a comprehensive formal verification solution for arm based soc design

May 2, 2012 1

A Comprehensive Formal Verification Solution for ARM® Processor Based SoC

Design Laurent Arditi, PhD – ARM Formal Verification Expert

Ziyad Hanna, PhD – Jasper VP of Research & Chief Architect

| © 2012, Jasper Design Automation | Confidential

May 2, 2012 2

RTL Development   Designer-‐based verifica0on w/o testbench   Design trade-‐off analysis   X-‐propaga0on detec0on and debug   Power management verifica0on

Formal Property Verifica8on   Protocol cer0fica0on   End-‐to-‐end packet integrity   Asynchronous clocking effects   Asser0on-‐based verifica0on

SoC Integra8on   Automated register verifica0on   Glitch detec0on   Mul0-‐cycle path verifica0on   Chip-‐level connec0vity

Architecture Valida8on   Executable spec   Absence of deadlock   Cache coherency

Property Synthesis   Automated asser0on genera0on   Iden0fica0on of coverage holes   Inference and synthesis of func0onal proper0es

from RTL and simula0on waveforms

Post-‐Silicon Debug   Failure signature matching   Root cause isola0on   Candidate cause elimina0on   Valida0on of fixes before re-‐spin

Interac8ve Debug Modify/create proper0es on the fly to explore design

behavior

Increased Throughput U0lize mul0ple proof

engines on parallel compute resources

Wider Deployment Proliferate across

engineering teams with unique adop0on model

Higher Capacity Verify complex 100M gate

designs

Jasper Provides Verification Solutions to IP and System-on-chip Designs

Verifica8on IP   Cer0fica0on of AMBA 4/ACE checkers   Popular standard protocols   Configurable, illustra0ve, op0mized for formal


May 2, 2012 3

Customers

Locate a Sony Style Store Customer Care



Sony

Apple

SMI

AMCC

9/5/11 10:09 PMEricsson - A world of communication - Ericsson

Page 1 of 1http://www.ericsson.com/

WELCOME TO ERICSSON

News Center Show list

Unplug mobile broadbandUnplugging mobile broadband requires a newway of thinking. Ericsson Unplug logics takemobile broadband business models out of thepast and into the future.

Ericsson Responsepartners with SingTelGroup for disastercommunications

Partnership to provide emergency communications services to support disaster reliefefforts in South and Southeast Asia through Ericsson Response.

Tech Talk: LTE-AdvancedIn our latest Tech Talk film, Mikael Höök fromEricsson Research discusses LTE advanced.

Your app can make the bigtimeGot a great Android app? The EricssonApplication Awards give you and your team theopportunity to make a splash in the app industry,

get an instant and impressive contact network and win EUR 15,000. Sound good?Read on…

OSS and BSS: an analyst’sviewCurrent Analysis’ view on how operators canmeet the OSS and BSS, Cloud and userexperience challenges.

Digital natives’ role in theNetworked SocietyGrowing up in a world of computers, mobilephones and the internet, digital natives’ behaviorand attitudes towards these tools is shaping

society’s future.

Brush up on hot tech topics

LTE: A needed technology

M2M remote-subscriptions management

IP Talk Radio


May 2, 2012 4

Agenda

  IP Level Formal Verification at ARM

  System Level Verification of ARM® processor based

SoC


May 2, 2012 5

ARM Cortex-R7 Formal Verification with Jasper

  The ARM formal verification flow based on Jasper has been found to have capacity to support the

verification of a Cortex-R series real-time processor

  Setup

•  All the formal verification tasks for the ARM Cortex-R7

are applied at the top-level

•  The top-level constraints are “simple”

•  AXI protocol checkers

•  Models of RAMs only where needed (mostly cache

tags): CAMs with additional constraints to start from a

non-empty RAM content

•  A few assumptions to avoid fails due to software errors


May 2, 2012 6

Trial ARM Formal Verification Flow

design team RTL

properties

validation team setup

constraints abstractions

JasperGold

waveforms

report

leads & managers email ValSpider Excel Jira

Trial deployment on several blocks and units, with differing design size.


