COMS31700 Design Verification:

## Block-level Case Study

(with demonstration of ABV and Formal Verification)

### Kerstin Eder

(Acknowledgement: I gratefully acknowledge the support from Jasper Design Automation who provide the licenses for the Formal Verification Tool demonstration.)





### Case Study

Specification
Verification Plan
Directed Testing
(Code Coverage)
Functional Coverage
Assertion-based Verification
Formal Property Checking



**Specification** 

### **Example DUV Specification - Inputs**



- Inputs:
  - wr indicates valid data is driven on the data\_in bus
  - data\_in is the data to be pushed into the DUV
  - rd pops the next data item from the DUV in the next cycle
  - clear resets the DUV

### Example DUV Specification - Outputs



- Outputs:
  - data\_out\_valid indicates that valid data is driven on the data\_out bus
  - data\_out is the data item requested from the DUV
  - empty indicates that the DUV is empty
  - full indicates that the DUV is full

6

### **DUV Specification**

- High-Level functional specification of DUV
  - The design is a FIFO.
  - Reading and writing can be done in the same cycle.
  - Data becomes valid for reading one cycle after it is written.
  - No data is returned for a read when the DUV is empty.
  - Clearing takes one cycle.
  - During clearing read and write are disabled.
  - Inputs arriving during a clear are ignored.
  - The FIFO is 8 entries deep.

Verification Plan

Those who fail to plan, plan to fail.

### The Verification Plan

- Functions to be verified:
  - unctions to be verified:

    For each level in the design verified at that level.

    Verification Plans are "live" documents. They change as our understanding of the DUV increases.
  - In particular, identify corner
- Methods of verification: Def

- Comp Def
- The Verification Plan is the Specification
  - for the Verification Process
- In p Resources required (people) and schedule details:
  - Integrate the verification plan into the overall design plan and estimate the cost of verification
- Required tools:
  - List the software and hardware necessary to perform verification.

Test Scenarios Matrix - Basic

| Test # | Description                   |                                 |  |
|--------|-------------------------------|---------------------------------|--|
| 1.1    | Check the write functionality |                                 |  |
| 1.2    | Check the read functionality  | Develop a Test Scenarios Matrix |  |
| 1.3    | Check the reset functionality | for our Case                    |  |
| 1.4    | Check                         | Study DUV.                      |  |

NOTE: "Check that X" should be read as "Create a scenario that allows checking X"

- These generic tests should be broken to more specific tests
  - Test case 1.1.1: Check write when empty
     Test case 1.1.2: Check write when full

  - Test case 1.1.3: Check write during reset

White Box View **DUV** Implementation

### **Example DUV Implementation**

- Implementation based on a circular buffer
  - nxt\_wr and nxt\_rd pointers indicate where the next entry will be written to or read from.
  - data\_counter indicates the number of valid data items in the FIFO.
  - Complex control logic for pointers and counter.



### **Functional Coverage**

### Cross-Product Functional Coverage

[O Lachish, E Marcus, S Ur and A Ziv. Hole Analysis for Functional Coverage Data. In proceedings of the 2002 Design Automation Conference (DAC), June 10-14, 2002, New Orleans, US.]

### A cross-product coverage model is composed of the following parts:

- 1. A semantic description of the model (story)
- 2. A list of the attributes mentioned in the story
- 3. A set of all the possible values for each attribute (the attribute value domains)
- 4. A list of restrictions on the legal combinations in the cross-product of attribute values

### FIFO Cross Product Coverage Model

- From a "White Box" verification perspective:
  - The FIFO is implemented using a circular buffer.
  - The circular buffer implementation is based on the following control signals:
    - nxt rd, nxt wr, data counter
  - These signals are used to control the data flow and also the empty and full signals.
  - Verification Plan:
    - Interactions of read and write transactions can create complex and unexpected conditions. All combinations need to be verified to gain confidence in the correctness of the FIFO.
- This is the story.

### FIFO Cross Product Coverage Model

- Attributes relevant to the coverage model:
  - nxt\_rd, nxt\_wr, data\_counter, empty, full signals
- Attribute value domains:
  - nxt\_rd ∈ {0,1,2,3,4,5,6,7}
  - nxt\_wr ∈ {0,1,2,3,4,5,6,7}
  - data\_counter ∈ {0,1,2,3,4,5,6,7,8}
  - empty € {0,1}
  - full ∈ {0,1}
- Full coverage space:
  - 8\*8\*9\*2\*2 = 2304 coverage tasks
  - Format: (nxt\_rd, nxt\_wr, data\_counter, empty, full)
  - Find some legal and some illegal examples

