Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASPDAC/VLSI 2002 Tutorial Functional Verification of System on Chip - Practices, Issues and Challenges ASPDAC / VLSI 2002 - Tutorial on "Functional Verification.

Similar presentations


Presentation on theme: "ASPDAC/VLSI 2002 Tutorial Functional Verification of System on Chip - Practices, Issues and Challenges ASPDAC / VLSI 2002 - Tutorial on "Functional Verification."— Presentation transcript:

1 ASPDAC/VLSI 2002 Tutorial Functional Verification of System on Chip - Practices, Issues and Challenges ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

2 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Presenters: Subir K. Roy (Co-ordinator), Synplicity Inc., 935 Stewart Drive, Sunnyvale CA 94085, USA Tel. : Fax. : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

3 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Presenters: S.Ramesh Dept. of Computer Sc. & Engg., IIT-Bombay, Powai, Mumbai Tel. : Fax. : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

4 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Presenters: Supratik Chakraborty, Dept. of Computer Sc. & Engg., IIT-Bombay, Powai, Mumbai Tel. : Fax. : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

5 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Presenters: Tsuneo Nakata, Fujitsu Laboratories Limited, 1-1, Kamikodanaka, 4-Chome, Nakahara-ku, Kawasaki, , Japan Tel. : Fax. : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

6 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Presenters: Sreeranga P. Rajan, Fujitsu Labs. Of America, 595 Lawrence Expressway, Sunnyvale CA , USA Tel. : Fax. : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

7 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Tutorial Outline Motivation & Introduction to SoC Design & Re-use. System Verification Techniques for Module Verification : Formal, Semi-Formal Techniques for System Verification : Simulation, Hybrid, Emulation Quality of Functional Verification : Coverage Issues Academic & Research Lab Verification Tools Case Studies ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

8 Tutorial Outline (contd.)
Commercial Tools Issues and Challenges / Future Research Topics Summary & Conclusions Bibliography Appendix ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

9 Tutorial Outline (Contd.)
Motivation & Introduction to SoC Design & Re-use (Subir K. Roy) Motivation, Verification Heirarchy, System Level Design Flow, SoC Design, SoC Core Types, SoC Design Flow, Implications on Verification. System Verification (S. P. Rajan) Current Design Cycle, Design Cycle with System Verification. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

10 Tutorial Outline (Contd.)
Techniques for Module Verification Formal Approaches (S. Ramesh) Introduction to Formal Verification Formal Models, Modeling Languages, Formal Methods, Formal Specification, Temporal Logics, CTL, Automatic Verification, Theorem Proving. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

11 Tutorial Outline (Contd.)
Implementation of Formal Approaches (S. Chakraborty) Binary Decision Diagrams, Combinational Equivalence Checking, Sequential Equivalence Checking, Commercial Equivalence Checkers, Symbolic CTL Model Checking of Sequential Circuits, Forward & Backward Reachability, State of the Art, Related Techniques. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

12 Tutorial Outline (Contd.)
Techniques for Module Verification(contd.) Semi-Formal Approaches Semi-Formal Verification (S. Chakraborty) Interface Specification for Divide & Conquer Verification (T. Nakata) Techniques for System Verification Symbolic Simulation & Symbolic Trajectory Evaluation (S. Chakraborty) Hybrid Verification (S. P. Rajan) Emulation (Subir K. Roy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

13 Tutorial Outline (Contd.)
Quality of Functional Verification (Subir K. Roy) Coverage Metrics – Informal, Semi-Formal, Formal. Academic & Research Lab Verification Tools Verification Tools – 1 (S. Ramesh) VIS, SMC, FC2toolset, STeP Verification Tools – 2 (S. P. Rajan) Fujitsu High Level Model Checking Tool, VeriSoft. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

14 Tutorial Outline (Contd.)
Case Studies Case Study – 1 (S. P. Rajan) ATM Switch Verification Case Study – 2 (T. Nakata) Semi-Formal Verification of Media Instruction Unit Commercial Tools (Subir K. Roy) FormalCheck, Specman Elite, ZeroIn-Search, BlackTie ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

15 Tutorial Outline (contd.)
Issues and Challenges / Future Research Topics High Level Specification & Modeling using UML (T. Nakata) Research Issues ( S. Chakraborty) Future Research Directions (S. P. Rajan) Summary & Conclusions Summary ( S. Chakraborty) Conclusions (Subir K. Roy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

16 Tutorial Outline (contd.)
Bibliography Papers, Books, Important Web Sites, Conferences, Journals/Magazines. Appendix Linear Temporal Logic, w-Automata based Formal Verification (S. Ramesh) Neat Tricks in BDD Packages (S. Chakraborty) More Research Tools – SPIN, FormalCheck (S. Ramesh) More on UML (T. Nakata) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

17 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Design & Re-use (Subir K. Roy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

18 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Motivation Pentium SRT Division Bug : $0.5 billion loss to Intel Mercury Space Probe : Veered off course due to a failure to implement distance measurement in correct units. Ariane-5 Flight 501 failure : Internal sw exception during data conversion from 64 bit floating point to 16 bit signed integer value led to mission failure. The corresponding exception handling mechanism contributed to the processor being shutdown (This was part of the system specification). ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

19 Verification Hierarchy
Higher-Order Theorem Proving Coverage/ Expressive Power First-Order Theorem Proving Temporal Logic Based Model Checking Assume-Guarantee based symbolic simulation/Model Checking Equivalence Checking Equivalence Checking of structurally similar circuits Simulation Degree of Automation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

20 System Level Design Flow
Interface Definition Component Selection ASIC & Software Implementation Glue Logic Implementation PCB Layout Implementation Integration & Validation of Software into System Debugging Board - Manufacturing & Test ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

21 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Design Core based design approach Design Complexity Time To Market Core : A pre-designed, pre-verified Silicon circuit block. Eg. Microprocessor, VPU, Bus Interface, BIST Logic, SRAM, Memory. Core Integration Re-usable cores : different types, different vendors User defined logic ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

22 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Design Designing Cores for integration Parameterization Customizable soft cores. Core provider supp-lies essential set of pre-verified parameters. Functionality Single core - preferable Multiple core - Needs good partitioning Interface Support std. buses to ease integration. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

23 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Core Types [Anderson, 2001] Cell/Macro Library elements DSPs, Microcontrollers Implementation of Standards Function (MPEG, JPEG, CRC, PicoJava,…) Interconnects (PCI, SCSI, USB, 1394, IrDA, Bus Bridges) Networking (10/100 ethernet, ATM etc.) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

24 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Core Types Soft Cores : Technology Independent Synthesizable Description. White Box Implementation - Visible & Modifiable. Core can be extended functionally. Firm Cores : Technology Dependent Gate Level Netlist. Internal implementation of core cannot be modified. User can parameterize I/O to remove unwanted functionality. Hard Cores : Layout & Timing Information provided. Cannot be re-synthesized. Integration is simple & can result in highly predictable performance. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

25 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Design Flow Co-design approach : Software + Hardware Design exploration at behavioral level (C, C++, etc.) by system architects Creation of Architecture Specification RTL Implementation (Verilog/VHDL) by hardware designers ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

26 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SoC Design Flow Drawbacks Specification Errors - susceptible to late detection Correlating validations at Behavioral & RTL level difficult Common interface between system & hw designers based on natural language ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

27 SoC Implementation Approaches
Vendor Based Approach : ASIC Vendor/Design service group carries out implementation Partial Integration : System Designer implements proprietary & application specific logic. ASIC Vendor integrates above with their cores In house : ASIC Vendor designs specialized cores. System Designer implements proprietary & appli-cation specific logic, integrates cores & verifies integrated design ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

28 Multiple Sources for IP Reuse
Semiconductor houses I/O Pad, Processor Core, Custom Logic, Memory, Peripheral Interface IP/Core Suppliers Processor Core, Peripheral Interface, Analog /Mixed Signal blocks (DAC, ADC, PLL) System Designer Controller, Custom Logic, AMS blocks ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

29 Advantages of Core/IP based approach
Short Time To Market (pre-designed) Less Expensive (reuse) Faster Performance (optimized algorithms and implementation) Lesser Area (optimized algorithms and implementation) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

30 Implications on Verification
[Mosensoson, DesignCon 2000] Verification Focus Integration Verification & Complexity. Bug Classes Interactions between IP/Core/VC blocks Conflicts in accessing shared resources Deadlocks & Arbitration Priority conflicts in exception handling Unexpected HW/SW sequencing ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

31 Implications on Verification
Need to capture complexity of an SoC into an executable verification environment Automation of all verification activities Reusability of verification components of unit Cores/IPs/VCs Abstraction of verification goals (Eg., Signals to Transcations, End to End Transactions) Checkers for internal properties Interface Monitors (BFM, Integration Monitors) Coverage monitors ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

32 Implications on Verification
Rigorous verification of each individual SoC component seperately Extensive verification of full system Requirements Efficient Verification Methodologies Efficient Tools High Level of Automation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

33 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
System Verification (S. P. Rajan) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

34 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Current Design Cycle RTL Description (from Spec/Doc) Simulation + Formal Verification Modify RTL Source RTL/logic Synthesis Modify Script Timing Analysis NOT OK OK ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

35 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Current Design Cycle Methodology fixed parameter modeling large-scale simulation (expensive) synthesis large-scale validation (expensive) Design cycle iteration expensive for changes in design parameters Does RTL Description satisfy Specification? ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

36 Design Cycle with System Verification
Cycle Accurate Behavior Validate Generic Parameters Instantiation Cycle Accurate Behavior Cycle Accurate Behavior Fixed Parameters Fixed Parameters High/RT-Level Synthesis Gate-Level (Large Design) Gate-Level (Small) Validate Logic Synthesis Chip Chip Validate = Formally Verify + Simulate ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

37 Design Cycle with System Verification
Parametric Design Methodology: Higher abstraction level -- Reusable generic parametric model -- small-scale simulation (low cost) -- formal verification viable -- Automatic high-level synthesis validation on a small scale (low cost) Formal verification early in design cycle Drastic reduction in design cost, time-to-market ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

38 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Techniques for Module Verification ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

39 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Verification (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

40 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Methods Functional verification SOC context: block level verification, IP Blocks and bus protocols Formally check a formal model of a block against its formal specification Formal - Mathematical, precise, unambiguous, rigorous Static analysis No test vectors Exhaustive verification Prove absence of bugs rather than their presence Subtle bugs lying deep inside caught ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

41 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Three-step process Formal specification Precise statement of properties System requirements and environmental constraints Logic - PL, FOL, temporal logic Automata, labeled transition systems Models Flexible to model general to specific designs Non-determinism, concurrency, fairness, Transition systems, automata ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

42 Three-step process (contd.)
Verification Checking that model satisfies specification Static and exhaustive checking Automatic or semi-automatic ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

43 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal verification Major techniques Equivalence checking Model checking Language containment Theorem proving Lang. Containment Obs. Equivalence Automata/ Tr. Systems Th. Proving Eq. Checking Model Checking Logic Tr. Systems/ Automata Model Spec ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

44 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
EQUIVALENCE CHECKING Checking equivalence of two similar circuits Comparison of two boolean expressions - BDDs Highly automatic and efficient Useful for validating optimizations, scan chain insertions Works well for combinational circuits Limited extension to sequential circuits Most widely used formal verification technique. Many commercial tools: Design VERIFYer (Chrysalis), Formality (Synopsis), FormalPro (Mentor Graphics), Vformal(Compass), Conformal (Verplex), etc. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

45 Model checking/Language Containment
Another promising automatic technique Checking design models against specifications Specifications are temporal properties and environment constraints Design models are automata or HDL subsets Checking is automatic and bug traces Very effective for control-intensive designs Commercial and Academic tools: FormalCheck (Cadence), BlackTie (Verplex), VIS (UCB), SMV(CMU, Cadence), Spin (Bell labs.), etc. In-house tools: IBM (Rulebase), Intel, SUN, Fujitsu (Bingo), etc. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

46 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Theorem proving Theoretically most powerful technique Specification and design are logical formulae Checking involves proving a theorem Semi-automatic High degree of human expertise required Mainly confined to academics Number of public domain tools ACL2 (Nqthm), PVS, STeP, HOL ACL2 used in proving correctness of floating point algorithms ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

47 Formal verification (experiences)
Very effective for small control-intensive designs-blocks of hundreds of latches Many subtle bugs have been caught in designs cleared by simulation Strong theoretical foundation High degree of confidence Hold a lot of promise Require a lot more effort and expertise Large designs need abstraction Many efforts are underway to improve ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

48 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Systems verified Various microprocessors (instruction level verification): DLX pipelined architectures, AAMP5 (avionics applications), FM9001 (32 bit processor), PowerPC Floating point units: SRT division (Pentium), recent Intel ex-fpu, ADK IEEE multiplier, AMD division Multiprocessor coherence protocols SGI, sun S3.Mp architectures, Gigamax, futurebus+ Memory subsystems of PowerPC Fairisle ATM switch core ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

49 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
State of the art FSM based methods : ~ 500 registers STE: ~ k registers Equivalence checking : ~ million gates designs Simulation : million gates capacity ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

50 Challenges of formal verification
Complexity of verification Automatic for finite state systems (HW, protocols) Semi-automatic in the general case of infinite state systems (software) State explosion problem Symbolic model checking Homomorphism reduction Compositional reasoning Partial-order reduction ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

51 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Modeling (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

52 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Models High level abstractions of real systems Contain details of relevance Full Systems detailed and complex Physical components and external components e.g. buses, schedulers, OS/network support software Modeling Modeling is a (pre-) design activity Models relatively easier to build Higher level than behavioral models (C models) early detection of bugs, design space exploration and verification, prototypes and synthesis ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

53 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Models Mathematical description of models Precise and unambiguous Consistent and complete Formal Verification Applies to mathematical models and not to real objects (hence called Design Verification) Faithful models essential False negatives (Spurious Errors) False positives (Models pass but System fails) Simulation/Testing cannot be dispensed with! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

54 Formal Modeling Languages
Enable abstract and high level descriptions Real languages often ambiguous Variation in HDL semantics Real languages require more details and effort Features Limited and High Level Data Types Nondeterminism (arising out of abstractions) Concurrency (to structure large systems) Communication (for internal and external interaction) Fairness (abstraction of real concurrency and schedulers) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

55 Example Modeling Languages
Finite State Machines CSP, CCS, SDL, Promela (for Asynchronous Systems and Protocols) Esterel, CFSM (Embedded Controllers) Statecharts, UM L (System level models) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

56 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Models of Hardware Hardware blocks are reactive systems: Reactive systems exhibit infinite behavior Termination is a bad behavior Timing/Causality information important ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

57 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Finite State Machines Well-known model for describing control or sequential circuits An example (3-bit counter) State labels describe bit status ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

58 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Another Example A Traffic Light Controller States HG - Highway green, FY – Farm road Yellow C - Car in Farm road, S,L - Short and long timer signal TGR - reset timer, set highway green and farm road red ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

59 States and Transitions
States are abstract description of actual machine states decided by the states of latches and registers Finite no. of States No final state - reactive systems not supposed to terminate Edge labels - input/condition and output/action ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

