Classics Of FPV
Erik Seligman
CS 510, Lecture 10, January 2009
Goals
View examples of successful FPV cases
• Abstracted a bit from real life
• But concepts reusable for actual design
See common patterns of FPV usage
• Begin building 'cookbook' for designers
• Use past successes as guide
• Recognize cases well-suited for FPV
Encore Gigamax Cache
What is this example?
From Ken McMillan's thesis
• Key example using BDDs for FPV
• Major early-90's proof of concept that FPV is viable
Basics of Gigamax Cache
• Distributed multiprocessor system
• Detailed protocol for maintaining coherence
– Multiple processors need a consistent view of memory
– Bus free between request & response, for other activity
– Memory block may be in invalid, shared, or owned state at each processor
– One 'master' chosen on a bus at each cycle
Gigamax Abstract View
More on Gigamax Protocol
Important Properties for Cache Coherence
Free from deadlock
Sequential consistency
Various safety properties
Q: state 'free from deadlock' in SVA
• Given variables readable and writable
A1: assert property (##[0:$] readable && ##[0:$] writable);
• This is a liveness property: from every cycle there must be some future cycle where readable holds and some future cycle where writable holds
• Unbounded (##[0:$]), so it needs a tool that proves liveness; a bounded ##[1:`BOUND] form is cheaper but only shows responsiveness within the bound
FPV Found Deadlock
Based on abstract model of protocol
Found long sequence of events that would lead to deadlock
• Owner of memory block sends write command
• Remote requester sends read to owner
– Requests pass in transit
• Another remote request for same block
– Locks global bus, nobody unlocks
New find, unknown to makers of Gigamax!
PCIE Packet Assembly
Packet Assembly Example
Abstracted from PCI-Express verification
• FPV done by Erik
Fixed-size packets (DWORDs) from link layer
• Assembled into transactions
– Start, end, type markers visible
– Data errors detected & abort transaction
• Transaction may have variable # of packets
– Type info at transaction start
• Transaction may commit or abort
"Garbage traffic" must be ignored
• System guarantees no fake transaction-start
Link/Transaction Interface (abstract view)
FPV Challenge
Model complete correctness?
• Possible, but would require lots of code
• Estimated to rival size of RTL
– Insufficient ROI
Instead, create set of safety properties
• Observe start, end, commit/abort, and types
• Can you guess some properties?
FPV Safety Properties
Examples of implemented properties
• If START seen, END seen at legal time
• After END, see a COMMIT or ABORT in specified amount of time
• Without END, see no COMMIT or ABORT
Required "shadow model" code
• Limited modeling but not full packet checking
• Kept track of various parts of state:
– Inside or outside transaction
– Transaction type
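The three properties above, driven by a shadow model that keeps only the state they need (outside / inside / ended plus the transaction type) and never looks at payload data. This is an added example and not the lecture's PCIe RTL or its SVA; the trace format (one tuple per cycle: marker, commit, abort), the marker names, the two bounds, and the sample traces are all constructed assumptions. The last trace reproduces the "garbage traffic created fake transaction" failure mode: a COMMIT with no START or END ever observed.

```python
# Constructed shadow-model checker for the link/transaction interface (not the lecture's code).
# Each cycle is (marker, commit, abort); marker is START_<type>, DATA, END, GARBAGE or IDLE.
# The model tracks only outside/inside/ended and the transaction type, never the packet data.

BOUND_END = 8        # assumed: END must follow START within this many cycles
BOUND_RESOLVE = 4    # assumed: COMMIT or ABORT must follow END within this many cycles


def check_trace(trace, bound_end=BOUND_END, bound_resolve=BOUND_RESOLVE):
    """Return a list of (cycle, message) violations of the three safety properties."""
    state, ttype, since = "OUTSIDE", None, 0
    violations = []
    for cyc, (marker, commit, abort) in enumerate(trace):
        is_start = marker.startswith("START_")
        resolved = bool(commit or abort)
        if state == "OUTSIDE":
            # garbage, stray DATA and IDLE are ignored; only START opens a transaction
            if resolved:
                violations.append((cyc, "COMMIT/ABORT without END"))
            if is_start:
                state, ttype, since = "INSIDE", marker[len("START_"):], 0
        elif state == "INSIDE":
            since += 1
            if since > bound_end:
                violations.append((cyc, f"no END within {bound_end} cycles of START"))
                state = "OUTSIDE"            # resynchronise so later traffic is still checked
            elif marker == "END":
                # COMMIT/ABORT in the END cycle itself counts as resolution
                state, since = ("OUTSIDE" if resolved else "ENDED"), 0
            elif resolved:
                violations.append((cyc, f"COMMIT/ABORT before END of {ttype}"))
        else:  # "ENDED": END seen, waiting for exactly one of COMMIT / ABORT
            since += 1
            if commit and abort:
                violations.append((cyc, "COMMIT and ABORT in the same cycle"))
            if resolved:
                state = "OUTSIDE"
            elif is_start:
                # assumption of this model: a transaction is resolved before the next START
                violations.append((cyc, f"START before {ttype} was committed or aborted"))
                state, ttype, since = "INSIDE", marker[len("START_"):], 0
            elif since > bound_resolve:
                violations.append((cyc, f"no COMMIT/ABORT within {bound_resolve} cycles of END"))
                state = "OUTSIDE"
    return violations


# Constructed sample traces (not captured from any design).
CLEAN_TRACE = [("START_MEM", 0, 0), ("DATA", 0, 0), ("DATA", 0, 0), ("END", 0, 0),
               ("IDLE", 0, 0), ("IDLE", 1, 0), ("GARBAGE", 0, 0), ("DATA", 0, 0)]
# "garbage traffic created fake transaction": the DUT commits although no START/END was seen
FAKE_TXN_TRACE = [("GARBAGE", 0, 0), ("DATA", 0, 0), ("DATA", 0, 0), ("IDLE", 0, 0), ("IDLE", 1, 0)]
# "bad state, neither commit nor abort": END seen, then silence
STUCK_TRACE = [("START_CFG", 0, 0), ("DATA", 0, 0), ("END", 0, 0)] + [("IDLE", 0, 0)] * 5

if __name__ == "__main__":
    for name, t in [("clean", CLEAN_TRACE), ("fake", FAKE_TXN_TRACE), ("stuck", STUCK_TRACE)]:
        print(name, check_trace(t))
```

The checker deliberately has no notion of packet contents or length, which is what keeps a shadow model far smaller than the RTL; the price is that data-dependent bugs (the "unlucky data" case) are only caught indirectly, when they push the design into a state the marker-level properties can see.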
FPV Results
Basic method used for several chipsets
Found serious errors missed by simulation
• Simulation env omitted certain transactions
• Garbage traffic created fake transaction
• Could get into bad state & neither commit nor abort one packet
• Unlucky data confusing the state machine
Transaction Queue FPV
Transaction Queue
Another abstracted PCIE case
• Also FPVed by Erik
• FIFO stores incoming transactions
Transaction Queue FPV
Designer was worried about overflow
• Minimized size due to area/timing worries
• But what if transactions arrive too fast?
– Misc logic must create backpressure in time
– Some transactions need to hold >1 cycle
FPV requirements
• Assumption: backpressure works
assume property (backpressure |=> !trans_valid);
• Assertion: queue won't overflow
assert property (!(fifo_cur == FIFO_MAX));
FPV Results
First got bogus pass, needed coverage
cover property (fifo_cur == FIFO_MAX-1);
• Cover failed: revealed some minor assumption errors (inputs over-constrained, so the queue could never fill)
Found real bug!
• Queue needed to be 1 deeper
– Or generate backpressure one cycle earlier
• Due to backpressure latency in misc logic
• Miscalculation by designer
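The whole transaction-queue story (bogus pass exposed by the cover, then the real overflow and its two fixes) replayed on an abstract model. This is an added example, not the lecture's RTL or its SVA: the queue depth, the backpressure threshold, the one-flop latency in the "misc logic" and the use of the counter value depth+1 to stand for the slide's FIFO_MAX are all constructed assumptions. It does a breadth-first search over every input sequence the assumption allows, which is the explicit-state version of what the FPV tool did.

```python
# Constructed explicit-state check of an abstract transaction queue (not the lecture's design).
# State per cycle is (cnt, bp, bp_prev):
#   cnt     entries in the FIFO, capped at depth+1 which stands for "overflowed"
#           (so depth+1 plays the slide's FIFO_MAX and depth plays FIFO_MAX-1)
#   bp      backpressure wire driven this cycle by the misc logic
#   bp_prev backpressure wire last cycle, the cycle `backpressure |=> !trans_valid` refers to
# Free inputs every cycle: valid (link pushes one entry) and ready (consumer pops one entry;
# ready=0 models a transaction that holds the head of the queue for more than one cycle).
from collections import deque
from itertools import product


def step(state, valid, ready, depth, thresh, registered_bp):
    """One clock of the queue plus the backpressure-generating misc logic."""
    cnt, bp, bp_prev = state
    pop = 1 if (ready and cnt > 0) else 0
    cnt_next = min(cnt + valid - pop, depth + 1)
    # registered_bp=True: the misc logic adds a flop, so bp lags the count by one cycle
    bp_next = int((cnt if registered_bp else cnt_next) >= thresh)
    return (cnt_next, bp_next, bp)


def check(depth, thresh, registered_bp=True, same_cycle_assume=False):
    """BFS over all input sequences allowed by the assumption.
    Returns whether the overflow assertion fails, whether the 'full' cover was hit,
    and a shortest counterexample trace when it fails."""
    init = (0, 0, 0)
    parents = {init: None}                 # state -> (predecessor, (valid, ready))
    frontier = deque([init])
    full_reached = False
    while frontier:
        s = frontier.popleft()
        for valid, ready in product((0, 1), (0, 1)):
            # assumption: the link stops sending one cycle after it sees backpressure;
            # same_cycle_assume=True is the over-strong version (reacts in the same cycle)
            blocking = s[1] if same_cycle_assume else s[2]
            if valid and blocking:
                continue
            n = step(s, valid, ready, depth, thresh, registered_bp)
            if n in parents:
                continue
            parents[n] = (s, (valid, ready))
            if n[0] >= depth:
                full_reached = True          # cover property (fifo_cur == FIFO_MAX-1)
            if n[0] > depth:                 # assert property (!(fifo_cur == FIFO_MAX)) fails
                return {"overflow": True, "full_reached": True, "trace": trace(parents, n)}
            frontier.append(n)
    return {"overflow": False, "full_reached": full_reached, "trace": []}


def trace(parents, state):
    """Counterexample as a list of (state, (valid, ready)) steps from reset."""
    steps = []
    while parents[state] is not None:
        prev, inputs = parents[state]
        steps.append((prev, inputs))
        state = prev
    return steps[::-1]


if __name__ == "__main__":
    # 1. over-strong assumption (link reacts in the very cycle the count hits the threshold):
    #    assertion passes, but the cover shows the queue can never fill -> bogus pass
    print(check(4, 3, registered_bp=False, same_cycle_assume=True))
    # 2. realistic latency: a 4-entry queue with backpressure starting at 3 overflows
    print(check(4, 3))
    # 3. the slide's two fixes: one entry deeper, or backpressure one cycle earlier
    print(check(5, 3)["overflow"], check(4, 2)["overflow"])
```

The counterexample for case 2 is five consecutive pushes with the consumer stalled: the count reaches 3, the flop delays backpressure by a cycle, the link's own |=> adds another, and the fifth push lands on a full queue. Both fixes remove exactly that one cycle of slack.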
OpenSparc DDR2 Memory Controller
DDR2 Memory Controller (MC)
Described in 2008 Datta/Singhal paper
Various safety requirements
• Priority: refresh, CAS, scrub, read, write
• Max # commands in interval
Issue: Complex Startup
Control registers
• Set by system during boot
• Take thousands of cycles
– FPV would never get a good result!
Similar issues with software startup
• Many command words needed to initialize
Solution: get simulation values for registers, use assumptions to set & hold them constant
Opportunity: Design Symmetry
All bits of datapath basically identical
So reduce width to 1 for FPV
• Code must be well-parameterized to enable
8 banks in design, all with identical logic
• Just need to FPV 1 for good confidence
Issue: Large Counters
13-bit refresh interval, 12-bit scrub interval
• So potentially 2^13 cycles to see error
• Worse if independent & need both at once!
Solution: abstract counters
• Create cut points at counter outputs
• Counters get arbitrary values for FPV
– Potential problems? (over-approximation: counter values the real design can never produce may give spurious failures, so some assumptions on the freed outputs are usually still needed)
Issue: Hazard Conditions
Important to check hazards like RAW
• Read-after-write (RAW): read from address with write pending
• Requires 32-bit address compare
– Complexity for FPV
Solution: free the RAW bit
• At arbitrary time, FPV can assume hazard hit
– Potential problems? (same over-approximation as the counters: hazards at times the real compare could never flag, and the compare logic itself is no longer verified)
MC Property Example
• No more than 4 ACTIVATE commands may be issued to the DDR2 SDRAM within a window of T_FAW clock cycles
• Added Verilog code for tfaw_counter
• Property violated: bug found!
Basic FPV Patterns
Reference Models
• Full model of expected behavior; every RTL output compared against it
• assert property (rtl.o1 == abstract.o1)
• assert property (rtl.o2 == abstract.o2)
Shadow Models
• Partial model; only the outputs it represents get properties
• assert property (rtl.o1 == abstract.o1)
• o2 not represented in model, no property
Arbiters
Classic, common case for useful FPV
Multiple requests come for a bus
• Arbiter decides who owns bus each cycle
What are some important properties?
• Fair (every requester served within a bound, and no owner keeps the bus forever)
req[i] |-> ##[1:`BOUND] owner[i]
owner[i] |-> ##[1:`BOUND] !owner[i]
• Conflict-free (at most one owner per cycle)
$onehot0(owner)
• Efficiency (bus not idle while someone is requesting)
– (|req) |=> (|owner)
State Machines
Another common case for FPV
Common state machine assertions?
• Each SM state reachable
cover property (state == STATE_VALS[i]);
• System consistent with SM state
assert property ((state == `WAITING) |-> (req==1));
• State machine will always return to idle
assert property ((state == STATE_VALS[i]) |-> ##[1:`BOUND] (state == `IDLE));
General FIFO Assertions
Fifos are another common FPV case. Fifo assertion ideas?
Overflow/underflow
assert property (fifo_cur==DEPTH |=> !write);
assert property (fifo_cur==0 |=> !read);
• Whether |=> or |-> is right depends on which cycle fifo_cur reflects; if it is the pre-write count, the overflowing write is in the same cycle as fifo_cur==DEPTH and |-> is needed
Successful flush
assert property (flush |=> (fifo_cur==0));
Cover conditions of filling/emptying queue
cover property (fifo_cur==DEPTH-1 ##1 fifo_cur==DEPTH);
cover property (fifo_cur==1 ##1 fifo_cur==0);
FIFO: Tracking A Value
Common for FIFO: we saw value go in, make sure it comes out
"Local variable" feature of SVA
property data_check;
  bit [`SIZE:0] lvar;
  (write, lvar = data_in) |-> ##[0:`BOUND] (read && (data_out == lvar));
endproperty
assert property (data_check);
Watch for danger of sim performance hit
• Many threads may be needed (one per write still in flight)
Sets of Related Properties
Suppose we see many failures in module
Think about common causes
• Some overall constraint on inputs missing?
• Some conceptual issue missed?
Examples
• Clocks/reset: are they correct? Are clock ratios legal?
• Address/command constant for <n> cycles?
• Legal commands supplied?
References / Further Reading
http://www.kenmcmil.com/pubs/thesis.pdf
http://oskitech.com/papers/datta-mc-vlsi08.pdf
http://oskitech.com/wiki/index.php?title=Main_Page
http://www.eetimes.com/news/design/showArticle.jhtml;jsessionid=FQOK0R2XZXMHOQSNDLRSKHSCJUNN2JVN?articleID=190301228&pgno=1
http://ebook.dicder.com/verification/SystemVerilog%20Assertion%20Handbook.pdf
http://www.amazon.com/Assertion-Based-Design-Information-Technology-Transmission/dp/1402080271/ref=sr_1_1?ie=UTF8&s=books&qid=1233705569&sr=8-1 (especially ch. 7)