### FIFO Cross Product Coverage Model

- Attributes relevant to the coverage model:
  - nxt\_rd, nxt\_wr, data\_counter, empty, full signals
- Attri **Legal Coverage Tasks:** (0,0,0,1,0)
  - nxt
  - (2,2,8,0,1)
  - dat – em
- Full coverage space:

full ∈ {0,1}

- 8\*8\*9\*2\*2 = 2304 coverage tasks
- Format: (nxt\_rd, nxt\_wr, data\_counter, empty, full)
- Find some legal and some illegal examples

Illegal Coverage Tasks:

(1,1,4,0,0)

### FIFO Cross Product Coverage Model

- - data counter is only important when nxt rd==nxt wr so that one can tell the difference between empty and full

Defining meaningful functional coverage requires design understanding and engineering

- 64 combinations of nxt rd and nxt wr
- 56 cases are for nxt rd!=nxt wr, so er
- 8 cases are for nxt\_rd==nxt\_wr
- one set of 8 is for data\_counter==0, so
- one set of 8 is for data\_counter==8, so empty and full are not both asserted at
- Revised format of coverage model:
- (nxt\_rd, nxt\_wr, empty, full)
- total size of coverage space: 8\*8\*2\*2 = 256 coverage tasks
- Encode assumptions into properties
- Only 56+8+8 = 72 coverage tasks are legal and meaningful.
- It is worth noting the close link of the above coverage model to the properties for formal verification.

### Constraint Pseudo Random Test Generation



# Test Scenarios Matrix — Advanced Topic Test # Description 2.1 Data is not modified 2.2 2.2 2.3 2.4



| rest             | Sce    | enarios Matrix – Advanced            |
|------------------|--------|--------------------------------------|
|                  |        |                                      |
| Topic            | Test # | Description                          |
| Data<br>checking | 2.1    | Data is not modified                 |
|                  | 2.2    | Data is not lost                     |
|                  | 2.3    | Data is not duplicated               |
|                  | 2.4    | Data order is maintained             |
| Corner cases     | 2.3    | Reading and writing at the same time |
|                  | 2.3.1  |                                      |
|                  | 2.3.2  |                                      |
|                  |        |                                      |
|                  |        |                                      |
|                  |        |                                      |
|                  | •      |                                      |

| Topic            | Test # | Description                          |
|------------------|--------|--------------------------------------|
| Data<br>checking | 2.1    | Data is not modified                 |
|                  | 2.2    | Data is not lost                     |
|                  | 2.3    | Data is not duplicated               |
|                  | 2.4    | Data order is maintained             |
| Corner<br>cases  | 2.3    | Reading and writing at the same time |
|                  | 2.3.1  |                                      |
|                  | 2.3.2  |                                      |
|                  |        |                                      |
|                  |        |                                      |
|                  |        |                                      |



### **Bug Hunting**

### Given the following bug...

- Concurrent reading from and writing to FIFO
  - Should the data counter change its value?

27

### Given the following bug...

- Concurrent reading from and writing to FIFO
  - ok, the data counter should not change its value
  - unless reading from and writing to the same data slot
  - this only happens when the FIFO is
    - empty: When the FIFO is empty and there is a write at the same time as a read (from empty), then the read should be ignored.
    - full: When the FIFO is full and there is a read at the same time as a write, then the write (to full) should be ignored.
  - But the logic that controls the value of the data counter does not distinguish these special cases.
  - What do we need to do to find these bugs?

28





## **ABV**

### Properties of the DUV

### Black box view:

An invariant property.

- Empty and full are never asserted together.
- After clear the FIFO is empty
- After writing 8 data items the FIFO is full.
- Data items are moving through the FIFO unchanged in terms of data content and in terms of data order.
- No data is duplicated.
- No data is lost.
- data\_out\_valid only for valid data, i.e. no x's in data.

### Properties of the DUV

- White box view:
  - The value range of the read and write pointers is between 0 and 7.
  - The data\_counter ranges from 0 to 8.
  - The data in the FIFO is not changed during a clear.
  - For each valid read the read pointer is incremented.
  - For each valid write the write pointer is incremented.
  - Data is written only to the slot indicated by nxt wr.
  - Data is read only from the slot indicated by nxt\_rd.
  - When reading and writing the data\_counter remains unchanged.
    - What about a RW from an empty/full FIFO?

### **Property Formalization**

## Formalization of key DUV Assertions

- System Verilog Assertions (SVA) for:
  - Empty and full are never asserted together. property not\_empty\_and\_full;

@ (posed Challenge: After c There are many more simulation. propert interesting @ (posed assertions.

ertions can be nitored during

ertions can also used for formal perty checking.

