February 22-25, 2010

An Experience of Complex Design Validation: How to Make Semiformal Verification Work
by Orly Cohen, Moran Gordon, Michael Lifshits, Alexander Nadel, and Vadim Ryvchin
Intel
Agenda
• Why Semiformal Verification?
• Semi-FV Flow Description
• Algorithm details
  – Calculation of New Initial States
  – Multi-threaded Search to Enhance Coverage
• Experiments and Results
  – Application of Semi-FV on Resource Manager block
  – Real bugs and other results
• Semi-FV Application Experience
• Conclusions and Recommendations
Michael Lifshits, Intel  2 of 17
Why Semiformal Verification?
Two main approaches to RTL validation:
• Formal verification (FV)
  – exhaustive (mathematical proof)
  – limited DUT size: complexity ~ exponential in the size of the DUT
• Dynamic simulation (DV)
  – unlimited DUT size: complexity ~ linear in the size of the DUT
  – functional coverage: no practical number of runs can provide exhaustive verification
Validation gap keeps increasing…
Dynamic Simulation
• Prone to controllability and observability problems
• Full-chip simulation with checkers runs close to 0 Hz
[Figure: test bench applies stimulus, checking and coverage to the DUT (RTL); corner-case bugs lie in the space of all design behaviors beyond what simulation reaches]
DV cannot detect all corner-case bugs
Formal Verification
• Limited capacity and high modeling effort – applied to few blocks only
• Limited verified scenario length – cannot address deep structures
[Figure: FV modeling reduces the RTL block and constrains its complex interfaces to obtain the FV DUT; from the initial states, the max FV bound encloses a bug-free area, while deep bugs lie beyond it in the space of all design behaviors]
FV cannot address “deep” bugs
Limited Verification Bound in FV
• FV examines 2^3 = 8 possible input patterns
• # scenarios = 2^(inputs × clock cycles)
[Figure: run time versus FV bound (# of clock cycles) at 5, 10, 30 and 50 cycles]
Semiformal Verification Aims at Deep Corner-Case RTL Bugs
• Utilize user guidance to reach much deeper scenarios in FPV
  – Detect bugs missed today
  – Decrease the manual FV modeling effort on the DUT (black boxing, pruning, etc.)
[Figure: design space covered by FV versus design space covered by DV]
BMC-Based Semiformal Verification
• Create a path with ‘waypoints’ (waypoints are defined with SVA cover)
• Search for a path to each waypoint (BMC)
• Check properties from the last waypoint
[Figure: starting from the initial states, each BMC run reaches the next waypoint within the max FV bound, and its end state becomes the new initial states for the following run; the chain of runs reaches deep bugs that a single bounded run cannot]
Calculation of New Initial States
Example: assume property (a |-> ##4 b);
The assumption is synthesized into checker logic:

  bit q1, q2, q3, q4;
  initial {q1, q2, q3, q4} = '0;
  always @(posedge clk) begin
    q1 <= a; q2 <= q1; q3 <= q2; q4 <= q3;
  end
  wire fail = !b && q4;

• If a = 1 appears immediately before the last step in the waypoint witness, the next BMC run must start with q2 = 1
• Reusing the reset values q1, q2, q3, q4 = '0 for the next run will cause bogus results
Calculation of New Initial States (cont.)
FPV towards waypoint
• Synthesize:
  – sampled value functions ($past, $rose, etc.)
  – property automaton states (e.g. a |-> ##10 b)
[Figure: FPV runs the RTL together with its checkers towards the waypoint; the CEX trace supplies the RTL part of the state and the synthesized checker elements the rest, together forming a FULL/CONSISTENT INITIAL STATE for the next run]
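The chained BMC runs of the flow above, as an added Python model that is not part of the slides: the checker mirrors the slide's q1..q4 shift register for `a |-> ##4 b`, while the 2-bit counter DUT, the two waypoints and the exhaustive enumeration standing in for the BMC engine are constructed for this example. It shows that the first run's witness leaves q2 = 1 and that reseeding the second run from '0 instead lets it return a trace that, replayed end to end, violates the assumption.

```python
from itertools import product

ZERO = (0, 0, 0, 0)  # reset value of q1..q4 in the slide's checker RTL
INPUTS = ((0, 0), (0, 1), (1, 0), (1, 1))  # all (a, b) values for one cycle

def checker_step(q, a, b):
    """One clock of the synthesized checker for `assume property (a |-> ##4 b)`.
    q1..q4 delay `a` by four cycles; `fail` is the slide's `!b && q4`: an `a`
    fired four cycles ago but `b` is low in the current cycle."""
    q1, q2, q3, q4 = q
    fail = (b == 0 and q4 == 1)
    return (a, q1, q2, q3), fail

def dut_step(cnt, a):  # toy DUT constructed for this example: 2-bit pulse counter
    return (cnt + a) % 4

def bmc(cnt0, q0, cover, bound):
    """Bounded search from (cnt0, q0): the shortest (a, b) trace that respects the
    assumption in every cycle and satisfies `cover` in its last cycle. Exhaustive
    enumeration stands in for the SAT-based BMC engine; returns (trace, cnt, q)."""
    for k in range(1, bound + 1):
        for trace in product(INPUTS, repeat=k):
            cnt, q, ok = cnt0, q0, True
            for a, b in trace:
                q, fail = checker_step(q, a, b)
                cnt = dut_step(cnt, a)
                if fail:
                    ok = False
                    break
            if ok and cover(cnt):
                return list(trace), cnt, q
    return None

def assumption_holds(trace):
    """Replay a whole trace from reset: does the assumption hold end to end?"""
    q = ZERO
    for a, b in trace:
        q, fail = checker_step(q, a, b)
        if fail:
            return False
    return True

def chain_two_waypoints():
    """W1: cnt == 2; W2: cnt == 1 (three more pulses, so W1's ##4 obligation comes due)."""
    seg1, cnt1, q_consistent = bmc(0, ZERO, lambda c: c == 2, 6)
    # Second run seeded with the reset checker state (the slide's "bogus results")...
    bogus, _, _ = bmc(cnt1, ZERO, lambda c: c == 1, 6)
    # ...versus seeded with the checker state the witness actually left behind.
    sound, _, _ = bmc(cnt1, q_consistent, lambda c: c == 1, 6)
    return seg1, q_consistent, seg1 + bogus, seg1 + sound
```

The reseeded-from-reset run accepts a=1 with b=0 four cycles after the first pulse, which the design under the real assumption could never see; carrying q2 = 1 forward forces b = 1 in that cycle.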
Multi-Threaded Search to Enhance Coverage
• A randomly chosen path through the waypoints may miss the bug
• Multi-threaded search algorithm: explore multiple paths in parallel
  – For each waypoint Wi, calculate a set of random witnesses (instead of a single witness)
  – From each witness, launch a separate verification process towards Wi+1
Experiments and Results: Resource Manager – a Mature CPU Block
Validation goal – verify the correctness of resource management:
  – no resource is allocated twice
  – no resources are lost
  – …
• FV: high model complexity; insufficient bounded proof; deep scenarios not covered
• DV: complex logic with a huge random coverage space; hard to define and hit corner-case scenarios
SFV Bug Detection Capability
• Manually modified control logic to miscalculate STALL conditions
  – Premature wrap-around of the “next free” pointer
  – Resource trampling
• Waypoints – table lines are allocated:
    wayp_i: cover property `Allocated(Table[i]);
• Assertion: “resources are not lost”
• SFV runs: 3 (witnesses) ^ 6 (waypoints) = 729
Real Bugs in Resource Manager Found by SFV
• Incorrect STALL calculation when very specific requests arrive
• A bug in recovery/restart event handling
• Corruption of a resource integrity mechanism
Other Results
• Revealed bugs in the FV environment modeling
• Allowed root-causing a fatal post-silicon bug (after two months of unsuccessful reproduction using other techniques)
  – Post-silicon debug using formal verification waypoints. R. Ho et al., DVCon 2009.
• Enabled stress verification of large blocks with deep scenarios
  – non-addressable with traditional FV
  – insufficient simulation coverage
• Eliminated the manual effort to create the reduced models required for FV
  – Saves up to 50% of validation effort
Required Expertise
• Micro-architectural DUT specification
• Property specification language, i.e. SVA
• FPV tools and methodology, to determine that SFV is the right solution
Requires only limited FV expertise such as model pruning and tool tuning
Conclusions
• The BMC-based semiformal verification flow provides good design space coverage and is able to detect tough bugs in complex industrial designs that FV and simulation missed
• Environment modeling for SFV is easier than for FV, since SFV can handle bigger blocks without pruning
• Using multi-threaded search significantly boosts design coverage and bug detection capability
Conclusions (cont.)
• Design areas that fit the semiformal verification flow
  – Large DUTs, where FPV is unable to achieve sufficient confidence
  – DUTs containing complex mixed control/datapath logic with a big coverage space (long latency flows, protocols with deep pipelining and queues and/or counters)
• The basic algorithm is relatively simple and may be implemented on top of existing FV tools in the case of combinational properties
Backup
BMC-Based Semiformal Verification
• Eliminates DV and FV environment synchronization issues
• Can find deep bugs (5x deeper than FV)
• Manual guidance takes advantage of user knowledge of the design
• Dependent on cover points and user intuition
Flow: create a path with ‘waypoints’ (waypoint == SVA cover); search for a path to each waypoint (BMC); check properties from the last waypoint
Semiformal Verification Methods Taxonomy
• Waypoint definition
• Waypoint traversal policy
• Propagation policy
• Formal verification engine
• Number of search threads
Semiformal Usage Modes
• Manual
  – Verify the design around “stress” point(s), e.g. a full queue
  – Requires good knowledge of DUT behavior
  – SF paths are specified manually
• Automatic
  – Verify the design and cover all of the state space
  – Requires less knowledge of DUT behavior
  – SF paths are computed by the tool