# ESE5320: Today System-on-a-Chip Architecture • Assertions (Part 1) Day 21: November 11, 2024<br/>Verification 2 • Froving correctness (Part 2)<br/> - FSM Equivalence • Timing and Testing (Part 3) • Timing and Testing (Part 3)

 Message

 • If you don't test it, it doesn't work.

 • Testing can only prove the presence of bugs, not the absence.

 • Full verification strategy is more than testing.

 • Valuable to decompose testing

 • Functionality

 • Functionality at performance

3



Assertion

- · Properties expect/demand to hold
- Predicate (Boolean expression) that must be true
- Add to code
- Can uses variables in code to write expression
- Example: assert(num<100);
- Invariant
- Expect/demand this property to always hold  $h = SE_{\text{Never}} \text{ vary} \rightarrow \text{ never not be true}$

## Equivalence with Reference as Assertion

- Match of test and golden reference is a heavy-weight example of an assertion
- r=fimpl(in);
- assert (r==fgolden(in));

enn ESE5320 Fall 2024 -- DeH

6

5

5











#### Merge Requirement

- Require: astream, bstream sorted
- int aptr; int bptr;
- astream.read(ain); bstream.read(bin)
- For (i=0;i<MCNT;i++)</li>

If ((aptr<ACNT) && (bptr<BCNT))

If (ain>bin)

{ ostream.write(ain); aptr++; astream.read(ain);} Else

{ ostream.write(bin) bptr++; bstream.read(bin);} Else // copy over remaining from astream/bstream

13



14









<sup>18</sup> <sup>18</sup> <sup>18</sup> <sup>18</sup>





Prove Equivalence
Testing is a subset of Verification
Testing can only prove the presence of bugs, not the absence.
Depends on picking an adequate set of tests
Can we guarantee that all behaviors are the correct? Same as reference? Seen all possible behaviors?

21

## Testing with Reference Specification

Validate the design by testing it:

- Create a set of test inputs
- · Apply test inputs
  - To implementation under test
  - To reference specification
- · Collect response outputs
- Check if outputs match

Penn ESE5320 Fall 2024 -- DeHon

Idea
Reason about all behaviors

Response to all possible inputs

Try to find if there is *any* way to reach disagreement with specification
Or can prove that they always agree
Still demands specification

...but we can also relax that with assertions

22

320 Fall 202

## Formal Equivalence with Reference Specification

Validate the design by proving equivalence between:

- implementation under consideration
- · reference specification

24

23

22

















## Non-Equivalence State {S1<sub>i</sub>, S2<sub>j</sub>} demonstrates non-equivalence iff {S1<sub>i</sub>, S2<sub>j</sub>} reachable On some input, State S1<sub>i</sub> and S2<sub>j</sub> produce different outputs If S1<sub>i</sub> and S2<sub>j</sub> have the same outputs for all composite states, it is impossible to distinguish the machines They are equivalent A reachable state with differing outputs for any state states with differing outputs

































Burst Testing
 Issue

 May only see high speed for computation/interactions that occur within a burst period
 May miss interaction at burst boundaries
 Mitigation

 Rerun with multiple burst boundary offsets
 So all interactions occur within some burst
 Decorrelate interaction and burst boundary
 50



Learn More

CIS6730 – Computer Aided Verification

· CIS5410 - includes verification for real-

- Has mechanized proofs, proof checkers

CIS5000 – Software Foundations

time system properties

51





- Assertions valuable
  - Reason about requirements and invariants
     Explicitly validate
- Formally validate equivalence when possible
- Valuable to decompose testing
  - Functionality
  - Functionality at performance
- ...we can extend techniques to address timing and support at-speed tests

54

53

enn ESE5320 Fall 2024 -- DeHo

53

### Admin

55

- Feedback
- Reading for Wednesday on Canvas
- P3 due Friday

Penn ESE5320 Fall 2024 -- DeHon