Page 1: STMicroelectronics – Agrate Brianza - Italy

Can We Really do Without the Support of Formal Methods in the Verification of Large Designs?

Special Session on Formal Verification
DAC 2005 – Anaheim, Jun 16, 2005
Umberto Rossi

Page 3: Outline

Progress through the last 10 years from STM view
How Formal Verification is used in STM
Examples of success in STM
How Formal Verification can make the difference
The example of IP Validation
What can help Formal Verification to fly
Hints for the future & conclusion

Page 4: Progress through the last 10 years

The Pentium FP bug made the concept of "corner case" familiar to an extended community of designers (1994)
ASIC design, 2 MGate systems, .35 µm process (1995)
– commercial Formal Verification was limited to (combinational) Equivalence Checking
– mainly Gate-to-Gate, few 100's KGate blocks
– serious limitations in name mapping
– custom-like designs via Transistor Abstraction
– only one design group was using E.C. in ST
Commercial Property Checking was still to come (98)

Page 5: Progress through the last 10 years

SoC/SiP, 100's MGate systems, 90nm process
Equivalence Checking is massively used
– 2 commercial products used in ST
Several formal products dealing with Functional Verification
– 4 different solutions used in ST, with little penetration each

Page 6: Progress through the last 10 years

Long story of start-ups, mergers and acquisitions (Verplex → CADENCE, 0-In → MENTOR), just to mention the latest
The tools in the Formal Verification arena have completely re-shaped themselves
Testbench Automation has dominated the verification market since the late 90s, both in the IP and the System Level domains
Functional Verification based on Formal Verification has not even competed with Testbench Automation

Page 7: What is in a Formal Verification tool

[Block diagram] User Defined Properties (Prop. 1, Prop. 2, Prop. 3), written in GDL/Sugar, PSL or SVA/OVA, together with encrypted protocol VIP libraries, are fed to a Solver Schedule under User Solver Control; the Formal Verification process dispatches them to several engines (Solver 1 ... Solver 5): Reachability, ATPG, SAT, Abstraction, CRTPG.

Page 8: How Formal Verification is used in STM

Testbench based methodology is by far the most used for IP validation, especially for protocols
Formal product-I for proof – module level
– 50%: "COPS" package for STBus protocol checking – IP level
– 50%: custom properties
Formal product-II for bug hunting – IP level
Formal product-III used with ABV features
About 10 people can address Formal Verification

Page 9: Typical usage of Protocol Checking

[Block diagram of an imaging SoC: MCU Code / MCU Data, Interrupt Contr., Peripheral Contr., GPIOs, Host/I2C, SPI, Parallel Interface, 4.6 MHz UIF, CCIR656 / CCP1.1 sensor interfaces, Sensor Comm., Dual Pixel Pipe, JPEG, YUV and RGB/YUV paths, eWarp and FP_ALU, eWarp/T1 Bridge, VP Arbiter, T2 DMA, T2/SRAM or Memory controller; interconnect ports labelled T1, T2, P1, P2]

Formal Verification is used on top of the Testbench approach, for certain architecture hot spots

Page 10: Taking advantage of Formal Verification beyond module level

End-to-End, black-box, "simple" properties
– general functional properties that presumably involve the whole "block" function
Typically ~10 independent properties
– Data integrity
– Data persistence
– Arbitration
Allows checking robustness of RTL, via reasonable under-constraining of the environment (the RTL is exercised on stimuli that a fully constrained, protocol-legal environment would never produce)

Page 11: Ex: generating transaction scenario

Bus infrastructure
– 6 Masters, 19 Slaves
– matrix of relations is incomplete: each master sees a fraction of the address space
– total utilization < ½ of the available address space
Setup is the same for all masters
– no need to bias address generation depending on {master, slave}
Found a protocol violation when error is notified

[Figure: masters M1 ... M6 mapped onto slave 1 ... slave 19 within the 2^32 address space]

Page 12: Testbench verification setup

Infrastructure implemented by Multi-Layer AHB
Testbench built by adapting Single Layer V.C.
– avoid building new V.C., tried to re-use existing
– 1st configuration: the violation is missed by monitors!
– 2nd configuration: cumbersome, but monitors work

[Figure: AHB bus with AHB Matrix; masters M1 M2 M3 and M4 M5 M6, slaves S1 ... S14 and S15 ... S19]

Page 13: Formal Verification strengths

Exploring a huge scenario of input sequences
Seamless configuration of environment components
– eases reusability of environment blocks
– eases environment component plug-in
Does not need to weight/bias test pattern generation
– like in the case of large address ranges
Protocol properties: 6 (master) + 29 (slave)
2 functional properties
Address Map Check
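The Address Map Check named above, worked through as an added example (this is not code from the presentation or from ST). The slave ranges and the master-to-slave visibility matrix are constructed to mirror the setup of pages 11 to 13 (6 masters, 19 slaves, an incomplete relation matrix, utilization below half of the 2^32 space). The point of page 13 is that formal methods need no biased address generation: instead of sampling a few addresses per {master, slave} as a testbench would, each master's decoder is treated as a set of intervals, so every address is covered, overlapping selections (contention) and unreachable slaves are found exactly, and the unmapped regions that trigger the decoder's error response are listed as the stimuli for that path.

```python
"""Exhaustive address-map check for a multi-master bus matrix.

Added example, not code from the STM presentation. SLAVES and VISIBLE are
CONSTRUCTED to mirror the 6-master / 19-slave matrix of pages 11-13.
"""
from typing import Dict, List, Optional, Tuple

ADDR_BITS = 32
ADDR_SPACE = 1 << ADDR_BITS
Interval = Tuple[int, int]  # half-open [lo, hi)

# Constructed slave map: (slave_id, base, size); 19 slaves of 64 MiB each.
SLAVES: List[Tuple[int, int, int]] = [
    (s, s * 0x0800_0000, 0x0400_0000) for s in range(1, 20)
]

# Constructed visibility matrix: the slaves each of the 6 masters may address.
VISIBLE: Dict[int, List[int]] = {
    1: [1, 2, 3, 4],
    2: [1, 5, 6, 7, 8],
    3: [9, 10, 11],
    4: [2, 12, 13, 14],
    5: [15, 16, 17],
    6: [1, 18, 19],
}


def slave_interval(slave_id: int) -> Interval:
    for s, base, size in SLAVES:
        if s == slave_id:
            return (base, base + size)
    raise KeyError(f"unknown slave {slave_id}")


def master_map(master: int) -> List[Tuple[int, Interval]]:
    """One master's decoder view as (slave, interval), ordered by base address."""
    view = [(s, slave_interval(s)) for s in VISIBLE[master]]
    return sorted(view, key=lambda e: e[1][0])


def overlapping_pairs(intervals: List[Interval]) -> List[Tuple[Interval, Interval]]:
    """Every pair of intervals sharing an address. In a decoder this is a
    bus-contention / mutual-exclusivity violation: one address, two slaves."""
    return [(a, b) for i, a in enumerate(intervals) for b in intervals[i + 1:]
            if a[0] < b[1] and b[0] < a[1]]


def unmapped_regions(master: int) -> List[Interval]:
    """Complement of a master's map: every address here gets the decoder's
    error response, i.e. the stimuli that reach the error path where page 11
    reports the protocol violation was found."""
    gaps: List[Interval] = []
    cursor = 0
    for _, (lo, hi) in master_map(master):
        if lo > cursor:
            gaps.append((cursor, lo))
        cursor = max(cursor, hi)
    if cursor < ADDR_SPACE:
        gaps.append((cursor, ADDR_SPACE))
    return gaps


def decode(master: int, addr: int) -> Optional[int]:
    """Reference decoder: the slave selected by addr, or None for error."""
    hits = [s for s, (lo, hi) in master_map(master) if lo <= addr < hi]
    if len(hits) > 1:
        raise AssertionError(f"master {master}: {addr:#x} selects slaves {hits}")
    return hits[0] if hits else None


def check_address_map() -> Dict[str, object]:
    """Address Map Check over the complete 2^32 space, by interval reasoning."""
    global_ivs = [slave_interval(s) for s, _, _ in SLAVES]
    report: Dict[str, object] = {
        "out_of_range": [s for (s, _, _), (_, hi) in zip(SLAVES, global_ivs) if hi > ADDR_SPACE],
        "global_overlaps": overlapping_pairs(global_ivs),
        "per_master_overlaps": {m: overlapping_pairs([iv for _, iv in master_map(m)]) for m in VISIBLE},
        "unreachable_slaves": sorted(s for s, _, _ in SLAVES
                                     if not any(s in v for v in VISIBLE.values())),
        "unmapped": {m: unmapped_regions(m) for m in VISIBLE},
    }
    # With disjoint global ranges the utilization is just the sum of the sizes.
    report["utilization"] = sum(hi - lo for lo, hi in global_ivs) / ADDR_SPACE
    report["ok"] = (not report["out_of_range"] and not report["global_overlaps"]
                    and not report["unreachable_slaves"]
                    and not any(report["per_master_overlaps"].values()))
    return report


if __name__ == "__main__":
    rep = check_address_map()
    print("address map ok:", rep["ok"], " utilization:", f"{rep['utilization']:.3f}")
    for m, gaps in rep["unmapped"].items():
        print(f"M{m}: {len(gaps)} error regions, first {gaps[0][0]:#x}-{gaps[0][1]:#x}")
```

The same interval check is what a tool performs when it proves that an address can never select two slaves or that a slave is dead for a given master; a simulation monitor, by contrast, can only report these for the addresses it happened to drive.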

Page 14: Ex: diagnosing a failure in the field

A system hang occurred in the real silicon
A block is suspected
Problem: what are the generating conditions?
Does the schema work for all transaction combinations and sequences?

    bool arm_write : ~nMREQ && nWAIT && nRW && ADDR_M0[31:2]==30'h8000000; // `timeout' address

    assert check_reg : check(evn_check_reg);
    clock posedge clk {
      logic [15:0] reg_val = 16'hffff;                   // register reset
      reg_val <= arm_write ? DATA_M0[15:0] : reg_val;    // reference copy, updated on every M0 write
      event evn_check_reg : timeout==reg_val;            // hardware register must match the copy
    }

M0 silent - M1 active
BUG: `timeout' written by M0 is corrupted on invalid transaction

Page 15: Formal Verification capabilities

[Diagram] Capabilities, from implied intent to functional intent:
– Structural Checks: full_case / parallel_case
– Integrity Checks: Out of Bounds, FIFO full / FIFO empty
– Semantic Checks
– Temporal Properties
– End-to-End Properties
Powerful extraction capabilities; mixed VHDL/Verilog; assertion languages: e, PSL, SVA/OVA

Page 16: Formal Verification capacity

[Diagram] The same capability axis (Structural Checks with full_case / parallel_case, Integrity Checks with Out of Bounds and FIFO full / FIFO empty, Semantic Checks, Temporal Properties, End-to-End Properties) annotated with the design size each check scales to: Full Chip for the implied-intent checks, Full IP for semantic checks and temporal properties, Full Block or a Complex Infrastructure for End-to-End Properties

Page 17: Opportunities for Verification success?

Cost of masks, exceeding $1M in 90nm
– makes re-spin impossible to sustain
Number of transistors in IP (RTL 'big' modules):
– .25 µm: 30%
– 90nm: 90%
– assuring IP quality becomes a key factor to achieve reusability among different projects
Address the right demanding market
– Automotive: the process qualification requires 2-3 years, so increasing the risk for late bug finding

Page 18: How to enhance the Verification flow?

30% Design vs 70% Verification is a dream
– product groups cannot afford this rate as far as engineering resources are considered
– team managers still feel more confident with system level verification, but this makes controllability and debugging much harder

[Pie chart: Verif. 70%, Design 30%]

Page 19: How to enhance the Verification flow?

Formal Verification helps simplifying the scenario generation, e.g. by means of assertion constraints
Harry Foster et al.'s "line of intent" concept
– formal verification can help in simplifying the 'how' and concentrate the effort on the 'what'
Example: reachability analysis on FSM

    type state is (A, B, C, D, E, ...);
    signal SM : state;

– Reach all states in FSM: cover SM vector
– Reach all arcs in FSM: cover {SM × SM} array

Page 20: Pervading the Verification flow

Strong point of Testbench Automation
– Scalability (layered verification methodology)
– Coverage metrics
How to obtain better coverage, white box verification
– Checking forbidden conditions in state-holding loops
– Clock Domain Crossing
– Out of Bounds
– Bus Contention / Mutual exclusivity
– FSM traversal
– Cross FSM traversal

Page 21: The RTL-IP Verification flow

[Flow diagram: from the Functional Specification through five numbered stages (1-5) covering Design Convention compliance, Reset State Analysis, Struct/Arch Checks, Integrity Checks and Functional Validation]

Page 22: What can help Formal Verification to fly

Availability of `Verification Components' for standard I/F, interoperable with simulation
Assertion Based Verification
– it is the simplest way to achieve a unified criterion of coverage among Simulation and Formal Verification
Provide "approximated" methods that can help to afford larger capacities – bug hunting
– Bounded Model Checking
– custom exploration capabilities
– Assertion Based Test Generation
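The three formal activities discussed on pages 14, 19 and 22 (finding the generating conditions of a field failure, FSM state/arc reachability as a cover target, and bounded model checking as an approximate bug-hunting method) are brought together in the following added example. It is not code from the presentation or from ST: the two-master 'timeout' register of page 14 is re-created as a constructed transition system with the reported defect built in, and the signal names, the reduced data domain and the M1 state machine are assumptions. The engine is a breadth-first reachability search, the simplest form of explicit-state model checking; it returns the shortest input sequence that violates the check_reg invariant, reports which declared FSM states and arcs were never reached, and distinguishes a bounded result from a full proof.

```python
"""Explicit-state reachability and bounded bug hunting on a small design model.

Added example, not code from the STM presentation. The two-master 'timeout'
register of page 14 is re-created as a CONSTRUCTED transition system with the
reported defect built in (an invalid M1 transaction corrupts the register while
M0 is silent); signal names, value domain and the M1 state machine are assumed.
A breadth-first search visits every reachable state up to a depth bound, records
FSM state/arc coverage (page 19) and returns the shortest violating input
sequence (bounded model checking for bug hunting, page 22).
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

M1_STATES = ("IDLE", "BUSY", "ERROR")   # declared states; ERROR is never entered
VALUES = (0x0000, 0x00FF, 0xFFFF)       # reduced 16-bit data domain

@dataclass(frozen=True)
class State:
    reg: int      # hardware 'timeout' register
    shadow: int   # reference copy: last value written by M0 (reg_val on page 14)
    m1: str       # M1 transaction FSM state

Input = Tuple[Optional[int], str]       # (m0_write, or None when M0 is silent; m1_cmd)
INPUTS: List[Input] = [(w, c) for w in (None, *VALUES) for c in ("idle", "valid", "invalid")]
INIT = State(reg=0xFFFF, shadow=0xFFFF, m1="IDLE")   # 16'hffff reset, as on page 14

def step(s: State, inp: Input, defect: bool = True) -> State:
    """One clock of the constructed DUT. defect=False is the repaired design, in
    which only arm_write updates the register."""
    m0_write, m1_cmd = inp
    reg, shadow, m1 = s.reg, s.shadow, s.m1
    if m0_write is not None:                     # arm_write
        reg = shadow = m0_write
    if m1 == "IDLE" and m1_cmd == "valid":
        m1 = "BUSY"
    elif m1 == "BUSY":
        if defect and m1_cmd == "invalid" and m0_write is None:
            reg &= 0x00FF                        # CONSTRUCTED DEFECT: upper byte lost
        m1 = "IDLE"
    return State(reg, shadow, m1)

def check_reg(s: State) -> bool:
    """Invariant from page 14: the timeout register equals the reference copy."""
    return s.reg == s.shadow

@dataclass
class Result:
    states: Set[State]
    fsm_states: Set[str]
    fsm_arcs: Set[Tuple[str, str]]
    counterexample: Optional[List[Tuple[Input, State]]]
    complete: bool   # no state left beyond the bound: the result is a full proof

def trace(s: State, parent: Dict[State, Optional[Tuple[State, Input]]]) -> List[Tuple[Input, State]]:
    path: List[Tuple[Input, State]] = []
    while parent[s] is not None:
        prev, inp = parent[s]
        path.append((inp, s))
        s = prev
    path.reverse()
    return path

def explore(init: State, inputs: List[Input], invariant, bound: int, defect: bool = True) -> Result:
    parent: Dict[State, Optional[Tuple[State, Input]]] = {init: None}
    depth = {init: 0}
    fsm_states, fsm_arcs = {init.m1}, set()
    cex, complete = None, True
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if cex is None and not invariant(s):
            cex = trace(s, parent)               # BFS: the first failure dequeued is shortest
        for inp in inputs:
            t = step(s, inp, defect)
            fsm_states.add(t.m1)
            fsm_arcs.add((s.m1, t.m1))
            if t in parent:
                continue
            if depth[s] == bound:
                complete = False                 # an unexplored state lies beyond the bound
                continue
            parent[t], depth[t] = (s, inp), depth[s] + 1
            queue.append(t)
    return Result(set(parent), fsm_states, fsm_arcs, cex, complete)

def uncovered(r: Result) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """cover SM vector / cover {SM x SM} array (page 19): what was never reached."""
    all_arcs = {(a, b) for a in M1_STATES for b in M1_STATES}
    return set(M1_STATES) - r.fsm_states, all_arcs - r.fsm_arcs

if __name__ == "__main__":
    r = explore(INIT, INPUTS, check_reg, bound=8)
    print(f"{len(r.states)} reachable states, exhaustive: {r.complete}")
    for (m0_write, m1_cmd), st in r.counterexample or []:
        print(f"  M0 write={m0_write}  M1={m1_cmd:7} -> {st}")
    print("unreached FSM states:", uncovered(r)[0])
    print("repaired design holds:", explore(INIT, INPUTS, check_reg, 8, defect=False).counterexample is None)
```

The counterexample the search returns is two cycles long, both with M0 silent (an M1 valid transaction followed by an M1 invalid one), which is the "M0 silent - M1 active" generating condition of page 14 found without any directed test. Running with bound=1 misses the bug and reports the result as incomplete, which is the caveat behind the "approximated" methods listed above: a bounded pass is evidence, not proof. On the repaired design the whole state space is exhausted without a violation, so the same engine yields a full proof.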

Page 23: Further application areas

Sequential Equivalence Checking
– 90nm technology requires architectural modification of the RTL module
– a reasonable level of S.E.C. should be made available
RTL vs C formal proof
– Supporting the development of Behavioral Synthesis
Verification of parametric IPs
– The RTL instance of a parametric IP is verified stand-alone today, simply because we are not sure that our configuration works correctly

Page 24: Open issues

The problem of several assertion languages
– e, PSL, SVA/OVA
Support of mixed HDL languages
– VHDL support generally comes very late in commercial products
Functional coverage from Simulation and Formal Verification "reasonably" combined
Ways to evaluate property coverage

Page 25: Conclusions

Formal Methods are already penetrating classical verification methodology, especially at the low level, to verify the designer's "implied intent"
Formal Verification usage model must become closer to the traditional verification engineer culture
– standard Verification Components interoperable with simulation: this is an important vendor differentiator, as it requires specific features in the tools!
– integrated coverage measure capabilities among simulation and formal verification
No room for "gurus" exclusively devoted to FV