Workshop - November 2011 - Toulouse Laurence PIERRE (TIMA)

Workshop - November 2011 - Toulouse

Laurence PIERRE (TIMA)

IntroductionFormal / semi-formal verification

Does the system comply with its requirements /expected behaviour?

Workshop - November 2011 2

Requirements / Specification

Specificationsatisfied?

IntroductionA formal expression of the specification or

requirements is neededAssertion-Based Verification (ABV) the intended

behaviour is formalized as assertionsTemporal logics: CTL (Computation Tree Logic), LTL

(Linear Temporal Logic),…Standardized specification languages: SVA (IEEE Std

1800), PSL (IEEE Std 1850)Does the design obey these logic and temporal

assertions?


IntroductionStatic analysis (formal verification)



Specificationsatisfied?Formal model

Formal proof tool

IntroductionStatic analysis at the RT level: model checkers for

PSL (IEEE standard 1850) and/or SVA (IEEE standard 1800)Incisive formal verifier (Cadence)

http://www.cadence.com/products/ld/formal_verifier

RuleBase (IBM)http://www.research.ibm.com/haifa/projects/verification/RB_Homepage/

Solidify (Averant)http://www.averant.com/products-solidify.html

...


IntroductionSemi-formal (dynamic) verification



Simulation results+

Requirementssatisfaction

Simulator

Input stimuli

IntroductionDynamic verification at the RT level: support for PSL

and/or SVA assertions in simulatorsModelSim (Mentor Graphics)

http://www.model.com

VCS (Synopsys)http://www.synopsys.com/Tools/Verification/FunctionalVerification/Pages/VCS.aspx

Incisive (Cadence)http://www.cadence.com/products/sd/enterprise_simulator/pages/default.aspx


IntroductionAlternative solution for dynamic ABV: construction of

assertions checkers


SENDING NODE

DATATRANSLATION

DATA_IN

VALID_DATA

DATA_OUT

START

READY

ERROR

END

RST EN STOP

RECEIVING NODE

Assertion checker

PSL assertion

always(END -> next (START before ERROR))

IntroductionCheckers (monitors) = hardware components

generated from temporal assertionsFoCs (IBM) RTL

https://www.research.ibm.com/haifa/projects/verification/focs/

MBAC (McGill University, Montreal) RTLM.Boulé and Z.Zilic. Generating Hardware Assertion Checkers: For Hardware Verification, Emulation, Post-Fabrication Debugging and On-Line Monitoring. Springer, 2008

HORUS and ISIS (TIMA) RTL and TLMhttp://tima.imag.fr/vds/Horus/

http://tima.imag.fr/vds/Isis/


ABV at different levels


http://www.synopsysoc.org/viewfromtop/page/3/

SoC's

IP's

ABV at the RT level


IP's

ABV at the RT levelA few words about PSL (Property Specification

Language), IEEE standard 1850Enables the use of temporal relations:

always p : the property p holds at all times p until! q : p holds until q holds eventually! p : p holds at the current cycle or at some future

cycle p before! q : p holds before q holds next_event!(b)(p) : p holds the next time the boolean

expression b is true ...


ABV at the RT levelA few words about PSL (Property Specification

Language), cont’d... Also enables the use of regular expressions to

portray sequences of events: {e1 ; e2} : the concatenation of two regular expressions e1

and e2 {e[*]} and {e[+]} : repeated consecutive concatenations of

expression e {e1 | e2} : one of the alternative expressions holds at the

current cycle ...


ABV at the RT levelTwo simple examples

Error should not occur between End and Start

always(End -> next (Start before Error))

Two successive Error are forbidden

always (Error -> next (not Error)) never {Error[*2]}


ERRORENDSTART

ABV at the RT levelCharacteristics of the properties of interest at the RT

level (or gate level) Fine-grained properties on the signals of the designExpressed and evaluated in a clocked contextExample:

default clock is (clk’event and clk = ‘1’);

assert

always(request1 -> next_e[1..8](grant1));


Assertion checkersHorus technology: compositional construction, using

primitive componentsExample:

always (Req -> (Busy until! Ack));

Integration in Dolphin Integration tools (simulator and schematic editor)


Formallyproven

Application exampleTransmission from dual ADCs to serial output


Application exampleTransmission from dual ADCs to serial output

Controls 2 external dual ADCs and transmits the 4 resulting 12-bit words through a serial output

The four 12-bit data are received using SPI interfaces2 clocks

Clk10meg Clk: division with a clock gating system of Clk10meg (bit-

rate of the serial output)

Transfer protocol: must provide enough time between two acquisitions in order to complete the serial transmission


Application exampleTwo sets of assertions:

Check the SPI protocol requested by the external dual ADCs

Check the internal protocol used to synchronize the data


default clock is (Clk10meg’event and Clk10meg=‘1’);always ({!REQ;REQ} |-> {{ {(!EN_TX)[+];(EN_TX && ACK)[*1:4]} ; {(!EN_TX)[+];(EN_TX)[*1:4]}[*5] ; !EN_TX } && {!SHIFT[+]}});

