More Related Content
Similar to A comprehensive formal verification solution for ARM based SOC design (20)
![From Curiosity to ROI — Cost-Benefit Analysis of Agentic Automation [3/6]](https://cdn.slidesharecdn.com/ss_thumbnails/session-3-250903141006-a3917e1a-thumbnail.jpg?width=560&fit=bounds)
A comprehensive formal verification solution for ARM based SOC design
- 1. A Comprehensive Formal Verification Solution for ARM® Processor Based SoC Design Laurent Arditi, PhD – ARM Formal Verification Expert Ziyad Hanna, PhD – Jasper VP of Research & Chief Architect May 2, 2012 1
- 2. Jasper Provides Verification Solutions to IP and System-on-chip Designs Property Synthesis Formal Property Verifica8on Automated asser0on genera0on Protocol cer0fica0on Iden0fica0on of coverage holes End-‐to-‐end packet integrity Inference and synthesis of func0onal proper0es Asynchronous clocking effects from RTL and simula0on waveforms Asser0on-‐based verifica0on RTL Development Verifica8on IP Designer-‐based verifica0on w/o testbench Cer0fica0on of AMBA 4/ACE checkers Design trade-‐off analysis Popular standard protocols X-‐propaga0on detec0on and debug Configurable, illustra0ve, op0mized for formal Power management verifica0on Architecture Valida8on Post-‐Silicon Debug SoC Integra8on Executable spec Failure signature matching Automated register verifica0on Absence of deadlock Root cause isola0on Glitch detec0on Cache coherency Candidate cause elimina0on Mul0-‐cycle path verifica0on Valida0on of fixes before re-‐spin Chip-‐level connec0vity Higher Capacity Interac8ve Debug Increased Throughput Wider Deployment Verify complex 100M gate Modify/create proper0es on U0lize mul0ple proof Proliferate across designs the fly to explore design engines on parallel compute engineering teams with behavior resources unique adop0on model Page 2 | © 2012, Jasper Design Automation | Confidential May 2, 2012 2
- 3. Customers Ericsson - A world of communication - Ericsson Apple WELCOME TO ERICSSON Sony SMI AMCC Page 3 | © 2012, Jasper Design Automation | Confidential May 2, 2012 3
- 4. Agenda IP Level Formal Verification at ARM System Level Verification of ARM® processor based SoC Page 4 | © 2012, Jasper Design Automation | Confidential May 2, 2012 4
- 5. ARM Cortex-R7 Formal Verification with Jasper The ARM formal verification flow based on Jasper has been found to have capacity to support the verification of a Cortex-R series real-time processor Setup • All the formal verification tasks for the ARM Cortex-R7 are applied at the top-level • The top-level constraints are “simple” • AXI protocol checkers • Models of RAMs only where needed (mostly cache tags): CAMs with additional constraints to start from a non-empty RAM content • A few assumptions to avoid fails due to software errors Page 5 | © 2012, Jasper Design Automation | Confidential May 2, 2012 5
- 6. Trial ARM Formal Verification Flow waveforms RTL design team properties JasperGold setup validation team constraints abstractions report leads & managers email Excel ValSpider Jira Trial deployment on several blocks and units, with differing design size. Page 6 | © 2012, Jasper Design Automation | Confidential May 2, 2012 6
- 7. Formal for RTL Development - RTLD Designer-based verification w/o testbench • Allows early RTL exploration without the need to generate input stimulus • Start with simple behaviors about the design – cover line_eop • Group simple behaviors together to build complex scenarios • Write assertions about events that are always/never true Design trade-off analysis • Behaviors and scenarios allow for easy incremental analysis and RTL comparison tasks Higher quality RTL passed to other teams in the design/verification flow Page 7 | © 2012, Jasper Design Automation | Confidential May 2, 2012 7
- 8. Jasper Flow for RTL Designers* What-if analysis Visualize design behavior w/o testbench RTL Debug failing scenarios Functional scenario A : assertion 5 violation Functional scenario B : assertion 7 violation Combine and save Functional scenario C…… multiple functional Functional scenario D….. scenarios Scenario A Compare saved Scenario B RTL’ scenarios Scenario C Database against modified Scenario D RTL Modified RTL (*Partially used at ARM) Page 8 | © 2012, Jasper Design Automation | Confidential May 2, 2012 8
