A method for verifying equivalence of a replacement circuit, an electronic device, and a storage medium
By constructing a finite automaton for Miter circuits and using an inductive invariant verification method, the problem of low efficiency in the substitution circuit equivalence verification in the prior art is solved, and efficient functional equivalence verification is achieved.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: SHANGHAI UNIVISTA IND SOFTWARE GRP CO LTD
- Filing Date: 2023-10-23
- Publication Date: 2026-06-19
AI Technical Summary
Existing methods for verifying the equivalence of replacement circuits are inefficient while ensuring completeness, making it difficult to efficiently verify the functional equivalence between the chip design on the FPGA and the replaced clock module.
By constructing a finite automaton of Miter circuits, inductive invariants are obtained. A specified solver is used to determine whether the matching formula is an inductive invariant, and states that do not satisfy the target property are eliminated, thereby improving verification efficiency.
While ensuring state completeness, the method reduces state variables, improves verification efficiency, improves the correctness of state variable values, and ensures the functional equivalence of the replacement circuit.
Figure CN119886008B_ABST
Description
Technical Field
[0001] This invention relates to the field of EDA technology, and in particular to an equivalent verification method for a replacement circuit, an electronic device, and a storage medium.
Background Technology
[0002] After the chip design is completed, it enters the tape-out stage. Tape-out is very costly. To reduce the risks during tape-out, the chip design is thoroughly verified before tape-out to identify and adjust any issues promptly, ensuring a smooth tape-out process. During chip verification, the IC code needs to be ported to an FPGA for prototyping. Because the physical structures of the chip and the FPGA are different—chip design is based on a standard cell library, while FPGA is based on macrocell modules provided by the manufacturer—the IC design must be converted before it can be ported to the FPGA. Generally, to port the chip design to an FPGA, the registers in the chip design need to be equivalently replaced with clock modules in the FPGA. The replaced clock module is functionally equivalent to the original registers, ensuring that the circuit's functionality remains unchanged.
[0003] To verify the functional equivalence of the replaced clock module and the original register, equivalence verification methods are needed. Equivalence verification, a type of formal verification, refers to a mathematically complete proof or verification of whether the replaced circuit implements the function described in the circuit design. Currently, two common methods are used: one is to simulate the circuit behavior, observe the clock model's output, and determine if the clock model's output is the same as the register's output. If they are the same, equivalence can be confirmed. The drawback of this method is that when a circuit includes many clock models, it is impossible to traverse all states; therefore, this method of verifying equivalence is incomplete. The second method is model checking, which needs to consider all cases, but model checking cannot cover large circuits, resulting in low verification efficiency. In summary, there is an urgent need for a method that efficiently verifies model equivalence while ensuring completeness.
Summary of the Invention
[0004] To address the aforementioned technical problems, the present invention adopts the following technical solution: an equivalence verification method for a replacement circuit, the method comprising the following steps:
[0005] S100: Obtain the finite automata of the original circuit and the replacement circuit respectively.
[0006] S200: Construct the Miter circuit based on the original circuit and the replacement circuit, and obtain the finite automaton of the Miter circuit.
[0007] S300: Establish the target properties for equivalent verification based on the finite automaton of the Miter circuit.
[0008] S400: Obtain the inductive invariants of all substitution circuits in the circuit to be verified, including:
[0009] S410: Obtain matching point pairs with the same state in the original circuit and the replacement circuit under constraints.
[0010] S420: Obtain the matching formula for the matching point pairs in the finite automaton of the Miter circuit.
[0011] S430: Use a specified solver to determine whether the matching formula is an inductive invariant, wherein the specified solver is a solver for constraint satisfaction problems, including:
[0012] S431: If so, the inductive invariant is obtained, and S500 is executed.
[0013] S432: Otherwise, obtain new matching point pairs based on the solver's output, and repeat S420 and S430.
[0014] S500: Verify whether the original circuit and the replacement circuit satisfy the target property based on the inductive invariant.
[0015] Furthermore, the present invention also provides a non-transitory computer-readable storage medium storing at least one instruction or at least one program segment, wherein the at least one instruction or the at least one program segment is loaded and executed by a processor to implement the above-described method.
[0016] In addition, the present invention provides an electronic device including a processor and the aforementioned non-transitory computer-readable storage medium.
[0017] The present invention has at least the following beneficial effects:
[0018] This invention uses inductive invariants to assist in verifying target properties. Inductive invariants can eliminate states that do not satisfy the target properties, improve the correctness of state variable values, reduce the number of states while ensuring state completeness, and improve verification efficiency.
Attached Figure Description
[0019] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0020] Figure 1: A flowchart illustrating an equivalence verification method for a replacement model provided in an embodiment of the present invention;
[0021] Figure 2: A schematic diagram illustrating the relationship between corresponding sets in an embodiment of the present invention;
[0022] Figure 3: A schematic diagram of the circuit graphical representation of the original circuit of the finite automaton provided in the embodiments of the present invention;
[0023] Figure 4: A schematic diagram of the circuit structure of the clock model provided in an embodiment of the present invention.
Detailed Implementation
[0024] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0025] Please see Figure 1, which illustrates an equivalence verification method for a replacement model, the method comprising the following steps:
[0026] S100: Obtain the finite automata of the original circuit and the replacement circuit respectively.
[0027] Optionally, the original circuit is a register or flip-flop in the IC design. "Original circuit" is a name given relative to the replacement circuit: the replacement circuit is used to replace the original circuit, and the design with the original circuit replaced is then ported to the FPGA.
[0028] Optionally, when the original circuit is a register or flip-flop, the replacement circuit is a clock model.
[0029] In the prior art, other combinations of original circuits and replacement circuits that utilize replacement circuits to replace the original circuits also fall within the protection scope of this invention.
[0030] Optionally, the finite automaton is a Mealy-type finite automaton. The function and limitations of the original circuit are described using a Mealy-type finite automaton. Specifically, the finite automaton is described by a six-tuple, including the input alphabet $Y$, the output alphabet $F$, the state transition function $\delta$, the output function $\gamma$, the initial state $q_0$, and the state set $Q$. The initial state is the starting point for the finite automaton. At any given moment, the finite automaton can only be in one specific state $q_i$, and it can only accept one specific input $a_j$, where $q_i \in Q$ and $a_j \in Y$. For example, in state $q_i$, given an input $a_j$, the finite automaton enters a new state determined by the state transition function $\delta$. Under the action of the output function, the new state outputs the final transition state $b_k$, where $b_k \in F$. That is, the input is restricted by limiting the input alphabet, the circuit function is described by the transition function and the output function, and all possible states that the circuit can reach are represented by a set of states. It should be noted that the more state variables there are, the more states there are; the power set of the state variables constitutes all states. The power set of the input variables constitutes all the input alphabets. Other existing methods for describing circuit functions using finite automata fall within the scope of this invention.
[0031] It should be noted that the circuit function of the replacement circuit is described by finite automata in the same way as the original circuit, and will not be repeated here.
[0032] S200: Construct the Miter circuit based on the original circuit and the replacement circuit, and obtain the finite automaton of the Miter circuit.
[0033] The Miter circuit connects each pair of original inputs of the finite automata in the original circuit and the finite automata in the replacement circuit together, allowing the original and replacement circuits to share the input signals. Simultaneously, each pair of corresponding original outputs is connected to an XOR gate, the output of which is the output of the Miter circuit.
[0034] It should be noted that the method of describing the finite automata of the Miter circuit is the same as that of the original circuit, and will not be repeated here.
[0035] S300 establishes the target properties for equivalent verification based on the finite automata of the miter circuit.
[0036] The objective property is that, under constraints, the outputs of the original circuit and the replacement circuit are equal. It should be noted that the constraints are determined by the circuit itself.
[0037] Optionally, the constraint can be the rising or falling edge of the clock signal.
[0038] In the context of circuits, the transformation of a circuit is the transformation of registers or flip-flops within the circuit. If the transformation of each register or flip-flop is correct, that is, if it satisfies the target property, then the transformation of the circuit is correct.
[0039] Where the input variables of the Miter circuit are $(y_1, y_2, \ldots, y_n)$, the state variables of the Miter circuit are $(x_1, x_2, \ldots, x_K, z_1, z_2, \ldots, z_M)$, where the state variables $(x_1, x_2, \ldots, x_K)$ originate from the state variables of the original circuit and the state variables $(z_1, z_2, \ldots, z_M)$ originate from the replacement circuit. The state variables of the finite automaton of the original circuit are $(x_1, x_2, \ldots, x_K)$, and its output is $f(x_1, x_2, \ldots, x_K, y_1, y_2, \ldots, y_n)$. The state variables of the finite automaton of the replacement circuit are $(z_1, z_2, \ldots, z_M)$, and its output is $g(z_1, z_2, \ldots, z_M, y_1, y_2, \ldots, y_n)$. The output of the Miter circuit is $h(x_1, x_2, \ldots, x_K, z_1, z_2, \ldots, z_M, y_1, y_2, \ldots, y_n)$. When $f = g$, $h = 1$. That is, the target property to be verified is $((x_a = t_1) \land (z_b = u_1) \land \ldots \land (x_c = t_2) \land (z_d = u_2)) \rightarrow h = 1$, meaning that the outputs are equal when certain state variables in the circuit have specific values; otherwise, there is no requirement for the outputs to be equal. It should be noted that the state variables in the formula for the target property are a subset of all state variables in the Miter circuit, not all state variables in the Miter circuit. Here $t_1, t_2, u_1, u_2 \in \{1, 0\}$. The formula expression for the target property varies depending on the circuit to be verified and can be created by the user.
[0040] For a certain state $(x_1, x_2, \ldots, x_K, z_1, z_2, \ldots, z_M)$ of the finite automaton of the Miter circuit, if the target property holds for every input $(y_1, y_2, \ldots, y_n)$ that satisfies the constraints, then the state $(x_1, x_2, \ldots, x_K, z_1, z_2, \ldots, z_M)$ is a current state that satisfies the target property.
[0041] During verification, under a certain input condition, the current state in the state set can make the target property hold. However, since the state variable is transitioned under the action of the input signal, if the next state after the transition cannot make the formula hold, it is considered that the current state in the state set cannot make the formula hold always. In order to find the current state that makes the target property hold always, further processing is required.
[0042] S400, obtain the inductive invariants of all the replacement circuits in the circuit to be verified.
[0043] The inductive invariant is the logical AND of all matching formulas. A matching formula expresses that the matching points of the original circuit and the replacement circuit always have the same state under the constraints. A matching point is a logical formula of the state variables in the original circuit or clock model. If the initial state satisfies the inductive invariant, and, assuming the current state also satisfies the inductive invariant, the state after one transition still satisfies the inductive invariant, then all states transitioned from the initial state satisfy the inductive invariant. The inductive invariant can further eliminate all states that do not satisfy the matching formula, reducing the number of states processed during verification and saving hardware computing resources.
[0044] Furthermore, the S400 includes:
[0045] S410, obtain matching point pairs with the same state in the original circuit and the replacement circuit under constraints.
[0046] S420, obtain the matching formula for the matching point pairs in the finite automaton of the Miter circuit.
[0047] S430, use a specified solver to determine whether the matching formula is an inductive invariant, wherein the specified solver is a solver for the constraint satisfaction problem.
[0048] The S430 also includes:
[0049] S431, if so, the inductive invariant is obtained, and S500 is executed.
[0050] S432, otherwise, obtain new matching point pairs based on the solver's output, and repeat S420 and S430.
[0051] In a preferred embodiment, step S430, determining whether a matching formula is an inductive invariant, includes: the logical AND of all matching formulas is an inductive invariant when the matching formula satisfies the following condition: the intersection of the complement of the current state set A and the reachable state set B is an empty set. Here, the current state set A is the set of all current states that satisfy the target property, and the reachable state set B is the set of all reachable states after one transition from the current state.
[0052] It should be noted that a reachable state is the state after one transition from the current state, that is, the next state of the current state. If the next state of the current state also belongs to the set of current states, then the objective property always holds. However, when the intersection is not empty, meaning that the reachable states in the intersection do not belong to the set of current states, the objective property does not hold, and further processing is needed to filter out the reachable states in the intersection. When the intersection is empty, it means that a complete inductive invariant has been found; if the intersection is empty on the first attempt at this step, it means that the objective property does not require the constraint of the inductive invariant.
[0053] In a preferred embodiment, when the intersection between the complement of the current state set A and the reachable state set B is not empty, step S432 is executed. After S432 is completed, when S420 is executed again, it further includes: removing current states from the current state set A that do not match the description, and updating the current state set A. Step S430 then determines whether the matching formula is an inductive invariant based on the updated current state set. It should be noted that the matching formula, as a constraint condition, further constrains the range of values for the corresponding state variables, making the values of the state variables more consistent with the actual circuit and improving the accuracy of the state variable values. Under the constraint of the inductive invariant, it can be obtained that all reachable state sets are within the current state set.
[0054] In a preferred embodiment, the step of obtaining the reachable state set B further includes:
[0055] S4301 obtains the state transition relationships of the finite automaton of the miter circuit.
[0056] Optionally, the state transition relationship can be a transition state table, a transition state diagram, or a formula representing the state and transition relationship.
[0057] A transition state table or transition state diagram is a method used to describe the behavior of a finite automaton. It is a table or state diagram used to show the reachable states based on the current state and the stimuli. The transition state table or transition state diagram includes inputs, the current state, and outputs. The inputs are the stimuli, the current state is the state in the current state set, and the output is the output result of the finite automaton. The current state, under the influence of the inputs, produces an output result and transitions to the next state.
[0058] Preferably, the state transition relationship is represented by a formula. Using formulas in conjunction with a solver, it is possible to represent a large number of states and the transition relationships between them, such as tens of thousands of states (e.g., 2 to the power of tens of thousands). These states cannot be represented by a state transition table or diagram, and therefore require formulas.
[0059] S4302, based on the logical AND of the current state set and the state transition relationship, obtain the reachable state after one transition, and obtain the reachable state set B.
[0060] The reachable state is obtained by querying the state transition relationship with the current state in the current state set and the current input.
[0061] Other existing methods for obtaining the reachable state after a single migration of the current state all fall within the protection scope of this invention.
[0062] To illustrate the relationships between sets more clearly, please refer to Figure 2, which illustrates the relationships between states. In Figure 2, the elliptical region P represents the current state set A, the rectangular region not P is the complement of the current state set A, the elliptical region inductive invariant is the state set B constrained by the inductive invariant, and init represents the initial state. The constraints of the inductive invariant allow the current state to transition within P and then return to P. If a reachable state after a transition from the current state lies within the not P region, it indicates that the current state does not satisfy the target property and needs to be eliminated using the inductive invariant. The inductive invariant constrains the current state to a smaller set than P, improving the accuracy of state variable values.
[0063] S500 verifies whether the original circuit and the replacement circuit satisfy the target property based on the inductive invariant.
[0064] S500 further includes verifying whether the following two logical relations always hold true: the first logical relation is whether the initial state is in the inductive invariant; the second logical relation is whether all current states in the inductive invariant are still in the current state set after one transition. If these two logical relations always hold true, then the objective property is proven to be satisfied.
[0065] The S500 also includes:
[0066] S510 verifies whether the initial states of the original circuit and clock model meet the constraints of the inductive invariant.
[0067] S520, verify whether the state after one transition in the inductive invariant belongs to the current state set.
[0068] As an example, to further aid in understanding the invention, please refer to Figure 3 and Figure 4. Figure 3 graphically represents, for easier understanding, the circuit of the finite automaton obtained after describing the original circuit as a finite automaton. Figure 4 is the circuit of the clock model. In Figure 3, the description of the finite automaton includes: the original circuit includes a data signal din input to the data input terminal, a clock signal glk1 input to the user clock terminal, and an output signal dout_reg_0_Q output from the data output terminal. Three state variables H1, H2, and H3 store the corresponding states: H2 stores the data state, H3 stores the clock state, and H1 stores the output state. The current state of state variable H2 is the data signal stored in H2, and the next state is the input data signal din; the current state of state variable H3 is the stored clock signal, and the next state is the input clock signal glk1; the current state of state variable H1 is the stored output signal dout_reg_0_Q, and the next state is the output signal dout_reg_0_Q. The function of the original circuit is to output the current state of the data signal din stored in H2 when the falling edge of the user clock input arrives, and to output the current state of the output signal dout_reg_0_Q stored in state variable H1 when the rising edge arrives. In Figure 4, the clock model circuit includes the data signal din connected to the data input terminal, the clock signal glk1 connected to the user clock terminal, and the output signal dout_reg_1_Q output from the data output terminal. Three state variables are used to store the corresponding states: MCK_DF_din stores the data state of the clock model, MCK_istate stores the clock state of the clock model, and dout_reg_1 stores the output state of the clock model.
The next state of the data state variable MCK_DF_din is: din when the master clock is active; otherwise, the output signal of MCK_DF_din. The next state of the output state variable dout_reg_1 is: the output signal of MCK_DF_din when the enable terminal is active and the master clock is active; otherwise, the current state of the output state variable dout_reg_1. The next state of the clock state variable MCK_istate is: the current state of the master clock when the master clock is low; otherwise, the current state of the MCK_istate output signal. The enable terminal being active is the AND of the NOT of the current state of the MCK_istate output signal with the current state of the master clock. When performing equivalence verification on the original circuit of Figure 3 and the converted clock model of Figure 4, a Mealy-type automaton of the Miter circuit needs to be constructed. The objective property is a Boolean expression for the master clock being valid and the output signals of the original circuit and the clock model being equal. It needs to be verified that the objective property is always true. The inductive invariants obtained from the above steps are: H1 = dout_reg_1_Q, H2 = dout_reg_1_D, etc., where dout_reg_1_D is the data input signal of dout_reg_1. H1, H2, dout_reg_1_Q, and dout_reg_1_D are the corresponding matching points, and {H1, dout_reg_1_Q} and {H2, dout_reg_1_D} are the corresponding matching point pairs. "H1 = dout_reg_1_Q" and "H2 = dout_reg_1_D" represent the determined state matching relationships of the corresponding matching point pairs. Matching point pairs can assist in defining target properties and constrain the invariant physical relationships between corresponding matching point pairs, thereby filtering out states that do not conform to the physical matching relationships of the circuit. This reduces the number of states while ensuring state completeness and improves verification efficiency.
[0069] When the original circuit is the original circuit in Figure 3 and the replacement circuit is the clock model in Figure 4, its function is to update the value of the register or flip-flop when a valid edge arrives. A valid edge is either a rising edge or a falling edge. The target property is then a logical OR operation between the first logical expression and the second logical expression, where the first logical expression determines whether a valid edge has occurred, and the second logical expression determines whether the outputs of the original circuit and the clock model are equal.
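The S100 to S500 loop, as an added example that is not code from the patent: a constructed two-stage register and a constructed replacement with an extra clock-state bit and a bypass input (not the circuits of Figures 3 and 4). Exhaustive enumeration of the 2^5 Miter states stands in for the constraint solver, h is 1 when the outputs agree as in [0039], and S432 is implemented by dropping the matching pairs that an escaping successor violates, which is one assumed reading of "obtain new matching point pairs based on the solver's output".

```python
from itertools import product

# Constructed toy circuits (not the circuits of Figures 3 and 4).
# Inputs y = (din, edge, bypass); Miter state s = (x1, x2, z1, z2, z3).
NAMES = ("x1", "x2", "z1", "z2", "z3")
N_X = 2                       # first N_X state variables belong to the original
INIT = (0, 0, 0, 0, 0)

def step_original(x, y):      # x1 samples din, x2 takes x1 on a valid edge
    din, edge, _ = y
    return (din, x[0] if edge else x[1])

def out_original(x, y):
    return x[1]

def step_replacement(z, y):   # same function plus a clock-state bit z3
    din, edge, _ = y
    return (din, z[0] if edge else z[1], edge)

def step_buggy(z, y):         # constructed defect: inverts data on the edge
    din, edge, _ = y
    return (din, (1 - z[0]) if edge else z[1], edge)

def out_replacement(z, y):    # Mealy output: bypass forwards din directly
    din, _, bypass = y
    return din if bypass else z[1]

def constraint(y):            # constraint used by the target property: bypass low
    return y[2] == 0

def make_miter(step_z):
    """S200: product state, shared inputs, h = 1 iff both outputs agree."""
    def step(s, y):
        return step_original(s[:N_X], y) + step_z(s[N_X:], y)
    def h(s, y):
        return int(out_original(s[:N_X], y) == out_replacement(s[N_X:], y))
    return step, h

def verify(step_z=step_replacement, allowed=constraint):
    """Return (proven, matching point pairs kept in the invariant)."""
    step, h = make_miter(step_z)
    n = len(INIT)
    inputs = [y for y in product((0, 1), repeat=3) if allowed(y)]
    states = list(product((0, 1), repeat=n))
    named = lambda ps: sorted((NAMES[i], NAMES[j]) for i, j in ps)
    # S300: states where h = 1 for every input that satisfies the constraint
    prop = {s for s in states if all(h(s, y) for y in inputs)}
    # S410: candidate pairs = original/replacement variables equal at init
    pairs = {(i, j) for i in range(N_X) for j in range(N_X, n)
             if INIT[i] == INIT[j]}
    if INIT not in prop:                       # S510 fails immediately
        return False, named(pairs)
    while True:
        # S420: matching formula = AND of x_i == z_j; A = property AND formula
        A = {s for s in prop if all(s[i] == s[j] for i, j in pairs)}
        # S4301/S4302: B = states reachable from A in one transition
        B = {step(s, y) for s in A for y in inputs}
        escaped = B - A                        # B intersected with not-A
        if not escaped:                        # S431: invariant is inductive
            return True, named(pairs)
        violated = set()
        for s in escaped:                      # S432: refine from counterexamples
            broken = {(i, j) for i, j in pairs if s[i] != s[j]}
            if not broken:                     # the property itself is violated
                return False, named(pairs)
            violated |= broken
        pairs -= violated                      # at least one pair is dropped

if __name__ == "__main__":
    print(verify())                            # constrained, correct replacement
    print(verify(step_z=step_buggy))           # constrained, defective replacement
    print(verify(allowed=lambda y: True))      # constraint removed
```

A result of False means the property was not proven with this family of matching pairs; it is not by itself a proof that the circuits differ.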
[0070] This invention uses inductive invariants to assist in verifying target properties. Inductive invariants can eliminate states that do not satisfy the target properties, improve the correctness of state variable values, reduce the number of states while ensuring state completeness, and improve verification efficiency.
[0071] Embodiments of the present invention also provide a non-transitory computer-readable storage medium that can be disposed in an electronic device to store at least one instruction or at least one program related to implementing a method in the method embodiments, wherein the at least one instruction or the at least one program is loaded and executed by the processor to implement the method provided in the above embodiments.
[0072] Embodiments of the present invention also provide an electronic device, including a processor and the aforementioned non-transitory computer-readable storage medium.
[0073] Embodiments of the present invention also provide a computer program product including program code, which, when the program product is run on an electronic device, causes the electronic device to perform the steps of the methods described above in various exemplary embodiments of the present invention.
[0074] While specific embodiments of the invention have been described in detail by way of example, those skilled in the art should understand that the above examples are for illustrative purposes only and are not intended to limit the scope of the invention. Those skilled in the art should also understand that various modifications can be made to the embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.
Claims
1. A method for verifying the equivalence of a replacement circuit, characterized in that the method includes the following steps:
S100, obtain the finite automata of the original circuit and the replacement circuit respectively;
S200, construct the Miter circuit based on the finite automata of the original circuit and the replacement circuit, and obtain the finite automaton of the Miter circuit;
S300, establish the target properties for equivalent verification based on the finite automaton of the Miter circuit;
S400, obtain the inductive invariants of all substitution circuits in the circuit to be verified, including:
S410, obtain matching point pairs in the original circuit and the replacement circuit with the same state under the constraints; wherein a matching point pair is a pair of two matching points, and the two matching points are nodes in the original circuit and the replacement circuit with the same state under the constraints;
S420, obtain the matching formula for the matching point pair in the finite automaton of the Miter circuit; wherein the matching formula is a logical formula in which the state variables of the original circuit and the replacement circuit are always the same under the constraints;
S430, use a specified solver to determine whether the matching formula is an inductive invariant, wherein the specified solver is a solver for constraint satisfaction problems, including:
S431, if so, the inductive invariant is obtained, and S500 is executed;
S432, otherwise, based on the solver's output, obtain new matching point pairs again, and repeat S420 and S430;
S500, verify whether the original circuit and the replacement circuit satisfy the target property based on the inductive invariant.
In S430, the steps for determining whether a matching formula is an inductive invariant include: the logical sum of all matching formulas is an inductive invariant when the following condition is met: the intersection of the complement of the current state set A and the reachable state set B is an empty set; wherein the current state set A is the set of all current states that satisfy the target property, and the reachable state set B is the set of all reachable states after the current state has undergone one transition.
When S420 is executed again after S432 has been executed, it also includes: removing current states from the current state set A that do not match the matching formula, and updating the current state set A.
The steps for obtaining the reachable state set B also include:
S4301, obtain the state transition relationship of the finite automaton of the Miter circuit;
S4302, based on the logical AND of the current state set and the state transition relationship, obtain the reachable state after one transition, and obtain the reachable state set B.
2. The method according to claim 1, characterized in that the state transition relationship is a transition state table, a transition state diagram, or a formula representing the state and the transition relationship.
3. The method according to claim 1, characterized in that S500 also includes:
S510, verify whether the initial state of the finite automaton of the Miter circuit satisfies the constraints of the inductive invariant;
S520, verify whether the state after one transition in the inductive invariant belongs to the current state set.
4. The method according to claim 1, characterized in that, when the original circuit is a register or flip-flop in an IC design, the replacement circuit is a clock model.
5. A non-transitory computer-readable storage medium, wherein the storage medium stores at least one instruction or at least one program segment, characterized in that the at least one instruction or the at least one program segment is loaded and executed by the processor to implement the method as described in any one of claims 1-4.
6. An electronic device, characterized in that it includes a processor and the non-transitory computer-readable storage medium as described in claim 5.