back to basics: doing formal the right way”€¦ · back to basics: doing formal “the right way...
TRANSCRIPT
Mark Handover
Back to Basics: Doing Formal “The Right Way”
Digital Design & Verification Solutions
Mentor Graphics Corporation
May 21, 2015
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Formal Fact #1: Design Size
20%
26%
41%
0%
10%
20%
30%
40%
< 5M 5 - 20M > 20M
No
n-F
PG
A S
tud
y P
art
icip
an
ts
Formal Property Checking Adoption by Design Size (Gate Count Excluding Memories)
Source: Wilson Research Group and Mentor Graphics, 2012 Functional Verification Study
MH, TVS UK - Back to Basics, May 2015 2
Larger Designs Use More Formal
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Formal Fact #2: Formal Usage
Bug Hunting Assurance
Many RTL assertions A few spec focused assertions
Success: # bugs found Success: Design meet spec
Productivity focus Quality focus
Bug hunting
Assurance B
ug
s F
ou
nd
Time Rev 0 RTL Tapeout
Useful for both Bug Hunting and Assurance
MH, TVS UK - Back to Basics, May 2015 3
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
High-Level Assertions
Requirement focused
Black-box assertions
Accounted for in testplan
Compliance traceability
Create reusable ABV IP
Low-Level Assertions
Implementation focused
White-box assertions
Not accounted for in testplan
Improve observability
Reduce debugging time
Verification Engineer Design Engineer
Formal Fact #3: Who writes assertions?
Both Design and Verification Engineers do
MH, TVS UK - Back to Basics, May 2015 4
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
“The Right Way” Rests on the 4 Pillars of a Successful Formal Test Plan
5
DV
C s
up
po
rt
Tra
inin
g
Do
cu
me
nta
tio
n
To
ol
use
mo
de
l
Verification Infrastructure
Formal Test Plan
Desig
n S
tyle
Asse
rtio
ns
Fo
rmal
En
gin
es
Co
vera
ge
MH, TVS UK - Back to Basics, May 2015
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Design Style: The Wrong Way
MH, TVS UK - Back to Basics, May 2015 6
Running formal on the whole SoC design — Formal capacity is limited
Running formal on a block you know nothing about — Won’t be able to debug
Running formal on a block without a proper design spec — Reading the RTL code too much
Data transform block is typically beyond formal capacity — Other verification approaches are more efficient for this
Design Specification
Control Datapath
Data Transport Data Transform
Control
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Design Style: The Right Way
MH, TVS UK - Back to Basics, May 2015 7
Design and interface specifications are important
Control logic is typically the sweet-spot
Verification of data transportation is good for formal
• Arbiters of many different kinds
• Interrupt controller
• Clock programming unit
• Power management unit
• DMA controller
• Host bus interface unit
• Scheduler, multiple channels for QoS
• On-chip bus bridge
• Memory controller
• Token generator
• Credit manager block
• Standard interface (AMBA, PCI Express)
• Proprietary interfaces
Run automatic formal or coverage checking to understand the controllability and observability of the design
Recommendation
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Assertions: The Wrong Way
MH, TVS UK - Back to Basics, May 2015 8
Putting assertions on a lot of low-level structures (counters, FSMs, etc) of the design. — Subject too much to design changes
Trying to describe everything in the assertion language — Properties need to be synthesized for formal verification — Lead to overly complex representation
Creating assertions based too much on the internal signals of the design. — They may not behave correctly.
A mix of RTL + assertions may be the best approach to capture complex behavior.
Recommendation
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Assertions: The Right Way
MH, TVS UK - Back to Basics, May 2015 9
Capture high-level functionality — Based on specification — Consist of
– Functional properties – Interface constraints – Coverage goals
Decomposition — Based on functional blocks — Generally hierarchical in nature
Refinement — assume-guarantee proof status — simulate the constraints — status of lower-level properties
may affect upper-level properties
Architectural
µ-Arich
Feature
Decomposed
Property P0.1
Decomposed
Property P0.m . . . .
P1.1
P2.2
P1.2 P1.p . . . .
P2.1 P2.n . . . .
C.1 C.q . . . . Failing simulation constraint
Architectural
µ-Arch Feature
Decomposed
Property P0.1
Decomposed
Property P0.m . . . .
P1.1
P2.2
P1.2 P1.p . . . .
P2.1 P2.n . . . .
Constraints C.1
Constraints C.q
. . . . Failing proof
High-level functionality and intentions
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Formal Engines: The Wrong Way
MH, TVS UK - Back to Basics, May 2015 10
Assuming formal works the same way as simulation — Simulation: exercises events sequentially — Simulation: the same engine on multiple servers — Formal: examines events concurrently — Formal: multiple engines on multiple servers
Throwing all (too many) properties to the tool — Insufficient formal time was spent with each property — Using the right formal engine on a few properties
Assuming the best engine(s) for one design is the best for all — Sometimes true, but most often not
Understanding the formal complexity of the properties is the best way to lead the formal verification process.
Recommendation
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Formal Engines: Time Share Orchestration
By limiting the amount of time formal spent on the difficult assertions P2, P3, and P4, the simple assertions P1, P5 and P6 were verified in the first pass.
Verified assertions are used for fan-in cone pruning and to aid formal in the next pass.