May 2, 2012 7

Formal for RTL Development - RTLD

  Designer-based verification w/o testbench

•  Allows early RTL exploration without the need to generate input stimulus

•  Start with simple behaviors about the design –  cover line_eop

•  Group simple behaviors together to build complex scenarios

•  Write assertions about events that are always/never true

  Design trade-off analysis

•  Behaviors and scenarios allow for easy incremental analysis and RTL

comparison tasks

  Higher quality RTL passed to other teams in the design/verification flow


May 2, 2012 8

Jasper Flow for RTL Designers*

RTL

Database

Scenario A Scenario B Scenario C Scenario D

Functional scenario A : assertion 5 violation Functional scenario B : assertion 7 violation Functional scenario C…… Functional scenario D…..

RTL’

What-if analysis

Debug failing scenarios

Combine and save multiple functional scenarios

Modified RTL

Visualize design behavior w/o testbench

Compare saved scenarios

against modified RTL

(*Partially used at ARM)


May 2, 2012 9

Jasper’s Visualize Technology

  Simula0on

•  More of an ‘input driven’ method, may not exercise desired behavior

•  Wiggle the inputs to produce a desired behavior (trial and error)

  Visualize

•  More of an ‘output driven’ method and u0lizes formal engines

•  QuietTraceTM minimizes inputs and s0ll produces desired behavior

•  Interac0vely add constraints to construct desired waveform

Simulator

RTL

Testbench

Simula0on Waveform

state == READ ack = 1

VisualizeTM

RTL

state == READ ack = 1

Visualize Waveform

Target Target is always in the waveform


May 2, 2012 10

ARM Experience

  Some simulation test benches were not ready soon enough to run

the first RTL modules with new features

  So used FV to check these new features

  Use of basic properties to check the RTL is not completely broken

  Use of visualize to show the design is alive and the new features “do

something” not stupid

  It’s much faster to get a working formal setup than a simulation one

  And designers find formal counter-examples to be easier to debug

than simulation failures

Laurent Arditi, Principal Engineer, Processor Division, Jasper User Group 2011


May 2, 2012 11

ARM’s Assertion Based Design with JasperGold

  Assertions were written for both simulation and formal

  Strong but simple SVA coding guidelines, for the ARM Cortex-R7:

•  Avoid non-synthetizable properties (but liveness is accepted)

•  Maximize the use of implications to get coverage points for free

•  Software constraints turned into assumes for formal

•  Critical properties on which a higher effort must be put

  X-Propagation checks

  Depending on the configuration, end-up with thousands of

properties


May 2, 2012 12

Formal Verification Dashboard

0

200

400

600

800

1000

1200

1400

1600

4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 2 4 6 8 10 12

Properties

Proven Fail Undetermined

0%

2%

4%

6%

8%

10%

12%

14%

16%

18%

% fail

% unreachable

Poly. (% fail)

Poly. (% unreachable)

beta EAC beta EAC


May 2, 2012 13

JasperGold Found 15% of The Bugs   Formal found many bugs at the start of the project. They were not tracked

  Started to count the assertion fails in Jan’11, and in Jira in July’11 (beta)

0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18 % fail


May 2, 2012 14

Quality of bugs found by JasperGold   All bugs found by formal were not found earlier by simulation

  Very few false-negatives

•  They could be resolved by adding new constraints

•  A few remaining are UNPREDICTABLE cases and the constraints to discard them are too

complex to write. So these fails are “explained” and skipped

  Formal provides easy to debug waveforms

  Quality of the bugs found by formal:

•  Very good at the beginning: obvious design errors

•  Real corner cases

  Assertions are usually simple. More sequential ones would find more complex bugs

  Higher-level properties would allow to discover more fundamental bugs: deadlock,

coherency, determinism. Planned for maturity


May 2, 2012 15

Agenda

  IP Level Formal Verification at ARM

  System Level Verification of ARM processor based

SoC


May 2, 2012 16

ARM Based Heterogeneous System-on-Chip

Cache Coherent InterconnectCCI-400

I/O device

MMU-400

Dynamic Memory ControllerDMC-400

Network InterconnectNIC-400

Slaves Slaves

Network InterconnectNIC-400

LCDVideo

DDR3/LPDDR2 DDR3/LPDDR2

PHY

GIC-400Mali-T604 graphics

PHY

MMU-400 MMU-400

Quad Cortex-A7

Quad Cortex-A15

JUG-2011 Paul Martin [email protected]

ARM

ARM ARM


May 2, 2012 17

SoC Integration and Verification Challenges

  Protocol Modeling and Verification, Coherency

  Standard Interface Modeling and Verification (ProofKits)

