Challenging Problems in Industrial Formal … Problems in Industrial Formal Verification Ziyad...
Transcript of Challenging Problems in Industrial Formal … Problems in Industrial Formal Verification Ziyad...
Challenging Problems in Industrial Formal Verification
Ziyad Hanna, PhD, Vice President of R&D, Fellow Formal and Automated Verification, Cadence Formal Methods in Computer-Aided Design Lausanne, Switzerland October 21-24, 2014
2 © 2014 Cadence Design Systems, Inc. All rights reserved. © 2014 Cadence Design Systems, Inc. All rights reserved worldwide. Cadence and the Cadence logo are trademarks of Cadence Design Systems, Inc. in the United States and other countries. All other trademarks are the property of their respective owners and are not affiliated with Cadence.
Software and verification driving SoC project costs 80% of overall development costs, mostly in headcount
Source: IBS July 2013
IP Qualification
Physical Imp.
Verification and
Validation
Software
65nm (354M)
40nm (615M)
28nm (1044M)
20nm (1317M)
16/14nm (1636M)
Process Node (# transistors)
3 © 2014 Cadence Design Systems, Inc. All rights reserved.
Ever-growing system development complexity
Manufacturin
g
System QA
System
Mod
eling and HW
-‐SW Par::
oning
Sub-‐system Verifica:on Sub-‐system Integra:on
SW Driven SoC Bare Metal / Drivers Valida:on
SoC HW Verifica:on SoC
Integra:on
FW/Drivers development
FW/Drivers on accurate IP / Sub-‐System
OS and peripheral Bring-‐
up on virtual models
Middleware Bring-‐up
Middleware Development and Tes:ng
Interconnect Performance
and Verifica:on Power
convergence
Digital – AMS convergence
OS and Peripherals Bring-‐up on accurate HW
Virtual plaKorm crea:on
System Performance and Power analysis
IP Qualifica:on / Development
IP Verifica:on
Bare Metal on Silicon Bring-‐up
Silicon Test
OS on Silicon Bring-‐up
System on Silicon Bring-‐up
System QA
System Performance and Power analysis
Gate-‐level Valida:on
IP
Sub
-Sys
tem
S
oC
Firm
war
e / D
river
s O
S a
nd
Mid
dlew
are
A
pps
Time
Har
dwar
e S
oftw
are
Early Software Development and HW-SW Validation System
and Silicon Validation
SoC / Sub-System Integration and Verification
IP Design and Verification
Gate-level Validation
Silicon
Architect
System Validation Engineer
Logic Designers
Verification Engineer
Firmware Developer
Application Developers
Manager
Integrator
4 © 2014 Cadence Design Systems, Inc. All rights reserved.
System Development Suite Broad and connected solution for today’s and emerging challenges
IP
Sub
-Sys
tem
S
oC
Firm
war
e / D
river
s O
S a
nd
Mid
dlew
are
A
pps
Time
Har
dwar
e S
oftw
are
Early Software Development and HW-SW Validation System
and Silicon Validation
SoC / Sub-System Integration and Verification
IP Design and Verification
Gate-level Validation
Acceleration, Emulation
Multi-abstraction Hybrid and Embedded Testbench
Prototyping
Simulation
Verification IP
High-Level Synthesis
Formal Analysis
Silicon
D
ebug
Pla
nnin
g an
d M
anag
emen
t
Software-Driven Verification
Low-Power, Mixed Signal, Safety
5 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Formal Verification Adoption • Where does FV fit in in the SoC design,
integration, and verification flows? • Overview of some FV applications
• Security verification • Low-power verification • System-level verification
• Forward looking …
Agenda
6 © 2014 Cadence Design Systems, Inc. All rights reserved.
Complexity driving need for Formal Verification
Low Power Dynamic power islands,
functional verification, and sequential equivalence
Security Trusted zones, secure access, immunity from
physical attacks
Multi-Processor Complex on-chip buses,
deadlock, coherency
Use is limited to handful of very high-end ICs 1990s
2010+
2000s
Super computers Software only
Mobile phones Concentrated use in PC and graphics Software only
Use in mobile, consumer, server, graphics, IT, and
computing
Wide-spread use in mobile, consumer,
industrial, automotive, tablets, and mobile phones
Use in mobile, automotive, servers, gaming IC, and
graphics chips
7 © 2014 Cadence Design Systems, Inc. All rights reserved.
