IO(Output(UInt(32.W)) // define contract contract { require(in > 0.U) require(in < 1000.U) ensure(/* some post-condition */) /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) ``` ``` class Foo extends Module with Contract { val in = IO(Input(UInt(32.W)) val out = IO(Output(UInt(32.W)) // define contract contract { require(in > 0.U) require(in < 1000.U) ensure(/* some post-condition */ /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) ``` ``` // module test test formal Foo(500) { val dut = Instantiate(Foo) Assume(dut.in > 0.U) Assume(dut.in < 1000.U) Assert(/*Body*/ && /*Post-conditions*/) // module instance test test formal testFoo(500) { val dut = Instantiate(Foo) Assert(dut.in > 0.U) Assert(dut.in < 1000.U) Assume(/*Post-conditions*/) AssertProperty(/* some property */) ``` Current Focus #### Overview: ``` class Foo extends Module with Contract { val in = IO(Input(UInt(32.W)) val out = IO(Output(UInt(32.W)) // define contract contract { require(in > 0.U) require(in < 1000.U) ensure(/* some post-condition */) /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) class Bar extends Module with Contract { val in = IO(Input(UInt(32.W)) val sign = IO(Input(Bool()) val out = IO(Output(UInt(32.W)) contract { require(sign |-> in > 0.U) require(!sign |-> in < 0.U) // Ensures support SVA properties ensure((sign |=> out > 0.U) && (!sign |=> out < 0.U)) val foo1 = Instantiate(Foo) val foo2 = Instantiate(Foo) /* body of bar that uses multiple Foos */ test formal testBar(500) { val foo1 = Instantiate(Bar) AssertProperty(/*some property*/) object Bar extends App { ChiselStage.emitBtor2(new Bar) ``` ``` class Foo extends Module with Contract { val in = IO(Input(UInt(32.W)) val out = IO(Output(UInt(32.W)) // define contract contract { require(in > 0.U) require(in < 1000.U) ensure(/* some post-condition */) /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) class Bar extends Module with Contract { val in = IO(Input(UInt(32.W)) val sign = IO(Input(Bool()) val out = IO(Output(UInt(32.W)) contract { require(sign |-> in > 0.U) require(!sign |-> in < 0.U) // Ensures support SVA properties ensure((sign |=> out > 0.U) && (!sign |=> out < 0.U)) val foo1 = Instantiate(Foo) val foo2 = Instantiate(Foo) /* body of bar that uses multiple Foos */ test formal testBar(500) { val foo1 = Instantiate(Bar) AssertProperty(/*some property*/) object Bar extends App { ChiselStage.emitBtor2(new Bar) ``` Chisel ``` circuit Bar: public module Foo: public module Bar: input in : UInt<32> input s in : UInt<32> output out : UInt<32> input s en : Bool contract: inst dut of Bar node prec0 = qt(in, 0) connect dut.in, s in require prec0 connect dut.en, s en node prec1 = lt(in, 1000) intrinsic(circt verif assert(...)) require prec1 node post = ;;some post-condition;; formal testBar of Bar, bound = 500 ensure post ;; Body of the module :: Some Formal Test public module Foo: input s in : UInt<32> inst dut of Foo connect dut.in, s in intrinsic(circt verif assert(...)) formal testFoo of Foo, bound = 500 public module Bar: input in : UInt<32> input sign : Bool output out : UInt<32> contract: node prec0 = intrinsic(circt ltl