- 9. Jasper’s Visualize Technology Simula0on Visualize RTL Waveform RTL Waveform Simulator VisualizeTM Testbench state == READ ack = 1 state == READ ack = 1 Target is always in the Target waveform Simula0on • More of an ‘input driven’ method, may not exercise desired behavior • Wiggle the inputs to produce a desired behavior (trial and error) Visualize • More of an ‘output driven’ method and u0lizes formal engines • QuietTraceTM minimizes inputs and s0ll produces desired behavior • Interac0vely add constraints to construct desired waveform Page 9 | © 2012, Jasper Design Automation | Confidential May 2, 2012 9
- 10. ARM Experience Laurent Arditi, Principal Engineer, Processor Division, Jasper User Group 2011 Some simulation test benches were not ready soon enough to run the first RTL modules with new features So used FV to check these new features Use of basic properties to check the RTL is not completely broken Use of visualize to show the design is alive and the new features “do something” not stupid It’s much faster to get a working formal setup than a simulation one And designers find formal counter-examples to be easier to debug than simulation failures Page 10 | © 2012, Jasper Design Automation | Confidential May 2, 2012 10
- 11. ARM’s Assertion Based Design with JasperGold Assertions were written for both simulation and formal Strong but simple SVA coding guidelines, for the ARM Cortex-R7: • Avoid non-synthetizable properties (but liveness is accepted) • Maximize the use of implications to get coverage points for free • Software constraints turned into assumes for formal • Critical properties on which a higher effort must be put X-Propagation checks Depending on the configuration, end-up with thousands of properties Page 11 | © 2012, Jasper Design Automation | Confidential May 2, 2012 11
- 12. Formal Verification Dashboard 1600 Properties 18% 1400 Proven % fail 16% Fail 1200 14% % unreachable Undetermined 12% 1000 Poly. (% fail) 10% Poly. (% unreachable) 800 8% 6% 600 4% 400 2% 200 0% 0 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 2 4 6 8 10 12 beta EAC beta EAC Page 12 | © 2012, Jasper Design Automation | Confidential May 2, 2012 12
- 13. JasperGold Found 15% of The Bugs Formal found many bugs at the start of the project. They were not tracked Started to count the assertion fails in Jan’11, and in Jira in July’11 (beta) 0.18 % fail 0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0 Page 13 | © 2012, Jasper Design Automation | Confidential May 2, 2012 13
- 14. Quality of bugs found by JasperGold All bugs found by formal were not found earlier by simulation Very few false-negatives • They could be resolved by adding new constraints • A few remaining are UNPREDICTABLE cases and the constraints to discard them are too complex to write. So these fails are “explained” and skipped Formal provides easy to debug waveforms Quality of the bugs found by formal: • Very good at the beginning: obvious design errors • Real corner cases Assertions are usually simple. More sequential ones would find more complex bugs Higher-level properties would allow to discover more fundamental bugs: deadlock, coherency, determinism. Planned for maturity Page 14 | © 2012, Jasper Design Automation | Confidential May 2, 2012 14
- 15. Agenda IP Level Formal Verification at ARM System Level Verification of ARM processor based SoC Page 15 | © 2012, Jasper Design Automation | Confidential May 2, 2012 15
- 16. ARM Based Heterogeneous System-on-Chip GIC-400 ARM Video LCD Mali-T604 I/O graphics device ARM ARM Network Interconnect Quad Quad NIC-400 Cortex-A15 Cortex-A7 MMU-400 MMU-400 MMU-400 Cache Coherent Interconnect CCI-400 Dynamic Memory Controller Network Interconnect DMC-400 NIC-400 PHY PHY DDR3/LPDDR2 DDR3/LPDDR2 Slaves Slaves JUG-2011 Paul Martin [email protected] Page 16 | © 2012, Jasper Design Automation | Confidential May 2, 2012 16
- 17. SoC Integration and Verification Challenges Protocol Modeling and Verification, Coherency Standard Interface Modeling and Verification (ProofKits) System Level Deadlocks Detection and Verification Connectivity and Integration Register programming sequence Power analysis and verification Security checks Page 17 | © 2012, Jasper Design Automation | Confidential May 2, 2012 17