Traditional verification solutions fall short on hardest problems
Low Power Security Multi-Processor
Simulation is empirical, can’t test all possible combinations, suffers from long run times and labor-intensive debug
Emulation is expensive, happens too late, can’t test all modes
• Previously rare and esoteric verification problems are now common to most chips
• Formal Verification to embrace complexity as a strategy
Large number of possible power modes
Pre-verified modules can deadlock after integration
Register state impacts security path access
Non-deterministic transitions
Cache coherency with many heterogeneous master and slaves
Specifications of prohibited behavior
Structural changes have unexpected impact
Distributed on-chip bus implementation
Simulation and Emulation
8 © 2014 Cadence Design Systems, Inc. All rights reserved.
Formal Verification adoption phases
Time
ROI Quality, Bugs, Coverage, Productivity
Formal Verification
1st wow
Pilot FV Staffing, on risky blocks, Small team
Adopt
Wide Deployment FV an established methodology in Design and Validation flows
Master Formal Technology
Customized Solutions based on FV technologies in Design and Validation Flows
Corner stone In DV flow Cross blocks Multiple projects
ü Completeness ü High coverage ü Uncover hard bugs ü Verify high level properties ü Post-Silicon Debug ü High productivity
9 © 2014 Cadence Design Systems, Inc. All rights reserved.
90’s 00’s 10’s 20’s
ROI Quality Cost Risk Schedule
Dynamic Validation
ü Formal solutions (Apps) ü Replacing simulation ü Wide deployment
ü Addressing system complexity
ü Formal is the primary method at IP level
Disruptive Formal Verification
• Technology • Methodology • Business model
Limited scope (users and problems)
10 © 2014 Cadence Design Systems, Inc. All rights reserved.
EDAC 1Q14 MSS Report 18.9 % Growth YoY in Property Checking
2012 2013 2014
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 4Q/4Q CAE
2.3 Logic Verification 200.2 226.7 229.3 249.9 193.8 223.0 232.3 275.4 246.25
0 8.6%
2.3.1 RTL Simulation 103.2
102.7 106.0 116.3 110.9
107.2 120.7
132.2 108.26
0 7.4%
2.3.3 Hardware Verification 74.1
98.6 97.1 93.6 n/a
n/a n/a
n/a n/a
2.5 Formal Verification 29.8 31.7 37.5 35.4 40.3 38.9 39.5 45.1 35.479 9.6%
2.5.1 Equivalency Checking
17.4 18.9
20.1 19.7
20.1 20.3
19.5 20.0 20.204 1.8%
2.5.2 Property Checking 12.4
12.9 17.5
15.8 20.2
18.5 20.0 25.0 15.275
18.9%
11 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Design capacity: Size of designs that can be read and elaborated
• Verification capacity: Measured by the number of state variables in pruned
models that FV engines can verify
• Performance: CPU run time needed to
complete a verification task
• Debugging: Measured by human effort spent to complete a verification task
• Predictability: Where can FV be applied
• Coverage and progress metrics
Formal Verification Technology Factors
Verification Capacity
Performance
Predictability
Coverage
and Progress Metrics
Debug
Design Capacity
12 © 2014 Cadence Design Systems, Inc. All rights reserved.
Design Analyze and Elaborate
Design Refinement
Compression and Optimization
Proof Engines
RTL and Spec Technology Challenges Technology Frontier
Design size, design style (e.g., latch based) ASIC, SoC, CPU, or GPU Evolving RTL and specification languages and standards
Design Capacity and Complexity
Ease of setup, clocking scheme Path analysis, X analysis, design traversal Ability to get structural and functional design information
Design Traversal Algorithms
Ability to manage verification complexity Automatic abstractions (counters, memories) Design or State Space Abstraction (interactive, automatic)
Formal Capacity
Fast core engines for bug hunting, proofs, visualization Tuning for formula complexity, compression, Optimization, decomposition, engine defaults…
Core Engines Capacity and Performance
Leverage parallel computing for scalability and throughput Exploit various engine technologies, engine races, parallel property processing …
Parallel Computing
Speed of automatically extracting waveforms Trace concatenation, what-if analysis, visualization
Interactive Analysis
Page 12 | © 2013, Jasper Design Automation | Confidential
Industrial FV system, a holistic approach
13 © 2014 Cadence Design Systems, Inc. All rights reserved.
