Certitude™ Functional Qualification with Formal Verification
Certitude™ Functional Qualification with Formal Verification
Certitude™ Functional Qualification with Formal Verification
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Certitude<br />
<strong>Functional</strong> <strong>Qualification</strong> <strong>with</strong> <strong>Formal</strong> <strong>Verification</strong><br />
Jean-Marc Forey<br />
November 2012<br />
Springsoft Proprietary
Topics<br />
Case study presentation<br />
Why <strong>Verification</strong><br />
<strong>Verification</strong> efficiency<br />
<strong>Formal</strong> verification<br />
Introduction to Certitude <strong>Functional</strong><br />
<strong>Qualification</strong><br />
Results obtained on the studied case<br />
Conclusion<br />
Q&A<br />
2 Springsoft Proprietary
Case study presentation<br />
Synchronous fifo<br />
•Clock, Reset_<br />
•ReadEn, WriteEn, DataIn<br />
•FifoEmpty, FifoFull, DataOut<br />
• All outputs are clocked<br />
<strong>Formal</strong> verification environment<br />
•Focused on flags<br />
•Leveraged from an other design<br />
•7 assertions<br />
Dynamic verification environment<br />
•Focused on data path<br />
•Directed test<br />
3 Springsoft Proprietary
Why verification?<br />
Designs are made by humans<br />
Humans make mistakes<br />
Hence designs have bugs<br />
However customers / consumers want<br />
• Bug free designs<br />
• Safer, more reliable products<br />
• More features, more powerful products<br />
How can providers satisfy the above constraints?<br />
=> Have computers make designs<br />
=> Wait for bugs to be reported by the users<br />
=> Audit the design to squeeze out the bugs<br />
4 Springsoft Proprietary
<strong>Verification</strong><br />
Set of techniques to find bugs in designs<br />
• Human contribution is primordial<br />
• Specs, Architecture, Methodology ...<br />
• Implementation aspects assisted by computers<br />
• For test generation<br />
• To check simulation results<br />
• To check which properties hold<br />
• And provide counter examples, for those that don’t<br />
But there are some little hurdles…<br />
• Size of the problem and available time<br />
• How to measure verification?<br />
• What is the meaning of the measure?<br />
• How to combine measurements?<br />
5 Springsoft Proprietary
<strong>Verification</strong><br />
<strong>Verification</strong> is partial<br />
• Art: what to verify, at which level, methods<br />
• Risk management: what to skip, when to stop<br />
• Combine techniques<br />
<strong>Verification</strong> too is subject to bugs<br />
• Missing properties<br />
• Missing / broken checkers<br />
• Missing tests<br />
• Missing scenarios<br />
Bugs in the VE hide bugs in the design<br />
How to gauge the efficiency of the verification?<br />
6 Springsoft Proprietary
<strong>Verification</strong> efficiency<br />
Metrics to estimate what was done<br />
• Bug rate<br />
• <strong>Functional</strong> coverage<br />
• Dynamic verification only<br />
• Structural coverage(s) of the design<br />
• Line, block, condition, expression, toggle,<br />
fsm, branch, path, MC/DC, ???<br />
• Which one(s) make(s) sense <strong>with</strong> <strong>Formal</strong><br />
verification?<br />
7 Springsoft Proprietary
Metrics meaning<br />
Metrics to estimate what was done<br />
• Really???<br />
• not covered => not verified<br />
• But Covered doesn’t mean Verified<br />
not (not covered => not verified) (verified =><br />
covered)<br />
How to combine metrics?<br />
• Ex: line, toggle, fsm, functional<br />
• How to combine data from dynamic / formal VE?<br />
What are the achievable scores for a given<br />
design?<br />
How much is a metric (score) telling about the<br />
VE effectiveness?<br />
8 Springsoft Proprietary
<strong>Formal</strong> verification<br />
Some key questions about formal<br />
verification in the following slides<br />
9 Springsoft Proprietary
<strong>Formal</strong> verification<br />
Properties<br />
• How many are needed?<br />
• Which ones?<br />
• Only asked questions are answered...<br />
• Have you got all the right questions?<br />
10 Springsoft Proprietary
<strong>Formal</strong> verification<br />
Properties<br />
No (explicit) stimuli, but there are implicit ones<br />
• All stimuli combinations are considered as being<br />
valid<br />
• Unless restricted by constraints<br />
• Doesn’t mean they are all valid<br />
• What if some combinations are illegal and no<br />
constraint was set<br />
• All the properties are passing<br />
• Isn’t it strange if invalid inputs don’t lead to output<br />
misbehaviours<br />
• How many properties are missing? Which ones?<br />
• Are the reached cover points valid???<br />
• Some may be reachable only through forbidden input<br />
combinations<br />
11 Springsoft Proprietary
<strong>Formal</strong> verification<br />
Properties<br />
