xiushan feng* shaunf@nvidia asic verification nvidia corporation

Xiushan Feng*[email protected]

ASIC Verification

Nvidia Corporation

Assertion-Based Design Partition

1

TM

Jayanta Bhadra, Ross Patterson

{JayantaBhadra, RossPatterson}@freescale.com

Freescale Semiconductor

*The work is done when the author worked at Freescale

mailto:[email protected]



Docket – MT11774TS

Problem Statement – Assertion-Based Design Verification Challenges

► Assertion-Based Verification is broadly used in circuit verification• Increase the visibility of internal signals • Use assertions as checkers. Pass of assertions == pass of verification• Verify the correctness of design – improve the quality

► For large designs, simulation speed is slow and may blow up formal verification due to exponential state space. • Slow down verification process – more resource, longer design cycles.• For certain cases, it is not feasible to verify certain assertions.

► Most time, partial design is good enough to verify assertions. • For example, for SOC PAD connectivity check, assertions are written to verify that signals

can propagate from source to target under certain conditions. We don’t need logic that drives sources, loads values from targets.

• Unneeded logic usually is VERY big, removing them can achieve huge gains► However, manually identifying and removing unneeded logic is very hard.

• Need to understand assertions and the design indent • Failing to include logic can cause false verification results.

► An automatic solution is possible using Assertion-Based Partition

2


Verification (simulation or formal verification)

The Current Verification Environment

3

RTL Constraints

Pass/Fail & Circuit Debug

• Compiled database is huge.• Verification is slowed down• More resources needed (licenses, engineering hours, computing machines)•This technique attempts to reduce verification cycles and improve verification quality

RTL Compile

Assertions


RTL Compile

The Proposed Verification Environment

4

LEGEND: Yellow: NEWWhite: Prior Art

RTL Assertions

Pass/Fail & Circuit Debug

1. Signal propagation Signal reachability

2. Get boundary signals in ABV

Constraints

3. Condition-base design partition with formal prove

Assertions1

Assertions2

Verification (simulation or formal verification)

RTL(partitioned)RTL(partitioned)

RTL(partitioned)


Definition of Signal Propagation and Reachability

5

a a'A B C D

Signal Propagation:a is directly connected by wires to a’. i.e., a and a’ are interchangeable inside the assertions,

assign B = A; assign D = C;

Signal Reachability:If signal S1 is inside fan-in logic cone of signal S2, then S2 is reachable by S1. D is reachable by A, B, but not C.

A

B

C

D E

E

D C

A B

partially ordered graph

assertion: assert property (condition |->a == ….)update assertion: assert property (condition |->a’ == …)

foo bar

RTL:FOO foo (.A(a), .B(X)…);BAR bar (.C(X),.D(a’)…);

X


Signal Propagation and Reachability Computation

6

For each assertion, compute the boundary pointsFor each pair of signals x, y of the assertion, compute whether y can be (forward/backward) reached by x.

Reachable?

Y

assertions state stage

partially ordered graph

Build directed edge from z to y

Compute state stage graphwith all signals of assertions

replace x by z in assertions.

X tied to z && z is on the path from x to y

Y

N

RTL


Example

7

inputs

ast0

inputs

ast0

state stage partially ordered graph

State points(Latch/Flop)

output output

Signal propagationand reachability


Get Boundary Signals

8

partially ordered graphKeep lower bound and upper bounds Boundary signals

State points(Latch/Flop)

inputs

ast0

output

inputs

ast0

output


Conditional RTL Partition with Formal Prove

9

inputs

ast0

ast1

output

lower bounds inputs (IN)upper bounds outputs (OUT)Boundary signals

Assertions1

Conditional compute cone of influence for all OUT

Constraints RTL(partitioned)

RTL

Assertions2(Optimized)


Conditional RTL Partition with Formal Prove – Cont.

10

For each OUT, backward partition RTL. When hit a condition, build symbolic expression for condition and prove the condition

Assertions1

compute cone of influence for both cases

Constraints

RTL(partitioned)

RTL

Assertions2(Optimized)

prove?N

Partition RTL only for proven case. Update assertion based proven results

Formal prove engine


Build Symbolic Expression for Conditions and Prove

11

R

Constraints

cond

R: RegisterIN: Input

Recursively build expression for each fan-in

f_in is R/IN?

Y

Terminate from the recursive procedure

get fan-ins (f_ins) of condexpr(cond) = f (f_ins)

N

symbolic expression

Constraints

Formal prove engine

True/False

Light-weightNo expression blow up


Example

12

a b'A B C D

assign B = A;b

cond

For example: Input X, Y;b’ = (cond)? b : C…If we can prove cond is always true, then we don’t need to trace path for signal C. we know b’ = b, and use it to update assertions and propagate signal. If we can prove cond is always false, then, we just need to trace signal C and propagate signals if feasible.

R


Assertion Grouping and Parallel

► Concept of assertion groups• Assertions have hidden “locations”

Logic regions Assertion types

• Assertion-based partition can be done on assertion groups► Assertion groups can be verified in parallel with design partitions

Groups are verified independently. Verification results inside one region can be re-used by others. E.g., verified

proves can be assumptions for others, etc.► Assume-and-guarantee is done at the boundary of groups.

• One assertion can be re-written into multiple ones that belong to different groups.

• Abstraction techniques are done differently for groups. E.g., Assertions of analog behavior models are verified inside analog

groups. Verification of digital groups has analog blackboxed and analog drivers properly constrained, which will be proven by analog assertions.

13


Assertion Grouping Example

14

R1

R2inputs R3

output

► Several groups of assertions that verify a few logic regions • Logic needed to prove a group may not be necessary for another• Inputs of a region can be outputs of another

cutpoints can force internal wires as inputs► One assertion can be broken down into multiple assertions.

• For example, enable and reg R1; foo, bar, A, B R1 • ast: enable && reg[19] && bar |-> A == B can be replaced by

ast1: enable && reg[19] |-> foo ast2: foo && bar -> A ==B


Results

► We applied the ideas on Freescale PAD IO verification. ► Without the ideas, original formal verification ran weeks and

required VERY large machines (>100GB) • A smaller and simpler design took >1week on large machines but

didn’t get good coverage.• This highlighted the need for this work

► With ABP, we are able to prove 25+K assertions within 2.5 hours. ► Critical SOC-level bugs were caught !

15

With this disclosure Without this disclosure

Memory Usage <4G (normal machine is enough) > 100G

Licenses used <30 100

Simulation Runtime Reduced Significantly – 2.5 hours (> 100X reduction)

Could be several weeks

Debug Debugging is possible and easier (therefore quicker)

GUI Debugging is not feasible

xiushan feng* shaunf@nvidia asic verification nvidia corporation

Documents