implication(...)) require prec0 node prec1 = intrinsic(circt ltl implication(...)) require prec1 node post = ;;some post-condition;; ensure post inst fool of Foo inst foo2 of Foo ;; body of bar that uses multiple Foos ;; ``` **FIRRTL** ``` class Foo extends Module with Contract { val in = IO(Input(UInt(32.W)) val out = IO(Output(UInt(32.W)) // define contract contract { require(in > 0.U) require(in < 1000.U) ensure(/* some post-condition */) /* body of the module */ // Some formal test test formal testFoo(500) { val dut = Instantiate(Foo) AssertProperty(/* some property */) class Bar extends Module with Contract { val in = IO(Input(UInt(32.W)) val sign = IO(Input(Bool()) val out = IO(Output(UInt(32.W)) contract { require(sign |-> in > 0.U) require(!sign |-> in < 0.U) // Ensures support SVA properties ensure((sign |=> out > 0.U) && (!sign |=> out < 0.U)) val foo1 = Instantiate(Foo) val foo2 = Instantiate(Foo) /* body of bar that uses multiple Foos */ test formal testBar(500) { val foo1 = Instantiate(Bar) AssertProperty(/*some property*/) object Bar extends App { ChiselStage.emitBtor2(new Bar) ``` Chisel ``` circuit Bar: public module Foo: public module Bar: input in : UInt<32> input s in : UInt<32> output out : UInt<32> input s en : Bool contract: inst dut of Bar node prec0 = qt(in, 0) connect dut.in, s in require prec0 connect dut.en, s en node prec1 = lt(in, 1000) intrinsic(circt verif assert(...)) require prec1 node post = ;;some post-condition;; formal testBar of Bar, bound = 500 ensure post ;; Body of the module ;; Some Formal Test public module Foo: input s in : UInt<32> inst dut of Foo connect dut.in, s in intrinsic(circt verif assert(...)) formal testFoo of Foo, bound = 500 public module Bar: input in : UInt<32> input sign : Bool output out : UInt<32> contract: node prec0 = intrinsic(circt ltl implication(...)) require prec0 node prec1 = intrinsic(circt ltl implication(...)) require prec1 node post = ;;some post-condition;; ensure post inst fool of Foo inst foo2 of Foo ;; body of bar that uses multiple Foos ;; ``` **FIRRTL** **IowerToHW** ``` module - hw.module @Foo(in %in : i32, out : i32) { hw.module @Bar(in %in : i32, in %sign : i1, out : i32) { %bar.0 = verif.contract(%out) { %foo.0 = verif.contract(%out) : i32 -> (i32) { ^bb0(%bar.0 : i32): ^bb0(%foo.0 : i32): %c0 i32 = hw.constant 0 : i32 %c0 i32 = hw.constant 0 : i32 %prec0 = comb.icmp bin ugt %in, %c0 i32 : i32 %ingt0 = comb.icmp bin ugt %in, %c0 i32 : i32 verif.require %prec0 : i1 %prec0 = ltl.implication %sign, %ingt0 : ltl.property %c1000 i32 = hw.constant 1000 : i32 verif.require %prec0 : !ltl.property %prec1 = comb.icmp bin ult %in, c1000 i32 : i32 %inlt0 = comb.icmp bin ult %in, %c0 i32 : i32 verif.require %prec1 : i1 %true = hw.constant 1 : i1 %post = ... %ns = comb.xor %sign, %true : i1 verif.ensure %post : i1 %prec1 = ltl.implication %ns, %inlt0 : 1tl.property verif.yield %foo.0 : i32 verif.require %prec1 : !ltl.property verif.ensure ... %out = ... : i32 verif.yield %bar.0 : i32 hw.output %foo.0 %foo1.0 = hw.instance "foo1" @Foo(...) -> (...) %foo2.0 = hw.instance "foo2" @Foo(...) -> (...) verif.formal @testFoo(k = 500) { %out = ... %s