Course Formal Assertion Based Verification Session Formal Model Checking Meslinger

Formal Assertion-Based Verification

Formal Model Checking


Mark Eslinger
Verification Technologist

[email protected] | www.verificationacademy.com
Session Overview
In this session you will learn …
• Model Checking Overview
• ABC’s of Applying Formal

© Mentor Graphics Corporation, all rights reserved.


Model Checking Basics

Backgrounder Review
How Complete is Your Verification?
• Advanced testbench environments …
• Can take a long time to setup and get working
• Cannot traverse every part of a design’s state space
• The longer a bug goes undetected
• The more expensive it is to find
• The harder it is to fix
• The longer it takes to validate



Verification with Simulation-Based Techniques
• Fundamental verification technique in use today
• Generally scales well
• Testing all possible scenarios is generally incomplete

[Figure: simulation testbench loop: Generate Stimulus -> Design Model -> Check Results -> Measure Coverage -> back to Generate Stimulus]
Simulation and the Time Explosion Problem

• How long would it take to exhaustively simulate this example?

[Figure: comparator with 32-bit inputs A[31:0] and B[31:0] and enable input E, each driven by an arbitrary bit pattern]

    // SystemVerilog Assertion
    property p_comp;
      @(posedge clk)
      E |-> (A==B);
    endproperty
    assert property (p_comp);

2^64 vectors × 1 vector every nanosecond = >584 years

An extremely fast simulator by today's standards!


How Simulation Explores the State Space

[Figure: state space drawn over an SoC block diagram (CPU, DSP, USB and Ethernet controllers with their PHYs, custom protocol cores, AMBA AHB/AXI arbiter and bridges, memory, DMA, PCI-Express, UART, GPIO, power management, clock, reset, test and analog blocks); simulation traces thin paths outward from the initial state]

• Generate input sequence, check outputs
• Can find bugs "deep" into the state space
• Not enough time to cover all the state space
What is Formal Verification
• Mathematical and algorithmic
• Proves design correctness
• Ensures implementation meets requirements
• Requires no testbench or stimulus

"Formal verification uses mathematical formal methods to prove or disprove the correctness of a system's design with respect to formal specifications expressed as properties…."
[Using Formal Methods to Verify Complex Designs, IBM Haifa Research Lab]


Verification with Formal-Based Techniques
• Does not require a testbench or input stimulus!
• Automatically uses algorithms to verify the functionality
• Verification can be complete
• Complements simulation-based techniques

[Figure: Design + Assertions -> Model -> Formal Tool -> Pass? Yes -> Done; No -> fix and re-run]
How Formal Explores the State Space

[Figure: the same SoC state space as the simulation slide; formal expands a growing region around the initial state, covering every state within its reach rather than individual paths]

• Is there a state which can violate the property?
• Complete with respect to state space it covers
• Not enough memory to cover total state space
Classical Usage of Formal Techniques
• State S35 can be active for <= 5 cycles

  [Figure: 40 state FSM, 12 inputs; exhaustive simulation > 4.5 years @ 1 vector/ns]

  SVA Assertion:
    // consecutive repetition [*1:4]: S35 stays high 1 to 4 more cycles after rising, then drops
    assert property (@(posedge clk)
      $rose(S35) |=> S35[*1:4] ##1 !S35 );

• Aout and Bout are mutually exclusive

  [Figure: DUT with inputs clk, req, ack, ena and outputs Aout, Bout; 100K gate block, 160 inputs]

  SVA Assertion:
    assert property (@(posedge clk)
      !(Aout && Bout) );
Model Checking Algorithms …
Are exponential with respect to …
• The number of state bits
• The number of inputs
• The size and sequential depth of the property
• The depth of analysis (number of cycles)



Formal Verification Terminology
• Property
• Description of design behavior
• Assertion
• Property being targeted by formal analysis
• Proof
• Property is true across the full design space
• Counterexample
• Stimuli that violates a property, usually shown as a waveform
• Assumption
• Property used to limit the input conditions considered by formal



Assertion Languages and Libraries

SVA (IEEE 1800):
    property buffer_overflow;
      @(posedge clk) not (fifo_full && fifo_write);
    endproperty

    assert property (buffer_overflow);

PSL (IEEE 1850):
    property buffer_overflow =
      never (fifo_full and fifo_write) @ (posedge clk);

    assert buffer_overflow;

OVL (Accellera):
    ovl_never buffer_overflow
      (.clock(clk), .reset(rst_n), .enable(1'b1),
       .test_expr(fifo_write && fifo_read) );

QFL (Mentor Formal VIP):
    qfl_fifo_single_clock #( .WIDTH(32), .DEPTH(16) )
      buffer_overflow (
        .enq(fifo_write),
        .enq_data(fifo_write_data),
        .deq(fifo_read),
        .deq_data(fifo_read_data),
        .clk(clk),
        .resetn(rst_n) );


3 Ways to Use a Property With Formal
• Assertion (assert property)
• Property is targeted for formal analysis
• Need at least one of these (or cover)
• Assumption (assume property)
• Property limits formal analysis
• Formal can not violate the assumption
• Cover Statement (cover property)
• Show stimulus which reaches the property/sequence



Model Checking

Setup/Initialization, Applying Formal, and Formal Results


Benefits of Using Formal Verification
• Reduces Risk
• Higher degree of confidence than simulation alone
• More Efficient
• Automated solutions for particular tasks
• Certain challenges are quicker/easier with formal
• Complementary with Simulation
• Can replace millions of cycles of simulation
• Can be used before a testbench is in place
• Can integrate results with verification management
What is Required to Successfully Run Formal
• A plan
• An assertion
• A synthesizable design
• Gate level representations will work too
• Knowledge of the design
• Clocks
• Initialization
• Configuration
• Function
Formal Setup: Design Knowledge
• Clocks
• Single-clock design vs. multi-clock designs
• If multi-clock, what frequencies to consider
• Modes of operation
• Normal, test, scan, …
• Where is the complex/high state logic
• Memories, counters, …



Formal Setup: Design Initialization
• Reset logic to consider
• POR, interrupt reset, soft reset, watch dog timer, …
• Reset sequence
• How long to hold the resets
• What order to apply the resets
• Configuration Registers
• What values to load
• What order to load them



The ABC's of Formal
• Assurance : Proofs and bounded proofs
• Bug Hunting : Includes post-silicon debug
• Coverage Closure : Reachability analysis

[Figure: time vs. cycle depth plotted for simulation and for formal]
Formal Verification Flow

[Figure: RTL (always @(posedge clk) q <= d;) and a property (A |=> B;) go through compile into the work library, then formal compile into the Formal Model, then formal analysis, producing Results]

The analysis accumulates the reachable states cycle by cycle,
$S'_{n+1}(x) = S'_n(x) + S_{n+1}(x)$,
and property P holds iff $\neg\exists x : S'_n(x) \wedge \neg P(x)$.
Formal Results
• Inconclusive
• Bounded Proof (proven to depth M)
• Proof (any input, infinite depth)
• Firing (CEX with depth N)
• Covered
• Uncoverable

[Figure: timeline from depth 0, with a bounded proof marked at proven depth M, a proof extending to infinite depth, and a CEX at depth N]
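As an added example (not code from the slides or from any Mentor tool), the reachability fixpoint from the flow slide and the result kinds listed here, together with the assert/assume/cover uses of a property, are run as a tiny explicit-state checker over a constructed two-requester arbiter; the design, state encoding and property names are assumptions for illustration.

```python
# Constructed example design: a two-requester arbiter. State = (grant_a, grant_b, hold),
# 'hold' keeps a grant asserted for extra cycles; inputs (req_a, req_b) are enumerated exhaustively.
INITIAL = (0, 0, 0)
INPUTS = [(a, b) for a in (0, 1) for b in (0, 1)]

def next_state(state, inp):
    ga, gb, hold = state
    req_a, req_b = inp
    if hold:                      # grant is sticky while the hold counter runs down
        return (ga, gb, hold - 1)
    if req_a:                     # fixed priority: a beats b
        return (1, 0, 2)
    if req_b:
        return (0, 1, 2)
    return (0, 0, 0)

def model_check(prop, bound=None, assume=lambda s, i: True, cover=False):
    """Breadth-first reachability from INITIAL.
    Assertion: ('proof', depth) once S'(n+1) == S'(n) with prop true everywhere reached;
    ('cex', trace) at the first violating state (CEX depth = len(trace) - 1);
    ('bounded', bound) if the bound stops analysis before the fixpoint.
    Cover: ('covered', trace) | ('uncoverable', depth) | ('inconclusive', bound).
    assume(state, inp) is an assumption: inputs it rejects are never explored."""
    reached = {INITIAL: [INITIAL]}   # S'(n): every state seen so far, with its trace
    frontier = [INITIAL]             # S(n): states first reached at depth n
    depth = 0
    while frontier:
        for s in frontier:
            if cover and prop(s):
                return "covered", reached[s]
            if not cover and not prop(s):
                return "cex", reached[s]
        if bound is not None and depth == bound:
            return ("inconclusive" if cover else "bounded"), bound
        new = []
        for s in frontier:
            for inp in INPUTS:
                if not assume(s, inp):
                    continue
                t = next_state(s, inp)
                if t not in reached:             # S'(n+1) = S'(n) + S(n+1)
                    reached[t] = reached[s] + [t]
                    new.append(t)
        frontier, depth = new, depth + 1
    return ("uncoverable" if cover else "proof"), depth

mutex = lambda s: not (s[0] and s[1])       # Aout/Bout style: grants never both high
hold_le_1 = lambda s: s[2] <= 1             # false property: hold reaches 2, fires at depth 1
grant_b = lambda s: s[1] == 1               # cover target
no_req_b = lambda s, i: i[1] == 0           # assumption: requester b never asks
```

Running `model_check(grant_b, cover=True, assume=no_req_b)` shows how an assumption turns a covered target into an uncoverable one, the same effect an over-constraining assume has on a real design.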
Expectations for Formal Results
• Will my true assertion be proven?
• Mutex/LEC checks are easy (localized logic)
• Inductive checks are easy (localized in time)
• End to end check are difficult (long latency)
• Scoreboard checks are difficult (lots of state)
• Will my false assertion fire?
• The start state can impact if a CEX is found
• Most CEX are found within 10’s of cycles
• CEX have been found to 100’s or 1000’s of cycles
Questa® Property Checking ("PropCheck")
• Mathematically prove the DUT=Spec
• For all inputs and for all time
• Advantages
• Industry leading performance
• Integrated with Questa® Verification Manager/UCDB

[Figure: PropCheck asks "Spec = DUT?"; Yes -> record in UCDB/VM; No -> waveform that shows the violation]


Benefits of Using Questa® PropCheck
• Begin verification when RTL is ready
• Minimize time to find, fix, and validate a bug
• Exhaustive formal analysis reduces risk
• Part of a broad verification platform

[Figure: PropCheck surrounded by full design style support (Verilog/VHDL), industry leading technology, leverage of UCDB/VM, interactive debug, and the property A |=> B;]
Session Recap
In this session you learned …
• Model Checking Basics
• ABC’s of Applying Formal



Additional Resources
• Questa® PropCheck Demo
• Verification Academy
• Assertion-Based Verification Course
• Basic Formal Verification Course
• Other Automatic Formal Solutions Courses
• Mentor Graphics Training
• Wide range of instructor led classes and workshops
- At Mentor offices worldwide or Onsite
• Web-based and live events