No (explicit) stimuli<br />
Execution traces / waveforms<br />
• For counter examples only<br />
• One has to believe the formal tool when it<br />
reports a pass<br />
12 Springsoft Proprietary
<strong>Formal</strong> verification<br />
Properties<br />
No (explicit) stimuli<br />
Traces<br />
How much of the design is used to get the<br />
proofs?<br />
Which aspects of the design are “verified”?<br />
White box verification remains a misleading<br />
friend<br />
IU<br />
ID<br />
.<br />
B1<br />
P1 B2 P2<br />
?<br />
13<br />
Springsoft Proprietary
<strong>Formal</strong> verification<br />
not (FifoFull && FifoEmpty)<br />
ReadEn<br />
WriteEn<br />
DataIn<br />
Cone Of Influence<br />
Reduced cone<br />
FifoEmpty<br />
FifoFull<br />
DataOut<br />
In the above example<br />
• Inputs ReadEn/WriteEn can influence the FifoEmpty<br />
output<br />
• Only 1 gate is needed to prove the property<br />
• The property is necessary but not sufficient<br />
Cone of influence != What is verified ≅ Reduced cone<br />
14<br />
Springsoft Proprietary
How do you find the reduced cone?<br />
Inject (artificial) bugs!<br />
At least one property fail<br />
• Good<br />
All property passes<br />
• Bad<br />
• The same bug would be missed<br />
• Can be very shocking<br />
• Bugs <strong>with</strong> similar effect would be missed too<br />
• Ex: not detected SA0 on FifoFull<br />
• Missing properties? Over-constraints?<br />
• More verification is needed<br />
• Dynamic and/or formal<br />
15 Springsoft Proprietary
Certitude principle<br />
Inject faults (artificial bugs)<br />
ReadEn<br />
WriteEn<br />
DataIn<br />
FifoEmpty<br />
FifoFull<br />
DataOut<br />
Run the verification<br />
• At least 1 Fail => fault is detected (good)<br />
• All Pass => fault is not detected (bad)<br />
16<br />
Springsoft Proprietary
Certitude principle<br />
Inject faults (artificial bugs)<br />
ReadEn<br />
WriteEn<br />
DataIn<br />
FifoEmpty<br />
FifoFull<br />
DataOut<br />
Run the verification<br />
• At least 1 Fail => fault is detected (good)<br />
• All Pass => fault is not detected (bad)<br />
17<br />
Springsoft Proprietary
How it Works<br />
Modifies RTL code to insert faults<br />
out1 = f(i1) out1 = 1’b0 // disconnect output and tie it to constant<br />
if (a) if (TRUE) // remove “else” branch<br />
f1();<br />
f1();<br />
else<br />
f2();<br />
else<br />
f2();<br />
a = b | c a = b & c // change operator<br />
Same principle and definition is applicable to both<br />
dynamic and formal verification<br />
• Combining data from dynamic and formal is immediate<br />
18 Springsoft Proprietary
Case study results<br />
Fifo presented previously<br />
<strong>Formal</strong> verification<br />
• Focused on flags<br />
• Properties:<br />
P_correct_flag_interval: not(F1 ##1 !F2[*0:14] ##1 F2)<br />
• With F1=FifoEmpty and F2=FifoFull<br />
• With F1=FifoFull and F2=FifoEmpty<br />
P_never_FE_FF: not (FifoEmpty && FifoFull)<br />
P_deassert_FE: WriteEn && !ReadEn |=> !FifoEmpty<br />
P_deassert_FF: !WriteEn && ReadEn |=> !FifoFull<br />
P_FF_Stable: !ReadEn && FifoFull |=> FifoFull<br />
P_FE_Stable: !WriteEn && FifoEmpty |=> FifoEmpty<br />
19 Springsoft Proprietary
Case study<br />
<strong>Qualification</strong> of the formal verification<br />
• 28 NA and 14 ND out of 83 faults<br />
• NA: not in the cone of influence of any<br />
property<br />
• ND: all properties are proven on the<br />
modified design<br />
• SA0 on FifoEmpty and FifoFull are ND<br />
• A pair of properties don’t seem effective<br />
p_correct_flag_interval: not(F1 ##1<br />
!F2[*0:14] ##1 F2)<br />
20 Springsoft Proprietary
Case study<br />
21 Springsoft Proprietary
Case study<br />
Added 2 properties<br />
p_getFull: !ReadEn throughout (WriteEn[->4]) |=><br />
FifoFull<br />
p_getEmpty: !WriteEn throught (ReadEn[->4]) |=><br />
FifoEmpty<br />
Got 2 failures (due to 2 bugs) for specific<br />
Read/Write pointer values<br />
• Due to expressions like<br />
if (… && (ReadPtr+1==WritePtr) && …)<br />
• Was replaced by<br />
`define ONE {{ADDR_WIDTH{1’b0}},1’b1}<br />
if (… && (ReadPtr+`ONE==WritePtr) && …)<br />
<strong>Qualification</strong> of the formal verification after fixes<br />
• 34 NA and 2 ND out of 93 faults<br />
22 Springsoft Proprietary
Case study<br />
23 Springsoft Proprietary
Case study<br />
Dynamic verification focused on data side<br />
<strong>Qualification</strong> of the dynamic verification<br />
• 5 NA, 9 NP, 11 ND out of 83 faults<br />
• NA: non activated<br />
• NP: non propagated; no influence at the boundary of<br />
the design and test passed<br />
• ND: output behaviour is different, and tests pass<br />
Improved VE and found 2 bugs on the data side<br />
• Related to Read / Write in the memory when the fifo is<br />
empty/full<br />
<strong>Qualification</strong> of the dynamic verification after the<br />
fixes<br />
• 2 NA, 2 NP, 2 ND faults out of 95 faults<br />
