Formal Verification of Partial Good Self-Test Fencing Structures
Rick Seigler, Gary Van Huben, Hari Mony
Rick Seigler et al. 12/5/2018

Outline
- Overview of Partial LBIST Fencing
- Traditional Approach to Partial LBIST Fencing Verification
- Verification Model Overview
- Methodology Flow
- Verification Results
- Tuning Considerations
- Summary and Conclusions
Overview of Partial LBIST Fencing
Multi-core chip with common logic.

[Figure: Core 1, Core 2, Core 3 ... Core N sharing Common Logic, shown as the Design Under Test (DUT). Each core's Partial Good Interface passes through a Partial Good Fence before reaching the sequential logic that feeds the MISR. Legend: a red latch represents a non-partial-good interface or common logic.]
Traditional Approach to Partial LBIST Fencing Verification
Logic simulation: exercise the LBIST procedure to obtain and verify the LBIST signature.
Major limitation: simulating the LBIST procedure is inherently complex.
- Requires proper initialization
- Requires complex driver sequencing
- Even more complex with multiple clock domains
- Time consuming to get running
- Best-case verification run times are typically measured in days and increase proportionally with chain length
- Cannot prove correctness, because simulation cannot cover all possible state transitions
Verification Model Overview
Formal verification model using SixthSense sequential equivalence checking.

[Figure: two copies of the DUT feeding an equivalence check on their MISR outputs. Model 1: a driver and sequential logic drive Partial Good Interface Signal 1 ... Signal N (labelled inactive state / non-deterministic) and Partial Good Fence Signal 1 ... Signal N (labelled active state) through the sequential logic into the MISR. Model 2: the same DUT, drivers and sequential logic with an X-State Detect block on the Partial Good Interface Signals 1 ... N ahead of the MISR.]
Methodology Flow
- Step 1: Identify PG interfaces
- Step 2: Create wrapper
- Step 3: Create drivers
- Step 4: Create X-state assert
- Step 5: Check properties
    - Property violations? Yes: design bug(s); fix and re-check. No: continue.
    - Inversions? No: done. Yes: Step 6.
- Step 6: Override scan inputs to inverted latches
- Step 7: Rebuild models and re-check properties (property violations? inversions?), then done
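The two checks the model overview and the flow above rely on, in a constructed toy form (added here as an example; it is not the authors' SixthSense model or code): a 2-bit partial-good (PG) interface feeds common logic through a fence, the common logic is compressed into an 8-bit MISR with an assumed feedback polynomial, and the "fence" is simply the set of PG signals forced to their inactive value while the fence is active. The Model 1 style check enumerates all PG input sequences up to a bounded depth (a brute-force stand-in for bounded model checking) and demands the signature match the run with the interface held inactive; the Model 2 style check drives the interface with X and reports the first cycle an X reaches the MISR. The buggy fence that leaves signal 1 unfenced is a constructed bug, not one from the case study.

```python
"""Toy partial-good fence check: constructed illustration, not the slides' model."""
from itertools import product

MISR_WIDTH = 8
MISR_TAPS = (8, 6, 5, 4)            # assumed feedback polynomial (x^8+x^6+x^5+x^4+1)
PG_VALUES = [(0, 0), (0, 1), (1, 0), (1, 1)]   # all values of the 2-bit PG interface
X = "X"                             # unknown value for the 3-valued (X-state) run


def misr_step(state, data_in):
    """One MISR cycle: LFSR shift with feedback, then XOR in the parallel data."""
    fb = 0
    for t in MISR_TAPS:
        fb ^= (state >> (t - 1)) & 1
    shifted = ((state << 1) | fb) & ((1 << MISR_WIDTH) - 1)
    return shifted ^ data_in


def x_and(a, b):
    """3-valued AND: a controlling 0 masks an X."""
    if a == 0 or b == 0:
        return 0
    return X if X in (a, b) else a & b


def x_xor(a, b):
    """3-valued XOR: an X input is never masked."""
    return X if X in (a, b) else a ^ b


def apply_fence(pg_if, fence_active, fenced):
    """Force the fenced PG signals to their inactive value (0) while the fence is up."""
    return tuple(0 if (fence_active and i in fenced) else v for i, v in enumerate(pg_if))


def common_logic(gated, local_bit):
    """Three bits of non-PG common logic that sample the (fenced) interface."""
    return (x_xor(gated[0], local_bit),
            x_and(gated[1], local_bit),
            x_and(gated[0], gated[1]))


def run(pg_seq, fenced, fence_active=True):
    """Simulate len(pg_seq) cycles. Returns (signature, cycle at which X hit the MISR)."""
    misr = 0
    for cycle, pg_if in enumerate(pg_seq):
        # local_bit toggles every cycle, standing in for the DUT's own sequential state
        bits = common_logic(apply_fence(pg_if, fence_active, fenced), cycle & 1)
        if X in bits:
            return X, cycle          # signature is no longer deterministic
        data = bits[0] | (bits[1] << 1) | (bits[2] << 2)
        misr = misr_step(misr, data)
    return misr, None


def find_fence_leak(fenced, depth):
    """Model 1 style bounded equivalence check: with the fence active, does any
    PG input sequence change the signature relative to the inactive-interface run?
    Returns the first offending sequence, or None if the fence holds."""
    reference, _ = run([(0, 0)] * depth, fenced)
    for pg_seq in product(PG_VALUES, repeat=depth):
        if run(pg_seq, fenced)[0] != reference:
            return pg_seq
    return None


def x_reaches_misr(fenced, depth):
    """Model 2 style X-state detect: cycle at which an X driven on the PG interface
    corrupts the MISR, or None if the active fence blocks it."""
    return run([(X, X)] * depth, fenced)[1]


if __name__ == "__main__":
    FULL_FENCE = frozenset({0, 1})
    BUGGY_FENCE = frozenset({0})     # constructed bug: PG signal 1 left unfenced
    print("full fence leak:", find_fence_leak(FULL_FENCE, 4))    # None
    print("buggy fence leak:", find_fence_leak(BUGGY_FENCE, 4))  # a 4-cycle counterexample
    print("full fence X:", x_reaches_misr(FULL_FENCE, 4))        # None
    print("buggy fence X:", x_reaches_misr(BUGGY_FENCE, 4))      # 1
```

The counterexample for the buggy fence is the shortest trace in which the unfenced signal is sampled while the local logic is in a state that does not mask it; in the real flow that trace is what a BMC engine returns and what the X-state assertion flags, without any knowledge of the actual LBIST sequence.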
Verification Results

Verification Metric      | Core Level Model | Chip Level Model
Inputs (thousands)       | 6.1              | 41
Gates (millions)         | 2                | 24
Registers (millions)     | 2.1              | 2.8
Run Time (sec)           | 639              | 1654
Peak Memory Usage (GB)   | 6.8              | 16.7
Design Bugs              | 4                |
Tuning Considerations
Two primary challenges:
- Quickly find bugs: used SAT-based Bounded Model Checking (BMC) on a speculatively reduced model
- Efficiently complete proofs: imperative, since model size and diameter limit the number of BMC cycles

Strategy: sequential redundancy removal [MBPK 05] using the assume-then-prove paradigm
- Guess candidates using name comparison, semi-formal analysis, etc.
- Assume the candidates to be redundant and create a speculatively reduced model
- Validate the correctness of the candidates (proof step)

Bug finding
- BMC on the original model ran out of resources due to model size and diameter
- BMC on the speculatively reduced model [MBPK 05] was successful and avoided the resource crunch

Proof completion
- Inductive analysis was insufficient; localization transformations were very effective
- Identifying causal redundancy candidates that made proofs difficult was very useful
Summary and Conclusions
A case study on an IBM z-Series multi-core chip demonstrated that our partial LBIST verification methodology is:
- Scalable: more than a million latches and gates in the DUT
- Fast: verification run times under 30 minutes
- Easy to implement: knowledge of LBIST design details and sequences is not required; drivers are easily auto-generated once the partial good interfaces and fence signals are identified; no complex assertions
- Applicable to any partial good self-test structure
Six design bugs were found and resolved prior to initial release; it is very unlikely they would have been discovered with simulation.