60 States and Transitions
Many Flavors of State Machines edge labeled - Mealy machines state labeled - Kripke structures state and edge labeled - Moore machines Labels Boolean combination of input signals and outputs communication events (CSP, Promela) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

61 Semantics of Finite State Systems
The above description is syntactic Semantics associates behaviors Branching Time semantics the tree of states obtained by unwinding the state machine graph possible choices are explicitly represented Linear Time Semantics the set of all possible `runs' in the system the set of all infinite paths in the state machine ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

62 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Non-determinism 2-master arbiter, reqi - request from Master i This machine is nondeterministic In Idle state when req1 and req2 arrive. Non-determinism due to abstraction More than one behaviour for a given input ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

63 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Concurrency A concurrent (and hierarchical) description of Counter ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

64 Concurrent Descriptions
Compact and easy to understand Natural model for hardware and complex systems Clear semantics required Interleaved model and synchronous models Appropriate communication primitives Concurrent machines composed to a single global machine Global machine captures all possible executions Exponential blow-up ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

65 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Fairness Constraints In general, not every run in a state machine is a valid behavior Arbiter example the run in which master 2 is never granted the resource But all runs are included in transition systems Fairness constraints rule out certain runs Modeling abstraction of real-time or schedulers Example Every request eventually considered The clock tick arrives infinitely often ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

66 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Fairness Constraints Not required with a more concrete description But concrete description too complex to verify A given property may not require concrete details For verification, abstract designs are preferable. proof is simpler proof is robust under alternate implementations. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

67 Generating Formal Models
Pre-design activity Automatic Translation from circuits/HDL designs States decided by the latches/registers in the ckt. Exponential blow-up in the size (State-explosion problem) Usually abstractions required ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

68 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Design errors Deadlock Look at state (1,1) Unspecified Receptions State (1,1) P1 can send message 2 P2 cannot receive this Non executable interaction - 'Dead code‘ State 3 of P1 cannot be reached at all ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

69 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Live lock/Divergence An example: Formal Verification generalizes early approaches to detection of such errors! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

70 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Specification (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

71 Formal Specifications
Verification involves checking that a design model meets its specification. Specification states what the system is supposed to do Design describes how this is done Specification Describes unambiguously and precisely the expected behavior of a design. In general, a list of properties. Includes environment constraints. Symbolic logic or automata formalisms Consistency and Completeness ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

72 Specification of Hardware blocks
Properties and Constraints specify possible states and transitions They state set of possible valid `runs' Valid runs are infinite sequences (or trees) of states and transitions Formal specifications are finitistic and precise descriptions Classification of Properties: Safety properties "undesirable states are never reached", "desirable things always happen". Progress or Liveness Properties "desirable state repeatedly reached" "desirable state eventually reached" ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

73 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples Safety Properties A bus arbiter never grants the requests to two masters Message received is the message sent Elevator does not reach a floor unless it is requested At any time traffic is let either in the farm road or on the highway every received message was sent Liveness Properties car on the farm road is eventually allowed to pass Elevator attends to every request eventually every bus request is eventually granted every sent message was received ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

74 Specification Formalisms
Properties and Constraints specify permissible behaviours Behaviours are infinite runs (reactive systems) They are infinite objects, in general. We need finitistic representation of such infinite objects for precision Two Major formalisms: Symbolic Logics: Linear and Branching Temporal Logics, Automata ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

75 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Temporal Logics Logics well-known for precise specification, amenable to symbolic manipulations. used in a variety of contexts: Propositional Logic/Boolean algebra for combinational HW Predicate logics for software Higher order logics for language semantics. Temporal logic for hardware and protocols. Qualitative temporal statements Examples: If it is cloudy, eventually it will rain It never rains here ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

76 Properties of Hardware blocks
Temporal in nature At any time only one units is accessing the bus every request to access the bus is granted ultimately. Two Kinds of TL Linear Temporal Logic (LTL): Time is a linear sequence of events Branching time temporal logic (CTL, CTL*): Time is a tree of events ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

77 Computational Tree Logic (CTL)
CTL formulae describe properties of Computation Trees Computation Trees are obtained by unwinding the transition system model of blocks Branching structure due to nondeterminism CTL is the simplest branching temporal logic CTL* is more powerful, includes CTL and LTL ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

78 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Syntax of CTL Every atomic proposition is a CTL formula If f and g are formulae then so are Øf, (f Ù g), (f Ú g), (f ® g), (f « g) AG f - in all paths, in all state f (in all future, f) EG f - in some path, in all states f AF f - in all paths, in some state f (in every future f) EF f - in some future f A(f U g) - in all paths, f holds until g E(f U g) - in some path, f holds until g AX f - in every next state, f holds EX f - in some next state f holds ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

79 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples AG ¬ (farm_go Ù high_go_B) AGAF (farm_car ® AF(farm_go)) AG (mem_wr U mem_ack) EF (req0 U grant0 ) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

80 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Model Checking (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

81 Automatic Verification
Model Checking and Language Containment For finite state systems like Hardware blocks, protocols and controllers. Systems modeled as transition systems or automata Specifications temporal formulae (LTL, CTL) or automata Verification: Model Checking: A finite state system or automaton satisfies a temporal logic specification iff it is a model of the formula. Language Containment: An automaton model (M) of the system satisfies an automaton specification (S) if the language of M is contained in that of S. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

82 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
CTL model checking (Clarke and Emerson, Quielle and Sifakis) M╞ F M Transition System and F, CTL formulae M defines a tree (unwind the Transition System) F specifies existence of one or all paths satisfying some conditions. Verification involves checking whether these conditions hold for the tree defined by M. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

83 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
EXAMPLE Which of the following hold ? AG p, EF¬q, AX p, AG ¬q, EG ¬q, AX(p Ú q) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

84 CTL Verification by Explicit Enumeration
Iterative labeling algorithm that labels all the states with sub formulae. Start from the initial labels of atomic propositions Iteratively add sub formulae as labels with each state based on the following equations: EF p = p Ú EX p Ú EX(EX p) Ú . . . EG p = p Ù EX p Ù EX(EX p) Ù . . . E (q U p) = p Ú (q Ù EX p) Ú (q Ù EX(q Ù EX p)) Ú . . . ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

85 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
CTL Verification Iteration terminates since states and subformulae are finite. If initial states are labeled with the given formula then the model checking succeeds if it fails, counterexample can be generated ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

86 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration To compute EF p which is: EF p = p Ú EX(p) Ú EX(EX(p)) Ú . . . ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

87 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration contd. Iterative computation I step : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

88 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration contd. II step : III step : ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

89 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration contd. Computation terminates EF p Holds in all striped states Computation involves backward breadth first traversal and calculation of Strongly Connected Subgraphs (cycles) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

90 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
2. Compute EG p in EG p = p Ù EX p Ù EX(EX p) Ù . . . ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

91 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration contd. Start with I iteration ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

92 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration contd. II iteration III iteration Iteration terminates ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

93 Complexity of CTL model checking
Algorithm involves backward traversal Linear on the sizes of both formulae and model Size of the model exponential in size of latches Reduction Techniques: Symbolic Model checking Techniques Compositional Verification Symmetry based reduction ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

94 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
by Theorem Proving (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

95 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Theorem Proving Classical technique Most general and powerful non-automatic (in general) Idea Properties specified in a Logical Language (SPEC) System behavior also in the same language (DES) Establish (DES ® SPEC) as a theorem. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

96 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
A Logical System A language defining constants, functions and predicates A no. of axioms expressing properties of the constants, function, types, etc. Inference Rules A Theorem `follows' from axioms by application of inference rules has a proof ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

97 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Proof Syntactic object A1, A2, , An A1: axiom instance An: theorem Ai+1 - Syntactically obtainable from A1, , Ai using inference rules. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

98 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples Propositional logic and its natural deduction system Prove SNi=1 i = N(N + 1)/2, using Peano's axioms and mathematical induction ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

99 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Full Adder sum := (x Å y) Å cin cout := (x Ù y) Ú ((x Å y) Ú cin) Theorem: sum = x + y + cin – 2 * cout Proof : Use properties of boolean and arithmetic operators. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

100 Problems with the approach
Verification is a laborious process Manual proofs could contain error If proof exists, system is correct otherwise, no conclusion. Interactive Theorem Provers Ease the process of theorem proving Proof-Checking Decision Procedures Proof Strategies Theory building Many systems are available: Nqthm, PVS, HOL, Isabelle, etc. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

101 Binary Decision Diagrams (S. Chakraborty)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

102 Boolean Function Representation
Boolean logic: Foundation of digital design Need to represent and manipulate Boolean functions efficiently Common representations: Truth table, Karnaugh map, Canonical sum-of-products Size always 2n for n-arguments Operations (e.g. AND, NOT) inefficient Inappropriate for practical applications E.g., representing carry-out function of 64-bit adder ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

103 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Binary Decision Diagrams (BDDs) A graphical representation [Bryant ’96] Allows efficient representation & manipulation of Boolean functions Worst-case behavior still exponential Example: f = x1.x2 + x3’ Represent as binary tree Evaluating f: Start from root For each vertex xi left branch if xi = 0 else right branch x3 x1 x2 1 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

104 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
BDDs Underlying principle: Shannon decomposition f(x1, x2, x3) = x1.f(1, x2, x3) + x1’.f(0, x2, x3) = x1. (x2 + x3’) + x1’. (x3’) Apply recursively to f(1, x2, x3) and f(0, x2, x3) Extend to n arguments Number of nodes can be exponential in number of arguments f = x1.x2 + x3’ x1 x2 x3 1 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

105 Restrictions on BDDs Ordering of variables
In all paths from root to leaf, variable labels of nodes must appear in specified order Reduced graphs No two distinct vertices represent same function Each non-leaf vertex has distinct children REDUCED ORDERED BDDs (ROBDDs): DAG x1 x3 x2 x3 x2 x2 x3 1 1 1 1 1 f = x1’.x2’ + x1.x2 + x1.x3’ ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

106 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
ROBDDs x1 Example: Properties Unique representation of f for given variable ordering Checking f1 = f2: ROBDD isomorphism Shared subgraphs: size reduction Every path might not have all labels Every non-leaf vertex has path(s) to 0 and 1 So far good ! f = x1.x2 + x3’ x2 x3 1 x1 x2 x2 x3 x3 x3 1 1 1 1 1 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

107 Variable Ordering Problem
f = x1.x2 + x3.x4 + x5.x6 1 3 5 2 4 6 Order 1,3,5,2,4,6 1 3 5 2 4 6 Order 1,2,3,4,5,6 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

108 Variable Ordering Problem
ROBDD size extremely sensitive to variable ordering f = x1.x2 + x3.x4 + … + x2n-1.x2n 2n+2 vertices for order 1, 2, 3, 4…2n-1, 2n 2n+1 vertices for order 1, n+1, 2, n+2,…n, 2n f = x1.x2.x3….xn n+2 vertices for all orderings Output functions of integer multipliers Exponential size for all orderings [Bryant ‘91] ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

109 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Variable Ordering Problem Determining best variable order to minimize BDD size NP-complete [Bollig, Wegener ‘96] Heuristics: Static and dynamic ordering [Fujita et al ‘92, Rudell ‘93] Sampling based schemes [Jain et al‘98] ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

110 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Operations on BDDs Operation Complexity Reduce O(|G|) G reduced to canonical form Apply O(|G1||G2|) Any binary Boolean op: AND, XOR … Compose O(|G1|2|G2|) g1(x1, x2, x5) composed with g2(x3, x4) at position of x2: g1(x1, g2(x3,x4), x5) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

111 Operations on BDDs (Contd.)
Operation Complexity Satisfy-one O(n) Assignment of x1, … xn for which f(x1,… xn) = 1 Restrict O(|G|) ROBDD for f(x1, x2, …,1, ... xn) or f (x1, x2, … 0 … xn) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

112 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Operations on BDDs Operators: Take ROBDD arguments, return ROBDD result. Complexity polynomial in BDD size BDD size limiting factor in most applications Ongoing research on avoiding BDD blowup Variable ordering, Partitioned BDDs, Implicitly conjoined BDDs etc. Quantification with BDDs x1. f(x1, x2, x3) = f(0, x2, x3) + f(1, x2, x3) x1. f(x1, x2, x3) = f(0, x2, x3) . f(1, x2, x3) Useful in Symbolic Model Checking ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

113 BDD Packages/Libraries Out There
CUDD package (Colorado University) Carnegie Mellon BDD package afs/cs/project/modck/pub/www/bdd.html TiGeR BDD library (commercial package) CAL (University of California, Berkeley) Respep/Research/bdd/cal_bdd/ BuDDy ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

114 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
BDD Packages/Libraries Out There ABCD BDDNOW PPBF ... ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

115 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Applications of BDDs Extensively used in CAD for digital hardware Some applications (partial listing) Combinational logic verification through equivalence checking Sequential machine equivalence Using combinational equivalence of next-state logic Symbolic model checking Automatic test pattern generation (ATPG) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

116 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Applications of BDDs Timing verification Representing false paths in circuits Representing discrete time encoded in binary Symbolic simulation Assigning symbolic values to circuit inputs and determining symbolic output values Symbolic trajectory evaluation Checking temporal properties over sequences of symbolic values Logic synthesis and optimization ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

117 Combinational Equivalence Checking (S. Chakraborty)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

118 Combinational Equivalence Checking
Given two combinational designs Same number of inputs and outputs Determine if each output of Design 1 is functionally equivalent to corresponding output of Design 2 Design 1 could be a set of logic equations/RTL Design 2 could be a gate level/transistor level circuit Design 1 Design 2 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

119 Right Fit for ROBDDs ROBDD for every function is canonical
Construct ROBDDs for each output in terms of inputs Use same variable order Check if the graphs are isomorphic ROBDD isomorphism is simple Alternatively Design 1 F Designs functionally equivalent if and only if F is identical to 0 (0 for all inputs) Design 2 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

120 ROBDDs in Equivalence Checking
Problem reduces to checking F for unsatisfiability If ROBDD has a non-leaf vertex or a 1 leaf, F is satisfiable But there are problems … For 32 bit multiplier, there are 64 inputs and BDD blows up Same is true for other real-life circuits Interestingly, several of these are actually easy to check for equivalence ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

121 ROBDDs in Equivalence Checking
Something smarter needed … Worst case must still be exponential complexity Unsatisfiability: co-NP complete! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

122 Using Structural Information
Structural similarities between designs help If A1 equivalent to A2 & B1 equivalent to B2, Design1 equivalent to Design2 Simplifies equivalence checking But consider B1 not equiv to B2, but Design 1 equiv to Design 2 A1 B1 A2 B2 A1 B1 A2 B2 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

123 Using Structural Information
False negative Analysis indicates designs may not be equivalent, but designs are actually equivalent Use logical implication to reduce false negatives If out1 is not equivalent to out2, out1 out2 is satisfiable Express out1 out2 in terms of internal signals in design1 and design2 Design 1 F Internal signals Design 2 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

124 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Method of Implication Derive set of internal signals that must be not equivalent if out1 out2 is satisfiable Propagate implications back towards inputs Stop when Primary inputs reached Two primary inputs never equivalent So, out1 out2 is satisfiable ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