• ND are detected by the static VE<br />
• NP are in redundant code<br />
24 Springsoft Proprietary
Conclusion<br />
Certitude helps understand what parts of the design are<br />
verified<br />
• Even more important <strong>with</strong> formal verification<br />
Addressing verification issues pointed out by Certitude<br />
allows verifier to discover design bugs<br />
• The bugs discovered <strong>with</strong> formal would probably not have<br />
been found <strong>with</strong> dynamic verification – too corner case<br />
Easy to merge metrics from dynamic and formal<br />
verification environments<br />
• Get a global picture of the verification strengths and<br />
weaknesses<br />
• Address the issues where best suited<br />
• Optimize the verification effort<br />
Certitude provides a strong unified metric for both<br />
dynamic and formal verification<br />
25 Springsoft Proprietary
Q&A<br />
26 Springsoft Proprietary
Impact of Poor <strong>Verification</strong> Environment<br />
Wasted CPU cycles<br />
• Missing / buggy checkers and assertions<br />
mean RTL bugs go undetected even <strong>with</strong><br />
more tests and CPU time<br />
Inefficient resource allocation<br />
• Which blocks are poorly verified?<br />
• Do I need better stimulus / scenario?<br />
Late-stage identification of problems<br />
• ECOs required close to tape-out<br />
Silicon re-spins<br />
• Bug escapes Significant $$<br />
27 Springsoft Proprietary
Effective <strong>Verification</strong><br />
It’s all about activation, propagation, and detection<br />
Activation<br />
Bug<br />
Propagation<br />
Detection<br />
Stimulus<br />
Design under<br />
<strong>Verification</strong><br />
Compare<br />
Reference Model<br />
<strong>Verification</strong> Environment<br />
To detect a bug…<br />
• The stimulus must activate the buggy logic<br />
• An effect of the bug must propagate to an observation point<br />
• The environment must detect the behavior difference due to the bug<br />
28 Springsoft Proprietary
Existing Tools are Insufficient<br />
Code coverage measures activation, but says<br />
nothing about propagation or detection<br />
Activation<br />
Bug<br />
Propagation<br />
Detection<br />
Stimulus<br />
Design under<br />
<strong>Verification</strong><br />
Compare<br />
Reference Model<br />
<strong>Verification</strong> Environment<br />
<strong>Functional</strong> coverage checks “important” functional<br />
points, but is subjective and incomplete<br />
29 Springsoft Proprietary
Introducing <strong>Functional</strong> <strong>Qualification</strong><br />
<strong>Functional</strong> <strong>Qualification</strong><br />
Activation<br />
Fault<br />
Propagation<br />
Detection<br />
Stimulus<br />
Design under<br />
<strong>Verification</strong><br />
Compare<br />
Reference Model<br />
<strong>Verification</strong> Environment<br />
• Inserts “artificial bugs” called faults into the design<br />
• Measures the ability of the verification environment to<br />
activate, propagate, and detect the faults<br />
• “<strong>Qualification</strong>” of the verification environment against many<br />
inserted faults provides objective measure of overall quality<br />
and identifies holes and weaknesses<br />
30 Springsoft Proprietary
Typical Problems Found by Certitude<br />
Missing or incomplete<br />
checker/assertion<br />
• Hole in test plan<br />
• Test plan item not implemented<br />
• Test plan item misinterpreted<br />
• Checker disabled and forgotten<br />
Missing or incomplete test<br />
scenario<br />
• Hole in test plan<br />
• Test plan item not implemented<br />
• Environment over-constrained<br />
• Thought test wasn’t important<br />
Process problem<br />
• Script error gives false positive “pass”<br />
• Checker disabled and forgotten<br />
• Areas that need closer review<br />
Redundant logic or dead code<br />
• Unreachable due to RTL bug<br />
• Useless logic from re-use<br />
Areas of low coverage<br />
• Some logic not activated by any test<br />
• Logic activated but poorly propagated<br />
• Test subset not as good as thought<br />
Springsoft Proprietary
Certitude <strong>Functional</strong> <strong>Qualification</strong> System<br />
The industry’s first and only <strong>Functional</strong> <strong>Qualification</strong><br />
solution<br />
Production-proven<br />
• Extensive worldwide customer list<br />
• Processor, communication, automotive, network, storage,<br />
wireless, multimedia, …<br />
Supports all common RTL languages and simulators<br />
• Verilog, VHDL, SystemVerilog<br />
• VCS, Questa, IUS/NC<br />
Supports all verification environments<br />
• Verilog, VHDL, SystemVerilog, C/C++, Specman/e, Vera, …<br />
Integrates quickly and easily <strong>with</strong> your simulation<br />
environment<br />
• Based on infrastructure already available in your regression<br />
flow<br />
32 Springsoft Proprietary