SoC-level Formal Verification
Inte
rcon
nect
Sub
syst
em
Peripherals
Processor Subsystem
Graphics, Video, and
Audio Subsystem
Memory Subsystem
Clocks, Low-Power Controllers, Interrupts
Register Verification
14 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Given a DUV with register space accessed by – Standard interface (AHB, OCP, etc.) – Proprietary interface (parallel, serial)
• To prove – Data integrity of register fields
– i.e., Data read from a register equals previously written data – Reset values
– Data read from a register equals reset value till it is written to
Control and status register verification
15 © 2014 Cadence Design Systems, Inc. All rights reserved.
SoC-level Formal Verification
Inte
rcon
nect
Sub
syst
em
Peripherals
Processor Subsystem
Graphics, Video, and
Audio Subsystem
Memory Subsystem
Clocks, Low-Power Controllers, Interrupts
Connectivity Verification
16 © 2014 Cadence Design Systems, Inc. All rights reserved.
• System can have tens of thousands of static and multiplexed connections among IP blocks
• “Correct-by-construction” tools are not sufficient, as errors can still creep in due to unclear or erroneous specifications
• Additional low-power structures, BIST, and JTAG support, or downstream changes/ECOs that weren’t fully propagated
• Connectivity of a sub-module, that is correct as such, may prove to be erroneous in a larger scope
Connectivity verification
17 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Exhaustively verify that the design matches the connectivity definition
– Verify that Point A is equivalent to Point B – No other signals/modes/settings can impact connections
• Quickly reproduce and reconfirm results (regressions) as RTL is being modified
• Easily add signal connection conditions or exceptions • Read in directly the spec spreadsheet
Connectivity Formal Verification
18 © 2014 Cadence Design Systems, Inc. All rights reserved.
SoC-level Formal Verification
Inte
rcon
nect
Sub
syst
em
Peripherals
Processor Subsystem
Graphics, Video, and
Audio Subsystem
Memory Subsystem
Clocks, Low-Power Controllers, Interrupts
Clock and Low-Power Verification
19 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Power domains: Groups of blocks that can be turned off
together. “Turn off” means all elements in these blocks
lose their values and drive ‘X’
• Isolation cells: Isolated signal has a different driver
(than stated in the RTL) if isolation condition is true
• Retention cells: Cells designed to retain the value of
registers in domains that are “turned-off”
• Level shifters: Structures designed to allow operation in
different voltage in adjacent power domains
Clock and low-power Verification
20 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Power-up and power-down sequences – Visualization of waveform and checking required time delays
• Check that a switchable block does not generate additional X’s at outputs (or dedicated signals) if it is powered down and up again
• Protocols (e.g., ARM® AMBA® AXI standard, etc.) are not violated due to a component being powered down
• FIFOs stretching over two power domains – Confirm they are isolated so that no spurious transitions occur
Example low-power verification tasks
21 © 2014 Cadence Design Systems, Inc. All rights reserved.
SoC-level Formal Verification
Inte
rcon
nect
Sub
syst
em
Peripherals
Processor Subsystem
Graphics, Video, and
Audio Subsystem
Memory Subsystem
Clocks, Low-Power Controllers, Interrupts
Deadlock Detection
22 © 2014 Cadence Design Systems, Inc. All rights reserved.
Deadlock Detection and Verification
Architectural Bugs
Block Implementation
Bugs
System Implementation
Bugs
Use Architectural Modeling to model architecture and detect architectural deadlocks
Use Formal Property Verification to detect deadlocks by verifying protocol, arbitration, data-integrity, etc.
Detects deadlocks due to system implementation and integration bugs
23 © 2014 Cadence Design Systems, Inc. All rights reserved.
SoC-level Formal Verification
Inte
rcon
nect
Sub
syst
em
Peripherals
Processor Subsystem
Graphics, Video, and
Audio Subsystem
Memory Subsystem
Clocks, Low-Power Controllers, Interrupts
Security Path
Analysis
24 © 2014 Cadence Design Systems, Inc. All rights reserved.
25 © 2014 Cadence Design Systems, Inc. All rights reserved.
• System architecture – Moving secured areas to isolation – Analyzing data flow on the whole system – Manually identify potential structural paths and insert blocking
conditions • System integration
– Investigate (often with a structural analysis tool) each structural path to ensure that they are false path
• Very tedious and ad hoc
– Only able to look at a small subset of traces – Rather subjective and no clear checking mechanism – Difficult to get real sense of completeness
What do people do today?