125 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Method of Implication Stop when Internal signals reached are known to be equivalent Conclude out1 out2 is unsatisfiable So, out1 is equivalent to out2 Some pairs of signals can be quickly identified as not equivalent by random simulation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

126 Structural Simplifications
Once two internal signals are found equivalent, the circuit can be simplified Suppose outputs of corresponding AND gates are equivalent Helps reduce size of circuit to deal with later ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

127 An Efficient Equivalence Checker
Finds pairs of equivalent signals in two designs [Matsunaga ‘96] Start CEP: Candidate equivalent pairs Random simulation  CEP list NO VEP: Verified equivalent pairs More pairs to verify? YES Verify pair, update VEP list and CEP list, Restructure circuit Check if primary output pair is in VEP list End ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

128 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Some Observations Most non-equivalent pairs filtered by random simulation Equivalent pairs identified early by proper choice of internal variables when propagating implications backwards If pair under investigation is expressed in terms of already known equivalent pairs, we are done! Leverage Automatic Test Pattern Generation (ATPG) techniques to detect when a pair is not equivalent Targets implementation error, error due to translation or incremental modification, NOT design error ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

129 Checking Arithmetic Circuits
Equivalence checking of multipliers acknowledged to be hard ROBDD blowup for bit-level representation Multiplicative Binary Moment Diagrams (*BMDs) [Bryant, Chen ‘95] Boolean assignment of variables maps to a number (integer, rational) Canonical representation of linear functions, e.g. integer multiplication Word level representation of function Allows efficient verification of multipliers and other arithmetic circuits ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

130 Sequential Machine Equivalence
Restricted case: Reduces to combinational equivalence Given machines M1 and M2 with correspondence between state and output variables Checking equivalence of M1 and M2 reduces to equivalence checking of next-state and output logic Comb Logic1 Comb Logic2 FF FF Given Equivalence ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

131 Equivalence Checking - Extensions
For best results, knowledge about structure crucial Divide and conquer Learning techniques useful for determining implication State of the art tools claim to infer information about circuit structure automatically Potentially pattern matching for known subcircuits -- Wallace Tree multipliers, Manchester Carry Adders ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

132 Equivalence Checkers Out There
Commercial equivalence checkers in market Abstract, Avant!, Cadence, Synopsys, Verplex, Veritas (IBM internal) ... ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

133 Symbolic Model Checking (S. Chakraborty)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

134 Model Checking Sequential Circuits
Given: A sequential circuit Finite state transition graph Flip-flops with next-state logic Transition relation between present and next states A property in specialized logic Prove that MODEL satisfies SPECIFICATION In case of failure, counterexample desirable MODEL SPECIFICATION ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

135 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example: 3-bit Counter Model State transition graph defined by X0 = NOT(x0) X1 = XOR(x1, x0) X2 = XOR(x2, x0. x1) x2 X2 x1 X1 Property State x0, x1, x2 = 111 is reached infinitely often starting from state 000 X0 x0 Clk ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

136 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Basic Approaches Explicit state model checking Requires explicit enumeration of states Impractical for circuits with large state spaces Useful tools exist: EMC, Murphi, SPIN, SMC … Symbolic model checking Represent transition relations and sets of states implicitly (symbolically) BDDs used to manipulate implicit representations Scales well to large state spaces (few 100 flip flops) Fairly mature tools exist: SMV, VIS, FormalCheck ... ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

137 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Model Checking Reachability analysis Find all states reachable from an initial set S0 of states Check if a safety condition is violated in any reachable state CTL property checking Express property as formula in Computation Tree Logic (CTL) Check if formula is satisfied by initial state in state transition graph ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

138 Symbolic Model Checking
For 3-bit counter, set of states x0, x1, x2 = {000, 010, 011, 001} can be represented by S (x0, x1, x2) = S(x) = x0’. BDD: Set of state transitions can be represented by N (x0, x1, x2, X0, X1, X2) = N (x, X) = (X x0’) (X x x0) (X x (x1. x0)) BDD: x0 1 1 x0 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

139 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Forward Reachability Start from set S0 of states Set of states reachable in at most 1 step: S1 = S { X | x in S N(x, X) = 1} Expressed as Boolean functions: Given S0 (x0, x1, x2), S1 (X0, X1, X2) = S0 (X0, X1, X2) x0, x1, x2 . [S0 (x0, x1, x2) N(x0, x1, x2, X0, X1, X2)] Given BDDs for S0 and N, BDD for S1 can be obtained S1 S0 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

140 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Forward Reachability Compute S1 from S0, S2 from S1, S3 from S2, … Predicate transformer F: Si+1 = F (Si) Continue until Sk+1 = F (Sk) = Sk Least fixed point of F Sk = Set of all states reachable from S0 Computed symbolically -- using BDDs Very large state sets can be represented compactly S0 Reachable states ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

141 Backward Reachability
Give a set Z0 of states Compute set of states from which some state in Z0 can be reached. Analogous to forward reachability with minor modifications Z0 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

142 Checking Safety Conditions
Safety condition must ALWAYS hold E.g. Two bits in one-hot encoded state cannot be 1 Z = set of states violating safety condition Given S0 = set of initial states of circuit, Compute R = set of all reachable states Determine if Z intersects R, i.e. (Z R) If YES, safety condition violated Satisfying assignment of (Z R): counterexample If NO, circuit satisfies safety condition All computations in terms of BDDs ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

143 Checking Safety Conditions
Start from Z = set of “bad” states Find by backward reachability set of states B that can lead to a state in Z Determine if S0 intersects B S0 S0 B R Z Z Forward Reachability Backward Reachability ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

144 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
CTL Properties “Once req goes high, grant eventually goes high” Not expressible as safety property Use formulae in Computation Tree Logic (CTL) CTL formulae at state S0 Atomic proposition: x1 = x2 = x3 = 0 AG f: In all paths from S0, f holds globally AF f: In all paths from S0, f holds finally AX f: In all paths from S0, f holds in next state A[f U g]: In all paths from S0, g holds finally, and f holds until then S0 Computation tree of states ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

145 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
More on CTL EG f, EF f, EX f, E [f U g] defined similarly “There exists a path from current state …” f and g can themselves be CTL formulae E.g., AG AF (x1 x2) x1 or x2 is satisfied infinitely often in the future Recall 3-bit counter example: “ The state x0, x1, x2 = 111 is reached infinitely often starting from 000” x0’ x1’ x2’ AG AF (x0 x1 x2) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

146 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
CTL Model Checking Clarke, Emerson, Sistla proposed algorithm for CTL model checking on explicit state graph representation [Clarke et al ‘86] Linear in graph size and formula length Burch, Clarke, Long, McMillan, Dill gave algorithm for CTL model checking with BDDs [Burch et al’94] Suffices to have algorithms for checking EG f, EX f, and E [f U G] Other formulae expressed in terms of these EF f = E [true U f] AF f = (EG ( f)) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

147 Symbolic CTL Model Checking
Given a model with set S0 of initial states and a CTL formula f To determine if f is satisfied by all states in S0 Convert f to g that uses only EX, EG, E[p U q] CHECK(g) returns set of states satisfying g If g = atomic proposition (e.g., x1. x2 + x3), CHECK returns BDD for g If g = EX p, EG p, E[p U q], CHECK uses reachability analysis to return BDD for set of states Worst-case exponential complexity Finally, determine if S CHECK(g) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

148 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
State of the Art Techniques to address memory/runtime bottlenecks Partitioned transition relations Addresses BDD blowup in representing transitions Early quantification of variables Addresses BDD blowup during image computation Iterative squaring Exponential reduction in number of steps to fixed point ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

149 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
State of the Art Techniques to address memory/runtime bottlenecks (contd.) Use domain knowledge to order BDD variables and order quantified variables Modified breadth first search To explore state space of loosely coupled systems Active ongoing research … ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

150 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
State of the Art Symbolic model checkers can analyze sequential circuits with ~ 200 flip flops For specific circuit types, larger state spaces have been analyzed Frontier constantly being pushed Abstract, Avant!, IBM, Cadence, Intel & Motorola (internal) ... ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

151 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
State of the Art Specifying properties in specialized logic often daunts engineers Better interfaces needed for property specification Monitor-based model checking Monitor observes system states and flags when something “bad” happens Property to check: “Does monitor ever raise flag?” ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

152 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Related techniques Model checking for bugs Prioritize state space search to direct it towards bugs Start from error state and current state Compute pre-image of error states & image of current state Choose states for further expansion in order of their “proximity” to pre-image of error states Proximity metrics: Hamming distance, tracks, guideposts [Yang, Dill ‘98] Helps find bugs in erroneous circuits quickly No advantages if circuit is bug-free ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

153 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Related techniques Approximate Model Checking Representing exact state sets may involve large BDDs Compute approximations to reachable states Potentially smaller representation Over-approximation : No bugs found Circuit verified correct Bugs found may be real or false Under-approximation : Bug found Real bug No bugs found Circuit may still contain bugs Buggy states Reachable states ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

154 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Related techniques Bounded model checking Check property within k steps from given set S0 of states S F(S0) F2(S0) … Fk(S0) Unroll sequential machine for k time steps To check property Z, test satisfiability of (S0 Z) (S Z) (S1 Z) … (Sk Z) Leverages work done on SAT solvers PI1 PI2 PI PO PI0 PS NS S0 S1 S2 S3 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

155 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Semi-formal Methods (S. Chakraborty) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

156 Semi-formal Verification
Formal verification still a bottleneck Simulation and emulation not keeping up with design complexity Designs with bugs being produced FV methods haven’t yet been able to scale to all types of industry designs Fundamental complexity limits restrict how much FV can do Need some viable alternative Use a hybrid of testing, simulation and formal methods to fill the gap ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

157 Semi-formal Verification
Simulation Driver Simulation Engine Simulation Monitor Symbolic Simulation Conventional Diagnosis of Unverified Portions Guided vector generation Coverage Analysis Extension Devadas and Keutzer’s proposal: A pragmatic suggestion for SOC verification ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

158 Semi-formal Verification
Smart simulation: Maximize chances of detecting bugs at small cost Coverage metrics crucial Code based (conditionals/assignments in HDL) Circuit-structure based (node toggle) State-space based (states reached) Functionality based (user defined event sequences) More to come ... Use metrics to determine Unexercised parts of design: Guide vector generation Adequacy of verification: When to stop? ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

159 Semi-formal Verification
Metric Coverage Measure of how adequately design is exercised A measure of controllability Observability is another major issue Must propagate a mismatch in an internal signal value (which can cause problems later on) to the observable outputs “White Box” techniques help Assertion checkers [0-In] Techniques from testing can be borrowed ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

160 Semi-formal Verification
Coverage + observability can be used to direct simulation Test generation Model design errors by fault model (e.g. stuck-at) Generate tests automatically that maximize coverage metric per test simulation cycle Sequential ATPG methods can be used But hard problem in general! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

161 Semi-formal Verification
Test generation (contd.) Generate tests for FSMs (deep inside design) using model checking techniques Map test inputs of FSM deep inside design to design inputs User guided Automatic using sequential ATPG ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

162 Semi-formal Verification
Test Amplification Make use of interesting test cases already generated by ATPG or user Explore behavior “near” tested region of state space Rationale: Generated tests may take the design into an error-prone corner but may not detect any/all errors there. Goal : Detect as many “near-miss” bugs as possible by looking around paths taken by known tests ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

163 Semi-formal Verification
Partial model checking When BDDs start to blow up, delete part of state space from consideration Choose parts to delete such that maximum number of states can be explored with given resources Hash tables in explicit model checking to prevent blow-up of state space Aliasing problem Suitable choice of hashing function gives very low alias prob ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

164 Interface Specification for Divide & Conquer Verification (T. Nakata)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

165 Constraints in Module Verification
Properties Input constraints Verification engine Module under verification Constraints problem in a case study Not specified by the designers Defined by verification team through verification process Result: # of constraints=1818, # of properties=118 (# of constraints < 50 if correctly specified) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

166 Two Ways to Define Constraints
Module under verification Add pseudo module to inputs Module under verification // PSE_BGN // PSE_ERR [ data == ‘CLD ] [ data != ‘CB ]{,1} [ data == ‘CB ] // PSE_END Interface specification language Specify constraints by a certain language Specify constraints by a certain language ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

167 Category of I/F Spec. Languages
Verification languages e, VERA, TestBuilder, … Special syntax in HDLs or system description languages SystemC, SpecC, VHDL+, … Dedicated languages for I/F specification OwL, CWL, … ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

168 Design and Verification Support
I/F specification Verification support Design support Sim. pattern generation Spec. sheet generator Checker generation I/F Synthesis Coverage criteria ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

169 Verification Support (1)
Checker generation Input constraint checker that rules out invalid transactions Output checker that checks consistency to specification Error Module ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

170 Verification Support (2)
Simulation pattern generation Random pattern generator in conformance with input constraints Good pattern Module ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

171 Verification Support (3)
Abstraction level converter for verification scenarios Conversion between transaction-level and signal-level scenarios* * e.g. TestBuilder TVM generator Scenario Comparison do { wait(); } while (!grant); m1.write(d); Module Level converter ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

172 Example of I/F Specification Language
CWL (Component Wrapper Language) Jointly developed by Hitachi and Fujitsu Hierarchical description aimed at abstraction level conversion Support for split transactions Support for useful interface patterns Arrays FIFOs Priority queues ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

173 Hierarchical Description: Base
clk a d rst en ad[9:0] wait dt[7:0] I N Q(a) W W S(d) N signalset all = {clk,rst, en, ad,wait,dt}; N : { R, 1, 1, x, 1, x}; I : { R, 0, x, x, 1, x}; Q(a): { R, 1, 0, a, 1, x}; W : { R, 1, 1, x, 0, x}; S(d): { R, 1, 1, x, 1, d}; endsignalset ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

174 Hierarchical Description: Transaction
clk a d rst en ad[9:0] wait dt[7:0] I reset N nop read(a,d) Q(a) W W S(d) N nop word; nop : N ; reset : I ; read(a,d) : Q(a) W* S(d) ; endword ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

175 Hierarchical Description: Sentence
clk a d rst en ad[9:0] wait dt[7:0] sentence I reset nop N Q(a) read(a,d) W W S(d) N nop sentence; reset [ nop | read ]+ ; endsentence ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

176 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Split Transactions I N N Q1 Q2 S1 Q3 S2 S3 reset nop nop read1 read1 read2 read2 read3 read3 sentence; INITIAL: reset; FOREGROUND: read; BACKGROUND: nop; endsentence ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

177 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Summary Interface specification is crucial in module verification Design and verification support from I/F spec. Activities in I/F specification languages ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

178 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Techniques for System Verification ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

179 Symbolic Trajectory Evaluation (S. Chakraborty)
Symbolic Simulation and Symbolic Trajectory Evaluation (S. Chakraborty) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

180 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Symbolic Simulation Conventional simulation Combinational circuits: Output for a given set of inputs Sequential circuits: Output for a given initial state and sequence of inputs Inputs and initial state are specified constants Output is also a constant # Constant input combinations too large! Alternative approach Allow symbolic variables as inputs and initial state Compute outputs & states as symbolic expressions ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

