Slide 4: Complexity in FPV

Complexity shows up in several ways:
- FPV never terminates
- FPV runs out of memory
- Bounded proof, but only to a bad (too shallow) bound

Much more likely than in FEV:
- Sequential analysis is more complicated
- Abstract properties may be hard to prove
- Some subset of the desired proofs is likely to be hard
Slide 5: Initial Things To Look At

Is the proof bound less than expected?
- Add cover points to try to justify the bound
- Maybe it's OK after all!

Are better engines available?
- Most FPV tools have multiple engines
- Engines are tuned for design characteristics:
  - Datapath or control?
  - Arithmetic logic?
  - Liveness assertions?
Slide 6: Run At Lower Hierarchy?

- Maybe tried to swallow too much logic
- Tradeoff: may need more assumptions
- Need to examine ROI at the lower level
- Remember this example?

(Figure: block diagram showing MSB, MPE0, MRA0, MPE1, MRA1)
Slide 7: Case Splitting

Do large parts of the logic operate separately?
- Modes: PCIE 4x/8x/16x
- Opcodes: ADD, MULT, …

Set the control bits to constants, verify one case at a time.
- Same technique used in FEV
- Often more important for FPV than FEV
  - FPV doesn't stop at flops the way FEV does, so interactions between cases are more likely
  - Without case splitting, FPV is effectively verifying multiple sub-machines at once
  - Potential exponential blowup
Slides 8-9: Property Simplification

Is a property overly complex?
- Maybe it can be replaced with 2+ simple ones
- Might be easier for FPV tools
- Maybe one of the simplified asserts is provable
- Or one easily reveals a bug!

Examples (original, then the equivalent split):
- A |-> B && C  becomes  (A |-> B), (A |-> C)
- A ##1 B |-> C ##1 D  becomes  (A ##1 B |-> C), (A ##1 B |=> D)

(|=> is the non-overlapping implication, so D is checked one cycle after C, exactly as C ##1 D required.)
Slide 11: Design Abstraction

Think about ways to simplify the design:
- Are there repeated, identical blocks?
- Do the sizes of data structures & buses matter?
- Are complex pieces of logic really used?

Simplify the model for FPV:
- Keep RTL parameterized to enable this
- Avoid hard-coded 'mybus[31:0]', etc.
- Can some structures be ignored?
- Be careful: potentially losing some coverage
- May benefit from using free variables
Slide 12: Basic Abstraction

Look for large/repeated elements:
- Queues, arrays, buses
- Can the size be reduced for FPV?
  - Smaller queue, buses, etc.
  - Does full size really matter, or is the logic repeated?
- No need to re-verify repeated logic
  - Many instances of an identical module?
  - Blackbox all but one for FPV
Slides 13-14: Ignoring Extra Logic

Recall the memory controller from Lecture 10:
- Read After Write (RAW) hazard computation
- Examined a 64-bit address bus
- Assertions weren't testing the RAW computation
  - They were testing the controller's reaction to it
  - Didn't matter if the computation was accurate
- Cut & replace the RAW bit with a free input
- Risks…?

(Figure: a "Compute RAW" block feeds a "RAW bit" into "Controller with assertions"; in the second version the RAW bit is replaced by a "Free Bit")
Slide 15: General Free Variables

- Cutting logic introduces a free variable
  - FPV assumes any value at any time
  - May need related assumptions
- Free vars can make an assertion general
  - Helpful for some FPV engines
  - Replace <n> assertions with one assertion that covers all cases
  - Warning: may reduce simulation coverage
    - A simulator just checks one sample value
Slides 16-17: Free Variable Example

Original form: the assertion lives inside the ring element, so FPV carries one copy of it per instance (CONTROL_RING copies).

```systemverilog
parameter CONTROL_RING = 357;
genvar i;
generate for (i = 0; i < CONTROL_RING; i++) begin : ring
  ring_elt r1(clk, ff[i], ff[i+1], stuff);
end endgenerate

// Original assert, no free variable: inside the element module,
// so there is one copy per instance
module ring_elt(clk, cur_ff, nxt_ff, stuff);
  …
  a1: assert property (p1(clk, cur_ff, nxt_ff, stuff));
endmodule
```

With a free variable: test_bit is added as a top-level input, so FPV may pick any element, and a single assertion covers all CONTROL_RING cases.

```systemverilog
parameter CONTROL_RING = 357;
genvar i;
generate for (i = 0; i < CONTROL_RING; i++) begin : ring
  ring_elt r1(clk, ff[i], ff[i+1], stuff);
end endgenerate

// int test_bit added as a top-level input
input int test_bit;
// Hold it constant through the proof, and keep it in range so that
// ff[test_bit+1] indexes the same elements the generate loop wired up
assm_stable: assume property (@(posedge clk) ##1 $stable(test_bit));
assm_range:  assume property (@(posedge clk) test_bit >= 0 && test_bit < CONTROL_RING);
a1: assert property (p1(clk, ff[test_bit], ff[test_bit+1], stuff));
```
Slide 19: FPV Analysis Frontier

- FPV doesn't examine all of the logic at first
  - True of most engines
  - Helps reduce complexity issues
- Look from the property back to a 'frontier'
  - If you can prove with a subset of the logic, good!
  - If false on the subset, maybe need more logic
    - Generate a partial CEX
- Many asserts are provable with partial logic
  - But a partial CEX means more work is needed
Slide 25: Consequences Of Frontier

- Tools begin by examining partial logic
- Opportunity for the user: provide hints
  - Directed pruning of logic that is not needed
  - Include logic known to be important
- Pruning is key to complex FPV
  - Designer often knows best
  - Makes FPV possible on blocks way too large for an automated run
- Be careful: CEXs are suspicious
  - Unless all constraints on the pruned nodes are known
  - A pruned node can take values the real logic never produces: a proof on the pruned design still holds on the full one, but a CEX may be spurious
Slide 26: Pruning Directive: Free

- Free an internal node
  - Treat it as a primary input; it can get any value
- Simplest pruning directive
- Very precise: aimed at a single node
- 'Free' is called 'stop_at' in Jasper
Slide 27: 'Free' Example

(Figure: small netlist with inputs i1-i4, internal node n1, and outputs o1-o4)

    free n1
    // Now P1: assert property (o1 |-> !o2); is provable
Slide 28: Pruning Directive: Blackbox

- Blackboxing already seen in FEV
  - Same basic concept: ignore a submodule
  - Blackbox inputs become primary outputs
  - Blackbox outputs become free inputs
- Same constraint problem as in FEV
  - Really worse: no automatic cut at state elements as in FEV
  - So expect to see more of the preceding logic
Slide 29: Blackbox Example

(Figure: same netlist, with n1 produced inside a submodule "Submod")

    blackbox submod;
    // Can we prove P2: assert property (!o2 |-> o3); now?
Slide 30: 'Include': Mitigating Blackbox

- Blackbox is a powerful directive
  - Ignores all logic in the module
- Can we un-blackbox just what we need?
  - Some subset of the logic may be relevant
  - But still ignore most of the submodule
- Solution: the 'Include' directive
  - Include the fan-in cone of a designated blackbox output
  - Reverses blackboxing for that cone
  - Not directly in JasperGold (JG), but doable through a script
Slide 31: Blackbox With Include

(Figure: same netlist, with n1 produced inside "Submod")

    blackbox submod;
    include n1;
    // Can we prove P2: assert property (!o2 |-> o3); now?
Slide 32: Advanced Pruning Directives

- Level <n>
  - Include only <n> levels of logic preceding each node in the property
  - Can override with include
- Siglevel <sig> <n>
  - Include <n> levels of logic preceding the designated signal
- These are shortcuts
  - Could replicate with lots of frees
  - Again, not directly in JG, but doable with scripts
Slide 33: Manual Pruning: The Negative Method

- Start by trying to run full-module FPV
  - Maybe there is no complexity, then no problem
- Next try simple solutions
  - Engines, hierarchy change, case splitting
- Then examine for pruning opportunities
  - A good FPV tool may give a partial-frontier CEX
  - See what parts look relevant, vs. what looks prunable
Slide 34: Manual Pruning: The Positive Method

- Start with low-level pruning
  - Eliminates most of the logic
  - Get a CEX based on inputs to the frontier
- Then gradually include the missing logic
  - Look at the CEX, figure out what's suspicious
  - Include logic (through include/siglevel) to rule out suspicious cases
- JG "design tunneling" aids this in the GUI
  - Most tools require you to do it manually
Slide 35: Manual Pruning Example

(Figure: same netlist: inputs i1-i4, internal node n1, outputs o1-o4)

    level 1;
    // Try to prove P2: assert property (!o2 |-> o3);
    // Get CEX: o2=0, n1=1, o3=0
    // Looks suspicious: can n1 really be 1 while o2 is 0?
Slide 36: Manual Pruning Step 2

(Figure: same netlist)

    level 1;
    include n1;
    // Now we can prove P2: assert property (!o2 |-> o3);
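To make the pruning story in slides 15, 25-27, 29-31 and 35-36 concrete, here is an added example that is not from the lecture and not the behaviour of JasperGold or any other FPV tool: a few dozen lines of Python that stand in for a formal engine on a toy combinational netlist. The netlist (i1-i4, n1, o1-o4 and the functions joining them) is constructed for this example, because the figure on the slides did not survive extraction; it is chosen so that the slides' results come out the same way. `free`, `level_prune` and `include` play the role of the free/stop_at, level and include directives; `is_real` replays a CEX on the unpruned design, which is the check the "CEXs are suspicious" warning asks for. In this toy the hypothetical submodule has a single output n1, so "blackbox submod" and "free n1" cut the same node.

```python
from itertools import product

# Constructed toy netlist (not the lecture's figure). i1..i4 are primary
# inputs; n1 is the only output of a hypothetical 'submod'; o1..o4 are the
# outputs the properties refer to. Each node maps to (fan-in names, function).
NETLIST = {
    "n1": (("i3", "i4"), lambda i3, i4: i3 and i4),        # submod output
    "o1": (("n1", "i1"), lambda n1, i1: n1 and i1),
    "o2": (("n1", "i2"), lambda n1, i2: (not n1) and i2),
    "o3": (("i3", "i2"), lambda i3, i2: i3 or (not i2)),
    "o4": (("i4",),      lambda i4: not i4),
}
INPUTS = ("i1", "i2", "i3", "i4")
SUBMOD_OUTPUTS = {"n1"}   # 'blackbox submod' frees exactly these nodes


def P1(v):            # o1 |-> !o2
    return (not v["o1"]) or (not v["o2"])


def P2(v):            # !o2 |-> o3
    return v["o2"] or v["o3"]


def evaluate(assign, free=frozenset()):
    """Evaluate every node. Nodes in `free` are cut: they take the value
    supplied in `assign` (like a primary input) instead of their function."""
    vals = dict(assign)
    pending = {n: d for n, d in NETLIST.items() if n not in free}
    while pending:
        for name, (fanin, fn) in list(pending.items()):
            if all(f in vals for f in fanin):
                vals[name] = fn(*(vals[f] for f in fanin))
                del pending[name]
    return vals


def check(prop, free=frozenset(), assumes=()):
    """Exhaustively check `prop` on the pruned design. Returns None when the
    property is proven, otherwise the first counterexample: every input and
    node value, so the CEX can be read like a waveform."""
    free = frozenset(free)
    unknowns = list(INPUTS) + sorted(free)       # freed nodes become inputs
    for bits in product((False, True), repeat=len(unknowns)):
        vals = evaluate(dict(zip(unknowns, bits)), free)
        if not all(a(vals) for a in assumes):
            continue                              # ruled out by an assumption
        if not prop(vals):
            return vals
    return None


def is_real(prop, cex):
    """Replay the CEX's primary inputs on the full design. A CEX found after
    pruning is spurious if the freed node took a value the real logic cannot
    produce under those inputs (the constraint on the pruned node was lost)."""
    return not prop(evaluate({i: cex[i] for i in INPUTS}))


def fanin_cone(node):
    """Internal nodes in the fan-in cone of `node`, including `node` itself."""
    cone, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n in NETLIST and n not in cone:
            cone.add(n)
            stack.extend(NETLIST[n][0])
    return cone


def level_prune(signals, n):
    """'level <n>': keep n levels of logic behind each property signal and
    free every internal node beyond that frontier."""
    keep, frontier = set(), set(signals)
    for _ in range(n):
        keep |= {s for s in frontier if s in NETLIST}
        frontier = {f for s in frontier if s in NETLIST for f in NETLIST[s][0]}
    return {node for node in NETLIST if node not in keep}


def include(free, node):
    """'include <node>': restore the fan-in cone of `node`."""
    return set(free) - fanin_cone(node)


if __name__ == "__main__":
    print("P1 with 'free n1':", check(P1, free={"n1"}))           # None = proven
    cex = check(P2, free=SUBMOD_OUTPUTS)                            # blackbox submod
    print("P2 with submod blackboxed:", {k: int(v) for k, v in cex.items()})
    print("  CEX real on full design?", is_real(P2, cex))         # spurious
    print("P2 with assumption n1 -> i3:",
          check(P2, free={"n1"}, assumes=[lambda v: (not v["n1"]) or v["i3"]]))
    lvl = level_prune(("o2", "o3"), 1)
    print("P2 with level 1 (freed", sorted(lvl), "): CEX?", check(P2, free=lvl) is not None)
    print("P2 with level 1 + include n1:", check(P2, free=include(lvl, "n1")))
```

Running it reproduces the slides: P1 is provable with n1 freed, because nothing between n1 and o1/o2 can violate it; P2 under "blackbox submod" or "level 1" yields the CEX o2=0, n1=1, o3=0, which `is_real` shows cannot happen in the full design (n1=1 forces i3=1, which forces o3=1); adding the lost constraint as an assumption, or pulling n1's cone back in with include, makes P2 provable again. The asymmetry is the point of slide 25: freeing only adds behaviours, so a proof on the pruned design carries over to the full design, while a CEX must be replayed before anyone treats it as a bug.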