#### **Amelia Dobis** PhD Student - Advisor: Mae Milano - Princeton PL/SNS OPLSS 2025 # Motivation: Practical Reality of Hardware Design - Hardware is **hard**: Very difficult to implement correctly - Mistakes are expensive: Tape-out costs <u>millions of dollars</u> - We need strong correctness guarantees that dynamic testing methods don't give us - <insert Dijkstra quote here> #### Motivation: Hardware Verification is Terrible ## Motivation: "reasons" why HW Verification is bad - <u>academia</u>: "Hardware Verification is a solved problem just use BMC" - Peter Müller, Spring 2022 - <u>industry</u>: "You should use Synopsis VC Formal" - Every verification engineer, all day every day #### How much does Synopsys cost? ### Motivation: Deductive Program Verification is cool - Meanwhile: Software get to use interactive modular verification tools. - o here's a demo - These are unified and are adaptable to multiple (frontend) languages. - Hardware engineers deserve nice things too! # Background: Deductive Program Verifiers ## Background: CIRCT [2] CIRCT: Intermediate Representations as a Shared Foundation for Hardware Compilation; Amelia Dobis, Bea Healy, Schuyler Eldridge, Tobias Grosser, Andrew Lenharth, Andrew Young, Chris Lattner, Fabian Schuiki, Hideto Ueno, John Demme, Julian Oppermann, Lenny Truong, Leon Hielscher, Mae Milano, Martin Erhart, Mike Urbach, Morten Borup Petersen, Prithayan Barua, Robert Young, Stephen Neuendorffer, Will Dietz; 2025 #### Goal: Deductive Hardware Verification - Can we create a "Viper for Hardware"? - How does Program Verification differ from Hardware Verification? - What **underlying methods** do we need? - Can we **bypass SystemVerilog**? | Unified | Deductive | Hardware Verification | |--------------------------|--------------------------------------|-----------------------------------| | Single Interface | Verification Condition<br>Generation | Supports Sequential Designs | | Supports many front-ends | Weakest Precondition computation | Supports Temporal Logic | | Supports many backends | Maintains Modularity | Supports Parallel<br>Verification | • **How**? $\rightarrow$ Introduce *First Class Verification ops* to the CIRCT compiler ``` verif_op ::= assert <s> <clk> | assume <s> <clk> | cover <s> <clk> formal <@sym> <body> | <s> = symbolic input op ::= verif.verif op : <type> class formalTest extends Module with Formal { // Inputs are interpreted as free/symbolic Chisel val a = IO(Input(UInt(32.W))) verif.formal @formalTest {bound=500, method=BMC} { %a = verif.symbolic input : i32 MI IR ``` | Unified | Deductive | Hardware Verification | |--------------------------|--------------------------------------|-----------------------------------| | Single Interface | Verification Condition<br>Generation | Supports Sequential Designs | | Supports many front-ends | Weakest Precondition computation | Supports Temporal Logic | | Supports many backends | Maintains Modularity | Supports Parallel<br>Verification | - Goal: Maintain modularity during verification - **Problem:** Current verification tools duplicate verification tasks for module instances. - **Solution:** Introduce modularity into the specification language. - Hoare Logic can help with this! - Extend verif dialect to include hoare triples. - %out = verif.contract (<inputs>) {<body>} - $\circ$ declares a Hoare Triple $\rightarrow$ inputs will be abstracted during verification. - Output is the result that can referenced in postconditions - verif.requires %precondition : <type> - o declares a **precondition** - Only valid inside of a verif.contract body - verif.ensures %postcondition : <type> - o declares a **postcondition** - Only valid inside of a verif.contract body ``` class A extends Module { val in = IO(Input(UInt(32.W))) val out = IO(Output(UInt(32.W))) contract { requires in >= 0.U ensures out === in + 42.U } // ... Module body ... } ``` - Goal: Generate **verif.formal** tests for every module. - Convert modules into formal tests by: - Replace **inputs** and **outputs** with **symbolic variables** - **Assume** all **preconditions** on the inputs - Assert all postconditions on the outputs - Replace module instances with their contracts where: - All **preconditions** are **asserted** on the inputs given to the instance - All **postconditions** are **assumed** on the result of the instance ``` hw.module @A (in %in: i32, out %out: i32) { ;; Module body defining res %out = verif.contract %res { verif.requires %gt verif.ensures %post verif.formal @A {...