181 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Symbolic Simulation A symbolic expression represents a set of values Inputs: x = a, y = b, c = b’ Output: f(x,y,z) = a + b’ represents set of values at output on applying 001, 010, 101 and 110 to inputs Result of multiple simulations in one pass Examine expression for outputs to see if desired property is satisfied Primary outputs a, 1, a F1(a,S), F2(a,b,S), F3(a,b,S) Sequential Circuit a’, b, a + b Next states Initial state S G1(a,S), G2(a,b,S), G3(a,b,S) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

182 Low-level Symbolic Simulation
Symbolic simulation at gate and MOS transistor level Variables can take value {0, 1, X} X represents an unknown state of the signal Boolean functions extended to operate on {0, 1, X} AND(0, {0,1,X}) = {0} AND(1, {1,X}) = {1,X} AND(X, {X}) = {X} Common use of X: Representing uninitialized state variables Outputs can be checked to see if desired value appears Simulators: COSMOS, Voss, Innologic, Intel Labs ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

183 Low-level Symbolic Simulation
{0, 1, X} encoded in binary Two binary variables used to represent each symbolic variable Extend operations to pairs of binary variables AND( (a,b), (c,d) ) = (AND(a,c), AND(b,d)) Each signal value now represented using two BDDs Generalizing, a vector of BDDs encodes a symbolic expression Operation on symbolic expressions = Operation on BDD vectors 0: : X: 01 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

184 High-level Symbolic Simulation
Variables: boolean, bitvectors, int, reals, arrays … Operations: Arithmetic, logical, bitvector operations Uninterpretted functions, equality, disequality Final expression contains variables and operators Decision procedures needed to check whether final expression is as desired Final expressions can also be manually checked for unexpected terms/variables, flagging errors -- e.g. in JEM1 verification [Greve ‘98] ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

185 High-level Symbolic Simulation
Manipulation of symbolic expressions done with Rewrite systems like in PVS Boolean and algebraic simplifiers along with theories of linear inequalities, equalities and uninterpretted functions Extensively used along with decision procedures in microprocessor verification Pipelined processors: DLX Superscalar processors: Torch (Stanford) Retirement logic of Pentium Pro Processors with out of order executions JEM1 (no decision procedures used) ... ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

186 Symbolic Trajectory Evaluation (STE)
Trajectory : Sequence of values of system variables c = AND (a, b) and delay is 1 A possible trajectory : (a,b,c) = (0, 1, X), (1, 1, 0), (1, 0, 1), (X, X, 0), (X, X, X) and so on Express behavior of system model as a set of trajectories I and express desired property as a set of trajectories S Determine if I is inconsistent with S Inconsistent: I says 0 but S says 1 for a signal at time t Consistent: I says 0 but S says X or 0 for a signal ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

187 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
STE Several success stories with STE Verification of memories, TLBs in Power PC Verification of instruction length decoder in Intel x86 architecture Verification of Intel FP adder Microprocessor verification, ... Enables efficient analysis of much larger state spaces than symbolic model checking However, properties that can be checked are restricted compared to CTL ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

188 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Hybrid Verification (S. P. Rajan) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

189 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Hybrid Verification Formal Verification using Theorem Proving + Model Checking (PVS) PVS = Prototype Verification System (SRI International) Tight integration of theorem prover and model checker ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

190 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Hybrid Verification Basic Decision Procedures Model Checker Model-Check Hardware Specification Simplify Decision Procedures data-structures BDD Rewrite Arith Properties to be Verified Assert Rewriter ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

191 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
PVS System Overview Powerful specification language Based on typed-higher-order logic Can express VHDL/verilog specifications Parametric specifications Combines theorem proving and model checking (using BDDs) Currently, there is no tool that can match PVS in the combined features of specification & verification ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

192 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
PVS System Overview Decision procedures including BDDs and model-checking in PVS Support for verification strategies and quick proof prototyping Support for quick debugging: theory extensions on the fly PVS used to verify commercial designs (AAMP-5, Rockwell Collins) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

193 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
PVS Drawbacks Developing semi-automatic proof strategies difficult Large designs might challenge PVS resource usage VHDL/verilog to PVS translators yet to be developed (significant effort needed) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

194 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Emulation (Subir K. Roy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

195 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Emulation Systems Systems using hardware emulators to do physical prototyping. Hardware emulators : Specially designed h/w & s/w systems using reconfigurable h/w such as FPGAs. Implements a design by mapping it to these FPGAs, which are mounted in fixed arrays on PCBs in a dedicated piece of equipment that communicates with the design environment. Prototype Design – Checked for functional correction In Circuit Emulation - Emulator can also be connected to target system. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

196 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Emulation Systems Emulation justified when Absolute real time performances not required Simulation is extremely slow Design complexity significant Few bugs related to system integration remain Though accelerates simulation runs, debug and design iterations can be long due to setup costs. Usually follows static functional verification of modules. Emulation requires an additional design flow ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

197 FPGAs as logic emulators
~ Several trillion gate evaluations/sec. Efficient high end synthesis tools available. Multiple FPGA board architectures give >5 million gates (can be extended to 10 –15 million gates) – Can target entire SoC designs. Same architecture can be re-used for other designs. Programmable interconnect makes it possible to achieve optimal mapping of partitioned RTL behaviors to different FPGAs. Can be tested by ICE or by test vectors. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

198 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Emulation Flow Import Netlist Generate Memory Clock Analysis Constraint Design Partition System Setup Vector Translation Vector Debugging ICE Setup Target Interface Logic Analyzer Setup Verilog RTL Code Behavioral Simulation Netlist Synthesis Gate Level Emulator Environment In Circuit Emulation Error ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

199 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Total Emulation System PC Target Board Clock Source Power Host Interface Module ViewStore WorkStation Emulation Hardware System LAN ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

200 Emulation Systems - Major components
Hardware in emulation box Multiple PCBs & specialized parallel architecture around FPGAs/board. 1 CPU/board : Hyb. Emln, Behav. Test Bench Interconnect : Programmable Crossbars, Nearest Neighbor Time Multiplexing I/Os. Memories : SRAMs, DRAMs, SDRAMs Target Interface h/w : ICE cable & interface. Logic Analyzer or specialized h/w to capture o/p response. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

201 Emulation Systems - Major components
Software Specialized compiler/synthesizer for mapping flattened RTL/gate netlists to emulation hardware. Mapper uses Multiway, Multilevel partitioning s/w to Multi-FPGA, Multi-Board emulator target architecture. Specialized timing analysis for clocking issues related to Multi-FPGA mapping. Execution software. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

202 Emulation Systems - Drawbacks
Expensive & Proprietary hardware. Additional Design flow High designer skill in vendor specific tools. Design iterations can be time consuming. Requires high performance workstations On board memories require logic wrappers. DRAMs & SDRAMs impose proper refresh strategies at lower emulation speeds Needs careful attention to setup & hold times when exercising test vectors. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

203 Emulation Systems - Drawbacks (contd.)
Data buffers susceptible to overruns & underruns. Debugging difficult as errors can also arise due to data interfaces to emulation model. Proprietary simulator ICE can impose target h/w to be slowed down. Inflexible due to interconnect architecture. SoCs will be limited by interconnect capacity. Facing competition : Simulation farms, Cheaper Rapid Prototyping Systems. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

204 Commercial Emulators [Butts & Keutzer,’99]
Cadence/Quickturn Mercury : 10M gates, Xilinx FPGA, Two level time multi-plexed crossbar interconnect, PowerPC/board (Verilog h/w accelerator). IKOS VirtualLogic : 5M gates, Xilinx FPGAs, Nearest neighbor time multiplexed interconnect (Virtual Wires), Compiler analyzes clock trees to synchronize time multiplexing. Axis Excite : FPGAs on PCI cards, Tightly coupled to proprietary Verilog simulator. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

205 Quality of Verification (Subir K. Roy)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

206 Quality of Verification
Motivation Has verification been done comprehensively? All expected behavior excited & observed? Compare runs based on different approaches. Semi-Formal (Simulation + Model Checking) Stopping criteria (Intelligent Simulation) Formal (Model Checking) Adequacy of set of properties? ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

207 Coverage Metric - Informal
Coverage Metric helpful in detecting Useful structures in a design Useful classes of behavior Classification : Based on abstraction and level of design representation [Dill, Tesiran, ICCAD 99]. Code (HDL code) Circuit structure (Netlist) State space (STG) Functional (User defined tasks) Specification (Executable) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

208 Coverage Metric - Informal
Different Coverage Metrics : Branch Expression FSM Arc Functional Hardware Code Path Signal Statement Toggle Triggering ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

209 Coverage Metric - Informal
Desirable Qualities [Dill, Tesiran, ICCAD 99]. Direct correspondence between metric & design errors or bugs. Tolerable computational overhead to measure coverage Reasonable analysis overhead Data interpretation High Coverage Stimuli generation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

210 Coverage Metric - Semi-formal
Informal Coverage Metrics – Ad-hoc. Is it possible to formalize metrics for certain classes of designs? Semi-formal [Gupta et. al. DAC 97] Mixes formal verification and simulation approaches. Generate : Test model - Simple ( Formal Ver-ification). Implementation model - Complex (Simulation) Use FV to drive test set (test vector seqs.) Coverage : Defined on Test model. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

211 Coverage Metric - Semi-formal
Can coverage on test model be translated into good coverage on implementation model? Coverage of design behavior Coverage of design errors Guarantees w.r.t. completeness of validation. Test model derived from Implementation model through abstraction of data path & control part. Can this be made more precise? Gupta et. al. show under a reasonable set of assumptions one can define metrics formally. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

212 Coverage Metric - Semi-formal
New Coverage Metric(TTM) : Based on Transition Tour on test model Transition Tour : A test set that covers each transition in a FSM. Transition tours can catch all errors if there exists an input which produces a unique output in each state, & causes the FSM to stay in the same state. Test model based on Mealy machine. Test generator – Uses FV techniques to traverse reachable state space for desired target coverage. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

213 Coverage Metric - Semi-formal
Limitation : Does not cover all sequences (path coverage). Not all errors exposed. Transition tour metric can excite errors, but may not expose errors. Complete test set generation rules Application TTM used in processor verification General Purpose Processors Digital Signal Processors Case Study - DLX RISC Processor. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

214 Coverage Metric - Formal
Formal Verification : Is system correct with respect to a specification? How complete is the set of specification? Coverage Metric captures relevance of different parts of the system for the verification process when modifications are effected in the System Under Verification (SUV) What does it mean for a specification Φ to cover a system/circuit S? Does Φ describes S exhaustively? ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

215 Coverage Metric - Formal
Intuitively, uncovered part of S amenable to modification without falsifying Φ in S. Different definitions of coverage implies different ways in which parts of S can be modified. Captures errors in the modeling of a system Vacuous satisfaction of specification Captures errors in validity of specification Sanity checks for constraint validation (Eg. Enabling conditions, Variable values & usage). ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

216 Coverage Metric - Formal
Completeness of Specifications Erroneous behavior not caught if no spec captures this behavior Fully describe all possible behavior of system Check if system contains redundancies Simplify system Analyzing coverage in MC can find portion of design not relevant for verification to succeed. Coverage check – Feedback mechanism. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

217 Coverage Metric - Formal
Approaches in Temporal Logic MC [Katz et. al., ‘99] Compare SUV with Tableau of spec Φ [An abs-tract system satisfying Φ and subsuming all behavior allowed by Φ.] Detects portions irrelevant to satisfaction of Φ : Behaviors indistinguishable by Φ & those allowed by Φ but not generated by SUV Drawbacks : Imposes severe restriction on system & its tableau, Supports only ACTL ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

218 Coverage Metric - Formal
[Hoskote et. al., DAC 99] Coverage : Effect of modi-fications in system on satisfaction of the specs. Given, System : Modeled by a Kripke Structure, K; Spec, Φ : A formula satisfied in K; q : Signal; w : A state in K. Defn. : w in K is q-covered by Φ if K' derived from K by flipping value of q in w no longer satisfies Φ. q-cover(K, Φ) : Set of states q-covered by Φ in K. CM Computation : Naïve – Perform model checking of Φ in K' for each state w of K. {Acceptable ACTL }. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

219 Coverage Metric - Formal
[Chockler et. al., CHARME 2000]: Distinction bet-ween ways to model a system. State based : Design Level (Hoskote et. al.)-System modeled as a circuit with state space Logic based : Implementation Level - Signal value fixed to 0, 1, or X everywhere, then model check for satisfaction of Φ. Closed system : No env. inputs (Kripke Structure). Open System : Inputs from environment + Outputs supplied by system to environment; Modeled by sequential machines; Coverage metric w.r.t. o/ps. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

220 Coverage Metric - Formal
Coverage Metric Computation Naïve approach : Find set of covered states (state based approach), or set of covered signals (logic based approach) by model checking every modified system. Alternative approaches Find uncovered parts of system Utilize overlaps among modified systems: Each modification involves small change in system. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

221 Coverage Metric - Formal
Presentation of Output : What do we do after we detect portions of system (or circuit) S that are not covered w.r.t. a signal x? Compute : X = {x-cover(S, Φ) / for several x in O}; Coverage = | x-cover(S, Φ) | / |States in S|. Analysis : Is x-cover(S, Φ) empty? - Implies vacuity (X can be used for generating uncovered computa-tions). s in S not in x-cover(S, Φ)?- Implies Φ fails to distinguish between S & S‘; Implies errors arising out of erroneous values of signal x in s are not captured by spec. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

222 Coverage Metric - Formal
Advantages Applicable to full CTL. CM not sensitive to abstraction. CM is compositional Drawbacks Complexity of computing CM much greater than that of model checking. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

223 Academic & Research Lab Verification Tools
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

224 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification Tools – 1 (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

225 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification tools A large number of tools exist Exhaustive review impossible For a comprehensive list and details: Formal Methods Home Page: Centre for Formal Design and Verification of Software (CFDVS) at IIT Bombay BRIEF review of a VERY FEW model-checking tools in order now! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

226 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
VIS VIS Home page: www-cad.eecs.berkeley.edu/ Respep/Research/vis/ Verification Interacting with Synthesis. A research prototype tool (Proof of Concept) U. California, Berkeley (Brayton et. al.) U.Texas, Austin, U.Colorado, Boulder VIS integrates verification, simulation and synthesis of finite state HW system. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

227 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Modeling Language A subset of Verilog VHDL and Esterel planned The back-end language is BLIFF-MV Specification Language CTL, CTL* and Automata ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

228 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Symbolic Model Checking Language Emptiness Check Equivalence Checking of Combinational designs Speciality: Simulation and Synthesis Various representations of Boolean functions (BDD, MDD, etc.) variable ordering heuristics ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

229 Specification Examples
AG ((bit[0] = 1) ® AX (bit[0] = 0)) Flipping of the zeroth bit in a counter. AG ((Req = 1) ® AF (Ack = 1) ) Every Req is greeted with an Ack eventually AG (EX:5 (State = TRST)) Always state TRST is reached in 5 steps. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

230 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
SMV Home page: kenmcmil/smv/ Experimental Research tool from Cadence Berkeley Labs. (McMillan) Originally from CMU (McMillan's Ph.D.thesis) Modelling Language: Interacting State Machines, Synchronous Verilog Specification Language: CTL, LTL Verification Approach: Symbolic Model Checking Compositional and Symmetry-based Verification Strategy ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