Application exampleSimulation reports violations of this internal property


Application exampleProperty breakpoints stop the simulation when

violations occur


Towards embedded monitorsExample of impact on the area: assertions for a

wishbone crossbar controller (8 masters, 16 slaves)


Y.Oddos, "Vérification semi-formelle et synthèse automatique decircuits à partir de spécifications temporelles écrites en PSL", Thèse de Doctorat Univ. Grenoble 1, Nov. 2009

Altera Cyclone II FPGA,max. frequency 420 MHz

ABV at the system level (TLM)


SoC's

IP's

ABV at the system level (TLM)Characteristics of the properties of interest at the

SystemC TLM levelMore abstract properties, on interactions and

transactions (communication actions)TLM LT (Loosely Timed) or AT (Approximately Timed):

no clockExample property (DMA):

The intended (source or destination) address is used when a memory transfer occurs


ABV at the system level (TLM)Verification of SystemC TLM platforms: no actual

solution yetPrevious work: SystemC RTL, or methods not

applicable to real-size designs, or no automationAcademic results

Univ. Erlangen (Germany) Univ. Monastir (Tunisia), PhD thesis in cooperation with ST

Industrial solutions Infineon Technologies, Munich (Germany) Cadence Incisive platform: only SystemC signals can be

involved in assertions


ISIS: ABV with assertion checkers


ISISSystemC platform

int sc_main(int argc, char *argv[]) { generic_noc generic_noc_inst_ memory memory_inst_0("mem eu_pool eu_pool_inst_0("eu_p eu eu_inst_0("eu_inst_0"); memory memory_inst_1("mem os_config os_config_inst_0("o

PSLassertions

Simulation

Platform

Monitors +observation mechanism

SystemCinstrumented platformXML configuration

files

System requirements



PSL assertion

Design under verification

Ex: the intended address is usedwhen a memory transfer occurs

?

Automatic translation

InstrumentationSystemCassertionchecker



PSL assertion

Design under verification

Simulation of thisinstrumented design

DMA exampleProperty 1: any time the control register is

programmed, an IRQ occurs before the next writing into the control register


Observation

DMA exampleProperty 1: any time the control register is

programmed, an IRQ occurs before the next writing into the control register


always ( (cpu_initiatorport.write_CALL () && cpu_initiatorport.write.p1 == CONTROL && cpu_initiatorport.write.p2 == START) => next(irq before (cpu_initiatorport.write_CALL () && cpu_initiatorport.write.p1 == CONTROL)));

DMA exampleProperty 2: any time a source address is

transferred to the DMA, a read access eventually occurs and the right address is used


Observation

DMA exampleProperty 2: any time a source address is

transferred to the DMA, a read access eventually occurs and the right address is used


int src_add;if (cpu_initiatorport.write_CALL() && cpu_initiatorport.write_CALL.p1 == dma_src_reg) src_add = cpu_initiatorport.write_CALL.p2;

assert always((cpu_initiatorport.write_CALL() && cpu_initiatorport.write_CALL.p1 == dma_src_reg) => next_event!(mem1.read_CALL()) (mem1.read_CALL.p1 == src_add));

PSL "Modeling layer"

DMA exampleVarious verbosity levels for the monitors


MJPEG decoding platformProperty: the data that are written on the RAMDAC

are exactly the ones that have been transmitted by the EU


P.Gerin, X.Guérin, and F.Pétrot, "Efficient implementation of nativesoftware simulation for MPSoC", Proc. DATE'2008

Observation

MJPEG decoding platformProperty: the data that are written on the RAMDAC

are exactly the ones that have been transmitted by the EU


unsigned int req_data;if (eu.write_CALL()) req_data = eu.write_CALL.p2;

assert always(eu.write_CALL() => next_event!(rdac.write_CALL()) (rdac.write_CALL.p2 == req_data));

PSL "Modeling layer"

MJPEG decoding platformIdentification of property violations


CPU times


Without monitoring

Monitoring with ISIS checkers

# property activations

DMA, P1 4.97 s 5.18 s 1.4 millions

DMA, P2 4.97 s 5.54 s 4.2 millions

MJPEG platform 18.67 s 21.64 s 13.7 millions

DMA: 200000 memory transfersMJPEG platform: 10 seconds of video decoding

L.Ferro, "Vérification de propriétés logico-temporelles de spécifications SystemC TLM", Thèse de Doctorat Univ. Grenoble, Jul. 2011

See tomorrow...Airbus case study (avionics flight control remote

module): ABV for the verification of safety requirementsControl of hardware/software interactions for safety

requirementsAstrium case study (space high resolution image

processing): ABV for the verification of correctness requirementsIn particular, discussion on the alternatives for locating

the assertions


Thanks... Questions?


Workshop - November 2011 - Toulouse Laurence PIERRE (TIMA)

Documents

Transcript of Workshop - November 2011 - Toulouse Laurence PIERRE (TIMA)