Introduction to Formal Property Verification (FPV)
Erik Seligman
CS 510, Lecture 8, January 2009
![Page 2: Introduction to Formal Property Verification (FPV) Erik Seligman CS 510, Lecture 8, January 2009](https://reader033.vdocuments.net/reader033/viewer/2022061519/551bd41c550346c3588b5654/html5/thumbnails/2.jpg)
Agenda
• Introduction To FPV
• The FPV Process
• Running FPV Using Jasper
• FPV Hints
![Page 3: Introduction to Formal Property Verification (FPV) Erik Seligman CS 510, Lecture 8, January 2009](https://reader033.vdocuments.net/reader033/viewer/2022061519/551bd41c550346c3588b5654/html5/thumbnails/3.jpg)
Agenda
Introduction To FPV The FPV Process Running FPV Using Jasper FPV Hints
![Page 4: Introduction to Formal Property Verification (FPV) Erik Seligman CS 510, Lecture 8, January 2009](https://reader033.vdocuments.net/reader033/viewer/2022061519/551bd41c550346c3588b5654/html5/thumbnails/4.jpg)
Definitions
• Assertion
  – Statement that must be true in all cases.
• Assumption
  – Assertion treated as an always-true constraint for FPV.
• Cover Point
  – Condition that must be reachable for a valid proof environment.
• Formal Property Verification (FPV)
  – Mathematical proofs, not simulation
  – Proves assertions over all possible test vectors
Motivation for Formal Property Verification
• Simulation: spot coverage of design space
• Formal Property Verification (ideal case): full coverage of design space
• Formal Property Verification (real life): full coverage in some areas
Major Benefits of FPV for ASIC Projects
Improving Design Process
• Force Designer to Think Through Logic
• Help Identify Hidden Assumptions
Bug Hunting
• Unit-Level Validation (before testbench)
• Find Corner Cases Missed in Simulation
• Quickly Verify Design Changes
“Peace of Mind”
Useful Assertions for FPV
Focus on high-level intent
• Assertions = “executable comments”
• Add insight to design
  – A micro-assertion on a couple of RTL lines is less useful:
        assign foo = bar & baz;
        A1: assert property (foo == (bar & baz));
Don’t be afraid of some modeling code
• Auxiliary calculations / wires are fine
  – Provide `ifdef to exclude from synthesis
• Full reference models in areas of concern
• Smaller “shadow models” often very useful
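The following is an added example, not code from the lecture: a small FIFO that carries one micro-assertion (restating a single RTL line) next to intent-level assertions backed by a shadow model of the occupancy, with the modeling code fenced off from synthesis by an `ifdef. The module name, the ASSERT_ON macro and the widths are assumptions chosen for illustration.

```systemverilog
// Added example (not from the lecture). Module name, ASSERT_ON macro and
// parameter values are assumptions chosen for illustration.
module fifo4 #(parameter W = 8, parameter DEPTH = 4) (
  input  logic         clk,
  input  logic         rst,
  input  logic         push,
  input  logic         pop,
  input  logic [W-1:0] din,
  output logic [W-1:0] dout,
  output logic         full,
  output logic         empty
);
  localparam AW = $clog2(DEPTH);
  logic [W-1:0]  mem [DEPTH];
  logic [AW-1:0] wr_ptr, rd_ptr;
  logic [AW:0]   count;

  assign full  = (count == DEPTH);
  assign empty = (count == 0);
  assign dout  = mem[rd_ptr];

  always_ff @(posedge clk) begin
    if (rst) begin
      wr_ptr <= '0; rd_ptr <= '0; count <= '0;
    end else begin
      if (push && !full) begin
        mem[wr_ptr] <= din;
        wr_ptr      <= wr_ptr + 1'b1;
      end
      if (pop && !empty)
        rd_ptr <= rd_ptr + 1'b1;
      // Occupancy update: +1 on push only, -1 on pop only, unchanged otherwise.
      case ({push && !full, pop && !empty})
        2'b10:   count <= count + 1'b1;
        2'b01:   count <= count - 1'b1;
        default: ;
      endcase
    end
  end

`ifdef ASSERT_ON
  // Micro-assertion: restates "assign empty = (count == 0)" and adds no insight.
  a_micro: assert property (@(posedge clk) disable iff (rst) empty == (count == 0));

  // Shadow model: an independent occupancy counter built only from the
  // interface. It never reads the FIFO's internal count, so a bug in the RTL
  // counter is caught rather than mirrored. Excluded from synthesis by the `ifdef.
  logic [AW:0] shadow_count;
  always_ff @(posedge clk) begin
    if (rst) shadow_count <= '0;
    else     shadow_count <= shadow_count + (push && !full) - (pop && !empty);
  end

  // High-level intent: the flags agree with the observed push/pop history.
  a_full_intent:  assert property (@(posedge clk) disable iff (rst) full  == (shadow_count == DEPTH));
  a_empty_intent: assert property (@(posedge clk) disable iff (rst) empty == (shadow_count == 0));
  a_no_overflow:  assert property (@(posedge clk) disable iff (rst) shadow_count <= DEPTH);

  // Data-ordering intent: a value pushed into an empty FIFO is the next value out.
  a_fifo_order: assert property (@(posedge clk) disable iff (rst)
    (push && empty) |=> (dout == $past(din)));

  // Cover points: the proof environment must be able to reach these states.
  c_full:     cover property (@(posedge clk) disable iff (rst) full);
  c_push_pop: cover property (@(posedge clk) disable iff (rst) push && pop && !empty && !full);
`endif
endmodule
```

The shadow counter is deliberately computed from `push`, `pop`, `full` and `empty` alone; if the RTL's `count` were ever wrong, `a_full_intent` or `a_no_overflow` would fail, whereas `a_micro` would keep passing because it only re-derives `empty` from the same possibly-wrong `count`.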
Prerequisites for FPV
RTL design with assertions
Clocks must be identified
• Critical since FPV runs over time
• Clocks are ‘special’: driven 1/0/1/0/…
• Need explicit ratios if multiple clocks
Reset pattern must be identified
• FPV resets model to known state at start
• Common method: single rst signal (easy)
• More complex design may have reset sequence
  – Hold RST 10 cycles, then PowerGood for 5 cycles, …
FPV Run
Flow: Verilog RTL with Assertions → FPV → Passing Assertions / Bounded-Passing Assertions
Bounded vs Full Proofs
Which of these do you need?
• “Assertion can NEVER be violated”
• “Assertion can never be violated by any possible simulation of length up to <n>”
Bounded proof usually easier for tools
• Use cover point proofs to judge good bound
• Bound == lengths of interesting scenarios
• Some coverage lost vs full proofs
  – But often at point of diminishing ROI
Consider modifying starting state
• Fill queue at start of proof…?
FPV Debug Loop
Flow: Verilog RTL with Assertions → FPV → Passing Assertions / Bounded-Passing Assertions / Failing Assertions / Unknown Assertions
Loop: Analyze Failures (RTL error, assertion error, or assumption needed?) → Edit RTL (fix bugs, add assumptions) → rerun FPV
• This is where FPVers spend their time!
Cover Points and FPV
Cover Point is opposite of assertion
• “Good”: FPV creates example trace
• “Bad”: FPV proves point unreachable
• Also may aid simulation coverage checks
Example:
        cover property (opcode == `ADD);
• If it passes, FPV reports trace with ADD op
• If it fails, ADD op cannot exist in FPV env
  – Maybe bad assumption prevents ADD op
  – All proofs are suspect unless this was expected
Add cover points when doing FPV!
• Good tools auto-generate some
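The following is an added example, not code from the lecture, showing the “bad” outcome above: an assumption meant to exclude illegal opcodes is written too tightly, so the ADD cover point becomes unreachable and the assertions pass vacuously. The module, the opcode encodings and the ASSERT_ON / BAD_ASSUME macros are assumptions chosen for illustration.

```systemverilog
// Added example (not from the lecture). Opcode encodings, module and signal
// names, and the ASSERT_ON / BAD_ASSUME macros are assumptions for illustration.
`define NOP 4'h0
`define ADD 4'h1
`define SUB 4'h2
`define LD  4'h3
`define ST  4'h4
// Encodings 4'h5..4'hF are illegal in this hypothetical instruction set.

module alu_ctl (
  input  logic       clk,
  input  logic       rst,
  input  logic [3:0] opcode,
  output logic       alu_en,
  output logic       mem_en
);
  always_ff @(posedge clk) begin
    if (rst) begin
      alu_en <= 1'b0;
      mem_en <= 1'b0;
    end else begin
      alu_en <= (opcode == `ADD) || (opcode == `SUB);
      mem_en <= (opcode == `LD)  || (opcode == `ST);
    end
  end

`ifdef ASSERT_ON
  // Intent of the assumption: keep illegal encodings out of the proof so that
  // failures on them are not reported as design bugs.
`ifdef BAD_ASSUME
  // Over-constrained: "opcode < `ADD" admits only NOP. Every arithmetic and
  // memory op is now unreachable, the assertions below hold vacuously, and
  // the cover points c_add / c_ld are proven unreachable.
  m_legal: assume property (@(posedge clk) opcode < `ADD);
`else
  // Corrected: allow exactly the legal encodings NOP..ST.
  m_legal: assume property (@(posedge clk) opcode <= `ST);
`endif

  // Assertions whose meaning depends on ADD/SUB/LD/ST traffic being reachable.
  a_alu_en: assert property (@(posedge clk) disable iff (rst)
    (opcode == `ADD || opcode == `SUB) |=> alu_en);
  a_mem_en: assert property (@(posedge clk) disable iff (rst)
    (opcode == `LD || opcode == `ST) |=> mem_en);
  a_exclusive: assert property (@(posedge clk) disable iff (rst) !(alu_en && mem_en));

  // Cover points: if FPV proves any of these unreachable, the proofs above are
  // suspect, because they hold only since the scenario can never occur.
  c_add: cover property (@(posedge clk) disable iff (rst) opcode == `ADD);
  c_ld:  cover property (@(posedge clk) disable iff (rst) opcode == `LD);
  c_alu_then_mem: cover property (@(posedge clk) disable iff (rst) alu_en ##1 mem_en);
`endif
endmodule
```

Running with `+define+ASSERT_ON+BAD_ASSUME` is the broken environment: all three assertions pass, and the failing covers are the only signal that something is wrong. Dropping BAD_ASSUME restores the intended constraint, and the covers produce example traces again.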
Running Jasper
Just run ‘JG’ from the command line
• Can use -batch to run without GUI
Runs are automatically logged
• See jgproject/jg.log
GUI hints
• Right-clicking usually gets useful options
• Pass over button with cursor for name
Basic Jasper Command File
    # Load into JG using "source <file>.tcl".
    # load model
    analyze -clear
    analyze -sva traffic_start.v
    elaborate -top traffic
    # set clocks and resets
    clock -clear
    clock clk
    reset -clear
    reset rst
    # Set engine mode & run proofs
    set_engine_mode {H D B3 H2}
    prove -all
Proof Results
View Violation Trace
• How would this work for liveness properties, like a |-> ##[0:$] b?
Violation Trace: “Why”?
Violation Trace: Why? Again
Violation Trace for Liveness
• Trace shows possible infinite violation loop
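As an added example (not code from the lecture), here is a liveness property of the `a |-> ##[0:$] b` form next to its bounded safety form, on a two-requester round-robin arbiter. A liveness violation is reported as a lasso (a prefix plus a loop in which the grant never comes), while the bounded form fails as an ordinary finite trace. The arbiter, its signal names and the ASSERT_ON macro are assumptions chosen for illustration.

```systemverilog
// Added example (not from the lecture). Module, signal names and the
// ASSERT_ON macro are assumptions chosen for illustration.
module rr_arb2 (
  input  logic       clk,
  input  logic       rst,
  input  logic [1:0] req,
  output logic [1:0] gnt
);
  logic last;  // index of the requester served most recently

  always_ff @(posedge clk) begin
    if (rst) begin
      gnt  <= 2'b00;
      last <= 1'b0;
    end else begin
      gnt <= 2'b00;
      if (last == 1'b0) begin
        // Requester 1 has priority after requester 0 was served.
        if (req[1])      begin gnt[1] <= 1'b1; last <= 1'b1; end
        else if (req[0]) begin gnt[0] <= 1'b1; last <= 1'b0; end
      end else begin
        if (req[0])      begin gnt[0] <= 1'b1; last <= 1'b0; end
        else if (req[1]) begin gnt[1] <= 1'b1; last <= 1'b1; end
      end
    end
  end

`ifdef ASSERT_ON
  // Environment assumption: a requester holds req until it is granted.
  // Without it the liveness property is trivially violable by dropping req.
  m_hold0: assume property (@(posedge clk) disable iff (rst) req[0] && !gnt[0] |=> req[0]);
  m_hold1: assume property (@(posedge clk) disable iff (rst) req[1] && !gnt[1] |=> req[1]);

  // Liveness: a pending request is eventually granted. A counterexample is an
  // infinite loop in which gnt[0] never rises (the "possible infinite violation
  // loop" the trace viewer shows).
  a_live0: assert property (@(posedge clk) disable iff (rst)
    req[0] && !gnt[0] |-> ##[0:$] gnt[0]);

  // Bounded (safety) form: with two requesters and round robin, a pending
  // request is granted within 2 cycles; a failure is a finite trace.
  a_bounded0: assert property (@(posedge clk) disable iff (rst)
    req[0] && !gnt[0] |-> ##[1:2] gnt[0]);
  a_bounded1: assert property (@(posedge clk) disable iff (rst)
    req[1] && !gnt[1] |-> ##[1:2] gnt[1]);

  // Mutual exclusion and no grant without a request.
  a_onehot:      assert property (@(posedge clk) disable iff (rst) $onehot0(gnt));
  a_no_spurious: assert property (@(posedge clk) disable iff (rst) gnt[0] |-> $past(req[0]));

  // Cover: both requesters contend and are served in turn.
  c_both: cover property (@(posedge clk) disable iff (rst) req == 2'b11 ##1 gnt[1] ##1 gnt[0]);
`endif
endmodule
```

The bounded form is the one a practitioner usually proves first: it is cheaper for the tool, its bound (2 here) is derived from the longest interesting scenario, and its counterexamples are easier to read than a lasso. The liveness form is kept for the cases where no finite bound can be justified.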
Alternate JG Debug Tool: The Visualizer
Using The Visualizer
Visualizing Constraints
Visualize Options
Replot With Constraints
Adding More Constraints
Replot Again
Failing Assertions
Your first FPV run on a block *will* fail
• Nobody writes right assumptions in advance!
• Always something you didn’t think of
Thus most of FPVers’ time is debug
• This is OK – debug process gives insight
• Often debugging one assert can help identify other issues
• More assumptions improve counterexample
Assumption Creation Loop: Majority of FV Time
Mindset change from sim; prepare team!
• Early runs have many false negatives
• More assumptions == more interesting CEX
• Interesting bugs not found on first run
• Several rounds of assumes → deep traces
• Be sure to check assumptions too, in simulation or FV
Loop: Run FV → Analyze Failures → Add Assumes → Run FV …
Example: Adding an Assumption
In one unit, many assertions failed
• Mid-transaction address changes
Needed input assumption to prove
• Bug found when assumption fired in simulation!
Diagram: Address Bus → RTL Under Test (several cycles per transaction); ASSUME (held for n cycles) placed on the Address Bus
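The following is an added example, not code from the lecture, of the address-hold assumption from this slide written so that the same property is an assumption under FPV and an assertion in simulation, which is how an assumption can “fire in simulation” and expose a driver bug. The interface (req, addr, N_CYCLES) and the FORMAL macro are assumptions chosen for illustration; nothing here is a Jasper-specific construct.

```systemverilog
// Added example (not from the lecture). Interface names, N_CYCLES and the
// FORMAL macro are assumptions chosen for illustration.
module addr_hold_checker #(parameter AW = 16, parameter N_CYCLES = 4) (
  input  logic          clk,
  input  logic          rst,
  input  logic          req,   // pulses high for one cycle to start a transaction
  input  logic [AW-1:0] addr   // must hold for N_CYCLES cycles after req
);
  // The property: after req, addr is stable for each of the next N_CYCLES cycles.
  property p_addr_held;
    @(posedge clk) disable iff (rst)
      req |=> $stable(addr) [*N_CYCLES];
  endproperty

  // Also required for the block: a new req cannot start while one is in flight.
  property p_no_overlap;
    @(posedge clk) disable iff (rst)
      req |=> !req [*N_CYCLES];
  endproperty

`ifdef FORMAL
  // Under FPV these constrain the driver: the tool explores only traces where
  // they hold, so mid-transaction address changes no longer produce false
  // failures on the block's own assertions.
  m_addr_held:  assume property (p_addr_held);
  m_no_overlap: assume property (p_no_overlap);
`else
  // In simulation the same properties are checked against the real driver.
  // If one fires, either the driver or the assumption is wrong; both are bugs
  // worth finding before trusting the formal proofs.
  a_addr_held:  assert property (p_addr_held)
    else $error("addr changed within %0d cycles of req", N_CYCLES);
  a_no_overlap: assert property (p_no_overlap)
    else $error("req asserted while a transaction is in flight");
`endif

  // Cover: a complete transaction followed by an address change is reachable,
  // so the assumption is not silently freezing addr for the whole proof.
  c_txn_then_change: cover property (@(posedge clk) disable iff (rst)
    req ##1 $stable(addr) [*N_CYCLES] ##1 !$stable(addr));
endmodule
```

Binding one checker module to the block's interface and switching its role with a single macro keeps the FV assumption and the simulation check from drifting apart, which is the failure mode the slide's last bullet is warning about.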
Assumption Count Exploding?
Possible bad choice of boundary
• Effectively reimplementing neighbor block?
Consider increasing hierarchy level
• Add upper level & many blackboxes?
Also consider simplifying problem
• Only cover certain modes
  – PCIE: prove for x16, not x4, x8?
• Restrict data
  – Will one bit test most major logic?
  – Are fully general payloads needed?
Example: FV too hard?
Block diagram: MPE0, MPE1, MRA0, MRA1
MPE = Memory Protocol Engine
MRA = Memory Read Arbiter
Correct Hierarchy Makes FV Easy
Block diagram: MPE0, MPE1, MRA0, MRA1, MSB
Pick Your Battles
FPV can be effort-intensive
• Need good understanding of requirements
• Should concentrate on high-risk areas
FPV owner needs deep understanding
• Tool pokes at unusual behaviors, not typical
  – Very different from simulation
• If not author of block, need to study intensely
  – Block owner should be available for questions
• Don’t assign random intern to FPV!
Effective FPV At Intel (Info from public DAC 2008 talk)
Chipsets: Found numerous bugs missed in simulation (PCIe, memory controllers)
• Also uncovered flaw in one validation env
CPU designs expanding this usage mode
• Competitive: Recent project devoted 8% of validation resources in front-end design, found 8% of bugs
• 30-35% of bugs found by assertion FV were unlikely to be found in simulation
References / Further Reading
• http://www.aracnet.com/~eseligma/docs/dvcon_2006.pdf
• Jasper documentation in /pkgs/jasper/current/doc on ECE systems
• http://www.systemverilog.org/pdf/3b_AssertionsUserTechnology.pdf
• http://www.aycinena.com/index2/index3/iccd%202006%20verification%20panel.html
• http://oskitech.com/papers/datta-mc-vlsi08.pdf