P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8
Formal Engines Pass 1
Formal Engines Pass 2
Formal Engines Pass 3
Time out
Time out
Time out
Time out
Time out
Time out
Time out
Asse
rtion
Diffic
ulty
MH, TVS UK - Back to Basics, May 2015 11
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Coverage: Formal-Specific Issues
Assertion Density — Number of assertions per 100 lines of code — Anywhere from 1-10 based on design complexity — Reported early by formal tool
Minimum Sequential Distance (MSD) — Number of flops between assertions — Identifies registers that are not covered by any assertion — Reported after design elaboration by formal tool
Cone of Influence — The logic that is functionally covered by the assertion — Examine the fan-in cone of logic for each assertion — Reported after formal analysis
MH, TVS UK - Back to Basics, May 2015 12
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Formal Coverage: Minimum Sequential Distance
Measures how well you are implementing ABV
Sequential distance between observation points
Heuristic measure of functional vs. assertion complexity
Blind spots due to inadequate assertion coverage
Register coverage
aggregated for
every module
instance
Reg r1
Reg r3
Reg r2
Logic Logic Logic
Assertion 1 Level of Logic 1 Level of Logic
Minimum Sequential Distance of r1 = 2
MH, TVS UK - Back to Basics, May 2015 13
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
14
Formal ABV Capability Maturity Model
The ABV Capability Maturity Model is a process reference model
Used by organizations to assess: —Current capability to implement an integrated ABV methodology
– Formal Verification – Assertions – Advanced coverage
—Current capability for predictability in terms of schedule and quality
The model helps the organization answer the following questions: —What value will be realized by increasing the organization’s maturity level? —What infrastructure is required to move to the next level of maturity? —What people skills and process management resources are required?
MH, TVS UK - Back to Basics, May 2015
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
15
Formal ABV Capability Maturity Model
Capability levels represent the ABV maturity of engineering organizations.
Level 1 Ad-hoc assertions
Some interest
Not coordinated
Level 2 Planned & tracked
ABV within design
Used in simulation Automatic Formal
Applications
Improved debugging time
Improved structural quality
Level 3 Assertions
Bug-hunting of assertions at block level
Focus on high-value low-effort blocks (bounded formal!)
Improved functional quality and schedule
Level 4 Targeted proofs
High-level requirements proved on targeted blocks
Unbounded formal proofs (high-value and higher-effort)
Improved quality
Level 5 optimizing
Higher-level assertions proved on blocks
Eliminate block-level simulation when possible
Fully proved blocks integrated with system-simulation
Improved schedule (focus is on optimizing processes)
1
ad-hoc
2
planned
3
bug-hunting
4
targeted
proofs
5
Optimizing
0 not
performed
MH, TVS UK - Back to Basics, May 2015
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Oracle: Evolution of Formal Plan: 1.0
“What can formal model checking do for us?”
Static Clock Domain Checking
SoC Interconnect Verification — Interrupts — DFT signals
CMM Level 2
MH, TVS UK - Back to Basics, May 2015 16
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Oracle: Evolution of Formal Plan: 2.0
“We think formal model checking can help us!”
IP Assurance
Replacing simulation for unit verification — SRAM Controller — Event Monitors — System Interrupt Controller — Arbiters
CMM Level 3
MH, TVS UK - Back to Basics, May 2015 17
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Oracle: Evolution of Formal Plan: 3.0
“Where else can we leverage formal model checking?”
Bug Hunting
Augmenting simulation to accelerate IP verification closure — Caches — Fuse Ctrl <-> MBIST Interface — Clock Control Unit
CMM Level 4
MH, TVS UK - Back to Basics, May 2015 18
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Oracle: Today’s Formal Plan of Record
A key pillar for RAPID SoC Verification — More aggressive, and yet, practical plans
Design for Formal Verification
Optimal mix of Simulation + Formal
Broader deployment with more users CMM Level 5
MH, TVS UK - Back to Basics, May 2015 19
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
For the Full Story …
MH, TVS UK - Back to Basics, May 2015 20
Verification Horizons, March 2015: Evolving the Use of Formal Model Checking in SoC Design Verification, By Ram Narayan, Oracle https://verificationacademy.com/verification-horizons/ march-2015-volume-11-issue-1/Evolving-the-Use-of-Formal-Model-Checking-in-SoC-Design-Verification
Verification Academy Maturing a Project’s Formal ABV Process Capabilities https://verificationacademy.com/sessions/maturing-abv-process-capabilities
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Questa Formal Solutions & Apps Automated, Exhaustive Verification For Complex Challenges
21 MH, TVS UK - Back to Basics, May 2015
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
Summary
MH, TVS UK - Back to Basics, May 2015 22
It’s critical to provide clear guidance to formal novices so they will not get too frustrated and “revert” back to sims
The methods reviewed in this presentation aim to start novices off on the right foot with formal
The Oracle case study shows complete novices can “cross the chasm” starting w/apps and solid fundamentals
Share your favorite “righteous” formal tips! [LinkedIn] > [Experts in Assertion-Based Verification] https://www.linkedin.com/grp/home?gid=3925032
www.mentor.com © 2015 Mentor Graphics Corp. All Rights Reserved
w w w.ment o r. com