  System Level Deadlocks Detection and Verification

  Connectivity and Integration

  Register programming sequence

  Power analysis and verification

  Security checks


May 2, 2012 18

ACE Verification – High-level Properties

  Coherence •  If a master’s cache has a line in UD or UC, no other master can

have the line in a valid state

•  If a master’s cache has a line in SD, no other cache master can have the line in SD

  Deadlock

•  At least one transaction can always make forward progress

  Data integrity

•  A read always reads the last write to an address


May 2, 2012 19

Jasper Architectural Validation Flow

Architectural waveforms

without testbench

Architectural proofs • Consistency • Completeness • E.g., coherency property

Table-‐based entry format (or Murphi)

Arch spec.

RTL Export properties to RTL simulation

Executable document view

RTL formal verification

Architectural requirements

Automatic Generation of SV Model and Properties


May 2, 2012 20

Advantages

  Verify architectural rules – cache coherence, deadlock

freedom

  Find corner case bugs – deadlocks, coherence issues

  Validate future protocol changes

  Remove specification ambiguities

  Downstream usage as VIP – checks + coverage model


May 2, 2012 21

ACE Protocol Modeling and Verification With Jasper

“Verifying cache coherent systems is difficult and designers need

sophisticated VIP to help solve these issues”

“ARM partners with EDA companies like Jasper to ensure our SiP’s are

enabled to take advantage of improved system performance and power

provided by AMBA 4” JUG-2011 – Paul Martin [email protected]


May 2, 2012 22

Chip-Level Connectivity Verification Solution

  Exhaustively verifies that the RTL matches the connectivity definition

•  Verify that point A is equivalent to point B (block or chip level)

as certain signals/modes can impact connections

•  No other signals/modes/settings can impact connections

•  Important aspect of system integration of many IP’s

  Types of connection

  Structural, Boolean condition, temporal condition, and temporal connection with latency and delay

  Allow fast and exhaustive verification

  Quickly reconfirm results (regressions) as RTL is being modified

  Automated flow allows early and frequent verification


May 2, 2012 23

Chip-Level Connectivity Verification Flow

Waveforms with connectivity

conditions

Connec0vity proofs (asser0ons and covers)

Connectivity map

cond A

RTL

Top-level of SoC

B


May 2, 2012 24

Automated Register Verification

D1 D2

rese

t

Register transfer

Expected reg-value Reset value D1 D2

D

Non-deterministic # (zero to infinite) of Rd/ Wr access to any address except A

Read from address A

Write D to address A

check update update check check

  Formal proofs are exhaustive

•  Checks for all possible sequences of RD/WRs in any order

•  Checks for all register addresses

  Conceptually, the following non-deterministic trace is considered

by formal for proving address A


May 2, 2012 25

RTL Development   Designer-‐based verifica0on w/o testbench   Design trade-‐off analysis   X-‐propaga0on detec0on and debug   Power management verifica0on

Formal Property Verifica8on   Protocol cer0fica0on   End-‐to-‐end packet integrity   Asynchronous clocking effects   Asser0on-‐based verifica0on

SoC Integra8on   Automated register verifica0on   Glitch detec0on   Mul0-‐cycle path verifica0on   Chip-‐level connec0vity

Architecture Valida8on   Executable spec   Absence of deadlock   Cache coherency

Property Synthesis   Automated asser0on genera0on   Iden0fica0on of coverage holes   Inference and synthesis of func0onal proper0es

from RTL and simula0on waveforms

Post-‐Silicon Debug   Failure signature matching   Root cause isola0on   Candidate cause elimina0on   Valida0on of fixes before re-‐spin

Interac8ve Debug Modify/create proper0es on the fly to explore design

behavior

Increased Throughput U0lize mul0ple proof

engines on parallel compute resources

Wider Deployment Proliferate across

engineering teams with unique adop0on model

Higher Capacity Verify complex 100M gate

designs

Jasper Provides Verification Solutions to IP and System-on-chip Designs

Verifica8on IP   Cer0fica0on of AMBA 4/ACE checkers   Popular standard protocols   Configurable, illustra0ve, op0mized for formal


May 2, 2012 26

Thanks

a comprehensive formal verification solution for arm based soc design

Technology

design engines

formal verification

jasper flow

working formal setup

design cover line

differing design size

jasper user group

rtl designers