in = verif.symbolic input : i32 hw.output %bar.0 %foo.0 = hw.instance "foo" @Foo( in: %s in : i32 ) -> ("" : i32) verif.formal @testBar(k = 500) { %s in = verif.symbolic input : i32 %spec = ... verif.assert %spec : i1 %s sign = verif.symbolic input : i1 %bar.0 = hw.instance "dut" @Bar( in: %s in : i32, sign: %s sign: i32 ) -> ("" : i32) %spec = ... verif.assert %spec : i1 ``` CORE ``` module - hw.module @Foo(in %in : i32, out : i32) { hw.module @Bar(in %in : i32, in %sign : i1, out : i32) { %foo.0 = verif.contract(%out) : i32 -> (i32) { %bar.0 = verif.contract(%out) { ^bb0(%foo.0 : i32): ^bb0(%bar.0 : i32): %c0 i32 = hw.constant 0 : i32 %c0 i32 = hw.constant 0 : i32 %ingt0 = comb.icmp bin ugt %in, %c0 i32 : i32 %prec0 = comb.icmp bin ugt %in, %c0 i32 : i32 %prec0 = ltl.implication %sign, %ingt0 : ltl.property verif.require %prec0 : i1 %c1000 i32 = hw.constant 1000 : i32 verif.require %prec0 : !ltl.property %prec1 = comb.icmp bin ult %in, c1000 i32 : i32 %inlt0 = comb.icmp bin ult %in, %c0 i32 : i32 verif.require %prec1 : i1 %true = hw.constant 1 : i1 %ns = comb.xor %sign, %true : il %post = ... verif.ensure %post : i1 %prec1 = ltl.implication %ns, %inlt0 : ltl.property IowerToHW verif.require %prec1 : !ltl.property verif.yield %foo.0 : i32 verif.ensure ... %out = ... : i32 verif.yield %bar.0 : i32 hw.output %foo.0 %foo1.0 = hw.instance "foo1" @Foo(...) -> (...) %foo2.0 = hw.instance "foo2" @Foo(...) -> (...) verif.formal @testFoo(k = 500) { %out = ... %s in = verif.symbolic input : i32 hw.output %bar.0 %foo.0 = hw.instance "foo" @Foo( in: %s in : i32 verif.formal @testBar(k = 500) { ) -> ("" : i32) %spec = ... %s in = verif.symbolic input : i32 verif.assert %spec : i1 %s sign = verif.symbolic input : i1 %bar.0 = hw.instance "dut" @Bar( in: %s in : i32, sign: %s sign: i32 ) -> ("" : i32) %spec = ... verif.assert %spec : i1 ``` FIRRTL CORE verif.formal @Bar(k = 500) { %s in = verif.symbolic input : i32 %s sign = verif.symbolic input : i1 %bar.0 = verif.symbolic input : i32 %ingt0 = comb.icmp bin ugt %s in, %c0 i32 : i32 %prec0 0 = comb.icmp bin ugt %..., %c0 i32 : %prec1 0 = comb.icmp bin ult %..., c1000 i32 verif.assert %prec0 0 : i1 verif.assert %prec1 0 : i1 verif.assume %post 0 : i1 %post 0 = ... %out = ... %prec0 = ltl.implication %s sign, %ingt0 : !ltl.property c0 i32 = hw.constant 0 : i32 #### **Formal** verif.assert %prec0 : !ltl.property %ns = comb.xor %s sign, %true : i1 verif.assert %prec1 : !ltl.property %true = hw.constant 1 : i1 verif.assume ... %spec = ... verif.assert %spec : i1 %inlt0 = comb.icmp bin ult %s in, %c0 i32 : i32 %prec1 = ltl.implication %ns, %inlt0 : !ltl.property module { // k can be a pass argument for modules %s in = verif.symbolic input : i32 %foo.0 = verif.symbolic input : i32 c0 i32 = hw.constant 0 : i32 %prec0 = comb.icmp bin ugt %in, %c0 i32 : i32 verif.formal @Foo(k = 500) { verif.assume %prec0 : i1 verif.assert %spec : i1 #### **Formal** ``` module { rerif.formal @Bar(k = 500) { // k can be a pass argument for modules %s in = verif.symbolic input : i32 verif.formal @Foo(k = 500) { %s sign = verif.symbolic input : i1 %s in = verif.symbolic input : i32 %bar.0 = verif.symbolic input : i32 %foo.0 = verif.symbolic input : i32 c0 i32 = hw.constant 0 : i32 c0 i32 = hw.constant 0 : i32 %prec0 = comb.icmp bin ugt %in, %c0 i32 : i32 %ingt0 = comb.icmp bin ugt %s in, %c0 i32 : i32 verif.assume %prec0 : i1 %prec0 = ltl.implication %s sign, %ingt0 : !ltl.property %c1000 i32 = hw.constant 1000 : i32 verif.assume %prec0 : !ltl.property %prec1 = comb.icmp bin ult %in, c1000 i32 : i32 %inlt0 = comb.icmp bin ult %s in, %c0 i32 : i32 verif.assume %prec1 : i1 %true = hw.constant 1 : i1 %post = ... %ns = comb.xor %s sign, %true : i1 verif.assert %post : i1 %prec1 = ltl.implication %ns, %inlt0 : !ltl.property // rest of the module verif.assume %prec1 : !ltl.property verif.assert ... verif.formal @testFoo(k = 500) { %s in = verif.symbolic input : i32 %foo1.0 = verif.symbolic_input : i32 %foo.0 = verif.symbolic input : i32 c0 i32 = hw.constant 0 : i32 c0 i32 = hw.constant 0 : i32 %prec0 = comb.icmp bin ugt %..., %c0 i32 : i32 PrepareForFormal %prec0 = comb.icmp bin ugt %in, %c0 i32 : i32 verif.assert %prec0 : i1 verif.assert %prec0 : i1 c1000 i32 = hw.constant 1000 : i32 verif.formal @testBar(k = 500) { %c1000 i32 = hw.constant 1000 : i32 %prec1 = comb.icmp bin ult %..., c1000 i32 : %s in = verif.symbolic input : i32 %prec1 = comb.icmp bin ult %in, c1000 i32 : i32 verif.assert %prec1 : i1 %s sign = verif.symbolic input : i1 verif.assert %prec1 : i1 %post = ... %bar.0 = verif.symbolic input : i32 %post = ... verif.assume %post : il c0 i32 = hw.constant 0 : i32 verif.assume %post : i1 // foo 2 instance %ingt0 = comb.icmp bin ugt %s in, %c0 i32 : i32 %spec = ... %foo2.0 = verif.symbolic input : i32 %prec0 = ltl.implication %s sign, %ingt0 : !ltl.property verif.assert %spec : i1 %prec0 0 = comb.icmp bin ugt %..., %c0 i32 : verif.assert %prec0 : !ltl.property verif.assert %prec0 0 : i1 %inlt0 = comb.icmp bin ult %s in, %c0 i32 : i32 %prec1 0 = comb.icmp bin ult %..., c1000 i32 %true = hw.constant 1 : i1 verif.assert %prec1 0 : i1 %ns = comb.xor %s sign, %true : i1 %post 0 = ... %prec1 = ltl.implication %ns, %inlt0 : !ltl.property verif.assume %post 0 : i1 verif.assert %prec1 : !ltl.property %011t = ... verif.assume ... %spec = ... verif.assert %spec : i1 ``` #### PrepareForFormal - Perform Contract replacement. - Module: assume preconditions + assert postconditions & body - Instance: assert preconditions + assume postconditions - Create Formal Tests for Modules. - Yield a format that can be used in formal back-ends. #### **Formal** # What has been done?: # Future Work: #### Conclusion - Formally Verifying Circuits should be as simple and efficient as implementing them. - Verification engineers should not have to repeat work. - Introduced a **unified interface** for writing **Formal Tests** for any back-end. - Introduced a **formal contract** system, for retaining modularity during verification. - Designed a compilation flow that integrates both elements in Chisel and CIRCT. - ⇒ This is a WIP, the core building blocks and passes are there, still need to **provide Chisel interfaces** and **connect everything together**. - → Please reach out if you want to help out! # What has been done?: