© 2010 Cisco and/or its affiliates. All rights reserved.
How We Verified 5000 Lines of RTL with 3 Assertions
Nalin Nimavat (Cisco Systems), nnimavat@cisco.com
Vigyan Singhal (Oski Technology), vigyan@oskitech.com
May 2012
The Device Under Test (DUT)
[Block diagram of the DUT; source drawing FED.vsd]
Over 2N possible cases to verify!
DUT and Test Plan Implications for the Formal Verification
• Key characteristics:
• First pass: (2N + 1) assertions to be formally verified.
• There are N fields, but all the fields are of different widths.
• Though the DUT is more like a register, can we apply memory abstractions to reduce the number of assertions and formal run time?
Memory Depth, Width Abstraction
Introduction to Symbolic Variables
• Symbolic variables can sweep the whole range of values a variable can take.
• No change in RTL is required.
```systemverilog
// If valid is high, for any given memory address, the content of
// the memory matches the incoming data after 3 cycles.
bit [15:0] formalAddr;   // symbolic variable
P1 : assert property (vld == 1 |-> ##3 mem[formalAddr] == $past(inData, 3));
```
How Symbolic Variables Are Used
• All memory locations and bits are present.
• An arbitrary address formalAddr, with the same width as an actual address, is created.
• An arbitrary bit fvBit, ranging from 0 to max width of data, is created.
• Symbolic variables are free running—they can point to anywhere.
• No change in RTL is required.
• As with abstractions, only one symmetric location and one symmetric data bit are used in the formal proof.
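The memory check from the previous slide, written out as a complete checker that can be bound to a DUT. This is an added example, not code from the slides or from Cisco or Oski: the port names other than vld, inData and mem, the widths, the instance path in the bind, the assumption that one write request updates one addressed location (hence the `wrAddr == formalAddr` qualifier, which the slide's P1 does not show), and the stability assumptions are all assumptions; formalAddr, fvBit and the 3-cycle latency come from the slides.

```systemverilog
// Added example, not from the slides. Port names other than vld/inData/mem,
// the widths, and the wrAddr qualifier are assumptions about the DUT.
module mem_write_checker #(
  parameter int AW = 16,   // address width: matches bit[15:0] formalAddr on the slide
  parameter int DW = 32    // data width (assumed)
) (
  input logic          clk,
  input logic          rst_n,
  input logic          vld,                 // write request valid
  input logic [AW-1:0] wrAddr,              // write address (assumed port)
  input logic [DW-1:0] inData,              // data presented with the request
  input logic [DW-1:0] mem [0:(1<<AW)-1]    // DUT memory array, bound in from the DUT
);
  // Symbolic variables: declared but never driven, so the formal tool treats
  // them as free inputs that can take any value.
  logic [AW-1:0]         formalAddr;   // symbolic variable for depth
  logic [$clog2(DW)-1:0] fvBit;        // symbolic variable for width

  // Constraints (the "properly constrained" point on the limitations slide):
  // freeze each symbolic variable for the whole proof so that the antecedent
  // and the consequent 3 cycles later refer to the same address and bit,
  // and keep fvBit inside the data width (matters when DW is not a power of 2).
  asm_addr_stable  : assume property (@(posedge clk) $stable(formalAddr));
  asm_bit_stable   : assume property (@(posedge clk) $stable(fvBit));
  asm_bit_in_range : assume property (@(posedge clk) fvBit < DW);

  // Whole-word form of the slide's P1, qualified on the write hitting the
  // symbolic address (assumed DUT behaviour: one addressed location per write).
  P1 : assert property (@(posedge clk) disable iff (!rst_n)
    vld && wrAddr == formalAddr |-> ##3 mem[formalAddr] == $past(inData, 3));

  // Single-bit form: one symmetric location and one symmetric bit, which the
  // tool proves for every (address, bit) pair at once.
  P1_bit : assert property (@(posedge clk) disable iff (!rst_n)
    vld && wrAddr == formalAddr |-> ##3 mem[formalAddr][fvBit] == $past(inData[fvBit], 3));
endmodule

// Attach to the DUT without touching its RTL (the instance name dut is assumed).
bind dut mem_write_checker #(.AW(16), .DW(32)) u_chk (
  .clk(clk), .rst_n(rst_n), .vld(vld), .wrAddr(wrAddr), .inData(inData), .mem(mem)
);
```

The two assume properties are what turn a free-running symbolic variable into the "symbolic constant" the later slides refer to: without `$stable`, the tool may move formalAddr between the write and the read three cycles later and report a spurious failure.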
DUT: Create Symmetry
DUT: Hold Original Widths
Symbolic Variable for Depth
Symbolic Variable for Width
After Applying Symbolic Variables
• Create helper code to determine the msb and lsb of a field in the outVector, outVector(msb, lsb).
• Benefit of symmetry: We can now reduce the first and second requirements from N down to one assertion each!
After applying symbolic constants, only three assertions are used to completely verify the 5000 lines of DUT RTL.
Sample DUT Assertion
```systemverilog
// If there is space in the input to accommodate the full field, the field
// should be copied to the output.
// formalIndex: symbolic variable for depth (which field)
// fvBit:       symbolic variable for width (which bit of the field)
property fieldMatch;
  lsb >= 0 && dataSel[formalIndex] == 1 |->
    ##n outVector[$past(lsb, n) + fvBit] == $past(field[formalIndex][fvBit], n);
endproperty
assert_fieldMatch : assert property (fieldMatch);
```
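The helper code the earlier slide mentions (the msb/lsb of the symbolic field) and the assertions built on it, as an added example rather than the slides' own checker. The packing semantics are assumptions, since the slides do not spell them out: selected fields are packed into outVector from bit 0 upward in index order, packing stops at the first selected field that does not fit, and every output bit above the packed data must read 0. The field widths, N, OUT_W, the latency LAT (the slide's n) and the extra symbolic output bit fvOut are also assumed.

```systemverilog
// Added example, not the slides' code. The packing semantics are assumptions:
// selected fields are packed into outVector from bit 0 upward in index order,
// packing stops at the first selected field that does not fit, and every
// output bit above the packed data must read 0.
module field_pack_checker #(
  parameter int N     = 4,                     // number of fields (assumed value)
  parameter int MAXW  = 16,                    // widest field (assumed)
  parameter int OUT_W = 40,                    // width of outVector (assumed)
  parameter int LAT   = 2,                     // "n" on the slide: DUT latency (assumed)
  parameter int WIDTH [N] = '{12, 16, 5, 7}    // per-field widths, deliberately unequal
) (
  input logic             clk,
  input logic             rst_n,
  input logic [N-1:0]     dataSel,             // which fields are present
  input logic [MAXW-1:0]  field [N],           // field values, aligned to bit 0
  input logic [OUT_W-1:0] outVector            // DUT output
);
  // Symbolic variables (undriven, hence free): which field, which bit of it,
  // and which bit of the output vector.
  logic [$clog2(N)-1:0]     formalIndex;   // depth
  logic [$clog2(MAXW)-1:0]  fvBit;         // width, inside the chosen field
  logic [$clog2(OUT_W)-1:0] fvOut;         // an arbitrary output bit
  asm_index : assume property (@(posedge clk) $stable(formalIndex) && formalIndex < N);
  asm_bit   : assume property (@(posedge clk) $stable(fvBit) && fvBit < WIDTH[formalIndex]);
  asm_out   : assume property (@(posedge clk) $stable(fvOut) && fvOut < OUT_W);

  // Helper code: where does the symbolic field land in outVector(msb, lsb)?
  // lsb == -1 encodes "no space for this field"; `used` is the number of
  // output bits consumed by all packed fields.
  int   lsb, msb, used;
  logic full;
  always_comb begin
    used = 0;
    lsb  = -1;
    msb  = -1;
    full = 1'b0;
    for (int i = 0; i < N; i++) begin
      if (dataSel[i] && !full) begin
        if (used + WIDTH[i] <= OUT_W) begin
          if (i == formalIndex) begin
            lsb = used;
            msb = used + WIDTH[i] - 1;
          end
          used += WIDTH[i];
        end else begin
          full = 1'b1;   // first field that does not fit ends the packing
        end
      end
    end
  end

  // Requirement 1, one assertion for all N fields: the slide's fieldMatch.
  fieldMatch : assert property (@(posedge clk) disable iff (!rst_n)
    lsb >= 0 && dataSel[formalIndex] == 1 |->
      ##LAT outVector[$past(lsb, LAT) + fvBit] == $past(field[formalIndex][fvBit], LAT));

  // Requirement 2, again one assertion: every output bit above the packed
  // data is 0. This is the class of bug the next slide reports (lsb's not 0
  // when a field has no space, and when all N fields are on).
  zeroFill : assert property (@(posedge clk) disable iff (!rst_n)
    fvOut >= used |-> ##LAT outVector[fvOut] == 1'b0);
endmodule
```

Because formalIndex, fvBit and fvOut are free, a proof of these two assertions covers every field, every bit of every field and every output bit, including the different widths, without writing a per-field assertion; the unequal WIDTH values are what the "Hold Original Widths" slide refers to.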
Bugs Found with the Formal Tool
• All three assertions found bugs:
  • Output for fieldM didn't match.
  • When there is no space for someId, the lsb's were not all 0.
  • When all N fields are on, 0's were not inserted in the rest of the lsb's.
• Formal hit a bug instantly that took a long time in simulation:
  • In simulation, a lot of traffic was sent.
  • Only one field (of the 2N cases) failed to have all lsb's at 0 for this condition.
  • Formal hit this bug right away.
• Formal guarantees regular and corner case coverage for all N fields – something impossible to achieve in simulation.
Limitations of Symbolic Variables
• Symbolic variables can be easily applied to memories and other designs with symmetry.
• For non-memory, non-symmetric designs, creating symmetry to exploit the power of symbolic variables can be challenging.
• Symbolic variables need to be properly constrained in order to achieve the desired range.
Summary
• Applying symbolic variables can dramatically increase the scalability and decrease the run time of formal analysis.
• Creating symmetry and using helper code can dramatically simplify or reduce the number of assertions required.
• Bonus: No modifications to the original RTL are required!