231 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Modeling language Interacting state machines synchronous and asynchronous concurrency allow modular and hierarchical description of finite state systems finite data types: Booleans, scalars, fixed arrays ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

232 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples: 1. MODULE MAIN VAR request : boolean; state : {ready, busy} ASSIGN init(state):=ready; next(state):=case state=ready&request: busy 1 : {ready,busy } ; esac; SPEC AG (request ® AF state = busy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

233 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples: 1. Old Syntax `request' unconstrained (input) non-deterministic assignment OBDD representation of tr. reln. constructed and SMC performed. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

234 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example - 3bit counter MODULE main VAR bit0 : counter cell(1); bit1 : counter cell(bit0, carry-out); bit2 : counter cell(bit0, carry-out); SPEC AG AG bit2. carry-out MODULE counter cell(carry-in) VAR value : boolean; ASSIGN init(value) :=0; next(value) := value+carry-in mod 2; DEFINE carry-out : = value & carry-in ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

235 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example - 3bit counter Assign sections of bit0, bit1 and bit2 execute in parallel Data dependence respected ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

236 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
FC2toolset Home page: Automatic Verification of Finite State Communicating systems Form the basis for Esterel verification Developed at INRIA and Ecole de Mines, Sophia Antipolis Based upon process algebra notation Modeling Language: CSP/CCS, Esterel (Xeve tool) Specification language: abstract state machines ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

237 Verification Approach
Comparison of specification machine with the model after abstraction: use of Observational Equivalence, Symbolic Bisimulation Compositional Minimization and Abstraction A very powerful notion of abstraction (re-labeling complex sequence into a single label) Explicit and BDD representation of state machines ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

238 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example DLX Controller An Esterel model 100s of states abstracted using FC2tools: ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

239 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
STeP Homepage : Stanford Temporal Prover Interactive theorem proving tool for verification of concurrent and reactive systems Combines model-checking and deductive approaches and verifies parameterized(N-component) circuit designs parameterized(N-process) programs and programs with infinite data-domains ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

240 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
STeP Modeling Language: SPL and fair Transition Systems Specification Language: LTL and First Order Logic Verification Approach: Theorem Proving and Model-checking ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

241 Fair Transition System
STeP overview Temporal Logic Formula Reactive System (SPL) Program Hardware Description Model Checker Fair Transition System Automatic Prover Verification Rules Bottom-up Invarient Generator Strengthening of Invariants Propagation First-order Prover Simplification Decision procedures P- valid Counter example Debugging Guidance Interactive Prover User ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

242 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification in STeP Very powerful theorem prover Automatic Invariant Generation, Collection of Simplification rules Decision procedures for linear arithmetic, arrays, bit vectors, etc. Generation of Verification Conditions BDD simplification Rich set of tactics and tacticals ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

243 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
An example SPL Program main :: [ in a : int where ((a 127) ^ (a > - 128)) in b : int where ((b<127) ^ (b > - 128)) out c, d : int if (a > 0 ^ b > 0) then [ if (a > b) then [ 12 : skip;c:= a-b] else [ 13 : skip;c:=b-a] ] else if (a < 0 ^ b <0) then [ 14:skip;c:= -(b + 1)] else [15: skip; c:=a + b ] ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

244 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Specification file SPEC PROPERTY P1 : l2 ® ((a – b) £ 127 ) Ù ((a – b) ³ ) P2 : l3 ® ((b – a) £ 127 ) Ù ((b – a) ³ ) P3 : l4 ® (-(b + 1) £ 127 ) Ù (-(b + 1) ³ ) P4 : l5 ® ((a + b) £ 127 ) Ù ((a + b) ³ ) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

245 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples Leader-Election algorithms Needham-Schroeder Security protocol Ricart and Agrawala's mutual exclusion algorithm Bus scheduler verification ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

246 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification Tools – 2 (S. P. Rajan) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

247 Fujitsu’s High-Level Model Checking Tool
A high-level symbolic safety property checker based on Stanford Validity Checker (SVC) decision procedures Has a state-transition input language that extends SVC expression syntax Provides code to translate XE VHDL synthesis tool's ADDs into HMC input HMC has been applied for verification of portions of Fujitsu ATM switch specified in VHDL ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

248 HMC Basics: Pre- and Back-Image
Representing sets and relations with their characteristic functions: PreImage[Q] = l s. s’. R(s,s') And Q(s') PreImage corresp. to EX Q in CTL. BackImage [Q] = l s. s’. R(s,s') => Q(s') BackImage (aka. Weakest Precondition) corresp. to AX Q in CTL. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

249 Basics: Fixpoints and Safety Properties
Z0 = Q Zi+1 = Q And BackImage [Zi] If [ k. Zk = Zk+1] then [Zk = n Z. (Q And BackImage [Z])] This fixpoint corresp. to AG Q If initial states Q0 is a subset of Zk, then Q is a safety property. Otherwise, a counterexample trace exists, starting in Q0 \ Zj, where Zj is the first Zi s.t. Q0 is not a subset of Zi ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

250 HMC: Data-Type and Expression Support
Quantifier-free first order logic with linear arithmetic and uninterpreted functions Built-in theories in SVC: uninterpretted functions under equality, linear arithmetic, stores, records, bitvectors. Approach equally applicable to other decision procedures. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

251 VeriSoft from Lucent Bell Labs
A New “Model Checking” approach. A New Approach to Communication Software Analysis What is VeriSoft? How does it work? Industrial applications. Related work and discussion. Project status and conclusions. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

252 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
What is VeriSoft? Concurrent Reactive System Analysis Each component is viewed as a ``reactive'' system, i.e., a system that continuously interacts with its environment. Precisely, we assume: finite set of processes executing aribitrary code (e.g., C, C++, Java, Tcl, ...); finite set of communication objects (e.g., message queues, semaphores, shared memory,...). ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

253 What is VeriSoft? (contd.)
Problem: Developing concurrent reactive systems is hard! (many possible interactions); Traditional testing is of limited help! (poor coverage); Scenarios leading to errors are hard to reproduce! Alternative: Systematic State­Space Exploration ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

254 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
How does VeriSoft work? VeriSoft looks simple! Why did we have to wait for so long (15 years) to have it? Existing state­space exploration tools are restricted to the analysis of models (i.e., abstract descriptions) of software systems. Each state is represented by a unique identifier. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

255 How does VeriSoft work?(contd.)
During state­space exploration, visited states are saved in memory (hash­table, BDD,...). With programming languages, states are much more complex! Computing and storing a ``unique identifier'’ for each state is unrealisitc! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

256 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
State­Less Search Idea: perform a state­less search! still terminate when state space is acyclic Equivalent to ``state­space caching'' with an empty cache: this search technique is terribly inefficient! [H85,JJ91] ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

257 An Efficient State­Less Search
[GHP92]: Redundant explorations due to state­space caching can be strongly reduced by using Sleep Sets [G90], and ``partial­order methods'' in general [G96]. VeriSoft: original algorithm combining state­less search, sleep sets [G90,GW93], conditional stubborn sets [V90,GP93,G96]. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

258 An Efficient State­Less Search(contd.)
Theorem : For finite acyclic state spaces, the above algorithm can be used for the detection of deadlocks and assertion violations without incurring the risk of any incompleteness in the verification results. Observation : When using this algorithm, most of the states are visited only once during the search. Not necessary to store them! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

259 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
VeriSoft -- Summary VeriSoft is the first tool for systematically exploring the state spaces of systems Composed of several concurrent processes executing arbitrary (e.g., C or C++) code. Originality: Framework, Search, Tool [POPL'97]. The key to make this approach tractable is to use smart state­space exploration algorithms! In practice, the search is typically incomplete. From a given initial state, VeriSoft can always guarantee a complete coverage of the state space up to some depth. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

260 Industrial Applications
Examples of Applications: (within Lucent Technologies) 4ESS Heart­Beat Monitor analysis (debugging, reverse­engineering). Wavestar 40G integration testing (testing). Automatic Protection Switching analysis (interoperability protocol testing). ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

261 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Conclusion VeriSoft (tool + approach) can find bugs in nontrivial concurrent/reactive software system. 1. Concurrent/reactive/real­time software is hard to design and test. 2. Traditional testing techniques are not adequate (poor coverage, lack of observability and controllability). 3. Systematic testing using an approach specially developed for detecting race conditions and timing issues can rather easily expose previously unknown bugs. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

262 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Case Studies ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

263 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Case Study 1 (S. P. Rajan) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

264 Motivation: Real Buggy Chip
Bug identified in a real chip design ATM Switch: 156 MHz, gates. (B. Chen, M. Yamazaki, and M. Fujita) Field test showed abnormal behavior after several seconds Data disappeared/duplicated Simulation prohibitively expensive (100 million cycles required) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

265 Motivation: State Explosion
Formal Verification to find bugs Symbolic Model Checking using SMV for control-block verification State-space explosion (large datapath) Abstraction to reduce state-space ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

266 Motivation: Abstraction Expensive
Too much abstraction revealed no bugs - 8 bit to 1 bit; Single module verification Trial-and-error method to come up with right abstraction: 8 bits to 2 bits Bug revealed: Reset incomplete! Coming up with right abstraction: Tedious ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

267 Motivation: Design Change
Changes in design require revalidation Revalidation expensive TAT too long Design cycle cost expensive ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

268 Typical ATM Switch Fabric
2 x 2 Switch 2 x 2 Switch 2 x 2 Switch 2 x 2 Switch ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

269 ATM Switch Architecture
HW_clk|SW_clk: Multiple Clocks iHW0/1 oHW0/1 S/P Cell FIFO P/S RAF0 Write Control (WC) Read Control (RC) RAF1 WAF Cell Counter (wBC) Copy Cell Flag ccf ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

270 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
ATM Switch Highlights 2 X 2 switch multiple clocks: faster external HW_clk; slower internal SW_clk 1 cell-buffer shared by 2 ports address-FIFO for supplying cell addresses addresses recycled ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

271 ATM Switch: Generic Parametric description
Modification of existing fixed parameter high-level description in VHDL Parametrized the external/internal clock ratio: synthesized designs with specific ratios by simple instantiation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

272 ATM Switch Generic Parametric Description
Parametrized the number of switch input/output ports: synthesized designs with specific number of ports by simple instantiation Parametrization of cell-buffer size also possible Reusable generic model ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

273 Complexity of Design Spec
~ 20 Communicating Processes ~1500 lines of VHDL code at high-level ~20000 lines of VHDL at gate-level after synthesis ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

274 Behavior Partitioning
Partitioning based on clock: Faster HW_clk; slower SW_clk functionality: Serial/Parallel (S/P); Write Control (WC); Read Control (RC) throuput requirement: pipeline latency Modeling: VHDL process for partition “wait until clk = 1” for control step Define interface between partitions eg: clk conversion in S/P & P/S ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

275 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Generic ATM VHDL Model entity: atm_sw is begin generic ( n: integer, -- ext/int clk ratio m: integer -- number of input/out ports ); port ( ... ); end atm_sw ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

276 SP conversion module 1: VHDL
iHW_sp1: process begin for i in 1 to n loop iHW_bword(1)(i) <= iHW_cell_word; if i = 1 then elsif i = n then iHW_cycle_counter <= iHW_cycle_counter (n downto 2) & '1'; endif; wait until (HW_clk'event and HW_clk = '1'); end loop; end process iHW_sp1; Stores the incoming word and updates cycle counter ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

277 SP Conversion Module 2: VHDL
iHW_sp2: process begin for i in 2 to n loop ... iHW_bpc(i) <= iHW_bpc(i-1); for j in 1 to n loop iHW_bword(i)(j) <= iHW_bword(i-1)(j); end loop; wait until (HW_clk'event and HW_clk='1'); end process iHW_sp2; Shifts contents of registers by one place ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

278 SP conversion module: VHDL model
to_FIFO: process begin for j in 1 to n loop iHW_word(j) <= iHW_bword(index-1)(j); header_parity_check := bit_or(iHW_bpc(j)); end loop; wait until (sw_clk'event and sw_clk='1'); end process; The proper word is fetched to the FIFO from the shift-register ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

279 Synthesis: Generic Clock Ratio
Clk Ratio Ports Nets Cells Area (bc) delay (ns) 3 4 5 6 118 Area and delay of synthesized ATM switches different clock ratios Fujitsu CS35R technology Number of ATM input ports = 2 and ouput ports = 2 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

280 Synthesis: Generic Clock Ratio
Clk Ratio Ports Nets Cells Area (bc) delay (ns) 3 4 5 6 118 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

281 Synthesis: Generic number of in/out ports
Area and Delay of Synthesized ATM Switches Varying number of input/output ports Fujitsu CS35 technology Clock ratio = 3 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

282 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Verification Overall correctness property - Input cells switched to proper output ports,- The order of input cells is maintained at the output. ATM is a complex design:-- Compositional verification technique: verify ATM modules separately and compose Verification of the generic parametric model automatically implies the verification of a family of ATM designs ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

283 Formal Verification : Bugs found
Address pointers to WAF not initialized to 0 Analysis by model checking in PVS Mistake due to hidden assumptions in synthesis Counter-example generated Combined with other verified modules ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

284 SP conversion: PVS Spec
sp_conversion_theory[n: posnat]: THEORY BEGIN IMPORTING signal,signal[n], ... register_array: TYPE = ARRAY ... iHW0_bword: [nat -> register_array] iHW0_cell_word: signal[16] forloop0(t,i,n): bool = % i indexes rows …. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

285 SP conversion: PVS Spec
…... iHW0_bword(t)(0,i) = iHW0_cell_word(t) AND IF n > 1 THEN (i = n-1 IMPLIES iHW0_cycle_counter(t+1) = iHW0_cycle_counter(t)^(n-1,1) o b1) ELSE iHW0_cycle_counter(t+1) = b1 ENDIF END sp_conversion_theory ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

286 SP Conversion: PVS Spec
loop0(t,i,m): RECURSIVE bool = IF i = n THEN TRUE ELSE iHW0_cycle_counter(t) = bvec0 AND (forloop0(t,i,n) AND loop0(t+1,i+1,n)) ENDIF MEASURE n-i sp(0,n) = to_fifo(n,n) = ... VHDL to PVS translation non-trivial ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

287 SP Conversion:Formal Verification
theorem2: THEOREM % When clk rising edges are synchronized FORALL (n:posnat):FORALL (i:nat|i<n): sp(0,n) AND to_fifo(n,n) IMPLIES iHW0_word(n)(i) = iHW0_cell_word(i) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

288 SP Conversion:Formal Verification
Finaltheorem: THEOREM % When clk rising edges need not be synchronized FORALL (n:posnat): FORALL (i:nat|i<n): sp(0,n) AND to_fifo(n,n) IMPLIES EXISTS (t:time | n <= t AND t <= 2 * n) iHW0_word(t)(i) = iHW0_cell_word(i) Proof by induction and rewriting: Secs on Sparc-20, 64 Meg RAM ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

