Verification Beyond Doubt

OneSpin Solutions Corporate Presentation

D-CON 2010

Post on 22-Sep-2019

1 views

Category:

Documents


0 download

TRANSCRIPT


Introduction to OneSpin Solutions

• Founded in May 2005
  – Venture-funded (APAX) Infineon spin-off
  – 300+ engineer-years of R&D and application experience in formal verification

• Established Products
  – Formal RTL Verification solutions, field-proven on hundreds of complex designs, modules, and IP

• Global Operation
  – Headquartered in Munich, Germany
  – Field offices in Sunnyvale, CA, USA and Tokyo, Japan
  – 34 employees worldwide

January 2010, Page 2

Verification Improvements: A Key Need

"We need to have as much as a 675 percent improvement in RTL verification productivity during the next few years," de Geus warned.

"Without major breakthroughs, functional verification will be a non-scalable, show-stopping barrier to further progress in the semiconductor industry." (ITRS)

Major Industry Trend in Functional RTL Verification

Assertion-Based Verification (ABV)

[Figure: Simulation-Based Verification + Assertions (SVA, PSL, OVL), and Formal Assertion-Based Verification]

ABV is the major industry trend!
• 65% of all system/IP companies already use ABV (Gary Smith EDA, 2009)
• 18 of the top 20 system/IC companies use assertions and formal ABV
• ABV is a major step to increase RTL verification productivity and quality

OneSpin's Formal ABV Solution (I)

Key Benefits
  – Productivity: up to 5X effort reduction compared to "thorough" testbench approaches
  – Quality: highest possible verification quality through operational ABV and automatic detection of coverage holes
  – Applicability: modular product offering as well as operational ABV eases and speeds step-wise learning and use
  – Capacity and Performance: verification of designs >100K lines RTL flat

[Figure: solution stack consisting of the GapFreeVerification™ Process, the OneSpin 360™ MV Product Family, OneSpin Foundation Technology, and Verification and Methodology Services]

OneSpin's Formal ABV Solution (II)

OneSpin 360™ MV Product Family

[Figure: the 360 MV product family mapped onto the path from Informal Specification through Functional Requirements and Implementation Intent down to RTL Code, with Systematic Formal Verification with Gap Detection, Standard Formal Tools and AutoChecks as the tool layers]

Systematic Formal Verification with Gap Detection
  – Significant effort reduction and highest possible design quality through operational ABV and GapFreeVerification™ process

Functional Requirements
  – Highest-capacity and performance verification of functional requirements using high-level properties

Implementation Intent
  – Easy and fast analysis of RTL implementations using low-level assertions

AutoChecks
  – Push-button detection of common RTL coding errors through extensive set of fully automatic RTL code checks

360 MV = Most comprehensive formal ABV Solution

OneSpin’s Value Proposition

[Figure: the GapFreeVerification™ loop. Inputs: Informal Specification and RTL Code. Steps: Start → Verification Planning → Verification Plan → Assertion Development → Assertions → Verification and Debug → Assertion Set → Automatic Gap Detection → "Anything missed?" → Gap: refine or add assertion (back to Assertion Development), or No More Gaps = Done. Outputs: Reference Model, Equivalent RTL Code]

GapFreeVerification™ = First closed-loop Verification Process

Verification Effort Comparison

Customer Project Example:
• Critical, intricate IP module: ~5,000 lines of RTL code, ~3,000 flip-flops
• Thorough constrained random testbench approach
• 360 MV applied from scratch in parallel
• Discovered 11 errors missed by testbench with less than half the effort

[Figure: effort comparison over the phases Verification Planning, Testbench Development vs. Assertion Development, Verification and Debug, and Ongoing Verification, bars annotated in person-weeks (pw): 'Thorough' Testbench vs. 360 MV, the latter giving an earlier and higher-quality release]

2X to 5X Effort / Time Savings

Productivity and Quality Improvements

Comparison:
  – Common testbench / formal ABV verification flow
  – Verification flow enhanced with 360 MV product family

[Figure: number of errors found over time/effort for both flows, annotated "Start when Code available", "Productivity gain in verification flow", "Quality beyond simulation and standard formal ABV", "Earlier Hand-over", "Earlier Tape-out (TO) or: Higher TO Quality"]

Significant Productivity and Quality Gains have been confirmed in over 200 completed Verification Projects

Completed Applications

Verified designs in consumer, communication, automotive, defense, computer, and embedded systems

Functions: Verified Designs
  – Processors: Superscalar 32 bit processor, Multi-threaded network processor, IEEE floating point processor
  – Peripherals: IRDA IF, One-Wire Interface, Touch Screen Measurement I/F, USB master I/F, Counter/Timer, UART, Interrupt Controllers, A/D Converter Controller (legacy), FCDP Flash Card data port, Camera I/F, Multimedia Card Interface
  – Bus Interfaces: Bus Arbiters, AHB (I/F and bridges), AXI, proprietary protocols, protocol adaptation to legacy code, CAN, LIN, FlexRay, SRC Audio bus Interface
  – Memory Controllers: SDRAM Controllers, Cache Controllers, Advanced Memory Bus, SATA, Processor memory controllers, Flash memory IF
  – Error Correction: ECC, Error redundancy of board to board communication
  – Data processing: AAL2 Termination Element, Address management unit in ATM switch, Sonet / SDH Frame alignment, DSP coprocessor, ASIC for correlation computation

Selected Customers


Comparison: Formal RTL Verification

Unique 360 MV Approach: Operational ABV with automatic Coverage Analysis
• Unprecedented verification coverage
• Finds errors in design and specification
• Guided SVA development from timing diagrams
• Best-in-class SVA debugging and diagnosis

Standard formal ABV: Verification of Functional Requirements, Automatic RTL Analysis, Implementation Intent
Adds productivity and quality
• Fast, early detection of bugs, but
• Unclear if assertions are sufficient
• Unclear contribution to coverage

Leverage advantages of standard Formal RTL Verification and achieve unprecedented Coverage / Productivity with 360 MV's unique Capabilities

Summary

• Current Functional Verification Approaches
  – Limit design productivity
  – Compromise product quality

• OneSpin = Award-winning Verification Solution
  – Industry's first and only closed-loop verification process
  – Most comprehensive formal verification solution
  – Provable verification facilitation and speed-up
  – Delivery of highest possible functional quality
  – Proven track record at major semiconductor and system companies

• OneSpin = Right Relationships, Right Team, Right Expertise
  – Strong top-tier customer relationships of trust with key semiconductor players
  – Top-notch technical team with exceptional verification and application experience
  – Global field applications team, well-versed in supporting worldwide customers
  – Internationally experienced exec management team

Revolutions in EDA industry

• Biere et al.: Symbolic model checking without BDDs
  – Encode model checking problem for LTL as SAT
  – Up to a certain depth, incomplete

• Zhang: Engineering an efficient SAT solver (2001)
  – Up to two decades faster than solvers up to that point

• McMillan & Amla: Automatic abstraction without counterexamples (2003)
  – Until that point, only counterexamples from solvers were used, not information derived from unsatisfiability
  – Hybrid technique, uses SAT as well as symbolic model checking

Revolutions in EDA industry, cntd.

• Een, Sörensson: Temporal induction by incremental SAT solving (2003)
  – BMC problems have a repeating structure
  – Temporal induction is a way for a complete model checking procedure using SAT

• McMillan: Interpolation and SAT-based Model Checking (2003)
  – Use the resolution trace to compute a Craig interpolant
  – In the context of verification, this is an overapproximation of reachable states in one step
  – "Sometimes works wonders"

• In addition to these, many more evolutionary steps
  – Invariants between signals

Requirements for an Industrial Tool

• To be competitive in assertion checking, all these are required.

• Compared to university software
  – An EDA tool has to be easy to use
  – GUI
  – It has to be much more thoroughly tested

• Ideally:
  – Check_assertion assertion_name

Question???

• What will be the next practical important step?
  – Word-level solvers?
  – Satisfiability Modulo Theories?
  – Efficient parallelization of model checking problems?

• If YOU have a great idea or implementation:
  – Hardware Model Checking Competition (HWMCC)
  – Common input format (Aiger)
  – 2008: 645 examples, industrial and academic
  – 2010 solver deadline: June 4
  – Results presented at FLoC 2010
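The two SAT-based techniques from the "Revolutions in EDA" slides (bounded model checking, which is incomplete up to a given depth, and temporal induction, which makes the procedure complete) and the HWMCC input format can be tried on a miniature scale. The following Python script is an added example and is not part of the OneSpin presentation or the competition's tooling: it parses the AIGER ASCII ("aag") format, simulates the circuit, and runs BMC and k-induction on two constructed circuits (a 2-bit counter with a "bad" output that fires at value 3, and a latch that is stuck at zero). Explicit enumeration of latch states and input sequences stands in for the SAT encoding the slides describe; the circuit texts and the names parse_aag, evaluate, bmc and k_induction are my own.

```python
"""Added example (not from the OneSpin slides): AIGER 'aag' parsing plus
explicit-state bounded model checking and k-induction on tiny constructed circuits."""
from itertools import product


def parse_aag(text):
    """Parse AIGER ASCII: header 'aag M I L O A', then I input literals, L latch
    lines 'current next', O output literals and A gate lines 'lhs rhs0 rhs1'.
    A trailing symbol table or comment section is ignored by construction."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    tag, _m, n_i, n_l, n_o, n_a = lines[0].split()
    assert tag == "aag", "binary 'aig' files are not handled here"
    n_i, n_l, n_o, n_a = int(n_i), int(n_l), int(n_o), int(n_a)
    body = lines[1:]
    return {
        "inputs": [int(x) for x in body[:n_i]],
        "latches": [tuple(int(x) for x in body[k].split()[:2]) for k in range(n_i, n_i + n_l)],
        "outputs": [int(x) for x in body[n_i + n_l:n_i + n_l + n_o]],
        "ands": [tuple(int(x) for x in body[k].split())
                 for k in range(n_i + n_l + n_o, n_i + n_l + n_o + n_a)],
    }


def evaluate(aig, latch_vals, input_vals):
    """One clock cycle: return (next_latch_vals, output_vals). Literal 2*v is
    variable v, an odd literal is its negation, 0 and 1 are the constants."""
    gates = {lhs: (r0, r1) for lhs, r0, r1 in aig["ands"]}
    val = {0: False}
    val.update(zip(aig["inputs"], input_vals))
    val.update(zip((cur for cur, _ in aig["latches"]), latch_vals))

    def lit(l):  # memoised evaluation, so gate order in the file does not matter
        var = l & ~1
        if var not in val:
            r0, r1 = gates[var]
            val[var] = lit(r0) and lit(r1)
        return val[var] ^ bool(l & 1)

    return (tuple(lit(nxt) for _, nxt in aig["latches"]),
            tuple(lit(o) for o in aig["outputs"]))


def bmc(aig, bad, k):
    """Bounded model checking from the all-zero reset state: return the first
    input sequence (tuple of input vectors) of at most k cycles on which output
    number `bad` becomes 1, or None if no such sequence exists within k cycles."""
    n_in, reset = len(aig["inputs"]), (False,) * len(aig["latches"])
    for cycles in range(1, k + 1):
        for seq in product(product((False, True), repeat=n_in), repeat=cycles):
            state = reset
            for t, inp in enumerate(seq):
                state, outs = evaluate(aig, state, inp)
                if outs[bad]:
                    return seq[:t + 1]
    return None


def k_induction(aig, bad, k):
    """Temporal induction: base case = BMC for k cycles; inductive step = from
    *any* latch valuation, k consecutive good cycles are followed by a good one."""
    if bmc(aig, bad, k) is not None:
        return False
    n_in, n_l = len(aig["inputs"]), len(aig["latches"])
    for state0 in product((False, True), repeat=n_l):
        for seq in product(product((False, True), repeat=n_in), repeat=k + 1):
            state = state0
            for t, inp in enumerate(seq):
                state, outs = evaluate(aig, state, inp)
                if outs[bad]:
                    if t < k:
                        break        # premise violated: this path is irrelevant
                    return False     # k good cycles, then bad: step fails
    return True


# Constructed circuit 1: 2-bit counter that increments while input en=1;
# 'bad' = both bits set (value 3). Variables: en=1 (lit 2), cnt0=2 (lit 4),
# cnt1=3 (lit 6); each XOR is built from three AND gates.
COUNTER_AAG = """aag 11 1 2 1 8
2
4 13
6 21
22
8 4 3
10 5 2
12 11 9
14 4 2
16 15 6
18 14 7
20 19 17
22 6 4
i0 en
o0 bad
"""

# Constructed circuit 2: a latch fed back from itself stays 0 forever;
# 'bad' = the latch. BMC can never refute it, 1-induction proves it.
STUCK_AAG = """aag 1 0 1 1 0
2 2
2
"""

if __name__ == "__main__":
    counter, stuck = parse_aag(COUNTER_AAG), parse_aag(STUCK_AAG)
    print("counter, BMC 3 cycles:", bmc(counter, 0, 3))        # None: bound too small
    print("counter, BMC 4 cycles:", bmc(counter, 0, 4))        # enabling sequence found
    print("stuck, BMC 6 cycles:  ", bmc(stuck, 0, 6))          # None, but not a proof
    print("stuck, 1-induction:   ", k_induction(stuck, 0, 1))  # True: proven
```

For the counter, BMC with three cycles reports nothing even though the bad state is reachable one cycle later, which is the incompleteness the first slide mentions; the inductive step also fails for it, correctly, because "never bad" is not an invariant. For the stuck latch no bound of BMC is ever a proof, while 1-induction closes the argument from the repeating structure of the unrolled problem.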

OneSpin 360 MV Certify: GapFreeVerification

www.onespin-solutions.com

Agenda

Introduction

The GapFreeVerification Process

Operations

Operation Properties

Automatic Gap Detection

Summary

Introduction

Integrated 360 MV Product Family

• Products/Packages for formal verification novices, experienced users, and experts

• Common Graphical User Interface

• Common scripting Tcl Shell Interface

• Support for multi-core & multi-CPU platforms

• Support for distributed execution in heterogeneous computing environments

[Figure: the product family as a stack, from top to bottom 360 MV Certify™ (Gap-Free Verification), 360 MV Assure™ (Design Operations, Gap Detection), 360 MV Verify™ (Functional Requirements), 360 MV Check™ (Implementation Intent) and 360 MV Inspect™ (AutoChecks); axes labelled "Increasing Productivity and Quality" and "Step-by-step Learning and Adoption"]

IP Functional Verification Evolution

Assertions currently capture only local "scenario level" design intent

[Figure: evolution from Specification, TLM, I/O models, Implem. intent and TB down to RT Code, with Operations as the new intermediate level]

Operations: compact, intuitive, executable model of full functionality of IP built from 'composable' assertions

Operation-Based approach enables
  – Full formal equivalence check against RT
  – Solutions for further functional verification tasks
  – Better code: less redundant, faster, better structured
  – Productivity boost by interleaving specification, coding, verification

OBV in a Nutshell

[Figure: Informal Spec (block diagrams, state transition diagrams, timing diagrams, …) → manual spec-compliance → Formal Design Spec (operations nop, single read, single write, burst read, burst write, row_act, precharge over the conceptual states idle and active) → formal equivalence → RT Code (implementation states idle, pr, ra, sw1, bw1…bw4, br1…br7, sr1…sr4)]

Verification Plan in Different Approaches

• Used to structure and plan an overall verification task

• Provides termination criterion for simulation or assertion-based verification
  – Quality of verification plan is crucial
  – Verification plan needs to be very detailed
  – Developing a verification plan requires expertise
  – Developing a verification plan is a time-consuming creative task

• GapFreeVerification process:
  – Only used to structure and plan overall verification
  – Lean verification plan sufficient

Application of 360 MV Certify: Systematic OBV

Systematic OBV (full design behavior)
• Verification of RTL against a specification

Applicability
• All designs implementing operations
• Application sweet spots:
  – Interface Protocols
  – Bus bridges
  – Arbiters / Arbitration
  – Control Logic (Finite State Machines)

Benefits
• Systematic method to derive operation properties from spec
• Operation properties speed up verification and increase performance

The GapFreeVerification Process

GapFreeVerification™: First Closed-Loop SVA-Based Verification Process

[Figure: the GapFreeVerification™ loop with full user guidance. Inputs: RTL Code (port list read_request_i, address_i[23:0], burst_single_i, state, last_row, sdram_addr_o[11:0], sdram_read_data_i, read_data_o, ready_o, cas_n_o, we_n_o, cs_n_o, ras_n_o) and Specification; AutoChecks on the RTL; TIDAL (SVA Library). Steps: Start → Verification Planning → Verification Plan → Property Development → Properties → Verification and Debug → Property Set → Automatic Gap Detection → "Anything missed?" → Gap: refine property, or Gap: properties missing (back to Property Development), or No more gaps. Results: Reference Model in SVA, Equivalent RTL Code, Gap-free Verification]

Intuitive, Module-Level Operation Verification

High-level view of devices-under-verification (DUV):
  – the module-level operations of the DUV
  – the conceptual states of the DUV

Example: DMA controller
[Figure: conceptual states reset, idle, busy, and conceptual module-level operations NOP, start_transfer, transfer, transfer_last, wait_for_bus, write_sfr, read_sfr]

Generic methodology for property development:
• Properties describe intended behavior of operations (operation properties)
• Timing diagrams describing operations ease property development

Structuring the Verification

• Small number of different operations in designs
  – Examples: read transaction, write transaction, idle

• Arbitrarily long simulation trace from reset covered by sequence of operations

• Idea:
  – Verify operations exhaustively
  – Verify sequencing of operations fully (completeness)

[Figure: a trace of inputs, states and outputs partitioned into the operations reset, load, add, store]

Completeness

• Definition:
  – Set of operations is complete if for each simulation trace of arbitrary length, a sequence of operations exists such that the sequence of operations provides a unique value for each output at all times

• Alternative Definition:
  – The set of operations forms a model of the design

[Figure: a trace of inputs, states and outputs partitioned into the operations reset, load, add, store]

Structuring the Verification

• Partition operations into "normal" and "extended" operations

• Typical candidates for extended operations:
  – Bursts
  – Exceptions
  – Error handling

• Start verification with the normal operations (core functionality)

• Verification of extended functionality only after verification of core functionality

5-Step Process

Plan
• Decide verification objectives, requirements, techniques
• Identify Operations

Prepare
• Read, configure & compile RTL (SystemVerilog, VHDL, any mixture)

GFV
• Gap-FreeVerification: Edit + Verify
• Create properties in 4 phases

Close
• Create & run regressions
• Review results against plan

Four phases of GFV

• Start with control part
  – Phase 1: just central control with internal signals
  – Phase 2: verify correct triggering of operations

• Focus on data path afterwards
  – Phase 3: verify outputs

• Address extended functionality afterwards

Phase One: core functionality, control path, only control with internal signals
Phase Two: core functionality, control path, control derived from inputs and visible registers
Phase Three: core functionality, data path, outputs and visible registers
Phase Four: extended functionality, everything

Phases of the GapFreeVerification Process

Input: Specification and RT code of the DUV

• Phase 1: Capture/verify central control of core operations
  – Termination: the internal control and sequencing of the core operations has been fully captured

• Phase 2: Capture/verify full control of core operations
  – Termination: the full control and sequencing of the core operations has been captured without gaps

• Phase 3: Capture/verify full behavior of core operations
  – Termination: all output signals of core operations are verified to have the expected value, always

• Phase 4: Capture/verify extended functionality
  – Termination: 100% input scenarios coverage, 100% output behavior coverage (full completeness check)

Output: Error-free operation of the DUV

360 MV Certify: tool flow

• Check properties against the implementation
• Check properties for gaps

[Figure: OneSpin 360™ MV Certify tool flow. Property check: RTL code plus assertions and constraints go through Design Setup into the Proof Engines; the result is either "assertion exhaustively proven" or a counter-example (bug in design? incorrect assertion? missing constraint?). Gap check: design specification and properties form the operation specification, which the gap detection checker examines; the result is either "all operations captured" or a counter-example (missing assertion, missing constraint, incomplete trigger, missing commitment)]

Automatic Gap Detection

Tool Support for Gap Detection

In addition to assertion/property checking, 360 MV Certify offers:

• Reset test (CSM properly initialised?)
• Case split test (all scenarios covered?)
• Successor test (do operations fit together?)
• Determination test (all outputs covered by properties?)

Successor Test

• Examines timing and trigger of operation property
• Checks whether trigger or timing depend on internal signals
• Check examines two traces starting with predecessor property with identical visible registers at right hook and identical inputs
• Check fails if trigger and timing can be fulfilled on one trace, but violated on other trace

[Figure: two possible traces after add with common inputs and visible registers; store fits trace 1, but not trace 2]

Determination Test

• Examines prove part of operation property
• Checks whether property provides unique value for visible registers at right hook and for outputs
• Check examines two traces for property with identical visible registers at left hook and identical inputs
• Check fails if output or visible register can have different values in the two traces

[Figure: two possible traces fitting add with common inputs and visible registers; do all outputs and visible registers have fixed values?]
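The completeness definition, the case-split and successor tests, and the determination test above can be made concrete on a toy design. The following Python script is an added example and is not code from the OneSpin slides or from the 360 MV tool: it models a small DMA-style controller with one conceptual state register (busy) that is meant to be visible and one internal register (req_q), describes its operations as trigger/commitment pairs in the spirit of the operation properties on the slides, and implements explicit-state versions of the property check, the case-split and successor tests, and the determination test. The left and right hook of a property correspond here to the state before and after one call of duv_step. The design, the signal names, and the two operation sets OPS_V1 and OPS_V2 are constructed for illustration; the real tool works on SVA properties with proof engines rather than by enumerating states.

```python
"""Added example (not from the OneSpin slides): operation properties and the
case-split, successor and determination gap tests on a constructed toy DUV."""
from itertools import product

# Constructed DUV: a DMA-style controller.
#   busy  : conceptual state register (idle / busy), intended to be visible
#   req_q : internal register; a start seen while busy is queued, and the
#           transfer restarts after its last beat if a request is queued
REGS, INPUTS, OUTPUTS = ("busy", "req_q"), ("start", "last"), ("done_o", "ack_o")
RESET = {"busy": False, "req_q": False}
INPUT_VECTORS = [dict(zip(INPUTS, bits)) for bits in product((False, True), repeat=2)]


def duv_step(state, inp):
    """One clock cycle of the DUV: return (next_state, outputs)."""
    busy, req_q = state["busy"], state["req_q"]
    start, last = inp["start"], inp["last"]
    if not busy:
        nxt = {"busy": start, "req_q": False}
    elif last:
        nxt = {"busy": req_q, "req_q": False}          # queued request restarts
    else:
        nxt = {"busy": True, "req_q": req_q or start}
    return nxt, {"done_o": busy and last, "ack_o": req_q}


def reachable_states():
    """Explicit-state reachability from reset over all input combinations."""
    seen, todo = {tuple(RESET.values())}, [RESET]
    while todo:
        s = todo.pop()
        for inp in INPUT_VECTORS:
            nxt, _ = duv_step(s, inp)
            if tuple(nxt.values()) not in seen:
                seen.add(tuple(nxt.values()))
                todo.append(nxt)
    return [dict(zip(REGS, key)) for key in sorted(seen)]


STATES = reachable_states()

# An operation property = (trigger, commitment). The commitment gives the value
# of each output and of each visible register at the right hook; None means the
# property says nothing about that signal.
VISIBLE_V1 = ("busy",)                     # first attempt: req_q kept internal
OPS_V1 = {
    "nop":            (lambda s, i: not s["busy"] and not i["start"],
                       lambda s, i: {"busy": False, "done_o": False, "ack_o": False}),
    "start_transfer": (lambda s, i: not s["busy"] and i["start"],
                       lambda s, i: {"busy": True, "done_o": False, "ack_o": False}),
    "transfer":       (lambda s, i: s["busy"] and not i["last"],
                       lambda s, i: {"busy": True, "done_o": False, "ack_o": None}),
    # the next two triggers peek at the internal req_q register
    "transfer_last":  (lambda s, i: s["busy"] and i["last"] and not s["req_q"],
                       lambda s, i: {"busy": False, "done_o": True, "ack_o": None}),
    "restart":        (lambda s, i: s["busy"] and i["last"] and s["req_q"],
                       lambda s, i: {"busy": True, "done_o": True, "ack_o": None}),
}

VISIBLE_V2 = ("busy", "req_q")             # refinement: req_q made visible
OPS_V2 = {
    "nop":            (lambda s, i: not s["busy"] and not i["start"],
                       lambda s, i: {"busy": False, "req_q": False, "done_o": False, "ack_o": False}),
    "start_transfer": (lambda s, i: not s["busy"] and i["start"],
                       lambda s, i: {"busy": True, "req_q": False, "done_o": False, "ack_o": False}),
    "transfer":       (lambda s, i: s["busy"] and not i["last"],
                       lambda s, i: {"busy": True, "req_q": s["req_q"] or i["start"],
                                     "done_o": False, "ack_o": s["req_q"]}),
    "transfer_last":  (lambda s, i: s["busy"] and i["last"] and not s["req_q"],
                       lambda s, i: {"busy": False, "req_q": False, "done_o": True, "ack_o": False}),
    "restart":        (lambda s, i: s["busy"] and i["last"] and s["req_q"],
                       lambda s, i: {"busy": True, "req_q": False, "done_o": True, "ack_o": True}),
}


def prove(ops):
    """Property check: every committed value must hold on every reachable trigger."""
    failures = set()
    for name, (trig, commit) in ops.items():
        for s, i in product(STATES, INPUT_VECTORS):
            if trig(s, i):
                nxt, outs = duv_step(s, i)
                actual = {**nxt, **outs}
                failures.update((name, sig) for sig, val in commit(s, i).items()
                                if val is not None and actual[sig] != val)
    return sorted(failures)


def determination_test(ops, visible):
    """Gap: an output or a visible register has no fixed value at the right hook."""
    gaps = set()
    for name, (trig, commit) in ops.items():
        for s, i in product(STATES, INPUT_VECTORS):
            if trig(s, i):
                c = commit(s, i)
                gaps.update((name, sig) for sig in visible + OUTPUTS if c.get(sig) is None)
    return sorted(gaps)


def successor_test(ops, visible):
    """Gap: for given visible registers and inputs, every trace must fire exactly
    one operation (none firing is a case-split gap, different ones a successor gap)."""
    by_view = {}
    for s in STATES:
        by_view.setdefault(tuple(s[r] for r in visible), []).append(s)
    gaps = []
    for view, states in by_view.items():
        for i in INPUT_VECTORS:
            fired = {frozenset(n for n, (t, _) in ops.items() if t(s, i)) for s in states}
            if len(fired) != 1 or len(next(iter(fired))) != 1:
                gaps.append((view, tuple(i[k] for k in INPUTS)))
    return sorted(gaps)


if __name__ == "__main__":
    for label, ops, vis in (("v1", OPS_V1, VISIBLE_V1), ("v2", OPS_V2, VISIBLE_V2)):
        print(label, "proof failures:", prove(ops))
        print(label, "determination gaps:", determination_test(ops, vis))
        print(label, "case-split/successor gaps:", successor_test(ops, vis))
```

With only busy visible, the first operation set proves without failures (nothing it commits to is wrong), yet it has gaps of both kinds: ack_o is left open in three operations, and which of transfer_last or restart fires after a busy cycle with last=1 depends on the internal req_q, so two traces that agree on visible registers and inputs disagree on the successor. Declaring req_q visible and committing to every signal, as the second set does, removes all gaps, which is the "gap: refine property" iteration of the closed loop.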


Summary

• GapFreeVerification process
  – Is an engineering process taking RTL and design specification as inputs and producing an error-free DUV
  – Partitions verification into tractable subtasks via operations and phases
  – Subtasks guided and partially automated by 360 MV
  – Provides formal design specification (abstract RT) in operation properties and property graph
  – Provides clean termination criteria for phases and overall verification
  – Termination criterion for verification automatically checked