Direct RTL-to-RTL Equivalence Verification

• Direct RTL-to-RTL model checking is a formal method that verifies the equivalence of a specification and implementation by constructing a joint finite-state transition system (FSTS).
• It employs sequential miters with helper assertions and input constraints to prune spurious counterexamples, ensuring complete coverage of design behaviors.
• Techniques such as k-induction and abstraction address design transformations like pipeline changes and logic redistribution, optimizing verification efficiency.

Direct RTL-to-RTL model checking is the process of formally verifying the functional equivalence of two Register-Transfer Level (RTL) hardware designs—typically a specification (SPEC) and an implementation (IMP)—by constructing and proving properties over their combined finite-state transition system (FSTS). This methodology enables exhaustive coverage and fast validation, addressing insufficiencies inherent in dynamic regression, particularly under conditions of increasing design complexity and aggressive time-to-market pressures. Modern formal verification techniques such as sequential hardware equivalence provide complete coverage, and this approach has demonstrated effectiveness across a spectrum of changes, including pipeline optimizations and logic redistributions (Kumar et al., 2014).

1. Finite-State Transition System (FSTS) Modeling

Each RTL design, both SPEC and IMP, is modeled as a deterministic FSTS:

$S_i = (V_i, I_i, O_i, R_i, T_i)$

where:

• $V_i$ denotes the set of state bits (flop outputs) for design $i$,
• $I_i$ is the vector of primary inputs,
• $O_i(V_i, I_i)$ represents outputs, including primary and internal signals of interest,
• $R_i(V_i)$ defines the initial-state predicate (e.g., reset conditions),
• $T_i(V_i, I_i, V_i')$ formalizes the transition relation such that $T_i(V_i, I_i, V_i')$ is true iff $V_i'$ is the correct next-state under $I_i$.

For state vector $V_i = (v_i^{(1)},\dots,v_i^{(n)})$, where each flop’s next-state is given by $v_i^{(k)'} = f_i^{(k)}(V_i, I_i)$, the transition relation becomes:

$$T_i(V_i, I_i, V_i') \equiv \bigwedge_k [v_i^{(k)'} \leftrightarrow f_i^{(k)}(V_i, I_i)]$$

This explicit modeling provides the formal basis for equivalence checking.

2. Sequential Equivalence Miter Construction

The core of RTL-to-RTL model checking uses a product "miter":

$M = (V_1 \cup V_2, I, R, T, \text{bad})$

where:

• $I = I_1 \cup I_2$ (with possible identification or constraints on corresponding inputs),
• $R(V_1, V_2) = R_1(V_1) \land R_2(V_2)$,
• $$T(V_1, V_2, I, V_1', V_2') = T_1(V_1, I_1, V_1') \land T_2(V_2, I_2, V_2')$$,
• $$\text{bad}(V_1, V_2) = \bigvee_\ell [O_1^\ell(V_1, I_1) \oplus O_2^\ell(V_2, I_2)]$$.

Intuitively, the miter captures the joint evolution of both designs and flags any state in which outputs diverge. The central verification goal is to show that $\text{bad}$ is unreachable for all time—i.e., a proof of unsatisfiability (UNSAT) for $M$ guarantees functional identity under all behaviors allowed by the models.

3. Input Constraints and Correspondence Points

Verifying equivalence benefits from (a) constraining the input space to authorized stimulus and (b) introducing correspondence (helper) assertions:

Input Constraints: Many legal behaviors restrict the Boolean input space, e.g., aligned addresses or mutually exclusive feature-select bits. A constraint predicate is enforced as:

$$C(I_1, I_2) \equiv (\text{SpecConstraint}(I_1) \land \text{ImplConstraint}(I_2) \land I_1 \equiv I_2)$$

This pruning dramatically reduces spurious counterexamples and focuses solver effort.

Correspondence Points: To accelerate convergence, internal pipeline "cutting planes" $P_1, ..., P_k$ where SPEC and IMP must always agree are used, typically after known alignment (e.g., post two pipeline stages):

$$H_k(V_1, V_2) \equiv \text{addr}_1(V_1[k]) \leftrightarrow \text{addr}_2(V_2[k])$$

These helper assertions are added to the miter at the relevant depths, effectively black-boxing complex downstream logic until $P_k$ is verified.