26 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Identify any unintentional path to/from secured areas – Use of path sensitization ideas – User specifies secure area and illegal sources and destinations
for the data inside this area – Optional: User can specify blocks through which data is allowed to
propagate – Waveforms show illegal propagations found
• Potential savings – Time savings: weeks vs. months – Verify all paths and understand progress – Completeness, not just subjective determination of correctness
Security path verification overview
Secure Area
27 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Structural analysis: Look at structural paths and waive connections found. Very inefficient, subjective, and time consuming
• Simulation: Inserting Xs at the source and checking for Xs
at the destination. Could find bugs, but will never guarantee completeness
• Formal: Different problem to handle, requires special
modeling and formal analysis techniques
Possible solutions
28 © 2014 Cadence Design Systems, Inc. All rights reserved.
SoC-level Formal Verification
Inte
rcon
nect
Sub
syst
em
Peripherals
Processor Subsystem
Graphics, Video, and
Audio Subsystem
Memory Subsystem
Clocks, Low-Power Controllers, Interrupts
Connectivity Verification
Security Path
Analysis
Register Verification
Clock and Low-Power Verification
Interface Protocol Modeling and Verification
Architecture Modeling and Verification
Deadlock Detection
29 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Formal property verification
• Sequential equivalence checking
• Structural property synthesis
• Behavioral property synthesis
• X propagation checking
• Coverage analysis and measurement
• Post-silicon debug (PSD)
• Clock glitch analysis and debug
• Functional Safety – ISO26262
• …
IP and subsystem-level design and verification solutions
30 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Arbiters • On-chip bus bridges • Power management units • Memory and DMA controllers • Host bus interface unit • Scheduler, implementing
multiple threads • Virtual channels for QoS
Good candidates for FPV
§ Interrupt controller § Token generators § Cache coherency § Credit manager blocks § Standard interface
(ARM AMBA protocol, DDR, etc.)
§ Proprietary interfaces § Clock disable units
Sweet spots: concurrency and multiple data streams, which are difficult to completely verify using simulation
31 © 2014 Cadence Design Systems, Inc. All rights reserved.
Formal coverage
DUT
Formal Setup
Stimuli Coverage
How restrictive is the design behavior under the formal setup? What dead code does it generate?
DUT
Formal Setup
Property Completeness Coverage
How complete my property set? Do I capture all design behaviors?
Properties
DUT
Formal Setup
Proof Coverage
What coverage is achieved by the proven properties?
Proven Properties ✔ DUT
Formal Setup
Bounded Proof Coverage
What is coverage of bounded proof? Is the bound enough? How to do better?
Bounded Proof Properties
?
32 © 2014 Cadence Design Systems, Inc. All rights reserved.
DUT Coverage
DB
Testbench Simulator
Formal Tool Cover items not hit in simulation
Cover items that are confirmed unreachable
Use formal to cover areas that are hard for simulation to address, or formally prove they are impossible to reach
Interacting with coverage metrics from simulation
33 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Performance, capacity, and convergence of core engine
• Automatic abstraction
• Application-specific automatic proof strategies
• Word-level model checking
• Hybrid of simulation and formal technologies
• Predictability
• Coverage and progress measurement
Core model checking technology
34 © 2014 Cadence Design Systems, Inc. All rights reserved.
• 70% of verification effort is in debug loop !! – Spec, Design, Tools, setup, …
• Debug vs. root-cause analysis
• Self-aware tools
• Pre vs. post silicon validation
Debug and Verification Productivity
��� ������������������
���������������������
������ ��������
����� �����������������
35 © 2014 Cadence Design Systems, Inc. All rights reserved.
• Address cost and productivity issues in design and validation
• Can we get 100% proofs on RTL models (at least for selected IP blocks)? – If not, how do we measure the coverage? – What is the cost?
• HLM for verification is unavoidable…
• Cross software/hardware verification is a huge challenge
• Leverage the great progress in parallel and distributed computing
Challenges and opportunities ahead…
© 2014 Cadence Design Systems, Inc. All rights reserved worldwide. Cadence and the Cadence logo are registered trademarks of Cadence Design Systems, Inc. in the United States and other countries. ARM and AMBA are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other trademarks are the property of their respective owners.