 On empty after one write the FIFO is no longer empty. property not\_empty\_after\_write\_on\_empty;
@ (posedge clk) (empty && wr |=> !empty); endproperty

assert property (not empty after write on empty);

### Corner case properties

• FIFO empty: When the FIFO is empty and there is a write at the same time as a read (from empty), then the read should be ignored.

property empty\_write\_ignore\_read;
@ (posedge clk) {empty && wr && rd |=> data\_counter == \$past(data\_counter)+1}; endproperty

assert property (empty\_write\_ignore\_read); cover property (empty write ignore read);

 FIFO full: When the FIFO is full and there is a read at the same time as a write, then the write (to full) should be ignored.

property full\_read\_ignore\_write @ (posedge clk) {full && rd && wr |=> data\_counter == \$past(data\_counter)-1); endproperty assert property (full\_read\_ignore\_write); cover property (full read ignore write);

## Formal Property Checking











### The Role of Formal Property Checking

- Property Checking is the most common form of high-level formal verification used in practice
  - Property checking is fully automatic.
    - Requires the properties to be written.
  - It performs exhaustive verification of the design wrt the specified properties.
  - It provides proofs and can demonstrate the absence of bugs.
  - A counter example is presented for failed properties
  - Used for critical well specified parts of the design
    - Cache coherence protocols, Bus protocols, Interrupt controllers
- Formal Methods can suffer from capacity limits
  - There are tried and trusted techniques to overcome these:
    - Restrict property checking to work over finite small time windows
    - Limit environment behaviour by strengthening constraints
    - Case splits over a set of properties, partitioning and black boxing.





### How do you know you've encoded the property right?

- Keep properties and sequences simple.
  - Build complex properties from simple, short properties
    - Peer review properties you write.



- If the property fails, you can investigate the counter example:
  - Is it reachable or not?
- But if the property succeeds, how do you know whether you've encoded the property right?

### Formal Property Checking

- Property checking tools can formally verify assertions
  - Basic properties (visualize):
    - Basic functionality
  - Range checks
  - Re-use SV Assertions as properties (check):
    - Empty and full are never asserted together.
    - After clear the FIFO is empty.
    - On empty after one write the FIFO is no longer empty.
  - Understanding counter examples:
    - Debug an assumption
    - Debug a design property

- Note: Closely related to functional coverage.
  - Link from env\_constraints to simulation assertions

### Formal Property Checking

- Jasper DEMO
  - Formal verification of selected FIFO properties from ABV

JasperGold Copyright Notice and Proprietary Information Copyright © 2000-2012 Jasper Design Automation, Inc. All rights reserved.

- This software and documentation ("Materials") are owned by Jasper Design
- No part of these Materials may be reproduced, transmitted, or translated, in any rm or by any means, electronic, mechanical, manual, optical, or otherwise, without prior written permission of Jasper Design Automation.
- Any disclosure about the Jasper Design Automation software or its use model to any third party violates the written Non-Disclosure Agreement between Jasper Design Automation and the University.

  This software contains confidential information and trade secrets of Jasper Design
- Automation, Inc. use, disclosure, or reproduction is prohibited without the prior express written permission of Jasper Design Automation, Inc.

### How big is Exhaustive?

- Consider simulating a typical CPU design
  - 500k gates, 20k DFFs, 500 inputs
    70 billion sim cycles,

  - running on 200 linux boxes for a week

     How big: 2<sup>36</sup> cycles
- Consider formally verifying this design
- That's a big number!
  - Cycles to simulate the 500k design:Cycles to formally verify a 32-bit adder:

  - Number of stars in universe:
  - Number of atoms in the universe: Possible X combinations in 500k design:
  - Cycles to formally verify the 500k design:

 Input sequences: cycles 2<sup>(inputs-state)</sup> = 2<sup>20500</sup>
 What about X's: 2<sup>15000</sup> (5,000 X-assignments + 10,000 non-reset DFFs)
 How big: 2<sup>20500</sup> cycles (2<sup>15000</sup> combinations of X is not significant here!) (70 billion) (18 billion billion) (10<sup>21</sup>) (10<sup>78</sup>) (10<sup>4515</sup> x 3) (10<sup>6171</sup>) 2<sup>70</sup> 2<sup>260</sup>

### Summary

- Block-level Case Study
  - Specification

  - Verification PlanDirected Testing
  - (Code Coverage)

  - Functional CoverageAssertion-based Verification
  - Formal Property Checking



- No single method is adequate to cover a whole design in practice.
  - Carefully select the verification methods that maximize ROI.
  - Complement simulation with formal: Integrated approach

### Merry Christmas and a Happy New Year



Why red wine is so important for Christmas