289 Address Recycle Verification
Theorem : FORALL (t: time), (ptr: {ptr: address_type | RAF0_tptr(t) <= ptr AND ptr <= RAF0_hptr(t)}): whileloop(t) AND more(t) AND RAF0_hptr_tptr_update(t) AND RAF1_hptr_tptr_update(t) IMPLIES iHW0_write_addr(t) /= MEM(t)(ptr) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

290 Address Recycle Verification
Symbolic Model-Check proof strategy in PVS used Theorem not proved Counter-example evident from the proof script 19 Seconds cpu time on Sparc-20 / 32 Meg ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

291 Address Recycling: Bug Found
WAF_hptr and WAF_tpr not initialized to 0 Bug found easily by model checking original VHDL description in an integrated theorem proving and model checking framework Another error suspected in cell buffer update ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

292 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Conclusions Introduced formal verification early in the design cycle to remove bugs Serious bugs found in initialization related to address recycling High-level parametric validation reduces cost of formal verification: small-scale gate-level validation suffices for sign-off Drastic reduction in cost and time-to-market ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

293 Case Study 2 [Formal meets semi-formal] (T. Nakata)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

294 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Outline Target design: media instruction unit (MU) of a VLIW multimedia processor core Verification strategy: divide-and-conquer Right tool in the right place Specification language Formal verifier Semi-formal verifier Logic simulator ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

295 Divide-and-Conquer Verification
Isolate a module using formal I/F specification Verify a module by integrated verification tools I/F specification Pattern/property gen. Checker MPU DSP Module I/F Integrated verification engine Module DRAM ROM I/O GDC ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

296 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification Tools Interface specification toolkit (in-house) Language based on regular expression Pattern/property/checker generator Formal verifier (in-house) Model checker Automatic/semi-automatic design abstraction tool Semi-formal verifier 0-In Search & Checkerware Logic simulator ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

297 Verification Flow Design under verification Black-box spec. White-box
scenario I/F spec. I/F specification language Design model Input constraints Properties Scenarios Integrated verification engine ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

298 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification of MU MU Pipeline for media instruction RTL model: 14,000 lines in Verilog 2,000 registers in total Basic strategy As formal as possible* Semi-formal verification for the whole unit Formal verification for an important unit: instruction decoder * Simulation completed before this attempt ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

299 Verification of MU (1st)
41 constraints 4 properties I/F spec. HDL Test patterns augmented by 0-In Search Test pattern MU Many design errors detected, but all from input patterns that do not satisfy input constraints Result: Insufficient constraints ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

300 Verification of MU (2nd)
Pseudo models (I/F spec. lang. and HDL) Test patterns augmented by 0-In Search Test pattern I/F spec. HDL MU A known error in interlock logic and an unknown error in decoder detected Result: ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

301 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Detected Error Indicator of no hazards “e-wait” may be asserted under a certain hazard condition Length of augmented* patterns: 7 cycles * By 0-In Search 0x0 xxx 0xf clock m0_valid m1_valid i0_valid m0_rd m0_rs1 m1_rd i0_rd e_wait ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

302 Summary of MU Verification Flow
Test vectors M-Unit (HDL) Properties (I/F spec) Constraints (I/F spec) Pseudo (HDL) Converter Properties/constraints (HDL+0-In Check) 0-In compile Design database 0-In Search ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

303 Verification of Instruction Decoder
Complete verification required 200 registers Property and constraints Property: detection of unsupported instructions Constraints: valid instructions Described in I/F spec. language (460 lines) Results Two errors detected Correctness proven after revision Model checker ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

304 Decoder Verification Flow
M-Unit decoder (HDL) Properties (I/F spec) Constraints (I/F spec) Model checker Note: No abstraction/ reduction required in this example ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

305 Properties (I/F spec. lang.) Constraints (I/F spec. lang.)
Statistics Verification team: 3 people Term: 4 months Build specification: 2 months Apply semi-formal verification: 3 months Apply model checker: 2 months Sources for verification Properties (I/F spec. lang.) 118 1,818 Constraints (I/F spec. lang.) 1,518 Pseudo (HDL) 14,320 MU (HDL) Lines ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

306 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Conclusions Interface specification essential For module isolation For a single source for verification tools Formal/semi-formal verification mandatory Serious bugs may leak from simulation Earlier collaboration among designers and verification team will produce better results For extracting good constraints/properties ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

307 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Commercial Tools (Subir K. Roy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

308 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Commercial Tools Several tools available as commercial offerings. Different approaches taken. Most are based on Simulation Formal Verification Semi-Formal Verification Most support IP-verification re-use (intuitive, but can be formally related to compositional techniques). ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

309 Assume & Guarantee - Basic Idea
Global Property defined on o2 P Q i1 o2 o1 i2 Decompose Assumption Guarantee ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

310 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Smarter Simulation [Gupta, Malik & Ashar, DAC 97] Test Set Generator Behavioral simulator RTL Test Model Design Implmt (RTL Level Description) Design Spec (Behav Level Function Test Set =? Validation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

311 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
FormalCheck Model Checking based on COSPAN from Bell Labs Integrated debug environment with back references to HDL source codes Property specification (Queries) based on template approach with user guidance Two reduction technologies for large designs Supports hierarchical + IP + Re-use verification Assumptions stated as constraints on environment using same format as behaviors or properties ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

312 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
FormalCheck Target Blocks System Interface = Properties Constraints Block ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

313 FormalCheck Architecture
Gates Query Template Library Capture Formal Model Query-Specific Reduction RTL Autorestrict Probabilistic Large Model Early Model Results & Error Traces Inputs Outputs Template-Based Query Inputs Chip, Blocks, IP Models In Verilog or VHDL Results Display ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

314 Specman Elite - Verisity
Simulation & Spec-Based Verification (executable) White Box – Drive & Test Internal Signals On the Fly Test Generation Test Checking is automatic : On the Fly Supports metrics to track progress of verification effort & measure coverage of functional test plan To verify temporal behavior & protocols - Cons-tantly monitors design by sensing for triggers signaling beginning of a sequence and follow it to verify conformance to temporal/protocol rules. Supports uniform verification environment instead of an adhoc one consisting of HDL code, C code, A variety of legacy software & new point tools. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

315 Specman Elite - Verisity
New & Powerful temporal constructs to easily specify complex checkers – Less Time Consuming Supports data checks &coverage based feedback mechanism. Allows executable checkers around boundary of IP. Allows checks for arbitrarily complex, mode inde-pendent, multi-cycle scenarios that IP vendor specifies. Allows boundary checks to ensure correctness of integration process. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

316 Specman Elite - Verisity
Allows Internal Checks - Provides a handle to the IP integrator to analyze failures in IP after integration. SPEC CONSTRAINTS Protocols I/O Relationships Context Dependencies Input Definition TEST CONSTRAINTS CONSTRAINT SOLVER Next Cycle’s Stimulus HDL SIMULATION Target Areas Weights/Probabilities Corner Case Tests Structured Sequences Current Cycle’s HDL Signal & Register Values ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

317 Specman Elite - Verisity
e-language e-language Bus Functional Model e-language Monitor & Protocol Checker Coverage Collector Verilog BLOCK e-language e-language Monitor & Protocol Checker Coverage Collector Verilog BLOCK e-language e-language Monitor & Protocol Checker Coverage Collector Bus Functional Model e-language ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

318 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
ZeroIn-Search Semiformal verification based on formal techni-ques & simulation -- Sweeps formal techniques through a larger state space by extensively explo-ring around each state in a “seed’’ trace. “Seed’’ comes from functional simulation test. Two step process Embedded Checkers - written in HDL (No sepe-rate property or assertion language needed) Protocol Checkers - provides verification enviro-nment (reports errors by models stimulating IP) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

319 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
ZeroIn-Search 0_In Check Tool Instruments the Core/IP/VC with embedded chec-kers automatically based upon comments in RTL code (increases observability & detects bugs at source). 0_In provides CheckerWare Library of checkers for internal design structures & interfaces + pre-verified protocol monitors for standard buses - PCI, PCI-X, Utopia. (Formal techniques try to find new ways to fire embedded checkers.) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

320 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
ZeroIn-Search More than 50 embedded checkers Checkers for datapath elements, FSMs & other control flow elements, buses and interfaces. Approach finds bugs, not just new coverage. If a checker fires in simulation, then a bug is present. If amplification finds a new way to fire a checker, it detects a bug. Stress tests interface to design interactions. Checkers & monitors track coverage statistics & corner cases. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

321 0_inSearch Verification Flow
Verilog RTL with Directives Verilog RTL with Checkers Verilog Tests & Test Benches Checker Library Checker Generator Verilog Simulator Firing Messages in Verilog o/p Simulation Files with Checkers Captured Seed Values Information on New Firings Semiformal Amplification Tool ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

322 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
BlackTie - Verplex Based on Formal Verification Allows full system level integration verification (Multimillion gate capacity tool) Free open source assertion monitor library (Verilog) Simulation (through any Verilog simulator) & For-mal Verification (BlackTie) can operate seamlessly With BlackTie no test vectors, exhaustive coverage, automatic diagnosis. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

323 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
BlackTie - Verplex Automates checking of global & common place errors. Automatic generation of checkers for, Contention Problems. Asynchronous Clock Domain Crossings Dead-End States Conflicting values loaded to Multi-Port Registers Simultaneous Set & Reset conditions Mutual Exclusivity Checks Tri-state stuck in a particular state. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

324 Issues & Challenges & Future Research Topics
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

325 High Level Specification and Modeling (T.Nakata)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

326 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Why Specification? Specification errors/misunderstandings take 50% of SoC design man-power. Verification tools can’t handle such errors enough. Design man-power for SoCs Verif. tools Verification 70% Simple mistakes Misunderstanding Of Spec. Wrong Spec. Others Spec. design support ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

327 Issues in Specification and Verification
Idea and/or requirement Specification Design data SoC Validation Does specification match requirement? Formalization Is specification defined clearly? Wrong specification Misunderstanding of specification We need: Methodology for specification analysis Standard language with formal semantics 適当なツールがないため、アーキテクチャが何をやっているか何を考えているかが わからない。 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

328 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
UML UML is: Standard in object-oriented software design Devised and designed under the object-oriented analysis theory A set of diagrams that represent components of a system and relationships among them Modeling a system from multiple angles with use-case/class/object/state/sequence/ activity/collaboration/component/deployment ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

329 Object-Oriented Analysis
For system architect to understand “WHAT” to design not “HOW” Analysis Requirement Interview with customers Docs on existing systems Use-case Scenario Structure Behavior ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

330 UML and Object-Oriented Analysis
Use-case diagram Sequence diagram Class diagram State diagram Use-case Scenario Structure Behaviour Analysis Requirement Interview with customers Docs on existing systems Use-case Scenario Structure Behavior ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

331 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Case Study Objectives --- getting answers to: Is object-oriented analysis by UML effective? Is there a way from UML to implementation? Example: error correction with two code types Bit-wise error correction: Code A Word-wise error correction: Code B Claims before analysis Two code types are similar HW implementation cannot be shared though ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

332 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Error Correction Message Sent word Received word Encoder Channel Decoder Errors Noise Systematic code 説明のポイント: FECの基本原理の説明:図に沿って 目的を説明する。共通なアーキテクチャを探索することを強調する。 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

333 Analysis and Design Flow
Step 1 Extract concepts Step 2 Build structure Step 3 Enumerate scenarios Step 4 Identify hardware modules ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

334 Analysis and Design Flow
Step 1 Extract functions Inputs: requirement from users Flow: Find actors that cause stimulus Define use-cases from viewpoints of actors Relate use-cases and actors Output: use-case diagram Step 2 Build structure Step 3 Enumerate scenarios Step 4 Identify hardware modules ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

335 Use-Case Diagram of Error Correction
Encode B Encode A <<extend>> Encode Sender Send Receiver Receive Decode B Decode A <<extend>> Decode 説明のポイント ユースケース間の関係だと説明する。 Channel ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

336 Analysis and Design Flow
Step 1 Extract functions Step 2 Build structure Input: use-case diagram Flow: Refine use-cases Extracting concepts --- candidates of classes Define and relate classes Output: class diagram Step 3 Enumerate scenarios Step 4 Identify hardware modules ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

337 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Use-case Refinement Example: decoding code A Refine a use-case with natural language Extract important nouns Calculate syndrome from received word and received code polynomial Judge as no errors detected if syndrome is 0 Calculate coefficients of error location polynomial Calculate roots as many as degrees of error location polynomial Correct word by flipping bits designated by roots Calculate syndrome from received word and received code polynomial Judge as no errors detected if syndrome is 0 Calculate coefficients of error location polynomial Calculate roots as many as degrees of error location polynomial Correct word by flipping bits designated by roots 説明のポイント テキストから実現手順を文章化する 名詞を注目する。 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

338 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Concept Extraction Classifying classes and properties Received word Error location polynomial Coefficient Degree Root Decoded word Code word Message length Syndrome polynomial Syndrome Generator polynomial Code Parity Block code LFSR Generator matrix Error Galois field Code length Element Message length Code length Properties rather than classes 説明のポイント 全ての概念を取り出す ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

339 Relationships among Classes
Vector {Word-wise} Code word Code B {Bit-wise} Code word Code A Message word Systematic code Code A is a special case of Code B. Data structure is deduced from relationships. 説明のポイント 左の図: BCH符号とRS符号は実は同じクラスの二つ異なるロールとして取られることができる。つまり、ビット単位の時の符号語はBCHで、バイト単位の符号語がRS符号である。 右の図: 符号語、通報語、組織符号語が同じクラス「ベクトル」で表現することができる。つまり、「汎化」関係である。さらに符号語は通報語と組織符号語から構成されていることを「集約」関係で表すことができる。 3. 全てのクラスについてこのように関係を付けることによって、システムの静的な論理構造が分かる。 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

340 Received code polynomial Error location polynomial
Class Diagram Decode Coefficient Root Received word Syndrome Received code polynomial Polynomial Error location polynomial Galois field * Input 説明のポイント 簡単なクラス構成図である 入力が受信語を処理するので、受信語に「依存」関係である。 受信語から受信多項式を作るので、もちろんその間も「依存」関係である。 シンドロームが受信多項式によって計算され、ガロア体で表現される。 受信多項式や誤り多項式が多項式のサブクラスの「汎化」されたクラスである。 多項式には係数と根を二つの要素をもっている。関係も1対多である。 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

341 Analysis and Design Flow
Step 1 Extract functions Step 2 Build structure Step 3 Enumerate scenarios Inputs: use-case sentences, class diagram Flow: Describe sequence diagrams corresponding to refined use-cases Define methods and properties from sequence diagrams Outputs: sequence diagram, class diagram with methods Step 4 Identify hardware modules ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

342 Sequence Diagram for Decode
Input r1:received word :received polynomial :error location polynomial Receive Assign(r1) Generate() s1: syndrome IsZero() Calc_coef(s[]) 説明のポイント 流れを説明する。 赤になっているのは各クラスが持つべき機能である。それが最終的にクラスのメソッドとなる。 Calc_loc(coef) Correct (location, value) Calc_error(root) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

