February 22-25, 2010An Experience of Complex Design

Validation: How to Make Semiformal Verification Work

by Orly Cohen, Moran Gordon, Michael Lifshits,

Alexander Nadel, and Vadim RyvchinIntel

AgendaWhy Semiformal Verification?Semi-FV Flow Description Algorithm details• Calculation of New Initial States• Multi-threaded Search to Enhance Coverage

Experiments and Results• Application of Semi-FV on Resource Manager block• Real bugs and other results

Semi-FV Application ExperienceConclusions and RecommendationsMichael Lifshits, Intel 2 of 17

Michael Lifshits, Intel

Why Semiformal Verification?Two main approaches to RTL validation • Formal verification (FV)

– exhaustive (mathematical proof)– limited DUT size, complexity ~ exponential in the size of

DUT

• Dynamic simulation (DV) – unlimited DUT size, complexity ~ linear in the size of DUT– functionality coverage: no practical number of runs can

provide exhaustive verification

Validation gap keeps increasing…3 of 17

Dynamic Simulation

• Prone to controllability and observability

• Full-chip simulation with checkers runs close to 0 Hz

Michael Lifshits, Intel

Test bench

DUT (RTL)

stimulus checking

coverage

all design behaviors

corner case bugs

DV cannot detect all corner-case bugs

4 of 17

Formal Verification

• Limited capacity & high modeling effort – applied on few blocks only

• Limited verified scenarios length – cannot address deep

structures

Michael Lifshits, Intel

FV cannot address “deep” bugs

RTLblock

reduction, constraining complex interfaces FV modeling

FV DUT

initial states

max FV bound

bug free area

all design behaviors

deep bugs

5 of 17

Limited Verification Bound in FV • FV examines: 2^3=8 possible

input patterns

Michael Lifshits, Intel

# scenarios = 2^(inputs X clock cycles)

5 10 30 50

FV bound (# of clock cycles)

Tim

e

6 of 17

Semiformal Verification Aims at Deep Corner-Case RTL Bugs• Utilize user guidance to

reach much deeper scenarios in FPV– Detect bugs missed

today– Decrease DUT FV

manual modeling effort (black boxing, pruning, etc.)

Michael Lifshits, Intel

Covered byFV

Covered by DV

7 of 17

BMC-Based Semiformal Verification

Michael Lifshits, Intel

defined with SVA cover

8 of 17

Create a path with ‘waypoints’

Search for a path for eachwaypoint (BMC)

Check properties from last waypoint

Michael Lifshits, Intel

New Initial states

New Initial states

New Initial states

initial states

deep bugs

Max

FV bound

9 of 17

Calculation of New Initial States

• If a = 1 appears immediately before the last step in the waypoint witness, next BMC run must start with q2 = 1

• Reuse of: initial q1, q2, q3, q4 = ’0; will cause bogus results

Michael Lifshits, Intel

bit q1, q2, q3, q4;initial {q1, q2, q3, q4} = ’0;

always @(posedge clk) begin q1 <= a; q2 <= q1; q3 <= q2; q4 <= q3;endwire fail = !b && q4;

example: assume property (a |-> ##4 b);

10 of 17

Calculation of New Initial States

Michael Lifshits, Intel

FPV towards waypoint

Synthesize:• sampled value functions ($past, $rose, etc.)• property automaton states (a-> ##10 b)

RTL

Checkers Checkers

RTLCEX trace

Synthesizedelements FULL/CONSISTENT

INITIAL STATE

11 of 17

Multi-Threaded Search to Enhance Coverage• Randomly chosen path through waypoints may miss

the bug• Multi-threaded search algorithm on multiple paths in

parallel

Michael Lifshits, Intel 12 of 17

For each waypoint Wi

Calculate a set of random witnesses (vs. single witness)

Launch a separate verification process towards Wi+1

Experiments and Results: Resource Manager – a Mature CPU Block

Validation goal – verify the correctness of resources management – no resource is allocated twice– no resources are lost– …

Michael Lifshits, Intel 13 of 17

High model complexityInsufficient bounded proofDeep scenarios not covered

FV

Complex logic with huge random coverage space Hard to define and hit corner-case scenarios DV

SFV Bug Detection Capability• Manually modified control logic to

miscalculate STALL conditions– Premature wrap-around of “next free” pointer– Resource trampling

Michael Lifshits, Intel 14 of 17

Waypoints – table lines are allocatedwayp_i: cover property `Allocated(Table[i]);Assertion: “resources are not lost” SFV runs #: 3(witnesses)6(waypoints)=729

Real Bugs in Resource Manager Found by SFV

• Incorrect STALL calculation when very specific requests

• A bug in recovery/restart event handling

• Corruption of a resource integrity mechanismMichael Lifshits, Intel 15 of 17

Other ResultsRevealed bugs in the FV environment modeling

Allowed to root-cause a fatal post-silicon bug (after a two-months of unsuccessful reproduction using other techniques)• Post-silicon debug using formal verification waypoints. R. Ho et al

DVCon, 09.•Enabled stress verification of large blocks with deep scenarios • non-addressable with traditional FV • insufficient simulation coverage

Eliminated manual effort to create reduced models required for FV • Save up to 50% of validation effort

Michael Lifshits, Intel 16 of 17

Required Expertise• Micro-architectural DUT specification

• Property specification language, i.e. SVA

• FPV tools and methodology to determine that SFV is the right solution

Michael Lifshits, Intel 17 of 17

Requires limited expertise in FV as model pruning and tools tuning

Conclusions

• BMC-based semiformal verification flow provides good design space coverage and is able to detect tough bugs in complex industrial designs, missed by FV and simulation

• Environment modeling for SFV is easier than for FV since SFV may handle bigger blocks without pruning

• Using multi-threaded search significantly boost the design coverage and bug detection capability

Michael Lifshits, Intel 18 of 17

Conclusions• Design areas that fit Semiformal Verification flow

– Large DUTs, where FPV is unable to achieve sufficient confidence

– DUTs including complex mixed control/datapath logic with big coverage space (long latency flows, protocols with deep pipelining and queues and/or counters)

• Basic algorithm is relatively simple and may be implemented on top of existing FV tools in case of combinatorial properties

Michael Lifshits, Intel 19 of 17

Backup

Michael Lifshits, Intel 20 of 17

BMC-Based SemiformalVerification

• Eliminates DV and FV environments synchronization issues

• Can find deep bugs (5x than FV)• Manual guidance takes

advantage of user knowledge of the design

• Dependent on cover points and user intuition

Michael Lifshits, Intel

Create path with ‘waypoints’(waypoint == SVA cover)

Search for a path for eachWaypoint (BMC)

Check properties from last waypoint

21 of 17

Semiformal VerificationMethods Taxonomy

• Waypoint definition• Waypoint traversal policy• Propagation policy• Formal verification engine• Number of search threads

Michael Lifshits, Intel 22 of 17

Semi formal usage modesManual– Verify design around

“stress” point(s) e.g. full queue

– Requires good knowledge of DUT behavior

– SF paths are specified manually

Automatic– Verify design and cover all

state space– Requires less knowledge of

DUT behavior– SF paths are computed by

the toolMichael Lifshits, Intel 23 of 17