Date post: | 10-May-2015 |
Upload: | chiportal |
May 2, 2012 1
A Comprehensive Formal Verification Solution for ARM® Processor Based SoC Design
Laurent Arditi, PhD – ARM Formal Verification Expert
Ziyad Hanna, PhD – Jasper VP of Research & Chief Architect
Page 2 | © 2012, Jasper Design Automation | Confidential
Jasper Provides Verification Solutions to IP and System-on-chip Designs
RTL Development
• Designer-based verification w/o testbench
• Design trade-off analysis
• X-propagation detection and debug
• Power management verification
Formal Property Verification
• Protocol certification
• End-to-end packet integrity
• Asynchronous clocking effects
• Assertion-based verification
SoC Integration
• Automated register verification
• Glitch detection
• Multi-cycle path verification
• Chip-level connectivity
Architecture Validation
• Executable spec
• Absence of deadlock
• Cache coherency
Property Synthesis
• Automated assertion generation
• Identification of coverage holes
• Inference and synthesis of functional properties from RTL and simulation waveforms
Post-Silicon Debug
• Failure signature matching
• Root cause isolation
• Candidate cause elimination
• Validation of fixes before re-spin
Verification IP
• Certification of AMBA 4/ACE checkers
• Popular standard protocols
• Configurable, illustrative, optimized for formal
Interactive Debug: Modify/create properties on the fly to explore design behavior
Increased Throughput: Utilize multiple proof engines on parallel compute resources
Wider Deployment: Proliferate across engineering teams with unique adoption model
Higher Capacity: Verify complex 100M gate designs
Customers
Sony
Apple
SMI
AMCC
Ericsson
Agenda
IP Level Formal Verification at ARM
System Level Verification of ARM® processor based
SoC
ARM Cortex-R7 Formal Verification with Jasper
The ARM formal verification flow based on Jasper has been found to have capacity to support the
verification of a Cortex-R series real-time processor
Setup
• All the formal verification tasks for the ARM Cortex-R7
are applied at the top-level
• The top-level constraints are “simple”
• AXI protocol checkers
• Models of RAMs only where needed (mostly cache
tags): CAMs with additional constraints to start from a
non-empty RAM content
• A few assumptions to avoid fails due to software errors
Trial ARM Formal Verification Flow
[Flow diagram labels: design team (RTL, properties); validation team (setup, constraints, abstractions); JasperGold; waveforms; report; leads & managers (email, ValSpider, Excel, Jira)]
Trial deployment on several blocks and units, with differing design size.
Formal for RTL Development - RTLD
Designer-based verification w/o testbench
• Allows early RTL exploration without the need to generate input stimulus
• Start with simple behaviors about the design – cover line_eop
• Group simple behaviors together to build complex scenarios
• Write assertions about events that are always/never true
Design trade-off analysis
• Behaviors and scenarios allow for easy incremental analysis and RTL
comparison tasks
Higher quality RTL passed to other teams in the design/verification flow
Jasper Flow for RTL Designers*
[Flow diagram labels: RTL; database of saved scenarios (Scenario A to D); visualize design behavior w/o testbench; combine and save multiple functional scenarios; what-if analysis; modified RTL (RTL’); compare saved scenarios against modified RTL; debug failing scenarios (functional scenario A: assertion 5 violation; functional scenario B: assertion 7 violation; functional scenario C……; functional scenario D…..)]
(*Partially used at ARM)
Jasper’s Visualize Technology
Simulation
• More of an ‘input driven’ method, may not exercise desired behavior
• Wiggle the inputs to produce a desired behavior (trial and error)
Visualize
• More of an ‘output driven’ method and utilizes formal engines
• QuietTrace™ minimizes inputs and still produces desired behavior
• Interactively add constraints to construct desired waveform
[Figure labels: Simulator (RTL, testbench) and simulation waveform; Visualize™ (RTL, target "state == READ, ack = 1") and Visualize waveform. Target is always in the waveform.]
ARM Experience
Some simulation test benches were not ready soon enough to run
the first RTL modules with new features
So used FV to check these new features
Use of basic properties to check the RTL is not completely broken
Use of visualize to show the design is alive and the new features “do
something” not stupid
It’s much faster to get a working formal setup than a simulation one
And designers find formal counter-examples to be easier to debug
than simulation failures
Laurent Arditi, Principal Engineer, Processor Division, Jasper User Group 2011
ARM’s Assertion Based Design with JasperGold
Assertions were written for both simulation and formal
Strong but simple SVA coding guidelines, for the ARM Cortex-R7:
• Avoid non-synthesizable properties (but liveness is accepted)
• Maximize the use of implications to get coverage points for free
• Software constraints turned into assumes for formal
• Critical properties on which a higher effort must be put
X-Propagation checks
Depending on the configuration, end up with thousands of properties
Formal Verification Dashboard
[Chart: Properties (Proven, Fail, Undetermined; axis 0 to 1600) with % fail and % unreachable (axis 0% to 18%) and their polynomial trend lines; milestones marked: beta, EAC]
JasperGold Found 15% of The Bugs
Formal found many bugs at the start of the project. They were not tracked
Started to count the assertion fails in Jan’11, and in Jira in July’11 (beta)
[Chart: % fail, axis 0 to 0.18]
Quality of bugs found by JasperGold
All bugs found by formal were not found earlier by simulation
Very few false-negatives
• They could be resolved by adding new constraints
• A few remaining are UNPREDICTABLE cases and the constraints to discard them are too
complex to write. So these fails are “explained” and skipped
Formal provides easy to debug waveforms
Quality of the bugs found by formal:
• Very good at the beginning: obvious design errors
• Real corner cases
Assertions are usually simple. More sequential ones would find more complex bugs
Higher-level properties would allow discovery of more fundamental bugs: deadlock, coherency, determinism. Planned for maturity
Agenda
IP Level Formal Verification at ARM
System Level Verification of ARM processor based
SoC
ARM Based Heterogeneous System-on-Chip
[Block diagram labels: Quad Cortex-A15; Quad Cortex-A7; Mali-T604 graphics; GIC-400; MMU-400 (three instances); I/O device; LCD; Video; Cache Coherent Interconnect CCI-400; Network Interconnect NIC-400 (two instances); Slaves; Dynamic Memory Controller DMC-400; DDR3/LPDDR2 PHY (two instances)]
JUG-2011 Paul Martin [email protected]
SoC Integration and Verification Challenges
Protocol Modeling and Verification, Coherency
Standard Interface Modeling and Verification (ProofKits)
System Level Deadlocks Detection and Verification
Connectivity and Integration
Register programming sequence
Power analysis and verification
Security checks
ACE Verification – High-level Properties
Coherence
• If a master’s cache has a line in UD or UC, no other master can have the line in a valid state
• If a master’s cache has a line in SD, no other cache master can have the line in SD
Deadlock
• At least one transaction can always make forward progress
Data integrity
• A read always reads the last write to an address
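The coherence and deadlock properties above can be checked by exhaustive state exploration, in the style of the Murphi-type architectural models the deck mentions. The following is an added example, not Jasper's or ARM's model: the transition rules are a simplified toy protocol for one cache line (an assumption, not the AMBA ACE specification), and `snoop_clean=False` injects a constructed bug so the search returns a counterexample trace. Data integrity is not modeled.

```python
from collections import deque

I, SC, SD, UC, UD = "I", "SC", "SD", "UC", "UD"  # UD/UC/SD as on the slide, plus I and SC

def successors(state, snoop_clean=True):
    """Yield (label, next_state) for every enabled transaction (toy rules, assumed)."""
    for m, s in enumerate(state):
        if s == I:                                   # read miss: unique holders downgrade
            nxt = [{UC: SC, UD: SD}.get(x, x) for x in state]
            nxt[m] = SC if any(x != I for x in state) else UC
            yield f"M{m} ReadShared", tuple(nxt)
        if s in (I, SC, SD):                         # request write permission
            # Injected bug when snoop_clean is False: SC copies are not invalidated.
            nxt = [x if (x == SC and not snoop_clean) else I for x in state]
            nxt[m] = UD if SD in state or UD in state else UC
            yield f"M{m} MakeUnique", tuple(nxt)
        if s == UC:                                  # first write dirties the line
            yield f"M{m} Write", state[:m] + (UD,) + state[m + 1:]
        if s != I:                                   # eviction (write-back if dirty)
            yield f"M{m} Evict", state[:m] + (I,) + state[m + 1:]

def violated(state):
    """Return a description of the broken coherence property, or None."""
    for m, s in enumerate(state):
        rest = state[:m] + state[m + 1:]
        if s in (UC, UD) and any(x != I for x in rest):
            return "UC/UD holder coexists with another valid copy"
        if s == SD and SD in rest:
            return "two caches hold the line in SD"
    return None

def check(n_masters=3, snoop_clean=True):
    """Breadth-first search of all reachable states; shortest counterexample on failure."""
    init = (I,) * n_masters
    parent, queue = {init: None}, deque([init])
    while queue:
        st = queue.popleft()
        moves = list(successors(st, snoop_clean))
        why = violated(st) or (None if moves else "deadlock: no transaction enabled")
        if why:
            trace, cur = [], st
            while parent[cur]:
                label, cur = parent[cur]
                trace.append(label)
            return {"ok": False, "why": why, "state": st, "trace": trace[::-1]}
        for label, nxt in moves:
            if nxt not in parent:
                parent[nxt] = (label, st)
                queue.append(nxt)
    return {"ok": True, "states": len(parent)}
```

With the bug injected, the search returns a three-step trace ending in a `MakeUnique` that leaves a stale SC copy next to a unique holder, the kind of short counterexample the deck describes as easier to debug than a simulation failure.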
Jasper Architectural Validation Flow
[Flow diagram labels:]
• Architectural requirements
• Arch spec. in table-based entry format (or Murphi)
• Automatic Generation of SV Model and Properties
• Executable document view
• Architectural waveforms without testbench
• Architectural proofs: consistency, completeness, e.g., coherency property
• RTL: export properties to RTL simulation
• RTL formal verification
Advantages
Verify architectural rules – cache coherence, deadlock
freedom
Find corner case bugs – deadlocks, coherence issues
Validate future protocol changes
Remove specification ambiguities
Downstream usage as VIP – checks + coverage model
ACE Protocol Modeling and Verification With Jasper
“Verifying cache coherent systems is difficult and designers need
sophisticated VIP to help solve these issues”
“ARM partners with EDA companies like Jasper to ensure our SiP’s are
enabled to take advantage of improved system performance and power
provided by AMBA 4” JUG-2011 – Paul Martin [email protected]
Chip-Level Connectivity Verification Solution
Exhaustively verifies that the RTL matches the connectivity definition
• Verify that point A is equivalent to point B (block or chip level)
as certain signals/modes can impact connections
• No other signals/modes/settings can impact connections
• Important aspect of system integration of many IP’s
Types of connection
Structural, Boolean condition, temporal condition, and temporal connection with latency and delay
Allow fast and exhaustive verification
Quickly reconfirm results (regressions) as RTL is being modified
Automated flow allows early and frequent verification
Chip-Level Connectivity Verification Flow
[Flow diagram labels: connectivity map (A, cond, B); RTL (top-level of SoC); connectivity proofs (assertions and covers); waveforms with connectivity conditions]
Automated Register Verification
Formal proofs are exhaustive
• Checks for all possible sequences of RD/WRs in any order
• Checks for all register addresses
Conceptually, the following non-deterministic trace is considered by formal for proving address A
[Figure labels: reset; non-deterministic # (zero to infinite) of Rd/Wr access to any address except A; write D to address A; read from address A; register transfer: D1, D2; expected reg-value: reset value, D1, D2; steps: check, update, update, check, check]
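The non-deterministic trace described above can be imitated with a bounded exhaustive search. This is an added example, not Jasper's register verification flow: `RegFile`, its reset values and the `alias_bug` write-decode defect are constructed for illustration, and the search only covers up to `depth` interfering accesses per gap, whereas a formal proof covers any number.

```python
from itertools import product

class RegFile:
    """Constructed register block: four registers with reset values.
    alias_bug=True drops address bit 1 on writes, so a write to 2 lands in 0."""
    RESET = {0: 0x0, 1: 0xA, 2: 0x3, 3: 0xF}

    def __init__(self, alias_bug=False):
        self.regs = dict(self.RESET)
        self.alias_bug = alias_bug

    def write(self, addr, data):
        self.regs[addr & 0b01 if self.alias_bug else addr] = data

    def read(self, addr):
        return self.regs[addr]

def run(dut, accesses):
    """Apply a sequence of ("rd"|"wr", addr, data) accesses to the model."""
    for op, addr, data in accesses:
        if op == "wr":
            dut.write(addr, data)
        else:
            dut.read(addr)

def prove_address(a, alias_bug=False, depth=2, data=(0x0, 0x5)):
    """Return None if address `a` passes for every enumerated trace,
    otherwise the first failing access sequence."""
    others = [x for x in RegFile.RESET if x != a]
    noise = [("rd", x, None) for x in others] + \
            [("wr", x, d) for x in others for d in data]
    gaps = [g for n in range(depth + 1) for g in product(noise, repeat=n)]
    for pre, post, d in product(gaps, gaps, data):
        dut = RegFile(alias_bug)
        run(dut, pre)                        # Rd/Wr to any address except A
        if dut.read(a) != RegFile.RESET[a]:  # check: expected value is still reset
            return list(pre) + [("rd", a, None)]
        dut.write(a, d)                      # update: expected value becomes D
        run(dut, post)                       # Rd/Wr to any address except A
        if dut.read(a) != d:                 # check: read of A returns D
            return list(pre) + [("wr", a, d)] + list(post) + [("rd", a, None)]
    return None
```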
Thanks