4. Proof Strategies: Induction and Abstraction

Two principal proof strategies are employed:

Induction (k-induction): The methodology proceeds by induction over time steps:

• Base case $(t=0)$: Verify $R(V_1, V_2) \land \text{bad}(V_1, V_2)$ is UNSAT.
• Inductive step: For all $V_1,V_2,I,V_1',V_2'$,

$$[\text{Inv}(V_1, V_2) \land T(V_1, V_2, I, V_1', V_2')] \implies \text{Inv}(V_1', V_2')$$

where $\text{Inv}$ typically consists of $\lnot\text{bad}$ and helper assertions. In practical terms, k-induction is run for $k=1,2,\ldots$: no $\text{bad}$ reachable in $k$ steps, and any state maintaining the invariant ensures $\text{bad}$ remains unreachable.

Abstraction and Refinement: For subsystems with prohibitive state space (e.g., large memories, deep FIFOs), abstraction by uninterpreted functions or small BDDs is leveraged. If abstraction yields a false counterexample, refinement selectively restores implementation detail to the relevant region.

5. Handling Design Transformations

RTL2RTL equivalence is robust against common design transformations:

Pipeline Depth Changes: When SPEC and IMP have varied pipeline depths, latency alignment is achieved by introducing helper flops or partial black-boxing to synchronize state cones.

Logic Redistribution: In scenarios such as timing fixes, where combinational logic migrates across pipeline boundaries, state matching can fail. "Automatic state-splitting" is applied:

• Mapping each SPEC flop to a corresponding throttle point in IMP,
• Temporarily excluding unmappable flops until subset equivalence is established,
• Propagating proven matches as new helper assertions, iteratively shrinking the unresolved design space.

6. Tool Flow and State-Space Optimizations

Efficient formal equivalence checking uses multi-stage flow:

Step	Action	Optimization Techniques
1. Preprocess	Elaborate RTL1, RTL2 to flattened netlists	-
2. Miter Generation	Generate conjunction $T_1 \land T_2 \land R \land \lnot\text{bad}$, apply constraints	Input pruning, helper assertions
3. SAT/SMT Backend	Translate to CNF (SAT) or bit-vector formulas (SMT)	-
4. Bounded-Model Unrolling	For $k$ steps, build $M_k$, unroll transitions and bad checks	Case splitting
5. SAT Solve	Solve $M_k$; UNSAT followed by induction yields equivalence	Divide-and-conquer by block
6. BDD/Hybrid	Use BDD or hybrid SAT+BDD engines on small sub-blocks	Dependency tree reduction
7. Complexity Reduction	Subdivide by block, utilize helper assertions and case-splitting	State-space pruning

A plausible implication is that dividing the design, employing helper assertions, and input pruning collectively enable exponential reduction in state space, increasing overall tractability.

7. Performance, Coverage, and Practical Experience

Empirical results on large graphics designs demonstrate the efficacy of direct RTL2RTL verification (Kumar et al., 2014):

• Full databus regression, previously requiring 3–5 days across 10 machines, was reduced to approximately 1 hour on a single 32 GB machine.
• End-to-end mantissa-control datapath equivalence (∼1 M gates per design) typically converged in less than two hours, with 100% coverage confirmed by UNSAT proofs.
• Design transformations, especially pipeline optimizations, revealed subtle corner-case bugs missed by dynamic regression even after extensive randomized test campaigns.

Worked Example: In the parity generator versus pipelined version, the methodology was illustrated concretely for single and two-stage pipeline implementations, showing that the miter’s bad predicate was UNSAT by induction at relevant depths, generalizing to hundreds of registers and complex logic. The method replaces labor-intensive dynamic testing or symbolic trajectory evaluation (STE) with exhaustive functional coverage.

A plausible implication is that formal equivalence checking at the RTL level via sequential miters and solver-backed induction or abstraction yields rigorous validation, increased design confidence, and accelerated closure in the face of aggressive feature and timing churn.