} { hw.output %out ;; Module body defining res %in = verif.symbolic input : i32 %out = verif.symbolic input : i32 verif.assume %qt verif.assert %post ``` Verification Compilation Flow (Weakest Precondition Computation): ``` class A extends Module { //... IO ... contract { requires ... ensures ... } class B extends Module with Formal { val a1 = Instance(A) val a2 = Instance(A) assert(...) } ``` ``` verif.formal @A {attr} { %in = verif.symbolic_input : i32 %out = verif.symbolic_input : i32 verif.assume ... verif.assert ... } ``` ``` verif.formal @B {attr} { %a1.in = verif.symbolic_input : i32 %a2.in = verif.symbolic_input : i32 %a1.out = verif.symbolic_input : i32 verif.assert prec_a1 verif.assume post_a1 %a2.out = verif.symbolic_input : i32 ;...contract a2 } ``` CIRCT core IR CIRCT verification IR | Unified | Deductive | Hardware Verification | |--------------------------|-----------------------------------|-----------------------------------| | Single Interface | Verification Condition Generation | Supports Sequential<br>Designs | | Supports many front-ends | Weakest Precondition computation | Supports Temporal Logic | | Supports many backends | Maintains Modularity | Supports Parallel<br>Verification | - Goal: Allow for generation of Bounded Model Checking (BMC) problems from CIRCT. - How? Lower to BTOR2 from the CIRCT verification IR. - <u>idea</u>: Convert design into state-transition system + FOL # Formal Verification of Hardware using MLIR Chapter 3 Formal Back End for CIRCT ``` 1 sort bitvector 32 2 state 1 count 3 zero 1 4 init 1 2 3 5 sort bitvector 1 6 constd 1 22 7 eq 5 2 6 class Counter extends Module { 8 ite 1 7 3 2 val count = RegInit(0.U(32.W)) 8 neg 5 2 6 when (count === 22.U) { count := 0.U } 9 ite 1 7 3 2 when (count =/= 22.U) { count := count + 1.U } 10 one 1 11 sort bitvector 33 assert(count =/= 10.U) 12 add 11 2 10 13 slice 1 12 31 0 14 ite 1 8 13 8 15 next 1 2 14 16 constd 1 10 17 neq 5 2 16 18 not 5 17 19 bad 18 ``` - Goal: Support Temporal Logic in Specifications. - How: Design a "reactive" IR that encodes LTL through small incremental transformations. - <u>idea:</u> encode LTL expression as "triggering asynchronous blocks". # Incremental Conversion of SVA Properties to Synthesizable Hardware | Amelia Dobis | Fabian Schuiki | Mae Milano | |----------------------|----------------|----------------------| | Princeton University | SiFive | Princeton University | | USA | USA | USA | a ##1 b[+] ##1 c trigger: observe reg(valid(b+)) valid: observe c & has been triggered ``` trigger: observe reg(valid(a)) has_been_triggered: trigger | has_been_triggered has_observed_b: has_been_triggered & (has_observed_b | b) valid: observe has_observed_b & has_been_triggered ``` - Enables Solver Parallelism - Simplifies individual verification problems - No single verification task needs to solve for the entire system | Unified | Deductive | Hardware Verification | |--------------------------|-----------------------------------|--------------------------------| | Single Interface | Verification Condition Generation | Supports Sequential Designs | | Supports many front-ends | Weakest Precondition computation | Supports Temporal Logic | | Supports many backends | Maintains Modularity | Supports Parallel Verification | #### Conclusion - Introduced the concept of **Deductive Hardware Verification**. - o idea: use small bmc problems in a similar way as SMT Solver Queries - Designed a unified system to support many hardware languages. - Implemented System as part of the CIRCT Core. - Tooling not perfect but a good start to make hardware verification as efficient as program verification. #### Resources **<u>CIRCT</u>**: Final MLIR implementation of language constructs https://github.com/llvm/circt Formal Verification of Hardware using MLIR, ETHZ Master Thesis https://doi.org/10.3929/ethz-b-000668906 Incremental Conversion of SVA Properties to Synthesizable Hardware, LATTE'2025 https://capra.cs.cornell.edu/latte25/paper/14.pdf