343 Complete Class Diagram
Decode Coefficient Root -Code length -Corrections +Correct(loc, val) Received word Polynomial +Assign(val) Galois field +sum() +multiply() +divide() +exp(power) +IsZero() +Order * Syndrome -Index -Value Error location polynomial +Calc_coef(syndrome) -Calc_loc(coef) Error loc. poly. for A -Calc_error(root) Error loc. poly. for B Input +Receive() Input for A Input for B Received code polynomial 説明のポイント メソッドが追加された。 継承を使ってRS符号とBCH符号の差分を表す。 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

344 Analysis and Design Flow
Step 1 Extract functions Step 2 Build structure Step 3 Enumerate scenarios Step 4 Identify hardware modules Input: class diagram Flow Correspond methods to hardware modules Define messages from relationships among modules Define interfaces from messages Outputs: class diagram, block diagram (in hardware design context) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

345 Methods to Hardware Modules
Disband classes Map each methods to modules Re-bundle modules if possible Error loc. poly. +Calc_coef(syndrome) -Calc_loc(coef) Error loc. calculator Coefficient calculator Galois adder Galois 0 checker Galois field +sum() . . . +IsZero() +Order 説明のポイント 全てクラスのメソッドをハードウェアモジュールにマッピングする。 例えば... ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

346 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Initial Block Diagram Decode Assignment module for received poly. Coefficient calculator Receiver Syndrome -Index -Value Coefficient Root Error info -Location Received word -Code length -Corrections Receiver for Code A Receiver for Code B Correction module Error calculator Location calculator 説明のポイント モジュール間が通信するデータを関係(クラス)として表す モジュールの動作が変換する前のメソッドから詳細化することができ、インタフェースが通信するメッセージから詳細化できる。 Galois adder Error calculator for Code A Error calculator for Code B Galois adder Galois adder Galois adder ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

347 From Messages to Interface
Assignment module for received polynomial +clock: input +reset: input +enable: input +received word: input +syndrome: output +received word: input +syndrome: output Received word - Code length - Corrections Syndrome - Index - Value C++ / HDL HW design 説明のポイント メッセージからインタフェースへ 自動生成も可能 まだ検討中 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

348 Block Diagram of Decoder
Correction Code A receiver Assignment Code B receiver Error location calculation for Code A Coefficient calculation Error location calculation for Code B 説明のポイント 解析した結果によって、BCH、RS符号の両方機能を持つ符号化回路のブロック図を作成した。 入力のところにBCH,RS符号に両方に対応するインタフェースを用意する。(先ほどのモジュール図の継承から) 制御信号によって、どの符号で復号化するを選択する 誤り計算モジュールも同じ。 これで論理的なアーキテクチャからハードウェアアーキテクチャにマッピング完了 Location calculation enable ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

349 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Conclusions Is object-oriented analysis by UML effective? For common understandings For validation For analyses of specification changes Is there a way from UML to HW implementation? For design optimization For verification Already proven in software designs Proven this time (partially) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

350 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Verification Issues For simulation-based verification Develop a systematic way to co-verification models Generate corner case scenarios from existing use-cases and scenarios Prioritize verification scenarios for efficient verification For formal verification Build up mathematical model Define important properties for system level designs ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

351 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Issues & Challenges (S. Chakraborty) (S. P. Rajan) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

352 Where do we stand? Based on Dill and Tesiran’99 Coverage Scale (gates)
Model checking Based on Dill and Tesiran’99 Coverage FSM-based generation Symbolic simulation Manual test w/ coverage Random simulation Scale (gates) 1 FSM 50K 250K 2M ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

353 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Research Issues Fundamental complexity hurdles in scaling formal verification methods with design sizes Approximate verification methods, semi-formal methods will be important tools in future Approximate methods: Model approximations should be driven by property being checked Available computing resources can be used to guide nature of approximation Verification should give some coverage metric on termination “Out of memory” after 48 hours not of any use! ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

354 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Research Issues Abstraction of system behavior crucial for analyzing large designs Must employ right degree of abstraction automatically or semi-automatically More research needed Different degrees of abstraction at different levels of hierarchical designs Can this be done automatically? Approximate and semi-formal methods “Test of the pudding” is on large real examples Most published examples are small A lot of ideas -- no clear winners so far An active area of research ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

355 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Research Issues With IP based designs, supplier of IP must provide hints on how to verify IP core RTL with assertion checks Hints on exercising combinations of inputs IP verification test suite with coverage metric Formal verification of IP-based SOCs will be challenging Success constrained by verifiability, controllability and observability of IP-core ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

356 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Research Issues Runtime/memory bottlenecks of existing formal verification methodologies must be addressed to scale them to larger designs Active field of ongoing research Suitable combination of techniques (random simulation, model checking, theorem-proving …) to be selected for each verification task Understanding which techniques work well under what circumstances Can this be automated? ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

357 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Research Issues Sequential verification still very limited to under 500 latches Concurrent system verification very difficult without abstraction Real-time systems verification not yet practical Formal verification at RTL and above not in the main stream ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

358 Future Research Directions
How to come up with a verification framework which involves different verification methods cooperating in a single environment? What should be the data structure? Design for Verifiability -- is it viable and practical? How do we integrate formal verification with conventional simulation and testing? How do we integrate verification tools with synthesis tools? How do we generate counter-examples for sequential, concurrent, and real-time systems verifiers? ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

359 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Summary & Conclusions (S. Chakraborty) (Subir K. Roy) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

360 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Summary Formal verification of SOCs has brought hard-core engineers and theoreticians on a common platform Model checking most successful so far Equivalence checking successful in restricted cases, catching up fast The gap between VLSI advancements and advancements in FV techinques can be filled to some extent by semi-formal methods Hard to measure “success” for such techniques? I might not have detected one out of bugs, but this might be the killer bug ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

361 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Summary SOC verification will be an important area in future Simulation and emulation still predominant techniques used in industry and justifiably so However, formal methods ARE NEEDED when applicable and when one can’t afford to miss a bug Success stories: Protocols, FSMs, specific processors, floating point arithmetic etc. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

362 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Conclusions Functional verification of SoCs critically dependent on verification re-use of Cores/IPs/VCs. Semi-Formal approach based on application of diff-erent combinations of verification technologies seem important. No single approach will suffice. Formal & executable specifications have to be used at all levels of design hierarchy. High degree of automation will be needed to over-come complexities inherent in SoCs. Exciting Area for Research. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

363 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Bibliography ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

364 VLSI/ASPDAC : Tutorial on Functional Verification of SoCs
Papers S. Owre and S. Rajan and J.M. Rushby and N. Shankar and M.K. Srivas, “PVS: Combining Specification, Proof Checking, and Model Checking”, , CAV96. C.-J. H. Seger, "An Introduction to Formal Verification", Technical Report 92-13, UBC, Department of Computer Science, Vancouver, B.C., Canada, June 1992. Aarti Gupta, "Formal Hardware Verification Methods: A Survey", Formal Methods in System Design, Vol. 1, pp , 1992. E. Clarke and J. Wing, Formal Methods: State of the Art and Future Directions, CMU Computer Science Technical Report CMU-CS , August 1996. A. U. Shankar, "An Introduction to Assertional Reasoning for Concurrent Systems", ACM Computing Surveys, Sept. 1993, Vol 25, No. 3, pp D. Dill, "What's Between Simulation and Formal Verification?", slides from a presentation by Prof. Dill, Stanford University at DAC'98. D. Dill, "Alternative Approaches to Formal Verification (Symbolic Simulation)", slides from a presentation at CAV 1999. M.C. McFarland, "Formal Verification of Sequential Hardware: A Tutorial", IEEE Trans Comput.-Aided Des. Integr. Circuits Syst, Vol 12, No 5, pp , May 1993. D. L. Dill, “The Mur Verification System”, , CAV96. T. L. Anderson, “Accelerating Bug Discovery with White-Box Verification”, Proc. Of DAC 2000. VLSI/ASPDAC : Tutorial on Functional Verification of SoCs

365 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers C. Kern and M. Greenstreet, "Formal Verification in Hardware Design: A Survey", ACM Transactions on Design Automation of E. Systems, Vol. 4, April 1999, pp H. Iwashita and T. Nakata, `` Forward Model Checking Techniques Oriented to Buggy Designs'', Proceedings of ICCAD, pp , 1997. K. Takayama, T. Satoh, T. Nakata, and F. Hirose, ``An approach to Verify a Large Scale System-on-a-chip Using Symbolic Model Checking'', Proceedings of ICCD, 1998. S. K. Roy, H. Iwashita and T. Nakata, ``Data Flow Analysis for Resource Contention and Register Leakage Properties'', Proceedings of the 13th International Conference on VLSI Design, January 2000. S. Berezin, S. Campos and E. M. Clarke, ``Compositional Reasoning in Model Checking'', Technical Report - CMU-CS , School of Computer Science, Carnegie Mellon University, February, 1998. T. Schlipf, T. Buechner, R. Fritz, M. Helms and J. Koehl,``Formal Verification Made Easy'', IBM Journal of Research and Development, Vol. 41, No. 4/5, pp , July/September 1997. D. D. Gajski, ``IP-Based Design Methodology'', Proc. of the 36th Design Automation Conference, pp. 43, New Orleans, June 1999. M. Kaufmann, A. Martin, and C. Pixley, "Design Constraints in Symbolic Model Checking", Proc. CAV-98, pp , 1998. K. L. McMillan, "Fitting formal methods into the design cycle", Proceedings of the 31st Design Automation Conference, pp , 1994. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

366 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers A. Gupta, S. Malik and P. Ashar, ”Toward Formalizing a Validation Methodology Using Simulation Coverage”, Proceedings of DAC, 1997. S. Devadas, A. Ghosh and K. Keutzer, " An Observability-Based Code Coverage Metric for Functional Simulation”, Proceedings of ICCAD, 1996. H. Chockler, O. Kupferman, and M. Y. Vardi, "Coverage Metrics for Temporal Logic Model Checking", TACAS 2001, LNCS 2031, Springer-Verlag, pp Y. Hoskote, T. Kam, P. Ho and X. Zhao, ``Coverage Estimation for Symbolic Model Checking'', Proc. of the 36th Design Automation Conference, New Orleans, June 1999. S. Katz, O. Grumberg and D. Geist, ``Have I written enough properties? - A method of comparison between specification and implementation'', Technical Report, IBM Haifa Research Laboratory, Haifa, Israel, 1999. S. Campos, E. Clarke, W. Marrero and M. Minea, ``Verifying the Performance of the PCI Local Bus using Symbolic Techniques'', Technical Report - CMU-CS , School of Computer Science, Carnegie Mellon University, June, 1996. S. Chakraborty, D. L. Dill and K. Y. Yun, "Min-max Timing Analysis and an Application to Asynchronous Circuits", Proc. of the IEEE, Vol. 87, No. 2, pp , Feb 1999. R. Hersemeule, B. Clement, E. Lantreibecq, P. Coulomb, B. Ramanadin, and F. Pogodalla, ”Fast Prototyping : A System Design Flow applied to a complex System-On-Chip Multiprocessor Design", DAC 1999. A. J. Hu, “Formal Hardware Verification with BDDs : An Introduction”, ACM Transactions on Programming Languages and Systems, 1997. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

367 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers K. L. McMillan, "A compositional rule for hardware design refinement", Computer Aided Verification (CAV97), O. Grumberg (Ed.), Haifa, Israel, pp , 1997. T.A.Henzinger, S. Qadeer, and S.K.Rajamani, "You assume, We guarantee : Methodology and Case Studies" CAV98: Computer Aided Verification, Lecture Notes in Computer Science, Springer-Verlag, pp , 1998. M. C. Browne, E. M. Clarke and D. L. Dill and B. Mishra, ``Automatic Verification of Sequential Circuits using Temporal Logic'', IEEE Transactions on Computers, Vol. C-35, No. 12, pp , Dec E. M. Clarke, E. A. Emerson and A. P. Sistla, ``Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications'', ACM Trans. on Programming Language and Systems, Vol.8, No.2, pp , April 1986. G. Mosensoson, “Practical Approaches to SoC Verification”, DATE 2000. J. L. Nielsen, H. R. Andersen, G. Behrmann, H. Hulgaard, K. Kristoffersen and K. G. Larsen, “Verification of Large State/Event Systems using Compositionality and Dependency Analysis”, Proceedings of TACAS 1998, LNCS 1384, April 1998. S. Bose and A. Fisher, “Verifying Pipelined hardware using symbolic logic simulation”, ICCD 1989. D. Geist, G. Biran, T. Arons, M. Slavkin, Y. Nustov, M. Farkas, and K. Holtz, “A Methodology for the verification of a System on Chip”, Proc. Of DAC 1999, pp A. Evans, A. Silburt, G. Vrckovnik, T. Brown, M. Dufresne, G. Hall, T. Ho and Y. Liu, “Functional Verification of Large ASICs”, Proc. Of DAC, 1998. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

368 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers S. Taylor, M. Quinn, D. Brown, N. Dohm, S. Hildebrandt, J. Higgins and C. Ramey, “Functional Verification of a Multiple-issue, Out-of-Order, Superscalar Alpha Processor – the DEC Alpha Microprocessor”, Proc. Of DAC, 1998. S. Ramesh and P. Bhaduri, “Validation of Pipelined Processor Designs using Esterel Tools: A Case Study”, Proc. of CAV '99, LNCS Vol. 1633, 1999. J. R. Burch, E. M. Clarke, D. Long, K. L. McMillan, D. L. Dill, “Symbolic Model Checking for Sequential Circuit Verification”, IEEE Trans. Computer Aided Design, 13, 1994, E. M. Clarke, R. P. Kurshan, “Computer Aided Verification”, IEEE Spectrum, June 1996, D. Cyrluk, S. Rajan, N. Shankar and M. K. Srivas, “Effective Theorem Proving for Hardware Verification”, pp , TPCD94. S. J. Garland and J. V. Guttag, “An Overview of LP: the Larch Prover”, Proceedings of the Third International Conference on Rewriting Techniques and Applications, 1989, Springer-Verlag. J. Staunstrup and M. Greenstreet, “Synchronized Transitions”, Formal Methods for VLSI Design, 1990, IFIP, North-Holland. R. Vemuri, “How to Prove the Completeness of a Set of Register Level Design Transformations”, Proceedings of the 27th ACM/IEEE Design Automation Conference, 1990, 207—212. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

369 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers Jeffrey J. Joyce and Carl-Johan H. Seger, “Linking Bdd Based Symbolic Evaluation to Interactive Theorem Proving”, Proceedings of the 30th Design Automation Conference, 1993. S. P. Rajan, N. Shankar and M. Srivas, “An Integration of Model-Checking with Automated Proof Checking”, 7th Conference on Computer-Aided Verification, July, 1995. R. E. Bryant, “Graph Based Algorithms for Boolean Function Manipulation”, IEEE Transactions on Computers, Vol. C-35-8, pp , August 1986 R. E. Bryant, “On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Application to Integer Multiplication”, IEEE Transactions on Computers, Vol. 40, No. 2, pp, , February 1991 B. Bollig and I. Wegener, “Improving the variable ordering for OBDDs is NP-complete”, IEEE Transactions on Computers, Vol. 45, No. 9, pp , September 1996 M. Fujita, H. Fujitsawa and Y. Matsunaga, “Variable Ordering Algorithms for Ordered Binary Decision Diagrams and their Evaluation”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 12, No. 1, pp , January 1993 R. Rudell, “Dynamic Variable Ordering for Ordered Binary Decision Diagrams”, Proceedings of ICCAD 1993, pp ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

370 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers J. Jain, W. Adams and M .Fujita, “Sampling Schemes for Computing OBDD Variable Orderings”, Proceedings of ICCAD 1998, pp J. Jain, R. Mukherjee and M. Fujita, “Advanced Verification Technique Based on Learning”, Proceedings of DAC 1995, pp Y. Matsunaga, “An Efficient Equivalence Checker for Combinational Circuits”, Proceedings of DAC 1996, pp A. Kuehlmann and F. Krohm, “Equivalence Checking using Cuts and Heaps”, Proceedings of DAC 1997, pp C. H. Yang and D. L. Dill, “Validation with Guided Search of the State Space”, Proceedings of DAC 1998 R. E. Bryant, “Symbolic Simulation -- Techniques and Applications”, Proceedings of DAC 1990 A. Jain, “Formal Hardware Verification by Symbolic Trajectory Evaluation”, Ph.D. Thesis, Dept. of Electrical and Computer Engineering, Carnegie Mellon University, August 1997 C.-J.H. Seger and R.E. Bryant, “Formal Verification by Symbolic Evaluation of Partially Ordered Trajectories”, Formal Methods in System Design, Vol. 6, No. 2, pp , 1995 R. E. Bryant, D. L. Beatty and C.-J.H. Seger, “Formal Hardware Verification by Symbolic Trajectory Evaluation”, Proceedings of DAC 1991 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

371 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers D. Greve, “Symbolic Simulation of the JEM1 Microprocessor”, Proceedings of FMCAD 1998, pp D.L. Dill and S. Tesiran, “Simulation meets Formal Verification”, Embedded Tutorial at ICCAD 1999 R.B. Jones, M.D. Aagard and C.-J.H. Seger, “Formal Verification using Parametric Representations of Boolean Constraints”, Proceedings of DAC 1999, pp R.B. Jones, “Applications of Symbolic Simulation to the Formal Verification of Microprocessors”, Ph.D. Thesis, Computer Systems Laboratory, Stanford University, August 1999 J.U. Skakkebaek, R.B. Jones and D.L. Dill, “Formal Verification of Out-of-Order Execution using Incremental Flushing”, Proceedings of CAV 1998, pp R.B. Jones, C.-J.H. Seger and D.L. Dill, “Self Consistency Checking”, Proceedings of FMCAD 1996, pp M.D. Aagard, R.B. Jones and C.-J.H. Seger, “Combining Theorem Proving and Trajectory Evaluation in an Industrial Environment”, Proceedings of DAC 1998, pp C.W. Barrett, D.L. Dill and J.R. Levitt, “A Decision Procedure for Bit-Vector Arithmetic”, Proceedings of DAC 1998 J.R. Burch and D.L. Dill, “Automatic Verification of Pipelined Microprocessor Control”, Proceedings of CAV 1994 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

372 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Papers M.N. Velev, “Automatic Abstraction of Memories in the Formal Verification of Superscalar Microprocessors”, Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS) 2001, pp M.N. Velev, “Formal Verification of VLIW Microprocessors with Speculative Execution”, Proceedings of CAV 2000, pp M. Pandey, “Formal Verification of Memory Arrays”, Ph.D. Thesis, School of Computer Science, Carnegie Mellon University, May 1997 J.X. Su, D.L. Dill and C.W. Barrett, “Automatic Generation of Invariants in Processor Verification”, Proceedings of FMCAD 1996 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

373 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Books K. L. McMillan, ``Symbolic Model Checking'', Kluwer Academic Publishers, 1993. Z. Manna and A. Pnueli, Temporal Specification and Verification of Reactive Systems Vol. I and II, Springer 1995. Ching-Tsun Chou, "The Mathematical Foundation of Symbolic Trajectory Evaluation", Springer-Verlag 1999. Thomas Kropf: "Introduction to Formal Hardware Verification", (Springer Verlag; ISBN: , 299 pages, January 2000) E. M. Clarke, O. Grumberg and D. Peled, "Model Checking", (MIT Press; ISBN: ; 330 pages; January 2000) L. Bening and H. Foster, “Principles of Verifiable RTL Design: Functional Coding Style Supporting Verification Processes in Verilog”, published by Kluwer Academic Publishers, 2000. M. Yoeli, "Formal Verification of Hardware Design", IEEE Computer Society Press, (Book containing a collection of papers) R. P. Kurshan, “Computer Aided Verification of Coordinating Processes”, Princeton University Press, 1994. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

374 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Books G. J. Holzmann, “Design and Validation of Computer Protocols”, Prentice Hall, 1991. M. P. Fourman, “Formal System Design”, Formal Methods for VLSI Design, IFIP, 1990, North-Holland. C. Meinel and T. Theobald, “Algorithms and Data Structures in VLSI Design”, Springer-Verlag, 1998. M. Kaufmann, P. Manolios, and J S. Moore, "Computer-Aided Reasoning: An Approach", (Kluwer Academic Publishers, June 2000; ISBN ) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

375 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Important web-sites: vis (Universal Modelling Language HOME-PAGE) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

376 Conference Proceedings
Computer Aided Verification (CAV) Formal Methods in Computer Aided Design (FMCAD) International Conference on Computer-Aided Design (ICCAD) International Conference on Computer Design (ICCD) Design Automation Conference (DAC) Asia South Pacific Design Automation Conference (ASPDAC) International Conference on VLSI Design (VLSI) Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

377 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Journals/Magazines IEEE Design and Test of Computers IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems IEEE Transactions on Computers IEEE Transactions on VLSI Systems ACM Transactions on Design Automation of ELectronic Systems Formal Methods in System Design Formal Aspects of Computing ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

378 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Appendix ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

379 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Modeling (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

380 Non-determinism (another example)
3- floor elevator controller, Si - in floor i ri - request from floor i This machine is also nondeterministic In S2 state when r1 and r3 arrive. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

381 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Formal Specification (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

382 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Linear Temporal Logic Syntax Atomic propositions are formulae If f, g are formulae then so are ¬f, f Ù g, f Ú g, f ® g, f « g □ f - Henceforth f ◊ f - Eventually f f U g - f until g f W g - f unless g Of - next f state formulae - no temporal operators ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

383 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Semantics Formulae interpreted over infinite sequences of states States evaluate state formulae Let s = q0, q1 , … be a sequence Each qi assigns truth values to atomic propositions Semantic definition defines when a formula satisfies a sequence ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

384 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Semantic Definition Notation: s ╞ A stands for A holds in s. s ╞ A iff (s ,0) ╞ A (s , j) ╞ A - defined inductively Base case: (s , j) ╞ f for any state formula f iff f holds in the state s [j] ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

385 Semantics of Temporal Operators
□(s , j) ╞ □f iff "k³ j, (s, k) ╞ f ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

386 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Semantics Contd. (s , j) ╞ ◊f iff $k ³ , ( s ,k) ╞ f ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

387 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Semantics Contd. (s , j) ╞ f U g iff $k ³ j : (s, k)╞ g and "i s.t. j £ i < k, (s , i)╞ f ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

388 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Semantics Contd. (s , j) ╞ f W g iff (s , j) ╞ f U g or (s , j) ╞ □ f (s , j) ╞ Ο f iff (s , j + 1) ╞ f ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

389 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples p ® □q If p holds in the beginning then q holds always □(p ® □q) Whenever p holds there is a future instant in which q holds □ ◊ p p holds infinitely often ◊ □ p p holds at all but finitely many positions ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

390 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples - Properties □¬(farm_go Ù high_go) □ (farm_car ® ◊ farm_go) □ (mem_rd ® ◊ mem_ack) □ (mem_rd ® mem_rd W mem_ack) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

391 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
w- Automata An alternate formalism for specifying infinite objects Extension of Finite Automata to specify properties about infinite runs The simplest kind is Büchi automaton: < Q, S, ®, q0 , A > Q - finite no. of states S - Edge labels q0 - initial state ® Í Q x S x Q A Í Q, Accepting (not final) states ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

392 Behavior of w- Automata
starts from the initial state, `runs forever' accepts infinite sequences over label alphabet s = l0, l1, l2, is accepted by the automaton, provided there exists q0, q1,… s.t. (qi, li, qi+1) Є ® for i = 0, 1, … there is an accepting state that occurs infinitely often in s. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

393 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples All sequences containing only 1. An infinite set of infinite sequences! But finite description ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

394 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples contd. All sequences that has at least one occurrence of 1 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

395 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples contd. Sequences containing all but finitely many occurrences of 1s ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

396 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Examples contd. All sequences containing infinitely many 1s ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

397 Features of w- automata
useful for specifying properties and constraints precise and unambiguous consistency can be checked (Emptiness of automata) has many properties useful for verification: w - languages closed under union, intersection and complementation ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

398 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Model Checking (S. Ramesh) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

399 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
LTL Model Checking (Pnueli, Lichtenstein, Vardi, Wolper) M╞ F Read: M `contains' only models of F M a finite state system or an w-automaton F a linear TL formula M defines a set of infinite state sequences LM and F another set of sequences LF . Checking M╞ F amounts to checking LM Í LF Hence referred to as language containment problem ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

400 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Illustration Which of the following hold for all the sequences generated by the above ◊p, ◊¬q, □p, □ (p Ú q) ◊(p Ú q), ◊ (p Ù q), □◊(p Ú q), ◊ □p, (p ® ◊q). ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

401 LTL Verification Method
Two related Methods: Tableau – based Automata – based ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

402 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Automata based Method Obtain an w-automaton for the negation of the formula Take the product of system model and w- Automaton Check whether the resulting automaton accepts any string at all (Emptiness Check). Existence of an accepting cycle in the product graph If no cycle then original property holds. A cycle gives a counterexample - an execution trace that violates the formula; useful for debugging ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

403 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example 1. To check whether this is a model for □ P, construct first a w- Automata for ◊¬p ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

404 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example contd. Construct the product of the two automata: No reachable accepting cycle It is a model of □ p. ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

405 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Another Example Check whether the following automaton satisfies □ ◊¬p w- Automata for : ¬( ◊ □ ¬p) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

406 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Product Automata There is a cycle and hence the automaton is not a model If state 4 is the only accepting state then the formula holds ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

407 Complexity of LTL model-checking
Linear on model size and exp. on formula size Formulae are generally small! Model size exponential on block size (no. of storage elements). State Explosion Problem Various Reduction Techniques: Nested depth first search for cycles On the fly checking Partial order reduction Clever hashing techniques OBDD based Symbolic techniques Compositional Verification ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

408 Binary Decision Diagrams (S. Chakraborty)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

409 Neat Tricks in BDD Packages
Shared BDDs (SBDDs) Multiple functions represented simultaneously as a multi-rooted DAG. Each root and descendants form an ROBDD Different roots can share subgraphs Representing functions using ITE operator if-then-else (x, y, z) = x.y + x’z Natural implementation using BDDs Can express any binary Boolean operation : NAND(x, y) = ITE(x, y’, 0); NOT(x) = ITE(x, 0, 1) Efficient algorithm for computing ITE with BDDs exists ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

410 Neat Tricks in BDD Packages
f = x1.x2 + x3’ Complement edges If a vertex is reached by a complement edge, take the complement of the function represented by the vertex Simplifies complementation Saves duplication of computation Hash Tables and Caches Facilitates identifying ROBDD node for an already computed function Avoids computation duplication x1 x2 x3 1 f = (x1.x2’x3’ + x1’x3)’ x1 x2 x3 1 ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

411 Academic & Research Lab Verification Tools (S. Ramesh)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

412 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Spin Home page: Bell Labs. (G. Holzmann) Verification of asynchronous protocol descriptions Modeling Language: PROMELA Specification Language: LTL Verification Approach: Automata Containment (Explicit Model Checking) Symbolic verification (recent addition) Promela (Protocol Modeling Language) Concurrent and nondeterministic processes Process communication: messages via buffered and non buffered channels ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

413 An Example Promela Program
chan in = [size] of {short} chan out1 = [16] of {short} chan out2 = [16] of {short} proctype split() {short x do :: in?x ® if :: (x>=100) ® out1!x :: (x<=100) ® out2!x fi od } ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

414 An Example Promela Program
proctype merge() { short y do :: if :: out1?y :: out2?y fi; out!y od } init {run split(); run merge() } ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

415 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Spin Features Random Simulation Deadlock detection and Formal verification A clever implementation of on-the- fly model checking algorithm A number of powerful reduction techniques: Supertrace algorithm: bit state hashing Partial order reduction Symbolic techniques Many telecommunication protocols have been verified ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

416 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
More on FormalCheck Home page: Commercial model-checking tool (Cadence) Originated from COSPAN (Bell Labs.) Modeling languages: synthesizable subsets of Verilog and VHDL Specification Language: FQL – FormalCheck Query language (A variant of LTL, Syntax same as HDL) Verification Approach: Automata Containment Powerful compositional reduction strategies Clever representation for specifications ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

417 Example Specifications
after { Req == 1 } eventually { Ack == 1 } after { Timer.Start == 1 } always { Timer.counting == 1 } unless { Timer.Restart == 1 } After timer starts, counting is on unless it is restarted ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

418 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
Example contd. never { TAP.State == TRST } within -delay 0 -duration 6 { Clock.rising } States that it is not possible to reach the TRST state in 5 steps. after { Counter.bit[0] == 1 } eventually { Counter.bit[0] == 0 } within -delay 0 -duration 2 {Clock.rising } ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

419 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
FQL Formulae after( ) always/never( ) [unless[ after]( )] [within(m,n)] always/never( ) [unless[ after]( )] after( ) eventually( ) [unless( )] [within(m,n)] eventually( ) [unless( )] after( ) eventually always( ) [unless( )] [within(m,n)] eventually always( ) [unless( )] if repeatedly( ) eventually always( ) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

420 Appendix High Level Specification and Modeling (T. Nakata)
ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

421 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
UML : Use-Case Diagram Define system functions from users’ view Use-case Actor Vending machine Buy a juice Customer Refill products Gather changes Supplier Services ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

422 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
UML : Sequence Diagram Describe a scenario --- an instance of a use-case Specify interactions among objects in order of time Scenario: buy juice :Panel :Container :Emitter Inject a coin Send Choose juice Equal to price Emit a can of juice ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

423 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
UML : Class Diagram Describe static aspects of a system by relationships among classes A class represents a “concept” in a system Employee PC Name: string ID: integer CPU: string uses 0..1 1..* ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"

424 ASPDAC / VLSI 2002 - Tutorial on "Functional Verification of SoCs"
UML : State Diagram Describe states and their transitions of objects Almost the same as hierarchical FSMs Ground floor Up(fl) Ascend to floor fl Arrived Up(fl) Descend to floor fl Arrived Stop timer=0 inc timer Down(fl) [timer=time_out]/Down(0) ASPDAC / VLSI Tutorial on "Functional Verification of SoCs"


Download ppt "ASPDAC/VLSI 2002 Tutorial Functional Verification of System on Chip - Practices, Issues and Challenges ASPDAC / VLSI 2002 - Tutorial on "Functional Verification."

Similar presentations