- 18. ACE Verification – High-level Properties Coherence • If a master s cache has a line in UD or UC, no other master can have the line in a valid state • If a master s cache has a line in SD, no other cache master can have the line in SD Deadlock • At least one transaction can always make forward progress Data integrity • A read always reads the last write to an address Page 18 | © 2012, Jasper Design Automation | Confidential May 2, 2012 18
- 19. Jasper Architectural Validation Flow Automatic Generation of SV Model and Properties Architectural proofs Arch spec. • Consistency • Completeness • E.g., coherency property Architectural waveforms without testbench Table-‐based entry format (or Murphi) Architectural requirements RTL Executable Export properties RTL formal document view to RTL simulation verification Page 19 | © 2012, Jasper Design Automation | Confidential May 2, 2012 19
- 20. Advantages Verify architectural rules – cache coherence, deadlock freedom Find corner case bugs – deadlocks, coherence issues Validate future protocol changes Remove specification ambiguities Downstream usage as VIP – checks + coverage model Page 20 | © 2012, Jasper Design Automation | Confidential May 2, 2012 20
- 21. ACE Protocol Modeling and Verification With Jasper “Verifying cache coherent systems is difficult and designers need sophisticated VIP to help solve these issues” “ARM partners with EDA companies like Jasper to ensure our SiP’s are enabled to take advantage of improved system performance and power JUG-2011 – Paul Martin provided by AMBA 4” [email protected] Page 21 | © 2012, Jasper Design Automation | Confidential May 2, 2012 21
- 22. Chip-Level Connectivity Verification Solution Exhaustively verifies that the RTL matches the connectivity definition • Verify that point A is equivalent to point B (block or chip level) as certain signals/modes can impact connections • No other signals/modes/settings can impact connections • Important aspect of system integration of many IP’s Types of connection Structural, Boolean condition, temporal condition, and temporal connection with latency and delay Allow fast and exhaustive verification Quickly reconfirm results (regressions) as RTL is being modified Automated flow allows early and frequent verification Page 22 | © 2012, Jasper Design Automation | Confidential May 2, 2012 22
- 23. Chip-Level Connectivity Verification Flow Top-level of SoC A B cond Connec0vity proofs (asser0ons and covers) Waveforms Connectivity map with connectivity conditions RTL Page 23 | © 2012, Jasper Design Automation | Confidential May 2, 2012 23
- 24. Automated Register Verification Formal proofs are exhaustive • Checks for all possible sequences of RD/WRs in any order • Checks for all register addresses Conceptually, the following non-deterministic trace is considered by formal for proving address A Register transfer D1 D2 check update check update check Expected Reset value D1 D2 reg-value Non-deterministic # (zero to infinite) of Rd/ Wr access to any address except A reset Read from address A D Write D to address A Page 24 | © 2012, Jasper Design Automation | Confidential May 2, 2012 24
- 25. Jasper Provides Verification Solutions to IP and System-on-chip Designs Property Synthesis Formal Property Verifica8on Automated asser0on genera0on Protocol cer0fica0on Iden0fica0on of coverage holes End-‐to-‐end packet integrity Inference and synthesis of func0onal proper0es Asynchronous clocking effects from RTL and simula0on waveforms Asser0on-‐based verifica0on RTL Development Verifica8on IP Designer-‐based verifica0on w/o testbench Cer0fica0on of AMBA 4/ACE checkers Design trade-‐off analysis Popular standard protocols X-‐propaga0on detec0on and debug Configurable, illustra0ve, op0mized for formal Power management verifica0on Architecture Valida8on Post-‐Silicon Debug SoC Integra8on Executable spec Failure signature matching Automated register verifica0on Absence of deadlock Root cause isola0on Glitch detec0on Cache coherency Candidate cause elimina0on Mul0-‐cycle path verifica0on Valida0on of fixes before re-‐spin Chip-‐level connec0vity Higher Capacity Interac8ve Debug Increased Throughput Wider Deployment Verify complex 100M gate Modify/create proper0es on U0lize mul0ple proof Proliferate across designs the fly to explore design engines on parallel compute engineering teams with behavior resources unique adop0on model Page 25 | © 2012, Jasper Design Automation | Confidential May 2, 2012 25
- 26. Thanks Page 26 | © 2012, Jasper Design Automation | Confidential May 2, 2012 26